From e7da3d72c494d6e9730cbd39e891327914a046dd Mon Sep 17 00:00:00 2001 From: Arceliar Date: Sun, 6 Jun 2021 02:35:02 -0500 Subject: [PATCH] remove session firewall, this can't prevent memory use so it's better to just use OS native tools --- cmd/yggdrasil/main.go | 60 ------------------------------------------ src/config/config.go | 15 ----------- src/tuntap/iface.go | 3 --- src/tuntap/keystore.go | 12 --------- src/tuntap/tun.go | 13 +++------ 5 files changed, 3 insertions(+), 100 deletions(-) diff --git a/cmd/yggdrasil/main.go b/cmd/yggdrasil/main.go index 8455a1c..114e37f 100644 --- a/cmd/yggdrasil/main.go +++ b/cmd/yggdrasil/main.go @@ -281,7 +281,6 @@ func main() { n.admin = &admin.AdminSocket{} n.multicast = &multicast.Multicast{} n.tuntap = &tuntap.TunAdapter{} - n.tuntap.SetSessionGatekeeper(n.sessionFirewall) // Start the admin socket if err := n.admin.Init(&n.core, cfg, logger, nil); err != nil { logger.Errorln("An error occurred initialising admin socket:", err) @@ -326,62 +325,3 @@ func (n *node) shutdown() { _ = n.tuntap.Stop() n.core.Stop() } - -func (n *node) sessionFirewall(pubkey ed25519.PublicKey, initiator bool) bool { - n.config.RLock() - defer n.config.RUnlock() - - // Allow by default if the session firewall is disabled - if !n.config.SessionFirewall.Enable { - return true - } - - // Reject blacklisted nodes - for _, b := range n.config.SessionFirewall.BlacklistPublicKeys { - key, err := hex.DecodeString(b) - if err == nil { - if bytes.Equal(key, pubkey) { - return false - } - } - } - - // Allow whitelisted nodes - for _, b := range n.config.SessionFirewall.WhitelistPublicKeys { - key, err := hex.DecodeString(b) - if err == nil { - if bytes.Equal(key, pubkey) { - return true - } - } - } - - // Allow outbound sessions if appropriate - if n.config.SessionFirewall.AlwaysAllowOutbound { - if initiator { - return true - } - } - - // Look and see if the pubkey is that of a direct peer - var isDirectPeer bool - for _, peer := range n.core.GetPeers() { - if bytes.Equal(peer.Key[:], pubkey[:]) { - isDirectPeer = true - break - } - } - - // Allow direct peers if appropriate - if n.config.SessionFirewall.AllowFromDirect && isDirectPeer { - return true - } - - // Allow remote nodes if appropriate - if n.config.SessionFirewall.AllowFromRemote && !isDirectPeer { - return true - } - - // Finally, default-deny if not matching any of the above rules - return false -} diff --git a/src/config/config.go b/src/config/config.go index 87d1af9..fa11012 100644 --- a/src/config/config.go +++ b/src/config/config.go @@ -40,21 +40,10 @@ type NodeConfig struct { LinkLocalTCPPort uint16 `comment:"The port number to be used for the link-local TCP listeners for the\nconfigured MulticastInterfaces. This option does not affect listeners\nspecified in the Listen option. Unless you plan to firewall link-local\ntraffic, it is best to leave this as the default value of 0. This\noption cannot currently be changed by reloading config during runtime."` IfName string `comment:"Local network interface name for TUN adapter, or \"auto\" to select\nan interface automatically, or \"none\" to run without TUN."` IfMTU uint64 `comment:"Maximum Transmission Unit (MTU) size for your local TUN interface.\nDefault is the largest supported size for your platform. The lowest\npossible value is 1280."` - SessionFirewall SessionFirewall `comment:"The session firewall controls who can send/receive network traffic\nto/from. This is useful if you want to protect this node without\nresorting to using a real firewall. This does not affect traffic\nbeing routed via this node to somewhere else. Rules are prioritised as\nfollows: blacklist, whitelist, always allow outgoing, direct, remote."` NodeInfoPrivacy bool `comment:"By default, nodeinfo contains some defaults including the platform,\narchitecture and Yggdrasil version. These can help when surveying\nthe network and diagnosing network routing problems. Enabling\nnodeinfo privacy prevents this, so that only items specified in\n\"NodeInfo\" are sent back if specified."