Update mud

Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>

.gitmodules

@@ -1,6 +1,8 @@
 [submodule "mud"]
 	path = mud
 	url = https://github.com/angt/mud.git
+	ignore = dirty
 [submodule "argz"]
 	path = argz
 	url = https://github.com/angt/argz.git
+	ignore = dirty

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2015-2016, angt
+Copyright (c) 2015-2019, Adrien Gallouët <adrien@gallouet.fr>
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Makefile

@@ -0,0 +1,32 @@
+NAME    := glorytun
+VERSION := $(shell ./version.sh)
+DIST    := $(NAME)-$(VERSION)
+
+DESTDIR ?=
+CC      ?= gcc
+INSTALL ?= install
+prefix  ?= /usr
+CFLAGS  ?= -std=c11 -O2 -Wall -fstack-protector-strong
+
+FLAGS := $(CFLAGS) $(LDFLAGS) $(CPPFLAGS)
+FLAGS += -DPACKAGE_NAME=\"$(NAME)\" -DPACKAGE_VERSION=\"$(VERSION)\"
+
+SRC := argz/argz.c mud/mud.c $(wildcard src/*.c)
+
+.PHONY: $(NAME)
+$(NAME):
+	@echo "Building $(NAME)"
+	@$(CC) $(FLAGS) -o $(NAME) $(SRC) -lsodium -lm
+
+.PHONY: install
+install: $(NAME)
+	@echo "Installing $(NAME)"
+	@$(INSTALL) -m 755 -d $(DESTDIR)$(prefix)/bin
+	@$(INSTALL) -m 755 -s $(NAME) $(DESTDIR)$(prefix)/bin
+
+.PHONY: dist
+dist:
+	@echo "Building $(DIST).tar.gz"
+	@(git --git-dir=.git ls-files --recurse-submodules -- ':!:.*' ':!:**/.*' && echo VERSION) | ( \
+	    tar zcf $(DIST).tar.gz -T- --transform 's:^:$(DIST)/:' || \
+	    tar zcf $(DIST).tar.gz -T- -s ':^:$(DIST)/:' ) 2>/dev/null

README.md

@@ -1,7 +1,16 @@
 # Glorytun
 
 Glorytun is a small, simple and secure VPN over [mud](https://github.com/angt/mud).
-It runs on Linux, OpenBSD, FreeBSD and MacOS.
+
+## Compatibility
+
+Glorytun only depends on [libsodium](https://github.com/jedisct1/libsodium) version >= 1.0.4.
+Which can be installed on a wide variety of systems.
+
+Linux is the platform of choice but the code is standard so it should be easily ported on other posix systems.
+It was successfully tested on OpenBSD, FreeBSD and MacOS.
+
+IPv4 and IPv6 are supported.
 
 ## Features
 
@@ -12,7 +21,7 @@ The key features of Glorytun come directly from mud:
    The use of UDP and [libsodium](https://github.com/jedisct1/libsodium) allows you to secure
    your communications without impacting performance.
    Glorytun uses AES only if AES-NI is available otherwise ChaCha20 is used.
-   You can force the use of ChaCha20 for higher security.
+   If you are not cpu bounded, you can force the use of ChaCha20 for higher security.
    All messages are encrypted, authenticated and marked with a timestamp.
    Perfect forward secrecy is also implemented with ECDH over Curve25519.
 
@@ -20,32 +29,43 @@ The key features of Glorytun come directly from mud:
 
    This is the main feature of Glorytun that allows to build an SD-WAN like service.
    This allows a TCP connection to explore and exploit multiple links without being disconnected.
+   Aggregation should work on all conventional links, only very high latency (+500ms) links are not recommended for now.
+
+ * **Traffic shaping**
+
+   Shaping is very important in network, it allows to keep a low latency without sacrificing the bandwidth.
+   It also helps the multipath scheduler to make better decisions.
+   Currently it must be configured by hand, but soon Glorytun will do it for you.
 
  * **Path MTU discovery without ICMP**
 
    Bad MTU configuration is a very common problem in the world of VPN.
    As it is critical, Glorytun will try to setup it correctly by guessing its value.
    It doesn't rely on ICMP Next-hop MTU to avoid black holes.
+   In asymmetric situations the minimum MTU is selected.
+
+## Caveats
+
+Glorytun is strongly secure by default and protects against replay attacks,
+the clock between the client and the server must be synchronized.
+By default, an offset of 10min is accepted.
 
 ## Build and Install
 
-Glorytun depends on [libsodium](https://github.com/jedisct1/libsodium) version >= 1.0.4.
-We recommend the use of [meson](http://mesonbuild.com) for building instead of
-the more classical autotools suite (also available for old systems).
+You will need `git`, `make`, `gcc` and `libsodium`:
 
-On Ubuntu, the following command should be sufficient to get all the necessary build dependencies:
-
-    $ sudo apt-get install meson libsodium-dev pkg-config
+    $ sudo apt install git make gcc libsodium-dev    # debian based
+    $ sudo yum install git make gcc libsodium-devel  # redhat based
 
 To build and install the latest release from github:
 
     $ git clone https://github.com/angt/glorytun --recursive
-    $ meson glorytun glorytun/build
-    $ sudo ninja -C glorytun/build install
+    $ cd glorytun
+    $ sudo make install
 
-This will install all binaries in `/usr/local/bin` by default.
+This will install the binary in `/usr/bin` by default.
 
-You can easily customize your setup with meson (see `meson help`).
+The more classical autotools suite is also available.
 
 ## Usage
 
@@ -80,12 +100,12 @@ To start a server:
     # glorytun bind 0.0.0.0 keyfile my_secret_key &
 
 You should now have an unconfigured network interface (let's say `tun0`).
-For exemple, the simplest setup with `ifconfig`:
+For example, the simplest setup with `ifconfig`:
 
     # ifconfig tun0 10.0.1.1 pointopoint 10.0.1.2 up
 
 To check if the server is running, simply call `glorytun show`.
-It will show you all the running tunnels.
+It will show you all of the running tunnels.
 
 To start a new client, you need to get the secret key generated for the server.
 Then simply call:
@@ -93,20 +113,20 @@ Then simply call:
     # glorytun bind 0.0.0.0 to SERVER_IP keyfile my_secret_key &
     # ifconfig tun0 10.0.1.2 pointopoint 10.0.1.1 up
 
-Here the tricky part... You need to specify your paths or glorytun will not send anything, it's easy:
+Now you have to setup your path, let's say you have an ADSL link that can do 1Mbit upload and 20Mbit download then call:
 
-    # glorytun path LOCAL_IPADDR up
+    # glorytun path up LOCAL_IPADDR rate tx 1mbit rx 20mbit
 
 Again, to check if your path is working, you can watch its status with `glorytun path`.
 You should now be able to ping your server with `ping 10.0.1.1`.
 
