diff --git a/zerotierone/AUTHORS.md b/zerotierone/AUTHORS.md index 90a64ef..6b21f57 100644 --- a/zerotierone/AUTHORS.md +++ b/zerotierone/AUTHORS.md @@ -1,12 +1,12 @@ ## Primary Authors - * ZeroTier Core and ZeroTier One virtual networking service
+ * ZeroTier protocol design and core network virtualization engine, ZeroTier One service, React web UI, packaging for most platforms, kitchen sink...
Adam Ierymenko / adam.ierymenko@zerotier.com * Java JNI Interface to enable Android application development, and Android app itself (code for that is elsewhere)
Grant Limberg / glimberg@gmail.com - * ZeroTier SDK (formerly known as Network Containers)
+ * Network Containers for Linux, iOS, Android
Joseph Henry / joseph.henry@zerotier.com ## Third Party Contributors @@ -25,8 +25,6 @@ ## Third-Party Code -These are included in ext/ for platforms that do not have them available in common repositories. Otherwise they may be linked and the package may ship with them as dependencies. - * LZ4 compression algorithm by Yann Collet * Files: ext/lz4/* @@ -39,26 +37,25 @@ These are included in ext/ for platforms that do not have them available in comm * Home page: https://github.com/joyent/http-parser/ * License grant: MIT/Expat - * C++11 json (nlohmann/json) by Niels Lohmann + * json-parser by James McLaughlin - * Files: ext/json/* - * Home page: https://github.com/nlohmann/json - * License grant: MIT + * Files: ext/json-parser/* + * Home page: https://github.com/udp/json-parser/ + * License grant: BSD attribution * TunTapOSX by Mattias Nissler * Files: ext/tap-mac/tuntap/* * Home page: http://tuntaposx.sourceforge.net/ * License grant: BSD attribution no-endorsement - * ZeroTier Modifications: change interface name to zt#, increase max MTU, increase max devices - * tap-windows6 by the OpenVPN project + * tap-windows and tap-windows6 by the OpenVPN project * Files: windows/TapDriver6/* * Home page: + https://github.com/OpenVPN/tap-windows/ https://github.com/OpenVPN/tap-windows6/ * License grant: GNU GPL v2 - * ZeroTier Modifications: change name of driver to ZeroTier, add ioctl() to get L2 multicast memberships (source is in ext/ and modifications inherit GPL) * Salsa20 stream cipher, Curve25519 elliptic curve cipher, Ed25519 digital signature algorithm, and Poly1305 MAC algorithm, all by @@ -71,7 +68,7 @@ These are included in ext/ for platforms that do not have them available in comm * Home page: http://cr.yp.to/ * License grant: public domain - * MiniUPNPC and libnatpmp by Thomas Bernard + * MiniUPNPC by Thomas Bernard * Files: ext/libnatpmp/* diff --git a/zerotierone/README.md b/zerotierone/README.md index f8e438f..1a93a43 100644 --- a/zerotierone/README.md +++ b/zerotierone/README.md @@ -1,54 +1,35 @@ -ZeroTier - A Planetary Ethernet Switch +ZeroTier One ====== -ZeroTier is a software-based managed Ethernet switch for planet Earth. +ZeroTier is a software defined networking layer for Earth. -It erases the LAN/WAN distinction and makes VPNs, tunnels, proxies, and other kludges arising from the inflexible nature of physical networks obsolete. Everything is encrypted end-to-end and traffic takes the most direct (peer to peer) path available. +It can be used for on-premise network virtualization, as a peer to peer VPN for mobile teams, for hybrid or multi-data-center cloud deployments, or just about anywhere else secure software defined virtual networking is useful. -This repository contains ZeroTier One, a service that provides ZeroTier network connectivity to devices running Windows, Mac, Linux, iOS, Android, and FreeBSD and makes joining virtual networks as easy as joining IRC or Slack channels. It also contains the OS-independent core ZeroTier protocol implementation in [node/](node/). +ZeroTier One is our OS-level client service. It allows Mac, Linux, Windows, FreeBSD, and soon other types of clients to join ZeroTier virtual networks like conventional VPNs or VLANs. It can run on native systems, VMs, or containers (Docker, OpenVZ, etc.). -Visit [ZeroTier's site](https://www.zerotier.com/) for more information and [pre-built binary packages](https://www.zerotier.com/download.shtml). Apps for Android and iOS are available for free in the Google Play and Apple app stores. - -### Getting Started - -ZeroTier's basic operation is easy to understand. Devices have 10-digit *ZeroTier addresses* like `89e92ceee5` and networks have 16-digit network IDs like `8056c2e21c000001`. All it takes for a device to join a network is its 16-digit ID, and all it takes for a network to authorize a device is its 10-digit address. Everything else is automatic. - -A "device" can be anything really: desktops, laptops, phones, servers, VMs/VPSes, containers, and even (soon) apps. - -For testing we provide a public virtual network called *Earth* with network ID `8056c2e21c000001`. On Linux and Mac you can do this with: - - sudo zerotier-cli join 8056c2e21c000001 - -Now wait about 30 seconds and check your system with `ip addr list` or `ifconfig`. You'll see a new interface whose name starts with *zt* and it should quickly get an IPv4 and an IPv6 address. Once you see it get an IP, try pinging `earth.zerotier.net` at `29.209.112.93`. If you've joined Earth from more than one system, try pinging your other machine. - -*(IPv4 addresses for Earth are assigned from the block 28.0.0.0/7, which is not a part of the public Internet but is non-standard for private networks. It's used to avoid IP conflicts during testing. Your networks can run any IP addressing scheme you want.)* - -If you don't want to belong to a giant Ethernet party line anymore, just type: - - sudo zerotier-cli leave 8056c2e21c000001 - -The *zt* interface will disappear. You're no longer on the network. - -To create networks of your own you'll need a network controller. You can use [our hosted controller at my.zerotier.com](https://my.zerotier.com) which is free for up to 100 devices on an unlimited number of networks, or you can build your own controller and run it through its local JSON API. See [README.md in controller/](controller/) for more information. +Visit [ZeroTier's site](https://www.zerotier.com/) for more information. You can also download professionally packaged binary installers/packages for a variety of supported OSes there if you don't want to build ZeroTier One from source. ### Building from Source -For Mac, Linux, and BSD, just type `make` (or `gmake` on BSD). Platform requirements are: +For Mac, Linux, and BSD, just type "make" (or "gmake" on BSD). You won't need much installed; here are the requirements for various platforms: - - **Mac**: Xcode command line tools for OSX 10.7 or newer. - - **Linux**: GCC/G++ 4.9 or newer or CLANG 3.4 or newer, and GNU make and standard shell tools of course. - - The Linux make file will auto-detect and prefer CLANG if present since in our experience it does a better job optimizing C++ code. You can specify CC= and CXX= on the make command line to override this behavior. - - Several distributions including CentOS 7 ship with G++ 4.8 which has broken C++11 support. If you are running CentOS 7 type `sudo yum install clang` to install CLANG 3.4, which will work fine. There is no C++11 in the ZeroTier core but we have started using it in the service and network controller code. - - If any of the following have development headers on the system they are auto-detected and the build will link against system versions: `http-parser`, `lz4`, `libnatpmp`, and `miniupnpc`. If these are missing (or too old) the versions in `ext/` are used and are statically linked into the binary. Please be aware of this since if you build with these present the resulting binary will require them on other systems too. - - **FreeBSD**: GCC/G++ 4.9 or newer and `gmake` since our make files use GNU extensions. + * Mac: Xcode command line tools, and [Packages](http://s.sudre.free.fr/Software/Packages/about.html) if you want to build an OSX .pkg installer ("make mac-dist-pkg"). It should build on OSX 10.7 or newer. + * Linux: gcc/g++ or clang/clang++ (Makefile will use clang by default if available.) + * FreeBSD (and other BSD): C++ compiler (G++ usually) and GNU make (gmake). Each supported platform has its own *make-XXX.mk* file that contains the actual make rules for the platform. The right .mk file is included by the main Makefile based on the GNU make *OSTYPE* variable. Take a look at the .mk file for your platform for other targets, debug build rules, etc. -Typing `make selftest` will build a *zerotier-selftest* binary which unit tests various internals and reports on a few aspects of the build environment. It's a good idea to try this on novel platforms or architectures. +Windows, of course, is special. We build for Windows with Microsoft Visual Studio 2012 on Windows 7. A solution file is located in the *windows* subfolder. Newer versions of Visual Studio (and Windows) may work but haven't been tested. Older versions almost certainly will not, since they lack things like *stdint.h* and certain STL features. MinGW or other ports of gcc/clang to Windows should also work but haven't been tested. Build steps for Windows are a bit more complicated. For the moment you are on your own there. -Windows, of course, is special. A Visual Studio solution file is located in the *windows/* subfolder. We have not tried MinGW or CLANG for Windows but these may work, though you will have issues building the Windows GUI with them. +Mobile versions are in progress. They don't work yet, and in any case only the glue code will be included in this repository. The full mobile apps are in private repositories on our own git server. -Mac and Windows require tun/tap virtual network port drivers. We include pre-built signed binaries for these in `ext/bin`, so you should not need to build these yourself. Linux, FreeBSD, and others can use built-in kernel support for tun/tap network devices. +### Supported Platforms + +CPU architecture shouldn't matter unless it's smaller than 32-bit or something really bizarre like a "middle-endian" processor. We have reports of ZeroTier One running on arm32, arm64, and MIPS. It builds and runs out of the box on Raspberry Pi, BeagleBone, BananaPi, and other ARM-based developer/hobbyist boards. + +ZeroTier is written in C and C++ (C++03 / ISO/IEC 14882:2003) and uses data structures and algorithms from the C++03 STL. We do not use any C++11 features (yet), since we want to support a few old and embedded platforms that don't have C++11 compilers. You *will* require a compiler and headers new enough to support 64-bit integers (long long) and the *stdint.h* header. The latter could also be faked by adding defines for things like *uint32\_t*, *int64\_t*, etc. + +Typing "make selftest" will build a *zerotier-selftest* binary which unit tests various internals and reports on a few aspects of the build environment. It's a good idea to try this on novel platforms or architectures. ### Running @@ -64,10 +45,10 @@ The service is controlled via the JSON API, which by default is available at 127 Here's where home folders live (by default) on each OS: - * **Linux**: `/var/lib/zerotier-one` - * **FreeBSD**: `/var/db/zerotier-one` - * **Mac**: `/Library/Application Support/ZeroTier/One` - * **Windows**: `\ProgramData\ZeroTier\One` (That's for Windows 7. The base 'shared app data' folder might be different on different Windows versions.) + * Linux: /var/lib/zerotier-one + * BSD: /var/db/zerotier-one + * Mac: /Library/Application Support/ZeroTier/One + * Windows: \\ProgramData\\ZeroTier\\One (That's for Windows 7. The base 'shared app data' folder might be different on different Windows versions.) Running ZeroTier One on a Mac is the same, but OSX requires a kernel extension. We ship a signed binary build of the ZeroTier tap device driver, which can be installed on Mac with: @@ -75,6 +56,96 @@ Running ZeroTier One on a Mac is the same, but OSX requires a kernel extension. This will create the home folder for Mac, place *tap.kext* there, and set its modes correctly to enable ZeroTier One to manage it with *kextload* and *kextunload*. +We recommend using our binary packages on Windows, since there are several prerequisites such as a tap driver that must be installed on the system *and* in the home folder. + +### Joining A Network + +ZeroTier virtual networks are identified by 16-digit hexadecimal network IDs, while devices are identified by 10-digit addresses. To get your address run: + + sudo zerotier-cli status + +(Use ./zerotier-cli if you're running it right from your build folder.) + +You should see something like: + + 200 info ########## ONLINE #.#.# + +That 10-digit hex code is you. It's derived via a one-way proof of work function from your cryptographic public key. Your public key can be found in *identity.public* in ZeroTier's home folder, while *identity.secret* contains your full identity including the secret portion of the key pair. + +(The identity files define your device's *identity*. Moving them to another system will move that identity. Be careful when cloning virtual machines that have identities stored on them. If two devices have the same identity, they'll "fight" over it and you won't know which device will receive network packets.) + +If you want to do a quick test, you can join [Earth](https://www.zerotier.com/earth.html). It's a global public network that anyone can join. Type: + + sudo zerotier-cli join 8056c2e21c000001 + +Then: + + sudo zerotier-cli listnetworks + +At first it'll be in *REQUESTING\_CONFIGURATION* state. In a few seconds to a minute you should see something like: + + 200 listnetworks 8056c2e21c000001 earth.zerotier.net ##:##:##:##:##:## OK PUBLIC zt0 ##.##.##.##/## + +Earth will assign you an IP address in the "unofficially available" globally unrouted 28.0.0.0/7 IP block so as to avoid conflicts with local networks. (Your networks can use any IP scheme, or can even leave IP addresses unmanaged.) Once you get an IP, you should be able to ping something: + + ping earth.zerotier.net + +Go to [http://earth.zerotier.net/](http://earth.zerotier.net/) to see a short little welcome page that will tell you your IP and Ethernet MAC address. + +Earth is a public place. If you don't want to stick around run: + + sudo zerotier-cli leave 8056c2e21c000001 + +The network (and associated interface) should be gone. + +Networks are created and administrated by network controllers. Most users will want to use our hosted controllers. Visit [our web site](https://www.zerotier.com/) for more information. Later in this README there are brief instructions about building ZeroTier One with network controller support for those who want to try running their own. + +Macintosh and Windows installers also install a GUI application. + +### Installing + +We don't have a "make install" rule quite yet. On Linux you can type: + + make installer + +This will build a binary that, when run, will install ZeroTier One on most current Linux distributions. We also have RPM and DEB build files in *ext/installfiles/linux* that wrap this installer in packages for RedHat/CentOS and Debian/Ubuntu derived distributions. If *rpmbuild* is present on the system, the RPM will be built. If *dpkg-deb* is present, the DEB package will be built. + +On Mac the best way is to install [Packages](http://s.sudre.free.fr/Software/Packages/about.html) and use: + + make mac-dist-pkg + +This builds a .pkg file that can be installed. + +In FreeBSD there is now an official .pkg in the FreeBSD repository. Type "pkg install zerotier". It can also be built and installed from source. + +Linux/BSD and Mac installations have an *uninstall.sh* file in their ZeroTier home folder that cleanly removes ZeroTier One from the system. Run this with: + + sudo /path/to/ZeroTier/home/folder/uninstall.sh + +Windows installers are insane. We build our .MSI installers with [Advanced Installer Enterprise](http://www.advancedinstaller.com). The Advanced Installer project file is in *ext/installfiles/windows*. To avoid lasting psychological trauma we recommend leaving Windows installers alone and using the pre-built Windows binaries on our web site. + +### Using ZeroTier One in Docker Containers + +To run the ZeroTier One service in a Docker container, run it with "--device=/dev/net/tun --cap-add=NET_ADMIN". This will allow ZeroTier One to open a "tap" virtual network port inside the container. + +Alternately, you can use Ethernet bridging to bridge the *docker0* device on your system to a ZeroTier virtual network. This allows you to run ZeroTier One on the host and bridge the entire Docker network backplane to a virtual network or other hosts. + +We're working on better "official" Docker support. In the meantime there is a [user-contributed project here](https://github.com/davide/docker-zerotier). + +### Building with Network Controller Support + +**Warning: as of beta version 1.0.3 the new network controller is not heavily tested. We recommend waiting for 1.0.4 to deploy this in production.** + +Network controllers are nodes responsible for issuing configurations and certificates to members of ZeroTier virtual networks. Most users won't need to run their own, so this code is by default not included in the ZeroTier One binary. + +You can build a network controller on Linux or Mac with: + + make ZT_ENABLE_NETWORK_CONTROLLER=1 + +This will build a version that contains the Sqlite-backed network controller and associated extensions to the JSON local service control API. You will need the development headers for sqlite3 installed. On Mac these ship as part of Xcode, while on Linux they'll be found in packages for the various distributions. + +See the JSON API documentation in [service/](service/) for more information about how to control controllers. + ### Troubleshooting For most users, it just works. @@ -85,7 +156,7 @@ The Mac firewall can be found under "Security" in System Preferences. Linux has sudo ufw allow 9993/udp -On CentOS check `/etc/sysconfig/iptables` for IPTables rules. For other distributions consult your distribution's documentation. You'll also have to check the UIs or documentation for commercial third party firewall applications like Little Snitch (Mac), McAfee Firewall Enterprise (Windows), etc. if you are running any of those. Some corporate environments might have centrally managed firewall software, so you might also have to contact IT. +On CentOS check */etc/sysconfig/iptables* for IPTables rules. For other distributions consult your distribution's documentation. You'll also have to check the UIs or documentation for commercial third party firewall applications like Little Snitch (Mac), McAfee Firewall Enterprise (Windows), etc. if you are running any of those. Some corporate environments might have centrally managed firewall software, so you might also have to contact IT. ZeroTier One peers will automatically locate each other and communicate directly over a local wired LAN *if UDP port 9993 inbound is open*. If that port is filtered, they won't be able to see each others' LAN announcement packets. If you're experiencing poor performance between devices on the same physical network, check their firewall settings. Without LAN auto-location peers must attempt "loopback" NAT traversal, which sometimes fails and in any case requires that every packet traverse your external router twice. @@ -97,7 +168,7 @@ If a firewall between you and the Internet blocks ZeroTier's UDP traffic, you wi ### Contributing -Please make pull requests against the `dev` branch. The `master` branch is release, and `edge` is for unstable and work in progress changes and is not likely to work. +There are three main branches: **edge**, **test**, and **master**. Other branches may be for specific features, tests, or use cases. In general **edge** is "bleeding" and may or may not work, while **test** should be relatively stable and **master** is the latest tagged release. Pull requests should generally be done against **test** or **edge**, since pull requests against **master** may be working against a branch that is somewhat out of date. ### License diff --git a/zerotierone/attic/OSXEthernetTap.cpp.pcap-with-bridge-test b/zerotierone/attic/OSXEthernetTap.cpp.pcap-with-bridge-test index baae0a4..6019442 100644 --- a/zerotierone/attic/OSXEthernetTap.cpp.pcap-with-bridge-test +++ b/zerotierone/attic/OSXEthernetTap.cpp.pcap-with-bridge-test @@ -43,6 +43,7 @@ #include #include #include +#include #include #include #include diff --git a/zerotierone/attic/OSXEthernetTap.cpp.utun-work-in-progress b/zerotierone/attic/OSXEthernetTap.cpp.utun-work-in-progress index f40483e..b7a0533 100644 --- a/zerotierone/attic/OSXEthernetTap.cpp.utun-work-in-progress +++ b/zerotierone/attic/OSXEthernetTap.cpp.utun-work-in-progress @@ -43,6 +43,7 @@ #include #include #include +#include #include #include #include diff --git a/zerotierone/controller/README.md b/zerotierone/controller/README.md index 805641d..874fa18 100644 --- a/zerotierone/controller/README.md +++ b/zerotierone/controller/README.md @@ -1,253 +1,32 @@ -Network Controller Microservice +Network Controller Implementation ====== -Every ZeroTier virtual network has a *network controller*. This is our reference implementation and is the same one we use to power our own hosted services at [my.zerotier.com](https://my.zerotier.com/). Network controllers act as configuration servers and certificate authorities for the members of networks. Controllers are located on the network by simply parsing out the first 10 digits of a network's 16-digit network ID: these are the address of the controller. +This folder contains code implementing the node/NetworkController.hpp interface to allow ZeroTier nodes to create and manage virtual networks. -As of ZeroTier One version 1.2.0 this code is included in normal builds for desktop, laptop, and server (Linux, etc.) targets, allowing any device to create virtual networks without having to be rebuilt from source with special flags to enable this feature. While this does offer a convenient way to create ad-hoc networks or experiment, we recommend running a dedicated controller somewhere secure and stable for any "serious" use case. +### Building -Controller data is stored in JSON format under `controller.d` in the ZeroTier working directory. It can be copied, rsync'd, placed in `git`, etc. The files under `controller.d` should not be modified in place while the controller is running or data loss may result, and if they are edited directly take care not to save corrupt JSON since that can also lead to data loss when the controller is restarted. Going through the API is strongly preferred to directly modifying these files. +By default this code is not built or included in the client. To build on Linux, BSD, or Mac add `ZT_ENABLE_NETWORK_CONTROLLER=1` to the make command line. You'll need the development headers for Sqlite3 installed. They ship as part of OSX and Xcode. On Linux or BSD you'll probably need to install a package. -### Upgrading from Older Versions +### Running -Older versions of this code used a SQLite database instead of in-filesystem JSON. A migration utility called `migrate-sqlite` is included here and *must* be used to migrate this data to the new format. If the controller is started with an old `controller.db` in its working directory it will terminate after printing an error to *stderr*. This is done to prevent "surprises" for those running DIY controllers using the old code. +When started, a controller-enabled build of ZeroTier One will automatically create and initialize a *controller.db* in its home folder. This is where all the controller's data and persistent state lives. -The migration tool is written in nodeJS and can be used like this: +Since Sqlite3 supports multiple processes attached to the same database, it is safe to back up a running database with the command line *sqlite3* utility: - cd migrate-sqlite - npm install - node migrate-sqlite.js + sqlite3 /path/to/controller.db .dump -You may need to `sudo node ...` if the ZeroTier working directory is owned by root. +In production ZeroTier runs this frequently and keeps many timestamped copies going back about a week. These are also backed up (encrypted) to Amazon S3 along with the rest of our data. -This code will dump the contents of any `controller.db` in the ZeroTier working directory and recreate its data in the form of JSON objects under `controller.d`. The old `controller.db` will then be renamed to `controller.db.migrated` and the controller will start normally. +### Administrating -After migrating make sure that the contents of `controller.d` are owned and writable by the user that will be running the ZeroTier controller process! (Usually this is root but controllers that don't also join networks are sometimes run as unprivileged users.) +See service/README.md for documentation on the JSON API presented by this network controller implementation. Also see *nodejs-zt1-client* for a NodeJS JavaScript interface. -If you don't have nodeJS on the machine running ZeroTier it is perfectly fine to just copy `controller.db` to a directory on another machine and run the migration tool there. After running your migration the contents of `controller.d` can be tar'd up and copied back over to the controller. Just remember to rename or remove `controller.db` on the controller machine afterwords so the controller will start. +### Reliability -### Scalability and Reliability +Network controllers can go offline without affecting already-configured members of running networks. You just won't be able to change anything and new members will not be able to join. -Controllers can in theory host up to 2^24 networks and serve many millions of devices (or more), but we recommend spreading large numbers of networks across many controllers for load balancing and fault tolerance reasons. Since the controller uses the filesystem as its data store we recommend fast filesystems and fast SSD drives for heavily loaded controllers. +High-availability can be implemented through fail-over. A simple method involves making a frequent backup of the SQLite database (use the SQLite command line client to do this safely) and the network configuration master's working directory. Then, if the master goes down, another instance of it can rapidly be provisioned elsewhere. Since ZeroTier addresses are mobile, the new instance will quickly (usually no more than 30s) take over for the old one and service requests. -Since ZeroTier nodes are mobile and do not need static IPs, implementing high availability fail-over for controllers is easy. Just replicate their working directories from master to backup and have something automatically fire up the backup if the master goes down. Many modern orchestration tools have built-in support for this. It would also be possible in theory to run controllers on a replicated or distributed filesystem, but we haven't tested this yet. +### Limits -### Dockerizing Controllers - -ZeroTier network controllers can easily be run in Docker or other container systems. Since containers do not need to actually join networks, extra privilege options like "--device=/dev/net/tun --privileged" are not needed. You'll just need to map the local JSON API port of the running controller and allow it to access the Internet (over UDP/9993 at a minimum) so things can reach and query it. - -### Network Controller API - -The controller API is hosted via the same JSON API endpoint that ZeroTier One uses for local control (usually at 127.0.0.1 port 9993). All controller options are routed under the `/controller` base path. - -The controller microservice does not implement any fine-grained access control (authentication is via authtoken.secret just like the regular JSON API) or other complex mangement features. It just takes network and network member configurations and reponds to controller queries. We have an enterprise product called [ZeroTier Central](https://my.zerotier.com/) that we host as a service (and that companies can license to self-host) that does this. - -All working network IDs on a controller must begin with the controller's ZeroTier address. The API will *allow* "foreign" networks to be added but the controller will have no way of doing anything with them since nobody will know to query it. (In the future we might support secondaries, which would make this relevant.) - -The JSON API is *very* sensitive about types. Integers must be integers and strings strings, etc. Incorrectly typed and unrecognized fields may result in ignored fields or a 400 (bad request) error. - -#### `/controller` - - * Purpose: Check for controller function and return controller status - * Methods: GET - * Returns: { object } - -| Field | Type | Description | Writable | -| ------------------ | ----------- | ------------------------------------------------- | -------- | -| controller | boolean | Always 'true' | no | -| apiVersion | integer | Controller API version, currently 3 | no | -| clock | integer | Current clock on controller, ms since epoch | no | - -#### `/controller/network` - - * Purpose: List all networks hosted by this controller - * Methods: GET - * Returns: [ string, ... ] - -This returns an array of 16-digit hexadecimal network IDs. - -#### `/controller/network/` - - * Purpose: Create, configure, and delete hosted networks - * Methods: GET, POST, DELETE - * Returns: { object } - -By making queries to this path you can create, configure, and delete networks. DELETE is final, so don't do it unless you really mean it. - -When POSTing new networks take care that their IDs are not in use, otherwise you may overwrite an existing one. To create a new network with a random unused ID, POST to `/controller/network/##########______`. The #'s are the controller's 10-digit ZeroTier address and they're followed by six underscores. Check the `nwid` field of the returned JSON object for your network's newly allocated ID. Subsequent POSTs to this network must refer to its actual path. - -| Field | Type | Description | Writable | -| --------------------- | ------------- | ------------------------------------------------- | -------- | -| id | string | 16-digit network ID | no | -| nwid | string | 16-digit network ID (old, but still around) | no | -| clock | integer | Current clock, ms since epoch | no | -| name | string | A short name for this network | YES | -| private | boolean | Is access control enabled? | YES | -| enableBroadcast | boolean | Ethernet ff:ff:ff:ff:ff:ff allowed? | YES | -| allowPassiveBridging | boolean | Allow any member to bridge (very experimental) | YES | -| v4AssignMode | object | IPv4 management and assign options (see below) | YES | -| v6AssignMode | object | IPv6 management and assign options (see below) | YES | -| multicastLimit | integer | Maximum recipients for a multicast packet | YES | -| creationTime | integer | Time network was first created | no | -| revision | integer | Network config revision counter | no | -| authorizedMemberCount | integer | Number of authorized members (for private nets) | no | -| activeMemberCount | integer | Number of members that appear to be online | no | -| totalMemberCount | integer | Total known members of this network | no | -| routes | array[object] | Managed IPv4 and IPv6 routes; see below | YES | -| ipAssignmentPools | array[object] | IP auto-assign ranges; see below | YES | -| rules | array[object] | Traffic rules; see below | YES | - -Recent changes: - - * The `ipLocalRoutes` field appeared in older versions but is no longer present. Routes will now show up in `routes`. - * The `relays` field is gone since network preferred relays are gone. This capability is replaced by VL1 level federation ("federated roots"). - -Other important points: - - * Networks without rules won't carry any traffic. If you don't specify any on network creation an "accept anything" rule set will automatically be added. - * Managed IP address assignments and IP assignment pools that do not fall within a route configured in `routes` are ignored and won't be used or sent to members. - * The default for `private` is `true` and this is probably what you want. Turning `private` off means *anyone* can join your network with only its 16-digit network ID. It's also impossible to de-authorize a member as these networks don't issue or enforce certificates. Such "party line" networks are used for decentralized app backplanes, gaming, and testing but are otherwise not common. - -**Auto-Assign Modes:** - -Auto assign modes (`v4AssignMode` and `v6AssignMode`) contain objects that map assignment modes to booleans. - -For IPv4 the only valid setting is `zt` which, if true, causes IPv4 addresses to be auto-assigned from `ipAssignmentPools` to members that do not have an IPv4 assignment. Note that active bridges are exempt and will not get auto-assigned IPs since this can interfere with bridging. (You can still manually assign one if you want.) - -IPv6 includes this option and two others: `6plane` and `rfc4193`. These assign private IPv6 addresses to each member based on a deterministic assignment scheme that allows members to emulate IPv6 NDP to skip multicast for better performance and scalability. The `rfc4193` mode gives every member a /128 on a /88 network, while `6plane` gives every member a /80 within a /40 network but uses NDP emulation to route *all* IPs under that /80 to its owner. The `6plane` mode is great for use cases like Docker since it allows every member to assign IPv6 addresses within its /80 that just work instantly and globally across the network. - -**IP assignment pool object format:** - -| Field | Type | Description | -| --------------------- | ------------- | ------------------------------------------------- | -| ipRangeStart | string | Starting IP address in range | -| ipRangeEnd | string | Ending IP address in range (inclusive) | - -Pools are only used if auto-assignment is on for the given address type (IPv4 or IPv6) and if the entire range falls within a managed route. - -IPv6 ranges work just like IPv4 ranges and look like this: - - { - "ipRangeStart": "fd00:feed:feed:beef:0000:0000:0000:0000", - "ipRangeEnd": "fd00:feed:feed:beef:ffff:ffff:ffff:ffff" - } - -(You can POST a shortened-form IPv6 address but the API will always report back un-shortened canonical form addresses.) - -That defines a range within network `fd00:feed:feed:beef::/64` that contains up to 2^64 addresses. If an IPv6 range is large enough, the controller will assign addresses by placing each member's device ID into the address in a manner similar to the RFC4193 and 6PLANE modes. Otherwise it will assign addresses at random. - -**Rule object format:** - -Each rule is actually a sequence of zero or more `MATCH_` entries in the rule array followed by an `ACTION_` entry that describes what to do if all the preceding entries match. An `ACTION_` without any preceding `MATCH_` entries is always taken, so setting a single `ACTION_ACCEPT` rule yields a network that allows all traffic. If no rules are present the default action is `ACTION_DROP`. - -Rules are evaluated in the order in which they appear in the array. There is currently a limit of 256 entries per network. Capabilities should be used if a larger and more complex rule set is needed since they allow rules to be grouped by purpose and only shipped to members that need them. - -Each rule table entry has two common fields. - -| Field | Type | Description | -| --------------------- | ------------- | ------------------------------------------------- | -| type | string | Entry type (all caps, case sensitive) | -| not | boolean | If true, MATCHes match if they don't match | - -The following fields may or may not be present depending on rule type: - -| Field | Type | Description | -| --------------------- | ------------- | ------------------------------------------------- | -| zt | string | 10-digit hex ZeroTier address | -| etherType | integer | Ethernet frame type | -| mac | string | Hex MAC address (with or without :'s) | -| ip | string | IPv4 or IPv6 address | -| ipTos | integer | IP type of service | -| ipProtocol | integer | IP protocol (e.g. TCP) | -| start | integer | Start of an integer range (e.g. port range) | -| end | integer | End of an integer range (inclusive) | -| id | integer | Tag ID | -| value | integer | Tag value or comparison value | -| mask | integer | Bit mask (for characteristics flags) | - -The entry types and their additional fields are: - -| Entry type | Description | Fields | -| ------------------------------- | ----------------------------------------------------------------- | -------------- | -| `ACTION_DROP` | Drop any packets matching this rule | (none) | -| `ACTION_ACCEPT` | Accept any packets matching this rule | (none) | -| `ACTION_TEE` | Send a copy of this packet to a node (rule parsing continues) | `zt` | -| `ACTION_REDIRECT` | Redirect this packet to another node | `zt` | -| `ACTION_DEBUG_LOG` | Output debug info on match (if built with rules engine debug) | (none) | -| `MATCH_SOURCE_ZEROTIER_ADDRESS` | Match VL1 ZeroTier address of packet sender. | `zt` | -| `MATCH_DEST_ZEROTIER_ADDRESS` | Match VL1 ZeroTier address of recipient | `zt` | -| `MATCH_ETHERTYPE` | Match Ethernet frame type | `etherType` | -| `MATCH_MAC_SOURCE` | Match source Ethernet MAC address | `mac` | -| `MATCH_MAC_DEST` | Match destination Ethernet MAC address | `mac` | -| `MATCH_IPV4_SOURCE` | Match source IPv4 address | `ip` | -| `MATCH_IPV4_DEST` | Match destination IPv4 address | `ip` | -| `MATCH_IPV6_SOURCE` | Match source IPv6 address | `ip` | -| `MATCH_IPV6_DEST` | Match destination IPv6 address | `ip` | -| `MATCH_IP_TOS` | Match IP TOS field | `ipTos` | -| `MATCH_IP_PROTOCOL` | Match IP protocol field | `ipProtocol` | -| `MATCH_IP_SOURCE_PORT_RANGE` | Match a source IP port range | `start`,`end` | -| `MATCH_IP_DEST_PORT_RANGE` | Match a destination IP port range | `start`,`end` | -| `MATCH_CHARACTERISTICS` | Match on characteristics flags | `mask`,`value` | -| `MATCH_FRAME_SIZE_RANGE` | Match a range of Ethernet frame sizes | `start`,`end` | -| `MATCH_TAGS_SAMENESS` | Match if both sides' tags differ by no more than value | `id`,`value` | -| `MATCH_TAGS_BITWISE_AND` | Match if both sides' tags AND to value | `id`,`value` | -| `MATCH_TAGS_BITWISE_OR` | Match if both sides' tags OR to value | `id`,`value` | -| `MATCH_TAGS_BITWISE_XOR` | Match if both sides` tags XOR to value | `id`,`value` | - -Important notes about rules engine behavior: - - * IPv4 and IPv6 IP address rules do not match for frames that are not IPv4 or IPv6 respectively. - * `ACTION_DEBUG_LOG` is a no-op on nodes not built with `ZT_RULES_ENGINE_DEBUGGING` enabled (see Network.cpp). If that is enabled nodes will dump a trace of rule evaluation results to *stdout* when this action is encountered but will otherwise keep evaluating rules. This is used for basic "smoke testing" of the rules engine. - * Multicast packets and packets destined for bridged devices treated a little differently. They are matched more than once. They are matched at the point of send with a NULL ZeroTier destination address, meaning that `MATCH_DEST_ZEROTIER_ADDRESS` is useless. That's because the true VL1 destination is not yet known. Then they are matched again for each true VL1 destination. On these later subsequent matches TEE actions are ignored and REDIRECT rules are interpreted as DROPs. This prevents multiple TEE or REDIRECT packets from being sent to third party devices. - * Rules in capabilities are always matched as if the current device is the sender (inbound == false). A capability specifies sender side rules that can be enforced on both sides. - -#### `/controller/network//member` - - * Purpose: Get a set of all members on this network - * Methods: GET - * Returns: { object } - -This returns a JSON object containing all member IDs as keys and their `memberRevisionCounter` values as values. - -#### `/controller/network//active` - - * Purpose: Get a set of all active members on this network - * Methods: GET - * Returns: { object } - -This returns an object containing all currently online members and the most recent `recentLog` entries for their last request. - -#### `/controller/network//member/
