remove session firewall, this can't prevent memory use so it's better to just use OS native tools

2024-09-19 16:09:36 +00:00 · 2021-06-06 02:35:02 -05:00 · 2021-06-06 02:35:02 -05:00 · e7da3d72c4
commit e7da3d72c4
parent 838bca083d
5 changed files with 3 additions and 100 deletions
--- a/cmd/yggdrasil/main.go
+++ b/cmd/yggdrasil/main.go
@ -281,7 +281,6 @@ func main() {
 	n.admin = &admin.AdminSocket{}
 	n.multicast = &multicast.Multicast{}
 	n.tuntap = &tuntap.TunAdapter{}
-	n.tuntap.SetSessionGatekeeper(n.sessionFirewall)
 	// Start the admin socket
 	if err := n.admin.Init(&n.core, cfg, logger, nil); err != nil {
 		logger.Errorln("An error occurred initialising admin socket:", err)
@ -326,62 +325,3 @@ func (n *node) shutdown() {
 	_ = n.tuntap.Stop()
 	n.core.Stop()
 }
-
-func (n *node) sessionFirewall(pubkey ed25519.PublicKey, initiator bool) bool {
-	n.config.RLock()
-	defer n.config.RUnlock()
-
-	// Allow by default if the session firewall is disabled
-	if !n.config.SessionFirewall.Enable {
-		return true
-	}
-
-	// Reject blacklisted nodes
-	for _, b := range n.config.SessionFirewall.BlacklistPublicKeys {
-		key, err := hex.DecodeString(b)
-		if err == nil {
-			if bytes.Equal(key, pubkey) {
-				return false
-			}
-		}
-	}
-
-	// Allow whitelisted nodes
-	for _, b := range n.config.SessionFirewall.WhitelistPublicKeys {
-		key, err := hex.DecodeString(b)
-		if err == nil {
-			if bytes.Equal(key, pubkey) {
-				return true
-			}
-		}
-	}
-
-	// Allow outbound sessions if appropriate
-	if n.config.SessionFirewall.AlwaysAllowOutbound {
-		if initiator {
-			return true
-		}
-	}
-
-	// Look and see if the pubkey is that of a direct peer
-	var isDirectPeer bool
-	for _, peer := range n.core.GetPeers() {
-		if bytes.Equal(peer.Key[:], pubkey[:]) {
-			isDirectPeer = true
-			break
-		}
-	}
-
-	// Allow direct peers if appropriate
-	if n.config.SessionFirewall.AllowFromDirect && isDirectPeer {
-		return true
-	}
-
-	// Allow remote nodes if appropriate
-	if n.config.SessionFirewall.AllowFromRemote && !isDirectPeer {
-		return true
-	}
-
-	// Finally, default-deny if not matching any of the above rules
-	return false
-}
--- a/src/config/config.go
+++ b/src/config/config.go
@ -40,21 +40,10 @@ type NodeConfig struct {
 	LinkLocalTCPPort    uint16                 `comment:"The port number to be used for the link-local TCP listeners for the\nconfigured MulticastInterfaces. This option does not affect listeners\nspecified in the Listen option. Unless you plan to firewall link-local\ntraffic, it is best to leave this as the default value of 0. This\noption cannot currently be changed by reloading config during runtime."`
 	IfName              string                 `comment:"Local network interface name for TUN adapter, or \"auto\" to select\nan interface automatically, or \"none\" to run without TUN."`
 	IfMTU               uint64                 `comment:"Maximum Transmission Unit (MTU) size for your local TUN interface.\nDefault is the largest supported size for your platform. The lowest\npossible value is 1280."`
-	SessionFirewall     SessionFirewall        `comment:"The session firewall controls who can send/receive network traffic\nto/from. This is useful if you want to protect this node without\nresorting to using a real firewall. This does not affect traffic\nbeing routed via this node to somewhere else. Rules are prioritised as\nfollows: blacklist, whitelist, always allow outgoing, direct, remote."`
 	NodeInfoPrivacy     bool                   `comment:"By default, nodeinfo contains some defaults including the platform,\narchitecture and Yggdrasil version. These can help when surveying\nthe network and diagnosing network routing problems. Enabling\nnodeinfo privacy prevents this, so that only items specified in\n\"NodeInfo\" are sent back if specified."`
 	NodeInfo            map[string]interface{} `comment:"Optional node info. This must be a { \"key\": \"value\", ... } map\nor set as null. This is entirely optional but, if set, is visible\nto the whole network on request."`
 }