-If you have systemd-networkd, you can use the helper program `glorytun-setup`.
+If you use systemd-networkd, you can easily setup your tunnels with the helper program `glorytun-setup`.
 
 ## Thanks
 
  * @jedisct1 for all his help and the code for MacOS/BSD.
  * The team OTB (@bessa, @gregdel, @pouulet, @sduponch and @simon) for all tests and discussions.
- * OVH
+ * OVH to support this soft :)
 
 ---
 

src/bench.c

@@ -27,11 +27,13 @@ gt_now(void)
 #elif defined CLOCK_MONOTONIC
     struct timespec tv;
     clock_gettime(CLOCK_MONOTONIC, &tv);
-    return tv.tv_sec * 1000000ULL + tv.tv_nsec / 1000ULL;
+    return (unsigned long long)tv.tv_sec * 1000000ULL
+         + (unsigned long long)tv.tv_nsec / 1000ULL;
 #else
     struct timeval tv;
     gettimeofday(&tv, NULL);
-    return tv.tv_sec * 1000000ULL + tv.tv_usec;
+    return (unsigned long long)tv.tv_sec * 1000000ULL
+         + (unsigned long long)tv.tv_usec;
 #endif
 }
 
@@ -63,11 +65,15 @@ gt_bench(int argc, char **argv)
     duration /= 1000;
 
     int term = isatty(1);
+    int aes = argz_is_set(bench_argz, "aes");
     int chacha = argz_is_set(bench_argz, "chacha");
 
-    if (!chacha && !crypto_aead_aes256gcm_is_available()) {
-        gt_log("aes is not available on your platform\n");
-        return 1;
+    if (!crypto_aead_aes256gcm_is_available()) {
+        if (aes) {
+            gt_log("aes is not available on your platform\n");
+            return 1;
+        }
+        chacha = 1;
     }
 
     unsigned char *buf = calloc(1, bufsize + crypto_aead_aes256gcm_ABYTES);
@@ -116,7 +122,7 @@ gt_bench(int argc, char **argv)
             size_t bytes = 0;
 
             gt_alarm = 0;
-            alarm(duration);
+            alarm((unsigned int)duration);
 
             while (!gt_quit && !gt_alarm) {
                 if (chacha) {
@@ -133,7 +139,7 @@ gt_bench(int argc, char **argv)
             total_dt += gt_now() - now;
             total_bytes += bytes;
 
-            mbps = (total_bytes * 8.0) / total_dt;
+            mbps = ((double)total_bytes * 8.0) / (double)total_dt;
             mbps_min = fmin(mbps_min, mbps);
             mbps_max = fmax(mbps_max, mbps);
             mbps_dlt = fabs(mbps_old - mbps);

src/bind.c

@@ -12,17 +12,19 @@
 #include "../argz/argz.h"
 #include "../mud/mud.h"
 
+#include <sodium.h>
+
 #ifndef O_CLOEXEC
 #define O_CLOEXEC 0
 #endif
 
-static void
+static int
 fd_set_nonblock(int fd)
 {
-    int ret;
-
     if (fd == -1)
-        return;
+        return 0;
+
+    int ret;
 
     do {
         ret = fcntl(fd, F_GETFL, 0);
@@ -34,8 +36,7 @@ fd_set_nonblock(int fd)
         ret = fcntl(fd, F_SETFL, flags | O_NONBLOCK);
     } while (ret == -1 && errno == EINTR);
 
-    if (ret == -1)
-        perror("fcntl O_NONBLOCK");
+    return ret;
 }
 
 static int
@@ -48,7 +49,7 @@ gt_setup_secretkey(struct mud *mud, const char *keyfile)
     } while (fd == -1 && errno == EINTR);
 
     if (fd == -1) {
-        perror("open keyfile");
+        gt_log("couldn't open %s: %s\n", keyfile, strerror(errno));
         return -1;
     }
 
@@ -65,13 +66,13 @@ gt_setup_secretkey(struct mud *mud, const char *keyfile)
             break;
         }
 
-        size += r;
+        size += (size_t)r;
     }
 
     close(fd);
 
     if (size != sizeof(buf)) {
-        gt_log("unable to read secret key\n");
+        gt_log("couldn't read secret key\n");
         return -1;
     }
 
@@ -86,18 +87,15 @@ gt_setup_secretkey(struct mud *mud, const char *keyfile)
 }
 
 static size_t
-gt_setup_mtu(struct mud *mud, const char *tun_name)
+gt_setup_mtu(struct mud *mud, size_t old, const char *tun_name)
 {
-    static size_t oldmtu = 0;
     size_t mtu = mud_get_mtu(mud);
 
-    if (mtu == oldmtu)
+    if (mtu == old)
         return mtu;
 
     if (iface_set_mtu(tun_name, mtu) == -1)
-        perror("tun_set_mtu");
-
-    oldmtu = mtu;
+        gt_log("couldn't setup MTU at %zu on device %s\n", mtu, tun_name);
 
     return mtu;
 }
@@ -138,20 +136,21 @@ gt_bind(int argc, char **argv)
     gt_set_port((struct sockaddr *)&bind_addr, bind_port);
     gt_set_port((struct sockaddr *)&peer_addr, peer_port);
 
-    const size_t bufsize = 4096U;
-    unsigned char *buf = malloc(bufsize);
-
-    if (!buf) {
-        perror("malloc");
-        return 1;
-    }
-
     int chacha = argz_is_set(bindz, "chacha");
     int persist = argz_is_set(bindz, "persist");
 
-    struct mud *mud = mud_create((struct sockaddr *)&bind_addr);
+    if (sodium_init() == -1) {
+        gt_log("couldn't init sodium\n");
+        return 1;
+    }
 
-    if (!mud) {
+    unsigned char hashkey[crypto_shorthash_KEYBYTES];
+    randombytes_buf(hashkey, sizeof(hashkey));
+
+    struct mud *mud = mud_create((struct sockaddr *)&bind_addr);
+    const int mud_fd = mud_get_fd(mud);
+
+    if (mud_fd == -1) {
         gt_log("couldn't create mud\n");
         return 1;
     }
@@ -165,17 +164,19 @@ gt_bind(int argc, char **argv)
     }
 
     char tun_name[64];
-    const int tun_fd = tun_create(tun_name, sizeof(tun_name) - 1, dev);
+    const int tun_fd = tun_create(tun_name, sizeof(tun_name), dev);
 
     if (tun_fd == -1) {
         gt_log("couldn't create tun device\n");
         return 1;
     }
 