` - - * Purpose: Create, authorize, or remove a network member - * Methods: GET, POST, DELETE - * Returns: { object } - -| Field | Type | Description | Writable | -| --------------------- | ------------- | ------------------------------------------------- | -------- | -| id | string | Member's 10-digit ZeroTier address | no | -| address | string | Member's 10-digit ZeroTier address | no | -| nwid | string | 16-digit network ID | no | -| clock | integer | Current clock, ms since epoch | no | -| authorized | boolean | Is member authorized? (for private networks) | YES | -| authHistory | array[object] | History of auth changes, latest at end | no | -| activeBridge | boolean | Member is able to bridge to other Ethernet nets | YES | -| identity | string | Member's public ZeroTier identity (if known) | no | -| ipAssignments | array[string] | Managed IP address assignments | YES | -| memberRevision | integer | Member revision counter | no | -| recentLog | array[object] | Recent member activity log; see below | no | - -Note that managed IP assignments are only used if they fall within a managed route. Otherwise they are ignored. - -**Recent log object format:** - -| Field | Type | Description | -| --------------------- | ------------- | ------------------------------------------------- | -| ts | integer | Time of request, ms since epoch | -| authorized | boolean | Was member authorized? | -| clientMajorVersion | integer | Client major version or -1 if unknown | -| clientMinorVersion | integer | Client minor version or -1 if unknown | -| clientRevision | integer | Client revision or -1 if unknown | -| clientProtocolVersion | integer | ZeroTier protocol version reported by client | -| fromAddr | string | Physical address if known | - -The controller can only know a member's `fromAddr` if it's able to establish a direct path to it. Members behind very restrictive firewalls may not have this information since the controller will be receiving the member's requests by way of a relay. ZeroTier does not back-trace IP paths as packets are relayed since this would add a lot of protocol overhead. +A single network configuration master can administrate up to 2^24 (~16m) networks as per the ZeroTier protocol limit. There is no hard limit on the number of clients, though millions or more would impose significant CPU demands on a server. Optimizations could be implemented such as memoization/caching to reduce this. diff --git a/zerotierone/ext/README.md b/zerotierone/ext/README.md index be9484c..f296fa5 100644 --- a/zerotierone/ext/README.md +++ b/zerotierone/ext/README.md @@ -1,10 +1 @@ -Miscellaneous Stuff -====== - -This subfolder contains: - - * Bundled third party libraries that are compiled into the binary on platforms and Linux distributions where they are not available on the system. - - * Pre-compiled binaries for some platforms, such as pre-built and signed drivers for Mac and Windows. - - * Miscellaneous files used by installers and packages on various platform targets. +The ext/ folder contains third party code, drivers, installation support files, etc. \ No newline at end of file diff --git a/zerotierone/ext/http-parser/AUTHORS b/zerotierone/ext/http-parser/AUTHORS index 5323b68..29cdbb1 100644 --- a/zerotierone/ext/http-parser/AUTHORS +++ b/zerotierone/ext/http-parser/AUTHORS @@ -61,8 +61,3 @@ Marc O'Morain Jeff Pinner Timothy J Fontaine Akagi201 -Romain Giraud -Jay Satiro -Arne Steen -Kjell Schubert -Olivier MenguĂ© diff --git a/zerotierone/ext/http-parser/http_parser.c b/zerotierone/ext/http-parser/http_parser.c index 3c896ff..a113c7f 100644 --- a/zerotierone/ext/http-parser/http_parser.c +++ b/zerotierone/ext/http-parser/http_parser.c @@ -123,7 +123,7 @@ do { \ FOR##_mark = NULL; \ } \ } while (0) - + /* Run the data callback FOR and consume the current byte */ #define CALLBACK_DATA(FOR) \ CALLBACK_DATA_(FOR, p - FOR##_mark, p - data + 1) @@ -440,7 +440,7 @@ enum http_host_state * character or %x80-FF **/ #define IS_HEADER_CHAR(ch) \ - (ch == CR || ch == LF || ch == 9 || ((unsigned char)ch > 31 && ch != 127)) + (ch == CR || ch == LF || ch == 9 || (ch > 31 && ch != 127)) #define start_state (parser->type == HTTP_REQUEST ? s_start_req : s_start_res) @@ -1007,40 +1007,89 @@ reexecute: UPDATE_STATE(s_req_spaces_before_url); } else if (ch == matcher[parser->index]) { ; /* nada */ - } else if (IS_ALPHA(ch)) { - - switch (parser->method << 16 | parser->index << 8 | ch) { -#define XX(meth, pos, ch, new_meth) \ - case (HTTP_##meth << 16 | pos << 8 | ch): \ - parser->method = HTTP_##new_meth; break; - - XX(POST, 1, 'U', PUT) - XX(POST, 1, 'A', PATCH) - XX(CONNECT, 1, 'H', CHECKOUT) - XX(CONNECT, 2, 'P', COPY) - XX(MKCOL, 1, 'O', MOVE) - XX(MKCOL, 1, 'E', MERGE) - XX(MKCOL, 2, 'A', MKACTIVITY) - XX(MKCOL, 3, 'A', MKCALENDAR) - XX(SUBSCRIBE, 1, 'E', SEARCH) - XX(REPORT, 2, 'B', REBIND) - XX(POST, 1, 'R', PROPFIND) - XX(PROPFIND, 4, 'P', PROPPATCH) - XX(PUT, 2, 'R', PURGE) - XX(LOCK, 1, 'I', LINK) - XX(UNLOCK, 2, 'S', UNSUBSCRIBE) - XX(UNLOCK, 2, 'B', UNBIND) - XX(UNLOCK, 3, 'I', UNLINK) -#undef XX - - default: + } else if (parser->method == HTTP_CONNECT) { + if (parser->index == 1 && ch == 'H') { + parser->method = HTTP_CHECKOUT; + } else if (parser->index == 2 && ch == 'P') { + parser->method = HTTP_COPY; + } else { + SET_ERRNO(HPE_INVALID_METHOD); + goto error; + } + } else if (parser->method == HTTP_MKCOL) { + if (parser->index == 1 && ch == 'O') { + parser->method = HTTP_MOVE; + } else if (parser->index == 1 && ch == 'E') { + parser->method = HTTP_MERGE; + } else if (parser->index == 1 && ch == '-') { + parser->method = HTTP_MSEARCH; + } else if (parser->index == 2 && ch == 'A') { + parser->method = HTTP_MKACTIVITY; + } else if (parser->index == 3 && ch == 'A') { + parser->method = HTTP_MKCALENDAR; + } else { + SET_ERRNO(HPE_INVALID_METHOD); + goto error; + } + } else if (parser->method == HTTP_SUBSCRIBE) { + if (parser->index == 1 && ch == 'E') { + parser->method = HTTP_SEARCH; + } else { + SET_ERRNO(HPE_INVALID_METHOD); + goto error; + } + } else if (parser->method == HTTP_REPORT) { + if (parser->index == 2 && ch == 'B') { + parser->method = HTTP_REBIND; + } else { SET_ERRNO(HPE_INVALID_METHOD); goto error; + } + } else if (parser->index == 1) { + if (parser->method == HTTP_POST) { + if (ch == 'R') { + parser->method = HTTP_PROPFIND; /* or HTTP_PROPPATCH */ + } else if (ch == 'U') { + parser->method = HTTP_PUT; /* or HTTP_PURGE */ + } else if (ch == 'A') { + parser->method = HTTP_PATCH; + } else { + SET_ERRNO(HPE_INVALID_METHOD); + goto error; + } + } else if (parser->method == HTTP_LOCK) { + if (ch == 'I') { + parser->method = HTTP_LINK; + } else { + SET_ERRNO(HPE_INVALID_METHOD); + goto error; + } } - } else if (ch == '-' && - parser->index == 1 && - parser->method == HTTP_MKCOL) { - parser->method = HTTP_MSEARCH; + } else if (parser->index == 2) { + if (parser->method == HTTP_PUT) { + if (ch == 'R') { + parser->method = HTTP_PURGE; + } else { + SET_ERRNO(HPE_INVALID_METHOD); + goto error; + } + } else if (parser->method == HTTP_UNLOCK) { + if (ch == 'S') { + parser->method = HTTP_UNSUBSCRIBE; + } else if(ch == 'B') { + parser->method = HTTP_UNBIND; + } else { + SET_ERRNO(HPE_INVALID_METHOD); + goto error; + } + } else { + SET_ERRNO(HPE_INVALID_METHOD); + goto error; + } + } else if (parser->index == 4 && parser->method == HTTP_PROPFIND && ch == 'P') { + parser->method = HTTP_PROPPATCH; + } else if (parser->index == 3 && parser->method == HTTP_UNLOCK && ch == 'I') { + parser->method = HTTP_UNLINK; } else { SET_ERRNO(HPE_INVALID_METHOD); goto error; @@ -1812,9 +1861,6 @@ reexecute: case 0: break; - case 2: - parser->upgrade = 1; - case 1: parser->flags |= F_SKIPBODY; break; @@ -2253,13 +2299,12 @@ http_parse_host_char(enum http_host_state s, const char ch) { static int http_parse_host(const char * buf, struct http_parser_url *u, int found_at) { + //assert(u->field_set & (1 << UF_HOST)); enum http_host_state s; const char *p; size_t buflen = u->field_data[UF_HOST].off + u->field_data[UF_HOST].len; - assert(u->field_set & (1 << UF_HOST)); - u->field_data[UF_HOST].len = 0; s = found_at ? s_http_userinfo_start : s_http_host_start; diff --git a/zerotierone/ext/http-parser/http_parser.h b/zerotierone/ext/http-parser/http_parser.h index 105ae51..e33c062 100644 --- a/zerotierone/ext/http-parser/http_parser.h +++ b/zerotierone/ext/http-parser/http_parser.h @@ -26,8 +26,8 @@ extern "C" { /* Also update SONAME in the Makefile whenever you change these. */ #define HTTP_PARSER_VERSION_MAJOR 2 -#define HTTP_PARSER_VERSION_MINOR 7 -#define HTTP_PARSER_VERSION_PATCH 0 +#define HTTP_PARSER_VERSION_MINOR 6 +#define HTTP_PARSER_VERSION_PATCH 1 #include #if defined(_WIN32) && !defined(__MINGW32__) && \ @@ -77,11 +77,6 @@ typedef struct http_parser_settings http_parser_settings; * HEAD request which may contain 'Content-Length' or 'Transfer-Encoding: * chunked' headers that indicate the presence of a body. * - * Returning `2` from on_headers_complete will tell parser that it should not - * expect neither a body nor any futher responses on this connection. This is - * useful for handling responses to a CONNECT request which may not contain - * `Upgrade` or `Connection: upgrade` headers. - * * http_data_cb does not return data chunks. It will be called arbitrarily * many times for each string. E.G. you might get 10 callbacks for "on_url" * each providing just a few characters more data. diff --git a/zerotierone/ext/installfiles/mac/ZeroTier One.pkgproj b/zerotierone/ext/installfiles/mac/ZeroTier One.pkgproj index d973052..c917d82 100755 --- a/zerotierone/ext/installfiles/mac/ZeroTier One.pkgproj +++ b/zerotierone/ext/installfiles/mac/ZeroTier One.pkgproj @@ -37,7 +37,7 @@ GID 80 PATH - mac-ui-macgap1-wrapper/bin/ZeroTier One.app + ../../mac-ui-macgap1-wrapper/bin/ZeroTier One.app PATH_TYPE 1 PERMISSIONS @@ -130,7 +130,7 @@ GID 0 PATH - ui/index.html + ../../../ui/index.html PATH_TYPE 1 PERMISSIONS @@ -146,7 +146,7 @@ GID 0 PATH - ui/main.js + ../../../ui/main.js PATH_TYPE 1 PERMISSIONS @@ -162,7 +162,7 @@ GID 0 PATH - ui/react.min.js + ../../../ui/react.min.js PATH_TYPE 1 PERMISSIONS @@ -178,7 +178,7 @@ GID 0 PATH - ui/simpleajax.min.js + ../../../ui/simpleajax.min.js PATH_TYPE 1 PERMISSIONS @@ -194,7 +194,7 @@ GID 0 PATH - ui/zerotier.css + ../../../ui/zerotier.css PATH_TYPE 1 PERMISSIONS @@ -210,7 +210,7 @@ GID 0 PATH - ui/ztui.min.js + ../../../ui/ztui.min.js PATH_TYPE 1 PERMISSIONS @@ -759,7 +759,7 @@ OVERWRITE_PERMISSIONS VERSION - 1.1.14 + 1.0.3 PROJECT_COMMENTS @@ -773,27 +773,26 @@ ZW50LVN0eWxlLVR5cGUiIGNvbnRlbnQ9InRleHQvY3NzIj4KPHRp dGxlPjwvdGl0bGU+CjxtZXRhIG5hbWU9IkdlbmVyYXRvciIgY29u dGVudD0iQ29jb2EgSFRNTCBXcml0ZXIiPgo8bWV0YSBuYW1lPSJD - b2NvYVZlcnNpb24iIGNvbnRlbnQ9IjE0MDQuNDciPgo8c3R5bGUg + b2NvYVZlcnNpb24iIGNvbnRlbnQ9IjEzNDcuNTciPgo8c3R5bGUg dHlwZT0idGV4dC9jc3MiPgpwLnAxIHttYXJnaW46IDAuMHB4IDAu - MHB4IDAuMHB4IDAuMHB4OyBsaW5lLWhlaWdodDogMTQuMHB4OyBm - b250OiAxMi4wcHggSGVsdmV0aWNhOyBjb2xvcjogIzAwMDAwMDsg - LXdlYmtpdC10ZXh0LXN0cm9rZTogIzAwMDAwMH0Kc3Bhbi5zMSB7 - Zm9udC1rZXJuaW5nOiBub25lfQo8L3N0eWxlPgo8L2hlYWQ+Cjxi - b2R5Pgo8cCBjbGFzcz0icDEiPjxzcGFuIGNsYXNzPSJzMSI+WmVy - b1RpZXIgT25lIC0gTmV0d29yayBWaXJ0dWFsaXphdGlvbiBFdmVy - eXdoZXJlPC9zcGFuPjwvcD4KPHAgY2xhc3M9InAxIj48c3BhbiBj - bGFzcz0iczEiPihjKTIwMTEtMjAxNiBaZXJvVGllciwgSW5jLjwv - c3Bhbj48L3A+CjxwIGNsYXNzPSJwMSI+PHNwYW4gY2xhc3M9InMx - Ij5jb250YWN0QHplcm90aWVyLmNvbTwvc3Bhbj48L3A+CjxwIGNs - YXNzPSJwMSI+PHNwYW4gY2xhc3M9InMxIj48YnI+Cjwvc3Bhbj48 - L3A+CjxwIGNsYXNzPSJwMSI+PHNwYW4gY2xhc3M9InMxIj5UbyB1 - bmluc3RhbGwgbWFudWFsbHksIHR5cGUgdGhlIGZvbGxvd2luZyBp - biBhIHRlcm1pbmFsIHdpbmRvdzo8L3NwYW4+PC9wPgo8cCBjbGFz - cz0icDEiPjxzcGFuIGNsYXNzPSJzMSI+PGJyPgo8L3NwYW4+PC9w - Pgo8cCBjbGFzcz0icDEiPjxzcGFuIGNsYXNzPSJzMSI+c3VkbyAi - L0xpYnJhcnkvQXBwbGljYXRpb24gU3VwcG9ydC9aZXJvVGllci9P - bmUvdW5pbnN0YWxsLnNoIjwvc3Bhbj48L3A+CjwvYm9keT4KPC9o - dG1sPgo= + MHB4IDAuMHB4IDAuMHB4OyBmb250OiAxMi4wcHggSGVsdmV0aWNh + OyBjb2xvcjogIzAwMDAwMDsgLXdlYmtpdC10ZXh0LXN0cm9rZTog + IzAwMDAwMH0Kc3Bhbi5zMSB7Zm9udC1rZXJuaW5nOiBub25lfQo8 + L3N0eWxlPgo8L2hlYWQ+Cjxib2R5Pgo8cCBjbGFzcz0icDEiPjxz + cGFuIGNsYXNzPSJzMSI+WmVyb1RpZXIgT25lIC0gTmV0d29yayBW + aXJ0dWFsaXphdGlvbiBFdmVyeXdoZXJlPC9zcGFuPjwvcD4KPHAg + Y2xhc3M9InAxIj48c3BhbiBjbGFzcz0iczEiPihjKTIwMTEtMjAx + NSBaZXJvVGllciwgSW5jLjwvc3Bhbj48L3A+CjxwIGNsYXNzPSJw + MSI+PHNwYW4gY2xhc3M9InMxIj5jb250YWN0QHplcm90aWVyLmNv + bTwvc3Bhbj48L3A+CjxwIGNsYXNzPSJwMSI+PHNwYW4gY2xhc3M9 + InMxIj48YnI+Cjwvc3Bhbj48L3A+CjxwIGNsYXNzPSJwMSI+PHNw + YW4gY2xhc3M9InMxIj5UbyB1bmluc3RhbGwgbWFudWFsbHksIHR5 + cGUgdGhlIGZvbGxvd2luZyBpbiBhIHRlcm1pbmFsIHdpbmRvdzo8 + L3NwYW4+PC9wPgo8cCBjbGFzcz0icDEiPjxzcGFuIGNsYXNzPSJz + MSI+PGJyPgo8L3NwYW4+PC9wPgo8cCBjbGFzcz0icDEiPjxzcGFu + IGNsYXNzPSJzMSI+c3VkbyAiL0xpYnJhcnkvQXBwbGljYXRpb24g + U3VwcG9ydC9aZXJvVGllci9PbmUvdW5pbnN0YWxsLnNoIjwvc3Bh + bj48L3A+CjwvYm9keT4KPC9odG1sPgo= PROJECT_SETTINGS diff --git a/zerotierone/ext/installfiles/windows/ZeroTier One.aip b/zerotierone/ext/installfiles/windows/ZeroTier One.aip index 331126e..d8a99c3 100644 --- a/zerotierone/ext/installfiles/windows/ZeroTier One.aip +++ b/zerotierone/ext/installfiles/windows/ZeroTier One.aip @@ -1,7 +1,7 @@ - + @@ -26,10 +26,10 @@ - + - + @@ -54,15 +54,17 @@ + - + + @@ -71,20 +73,26 @@ - + + + + + + - + + @@ -106,7 +114,7 @@ - + @@ -130,10 +138,6 @@ - - - - @@ -146,7 +150,6 @@ - @@ -209,8 +212,6 @@ - - @@ -220,12 +221,6 @@ - - - - - - @@ -241,9 +236,6 @@ - - - @@ -254,8 +246,8 @@ - - + + @@ -269,9 +261,6 @@ - - - @@ -342,13 +331,6 @@ - - - - - - - @@ -356,7 +338,7 @@ - + diff --git a/zerotierone/ext/libnatpmp/getgateway.c b/zerotierone/ext/libnatpmp/getgateway.c index f743a08..dfb9f3e 100644 --- a/zerotierone/ext/libnatpmp/getgateway.c +++ b/zerotierone/ext/libnatpmp/getgateway.c @@ -53,7 +53,6 @@ POSSIBILITY OF SUCH DAMAGE. #undef USE_PROC_NET_ROUTE #define USE_SOCKET_ROUTE #undef USE_SYSCTL_NET_ROUTE -#include #endif #ifdef __APPLE__ @@ -97,6 +96,7 @@ POSSIBILITY OF SUCH DAMAGE. #ifdef USE_SYSCTL_NET_ROUTE #include +#include #include #include #endif diff --git a/zerotierone/ext/miniupnpc/Changelog.txt b/zerotierone/ext/miniupnpc/Changelog.txt index 078bebc..bef61f5 100644 --- a/zerotierone/ext/miniupnpc/Changelog.txt +++ b/zerotierone/ext/miniupnpc/Changelog.txt @@ -1,16 +1,6 @@ -$Id: Changelog.txt,v 1.223 2016/04/19 21:06:20 nanard Exp $ +$Id: Changelog.txt,v 1.219 2015/10/26 17:05:06 nanard Exp $ miniUPnP client Changelog. -VERSION 2.0 : released 2016/04/19 - -2016/01/24: - change miniwget to return HTTP status code - increments API_VERSION to 16 - -2016/01/22: - Improve UPNPIGD_IsConnected() to check if WAN address is not private. - parse HTTP response status line in miniwget.c - 2015/10/26: snprintf() overflow check. check overflow in simpleUPnPcommand2() diff --git a/zerotierone/ext/miniupnpc/README b/zerotierone/ext/miniupnpc/README index 91535db..ab08de9 100644 --- a/zerotierone/ext/miniupnpc/README +++ b/zerotierone/ext/miniupnpc/README @@ -3,7 +3,7 @@ Project web page: http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ github: https://github.com/miniupnp/miniupnp freecode: http://freecode.com/projects/miniupnp Author: Thomas Bernard -Copyright (c) 2005-2016 Thomas Bernard +Copyright (c) 2005-2014 Thomas Bernard This software is subject to the conditions detailed in the LICENSE file provided within this distribution. @@ -32,7 +32,6 @@ To use the libminiupnpc in your application, link it with libminiupnpc.a (or .so) and use the following functions found in miniupnpc.h, upnpcommands.h and miniwget.h : - upnpDiscover() -- UPNP_GetValidIGD() - miniwget() - parserootdesc() - GetUPNPUrls() @@ -60,5 +59,3 @@ send me an email ! For any question, you can use the web forum : http://miniupnp.tuxfamily.org/forum/ -Bugs should be reported on github : -https://github.com/miniupnp/miniupnp/issues diff --git a/zerotierone/ext/miniupnpc/VERSION b/zerotierone/ext/miniupnpc/VERSION index cd5ac03..2e0e38c 100644 --- a/zerotierone/ext/miniupnpc/VERSION +++ b/zerotierone/ext/miniupnpc/VERSION @@ -1 +1 @@ -2.0 +1.9 diff --git a/zerotierone/ext/miniupnpc/apiversions.txt b/zerotierone/ext/miniupnpc/apiversions.txt index 9464a86..3e9ebef 100644 --- a/zerotierone/ext/miniupnpc/apiversions.txt +++ b/zerotierone/ext/miniupnpc/apiversions.txt @@ -1,12 +1,7 @@ -$Id: apiversions.txt,v 1.9 2016/01/24 17:24:36 nanard Exp $ +$Id: apiversions.txt,v 1.8 2015/10/08 16:15:47 nanard Exp $ Differences in API between miniUPnPc versions -API version 16 - added "status_code" argument to getHTTPResponse(), miniwget() and miniwget_getaddr() - updated macro : - #define MINIUPNPC_API_VERSION 16 - API version 15 changed "sameport" argument of upnpDiscover() upnpDiscoverAll() upnpDiscoverDevice() to "localport". When 0 or 1, behaviour is not changed, but it can take diff --git a/zerotierone/ext/miniupnpc/minihttptestserver.c b/zerotierone/ext/miniupnpc/minihttptestserver.c index 6663bc0..32e3cb7 100644 --- a/zerotierone/ext/miniupnpc/minihttptestserver.c +++ b/zerotierone/ext/miniupnpc/minihttptestserver.c @@ -1,4 +1,4 @@ -/* $Id: minihttptestserver.c,v 1.19 2015/11/17 09:07:17 nanard Exp $ */ +/* $Id: minihttptestserver.c,v 1.18 2015/07/15 12:41:15 nanard Exp $ */ /* Project : miniUPnP * Author : Thomas Bernard * Copyright (c) 2011-2015 Thomas Bernard @@ -18,10 +18,6 @@ #include #include -#ifndef INADDR_LOOPBACK -#define INADDR_LOOPBACK 0x7f000001 -#endif - #define CRAP_LENGTH (2048) volatile sig_atomic_t quit = 0; diff --git a/zerotierone/ext/miniupnpc/minisoap.c b/zerotierone/ext/miniupnpc/minisoap.c index e2efd8f..c685aac 100644 --- a/zerotierone/ext/miniupnpc/minisoap.c +++ b/zerotierone/ext/miniupnpc/minisoap.c @@ -22,7 +22,7 @@ #include "minisoap.h" #ifdef _WIN32 #define OS_STRING "Win32" -#define MINIUPNPC_VERSION_STRING "2.0" +#define MINIUPNPC_VERSION_STRING "1.9" #define UPNP_VERSION_STRING "UPnP/1.1" #endif diff --git a/zerotierone/ext/miniupnpc/minissdpc.c b/zerotierone/ext/miniupnpc/minissdpc.c index 0f7271e..a371d16 100644 --- a/zerotierone/ext/miniupnpc/minissdpc.c +++ b/zerotierone/ext/miniupnpc/minissdpc.c @@ -1,8 +1,7 @@ #define _CRT_SECURE_NO_WARNINGS -/* $Id: minissdpc.c,v 1.31 2016/01/19 09:56:46 nanard Exp $ */ -/* vim: tabstop=4 shiftwidth=4 noexpandtab - * Project : miniupnp +/* $Id: minissdpc.c,v 1.30 2015/10/26 17:05:07 nanard Exp $ */ +/* Project : miniupnp * Web : http://miniupnp.free.fr/ * Author : Thomas BERNARD * copyright (c) 2005-2015 Thomas Bernard @@ -70,10 +69,6 @@ struct sockaddr_un { #define HAS_IP_MREQN #endif -#if !defined(HAS_IP_MREQN) && !defined(_WIN32) -#include -#endif - #if defined(HAS_IP_MREQN) && defined(NEED_STRUCT_IP_MREQN) /* Several versions of glibc don't define this structure, * define it here and compile with CFLAGS NEED_STRUCT_IP_MREQN */ @@ -654,25 +649,11 @@ ssdpDiscoverDevices(const char * const deviceTypes[], { PRINT_SOCKET_ERROR("setsockopt"); } -#elif !defined(_WIN32) - struct ifreq ifr; - int ifrlen = sizeof(ifr); - strncpy(ifr.ifr_name, multicastif, IFNAMSIZ); - ifr.ifr_name[IFNAMSIZ-1] = '\0'; - if(ioctl(sudp, SIOCGIFADDR, &ifr, &ifrlen) < 0) - { - PRINT_SOCKET_ERROR("ioctl(...SIOCGIFADDR...)"); - } - mc_if.s_addr = ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr; - if(setsockopt(sudp, IPPROTO_IP, IP_MULTICAST_IF, (const char *)&mc_if, sizeof(mc_if)) < 0) - { - PRINT_SOCKET_ERROR("setsockopt"); - } -#else /* _WIN32 */ +#else #ifdef DEBUG printf("Setting of multicast interface not supported with interface name.\n"); #endif -#endif /* #ifdef HAS_IP_MREQN / !defined(_WIN32) */ +#endif } } } diff --git a/zerotierone/ext/miniupnpc/miniupnpc.c b/zerotierone/ext/miniupnpc/miniupnpc.c index 68d562f..5663888 100644 --- a/zerotierone/ext/miniupnpc/miniupnpc.c +++ b/zerotierone/ext/miniupnpc/miniupnpc.c @@ -1,11 +1,10 @@ #define _CRT_SECURE_NO_WARNINGS - -/* $Id: miniupnpc.c,v 1.149 2016/02/09 09:50:46 nanard Exp $ */ -/* vim: tabstop=4 shiftwidth=4 noexpandtab - * Project : miniupnp +/* $Id: miniupnpc.c,v 1.141 2015/10/26 17:05:07 nanard Exp $ */ +/* vim: tabstop=4 shiftwidth=4 noexpandtab */ +/* Project : miniupnp * Web : http://miniupnp.free.fr/ * Author : Thomas BERNARD - * copyright (c) 2005-2016 Thomas Bernard + * copyright (c) 2005-2015 Thomas Bernard * This software is subjet to the conditions detailed in the * provided LICENSE file. */ #include @@ -74,25 +73,6 @@ #define SERVICEPREFIX "u" #define SERVICEPREFIX2 'u' -/* check if an ip address is a private (LAN) address - * see https://tools.ietf.org/html/rfc1918 */ -static int is_rfc1918addr(const char * addr) -{ - /* 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) */ - if(COMPARE(addr, "192.168.")) - return 1; - /* 10.0.0.0 - 10.255.255.255 (10/8 prefix) */ - if(COMPARE(addr, "10.")) - return 1; - /* 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) */ - if(COMPARE(addr, "172.")) { - int i = atoi(addr + 4); - if((16 <= i) && (i <= 31)) - return 1; - } - return 0; -} - /* root description parsing */ MINIUPNP_LIBSPEC void parserootdesc(const char * buffer, int bufsize, struct IGDdatas * data) { @@ -128,7 +108,6 @@ char * simpleUPnPcommand2(int s, const char * url, const char * service, int soapbodylen; char * buf; int n; - int status_code; *bufsize = 0; snprintf(soapact, sizeof(soapact), "%s#%s", service, action); @@ -232,15 +211,11 @@ char * simpleUPnPcommand2(int s, const char * url, const char * service, return NULL; } - buf = getHTTPResponse(s, bufsize, &status_code); + buf = getHTTPResponse(s, bufsize); #ifdef DEBUG if(*bufsize > 0 && buf) { - printf("HTTP %d SOAP Response :\n%.*s\n", status_code, *bufsize, buf); - } - else - { - printf("HTTP %d, empty SOAP response. size=%d\n", status_code, *bufsize); + printf("SOAP Response :\n%.*s\n", *bufsize, buf); } #endif closesocket(s); @@ -552,7 +527,7 @@ UPNPIGD_IsConnected(struct UPNPUrls * urls, struct IGDdatas * data) * 3 = an UPnP device has been found but was not recognized as an IGD * * In any positive non zero return case, the urls and data structures - * passed as parameters are set. Dont forget to call FreeUPNPUrls(urls) to + * passed as parameters are set. Donc forget to call FreeUPNPUrls(urls) to * free allocated memory. */ MINIUPNP_LIBSPEC int @@ -572,9 +547,6 @@ UPNP_GetValidIGD(struct UPNPDev * devlist, int state = -1; /* state 1 : IGD connected. State 2 : IGD. State 3 : anything */ int n_igd = 0; char extIpAddr[16]; - char myLanAddr[40]; - int status_code = -1; - if(!devlist) { #ifdef DEBUG @@ -597,8 +569,8 @@ UPNP_GetValidIGD(struct UPNPDev * devlist, /* we should choose an internet gateway device. * with st == urn:schemas-upnp-org:device:InternetGatewayDevice:1 */ desc[i].xml = miniwget_getaddr(dev->descURL, &(desc[i].size), - myLanAddr, sizeof(myLanAddr), - dev->scope_id, &status_code); + lanaddr, lanaddrlen, + dev->scope_id); #ifdef DEBUG if(!desc[i].xml) { @@ -615,8 +587,6 @@ UPNP_GetValidIGD(struct UPNPDev * devlist, { desc[i].is_igd = 1; n_igd++; - if(lanaddr) - strncpy(lanaddr, myLanAddr, lanaddrlen); } } } @@ -632,25 +602,20 @@ UPNP_GetValidIGD(struct UPNPDev * devlist, parserootdesc(desc[i].xml, desc[i].size, data); if(desc[i].is_igd || state >= 3 ) { - int is_connected; - GetUPNPUrls(urls, data, dev->descURL, dev->scope_id); /* in state 2 and 3 we dont test if device is connected ! */ if(state >= 2) goto free_and_return; - is_connected = UPNPIGD_IsConnected(urls, data); #ifdef DEBUG printf("UPNPIGD_IsConnected(%s) = %d\n", - urls->controlURL, is_connected); + urls->controlURL, + UPNPIGD_IsConnected(urls, data)); #endif /* checks that status is connected AND there is a external IP address assigned */ - if(is_connected && - (UPNP_GetExternalIPAddress(urls->controlURL, data->first.servicetype, extIpAddr) == 0)) { - if(!is_rfc1918addr(extIpAddr) && (extIpAddr[0] != '\0') - && (0 != strcmp(extIpAddr, "0.0.0.0"))) - goto free_and_return; - } + if(UPNPIGD_IsConnected(urls, data) + && (UPNP_GetExternalIPAddress(urls->controlURL, data->first.servicetype, extIpAddr) == 0)) + goto free_and_return; FreeUPNPUrls(urls); if(data->second.servicetype[0] != '\0') { #ifdef DEBUG @@ -662,17 +627,14 @@ UPNP_GetValidIGD(struct UPNPDev * devlist, memcpy(&data->first, &data->second, sizeof(struct IGDdatas_service)); memcpy(&data->second, &data->tmp, sizeof(struct IGDdatas_service)); GetUPNPUrls(urls, data, dev->descURL, dev->scope_id); - is_connected = UPNPIGD_IsConnected(urls, data); #ifdef DEBUG printf("UPNPIGD_IsConnected(%s) = %d\n", - urls->controlURL, is_connected); + urls->controlURL, + UPNPIGD_IsConnected(urls, data)); #endif - if(is_connected && - (UPNP_GetExternalIPAddress(urls->controlURL, data->first.servicetype, extIpAddr) == 0)) { - if(!is_rfc1918addr(extIpAddr) && (extIpAddr[0] != '\0') - && (0 != strcmp(extIpAddr, "0.0.0.0"))) - goto free_and_return; - } + if(UPNPIGD_IsConnected(urls, data) + && (UPNP_GetExternalIPAddress(urls->controlURL, data->first.servicetype, extIpAddr) == 0)) + goto free_and_return; FreeUPNPUrls(urls); } } @@ -706,9 +668,8 @@ UPNP_GetIGDFromUrl(const char * rootdescurl, { char * descXML; int descXMLsize = 0; - descXML = miniwget_getaddr(rootdescurl, &descXMLsize, - lanaddr, lanaddrlen, 0, NULL); + lanaddr, lanaddrlen, 0); if(descXML) { memset(data, 0, sizeof(struct IGDdatas)); memset(urls, 0, sizeof(struct UPNPUrls)); diff --git a/zerotierone/ext/miniupnpc/miniupnpc.h b/zerotierone/ext/miniupnpc/miniupnpc.h index 0b5b473..dfbfa01 100644 --- a/zerotierone/ext/miniupnpc/miniupnpc.h +++ b/zerotierone/ext/miniupnpc/miniupnpc.h @@ -1,8 +1,8 @@ -/* $Id: miniupnpc.h,v 1.50 2016/04/19 21:06:21 nanard Exp $ */ +/* $Id: miniupnpc.h,v 1.48 2015/10/08 16:19:40 nanard Exp $ */ /* Project: miniupnp * http://miniupnp.free.fr/ * Author: Thomas Bernard - * Copyright (c) 2005-2016 Thomas Bernard + * Copyright (c) 2005-2015 Thomas Bernard * This software is subjects to the conditions detailed * in the LICENCE file provided within this distribution */ #ifndef MINIUPNPC_H_INCLUDED @@ -19,8 +19,8 @@ #define UPNPDISCOVER_MEMORY_ERROR (-102) /* versions : */ -#define MINIUPNPC_VERSION "2.0" -#define MINIUPNPC_API_VERSION 16 +#define MINIUPNPC_VERSION "1.9.20151026" +#define MINIUPNPC_API_VERSION 15 /* Source port: Using "1" as an alias for 1900 for backwards compatability diff --git a/zerotierone/ext/miniupnpc/miniwget.c b/zerotierone/ext/miniupnpc/miniwget.c index 1af106d..4b11ea9 100644 --- a/zerotierone/ext/miniupnpc/miniwget.c +++ b/zerotierone/ext/miniupnpc/miniwget.c @@ -1,10 +1,9 @@ #define _CRT_SECURE_NO_WARNINGS - -/* $Id: miniwget.c,v 1.75 2016/01/24 17:24:36 nanard Exp $ */ +/* $Id: miniwget.c,v 1.72 2015/10/26 17:05:08 nanard Exp $ */ /* Project : miniupnp * Website : http://miniupnp.free.fr/ * Author : Thomas Bernard - * Copyright (c) 2005-2016 Thomas Bernard + * Copyright (c) 2005-2015 Thomas Bernard * This software is subject to the conditions detailed in the * LICENCE file provided in this distribution. */ @@ -50,12 +49,12 @@ #define MIN(x,y) (((x)<(y))?(x):(y)) #endif /* MIN */ + #ifdef _WIN32 #define OS_STRING "Win32" -#define MINIUPNPC_VERSION_STRING "2.0" +#define MINIUPNPC_VERSION_STRING "1.9" #define UPNP_VERSION_STRING "UPnP/1.1" #endif - #include "miniwget.h" #include "connecthostport.h" #include "receivedata.h" @@ -71,7 +70,7 @@ * to the length parameter. */ void * -getHTTPResponse(int s, int * size, int * status_code) +getHTTPResponse(int s, int * size) { char buf[2048]; int n; @@ -89,10 +88,7 @@ getHTTPResponse(int s, int * size, int * status_code) unsigned int content_buf_used = 0; char chunksize_buf[32]; unsigned int chunksize_buf_index; - char * reason_phrase = NULL; - int reason_phrase_len = 0; - if(status_code) *status_code = -1; header_buf = malloc(header_buf_len); if(header_buf == NULL) { @@ -164,7 +160,7 @@ getHTTPResponse(int s, int * size, int * status_code) continue; /* parse header lines */ for(i = 0; i < endofheaders - 1; i++) { - if(linestart > 0 && colon <= linestart && header_buf[i]==':') + if(colon <= linestart && header_buf[i]==':') { colon = i; while(i < (endofheaders-1) @@ -175,29 +171,7 @@ getHTTPResponse(int s, int * size, int * status_code) /* detecting end of line */ else if(header_buf[i]=='\r' || header_buf[i]=='\n') { - if(linestart == 0 && status_code) - { - /* Status line - * HTTP-Version SP Status-Code SP Reason-Phrase CRLF */ - int sp; - for(sp = 0; sp < i; sp++) - if(header_buf[sp] == ' ') - { - if(*status_code < 0) - *status_code = atoi(header_buf + sp + 1); - else - { - reason_phrase = header_buf + sp + 1; - reason_phrase_len = i - sp - 1; - break; - } - } -#ifdef DEBUG - printf("HTTP status code = %d, Reason phrase = %.*s\n", - *status_code, reason_phrase_len, reason_phrase); -#endif - } - else if(colon > linestart && valuestart > colon) + if(colon > linestart && valuestart > colon) { #ifdef DEBUG printf("header='%.*s', value='%.*s'\n", @@ -368,8 +342,7 @@ static void * miniwget3(const char * host, unsigned short port, const char * path, int * size, char * addr_str, int addr_str_len, - const char * httpversion, unsigned int scope_id, - int * status_code) + const char * httpversion, unsigned int scope_id) { char buf[2048]; int s; @@ -467,7 +440,7 @@ miniwget3(const char * host, sent += n; } } - content = getHTTPResponse(s, size, status_code); + content = getHTTPResponse(s, size); closesocket(s); return content; } @@ -476,20 +449,18 @@ miniwget3(const char * host, * Call miniwget3(); retry with HTTP/1.1 if 1.0 fails. */ static void * miniwget2(const char * host, - unsigned short port, const char * path, - int * size, char * addr_str, int addr_str_len, - unsigned int scope_id, int * status_code) + unsigned short port, const char * path, + int * size, char * addr_str, int addr_str_len, + unsigned int scope_id) { char * respbuffer; #if 1 respbuffer = miniwget3(host, port, path, size, - addr_str, addr_str_len, "1.1", - scope_id, status_code); + addr_str, addr_str_len, "1.1", scope_id); #else respbuffer = miniwget3(host, port, path, size, - addr_str, addr_str_len, "1.0", - scope_id, status_code); + addr_str, addr_str_len, "1.0", scope_id); if (*size == 0) { #ifdef DEBUG @@ -497,8 +468,7 @@ miniwget2(const char * host, #endif free(respbuffer); respbuffer = miniwget3(host, port, path, size, - addr_str, addr_str_len, "1.1", - scope_id, status_code); + addr_str, addr_str_len, "1.1", scope_id); } #endif return respbuffer; @@ -623,8 +593,7 @@ parseURL(const char * url, } void * -miniwget(const char * url, int * size, - unsigned int scope_id, int * status_code) +miniwget(const char * url, int * size, unsigned int scope_id) { unsigned short port; char * path; @@ -637,13 +606,12 @@ miniwget(const char * url, int * size, printf("parsed url : hostname='%s' port=%hu path='%s' scope_id=%u\n", hostname, port, path, scope_id); #endif - return miniwget2(hostname, port, path, size, 0, 0, scope_id, status_code); + return miniwget2(hostname, port, path, size, 0, 0, scope_id); } void * miniwget_getaddr(const char * url, int * size, - char * addr, int addrlen, unsigned int scope_id, - int * status_code) + char * addr, int addrlen, unsigned int scope_id) { unsigned short port; char * path; @@ -658,6 +626,5 @@ miniwget_getaddr(const char * url, int * size, printf("parsed url : hostname='%s' port=%hu path='%s' scope_id=%u\n", hostname, port, path, scope_id); #endif - return miniwget2(hostname, port, path, size, addr, addrlen, scope_id, status_code); + return miniwget2(hostname, port, path, size, addr, addrlen, scope_id); } - diff --git a/zerotierone/ext/miniupnpc/miniwget.h b/zerotierone/ext/miniupnpc/miniwget.h index 0701494..d6db71a 100644 --- a/zerotierone/ext/miniupnpc/miniwget.h +++ b/zerotierone/ext/miniupnpc/miniwget.h @@ -1,7 +1,7 @@ -/* $Id: miniwget.h,v 1.12 2016/01/24 17:24:36 nanard Exp $ */ +/* $Id: miniwget.h,v 1.10 2015/07/21 13:16:55 nanard Exp $ */ /* Project : miniupnp * Author : Thomas Bernard - * Copyright (c) 2005-2016 Thomas Bernard + * Copyright (c) 2005-2015 Thomas Bernard * This software is subject to the conditions detailed in the * LICENCE file provided in this distribution. * */ @@ -14,11 +14,11 @@ extern "C" { #endif -MINIUPNP_LIBSPEC void * getHTTPResponse(int s, int * size, int * status_code); +MINIUPNP_LIBSPEC void * getHTTPResponse(int s, int * size); -MINIUPNP_LIBSPEC void * miniwget(const char *, int *, unsigned int, int *); +MINIUPNP_LIBSPEC void * miniwget(const char *, int *, unsigned int); -MINIUPNP_LIBSPEC void * miniwget_getaddr(const char *, int *, char *, int, unsigned int, int *); +MINIUPNP_LIBSPEC void * miniwget_getaddr(const char *, int *, char *, int, unsigned int); int parseURL(const char *, char *, unsigned short *, char * *, unsigned int *); diff --git a/zerotierone/ext/miniupnpc/receivedata.c b/zerotierone/ext/miniupnpc/receivedata.c index ef85a3d..fb05e09 100644 --- a/zerotierone/ext/miniupnpc/receivedata.c +++ b/zerotierone/ext/miniupnpc/receivedata.c @@ -1,4 +1,4 @@ -/* $Id: receivedata.c,v 1.7 2015/11/09 21:51:41 nanard Exp $ */ +/* $Id: receivedata.c,v 1.6 2014/11/13 13:51:52 nanard Exp $ */ /* Project : miniupnp * Website : http://miniupnp.free.fr/ * Author : Thomas Bernard @@ -40,7 +40,7 @@ receivedata(int socket, char * data, int length, int timeout, unsigned int * scope_id) { -#ifdef MINIUPNPC_GET_SRC_ADDR +#if MINIUPNPC_GET_SRC_ADDR struct sockaddr_storage src_addr; socklen_t src_addr_len = sizeof(src_addr); #endif /* MINIUPNPC_GET_SRC_ADDR */ @@ -80,7 +80,7 @@ receivedata(int socket, return 0; } #endif /* !defined(_WIN32) && !defined(__amigaos__) && !defined(__amigaos4__) */ -#ifdef MINIUPNPC_GET_SRC_ADDR +#if MINIUPNPC_GET_SRC_ADDR memset(&src_addr, 0, sizeof(src_addr)); n = recvfrom(socket, data, length, 0, (struct sockaddr *)&src_addr, &src_addr_len); @@ -90,7 +90,7 @@ receivedata(int socket, if(n<0) { PRINT_SOCKET_ERROR("recv"); } -#ifdef MINIUPNPC_GET_SRC_ADDR +#if MINIUPNPC_GET_SRC_ADDR if (src_addr.ss_family == AF_INET6) { const struct sockaddr_in6 * src_addr6 = (struct sockaddr_in6 *)&src_addr; #ifdef DEBUG diff --git a/zerotierone/ext/miniupnpc/testminiwget.c b/zerotierone/ext/miniupnpc/testminiwget.c index 5eb49ec..8ae9032 100644 --- a/zerotierone/ext/miniupnpc/testminiwget.c +++ b/zerotierone/ext/miniupnpc/testminiwget.c @@ -1,7 +1,7 @@ -/* $Id: testminiwget.c,v 1.5 2016/01/24 17:24:36 nanard Exp $ */ +/* $Id: testminiwget.c,v 1.4 2012/06/23 22:35:59 nanard Exp $ */ /* Project : miniupnp * Author : Thomas Bernard - * Copyright (c) 2005-2016 Thomas Bernard + * Copyright (c) 2005-2012 Thomas Bernard * This software is subject to the conditions detailed in the * LICENCE file provided in this distribution. * */ @@ -20,17 +20,15 @@ int main(int argc, char * * argv) int size, writtensize; FILE *f; char addr[64]; - int status_code = -1; if(argc < 3) { fprintf(stderr, "Usage:\t%s url file\n", argv[0]); fprintf(stderr, "Example:\t%s http://www.google.com/ out.html\n", argv[0]); return 1; } - data = miniwget_getaddr(argv[1], &size, addr, sizeof(addr), 0, &status_code); - if(!data || (status_code != 200)) { - if(data) free(data); - fprintf(stderr, "Error %d fetching %s\n", status_code, argv[1]); + data = miniwget_getaddr(argv[1], &size, addr, sizeof(addr), 0); + if(!data) { + fprintf(stderr, "Error fetching %s\n", argv[1]); return 1; } printf("local address : %s\n", addr); diff --git a/zerotierone/ext/miniupnpc/upnpc.c b/zerotierone/ext/miniupnpc/upnpc.c index 94f131c..8bc552e 100644 --- a/zerotierone/ext/miniupnpc/upnpc.c +++ b/zerotierone/ext/miniupnpc/upnpc.c @@ -1,7 +1,7 @@ -/* $Id: upnpc.c,v 1.114 2016/01/22 15:04:23 nanard Exp $ */ +/* $Id: upnpc.c,v 1.112 2015/10/08 16:15:48 nanard Exp $ */ /* Project : miniupnp * Author : Thomas Bernard - * Copyright (c) 2005-2016 Thomas Bernard + * Copyright (c) 2005-2015 Thomas Bernard * This software is subject to the conditions detailed in the * LICENCE file provided in this distribution. */ @@ -66,7 +66,7 @@ static void DisplayInfos(struct UPNPUrls * urls, char connectionType[64]; char status[64]; char lastconnerr[64]; - unsigned int uptime = 0; + unsigned int uptime; unsigned int brUp, brDown; time_t timenow, timestarted; int r; @@ -82,11 +82,9 @@ static void DisplayInfos(struct UPNPUrls * urls, else printf("Status : %s, uptime=%us, LastConnectionError : %s\n", status, uptime, lastconnerr); - if(uptime > 0) { - timenow = time(NULL); - timestarted = timenow - uptime; - printf(" Time started : %s", ctime(×tarted)); - } + timenow = time(NULL); + timestarted = timenow - uptime; + printf(" Time started : %s", ctime(×tarted)); if(UPNP_GetLinkLayerMaxBitRates(urls->controlURL_CIF, data->CIF.servicetype, &brDown, &brUp) != UPNPCOMMAND_SUCCESS) { printf("GetLinkLayerMaxBitRates failed.