diff options
| author | Adam Ierymenko <adam.ierymenko@gmail.com> | 2017-02-23 12:34:17 -0800 |
|---|---|---|
| committer | Adam Ierymenko <adam.ierymenko@gmail.com> | 2017-02-23 12:34:17 -0800 |
| commit | 72653e54f951b2a47686d420186f59f533542940 (patch) | |
| tree | d404273e2a6a5cf5f29a403a0e9ebaeb4e18137e /node/Network.cpp | |
| parent | 10185e92faa77a4b032a27a7c01b4186727b91b9 (diff) | |
| download | infinitytier-72653e54f951b2a47686d420186f59f533542940.tar.gz infinitytier-72653e54f951b2a47686d420186f59f533542940.zip | |
Finish wiring up ipauth and macauth to Network filter.
Diffstat (limited to 'node/Network.cpp')
| -rw-r--r-- | node/Network.cpp | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/node/Network.cpp b/node/Network.cpp index 290ceaf9..50df58bb 100644 --- a/node/Network.cpp +++ b/node/Network.cpp @@ -299,6 +299,7 @@ static _doZtFilterResult _doZtFilter( // If this was not an ACTION evaluate next MATCH and update thisSetMatches with (AND [result]) uint8_t thisRuleMatches = 0; + uint64_t ownershipVerificationMask = 1; // this magic value means it hasn't been computed yet -- this is done lazily the first time it's needed switch(rt) { case ZT_NETWORK_RULE_MATCH_SOURCE_ZEROTIER_ADDRESS: thisRuleMatches = (uint8_t)(rules[rn].v.zt == ztSource.toInt()); @@ -507,6 +508,30 @@ static _doZtFilterResult _doZtFilter( uint64_t cf = (inbound) ? ZT_RULE_PACKET_CHARACTERISTICS_INBOUND : 0ULL; if (macDest.isMulticast()) cf |= ZT_RULE_PACKET_CHARACTERISTICS_MULTICAST; if (macDest.isBroadcast()) cf |= ZT_RULE_PACKET_CHARACTERISTICS_BROADCAST; + if (ownershipVerificationMask == 1) { + ownershipVerificationMask = 0; + InetAddress src; + if ((etherType == ZT_ETHERTYPE_IPV4)&&(frameLen >= 20)) { + src.set((const void *)(frameData + 12),4,0); + } else if ((etherType == ZT_ETHERTYPE_IPV6)&&(frameLen >= 40)) { + src.set((const void *)(frameData + 8),16,0); + } + if (inbound) { + if (membership) { + if ((src)&&(membership->hasCertificateOfOwnershipFor(nconf,src))) + ownershipVerificationMask |= ZT_RULE_PACKET_CHARACTERISTICS_SENDER_IP_AUTHENTICATED; + if (membership->hasCertificateOfOwnershipFor(nconf,macSource)) + ownershipVerificationMask |= ZT_RULE_PACKET_CHARACTERISTICS_SENDER_MAC_AUTHENTICATED; + } + } else { + for(unsigned int i=0;i<nconf.certificateOfOwnershipCount;++i) { + if ((src)&&(nconf.certificatesOfOwnership[i].owns(src))) + ownershipVerificationMask |= ZT_RULE_PACKET_CHARACTERISTICS_SENDER_IP_AUTHENTICATED; + if (nconf.certificatesOfOwnership[i].owns(macSource)) + ownershipVerificationMask |= ZT_RULE_PACKET_CHARACTERISTICS_SENDER_MAC_AUTHENTICATED; + } + } + } if ((etherType == ZT_ETHERTYPE_IPV4)&&(frameLen >= 20)&&(frameData[9] == 0x06)) { const unsigned int headerLen = 4 * (frameData[0] & 0xf); cf |= (uint64_t)frameData[headerLen + 13]; |