Merge branch 'dev' into netbsd-support

node/Constants.hpp

@@ -1,6 +1,6 @@
 /*
  * ZeroTier One - Network Virtualization Everywhere
- * Copyright (C) 2011-2016  ZeroTier, Inc.  https://www.zerotier.com/
+ * Copyright (C) 2011-2018  ZeroTier, Inc.  https://www.zerotier.com/
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -14,6 +14,14 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * --
+ *
+ * You can be released from the requirements of the license by purchasing
+ * a commercial license. Buying such a license is mandatory as soon as you
+ * develop commercial closed-source software that incorporates or links
+ * directly against ZeroTier software without disclosing the source code
+ * of your own application.
  */
 
 #ifndef ZT_CONSTANTS_HPP
@@ -52,6 +60,8 @@
 #endif
 
 #ifdef __APPLE__
+#define likely(x) __builtin_expect((x),1)
+#define unlikely(x) __builtin_expect((x),0)
 #include <TargetConditionals.h>
 #ifndef __UNIX_LIKE__
 #define __UNIX_LIKE__
@@ -128,6 +138,28 @@
 #define RTF_MULTICAST   0x20000000
 #endif
 
+#if (defined(__GNUC__) && (__GNUC__ >= 3)) || (defined(__INTEL_COMPILER) && (__INTEL_COMPILER >= 800)) || defined(__clang__)
+#ifndef likely
+#define likely(x) __builtin_expect((x),1)
+#endif
+#ifndef unlikely
+#define unlikely(x) __builtin_expect((x),0)
+#endif
+#else
+#ifndef likely
+#define likely(x) (x)
+#endif
+#ifndef unlikely
+#define unlikely(x) (x)
+#endif
+#endif
+
+#ifdef __WINDOWS__
+#define ZT_PACKED_STRUCT(D) __pragma(pack(push,1)) D __pragma(pack(pop))
+#else
+#define ZT_PACKED_STRUCT(D) D __attribute__((packed))
+#endif
+
 /**
  * Length of a ZeroTier address in bytes
  */
@@ -143,27 +175,15 @@
  */
 #define ZT_ADDRESS_RESERVED_PREFIX 0xff
 
-/**
- * Default payload MTU for UDP packets
- *
- * In the future we might support UDP path MTU discovery, but for now we
- * set a maximum that is equal to 1500 minus 8 (for PPPoE overhead, common
- * in some markets) minus 48 (IPv6 UDP overhead).
- */
-#define ZT_UDP_DEFAULT_PAYLOAD_MTU 1444
-
 /**
  * Default MTU used for Ethernet tap device
  */
-#define ZT_IF_MTU ZT_MAX_MTU
+#define ZT_DEFAULT_MTU 2800
 
 /**
- * Maximum number of packet fragments we'll support
- *
- * The actual spec allows 16, but this is the most we'll support right
- * now. Packets with more than this many fragments are dropped.
+ * Maximum number of packet fragments we'll support (protocol max: 16)
  */
-#define ZT_MAX_PACKET_FRAGMENTS 4
+#define ZT_MAX_PACKET_FRAGMENTS 7
 
 /**
  * Size of RX queue
@@ -173,50 +193,40 @@
  */
 #define ZT_RX_QUEUE_SIZE 64
 
-/**
- * RX queue entries older than this do not "exist"
- */
-#define ZT_RX_QUEUE_EXPIRE 4000
-
 /**
  * Length of secret key in bytes -- 256-bit -- do not change
  */
 #define ZT_PEER_SECRET_KEY_LENGTH 32
 
 /**
- * How often Topology::clean() and Network::clean() and similar are called, in ms
- */
-#define ZT_HOUSEKEEPING_PERIOD 120000
-
-/**
- * Overriding granularity for timer tasks to prevent CPU-intensive thrashing on every packet
+ * Minimum delay between timer task checks to prevent thrashing
  */
 #define ZT_CORE_TIMER_TASK_GRANULARITY 500
 
