From 47ce52228b2400cdcfbd90d30b9536b013f6706a Mon Sep 17 00:00:00 2001 From: Adam Ierymenko Date: Wed, 6 Jan 2016 12:54:51 -0800 Subject: Roots should probably not do this since it would likely be a waste of packets. --- node/Peer.cpp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'node') diff --git a/node/Peer.cpp b/node/Peer.cpp index 1914da97..c00b07dc 100644 --- a/node/Peer.cpp +++ b/node/Peer.cpp @@ -512,7 +512,12 @@ bool Peer::_checkPath(Path &p,const uint64_t now) * counter is reset on any packet receive over this path. If it reaches the * MAX_PROBATION threshold the path is considred dead. */ - if ( (p.lastSend() > p.lastReceived()) && ((p.lastSend() - p.lastReceived()) >= ZT_PEER_DEAD_PATH_DETECTION_NO_ANSWER_TIMEOUT) && ((now - p.lastPing()) >= ZT_PEER_DEAD_PATH_DETECTION_NO_ANSWER_TIMEOUT) ) { + if ( + (p.lastSend() > p.lastReceived()) && + ((p.lastSend() - p.lastReceived()) >= ZT_PEER_DEAD_PATH_DETECTION_NO_ANSWER_TIMEOUT) && + ((now - p.lastPing()) >= ZT_PEER_DEAD_PATH_DETECTION_NO_ANSWER_TIMEOUT) && + (!RR->topology->amRoot()) + ) { TRACE("%s(%s) does not seem to be answering in a timely manner, checking if dead (probation == %u)",_id.address().toString().c_str(),p.address().toString().c_str(),p.probation()); if ( (_vProto >= 5) && ( !((_vMajor == 1)&&(_vMinor == 1)&&(_vRevision == 0)) ) ) { -- cgit v1.2.3 From a56fbc1929d3cb2c6c5a1b4acb3b026a1e13135d Mon Sep 17 00:00:00 2001 From: Adam Ierymenko Date: Wed, 6 Jan 2016 15:35:27 -0800 Subject: Close another potential anti-recursion loophole. --- node/IncomingPacket.cpp | 1 + node/Peer.cpp | 1 + node/Switch.cpp | 1 + 3 files changed, 3 insertions(+) (limited to 'node') diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp index 2a51a387..c71c6790 100644 --- a/node/IncomingPacket.cpp +++ b/node/IncomingPacket.cpp @@ -250,6 +250,7 @@ bool IncomingPacket::_doHELLO(const RuntimeEnvironment *RR,SharedPtr &peer outp.append((uint64_t)pid); outp.append((unsigned char)Packet::ERROR_IDENTITY_COLLISION); outp.armor(key,true); + RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } else { TRACE("rejected HELLO from %s(%s): packet failed authentication",id.address().toString().c_str(),_remoteAddress.toString().c_str()); diff --git a/node/Peer.cpp b/node/Peer.cpp index c00b07dc..0db3e8a0 100644 --- a/node/Peer.cpp +++ b/node/Peer.cpp @@ -199,6 +199,7 @@ void Peer::received( // 1.1.1 and newer nodes support ECHO, which is smaller -- but 1.1.0 has a bug so use HELLO there too Packet outp(_id.address(),RR->identity.address(),Packet::VERB_ECHO); outp.armor(_key,true); + RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(localAddr,remoteAddr,outp.data(),outp.size()); } else { sendHELLO(localAddr,remoteAddr,now); diff --git a/node/Switch.cpp b/node/Switch.cpp index a6575836..a9885a29 100644 --- a/node/Switch.cpp +++ b/node/Switch.cpp @@ -97,6 +97,7 @@ void Switch::onRemotePacket(const InetAddress &localAddr,const InetAddress &from _lastBeaconResponse = now; Packet outp(peer->address(),RR->identity.address(),Packet::VERB_NOP); outp.armor(peer->key(),true); + RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(localAddr,fromAddr,outp.data(),outp.size()); } } -- cgit v1.2.3 From 1023ef23b7bf6a65fb563f7ba33ed7a20b139e5e Mon Sep 17 00:00:00 2001 From: Adam Ierymenko Date: Mon, 11 Jan 2016 09:06:10 -0800 Subject: Remove somewhat ugly and costly anti-recursion hack -- we will switch to more explicit methods. --- node/AntiRecursion.hpp | 135 -------------------------------------------- node/IncomingPacket.cpp | 15 ----- node/Node.cpp | 4 -- node/Path.cpp | 2 - node/Peer.cpp | 5 -- node/RuntimeEnvironment.hpp | 3 - node/Switch.cpp | 11 ---- 7 files changed, 175 deletions(-) delete mode 100644 node/AntiRecursion.hpp (limited to 'node') diff --git a/node/AntiRecursion.hpp b/node/AntiRecursion.hpp deleted file mode 100644 index 78ee95c2..00000000 --- a/node/AntiRecursion.hpp +++ /dev/null @@ -1,135 +0,0 @@ -/* - * ZeroTier One - Network Virtualization Everywhere - * Copyright (C) 2011-2015 ZeroTier, Inc. