Fabrice Bellet [Wed, 20 May 2020 12:25:17 +0000 (14:25 +0200)]
conncheck: add a check to move into the ready state after a pair failed
This patch tries to move the component state from connected to ready in
places where a pair may fail. Consequently, the final check done after
the expiration of the idle timeout can be removed, assuming that
transitions are done as soon as they occur.
The only place where such a situation has been observed in a real world
stress test is a 401 unauthorized stun error received in
priv_map_reply_to_conn_check_request(), when the conncheck contains a
local and a remote candidate, both of type host, with an identical IP
address and port number (two boxes with a private network using the same
subnet). In such a case, a stun request to the remote candidate will
reach the local candidate instead, and will logically fail.
Olivier Crête [Fri, 22 May 2020 22:18:15 +0000 (18:18 -0400)]
gitignore: Remove in-tree built files
Meson always does out of tree builds
Olivier Crête [Fri, 22 May 2020 22:07:30 +0000 (18:07 -0400)]
agent: Remove test that is not required
The stream and component pointers are always valid there.
Olivier Crête [Fri, 22 May 2020 21:35:14 +0000 (17:35 -0400)]
gitlab-ci: Put image at the top
Olivier Crête [Fri, 31 Jan 2020 16:31:48 +0000 (16:31 +0000)]
gitlab-ci: Rename tasks to not say meson
They're always meson now.
Tim-Philipp Müller [Fri, 31 Jan 2020 16:31:48 +0000 (16:31 +0000)]
Remove autotools build
Remove dist check on the CI, since it doesn't really
add anything in the Meson case (tarball is based
on files checked into git and srcdir != builddir).
Olivier Crête [Fri, 22 May 2020 19:58:01 +0000 (15:58 -0400)]
version 0.1.17.1
Olivier Crête [Fri, 22 May 2020 19:41:19 +0000 (15:41 -0400)]
version 0.1.17
Olivier Crête [Fri, 22 May 2020 19:32:22 +0000 (15:32 -0400)]
meson: Remove Wextra from options
meson already sets it on warning_level >= 2
Olivier Crête [Fri, 22 May 2020 03:09:19 +0000 (23:09 -0400)]
meson: Actually make meson generate the compat Makefile
The previous patch didn't get triggered
Olivier Crête [Fri, 22 May 2020 19:51:42 +0000 (15:51 -0400)]
Makefile.am: Add dist meson friendly test
Olivier Crête [Fri, 22 May 2020 14:36:52 +0000 (10:36 -0400)]
meson: Make gtkdoc-check work with older gtk-doc
Older gtkdoc versions expect to find a Makefile, so generate
a fake one with the information it wants.
Olivier Crête [Fri, 22 May 2020 03:09:19 +0000 (23:09 -0400)]
meson: Run gtkdoc-check
Olivier Crête [Fri, 22 May 2020 18:35:59 +0000 (14:35 -0400)]
gitlab-ci: Disable gtkdoc when doing valgrind
Olivier Crête [Fri, 22 May 2020 03:09:01 +0000 (23:09 -0400)]
gitignore: Don't ignore libnice-docs.txt
Olivier Crête [Fri, 22 May 2020 15:17:28 +0000 (11:17 -0400)]
test-new-trickle: No need to be connected to receive data
Fabrice Bellet [Tue, 19 May 2020 11:58:55 +0000 (13:58 +0200)]
conncheck: do not always remove pair in triggered check list
This patch reenables an interesting side effect that existed before
commit 263c0903, when the state of a pair in the triggered check
list was changed to in-progress. Such "triggered" pairs with this state
were selectively pruned from the conncheck list according to their
priority in priv_prune_pending_checks(), meaning that pairs with a high
priority were conserved, and quickly rechecked.
Retrospectively, I suspect that this side effect was the initial
motivation for changing the state of a "triggered" pair.
Commit 263c0903 disabled that behaviour, for the sake of clarity, but it
seems important to restore it, because these "triggered" pairs are often
retriggered for a good reason, and frequently lead to a nominated pair.
And losing the opportunity to nominate a pair may be critical in
controlled role when the peer agent is in aggressive nomination mode.
Olivier Crête [Fri, 8 May 2020 23:08:20 +0000 (19:08 -0400)]
agent: Don't hold hard ref while removing stream
The timeout has a weak ref that should be enough.
