From 4f8feaa530b91f8009fcdfdc1d8d7fb06dc4e79f Mon Sep 17 00:00:00 2001
From: Grant Limberg <grant.limberg@zerotier.com>
Date: Tue, 8 Nov 2016 10:23:25 -0800
Subject: update JSON API docs for OneService

---
 service/README.md | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'service')
diff --git a/service/README.md b/service/README.md
index 75c437dd..8fe6a3af 100644
--- a/service/README.md
+++ b/service/README.md
@@ -25,6 +25,8 @@ A *jsonp* URL argument may be supplied to request JSONP encapsulation. A JSONP r
 <tr><td><b>Field</b></td><td><b>Type</b></td><td><b>Description</b></td><td><b>Writable</b></td></tr>
 <tr><td>address</td><td>string</td><td>10-digit hexadecimal ZeroTier address of this node</td><td>no</td></tr>
 <tr><td>publicIdentity</td><td>string</td><td>Full public ZeroTier identity of this node</td><td>no</td></tr>
+<tr><td>worldId</td><td>integer</td><td>Fixed value representing the virtual data center of Earth.</td><td>no</td></tr>
+<tr><td>worldTimestamp</td><td>integer</td><td>Timestamp of the last root server topology change.</td><td>no</td></tr>
 <tr><td>online</td><td>boolean</td><td>Does this node appear to have upstream network access?</td><td>no</td></tr>
 <tr><td>tcpFallbackActive</td><td>boolean</td><td>Is TCP fallback mode active?</td><td>no</td></tr>
 <tr><td>versionMajor</td><td>integer</td><td>ZeroTier major version</td><td>no</td></tr>
@@ -77,11 +79,21 @@ Most network settings are not writable, as they are defined by the network contr
 <tr><td>broadcastEnabled</td><td>boolean</td><td>Is Ethernet broadcast (ff:ff:ff:ff:ff:ff) allowed?</td><td>no</td></tr>
 <tr><td>portError</td><td>integer</td><td>Error code (if any) returned by underlying OS "tap" driver</td><td>no</td></tr>
 <tr><td>netconfRevision</td><td>integer</td><td>Network configuration revision ID</td><td>no</td></tr>
-<tr><td>multicastSubscriptions</td><td>[string]</td><td>Multicast memberships as array of MAC/ADI tuples</td><td>no</td></tr>
 <tr><td>assignedAddresses</td><td>[string]</td><td>ZeroTier-managed IP address assignments as array of IP/netmask bits tuples</td><td>no</td></tr>
+<tr><td>routes</td><td>[route]</td><td>ZeroTier-managed route assignments for a network. See below for a description of the route object.</td><td>no</td></tr>
 <tr><td>portDeviceName</td><td>string</td><td>OS-specific network device name (if available)</td><td>no</td></tr>
 </table>
 
+`route` objects
+
+<table>
+<tr><td><b>Field</b></td><td><b>Type</b></td><td><b>Description</b></td><td><b>Writable</b></td></tr>
+<tr><td>target</td><td>string</td><td>Target network / netmask bits, NULL, or 0.0.0.0/0 for default route</td><td>no</td></tr>
+<tr><td>via</td><td>string</td><td>Gateway IP address</td><td>no</td></tr>
+<tr><td>flags</td><td>integer</td><td>Route flags</td><td>no</td></tr>
+<tr><td>metric</td><td>integer</td><td>Route metric (not currently used)</td><td>no</td></tr>
+</table>
+
 #### /peer
 
  * Purpose: Get all peers
-- 
cgit v1.2.3


From 00e1b0ed1028e0da3ec4c56cacf72e99e91452db Mon Sep 17 00:00:00 2001
From: Grant Limberg <grant.limberg@zerotier.com>
Date: Tue, 8 Nov 2016 11:00:48 -0800
Subject: added docs for allowManaged, allowGlobal, allowDefault

