mirror of
https://github.com/cwinfo/yggdrasil-go.git
synced 2024-11-26 16:31:41 +00:00
Merge pull request #512 from neilalexander/cryptokey
Cryptokey routing changes
This commit is contained in:
commit
12ce8c6a0a
@ -80,6 +80,24 @@ func readConfig(useconf *bool, useconffile *string, normaliseconf *bool) *config
|
|||||||
if listen, ok := dat["Listen"].(string); ok {
|
if listen, ok := dat["Listen"].(string); ok {
|
||||||
dat["Listen"] = []string{listen}
|
dat["Listen"] = []string{listen}
|
||||||
}
|
}
|
||||||
|
if tunnelrouting, ok := dat["TunnelRouting"].(map[string]interface{}); ok {
|
||||||
|
if c, ok := tunnelrouting["IPv4Sources"]; ok {
|
||||||
|
delete(tunnelrouting, "IPv4Sources")
|
||||||
|
tunnelrouting["IPv4LocalSubnets"] = c
|
||||||
|
}
|
||||||
|
if c, ok := tunnelrouting["IPv6Sources"]; ok {
|
||||||
|
delete(tunnelrouting, "IPv6Sources")
|
||||||
|
tunnelrouting["IPv6LocalSubnets"] = c
|
||||||
|
}
|
||||||
|
if c, ok := tunnelrouting["IPv4Destinations"]; ok {
|
||||||
|
delete(tunnelrouting, "IPv4Destinations")
|
||||||
|
tunnelrouting["IPv4RemoteSubnets"] = c
|
||||||
|
}
|
||||||
|
if c, ok := tunnelrouting["IPv6Destinations"]; ok {
|
||||||
|
delete(tunnelrouting, "IPv6Destinations")
|
||||||
|
tunnelrouting["IPv6RemoteSubnets"] = c
|
||||||
|
}
|
||||||
|
}
|
||||||
// Sanitise the config
|
// Sanitise the config
|
||||||
confJson, err := json.Marshal(dat)
|
confJson, err := json.Marshal(dat)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -74,11 +74,11 @@ type SessionFirewall struct {
|
|||||||
|
|
||||||
// TunnelRouting contains the crypto-key routing tables for tunneling
|
// TunnelRouting contains the crypto-key routing tables for tunneling
|
||||||
type TunnelRouting struct {
|
type TunnelRouting struct {
|
||||||
Enable bool `comment:"Enable or disable tunnel routing."`
|
Enable bool `comment:"Enable or disable tunnel routing."`
|
||||||
IPv6Destinations map[string]string `comment:"IPv6 CIDR subnets, mapped to the EncryptionPublicKey to which they\nshould be routed, e.g. { \"aaaa:bbbb:cccc::/e\": \"boxpubkey\", ... }"`
|
IPv6RemoteSubnets map[string]string `comment:"IPv6 subnets belonging to remote nodes, mapped to the node's public\nkey, e.g. { \"aaaa:bbbb:cccc::/e\": \"boxpubkey\", ... }"`
|
||||||
IPv6Sources []string `comment:"Optional IPv6 source subnets which are allowed to be tunnelled in\naddition to this node's Yggdrasil address/subnet. If not\nspecified, only traffic originating from this node's Yggdrasil\naddress or subnet will be tunnelled."`
|
IPv6LocalSubnets []string `comment:"IPv6 subnets belonging to this node's end of the tunnels. Only traffic\nfrom these ranges (or the Yggdrasil node's IPv6 address/subnet)\nwill be tunnelled."`
|
||||||
IPv4Destinations map[string]string `comment:"IPv4 CIDR subnets, mapped to the EncryptionPublicKey to which they\nshould be routed, e.g. { \"a.b.c.d/e\": \"boxpubkey\", ... }"`
|
IPv4RemoteSubnets map[string]string `comment:"IPv4 subnets belonging to remote nodes, mapped to the node's public\nkey, e.g. { \"a.b.c.d/e\": \"boxpubkey\", ... }"`
|
||||||
IPv4Sources []string `comment:"IPv4 source subnets which are allowed to be tunnelled. Unlike for\nIPv6, this option is required for bridging IPv4 traffic. Only\ntraffic with a source matching these subnets will be tunnelled."`
|
IPv4LocalSubnets []string `comment:"IPv4 subnets belonging to this node's end of the tunnels. Only traffic\nfrom these ranges will be tunnelled."`
|
||||||
}
|
}
|
||||||
|
|
||||||
// SwitchOptions contains tuning options for the switch
|
// SwitchOptions contains tuning options for the switch
|
||||||
|
@ -66,15 +66,15 @@ func (t *TunAdapter) SetupAdminHandlers(a *admin.AdminSocket) {
|
|||||||
t.ckr.setEnabled(enabled)
|
t.ckr.setEnabled(enabled)
|
||||||
return admin.Info{"enabled": enabled}, nil
|
return admin.Info{"enabled": enabled}, nil
|
||||||
})
|
})
|
||||||
a.AddHandler("addSourceSubnet", []string{"subnet"}, func(in admin.Info) (admin.Info, error) {
|
a.AddHandler("addLocalSubnet", []string{"subnet"}, func(in admin.Info) (admin.Info, error) {
|
||||||
if err := t.ckr.addSourceSubnet(in["subnet"].(string)); err == nil {
|
if err := t.ckr.addLocalSubnet(in["subnet"].(string)); err == nil {
|
||||||
return admin.Info{"added": []string{in["subnet"].(string)}}, nil
|
return admin.Info{"added": []string{in["subnet"].(string)}}, nil
|
||||||
} else {
|
} else {