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - * - * -- - * - * ZeroTier may be used and distributed under the terms of the GPLv3, which - * are available at: http://www.gnu.org/licenses/gpl-3.0.html - * - * If you would like to embed ZeroTier into a commercial application or - * redistribute it in a modified binary form, please contact ZeroTier Networks - * LLC. Start here: http://www.zerotier.com/ - */ - -#ifndef ZT_ANTIRECURSION_HPP -#define ZT_ANTIRECURSION_HPP - -#include -#include - -#include "Constants.hpp" - -namespace ZeroTier { - -/** - * Size of anti-recursion history - */ -#define ZT_ANTIRECURSION_HISTORY_SIZE 16 - -/** - * Filter to prevent recursion (ZeroTier-over-ZeroTier) - * - * This works by logging ZeroTier packets that we send. It's then invoked - * again against packets read from local Ethernet taps. If the last 32 - * bytes representing the ZeroTier packet match in the tap frame, then - * the frame is a re-injection of a frame that we sent and is rejected. - * - * This means that ZeroTier packets simply will not traverse ZeroTier - * networks, which would cause all sorts of weird problems. - * - * This is highly optimized code since it's checked for every packet. - */ -class AntiRecursion -{ -public: - AntiRecursion() - { - for(int i=0;i(data) + (len - 32),32); -#else - uint64_t *t = _history[++_ptr % ZT_ANTIRECURSION_HISTORY_SIZE].tail; - const uint64_t *p = reinterpret_cast(reinterpret_cast(data) + (len - 32)); - *(t++) = *(p++); - *(t++) = *(p++); - *(t++) = *(p++); - *t = *p; -#endif - } - - /** - * Check an ethernet frame from a local tap against anti-recursion history - * - * @param data Raw frame data - * @param len Length of frame - * @return True if frame is OK to be passed, false if it's a ZT frame that we sent - */ - inline bool checkEthernetFrame(const void *const data,const unsigned int len) const - { - if (len < 32) - return true; - const uint8_t *const pp = reinterpret_cast(data) + (len - 32); - const _ArItem *i = _history; - const _ArItem *const end = i + ZT_ANTIRECURSION_HISTORY_SIZE; - while (i != end) { -#ifdef ZT_NO_TYPE_PUNNING - if (!memcmp(pp,i->tail,32)) { - return false; - } -#else - const uint64_t *t = i->tail; - const uint64_t *p = reinterpret_cast(pp); - uint64_t bits = *(t++) ^ *(p++); - bits |= *(t++) ^ *(p++); - bits |= *(t++) ^ *(p++); - bits |= *t ^ *p; - if (!bits) { - return false; - } -#endif - ++i; - } - return true; - } - -private: - struct _ArItem { uint64_t tail[4]; }; - _ArItem _history[ZT_ANTIRECURSION_HISTORY_SIZE]; - volatile unsigned long _ptr; -}; - -} // namespace ZeroTier - -#endif diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp index c71c6790..5c9279dd 100644 --- a/node/IncomingPacket.cpp +++ b/node/IncomingPacket.cpp @@ -45,7 +45,6 @@ #include "World.hpp" #include "Cluster.hpp" #include "Node.hpp" -#include "AntiRecursion.hpp" #include "DeferredPackets.hpp" namespace ZeroTier { @@ -163,7 +162,6 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,const SharedPtr Packet outp(peer->address(),RR->identity.address(),Packet::VERB_NETWORK_MEMBERSHIP_CERTIFICATE); nconf->com().serialize(outp); outp.armor(peer->key(),true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } } @@ -250,7 +248,6 @@ bool IncomingPacket::_doHELLO(const RuntimeEnvironment *RR,SharedPtr &peer outp.append((uint64_t)pid); outp.append((unsigned char)Packet::ERROR_IDENTITY_COLLISION); outp.armor(key,true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } else { TRACE("rejected HELLO from %s(%s): packet failed authentication",id.address().toString().c_str(),_remoteAddress.toString().c_str()); @@ -346,7 +343,6 @@ bool IncomingPacket::_doHELLO(const RuntimeEnvironment *RR,SharedPtr &peer } outp.armor(peer->key(),true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); peer->setRemoteVersion(protoVersion,vMajor,vMinor,vRevision); // important