---
 service/README.md | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'service')

diff --git a/service/README.md b/service/README.md
index 8fe6a3af..1c71fbdc 100644
--- a/service/README.md
+++ b/service/README.md
@@ -82,6 +82,9 @@ Most network settings are not writable, as they are defined by the network contr
 <tr><td>assignedAddresses</td><td>[string]</td><td>ZeroTier-managed IP address assignments as array of IP/netmask bits tuples</td><td>no</td></tr>
 <tr><td>routes</td><td>[route]</td><td>ZeroTier-managed route assignments for a network. See below for a description of the route object.</td><td>no</td></tr>
 <tr><td>portDeviceName</td><td>string</td><td>OS-specific network device name (if available)</td><td>no</td></tr>
+<tr><td>allowManaged</td><td>boolean</td><td>Whether ZeroTier-managed IP addresses are allowed.</td><td>yes</td></tr>
+<tr><td>allowGlobal</td><td>boolean</td><td>Whether globally-reachable IP addresses are allowed to be assigned.</td><td>yes</td></tr>
+<tr><td>allowDefault</td><td>boolean</td><td>Whether a default route is allowed to be assigned for the network (route all traffic via ZeroTier)</td><td>yes</td></tr> 
 </table>
 
 `route` objects
-- 
cgit v1.2.3


From c61ca1dea2001d8b77bf6b1f44da4246c3088e32 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko <adam.ierymenko@gmail.com>
Date: Wed, 9 Nov 2016 16:04:08 -0800
Subject: Keep connections up for netconf stuff as well as frames.

---
 include/ZeroTierOne.h    | 10 ----------
 node/Node.cpp            |  2 --
 node/Peer.cpp            | 17 +++++++++++------
 node/Peer.hpp            | 20 ++------------------
 service/ControlPlane.cpp |  4 ----
 service/README.md        |  2 --
 6 files changed, 13 insertions(+), 42 deletions(-)

(limited to 'service')

diff --git a/include/ZeroTierOne.h b/include/ZeroTierOne.h
index 17112e90..d0fef1f1 100644
--- a/include/ZeroTierOne.h
+++ b/include/ZeroTierOne.h
@@ -1018,16 +1018,6 @@ typedef struct
 	 */
 	uint64_t address;
 
-	/**
-	 * Time we last received a unicast frame from this peer
-	 */
-	uint64_t lastUnicastFrame;
-
-	/**
-	 * Time we last received a multicast rame from this peer
-	 */
-	uint64_t lastMulticastFrame;
-
 	/**
 	 * Remote major version or -1 if not known
 	 */
diff --git a/node/Node.cpp b/node/Node.cpp
index db9b8ea0..9314478f 100644
--- a/node/Node.cpp
+++ b/node/Node.cpp
@@ -405,8 +405,6 @@ ZT_PeerList *Node::peers() const
 	for(std::vector< std::pair< Address,SharedPtr<Peer> > >::iterator pi(peers.begin());pi!=peers.end();++pi) {
 		ZT_Peer *p = &(pl->peers[pl->peerCount++]);
 		p->address = pi->second->address().toInt();
-		p->lastUnicastFrame = pi->second->lastUnicastFrame();
-		p->lastMulticastFrame = pi->second->lastMulticastFrame();
 		if (pi->second->remoteVersionKnown()) {
 			p->versionMajor = pi->second->remoteVersionMajor();
 			p->versionMinor = pi->second->remoteVersionMinor();
diff --git a/node/Peer.cpp b/node/Peer.cpp
index 87882dad..94fb5298 100644
--- a/node/Peer.cpp
+++ b/node/Peer.cpp
@@ -42,8 +42,7 @@ static uint32_t _natKeepaliveBuf = 0;
 