|
||||||
return admin.Info{"not_added": []string{in["subnet"].(string)}}, errors.New("Failed to add source subnet")
|
return admin.Info{"not_added": []string{in["subnet"].(string)}}, errors.New("Failed to add source subnet")
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
a.AddHandler("addRoute", []string{"subnet", "box_pub_key"}, func(in admin.Info) (admin.Info, error) {
|
a.AddHandler("addRemoteSubnet", []string{"subnet", "box_pub_key"}, func(in admin.Info) (admin.Info, error) {
|
||||||
if err := t.ckr.addRoute(in["subnet"].(string), in["box_pub_key"].(string)); err == nil {
|
if err := t.ckr.addRemoteSubnet(in["subnet"].(string), in["box_pub_key"].(string)); err == nil {
|
||||||
return admin.Info{"added": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, nil
|
return admin.Info{"added": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, nil
|
||||||
} else {
|
} else {
|
||||||
return admin.Info{"not_added": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, errors.New("Failed to add route")
|
return admin.Info{"not_added": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, errors.New("Failed to add route")
|
||||||
@ -87,8 +87,8 @@ func (t *TunAdapter) SetupAdminHandlers(a *admin.AdminSocket) {
|
|||||||
subnets = append(subnets, subnet.String())
|
subnets = append(subnets, subnet.String())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
getSourceSubnets(t.ckr.ipv4sources)
|
getSourceSubnets(t.ckr.ipv4locals)
|
||||||
getSourceSubnets(t.ckr.ipv6sources)
|
getSourceSubnets(t.ckr.ipv6locals)
|
||||||
return admin.Info{"source_subnets": subnets}, nil
|
return admin.Info{"source_subnets": subnets}, nil
|
||||||
})
|
})
|
||||||
a.AddHandler("getRoutes", []string{}, func(in admin.Info) (admin.Info, error) {
|
a.AddHandler("getRoutes", []string{}, func(in admin.Info) (admin.Info, error) {
|
||||||
@ -98,19 +98,19 @@ func (t *TunAdapter) SetupAdminHandlers(a *admin.AdminSocket) {
|
|||||||
routes[ckr.subnet.String()] = hex.EncodeToString(ckr.destination[:])
|
routes[ckr.subnet.String()] = hex.EncodeToString(ckr.destination[:])
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
getRoutes(t.ckr.ipv4routes)
|
getRoutes(t.ckr.ipv4remotes)
|
||||||
getRoutes(t.ckr.ipv6routes)
|
getRoutes(t.ckr.ipv6remotes)
|
||||||
return admin.Info{"routes": routes}, nil
|
return admin.Info{"routes": routes}, nil
|
||||||
})
|
})
|
||||||
a.AddHandler("removeSourceSubnet", []string{"subnet"}, func(in admin.Info) (admin.Info, error) {
|
a.AddHandler("removeLocalSubnet", []string{"subnet"}, func(in admin.Info) (admin.Info, error) {
|
||||||
if err := t.ckr.removeSourceSubnet(in["subnet"].(string)); err == nil {
|
if err := t.ckr.removeLocalSubnet(in["subnet"].(string)); err == nil {
|
||||||
return admin.Info{"removed": []string{in["subnet"].(string)}}, nil
|
return admin.Info{"removed": []string{in["subnet"].(string)}}, nil
|
||||||
} else {
|
} else {
|
||||||
return admin.Info{"not_removed": []string{in["subnet"].(string)}}, errors.New("Failed to remove source subnet")
|
return admin.Info{"not_removed": []string{in["subnet"].(string)}}, errors.New("Failed to remove source subnet")
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
a.AddHandler("removeRoute", []string{"subnet", "box_pub_key"}, func(in admin.Info) (admin.Info, error) {
|
a.AddHandler("removeRemoteSubnet", []string{"subnet", "box_pub_key"}, func(in admin.Info) (admin.Info, error) {
|
||||||
if err := t.ckr.removeRoute(in["subnet"].(string), in["box_pub_key"].(string)); err == nil {
|
if err := t.ckr.removeRemoteSubnet(in["subnet"].(string), in["box_pub_key"].(string)); err == nil {
|
||||||
return admin.Info{"removed": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, nil
|
return admin.Info{"removed": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, nil
|
||||||
} else {
|
} else {
|
||||||
return admin.Info{"not_removed": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, errors.New("Failed to remove route")
|
return admin.Info{"not_removed": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, errors.New("Failed to remove route")
|
||||||
|
@ -21,15 +21,15 @@ type cryptokey struct {
|
|||||||
tun *TunAdapter
|
tun *TunAdapter
|
||||||
enabled atomic.Value // bool
|
enabled atomic.Value // bool
|
||||||
reconfigure chan chan error
|
reconfigure chan chan error
|
||||||
ipv4routes []cryptokey_route
|
ipv4remotes []cryptokey_route
|
||||||
