author | Joseph Henry <josephjah@gmail.com> | 2019-06-12 13:14:23 -0700 |
---|---|---|
committer | Joseph Henry <josephjah@gmail.com> | 2019-06-12 13:14:23 -0700 |
commit | 94bd2918fac33a1bf5ef9ebc4cfe9b4e1709d0f4 (patch) | |
tree | f0893a4811682fed6779ff5fe011f7d3319fb65b | |
parent | c3bfcf560b1db720c9bb08021b50bd31094e737c (diff) | |
parent | 5b2b0887141da25c290608632c2e609764abbf73 (diff) | |
Merge branch 'dev' of http://git.int.zerotier.com/ZeroTier/ZeroTierOne into dev
-rw-r--r-- | controller/EmbeddedNetworkController.cpp | 2 | ||||
-rw-r--r-- | node/Packet.hpp | 1 | ||||
-rw-r--r-- | node/Peer.cpp | 20 | ||||
-rw-r--r-- | node/SelfAwareness.cpp | 85 | ||||
-rw-r--r-- | node/SelfAwareness.hpp | 9 | ||||
-rw-r--r-- | service/README.md | 7 | ||||
-rw-r--r-- | version.h | 4 |
7 files changed, 8 insertions, 120 deletions
diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index cc012929..99c664f0 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -1053,7 +1053,7 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpDELETE(
 json network,member;
 _db->get(nwid,network,address,member);
- _db->eraseMember(nwid, address);
+ _db->eraseMember(nwid, address);
 {
 std::lock_guard<std::mutex> l(_memberStatus_l);
diff --git a/node/Packet.hpp b/node/Packet.hpp
index 8b17bcd0..fcb81489 100644
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@@ -70,7 +70,6 @@
 * 9 - 1.2.0 ... 1.2.14
 * 10 - 1.4.0 ... CURRENT
 * + Multipath capability and load balancing
- * + Certificates of Delegation (CoDs) for full root decentralization
 */
 #define ZT_PROTO_VERSION 10
diff --git a/node/Peer.cpp b/node/Peer.cpp
index 3357bb2a..a0b0c1c4 100644
--- a/node/Peer.cpp
+++ b/node/Peer.cpp
@@ -208,31 +208,12 @@ void Peer::received(
 const uint64_t sinceLastPush = now - _lastDirectPathPushSent;
 if (sinceLastPush >= ZT_DIRECT_PATH_PUSH_INTERVAL) {
 _lastDirectPathPushSent = now;
-
- // Start with explicitly known direct endpoint paths.
 std::vector<InetAddress> pathsToPush(RR->node->directPaths());
-
-#if 0
- // Do symmetric NAT prediction if we are communicating indirectly.
- if (hops > 0) {
- std::vector<InetAddress> sym(RR->sa->getSymmetricNatPredictions());
- for(unsigned long i=0,added=0;i<sym.size();++i) {
- InetAddress tmp(sym[(unsigned long)RR->node->prng() % sym.size()]);
- if (std::find(pathsToPush.begin(),pathsToPush.end(),tmp) == pathsToPush.end()) {
- pathsToPush.push_back(tmp);
- if (++added >= ZT_PUSH_DIRECT_PATHS_MAX_PER_SCOPE_AND_FAMILY)
- break;
- }
- }
- }
-#endif
-
 if (pathsToPush.size() > 0) {
 std::vector<InetAddress>::const_iterator p(pathsToPush.begin());
 while (p != pathsToPush.end()) {
 Packet outp(_id.address(),RR->identity.address(),Packet::VERB_PUSH_DIRECT_PATHS);
 outp.addSize(2); // leave room for count
-
 unsigned int count = 0;
 while ((p != pathsToPush.end())&&((outp.size() + 24) < 1200)) {
 uint8_t addressType = 4;
@@ -257,7 +238,6 @@ void Peer::received(
 ++count;
 ++p;
 }
-
 if (count) {
 outp.setAt(ZT_PACKET_IDX_PAYLOAD,(uint16_t)count);
 outp.compress();
diff --git a/node/SelfAwareness.cpp b/node/SelfAwareness.cpp
index 225d1dc2..0fb9e4a4 100644
--- a/node/SelfAwareness.cpp
+++ b/node/SelfAwareness.cpp
@@ -124,89 +124,4 @@ void SelfAwareness::clean(int64_t now)
 }
 }
-#if 0
-std::vector<InetAddress> SelfAwareness::getSymmetricNatPredictions()
-{
- /* This is based on ideas and strategies found here:
- * https://tools.ietf.org/html/draft-takeda-symmetric-nat-traversal-00
- *
- * For each IP address reported by a trusted (upstream) peer, we find
- the external port most recently reported by ANY peer for that IP.
- *
- * We only do any of this for global IPv4 addresses since private IPs
- * and IPv6 are not going to have symmetric NAT.
- *
- * SECURITY NOTE:
- *
- * We never use IPs reported by non-trusted peers, since this could lead
- * to a minor vulnerability whereby a peer could poison our cache with
- * bad external surface reports via OK(HELLO) and then possibly coax us
- * into suggesting their IP to other peers via PUSH_DIRECT_PATHS. This
- * in turn could allow them to MITM flows.
- *
- * Since flows are encrypted and authenticated they could not actually
- * read or modify traffic, but they could gather meta-data for forensics
- * purposes or use this as a DOS attack vector.