 /**
- * How long to remember peer records in RAM if they haven't been used
+ * How often Topology::clean() and Network::clean() and similar are called, in ms
  */
-#define ZT_PEER_IN_MEMORY_EXPIRATION 600000
+#define ZT_HOUSEKEEPING_PERIOD 60000
 
 /**
  * Delay between WHOIS retries in ms
  */
-#define ZT_WHOIS_RETRY_DELAY 1000
-
-/**
- * Maximum identity WHOIS retries (each attempt tries consulting a different peer)
- */
-#define ZT_MAX_WHOIS_RETRIES 3
+#define ZT_WHOIS_RETRY_DELAY 500
 
 /**
  * Transmit queue entry timeout
  */
-#define ZT_TRANSMIT_QUEUE_TIMEOUT (ZT_WHOIS_RETRY_DELAY * (ZT_MAX_WHOIS_RETRIES + 1))
+#define ZT_TRANSMIT_QUEUE_TIMEOUT 5000
 
 /**
  * Receive queue entry timeout
  */
-#define ZT_RECEIVE_QUEUE_TIMEOUT (ZT_WHOIS_RETRY_DELAY * (ZT_MAX_WHOIS_RETRIES + 1))
+#define ZT_RECEIVE_QUEUE_TIMEOUT 5000
+
+/**
+ * Maximum latency to allow for OK(HELLO) before packet is discarded
+ */
+#define ZT_HELLO_MAX_ALLOWABLE_LATENCY 120000
 
 /**
  * Maximum number of ZT hops allowed (this is not IP hops/TTL)
@@ -230,11 +240,21 @@
  */
 #define ZT_MULTICAST_LIKE_EXPIRE 600000
 
+/**
+ * Period for multicast LIKE announcements
+ */
+#define ZT_MULTICAST_ANNOUNCE_PERIOD 120000
+
 /**
  * Delay between explicit MULTICAST_GATHER requests for a given multicast channel
  */
 #define ZT_MULTICAST_EXPLICIT_GATHER_DELAY (ZT_MULTICAST_LIKE_EXPIRE / 10)
 
+/**
+ * Expiration for credentials presented for MULTICAST_LIKE or MULTICAST_GATHER (for non-network-members)
+ */
+#define ZT_MULTICAST_CREDENTIAL_EXPIRATON ZT_MULTICAST_LIKE_EXPIRE
+
 /**
  * Timeout for outgoing multicasts
  *
@@ -243,30 +263,34 @@
 #define ZT_MULTICAST_TRANSMIT_TIMEOUT 5000
 
 /**
- * Default maximum number of peers to address with a single multicast (if unspecified in network config)
+ * Delay between checks of peer pings, etc., and also related housekeeping tasks
  */
-#define ZT_MULTICAST_DEFAULT_LIMIT 32
+#define ZT_PING_CHECK_INVERVAL 5000
 
 /**
- * How frequently to send a zero-byte UDP keepalive packet
- *
- * There are NATs with timeouts as short as 20 seconds, so this turns out
- * to be needed.
+ * How frequently to send heartbeats over in-use paths
  */
-#define ZT_NAT_KEEPALIVE_DELAY 19000
+#define ZT_PATH_HEARTBEAT_PERIOD 14000
 
 /**
- * Delay between scans of the topology active peer DB for peers that need ping
- *
- * This is also how often pings will be retried to upstream peers (relays, roots)
- * constantly until something is heard.
+ * Do not accept HELLOs over a given path more often than this
  */
-#define ZT_PING_CHECK_INVERVAL 9500
+#define ZT_PATH_HELLO_RATE_LIMIT 1000
 
 /**
- * Delay between ordinary case pings of direct links
+ * Delay between full-fledge pings of directly connected peers
  */
-#define ZT_PEER_DIRECT_PING_DELAY 60000
+#define ZT_PEER_PING_PERIOD 60000
+
+/**
+ * Paths are considered expired if they have not sent us a real packet in this long
+ */
+#define ZT_PEER_PATH_EXPIRATION ((ZT_PEER_PING_PERIOD * 4) + 3000)
+
+/**
+ * How often to retry expired paths that we're still remembering
+ */
+#define ZT_PEER_EXPIRED_PATH_TRIAL_PERIOD (ZT_PEER_PING_PERIOD * 10)
 