ipv6routes []cryptokey_route
|
ipv6remotes []cryptokey_route
|
||||||
ipv4cache map[address.Address]cryptokey_route
|
ipv4cache map[address.Address]cryptokey_route
|
||||||
ipv6cache map[address.Address]cryptokey_route
|
ipv6cache map[address.Address]cryptokey_route
|
||||||
ipv4sources []net.IPNet
|
ipv4locals []net.IPNet
|
||||||
ipv6sources []net.IPNet
|
ipv6locals []net.IPNet
|
||||||
mutexroutes sync.RWMutex
|
mutexremotes sync.RWMutex
|
||||||
mutexcaches sync.RWMutex
|
mutexcaches sync.RWMutex
|
||||||
mutexsources sync.RWMutex
|
mutexlocals sync.RWMutex
|
||||||
}
|
}
|
||||||
|
|
||||||
type cryptokey_route struct {
|
type cryptokey_route struct {
|
||||||
@ -65,43 +65,43 @@ func (c *cryptokey) configure() error {
|
|||||||
c.setEnabled(current.TunnelRouting.Enable)
|
c.setEnabled(current.TunnelRouting.Enable)
|
||||||
|
|
||||||
// Clear out existing routes
|
// Clear out existing routes
|
||||||
c.mutexroutes.Lock()
|
c.mutexremotes.Lock()
|
||||||
c.ipv6routes = make([]cryptokey_route, 0)
|
c.ipv6remotes = make([]cryptokey_route, 0)
|
||||||
c.ipv4routes = make([]cryptokey_route, 0)
|
c.ipv4remotes = make([]cryptokey_route, 0)
|
||||||
c.mutexroutes.Unlock()
|
c.mutexremotes.Unlock()
|
||||||
|
|
||||||
// Add IPv6 routes
|
// Add IPv6 routes
|
||||||
for ipv6, pubkey := range current.TunnelRouting.IPv6Destinations {
|
for ipv6, pubkey := range current.TunnelRouting.IPv6RemoteSubnets {
|
||||||
if err := c.addRoute(ipv6, pubkey); err != nil {
|
if err := c.addRemoteSubnet(ipv6, pubkey); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Add IPv4 routes
|
// Add IPv4 routes
|
||||||
for ipv4, pubkey := range current.TunnelRouting.IPv4Destinations {
|
for ipv4, pubkey := range current.TunnelRouting.IPv4RemoteSubnets {
|
||||||
if err := c.addRoute(ipv4, pubkey); err != nil {
|
if err := c.addRemoteSubnet(ipv4, pubkey); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Clear out existing sources
|
// Clear out existing sources
|
||||||
c.mutexsources.Lock()
|
c.mutexlocals.Lock()
|
||||||
c.ipv6sources = make([]net.IPNet, 0)
|
c.ipv6locals = make([]net.IPNet, 0)
|
||||||
c.ipv4sources = make([]net.IPNet, 0)
|
c.ipv4locals = make([]net.IPNet, 0)
|
||||||
c.mutexsources.Unlock()
|
c.mutexlocals.Unlock()
|
||||||
|
|
||||||
// Add IPv6 sources
|
// Add IPv6 sources
|
||||||
c.ipv6sources = make([]net.IPNet, 0)
|
c.ipv6locals = make([]net.IPNet, 0)
|
||||||
for _, source := range current.TunnelRouting.IPv6Sources {
|
for _, source := range current.TunnelRouting.IPv6LocalSubnets {
|
||||||
if err := c.addSourceSubnet(source); err != nil {
|
if err := c.addLocalSubnet(source); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Add IPv4 sources
|
// Add IPv4 sources
|
||||||
c.ipv4sources = make([]net.IPNet, 0)
|
c.ipv4locals = make([]net.IPNet, 0)
|
||||||
for _, source := range current.TunnelRouting.IPv4Sources {
|
for _, source := range current.TunnelRouting.IPv4LocalSubnets {
|
||||||
if err := c.addSourceSubnet(source); err != nil {
|
if err := c.addLocalSubnet(source); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -128,35 +128,21 @@ func (c *cryptokey) isEnabled() bool {
|
|||||||
|
|
||||||
// Check whether the given address (with the address length specified in bytes)
|
// Check whether the given address (with the address length specified in bytes)
|
||||||
// matches either the current node's address, the node's routed subnet or the
|
// matches either the current node's address, the node's routed subnet or the
|
||||||
// list of subnets specified in IPv4Sources/IPv6Sources.
|
// list of subnets specified in ipv4locals/ipv6locals.
|
||||||
func (c *cryptokey) isValidSource(addr address.Address, addrlen int) bool {
|
func (c *cryptokey) isValidLocalAddress(addr address.Address, addrlen int) bool {
|
||||||
c.mutexsources.RLock()
|
c.mutexlocals.RLock()
|
||||||
defer c.mutexsources.RUnlock()
|
defer c.mutexlocals.RUnlock()
|
||||||
|
|
||||||
ip := net.IP(addr[:addrlen])
|
|
||||||
|
|
||||||
if addrlen == net.IPv6len {
|
|
||||||
// Does this match our node's address?
|
|
||||||
if bytes.Equal(addr[:16], c.tun.addr[:16]) {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
// Does this match our node's subnet?
|
|
||||||
if bytes.Equal(addr[:8], c.tun.subnet[:8]) {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Does it match a configured CKR source?
|
// Does it match a configured CKR source?