\n"); @@ -540,7 +538,7 @@ int main(int argc, char ** argv) char ** commandargv = 0; int commandargc = 0; struct UPNPDev * devlist = 0; - char lanaddr[64] = "unset"; /* my ip address on the LAN */ + char lanaddr[64]; /* my ip address on the LAN */ int i; const char * rootdescurl = 0; const char * multicastif = 0; @@ -562,7 +560,7 @@ int main(int argc, char ** argv) } #endif printf("upnpc : miniupnpc library test client, version %s.\n", MINIUPNPC_VERSION_STRING); - printf(" (c) 2005-2016 Thomas Bernard.\n"); + printf(" (c) 2005-2015 Thomas Bernard.\n"); printf("Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/\n" "for more information.\n"); /* command line processing */ diff --git a/zerotierone/ext/miniupnpc/upnpcommands.c b/zerotierone/ext/miniupnpc/upnpcommands.c index 2b65651..660b5d9 100644 --- a/zerotierone/ext/miniupnpc/upnpcommands.c +++ b/zerotierone/ext/miniupnpc/upnpcommands.c @@ -1,6 +1,5 @@ #define _CRT_SECURE_NO_WARNINGS - -/* $Id: upnpcommands.c,v 1.47 2016/03/07 12:26:48 nanard Exp $ */ +/* $Id: upnpcommands.c,v 1.46 2015/07/15 12:19:00 nanard Exp $ */ /* Project : miniupnp * Author : Thomas Bernard * Copyright (c) 2005-2015 Thomas Bernard @@ -618,14 +617,14 @@ UPNP_GetGenericPortMappingEntry(const char * controlURL, protocol[3] = '\0'; } p = GetValueFromNameValueList(&pdata, "NewInternalClient"); - if(p) + if(p && intClient) { strncpy(intClient, p, 16); intClient[15] = '\0'; r = 0; } p = GetValueFromNameValueList(&pdata, "NewInternalPort"); - if(p) + if(p && intPort) { strncpy(intPort, p, 6); intPort[5] = '\0'; diff --git a/zerotierone/include/ZeroTierOne.h b/zerotierone/include/ZeroTierOne.h index c66b907..b5e5bfe 100644 --- a/zerotierone/include/ZeroTierOne.h +++ b/zerotierone/include/ZeroTierOne.h @@ -96,51 +96,26 @@ extern "C" { */ #define ZT_MAX_NETWORK_SPECIALISTS 256 +/** + * Maximum number of static physical to ZeroTier address mappings (typically relays, etc.) + */ +#define ZT_MAX_NETWORK_PINNED 16 + +/** + * Maximum number of rule table entries per network (can be increased) + */ +#define ZT_MAX_NETWORK_RULES 256 + /** * Maximum number of multicast group subscriptions per network */ #define ZT_MAX_NETWORK_MULTICAST_SUBSCRIPTIONS 4096 -/** - * Rules engine revision ID, which specifies rules engine capabilities - */ -#define ZT_RULES_ENGINE_REVISION 1 - -/** - * Maximum number of base (non-capability) network rules - */ -#define ZT_MAX_NETWORK_RULES 1024 - -/** - * Maximum number of per-member capabilities per network - */ -#define ZT_MAX_NETWORK_CAPABILITIES 128 - -/** - * Maximum number of per-member tags per network - */ -#define ZT_MAX_NETWORK_TAGS 128 - /** * Maximum number of direct network paths to a given peer */ #define ZT_MAX_PEER_NETWORK_PATHS 4 -/** - * Maximum number of trusted physical network paths - */ -#define ZT_MAX_TRUSTED_PATHS 16 - -/** - * Maximum number of rules per capability - */ -#define ZT_MAX_CAPABILITY_RULES 64 - -/** - * Global maximum length for capability chain of custody (including initial issue) - */ -#define ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH 7 - /** * Maximum number of hops in a ZeroTier circuit test * @@ -154,11 +129,6 @@ extern "C" { */ #define ZT_CIRCUIT_TEST_MAX_HOP_BREADTH 8 -/** - * Circuit test report flag: upstream peer authorized in path (e.g. by network COM) - */ -#define ZT_CIRCUIT_TEST_REPORT_FLAGS_UPSTREAM_AUTHORIZED_IN_PATH 0x0000000000000001ULL - /** * Maximum number of cluster members (and max member ID plus one) */ @@ -174,81 +144,6 @@ extern "C" { */ #define ZT_CLUSTER_MAX_MESSAGE_LENGTH (1500 - 48) -/** - * Packet characteristics flag: packet direction, 1 if inbound 0 if outbound - */ -#define ZT_RULE_PACKET_CHARACTERISTICS_INBOUND 0x8000000000000000ULL - -/** - * Packet characteristics flag: multicast or broadcast destination MAC - */ -#define ZT_RULE_PACKET_CHARACTERISTICS_MULTICAST 0x4000000000000000ULL - -/** - * Packet characteristics flag: broadcast destination MAC - */ -#define ZT_RULE_PACKET_CHARACTERISTICS_BROADCAST 0x2000000000000000ULL - -/** - * Packet characteristics flag: TCP left-most reserved bit - */ -#define ZT_RULE_PACKET_CHARACTERISTICS_TCP_RESERVED_0 0x0000000000000800ULL - -/** - * Packet characteristics flag: TCP middle reserved bit - */ -#define ZT_RULE_PACKET_CHARACTERISTICS_TCP_RESERVED_1 0x0000000000000400ULL - -/** - * Packet characteristics flag: TCP right-most reserved bit - */ -#define ZT_RULE_PACKET_CHARACTERISTICS_TCP_RESERVED_2 0x0000000000000200ULL - -/** - * Packet characteristics flag: TCP NS flag - */ -#define ZT_RULE_PACKET_CHARACTERISTICS_TCP_NS 0x0000000000000100ULL - -/** - * Packet characteristics flag: TCP CWR flag - */ -#define ZT_RULE_PACKET_CHARACTERISTICS_TCP_CWR 0x0000000000000080ULL - -/** - * Packet characteristics flag: TCP ECE flag - */ -#define ZT_RULE_PACKET_CHARACTERISTICS_TCP_ECE 0x0000000000000040ULL - -/** - * Packet characteristics flag: TCP URG flag - */ -#define ZT_RULE_PACKET_CHARACTERISTICS_TCP_URG 0x0000000000000020ULL - -/** - * Packet characteristics flag: TCP ACK flag - */ -#define ZT_RULE_PACKET_CHARACTERISTICS_TCP_ACK 0x0000000000000010ULL - -/** - * Packet characteristics flag: TCP PSH flag - */ -#define ZT_RULE_PACKET_CHARACTERISTICS_TCP_PSH 0x0000000000000008ULL - -/** - * Packet characteristics flag: TCP RST flag - */ -#define ZT_RULE_PACKET_CHARACTERISTICS_TCP_RST 0x0000000000000004ULL - -/** - * Packet characteristics flag: TCP SYN flag - */ -#define ZT_RULE_PACKET_CHARACTERISTICS_TCP_SYN 0x0000000000000002ULL - -/** - * Packet characteristics flag: TCP FIN flag - */ -#define ZT_RULE_PACKET_CHARACTERISTICS_TCP_FIN 0x0000000000000001ULL - /** * A null/empty sockaddr (all zero) to signify an unspecified socket address */ @@ -467,7 +362,7 @@ enum ZT_VirtualNetworkStatus ZT_NETWORK_STATUS_PORT_ERROR = 4, /** - * ZeroTier core version too old + * ZeroTier One version too old */ ZT_NETWORK_STATUS_CLIENT_TOO_OLD = 5 }; @@ -491,16 +386,12 @@ enum ZT_VirtualNetworkType /** * The type of a virtual network rules table entry * - * These must range from 0 to 127 (0x7f) because the most significant bit - * is reserved as a NOT flag. + * These must range from 0 to 127 (0x7f). * - * Each rule is composed of zero or more MATCHes followed by an ACTION. - * An ACTION with no MATCHes is always taken. + * Each rule is composed of one or more MATCHes followed by an ACTION. */ enum ZT_VirtualNetworkRuleType { - // 0 to 31 reserved for actions - /** * Drop frame */ @@ -512,31 +403,14 @@ enum ZT_VirtualNetworkRuleType ZT_NETWORK_RULE_ACTION_ACCEPT = 1, /** - * Forward a copy of this frame to an observer (by ZT address) + * Forward a copy of this frame to an observer */ ZT_NETWORK_RULE_ACTION_TEE = 2, /** - * Exactly like TEE but mandates ACKs from observer + * Explicitly redirect this frame to another device (ignored if this is the target device) */ - ZT_NETWORK_RULE_ACTION_WATCH = 3, - - /** - * Drop and redirect this frame to another node (by ZT address) - */ - ZT_NETWORK_RULE_ACTION_REDIRECT = 4, - - /** - * Log if match and if rule debugging is enabled in the build, otherwise does nothing (for developers) - */ - ZT_NETWORK_RULE_ACTION_DEBUG_LOG = 5, - - /** - * Maximum ID for an ACTION, anything higher is a MATCH - */ - ZT_NETWORK_RULE_ACTION__MAX_ID = 31, - - // 32 to 127 reserved for match criteria + ZT_NETWORK_RULE_ACTION_REDIRECT = 3, /** * Source ZeroTier address -- analogous to an Ethernet port ID on a switch @@ -608,60 +482,38 @@ enum ZT_VirtualNetworkRuleType */ ZT_NETWORK_RULE_MATCH_IP_PROTOCOL = 45, - /** - * ICMP type and possibly code (does not match if not ICMP) - */ - ZT_NETWORK_RULE_MATCH_ICMP = 46, - /** * IP source port range (start-end, inclusive) */ - ZT_NETWORK_RULE_MATCH_IP_SOURCE_PORT_RANGE = 47, + ZT_NETWORK_RULE_MATCH_IP_SOURCE_PORT_RANGE = 46, /** * IP destination port range (start-end, inclusive) */ - ZT_NETWORK_RULE_MATCH_IP_DEST_PORT_RANGE = 48, + ZT_NETWORK_RULE_MATCH_IP_DEST_PORT_RANGE = 47, /** * Packet characteristics (set of flags) */ - ZT_NETWORK_RULE_MATCH_CHARACTERISTICS = 49, + ZT_NETWORK_RULE_MATCH_CHARACTERISTICS = 48, /** * Frame size range (start-end, inclusive) */ - ZT_NETWORK_RULE_MATCH_FRAME_SIZE_RANGE = 50, + ZT_NETWORK_RULE_MATCH_FRAME_SIZE_RANGE = 49, /** - * Match if local and remote tags differ by no more than value, use 0 to check for equality + * Match a range of relative TCP sequence numbers (e.g. approx first N bytes of stream) */ - ZT_NETWORK_RULE_MATCH_TAGS_DIFFERENCE = 51, - - /** - * Match if local and remote tags ANDed together equal value. - */ - ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_AND = 52, - - /** - * Match if local and remote tags ANDed together equal value. - */ - ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_OR = 53, - - /** - * Match if local and remote tags XORed together equal value. - */ - ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_XOR = 54, - - /** - * Maximum ID allowed for a MATCH entry in the rules table - */ - ZT_NETWORK_RULE_MATCH__MAX_ID = 127 + ZT_NETWORK_RULE_MATCH_TCP_RELATIVE_SEQUENCE_NUMBER_RANGE = 50 }; /** * Network flow rule * + * NOTE: Currently (1.1.x) only etherType is supported! Other things will + * have no effect until the rules engine is fully implemented. + * * Rules are stored in a table in which one or more match entries is followed * by an action. If more than one match precedes an action, the rule is * the AND of all matches. An action with no match is always taken since it @@ -708,13 +560,18 @@ typedef struct /** * Packet characteristic flags being matched */ - uint64_t characteristics[2]; + uint64_t characteristics; /** * IP port range -- start-end inclusive -- host byte order */ uint16_t port[2]; + /** + * TCP relative sequence number range -- start-end inclusive -- host byte order + */ + uint32_t tcpseq[2]; + /** * 40-bit ZeroTier address (in least significant bits, host byte order) */ @@ -751,7 +608,7 @@ typedef struct uint8_t ipProtocol; /** - * IP type of service a.k.a. DSCP field + * IP type of service */ uint8_t ipTos; @@ -759,54 +616,9 @@ typedef struct * Ethernet packet size in host byte order (start-end, inclusive) */ uint16_t frameSize[2]; - - /** - * ICMP type and code - */ - struct { - uint8_t type; // ICMP type, always matched - uint8_t code; // ICMP code if matched - uint8_t flags; // flag 0x01 means also match code, otherwise only match type - } icmp; - - /** - * For tag-related rules - */ - struct { - uint32_t id; - uint32_t value; - } tag; - - /** - * Destinations for TEE and REDIRECT - */ - struct { - uint64_t address; - uint32_t flags; - uint16_t length; - } fwd; } v; } ZT_VirtualNetworkRule; -typedef struct -{ - /** - * 128-bit ID (GUID) of this capability - */ - uint64_t id[2]; - - /** - * Expiration time (measured vs. network config timestamp issued by controller) - */ - uint64_t expiration; - - - struct { - uint64_t from; - uint64_t to; - } custody[ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH]; -} ZT_VirtualNetworkCapability; - /** * A route to be pushed on a virtual network */ @@ -821,16 +633,6 @@ typedef struct * Gateway IP address (port ignored) or NULL (family == 0) for LAN-local (no gateway) */ struct sockaddr_storage via; - - /** - * Route flags - */ - uint16_t flags; - - /** - * Route metric (not currently used) - */ - uint16_t metric; } ZT_VirtualNetworkRoute; /** @@ -875,28 +677,19 @@ enum ZT_VirtualNetworkConfigOperation ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_DESTROY = 4 }; -enum ZT_RelayPolicy -{ - ZT_RELAY_POLICY_NEVER = 0, - ZT_RELAY_POLICY_TRUSTED = 1, - ZT_RELAY_POLICY_ALWAYS = 2 -}; - /** * What trust hierarchy role does this peer have? */ -enum ZT_PeerRole -{ +enum ZT_PeerRole { ZT_PEER_ROLE_LEAF = 0, // ordinary node - ZT_PEER_ROLE_UPSTREAM = 1, // upstream node - ZT_PEER_ROLE_ROOT = 2 // global root + ZT_PEER_ROLE_RELAY = 1, // relay node + ZT_PEER_ROLE_ROOT = 2 // root server }; /** * Vendor ID */ -enum ZT_Vendor -{ +enum ZT_Vendor { ZT_VENDOR_UNSPECIFIED = 0, ZT_VENDOR_ZEROTIER = 1 }; @@ -904,8 +697,7 @@ enum ZT_Vendor /** * Platform type */ -enum ZT_Platform -{ +enum ZT_Platform { ZT_PLATFORM_UNSPECIFIED = 0, ZT_PLATFORM_LINUX = 1, ZT_PLATFORM_WINDOWS = 2, @@ -920,15 +712,13 @@ enum ZT_Platform ZT_PLATFORM_VXWORKS = 11, ZT_PLATFORM_FREERTOS = 12, ZT_PLATFORM_SYSBIOS = 13, - ZT_PLATFORM_HURD = 14, - ZT_PLATFORM_WEB = 15 + ZT_PLATFORM_HURD = 14 }; /** * Architecture type */ -enum ZT_Architecture -{ +enum ZT_Architecture { ZT_ARCHITECTURE_UNSPECIFIED = 0, ZT_ARCHITECTURE_X86 = 1, ZT_ARCHITECTURE_X64 = 2, @@ -937,14 +727,7 @@ enum ZT_Architecture ZT_ARCHITECTURE_MIPS32 = 5, ZT_ARCHITECTURE_MIPS64 = 6, ZT_ARCHITECTURE_POWER32 = 7, - ZT_ARCHITECTURE_POWER64 = 8, - ZT_ARCHITECTURE_OPENRISC32 = 9, - ZT_ARCHITECTURE_OPENRISC64 = 10, - ZT_ARCHITECTURE_SPARC32 = 11, - ZT_ARCHITECTURE_SPARC64 = 12, - ZT_ARCHITECTURE_DOTNET_CLR = 13, - ZT_ARCHITECTURE_JAVA_JVM = 14, - ZT_ARCHITECTURE_WEB = 15 + ZT_ARCHITECTURE_POWER64 = 8 }; /** @@ -982,11 +765,6 @@ typedef struct */ unsigned int mtu; - /** - * Recommended MTU to avoid fragmentation at the physical layer (hint) - */ - unsigned int physicalMtu; - /** * If nonzero, the network this port belongs to indicates DHCP availability * @@ -1010,15 +788,32 @@ typedef struct int broadcastEnabled; /** - * If the network is in PORT_ERROR state, this is the (negative) error code most recently reported + * If the network is in PORT_ERROR state, this is the error most recently returned by the port config callback */ int portError; /** - * Revision number as reported by controller or 0 if still waiting for config + * Is this network enabled? If not, all frames to/from are dropped. + */ + int enabled; + + /** + * Network config revision as reported by netconf master + * + * If this is zero, it means we're still waiting for our netconf. */ unsigned long netconfRevision; + /** + * Number of multicast group subscriptions + */ + unsigned int multicastSubscriptionCount; + + /** + * Multicast group subscriptions + */ + ZT_MulticastGroup multicastSubscriptions[ZT_MAX_NETWORK_MULTICAST_SUBSCRIPTIONS]; + /** * Number of assigned addresses */ @@ -1035,16 +830,6 @@ typedef struct * virtual network's configuration master. */ struct sockaddr_storage assignedAddresses[ZT_MAX_ZT_ASSIGNED_ADDRESSES]; - - /** - * Number of ZT-pushed routes - */ - unsigned int routeCount; - - /** - * Routes (excluding those implied by assigned addresses and their masks) - */ - ZT_VirtualNetworkRoute routes[ZT_MAX_NETWORK_ROUTES]; } ZT_VirtualNetworkConfig; /** @@ -1077,14 +862,9 @@ typedef struct uint64_t lastReceive; /** - * Is this a trusted path? If so this will be its nonzero ID. + * Is path active? */ - uint64_t trustedPathId; - - /** - * Is path expired? - */ - int expired; + int active; /** * Is path preferred? @@ -1246,13 +1026,18 @@ typedef struct { */ uint64_t timestamp; + /** + * Timestamp on remote device + */ + uint64_t remoteTimestamp; + /** * 64-bit packet ID of packet received by the reporting device */ uint64_t sourcePacketId; /** - * Flags + * Flags (currently unused, will be zero) */ uint64_t flags; @@ -1614,9 +1399,6 @@ typedef int (*ZT_PathCheckFunction)( * Note that this can take a few seconds the first time it's called, as it * will generate an identity. * - * TODO: should consolidate function pointers into versioned structure for - * better API stability. - * * @param node Result: pointer is set to new node instance on success * @param uptr User pointer to pass to functions/callbacks * @param now Current clock in milliseconds @@ -1707,15 +1489,6 @@ enum ZT_ResultCode ZT_Node_processVirtualNetworkFrame( */ enum ZT_ResultCode ZT_Node_processBackgroundTasks(ZT_Node *node,uint64_t now,volatile uint64_t *nextBackgroundTaskDeadline); -/** - * Set node's relay policy - * - * @param node Node instance - * @param rp New relay policy - * @return OK(0) or error code - */ -enum ZT_ResultCode ZT_Node_setRelayPolicy(ZT_Node *node,enum ZT_RelayPolicy rp); - /** * Join a network * @@ -2039,27 +1812,25 @@ void ZT_Node_clusterHandleIncomingMessage(ZT_Node *node,const void *msg,unsigned void ZT_Node_clusterStatus(ZT_Node *node,ZT_ClusterStatus *cs); /** - * Set trusted paths + * Do things in the background until Node dies * - * A trusted path is a physical network (network/bits) over which both - * encryption and authentication can be skipped to improve performance. - * Each trusted path must have a non-zero unique ID that is the same across - * all participating nodes. + * This function can be called from one or more background threads to process + * certain tasks in the background to improve foreground performance. It will + * not return until the Node is shut down. If threading is not enabled in + * this build it will return immediately and will do nothing. * - * We don't recommend using trusted paths at all unless you really *need* - * near-bare-metal performance. Even on a LAN authentication and encryption - * are never a bad thing, and anything that introduces an "escape hatch" - * for encryption should be treated with the utmost care. + * This is completely optional. If this is never called, all processing is + * done in the foreground in the various processXXXX() methods. * - * Calling with NULL pointers for networks and ids and a count of zero clears - * all trusted paths. + * This does NOT replace or eliminate the need to call the normal + * processBackgroundTasks() function in your main loop. This mechanism is + * used to offload the processing of expensive mssages onto background + * handler threads to prevent foreground performance degradation under + * high load. * * @param node Node instance - * @param networks Array of [count] networks - * @param ids Array of [count] corresponding non-zero path IDs (zero path IDs are ignored) - * @param count Number of trusted paths-- values greater than ZT_MAX_TRUSTED_PATHS are clipped */ -void ZT_Node_setTrustedPaths(ZT_Node *node,const struct sockaddr_storage *networks,const uint64_t *ids,unsigned int count); +void ZT_Node_backgroundThreadMain(ZT_Node *node); /** * Get ZeroTier One version diff --git a/zerotierone/java/jni/Android.mk b/zerotierone/java/jni/Android.mk index 6b5d4a4..5c2f1c7 100644 --- a/zerotierone/java/jni/Android.mk +++ b/zerotierone/java/jni/Android.mk @@ -11,14 +11,15 @@ LOCAL_LDLIBS := -llog # ZeroTierOne SDK source files LOCAL_SRC_FILES := \ $(ZT1)/ext/lz4/lz4.c \ + $(ZT1)/ext/json-parser/json.c \ $(ZT1)/ext/http-parser/http_parser.c \ $(ZT1)/node/C25519.cpp \ - $(ZT1)/node/Capability.cpp \ $(ZT1)/node/CertificateOfMembership.cpp \ + $(ZT1)/node/DeferredPackets.cpp \ + $(ZT1)/node/Dictionary.cpp \ $(ZT1)/node/Identity.cpp \ $(ZT1)/node/IncomingPacket.cpp \ $(ZT1)/node/InetAddress.cpp \ - $(ZT1)/node/Membership.cpp \ $(ZT1)/node/Multicaster.cpp \ $(ZT1)/node/Network.cpp \ $(ZT1)/node/NetworkConfig.cpp \ @@ -32,7 +33,6 @@ LOCAL_SRC_FILES := \ $(ZT1)/node/SelfAwareness.cpp \ $(ZT1)/node/SHA512.cpp \ $(ZT1)/node/Switch.cpp \ - $(ZT1)/node/Tag.cpp \ $(ZT1)/node/Topology.cpp \ $(ZT1)/node/Utils.cpp \ $(ZT1)/osdep/Http.cpp \ diff --git a/zerotierone/java/jni/Application.mk b/zerotierone/java/jni/Application.mk index 6950c0e..608e94c 100644 --- a/zerotierone/java/jni/Application.mk +++ b/zerotierone/java/jni/Application.mk @@ -1,5 +1,5 @@ -# NDK_TOOLCHAIN_VERSION := clang3.5 -APP_STL := gnustl_static -APP_CPPFLAGS := -O3 -fPIC -fPIE -Wall -fstack-protector -fexceptions -fno-strict-aliasing -Wno-deprecated-register -DZT_NO_TYPE_PUNNING=1 +NDK_TOOLCHAIN_VERSION := clang +APP_STL := c++_static +APP_CPPFLAGS := -O3 -fPIC -fPIE -fvectorize -Wall -fstack-protector -fexceptions -fno-strict-aliasing -Wno-deprecated-register -DZT_NO_TYPE_PUNNING=1 APP_PLATFORM := android-14 APP_ABI := all diff --git a/zerotierone/java/jni/ZT_jniutils.cpp b/zerotierone/java/jni/ZT_jniutils.cpp index 27ca737..ae1aa92 100644 --- a/zerotierone/java/jni/ZT_jniutils.cpp +++ b/zerotierone/java/jni/ZT_jniutils.cpp @@ -1,21 +1,3 @@ -/* - * ZeroTier One - Network Virtualization Everywhere - * Copyright (C) 2011-2016 ZeroTier, Inc. https://www.zerotier.com/ - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - #include "ZT_jniutils.h" #include "ZT_jnilookup.h" #include @@ -180,8 +162,8 @@ jobject createPeerRole(JNIEnv *env, ZT_PeerRole role) case ZT_PEER_ROLE_LEAF: fieldName = "PEER_ROLE_LEAF"; break; - case ZT_PEER_ROLE_UPSTREAM: - fieldName = "PEER_ROLE_UPSTREAM"; + case ZT_PEER_ROLE_RELAY: + fieldName = "PEER_ROLE_RELAY"; break; case ZT_PEER_ROLE_ROOT: fieldName = "PEER_ROLE_ROOTS"; @@ -331,20 +313,11 @@ jobject newInetSocketAddress(JNIEnv *env, const sockaddr_storage &addr) return NULL; } - jobject inetAddressObject = NULL; - - if(addr.ss_family != 0) - { - inetAddressObject = newInetAddress(env, addr); + jobject inetAddressObject = newInetAddress(env, addr); - if(env->ExceptionCheck() || inetAddressObject == NULL) - { - LOGE("Error creating new inet address"); - return NULL; - } - } - else + if(env->ExceptionCheck() || inetAddressObject == NULL) { + LOGE("Error creating new inet address"); return NULL; } @@ -377,9 +350,10 @@ jobject newInetSocketAddress(JNIEnv *env, const sockaddr_storage &addr) break; default: { + LOGE("ERROR: addr.ss_family is not set or unknown"); break; } - } + }; jobject inetSocketAddressObject = env->NewObject(inetSocketAddressClass, inetSocketAddress_constructor, inetAddressObject, port); @@ -389,6 +363,51 @@ jobject newInetSocketAddress(JNIEnv *env, const sockaddr_storage &addr) return inetSocketAddressObject; } +jobject newMulticastGroup(JNIEnv *env, const ZT_MulticastGroup &mc) +{ + jclass multicastGroupClass = NULL; + jmethodID multicastGroup_constructor = NULL; + + jfieldID macField = NULL; + jfieldID adiField = NULL; + + multicastGroupClass = lookup.findClass("com/zerotier/sdk/MulticastGroup"); + if(env->ExceptionCheck() || multicastGroupClass == NULL) + { + return NULL; + } + + multicastGroup_constructor = lookup.findMethod( + multicastGroupClass, "", "()V"); + if(env->ExceptionCheck() || multicastGroup_constructor == NULL) + { + return NULL; + } + + jobject multicastGroupObj = env->NewObject(multicastGroupClass, multicastGroup_constructor); + if(env->ExceptionCheck() || multicastGroupObj == NULL) + { + return NULL; + } + + macField = lookup.findField(multicastGroupClass, "mac", "J"); + if(env->ExceptionCheck() || macField == NULL) + { + return NULL; + } + + adiField = lookup.findField(multicastGroupClass, "adi", "J"); + if(env->ExceptionCheck() || adiField == NULL) + { + return NULL; + } + + env->SetLongField(multicastGroupObj, macField, mc.mac); + env->SetLongField(multicastGroupObj, adiField, mc.adi); + + return multicastGroupObj; +} + jobject newPeerPhysicalPath(JNIEnv *env, const ZT_PeerPhysicalPath &ppp) { LOGV("newPeerPhysicalPath Called"); @@ -397,6 +416,7 @@ jobject newPeerPhysicalPath(JNIEnv *env, const ZT_PeerPhysicalPath &ppp) jfieldID addressField = NULL; jfieldID lastSendField = NULL; jfieldID lastReceiveField = NULL; + jfieldID activeField = NULL; jfieldID preferredField = NULL; jmethodID ppp_constructor = NULL; @@ -429,6 +449,13 @@ jobject newPeerPhysicalPath(JNIEnv *env, const ZT_PeerPhysicalPath &ppp) return NULL; } + activeField = lookup.findField(pppClass, "active", "Z"); + if(env->ExceptionCheck() || activeField == NULL) + { + LOGE("Error finding active field"); + return NULL; + } + preferredField = lookup.findField(pppClass, "preferred", "Z"); if(env->ExceptionCheck() || preferredField == NULL) { @@ -459,6 +486,7 @@ jobject newPeerPhysicalPath(JNIEnv *env, const ZT_PeerPhysicalPath &ppp) env->SetObjectField(pppObject, addressField, addressObject); env->SetLongField(pppObject, lastSendField, ppp.lastSend); env->SetLongField(pppObject, lastReceiveField, ppp.lastReceive); + env->SetBooleanField(pppObject, activeField, ppp.active); env->SetBooleanField(pppObject, preferredField, ppp.preferred); if(env->ExceptionCheck()) { @@ -624,9 +652,10 @@ jobject newNetworkConfig(JNIEnv *env, const ZT_VirtualNetworkConfig &vnetConfig) jfieldID bridgeField = NULL; jfieldID broadcastEnabledField = NULL; jfieldID portErrorField = NULL; + jfieldID enabledField = NULL; jfieldID netconfRevisionField = NULL; + jfieldID multicastSubscriptionsField = NULL; jfieldID assignedAddressesField = NULL; - jfieldID routesField = NULL; vnetConfigClass = lookup.findClass("com/zerotier/sdk/VirtualNetworkConfig"); if(vnetConfigClass == NULL) @@ -720,6 +749,13 @@ jobject newNetworkConfig(JNIEnv *env, const ZT_VirtualNetworkConfig &vnetConfig) return NULL; } + enabledField = lookup.findField(vnetConfigClass, "enabled", "Z"); + if(env->ExceptionCheck() || enabledField == NULL) + { + LOGE("Error getting enabled field"); + return NULL; + } + netconfRevisionField = lookup.findField(vnetConfigClass, "netconfRevision", "J"); if(env->ExceptionCheck() || netconfRevisionField == NULL) { @@ -727,19 +763,17 @@ jobject newNetworkConfig(JNIEnv *env, const ZT_VirtualNetworkConfig &vnetConfig) return NULL; } - assignedAddressesField = lookup.findField(vnetConfigClass, "assignedAddresses", - "[Ljava/net/InetSocketAddress;"); - if(env->ExceptionCheck() || assignedAddressesField == NULL) + multicastSubscriptionsField = lookup.findField(vnetConfigClass, "multicastSubscriptions", "[Lcom/zerotier/sdk/MulticastGroup;"); + if(env->ExceptionCheck() || multicastSubscriptionsField == NULL) { - LOGE("Error getting assignedAddresses field"); + LOGE("Error getting multicastSubscriptions field"); return NULL; } - routesField = lookup.findField(vnetConfigClass, "routes", - "[Lcom/zerotier/sdk/VirtualNetworkRoute;"); - if(env->ExceptionCheck() || routesField == NULL) + assignedAddressesField = lookup.findField(vnetConfigClass, "assignedAddresses", "[Ljava/net/InetSocketAddress;"); + if(env->ExceptionCheck() || assignedAddressesField == NULL) { - LOGE("Error getting routes field"); + LOGE("Error getting assignedAddresses field"); return NULL; } @@ -770,8 +804,34 @@ jobject newNetworkConfig(JNIEnv *env, const ZT_VirtualNetworkConfig &vnetConfig) env->SetBooleanField(vnetConfigObj, dhcpField, vnetConfig.dhcp); env->SetBooleanField(vnetConfigObj, bridgeField, vnetConfig.bridge); env->SetBooleanField(vnetConfigObj, broadcastEnabledField, vnetConfig.broadcastEnabled); + env->SetBooleanField(vnetConfigObj, enabledField, vnetConfig.enabled); env->SetIntField(vnetConfigObj, portErrorField, vnetConfig.portError); + jclass multicastGroupClass = lookup.findClass("com/zerotier/sdk/MulticastGroup"); + if(env->ExceptionCheck() || multicastGroupClass == NULL) + { + LOGE("Error finding MulticastGroup class"); + return NULL; + } + + jobjectArray mcastSubsArrayObj = env->NewObjectArray( + vnetConfig.multicastSubscriptionCount, multicastGroupClass, NULL); + if(env->ExceptionCheck() || mcastSubsArrayObj == NULL) { + LOGE("Error creating MulticastGroup[] array"); + return NULL; + } + + for(unsigned int i = 0; i < vnetConfig.multicastSubscriptionCount; ++i) + { + jobject mcastObj = newMulticastGroup(env, vnetConfig.multicastSubscriptions[i]); + env->SetObjectArrayElement(mcastSubsArrayObj, i, mcastObj); + if(env->ExceptionCheck()) + { + LOGE("Error assigning MulticastGroup to array"); + } + } + env->SetObjectField(vnetConfigObj, multicastSubscriptionsField, mcastSubsArrayObj); + jclass inetSocketAddressClass = lookup.findClass("java/net/InetSocketAddress"); if(env->ExceptionCheck() || inetSocketAddressClass == NULL) { @@ -800,38 +860,10 @@ jobject newNetworkConfig(JNIEnv *env, const ZT_VirtualNetworkConfig &vnetConfig) env->SetObjectField(vnetConfigObj, assignedAddressesField, assignedAddrArrayObj); - jclass virtualNetworkRouteClass = lookup.findClass("com/zerotier/sdk/VirtualNetworkRoute"); - if(env->ExceptionCheck() || virtualNetworkRouteClass == NULL) - { - LOGE("Error finding VirtualNetworkRoute class"); - return NULL; - } - - jobjectArray routesArrayObj = env->NewObjectArray( - vnetConfig.routeCount, virtualNetworkRouteClass, NULL); - if(env->ExceptionCheck() || routesArrayObj == NULL) - { - LOGE("Error creating VirtualNetworkRoute[] array"); - return NULL; - } - - for(unsigned int i = 0; i < vnetConfig.routeCount; ++i) - { - jobject routeObj = newVirtualNetworkRoute(env, vnetConfig.routes[i]); - env->SetObjectArrayElement(routesArrayObj, i, routeObj); - if(env->ExceptionCheck()) - { - LOGE("Error assigning VirtualNetworkRoute to array"); - return NULL; - } - } - - env->SetObjectField(vnetConfigObj, routesField, routesArrayObj); - return vnetConfigObj; } -jobject newVersion(JNIEnv *env, int major, int minor, int rev) +jobject newVersion(JNIEnv *env, int major, int minor, int rev, long featureFlags) { // create a com.zerotier.sdk.Version object jclass versionClass = NULL; @@ -860,6 +892,7 @@ jobject newVersion(JNIEnv *env, int major, int minor, int rev) jfieldID majorField = NULL; jfieldID minorField = NULL; jfieldID revisionField = NULL; + jfieldID featureFlagsField = NULL; majorField = lookup.findField(versionClass, "major", "I"); if(env->ExceptionCheck() || majorField == NULL) @@ -879,79 +912,20 @@ jobject newVersion(JNIEnv *env, int major, int minor, int rev) return NULL; } + featureFlagsField = lookup.findField(versionClass, "featureFlags", "J"); + if(env->ExceptionCheck() || featureFlagsField == NULL) + { + return NULL; + } + env->SetIntField(versionObj, majorField, (jint)major); env->SetIntField(versionObj, minorField, (jint)minor); env->SetIntField(versionObj, revisionField, (jint)rev); + env->SetLongField(versionObj, featureFlagsField, (jlong)featureFlags); return versionObj; } -jobject newVirtualNetworkRoute(JNIEnv *env, const ZT_VirtualNetworkRoute &route) -{ - jclass virtualNetworkRouteClass = NULL; - jmethodID routeConstructor = NULL; - - virtualNetworkRouteClass = lookup.findClass("com/zerotier/sdk/VirtualNetworkRoute"); - if(env->ExceptionCheck() || virtualNetworkRouteClass == NULL) - { - return NULL; - } - - routeConstructor = lookup.findMethod(virtualNetworkRouteClass, "", "()V"); - if(env->ExceptionCheck() || routeConstructor == NULL) - { - return NULL; - } - - jobject routeObj = env->NewObject(virtualNetworkRouteClass, routeConstructor); - if(env->ExceptionCheck() || routeObj == NULL) - { - return NULL; - } - - jfieldID targetField = NULL; - jfieldID viaField = NULL; - jfieldID flagsField = NULL; - jfieldID metricField = NULL; - - targetField = lookup.findField(virtualNetworkRouteClass, "target", - "Ljava/net/InetSocketAddress;"); - if(env->ExceptionCheck() || targetField == NULL) - { - return NULL; - } - - viaField = lookup.findField(virtualNetworkRouteClass, "via", - "Ljava/net/InetSocketAddress;"); - if(env->ExceptionCheck() || targetField == NULL) - { - return NULL; - } - - flagsField = lookup.findField(virtualNetworkRouteClass, "flags", "I"); - if(env->ExceptionCheck() || flagsField == NULL) - { - return NULL; - } - - metricField = lookup.findField(virtualNetworkRouteClass, "metric", "I"); - if(env->ExceptionCheck() || metricField == NULL) - { - return NULL; - } - - jobject targetObj = newInetSocketAddress(env, route.target); - jobject viaObj = newInetSocketAddress(env, route.via); - - env->SetObjectField(routeObj, targetField, targetObj); - env->SetObjectField(routeObj, viaField, viaObj); - env->SetIntField(routeObj, flagsField, (jint)route.flags); - env->SetIntField(routeObj, metricField, (jint)route.metric); - - return routeObj; -} - #ifdef __cplusplus } -#endif - +#endif \ No newline at end of file diff --git a/zerotierone/java/jni/ZT_jniutils.h b/zerotierone/java/jni/ZT_jniutils.h index e35d4f4..b76a28c 100644 --- a/zerotierone/java/jni/ZT_jniutils.h +++ b/zerotierone/java/jni/ZT_jniutils.h @@ -1,21 +1,3 @@ -/* - * ZeroTier One - Network Virtualization Everywhere - * Copyright (C) 2011-2016 ZeroTier, Inc. https://www.zerotier.com/ - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - #ifndef ZT_jniutils_h_ #define ZT_jniutils_h_ #include @@ -58,9 +40,7 @@ jobject newPeerPhysicalPath(JNIEnv *env, const ZT_PeerPhysicalPath &ppp); jobject newNetworkConfig(JNIEnv *env, const ZT_VirtualNetworkConfig &config); -jobject newVersion(JNIEnv *env, int major, int minor, int rev); - -jobject newVirtualNetworkRoute(JNIEnv *env, const ZT_VirtualNetworkRoute &route); +jobject newVersion(JNIEnv *env, int major, int minor, int rev, long featureFlags); #ifdef __cplusplus } diff --git a/zerotierone/java/jni/com_zerotierone_sdk_Node.cpp b/zerotierone/java/jni/com_zerotierone_sdk_Node.cpp index 4d9a210..dbabf80 100644 --- a/zerotierone/java/jni/com_zerotierone_sdk_Node.cpp +++ b/zerotierone/java/jni/com_zerotierone_sdk_Node.cpp @@ -1234,10 +1234,11 @@ JNIEXPORT jobject JNICALL Java_com_zerotier_sdk_Node_version( int major = 0; int minor = 0; int revision = 0; + unsigned long featureFlags = 0; - ZT_version(&major, &minor, &revision); + ZT_version(&major, &minor, &revision, &featureFlags); - return newVersion(env, major, minor, revision); + return newVersion(env, major, minor, revision, featureFlags); } /* diff --git a/zerotierone/java/src/com/zerotier/sdk/PeerPhysicalPath.java b/zerotierone/java/src/com/zerotier/sdk/PeerPhysicalPath.java index 3f9a861..d64ea56 100644 --- a/zerotierone/java/src/com/zerotier/sdk/PeerPhysicalPath.java +++ b/zerotierone/java/src/com/zerotier/sdk/PeerPhysicalPath.java @@ -37,6 +37,7 @@ public final class PeerPhysicalPath { private long lastSend; private long lastReceive; private boolean fixed; + private boolean active; private boolean preferred; private PeerPhysicalPath() {} @@ -69,6 +70,13 @@ public final class PeerPhysicalPath { return fixed; } + /** + * Is path active? + */ + public final boolean isActive() { + return active; + } + /** * Is path preferred? */ diff --git a/zerotierone/java/src/com/zerotier/sdk/PeerRole.java b/zerotierone/java/src/com/zerotier/sdk/PeerRole.java index f281c1b..d7d55f0 100644 --- a/zerotierone/java/src/com/zerotier/sdk/PeerRole.java +++ b/zerotierone/java/src/com/zerotier/sdk/PeerRole.java @@ -34,9 +34,9 @@ public enum PeerRole { PEER_ROLE_LEAF, /** - * upstream node + * relay node */ - PEER_ROLE_UPSTREAM, + PEER_ROLE_RELAY, /** * root server diff --git a/zerotierone/java/src/com/zerotier/sdk/Version.java b/zerotierone/java/src/com/zerotier/sdk/Version.java index c93c259..d7fa0ce 100644 --- a/zerotierone/java/src/com/zerotier/sdk/Version.java +++ b/zerotierone/java/src/com/zerotier/sdk/Version.java @@ -33,4 +33,5 @@ public final class Version { public int major = 0; public int minor = 0; public int revision = 0; + public long featureFlags = 0; } \ No newline at end of file diff --git a/zerotierone/java/src/com/zerotier/sdk/VirtualNetworkConfig.java b/zerotierone/java/src/com/zerotier/sdk/VirtualNetworkConfig.java index 64512da..9816180 100644 --- a/zerotierone/java/src/com/zerotier/sdk/VirtualNetworkConfig.java +++ b/zerotierone/java/src/com/zerotier/sdk/VirtualNetworkConfig.java @@ -49,8 +49,8 @@ public final class VirtualNetworkConfig implements Comparable$(DESTDIR)/usr/share/man/man8/zerotier-one.8.gz - mkdir -p $(DESTDIR)/usr/share/man/man1 - rm -f $(DESTDIR)/usr/share/man/man1/zerotier-idtool.1.gz - rm -f $(DESTDIR)/usr/share/man/man1/zerotier-cli.1.gz - cat doc/zerotier-cli.1 | gzip -9 >$(DESTDIR)/usr/share/man/man1/zerotier-cli.1.gz - cat doc/zerotier-idtool.1 | gzip -9 >$(DESTDIR)/usr/share/man/man1/zerotier-idtool.1.gz - -# Uninstall preserves identity.public and identity.secret since the user might -# want to save these. These are your ZeroTier address. - -uninstall: FORCE - rm -f $(DESTDIR)/var/lib/zerotier-one/zerotier-one - rm -f $(DESTDIR)/var/lib/zerotier-one/zerotier-cli - rm -f $(DESTDIR)/var/lib/zerotier-one/zerotier-idtool - rm -f $(DESTDIR)/usr/sbin/zerotier-cli - rm -f $(DESTDIR)/usr/sbin/zerotier-idtool - rm -f $(DESTDIR)/usr/sbin/zerotier-one - rm -rf $(DESTDIR)/var/lib/zerotier-one/iddb.d - rm -rf $(DESTDIR)/var/lib/zerotier-one/updates.d - rm -rf $(DESTDIR)/var/lib/zerotier-one/networks.d - rm -f $(DESTDIR)/var/lib/zerotier-one/zerotier-one.port - rm -f $(DESTDIR)/usr/share/man/man8/zerotier-one.8.gz - rm -f $(DESTDIR)/usr/share/man/man1/zerotier-idtool.1.gz - rm -f $(DESTDIR)/usr/share/man/man1/zerotier-cli.1.gz - -# These are just for convenience for building Linux packages - -debian: distclean - debuild -I -i -us -uc - -redhat: distclean - rpmbuild -ba zerotier-one.spec +# Includes 'doc' target +include ${DOC_DIR}/module.mk FORCE: diff --git a/zerotierone/make-mac.mk b/zerotierone/make-mac.mk index ee90ae4..f14f340 100644 --- a/zerotierone/make-mac.mk +++ b/zerotierone/make-mac.mk @@ -11,7 +11,7 @@ LIBS= ARCH_FLAGS=-arch x86_64 include objects.mk -OBJS+=osdep/OSXEthernetTap.o ext/lz4/lz4.o ext/http-parser/http_parser.o +OBJS+=osdep/OSXEthernetTap.o # Disable codesign since open source users will not have ZeroTier's certs CODESIGN=echo @@ -19,7 +19,7 @@ PRODUCTSIGN=echo CODESIGN_APP_CERT= CODESIGN_INSTALLER_CERT= -# Build with libminiupnpc by default for Mac -- desktops/laptops almost always want this +# Build with libminiupnpc by default for Mac ZT_USE_MINIUPNPC?