 /**
  * Timeout for overall peer activity (measured from last receive)
@@ -274,19 +298,14 @@
 #define ZT_PEER_ACTIVITY_TIMEOUT 500000
 
 /**
- * Timeout for path activity
+ * General rate limit timeout for multiple packet types (HELLO, etc.)
  */
-#define ZT_PATH_ACTIVITY_TIMEOUT ZT_PEER_ACTIVITY_TIMEOUT
+#define ZT_PEER_GENERAL_INBOUND_RATE_LIMIT 500
 
 /**
- * No answer timeout to trigger dead path detection
+ * General limit for max RTT for requests over the network
  */
-#define ZT_PEER_DEAD_PATH_DETECTION_NO_ANSWER_TIMEOUT 2000
-
-/**
- * Probation threshold after which a path becomes dead
- */
-#define ZT_PEER_DEAD_PATH_DETECTION_MAX_PROBATION 3
+#define ZT_GENERAL_RTT_LIMIT 5000
 
 /**
  * Delay between requests for updated network autoconf information
@@ -306,19 +325,9 @@
 #define ZT_MIN_UNITE_INTERVAL 30000
 
 /**
- * Delay between initial direct NAT-t packet and more aggressive techniques
- *
- * This may also be a delay before sending the first packet if we determine
- * that we should wait for the remote to initiate rendezvous first.
+ * How often should peers try memorized or statically defined paths?
  */
-#define ZT_NAT_T_TACTICAL_ESCALATION_DELAY 1000
-
-/**
- * How long (max) to remember network certificates of membership?
- *
- * This only applies to networks we don't belong to.
- */
-#define ZT_PEER_NETWORK_COM_EXPIRATION 3600000
+#define ZT_TRY_MEMORIZED_PATH_INTERVAL 30000
 
 /**
  * Sanity limit on maximum bridge routes
@@ -334,7 +343,7 @@
 /**
  * If there is no known route, spam to up to this many active bridges
  */
-#define ZT_MAX_BRIDGE_SPAM 16
+#define ZT_MAX_BRIDGE_SPAM 32
 
 /**
  * Interval between direct path pushes in milliseconds
@@ -344,7 +353,7 @@
 /**
  * Time horizon for push direct paths cutoff
  */
-#define ZT_PUSH_DIRECT_PATHS_CUTOFF_TIME 60000
+#define ZT_PUSH_DIRECT_PATHS_CUTOFF_TIME 30000
 
 /**
  * Maximum number of direct path pushes within cutoff time
@@ -353,31 +362,63 @@
  * per CUTOFF_TIME milliseconds per peer to prevent this from being
  * useful for DOS amplification attacks.
  */
-#define ZT_PUSH_DIRECT_PATHS_CUTOFF_LIMIT 5
+#define ZT_PUSH_DIRECT_PATHS_CUTOFF_LIMIT 8
 
 /**
  * Maximum number of paths per IP scope (e.g. global, link-local) and family (e.g. v4/v6)
  */
-#define ZT_PUSH_DIRECT_PATHS_MAX_PER_SCOPE_AND_FAMILY 4
+#define ZT_PUSH_DIRECT_PATHS_MAX_PER_SCOPE_AND_FAMILY 8
 