|
||||||
if c.isEnabled() {
|
if c.isEnabled() {
|
||||||
|
ip := net.IP(addr[:addrlen])
|
||||||
// Build our references to the routing sources
|
// Build our references to the routing sources
|
||||||
var routingsources *[]net.IPNet
|
var routingsources *[]net.IPNet
|
||||||
|
|
||||||
// Check if the prefix is IPv4 or IPv6
|
// Check if the prefix is IPv4 or IPv6
|
||||||
if addrlen == net.IPv6len {
|
if addrlen == net.IPv6len {
|
||||||
routingsources = &c.ipv6sources
|
routingsources = &c.ipv6locals
|
||||||
} else if addrlen == net.IPv4len {
|
} else if addrlen == net.IPv4len {
|
||||||
routingsources = &c.ipv4sources
|
routingsources = &c.ipv4locals
|
||||||
} else {
|
} else {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
@ -174,9 +160,9 @@ func (c *cryptokey) isValidSource(addr address.Address, addrlen int) bool {
|
|||||||
|
|
||||||
// Adds a source subnet, which allows traffic with these source addresses to
|
// Adds a source subnet, which allows traffic with these source addresses to
|
||||||
// be tunnelled using crypto-key routing.
|
// be tunnelled using crypto-key routing.
|
||||||
func (c *cryptokey) addSourceSubnet(cidr string) error {
|
func (c *cryptokey) addLocalSubnet(cidr string) error {
|
||||||
c.mutexsources.Lock()
|
c.mutexlocals.Lock()
|
||||||
defer c.mutexsources.Unlock()
|
defer c.mutexlocals.Unlock()
|
||||||
|
|
||||||
// Is the CIDR we've been given valid?
|
// Is the CIDR we've been given valid?
|
||||||
_, ipnet, err := net.ParseCIDR(cidr)
|
_, ipnet, err := net.ParseCIDR(cidr)
|
||||||
@ -192,9 +178,9 @@ func (c *cryptokey) addSourceSubnet(cidr string) error {
|
|||||||
|
|
||||||
// Check if the prefix is IPv4 or IPv6
|
// Check if the prefix is IPv4 or IPv6
|
||||||
if prefixsize == net.IPv6len*8 {
|
if prefixsize == net.IPv6len*8 {
|
||||||
routingsources = &c.ipv6sources
|
routingsources = &c.ipv6locals
|
||||||
} else if prefixsize == net.IPv4len*8 {
|
} else if prefixsize == net.IPv4len*8 {
|
||||||
routingsources = &c.ipv4sources
|
routingsources = &c.ipv4locals
|
||||||
} else {
|
} else {
|
||||||
return errors.New("Unexpected prefix size")
|
return errors.New("Unexpected prefix size")
|
||||||
}
|
}
|
||||||
@ -214,10 +200,10 @@ func (c *cryptokey) addSourceSubnet(cidr string) error {
|
|||||||
|
|
||||||
// Adds a destination route for the given CIDR to be tunnelled to the node
|
// Adds a destination route for the given CIDR to be tunnelled to the node
|
||||||
// with the given BoxPubKey.
|
// with the given BoxPubKey.
|
||||||
func (c *cryptokey) addRoute(cidr string, dest string) error {
|
func (c *cryptokey) addRemoteSubnet(cidr string, dest string) error {
|
||||||
c.mutexroutes.Lock()
|
c.mutexremotes.Lock()
|
||||||
c.mutexcaches.Lock()
|
c.mutexcaches.Lock()
|
||||||
defer c.mutexroutes.Unlock()
|
defer c.mutexremotes.Unlock()
|
||||||
defer c.mutexcaches.Unlock()
|
defer c.mutexcaches.Unlock()
|
||||||
|
|
||||||
// Is the CIDR we've been given valid?
|
// Is the CIDR we've been given valid?