=1 # For internal use only -- signs everything with ZeroTier's developer cert @@ -32,6 +32,7 @@ ifeq ($(ZT_OFFICIAL_RELEASE),1) CODESIGN_INSTALLER_CERT="Developer ID Installer: ZeroTier Networks LLC (8ZD9JUCZ4V)" endif +# Build with ZT_ENABLE_CLUSTER=1 to build with cluster support ifeq ($(ZT_ENABLE_CLUSTER),1) DEFS+=-DZT_ENABLE_CLUSTER endif @@ -41,10 +42,17 @@ ifeq ($(ZT_AUTO_UPDATE),1) endif ifeq ($(ZT_USE_MINIUPNPC),1) - DEFS+=-DMACOSX -DZT_USE_MINIUPNPC -DMINIUPNP_STATICLIB -D_DARWIN_C_SOURCE -DMINIUPNPC_SET_SOCKET_TIMEOUT -DMINIUPNPC_GET_SRC_ADDR -D_BSD_SOURCE -D_DEFAULT_SOURCE -DOS_STRING=\"Darwin/15.0.0\" -DMINIUPNPC_VERSION_STRING=\"2.0\" -DUPNP_VERSION_STRING=\"UPnP/1.1\" -DENABLE_STRNATPMPERR + DEFS+=-DMACOSX -DZT_USE_MINIUPNPC -DMINIUPNP_STATICLIB -D_DARWIN_C_SOURCE -DMINIUPNPC_SET_SOCKET_TIMEOUT -DMINIUPNPC_GET_SRC_ADDR -D_BSD_SOURCE -D_DEFAULT_SOURCE -DOS_STRING=\"Darwin/15.0.0\" -DMINIUPNPC_VERSION_STRING=\"1.9\" -DUPNP_VERSION_STRING=\"UPnP/1.1\" -DENABLE_STRNATPMPERR OBJS+=ext/libnatpmp/natpmp.o ext/libnatpmp/getgateway.o ext/miniupnpc/connecthostport.o ext/miniupnpc/igd_desc_parse.o ext/miniupnpc/minisoap.o ext/miniupnpc/minissdpc.o ext/miniupnpc/miniupnpc.o ext/miniupnpc/miniwget.o ext/miniupnpc/minixml.o ext/miniupnpc/portlistingparse.o ext/miniupnpc/receivedata.o ext/miniupnpc/upnpcommands.o ext/miniupnpc/upnpdev.o ext/miniupnpc/upnperrors.o ext/miniupnpc/upnpreplyparse.o osdep/PortMapper.o endif +# Build with ZT_ENABLE_NETWORK_CONTROLLER=1 to build with the Sqlite network controller +ifeq ($(ZT_ENABLE_NETWORK_CONTROLLER),1) + DEFS+=-DZT_ENABLE_NETWORK_CONTROLLER + LIBS+=-L/usr/local/lib -lsqlite3 + OBJS+=controller/SqliteNetworkController.o +endif + # Debug mode -- dump trace output, build binary with -g ifeq ($(ZT_DEBUG),1) DEFS+=-DZT_TRACE @@ -54,12 +62,18 @@ ifeq ($(ZT_DEBUG),1) # C25519 in particular is almost UNUSABLE in heavy testing without it. ext/lz4/lz4.o node/Salsa20.o node/SHA512.o node/C25519.o node/Poly1305.o: CFLAGS = -Wall -O2 -g -pthread $(INCLUDES) $(DEFS) else - CFLAGS?=-Ofast -fstack-protector-strong + CFLAGS?=-Ofast -fstack-protector CFLAGS+=$(ARCH_FLAGS) -Wall -flto -fPIE -pthread -mmacosx-version-min=10.7 -DNDEBUG -Wno-unused-private-field $(INCLUDES) $(DEFS) STRIP=strip endif -CXXFLAGS=$(CFLAGS) -mmacosx-version-min=10.7 -std=c++11 -stdlib=libc++ +# Debug output for Network Containers +# Specific levels can be controlled in netcon/common.inc.c +ifeq ($(SDK_DEBUG),1) + DEFS+=-DSDK_DEBUG +endif + +CXXFLAGS=$(CFLAGS) -fno-rtti all: one @@ -71,9 +85,21 @@ one: $(OBJS) service/OneService.o one.o $(CODESIGN) -f -s $(CODESIGN_APP_CERT) zerotier-one $(CODESIGN) -vvv zerotier-one -cli: FORCE - $(CXX) $(CXXFLAGS) -o zerotier cli/zerotier.cpp osdep/OSUtils.cpp node/InetAddress.cpp node/Utils.cpp node/Salsa20.cpp node/Identity.cpp node/SHA512.cpp node/C25519.cpp -lcurl - $(STRIP) zerotier +netcon: $(OBJS) + rm -f *.o + # Need to selectively rebuild one.cpp and OneService.cpp with ZT_SERVICE_NETCON and ZT_ONE_NO_ROOT_CHECK defined, and also NetconEthernetTap + $(CXX) $(CXXFLAGS) $(LDFLAGS) -DZT_SDK -DZT_ONE_NO_ROOT_CHECK -Iext/lwip/src/include -Iext/lwip/src/include/ipv4 -Iext/lwip/src/include/ipv6 -o zerotier-netcon-service $(OBJS) service/OneService.cpp netcon/NetconEthernetTap.cpp netcon/NetconProxy.cpp one.cpp -x c netcon/NetconRPC.c $(LDLIBS) -ldl + # Build netcon/liblwip.so which must be placed in ZT home for zerotier-netcon-service to work + cd netcon ; make -f make-liblwip.mk + # Use gcc not clang to build standalone intercept library since gcc is typically used for libc and we want to ensure maximal ABI compatibility + #cd netcon ; gcc $(DEFS) -O2 -Wall -std=c99 -fPIC -fno-common -dynamiclib -flat_namespace -DVERBOSE -D_GNU_SOURCE -DNETCON_INTERCEPT -I. -nostdlib -shared -o libztapi.so zt_api.c common.c RPC.c -ldl + cd netcon ; gcc $(DEFS) -O2 -Wall -std=c99 -fPIC -fno-common -dynamiclib -flat_namespace -DVERBOSE -D_GNU_SOURCE -DNETCON_INTERCEPT -I. -nostdlib -shared -o libztintercept.so NetconSockets.c Intercept.c NetconDebug.c NetconRPC.c -ldl + #cd netcon ; gcc $(DEFS) -O2 -Wall -std=c99 -fPIC -fno-common -dynamiclib -flat_namespace -DVERBOSE -D_GNU_SOURCE -DNETCON_INTERCEPT -I. -nostdlib -shared -o libztkq.so zt_api.c kq.c Intercept.c common.c RPC.c -ldl + cp netcon/libztintercept.so libztintercept.so + #cp netcon/libztapi.so libztapi.so + #cp netcon/libztkq.so libztkq.so + ln -sf zerotier-netcon-service zerotier-cli + ln -sf zerotier-netcon-service zerotier-idtool selftest: $(OBJS) selftest.o $(CXX) $(CXXFLAGS) -o zerotier-selftest selftest.o $(OBJS) $(LIBS) @@ -86,17 +112,17 @@ mac-dist-pkg: FORCE $(PRODUCTSIGN) --sign $(CODESIGN_INSTALLER_CERT) "ZeroTier One.pkg" "ZeroTier One Signed.pkg" if [ -f "ZeroTier One Signed.pkg" ]; then mv -f "ZeroTier One Signed.pkg" "ZeroTier One.pkg"; fi -# For ZeroTier, Inc. to build official signed packages +# For internal use only official: FORCE - make clean - make ZT_OFFICIAL_RELEASE=1 -j 4 one + make ZT_OFFICIAL_RELEASE=1 clean + make -j 4 ZT_OFFICIAL_RELEASE=1 make ZT_OFFICIAL_RELEASE=1 mac-dist-pkg clean: - rm -rf *.dSYM build-* *.pkg *.dmg *.o node/*.o controller/*.o service/*.o osdep/*.o ext/http-parser/*.o ext/lz4/*.o ext/json-parser/*.o $(OBJS) zerotier-one zerotier-idtool zerotier-selftest zerotier-cli zerotier ZeroTierOneInstaller-* mkworld doc/node_modules - -distclean: clean - rm -rf doc/node_modules + # Remove junk generated by Android builds + rm -rf netcon/Android/*.o.d + rm -rf netcon/Netcon-Android/proj/app/build/intermediates + rm -rf netcon/*.o netcon/*.so *.dSYM build-* *.pkg *.dmg *.o node/*.o controller/*.o service/*.o osdep/*.o ext/http-parser/*.o ext/lz4/*.o ext/json-parser/*.o $(OBJS) netcon/zerotier-intercept zerotier-netcon-service ztproxy libztapi.so libztkq.so libztintercept.so zerotier-one zerotier-idtool zerotier-selftest zerotier-cli ZeroTierOneInstaller-* mkworld # For those building from source -- installs signed binary tap driver in system ZT home install-mac-tap: FORCE diff --git a/zerotierone/node/AtomicCounter.hpp b/zerotierone/node/AtomicCounter.hpp index a0f29ba..b499377 100644 --- a/zerotierone/node/AtomicCounter.hpp +++ b/zerotierone/node/AtomicCounter.hpp @@ -20,9 +20,11 @@ #define ZT_ATOMICCOUNTER_HPP #include "Constants.hpp" +#include "Mutex.hpp" #include "NonCopyable.hpp" -#ifndef __GNUC__ +#ifdef __WINDOWS__ +// will replace this whole class eventually once it's ubiquitous #include #endif @@ -34,34 +36,75 @@ namespace ZeroTier { class AtomicCounter : NonCopyable { public: + /** + * Initialize counter at zero + */ AtomicCounter() + throw() { _v = 0; } + inline operator int() const + throw() + { +#ifdef __GNUC__ + return __sync_or_and_fetch(const_cast (&_v),0); +#else +#ifdef __WINDOWS__ + return (int)_v; +#else + _l.lock(); + int v = _v; + _l.unlock(); + return v; +#endif +#endif + } + inline int operator++() + throw() { #ifdef __GNUC__ return __sync_add_and_fetch(&_v,1); #else +#ifdef __WINDOWS__ return ++_v; +#else + _l.lock(); + int v = ++_v; + _l.unlock(); + return v; +#endif #endif } inline int operator--() + throw() { #ifdef __GNUC__ return __sync_sub_and_fetch(&_v,1); #else +#ifdef __WINDOWS__ return --_v; +#else + _l.lock(); + int v = --_v; + _l.unlock(); + return v; +#endif #endif } private: -#ifdef __GNUC__ - int _v; -#else +#ifdef __WINDOWS__ std::atomic_int _v; +#else + int _v; +#ifndef __GNUC__ +#warning Neither __WINDOWS__ nor __GNUC__ so AtomicCounter using Mutex + Mutex _l; +#endif #endif }; diff --git a/zerotierone/node/CertificateOfMembership.cpp b/zerotierone/node/CertificateOfMembership.cpp index 43efcd2..55537fd 100644 --- a/zerotierone/node/CertificateOfMembership.cpp +++ b/zerotierone/node/CertificateOfMembership.cpp @@ -17,10 +17,6 @@ */ #include "CertificateOfMembership.hpp" -#include "RuntimeEnvironment.hpp" -#include "Topology.hpp" -#include "Switch.hpp" -#include "Network.hpp" namespace ZeroTier { @@ -156,9 +152,6 @@ bool CertificateOfMembership::agreesWith(const CertificateOfMembership &other) c unsigned int myidx = 0; unsigned int otheridx = 0; - if ((_qualifierCount == 0)||(other._qualifierCount == 0)) - return false; - while (myidx < _qualifierCount) { // Fail if we're at the end of other, since this means the field is // missing. @@ -189,7 +182,7 @@ bool CertificateOfMembership::agreesWith(const CertificateOfMembership &other) c bool CertificateOfMembership::sign(const Identity &with) { - uint64_t buf[ZT_NETWORK_COM_MAX_QUALIFIERS * 3]; + uint64_t *const buf = new uint64_t[_qualifierCount * 3]; unsigned int ptr = 0; for(unsigned int i=0;i<_qualifierCount;++i) { buf[ptr++] = Utils::hton(_qualifiers[i].id); @@ -200,32 +193,38 @@ bool CertificateOfMembership::sign(const Identity &with) try { _signature = with.sign(buf,ptr * sizeof(uint64_t)); _signedBy = with.address(); + delete [] buf; return true; } catch ( ... ) { _signedBy.zero(); + delete [] buf; return false; } } -int CertificateOfMembership::verify(const RuntimeEnvironment *RR) const +bool CertificateOfMembership::verify(const Identity &id) const { - if ((!_signedBy)||(_signedBy != Network::controllerFor(networkId()))||(_qualifierCount > ZT_NETWORK_COM_MAX_QUALIFIERS)) - return -1; + if (!_signedBy) + return false; + if (id.address() != _signedBy) + return false; - const Identity id(RR->topology->getIdentity(_signedBy)); - if (!id) { - RR->sw->requestWhois(_signedBy); - return 1; - } - - uint64_t buf[ZT_NETWORK_COM_MAX_QUALIFIERS * 3]; + uint64_t *const buf = new uint64_t[_qualifierCount * 3]; unsigned int ptr = 0; for(unsigned int i=0;i<_qualifierCount;++i) { buf[ptr++] = Utils::hton(_qualifiers[i].id); buf[ptr++] = Utils::hton(_qualifiers[i].value); buf[ptr++] = Utils::hton(_qualifiers[i].maxDelta); } - return (id.verify(buf,ptr * sizeof(uint64_t),_signature) ? 0 : -1); + + bool valid = false; + try { + valid = id.verify(buf,ptr * sizeof(uint64_t),_signature); + delete [] buf; + } catch ( ... ) { + delete [] buf; + } + return valid; } } // namespace ZeroTier diff --git a/zerotierone/node/CertificateOfMembership.hpp b/zerotierone/node/CertificateOfMembership.hpp index 2d7c2cb..43c8c0a 100644 --- a/zerotierone/node/CertificateOfMembership.hpp +++ b/zerotierone/node/CertificateOfMembership.hpp @@ -34,14 +34,22 @@ #include "Utils.hpp" /** - * Maximum number of qualifiers allowed in a COM (absolute max: 65535) + * Default window of time for certificate agreement + * + * Right now we use time for 'revision' so this is the maximum time divergence + * between two certs for them to agree. It comes out to five minutes, which + * gives a lot of margin for error if the controller hiccups or its clock + * drifts but causes de-authorized peers to fall off fast enough. */ -#define ZT_NETWORK_COM_MAX_QUALIFIERS 8 +#define ZT_NETWORK_COM_DEFAULT_REVISION_MAX_DELTA (ZT_NETWORK_AUTOCONF_DELAY * 5) + +/** + * Maximum number of qualifiers in a COM + */ +#define ZT_NETWORK_COM_MAX_QUALIFIERS 16 namespace ZeroTier { -class RuntimeEnvironment; - /** * Certificate of network membership * @@ -71,11 +79,22 @@ class RuntimeEnvironment; class CertificateOfMembership { public: + /** + * Certificate type codes, used in serialization + * + * Only one so far, and only one hopefully there shall be for quite some + * time. + */ + enum Type + { + COM_UINT64_ED25519 = 1 // tuples of unsigned 64's signed with Ed25519 + }; + /** * Reserved qualifier IDs * - * IDs below 1024 are reserved for use as standard IDs. Others are available - * for user-defined use. + * IDs below 65536 should be considered reserved for future global + * assignment here. * * Addition of new required fields requires that code in hasRequiredFields * be updated as well. @@ -83,27 +102,36 @@ public: enum ReservedId { /** - * Timestamp of certificate + * Revision number of certificate + * + * Certificates may differ in revision number by a designated max + * delta. Differences wider than this cause certificates not to agree. */ - COM_RESERVED_ID_TIMESTAMP = 0, + COM_RESERVED_ID_REVISION = 0, /** * Network ID for which certificate was issued + * + * maxDelta here is zero, since this must match. */ COM_RESERVED_ID_NETWORK_ID = 1, /** * ZeroTier address to whom certificate was issued + * + * maxDelta will be 0xffffffffffffffff here since it's permitted to differ + * from peers obviously. */ COM_RESERVED_ID_ISSUED_TO = 2 }; /** - * Create an empty certificate of membership + * Create an empty certificate */ - CertificateOfMembership() + CertificateOfMembership() : + _qualifierCount(0) { - memset(this,0,sizeof(CertificateOfMembership)); + memset(_signature.data,0,_signature.size()); } CertificateOfMembership(const CertificateOfMembership &c) @@ -114,16 +142,16 @@ public: /** * Create from required fields common to all networks * - * @param timestamp Timestamp of certificate + * @param revision Revision number of certificate * @param timestampMaxDelta Maximum variation between timestamps on this net * @param nwid Network ID * @param issuedTo Certificate recipient */ - CertificateOfMembership(uint64_t timestamp,uint64_t timestampMaxDelta,uint64_t nwid,const Address &issuedTo) + CertificateOfMembership(uint64_t revision,uint64_t revisionMaxDelta,uint64_t nwid,const Address &issuedTo) { - _qualifiers[0].id = COM_RESERVED_ID_TIMESTAMP; - _qualifiers[0].value = timestamp; - _qualifiers[0].maxDelta = timestampMaxDelta; + _qualifiers[0].id = COM_RESERVED_ID_REVISION; + _qualifiers[0].value = revision; + _qualifiers[0].maxDelta = revisionMaxDelta; _qualifiers[1].id = COM_RESERVED_ID_NETWORK_ID; _qualifiers[1].value = nwid; _qualifiers[1].maxDelta = 0; @@ -140,6 +168,22 @@ public: return *this; } +#ifdef ZT_SUPPORT_OLD_STYLE_NETCONF + /** + * Create from string-serialized data + * + * @param s String-serialized COM + */ + CertificateOfMembership(const char *s) { fromString(s); } + + /** + * Create from string-serialized data + * + * @param s String-serialized COM + */ + CertificateOfMembership(const std::string &s) { fromString(s.c_str()); } +#endif // ZT_SUPPORT_OLD_STYLE_NETCONF + /** * Create from binary-serialized COM in buffer * @@ -158,15 +202,45 @@ public: inline operator bool() const throw() { return (_qualifierCount != 0); } /** - * @return Timestamp for this cert and maximum delta for timestamp + * Check for presence of all required fields common to all networks + * + * @return True if all required fields are present */ - inline std::pair timestamp() const + inline bool hasRequiredFields() const + { + if (_qualifierCount < 3) + return false; + if (_qualifiers[0].id != COM_RESERVED_ID_REVISION) + return false; + if (_qualifiers[1].id != COM_RESERVED_ID_NETWORK_ID) + return false; + if (_qualifiers[2].id != COM_RESERVED_ID_ISSUED_TO) + return false; + return true; + } + + /** + * @return Maximum delta for mandatory revision field or 0 if field missing + */ + inline uint64_t revisionMaxDelta() const { for(unsigned int i=0;i<_qualifierCount;++i) { - if (_qualifiers[i].id == COM_RESERVED_ID_TIMESTAMP) - return std::pair(_qualifiers[i].value,_qualifiers[i].maxDelta); + if (_qualifiers[i].id == COM_RESERVED_ID_REVISION) + return _qualifiers[i].maxDelta; } - return std::pair(0ULL,0ULL); + return 0ULL; + } + + /** + * @return Revision number for this cert + */ + inline uint64_t revision() const + { + for(unsigned int i=0;i<_qualifierCount;++i) { + if (_qualifiers[i].id == COM_RESERVED_ID_REVISION) + return _qualifiers[i].value; + } + return 0ULL; } /** @@ -221,6 +295,7 @@ public: * @param s String to deserialize */ void fromString(const char *s); + inline void fromString(const std::string &s) { fromString(s.c_str()); } #endif // ZT_SUPPORT_OLD_STYLE_NETCONF /** @@ -247,12 +322,12 @@ public: bool sign(const Identity &with); /** - * Verify this COM and its signature + * Verify certificate against an identity * - * @param RR Runtime environment for looking up peers - * @return 0 == OK, 1 == waiting for WHOIS, -1 == BAD signature or credential + * @param id Identity to verify against + * @return True if certificate is signed by this identity and verification was successful */ - int verify(const RuntimeEnvironment *RR) const; + bool verify(const Identity &id) const; /** * @return True if signed @@ -267,7 +342,7 @@ public: template inline void serialize(Buffer &b) const { - b.append((uint8_t)1); + b.append((unsigned char)COM_UINT64_ED25519); b.append((uint16_t)_qualifierCount); for(unsigned int i=0;i<_qualifierCount;++i) { b.append(_qualifiers[i].id); @@ -287,8 +362,8 @@ public: _qualifierCount = 0; _signedBy.zero(); - if (b[p++] != 1) - throw std::invalid_argument("invalid object"); + if (b[p++] != COM_UINT64_ED25519) + throw std::invalid_argument("invalid type"); unsigned int numq = b.template at(p); p += sizeof(uint16_t); uint64_t lastId = 0; diff --git a/zerotierone/node/Cluster.cpp b/zerotierone/node/Cluster.cpp index 2a261e5..f590ad1 100644 --- a/zerotierone/node/Cluster.cpp +++ b/zerotierone/node/Cluster.cpp @@ -361,7 +361,7 @@ void Cluster::handleIncomingStateMessage(const void *msg,unsigned int len) case CLUSTER_MESSAGE_WANT_PEER: { const Address zeroTierAddress(dmsg.field(ptr,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); ptr += ZT_ADDRESS_LENGTH; SharedPtr peer(RR->topology->getPeerNoCache(zeroTierAddress)); - if ( (peer) && (peer->hasLocalClusterOptimalPath(RR->node->now())) ) { + if ( (peer) && (peer->hasClusterOptimalPath(RR->node->now())) ) { Buffer<1024> buf; peer->identity().serialize(buf); Mutex::Lock _l2(_members[fromMemberId].lock); @@ -455,7 +455,7 @@ void Cluster::handleIncomingStateMessage(const void *msg,unsigned int len) Mutex::Lock _l2(_members[fromMemberId].lock); _send(fromMemberId,CLUSTER_MESSAGE_PROXY_SEND,rendezvousForRemote.data(),rendezvousForRemote.size()); } - RR->sw->send(rendezvousForLocal,true); + RR->sw->send(rendezvousForLocal,true,0); } } } break; @@ -466,7 +466,7 @@ void Cluster::handleIncomingStateMessage(const void *msg,unsigned int len) const unsigned int len = dmsg.at(ptr); ptr += 2; Packet outp(rcpt,RR->identity.address(),verb); outp.append(dmsg.field(ptr,len),len); ptr += len; - RR->sw->send(outp,true); + RR->sw->send(outp,true,0); //TRACE("[%u] proxy send %s to %s length %u",(unsigned int)fromMemberId,Packet::verbString(verb),rcpt.toString().c_str(),len); } break; } @@ -719,9 +719,7 @@ bool Cluster::findBetterEndpoint(InetAddress &redirectTo,const Address &peerAddr std::vector best; const double currentDistance = _dist3d(_x,_y,_z,px,py,pz); double bestDistance = (offload ? 2147483648.0 : currentDistance); -#ifdef ZT_TRACE unsigned int bestMember = _id; -#endif { Mutex::Lock _l(_memberIds_m); for(std::vector::const_iterator mid(_memberIds.begin());mid!=_memberIds.end();++mid) { @@ -733,9 +731,7 @@ bool Cluster::findBetterEndpoint(InetAddress &redirectTo,const Address &peerAddr const double mdist = _dist3d(m.x,m.y,m.z,px,py,pz); if (mdist < bestDistance) { bestDistance = mdist; -#ifdef ZT_TRACE bestMember = *mid; -#endif best = m.zeroTierPhysicalEndpoints; } } diff --git a/zerotierone/node/Constants.hpp b/zerotierone/node/Constants.hpp index b7042d5..dc36b3a 100644 --- a/zerotierone/node/Constants.hpp +++ b/zerotierone/node/Constants.hpp @@ -179,16 +179,16 @@ */ #define ZT_PEER_SECRET_KEY_LENGTH 32 -/** - * Minimum delay between timer task checks to prevent thrashing - */ -#define ZT_CORE_TIMER_TASK_GRANULARITY 500 - /** * How often Topology::clean() and Network::clean() and similar are called, in ms */ #define ZT_HOUSEKEEPING_PERIOD 120000 +/** + * Overriding granularity for timer tasks to prevent CPU-intensive thrashing on every packet + */ +#define ZT_CORE_TIMER_TASK_GRANULARITY 500 + /** * How long to remember peer records in RAM if they haven't been used */ @@ -226,21 +226,11 @@ */ #define ZT_MULTICAST_LIKE_EXPIRE 600000 -/** - * Period for multicast LIKE announcements - */ -#define ZT_MULTICAST_ANNOUNCE_PERIOD 120000 - /** * Delay between explicit MULTICAST_GATHER requests for a given multicast channel */ #define ZT_MULTICAST_EXPLICIT_GATHER_DELAY (ZT_MULTICAST_LIKE_EXPIRE / 10) -/** - * Expiration for credentials presented for MULTICAST_LIKE or MULTICAST_GATHER (for non-network-members) - */ -#define ZT_MULTICAST_CREDENTIAL_EXPIRATON ZT_MULTICAST_LIKE_EXPIRE - /** * Timeout for outgoing multicasts * @@ -249,44 +239,30 @@ #define ZT_MULTICAST_TRANSMIT_TIMEOUT 5000 /** - * Delay between checks of peer pings, etc., and also related housekeeping tasks + * Default maximum number of peers to address with a single multicast (if unspecified in network config) */ -#define ZT_PING_CHECK_INVERVAL 5000 +#define ZT_MULTICAST_DEFAULT_LIMIT 32 /** - * How frequently to send heartbeats over in-use paths + * How frequently to send a zero-byte UDP keepalive packet + * + * There are NATs with timeouts as short as 20 seconds, so this turns out + * to be needed. */ -#define ZT_PATH_HEARTBEAT_PERIOD 10000 +#define ZT_NAT_KEEPALIVE_DELAY 19000 /** - * Paths are considered inactive if they have not received traffic in this long + * Delay between scans of the topology active peer DB for peers that need ping + * + * This is also how often pings will be retried to upstream peers (relays, roots) + * constantly until something is heard. */ -#define ZT_PATH_ALIVE_TIMEOUT 25000 +#define ZT_PING_CHECK_INVERVAL 9500 /** - * Minimum time between attempts to check dead paths to see if they can be re-awakened + * Delay between ordinary case pings of direct links */ -#define ZT_PATH_MIN_REACTIVATE_INTERVAL 2500 - -/** - * Do not accept HELLOs over a given path more often than this - */ -#define ZT_PATH_HELLO_RATE_LIMIT 1000 - -/** - * Delay between full-fledge pings of directly connected peers - */ -#define ZT_PEER_PING_PERIOD 60000 - -/** - * Paths are considered expired if they have not produced a real packet in this long - */ -#define ZT_PEER_PATH_EXPIRATION ((ZT_PEER_PING_PERIOD * 4) + 3000) - -/** - * How often to retry expired paths that we're still remembering - */ -#define ZT_PEER_EXPIRED_PATH_TRIAL_PERIOD (ZT_PEER_PING_PERIOD * 10) +#define ZT_PEER_DIRECT_PING_DELAY 60000 /** * Timeout for overall peer activity (measured from last receive) @@ -294,14 +270,19 @@ #define ZT_PEER_ACTIVITY_TIMEOUT 500000 /** - * General rate limit timeout for multiple packet types (HELLO, etc.) + * Timeout for path activity */ -#define ZT_PEER_GENERAL_INBOUND_RATE_LIMIT 500 +#define ZT_PATH_ACTIVITY_TIMEOUT ZT_PEER_ACTIVITY_TIMEOUT /** - * General limit for max RTT for requests over the network + * No answer timeout to trigger dead path detection */ -#define ZT_GENERAL_RTT_LIMIT 5000 +#define ZT_PEER_DEAD_PATH_DETECTION_NO_ANSWER_TIMEOUT 2000 + +/** + * Probation threshold after which a path becomes dead + */ +#define ZT_PEER_DEAD_PATH_DETECTION_MAX_PROBATION 3 /** * Delay between requests for updated network autoconf information @@ -320,6 +301,21 @@ */ #define ZT_MIN_UNITE_INTERVAL 30000 +/** + * Delay between initial direct NAT-t packet and more aggressive techniques + * + * This may also be a delay before sending the first packet if we determine + * that we should wait for the remote to initiate rendezvous first. + */ +#define ZT_NAT_T_TACTICAL_ESCALATION_DELAY 1000 + +/** + * How long (max) to remember network certificates of membership? + * + * This only applies to networks we don't belong to. + */ +#define ZT_PEER_NETWORK_COM_EXPIRATION 3600000 + /** * Sanity limit on maximum bridge routes * @@ -334,7 +330,7 @@ /** * If there is no known route, spam to up to this many active bridges */ -#define ZT_MAX_BRIDGE_SPAM 32 +#define ZT_MAX_BRIDGE_SPAM 16 /** * Interval between direct path pushes in milliseconds @@ -361,30 +357,23 @@ #define ZT_PUSH_DIRECT_PATHS_MAX_PER_SCOPE_AND_FAMILY 4 /** - * Time horizon for VERB_NETWORK_CREDENTIALS cutoff - */ -#define ZT_PEER_CREDENTIALS_CUTOFF_TIME 60000 - -/** - * Maximum number of VERB_NETWORK_CREDENTIALS within cutoff time - */ -#define ZT_PEER_CREDEITIALS_CUTOFF_LIMIT 15 - -/** - * General rate limit for other kinds of rate-limited packets (HELLO, credential request, etc.) both inbound and outbound - */ -#define ZT_PEER_GENERAL_RATE_LIMIT 1000 - -/** - * How long is a path or peer considered to have a trust relationship with us (for e.g. relay policy) since last trusted established packet? - */ -#define ZT_TRUST_EXPIRATION 600000 - -/** - * Enable support for older network configurations from older (pre-1.1.6) controllers + * Enable support for old Dictionary based network configs */ #define ZT_SUPPORT_OLD_STYLE_NETCONF 1 +/** + * A test pseudo-network-ID that can be joined + * + * Joining this network ID will result in a network with no IP addressing + * and default parameters. No network configuration master will be consulted + * and instead a static config will be used. This is used in built-in testnet + * scenarios and can also be used for external testing. + * + * This is an impossible real network ID since 0xff is a reserved address + * prefix. + */ +#define ZT_TEST_NETWORK_ID 0xffffffffffffffffULL + /** * Desired buffer size for UDP sockets (used in service and osdep but defined here) */ diff --git a/zerotierone/node/Dictionary.hpp b/zerotierone/node/Dictionary.hpp index 15ab9ce..d4cdd23 100644 --- a/zerotierone/node/Dictionary.hpp +++ b/zerotierone/node/Dictionary.hpp @@ -20,441 +20,261 @@ #define ZT_DICTIONARY_HPP #include "Constants.hpp" -#include "Utils.hpp" -#include "Buffer.hpp" -#include "Address.hpp" + +#ifdef ZT_SUPPORT_OLD_STYLE_NETCONF #include +#include +#include +#include +#include + +#include "Utils.hpp" + +// Three fields are added/updated by sign() +#define ZT_DICTIONARY_SIGNATURE "~!ed25519" +#define ZT_DICTIONARY_SIGNATURE_IDENTITY "~!sigid" +#define ZT_DICTIONARY_SIGNATURE_TIMESTAMP "~!sigts" + namespace ZeroTier { +class Identity; + /** - * A small (in code and data) packed key=value store + * Simple key/value dictionary with string serialization * - * This stores data in the form of a compact blob that is sort of human - * readable (depending on whether you put binary data in it) and is backward - * compatible with older versions. Binary data is escaped such that the - * serialized form of a Dictionary is always a valid null-terminated C string. + * The serialization format is a flat key=value with backslash escape. + * It does not support comments or other syntactic complexities. It is + * human-readable if the keys and values in the dictionary are also + * human-readable. Otherwise it might contain unprintable characters. * - * Keys are restricted: no binary data, no CR/LF, and no equals (=). If a key - * contains these characters it may not be retrievable. This is not checked. + * Keys beginning with "~!" are reserved for signature data fields. * - * Lookup is via linear search and will be slow with a lot of keys. It's - * designed for small things. - * - * There is code to test and fuzz this in selftest.cpp. Fuzzing a blob of - * pointer tricks like this is important after any modifications. - * - * This is used for network configurations and for saving some things on disk - * in the ZeroTier One service code. - * - * @tparam C Dictionary max capacity in bytes + * It's stored as a simple vector and can be linearly scanned or + * binary searched. Dictionaries are only used for very small things + * outside the core loop, so this is not a significant performance + * issue and it reduces memory use and code footprint. */ -template -class Dictionary +class Dictionary : public std::vector< std::pair > { public: - Dictionary() - { - _d[0] = (char)0; - } - - Dictionary(const char *s) - { - Utils::scopy(_d,sizeof(_d),s); - } - - Dictionary(const char *s,unsigned int len) - { - if (len > (C-1)) - len = C-1; - memcpy(_d,s,len); - _d[len] = (char)0; - } - - Dictionary(const Dictionary &d) - { - Utils::scopy(_d,sizeof(_d),d._d); - } - - inline Dictionary &operator=(const Dictionary &d) - { - Utils::scopy(_d,sizeof(_d),d._d); - return *this; - } + Dictionary() {} /** - * Load a dictionary from a C-string - * - * @param s Dictionary in string form - * @return False if 's' was longer than our capacity + * @param s String-serialized dictionary + * @param maxlen Maximum length of buffer */ - inline bool load(const char *s) - { - return Utils::scopy(_d,sizeof(_d),s); - } + Dictionary(const char *s,unsigned int maxlen) { fromString(s,maxlen); } /** - * Delete all entries + * @param s String-serialized dictionary */ - inline void clear() - { - _d[0] = (char)0; - } + Dictionary(const std::string &s) { fromString(s.c_str(),(unsigned int)s.length()); } + + iterator find(const std::string &key); + const_iterator find(const std::string &key) const; /** - * @return Size of dictionary in bytes not including terminating NULL - */ - inline unsigned int sizeBytes() const - { - for(unsigned int i=0;isecond; } /** - * Get the contents of a key into a buffer - * * @param key Key to get - * @param dest Destination buffer - * @return True if key was found (if false, dest will be empty) - * @tparam BC Buffer capacity (usually inferred) + * @param dfl Default boolean result if key not found or empty (default: false) + * @return Boolean value of key */ - template - inline bool get(const char *key,Buffer &dest) const + bool getBoolean(const std::string &key,bool dfl = false) const; + + /** + * @param key Key to get + * @param dfl Default value if not present (default: 0) + * @return Value converted to unsigned 64-bit int or 0 if not found + */ + inline uint64_t getUInt(const std::string &key,uint64_t dfl = 0) const { - const int r = this->get(key,const_cast(reinterpret_cast(dest.data())),BC); - if (r >= 0) { - dest.setSize((unsigned int)r); - return true; - } else { - dest.clear(); - return false; - } + const_iterator e(find(key)); + if (e == end()) + return dfl; + return Utils::strToU64(e->second.c_str()); } /** - * Get a boolean value - * - * @param key Key to look up - * @param dfl Default value if not found in dictionary - * @return Boolean value of key or 'dfl' if not found + * @param key Key to get + * @param dfl Default value if not present (default: 0) + * @return Value converted to unsigned 64-bit int or 0 if not found */ - bool getB(const char *key,bool dfl = false) const + inline uint64_t getHexUInt(const std::string &key,uint64_t dfl = 0) const { - char tmp[4]; - if (this->get(key,tmp,sizeof(tmp)) >= 0) - return ((*tmp == '1')||(*tmp == 't')||(*tmp == 'T')); - return dfl; + const_iterator e(find(key)); + if (e == end()) + return dfl; + return Utils::hexStrToU64(e->second.c_str()); } /** - * Get an unsigned int64 stored as hex in the dictionary - * - * @param key Key to look up - * @param dfl Default value or 0 if unspecified - * @return Decoded hex UInt value or 'dfl' if not found + * @param key Key to get + * @param dfl Default value if not present (default: 0) + * @return Value converted to signed 64-bit int or 0 if not found */ - inline uint64_t getUI(const char *key,uint64_t dfl = 0) const + inline int64_t getInt(const std::string &key,int64_t dfl = 0) const { - char tmp[128]; - if (this->get(key,tmp,sizeof(tmp)) >= 1) - return Utils::hexStrToU64(tmp); - return dfl; + const_iterator e(find(key)); + if (e == end()) + return dfl; + return Utils::strTo64(e->second.c_str()); + } + + std::string &operator[](const std::string &key); + + /** + * @param key Key to set + * @param value String value + */ + inline void set(const std::string &key,const char *value) + { + (*this)[key] = value; } /** - * Add a new key=value pair - * - * If the key is already present this will append another, but the first - * will always be returned by get(). This is not checked. If you want to - * ensure a key is not present use erase() first. - * - * Use the vlen parameter to add binary values. Nulls will be escaped. - * - * @param key Key -- nulls, CR/LF, and equals (=) are illegal characters - * @param value Value to set - * @param vlen Length of value in bytes or -1 to treat value[] as a C-string and look for terminating 0 - * @return True if there was enough room to add this key=value pair + * @param key Key to set + * @param value String value */ - inline bool add(const char *key,const char *value,int vlen = -1) + inline void set(const std::string &key,const std::string &value) { - for(unsigned int i=0;i 0) { - _d[j++] = '\n'; - if (j == C) { - _d[i] = (char)0; - return false; - } - } - - const char *p = key; - while (*p) { - _d[j++] = *(p++); - if (j == C) { - _d[i] = (char)0; - return false; - } - } - - _d[j++] = '='; - if (j == C) { - _d[i] = (char)0; - return false; - } - - p = value; - int k = 0; - while ( ((vlen < 0)&&(*p)) || (k < vlen) ) { - switch(*p) { - case 0: - case '\r': - case '\n': - case '\\': - case '=': - _d[j++] = '\\'; - if (j == C) { - _d[i] = (char)0; - return false; - } - switch(*p) { - case 0: _d[j++] = '0'; break; - case '\r': _d[j++] = 'r'; break; - case '\n': _d[j++] = 'n'; break; - case '\\': _d[j++] = '\\'; break; - case '=': _d[j++] = 'e'; break; - } - if (j == C) { - _d[i] = (char)0; - return false; - } - break; - default: - _d[j++] = *p; - if (j == C) { - _d[i] = (char)0; - return false; - } - break; - } - ++p; - ++k; - } - - _d[j] = (char)0; - - return true; - } - } - return false; + (*this)[key] = value; } /** - * Add a boolean as a '1' or a '0' + * @param key Key to set + * @param value Boolean value */ - inline bool add(const char *key,bool value) + inline void set(const std::string &key,bool value) { - return this->add(key,(value) ? "1" : "0",1); + (*this)[key] = ((value) ? "1" : "0"); } - /** - * Add a 64-bit integer (unsigned) as a hex value + /** + * @param key Key to set + * @param value Integer value */ - inline bool add(const char *key,uint64_t value) + inline void set(const std::string &key,uint64_t value) { - char tmp[32]; + char tmp[24]; + Utils::snprintf(tmp,sizeof(tmp),"%llu",(unsigned long long)value); + (*this)[key] = tmp; + } + + /** + * @param key Key to set + * @param value Integer value + */ + inline void set(const std::string &key,int64_t value) + { + char tmp[24]; + Utils::snprintf(tmp,sizeof(tmp),"%lld",(long long)value); + (*this)[key] = tmp; + } + + /** + * @param key Key to set + * @param value Integer value + */ + inline void setHex(const std::string &key,uint64_t value) + { + char tmp[24]; Utils::snprintf(tmp,sizeof(tmp),"%llx",(unsigned long long)value); - return this->add(key,tmp,-1); - } - - /** - * Add a 64-bit integer (unsigned) as a hex value - */ - inline bool add(const char *key,const Address &a) - { - char tmp[32]; - Utils::snprintf(tmp,sizeof(tmp),"%.10llx",(unsigned long long)a.toInt()); - return this->add(key,tmp,-1); - } - - /** - * Add a binary buffer's contents as a value - * - * @tparam BC Buffer capacity (usually inferred) - */ - template - inline bool add(const char *key,const Buffer &value) - { - return this->add(key,(const char *)value.data(),(int)value.size()); + (*this)[key] = tmp; } /** * @param key Key to check - * @return True if