 Peer::Peer(const RuntimeEnvironment *renv,const Identity &myIdentity,const Identity &peerIdentity) :
 	_lastReceive(0),
-	_lastUnicastFrame(0),
-	_lastMulticastFrame(0),
+	_lastNontrivialReceive(0),
 	_lastDirectPathPushSent(0),
 	_lastDirectPathPushReceive(0),
 	_lastCredentialRequestSent(0),
@@ -128,10 +127,16 @@ void Peer::received(
 #endif
 
 	_lastReceive = now;
-	if ((verb == Packet::VERB_FRAME)||(verb == Packet::VERB_EXT_FRAME))
-		_lastUnicastFrame = now;
-	else if (verb == Packet::VERB_MULTICAST_FRAME)
-		_lastMulticastFrame = now;
+	switch (verb) {
+		case Packet::VERB_FRAME:
+		case Packet::VERB_EXT_FRAME:
+		case Packet::VERB_NETWORK_CONFIG_REQUEST:
+		case Packet::VERB_NETWORK_CONFIG:
+		case Packet::VERB_MULTICAST_FRAME:
+			_lastNontrivialReceive = now;
+			break;
+		default: break;
+	}
 
 	if (trustEstablished) {
 		_lastTrustEstablishedPacketReceived = now;
diff --git a/node/Peer.hpp b/node/Peer.hpp
index d0589ccf..be05aa3a 100644
--- a/node/Peer.hpp
+++ b/node/Peer.hpp
@@ -226,25 +226,10 @@ public:
 	 */
 	inline bool isAlive(const uint64_t now) const { return ((now - _lastReceive) < ZT_PEER_ACTIVITY_TIMEOUT); }
 
-	/**
-	 * @return Time of most recent unicast frame received
-	 */
-	inline uint64_t lastUnicastFrame() const { return _lastUnicastFrame; }
-
-	/**
-	 * @return Time of most recent multicast frame received
-	 */
-	inline uint64_t lastMulticastFrame() const { return _lastMulticastFrame; }
-
-	/**
-	 * @return Time of most recent frame of any kind (unicast or multicast)
-	 */
-	inline uint64_t lastFrame() const { return std::max(_lastUnicastFrame,_lastMulticastFrame); }
-
 	/**
 	 * @return True if this peer has sent us real network traffic recently
 	 */
-	inline uint64_t isActive(uint64_t now) const { return ((now - lastFrame()) < ZT_PEER_ACTIVITY_TIMEOUT); }
+	inline uint64_t isActive(uint64_t now) const { return ((now - _lastNontrivialReceive) < ZT_PEER_ACTIVITY_TIMEOUT); }
 
