diff options
Diffstat (limited to 'node')
| -rw-r--r-- | node/Node.cpp | 3 | ||||
| -rw-r--r-- | node/Topology.cpp | 17 | ||||
| -rw-r--r-- | node/Topology.hpp | 16 |
3 files changed, 36 insertions, 0 deletions
diff --git a/node/Node.cpp b/node/Node.cpp index 11f76365..ed60817f 100644 --- a/node/Node.cpp +++ b/node/Node.cpp @@ -633,6 +633,9 @@ bool Node::shouldUsePathForZeroTierTraffic(const Address &ztaddr,const InetAddre if (!Path::isAddressValidForPath(remoteAddress)) return false; + if (RR->topology->isProhibitedEndpoint(ztaddr,remoteAddress)) + return false; + { Mutex::Lock _l(_networks_m); for(std::vector< std::pair< uint64_t, SharedPtr<Network> > >::const_iterator i=_networks.begin();i!=_networks.end();++i) { diff --git a/node/Topology.cpp b/node/Topology.cpp index 517934fb..bf51b585 100644 --- a/node/Topology.cpp +++ b/node/Topology.cpp @@ -264,6 +264,23 @@ void Topology::setUpstream(const Address &a,bool upstream) RR->sw->requestWhois(a); } +bool Topology::isProhibitedEndpoint(const Address &ztaddr,const InetAddress &ipaddr) const +{ + Mutex::Lock _l(_lock); + + if (std::find(_rootAddresses.begin(),_rootAddresses.end(),ztaddr) != _rootAddresses.end()) { + for(std::vector<World::Root>::const_iterator r(_world.roots().begin());r!=_world.roots().end();++r) { + for(std::vector<InetAddress>::const_iterator e(r->stableEndpoints.begin());e!=r->stableEndpoints.end();++e) { + if (ipaddr.ipsEqual(*e)) + return false; + } + } + return true; + } + + return false; +} + bool Topology::worldUpdateIfValid(const World &newWorld) { Mutex::Lock _l(_lock); diff --git a/node/Topology.hpp b/node/Topology.hpp index 8e1d28cb..90ad7083 100644 --- a/node/Topology.hpp +++ b/node/Topology.hpp @@ -164,6 +164,22 @@ public: void setUpstream(const Address &a,bool upstream); /** + * Check for prohibited endpoints + * + * Right now this returns true if the designated ZT address is a root and if + * the IP (IP only, not port) does not equal any of the IPs defined in the + * current World. This is an extra little security feature in case root keys + * get appropriated or something. + * + * Otherwise it returns false. + * + * @param ztaddr ZeroTier address + * @param ipaddr IP address + * @return True if this ZT/IP pair should not be allowed to be used + */ + bool isProhibitedEndpoint(const Address &ztaddr,const InetAddress &ipaddr) const; + + /** * @return Vector of active upstream addresses (including roots) */ inline std::vector<Address> upstreamAddresses() const |