for this to go first so received() knows the version @@ -484,7 +480,6 @@ bool IncomingPacket::_doWHOIS(const RuntimeEnvironment *RR,const SharedPtr outp.append(packetId()); queried.serialize(outp,false); outp.armor(peer->key(),true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } else { #ifdef ZT_ENABLE_CLUSTER @@ -645,7 +640,6 @@ bool IncomingPacket::_doECHO(const RuntimeEnvironment *RR,const SharedPtr if (size() > ZT_PACKET_IDX_PAYLOAD) outp.append(reinterpret_cast(data()) + ZT_PACKET_IDX_PAYLOAD,size() - ZT_PACKET_IDX_PAYLOAD); outp.armor(peer->key(),true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); peer->received(_localAddress,_remoteAddress,hops(),pid,Packet::VERB_ECHO,0,Packet::VERB_NOP); } catch ( ... ) { @@ -723,7 +717,6 @@ bool IncomingPacket::_doNETWORK_CONFIG_REQUEST(const RuntimeEnvironment *RR,cons if (outp.size() > ZT_PROTO_MAX_PACKET_LENGTH) { // sanity check TRACE("NETWORK_CONFIG_REQUEST failed: internal error: netconf size %u is too large",(unsigned int)netconfStr.length()); } else { - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } } @@ -736,7 +729,6 @@ bool IncomingPacket::_doNETWORK_CONFIG_REQUEST(const RuntimeEnvironment *RR,cons outp.append((unsigned char)Packet::ERROR_OBJ_NOT_FOUND); outp.append(nwid); outp.armor(peer->key(),true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } break; @@ -747,7 +739,6 @@ bool IncomingPacket::_doNETWORK_CONFIG_REQUEST(const RuntimeEnvironment *RR,cons outp.append((unsigned char)Packet::ERROR_NETWORK_ACCESS_DENIED_); outp.append(nwid); outp.armor(peer->key(),true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } break; @@ -770,7 +761,6 @@ bool IncomingPacket::_doNETWORK_CONFIG_REQUEST(const RuntimeEnvironment *RR,cons outp.append((unsigned char)Packet::ERROR_UNSUPPORTED_OPERATION); outp.append(nwid); outp.armor(peer->key(),true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } } catch ( ... ) { @@ -816,7 +806,6 @@ bool IncomingPacket::_doMULTICAST_GATHER(const RuntimeEnvironment *RR,const Shar const unsigned int gatheredLocally = RR->mc->gather(peer->address(),nwid,mg,outp,gatherLimit); if (gatheredLocally) { outp.armor(peer->key(),true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } @@ -910,7 +899,6 @@ bool IncomingPacket::_doMULTICAST_FRAME(const RuntimeEnvironment *RR,const Share outp.append((unsigned char)0x02); // flag 0x02 = contains gather results if (RR->mc->gather(peer->address(),nwid,to,outp,gatherLimit)) { outp.armor(peer->key(),true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } } @@ -1221,7 +1209,6 @@ bool IncomingPacket::_doREQUEST_PROOF_OF_WORK(const RuntimeEnvironment *RR,const outp.append((uint16_t)sizeof(result)); outp.append(result,sizeof(result)); outp.armor(peer->key(),true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } else { Packet outp(peer->address(),RR->identity.address(),Packet::VERB_ERROR); @@ -1229,7 +1216,6 @@ bool IncomingPacket::_doREQUEST_PROOF_OF_WORK(const RuntimeEnvironment *RR,const outp.append(pid); outp.append((unsigned char)Packet::ERROR_INVALID_REQUEST); outp.armor(peer->key(),true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } } break; @@ -1335,7 +1321,6 @@ void IncomingPacket::_sendErrorNeedCertificate(const RuntimeEnvironment *RR,cons outp.append((unsigned char)Packet::ERROR_NEED_MEMBERSHIP_CERTIFICATE); outp.append(nwid); outp.armor(peer->key(),true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } diff --git a/node/Node.cpp b/node/Node.cpp index 7e4ad642..19675bb5 100644 --- a/node/Node.cpp +++ b/node/Node.cpp @@ -39,7 +39,6 @@ #include "NetworkController.hpp" #include "Switch.hpp" #include "Multicaster.hpp" -#include "AntiRecursion.hpp" #include "Topology.hpp" #include "Buffer.hpp" #include "Packet.hpp" @@ -114,7 +113,6 @@ Node::Node( try { RR->sw = new Switch(RR); RR->mc = new Multicaster(RR); - RR->antiRec = new AntiRecursion(); RR->topology = new Topology(RR); RR->sa = new SelfAwareness(RR); RR->dp = new DeferredPackets(RR); @@ -122,7 +120,6 @@ Node::Node( delete RR->dp; delete RR->sa; delete RR->topology; - delete RR->antiRec; delete RR->mc; delete RR->sw; throw; @@ -141,7 +138,6 @@ Node::~Node() delete RR->dp; delete RR->sa; delete RR->topology; - delete RR->antiRec; delete RR->mc; delete RR->sw; #ifdef ZT_ENABLE_CLUSTER diff --git a/node/Path.cpp b/node/Path.cpp index c67352de..6f595189 100644 --- a/node/Path.cpp +++ b/node/Path.cpp @@ -26,7 +26,6 @@ */ #include "Path.hpp" -#include "AntiRecursion.hpp" #include "RuntimeEnvironment.hpp" #include "Node.hpp" @@ -34,7 +33,6 @@ namespace ZeroTier { bool Path::send(const RuntimeEnvironment *RR,const void *data,unsigned int len,uint64_t now) { - RR->antiRec->logOutgoingZT(data,len); if (RR->node->putPacket(_localAddress,address(),data,len)) { sent(now); return true; diff --git a/node/Peer.cpp b/node/Peer.cpp index 0db3e8a0..04e5bdf0 100644 --- a/node/Peer.cpp +++ b/node/Peer.cpp @@ -32,7 +32,6 @@ #include "Node.hpp" #include "Switch.hpp" #include "Network.hpp" -#include "AntiRecursion.hpp" #include "SelfAwareness.hpp" #include "Cluster.hpp" #include "Packet.hpp" @@ -104,7 +103,6 @@ void Peer::received( } outp.append((uint16_t)redirectTo.port()); outp.armor(_key,true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(localAddr,remoteAddr,outp.data(),outp.size()); } else { // For older peers we use RENDEZVOUS to coax them into contacting us elsewhere. @@ -120,7 +118,6 @@ void Peer::received( outp.append(redirectTo.rawIpData(),16); } outp.armor(_key,true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(localAddr,remoteAddr,outp.data(),outp.size()); } suboptimalPath = true; @@ -199,7 +196,6 @@ void Peer::received( // 1.1.1 and newer nodes support ECHO, which is smaller -- but 1.1.0 has a bug so use HELLO there too Packet outp(_id.address(),RR->identity.address(),Packet::VERB_ECHO); outp.armor(_key,true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(localAddr,remoteAddr,outp.data(),outp.size()); } else { sendHELLO(localAddr,remoteAddr,now); @@ -233,7 +229,6 @@ void Peer::sendHELLO(const InetAddress &localAddr,const InetAddress &atAddress,u outp.append((uint64_t)RR->topology->worldTimestamp()); outp.armor(_key,false); // HELLO is sent in the clear - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(localAddr,atAddress,outp.data(),outp.size(),ttl); } diff --git a/node/RuntimeEnvironment.hpp b/node/RuntimeEnvironment.hpp index 4846c9df..c9990c4a 100644 --- a/node/RuntimeEnvironment.hpp +++ b/node/RuntimeEnvironment.hpp @@ -41,7 +41,6 @@ class Switch; class Topology; class Node; class Multicaster; -class AntiRecursion; class NetworkController; class SelfAwareness; class Cluster; @@ -59,7 +58,6 @@ public: ,localNetworkController((NetworkController *)0) ,sw((Switch *)0) ,mc((Multicaster *)0) - ,antiRec((AntiRecursion *)0) ,topology((Topology *)0) ,sa((SelfAwareness *)0) ,dp((DeferredPackets *)0) @@ -91,7 +89,6 @@ public: Switch *sw; Multicaster *mc; - AntiRecursion *antiRec; Topology *topology; SelfAwareness *sa; DeferredPackets *dp; diff --git a/node/Switch.cpp b/node/Switch.cpp index a9885a29..9ef8611a 100644 --- a/node/Switch.cpp +++ b/node/Switch.cpp @@ -42,7 +42,6 @@ #include "InetAddress.hpp" #include "Topology.hpp" #include "Peer.hpp" -#include "AntiRecursion.hpp" #include "SelfAwareness.hpp" #include "Packet.hpp" #include "Cluster.hpp" @@ -97,7 +96,6 @@ void Switch::onRemotePacket(const InetAddress &localAddr,const InetAddress &from _lastBeaconResponse = now; Packet outp(peer->address(),RR->identity.address(),Packet::VERB_NOP); outp.armor(peer->key(),true); - RR->antiRec->logOutgoingZT(outp.data(),outp.size()); RR->node->putPacket(localAddr,fromAddr,outp.data(),outp.size()); } } @@ -125,15 +123,6 @@ void Switch::onLocalEthernet(const SharedPtr &network,const MAC &from,c if (to == network->mac()) return; - /* Check