5
0
mirror of https://github.com/cwinfo/yggdrasil-go.git synced 2024-11-26 15:21:37 +00:00

Add initial crypto-key routing handlers

This commit is contained in:
Neil Alexander 2018-11-05 16:40:47 +00:00
parent f088a244da
commit 52206dc381
No known key found for this signature in database
GPG Key ID: A02A2019A2BB0944
4 changed files with 130 additions and 8 deletions

104
src/yggdrasil/ckr.go Normal file
View File

@ -0,0 +1,104 @@
package yggdrasil
import (
"encoding/hex"
"errors"
"net"
"sort"
)
// This module implements crypto-key routing, similar to Wireguard, where we
// allow traffic for non-Yggdrasil ranges to be routed over Yggdrasil.
type cryptokey struct {
core *Core
enabled bool
ipv4routes []cryptokey_route
ipv6routes []cryptokey_route
}
type cryptokey_route struct {
subnet net.IPNet
destination []byte
}
func (c *cryptokey) init(core *Core) {
c.core = core
c.ipv4routes = make([]cryptokey_route, 0)
c.ipv6routes = make([]cryptokey_route, 0)
}
func (c *cryptokey) isEnabled() bool {
return c.enabled
}
func (c *cryptokey) addRoute(cidr string, dest string) error {
// Is the CIDR we've been given valid?
_, ipnet, err := net.ParseCIDR(cidr)
if err != nil {
return err
}
// Get the prefix length and size
prefixlen, prefixsize := ipnet.Mask.Size()
// Check if the prefix is IPv4 or IPv6
if prefixsize == net.IPv6len*8 {
// IPv6
for _, route := range c.ipv6routes {
// Do we already have a route for this subnet?
routeprefixlen, _ := route.subnet.Mask.Size()
if route.subnet.IP.Equal(ipnet.IP) && routeprefixlen == prefixlen {
return errors.New("IPv6 route already exists")
}
}
// Decode the public key
if boxPubKey, err := hex.DecodeString(dest); err != nil {
return err
} else {
// Add the new crypto-key route
c.ipv6routes = append(c.ipv6routes, cryptokey_route{
subnet: *ipnet,
destination: boxPubKey,
})
// Sort so most specific routes are first
sort.Slice(c.ipv6routes, func(i, j int) bool {
im, _ := c.ipv6routes[i].subnet.Mask.Size()
jm, _ := c.ipv6routes[j].subnet.Mask.Size()
return im > jm
})
return nil
}
} else if prefixsize == net.IPv4len*8 {
// IPv4
return errors.New("IPv4 not supported at this time")
}
return errors.New("Unspecified error")
}
func (c *cryptokey) getPublicKeyForAddress(addr string) (boxPubKey, error) {
ipaddr := net.ParseIP(addr)
if ipaddr.To4() == nil {
// IPv6
for _, route := range c.ipv6routes {
if route.subnet.Contains(ipaddr) {
var box boxPubKey
copy(box[:boxPubKeyLen], route.destination)
return box, nil
}
}
} else {
// IPv4
return boxPubKey{}, errors.New("IPv4 not supported at this time")
/*
for _, route := range c.ipv4routes {
if route.subnet.Contains(ipaddr) {
return route.destination, nil
}
}
*/
}
return boxPubKey{}, errors.New("No route")
}