Olivier Crête [Wed, 13 May 2020 21:52:18 +0000 (17:52 -0400)]
valgrind supp: Add updated glibc suppressions
Fabrice Bellet [Mon, 18 May 2020 12:16:12 +0000 (14:16 +0200)]
conncheck: clear the retransmit flag when the stun list is empty
This patch ensures that the retransmit flag is more tightly in sync with
the stun transaction list, by now clearing it when the list becomes
empty. It makes the code a bit more readable by dropping some cases. In
a couple of places, the retransmit flag was also used as a way to
compare the priority of a pair and the priority of the selected pair.
Fabrice Bellet [Sun, 17 May 2020 21:08:12 +0000 (23:08 +0200)]
conncheck: add a missing component state transition
When reactivating a high priority pair, we have to change back the
component state from ready to connected, since there is a new pair to be
tested.
The case of the succeeded pair is also a bit simplified, the invocation
of the function conn_check_update_check_list_state_for_ready() to
complete the ready - connected - ready flip-flop transition is not
required for the trickle test any longer.
Fabrice Bellet [Sun, 17 May 2020 21:06:37 +0000 (23:06 +0200)]
conncheck: remove a redundant test
This test is redundant with the previous one.
Fabrice Bellet [Sun, 17 May 2020 20:59:48 +0000 (22:59 +0200)]
conncheck: do not change the pair state in triggered check queue
We prefer to not change the state of the pair, when it is added to the
triggered check queue. Previously its state was changed to in-progress,
which was a bit misleading, as it somewhat anticipated a future state.
Fabrice Bellet [Sun, 17 May 2020 20:51:21 +0000 (22:51 +0200)]
conncheck: handle the consequence when a pair is not created
Since commit fcd6bc86 a pair is not always created, when its priority
is lower than the selected pair priority. We have to deal with this
possibility when calling the function priv_add_new_check_pair().
More precisely, the component state update really requires the addition
of a new pair.
Fabrice Bellet [Tue, 12 May 2020 18:13:18 +0000 (20:13 +0200)]
conncheck: rework the stun requests ordering per timer tick
With this patch, we merge the two variables stun_sent and
keep_timer_going. The three functions that are a possible source of a
new stun request return a boolean value stating if a request has been
sent. The semantic of keep_timer_going can now be deduced from
stun_sent and from the result of priv_conn_check_stream_nominate().
The trick that makes this merge possible is to repurpose the return
value of priv_conn_check_tick_stream(), because keep_timer_going set
when the conncheck list contains in-progress pairs in this function is
redundant with the same check later in function
priv_conn_check_tick_stream_nominate().
Fabrice Bellet [Mon, 11 May 2020 10:05:14 +0000 (12:05 +0200)]
conncheck: explicitly order the type of stun requests per timer tick
With this patch, we try to make more explicit the process order between
the different types of stun requests, according that only one request is
sent per callback timer tick, ie every 20ms, to respect the stun pacing
of the spec. We implement the following priority:
* triggered checks
* stun retransmissions
* ordinary checks
In a concrete case, while a stream has stun requests related to
triggered checks to be sent, all other stun transactions are delayed to
the next timer ticks.
The goal of this patch is to make this priority explicit, and more
easily swappable if needed. Triggered checks have more probability to
succeed than stun retransmissions, this is the reason why they are
handled before. Ordinary checks on the contrary can be performed on a
lower priority basis, after all other stun requests.
The problem that can be sometimes observed with a large number of stun
transactions is that stun retransmissions may suffer from a delay after
they have reached their deadline. This delay should remain small thanks
to the design of the initial retransmission timer (RTO), that takes into
account the overall number of scheduled stun requests. It allows all
stun requests to be sent and resent at a predefined "pacing" frequency
without much extra delay.
This ordering is not perfect, because stun requests of a given type are
examined per-stream, by looking at the first stream before the others,
so it introduces a natural priority for the first stream.
Olivier Crête [Wed, 13 May 2020 23:47:11 +0000 (19:47 -0400)]
gitlab-ci: Actually ignore mingw failure
Olivier Crête [Wed, 13 May 2020 23:47:11 +0000 (19:47 -0400)]
gitlab-ci: Ignore mingw failure for now
Olivier Crête [Tue, 12 May 2020 20:04:25 +0000 (16:04 -0400)]
gitlab-ci: Upload build logs as artifacts on Win
Olivier Crête [Fri, 8 May 2020 23:14:43 +0000 (19:14 -0400)]
README: Update for meson
Also, update the RFC numbers that are implemented.