 	/**
 	 * @return Latency in milliseconds or 0 if unknown
@@ -469,8 +454,7 @@ private:
 	uint8_t _key[ZT_PEER_SECRET_KEY_LENGTH];
 	uint8_t _remoteClusterOptimal6[16];
 	uint64_t _lastReceive; // direct or indirect
-	uint64_t _lastUnicastFrame;
-	uint64_t _lastMulticastFrame;
+	uint64_t _lastNontrivialReceive; // frames, things like netconf, etc.
 	uint64_t _lastDirectPathPushSent;
 	uint64_t _lastDirectPathPushReceive;
 	uint64_t _lastCredentialRequestSent;
diff --git a/service/ControlPlane.cpp b/service/ControlPlane.cpp
index 5c135636..f14bae54 100644
--- a/service/ControlPlane.cpp
+++ b/service/ControlPlane.cpp
@@ -222,8 +222,6 @@ static void _jsonAppend(unsigned int depth,std::string &buf,const ZT_Peer *peer)
 	Utils::snprintf(json,sizeof(json),
 		"%s{\n"
 		"%s\t\"address\": \"%.10llx\",\n"
-		"%s\t\"lastUnicastFrame\": %llu,\n"
-		"%s\t\"lastMulticastFrame\": %llu,\n"
 		"%s\t\"versionMajor\": %d,\n"
 		"%s\t\"versionMinor\": %d,\n"
 		"%s\t\"versionRev\": %d,\n"
@@ -234,8 +232,6 @@ static void _jsonAppend(unsigned int depth,std::string &buf,const ZT_Peer *peer)
 		"%s}",
 		prefix,
 		prefix,peer->address,
-		prefix,peer->lastUnicastFrame,
-		prefix,peer->lastMulticastFrame,
 		prefix,peer->versionMajor,
 		prefix,peer->versionMinor,
 		prefix,peer->versionRev,
diff --git a/service/README.md b/service/README.md
index 1c71fbdc..f487f2bc 100644
--- a/service/README.md
+++ b/service/README.md
@@ -114,8 +114,6 @@ Getting /peer returns an array of peer objects for all current peers. See below
 <table>
 <tr><td><b>Field</b></td><td><b>Type</b></td><td><b>Description</b></td><td><b>Writable</b></td></tr>
 <tr><td>address</td><td>string</td><td>10-digit hex ZeroTier address</td><td>no</td></tr>
-<tr><td>lastUnicastFrame</td><td>integer</td><td>Time of last unicast frame in ms since epoch</td><td>no</td></tr>
-<tr><td>lastMulticastFrame</td><td>integer</td><td>Time of last multicast frame in ms since epoch</td><td>no</td></tr>
 <tr><td>versionMajor</td><td>integer</td><td>Major version of remote if known</td><td>no</td></tr>
 <tr><td>versionMinor</td><td>integer</td><td>Minor version of remote if known</td><td>no</td></tr>
 <tr><td>versionRev</td><td>integer</td><td>Revision of remote if known</td><td>no</td></tr>
-- 
cgit v1.2.3


From ee5bd57d40f793baaf596a038f1446b29b1e86a4 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko <adam.ierymenko@gmail.com>
Date: Mon, 14 Nov 2016 15:29:36 -0800
Subject: We don't bind to non-local IP for TCP yet, but eliminate double
 check.

---
 service/OneService.cpp | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

(limited to 'service')

diff --git a/service/OneService.cpp b/service/OneService.cpp
index 30e6c938..fcbccd63 100644
--- a/service/OneService.cpp
+++ b/service/OneService.cpp
@@ -1259,12 +1259,10 @@ public:
 
 	inline void phyOnTcpAccept(PhySocket *sockL,PhySocket *sockN,void **uptrL,void **uptrN,const struct sockaddr *from)
 	{
-		if ((!from)||(reinterpret_cast<const InetAddress *>(from)->ipScope() != InetAddress::IP_SCOPE_LOOPBACK)) {
-			// Non-Loopback: deny (for now)
+		if (!from) {
 			_phy.close(sockN,false);
 			return;
 		} else {
-			// Loopback == HTTP JSON API request
 			TcpConnection *tc = new TcpConnection();
 			_tcpConnections.insert(tc);
 			tc->type = TcpConnection::TCP_HTTP_INCOMING;
-- 
cgit v1.2.3


From b6c99ba3efeb51c7f08c1a4b1392f3942258195d Mon Sep 17 00:00:00 2001
From: Adam Ierymenko <adam.ierymenko@gmail.com>
Date: Mon, 14 Nov 2016 15:47:06 -0800
Subject: Add (currently undocumented) option to allow management from certain
 networks.

---
 one.cpp                | 11 ++++++++++-
 service/OneService.cpp | 37 +++++++++++++++++++++++--------------
 service/OneService.hpp |  4 +++-
 3 files changed, 36 insertions(+), 16 deletions(-)

(limited to 'service')

diff --git a/one.cpp b/one.cpp
index 55cc2e19..51cda0c7 100644
--- a/one.cpp
+++ b/one.cpp
@@ -973,6 +973,7 @@ int main(int argc,char **argv)
 	std::string homeDir;
 	unsigned int port = ZT_DEFAULT_PORT;
 	bool skipRootCheck = false;
+	const char *allowManagementFrom = (const char *)0;
 
 	for(int i=1;i<argc;++i) {
 		if (argv[i][0] == '-') {
@@ -986,6 +987,14 @@ int main(int argc,char **argv)
 					}
 					break;
 