` NodeInfo map[string]interface{} `comment:"Optional node info. This must be a { \"key\": \"value\", ... } map\nor set as null. This is entirely optional but, if set, is visible\nto the whole network on request."` } -// SessionFirewall controls the session firewall configuration. -type SessionFirewall struct { - Enable bool `comment:"Enable or disable the session firewall. If disabled, network traffic\nfrom any node will be allowed. If enabled, the below rules apply."` - AllowFromDirect bool `comment:"Allow network traffic from directly connected peers."` - AllowFromRemote bool `comment:"Allow network traffic from remote nodes on the network that you are\nnot directly peered with."` - AlwaysAllowOutbound bool `comment:"Allow outbound network traffic regardless of AllowFromDirect or\nAllowFromRemote. This does allow a remote node to send unsolicited\ntraffic back to you for the length of the session."` - WhitelistPublicKeys []string `comment:"List of public keys from which network traffic is always accepted,\nregardless of AllowFromDirect or AllowFromRemote."` - BlacklistPublicKeys []string `comment:"List of public keys from which network traffic is always rejected,\nregardless of the whitelist, AllowFromDirect or AllowFromRemote."` -} - // Generates default configuration and returns a pointer to the resulting // NodeConfig. This is used when outputting the -genconf parameter and also when // using -autoconf. @@ -76,10 +65,6 @@ func GenerateConfig() *NodeConfig { cfg.MulticastInterfaces = defaults.GetDefaults().DefaultMulticastInterfaces cfg.IfName = defaults.GetDefaults().DefaultIfName cfg.IfMTU = defaults.GetDefaults().DefaultIfMTU - cfg.SessionFirewall.Enable = false - cfg.SessionFirewall.AllowFromDirect = true - cfg.SessionFirewall.AllowFromRemote = true - cfg.SessionFirewall.AlwaysAllowOutbound = true cfg.NodeInfoPrivacy = false return &cfg diff --git a/src/tuntap/iface.go b/src/tuntap/iface.go index be9b6eb..cb13690 100644 --- a/src/tuntap/iface.go +++ b/src/tuntap/iface.go @@ -116,9 +116,6 @@ func (tun *TunAdapter) write() { continue // bad local address/subnet } info := tun.store.update(ed25519.PublicKey(from.(iwt.Addr))) - if info == nil { - continue // Blocked by the gatekeeper - } if srcAddr != info.address && srcSubnet != info.subnet { continue // bad remote address/subnet } diff --git a/src/tuntap/keystore.go b/src/tuntap/keystore.go index 03f429f..2eb7920 100644 --- a/src/tuntap/keystore.go +++ b/src/tuntap/keystore.go @@ -113,18 +113,6 @@ func (k *keyStore) update(key ed25519.PublicKey) *keyInfo { info.key = kArray info.address = *address.AddrForKey(ed25519.PublicKey(info.key[:])) info.subnet = *address.SubnetForKey(ed25519.PublicKey(info.key[:])) - var isOutgoing bool - if k.addrBuffer[info.address] != nil { - isOutgoing = true - } - if k.subnetBuffer[info.subnet] != nil { - isOutgoing = true - } - if !k.tun.gatekeeper(key, isOutgoing) { - // Blocked by the gatekeeper, so don't create an entry for this - k.mutex.Unlock() - return nil - } k.keyToInfo[info.key] = info k.addrToInfo[info.address] = info k.subnetToInfo[info.subnet] = info diff --git a/src/tuntap/tun.go b/src/tuntap/tun.go index c1b90e7..f53f6de 100644 --- a/src/tuntap/tun.go +++ b/src/tuntap/tun.go @@ -43,16 +43,9 @@ type TunAdapter struct { iface tun.Device phony.Inbox // Currently only used for _handlePacket from the reader, TODO: all the stuff that currently needs a mutex below //mutex sync.RWMutex // Protects the below - isOpen bool - isEnabled bool // Used by the writer to drop sessionTraffic if not enabled - gatekeeper func(pubkey ed25519.PublicKey, initiator bool) bool - proto protoHandler -} - -func (tun *TunAdapter) SetSessionGatekeeper(gatekeeper func(pubkey ed25519.PublicKey, initiator bool) bool) { - phony.Block(tun, func() { - tun.gatekeeper = gatekeeper - }) + isOpen bool + isEnabled bool // Used by the writer to drop sessionTraffic if not enabled + proto protoHandler } // Gets the maximum supported MTU for the platform based on the defaults in