Fabrice Bellet [Sun, 3 May 2020 15:39:09 +0000 (17:39 +0200)]
conncheck: fix try-alternate on tcp turn sockets
In OC2007R2 compatibility mode, we observed the behaviour of a skype
turn server, when returning code 300 (try-alternate) stun error on its
tls connections. This value is returned apparently when the turn server
is overloaded already.
We noticed that the actual code in priv_handle_turn_alternate_server()
cannot handle a non-udp turn server, because a tcp one would require
to create a new socket.
But, even when creating such a new socket stack (tcp-bsd socket +
pseudossl socket), libnice still fails to establish a new connection to
the alternate server on port 443, in a very systematic way. I'm not sure
whether this problem is specific to this skype server infrastructure
(the skype client fails in a similar way). Anyway, this code path works
as expected with a non-microsoft turn server (tested with coturn).
Fabrice Bellet [Wed, 6 May 2020 12:09:08 +0000 (14:09 +0200)]
agent: fix tcp connection to turn servers
A previous commit broke the logic used to start a discovery request for
tcp turn servers. The ambiguity came from the distinction between the
type of the turn server (turn->type), the compatibility of the
transport of the local base candidate (turn_tcp), and the reliability
of the underlying tcp socket (reliable_tcp).
reliable_tcp indicates whether the turn allocate request should be
"framed" in a tcp packet, according to RFC 4571. This is required in
OC2007R2 only.
This commit also puts the setup of the tcp turn socket in a separate
function, because such setup is also required when handling
try-alternate (code 300) stun errors on these tcp sockets, where we have
to setup a new connection to another tcp turn server.
Fabrice Bellet [Thu, 7 May 2020 19:24:09 +0000 (21:24 +0200)]
conncheck: ignore refreshes for tls turn server for OC2007R2
Relay candidates obtained from TLS turn server don't have to be
refreshed in OC2007R2 compatibility mode.
Fabrice Bellet [Sun, 3 May 2020 15:35:22 +0000 (17:35 +0200)]
conncheck: send udp turn refreshes in oc2007r2 compatibility mode too
Olivier Crête [Fri, 8 May 2020 18:31:59 +0000 (14:31 -0400)]
meson: Move glib wrap to download
Fabrice Bellet [Mon, 20 Apr 2020 21:21:17 +0000 (23:21 +0200)]
conncheck: make a single ordinary check per callback
This is more friendly with stun pacing.
Fabrice Bellet [Thu, 16 Apr 2020 17:57:27 +0000 (19:57 +0200)]
conncheck: improve places where the conncheck list is dumped
Fabrice Bellet [Thu, 23 Apr 2020 15:12:41 +0000 (17:12 +0200)]
agent: stay in aggressive mode after stun requests have been sent
This patch updates the previous commit "agent: stay in aggressive mode
after conncheck has started", by accepting to switch from aggressive to
regular mode, while no stun request has been sent. It gives the agent
some extra delay to still accept remote tcp candidates, after its state
already changed from gathering to connecting.
Fabrice Bellet [Tue, 14 Apr 2020 15:25:24 +0000 (17:25 +0200)]
stun: update timer timeout and retransmissions
This patch updates the stun timing constants and provides the rationale
with the choice of these new values, in the context of the ice
connection check algorithm.
One important value during the discovery state is the combination of the
initial timeout and the number of retransmissions, because this state
may complete after the last stun discovery binding request has timed
out. With the combination of 500ms and 3 retransmissions, the discovery
state is bound to 2000ms to discover server reflexive and relay
candidates.
The retransmission delay doubles at each retransmission except for the
last one. Generally, this state will complete sooner, when all
discovery requests get a reply before the timeout.
Another mechanism is used during the connection check, where an stun
request is sent with an initial timeout defined by :
RTO = MAX(500ms, Ta * (number of in-progress + waiting pairs))
with Ta = 20ms
The initial timeout is bounded by a minimum value, 500ms, and scales
linearly depending on the number of pairs on the way to be emitted. The
same number of retransmissions as in the discovery state is used
during the connection check. The total time to wait for a pair to fail
is then RTO + 2*RTO + RTO = 4*RTO with 3 retransmissions.