+				case 'M': // allow management from this IP/bits network
+					allowManagementFrom = argv[i] + 2;
+					if (!strlen(allowManagementFrom)) {
+						printHelp(argv[0],stdout);
+						return 1;
+					}
+					break;
+
 #ifdef __UNIX_LIKE__
 				case 'd': // Run in background as daemon
 					runAsDaemon = true;
@@ -1167,7 +1176,7 @@ int main(int argc,char **argv)
 	unsigned int returnValue = 0;
 
 	for(;;) {
-		zt1Service = OneService::newInstance(homeDir.c_str(),port);
+		zt1Service = OneService::newInstance(homeDir.c_str(),port,allowManagementFrom);
 		switch(zt1Service->run()) {
 			case OneService::ONE_STILL_RUNNING: // shouldn't happen, run() won't return until done
 			case OneService::ONE_NORMAL_TERMINATION:
diff --git a/service/OneService.cpp b/service/OneService.cpp
index fcbccd63..91063bad 100644
--- a/service/OneService.cpp
+++ b/service/OneService.cpp
@@ -483,6 +483,7 @@ public:
 
 	const std::string _homePath;
 	BackgroundResolver _tcpFallbackResolver;
+	InetAddress _allowManagementFrom;
 	EmbeddedNetworkController *_controller;
 	Phy<OneServiceImpl *> _phy;
 	Node *_node;
@@ -570,7 +571,7 @@ public:
 
 	// end member variables ----------------------------------------------------
 
-	OneServiceImpl(const char *hp,unsigned int port) :
+	OneServiceImpl(const char *hp,unsigned int port,const char *allowManagementFrom) :
 		_homePath((hp) ? hp : ".")
 		,_tcpFallbackResolver(ZT_TCP_FALLBACK_RELAY)
 		,_controller((EmbeddedNetworkController *)0)
@@ -595,6 +596,9 @@ public:
 #endif
 		,_run(true)
 	{
+		if (allowManagementFrom)
+			_allowManagementFrom.fromString(allowManagementFrom);
+
 		_ports[0] = 0;
 		_ports[1] = 0;
 		_ports[2] = 0;
@@ -614,7 +618,7 @@ public:
 				struct sockaddr_in in4;
 				memset(&in4,0,sizeof(in4));
 				in4.sin_family = AF_INET;
-				in4.sin_addr.s_addr = Utils::hton((uint32_t)0x7f000001); // right now we just listen for TCP @127.0.0.1
+				in4.sin_addr.s_addr = Utils::hton((uint32_t)((allowManagementFrom) ? 0 : 0x7f000001)); // right now we just listen for TCP @127.0.0.1
 				in4.sin_port = Utils::hton((uint16_t)port);
 				_v4TcpControlSocket = _phy.tcpListen((const struct sockaddr *)&in4,this);
 
@@ -622,7 +626,8 @@ public:
 				memset((void *)&in6,0,sizeof(in6));
 				in6.sin6_family = AF_INET6;
 				in6.sin6_port = in4.sin_port;
-				in6.sin6_addr.s6_addr[15] = 1; // IPv6 localhost == ::1
+				if (!allowManagementFrom)
+					in6.sin6_addr.s6_addr[15] = 1; // IPv6 localhost == ::1
 				_v6TcpControlSocket = _phy.tcpListen((const struct sockaddr *)&in6,this);
 
 				// We must bind one of IPv4 or IPv6 -- support either failing to support hosts that
@@ -1699,16 +1704,20 @@ public:
 		std::string contentType("text/plain"); // default if not changed in handleRequest()
 		unsigned int scode = 404;
 