|
||||||
@ -235,10 +221,10 @@ func (c *cryptokey) addRoute(cidr string, dest string) error {
|
|||||||
|
|
||||||
// Check if the prefix is IPv4 or IPv6
|
// Check if the prefix is IPv4 or IPv6
|
||||||
if prefixsize == net.IPv6len*8 {
|
if prefixsize == net.IPv6len*8 {
|
||||||
routingtable = &c.ipv6routes
|
routingtable = &c.ipv6remotes
|
||||||
routingcache = &c.ipv6cache
|
routingcache = &c.ipv6cache
|
||||||
} else if prefixsize == net.IPv4len*8 {
|
} else if prefixsize == net.IPv4len*8 {
|
||||||
routingtable = &c.ipv4routes
|
routingtable = &c.ipv4remotes
|
||||||
routingcache = &c.ipv4cache
|
routingcache = &c.ipv4cache
|
||||||
} else {
|
} else {
|
||||||
return errors.New("Unexpected prefix size")
|
return errors.New("Unexpected prefix size")
|
||||||
@ -323,14 +309,14 @@ func (c *cryptokey) getPublicKeyForAddress(addr address.Address, addrlen int) (c
|
|||||||
|
|
||||||
c.mutexcaches.RUnlock()
|
c.mutexcaches.RUnlock()
|
||||||
|
|
||||||
c.mutexroutes.RLock()
|
c.mutexremotes.RLock()
|
||||||
defer c.mutexroutes.RUnlock()
|
defer c.mutexremotes.RUnlock()
|
||||||
|
|
||||||
// Check if the prefix is IPv4 or IPv6
|
// Check if the prefix is IPv4 or IPv6
|
||||||
if addrlen == net.IPv6len {
|
if addrlen == net.IPv6len {
|
||||||
routingtable = &c.ipv6routes
|
routingtable = &c.ipv6remotes
|
||||||
} else if addrlen == net.IPv4len {
|
} else if addrlen == net.IPv4len {
|
||||||
routingtable = &c.ipv4routes
|
routingtable = &c.ipv4remotes
|
||||||
} else {
|
} else {
|
||||||
return crypto.BoxPubKey{}, errors.New("Unexpected prefix size")
|
return crypto.BoxPubKey{}, errors.New("Unexpected prefix size")
|
||||||
}
|
}
|
||||||
@ -339,7 +325,7 @@ func (c *cryptokey) getPublicKeyForAddress(addr address.Address, addrlen int) (c
|
|||||||
ip := make(net.IP, addrlen)
|
ip := make(net.IP, addrlen)
|
||||||
copy(ip[:addrlen], addr[:])
|
copy(ip[:addrlen], addr[:])
|
||||||
|
|
||||||
// Check if we have a route. At this point c.ipv6routes should be
|
// Check if we have a route. At this point c.ipv6remotes should be
|
||||||
// pre-sorted so that the most specific routes are first
|
// pre-sorted so that the most specific routes are first
|
||||||
for _, route := range *routingtable {
|
for _, route := range *routingtable {
|
||||||
// Does this subnet match the given IP?
|
// Does this subnet match the given IP?
|
||||||
@ -366,14 +352,14 @@ func (c *cryptokey) getPublicKeyForAddress(addr address.Address, addrlen int) (c
|
|||||||
}
|
}
|
||||||
|
|
||||||
// No route was found if we got to this point
|
// No route was found if we got to this point
|
||||||
return crypto.BoxPubKey{}, errors.New(fmt.Sprintf("No route to %s", ip.String()))
|
return crypto.BoxPubKey{}, fmt.Errorf("no route to %s", ip.String())
|
||||||
}
|
}
|
||||||
|
|
||||||
// Removes a source subnet, which allows traffic with these source addresses to
|
// Removes a source subnet, which allows traffic with these source addresses to
|
||||||
// be tunnelled using crypto-key routing.
|
// be tunnelled using crypto-key routing.
|
||||||
func (c *cryptokey) removeSourceSubnet(cidr string) error {
|
func (c *cryptokey) removeLocalSubnet(cidr string) error {
|
||||||
c.mutexsources.Lock()
|
c.mutexlocals.Lock()
|
||||||
defer c.mutexsources.Unlock()
|
defer c.mutexlocals.Unlock()
|
||||||
|
|
||||||
// Is the CIDR we've been given valid?
|
// Is the CIDR we've been given valid?
|
||||||
_, ipnet, err := net.ParseCIDR(cidr)
|
_, ipnet, err := net.ParseCIDR(cidr)
|
||||||
@ -389,9 +375,9 @@ func (c *cryptokey) removeSourceSubnet(cidr string) error {
|
|||||||
|
|
||||||
// Check if the prefix is IPv4 or IPv6
|
// Check if the prefix is IPv4 or IPv6
|
||||||
if prefixsize == net.IPv6len*8 {
|
if prefixsize == net.IPv6len*8 {
|
||||||
routingsources = &c.ipv6sources
|
routingsources = &c.ipv6locals
|
||||||
} else if prefixsize == net.IPv4len*8 {
|
} else if prefixsize == net.IPv4len*8 {
|
||||||
routingsources = &c.ipv4sources
|
routingsources = &c.ipv4locals
|
||||||
} else {
|
} else {
|
||||||
return errors.New("Unexpected prefix size")
|
return errors.New("Unexpected prefix size")
|
||||||
}
|
}
|
||||||
@ -409,10 +395,10 @@ func (c *cryptokey) removeSourceSubnet(cidr string) error {
|
|||||||
|
|
||||||
// Removes a destination route for the given CIDR to be tunnelled to the node
|
// Removes a destination route for the given CIDR to be tunnelled to the node
|
||||||
// with the given BoxPubKey.
|
// with the given BoxPubKey.
|
||||||
func (c *cryptokey) removeRoute(cidr string, dest string) error {
|
func (c *cryptokey) removeRemoteSubnet(cidr string, dest string) error {
|
||||||
c.mutexroutes.Lock()
|
c.mutexremotes.Lock()
|
||||||
c.mutexcaches.Lock()
|
c.mutexcaches.Lock()
|
||||||
defer c.mutexroutes.Unlock()
|
defer c.mutexremotes.Unlock()
|
||||||
defer c.mutexcaches.Unlock()
|
defer c.mutexcaches.Unlock()
|
||||||
|
|
||||||
// Is the CIDR we've been given valid?
|
// Is the CIDR we've been given valid?