On a typical laptop setup, with a wired and a wifi interface with
IPv4/IPv6 dual stack, a link-local and a link-global IPv6 address, a
couple of virtual addresses, a server-reflexive address, a turn relay
one, we end up with a total of 90 local candidates for 2 streams and 2
components each. The connection checks list includes up to 200 pairs
when tcp pairs are discarded, with :
<33 in-progress and waiting pairs in 50% cases (RTO = 660ms),
<55 in-progress and waiting pairs in 90% cases (RTO = 1100ms),
and up to 86 in-progress and waiting pairs (RTO = 1720ms)
The number of retransmission of 3 seems to be quite robust to handle
sporadic packets loss, if we consider for example a typical packet loss
frequency of 1% of the overall packets transmitted.
And a relatively large initial timeout is interesting because it reduces
the overall network overhead caused by the stun requests and replies,
measured around 3KB/s during a connection check with 4 components.
Finally, the total time to wait until all retransmissions have completed
and have timed out (2000ms with an initial timeout of 500ms and 3
retransmissions) gives a bound to the worst network latency we can
accept, when no packet is lost on the wire.
Fabrice Bellet [Mon, 13 Apr 2020 16:03:36 +0000 (18:03 +0200)]
conncheck: update the unfreeze method for RFC8445
The way pairs are unfrozen between RFC5245 and RFC8445 changed a bit,
and made the code much more simple. Previously pairs were unfrozen "per
stream", now they are unfrozen "per foundation". The principle of the
priv_conn_check_unfreeze_next function is now to unfreeze one and only
one frozen pair per foundation, all components and streams included.
The function is now idempotent: calling it when the connchecks still
contains waiting pairs does nothing.
Fabrice Bellet [Mon, 13 Apr 2020 15:54:33 +0000 (17:54 +0200)]
conncheck: update stun timer timeout for RFC8445
The new version of the RFC suppressed the difference between reliable
and not reliable maximum value for RTO. We choose to keep the value of
100ms that we used previously, which is lower than the recommended
value, but could be overridden most of the time, when a significant
number of pairs are handled.
We also compute exactly the number of in-progress and waiting
pairs for all streams of the agent, without relying on the value
per-stream, multiplied by the number of active streams.
Fabrice Bellet [Tue, 5 May 2020 15:09:47 +0000 (17:09 +0200)]
conncheck: another rare case of local tcp active candidate matching
An inbound stun request may come on a tcp pair, whose tcp-active socket
has just been created and connected (the local candidate port is zero),
but has not caused the creation of a discovered peer-reflexive local
candidate (with a non-zero port). This inbound request is stored in an
early icheck structure to be replayed later. When being processed after
remote creds have been received, we have to find which local candidate
it belongs to, by matching with the address only, without the port.
Fabrice Bellet [Sun, 3 May 2020 15:26:48 +0000 (17:26 +0200)]
conncheck: socket reliability should not change the conncheck behaviour
An inbound STUN request on a pair having another STUN request already
inflight should generate to new triggered check, no matter the
type of the underlying socket.
Fabrice Bellet [Sun, 3 May 2020 15:22:42 +0000 (17:22 +0200)]
conncheck: inbound stun on tcp passive pairs should trigger a check
An inbound stun request on a newly discovered pair should trigger a
conncheck in the reverse direction, and not promote the pair directly in
state succeeded. This is particularly required if the agent is in
aggressive controlling mode.
Fabrice Bellet [Mon, 20 Apr 2020 21:29:49 +0000 (23:29 +0200)]
conncheck: simplify the test to find a matching local candidate
Since we keep a relation between a succeeded and its discovered pair, we
can just test for the socket associated to a given pair, and eventually
follow the link to the parent succeeded pair.
Fabrice Bellet [Mon, 20 Apr 2020 21:24:21 +0000 (23:24 +0200)]
conncheck: properly select tcp-active discovered candidate
Some tcp-active discovered peer-reflexive local candidates may only be
recognised by their local socket, if they have the same address and same
port. It may happen when a nat generates an identical mapping from two
different base local candidates.
Fabrice Bellet [Sun, 5 Apr 2020 19:02:47 +0000 (21:02 +0200)]
stun: set delay in retransmission instead of adding it
We may have situation when stun_timer_refresh is called with a
significant delay after the current deadline. In the actual situation,
this delay is just included to the computation of the new deadline of the
next stun retransmission. We think this may lead to unfair situations,
where the next deadline may be too short, just to compensate the first
deadline that was too long.
