Only validate CKR routes if CKR enabled

src/yggdrasil/ckr.go

@@ -58,9 +58,11 @@ func (c *cryptokey) isValidSource(addr address) bool {
 	}
 
 	// Does it match a configured CKR source?
-	for _, subnet := range c.ipv6sources {
+	if c.isEnabled() {
-		if subnet.Contains(ip) {
+		for _, subnet := range c.ipv6sources {
-			return true
+			if subnet.Contains(ip) {
+				return true
+			}
 		}
 	}
 

src/yggdrasil/config/config.go

@@ -39,7 +39,7 @@ type SessionFirewall struct {
 
 // TunnelRouting contains the crypto-key routing tables for tunneling
 type TunnelRouting struct {
-	Enable      bool              `comment:"Enable or disable tunneling."`
+	Enable           bool              `comment:"Enable or disable tunneling."`
-	IPv6Routes  map[string]string `comment:"IPv6 subnets, mapped to the public keys to which they should be routed."`
+	IPv6Destinations map[string]string `comment:"IPv6 subnets, mapped to the EncryptionPublicKey to which they should\nbe routed to."`
-	IPv6Sources []string          `comment:"Allow source addresses in these subnets."`
+	IPv6Sources      []string          `comment:"Optional IPv6 subnets which are allowed to be used as source addresses\nin addition to this node's Yggdrasil address/subnet."`
 }

src/yggdrasil/core.go

@@ -122,7 +122,7 @@ func (c *Core) Start(nc *config.NodeConfig, log *log.Logger) error {
 	}
 
 	if nc.TunnelRouting.Enable {
-		for ipv6, pubkey := range nc.TunnelRouting.IPv6Routes {
+		for ipv6, pubkey := range nc.TunnelRouting.IPv6Destinations {
 			if err := c.router.cryptokey.addRoute(ipv6, pubkey); err != nil {
 				panic(err)
 			}