-    size_t mtu = gt_setup_mtu(mud, tun_name);
+    size_t mtu = gt_setup_mtu(mud, 0, tun_name);
 
-    if (tun_set_persist(tun_fd, persist) == -1)
-        perror("tun_set_persist");
+    if (tun_set_persist(tun_fd, persist) == -1) {
+        gt_log("couldn't %sable persist mode on device %s\n",
+                persist ? "en" : "dis", tun_name);
+    }
 
     if (peer_addr.ss_family) {
         if (mud_peer(mud, (struct sockaddr *)&peer_addr)) {
@@ -187,15 +188,17 @@ gt_bind(int argc, char **argv)
     const int ctl_fd = ctl_create(GT_RUNDIR, tun_name);
 
     if (ctl_fd == -1) {
-        perror("ctl_create");
+        gt_log("couldn't create "GT_RUNDIR"/%s: %s\n",
+                tun_name, strerror(errno));
         return 1;
     }
 
-    const int mud_fd = mud_get_fd(mud);
-
-    fd_set_nonblock(tun_fd);
-    fd_set_nonblock(mud_fd);
-    fd_set_nonblock(ctl_fd);
+    if (fd_set_nonblock(tun_fd) ||
+        fd_set_nonblock(mud_fd) ||
+        fd_set_nonblock(ctl_fd)) {
+        gt_log("couldn't setup non-blocking fds\n");
+        return 1;
+    }
 
     const long pid = (long)getpid();
 
@@ -206,19 +209,36 @@ gt_bind(int argc, char **argv)
 
     const int last_fd = 1 + MAX(tun_fd, MAX(mud_fd, ctl_fd));
 
+    unsigned char buf[4096];
+
     while (!gt_quit) {
-        FD_SET(tun_fd, &rfds);
+        long send_wait = mud_send_wait(mud);
+
+        if (send_wait) {
+            FD_CLR(tun_fd, &rfds);
+        } else {
+            FD_SET(tun_fd, &rfds);
+        }
+
         FD_SET(mud_fd, &rfds);
         FD_SET(ctl_fd, &rfds);
 
-        if (select(last_fd, &rfds, NULL, NULL, NULL) == -1) {
-            if (errno != EBADF)
-                continue;
-            perror("select");
-            return 1;
+        struct timeval tv = {
+            .tv_sec  = 0,
+            .tv_usec = send_wait,
+        };
+
+        const int ret = select(last_fd, &rfds, NULL, NULL, send_wait > 0 ? &tv : NULL);
+
+        if (ret == -1) {
+            if (errno == EBADF) {
+                perror("select");
+                break;
+            }
+            continue;
         }
 
-        mtu = gt_setup_mtu(mud, tun_name);
+        mtu = gt_setup_mtu(mud, mtu, tun_name);
 
         if (FD_ISSET(ctl_fd, &rfds)) {
             struct ctl_msg req, res = {.reply = 1};
@@ -235,7 +255,8 @@ gt_bind(int argc, char **argv)
                 case CTL_NONE:
                     break;
                 case CTL_STATE:
-                    if (mud_set_state(mud, (struct sockaddr *)&req.path.addr, req.path.state))
+                    if (mud_set_state(mud, (struct sockaddr *)&req.path.addr,
+                                      req.path.state, req.path.rate_tx, req.path.rate_rx))
                         res.ret = errno;
                     break;
                 case CTL_PATH_STATUS:
@@ -263,8 +284,7 @@ gt_bind(int argc, char **argv)
                     break;
                 case CTL_MTU:
                     mud_set_mtu(mud, req.mtu);
-                    mtu = gt_setup_mtu(mud, tun_name);
-                    res.mtu = mtu;
+                    res.mtu = mtu = gt_setup_mtu(mud, mtu, tun_name);
                     break;
                 case CTL_TC:
                     if (mud_set_tc(mud, req.tc))
@@ -274,10 +294,6 @@ gt_bind(int argc, char **argv)
                     if (mud_set_keyx_timeout(mud, req.ms))
                         res.ret = errno;
                     break;
-                case CTL_TIMEOUT:
-                    if (mud_set_send_timeout(mud, req.ms))
-                        res.ret = errno;
-                    break;
                 case CTL_TIMETOLERANCE:
                     if (mud_set_time_tolerance(mud, req.ms))
                         res.ret = errno;
@@ -298,43 +314,42 @@ gt_bind(int argc, char **argv)
             }
         }
 
-        if (FD_ISSET(tun_fd, &rfds)) {
-            struct ip_common ic;
-            const int r = tun_read(tun_fd, buf, bufsize);
+        if (FD_ISSET(mud_fd, &rfds))  {
+            int n = 1000;
 
-            if (r <= 0) {
-                if (r == -1 && errno != EAGAIN)
-                    perror("tun_read");
-            } else if ((!ip_get_common(&ic, buf, r)) &&
-                       (mud_send(mud, buf, r, ic.tc) == -1)) {
-                if (errno != EAGAIN)
-                    perror("mud_send");
+            while (n--) {
+                const int r = mud_recv(mud, buf, sizeof(buf));
+
+                if (r <= 0)
+                    break;
+
+                if (ip_is_valid(buf, r))
+                    tun_write(tun_fd, buf, (size_t)r);
             }
         }
 
-        if (FD_ISSET(mud_fd, &rfds)) {
+        if (FD_ISSET(tun_fd, &rfds) && !mud_send_wait(mud)) {
             struct ip_common ic;
-            const int r = mud_recv(mud, buf, bufsize);
+            const int r = tun_read(tun_fd, buf, sizeof(buf));
 
-            if (r <= 0) {
-                if (r == -1 && errno != EAGAIN)
-                    perror("mud_recv");
-            } else if ((!ip_get_common(&ic, buf, r)) &&
-                       (tun_write(tun_fd, buf, r) == -1)) {
-                if (errno != EAGAIN)
-                    perror("tun_write");
+            if (r > 0 && !ip_get_common(&ic, buf, r)) {
+             // TODO: disable hash for now
+             // unsigned char hash[crypto_shorthash_BYTES];
+             // crypto_shorthash(hash, (const unsigned char *)&ic, sizeof(ic), hashkey);
+
+                unsigned h = 0;
+             // memcpy(&h, hash, sizeof(h));
+
+                mud_send(mud, buf, (size_t)r, (h << 8) | ic.tc);
             }
         }
     }
 