anti-recursion module to ensure that this is not ZeroTier talking over its own links. - * Note: even when we introduce a more purposeful binding of the main UDP port, this can - * still happen because Windows likes to send broadcasts over interfaces that have little - * to do with their intended target audience. :P */ - if (!RR->antiRec->checkEthernetFrame(data,len)) { - TRACE("%.16llx: rejected recursively addressed ZeroTier packet by tail match (type %s, length: %u)",network->id(),etherTypeName(etherType),len); - return; - } - // Check to make sure this protocol is allowed on this network if (!nconf->permitsEtherType(etherType)) { TRACE("%.16llx: ignored tap: %s -> %s: ethertype %s not allowed on network %.16llx",network->id(),from.toString().c_str(),to.toString().c_str(),etherTypeName(etherType),(unsigned long long)network->id()); -- cgit v1.2.3 From b3e3d4cacca37a4850e4e1a91fb8c42a5b13cb26 Mon Sep 17 00:00:00 2001 From: Adam Ierymenko Date: Mon, 11 Jan 2016 10:17:44 -0800 Subject: Instead of using binary packet comparison, add a callback to the API to explicitly check whether paths should be used. Check in with this callback (if present) when learning new paths or sending initial packets. --- include/ZeroTierOne.h | 45 ++++++++++++++++++++++++++++++++++++++------- node/IncomingPacket.cpp | 10 ++++++---- node/InetAddress.cpp | 24 ++++++++++++++++++++++++ node/InetAddress.hpp | 8 ++++++++ node/Node.cpp | 26 +++++++++++++++++++++++++- node/Node.hpp | 9 +++++++++ node/Peer.cpp | 2 +- service/OneService.cpp | 20 ++++++++++++++++++++ 8 files changed, 131 insertions(+), 13 deletions(-) (limited to 'node') diff --git a/include/ZeroTierOne.h b/include/ZeroTierOne.h index 39959221..e087904f 100644 --- a/include/ZeroTierOne.h +++ b/include/ZeroTierOne.h @@ -1097,13 +1097,42 @@ typedef int (*ZT_DataStorePutFunction)( * delivery. It only means that the packet appears to have been sent. */ typedef int (*ZT_WirePacketSendFunction)( - ZT_Node *, /* Node */ - void *, /* User ptr */ - const struct sockaddr_storage *, /* Local address */ - const struct sockaddr_storage *, /* Remote address */ - const void *, /* Packet data */ - unsigned int, /* Packet length */ - unsigned int); /* TTL or 0 to use default */ + ZT_Node *, /* Node */ + void *, /* User ptr */ + const struct sockaddr_storage *, /* Local address */ + const struct sockaddr_storage *, /* Remote address */ + const void *, /* Packet data */ + unsigned int, /* Packet length */ + unsigned int); /* TTL or 0 to use default */ + +/** + * Function to check whether a path should be used for ZeroTier traffic + * + * Paramters: + * (1) Node + * (2) User pointer + * (3) Local interface address + * (4) Remote address + * + * This function must return nonzero (true) if the path should be used. + * + * If no path check function is specified, ZeroTier will still exclude paths + * that overlap with ZeroTier-assigned and managed IP address blocks. But the + * use of a path check function is recommended to ensure that recursion does + * not occur in cases where addresses are assigned by the OS or managed by + * an out of band mechanism like DHCP. The path check function should examine + * all configured ZeroTier interfaces and check to ensure that the supplied + * addresses will not result in ZeroTier traffic being sent over a ZeroTier + * interface (recursion). + * + * Obviously this is not required in configurations where this can't happen, + * such as network containers or embedded. + */ +typedef int (*ZT_PathCheckFunction)( + ZT_Node *, /* Node */ + void *, /* User ptr */ + const struct sockaddr_storage *, /* Local address */ + const struct sockaddr_storage *); /* Remote address */ /****************************************************************************/ /* C Node API */ @@ -1121,6 +1150,7 @@ typedef int (*ZT_WirePacketSendFunction)( * @param dataStoreGetFunction Function called to get objects from persistent storage * @param dataStorePutFunction Function called to put objects in persistent storage * @param virtualNetworkConfigFunction Function to be called when virtual LANs are created, deleted, or their config parameters change + * @param pathCheckFunction A function to check whether a path should be used for ZeroTier traffic, or NULL to allow any path * @param eventCallback Function to receive status updates and non-fatal error notices * @return OK (0) or error code if a fatal error condition has occurred */ @@ -1133,6 +1163,7 @@ enum ZT_ResultCode ZT_Node_new( ZT_WirePacketSendFunction wirePacketSendFunction, ZT_VirtualNetworkFrameFunction virtualNetworkFrameFunction, ZT_VirtualNetworkConfigFunction virtualNetworkConfigFunction, + ZT_PathCheckFunction pathCheckFunction, ZT_EventCallback eventCallback); /** diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp index 5c9279dd..c63d70b7 100644 --- a/node/IncomingPacket.cpp +++ b/node/IncomingPacket.cpp @@ -507,10 +507,12 @@ bool IncomingPacket::_doRENDEZVOUS(const RuntimeEnvironment *RR,const SharedPtr< const unsigned int port = at(ZT_PROTO_VERB_RENDEZVOUS_IDX_PORT); const unsigned int addrlen = (*this)[ZT_PROTO_VERB_RENDEZVOUS_IDX_ADDRLEN]; if ((port > 0)&&((addrlen == 4)||(addrlen == 16))) { + peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_RENDEZVOUS,0,Packet::VERB_NOP); + InetAddress atAddr(field(ZT_PROTO_VERB_RENDEZVOUS_IDX_ADDRESS,addrlen),addrlen,port); TRACE("RENDEZVOUS from %s says %s might be at %s, starting NAT-t",peer->address().toString().c_str(),with.toString().c_str(),atAddr.toString().c_str()); - peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_RENDEZVOUS,0,Packet::VERB_NOP); - RR->sw->rendezvous(withPeer,_localAddress,atAddr); + if (RR->node->shouldUsePathForZeroTierTraffic(_localAddress,atAddr)) + RR->sw->rendezvous(withPeer,_localAddress,atAddr); } else { TRACE("dropped corrupt RENDEZVOUS from %s(%s) (bad address or port)",peer->address().toString().c_str(),_remoteAddress.toString().c_str()); } @@ -941,7 +943,7 @@ bool IncomingPacket::_doPUSH_DIRECT_PATHS(const RuntimeEnvironment *RR,const Sha switch(addrType) { case 4: { InetAddress a(field(ptr,4),4,at(ptr + 4)); - if ( ((flags & 0x01) == 0) && (Path::isAddressValidForPath(a)) && (!peer->hasActivePathTo(now,a)) ) { + if ( ((flags & 0x01) == 0) && (Path::isAddressValidForPath(a)) && (!peer->hasActivePathTo(now,a)) && (RR->node->shouldUsePathForZeroTierTraffic(_localAddress,a)) ) { if (++countPerScope[(int)a.ipScope()][0] <= ZT_PUSH_DIRECT_PATHS_MAX_PER_SCOPE_AND_FAMILY) { TRACE("attempting to contact %s at pushed direct path %s",peer->address().toString().c_str(),a.toString().c_str()); peer->sendHELLO(_localAddress,a,now); @@ -952,7 +954,7 @@ bool IncomingPacket::_doPUSH_DIRECT_PATHS(const RuntimeEnvironment *RR,const Sha } break; case 6: { InetAddress a(field(ptr,16),16,at(ptr + 16)); - if ( ((flags & 0x01) == 0) && (Path::isAddressValidForPath(a)) && (!peer->hasActivePathTo(now,a)) ) { + if ( ((flags & 0x01) == 0) && (Path::isAddressValidForPath(a)) && (!peer->hasActivePathTo(now,a)) && (RR->node->shouldUsePathForZeroTierTraffic(_localAddress,a)) ) { if (++countPerScope[(int)a.ipScope()][1] <= ZT_PUSH_DIRECT_PATHS_MAX_PER_SCOPE_AND_FAMILY) { TRACE("attempting to contact %s at pushed direct path %s",peer->address().toString().c_str(),a.toString().c_str()); peer->sendHELLO(_localAddress,a,now); diff --git a/node/InetAddress.cpp b/node/InetAddress.cpp index f35eb9c3..1b3a8064 100644 --- a/node/InetAddress.cpp +++ b/node/InetAddress.cpp @@ -280,6 +280,30 @@ InetAddress InetAddress::network() const return r; } +bool InetAddress::containsAddress(const InetAddress &addr) const +{ + if (addr.ss_family == ss_family) { + switch(ss_family) { + case AF_INET: { + const unsigned int bits = netmaskBits(); + return ( (Utils::ntoh((uint32_t)reinterpret_cast(&addr)->sin_addr.s_addr) >> (32 - bits)) == (Utils::ntoh((uint32_t)reinterpret_cast(this)->sin_addr.s_addr) >> (32 - bits)) ); + } + case AF_INET6: { + const InetAddress mask(netmask()); + const uint8_t *m = reinterpret_cast(reinterpret_cast(&mask)->sin6_addr.s6_addr); + const uint8_t *a = reinterpret_cast(reinterpret_cast(&addr)->sin6_addr.s6_addr); + const uint8_t *b = reinterpret_cast(reinterpret_cast(this)->sin6_addr.s6_addr); + for(unsigned int i=0;i<16;++i) { + if ((a[i] & m[i]) != b[i]) + return false; + } + return true; + } + } + } + return false; +} + bool InetAddress::isNetwork() const throw() { diff --git a/node/InetAddress.hpp b/node/InetAddress.hpp index 2573e694..201271f7 100644 --- a/node/InetAddress.hpp +++ b/node/InetAddress.hpp @@ -325,6 +325,14 @@ struct InetAddress : public sockaddr_storage */ InetAddress network() const; + /** + * Test whether this IP/netmask contains this address + * + * @param addr Address to check + * @return True if this IP/netmask (route) contains this address + */ + bool containsAddress(const InetAddress &addr) const; + /** * @return True if this is an IPv4 address */ diff --git a/node/Node.cpp b/node/Node.cpp index 19675bb5..f65aa843 100644 --- a/node/Node.cpp +++ b/node/Node.cpp @@ -64,6 +64,7 @@ Node::Node( ZT_WirePacketSendFunction wirePacketSendFunction, ZT_VirtualNetworkFrameFunction virtualNetworkFrameFunction, ZT_VirtualNetworkConfigFunction virtualNetworkConfigFunction, + ZT_PathCheckFunction pathCheckFunction, ZT_EventCallback eventCallback) : _RR(this), RR(&_RR), @@ -73,6 +74,7 @@ Node::Node( _wirePacketSendFunction(wirePacketSendFunction), _virtualNetworkFrameFunction(virtualNetworkFrameFunction), _virtualNetworkConfigFunction(virtualNetworkConfigFunction), + _pathCheckFunction(pathCheckFunction), _eventCallback(eventCallback), _networks(), _networks_m(), @@ -671,6 +673,27 @@ std::string Node::dataStoreGet(const char *name) return r; } +bool Node::shouldUsePathForZeroTierTraffic(const InetAddress &localAddress,const InetAddress &remoteAddress) +{ + { + Mutex::Lock _l(_networks_m); + for(std::vector< std::pair< uint64_t, SharedPtr > >::const_iterator i=_networks.begin();i!=_networks.end();++i) { + SharedPtr nc(i->second->config2()); + if (nc) { + for(std::vector::const_iterator a(nc->staticIps().begin());a!=nc->staticIps().end();++a) { + if (a->containsAddress(remoteAddress)) { + return false; + } + } + } + } + } + + if (_pathCheckFunction) + return (_pathCheckFunction(reinterpret_cast(this),_uPtr,reinterpret_cast(&localAddress),reinterpret_cast(&remoteAddress)) != 0); + else return true; +} + #ifdef ZT_TRACE void Node::postTrace(const char *module,unsigned int line,const char *fmt,...) { @@ -743,11 +766,12 @@ enum ZT_ResultCode ZT_Node_new( ZT_WirePacketSendFunction wirePacketSendFunction, ZT_VirtualNetworkFrameFunction virtualNetworkFrameFunction, ZT_VirtualNetworkConfigFunction virtualNetworkConfigFunction, + ZT_PathCheckFunction pathCheckFunction, ZT_EventCallback eventCallback) { *node = (ZT_Node *)0; try { - *node = reinterpret_cast(new ZeroTier::Node(now,uptr,dataStoreGetFunction,dataStorePutFunction,wirePacketSendFunction,virtualNetworkFrameFunction,virtualNetworkConfigFunction,eventCallback)); + *node = reinterpret_cast(new ZeroTier::Node(now,uptr,dataStoreGetFunction,dataStorePutFunction,wirePacketSendFunction,virtualNetworkFrameFunction,virtualNetworkConfigFunction,pathCheckFunction,eventCallback)); return ZT_RESULT_OK; } catch (std::bad_alloc &exc) { return ZT_RESULT_FATAL_ERROR_OUT_OF_MEMORY; diff --git a/node/Node.hpp b/node/Node.hpp index 15295139..b6b32363 100644 --- a/node/Node.hpp +++ b/node/Node.hpp @@ -71,6 +71,7 @@ public: ZT_WirePacketSendFunction wirePacketSendFunction, ZT_VirtualNetworkFrameFunction virtualNetworkFrameFunction, ZT_VirtualNetworkConfigFunction virtualNetworkConfigFunction, + ZT_PathCheckFunction pathCheckFunction, ZT_EventCallback eventCallback); ~Node(); @@ -189,6 +190,13 @@ public: len); } + /** + * @param localAddress Local address + * @param remoteAddress Remote address + * @return True if path should be used + */ + bool shouldUsePathForZeroTierTraffic(const InetAddress &localAddress,const InetAddress &remoteAddress); + inline SharedPtr network(uint64_t nwid) const { Mutex::Lock _l(_networks_m); @@ -288,6 +296,7 @@ private: ZT_WirePacketSendFunction _wirePacketSendFunction; ZT_VirtualNetworkFrameFunction _virtualNetworkFrameFunction; ZT_VirtualNetworkConfigFunction _virtualNetworkConfigFunction; + ZT_PathCheckFunction _pathCheckFunction; ZT_EventCallback _eventCallback; std::vector< std::pair< uint64_t, SharedPtr > > _networks; diff --git a/node/Peer.cpp b/node/Peer.cpp index 04e5bdf0..c75a3e46 100644 --- a/node/Peer.cpp +++ b/node/Peer.cpp @@ -156,7 +156,7 @@ void Peer::received( } } - if (!pathIsConfirmed) { + if ((!pathIsConfirmed)&&(RR->node->shouldUsePathForZeroTierTraffic(localAddr,remoteAddr))) { if (verb == Packet::VERB_OK) { Path *slot = (Path *)0; diff --git a/service/OneService.cpp b/service/OneService.cpp index 57e1718d..84ebdd87 100644 --- a/service/OneService.cpp +++ b/service/OneService.cpp @@ -397,6 +397,7 @@ static long SnodeDataStoreGetFunction(ZT_Node *node,void *uptr,const char *name, static int SnodeDataStorePutFunction(ZT_Node *node,void *uptr,const char *name,const void *data,unsigned long len,int secure); static int SnodeWirePacketSendFunction(ZT_Node *node,void *uptr,const struct sockaddr_storage *localAddr,const struct sockaddr_storage *addr,const void *data,unsigned int len,unsigned int ttl); static void SnodeVirtualNetworkFrameFunction(ZT_Node *node,void *uptr,uint64_t nwid,uint64_t sourceMac,uint64_t destMac,unsigned int etherType,unsigned int vlanId,const void *data,unsigned int len); +static int SnodePathCheckFunction(ZT_Node *node,void *uptr,const struct sockaddr_storage *localAddr,const struct sockaddr_storage *remoteAddr); #ifdef ZT_ENABLE_CLUSTER static void SclusterSendFunction(void *uptr,unsigned int toMemberId,const void *data,unsigned int len); @@ -592,6 +593,7 @@ public: SnodeWirePacketSendFunction, SnodeVirtualNetworkFrameFunction, SnodeVirtualNetworkConfigFunction, + SnodePathCheckFunction, SnodeEventCallback); #ifdef ZT_USE_MINIUPNPC @@ -1393,6 +1395,22 @@ public: t->second->put(MAC(sourceMac),MAC(destMac),etherType,data,len); } + inline int nodePathCheckFunction(const struct sockaddr_storage *localAddr,const struct sockaddr_storage *remoteAddr) + { + Mutex::Lock _l(_taps_m); + for(std::map< uint64_t,EthernetTap * >::const_iterator t(_taps.begin());t!=_taps.end();++t) { + if (t->second) { + std::vector ips(t->second->ips()); + for(std::vector::const_iterator i(ips.begin());i!=ips.end();++i) { + if (i->containsAddress(*(reinterpret_cast(remoteAddr)))) { + return 0; + } + } + } + } + return 1; + } + inline void tapFrameHandler(uint64_t nwid,const MAC &from,const MAC &to,unsigned int etherType,unsigned int vlanId,const void *data,unsigned int len) { _node->processVirtualNetworkFrame(OSUtils::now(),nwid,from.toInt(),to.toInt(),etherType,vlanId,data,len,&_nextBackgroundTaskDeadline); @@ -1527,6 +1545,8 @@ static int SnodeWirePacketSendFunction(ZT_Node *node,void *uptr,const struct soc { return reinterpret_cast(uptr)->nodeWirePacketSendFunction(localAddr,addr,data,len,ttl); } static void SnodeVirtualNetworkFrameFunction(ZT_Node *node,void *uptr,uint64_t nwid,uint64_t sourceMac,uint64_t destMac,unsigned int etherType,unsigned int vlanId,const void *data,unsigned int len) { reinterpret_cast(uptr)->nodeVirtualNetworkFrameFunction(nwid,sourceMac,destMac,etherType,vlanId,data,len); } +static int SnodePathCheckFunction(ZT_Node *node,void *uptr,const struct sockaddr_storage *localAddr,const struct sockaddr_storage *remoteAddr) +{ return reinterpret_cast(uptr)->nodePathCheckFunction(localAddr,remoteAddr); } #ifdef ZT_ENABLE_CLUSTER static void SclusterSendFunction(void *uptr,unsigned int toMemberId,const void *data,unsigned int len) -- cgit v1.2.3