 /**
- * Enable support for old Dictionary based network configs
+ * Time horizon for VERB_NETWORK_CREDENTIALS cutoff
+ */
+#define ZT_PEER_CREDENTIALS_CUTOFF_TIME 60000
+
+/**
+ * Maximum number of VERB_NETWORK_CREDENTIALS within cutoff time
+ */
+#define ZT_PEER_CREDEITIALS_CUTOFF_LIMIT 15
+
+/**
+ * WHOIS rate limit (we allow these to be pretty fast)
+ */
+#define ZT_PEER_WHOIS_RATE_LIMIT 100
+
+/**
+ * General rate limit for other kinds of rate-limited packets (HELLO, credential request, etc.) both inbound and outbound
+ */
+#define ZT_PEER_GENERAL_RATE_LIMIT 1000
+
+/**
+ * Don't do expensive identity validation more often than this
+ *
+ * IPv4 and IPv6 address prefixes are hashed down to 14-bit (0-16383) integers
+ * using the first 24 bits for IPv4 or the first 48 bits for IPv6. These are
+ * then rate limited to one identity validation per this often milliseconds.
+ */
+#if (defined(__amd64) || defined(__amd64__) || defined(__x86_64) || defined(__x86_64__) || defined(__AMD64) || defined(__AMD64__) || defined(_M_X64) || defined(_M_AMD64))
+// AMD64 machines can do anywhere from one every 50ms to one every 10ms. This provides plenty of margin.
+#define ZT_IDENTITY_VALIDATION_SOURCE_RATE_LIMIT 2000
+#else
+#if (defined(__i386__) || defined(__i486__) || defined(__i586__) || defined(__i686__) || defined(_M_IX86) || defined(_X86_) || defined(__I86__))
+// 32-bit Intel machines usually average about one every 100ms
+#define ZT_IDENTITY_VALIDATION_SOURCE_RATE_LIMIT 5000
+#else
+// This provides a safe margin for ARM, MIPS, etc. that usually average one every 250-400ms
+#define ZT_IDENTITY_VALIDATION_SOURCE_RATE_LIMIT 10000
+#endif
+#endif
+
+/**
+ * How long is a path or peer considered to have a trust relationship with us (for e.g. relay policy) since last trusted established packet?
+ */
+#define ZT_TRUST_EXPIRATION 600000
+
+/**
+ * Enable support for older network configurations from older (pre-1.1.6) controllers
  */
 #define ZT_SUPPORT_OLD_STYLE_NETCONF 1
 
-/**
- * A test pseudo-network-ID that can be joined
- *
- * Joining this network ID will result in a network with no IP addressing
- * and default parameters. No network configuration master will be consulted
- * and instead a static config will be used. This is used in built-in testnet
- * scenarios and can also be used for external testing.
- *
- * This is an impossible real network ID since 0xff is a reserved address
- * prefix.
- */
-#define ZT_TEST_NETWORK_ID 0xffffffffffffffffULL
-
 /**
  * Desired buffer size for UDP sockets (used in service and osdep but defined here)
  */
@@ -387,6 +428,11 @@
 #define ZT_UDP_DESIRED_BUF_SIZE 131072
 #endif
 
+/**
+ * Desired / recommended min stack size for threads (used on some platforms to reset thread stack size)
+ */
+#define ZT_THREAD_MIN_STACK_SIZE 1048576
+
 /* Ethernet frame types that might be relevant to us */
 #define ZT_ETHERTYPE_IPV4 0x0800
 #define ZT_ETHERTYPE_ARP 0x0806
@@ -397,4 +443,13 @@
 #define ZT_ETHERTYPE_IPX_B 0x8138
 #define ZT_ETHERTYPE_IPV6 0x86dd
 
+#define ZT_EXCEPTION_OUT_OF_BOUNDS 100
+#define ZT_EXCEPTION_OUT_OF_MEMORY 101
+#define ZT_EXCEPTION_PRIVATE_KEY_REQUIRED 102
+#define ZT_EXCEPTION_INVALID_ARGUMENT 103
+#define ZT_EXCEPTION_INVALID_SERIALIZED_DATA_INVALID_TYPE 200
+#define ZT_EXCEPTION_INVALID_SERIALIZED_DATA_OVERFLOW 201
+#define ZT_EXCEPTION_INVALID_SERIALIZED_DATA_INVALID_CRYPTOGRAPHIC_TOKEN 202
+#define ZT_EXCEPTION_INVALID_SERIALIZED_DATA_BAD_ENCODING 203
+
 #endif