-    if (gt_reload && tun_fd >= 0) {
-        if (tun_set_persist(tun_fd, 1) == -1)
-            perror("tun_set_persist");
-    }
+    if (gt_reload && tun_fd >= 0)
+        tun_set_persist(tun_fd, 1);
 
     mud_delete(mud);
     ctl_delete(ctl_fd);
-    free(buf);
 
     return 0;
 }

src/common.c

@@ -64,7 +64,7 @@ gt_fromhex(uint8_t *dst, size_t dst_size, const char *src, size_t src_size)
         if (_0_(a == -1 || b == -1))
             return -1;
 
-        *dst++ = (a << 4) | b;
+        *dst++ = (uint8_t)((a << 4) | b);
     }
 
     return 0;
@@ -105,10 +105,10 @@ gt_toaddr(char *str, size_t size, struct sockaddr *sa)
     switch (sa->sa_family) {
     case AF_INET:
         return -!inet_ntop(AF_INET,
-                           &((struct sockaddr_in *)sa)->sin_addr, str, size);
+                &((struct sockaddr_in *)sa)->sin_addr, str, (socklen_t)size);
     case AF_INET6:
         return -!inet_ntop(AF_INET6,
-                           &((struct sockaddr_in6 *)sa)->sin6_addr, str, size);
+                &((struct sockaddr_in6 *)sa)->sin6_addr, str, (socklen_t)size);
     }
 
     errno = EAFNOSUPPORT;

src/ctl.c

@@ -6,11 +6,10 @@
 #include <unistd.h>
 #include <dirent.h>
 #include <sys/socket.h>
+#include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/un.h>
 
-#define CTL_BIND_MAX 64
-
 int
 ctl_reply(int fd, struct ctl_msg *res, struct ctl_msg *req)
 {
@@ -24,7 +23,7 @@ ctl_reply(int fd, struct ctl_msg *res, struct ctl_msg *req)
         return -1;
 
     if (res->type != req->type || !res->reply) {
-        errno = EINTR;
+        errno = EINVAL;
         return -1;
     }
 
@@ -43,17 +42,15 @@ ctl_setsun(struct sockaddr_un *dst, const char *dir, const char *file)
         .sun_family = AF_UNIX,
     };
 
-    const char *path[] = {dir, "/", file};
-    const size_t len = sizeof(sun.sun_path) - 1;
+    int ret = snprintf(sun.sun_path, sizeof(sun.sun_path), "%s/%s", dir, file);
 
-    if (str_cat(sun.sun_path, len, path, COUNT(path)) == len) {
-        if (str_cat(NULL, len + 1, path, COUNT(path)) > len) {
-            errno = EINVAL;
-            return -1;
-        }
+    if (ret <= 0 || (size_t)ret >= sizeof(sun.sun_path)) {
+        errno = EINVAL;
+        return -1;
     }
 
-    *dst = sun;
+    if (dst)
+        *dst = sun;
 
     return 0;
 }
@@ -61,31 +58,25 @@ ctl_setsun(struct sockaddr_un *dst, const char *dir, const char *file)
 static int
 ctl_bind(int fd, const char *dir, const char *file)
 {
-    char tmp[32];
     struct sockaddr_un sun;
 
     if (str_empty(file)) {
-        for (int i = 0; i < CTL_BIND_MAX; i++) {
-            if (snprintf(tmp, sizeof(tmp), ".%i", i) >= sizeof(tmp))
-                return -1;
+        char name[10] = { [0] = '.' };
+        unsigned pid = (unsigned)getpid();
 
-            if (ctl_setsun(&sun, dir, tmp))
-                return -1;
+        for (size_t i = 1; i < sizeof(name) - 1; i++, pid >>= 4)
+            name[i] = "uncopyrightables"[pid & 15];
 
-            if (!bind(fd, (struct sockaddr *)&sun, sizeof(sun)))
-                return 0;
-        }
+        if (ctl_setsun(&sun, dir, name))
+            return -1;
     } else {
         if (ctl_setsun(&sun, dir, file))
             return -1;
 
         unlink(sun.sun_path);
-
-        if (!bind(fd, (struct sockaddr *)&sun, sizeof(sun)))
-            return 0;
     }
 
-    return -1;
+    return bind(fd, (struct sockaddr *)&sun, sizeof(sun));
 }
 
 void
@@ -94,7 +85,7 @@ ctl_delete(int fd)
     if (fd == -1)
         return;
 
-    struct sockaddr_storage ss;
+    struct sockaddr_storage ss = { 0 };
     socklen_t sslen = sizeof(ss);
 
     if ((getsockname(fd, (struct sockaddr *)&ss, &sslen) == 0) &&

src/ctl.h

@@ -11,7 +11,6 @@ enum ctl_type {
     CTL_MTU,
     CTL_TC,
     CTL_KXTIMEOUT,
-    CTL_TIMEOUT,
     CTL_TIMETOLERANCE,
     CTL_PATH_STATUS,
 };
@@ -23,6 +22,8 @@ struct ctl_msg {
         struct {
             struct sockaddr_storage addr;
             enum mud_state state;
+            unsigned long rate_tx;
+            unsigned long rate_rx;
         } path;
         struct mud_path path_status;
         struct {

src/iface.c

@@ -1,24 +1,27 @@
 #include "common.h"
 #include "iface.h"
-#include "str.h"
 
+#include <stdio.h>
 #include <net/if.h>
 #include <sys/ioctl.h>
 
 int
-iface_set_mtu(const char *dev_name, int mtu)
+iface_set_mtu(const char *dev_name, size_t mtu)
 {
+    if (mtu > (size_t)0xFFFF) {
+        errno = EINVAL;
+        return -1;
+    }
+
     struct ifreq ifr = {
-        .ifr_mtu = mtu,
+        .ifr_mtu = (int)mtu,
     };
 
-    const size_t len = sizeof(ifr.ifr_name) - 1;
+    int ret = snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", dev_name);
 
-    if (str_cpy(ifr.ifr_name, len, dev_name) == len) {
-        if (str_len(dev_name, len + 1) > len) {
-            errno = EINTR;
-            return -1;
-        }
+    if (ret <= 0 || (size_t)ret >= sizeof(ifr.ifr_name)) {
+        errno = EINVAL;
+        return -1;
     }
 
     int fd = socket(AF_INET, SOCK_DGRAM, 0);
@@ -26,7 +29,7 @@ iface_set_mtu(const char *dev_name, int mtu)
     if (fd == -1)
         return -1;
 