key is present + * @return True if dictionary contains key */ - inline bool contains(const char *key) const - { - char tmp[2]; - return (this->get(key,tmp,2) >= 0); - } + inline bool contains(const std::string &key) const { return (find(key) != end()); } /** - * Erase a key from this dictionary - * - * Use this before add() to ensure that a key is replaced if it might - * already be present. + * @return String-serialized dictionary + */ + std::string toString() const; + + /** + * Clear and initialize from a string * + * @param s String-serialized dictionary + * @param maxlen Maximum length of string buffer + */ + void fromString(const char *s,unsigned int maxlen); + inline void fromString(const std::string &s) { fromString(s.c_str(),(unsigned int)s.length()); } + void updateFromString(const char *s,unsigned int maxlen); + inline void update(const char *s,unsigned int maxlen) { updateFromString(s, maxlen); } + inline void update(const std::string &s) { updateFromString(s.c_str(),(unsigned int)s.length()); } + + /** + * @return True if this dictionary is cryptographically signed + */ + inline bool hasSignature() const { return (find(ZT_DICTIONARY_SIGNATURE) != end()); } + + /** + * @return Signing identity in string-serialized format or empty string if none + */ + inline std::string signingIdentity() const { return get(ZT_DICTIONARY_SIGNATURE_IDENTITY,std::string()); } + + /** + * @return Signature timestamp in milliseconds since epoch or 0 if none + */ + uint64_t signatureTimestamp() const; + + /** * @param key Key to erase - * @return True if key was found and erased */ - inline bool erase(const char *key) + void eraseKey(const std::string &key); + + /** + * Remove any signature from this dictionary + */ + inline void removeSignature() { - char d2[C]; - char *saveptr = (char *)0; - unsigned int d2ptr = 0; - bool found = false; - for(char *f=Utils::stok(_d,"\r\n",&saveptr);(f);f=Utils::stok((char *)0,"\r\n",&saveptr)) { - if (*f) { - const char *p = f; - const char *k = key; - while ((*k)&&(*p)) { - if (*k != *p) - break; - ++k; - ++p; - } - if (*k) { - p = f; - while (*p) - d2[d2ptr++] = *(p++); - d2[d2ptr++] = '\n'; - } else { - found = true; - } - } - } - d2[d2ptr++] = (char)0; - memcpy(_d,d2,d2ptr); - return found; + eraseKey(ZT_DICTIONARY_SIGNATURE); + eraseKey(ZT_DICTIONARY_SIGNATURE_IDENTITY); + eraseKey(ZT_DICTIONARY_SIGNATURE_TIMESTAMP); } /** - * @return Value of C template parameter + * Add or update signature fields with a signature of all other keys and values + * + * @param with Identity to sign with (must have secret key) + * @param now Current time + * @return True on success */ - inline unsigned int capacity() const { return C; } + bool sign(const Identity &id,uint64_t now); - inline const char *data() const { return _d; } - inline char *unsafeData() { return _d; } + /** + * Verify signature against an identity + * + * @param id Identity to verify against + * @return True if signature verification OK + */ + bool verify(const Identity &id) const; private: - char _d[C]; + void _mkSigBuf(std::string &buf) const; + static void _appendEsc(const char *data,unsigned int len,std::string &to); }; } // namespace ZeroTier +#endif // ZT_SUPPORT_OLD_STYLE_NETCONF + #endif diff --git a/zerotierone/node/Hashtable.hpp b/zerotierone/node/Hashtable.hpp index 66f2990..f06b223 100644 --- a/zerotierone/node/Hashtable.hpp +++ b/zerotierone/node/Hashtable.hpp @@ -103,9 +103,9 @@ public: friend class Hashtable::Iterator; /** - * @param bc Initial capacity in buckets (default: 64, must be nonzero) + * @param bc Initial capacity in buckets (default: 128, must be nonzero) */ - Hashtable(unsigned long bc = 64) : + Hashtable(unsigned long bc = 128) : _t(reinterpret_cast<_Bucket **>(::malloc(sizeof(_Bucket *) * bc))), _bc(bc), _s(0) @@ -362,7 +362,7 @@ private: template static inline unsigned long _hc(const O &obj) { - return (unsigned long)obj.hashCode(); + return obj.hashCode(); } static inline unsigned long _hc(const uint64_t i) { diff --git a/zerotierone/node/Identity.cpp b/zerotierone/node/Identity.cpp index c47805d..6f89a1e 100644 --- a/zerotierone/node/Identity.cpp +++ b/zerotierone/node/Identity.cpp @@ -133,7 +133,7 @@ std::string Identity::toString(bool includePrivate) const std::string r; r.append(_address.toString()); - r.append(":0:"); // 0 == ZT_OBJECT_TYPE_IDENTITY + r.append(":0:"); // 0 == IDENTITY_TYPE_C25519 r.append(Utils::hex(_publicKey.data,(unsigned int)_publicKey.size())); if ((_privateKey)&&(includePrivate)) { r.push_back(':'); diff --git a/zerotierone/node/Identity.hpp b/zerotierone/node/Identity.hpp index e452273..e19c498 100644 --- a/zerotierone/node/Identity.hpp +++ b/zerotierone/node/Identity.hpp @@ -46,6 +46,14 @@ namespace ZeroTier { class Identity { public: + /** + * Identity types + */ + enum Type + { + IDENTITY_TYPE_C25519 = 0 + }; + Identity() : _privateKey((C25519::Private *)0) { @@ -197,6 +205,11 @@ public: return false; } + /** + * @return Identity type + */ + inline Type type() const throw() { return IDENTITY_TYPE_C25519; } + /** * @return This identity's address */ @@ -213,7 +226,7 @@ public: inline void serialize(Buffer &b,bool includePrivate = false) const { _address.appendTo(b); - b.append((uint8_t)0); // C25519/Ed25519 identity type + b.append((unsigned char)IDENTITY_TYPE_C25519); b.append(_publicKey.data,(unsigned int)_publicKey.size()); if ((_privateKey)&&(includePrivate)) { b.append((unsigned char)_privateKey->size()); @@ -244,7 +257,7 @@ public: _address.setTo(b.field(p,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); p += ZT_ADDRESS_LENGTH; - if (b[p++] != 0) + if (b[p++] != IDENTITY_TYPE_C25519) throw std::invalid_argument("unsupported identity type"); memcpy(_publicKey.data,b.field(p,(unsigned int)_publicKey.size()),(unsigned int)_publicKey.size()); @@ -282,24 +295,6 @@ public: bool fromString(const char *str); inline bool fromString(const std::string &str) { return fromString(str.c_str()); } - /** - * @return C25519 public key - */ - inline const C25519::Public &publicKey() const { return _publicKey; } - - /** - * @return C25519 key pair (only returns valid pair if private key is present in this Identity object) - */ - inline const C25519::Pair privateKeyPair() const - { - C25519::Pair pair; - pair.pub = _publicKey; - if (_privateKey) - pair.priv = *_privateKey; - else memset(pair.priv.data,0,ZT_C25519_PRIVATE_KEY_LEN); - return pair; - } - /** * @return True if this identity contains something */ diff --git a/zerotierone/node/IncomingPacket.cpp b/zerotierone/node/IncomingPacket.cpp index e0fa3bf..9e0226b 100644 --- a/zerotierone/node/IncomingPacket.cpp +++ b/zerotierone/node/IncomingPacket.cpp @@ -36,79 +36,66 @@ #include "World.hpp" #include "Cluster.hpp" #include "Node.hpp" -#include "CertificateOfMembership.hpp" -#include "Capability.hpp" -#include "Tag.hpp" -#include "Revocation.hpp" +#include "DeferredPackets.hpp" namespace ZeroTier { -bool IncomingPacket::tryDecode(const RuntimeEnvironment *RR) +bool IncomingPacket::tryDecode(const RuntimeEnvironment *RR,bool deferred) { const Address sourceAddress(source()); - try { - // Check for trusted paths or unencrypted HELLOs (HELLO is the only packet sent in the clear) - const unsigned int c = cipher(); - bool trusted = false; - if (c == ZT_PROTO_CIPHER_SUITE__NO_CRYPTO_TRUSTED_PATH) { - // If this is marked as a packet via a trusted path, check source address and path ID. - // Obviously if no trusted paths are configured this always returns false and such - // packets are dropped on the floor. - if (RR->topology->shouldInboundPathBeTrusted(_path->address(),trustedPathId())) { - trusted = true; - TRACE("TRUSTED PATH packet approved from %s(%s), trusted path ID %llx",sourceAddress.toString().c_str(),_path->address().toString().c_str(),trustedPathId()); + if ((cipher() == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_NONE)&&(verb() == Packet::VERB_HELLO)) { + // Unencrypted HELLOs require some potentially expensive verification, so + // do this in the background if background processing is enabled. + if ((RR->dpEnabled > 0)&&(!deferred)) { + RR->dp->enqueue(this); + return true; // 'handled' via deferring to background thread(s) } else { - TRACE("dropped packet from %s(%s), cipher set to trusted path mode but path %llx@%s is not trusted!",sourceAddress.toString().c_str(),_path->address().toString().c_str(),trustedPathId(),_path->address().toString().c_str()); - return true; + // A null pointer for peer to _doHELLO() tells it to run its own + // special internal authentication logic. This is done for unencrypted + // HELLOs to learn new identities, etc. + SharedPtr tmp; + return _doHELLO(RR,tmp); } - } else if ((c == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_NONE)&&(verb() == Packet::VERB_HELLO)) { - // Only HELLO is allowed in the clear, but will still have a MAC - return _doHELLO(RR,false); } - const SharedPtr peer(RR->topology->getPeer(sourceAddress)); + SharedPtr peer(RR->topology->getPeer(sourceAddress)); if (peer) { - if (!trusted) { - if (!dearmor(peer->key())) { - TRACE("dropped packet from %s(%s), MAC authentication failed (size: %u)",sourceAddress.toString().c_str(),_path->address().toString().c_str(),size()); - return true; - } + if (!dearmor(peer->key())) { + TRACE("dropped packet from %s(%s), MAC authentication failed (size: %u)",peer->address().toString().c_str(),_remoteAddress.toString().c_str(),size()); + return true; } - if (!uncompress()) { - TRACE("dropped packet from %s(%s), compressed data invalid",sourceAddress.toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped packet from %s(%s), compressed data invalid",peer->address().toString().c_str(),_remoteAddress.toString().c_str()); return true; } const Packet::Verb v = verb(); - //TRACE("<< %s from %s(%s)",Packet::verbString(v),sourceAddress.toString().c_str(),_path->address().toString().c_str()); + //TRACE("<< %s from %s(%s)",Packet::verbString(v),sourceAddress.toString().c_str(),_remoteAddress.toString().c_str()); switch(v) { //case Packet::VERB_NOP: default: // ignore unknown verbs, but if they pass auth check they are "received" - peer->received(_path,hops(),packetId(),v,0,Packet::VERB_NOP,false); + peer->received(_localAddress,_remoteAddress,hops(),packetId(),v,0,Packet::VERB_NOP); return true; - case Packet::VERB_HELLO: return _doHELLO(RR,true); - case Packet::VERB_ERROR: return _doERROR(RR,peer); - case Packet::VERB_OK: return _doOK(RR,peer); - case Packet::VERB_WHOIS: return _doWHOIS(RR,peer); - case Packet::VERB_RENDEZVOUS: return _doRENDEZVOUS(RR,peer); - case Packet::VERB_FRAME: return _doFRAME(RR,peer); - case Packet::VERB_EXT_FRAME: return _doEXT_FRAME(RR,peer); - case Packet::VERB_ECHO: return _doECHO(RR,peer); - case Packet::VERB_MULTICAST_LIKE: return _doMULTICAST_LIKE(RR,peer); - case Packet::VERB_NETWORK_CREDENTIALS: return _doNETWORK_CREDENTIALS(RR,peer); - case Packet::VERB_NETWORK_CONFIG_REQUEST: return _doNETWORK_CONFIG_REQUEST(RR,peer); - case Packet::VERB_NETWORK_CONFIG: return _doNETWORK_CONFIG(RR,peer); - case Packet::VERB_MULTICAST_GATHER: return _doMULTICAST_GATHER(RR,peer); - case Packet::VERB_MULTICAST_FRAME: return _doMULTICAST_FRAME(RR,peer); - case Packet::VERB_PUSH_DIRECT_PATHS: return _doPUSH_DIRECT_PATHS(RR,peer); - case Packet::VERB_CIRCUIT_TEST: return _doCIRCUIT_TEST(RR,peer); - case Packet::VERB_CIRCUIT_TEST_REPORT: return _doCIRCUIT_TEST_REPORT(RR,peer); - case Packet::VERB_REQUEST_PROOF_OF_WORK: return _doREQUEST_PROOF_OF_WORK(RR,peer); - case Packet::VERB_USER_MESSAGE: - return true; + case Packet::VERB_HELLO: return _doHELLO(RR,peer); + case Packet::VERB_ERROR: return _doERROR(RR,peer); + case Packet::VERB_OK: return _doOK(RR,peer); + case Packet::VERB_WHOIS: return _doWHOIS(RR,peer); + case Packet::VERB_RENDEZVOUS: return _doRENDEZVOUS(RR,peer); + case Packet::VERB_FRAME: return _doFRAME(RR,peer); + case Packet::VERB_EXT_FRAME: return _doEXT_FRAME(RR,peer); + case Packet::VERB_ECHO: return _doECHO(RR,peer); + case Packet::VERB_MULTICAST_LIKE: return _doMULTICAST_LIKE(RR,peer); + case Packet::VERB_NETWORK_MEMBERSHIP_CERTIFICATE: return _doNETWORK_MEMBERSHIP_CERTIFICATE(RR,peer); + case Packet::VERB_NETWORK_CONFIG_REQUEST: return _doNETWORK_CONFIG_REQUEST(RR,peer); + case Packet::VERB_NETWORK_CONFIG_REFRESH: return _doNETWORK_CONFIG_REFRESH(RR,peer); + case Packet::VERB_MULTICAST_GATHER: return _doMULTICAST_GATHER(RR,peer); + case Packet::VERB_MULTICAST_FRAME: return _doMULTICAST_FRAME(RR,peer); + case Packet::VERB_PUSH_DIRECT_PATHS: return _doPUSH_DIRECT_PATHS(RR,peer); + case Packet::VERB_CIRCUIT_TEST: return _doCIRCUIT_TEST(RR,peer); + case Packet::VERB_CIRCUIT_TEST_REPORT: return _doCIRCUIT_TEST_REPORT(RR,peer); + case Packet::VERB_REQUEST_PROOF_OF_WORK: return _doREQUEST_PROOF_OF_WORK(RR,peer); } } else { RR->sw->requestWhois(sourceAddress); @@ -117,7 +104,7 @@ bool IncomingPacket::tryDecode(const RuntimeEnvironment *RR) } catch ( ... ) { // Exceptions are more informatively caught in _do...() handlers but // this outer try/catch will catch anything else odd. - TRACE("dropped ??? from %s(%s): unexpected exception in tryDecode()",sourceAddress.toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped ??? from %s(%s): unexpected exception in tryDecode()",sourceAddress.toString().c_str(),_remoteAddress.toString().c_str()); return true; } } @@ -129,83 +116,77 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,const SharedPtr const uint64_t inRePacketId = at(ZT_PROTO_VERB_ERROR_IDX_IN_RE_PACKET_ID); const Packet::ErrorCode errorCode = (Packet::ErrorCode)(*this)[ZT_PROTO_VERB_ERROR_IDX_ERROR_CODE]; - //TRACE("ERROR %s from %s(%s) in-re %s",Packet::errorString(errorCode),peer->address().toString().c_str(),_path->address().toString().c_str(),Packet::verbString(inReVerb)); - - /* Security note: we do not gate doERROR() with expectingReplyTo() to - * avoid having to log every outgoing packet ID. Instead we put the - * logic to determine whether we should consider an ERROR in each - * error handler. In most cases these are only trusted in specific - * circumstances. */ + //TRACE("ERROR %s from %s(%s) in-re %s",Packet::errorString(errorCode),peer->address().toString().c_str(),_remoteAddress.toString().c_str(),Packet::verbString(inReVerb)); switch(errorCode) { case Packet::ERROR_OBJ_NOT_FOUND: - // Object not found, currently only meaningful from network controllers. if (inReVerb == Packet::VERB_NETWORK_CONFIG_REQUEST) { - const SharedPtr network(RR->node->network(at(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD))); + SharedPtr network(RR->node->network(at(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD))); if ((network)&&(network->controller() == peer->address())) network->setNotFound(); } break; case Packet::ERROR_UNSUPPORTED_OPERATION: - // This can be sent in response to any operation, though right now we only - // consider it meaningful from network controllers. This would indicate - // that the queried node does not support acting as a controller. if (inReVerb == Packet::VERB_NETWORK_CONFIG_REQUEST) { - const SharedPtr network(RR->node->network(at(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD))); + SharedPtr network(RR->node->network(at(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD))); if ((network)&&(network->controller() == peer->address())) network->setNotFound(); } break; case Packet::ERROR_IDENTITY_COLLISION: - // FIXME: for federation this will need a payload with a signature or something. if (RR->topology->isRoot(peer->identity())) RR->node->postEvent(ZT_EVENT_FATAL_ERROR_IDENTITY_COLLISION); break; case Packet::ERROR_NEED_MEMBERSHIP_CERTIFICATE: { - // Peers can send this in response to frames if they do not have a recent enough COM from us - const SharedPtr network(RR->node->network(at(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD))); - const uint64_t now = RR->node->now(); - if ( (network) && (network->config().com) && (peer->rateGateIncomingComRequest(now)) ) - network->pushCredentialsNow(peer->address(),now); + /* Note: certificates are public so it's safe to push them to anyone + * who asks. We won't communicate unless we also get a certificate + * from the remote that agrees. */ + SharedPtr network(RR->node->network(at(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD))); + if ((network)&&(network->hasConfig())&&(network->config().com)) { + Packet outp(peer->address(),RR->identity.address(),Packet::VERB_NETWORK_MEMBERSHIP_CERTIFICATE); + network->config().com.serialize(outp); + outp.armor(peer->key(),true); + RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); + } } break; case Packet::ERROR_NETWORK_ACCESS_DENIED_: { - // Network controller: network access denied. - const SharedPtr network(RR->node->network(at(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD))); + SharedPtr network(RR->node->network(at(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD))); if ((network)&&(network->controller() == peer->address())) network->setAccessDenied(); } break; case Packet::ERROR_UNWANTED_MULTICAST: { - // Members of networks can use this error to indicate that they no longer - // want to receive multicasts on a given channel. - const SharedPtr network(RR->node->network(at(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD))); - if ((network)&&(network->gate(peer))) { - const MulticastGroup mg(MAC(field(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD + 8,6),6),at(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD + 14)); - TRACE("%.16llx: peer %s unsubscrubed from multicast group %s",network->id(),peer->address().toString().c_str(),mg.toString().c_str()); - RR->mc->remove(network->id(),mg,peer->address()); - } + uint64_t nwid = at(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD); + MulticastGroup mg(MAC(field(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD + 8,6),6),at(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD + 14)); + TRACE("%.16llx: peer %s unsubscrubed from multicast group %s",nwid,peer->address().toString().c_str(),mg.toString().c_str()); + RR->mc->remove(nwid,mg,peer->address()); } break; default: break; } - peer->received(_path,hops(),packetId(),Packet::VERB_ERROR,inRePacketId,inReVerb,false); + peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_ERROR,inRePacketId,inReVerb); } catch ( ... ) { - TRACE("dropped ERROR from %s(%s): unexpected exception",peer->address().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped ERROR from %s(%s): unexpected exception",peer->address().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } -bool IncomingPacket::_doHELLO(const RuntimeEnvironment *RR,const bool alreadyAuthenticated) +bool IncomingPacket::_doHELLO(const RuntimeEnvironment *RR,SharedPtr &peer) { - try { - const uint64_t now = RR->node->now(); + /* Note: this is the only packet ever sent in the clear, and it's also + * the only packet that we authenticate via a different path. Authentication + * occurs here and is based on the validity of the identity and the + * integrity of the packet's MAC, but it must be done after we check + * the identity since HELLO is a mechanism for learning new identities + * in the first place. */ + try { const uint64_t pid = packetId(); const Address fromAddress(source()); const unsigned int protoVersion = (*this)[ZT_PROTO_VERB_HELLO_IDX_PROTOCOL_VERSION]; @@ -220,49 +201,46 @@ bool IncomingPacket::_doHELLO(const RuntimeEnvironment *RR,const bool alreadyAut uint64_t worldTimestamp = 0; { unsigned int ptr = ZT_PROTO_VERB_HELLO_IDX_IDENTITY + id.deserialize(*this,ZT_PROTO_VERB_HELLO_IDX_IDENTITY); - - // Get external surface address if present (was not in old versions) - if (ptr < size()) + if (ptr < size()) // ZeroTier One < 1.0.3 did not include physical destination address info ptr += externalSurfaceAddress.deserialize(*this,ptr); - - // Get world ID and world timestamp if present (was not in old versions) - if ((ptr + 16) <= size()) { + if ((ptr + 16) <= size()) { // older versions also did not include World IDs or timestamps worldId = at(ptr); ptr += 8; worldTimestamp = at(ptr); } } - if (fromAddress != id.address()) { - TRACE("dropped HELLO from %s(%s): identity not for sending address",fromAddress.toString().c_str(),_path->address().toString().c_str()); + if (protoVersion < ZT_PROTO_VERSION_MIN) { + TRACE("dropped HELLO from %s(%s): protocol version too old",id.address().toString().c_str(),_remoteAddress.toString().c_str()); return true; } - if (protoVersion < ZT_PROTO_VERSION_MIN) { - TRACE("dropped HELLO from %s(%s): protocol version too old",id.address().toString().c_str(),_path->address().toString().c_str()); + if (fromAddress != id.address()) { + TRACE("dropped HELLO from %s(%s): identity not for sending address",fromAddress.toString().c_str(),_remoteAddress.toString().c_str()); return true; } - SharedPtr peer(RR->topology->getPeer(id.address())); - if (peer) { - // We already have an identity with this address -- check for collisions - if (!alreadyAuthenticated) { + if (!peer) { // peer == NULL is the normal case here + peer = RR->topology->getPeer(id.address()); + if (peer) { + // We already have an identity with this address -- check for collisions + if (peer->identity() != id) { // Identity is different from the one we already have -- address collision - uint8_t key[ZT_PEER_SECRET_KEY_LENGTH]; + unsigned char key[ZT_PEER_SECRET_KEY_LENGTH]; if (RR->identity.agree(id,key,ZT_PEER_SECRET_KEY_LENGTH)) { if (dearmor(key)) { // ensure packet is authentic, otherwise drop - TRACE("rejected HELLO from %s(%s): address already claimed",id.address().toString().c_str(),_path->address().toString().c_str()); + TRACE("rejected HELLO from %s(%s): address already claimed",id.address().toString().c_str(),_remoteAddress.toString().c_str()); Packet outp(id.address(),RR->identity.address(),Packet::VERB_ERROR); - outp.append((uint8_t)Packet::VERB_HELLO); + outp.append((unsigned char)Packet::VERB_HELLO); outp.append((uint64_t)pid); - outp.append((uint8_t)Packet::ERROR_IDENTITY_COLLISION); + outp.append((unsigned char)Packet::ERROR_IDENTITY_COLLISION); outp.armor(key,true); - _path->send(RR,outp.data(),outp.size(),RR->node->now()); + RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } else { - TRACE("rejected HELLO from %s(%s): packet failed authentication",id.address().toString().c_str(),_path->address().toString().c_str()); + TRACE("rejected HELLO from %s(%s): packet failed authentication",id.address().toString().c_str(),_remoteAddress.toString().c_str()); } } else { - TRACE("rejected HELLO from %s(%s): key agreement failed",id.address().toString().c_str(),_path->address().toString().c_str()); + TRACE("rejected HELLO from %s(%s): key agreement failed",id.address().toString().c_str(),_remoteAddress.toString().c_str()); } return true; @@ -270,45 +248,37 @@ bool IncomingPacket::_doHELLO(const RuntimeEnvironment *RR,const bool alreadyAut // Identity is the same as the one we already have -- check packet integrity if (!dearmor(peer->key())) { - TRACE("rejected HELLO from %s(%s): packet failed authentication",id.address().toString().c_str(),_path->address().toString().c_str()); + TRACE("rejected HELLO from %s(%s): packet failed authentication",id.address().toString().c_str(),_remoteAddress.toString().c_str()); return true; } // Continue at // VALID } - } // else continue at // VALID - } else { - // We don't already have an identity with this address -- validate and learn it + } else { + // We don't already have an identity with this address -- validate and learn it - // Sanity check: this basically can't happen - if (alreadyAuthenticated) { - TRACE("dropped HELLO from %s(%s): somehow already authenticated with unknown peer?",id.address().toString().c_str(),_path->address().toString().c_str()); - return true; + // Check identity proof of work + if (!id.locallyValidate()) { + TRACE("dropped HELLO from %s(%s): identity invalid",id.address().toString().c_str(),_remoteAddress.toString().c_str()); + return true; + } + + // Check packet integrity and authentication + SharedPtr newPeer(new Peer(RR,RR->identity,id)); + if (!dearmor(newPeer->key())) { + TRACE("rejected HELLO from %s(%s): packet failed authentication",id.address().toString().c_str(),_remoteAddress.toString().c_str()); + return true; + } + peer = RR->topology->addPeer(newPeer); + + // Continue at // VALID } - // Check that identity's address is valid as per the derivation function - if (!id.locallyValidate()) { - TRACE("dropped HELLO from %s(%s): identity invalid",id.address().toString().c_str(),_path->address().toString().c_str()); - return true; - } - - // Check packet integrity and authentication - SharedPtr newPeer(new Peer(RR,RR->identity,id)); - if (!dearmor(newPeer->key())) { - TRACE("rejected HELLO from %s(%s): packet failed authentication",id.address().toString().c_str(),_path->address().toString().c_str()); - return true; - } - peer = RR->topology->addPeer(newPeer); - - // Continue at // VALID + // VALID -- if we made it here, packet passed identity and authenticity checks! } - // VALID -- if we made it here, packet passed identity and authenticity checks! - - // Learn our external surface address from other peers to help us negotiate symmetric NATs - // and detect changes to our global IP that can trigger path renegotiation. - if ((externalSurfaceAddress)&&(hops() == 0)) - RR->sa->iam(id.address(),_path->localAddress(),_path->address(),externalSurfaceAddress,RR->topology->isUpstream(id),now); + if (externalSurfaceAddress) + RR->sa->iam(id.address(),_localAddress,_remoteAddress,externalSurfaceAddress,RR->topology->isRoot(id),RR->node->now()); Packet outp(id.address(),RR->identity.address(),Packet::VERB_OK); outp.append((unsigned char)Packet::VERB_HELLO); @@ -319,7 +289,7 @@ bool IncomingPacket::_doHELLO(const RuntimeEnvironment *RR,const bool alreadyAut outp.append((unsigned char)ZEROTIER_ONE_VERSION_MINOR); outp.append((uint16_t)ZEROTIER_ONE_VERSION_REVISION); if (protoVersion >= 5) { - _path->address().serialize(outp); + _remoteAddress.serialize(outp); } else { /* LEGACY COMPATIBILITY HACK: * @@ -344,7 +314,7 @@ bool IncomingPacket::_doHELLO(const RuntimeEnvironment *RR,const bool alreadyAut * nulling out the port field. Since this info is only used for empirical * detection of link changes, it doesn't break anything else. */ - InetAddress tmpa(_path->address()); + InetAddress tmpa(_remoteAddress); tmpa.setPort(0); tmpa.serialize(outp); } @@ -360,12 +330,12 @@ bool IncomingPacket::_doHELLO(const RuntimeEnvironment *RR,const bool alreadyAut } outp.armor(peer->key(),true); - _path->send(RR,outp.data(),outp.size(),now); + RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); peer->setRemoteVersion(protoVersion,vMajor,vMinor,vRevision); // important for this to go first so received() knows the version - peer->received(_path,hops(),pid,Packet::VERB_HELLO,0,Packet::VERB_NOP,false); + peer->received(_localAddress,_remoteAddress,hops(),pid,Packet::VERB_HELLO,0,Packet::VERB_NOP); } catch ( ... ) { - TRACE("dropped HELLO from %s(%s): unexpected exception",source().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped HELLO from %s(%s): unexpected exception",source().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } @@ -376,12 +346,7 @@ bool IncomingPacket::_doOK(const RuntimeEnvironment *RR,const SharedPtr &p const Packet::Verb inReVerb = (Packet::Verb)(*this)[ZT_PROTO_VERB_OK_IDX_IN_RE_VERB]; const uint64_t inRePacketId = at(ZT_PROTO_VERB_OK_IDX_IN_RE_PACKET_ID); - if (!RR->node->expectingReplyTo(inRePacketId)) { - TRACE("%s(%s): OK(%s) DROPPED: not expecting reply to %.16llx",peer->address().toString().c_str(),_path->address().toString().c_str(),Packet::verbString(inReVerb),packetId()); - return true; - } - - //TRACE("%s(%s): OK(%s)",peer->address().toString().c_str(),_path->address().toString().c_str(),Packet::verbString(inReVerb)); + //TRACE("%s(%s): OK(%s)",source().toString().c_str(),_remoteAddress.toString().c_str(),Packet::verbString(inReVerb)); switch(inReVerb) { @@ -393,19 +358,17 @@ bool IncomingPacket::_doOK(const RuntimeEnvironment *RR,const SharedPtr &p const unsigned int vRevision = at(ZT_PROTO_VERB_HELLO__OK__IDX_REVISION); if (vProto < ZT_PROTO_VERSION_MIN) { - TRACE("%s(%s): OK(HELLO) dropped, protocol version too old",source().toString().c_str(),_path->address().toString().c_str()); + TRACE("%s(%s): OK(HELLO) dropped, protocol version too old",source().toString().c_str(),_remoteAddress.toString().c_str()); return true; } + const bool trusted = RR->topology->isRoot(peer->identity()); + InetAddress externalSurfaceAddress; unsigned int ptr = ZT_PROTO_VERB_HELLO__OK__IDX_REVISION + 2; - - // Get reported external surface address if present (was not on old versions) - if (ptr < size()) + if (ptr < size()) // ZeroTier One < 1.0.3 did not include this field ptr += externalSurfaceAddress.deserialize(*this,ptr); - - // Handle world updates from root servers if present (was not on old versions) - if (((ptr + 2) <= size())&&(RR->topology->isRoot(peer->identity()))) { + if ((trusted)&&((ptr + 2) <= size())) { // older versions also did not include this field, and right now we only use if from a root World worldUpdate; const unsigned int worldLen = at(ptr); ptr += 2; if (worldLen > 0) { @@ -415,37 +378,46 @@ bool IncomingPacket::_doOK(const RuntimeEnvironment *RR,const SharedPtr &p } } - TRACE("%s(%s): OK(HELLO), version %u.%u.%u, latency %u, reported external address %s",source().toString().c_str(),_path->address().toString().c_str(),vMajor,vMinor,vRevision,latency,((externalSurfaceAddress) ? externalSurfaceAddress.toString().c_str() : "(none)")); + TRACE("%s(%s): OK(HELLO), version %u.%u.%u, latency %u, reported external address %s",source().toString().c_str(),_remoteAddress.toString().c_str(),vMajor,vMinor,vRevision,latency,((externalSurfaceAddress) ? externalSurfaceAddress.toString().c_str() : "(none)")); peer->addDirectLatencyMeasurment(latency); peer->setRemoteVersion(vProto,vMajor,vMinor,vRevision); - if ((externalSurfaceAddress)&&(hops() == 0)) - RR->sa->iam(peer->address(),_path->localAddress(),_path->address(),externalSurfaceAddress,RR->topology->isUpstream(peer->identity()),RR->node->now()); + if (externalSurfaceAddress) + RR->sa->iam(peer->address(),_localAddress,_remoteAddress,externalSurfaceAddress,trusted,RR->node->now()); } break; - case Packet::VERB_WHOIS: - if (RR->topology->isUpstream(peer->identity())) { + case Packet::VERB_WHOIS: { + if (RR->topology->isRoot(peer->identity())) { const Identity id(*this,ZT_PROTO_VERB_WHOIS__OK__IDX_IDENTITY); - RR->sw->doAnythingWaitingForPeer(RR->topology->addPeer(SharedPtr(new Peer(RR,RR->identity,id)))); + // Right now we can skip this since OK(WHOIS) is only accepted from + // roots. In the future it should be done if we query less trusted + // sources. + //if (id.locallyValidate()) + RR->sw->doAnythingWaitingForPeer(RR->topology->addPeer(SharedPtr(new Peer(RR,RR->identity,id)))); } - break; + } break; case Packet::VERB_NETWORK_CONFIG_REQUEST: { - const SharedPtr network(RR->node->network(at(ZT_PROTO_VERB_OK_IDX_PAYLOAD))); - if (network) - network->handleConfigChunk(*this,ZT_PROTO_VERB_OK_IDX_PAYLOAD); + const SharedPtr nw(RR->node->network(at(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST__OK__IDX_NETWORK_ID))); + if ((nw)&&(nw->controller() == peer->address())) { + const unsigned int nclen = at(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST__OK__IDX_DICT_LEN); + if (nclen) { + nw->setConfiguration(field(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST__OK__IDX_DICT,nclen),nclen,true); + TRACE("got network configuration for network %.16llx from %s",(unsigned long long)nw->id(),source().toString().c_str()); + } + } } break; + //case Packet::VERB_ECHO: { + //} break; + case Packet::VERB_MULTICAST_GATHER: { const uint64_t nwid = at(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_NETWORK_ID); - const SharedPtr network(RR->node->network(nwid)); - if (network) { - const MulticastGroup mg(MAC(field(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_MAC,6),6),at(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_ADI)); - //TRACE("%s(%s): OK(MULTICAST_GATHER) %.16llx/%s length %u",source().toString().c_str(),_path->address().toString().c_str(),nwid,mg.toString().c_str(),size()); - const unsigned int count = at(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_GATHER_RESULTS + 4); - RR->mc->addMultiple(RR->node->now(),nwid,mg,field(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_GATHER_RESULTS + 6,count * 5),count,at(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_GATHER_RESULTS)); - } + const MulticastGroup mg(MAC(field(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_MAC,6),6),at(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_ADI)); + TRACE("%s(%s): OK(MULTICAST_GATHER) %.16llx/%s length %u",source().toString().c_str(),_remoteAddress.toString().c_str(),nwid,mg.toString().c_str(),size()); + const unsigned int count = at(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_GATHER_RESULTS + 4); + RR->mc->addMultiple(RR->node->now(),nwid,mg,field(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_GATHER_RESULTS + 6,count * 5),count,at(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_GATHER_RESULTS)); } break; case Packet::VERB_MULTICAST_FRAME: { @@ -453,35 +425,32 @@ bool IncomingPacket::_doOK(const RuntimeEnvironment *RR,const SharedPtr &p const uint64_t nwid = at(ZT_PROTO_VERB_MULTICAST_FRAME__OK__IDX_NETWORK_ID); const MulticastGroup mg(MAC(field(ZT_PROTO_VERB_MULTICAST_FRAME__OK__IDX_MAC,6),6),at(ZT_PROTO_VERB_MULTICAST_FRAME__OK__IDX_ADI)); - //TRACE("%s(%s): OK(MULTICAST_FRAME) %.16llx/%s flags %.2x",peer->address().toString().c_str(),_path->address().toString().c_str(),nwid,mg.toString().c_str(),flags); + //TRACE("%s(%s): OK(MULTICAST_FRAME) %.16llx/%s flags %.2x",peer->address().toString().c_str(),_remoteAddress.toString().c_str(),nwid,mg.toString().c_str(),flags); - const SharedPtr network(RR->node->network(nwid)); - if (network) { - unsigned int offset = 0; + unsigned int offset = 0; - if ((flags & 0x01) != 0) { // deprecated but still used by older peers - CertificateOfMembership com; - offset += com.deserialize(*this,ZT_PROTO_VERB_MULTICAST_FRAME__OK__IDX_COM_AND_GATHER_RESULTS); - if (com) - network->addCredential(com); - } + if ((flags & 0x01) != 0) { + // OK(MULTICAST_FRAME) includes certificate of membership update + CertificateOfMembership com; + offset += com.deserialize(*this,ZT_PROTO_VERB_MULTICAST_FRAME__OK__IDX_COM_AND_GATHER_RESULTS); + peer->validateAndSetNetworkMembershipCertificate(nwid,com); + } - if ((flags & 0x02) != 0) { - // OK(MULTICAST_FRAME) includes implicit gather results - offset += ZT_PROTO_VERB_MULTICAST_FRAME__OK__IDX_COM_AND_GATHER_RESULTS; - unsigned int totalKnown = at(offset); offset += 4; - unsigned int count = at(offset); offset += 2; - RR->mc->addMultiple(RR->node->now(),nwid,mg,field(offset,count * 5),count,totalKnown); - } + if ((flags & 0x02) != 0) { + // OK(MULTICAST_FRAME) includes implicit gather results + offset += ZT_PROTO_VERB_MULTICAST_FRAME__OK__IDX_COM_AND_GATHER_RESULTS; + unsigned int totalKnown = at(offset); offset += 4; + unsigned int count = at(offset); offset += 2; + RR->mc->addMultiple(RR->node->now(),nwid,mg,field(offset,count * 5),count,totalKnown); } } break; default: break; } - peer->received(_path,hops(),packetId(),Packet::VERB_OK,inRePacketId,inReVerb,false); + peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_OK,inRePacketId,inReVerb); } catch ( ... ) { - TRACE("dropped OK from %s(%s): unexpected exception",source().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped OK from %s(%s): unexpected exception",source().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } @@ -489,48 +458,27 @@ bool IncomingPacket::_doOK(const RuntimeEnvironment *RR,const SharedPtr &p bool IncomingPacket::_doWHOIS(const RuntimeEnvironment *RR,const SharedPtr &peer) { try { - if (!peer->rateGateInboundWhoisRequest(RR->node->now())) { - TRACE("dropped WHOIS from %s(%s): rate limit circuit breaker tripped",source().toString().c_str(),_path->address().toString().c_str()); - return true; - } - - Packet outp(peer->address(),RR->identity.address(),Packet::VERB_OK); - outp.append((unsigned char)Packet::VERB_WHOIS); - outp.append(packetId()); - - unsigned int count = 0; - unsigned int ptr = ZT_PACKET_IDX_PAYLOAD; - while ((ptr + ZT_ADDRESS_LENGTH) <= size()) { - const Address addr(field(ptr,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); - ptr += ZT_ADDRESS_LENGTH; - - const Identity id(RR->topology->getIdentity(addr)); - if (id) { - id.serialize(outp,false); - ++count; + if (payloadLength() == ZT_ADDRESS_LENGTH) { + Identity queried(RR->topology->getIdentity(Address(payload(),ZT_ADDRESS_LENGTH))); + if (queried) { + Packet outp(peer->address(),RR->identity.address(),Packet::VERB_OK); + outp.append((unsigned char)Packet::VERB_WHOIS); + outp.append(packetId()); + queried.serialize(outp,false); + outp.armor(peer->key(),true); + RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } else { - // If I am not the root and don't know this identity, ask upstream. Downstream - // peer may re-request in the future and if so we will be able to provide it. - if (!RR->topology->amRoot()) - RR->sw->requestWhois(addr); - #ifdef ZT_ENABLE_CLUSTER - // Distribute WHOIS queries across a cluster if we do not know the ID. - // This may result in duplicate OKs to the querying peer, which is fine. if (RR->cluster) RR->cluster->sendDistributedQuery(*this); #endif } + } else { + TRACE("dropped WHOIS from %s(%s): missing or invalid address",source().toString().c_str(),_remoteAddress.toString().c_str()); } - - if (count > 0) { - outp.armor(peer->key(),true); - _path->send(RR,outp.data(),outp.size(),RR->node->now()); - } - - peer->received(_path,hops(),packetId(),Packet::VERB_WHOIS,0,Packet::VERB_NOP,false); + peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_WHOIS,0,Packet::VERB_NOP); } catch ( ... ) { - TRACE("dropped WHOIS from %s(%s): unexpected exception",source().