For example, if a stun request is scheduled with a delay of
200ms for the 2nd transmission, and 400ms for the 3rd transmission,
if stun_timer_remainder() is called 300ms after the start of the
timer, the second delay will last only 300ms, instead of 400ms.
Fabrice Bellet [Thu, 16 Apr 2020 18:01:25 +0000 (20:01 +0200)]
discovery: ensure port number uniqueness agent-wide
The port number must be different for all local host candidates, not
just in the same component, but across all components and all streams.
A candidate ambiguity between a host local host and an identical server
reflexive candidate have more unwanted consequences when it concerns two
different components, because an inbound stun request may be associated
to a wrong component.
Olivier Crête [Wed, 6 May 2020 04:01:37 +0000 (00:01 -0400)]
interfaces: Use the private address detector from NiceAddress
Olivier Crête [Wed, 6 May 2020 04:00:36 +0000 (00:00 -0400)]
address: Make the private IP address detector more complete
Also adds a unit test
Fixes #67
Fabrice Bellet [Sun, 3 May 2020 16:01:35 +0000 (18:01 +0200)]
conncheck: fix some missing loop exit cases
The refresh list may be modified while being iterated
Fabrice Bellet [Sun, 19 Apr 2020 15:16:05 +0000 (17:16 +0200)]
conncheck: add a couple of switch case fallthroughs
Fabrice Bellet [Sat, 29 Feb 2020 10:02:01 +0000 (11:02 +0100)]
conncheck: merge two cascaded conditions
Olivier Crête [Wed, 6 May 2020 01:59:38 +0000 (21:59 -0400)]
interfaces: Use union for sockaddr/sockaddr_in
This makes clang happy
Fixes #100
Fabrice Bellet [Mon, 13 Apr 2020 15:46:13 +0000 (17:46 +0200)]
conncheck: honor the retransmit flag in case of role conflict
This other rare situation happens when a role conflict is detected by an
stun reply message, on a component that already has a nominated pair
with a higher priority. In that case, the retransmit flag should be
honored, and the pair with "role conflict" should not be retransmitted.
Fabrice Bellet [Thu, 9 Apr 2020 14:47:17 +0000 (16:47 +0200)]
conncheck: add missing cases when pruning pending checks
When pruning pending checks (after at least one nominated pair has been
obtained), some supplementary cases need to be handled, to ensure that
the property "all pairs and only the pairs having a higher priority than
the nominated pair should have the stun retransmit flag set" remains
true during the whole conncheck:
- a pair "not to be retransmitted" must be removed from the triggered check
list (because a triggered check would create a new stun request, that
would de facto ignore the retransmit flag)
- an in-progress pair "not to be retransmitted", for which no stun
request has been sent (p->stun_transactions == NULL, a transient
state) must be removed from the conncheck list, just like a waiting
pair.
- a failed pair must have its flag "retransmit" updated too, just like
another pair, since a failed pair could match an inbound check, and
generate a triggered check, based on retransmit flag value : ie only
if this pair has a chance to become a better nominated pair. See
NICE_CHECK_FAILED case in priv_schedule_triggered_check().
Fabrice Bellet [Wed, 8 Apr 2020 15:24:05 +0000 (17:24 +0200)]
conncheck: toggle the retransmit flag when pruning pending checks
The function conn_check_update_retransmit_flag() that was introduced to
reenable the retransmit flag on pairs with higher priority than the
nominated one can be merged in priv_prune_pending_checks(), and its
invocation replaced by conn_check_update_check_list_state_for_ready().
The function priv_prune_pending_checks() can also be tweaked to use
the component selected pair priority, instead of getting it from
the checklist. This function is called when at least one nominated pair
exists, so selected_pair is this nominated pair.
Fabrice Bellet [Wed, 8 Apr 2020 15:16:30 +0000 (17:16 +0200)]
conncheck: discard new pair creation when priority is too low
It is possible to ignore the creation of a new pair whose priority is
lower than the priority of the selected pair, ie the nominated pair with
the highest priority. Such pair would be discarded by a call to
prune_pending_checks(), and if checked, their state would break the
assumption that all pairs with lower priority than the nominated pair
are not retransmitted.
Fabrice Bellet [Sun, 5 Apr 2020 20:13:27 +0000 (22:13 +0200)]
conncheck: optimize pending checks pruning
We use the property that the conncheck list is ordered by
pairs priorities, so we don't have to iterate twice.
