authorAdam Ierymenko <adam.ierymenko@gmail.com>2016-08-02 13:36:17 -0700
committerAdam Ierymenko <adam.ierymenko@gmail.com>2016-08-02 13:36:17 -0700
commitecc1324bb0b2435d958947148984a2bd1f630ed7 (patch)
tree405459f1dfba3cd2c349aa4eb63f558e8b4d3cea /include/ZeroTierOne.h
parentd3b0081447940ee3cad4f39bc6e022bd7434402b (diff)
Rules engine work: capability-based security model with tags and capabilities, and some cleanup across other places.
Diffstat (limited to 'include/ZeroTierOne.h')
-rw-r--r--include/ZeroTierOne.h45
1 files changed, 38 insertions, 7 deletions
diff --git a/include/ZeroTierOne.h b/include/ZeroTierOne.h
index b03abf86..c4696e7d 100644
--- a/include/ZeroTierOne.h
+++ b/include/ZeroTierOne.h
@@ -102,14 +102,14 @@ extern "C" {
#define ZT_MAX_NETWORK_PINNED 16
/**
- * Maximum number of rule table entries per network (can be increased)
+ * Maximum number of multicast group subscriptions per network
*/
-#define ZT_MAX_NETWORK_RULES 256
+#define ZT_MAX_NETWORK_MULTICAST_SUBSCRIPTIONS 4096
/**
- * Maximum number of multicast group subscriptions per network
+ * Maximum number of base (non-capability) network rules
*/
-#define ZT_MAX_NETWORK_MULTICAST_SUBSCRIPTIONS 4096
+#define ZT_MAX_NETWORK_RULES 256
/**
* Maximum number of direct network paths to a given peer
@@ -122,6 +122,21 @@ extern "C" {
#define ZT_MAX_TRUSTED_PATHS 16
/**
+ * Maximum number of rules per capability
+ */
+#define ZT_MAX_CAPABILITY_RULES 64
+
+/**
+ * Maximum length of a capbility's short descriptive name
+ */
+#define ZT_MAX_CAPABILITY_NAME_LENGTH 63
+
+/**
+ * Global maximum length for capability chain of custody (including initial issue)
+ */
+#define ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH 7
+
+/**
* Maximum number of hops in a ZeroTier circuit test
*
* This is more or less the max that can be fit in a given packet (with
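Review bot: The comment on ZT_MAX_CAPABILITY_NAME_LENGTH does not say whether 63 counts the terminating NUL, and it misspells "capability" as "capbility"; if the intent is a 64-byte buffer holding up to 63 characters, say so: ` * Maximum length of a capability's short descriptive name (excluding the terminating NUL; buffers are ZT_MAX_CAPABILITY_NAME_LENGTH + 1 bytes)`. The custody-chain limit of 7 is the bound on how many delegation hops a recipient has to walk (and, presumably, how many signatures it has to check, though that is not visible here), which is worth stating in its comment so nobody raises it later without considering verification cost, e.g. ` * Bounds delegation depth; raising this increases the per-capability verification work a node must do.`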
@@ -516,9 +531,6 @@ enum ZT_VirtualNetworkRuleType
/**
* Network flow rule
*
- * NOTE: Currently (1.1.x) only etherType is supported! Other things will
- * have no effect until the rules engine is fully implemented.
- *
* Rules are stored in a table in which one or more match entries is followed
* by an action. If more than one match precedes an action, the rule is
* the AND of all matches. An action with no match is always taken since it
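Review bot: Dropping the "only etherType is supported" note leaves the comment silent on what a node does with a rule type it does not implement, and for a flow filter an unimplemented match that is silently skipped fails open. Since the commit message describes this as "rules engine work" rather than a finished engine, I would keep a one-line statement of the contract here, e.g. ` * Rule types the evaluating node does not implement must be treated as non-matching (fail closed), never skipped.`, adjusted to whatever the engine actually does. The remainder of the ZT_VirtualNetworkRule definition lies outside this hunk.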
@@ -619,6 +631,25 @@ typedef struct
} v;
} ZT_VirtualNetworkRule;
+typedef struct
+{
+ /**
+ * 128-bit ID (GUID) of this capability
+ */
+ uint64_t id[2];
+
+ /**
+ * Expiration time (measured vs. network config timestamp issued by controller)
+ */
+ uint64_t expiration;
+
+
+ struct {
+ uint64_t from;
+ uint64_t to;
+ } custody[ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH];
+} ZT_VirtualNetworkCapability;
+
/**
* A route to be pushed on a virtual network
*/
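Review bot: ZT_VirtualNetworkCapability's custody array carries no count, so from the struct alone a reader cannot tell how many of the ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH entries are in use or which entry is the original issuer, and unlike id and expiration the custody field has no doc comment at all. Either add a length field before the array, e.g. `unsigned int custodyChainLength;`, or document the convention you rely on, e.g. `/** Chain of custody from original issuer to current holder; unused trailing entries are zero */`. The expiration comment should also say what expiration == 0 means (never expires, or already expired), since a zero-initialized struct will be the common default and the two readings are opposite in effect. The double blank line before custody is stray.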