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped WHOIS from %s(%s): unexpected exception",source().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } @@ -538,33 +486,31 @@ bool IncomingPacket::_doWHOIS(const RuntimeEnvironment *RR,const SharedPtr bool IncomingPacket::_doRENDEZVOUS(const RuntimeEnvironment *RR,const SharedPtr &peer) { try { - if (!RR->topology->isUpstream(peer->identity())) { - TRACE("RENDEZVOUS from %s ignored since source is not upstream",peer->address().toString().c_str()); - } else { + if (RR->topology->isUpstream(peer->identity())) { const Address with(field(ZT_PROTO_VERB_RENDEZVOUS_IDX_ZTADDRESS,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); - const SharedPtr rendezvousWith(RR->topology->getPeer(with)); - if (rendezvousWith) { + const SharedPtr withPeer(RR->topology->getPeer(with)); + if (withPeer) { const unsigned int port = at(ZT_PROTO_VERB_RENDEZVOUS_IDX_PORT); const unsigned int addrlen = (*this)[ZT_PROTO_VERB_RENDEZVOUS_IDX_ADDRLEN]; if ((port > 0)&&((addrlen == 4)||(addrlen == 16))) { - const InetAddress atAddr(field(ZT_PROTO_VERB_RENDEZVOUS_IDX_ADDRESS,addrlen),addrlen,port); - if (RR->node->shouldUsePathForZeroTierTraffic(_path->localAddress(),atAddr)) { - RR->node->putPacket(_path->localAddress(),atAddr,"ABRE",4,2); // send low-TTL junk packet to 'open' local NAT(s) and stateful firewalls - rendezvousWith->attemptToContactAt(_path->localAddress(),atAddr,RR->node->now()); - TRACE("RENDEZVOUS from %s says %s might be at %s, sent verification attempt",peer->address().toString().c_str(),with.toString().c_str(),atAddr.toString().c_str()); - } else { - TRACE("RENDEZVOUS from %s says %s might be at %s, ignoring since path is not suitable",peer->address().toString().c_str(),with.toString().c_str(),atAddr.toString().c_str()); - } + peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_RENDEZVOUS,0,Packet::VERB_NOP); + + InetAddress atAddr(field(ZT_PROTO_VERB_RENDEZVOUS_IDX_ADDRESS,addrlen),addrlen,port); + TRACE("RENDEZVOUS from %s says %s might be at %s, starting NAT-t",peer->address().toString().c_str(),with.toString().c_str(),atAddr.toString().c_str()); + if (RR->node->shouldUsePathForZeroTierTraffic(_localAddress,atAddr)) + RR->sw->rendezvous(withPeer,_localAddress,atAddr); } else { - TRACE("dropped corrupt RENDEZVOUS from %s(%s) (bad address or port)",peer->address().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped corrupt RENDEZVOUS from %s(%s) (bad address or port)",peer->address().toString().c_str(),_remoteAddress.toString().c_str()); } } else { - TRACE("ignored RENDEZVOUS from %s(%s) to meet unknown peer %s",peer->address().toString().c_str(),_path->address().toString().c_str(),with.toString().c_str()); + RR->sw->requestWhois(with); + TRACE("ignored RENDEZVOUS from %s(%s) to meet unknown peer %s",peer->address().toString().c_str(),_remoteAddress.toString().c_str(),with.toString().c_str()); } + } else { + TRACE("ignored RENDEZVOUS from %s(%s): not a root server or a network relay",peer->address().toString().c_str(),_remoteAddress.toString().c_str()); } - peer->received(_path,hops(),packetId(),Packet::VERB_RENDEZVOUS,0,Packet::VERB_NOP,false); } catch ( ... ) { - TRACE("dropped RENDEZVOUS from %s(%s): unexpected exception",peer->address().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped RENDEZVOUS from %s(%s): unexpected exception",peer->address().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } @@ -572,31 +518,31 @@ bool IncomingPacket::_doRENDEZVOUS(const RuntimeEnvironment *RR,const SharedPtr< bool IncomingPacket::_doFRAME(const RuntimeEnvironment *RR,const SharedPtr &peer) { try { - const uint64_t nwid = at(ZT_PROTO_VERB_FRAME_IDX_NETWORK_ID); - const SharedPtr network(RR->node->network(nwid)); - bool trustEstablished = false; + const SharedPtr network(RR->node->network(at(ZT_PROTO_VERB_FRAME_IDX_NETWORK_ID))); if (network) { - if (network->gate(peer)) { - trustEstablished = true; - if (size() > ZT_PROTO_VERB_FRAME_IDX_PAYLOAD) { - const unsigned int etherType = at(ZT_PROTO_VERB_FRAME_IDX_ETHERTYPE); - const MAC sourceMac(peer->address(),nwid); - const unsigned int frameLen = size() - ZT_PROTO_VERB_FRAME_IDX_PAYLOAD; - const uint8_t *const frameData = reinterpret_cast(data()) + ZT_PROTO_VERB_FRAME_IDX_PAYLOAD; - if (network->filterIncomingPacket(peer,RR->identity.address(),sourceMac,network->mac(),frameData,frameLen,etherType,0) > 0) - RR->node->putFrame(nwid,network->userPtr(),sourceMac,network->mac(),etherType,0,(const void *)frameData,frameLen); + if (size() > ZT_PROTO_VERB_FRAME_IDX_PAYLOAD) { + if (!network->isAllowed(peer)) { + TRACE("dropped FRAME from %s(%s): not a member of private network %.16llx",peer->address().toString().c_str(),_remoteAddress.toString().c_str(),(unsigned long long)network->id()); + _sendErrorNeedCertificate(RR,peer,network->id()); + return true; } - } else { - TRACE("dropped FRAME from %s(%s): not a member of private network %.16llx",peer->address().toString().c_str(),_path->address().toString().c_str(),(unsigned long long)network->id()); - _sendErrorNeedCredentials(RR,peer,nwid); + + const unsigned int etherType = at(ZT_PROTO_VERB_FRAME_IDX_ETHERTYPE); + if (!network->config().permitsEtherType(etherType)) { + TRACE("dropped FRAME from %s(%s): ethertype %.4x not allowed on %.16llx",peer->address().toString().c_str(),_remoteAddress.toString().c_str(),(unsigned int)etherType,(unsigned long long)network->id()); + return true; + } + + const unsigned int payloadLen = size() - ZT_PROTO_VERB_FRAME_IDX_PAYLOAD; + RR->node->putFrame(network->id(),network->userPtr(),MAC(peer->address(),network->id()),network->mac(),etherType,0,field(ZT_PROTO_VERB_FRAME_IDX_PAYLOAD,payloadLen),payloadLen); } + + peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_FRAME,0,Packet::VERB_NOP); } else { - TRACE("dropped FRAME from %s(%s): we are not a member of network %.16llx",source().toString().c_str(),_path->address().toString().c_str(),at(ZT_PROTO_VERB_FRAME_IDX_NETWORK_ID)); - _sendErrorNeedCredentials(RR,peer,nwid); + TRACE("dropped FRAME from %s(%s): we are not connected to network %.16llx",source().toString().c_str(),_remoteAddress.toString().c_str(),at(ZT_PROTO_VERB_FRAME_IDX_NETWORK_ID)); } - peer->received(_path,hops(),packetId(),Packet::VERB_FRAME,0,Packet::VERB_NOP,trustEstablished); } catch ( ... ) { - TRACE("dropped FRAME from %s(%s): unexpected exception",source().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped FRAME from %s(%s): unexpected exception",source().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } @@ -604,86 +550,70 @@ bool IncomingPacket::_doFRAME(const RuntimeEnvironment *RR,const SharedPtr bool IncomingPacket::_doEXT_FRAME(const RuntimeEnvironment *RR,const SharedPtr &peer) { try { - const uint64_t nwid = at(ZT_PROTO_VERB_EXT_FRAME_IDX_NETWORK_ID); - const SharedPtr network(RR->node->network(nwid)); + SharedPtr network(RR->node->network(at(ZT_PROTO_VERB_EXT_FRAME_IDX_NETWORK_ID))); if (network) { - const unsigned int flags = (*this)[ZT_PROTO_VERB_EXT_FRAME_IDX_FLAGS]; - - unsigned int comLen = 0; - if ((flags & 0x01) != 0) { // inline COM with EXT_FRAME is deprecated but still used with old peers - CertificateOfMembership com; - comLen = com.deserialize(*this,ZT_PROTO_VERB_EXT_FRAME_IDX_COM); - if (com) - network->addCredential(com); - } - - if (!network->gate(peer)) { - TRACE("dropped EXT_FRAME from %s(%s): not a member of private network %.16llx",peer->address().toString().c_str(),_path->address().toString().c_str(),network->id()); - _sendErrorNeedCredentials(RR,peer,nwid); - peer->received(_path,hops(),packetId(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP,false); - return true; - } - if (size() > ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD) { - const unsigned int etherType = at(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_ETHERTYPE); - const MAC to(field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_TO,ZT_PROTO_VERB_EXT_FRAME_LEN_TO),ZT_PROTO_VERB_EXT_FRAME_LEN_TO); - const MAC from(field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_FROM,ZT_PROTO_VERB_EXT_FRAME_LEN_FROM),ZT_PROTO_VERB_EXT_FRAME_LEN_FROM); - const unsigned int frameLen = size() - (comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD); - const uint8_t *const frameData = (const uint8_t *)field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD,frameLen); + const unsigned int flags = (*this)[ZT_PROTO_VERB_EXT_FRAME_IDX_FLAGS]; - if ((!from)||(from.isMulticast())||(from == network->mac())) { - TRACE("dropped EXT_FRAME from %s@%s(%s) to %s: invalid source MAC %s",from.toString().c_str(),peer->address().toString().c_str(),_path->address().toString().c_str(),to.toString().c_str(),from.toString().c_str()); - peer->received(_path,hops(),packetId(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP,true); // trustEstablished because COM is okay + unsigned int comLen = 0; + if ((flags & 0x01) != 0) { + CertificateOfMembership com; + comLen = com.deserialize(*this,ZT_PROTO_VERB_EXT_FRAME_IDX_COM); + peer->validateAndSetNetworkMembershipCertificate(network->id(),com); + } + + if (!network->isAllowed(peer)) { + TRACE("dropped EXT_FRAME from %s(%s): not a member of private network %.16llx",peer->address().toString().c_str(),_remoteAddress.toString().c_str(),network->id()); + _sendErrorNeedCertificate(RR,peer,network->id()); return true; } - switch (network->filterIncomingPacket(peer,RR->identity.address(),from,to,frameData,frameLen,etherType,0)) { - case 1: - if (from != MAC(peer->address(),nwid)) { - if (network->config().permitsBridging(peer->address())) { - network->learnBridgeRoute(from,peer->address()); - } else { - TRACE("dropped EXT_FRAME from %s@%s(%s) to %s: sender not allowed to bridge into %.16llx",from.toString().c_str(),peer->address().toString().c_str(),_path->address().toString().c_str(),to.toString().c_str(),network->id()); - peer->received(_path,hops(),packetId(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP,true); // trustEstablished because COM is okay - return true; - } - } else if (to != network->mac()) { - if (to.isMulticast()) { - if (network->config().multicastLimit == 0) { - TRACE("dropped EXT_FRAME from %s@%s(%s) to %s: network %.16llx does not allow multicast",from.toString().c_str(),peer->address().toString().c_str(),_path->address().toString().c_str(),to.toString().c_str(),network->id()); - peer->received(_path,hops(),packetId(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP,true); // trustEstablished because COM is okay - return true; - } - } else if (!network->config().permitsBridging(RR->identity.address())) { - TRACE("dropped EXT_FRAME from %s@%s(%s) to %s: I cannot bridge to %.16llx or bridging disabled on network",from.toString().c_str(),peer->address().toString().c_str(),_path->address().toString().c_str(),to.toString().c_str(),network->id()); - peer->received(_path,hops(),packetId(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP,true); // trustEstablished because COM is okay - return true; - } - } - // fall through -- 2 means accept regardless of bridging checks or other restrictions - case 2: - RR->node->putFrame(nwid,network->userPtr(),from,to,etherType,0,(const void *)frameData,frameLen); - break; + // Everything after flags must be adjusted based on the length + // of the certificate, if there was one... + + const unsigned int etherType = at(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_ETHERTYPE); + if (!network->config().permitsEtherType(etherType)) { + TRACE("dropped EXT_FRAME from %s(%s): ethertype %.4x not allowed on network %.16llx",peer->address().toString().c_str(),_remoteAddress.toString().c_str(),(unsigned int)etherType,(unsigned long long)network->id()); + return true; } + + const MAC to(field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_TO,ZT_PROTO_VERB_EXT_FRAME_LEN_TO),ZT_PROTO_VERB_EXT_FRAME_LEN_TO); + const MAC from(field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_FROM,ZT_PROTO_VERB_EXT_FRAME_LEN_FROM),ZT_PROTO_VERB_EXT_FRAME_LEN_FROM); + + if (to.isMulticast()) { + TRACE("dropped EXT_FRAME from %s@%s(%s) to %s: destination is multicast, must use MULTICAST_FRAME",from.toString().c_str(),peer->address().toString().c_str(),_remoteAddress.toString().c_str(),to.toString().c_str()); + return true; + } + + if ((!from)||(from.isMulticast())||(from == network->mac())) { + TRACE("dropped EXT_FRAME from %s@%s(%s) to %s: invalid source MAC",from.toString().c_str(),peer->address().toString().c_str(),_remoteAddress.toString().c_str(),to.toString().c_str()); + return true; + } + + if (from != MAC(peer->address(),network->id())) { + if (network->config().permitsBridging(peer->address())) { + network->learnBridgeRoute(from,peer->address()); + } else { + TRACE("dropped EXT_FRAME from %s@%s(%s) to %s: sender not allowed to bridge into %.16llx",from.toString().c_str(),peer->address().toString().c_str(),_remoteAddress.toString().c_str(),to.toString().c_str(),network->id()); + return true; + } + } else if (to != network->mac()) { + if (!network->config().permitsBridging(RR->identity.address())) { + TRACE("dropped EXT_FRAME from %s@%s(%s) to %s: I cannot bridge to %.16llx or bridging disabled on network",from.toString().c_str(),peer->address().toString().c_str(),_remoteAddress.toString().c_str(),to.toString().c_str(),network->id()); + return true; + } + } + + const unsigned int payloadLen = size() - (comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD); + RR->node->putFrame(network->id(),network->userPtr(),from,to,etherType,0,field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD,payloadLen),payloadLen); } - if ((flags & 0x10) != 0) { - Packet outp(peer->address(),RR->identity.address(),Packet::VERB_OK); - outp.append((uint8_t)Packet::VERB_EXT_FRAME); - outp.append((uint64_t)packetId()); - outp.append((uint64_t)nwid); - outp.armor(peer->key(),true); - _path->send(RR,outp.data(),outp.size(),RR->node->now()); - } - - peer->received(_path,hops(),packetId(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP,true); + peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP); } else { - TRACE("dropped EXT_FRAME from %s(%s): we are not connected to network %.16llx",source().toString().c_str(),_path->address().toString().c_str(),at(ZT_PROTO_VERB_FRAME_IDX_NETWORK_ID)); - _sendErrorNeedCredentials(RR,peer,nwid); - peer->received(_path,hops(),packetId(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP,false); + TRACE("dropped EXT_FRAME from %s(%s): we are not connected to network %.16llx",source().toString().c_str(),_remoteAddress.toString().c_str(),at(ZT_PROTO_VERB_FRAME_IDX_NETWORK_ID)); } } catch ( ... ) { - TRACE("dropped EXT_FRAME from %s(%s): unexpected exception",source().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped EXT_FRAME from %s(%s): unexpected exception",source().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } @@ -691,11 +621,6 @@ bool IncomingPacket::_doEXT_FRAME(const RuntimeEnvironment *RR,const SharedPtr

&peer) { try { - if (!peer->rateGateEchoRequest(RR->node->now())) { - TRACE("dropped ECHO from %s(%s): rate limit circuit breaker tripped",source().toString().c_str(),_path->address().toString().c_str()); - return true; - } - const uint64_t pid = packetId(); Packet outp(peer->address(),RR->identity.address(),Packet::VERB_OK); outp.append((unsigned char)Packet::VERB_ECHO); @@ -703,11 +628,10 @@ bool IncomingPacket::_doECHO(const RuntimeEnvironment *RR,const SharedPtr if (size() > ZT_PACKET_IDX_PAYLOAD) outp.append(reinterpret_cast(data()) + ZT_PACKET_IDX_PAYLOAD,size() - ZT_PACKET_IDX_PAYLOAD); outp.armor(peer->key(),true); - _path->send(RR,outp.data(),outp.size(),RR->node->now()); - - peer->received(_path,hops(),pid,Packet::VERB_ECHO,0,Packet::VERB_NOP,false); + RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); + peer->received(_localAddress,_remoteAddress,hops(),pid,Packet::VERB_ECHO,0,Packet::VERB_NOP); } catch ( ... ) { - TRACE("dropped ECHO from %s(%s): unexpected exception",source().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped ECHO from %s(%s): unexpected exception",source().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } @@ -717,145 +641,34 @@ bool IncomingPacket::_doMULTICAST_LIKE(const RuntimeEnvironment *RR,const Shared try { const uint64_t now = RR->node->now(); - uint64_t authOnNetwork[256]; // cache for approved network IDs - unsigned int authOnNetworkCount = 0; - SharedPtr network; - bool trustEstablished = false; - // Iterate through 18-byte network,MAC,ADI tuples for(unsigned int ptr=ZT_PACKET_IDX_PAYLOAD;ptr(ptr); - - bool auth = false; - for(unsigned int i=0;iid() != nwid)) - network = RR->node->network(nwid); - const bool authOnNet = ((network)&&(network->gate(peer))); - if (!authOnNet) - _sendErrorNeedCredentials(RR,peer,nwid); - trustEstablished |= authOnNet; - if (authOnNet||RR->mc->cacheAuthorized(peer->address(),nwid,now)) { - auth = true; - if (authOnNetworkCount < 256) // sanity check, packets can't really be this big - authOnNetwork[authOnNetworkCount++] = nwid; - } - } - - if (auth) { - const MulticastGroup group(MAC(field(ptr + 8,6),6),at(ptr + 14)); - RR->mc->add(now,nwid,group,peer->address()); - } + const MulticastGroup group(MAC(field(ptr + 8,6),6),at(ptr + 14)); + RR->mc->add(now,nwid,group,peer->address()); } - peer->received(_path,hops(),packetId(),Packet::VERB_MULTICAST_LIKE,0,Packet::VERB_NOP,trustEstablished); + peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_MULTICAST_LIKE,0,Packet::VERB_NOP); } catch ( ... ) { - TRACE("dropped MULTICAST_LIKE from %s(%s): unexpected exception",source().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped MULTICAST_LIKE from %s(%s): unexpected exception",source().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } -bool IncomingPacket::_doNETWORK_CREDENTIALS(const RuntimeEnvironment *RR,const SharedPtr &peer) +bool IncomingPacket::_doNETWORK_MEMBERSHIP_CERTIFICATE(const RuntimeEnvironment *RR,const SharedPtr &peer) { try { - if (!peer->rateGateCredentialsReceived(RR->node->now())) { - TRACE("dropped NETWORK_CREDENTIALS from %s(%s): rate limit circuit breaker tripped",source().toString().c_str(),_path->address().toString().c_str()); - return true; - } - CertificateOfMembership com; - Capability cap; - Tag tag; - Revocation revocation; - bool trustEstablished = false; - unsigned int p = ZT_PACKET_IDX_PAYLOAD; - while ((p < size())&&((*this)[p])) { - p += com.deserialize(*this,p); - if (com) { - const SharedPtr network(RR->node->network(com.networkId())); - if (network) { - switch (network->addCredential(com)) { - case Membership::ADD_REJECTED: - break; - case Membership::ADD_ACCEPTED_NEW: - case Membership::ADD_ACCEPTED_REDUNDANT: - trustEstablished = true; - break; - case Membership::ADD_DEFERRED_FOR_WHOIS: - return false; - } - } else RR->mc->addCredential(com,false); - } - } - ++p; // skip trailing 0 after COMs if present - - if (p < size()) { // older ZeroTier versions do not send capabilities, tags, or revocations - const unsigned int numCapabilities = at(p); p += 2; - for(unsigned int i=0;i network(RR->node->network(cap.networkId())); - if (network) { - switch (network->addCredential(cap)) { - case Membership::ADD_REJECTED: - break; - case Membership::ADD_ACCEPTED_NEW: - case Membership::ADD_ACCEPTED_REDUNDANT: - trustEstablished = true; - break; - case Membership::ADD_DEFERRED_FOR_WHOIS: - return false; - } - } - } - - const unsigned int numTags = at(p); p += 2; - for(unsigned int i=0;i network(RR->node->network(tag.networkId())); - if (network) { - switch (network->addCredential(tag)) { - case Membership::ADD_REJECTED: - break; - case Membership::ADD_ACCEPTED_NEW: - case Membership::ADD_ACCEPTED_REDUNDANT: - trustEstablished = true; - break; - case Membership::ADD_DEFERRED_FOR_WHOIS: - return false; - } - } - } - - const unsigned int numRevocations = at(p); p += 2; - for(unsigned int i=0;i network(RR->node->network(revocation.networkId())); - if (network) { - switch(network->addCredential(peer->address(),revocation)) { - case Membership::ADD_REJECTED: - break; - case Membership::ADD_ACCEPTED_NEW: - case Membership::ADD_ACCEPTED_REDUNDANT: - trustEstablished = true; - break; - case Membership::ADD_DEFERRED_FOR_WHOIS: - return false; - } - } - } + unsigned int ptr = ZT_PACKET_IDX_PAYLOAD; + while (ptr < size()) { + ptr += com.deserialize(*this,ptr); + peer->validateAndSetNetworkMembershipCertificate(com.networkId(),com); } - peer->received(_path,hops(),packetId(),Packet::VERB_NETWORK_CREDENTIALS,0,Packet::VERB_NOP,trustEstablished); - } catch (std::exception &exc) { - TRACE("dropped NETWORK_CREDENTIALS from %s(%s): %s",source().toString().c_str(),_path->address().toString().c_str(),exc.what()); + peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_NETWORK_MEMBERSHIP_CERTIFICATE,0,Packet::VERB_NOP); } catch ( ... ) { - TRACE("dropped NETWORK_CREDENTIALS from %s(%s): unexpected exception",source().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped NETWORK_MEMBERSHIP_CERTIFICATE from %s(%s): unexpected exception",source().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } @@ -864,134 +677,117 @@ bool IncomingPacket::_doNETWORK_CONFIG_REQUEST(const RuntimeEnvironment *RR,cons { try { const uint64_t nwid = at(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_NETWORK_ID); - const unsigned int hopCount = hops(); - const uint64_t requestPacketId = packetId(); - bool trustEstablished = false; + + const unsigned int metaDataLength = at(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT_LEN); + const uint8_t *metaDataBytes = (const uint8_t *)field(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT,metaDataLength); + + NetworkConfigRequestMetaData metaData; + bool haveNewStyleMetaData = false; + for(unsigned int i=0;i md(metaDataBytes,metaDataLength); + metaData.deserialize(md,0); // the meta-data deserializer automatically skips old-style meta-data + } else { +#ifdef ZT_SUPPORT_OLD_STYLE_NETCONF + const Dictionary oldStyleMetaData((const char *)metaDataBytes,metaDataLength); + metaData.majorVersion = (unsigned int)oldStyleMetaData.getHexUInt(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_MAJOR_VERSION,0); + metaData.minorVersion = (unsigned int)oldStyleMetaData.getHexUInt(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_MINOR_VERSION,0); + metaData.revision = (unsigned int)oldStyleMetaData.getHexUInt(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_REVISION,0); +#endif + } + + //const uint64_t haveRevision = ((ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT + metaDataLength + 8) <= size()) ? at(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT + metaDataLength) : 0ULL; + + const unsigned int h = hops(); + const uint64_t pid = packetId(); + peer->received(_localAddress,_remoteAddress,h,pid,Packet::VERB_NETWORK_CONFIG_REQUEST,0,Packet::VERB_NOP); if (RR->localNetworkController) { - const unsigned int metaDataLength = at(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT_LEN); - const char *metaDataBytes = (const char *)field(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT,metaDataLength); - const Dictionary metaData(metaDataBytes,metaDataLength); + Buffer<8194> netconf; + switch(RR->localNetworkController->doNetworkConfigRequest((h > 0) ? InetAddress() : _remoteAddress,RR->identity,peer->identity(),nwid,metaData,netconf)) { - NetworkConfig *netconf = new NetworkConfig(); - try { - switch(RR->localNetworkController->doNetworkConfigRequest((hopCount > 0) ? InetAddress() : _path->address(),RR->identity,peer->identity(),nwid,metaData,*netconf)) { + case NetworkController::NETCONF_QUERY_OK: { + Packet outp(peer->address(),RR->identity.address(),Packet::VERB_OK); + outp.append((unsigned char)Packet::VERB_NETWORK_CONFIG_REQUEST); + outp.append(pid); + outp.append(nwid); + outp.append((uint16_t)netconf.size()); + outp.append(netconf.data(),(unsigned int)netconf.size()); + outp.compress(); + outp.armor(peer->key(),true); + if (outp.size() > ZT_PROTO_MAX_PACKET_LENGTH) { // sanity check + //TRACE("NETWORK_CONFIG_REQUEST failed: internal error: netconf size %u is too large",(unsigned int)netconfStr.length()); + } else { + RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); + } + } break; - case NetworkController::NETCONF_QUERY_OK: { - trustEstablished = true; - Dictionary *dconf = new Dictionary(); - try { - if (netconf->toDictionary(*dconf,metaData.getUI(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_VERSION,0) < 6)) { - uint64_t configUpdateId = RR->node->prng(); - if (!configUpdateId) ++configUpdateId; - const unsigned int totalSize = dconf->sizeBytes(); - unsigned int chunkIndex = 0; - while (chunkIndex < totalSize) { - const unsigned int chunkLen = std::min(totalSize - chunkIndex,(unsigned int)(ZT_UDP_DEFAULT_PAYLOAD_MTU - (ZT_PACKET_IDX_PAYLOAD + 256))); - Packet outp(peer->address(),RR->identity.address(),Packet::VERB_OK); - outp.append((unsigned char)Packet::VERB_NETWORK_CONFIG_REQUEST); - outp.append(requestPacketId); + case NetworkController::NETCONF_QUERY_OBJECT_NOT_FOUND: { + Packet outp(peer->address(),RR->identity.address(),Packet::VERB_ERROR); + outp.append((unsigned char)Packet::VERB_NETWORK_CONFIG_REQUEST); + outp.append(pid); + outp.append((unsigned char)Packet::ERROR_OBJ_NOT_FOUND); + outp.append(nwid); + outp.armor(peer->key(),true); + RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); + } break; - const unsigned int sigStart = outp.size(); - outp.append(nwid); - outp.append((uint16_t)chunkLen); - outp.append((const void *)(dconf->data() + chunkIndex),chunkLen); + case NetworkController::NETCONF_QUERY_ACCESS_DENIED: { + Packet outp(peer->address(),RR->identity.address(),Packet::VERB_ERROR); + outp.append((unsigned char)Packet::VERB_NETWORK_CONFIG_REQUEST); + outp.append(pid); + outp.append((unsigned char)Packet::ERROR_NETWORK_ACCESS_DENIED_); + outp.append(nwid); + outp.armor(peer->key(),true); + RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); + } break; - outp.append((uint8_t)0); // no flags - outp.append((uint64_t)configUpdateId); - outp.append((uint32_t)totalSize); - outp.append((uint32_t)chunkIndex); + case NetworkController::NETCONF_QUERY_INTERNAL_SERVER_ERROR: + // TRACE("NETWORK_CONFIG_REQUEST failed: internal error: %s",netconf.get("error","(unknown)").c_str()); + break; - C25519::Signature sig(RR->identity.sign(reinterpret_cast(outp.data()) + sigStart,outp.size() - sigStart)); - outp.append((uint8_t)1); - outp.append((uint16_t)ZT_C25519_SIGNATURE_LEN); - outp.append(sig.data,ZT_C25519_SIGNATURE_LEN); + case NetworkController::NETCONF_QUERY_IGNORE: + break; - outp.compress(); - RR->sw->send(outp,true); - chunkIndex += chunkLen; - } - } - delete dconf; - } catch ( ... ) { - delete dconf; - throw; - } - } break; + default: + TRACE("NETWORK_CONFIG_REQUEST failed: invalid return value from NetworkController::doNetworkConfigRequest()"); + break; - case NetworkController::NETCONF_QUERY_OBJECT_NOT_FOUND: { - Packet outp(peer->address(),RR->identity.address(),Packet::VERB_ERROR); - outp.append((unsigned char)Packet::VERB_NETWORK_CONFIG_REQUEST); - outp.append(requestPacketId); - outp.append((unsigned char)Packet::ERROR_OBJ_NOT_FOUND); - outp.append(nwid); - outp.armor(peer->key(),true); - _path->send(RR,outp.data(),outp.size(),RR->node->now()); - } break; - - case NetworkController::NETCONF_QUERY_ACCESS_DENIED: { - Packet outp(peer->address(),RR->identity.address(),Packet::VERB_ERROR); - outp.append((unsigned char)Packet::VERB_NETWORK_CONFIG_REQUEST); - outp.append(requestPacketId); - outp.append((unsigned char)Packet::ERROR_NETWORK_ACCESS_DENIED_); - outp.append(nwid); - outp.armor(peer->key(),true); - _path->send(RR,outp.data(),outp.size(),RR->node->now()); - } break; - - case NetworkController::NETCONF_QUERY_INTERNAL_SERVER_ERROR: - break; - case NetworkController::NETCONF_QUERY_IGNORE: - break; - default: - TRACE("NETWORK_CONFIG_REQUEST failed: invalid return value from NetworkController::doNetworkConfigRequest()"); - break; - } - delete netconf; - } catch ( ... ) { - delete netconf; - throw; } } else { Packet outp(peer->address(),RR->identity.address(),Packet::VERB_ERROR); outp.append((unsigned char)Packet::VERB_NETWORK_CONFIG_REQUEST); - outp.append(requestPacketId); + outp.append(pid); outp.append((unsigned char)Packet::ERROR_UNSUPPORTED_OPERATION); outp.append(nwid); outp.armor(peer->key(),true); - _path->send(RR,outp.data(),outp.size(),RR->node->now()); + RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } - - peer->received(_path,hopCount,requestPacketId,Packet::VERB_NETWORK_CONFIG_REQUEST,0,Packet::VERB_NOP,trustEstablished); - } catch (std::exception &exc) { - fprintf(stderr,"WARNING: network config request failed with exception: %s" ZT_EOL_S,exc.what()); - TRACE("dropped NETWORK_CONFIG_REQUEST from %s(%s): %s",source().toString().c_str(),_path->address().toString().c_str(),exc.what()); } catch ( ... ) { - fprintf(stderr,"WARNING: network config request failed with exception: unknown exception" ZT_EOL_S); - TRACE("dropped NETWORK_CONFIG_REQUEST from %s(%s): unknown exception",source().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped NETWORK_CONFIG_REQUEST from %s(%s): unexpected exception",source().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } -bool IncomingPacket::_doNETWORK_CONFIG(const RuntimeEnvironment *RR,const SharedPtr &peer) +bool IncomingPacket::_doNETWORK_CONFIG_REFRESH(const RuntimeEnvironment *RR,const SharedPtr &peer) { try { - const SharedPtr network(RR->node->network(at(ZT_PACKET_IDX_PAYLOAD))); - if (network) { - const uint64_t configUpdateId = network->handleConfigChunk(*this,ZT_PACKET_IDX_PAYLOAD); - if (configUpdateId) { - Packet outp(peer->address(),RR->identity.address(),Packet::VERB_OK); - outp.append((uint8_t)Packet::VERB_ECHO); - outp.append((uint64_t)packetId()); - outp.append((uint64_t)network->id()); - outp.append((uint64_t)configUpdateId); - outp.armor(peer->key(),true); - _path->send(RR,outp.data(),outp.size(),RR->node->now()); - } + unsigned int ptr = ZT_PACKET_IDX_PAYLOAD; + while ((ptr + 8) <= size()) { + uint64_t nwid = at(ptr); + SharedPtr nw(RR->node->network(nwid)); + if ((nw)&&(peer->address() == nw->controller())) + nw->requestConfiguration(); + ptr += 8; } - peer->received(_path,hops(),packetId(),Packet::VERB_NETWORK_CONFIG,0,Packet::VERB_NOP,false); + peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_NETWORK_CONFIG_REFRESH,0,Packet::VERB_NOP); } catch ( ... ) { - TRACE("dropped NETWORK_CONFIG_REFRESH from %s(%s): unexpected exception",source().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped NETWORK_CONFIG_REFRESH from %s(%s): unexpected exception",source().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } @@ -1000,32 +796,12 @@ bool IncomingPacket::_doMULTICAST_GATHER(const RuntimeEnvironment *RR,const Shar { try { const uint64_t nwid = at(ZT_PROTO_VERB_MULTICAST_GATHER_IDX_NETWORK_ID); - const unsigned int flags = (*this)[ZT_PROTO_VERB_MULTICAST_GATHER_IDX_FLAGS]; const MulticastGroup mg(MAC(field(ZT_PROTO_VERB_MULTICAST_GATHER_IDX_MAC,6),6),at(ZT_PROTO_VERB_MULTICAST_GATHER_IDX_ADI)); const unsigned int gatherLimit = at(ZT_PROTO_VERB_MULTICAST_GATHER_IDX_GATHER_LIMIT); - //TRACE("<address().toString().c_str(),gatherLimit,nwid,mg.toString().c_str()); + //TRACE("< network(RR->node->network(nwid)); - - if ((flags & 0x01) != 0) { - try { - CertificateOfMembership com; - com.deserialize(*this,ZT_PROTO_VERB_MULTICAST_GATHER_IDX_COM); - if (com) { - if (network) - network->addCredential(com); - else RR->mc->addCredential(com,false); - } - } catch ( ... ) { - TRACE("MULTICAST_GATHER from %s(%s): discarded invalid COM",peer->address().toString().c_str(),_path->address().toString().c_str()); - } - } - - const bool trustEstablished = ((network)&&(network->gate(peer))); - if (!trustEstablished) - _sendErrorNeedCredentials(RR,peer,nwid); - if ( ( trustEstablished || RR->mc->cacheAuthorized(peer->address(),nwid,RR->node->now()) ) && (gatherLimit > 0) ) { + if (gatherLimit) { Packet outp(peer->address(),RR->identity.address(),Packet::VERB_OK); outp.append((unsigned char)Packet::VERB_MULTICAST_GATHER); outp.append(packetId()); @@ -1033,21 +809,20 @@ bool IncomingPacket::_doMULTICAST_GATHER(const RuntimeEnvironment *RR,const Shar mg.mac().appendTo(outp); outp.append((uint32_t)mg.adi()); const unsigned int gatheredLocally = RR->mc->gather(peer->address(),nwid,mg,outp,gatherLimit); - if (gatheredLocally > 0) { + if (gatheredLocally) { outp.armor(peer->key(),true); - _path->send(RR,outp.data(),outp.size(),RR->node->now()); + RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } - // If we are a member of a cluster, distribute this GATHER across it #ifdef ZT_ENABLE_CLUSTER if ((RR->cluster)&&(gatheredLocally < gatherLimit)) RR->cluster->sendDistributedQuery(*this); #endif } - peer->received(_path,hops(),packetId(),Packet::VERB_MULTICAST_GATHER,0,Packet::VERB_NOP,trustEstablished); + peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_MULTICAST_GATHER,0,Packet::VERB_NOP); } catch ( ... ) { - TRACE("dropped MULTICAST_GATHER from %s(%s): unexpected exception",peer->address().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped MULTICAST_GATHER from %s(%s): unexpected exception",source().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } @@ -1064,23 +839,16 @@ bool IncomingPacket::_doMULTICAST_FRAME(const RuntimeEnvironment *RR,const Share unsigned int offset = 0; if ((flags & 0x01) != 0) { - // This is deprecated but may still be sent by old peers CertificateOfMembership com; offset += com.deserialize(*this,ZT_PROTO_VERB_MULTICAST_FRAME_IDX_COM); - if (com) - network->addCredential(com); + peer->validateAndSetNetworkMembershipCertificate(nwid,com); } - if (!network->gate(peer)) { - TRACE("dropped MULTICAST_FRAME from %s(%s): not a member of private network %.16llx",peer->address().toString().c_str(),_path->address().toString().c_str(),(unsigned long long)network->id()); - _sendErrorNeedCredentials(RR,peer,nwid); - peer->received(_path,hops(),packetId(),Packet::VERB_MULTICAST_FRAME,0,Packet::VERB_NOP,false); - return true; - } - - if (network->config().multicastLimit == 0) { - TRACE("dropped MULTICAST_FRAME from %s(%s): network %.16llx does not allow multicast",peer->address().toString().c_str(),_path->address().toString().c_str(),(unsigned long long)network->id()); - peer->received(_path,hops(),packetId(),Packet::VERB_MULTICAST_FRAME,0,Packet::VERB_NOP,false); + // Check membership after we've read any included COM, since + // that cert might be what we needed. + if (!network->isAllowed(peer)) { + TRACE("dropped MULTICAST_FRAME from %s(%s): not a member of private network %.16llx",peer->address().toString().c_str(),_remoteAddress.toString().c_str(),(unsigned long long)network->id()); + _sendErrorNeedCertificate(RR,peer,network->id()); return true; } @@ -1100,36 +868,30 @@ bool IncomingPacket::_doMULTICAST_FRAME(const RuntimeEnvironment *RR,const Share const MulticastGroup to(MAC(field(offset + ZT_PROTO_VERB_MULTICAST_FRAME_IDX_DEST_MAC,6),6),at(offset + ZT_PROTO_VERB_MULTICAST_FRAME_IDX_DEST_ADI)); const unsigned int etherType = at(offset + ZT_PROTO_VERB_MULTICAST_FRAME_IDX_ETHERTYPE); - const unsigned int frameLen = size() - (offset + ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME); + const unsigned int payloadLen = size() - (offset + ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME); - //TRACE("<address().toString().c_str(),flags,frameLen); + //TRACE("<address().toString().c_str(),flags,payloadLen); - if ((frameLen > 0)&&(frameLen <= ZT_IF_MTU)) { + if ((payloadLen > 0)&&(payloadLen <= ZT_IF_MTU)) { if (!to.mac().isMulticast()) { - TRACE("dropped MULTICAST_FRAME from %s@%s(%s) to %s: destination is unicast, must use FRAME or EXT_FRAME",from.toString().c_str(),peer->address().toString().c_str(),_path->address().toString().c_str(),to.toString().c_str()); - peer->received(_path,hops(),packetId(),Packet::VERB_MULTICAST_FRAME,0,Packet::VERB_NOP,true); // trustEstablished because COM is okay + TRACE("dropped MULTICAST_FRAME from %s@%s(%s) to %s: destination is unicast, must use FRAME or EXT_FRAME",from.toString().c_str(),peer->address().toString().c_str(),_remoteAddress.toString().c_str(),to.toString().c_str()); return true; } if ((!from)||(from.isMulticast())||(from == network->mac())) { - TRACE("dropped MULTICAST_FRAME from %s@%s(%s) to %s: invalid source MAC",from.toString().c_str(),peer->address().toString().c_str(),_path->address().toString().c_str(),to.toString().c_str()); - peer->received(_path,hops(),packetId(),Packet::VERB_MULTICAST_FRAME,0,Packet::VERB_NOP,true); // trustEstablished because COM is okay + TRACE("dropped MULTICAST_FRAME from %s@%s(%s) to %s: invalid source MAC",from.toString().c_str(),peer->address().toString().c_str(),_remoteAddress.toString().c_str(),to.toString().c_str()); return true; } - if (from != MAC(peer->address(),nwid)) { + if (from != MAC(peer->address(),network->id())) { if (network->config().permitsBridging(peer->address())) { network->learnBridgeRoute(from,peer->address()); } else { - TRACE("dropped MULTICAST_FRAME from %s@%s(%s) to %s: sender not allowed to bridge into %.16llx",from.toString().c_str(),peer->address().toString().c_str(),_path->address().toString().c_str(),to.toString().c_str(),network->id()); - peer->received(_path,hops(),packetId(),Packet::VERB_MULTICAST_FRAME,0,Packet::VERB_NOP,true); // trustEstablished because COM is okay + TRACE("dropped MULTICAST_FRAME from %s@%s(%s) to %s: sender not allowed to bridge into %.16llx",from.toString().c_str(),peer->address().toString().c_str(),_remoteAddress.toString().c_str(),to.toString().c_str(),network->id()); return true; } } - const uint8_t *const frameData = (const uint8_t *)field(offset + ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME,frameLen); - if (network->filterIncomingPacket(peer,RR->identity.address(),from,to.mac(),frameData,frameLen,etherType,0) > 0) { - RR->node->putFrame(nwid,network->userPtr(),from,to.mac(),etherType,0,(const void *)frameData,frameLen); - } + RR->node->putFrame(network->id(),network->userPtr(),from,to.mac(),etherType,0,field(offset + ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME,payloadLen),payloadLen); } if (gatherLimit) { @@ -1142,17 +904,14 @@ bool IncomingPacket::_doMULTICAST_FRAME(const RuntimeEnvironment *RR,const Share outp.append((unsigned char)0x02); // flag 0x02 = contains gather results if (RR->mc->gather(peer->address(),nwid,to,outp,gatherLimit)) { outp.armor(peer->key(),true); - _path->send(RR,outp.data(),outp.size(),RR->node->now()); + RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } } + } // else ignore -- not a member of this network - peer->received(_path,hops(),packetId(),Packet::VERB_MULTICAST_FRAME,0,Packet::VERB_NOP,true); - } else { - _sendErrorNeedCredentials(RR,peer,nwid); - peer->received(_path,hops(),packetId(),Packet::VERB_MULTICAST_FRAME,0,Packet::VERB_NOP,false); - } + peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_MULTICAST_FRAME,0,Packet::VERB_NOP); } catch ( ... ) { - TRACE("dropped MULTICAST_FRAME from %s(%s): unexpected exception",source().