|
||||||
@ -430,10 +416,10 @@ func (c *cryptokey) removeRoute(cidr string, dest string) error {
|
|||||||
|
|
||||||
// Check if the prefix is IPv4 or IPv6
|
// Check if the prefix is IPv4 or IPv6
|
||||||
if prefixsize == net.IPv6len*8 {
|
if prefixsize == net.IPv6len*8 {
|
||||||
routingtable = &c.ipv6routes
|
routingtable = &c.ipv6remotes
|
||||||
routingcache = &c.ipv6cache
|
routingcache = &c.ipv6cache
|
||||||
} else if prefixsize == net.IPv4len*8 {
|
} else if prefixsize == net.IPv4len*8 {
|
||||||
routingtable = &c.ipv4routes
|
routingtable = &c.ipv4remotes
|
||||||
routingcache = &c.ipv4cache
|
routingcache = &c.ipv4cache
|
||||||
} else {
|
} else {
|
||||||
return errors.New("Unexpected prefix size")
|
return errors.New("Unexpected prefix size")
|
||||||
|
@ -1,10 +1,12 @@
|
|||||||
package tuntap
|
package tuntap
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bytes"
|
||||||
"errors"
|
"errors"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/yggdrasil-network/yggdrasil-go/src/address"
|
"github.com/yggdrasil-network/yggdrasil-go/src/address"
|
||||||
|
"github.com/yggdrasil-network/yggdrasil-go/src/crypto"
|
||||||
"github.com/yggdrasil-network/yggdrasil-go/src/util"
|
"github.com/yggdrasil-network/yggdrasil-go/src/util"
|
||||||
"github.com/yggdrasil-network/yggdrasil-go/src/yggdrasil"
|
"github.com/yggdrasil-network/yggdrasil-go/src/yggdrasil"
|
||||||
"golang.org/x/net/icmp"
|
"golang.org/x/net/icmp"
|
||||||
@ -70,6 +72,63 @@ func (s *tunConn) reader() (err error) {
|
|||||||
return e
|
return e
|
||||||
}
|
}
|
||||||
} else if len(bs) > 0 {
|
} else if len(bs) > 0 {
|
||||||
|
ipv4 := len(bs) > 20 && bs[0]&0xf0 == 0x40
|
||||||
|
ipv6 := len(bs) > 40 && bs[0]&0xf0 == 0x60
|
||||||
|
isCGA := true
|
||||||
|
// Check source addresses
|
||||||
|
switch {
|
||||||
|
case ipv6 && bs[8] == 0x02 && bytes.Equal(s.addr[:16], bs[8:24]): // source
|
||||||
|
case ipv6 && bs[8] == 0x03 && bytes.Equal(s.snet[:8], bs[8:16]): // source
|
||||||
|
default:
|
||||||
|
isCGA = false
|
||||||
|
}
|
||||||
|
// Check destiantion addresses
|
||||||
|
switch {
|
||||||
|
case ipv6 && bs[24] == 0x02 && bytes.Equal(s.tun.addr[:16], bs[24:40]): // destination
|
||||||
|
case ipv6 && bs[24] == 0x03 && bytes.Equal(s.tun.subnet[:8], bs[24:32]): // destination
|
||||||
|
default:
|
||||||
|
isCGA = false
|
||||||
|
}
|
||||||
|
// Decide how to handle the packet
|
||||||
|
var skip bool
|
||||||
|
switch {
|
||||||
|
case isCGA: // Allowed
|
||||||
|
case s.tun.ckr.isEnabled() && (ipv4 || ipv6):
|
||||||
|
var srcAddr address.Address
|
||||||
|
var dstAddr address.Address
|
||||||
|
var addrlen int
|
||||||
|
if ipv4 {
|
||||||
|
copy(srcAddr[:], bs[12:16])
|
||||||
|
copy(dstAddr[:], bs[16:20])
|
||||||
|
addrlen = 4
|
||||||
|
}
|
||||||
|
if ipv6 {
|
||||||
|
copy(srcAddr[:], bs[8:24])
|
||||||
|
copy(dstAddr[:], bs[24:40])
|
||||||
|
addrlen = 16
|
||||||
|
}
|
||||||
|
if !s.tun.ckr.isValidLocalAddress(dstAddr, addrlen) {
|
||||||
|
// The destination address isn't in our CKR allowed range
|
||||||
|
skip = true
|
||||||
|
} else if key, err := s.tun.ckr.getPublicKeyForAddress(srcAddr, addrlen); err == nil {
|
||||||
|
srcNodeID := crypto.GetNodeID(&key)
|
||||||
|
if s.conn.RemoteAddr() == *srcNodeID {
|
||||||
|
// This is the one allowed CKR case, where source and destination addresses are both good
|
||||||
|
} else {
|
||||||
|
// The CKR key associated with this address doesn't match the sender's NodeID
|
||||||
|
skip = true
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// We have no CKR route for this source address
|
||||||
|