Fabrice Bellet [Sun, 5 Apr 2020 19:15:02 +0000 (21:15 +0200)]
conncheck: enable retransmit flag after nominated pair reordering
When an existing peer-reflexive remote candidate is updated to a server
reflexive one, due to the late reception of remote candidates, this
update has several consequences on the conncheck list:
- pair foundations and priorities must be recomputed
- the highest nominated pair may have changed too
- this is not strictly required, but some pairs that had *a lower*
priority than the previously peer-reflexive nominated pair, had
their retransmit flag set to false, for this reason. These pairs may
now have *a higher* priority than the newly promoted nominated pair,
and it is fair in that case to turn their retransmit flag back to
true.
Olivier Crête [Wed, 6 May 2020 00:03:03 +0000 (20:03 -0400)]
Use g_assert_cmp.int() to get better debug logs on crash
Olivier Crête [Tue, 5 May 2020 22:53:02 +0000 (18:53 -0400)]
tests: Replace g_assert (memcmp) with g_assert_cmpmem()
This makes for clearer reports in the CI
Tim-Philipp Müller [Sun, 3 May 2020 09:49:58 +0000 (09:49 +0000)]
candidate: fix compiler warnings on raspbian
candidate.c:351:12: warning: format ‘%lx’ expects argument of
type ‘long unsigned int’, but argument 4/5 has type ‘guint64’
{aka ‘long long unsigned int’} [-Wformat=]
Olivier Crête [Tue, 5 May 2020 20:50:54 +0000 (16:50 -0400)]
test-thread: Use GCond to make sure there is no race
Olivier Crête [Tue, 5 May 2020 03:54:51 +0000 (23:54 -0400)]
test-gstreamer: Use g_debug instead of gst debug
This matches the rest of the tests.
Olivier Crête [Tue, 5 May 2020 03:54:12 +0000 (23:54 -0400)]
test-gstreamer: Use GCond to avoid race condition
This race condition is hit all the time when running the test under
valgrind.
Olivier Crête [Mon, 4 May 2020 23:19:22 +0000 (19:19 -0400)]
meson: Disable check forking, let meson handle the timeout
Fabrice Bellet [Sun, 23 Feb 2020 18:38:08 +0000 (19:38 +0100)]
conncheck: more debug
Fabrice Bellet [Sun, 5 Apr 2020 20:27:38 +0000 (22:27 +0200)]
conncheck: add debug about agent mode
Fabrice Bellet [Wed, 8 Apr 2020 14:59:40 +0000 (16:59 +0200)]
discovery: add the agent pointer to turn debug messages
Fabrice Bellet [Fri, 21 Feb 2020 14:40:56 +0000 (15:40 +0100)]
conncheck: drop some excessively verbose comment
Fabrice Bellet [Sun, 5 Apr 2020 19:11:19 +0000 (21:11 +0200)]
conncheck: wait for a pair until all stun requests are completed
Only the newest stun request may need to be retransmitted, according to
the pair retransmit flag. This is the first element of the
stun_transactions list. Older stun requests are just kept around until
their timeout expires, without retransmission.
The newest stun request is usually the last one that will timeout.
Current code was based on that assumption, causing the pair to fail when
the newest stun request timeout expires. This is not always true, and some
older stun requests may have a greater timeout delay.
So, we should wait until *all* stun requests of a given pair have
reached their timeout.
We also refactor this part of the code, to handle the first stun and the
other stun requests in the same loop.
Fabrice Bellet [Sun, 5 Apr 2020 19:18:55 +0000 (21:18 +0200)]
discovery: use different port numbers for every local host candidates
This constraint is added to handle the situation where the agent runs on
a box doing SNAT on one of its outgoing network interface. The NAT does
usually its best to ensure that source port number is preserved on the
external NAT address and port. This is called "port preservation" in RFC
4787.
When two local host candidates are allowed to have the same source port
number, we increase the risk that a first local host candidate *is* the
NAT mapping address and port of a second local host candidate, because
of the "port preservation" effect. When it happens, a server reflexive
candidate and a host candidate will have the same address and port.
For that situation to happen, a stun request must be emitted from the
internal address first, the NAT mapping doing the port preservation will
be created for the internal address, and when a stun request is sent
from the external address thereafter, a new NAT mapping will be created,
but without port preservation, because the previous mapping already took
that reservation.