-    int ret = ioctl(fd, SIOCSIFMTU, &ifr);
+    ret = ioctl(fd, SIOCSIFMTU, &ifr);
 
     int err = errno;
     close(fd);

src/iface.h

@@ -1,3 +1,3 @@
 #pragma once
 
-int iface_set_mtu (const char *, int);
+int iface_set_mtu (const char *, size_t);

src/ip.h

@@ -5,37 +5,92 @@
 struct ip_common {
     uint8_t tc;
     uint8_t proto;
+    struct { // data are not reordered
+        union {
+            unsigned char v6[16];
+            struct {
+                unsigned char zero[10];
+                unsigned char ff[2];
+                unsigned char v4[4];
+            };
+        };
+        unsigned char port[2];
+    } src, dst;
 };
 
-static inline uint8_t
-ip_get_version(const uint8_t *data)
+static inline int
+ip_read16(const uint8_t *src)
 {
+    return ((int)src[1]) | (((int)src[0]) << 8);
+}
+
+static inline uint8_t
+ip_get_version(const uint8_t *data, int size)
+{
+    if (size < 20)
+        return 0;
+
     return data[0] >> 4;
 }
 
-static inline uint16_t
-ip_read16(const uint8_t *src)
+static inline int
+ip_is_valid(const uint8_t *data, int size)
 {
-    uint16_t ret = src[1];
-    ret |= ((uint16_t)src[0]) << 8;
-    return ret;
+    switch (ip_get_version(data, size)) {
+        case 4: return size == ip_read16(&data[2]);
+        case 6: return size == ip_read16(&data[4]) + 40;
+    }
+
+    return 0;
 }
 
 static inline int
-ip_get_common(struct ip_common *ic, const uint8_t *data, size_t size)
+ip_get_common(struct ip_common *ic, const uint8_t *data, int size)
 {
-    if (size < 20)
-        return 1;
-
-    switch (ip_get_version(data)) {
+    switch (ip_get_version(data, size)) {
     case 4:
         ic->tc = data[1];
         ic->proto = data[9];
-        return size != ip_read16(&data[2]);
+        if (size == ip_read16(&data[2])) {
+            const int hdrsize = (data[0] & 0xF) << 2;
+            memset(ic->src.zero, 0, sizeof(ic->src.zero));
+            memset(ic->src.ff, 0xff, sizeof(ic->src.ff));
+            memcpy(ic->src.v4, &data[12], sizeof(ic->src.v4));
+            memset(ic->dst.zero, 0, sizeof(ic->dst.zero));
+            memset(ic->dst.ff, 0xff, sizeof(ic->dst.ff));
+            memcpy(ic->dst.v4, &data[16], sizeof(ic->dst.v4));
+            switch (ic->proto) {
+            case 6:  // tcp
+            case 17: // udp
+                memcpy(ic->src.port, &data[hdrsize], sizeof(ic->src.port));
+                memcpy(ic->dst.port, &data[hdrsize + 2], sizeof(ic->dst.port));
+                break;
+            default:
+                memset(ic->src.port, 0, sizeof(ic->src.port));
+                memset(ic->dst.port, 0, sizeof(ic->dst.port));
+            }
+            return 0;
+        }
+        break;
     case 6:
-        ic->tc = ((data[0] & 0xF) << 4) | (data[1] >> 4);
+        ic->tc = (uint8_t)((data[0] << 4) | (data[1] >> 4));
         ic->proto = data[6];
-        return size != ip_read16(&data[4]) + 40;
+        if (size == ip_read16(&data[4]) + 40) {
+            memcpy(ic->src.v6, &data[8], sizeof(ic->src.v6));
+            memcpy(ic->dst.v6, &data[24], sizeof(ic->dst.v6));
+            switch (ic->proto) {
+            case 6:  // tcp
+            case 17: // udp
+                memcpy(ic->src.port, &data[40], sizeof(ic->src.port));
+                memcpy(ic->dst.port, &data[42], sizeof(ic->dst.port));
+                break;
+            default:
+                memset(ic->src.port, 0, sizeof(ic->src.port));
+                memset(ic->dst.port, 0, sizeof(ic->dst.port));
+            }
+            return 0;
+        }
+        break;
     }
 
     return 1;

src/main.c

@@ -1,14 +1,17 @@
 #include "common.h"
 #include "str.h"
 
+#include <sodium.h>
 #include <stdio.h>
 
+#include "../argz/argz.h"
+
 volatile sig_atomic_t gt_alarm;
 volatile sig_atomic_t gt_reload;
 volatile sig_atomic_t gt_quit;
 
 static void
-gt_quit_handler(int sig)
+gt_sa_handler(int sig)
 {
     switch (sig) {
     case SIGALRM:
@@ -30,7 +33,7 @@ gt_set_signal(void)
 
     sigemptyset(&sa.sa_mask);
 
-    sa.sa_handler = gt_quit_handler;
+    sa.sa_handler = gt_sa_handler;
     sigaction(SIGINT, &sa, NULL);
     sigaction(SIGQUIT, &sa, NULL);
     sigaction(SIGTERM, &sa, NULL);
@@ -46,7 +49,19 @@ gt_set_signal(void)
 static int
 gt_version(int argc, char **argv)
 {
-    printf(PACKAGE_VERSION "\n");
+    struct argz version_argz[] = {
+        {"libsodium", NULL, NULL, argz_option},
+        {NULL}};
+
+    if (argz(version_argz, argc, argv))
+        return 1;
+
+    if (argz_is_set(version_argz, "libsodium")) {
+        printf("%s\n", sodium_version_string());
+    } else {
+        printf("%s\n", PACKAGE_VERSION);
+    }
+
     return 0;
 }
 

src/path.c

@@ -4,10 +4,76 @@
 
 #include <stdio.h>
 #include <sys/socket.h>
+#include <unistd.h>
 
 #include "../argz/argz.h"
 