*/
-
- std::map< uint32_t,unsigned int > maxPortByIp;
- InetAddress theOneTrueSurface;
- {
- Mutex::Lock _l(_phy_m);
-
- // First check to see if this is a symmetric NAT and enumerate external IPs learned from trusted peers
- bool symmetric = false;
- {
- Hashtable< PhySurfaceKey,PhySurfaceEntry >::Iterator i(_phy);
- PhySurfaceKey *k = (PhySurfaceKey *)0;
- PhySurfaceEntry *e = (PhySurfaceEntry *)0;
- while (i.next(k,e)) {
- if ((e->trusted)&&(e->mySurface.ss_family == AF_INET)&&(e->mySurface.ipScope() == InetAddress::IP_SCOPE_GLOBAL)) {
- if (!theOneTrueSurface)
- theOneTrueSurface = e->mySurface;
- else if (theOneTrueSurface != e->mySurface)
- symmetric = true;
- maxPortByIp[reinterpret_cast<const struct sockaddr_in *>(&(e->mySurface))->sin_addr.s_addr] = e->mySurface.port();
- }
- }
- }
- if (!symmetric)
- return std::vector<InetAddress>();
-
- { // Then find the highest issued port per IP
- Hashtable< PhySurfaceKey,PhySurfaceEntry >::Iterator i(_phy);
- PhySurfaceKey *k = (PhySurfaceKey *)0;
- PhySurfaceEntry *e = (PhySurfaceEntry *)0;
- while (i.next(k,e)) {
- if ((e->mySurface.ss_family == AF_INET)&&(e->mySurface.ipScope() == InetAddress::IP_SCOPE_GLOBAL)) {
- const unsigned int port = e->mySurface.port();
- std::map< uint32_t,unsigned int >::iterator mp(maxPortByIp.find(reinterpret_cast<const struct sockaddr_in *>(&(e->mySurface))->sin_addr.s_addr));
- if ((mp != maxPortByIp.end())&&(mp->second < port))
- mp->second = port;
- }
- }
- }
- }
-
- std::vector<InetAddress> r;
-
- // Try next port up from max for each
- for(std::map< uint32_t,unsigned int >::iterator i(maxPortByIp.begin());i!=maxPortByIp.end();++i) {
- unsigned int p = i->second + 1;
- if (p > 65535) p -= 64511;
- const InetAddress pred(&(i->first),4,p);
- if (std::find(r.begin(),r.end(),pred) == r.end())
- r.push_back(pred);
- }
-
- // Try a random port for each -- there are only 65535 so eventually it should work
- for(std::map< uint32_t,unsigned int >::iterator
i(maxPortByIp.begin());i!=maxPortByIp.end();++i) {
- const InetAddress pred(&(i->first),4,1024 + ((unsigned int)RR->node->prng() % 64511));
- if (std::find(r.begin(),r.end(),pred) == r.end())
- r.push_back(pred);
- }
-
- return r;
-}
-#endif
-
 } // namespace ZeroTier
diff --git a/node/SelfAwareness.hpp b/node/SelfAwareness.hpp
index c03d4cb6..7940f5ac 100644
--- a/node/SelfAwareness.hpp
+++ b/node/SelfAwareness.hpp
@@ -64,15 +64,6 @@ public:
 */
 void clean(int64_t now);
-#if 0
- /**
- * If we appear to be behind a symmetric NAT, get predictions for possible external endpoints
- *
- * @return Symmetric NAT predictions or empty vector if none
- */
- std::vector<InetAddress> getSymmetricNatPredictions();
-#endif
-
 private:
 struct PhySurfaceKey
 {
diff --git a/service/README.md b/service/README.md
index 3b9901fd..08a3a63f 100644
--- a/service/README.md
+++ b/service/README.md
@@ -25,7 +25,9 @@ Settings available in `local.conf` (this is not valid JSON, and JSON does not al
 }
 },
 "settings": { /* Other global settings */
- "primaryPort": 0-65535, /* If set, override default port of 9993 and any command line port */
+ "primaryPort": 1-65535, /* If set, override default port of 9993 and any command line port */
+ "secondaryPort": 1-65535, /* If set, override default random secondary port */
+ "tertiaryPort": 1-65535, /* If set, override default random tertiary port */
 "portMappingEnabled": true|false, /* If true (the default), try to use uPnP or NAT-PMP to map ports */
 "softwareUpdate": "apply"|"download"|"disable", /* Automatically apply updates, just download, or disable built-in software updates */
 "softwareUpdateChannel": "release"|"beta", /* Software update channel */
@@ -33,7 +35,8 @@ Settings available in `local.conf` (this is not valid JSON, and JSON does not al
 "interfacePrefixBlacklist": [ "XXX",... ], /* Array of interface name prefixes (e.g. eth for eth#) to blacklist for ZT traffic */
 "allowManagementFrom": [ "NETWORK/bits", ...] |null, /* If non-NULL, allow JSON/HTTP management from this IP network. Default is 127.0.0.1 only. */
 "bind": [ "ip",... ], /* If present and non-null, bind to these IPs instead of to each interface (wildcard IP allowed) */
- "allowTcpFallbackRelay": true|false /* Allow or disallow establishment of TCP relay connections (true by default) */
+ "allowTcpFallbackRelay": true|false, /* Allow or disallow establishment of TCP relay connections (true by default) */
+ "multipathMode": 0|1|2 /* multipath mode: none (0), random (1), proportional (2) */
 }
 }
 ```
@@ -35,12 +35,12 @@
 /**
 * Minor version
 */
-#define ZEROTIER_ONE_VERSION_MINOR 2
+#define ZEROTIER_ONE_VERSION_MINOR 4
 /**
 * Revision
 */
-#define ZEROTIER_ONE_VERSION_REVISION 13
+#define ZEROTIER_ONE_VERSION_REVISION 0
 /**
 * Build version |