The problem will occur on the remote agent, when receiving a stun request
from this address and port, that has no way to know whether it comes from
the host or the server reflexive candidate, if both have been advertised
remotely, resulting in pair type mislabelling.
This case may happen more easily when a source port range is reduced.
Fabrice Bellet [Sun, 5 Apr 2020 18:56:38 +0000 (20:56 +0200)]
agent: stay in aggressive mode after conncheck has started
When remote tcp candidates are received late after the conncheck has
started, RFC 6554 suggests that we switch the nomination mode back from
aggressive to regular. The problem is that some stun requests may
already be inflight with the use-candidate stun flag set, and reverting
to regular mode in that case is too late, because these inflight
requests may nominate a pair on the remote agent, and not on the local
agent. We prefer to just ignore remote tcp candidates that are received
after the component state has reached state CONNECTING.
Fabrice Bellet [Tue, 3 Mar 2020 10:17:04 +0000 (11:17 +0100)]
agent: warn when reaching max number of turn and local addresses
Fabrice Bellet [Tue, 3 Mar 2020 10:13:37 +0000 (11:13 +0100)]
agent: fix boundary test of max turn servers and local addresses
We can accept up to 8 turn servers, with turn preference value
starting at zero. Also fix the error message.
Fabrice Bellet [Thu, 13 Feb 2020 17:50:07 +0000 (18:50 +0100)]
discovery: add a unique local preference value per turn server
This value is built from the position in the component turn servers
list, and from the base address network interface position in the list
of network interfaces. This value is used to ensure a unique candidate
priority for each one. Also ensure that the fields that compose the
local preference don't overlap, by checking their maximum value. See
RFC-8445, section 5.1.2.2 "Guidelines for Choosing Type and Local
Preferences".
Fabrice Bellet [Wed, 12 Feb 2020 15:07:33 +0000 (16:07 +0100)]
conncheck: rename peer-reflexive priority to stun-priority
Fabrice Bellet [Wed, 12 Feb 2020 14:48:12 +0000 (15:48 +0100)]
candidate: ensuring stun priority uniqueness no more needed
The uniqueness of candidate priorities is achieved by the iteration on
the ip local addresses for local host candidates, and also on their base
address for reflexive and relay candidates. Helper function checking
its uniqueness at allocation time is not required anymore.
The priority of the stun request (prflx_priority) is built from the
priority of the local candidate of the pair, according to RFC 5245,
section 7.1.2.1. This priority must be identical to a virtual "local
candidate of type peer-reflexive that would be learned as a consequence
of a check from this local candidate."
Outgoing stun requests will come from local candidates of type host or
type relayed. The priority uniqueness of local candidates of type host
implies the uniqueness of the computed peer-reflexive priority. And
relay local candidates cannot produce a peer-reflexive local candidate
by design, so we can safely use their unique local priority too in
the stun request.
Tim-Philipp Müller [Mon, 4 May 2020 12:01:02 +0000 (13:01 +0100)]
subprojects: bump glib wrap to latest stable branch for msys build
Should fix build failures with latest mingw compiler in msys.
Tim-Philipp Müller [Mon, 4 May 2020 11:52:35 +0000 (12:52 +0100)]
ci: update windows image
The old one (v8) was removed from the gstreamer registry it seems.
Hyunil [Fri, 13 Mar 2020 03:27:20 +0000 (12:27 +0900)]
Enable gstreamer nice plugins
Change-Id: I00ae0a4e6d14d58259419c5f2ff66357e004398a
Signed-off-by: Hyunil <hyunil46.park@samsung.com>
Hyunil [Wed, 11 Mar 2020 09:44:02 +0000 (18:44 +0900)]
apply tizen patches
Change-Id: Ibe72223c8c7e17954f45fdee220febd164a4fd1d
Hyunil [Wed, 11 Mar 2020 09:17:47 +0000 (18:17 +0900)]
Imported Upstream version 0.1.16
Change-Id: I75b5415e8a88ad6988803176da4b64a3e12396c9
Tizen Infrastructure [Wed, 11 Mar 2020 07:26:59 +0000 (07:26 +0000)]
Initial empty repository
Fabrice Bellet [Fri, 21 Feb 2020 14:40:56 +0000 (15:40 +0100)]
conncheck: refactor local and remote candidates validation
The same code to get and validate local and remote candidates from an
incoming stun is shared between regular inbound stun, early checks
replay, and partially in the local peer-reflexive discovery function.