-		try {
-			if (_controlPlane)
-				scode = _controlPlane->handleRequest(tc->from,tc->parser.method,tc->url,tc->headers,tc->body,data,contentType);
-			else scode = 500;
-		} catch (std::exception &exc) {
-			fprintf(stderr,"WARNING: unexpected exception processing control HTTP request: %s" ZT_EOL_S,exc.what());
-			scode = 500;
-		} catch ( ... ) {
-			fprintf(stderr,"WARNING: unexpected exception processing control HTTP request: unknown exceptino" ZT_EOL_S);
-			scode = 500;
+		if ( ((!_allowManagementFrom)&&(tc->from.ipScope() == InetAddress::IP_SCOPE_LOOPBACK)) || (_allowManagementFrom.containsAddress(tc->from)) ) {
+			try {
+				if (_controlPlane)
+					scode = _controlPlane->handleRequest(tc->from,tc->parser.method,tc->url,tc->headers,tc->body,data,contentType);
+				else scode = 500;
+			} catch (std::exception &exc) {
+				fprintf(stderr,"WARNING: unexpected exception processing control HTTP request: %s" ZT_EOL_S,exc.what());
+				scode = 500;
+			} catch ( ... ) {
+				fprintf(stderr,"WARNING: unexpected exception processing control HTTP request: unknown exceptino" ZT_EOL_S);
+				scode = 500;
+			}
+		} else {
+			scode = 401;
 		}
 
 		const char *scodestr;
@@ -1973,7 +1982,7 @@ std::string OneService::autoUpdateUrl()
 	return std::string();
 }
 
-OneService *OneService::newInstance(const char *hp,unsigned int port) { return new OneServiceImpl(hp,port); }
+OneService *OneService::newInstance(const char *hp,unsigned int port,const char *allowManagementFrom) { return new OneServiceImpl(hp,port,allowManagementFrom); }
 OneService::~OneService() {}
 
 } // namespace ZeroTier
diff --git a/service/OneService.hpp b/service/OneService.hpp
index 72ff7d84..553bfd5e 100644
--- a/service/OneService.hpp
+++ b/service/OneService.hpp
@@ -98,10 +98,12 @@ public:
 	 *
 	 * @param hp Home path
 	 * @param port TCP and UDP port for packets and HTTP control (if 0, pick random port)
+	 * @param allowManagementFrom If non-NULL, allow control from supplied IP/netmask
 	 */
 	static OneService *newInstance(
 		const char *hp,
-		unsigned int port);
+		unsigned int port,
+		const char *allowManagementFrom = (const char *)0);
 
 	virtual ~OneService();
 
-- 
cgit v1.2.3


From 4ad942522ba17d94ac68a450ff29d7f6159c2202 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko <adam.ierymenko@gmail.com>
Date: Mon, 14 Nov 2016 15:57:46 -0800
Subject: Kill unnecessary check in another spot.

---
 service/ControlPlane.cpp | 3 ---
 1 file changed, 3 deletions(-)

(limited to 'service')

diff --git a/service/ControlPlane.cpp b/service/ControlPlane.cpp
index f14bae54..150bba1b 100644
--- a/service/ControlPlane.cpp
+++ b/service/ControlPlane.cpp
@@ -270,9 +270,6 @@ unsigned int ControlPlane::handleRequest(
 	std::map<std::string,std::string> urlArgs;
 	Mutex::Lock _l(_lock);
 
-	if (!((fromAddress.ipsEqual(InetAddress::LO4))||(fromAddress.ipsEqual(InetAddress::LO6))))
-		return 403; // Forbidden: we only allow access from localhost right now
-
 	/* Note: this is kind of restricted in what it'll take. It does not support
 	 * URL encoding, and /'s in URL args will screw it up. But the only URL args
 	 * it really uses in ?jsonp=funcionName, and otherwise it just takes simple
-- 
cgit v1.2.3


Field	Type	Description	Writable
target	string	Target network / netmask bits, NULL, or 0.0.0.0/0 for default route	no
via	string	Gateway IP address	no
flags	integer	Route flags	no
metric	integer	Route metric (not currently used)	no