-int
+static void
+gt_path_print_status(struct mud_path *path, int term)
+{
+    char bindstr[INET6_ADDRSTRLEN];
+    char publstr[INET6_ADDRSTRLEN];
+    char peerstr[INET6_ADDRSTRLEN];
+
+    gt_toaddr(bindstr, sizeof(bindstr),
+            (struct sockaddr *)&path->local_addr);
+    gt_toaddr(publstr, sizeof(publstr),
+            (struct sockaddr *)&path->r_addr);
+    gt_toaddr(peerstr, sizeof(peerstr),
+            (struct sockaddr *)&path->addr);
+
+    const char *statestr = NULL;
+
+    switch (path->state) {
+        case MUD_UP:     statestr = "UP";     break;
+        case MUD_BACKUP: statestr = "BACKUP"; break;
+        case MUD_DOWN:   statestr = "DOWN";   break;
+        default:         return;
+    }
+
+    const char *statusstr = path->ok ? "OK" : "DEGRADED";
+
+    printf(term ? "path %s\n"
+            "  status:   %s\n"
+            "  bind:     %s port %"PRIu16"\n"
+            "  public:   %s port %"PRIu16"\n"
+            "  peer:     %s port %"PRIu16"\n"
+            "  mtu:      %zu bytes\n"
+            "  rtt:      %.3f ms\n"
+            "  rttvar:   %.3f ms\n"
+            "  rate tx:  %"PRIu64" bytes/sec\n"
+            "  rate rx:  %"PRIu64" bytes/sec\n"
+            "  total tx: %"PRIu64" packets\n"
+            "  total rx: %"PRIu64" packets\n"
+            : "path %s %s"
+            " %s %"PRIu16
+            " %s %"PRIu16
+            " %s %"PRIu16
+            " %zu"
+            " %.3f %.3f"
+            " %"PRIu64
+            " %"PRIu64
+            " %"PRIu64
+            " %"PRIu64
+            "\n",
+        statestr,
+        statusstr,
+        bindstr[0] ? bindstr : "-",
+        gt_get_port((struct sockaddr *)&path->local_addr),
+        publstr[0] ? publstr : "-",
+        gt_get_port((struct sockaddr *)&path->r_addr),
+        peerstr[0] ? peerstr : "-",
+        gt_get_port((struct sockaddr *)&path->addr),
+        path->mtu.ok,
+        (double)path->rtt.val / 1e3,
+        (double)path->rtt.var / 1e3,
+        path->rate_tx,
+        path->rate_rx,
+        path->send.total,
+        path->recv.total);
+}
+
+static int
 gt_path_status(int fd)
 {
     struct ctl_msg req = {
@@ -17,64 +83,29 @@ gt_path_status(int fd)
     if (send(fd, &req, sizeof(struct ctl_msg), 0) == -1)
         return -1;
 
-    do {
+    struct mud_path path[MUD_PATH_MAX];
+    int count = 0;
+
+    while (1) {
         if (recv(fd, &res, sizeof(struct ctl_msg), 0) == -1)
             return -1;
 
         if (res.type != req.type)
             return -2;
 
-        if (!res.ret)
-            return 0;
+        if (res.ret == EAGAIN) {
+            memcpy(&path[count], &res.path_status, sizeof(struct mud_path));
+            count++;
+        } else if (res.ret) {
+            errno = res.ret;
+            return -1;
+        } else break;
+    }
 
-        char bindstr[INET6_ADDRSTRLEN];
-        char publstr[INET6_ADDRSTRLEN];
-        char peerstr[INET6_ADDRSTRLEN];
+    int term = isatty(1);
 
-        gt_toaddr(bindstr, sizeof(bindstr),
-                  (struct sockaddr *)&res.path_status.local_addr);
-        gt_toaddr(publstr, sizeof(publstr),
-                  (struct sockaddr *)&res.path_status.r_addr);
-        gt_toaddr(peerstr, sizeof(peerstr),
-                  (struct sockaddr *)&res.path_status.addr);
-
-        const char *statestr = NULL;
-
-        switch (res.path_status.state) {
-            case MUD_UP:     statestr = "UP";     break;
-            case MUD_BACKUP: statestr = "BACKUP"; break;
-            case MUD_DOWN:   statestr = "DOWN";   break;
-            default:         return -2;
-        }
-
-        printf("path %s\n"
-               "  bind:     %s port %"PRIu16"\n"
-               "  public:   %s port %"PRIu16"\n"
-               "  peer:     %s port %"PRIu16"\n"
-               "  mtu:      %zu bytes\n"
-               "  rtt:      %.3f ms\n"
-               "  rttvar:   %.3f ms\n"
-               "  upload:   %"PRIu64" bytes/s (max: %"PRIu64")\n"
-               "  download: %"PRIu64" bytes/s (max: %"PRIu64")\n"
-               "  output:   %"PRIu64" packets\n"
-               "  input:    %"PRIu64" packets\n",
-               statestr,
-               bindstr[0] ? bindstr : "-",
-               gt_get_port((struct sockaddr *)&res.path_status.local_addr),
-               publstr[0] ? publstr : "-",
-               gt_get_port((struct sockaddr *)&res.path_status.r_addr),
-               peerstr[0] ? peerstr : "-",
-               gt_get_port((struct sockaddr *)&res.path_status.addr),
-               res.path_status.mtu.ok,
-               res.path_status.rtt/(double)1e3,
-               res.path_status.rttvar/(double)1e3,
-               res.path_status.r_rate,
-               res.path_status.r_ratemax,
-               res.path_status.recv.rate,
-               res.path_status.recv.ratemax,
-               res.path_status.send.total,
-               res.path_status.recv.total);
-    } while (res.ret == EAGAIN);
+    for (int i = 0; i < count; i++)
+        gt_path_print_status(&path[i], term);
 
     return 0;
 }
@@ -88,10 +119,16 @@ gt_path(int argc, char **argv)
         .type = CTL_STATE,
     }, res = {0};
 
+    struct argz ratez[] = {
+        {"tx", "BYTES/SEC", &req.path.rate_tx, argz_bytes},
+        {"rx", "BYTES/SEC", &req.path.rate_rx, argz_bytes},
+        {NULL}};
+
     struct argz pathz[] = {
         {NULL, "IPADDR", &req.path.addr, argz_addr},
         {"dev", "NAME", &dev, argz_str},
         {"up|backup|down", NULL, NULL, argz_option},
+        {"rate", NULL, &ratez, argz_option},
         {NULL}};
 
     if (argz(pathz, argc, argv))
@@ -124,6 +161,8 @@ gt_path(int argc, char **argv)
         if (ret == -2)
             gt_log("bad reply from server\n");
     } else {
+        req.path.state = MUD_EMPTY;
+
         if (argz_is_set(pathz, "up")) {
             req.path.state = MUD_UP;
         } else if (argz_is_set(pathz, "backup")) {
@@ -132,8 +171,7 @@ gt_path(int argc, char **argv)
             req.path.state = MUD_DOWN;
         }
 