The selection of the matching local and remote candidate from an
incoming stun sometimes requires more information than just the local
socket, and the sender address and port. It happens more frequently when
the port range is reduced, and when the conncheck handles both tcp and
udp candidates.
To help to disambiguate such situations, we add supplementary checks
when two candidates in the list have the same address and port
number:
* the type of the socket must be compatible with the candidate transport.
A socket for a tcp candidate may be active or passive, but also
of type "tcp-bsd" when the parent active or passive socket is
replaced after a bind() or accept(). It gives several cases.
* the remote candidate transport and the local candidate transport must
be compatible
Fabrice Bellet [Thu, 20 Feb 2020 16:05:51 +0000 (17:05 +0100)]
conncheck: match remote candidates on the socket reliability
When the couple (address, port) is identical between two remote
candidates, we may have to match a remote candidate based on its socket
reliability.
Fabrice Bellet [Mon, 17 Feb 2020 15:29:41 +0000 (16:29 +0100)]
conncheck: match transport of peer-reflexive local candidates
Another some rare case, but we may have two local candidates with
the same couple (address, port) and a different transport.
Fabrice Bellet [Mon, 2 Mar 2020 12:23:35 +0000 (13:23 +0100)]
tests: add a unit test for private addresses ranges
This is a unix-only test
Fabrice Bellet [Thu, 13 Feb 2020 15:09:31 +0000 (16:09 +0100)]
interfaces: fix network to host conversion for private addresses
Fabrice Bellet [Wed, 12 Feb 2020 15:29:24 +0000 (16:29 +0100)]
tests: fix local preference based on interface rank in list
The local preference of UDP candidates is (now) determined by the
position of the IP address in the list returned by
nice_interfaces_get_local_ips().
Fabrice Bellet [Wed, 12 Feb 2020 14:40:52 +0000 (15:40 +0100)]
candidate: fix local preferences of udp candidates
udp candidates failed to call nice_candidate_ip_local_preferences()
and were all given the same local preference priority.
Fabrice Bellet [Wed, 19 Feb 2020 20:11:59 +0000 (21:11 +0100)]
agent: enforce turn deallocate stun pacing
In a way similar to other stun packets, we add a delay of Timer TA
(default is 20 ms) between each refresh candidate processing.
Fabrice Bellet [Tue, 18 Feb 2020 13:01:37 +0000 (14:01 +0100)]
conncheck: enforce keepalives stun requests pacing
Keepalives STUN requests should not be sent for each local host
candidate or each selected candidate in the single loop, but with a pacing
of at least Timer TA (default is 20 ms) between each request. It remains
compatible with a pause of Timer TR (default is 20 seconds) between each
keepalives batch.
Fabrice Bellet [Tue, 18 Feb 2020 12:58:09 +0000 (13:58 +0100)]
discovery: enforce stun requests pacing
Only a single STUN request should be sent per discovery tick to enforce
an overall pacing of 20ms per default between two STUN requests.
Stefan Becker [Fri, 28 Feb 2020 18:49:21 +0000 (20:49 +0200)]
interfaces: ignore only interfaces we really want to (II)
This improves commit bd4b47813844aa0e68e9074b3ac516c383ca8bab
There is a second place where this fix is needed.
Olivier Crête [Thu, 13 Feb 2020 21:19:03 +0000 (16:19 -0500)]
gitlab-ci: Disable trigger for now
Olivier Crête [Fri, 10 May 2019 05:23:39 +0000 (01:23 -0400)]
gitlab-ci: Make the documentation acceptable for the website
Jakub Adam [Thu, 13 Feb 2020 19:33:18 +0000 (20:33 +0100)]
conncheck: Connection check reply must have a remote candidate
Ensure that a conncheck reply is coming from an address and port of a
known remote candidate and that the type of incoming socket matches that
candidate's transport.
Attempts to fix a Coverity issue in which no matching remote_candidate
gets found for a connectivity reply in conn_check_handle_inbound_stun()
(apparently due to transport mismatch), yet
priv_map_reply_to_conn_check_request() still successfully matches it
with a previous request.
Jakub Adam [Thu, 13 Feb 2020 18:59:39 +0000 (19:59 +0100)]
conncheck: Typo fix