-// SessionFirewall controls the session firewall configuration.
-type SessionFirewall struct {
-	Enable              bool     `comment:"Enable or disable the session firewall. If disabled, network traffic\nfrom any node will be allowed. If enabled, the below rules apply."`
-	AllowFromDirect     bool     `comment:"Allow network traffic from directly connected peers."`
-	AllowFromRemote     bool     `comment:"Allow network traffic from remote nodes on the network that you are\nnot directly peered with."`
-	AlwaysAllowOutbound bool     `comment:"Allow outbound network traffic regardless of AllowFromDirect or\nAllowFromRemote. This does allow a remote node to send unsolicited\ntraffic back to you for the length of the session."`
-	WhitelistPublicKeys []string `comment:"List of public keys from which network traffic is always accepted,\nregardless of AllowFromDirect or AllowFromRemote."`
-	BlacklistPublicKeys []string `comment:"List of public keys from which network traffic is always rejected,\nregardless of the whitelist, AllowFromDirect or AllowFromRemote."`
-}
-
 // Generates default configuration and returns a pointer to the resulting
 // NodeConfig. This is used when outputting the -genconf parameter and also when
 // using -autoconf.
@ -76,10 +65,6 @@ func GenerateConfig() *NodeConfig {
 	cfg.MulticastInterfaces = defaults.GetDefaults().DefaultMulticastInterfaces
 	cfg.IfName = defaults.GetDefaults().DefaultIfName
 	cfg.IfMTU = defaults.GetDefaults().DefaultIfMTU
-	cfg.SessionFirewall.Enable = false
-	cfg.SessionFirewall.AllowFromDirect = true
-	cfg.SessionFirewall.AllowFromRemote = true
-	cfg.SessionFirewall.AlwaysAllowOutbound = true
 	cfg.NodeInfoPrivacy = false

 	return &cfg
--- a/src/tuntap/iface.go
+++ b/src/tuntap/iface.go
@ -116,9 +116,6 @@ func (tun *TunAdapter) write() {
 			continue // bad local address/subnet
 		}
 		info := tun.store.update(ed25519.PublicKey(from.(iwt.Addr)))
-		if info == nil {
-			continue // Blocked by the gatekeeper
-		}
 		if srcAddr != info.address && srcSubnet != info.subnet {
 			continue // bad remote address/subnet
 		}
--- a/src/tuntap/keystore.go
+++ b/src/tuntap/keystore.go
@ -113,18 +113,6 @@ func (k *keyStore) update(key ed25519.PublicKey) *keyInfo {
 		info.key = kArray
 		info.address = *address.AddrForKey(ed25519.PublicKey(info.key[:]))
 		info.subnet = *address.SubnetForKey(ed25519.PublicKey(info.key[:]))
-		var isOutgoing bool
-		if k.addrBuffer[info.address] != nil {
-			isOutgoing = true
-		}
-		if k.subnetBuffer[info.subnet] != nil {
-			isOutgoing = true
-		}
-		if !k.tun.gatekeeper(key, isOutgoing) {
-			// Blocked by the gatekeeper, so don't create an entry for this
-			k.mutex.Unlock()
-			return nil
-		}
 		k.keyToInfo[info.key] = info
 		k.addrToInfo[info.address] = info
 		k.subnetToInfo[info.subnet] = info
--- a/src/tuntap/tun.go
+++ b/src/tuntap/tun.go
@ -43,16 +43,9 @@ type TunAdapter struct {
 	iface       tun.Device
 	phony.Inbox // Currently only used for _handlePacket from the reader, TODO: all the stuff that currently needs a mutex below
 	//mutex        sync.RWMutex // Protects the below
-	isOpen     bool
-	isEnabled  bool // Used by the writer to drop sessionTraffic if not enabled
-	gatekeeper func(pubkey ed25519.PublicKey, initiator bool) bool
-	proto      protoHandler
-}
-
-func (tun *TunAdapter) SetSessionGatekeeper(gatekeeper func(pubkey ed25519.PublicKey, initiator bool) bool) {
-	phony.Block(tun, func() {
-		tun.gatekeeper = gatekeeper
-	})
+	isOpen    bool
+	isEnabled bool // Used by the writer to drop sessionTraffic if not enabled
+	proto     protoHandler
 }

 // Gets the maximum supported MTU for the platform based on the defaults in