View File

@ -17,6 +17,7 @@ type NodeConfig struct {
IfTAPMode bool `comment:"Set local network interface to TAP mode rather than TUN mode if\nsupported by your platform - option will be ignored if not."` IfTAPMode bool `comment:"Set local network interface to TAP mode rather than TUN mode if\nsupported by your platform - option will be ignored if not."`
IfMTU int `comment:"Maximux Transmission Unit (MTU) size for your local TUN/TAP interface.\nDefault is the largest supported size for your platform. The lowest\npossible value is 1280."` IfMTU int `comment:"Maximux Transmission Unit (MTU) size for your local TUN/TAP interface.\nDefault is the largest supported size for your platform. The lowest\npossible value is 1280."`
SessionFirewall SessionFirewall `comment:"The session firewall controls who can send/receive network traffic\nto/from. This is useful if you want to protect this node without\nresorting to using a real firewall. This does not affect traffic\nbeing routed via this node to somewhere else. Rules are prioritised as\nfollows: blacklist, whitelist, always allow outgoing, direct, remote."` SessionFirewall SessionFirewall `comment:"The session firewall controls who can send/receive network traffic\nto/from. This is useful if you want to protect this node without\nresorting to using a real firewall. This does not affect traffic\nbeing routed via this node to somewhere else. Rules are prioritised as\nfollows: blacklist, whitelist, always allow outgoing, direct, remote."`
TunnelRouting TunnelRouting `comment:"Allow tunneling non-Yggdrasil traffic over Yggdrasil."`
//Net NetConfig `comment:"Extended options for connecting to peers over other networks."` //Net NetConfig `comment:"Extended options for connecting to peers over other networks."`
} }
@ -26,6 +27,7 @@ type NetConfig struct {
I2P I2PConfig `comment:"Experimental options for configuring peerings over I2P."` I2P I2PConfig `comment:"Experimental options for configuring peerings over I2P."`
} }
// SessionFirewall controls the session firewall configuration
type SessionFirewall struct { type SessionFirewall struct {
Enable bool `comment:"Enable or disable the session firewall. If disabled, network traffic\nfrom any node will be allowed. If enabled, the below rules apply."` Enable bool `comment:"Enable or disable the session firewall. If disabled, network traffic\nfrom any node will be allowed. If enabled, the below rules apply."`
AllowFromDirect bool `comment:"Allow network traffic from directly connected peers."` AllowFromDirect bool `comment:"Allow network traffic from directly connected peers."`
@ -34,3 +36,9 @@ type SessionFirewall struct {
WhitelistEncryptionPublicKeys []string `comment:"List of public keys from which network traffic is always accepted,\nregardless of AllowFromDirect or AllowFromRemote."` WhitelistEncryptionPublicKeys []string `comment:"List of public keys from which network traffic is always accepted,\nregardless of AllowFromDirect or AllowFromRemote."`
BlacklistEncryptionPublicKeys []string `comment:"List of public keys from which network traffic is always rejected,\nregardless of the whitelist, AllowFromDirect or AllowFromRemote."` BlacklistEncryptionPublicKeys []string `comment:"List of public keys from which network traffic is always rejected,\nregardless of the whitelist, AllowFromDirect or AllowFromRemote."`
} }
// TunnelRouting contains the crypto-key routing tables for tunneling
type TunnelRouting struct {
Enable bool `comment:"Enable or disable tunneling."`
IPv6Routes map[string]string `comment:"IPv6 subnets, mapped to the public keys to which they should be routed."`
}

View File

@ -121,6 +121,14 @@ func (c *Core) Start(nc *config.NodeConfig, log *log.Logger) error {
return err return err
} }
if nc.TunnelRouting.Enable {
for ipv6, pubkey := range nc.TunnelRouting.IPv6Routes {
if err := c.router.cryptokey.addRoute(ipv6, pubkey); err != nil {
panic(err)
}
}
}
if err := c.admin.start(); err != nil { if err := c.admin.start(); err != nil {
c.log.Println("Failed to start admin socket") c.log.Println("Failed to start admin socket")
return err return err

View File

@ -40,6 +40,7 @@ type router struct {
send <-chan []byte // place where the tun puts outgoing packets send <-chan []byte // place where the tun puts outgoing packets
reset chan struct{} // signal that coords changed (re-init sessions/dht) reset chan struct{} // signal that coords changed (re-init sessions/dht)
admin chan func() // pass a lambda for the admin socket to query stuff admin chan func() // pass a lambda for the admin socket to query stuff
cryptokey cryptokey
} }
// Initializes the router struct, which includes setting up channels to/from the tun/tap. // Initializes the router struct, which includes setting up channels to/from the tun/tap.
@ -67,6 +68,7 @@ func (r *router) init(core *Core) {
r.core.tun.send = send r.core.tun.send = send
r.reset = make(chan struct{}, 1) r.reset = make(chan struct{}, 1)
r.admin = make(chan func()) r.admin = make(chan func())
r.cryptokey.init(r.core)
// go r.mainLoop() // go r.mainLoop()
} }