-        if (req.path.state)
-            ret = ctl_reply(fd, &res, &req);
+        ret = ctl_reply(fd, &res, &req);
     }
 
     if (ret == -1)
@@ -141,5 +179,5 @@ gt_path(int argc, char **argv)
 
     ctl_delete(fd);
 
-    return 0;
+    return !!ret;
 }

src/set.c

@@ -45,24 +45,6 @@ gt_set_kxtimeout(int fd, unsigned long ms)
     return 0;
 }
 
-static int
-gt_set_timeout(int fd, unsigned long ms)
-{
-    struct ctl_msg res, req = {
-        .type = CTL_TIMEOUT,
-        .ms = ms,
-    };
-
-    int ret = ctl_reply(fd, &res, &req);
-
-    if (ret) {
-        perror("set timeout");
-        return 1;
-    }
-
-    return 0;
-}
-
 static int
 gt_set_timetolerance(int fd, unsigned long ms)
 {
@@ -132,7 +114,6 @@ gt_set(int argc, char **argv)
     size_t mtu;
     int tc;
     unsigned long kxtimeout;
-    unsigned long timeout;
     unsigned long timetolerance;
 
     struct argz pathz[] = {
@@ -140,7 +121,6 @@ gt_set(int argc, char **argv)
         {"mtu", "BYTES", &mtu, argz_bytes},
         {"tc", "CS|AF|EF", &tc, gt_argz_tc},
         {"kxtimeout", "SECONDS", &kxtimeout, argz_time},
-        {"timeout", "SECONDS", &timeout, argz_time},
         {"timetolerance", "SECONDS", &timetolerance, argz_time},
         {NULL}};
 
@@ -177,9 +157,6 @@ gt_set(int argc, char **argv)
     if (argz_is_set(pathz, "kxtimeout"))
         ret |= gt_set_kxtimeout(fd, kxtimeout);
 
-    if (argz_is_set(pathz, "timeout"))
-        ret |= gt_set_timeout(fd, timeout);
-
     if (argz_is_set(pathz, "timetolerance"))
         ret |= gt_set_timetolerance(fd, timetolerance);
 

src/show.c

@@ -9,6 +9,7 @@
 #include <dirent.h>
 #include <sys/un.h>
 #include <arpa/inet.h>
+#include <unistd.h>
 
 static int
 gt_show_dev_status(int fd, const char *dev)
@@ -27,12 +28,20 @@ gt_show_dev_status(int fd, const char *dev)
     int server = gt_toaddr(peerstr, sizeof(peerstr),
                            (struct sockaddr *)&res.status.peer);
 
+    int term = isatty(1);
+
     if (server) {
-        printf("server %s:\n"
-               "  pid:       %li\n"
-               "  bind:      %s port %"PRIu16"\n"
-               "  mtu:       %zu\n"
-               "  cipher:    %s\n",
+        printf(term ? "server %s:\n"
+                      "  pid:       %li\n"
+                      "  bind:      %s port %"PRIu16"\n"
+                      "  mtu:       %zu\n"
+                      "  cipher:    %s\n"
+                    : "server %s"
+                      " %li"
+                      " %s %"PRIu16
+                      " %zu"
+                      " %s"
+                      "\n",
                dev,
                res.status.pid,
                bindstr[0] ? bindstr : "-",
@@ -40,12 +49,19 @@ gt_show_dev_status(int fd, const char *dev)
                res.status.mtu,
                res.status.chacha ? "chacha20poly1305" : "aes256gcm");
     } else {
-        printf("client %s:\n"
-               "  pid:       %li\n"
-               "  bind:      %s port %"PRIu16"\n"
-               "  peer:      %s port %"PRIu16"\n"
-               "  mtu:       %zu\n"
-               "  cipher:    %s\n",
+        printf(term ? "client %s:\n"
+                      "  pid:       %li\n"
+                      "  bind:      %s port %"PRIu16"\n"
+                      "  peer:      %s port %"PRIu16"\n"
+                      "  mtu:       %zu\n"
+                      "  cipher:    %s\n"
+                    : "client %s"
+                      " %li"
+                      " %s %"PRIu16
+                      " %s %"PRIu16
+                      " %zu"
+                      " %s"
+                      "\n",
                dev,
                res.status.pid,
                bindstr[0] ? bindstr : "-",
@@ -95,10 +111,8 @@ gt_show(int argc, char **argv)
     if (argz(showz, argc, argv))
         return 1;
 
-    if (dev) {
-        gt_show_dev(dev);
-        return 0;
-    }
+    if (dev)
+        return !!gt_show_dev(dev);
 
     DIR *dp = opendir(GT_RUNDIR);
 
@@ -109,14 +123,15 @@ gt_show(int argc, char **argv)
         return 1;
     }
 
+    int ret = 0;
     struct dirent *d = NULL;
 
     while (d = readdir(dp), d) {
         if (d->d_name[0] != '.')
-            gt_show_dev(d->d_name);
+            ret |= !!gt_show_dev(d->d_name);
     }
 
     closedir(dp);
 
-    return 0;
+    return ret;
 }

src/str.h

@@ -31,32 +31,3 @@ str_len(const char *restrict str, size_t len)
 
     return strnlen(str, len);
 }
-
-static inline size_t
-str_cat(char *dst, size_t dst_len, const char **src, size_t count)
-{
-    if (count && !src)
-        return 0;
-
-    size_t len = 0;
-
-    for (size_t i = 0; i < count && dst_len > len; i++) {
-        size_t n = str_len(src[i], dst_len - len);
-
-        if (dst && n)
-            memmove(&dst[len], src[i], n);
-
-        len += n;
-    }
-
-    if (dst)
-        dst[len] = 0;
-
-    return len;
-}
-
-static inline size_t
-str_cpy(char *dst, size_t dst_len, const char *src)
-{
-    return str_cat(dst, dst_len, &src, 1);
-}

src/tun.c

@@ -32,9 +32,9 @@
 static int
 tun_create_by_id(char *name, size_t len, unsigned id)
 {
-    int ret = snprintf(name, len + 1, "utun%u", id);
+    int ret = snprintf(name, len, "utun%u", id);
 
-    if (ret <= 0 || ret > len) {
+    if (ret <= 0 || (size_t)ret >= len) {
         errno = EINVAL;
         return -1;
     }
@@ -44,8 +44,9 @@ tun_create_by_id(char *name, size_t len, unsigned id)
     if (fd == -1)
         return -1;
 