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped MULTICAST_FRAME from %s(%s): unexpected exception",source().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } @@ -1163,9 +922,8 @@ bool IncomingPacket::_doPUSH_DIRECT_PATHS(const RuntimeEnvironment *RR,const Sha const uint64_t now = RR->node->now(); // First, subject this to a rate limit - if (!peer->rateGatePushDirectPaths(now)) { - TRACE("dropped PUSH_DIRECT_PATHS from %s(%s): circuit breaker tripped",source().toString().c_str(),_path->address().toString().c_str()); - peer->received(_path,hops(),packetId(),Packet::VERB_PUSH_DIRECT_PATHS,0,Packet::VERB_NOP,false); + if (!peer->shouldRespondToDirectPathPush(now)) { + TRACE("dropped PUSH_DIRECT_PATHS from %s(%s): circuit breaker tripped",source().toString().c_str(),_remoteAddress.toString().c_str()); return true; } @@ -1191,15 +949,15 @@ bool IncomingPacket::_doPUSH_DIRECT_PATHS(const RuntimeEnvironment *RR,const Sha bool redundant = false; if ((flags & ZT_PUSH_DIRECT_PATHS_FLAG_CLUSTER_REDIRECT) != 0) { - peer->setClusterOptimal(a); + peer->setClusterOptimalPathForAddressFamily(a); } else { redundant = peer->hasActivePathTo(now,a); } - if ( ((flags & ZT_PUSH_DIRECT_PATHS_FLAG_FORGET_PATH) == 0) && (!redundant) && (RR->node->shouldUsePathForZeroTierTraffic(_path->localAddress(),a)) ) { + if ( ((flags & ZT_PUSH_DIRECT_PATHS_FLAG_FORGET_PATH) == 0) && (!redundant) && (RR->node->shouldUsePathForZeroTierTraffic(_localAddress,a)) ) { if (++countPerScope[(int)a.ipScope()][0] <= ZT_PUSH_DIRECT_PATHS_MAX_PER_SCOPE_AND_FAMILY) { TRACE("attempting to contact %s at pushed direct path %s",peer->address().toString().c_str(),a.toString().c_str()); - peer->attemptToContactAt(InetAddress(),a,now); + peer->sendHELLO(InetAddress(),a,now); } else { TRACE("ignoring contact for %s at %s -- too many per scope",peer->address().toString().c_str(),a.toString().c_str()); } @@ -1210,15 +968,15 @@ bool IncomingPacket::_doPUSH_DIRECT_PATHS(const RuntimeEnvironment *RR,const Sha bool redundant = false; if ((flags & ZT_PUSH_DIRECT_PATHS_FLAG_CLUSTER_REDIRECT) != 0) { - peer->setClusterOptimal(a); + peer->setClusterOptimalPathForAddressFamily(a); } else { redundant = peer->hasActivePathTo(now,a); } - if ( ((flags & ZT_PUSH_DIRECT_PATHS_FLAG_FORGET_PATH) == 0) && (!redundant) && (RR->node->shouldUsePathForZeroTierTraffic(_path->localAddress(),a)) ) { + if ( ((flags & ZT_PUSH_DIRECT_PATHS_FLAG_FORGET_PATH) == 0) && (!redundant) && (RR->node->shouldUsePathForZeroTierTraffic(_localAddress,a)) ) { if (++countPerScope[(int)a.ipScope()][1] <= ZT_PUSH_DIRECT_PATHS_MAX_PER_SCOPE_AND_FAMILY) { TRACE("attempting to contact %s at pushed direct path %s",peer->address().toString().c_str(),a.toString().c_str()); - peer->attemptToContactAt(InetAddress(),a,now); + peer->sendHELLO(InetAddress(),a,now); } else { TRACE("ignoring contact for %s at %s -- too many per scope",peer->address().toString().c_str(),a.toString().c_str()); } @@ -1228,9 +986,9 @@ bool IncomingPacket::_doPUSH_DIRECT_PATHS(const RuntimeEnvironment *RR,const Sha ptr += addrLen; } - peer->received(_path,hops(),packetId(),Packet::VERB_PUSH_DIRECT_PATHS,0,Packet::VERB_NOP,false); + peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_PUSH_DIRECT_PATHS,0,Packet::VERB_NOP); } catch ( ... ) { - TRACE("dropped PUSH_DIRECT_PATHS from %s(%s): unexpected exception",source().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped PUSH_DIRECT_PATHS from %s(%s): unexpected exception",source().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } @@ -1252,7 +1010,7 @@ bool IncomingPacket::_doCIRCUIT_TEST(const RuntimeEnvironment *RR,const SharedPt // Tracks total length of variable length fields, initialized to originator credential length below unsigned int vlf; - // Originator credentials -- right now only a network ID for which the originator is controller or is authorized by controller is allowed + // Originator credentials const unsigned int originatorCredentialLength = vlf = at(ZT_PACKET_IDX_PAYLOAD + 23); uint64_t originatorCredentialNetworkId = 0; if (originatorCredentialLength >= 1) { @@ -1271,8 +1029,7 @@ bool IncomingPacket::_doCIRCUIT_TEST(const RuntimeEnvironment *RR,const SharedPt // Verify signature -- only tests signed by their originators are allowed const unsigned int signatureLength = at(ZT_PACKET_IDX_PAYLOAD + 27 + vlf); if (!originator->identity().verify(field(ZT_PACKET_IDX_PAYLOAD,27 + vlf),27 + vlf,field(ZT_PACKET_IDX_PAYLOAD + 29 + vlf,signatureLength),signatureLength)) { - TRACE("dropped CIRCUIT_TEST from %s(%s): signature by originator %s invalid",source().toString().c_str(),_path->address().toString().c_str(),originatorAddress.toString().c_str()); - peer->received(_path,hops(),packetId(),Packet::VERB_CIRCUIT_TEST,0,Packet::VERB_NOP,false); + TRACE("dropped CIRCUIT_TEST from %s(%s): signature by originator %s invalid",source().toString().c_str(),_remoteAddress.toString().c_str(),originatorAddress.toString().c_str()); return true; } vlf += signatureLength; @@ -1281,24 +1038,46 @@ bool IncomingPacket::_doCIRCUIT_TEST(const RuntimeEnvironment *RR,const SharedPt // into the one we send along to next hops. const unsigned int lengthOfSignedPortionAndSignature = 29 + vlf; - // Add length of second "additional fields" section. - vlf += at(ZT_PACKET_IDX_PAYLOAD + 29 + vlf); - - uint64_t reportFlags = 0; + // Get previous hop's credential, if any + const unsigned int previousHopCredentialLength = at(ZT_PACKET_IDX_PAYLOAD + 29 + vlf); + CertificateOfMembership previousHopCom; + if (previousHopCredentialLength >= 1) { + switch((*this)[ZT_PACKET_IDX_PAYLOAD + 31 + vlf]) { + case 0x01: { // network certificate of membership for previous hop + const unsigned int phcl = previousHopCom.deserialize(*this,ZT_PACKET_IDX_PAYLOAD + 32 + vlf); + if (phcl != (previousHopCredentialLength - 1)) { + TRACE("dropped CIRCUIT_TEST from %s(%s): previous hop COM invalid (%u != %u)",source().toString().c_str(),_remoteAddress.toString().c_str(),phcl,(previousHopCredentialLength - 1)); + return true; + } + } break; + default: break; + } + } + vlf += previousHopCredentialLength; // Check credentials (signature already verified) + NetworkConfig originatorCredentialNetworkConfig; if (originatorCredentialNetworkId) { - SharedPtr network(RR->node->network(originatorCredentialNetworkId)); - if ((!network)||(!network->config().circuitTestingAllowed(originatorAddress))) { - TRACE("dropped CIRCUIT_TEST from %s(%s): originator %s specified network ID %.16llx as credential, and we don't belong to that network or originator is not allowed'",source().toString().c_str(),_path->address().toString().c_str(),originatorAddress.toString().c_str(),originatorCredentialNetworkId); - peer->received(_path,hops(),packetId(),Packet::VERB_CIRCUIT_TEST,0,Packet::VERB_NOP,false); + if (Network::controllerFor(originatorCredentialNetworkId) == originatorAddress) { + SharedPtr nw(RR->node->network(originatorCredentialNetworkId)); + if ((nw)&&(nw->hasConfig())) { + originatorCredentialNetworkConfig = nw->config(); + if ( ( (originatorCredentialNetworkConfig.isPublic()) || (peer->address() == originatorAddress) || ((originatorCredentialNetworkConfig.com)&&(previousHopCom)&&(originatorCredentialNetworkConfig.com.agreesWith(previousHopCom))) ) ) { + TRACE("CIRCUIT_TEST %.16llx received from hop %s(%s) and originator %s with valid network ID credential %.16llx (verified from originator and next hop)",testId,source().toString().c_str(),_remoteAddress.toString().c_str(),originatorAddress.toString().c_str(),originatorCredentialNetworkId); + } else { + TRACE("dropped CIRCUIT_TEST from %s(%s): originator %s specified network ID %.16llx as credential, and previous hop %s did not supply a valid COM",source().toString().c_str(),_remoteAddress.toString().c_str(),originatorAddress.toString().c_str(),originatorCredentialNetworkId,peer->address().toString().c_str()); + return true; + } + } else { + TRACE("dropped CIRCUIT_TEST from %s(%s): originator %s specified network ID %.16llx as credential, and we are not a member",source().toString().c_str(),_remoteAddress.toString().c_str(),originatorAddress.toString().c_str(),originatorCredentialNetworkId); + return true; + } + } else { + TRACE("dropped CIRCUIT_TEST from %s(%s): originator %s specified network ID as credential, is not controller for %.16llx",source().toString().c_str(),_remoteAddress.toString().c_str(),originatorAddress.toString().c_str(),originatorCredentialNetworkId); return true; } - if (network->gate(peer)) - reportFlags |= ZT_CIRCUIT_TEST_REPORT_FLAGS_UPSTREAM_AUTHORIZED_IN_PATH; } else { - TRACE("dropped CIRCUIT_TEST from %s(%s): originator %s did not specify a credential or credential type",source().toString().c_str(),_path->address().toString().c_str(),originatorAddress.toString().c_str()); - peer->received(_path,hops(),packetId(),Packet::VERB_CIRCUIT_TEST,0,Packet::VERB_NOP,false); + TRACE("dropped CIRCUIT_TEST from %s(%s): originator %s did not specify a credential or credential type",source().toString().c_str(),_remoteAddress.toString().c_str(),originatorAddress.toString().c_str()); return true; } @@ -1316,9 +1095,9 @@ bool IncomingPacket::_doCIRCUIT_TEST(const RuntimeEnvironment *RR,const SharedPt remainingHopsPtr += ZT_ADDRESS_LENGTH; SharedPtr nhp(RR->topology->getPeer(nextHop[h])); if (nhp) { - SharedPtr nhbp(nhp->getBestPath(now,false)); - if ((nhbp)&&(nhbp->alive(now))) - nextHopBestPathAddress[h] = nhbp->address(); + Path *const rp = nhp->getBestPath(now); + if (rp) + nextHopBestPathAddress[h] = rp->address(); } } } @@ -1337,26 +1116,32 @@ bool IncomingPacket::_doCIRCUIT_TEST(const RuntimeEnvironment *RR,const SharedPt outp.append((uint16_t)ZT_PLATFORM_UNSPECIFIED); outp.append((uint16_t)ZT_ARCHITECTURE_UNSPECIFIED); outp.append((uint16_t)0); // error code, currently unused - outp.append((uint64_t)reportFlags); + outp.append((uint64_t)0); // flags, currently unused outp.append((uint64_t)packetId()); peer->address().appendTo(outp); outp.append((uint8_t)hops()); - _path->localAddress().serialize(outp); - _path->address().serialize(outp); + _localAddress.serialize(outp); + _remoteAddress.serialize(outp); outp.append((uint16_t)0); // no additional fields outp.append((uint8_t)breadth); for(unsigned int h=0;hsw->send(outp,true); + RR->sw->send(outp,true,0); } // If there are next hops, forward the test along through the graph if (breadth > 0) { Packet outp(Address(),RR->identity.address(),Packet::VERB_CIRCUIT_TEST); outp.append(field(ZT_PACKET_IDX_PAYLOAD,lengthOfSignedPortionAndSignature),lengthOfSignedPortionAndSignature); - outp.append((uint16_t)0); // no additional fields + const unsigned int previousHopCredentialPos = outp.size(); + outp.append((uint16_t)0); // no previous hop credentials: default + if ((originatorCredentialNetworkConfig)&&(!originatorCredentialNetworkConfig.isPublic())&&(originatorCredentialNetworkConfig.com)) { + outp.append((uint8_t)0x01); // COM + originatorCredentialNetworkConfig.com.serialize(outp); + outp.setAt(previousHopCredentialPos,(uint16_t)(outp.size() - (previousHopCredentialPos + 2))); + } if (remainingHopsPtr < size()) outp.append(field(remainingHopsPtr,size() - remainingHopsPtr),size() - remainingHopsPtr); @@ -1364,14 +1149,14 @@ bool IncomingPacket::_doCIRCUIT_TEST(const RuntimeEnvironment *RR,const SharedPt if (RR->identity.address() != nextHop[h]) { // next hops that loop back to the current hop are not valid outp.newInitializationVector(); outp.setDestination(nextHop[h]); - RR->sw->send(outp,true); + RR->sw->send(outp,true,originatorCredentialNetworkId); } } } - peer->received(_path,hops(),packetId(),Packet::VERB_CIRCUIT_TEST,0,Packet::VERB_NOP,false); + peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_CIRCUIT_TEST,0,Packet::VERB_NOP); } catch ( ... ) { - TRACE("dropped CIRCUIT_TEST from %s(%s): unexpected exception",source().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped CIRCUIT_TEST from %s(%s): unexpected exception",source().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } @@ -1386,6 +1171,7 @@ bool IncomingPacket::_doCIRCUIT_TEST_REPORT(const RuntimeEnvironment *RR,const S report.upstream = Address(field(ZT_PACKET_IDX_PAYLOAD + 52,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH).toInt(); report.testId = at(ZT_PACKET_IDX_PAYLOAD + 8); report.timestamp = at(ZT_PACKET_IDX_PAYLOAD); + report.remoteTimestamp = at(ZT_PACKET_IDX_PAYLOAD + 16); report.sourcePacketId = at(ZT_PACKET_IDX_PAYLOAD + 44); report.flags = at(ZT_PACKET_IDX_PAYLOAD + 36); report.sourcePacketHopCount = (*this)[ZT_PACKET_IDX_PAYLOAD + 57]; // end of fixed length headers: 58 @@ -1413,10 +1199,8 @@ bool IncomingPacket::_doCIRCUIT_TEST_REPORT(const RuntimeEnvironment *RR,const S } RR->node->postCircuitTestReport(&report); - - peer->received(_path,hops(),packetId(),Packet::VERB_CIRCUIT_TEST_REPORT,0,Packet::VERB_NOP,false); } catch ( ... ) { - TRACE("dropped CIRCUIT_TEST_REPORT from %s(%s): unexpected exception",source().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped CIRCUIT_TEST_REPORT from %s(%s): unexpected exception",source().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } @@ -1424,20 +1208,8 @@ bool IncomingPacket::_doCIRCUIT_TEST_REPORT(const RuntimeEnvironment *RR,const S bool IncomingPacket::_doREQUEST_PROOF_OF_WORK(const RuntimeEnvironment *RR,const SharedPtr &peer) { try { - // If this were allowed from anyone, it would itself be a DOS vector. Right - // now we only allow it from roots and controllers of networks you have joined. - bool allowed = RR->topology->isUpstream(peer->identity()); - if (!allowed) { - std::vector< SharedPtr > allNetworks(RR->node->allNetworks()); - for(std::vector< SharedPtr >::const_iterator n(allNetworks.begin());n!=allNetworks.end();++n) { - if (peer->address() == (*n)->controller()) { - allowed = true; - break; - } - } - } - - if (allowed) { + // Right now this is only allowed from root servers -- may be allowed from controllers and relays later. + if (RR->topology->isRoot(peer->identity())) { const uint64_t pid = packetId(); const unsigned int difficulty = (*this)[ZT_PACKET_IDX_PAYLOAD + 1]; const unsigned int challengeLength = at(ZT_PACKET_IDX_PAYLOAD + 2); @@ -1459,46 +1231,32 @@ bool IncomingPacket::_doREQUEST_PROOF_OF_WORK(const RuntimeEnvironment *RR,const outp.append((uint16_t)sizeof(result)); outp.append(result,sizeof(result)); outp.armor(peer->key(),true); - _path->send(RR,outp.data(),outp.size(),RR->node->now()); + RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } else { Packet outp(peer->address(),RR->identity.address(),Packet::VERB_ERROR); outp.append((unsigned char)Packet::VERB_REQUEST_PROOF_OF_WORK); outp.append(pid); outp.append((unsigned char)Packet::ERROR_INVALID_REQUEST); outp.armor(peer->key(),true); - _path->send(RR,outp.data(),outp.size(),RR->node->now()); + RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); } } break; default: - TRACE("dropped REQUEST_PROOF_OF_WORK from %s(%s): unrecognized proof of work type",peer->address().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped REQUEST_PROOF_OF_WORK from %s(%s): unrecognized proof of work type",peer->address().toString().c_str(),_remoteAddress.toString().c_str()); break; } - peer->received(_path,hops(),pid,Packet::VERB_REQUEST_PROOF_OF_WORK,0,Packet::VERB_NOP,false); + peer->received(_localAddress,_remoteAddress,hops(),pid,Packet::VERB_REQUEST_PROOF_OF_WORK,0,Packet::VERB_NOP); } else { - TRACE("dropped REQUEST_PROOF_OF_WORK from %s(%s): not trusted enough",peer->address().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped REQUEST_PROOF_OF_WORK from %s(%s): not trusted enough",peer->address().toString().c_str(),_remoteAddress.toString().c_str()); } } catch ( ... ) { - TRACE("dropped REQUEST_PROOF_OF_WORK from %s(%s): unexpected exception",peer->address().toString().c_str(),_path->address().toString().c_str()); + TRACE("dropped REQUEST_PROOF_OF_WORK from %s(%s): unexpected exception",peer->address().toString().c_str(),_remoteAddress.toString().c_str()); } return true; } -void IncomingPacket::_sendErrorNeedCredentials(const RuntimeEnvironment *RR,const SharedPtr &peer,const uint64_t nwid) -{ - const uint64_t now = RR->node->now(); - if (peer->rateGateOutgoingComRequest(now)) { - Packet outp(source(),RR->identity.address(),Packet::VERB_ERROR); - outp.append((uint8_t)verb()); - outp.append(packetId()); - outp.append((uint8_t)Packet::ERROR_NEED_MEMBERSHIP_CERTIFICATE); - outp.append(nwid); - outp.armor(peer->key(),true); - _path->send(RR,outp.data(),outp.size(),now); - } -} - void IncomingPacket::computeSalsa2012Sha512ProofOfWork(unsigned int difficulty,const void *challenge,unsigned int challengeLength,unsigned char result[16]) { unsigned char salsabuf[131072]; // 131072 == protocol constant, size of memory buffer for this proof of work function @@ -1577,4 +1335,15 @@ bool IncomingPacket::testSalsa2012Sha512ProofOfWorkResult(unsigned int difficult return true; } +void IncomingPacket::_sendErrorNeedCertificate(const RuntimeEnvironment *RR,const SharedPtr &peer,uint64_t nwid) +{ + Packet outp(source(),RR->identity.address(),Packet::VERB_ERROR); + outp.append((unsigned char)verb()); + outp.append(packetId()); + outp.append((unsigned char)Packet::ERROR_NEED_MEMBERSHIP_CERTIFICATE); + outp.append(nwid); + outp.armor(peer->key(),true); + RR->node->putPacket(_localAddress,_remoteAddress,outp.data(),outp.size()); +} + } // namespace ZeroTier diff --git a/zerotierone/node/IncomingPacket.hpp b/zerotierone/node/IncomingPacket.hpp index c363221..96e46c0 100644 --- a/zerotierone/node/IncomingPacket.hpp +++ b/zerotierone/node/IncomingPacket.hpp @@ -22,7 +22,7 @@ #include #include "Packet.hpp" -#include "Path.hpp" +#include "InetAddress.hpp" #include "Utils.hpp" #include "MulticastGroup.hpp" #include "Peer.hpp" @@ -56,40 +56,59 @@ class IncomingPacket : public Packet public: IncomingPacket() : Packet(), - _receiveTime(0) + _receiveTime(0), + _localAddress(), + _remoteAddress() { } + IncomingPacket(const IncomingPacket &p) + { + // All fields including InetAddress are memcpy'able + memcpy(this,&p,sizeof(IncomingPacket)); + } + /** * Create a new packet-in-decode * * @param data Packet data * @param len Packet length - * @param path Path over which packet arrived + * @param localAddress Local interface address + * @param remoteAddress Address from which packet came * @param now Current time * @throws std::out_of_range Range error processing packet */ - IncomingPacket(const void *data,unsigned int len,const SharedPtr &path,uint64_t now) : - Packet(data,len), - _receiveTime(now), - _path(path) + IncomingPacket(const void *data,unsigned int len,const InetAddress &localAddress,const InetAddress &remoteAddress,uint64_t now) : + Packet(data,len), + _receiveTime(now), + _localAddress(localAddress), + _remoteAddress(remoteAddress) { } + inline IncomingPacket &operator=(const IncomingPacket &p) + { + // All fields including InetAddress are memcpy'able + memcpy(this,&p,sizeof(IncomingPacket)); + return *this; + } + /** * Init packet-in-decode in place * * @param data Packet data * @param len Packet length - * @param path Path over which packet arrived + * @param localAddress Local interface address + * @param remoteAddress Address from which packet came * @param now Current time * @throws std::out_of_range Range error processing packet */ - inline void init(const void *data,unsigned int len,const SharedPtr &path,uint64_t now) + inline void init(const void *data,unsigned int len,const InetAddress &localAddress,const InetAddress &remoteAddress,uint64_t now) { copyFrom(data,len); _receiveTime = now; - _path = path; + _localAddress = localAddress; + _remoteAddress = remoteAddress; } /** @@ -99,12 +118,21 @@ public: * about whether the packet was valid. A rejection is 'complete.' * * Once true is returned, this must not be called again. The packet's state - * may no longer be valid. + * may no longer be valid. The only exception is deferred decoding. In this + * case true is returned to indicate to the normal decode path that it is + * finished with the packet. The packet will have added itself to the + * deferred queue and will expect tryDecode() to be called one more time + * with deferred set to true. + * + * Deferred decoding is performed by DeferredPackets.cpp and should not be + * done elsewhere. Under deferred decoding packets only get one shot and + * so the return value of tryDecode() is ignored. * * @param RR Runtime environment + * @param deferred If true, this is a deferred decode and the return is ignored * @return True if decoding and processing is complete, false if caller should try again */ - bool tryDecode(const RuntimeEnvironment *RR); + bool tryDecode(const RuntimeEnvironment *RR,bool deferred); /** * @return Time of packet receipt / start of decode @@ -136,7 +164,7 @@ private: // These are called internally to handle packet contents once it has // been authenticated, decrypted, decompressed, and classified. bool _doERROR(const RuntimeEnvironment *RR,const SharedPtr &peer); - bool _doHELLO(const RuntimeEnvironment *RR,const bool alreadyAuthenticated); + bool _doHELLO(const RuntimeEnvironment *RR,SharedPtr &peer); // can be called with NULL peer, while all others cannot bool _doOK(const RuntimeEnvironment *RR,const SharedPtr &peer); bool _doWHOIS(const RuntimeEnvironment *RR,const SharedPtr &peer); bool _doRENDEZVOUS(const RuntimeEnvironment *RR,const SharedPtr &peer); @@ -144,9 +172,9 @@ private: bool _doEXT_FRAME(const RuntimeEnvironment *RR,const SharedPtr &peer); bool _doECHO(const RuntimeEnvironment *RR,const SharedPtr &peer); bool _doMULTICAST_LIKE(const RuntimeEnvironment *RR,const SharedPtr &peer); - bool _doNETWORK_CREDENTIALS(const RuntimeEnvironment *RR,const SharedPtr &peer); + bool _doNETWORK_MEMBERSHIP_CERTIFICATE(const RuntimeEnvironment *RR,const SharedPtr &peer); bool _doNETWORK_CONFIG_REQUEST(const RuntimeEnvironment *RR,const SharedPtr &peer); - bool _doNETWORK_CONFIG(const RuntimeEnvironment *RR,const SharedPtr &peer); + bool _doNETWORK_CONFIG_REFRESH(const RuntimeEnvironment *RR,const SharedPtr &peer); bool _doMULTICAST_GATHER(const RuntimeEnvironment *RR,const SharedPtr &peer); bool _doMULTICAST_FRAME(const RuntimeEnvironment *RR,const SharedPtr &peer); bool _doPUSH_DIRECT_PATHS(const RuntimeEnvironment *RR,const SharedPtr &peer); @@ -154,10 +182,12 @@ private: bool _doCIRCUIT_TEST_REPORT(const RuntimeEnvironment *RR,const SharedPtr &peer); bool _doREQUEST_PROOF_OF_WORK(const RuntimeEnvironment *RR,const SharedPtr &peer); - void _sendErrorNeedCredentials(const RuntimeEnvironment *RR,const SharedPtr &peer,const uint64_t nwid); + // Send an ERROR_NEED_MEMBERSHIP_CERTIFICATE to a peer indicating that an updated cert is needed to communicate + void _sendErrorNeedCertificate(const RuntimeEnvironment *RR,const SharedPtr &peer,uint64_t nwid); uint64_t _receiveTime; - SharedPtr _path; + InetAddress _localAddress; + InetAddress _remoteAddress; }; } // namespace ZeroTier diff --git a/zerotierone/node/InetAddress.cpp b/zerotierone/node/InetAddress.cpp index 1244690..dca772e 100644 --- a/zerotierone/node/InetAddress.cpp +++ b/zerotierone/node/InetAddress.cpp @@ -113,7 +113,7 @@ void InetAddress::set(const std::string &ip,unsigned int port) sin6->sin6_port = Utils::hton((uint16_t)port); if (inet_pton(AF_INET6,ip.c_str(),(void *)&(sin6->sin6_addr.s6_addr)) <= 0) memset(this,0,sizeof(InetAddress)); - } else if (ip.find('.') != std::string::npos) { + } else { struct sockaddr_in *sin = reinterpret_cast(this); ss_family = AF_INET; sin->sin_port = Utils::hton((uint16_t)port); @@ -279,8 +279,6 @@ bool InetAddress::containsAddress(const InetAddress &addr) const switch(ss_family) { case AF_INET: { const unsigned int bits = netmaskBits(); - if (bits == 0) - return true; return ( (Utils::ntoh((uint32_t)reinterpret_cast(&addr)->sin_addr.s_addr) >> (32 - bits)) == (Utils::ntoh((uint32_t)reinterpret_cast(this)->sin_addr.s_addr) >> (32 - bits)) ); } case AF_INET6: { @@ -395,6 +393,7 @@ bool InetAddress::operator<(const InetAddress &a) const } InetAddress InetAddress::makeIpv6LinkLocal(const MAC &mac) + throw() { struct sockaddr_in6 sin6; sin6.sin6_family = AF_INET6; @@ -419,6 +418,7 @@ InetAddress InetAddress::makeIpv6LinkLocal(const MAC &mac) } InetAddress InetAddress::makeIpv6rfc4193(uint64_t nwid,uint64_t zeroTierAddress) + throw() { InetAddress r; struct sockaddr_in6 *const sin6 = reinterpret_cast(&r); @@ -443,25 +443,4 @@ InetAddress InetAddress::makeIpv6rfc4193(uint64_t nwid,uint64_t zeroTierAddress) return r; } -InetAddress InetAddress::makeIpv66plane(uint64_t nwid,uint64_t zeroTierAddress) -{ - nwid ^= (nwid >> 32); - InetAddress r; - struct sockaddr_in6 *const sin6 = reinterpret_cast(&r); - sin6->sin6_family = AF_INET6; - sin6->sin6_addr.s6_addr[0] = 0xfc; - sin6->sin6_addr.s6_addr[1] = (uint8_t)(nwid >> 24); - sin6->sin6_addr.s6_addr[2] = (uint8_t)(nwid >> 16); - sin6->sin6_addr.s6_addr[3] = (uint8_t)(nwid >> 8); - sin6->sin6_addr.s6_addr[4] = (uint8_t)nwid; - sin6->sin6_addr.s6_addr[5] = (uint8_t)(zeroTierAddress >> 32); - sin6->sin6_addr.s6_addr[6] = (uint8_t)(zeroTierAddress >> 24); - sin6->sin6_addr.s6_addr[7] = (uint8_t)(zeroTierAddress >> 16); - sin6->sin6_addr.s6_addr[8] = (uint8_t)(zeroTierAddress >> 8); - sin6->sin6_addr.s6_addr[9] = (uint8_t)zeroTierAddress; - sin6->sin6_addr.s6_addr[15] = 0x01; - sin6->sin6_port = Utils::hton((uint16_t)40); - return r; -} - } // namespace ZeroTier diff --git a/zerotierone/node/InetAddress.hpp b/zerotierone/node/InetAddress.hpp index 6f070fb..b60a5a3 100644 --- a/zerotierone/node/InetAddress.hpp +++ b/zerotierone/node/InetAddress.hpp @@ -231,6 +231,7 @@ struct InetAddress : public sockaddr_storage * @param port Port, 0 to 65535 */ inline void setPort(unsigned int port) + throw() { switch(ss_family) { case AF_INET: @@ -242,25 +243,6 @@ struct InetAddress : public sockaddr_storage } } - /** - * @return True if this network/netmask route describes a default route (e.g. 0.0.0.0/0) - */ - inline bool isDefaultRoute() const - { - switch(ss_family) { - case AF_INET: - return ( (reinterpret_cast(this)->sin_addr.s_addr == 0) && (reinterpret_cast(this)->sin_port == 0) ); - case AF_INET6: - const uint8_t *ipb = reinterpret_cast(reinterpret_cast(this)->sin6_addr.s6_addr); - for(int i=0;i<16;++i) { - if (ipb[i]) - return false; - } - return (reinterpret_cast(this)->sin6_port == 0); - } - return false; - } - /** * @return ASCII IP/port format representation */ @@ -300,19 +282,6 @@ struct InetAddress : public sockaddr_storage */ inline unsigned int netmaskBits() const throw() { return port(); } - /** - * @return True if netmask bits is valid for the address type - */ - inline bool netmaskBitsValid() const - { - const unsigned int n = port(); - switch(ss_family) { - case AF_INET: return (n <= 32); - case AF_INET6: return (n <= 128); - } - return false; - } - /** * Alias for port() * @@ -369,6 +338,7 @@ struct InetAddress : public sockaddr_storage * @return pointer to raw address bytes or NULL if not available */ inline const void *rawIpData() const + throw() { switch(ss_family) { case AF_INET: return (const void *)&(reinterpret_cast(this)->sin_addr.s_addr); @@ -377,25 +347,6 @@ struct InetAddress : public sockaddr_storage } } - /** - * @return InetAddress containing only the IP portion of this address and a zero port, or NULL if not IPv4 or IPv6 - */ - inline InetAddress ipOnly() const - { - InetAddress r; - switch(ss_family) { - case AF_INET: - r.ss_family = AF_INET; - reinterpret_cast(&r)->sin_addr.s_addr = reinterpret_cast(this)->sin_addr.s_addr; - break; - case AF_INET6: - r.ss_family = AF_INET6; - memcpy(reinterpret_cast(&r)->sin6_addr.s6_addr,reinterpret_cast(this)->sin6_addr.s6_addr,16); - break; - } - return r; - } - /** * Performs an IP-only comparison or, if that is impossible, a memcmp() * @@ -414,25 +365,6 @@ struct InetAddress : public sockaddr_storage return false; } - inline unsigned long hashCode() const - { - if (ss_family == AF_INET) { - return ((unsigned long)reinterpret_cast(this)->sin_addr.s_addr + (unsigned long)reinterpret_cast(this)->sin_port); - } else if (ss_family == AF_INET6) { - unsigned long tmp = reinterpret_cast(this)->sin6_port; - const uint8_t *a = reinterpret_cast(reinterpret_cast(this)->sin6_addr.s6_addr); - for(long i=0;i<16;++i) - reinterpret_cast(&tmp)[i % sizeof(tmp)] ^= a[i]; - return tmp; - } else { - unsigned long tmp = reinterpret_cast(this)->sin6_port; - const uint8_t *a = reinterpret_cast(this); - for(long i=0;i(&tmp)[i % sizeof(tmp)] ^= a[i]; - return tmp; - } - } - /** * Set to null/zero */ @@ -521,7 +453,8 @@ struct InetAddress : public sockaddr_storage * @param mac MAC address seed * @return IPv6 link-local address */ - static InetAddress makeIpv6LinkLocal(const MAC &mac); + static InetAddress makeIpv6LinkLocal(const MAC &mac) + throw(); /** * Compute private IPv6 unicast address from network ID and ZeroTier address @@ -564,12 +497,8 @@ struct InetAddress : public sockaddr_storage * @param zeroTierAddress 40-bit device address (in least significant 40 bits, highest 24 bits ignored) * @return IPv6 private unicast address with /88 netmask */ - static InetAddress makeIpv6rfc4193(uint64_t nwid,uint64_t zeroTierAddress); - - /** - * Compute a private IPv6 "6plane" unicast address from network ID and ZeroTier address - */ - static InetAddress makeIpv66plane(uint64_t nwid,uint64_t zeroTierAddress); + static InetAddress makeIpv6rfc4193(uint64_t nwid,uint64_t zeroTierAddress) + throw(); }; } // namespace ZeroTier diff --git a/zerotierone/node/MulticastGroup.hpp b/zerotierone/node/MulticastGroup.hpp index be4e808..dbf3899 100644 --- a/zerotierone/node/MulticastGroup.hpp +++ b/zerotierone/node/MulticastGroup.hpp @@ -60,6 +60,16 @@ public: { } + MulticastGroup(const char *s) + { + fromString(s); + } + + MulticastGroup(const std::string &s) + { + fromString(s.c_str()); + } + /** * Derive the multicast group used for address resolution (ARP/NDP) for an IP * @@ -96,6 +106,22 @@ public: return std::string(buf); } + /** + * Parse a human-readable multicast group + * + * @param s Multicast group in hex MAC/ADI format + */ + inline void fromString(const char *s) + { + char hex[17]; + unsigned int hexlen = 0; + while ((*s)&&(*s != '/')&&(hexlen < (sizeof(hex) - 1))) + hex[hexlen++] = *s; + hex[hexlen] = (char)0; + _mac.fromString(hex); + _adi = (*s == '/') ? (uint32_t)Utils::hexStrToULong(s + 1) : (uint32_t)0; + } + /** * @return Multicast address */ diff --git a/zerotierone/node/Multicaster.cpp b/zerotierone/node/Multicaster.cpp index 8743e8f..1dfa67d 100644 --- a/zerotierone/node/Multicaster.cpp +++ b/zerotierone/node/Multicaster.cpp @@ -34,8 +34,8 @@ namespace ZeroTier { Multicaster::Multicaster(const RuntimeEnvironment *renv) : RR(renv), - _groups(256), - _gatherAuth(256) + _groups(1024), + _groups_m() { } @@ -152,10 +152,10 @@ std::vector

Multicaster::getMembers(uint64_t nwid,const MulticastGroup } void Multicaster::send( + const CertificateOfMembership *com, unsigned int limit, uint64_t now, uint64_t nwid, - bool disableCompression, const std::vector
&alwaysSendTo, const MulticastGroup &mg, const MAC &src, @@ -194,7 +194,7 @@ void Multicaster::send( RR, now, nwid, - disableCompression, + com, limit, 1, // we'll still gather a little from peers to keep multicast list fresh src, @@ -226,38 +226,33 @@ void Multicaster::send( if ((gs.members.empty())||((now - gs.lastExplicitGather) >= ZT_MULTICAST_EXPLICIT_GATHER_DELAY)) { gs.lastExplicitGather = now; + SharedPtr explicitGatherPeers[2]; + explicitGatherPeers[0] = RR->topology->getBestRoot(); + explicitGatherPeers[1] = RR->topology->getPeer(Network::controllerFor(nwid)); + for(unsigned int k=0;k<2;++k) { + const SharedPtr &p = explicitGatherPeers[k]; + if (!p) + continue; + //TRACE(">>MC upstream GATHER up to %u for group %.16llx/%s",gatherLimit,nwid,mg.toString().c_str()); - Address explicitGatherPeers[16]; - unsigned int numExplicitGatherPeers = 0; - SharedPtr bestRoot(RR->topology->getBestRoot()); - if (bestRoot) - explicitGatherPeers[numExplicitGatherPeers++] = bestRoot->address(); - explicitGatherPeers[numExplicitGatherPeers++] = Network::controllerFor(nwid); - SharedPtr network(RR->node->network(nwid)); - if (network) { - std::vector
anchors(network->config().anchors()); - for(std::vector