skip = true
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
skip = true
|
||||||
|
}
|
||||||
|
if skip {
|
||||||
|
util.PutBytes(bs)
|
||||||
|
continue
|
||||||
|
}
|
||||||
s.tun.send <- bs
|
s.tun.send <- bs
|
||||||
s.stillAlive()
|
s.stillAlive()
|
||||||
} else {
|
} else {
|
||||||
@ -96,6 +155,63 @@ func (s *tunConn) writer() error {
|
|||||||
if !ok {
|
if !ok {
|
||||||
return errors.New("send closed")
|
return errors.New("send closed")
|
||||||
}
|
}
|
||||||
|
v4 := len(bs) > 20 && bs[0]&0xf0 == 0x40
|
||||||
|
v6 := len(bs) > 40 && bs[0]&0xf0 == 0x60
|
||||||
|
isCGA := true
|
||||||
|
// Check source addresses
|
||||||
|
switch {
|
||||||
|
case v6 && bs[8] == 0x02 && bytes.Equal(s.tun.addr[:16], bs[8:24]): // source
|
||||||
|
case v6 && bs[8] == 0x03 && bytes.Equal(s.tun.subnet[:8], bs[8:16]): // source
|
||||||
|
default:
|
||||||
|
isCGA = false
|
||||||
|
}
|
||||||
|
// Check destiantion addresses
|
||||||
|
switch {
|
||||||
|
case v6 && bs[24] == 0x02 && bytes.Equal(s.addr[:16], bs[24:40]): // destination
|
||||||
|
case v6 && bs[24] == 0x03 && bytes.Equal(s.snet[:8], bs[24:32]): // destination
|
||||||
|
default:
|
||||||
|
isCGA = false
|
||||||
|
}
|
||||||
|
// Decide how to handle the packet
|
||||||
|
var skip bool
|
||||||
|
switch {
|
||||||
|
case isCGA: // Allowed
|
||||||
|
case s.tun.ckr.isEnabled() && (v4 || v6):
|
||||||
|
var srcAddr address.Address
|
||||||
|
var dstAddr address.Address
|
||||||
|
var addrlen int
|
||||||
|
if v4 {
|
||||||
|
copy(srcAddr[:], bs[12:16])
|
||||||
|
copy(dstAddr[:], bs[16:20])
|
||||||
|
addrlen = 4
|
||||||
|
}
|
||||||
|
if v6 {
|
||||||
|
copy(srcAddr[:], bs[8:24])
|
||||||
|
copy(dstAddr[:], bs[24:40])
|
||||||
|
addrlen = 16
|
||||||
|
}
|
||||||
|
if !s.tun.ckr.isValidLocalAddress(srcAddr, addrlen) {
|
||||||
|
// The source address isn't in our CKR allowed range
|
||||||
|
skip = true
|
||||||
|
} else if key, err := s.tun.ckr.getPublicKeyForAddress(dstAddr, addrlen); err == nil {
|
||||||
|
dstNodeID := crypto.GetNodeID(&key)
|
||||||
|
if s.conn.RemoteAddr() == *dstNodeID {
|
||||||
|
// This is the one allowed CKR case, where source and destination addresses are both good
|
||||||
|
} else {
|
||||||
|
// The CKR key associated with this address doesn't match the sender's NodeID
|
||||||
|
skip = true
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// We have no CKR route for this destination address... why do we have the packet in the first place?
|
||||||
|
skip = true
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
skip = true
|
||||||
|
}
|
||||||
|
if skip {
|
||||||
|
util.PutBytes(bs)
|
||||||
|
continue
|
||||||
|
}
|
||||||
msg := yggdrasil.FlowKeyMessage{
|
msg := yggdrasil.FlowKeyMessage{
|
||||||
FlowKey: util.GetFlowKey(bs),
|
FlowKey: util.GetFlowKey(bs),
|
||||||
Message: bs,
|
Message: bs,
|
||||||
|
@ -2,7 +2,6 @@ package tuntap
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"errors"
|
|
||||||
"net"
|
"net"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
@ -22,24 +21,6 @@ func (tun *TunAdapter) writer() error {
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
if tun.iface.IsTAP() {
|
if tun.iface.IsTAP() {
|
||||||
var dstAddr address.Address
|
|
||||||
if b[0]&0xf0 == 0x60 {
|
|
||||||
if len(b) < 40 {
|
|
||||||
//panic("Tried to send a packet shorter than an IPv6 header...")
|
|
||||||
util.PutBytes(b)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
copy(dstAddr[:16], b[24:])
|
|
||||||
} else if b[0]&0xf0 == 0x40 {
|
|
||||||
if len(b) < 20 {
|
|
||||||
//panic("Tried to send a packet shorter than an IPv4 header...")
