Only validate CKR routes if CKR enabled

src/yggdrasil/ckr.go

@@ -58,11 +58,13 @@ func (c *cryptokey) isValidSource(addr address) bool {
 	}
 
 	// Does it match a configured CKR source?
+	if c.isEnabled() {
 		for _, subnet := range c.ipv6sources {
 			if subnet.Contains(ip) {
 				return true
 			}
 		}
+	}
 
 	// Doesn't match any of the above
 	return false

src/yggdrasil/config/config.go

@@ -40,6 +40,6 @@ type SessionFirewall struct {
 // TunnelRouting contains the crypto-key routing tables for tunneling
 type TunnelRouting struct {
 	Enable           bool              `comment:"Enable or disable tunneling."`
-	IPv6Routes  map[string]string `comment:"IPv6 subnets, mapped to the public keys to which they should be routed."`
+	IPv6Destinations map[string]string `comment:"IPv6 subnets, mapped to the EncryptionPublicKey to which they should\nbe routed to."`
-	IPv6Sources []string          `comment:"Allow source addresses in these subnets."`
+	IPv6Sources      []string          `comment:"Optional IPv6 subnets which are allowed to be used as source addresses\nin addition to this node's Yggdrasil address/subnet."`
 }

src/yggdrasil/core.go

@@ -122,7 +122,7 @@ func (c *Core) Start(nc *config.NodeConfig, log *log.Logger) error {
 	}
 
 	if nc.TunnelRouting.Enable {
-		for ipv6, pubkey := range nc.TunnelRouting.IPv6Routes {
+		for ipv6, pubkey := range nc.TunnelRouting.IPv6Destinations {
 			if err := c.router.cryptokey.addRoute(ipv6, pubkey); err != nil {
 				panic(err)
 			}