-    struct ctl_info ci = {0};
-    str_cpy(ci.ctl_name, sizeof(ci.ctl_name) - 1, UTUN_CONTROL_NAME);
+    struct ctl_info ci = {
+        .ctl_name = UTUN_CONTROL_NAME,
+    };
 
     if (ioctl(fd, CTLIOCGINFO, &ci)) {
         int err = errno;
@@ -92,14 +93,20 @@ tun_create_by_name(char *name, size_t len, const char *dev_name)
 static int
 tun_create_by_name(char *name, size_t len, const char *dev_name)
 {
+    int ret = snprintf(name, len, "%s", dev_name);
+
+    if (ret <= 0 || (size_t)ret >= len) {
+        errno = EINVAL;
+        return -1;
+    }
+
     struct ifreq ifr = {
         .ifr_flags = IFF_TUN | IFF_NO_PI,
     };
 
-    const size_t ifr_len = sizeof(ifr.ifr_name) - 1;
+    ret = snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", dev_name);
 
-    if ((len < ifr_len) ||
-        (str_len(dev_name, ifr_len + 1) > ifr_len)) {
+    if (ret <= 0 || (size_t)ret >= sizeof(ifr.ifr_name)) {
         errno = EINVAL;
         return -1;
     }
@@ -109,8 +116,6 @@ tun_create_by_name(char *name, size_t len, const char *dev_name)
     if (fd == -1)
         return -1;
 
-    str_cpy(ifr.ifr_name, ifr_len, dev_name);
-
     if (ioctl(fd, TUNSETIFF, &ifr)) {
         int err = errno;
         close(fd);
@@ -118,8 +123,6 @@ tun_create_by_name(char *name, size_t len, const char *dev_name)
         return -1;
     }
 
-    str_cpy(name, len, ifr.ifr_name);
-
     return fd;
 }
 
@@ -128,22 +131,13 @@ tun_create_by_name(char *name, size_t len, const char *dev_name)
 static int
 tun_create_by_name(char *name, size_t len, const char *dev_name)
 {
-    char tmp[128];
+    int ret = snprintf(name, len, "/dev/%s", dev_name);
 
-    int ret = snprintf(tmp, sizeof(tmp), "/dev/%s", dev_name);
-
-    if (ret <= 0 || ret >= sizeof(tmp)) {
+    if (ret <= 0 || (size_t)ret >= len) {
         errno = EINVAL;
         return -1;
     }
 
-    if (str_cpy(name, len, dev_name) == len) {
-        if (str_len(dev_name, len + 1) > len) {
-            errno = EINVAL;
-            return -1;
-        }
-    }
-
     return open(tmp, O_RDWR);
 }
 
@@ -153,10 +147,9 @@ static int
 tun_create_by_id(char *name, size_t len, unsigned id)
 {
     char tmp[64];
-
     int ret = snprintf(tmp, sizeof(tmp), "tun%u", id);
 
-    if (ret <= 0 || ret >= sizeof(tmp)) {
+    if (ret <= 0 || (size_t)ret >= sizeof(tmp)) {
         errno = EINVAL;
         return -1;
     }
@@ -201,17 +194,17 @@ tun_read(int fd, void *data, size_t size)
         },
     };
 
-    ssize_t ret = readv(fd, iov, 2);
+    int ret = (int)readv(fd, iov, 2);
 
-    if (ret <= (ssize_t)0)
+    if (ret <= 0)
         return ret;
 
-    if (ret <= (ssize_t)sizeof(family))
+    if ((size_t)ret <= sizeof(family))
         return 0;
 
-    return ret - sizeof(family);
+    return ret - (int)sizeof(family);
 #else
-    return read(fd, data, size);
+    return (int)read(fd, data, size);
 #endif
 }
 
@@ -224,7 +217,7 @@ tun_write(int fd, const void *data, size_t size)
 #ifdef GT_BSD_TUN
     uint32_t family;
 
-    switch (ip_get_version(data)) {
+    switch (ip_get_version(data, (int)size)) {
     case 4:
         family = htonl(AF_INET);
         break;
@@ -247,17 +240,17 @@ tun_write(int fd, const void *data, size_t size)
         },
     };
 
-    ssize_t ret = writev(fd, iov, 2);
+    int ret = (int)writev(fd, iov, 2);
 
-    if (ret <= (ssize_t)0)
+    if (ret <= 0)
         return ret;
 
-    if (ret <= (ssize_t)sizeof(family))
+    if ((size_t)ret <= sizeof(family))
         return 0;
 
-    return ret - sizeof(family);
+    return ret - (int)sizeof(family);
 #else
-    return write(fd, data, size);
+    return (int)write(fd, data, size);
 #endif
 }
 

systemd/glorytun-setup

@@ -59,7 +59,9 @@ TABLE=200
 # keep the current route to HOST
 SRC=$(ip route get "$HOST" | awk '/src/{getline;print $0}' RS=' ')
 ip rule add from "$SRC" table main pref "$((PREF-1))" || true
-glorytun path up "$SRC" dev "$DEV"
+
+# limit to 100Mbit by default
+glorytun path up "$SRC" dev "$DEV" rate rx 12500000 tx 12500000
 
 # forward everything else to the tunnel
 ip rule add from all table "$TABLE" pref "$PREF" || true

version.sh

@@ -1,12 +1,15 @@
 #!/bin/sh
 
-[ -z "${VERSION}" ] && VERSION="$(git describe --tags --match='v[0-9].*' 2>/dev/null)" \
-                    && VERSION="${VERSION#v}"
+export GIT_DIR=.git
+export GIT_WORK_TREE=.
 
-[ -z "${VERSION}" ] && VERSION="$(git rev-parse HEAD 2>/dev/null)"
+[ -z "$VERSION" ] && VERSION="$(git describe --tags --match='v[0-9].*' 2>/dev/null)" \
+                  && VERSION="${VERSION#v}"
 
-[ -z "${VERSION}" ] && VERSION="$(cat VERSION 2>/dev/null)"
+[ -z "$VERSION" ] && VERSION="$(git rev-parse HEAD 2>/dev/null)"
 
-[ -z "${VERSION}" ] && VERSION="0.0.0"
+[ -z "$VERSION" ] && VERSION="$(cat VERSION 2>/dev/null)"
 
-printf "%s" "${VERSION}" | tee VERSION
+[ -z "$VERSION" ] && VERSION="0.0.0"
+
+printf "%s" "$VERSION" | tee VERSION