|
|
||||||
util.PutBytes(b)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
copy(dstAddr[:4], b[16:])
|
|
||||||
} else {
|
|
||||||
return errors.New("Invalid address family")
|
|
||||||
}
|
|
||||||
sendndp := func(dstAddr address.Address) {
|
sendndp := func(dstAddr address.Address) {
|
||||||
neigh, known := tun.icmpv6.getNeighbor(dstAddr)
|
neigh, known := tun.icmpv6.getNeighbor(dstAddr)
|
||||||
known = known && (time.Since(neigh.lastsolicitation).Seconds() < 30)
|
known = known && (time.Since(neigh.lastsolicitation).Seconds() < 30)
|
||||||
@ -48,6 +29,7 @@ func (tun *TunAdapter) writer() error {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
peermac := net.HardwareAddr{0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
|
peermac := net.HardwareAddr{0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
|
||||||
|
var dstAddr address.Address
|
||||||
var peerknown bool
|
var peerknown bool
|
||||||
if b[0]&0xf0 == 0x40 {
|
if b[0]&0xf0 == 0x40 {
|
||||||
dstAddr = tun.addr
|
dstAddr = tun.addr
|
||||||
@ -69,7 +51,6 @@ func (tun *TunAdapter) writer() error {
|
|||||||
} else {
|
} else {
|
||||||
// Nothing has been discovered, try to discover the destination
|
// Nothing has been discovered, try to discover the destination
|
||||||
sendndp(tun.addr)
|
sendndp(tun.addr)
|
||||||
|
|
||||||
}
|
}
|
||||||
if peerknown {
|
if peerknown {
|
||||||
var proto ethernet.Ethertype
|
var proto ethernet.Ethertype
|
||||||
@ -146,10 +127,7 @@ func (tun *TunAdapter) readerPacketHandler(ch chan []byte) {
|
|||||||
// From the IP header, work out what our source and destination addresses
|
// From the IP header, work out what our source and destination addresses
|
||||||
// and node IDs are. We will need these in order to work out where to send
|
// and node IDs are. We will need these in order to work out where to send
|
||||||
// the packet
|
// the packet
|
||||||
var srcAddr address.Address
|
|
||||||
var dstAddr address.Address
|
var dstAddr address.Address
|
||||||
var dstNodeID *crypto.NodeID
|
|
||||||
var dstNodeIDMask *crypto.NodeID
|
|
||||||
var dstSnet address.Subnet
|
var dstSnet address.Subnet
|
||||||
var addrlen int
|
var addrlen int
|
||||||
n := len(bs)
|
n := len(bs)
|
||||||
@ -166,7 +144,6 @@ func (tun *TunAdapter) readerPacketHandler(ch chan []byte) {
|
|||||||
}
|
}
|
||||||
// IPv6 address
|
// IPv6 address
|
||||||
addrlen = 16
|
addrlen = 16
|
||||||
copy(srcAddr[:addrlen], bs[8:])
|
|
||||||
copy(dstAddr[:addrlen], bs[24:])
|
copy(dstAddr[:addrlen], bs[24:])
|
||||||
copy(dstSnet[:addrlen/2], bs[24:])
|
copy(dstSnet[:addrlen/2], bs[24:])
|
||||||
} else if bs[0]&0xf0 == 0x40 {
|
} else if bs[0]&0xf0 == 0x40 {
|
||||||
@ -180,37 +157,29 @@ func (tun *TunAdapter) readerPacketHandler(ch chan []byte) {
|
|||||||
}
|
}
|
||||||
// IPv4 address
|
// IPv4 address
|
||||||
addrlen = 4
|
addrlen = 4
|
||||||
copy(srcAddr[:addrlen], bs[12:])
|
|
||||||
copy(dstAddr[:addrlen], bs[16:])
|
copy(dstAddr[:addrlen], bs[16:])
|
||||||
} else {
|
} else {
|
||||||
// Unknown address length or protocol, so drop the packet and ignore it
|
// Unknown address length or protocol, so drop the packet and ignore it
|
||||||
tun.log.Traceln("Unknown packet type, dropping")
|
tun.log.Traceln("Unknown packet type, dropping")
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
if tun.ckr.isEnabled() && !tun.ckr.isValidSource(srcAddr, addrlen) {
|
if tun.ckr.isEnabled() {
|
||||||
// The packet had a source address that doesn't belong to us or our
|
if addrlen != 16 || (!dstAddr.IsValid() && !dstSnet.IsValid()) {
|
||||||
// configured crypto-key routing source subnets
|
if key, err := tun.ckr.getPublicKeyForAddress(dstAddr, addrlen); err == nil {
|
||||||
continue
|
// A public key was found, get the node ID for the search
|
||||||
}
|
dstNodeID := crypto.GetNodeID(&key)
|
||||||
if !dstAddr.IsValid() && !dstSnet.IsValid() {
|
dstAddr = *address.AddrForNodeID(dstNodeID)
|
||||||
if key, err := tun.ckr.getPublicKeyForAddress(dstAddr, addrlen); err == nil {
|
dstSnet = *address.SubnetForNodeID(dstNodeID)
|
||||||
// A public key was found, get the node ID for the search
|
addrlen = 16
|
||||||
dstNodeID = crypto.GetNodeID(&key)
|
|
||||||
// Do a quick check to ensure that the node ID refers to a vaild
|
|
||||||
// Yggdrasil address or subnet - this might be superfluous
|
|
||||||
addr := *address.AddrForNodeID(dstNodeID)
|
|
||||||
copy(dstAddr[:], addr[:])
|
|
||||||
copy(dstSnet[:], addr[:])
|
|
||||||
// Are we certain we looked up a valid node?
|
|
||||||
if !dstAddr.IsValid() && !dstSnet.IsValid() {
|
|
||||||
continue
|
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
// No public key was found in the CKR table so we've exhausted our options
|
|
||||||
continue
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if addrlen != 16 || (!dstAddr.IsValid() && !dstSnet.IsValid()) {
|
||||||
|
// Couldn't find this node's ygg IP
|
||||||
|
continue
|
||||||
|
}
|
||||||
// Do we have an active connection for this node address?
|
// Do we have an active connection for this node address?
|
||||||
|
var dstNodeID, dstNodeIDMask *crypto.NodeID
|
||||||
tun.mutex.RLock()
|
tun.mutex.RLock()
|
||||||
session, isIn := tun.addrToConn[dstAddr]
|
session, isIn := tun.addrToConn[dstAddr]
|
||||||
if !isIn || session == nil {
|
if !isIn || session == nil {
|
||||||
|
Loading…
Reference in New Issue
Block a user