::const_iterator a(anchors.begin());a!=anchors.end();++a) { - if (*a != RR->identity.address()) { - explicitGatherPeers[numExplicitGatherPeers++] = *a; - if (numExplicitGatherPeers == 16) - break; - } + const CertificateOfMembership *com = (CertificateOfMembership *)0; + { + SharedPtr nw(RR->node->network(nwid)); + if ((nw)&&(nw->hasConfig())&&(nw->config().com)&&(nw->config().isPrivate())&&(p->needsOurNetworkMembershipCertificate(nwid,now,true))) + com = &(nw->config().com); } - } - for(unsigned int k=0;kconfig().com) ? &(network->config().com) : (const CertificateOfMembership *)0) : (const CertificateOfMembership *)0; - Packet outp(explicitGatherPeers[k],RR->identity.address(),Packet::VERB_MULTICAST_GATHER); + Packet outp(p->address(),RR->identity.address(),Packet::VERB_MULTICAST_GATHER); outp.append(nwid); - outp.append((uint8_t)((com) ? 0x01 : 0x00)); + outp.append((uint8_t)(com ? 0x01 : 0x00)); mg.mac().appendTo(outp); outp.append((uint32_t)mg.adi()); outp.append((uint32_t)gatherLimit); if (com) com->serialize(outp); - RR->node->expectReplyTo(outp.packetId()); - RR->sw->send(outp,true); + RR->sw->send(outp,true,0); } + gatherLimit = 0; } gs.txQueue.push_back(OutboundMulticast()); @@ -267,7 +262,7 @@ void Multicaster::send( RR, now, nwid, - disableCompression, + com, limit, gatherLimit, src, @@ -304,62 +299,42 @@ void Multicaster::send( void Multicaster::clean(uint64_t now) { - { - Mutex::Lock _l(_groups_m); - Multicaster::Key *k = (Multicaster::Key *)0; - MulticastGroupStatus *s = (MulticastGroupStatus *)0; - Hashtable::Iterator mm(_groups); - while (mm.next(k,s)) { - for(std::list::iterator tx(s->txQueue.begin());tx!=s->txQueue.end();) { - if ((tx->expired(now))||(tx->atLimit())) - s->txQueue.erase(tx++); - else ++tx; - } + Mutex::Lock _l(_groups_m); - unsigned long count = 0; - { - std::vector::iterator reader(s->members.begin()); - std::vector::iterator writer(reader); - while (reader != s->members.end()) { - if ((now - reader->timestamp) < ZT_MULTICAST_LIKE_EXPIRE) { - *writer = *reader; - ++writer; - ++count; - } - ++reader; + Multicaster::Key *k = (Multicaster::Key *)0; + MulticastGroupStatus *s = (MulticastGroupStatus *)0; + Hashtable::Iterator mm(_groups); + while (mm.next(k,s)) { + for(std::list::iterator tx(s->txQueue.begin());tx!=s->txQueue.end();) { + if ((tx->expired(now))||(tx->atLimit())) + s->txQueue.erase(tx++); + else ++tx; + } + + unsigned long count = 0; + { + std::vector::iterator reader(s->members.begin()); + std::vector::iterator writer(reader); + while (reader != s->members.end()) { + if ((now - reader->timestamp) < ZT_MULTICAST_LIKE_EXPIRE) { + *writer = *reader; + ++writer; + ++count; } - } - - if (count) { - s->members.resize(count); - } else if (s->txQueue.empty()) { - _groups.erase(*k); - } else { - s->members.clear(); + ++reader; } } - } - { - Mutex::Lock _l(_gatherAuth_m); - _GatherAuthKey *k = (_GatherAuthKey *)0; - uint64_t *ts = (uint64_t *)ts; - Hashtable<_GatherAuthKey,uint64_t>::Iterator i(_gatherAuth); - while (i.next(k,ts)) { - if ((now - *ts) >= ZT_MULTICAST_CREDENTIAL_EXPIRATON) - _gatherAuth.erase(*k); + if (count) { + s->members.resize(count); + } else if (s->txQueue.empty()) { + _groups.erase(*k); + } else { + s->members.clear(); } } } -void Multicaster::addCredential(const CertificateOfMembership &com,bool alreadyValidated) -{ - if ((alreadyValidated)||(com.verify(RR) == 0)) { - Mutex::Lock _l(_gatherAuth_m); - _gatherAuth[_GatherAuthKey(com.networkId(),com.issuedTo())] = RR->node->now(); - } -} - void Multicaster::_add(uint64_t now,uint64_t nwid,const MulticastGroup &mg,MulticastGroupStatus &gs,const Address &member) { // assumes _groups_m is locked diff --git a/zerotierone/node/Multicaster.hpp b/zerotierone/node/Multicaster.hpp index 5c94cd3..c43c8d9 100644 --- a/zerotierone/node/Multicaster.hpp +++ b/zerotierone/node/Multicaster.hpp @@ -150,10 +150,10 @@ public: /** * Send a multicast * + * @param com Certificate of membership to include or NULL for none * @param limit Multicast limit * @param now Current time * @param nwid Network ID - * @param disableCompression Disable packet payload compression? * @param alwaysSendTo Send to these peers first and even if not included in subscriber list * @param mg Multicast group * @param src Source Ethernet MAC address or NULL to skip in packet and compute from ZT address (non-bridged mode) @@ -162,10 +162,10 @@ public: * @param len Length of packet data */ void send( + const CertificateOfMembership *com, unsigned int limit, uint64_t now, uint64_t nwid, - bool disableCompression, const std::vector
&alwaysSendTo, const MulticastGroup &mg, const MAC &src, @@ -181,52 +181,12 @@ public: */ void clean(uint64_t now); - /** - * Add an authorization credential - * - * The Multicaster keeps its own track of when valid credentials of network - * membership are presented. This allows it to control MULTICAST_LIKE - * GATHER authorization for networks this node does not belong to. - * - * @param com Certificate of membership - * @param alreadyValidated If true, COM has already been checked and found to be valid and signed - */ - void addCredential(const CertificateOfMembership &com,bool alreadyValidated); - - /** - * Check authorization for GATHER and LIKE for non-network-members - * - * @param a Address of peer - * @param nwid Network ID - * @param now Current time - * @return True if GATHER and LIKE should be allowed - */ - bool cacheAuthorized(const Address &a,const uint64_t nwid,const uint64_t now) const - { - Mutex::Lock _l(_gatherAuth_m); - const uint64_t *p = _gatherAuth.get(_GatherAuthKey(nwid,a)); - return ((p)&&((now - *p) < ZT_MULTICAST_CREDENTIAL_EXPIRATON)); - } - private: void _add(uint64_t now,uint64_t nwid,const MulticastGroup &mg,MulticastGroupStatus &gs,const Address &member); const RuntimeEnvironment *RR; - Hashtable _groups; Mutex _groups_m; - - struct _GatherAuthKey - { - _GatherAuthKey() : member(0),networkId(0) {} - _GatherAuthKey(const uint64_t nwid,const Address &a) : member(a.toInt()),networkId(nwid) {} - inline unsigned long hashCode() const { return (member ^ networkId); } - inline bool operator==(const _GatherAuthKey &k) const { return ((member == k.member)&&(networkId == k.networkId)); } - uint64_t member; - uint64_t networkId; - }; - Hashtable< _GatherAuthKey,uint64_t > _gatherAuth; - Mutex _gatherAuth_m; }; } // namespace ZeroTier diff --git a/zerotierone/node/Network.cpp b/zerotierone/node/Network.cpp index 52abbcf..c1c3414 100644 --- a/zerotierone/node/Network.cpp +++ b/zerotierone/node/Network.cpp @@ -22,585 +22,59 @@ #include #include "Constants.hpp" -#include "../version.h" #include "Network.hpp" #include "RuntimeEnvironment.hpp" -#include "MAC.hpp" -#include "Address.hpp" -#include "InetAddress.hpp" #include "Switch.hpp" -#include "Buffer.hpp" #include "Packet.hpp" +#include "Buffer.hpp" #include "NetworkController.hpp" #include "Node.hpp" -#include "Peer.hpp" -// Uncomment to make the rules engine dump trace info to stdout -//#define ZT_RULES_ENGINE_DEBUGGING 1 +#include "../version.h" namespace ZeroTier { -namespace { - -#ifdef ZT_RULES_ENGINE_DEBUGGING -#define FILTER_TRACE(f,...) { Utils::snprintf(dpbuf,sizeof(dpbuf),f,##__VA_ARGS__); dlog.push_back(std::string(dpbuf)); } -static const char *_rtn(const ZT_VirtualNetworkRuleType rt) -{ - switch(rt) { - case ZT_NETWORK_RULE_ACTION_DROP: return "ACTION_DROP"; - case ZT_NETWORK_RULE_ACTION_ACCEPT: return "ACTION_ACCEPT"; - case ZT_NETWORK_RULE_ACTION_TEE: return "ACTION_TEE"; - case ZT_NETWORK_RULE_ACTION_WATCH: return "ACTION_WATCH"; - case ZT_NETWORK_RULE_ACTION_REDIRECT: return "ACTION_REDIRECT"; - case ZT_NETWORK_RULE_ACTION_DEBUG_LOG: return "ACTION_DEBUG_LOG"; - case ZT_NETWORK_RULE_MATCH_SOURCE_ZEROTIER_ADDRESS: return "MATCH_SOURCE_ZEROTIER_ADDRESS"; - case ZT_NETWORK_RULE_MATCH_DEST_ZEROTIER_ADDRESS: return "MATCH_DEST_ZEROTIER_ADDRESS"; - case ZT_NETWORK_RULE_MATCH_VLAN_ID: return "MATCH_VLAN_ID"; - case ZT_NETWORK_RULE_MATCH_VLAN_PCP: return "MATCH_VLAN_PCP"; - case ZT_NETWORK_RULE_MATCH_VLAN_DEI: return "MATCH_VLAN_DEI"; - case ZT_NETWORK_RULE_MATCH_ETHERTYPE: return "MATCH_ETHERTYPE"; - case ZT_NETWORK_RULE_MATCH_MAC_SOURCE: return "MATCH_MAC_SOURCE"; - case ZT_NETWORK_RULE_MATCH_MAC_DEST: return "MATCH_MAC_DEST"; - case ZT_NETWORK_RULE_MATCH_IPV4_SOURCE: return "MATCH_IPV4_SOURCE"; - case ZT_NETWORK_RULE_MATCH_IPV4_DEST: return "MATCH_IPV4_DEST"; - case ZT_NETWORK_RULE_MATCH_IPV6_SOURCE: return "MATCH_IPV6_SOURCE"; - case ZT_NETWORK_RULE_MATCH_IPV6_DEST: return "MATCH_IPV6_DEST"; - case ZT_NETWORK_RULE_MATCH_IP_TOS: return "MATCH_IP_TOS"; - case ZT_NETWORK_RULE_MATCH_IP_PROTOCOL: return "MATCH_IP_PROTOCOL"; - case ZT_NETWORK_RULE_MATCH_ICMP: return "MATCH_ICMP"; - case ZT_NETWORK_RULE_MATCH_IP_SOURCE_PORT_RANGE: return "MATCH_IP_SOURCE_PORT_RANGE"; - case ZT_NETWORK_RULE_MATCH_IP_DEST_PORT_RANGE: return "MATCH_IP_DEST_PORT_RANGE"; - case ZT_NETWORK_RULE_MATCH_CHARACTERISTICS: return "MATCH_CHARACTERISTICS"; - case ZT_NETWORK_RULE_MATCH_FRAME_SIZE_RANGE: return "MATCH_FRAME_SIZE_RANGE"; - case ZT_NETWORK_RULE_MATCH_TAGS_DIFFERENCE: return "MATCH_TAGS_DIFFERENCE"; - case ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_AND: return "MATCH_TAGS_BITWISE_AND"; - case ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_OR: return "MATCH_TAGS_BITWISE_OR"; - case ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_XOR: return "MATCH_TAGS_BITWISE_XOR"; - default: return "???"; - } -} -static const void _dumpFilterTrace(const char *ruleName,uint8_t thisSetMatches,bool inbound,const Address &ztSource,const Address &ztDest,const MAC &macSource,const MAC &macDest,const std::vector &dlog,unsigned int frameLen,unsigned int etherType,const char *msg) -{ - static volatile unsigned long cnt = 0; - printf("%.6lu %c %s %s frameLen=%u etherType=%u" ZT_EOL_S, - cnt++, - ((thisSetMatches) ? 'Y' : '.'), - ruleName, - ((inbound) ? "INBOUND" : "OUTBOUND"), - frameLen, - etherType - ); - for(std::vector::const_iterator m(dlog.begin());m!=dlog.end();++m) - printf(" | %s" ZT_EOL_S,m->c_str()); - printf(" + %c %s->%s %.2x:%.2x:%.2x:%.2x:%.2x:%.2x->%.2x:%.2x:%.2x:%.2x:%.2x:%.2x" ZT_EOL_S, - ((thisSetMatches) ? 'Y' : '.'), - ztSource.toString().c_str(), - ztDest.toString().c_str(), - (unsigned int)macSource[0], - (unsigned int)macSource[1], - (unsigned int)macSource[2], - (unsigned int)macSource[3], - (unsigned int)macSource[4], - (unsigned int)macSource[5], - (unsigned int)macDest[0], - (unsigned int)macDest[1], - (unsigned int)macDest[2], - (unsigned int)macDest[3], - (unsigned int)macDest[4], - (unsigned int)macDest[5] - ); - if (msg) - printf(" + (%s)" ZT_EOL_S,msg); -} -#else -#define FILTER_TRACE(f,...) {} -#endif // ZT_RULES_ENGINE_DEBUGGING - -// Returns true if packet appears valid; pos and proto will be set -static bool _ipv6GetPayload(const uint8_t *frameData,unsigned int frameLen,unsigned int &pos,unsigned int &proto) -{ - if (frameLen < 40) - return false; - pos = 40; - proto = frameData[6]; - while (pos <= frameLen) { - switch(proto) { - case 0: // hop-by-hop options - case 43: // routing - case 60: // destination options - case 135: // mobility options - if ((pos + 8) > frameLen) - return false; // invalid! - proto = frameData[pos]; - pos += ((unsigned int)frameData[pos + 1] * 8) + 8; - break; - - //case 44: // fragment -- we currently can't parse these and they are deprecated in IPv6 anyway - //case 50: - //case 51: // IPSec ESP and AH -- we have to stop here since this is encrypted stuff - default: - return true; - } - } - return false; // overflow == invalid -} - -enum _doZtFilterResult -{ - DOZTFILTER_NO_MATCH, - DOZTFILTER_DROP, - DOZTFILTER_REDIRECT, - DOZTFILTER_ACCEPT, - DOZTFILTER_SUPER_ACCEPT -}; -static _doZtFilterResult _doZtFilter( - const RuntimeEnvironment *RR, - const NetworkConfig &nconf, - const Membership *membership, // can be NULL - const bool inbound, - const Address &ztSource, - Address &ztDest, // MUTABLE -- is changed on REDIRECT actions - const MAC &macSource, - const MAC &macDest, - const uint8_t *const frameData, - const unsigned int frameLen, - const unsigned int etherType, - const unsigned int vlanId, - const ZT_VirtualNetworkRule *rules, // cannot be NULL - const unsigned int ruleCount, - Address &cc, // MUTABLE -- set to TEE destination if TEE action is taken or left alone otherwise - unsigned int &ccLength, // MUTABLE -- set to length of packet payload to TEE - bool &ccWatch) // MUTABLE -- set to true for WATCH target as opposed to normal TEE -{ -#ifdef ZT_RULES_ENGINE_DEBUGGING - char dpbuf[1024]; // used by FILTER_TRACE macro - std::vector dlog; -#endif // ZT_RULES_ENGINE_DEBUGGING - - // The default match state for each set of entries starts as 'true' since an - // ACTION with no MATCH entries preceding it is always taken. - uint8_t thisSetMatches = 1; - - for(unsigned int rn=0;rnidentity.address()) { - if (inbound) { -#ifdef ZT_RULES_ENGINE_DEBUGGING - _dumpFilterTrace(_rtn(rt),thisSetMatches,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,"interpreted as super-ACCEPT on inbound since we are target"); -#endif // ZT_RULES_ENGINE_DEBUGGING - return DOZTFILTER_SUPER_ACCEPT; - } else { -#ifdef ZT_RULES_ENGINE_DEBUGGING - _dumpFilterTrace(_rtn(rt),thisSetMatches,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,"skipped as no-op on outbound since we are target"); - dlog.clear(); -#endif // ZT_RULES_ENGINE_DEBUGGING - } - } else if (fwdAddr == ztDest) { -#ifdef ZT_RULES_ENGINE_DEBUGGING - _dumpFilterTrace(_rtn(rt),thisSetMatches,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,"skipped as no-op because destination is already target"); - dlog.clear(); -#endif // ZT_RULES_ENGINE_DEBUGGING - } else { - if (rt == ZT_NETWORK_RULE_ACTION_REDIRECT) { -#ifdef ZT_RULES_ENGINE_DEBUGGING - _dumpFilterTrace("ACTION_REDIRECT",thisSetMatches,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,(const char *)0); -#endif // ZT_RULES_ENGINE_DEBUGGING - ztDest = fwdAddr; - return DOZTFILTER_REDIRECT; - } else { -#ifdef ZT_RULES_ENGINE_DEBUGGING - _dumpFilterTrace("ACTION_TEE",thisSetMatches,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,(const char *)0); - dlog.clear(); -#endif // ZT_RULES_ENGINE_DEBUGGING - cc = fwdAddr; - ccLength = (rules[rn].v.fwd.length != 0) ? ((frameLen < (unsigned int)rules[rn].v.fwd.length) ? frameLen : (unsigned int)rules[rn].v.fwd.length) : frameLen; - ccWatch = (rt == ZT_NETWORK_RULE_ACTION_WATCH); - } - } - } continue; - - // This is a no-op that exists for use with rules engine tracing and isn't for use in production - case ZT_NETWORK_RULE_ACTION_DEBUG_LOG: // a no-op target specifically for debugging purposes -#ifdef ZT_RULES_ENGINE_DEBUGGING - _dumpFilterTrace("ACTION_DEBUG_LOG",thisSetMatches,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,(const char *)0); - dlog.clear(); -#endif // ZT_RULES_ENGINE_DEBUGGING - continue; - - // Unrecognized ACTIONs are ignored as no-ops - default: -#ifdef ZT_RULES_ENGINE_DEBUGGING - _dumpFilterTrace(_rtn(rt),thisSetMatches,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,(const char *)0); - dlog.clear(); -#endif // ZT_RULES_ENGINE_DEBUGGING - continue; - } - } else { -#ifdef ZT_RULES_ENGINE_DEBUGGING - _dumpFilterTrace(_rtn(rt),thisSetMatches,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,(const char *)0); - dlog.clear(); -#endif // ZT_RULES_ENGINE_DEBUGGING - thisSetMatches = 1; // reset to default true for next batch of entries - continue; - } - } - - // Circuit breaker: skip further MATCH entries up to next ACTION if match state is false - if (!thisSetMatches) - continue; - - // If this was not an ACTION evaluate next MATCH and update thisSetMatches with (AND [result]) - uint8_t thisRuleMatches = 0; - switch(rt) { - case ZT_NETWORK_RULE_MATCH_SOURCE_ZEROTIER_ADDRESS: - thisRuleMatches = (uint8_t)(rules[rn].v.zt == ztSource.toInt()); - FILTER_TRACE("%u %s %c %.10llx==%.10llx -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),rules[rn].v.zt,ztSource.toInt(),(unsigned int)thisRuleMatches); - break; - case ZT_NETWORK_RULE_MATCH_DEST_ZEROTIER_ADDRESS: - thisRuleMatches = (uint8_t)(rules[rn].v.zt == ztDest.toInt()); - FILTER_TRACE("%u %s %c %.10llx==%.10llx -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),rules[rn].v.zt,ztDest.toInt(),(unsigned int)thisRuleMatches); - break; - case ZT_NETWORK_RULE_MATCH_VLAN_ID: - thisRuleMatches = (uint8_t)(rules[rn].v.vlanId == (uint16_t)vlanId); - FILTER_TRACE("%u %s %c %u==%u -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.vlanId,(unsigned int)vlanId,(unsigned int)thisRuleMatches); - break; - case ZT_NETWORK_RULE_MATCH_VLAN_PCP: - // NOT SUPPORTED YET - thisRuleMatches = (uint8_t)(rules[rn].v.vlanPcp == 0); - FILTER_TRACE("%u %s %c %u==%u -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.vlanPcp,0,(unsigned int)thisRuleMatches); - break; - case ZT_NETWORK_RULE_MATCH_VLAN_DEI: - // NOT SUPPORTED YET - thisRuleMatches = (uint8_t)(rules[rn].v.vlanDei == 0); - FILTER_TRACE("%u %s %c %u==%u -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.vlanDei,0,(unsigned int)thisRuleMatches); - break; - case ZT_NETWORK_RULE_MATCH_ETHERTYPE: - thisRuleMatches = (uint8_t)(rules[rn].v.etherType == (uint16_t)etherType); - FILTER_TRACE("%u %s %c %u==%u -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.etherType,etherType,(unsigned int)thisRuleMatches); - break; - case ZT_NETWORK_RULE_MATCH_MAC_SOURCE: - thisRuleMatches = (uint8_t)(MAC(rules[rn].v.mac,6) == macSource); - FILTER_TRACE("%u %s %c %.12llx=%.12llx -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),rules[rn].v.mac,macSource.toInt(),(unsigned int)thisRuleMatches); - break; - case ZT_NETWORK_RULE_MATCH_MAC_DEST: - thisRuleMatches = (uint8_t)(MAC(rules[rn].v.mac,6) == macDest); - FILTER_TRACE("%u %s %c %.12llx=%.12llx -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),rules[rn].v.mac,macDest.toInt(),(unsigned int)thisRuleMatches); - break; - case ZT_NETWORK_RULE_MATCH_IPV4_SOURCE: - if ((etherType == ZT_ETHERTYPE_IPV4)&&(frameLen >= 20)) { - thisRuleMatches = (uint8_t)(InetAddress((const void *)&(rules[rn].v.ipv4.ip),4,rules[rn].v.ipv4.mask).containsAddress(InetAddress((const void *)(frameData + 12),4,0))); - FILTER_TRACE("%u %s %c %s contains %s -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),InetAddress((const void *)&(rules[rn].v.ipv4.ip),4,rules[rn].v.ipv4.mask).toString().c_str(),InetAddress((const void *)(frameData + 12),4,0).toIpString().c_str(),(unsigned int)thisRuleMatches); - } else { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c [frame not IPv4] -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '=')); - } - break; - case ZT_NETWORK_RULE_MATCH_IPV4_DEST: - if ((etherType == ZT_ETHERTYPE_IPV4)&&(frameLen >= 20)) { - thisRuleMatches = (uint8_t)(InetAddress((const void *)&(rules[rn].v.ipv4.ip),4,rules[rn].v.ipv4.mask).containsAddress(InetAddress((const void *)(frameData + 16),4,0))); - FILTER_TRACE("%u %s %c %s contains %s -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),InetAddress((const void *)&(rules[rn].v.ipv4.ip),4,rules[rn].v.ipv4.mask).toString().c_str(),InetAddress((const void *)(frameData + 16),4,0).toIpString().c_str(),(unsigned int)thisRuleMatches); - } else { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c [frame not IPv4] -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '=')); - } - break; - case ZT_NETWORK_RULE_MATCH_IPV6_SOURCE: - if ((etherType == ZT_ETHERTYPE_IPV6)&&(frameLen >= 40)) { - thisRuleMatches = (uint8_t)(InetAddress((const void *)rules[rn].v.ipv6.ip,16,rules[rn].v.ipv6.mask).containsAddress(InetAddress((const void *)(frameData + 8),16,0))); - FILTER_TRACE("%u %s %c %s contains %s -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),InetAddress((const void *)rules[rn].v.ipv6.ip,16,rules[rn].v.ipv6.mask).toString().c_str(),InetAddress((const void *)(frameData + 8),16,0).toIpString().c_str(),(unsigned int)thisRuleMatches); - } else { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c [frame not IPv6] -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '=')); - } - break; - case ZT_NETWORK_RULE_MATCH_IPV6_DEST: - if ((etherType == ZT_ETHERTYPE_IPV6)&&(frameLen >= 40)) { - thisRuleMatches = (uint8_t)(InetAddress((const void *)rules[rn].v.ipv6.ip,16,rules[rn].v.ipv6.mask).containsAddress(InetAddress((const void *)(frameData + 24),16,0))); - FILTER_TRACE("%u %s %c %s contains %s -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),InetAddress((const void *)rules[rn].v.ipv6.ip,16,rules[rn].v.ipv6.mask).toString().c_str(),InetAddress((const void *)(frameData + 24),16,0).toIpString().c_str(),(unsigned int)thisRuleMatches); - } else { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c [frame not IPv6] -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '=')); - } - break; - case ZT_NETWORK_RULE_MATCH_IP_TOS: - if ((etherType == ZT_ETHERTYPE_IPV4)&&(frameLen >= 20)) { - thisRuleMatches = (uint8_t)(rules[rn].v.ipTos == ((frameData[1] & 0xfc) >> 2)); - FILTER_TRACE("%u %s %c (IPv4) %u==%u -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.ipTos,(unsigned int)((frameData[1] & 0xfc) >> 2),(unsigned int)thisRuleMatches); - } else if ((etherType == ZT_ETHERTYPE_IPV6)&&(frameLen >= 40)) { - const uint8_t trafficClass = ((frameData[0] << 4) & 0xf0) | ((frameData[1] >> 4) & 0x0f); - thisRuleMatches = (uint8_t)(rules[rn].v.ipTos == ((trafficClass & 0xfc) >> 2)); - FILTER_TRACE("%u %s %c (IPv6) %u==%u -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.ipTos,(unsigned int)((trafficClass & 0xfc) >> 2),(unsigned int)thisRuleMatches); - } else { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c [frame not IP] -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '=')); - } - break; - case ZT_NETWORK_RULE_MATCH_IP_PROTOCOL: - if ((etherType == ZT_ETHERTYPE_IPV4)&&(frameLen >= 20)) { - thisRuleMatches = (uint8_t)(rules[rn].v.ipProtocol == frameData[9]); - FILTER_TRACE("%u %s %c (IPv4) %u==%u -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.ipProtocol,(unsigned int)frameData[9],(unsigned int)thisRuleMatches); - } else if (etherType == ZT_ETHERTYPE_IPV6) { - unsigned int pos = 0,proto = 0; - if (_ipv6GetPayload(frameData,frameLen,pos,proto)) { - thisRuleMatches = (uint8_t)(rules[rn].v.ipProtocol == (uint8_t)proto); - FILTER_TRACE("%u %s %c (IPv6) %u==%u -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.ipProtocol,proto,(unsigned int)thisRuleMatches); - } else { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c [invalid IPv6] -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '=')); - } - } else { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c [frame not IP] -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '=')); - } - break; - case ZT_NETWORK_RULE_MATCH_ICMP: - if ((etherType == ZT_ETHERTYPE_IPV4)&&(frameLen >= 20)) { - if (frameData[9] == 0x01) { - const unsigned int ihl = (frameData[0] & 0xf) * 32; - if (frameLen >= (ihl + 2)) { - if (rules[rn].v.icmp.type == frameData[ihl]) { - if ((rules[rn].v.icmp.flags & 0x01) != 0) { - thisRuleMatches = (uint8_t)(frameData[ihl+1] == rules[rn].v.icmp.code); - } else { - thisRuleMatches = 1; - } - } else { - thisRuleMatches = 0; - } - FILTER_TRACE("%u %s %c (IPv4) icmp-type:%d==%d icmp-code:%d==%d -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(int)frameData[ihl],(int)rules[rn].v.icmp.type,(int)frameData[ihl+1],(((rules[rn].v.icmp.flags & 0x01) != 0) ? (int)rules[rn].v.icmp.code : -1),(unsigned int)thisRuleMatches); - } else { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c [IPv4 frame invalid] -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '=')); - } - } else { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c [frame not ICMP] -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '=')); - } - } else if (etherType == ZT_ETHERTYPE_IPV6) { - unsigned int pos = 0,proto = 0; - if (_ipv6GetPayload(frameData,frameLen,pos,proto)) { - if ((proto == 0x3a)&&(frameLen >= (pos+2))) { - if (rules[rn].v.icmp.type == frameData[pos]) { - if ((rules[rn].v.icmp.flags & 0x01) != 0) { - thisRuleMatches = (uint8_t)(frameData[pos+1] == rules[rn].v.icmp.code); - } else { - thisRuleMatches = 1; - } - } else { - thisRuleMatches = 0; - } - FILTER_TRACE("%u %s %c (IPv4) icmp-type:%d==%d icmp-code:%d==%d -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(int)frameData[pos],(int)rules[rn].v.icmp.type,(int)frameData[pos+1],(((rules[rn].v.icmp.flags & 0x01) != 0) ? (int)rules[rn].v.icmp.code : -1),(unsigned int)thisRuleMatches); - } else { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c [frame not ICMPv6] -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '=')); - } - } else { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c [invalid IPv6] -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '=')); - } - } else { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c [frame not IP] -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '=')); - } - break; - break; - case ZT_NETWORK_RULE_MATCH_IP_SOURCE_PORT_RANGE: - case ZT_NETWORK_RULE_MATCH_IP_DEST_PORT_RANGE: - if ((etherType == ZT_ETHERTYPE_IPV4)&&(frameLen >= 20)) { - const unsigned int headerLen = 4 * (frameData[0] & 0xf); - int p = -1; - switch(frameData[9]) { // IP protocol number - // All these start with 16-bit source and destination port in that order - case 0x06: // TCP - case 0x11: // UDP - case 0x84: // SCTP - case 0x88: // UDPLite - if (frameLen > (headerLen + 4)) { - unsigned int pos = headerLen + ((rt == ZT_NETWORK_RULE_MATCH_IP_DEST_PORT_RANGE) ? 2 : 0); - p = (int)frameData[pos++] << 8; - p |= (int)frameData[pos]; - } - break; - } - - thisRuleMatches = (p >= 0) ? (uint8_t)((p >= (int)rules[rn].v.port[0])&&(p <= (int)rules[rn].v.port[1])) : (uint8_t)0; - FILTER_TRACE("%u %s %c (IPv4) %d in %d-%d -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),p,(int)rules[rn].v.port[0],(int)rules[rn].v.port[1],(unsigned int)thisRuleMatches); - } else if (etherType == ZT_ETHERTYPE_IPV6) { - unsigned int pos = 0,proto = 0; - if (_ipv6GetPayload(frameData,frameLen,pos,proto)) { - int p = -1; - switch(proto) { // IP protocol number - // All these start with 16-bit source and destination port in that order - case 0x06: // TCP - case 0x11: // UDP - case 0x84: // SCTP - case 0x88: // UDPLite - if (frameLen > (pos + 4)) { - if (rt == ZT_NETWORK_RULE_MATCH_IP_DEST_PORT_RANGE) pos += 2; - p = (int)frameData[pos++] << 8; - p |= (int)frameData[pos]; - } - break; - } - thisRuleMatches = (p > 0) ? (uint8_t)((p >= (int)rules[rn].v.port[0])&&(p <= (int)rules[rn].v.port[1])) : (uint8_t)0; - FILTER_TRACE("%u %s %c (IPv6) %d in %d-%d -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),p,(int)rules[rn].v.port[0],(int)rules[rn].v.port[1],(unsigned int)thisRuleMatches); - } else { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c [invalid IPv6] -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '=')); - } - } else { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c [frame not IP] -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '=')); - } - break; - case ZT_NETWORK_RULE_MATCH_CHARACTERISTICS: { - uint64_t cf = (inbound) ? ZT_RULE_PACKET_CHARACTERISTICS_INBOUND : 0ULL; - if (macDest.isMulticast()) cf |= ZT_RULE_PACKET_CHARACTERISTICS_MULTICAST; - if (macDest.isBroadcast()) cf |= ZT_RULE_PACKET_CHARACTERISTICS_BROADCAST; - if ((etherType == ZT_ETHERTYPE_IPV4)&&(frameLen >= 20)&&(frameData[9] == 0x06)) { - const unsigned int headerLen = 4 * (frameData[0] & 0xf); - cf |= (uint64_t)frameData[headerLen + 13]; - cf |= (((uint64_t)(frameData[headerLen + 12] & 0x0f)) << 8); - } else if (etherType == ZT_ETHERTYPE_IPV6) { - unsigned int pos = 0,proto = 0; - if (_ipv6GetPayload(frameData,frameLen,pos,proto)) { - if ((proto == 0x06)&&(frameLen > (pos + 14))) { - cf |= (uint64_t)frameData[pos + 13]; - cf |= (((uint64_t)(frameData[pos + 12] & 0x0f)) << 8); - } - } - } - thisRuleMatches = (uint8_t)((cf & rules[rn].v.characteristics[0]) == rules[rn].v.characteristics[1]); - FILTER_TRACE("%u %s %c (%.16llx & %.16llx)==%.16llx -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),cf,rules[rn].v.characteristics[0],rules[rn].v.characteristics[1],(unsigned int)thisRuleMatches); - } break; - case ZT_NETWORK_RULE_MATCH_FRAME_SIZE_RANGE: - thisRuleMatches = (uint8_t)((frameLen >= (unsigned int)rules[rn].v.frameSize[0])&&(frameLen <= (unsigned int)rules[rn].v.frameSize[1])); - FILTER_TRACE("%u %s %c %u in %u-%u -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),frameLen,(unsigned int)rules[rn].v.frameSize[0],(unsigned int)rules[rn].v.frameSize[1],(unsigned int)thisRuleMatches); - break; - case ZT_NETWORK_RULE_MATCH_TAGS_DIFFERENCE: - case ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_AND: - case ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_OR: - case ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_XOR: { - const Tag *const localTag = std::lower_bound(&(nconf.tags[0]),&(nconf.tags[nconf.tagCount]),rules[rn].v.tag.id,Tag::IdComparePredicate()); - if ((localTag != &(nconf.tags[nconf.tagCount]))&&(localTag->id() == rules[rn].v.tag.id)) { - const Tag *const remoteTag = ((membership) ? membership->getTag(nconf,rules[rn].v.tag.id) : (const Tag *)0); - if (remoteTag) { - const uint32_t ltv = localTag->value(); - const uint32_t rtv = remoteTag->value(); - if (rt == ZT_NETWORK_RULE_MATCH_TAGS_DIFFERENCE) { - const uint32_t diff = (ltv > rtv) ? (ltv - rtv) : (rtv - ltv); - thisRuleMatches = (uint8_t)(diff <= rules[rn].v.tag.value); - FILTER_TRACE("%u %s %c TAG %u local:%u remote:%u difference:%u<=%u -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.tag.id,ltv,rtv,diff,(unsigned int)rules[rn].v.tag.value,thisRuleMatches); - } else if (rt == ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_AND) { - thisRuleMatches = (uint8_t)((ltv & rtv) == rules[rn].v.tag.value); - FILTER_TRACE("%u %s %c TAG %u local:%.8x & remote:%.8x == %.8x -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.tag.id,ltv,rtv,(unsigned int)rules[rn].v.tag.value,(unsigned int)thisRuleMatches); - } else if (rt == ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_OR) { - thisRuleMatches = (uint8_t)((ltv | rtv) == rules[rn].v.tag.value); - FILTER_TRACE("%u %s %c TAG %u local:%.8x | remote:%.8x == %.8x -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.tag.id,ltv,rtv,(unsigned int)rules[rn].v.tag.value,(unsigned int)thisRuleMatches); - } else if (rt == ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_XOR) { - thisRuleMatches = (uint8_t)((ltv ^ rtv) == rules[rn].v.tag.value); - FILTER_TRACE("%u %s %c TAG %u local:%.8x ^ remote:%.8x == %.8x -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.tag.id,ltv,rtv,(unsigned int)rules[rn].v.tag.value,(unsigned int)thisRuleMatches); - } else { // sanity check, can't really happen - thisRuleMatches = 0; - } - } else { - if (inbound) { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c remote tag %u not found -> 0 (inbound side is strict)",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.tag.id); - } else { - thisRuleMatches = 1; - FILTER_TRACE("%u %s %c remote tag %u not found -> 1 (outbound side is not strict)",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.tag.id); - } - } - } else { - thisRuleMatches = 0; - FILTER_TRACE("%u %s %c local tag %u not found -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.tag.id); - } - } break; - - // The result of an unsupported MATCH is configurable at the network - // level via a flag. - default: - thisRuleMatches = (uint8_t)((nconf.flags & ZT_NETWORKCONFIG_FLAG_RULES_RESULT_OF_UNSUPPORTED_MATCH) != 0); - break; - } - - // State of equals state AND result of last MATCH (possibly NOTed depending on bit 0x80) - thisSetMatches &= (thisRuleMatches ^ ((rules[rn].t >> 7) & 1)); - } - - return DOZTFILTER_NO_MATCH; -} - -} // anonymous namespace - const ZeroTier::MulticastGroup Network::BROADCAST(ZeroTier::MAC(0xffffffffffffULL),0); Network::Network(const RuntimeEnvironment *renv,uint64_t nwid,void *uptr) : RR(renv), _uPtr(uptr), _id(nwid), - _lastAnnouncedMulticastGroupsUpstream(0), _mac(renv->identity.address(),nwid), + _enabled(true), _portInitialized(false), _lastConfigUpdate(0), _destroyed(false), _netconfFailure(NETCONF_FAILURE_NONE), _portError(0) { - for(int i=0;i *dconf = new Dictionary(); - NetworkConfig *nconf = new NetworkConfig(); - try { - std::string conf(RR->node->dataStoreGet(confn)); - if (conf.length()) { - dconf->load(conf.c_str()); - if (nconf->fromDictionary(*dconf)) { - this->_setConfiguration(*nconf,false); + // These files are no longer used, so clean them. + RR->node->dataStoreDelete(mcdbn); + + if (_id == ZT_TEST_NETWORK_ID) { + applyConfiguration(NetworkConfig::createTestNetworkConfig(RR->identity.address())); + + // Save a one-byte CR to persist membership in the test network + RR->node->dataStorePut(confn,"\n",1,false); + } else { + bool gotConf = false; + try { + std::string conf(RR->node->dataStoreGet(confn)); + if (conf.length()) { + this->setConfiguration((const void *)conf.data(),(unsigned int)conf.length(),false); _lastConfigUpdate = 0; // we still want to re-request a new config from the network gotConf = true; } - } - } catch ( ... ) {} // ignore invalids, we'll re-request - delete nconf; - delete dconf; + } catch ( ... ) {} // ignore invalids, we'll re-request - if (!gotConf) { - // Save a one-byte CR to persist membership while we request a real netconf - RR->node->dataStorePut(confn,"\n",1,false); + if (!gotConf) { + // Save a one-byte CR to persist membership while we request a real netconf + RR->node->dataStorePut(confn,"\n",1,false); + } } if (!_portInitialized) { @@ -626,231 +100,6 @@ Network::~Network() } } -bool Network::filterOutgoingPacket( - const bool noTee, - const Address &ztSource, - const Address &ztDest, - const MAC &macSource, - const MAC &macDest, - const uint8_t *frameData, - const unsigned int frameLen, - const unsigned int etherType, - const unsigned int vlanId) -{ - const uint64_t now = RR->node->now(); - Address ztFinalDest(ztDest); - int localCapabilityIndex = -1; - bool accept = false; - - Mutex::Lock _l(_lock); - - Membership *const membership = (ztDest) ? _memberships.get(ztDest) : (Membership *)0; - - Address cc; - unsigned int ccLength = 0; - bool ccWatch = false; - switch(_doZtFilter(RR,_config,membership,false,ztSource,ztFinalDest,macSource,macDest,frameData,frameLen,etherType,vlanId,_config.rules,_config.ruleCount,cc,ccLength,ccWatch)) { - - case DOZTFILTER_NO_MATCH: - for(unsigned int c=0;c<_config.capabilityCount;++c) { - ztFinalDest = ztDest; // sanity check, shouldn't be possible if there was no match - Address cc2; - unsigned int ccLength2 = 0; - bool ccWatch2 = false; - switch (_doZtFilter(RR,_config,membership,false,ztSource,ztFinalDest,macSource,macDest,frameData,frameLen,etherType,vlanId,_config.capabilities[c].rules(),_config.capabilities[c].ruleCount(),cc2,ccLength2,ccWatch2)) { - case DOZTFILTER_NO_MATCH: - case DOZTFILTER_DROP: // explicit DROP in a capability just terminates its evaluation and is an anti-pattern - break; - - case DOZTFILTER_REDIRECT: // interpreted as ACCEPT but ztFinalDest will have been changed in _doZtFilter() - case DOZTFILTER_ACCEPT: - case DOZTFILTER_SUPER_ACCEPT: // no difference in behavior on outbound side - localCapabilityIndex = (int)c; - accept = true; - - if ((!noTee)&&(cc2)) { - Membership &m2 = _membership(cc2); - m2.pushCredentials(RR,now,cc2,_config,localCapabilityIndex,false); - - Packet outp(cc2,RR->identity.address(),Packet::VERB_EXT_FRAME); - outp.append(_id); - outp.append((uint8_t)(ccWatch2 ? 0x16 : 0x02)); - macDest.appendTo(outp); - macSource.appendTo(outp); - outp.append((uint16_t)etherType); - outp.append(frameData,ccLength2); - outp.compress(); - RR->sw->send(outp,true); - } - - break; - } - if (accept) - break; - } - break; - - case DOZTFILTER_DROP: - return false; - - case DOZTFILTER_REDIRECT: // interpreted as ACCEPT but ztFinalDest will have been changed in _doZtFilter() - case DOZTFILTER_ACCEPT: - case DOZTFILTER_SUPER_ACCEPT: // no difference in behavior on outbound side - accept = true; - break; - } - - if (accept) { - if (membership) - membership->pushCredentials(RR,now,ztDest,_config,localCapabilityIndex,false); - - if ((!noTee)&&(cc)) { - Membership &m2 = _membership(cc); - m2.pushCredentials(RR,now,cc,_config,localCapabilityIndex,false); - - Packet outp(cc,RR->identity.address(),Packet::VERB_EXT_FRAME); - outp.append(_id); - outp.append((uint8_t)(ccWatch ? 0x16 : 0x02)); - macDest.appendTo(outp); - macSource.appendTo(outp); - outp.append((uint16_t)etherType); - outp.append(frameData,ccLength); - outp.compress(); - RR->sw->send(outp,true); - } - - if ((ztDest != ztFinalDest)&&(ztFinalDest)) { - Membership &m2 = _membership(ztFinalDest); - m2.pushCredentials(RR,now,ztFinalDest,_config,localCapabilityIndex,false); - - Packet outp(ztFinalDest,RR->identity.address(),Packet::VERB_EXT_FRAME); - outp.append(_id); - outp.append((uint8_t)0x04); - macDest.appendTo(outp); - macSource.appendTo(outp); - outp.append((uint16_t)etherType); - outp.append(frameData,frameLen); - outp.compress(); - RR->sw->send(outp,true); - - return false; // DROP locally, since we redirected - } else { - return true; - } - } else { - return false; - } -} - -int Network::filterIncomingPacket( - const SharedPtr &sourcePeer, - const Address &ztDest, - const MAC &macSource, - const MAC &macDest, - const uint8_t *frameData, - const unsigned int frameLen, - const unsigned int etherType, - const unsigned int vlanId) -{ - Address ztFinalDest(ztDest); - int accept = 0; - - Mutex::Lock _l(_lock); - - Membership &membership = _membership(sourcePeer->address()); - - Address cc; - unsigned int ccLength = 0; - bool ccWatch = false; - switch (_doZtFilter(RR,_config,&membership,true,sourcePeer->address(),ztFinalDest,macSource,macDest,frameData,frameLen,etherType,vlanId,_config.rules,_config.ruleCount,cc,ccLength,ccWatch)) { - - case DOZTFILTER_NO_MATCH: { - Membership::CapabilityIterator mci(membership,_config); - const Capability *c; - while ((c = mci.next())) { - ztFinalDest = ztDest; // sanity check, should be unmodified if there was no match - Address cc2; - unsigned int ccLength2 = 0; - bool ccWatch2 = false; - switch(_doZtFilter(RR,_config,&membership,true,sourcePeer->address(),ztFinalDest,macSource,macDest,frameData,frameLen,etherType,vlanId,c->rules(),c->ruleCount(),cc2,ccLength2,ccWatch2)) { - case DOZTFILTER_NO_MATCH: - case DOZTFILTER_DROP: // explicit DROP in a capability just terminates its evaluation and is an anti-pattern - break; - case DOZTFILTER_REDIRECT: // interpreted as ACCEPT but ztDest will have been changed in _doZtFilter() - case DOZTFILTER_ACCEPT: - accept = 1; // ACCEPT - break; - case DOZTFILTER_SUPER_ACCEPT: - accept = 2; // super-ACCEPT - break; - } - - if (accept) { - if (cc2) { - _membership(cc2).pushCredentials(RR,RR->node->now(),cc2,_config,-1,false); - - Packet outp(cc2,RR->identity.address(),Packet::VERB_EXT_FRAME); - outp.append(_id); - outp.append((uint8_t)(ccWatch2 ? 0x1c : 0x08)); - macDest.appendTo(outp); - macSource.appendTo(outp); - outp.append((uint16_t)etherType); - outp.append(frameData,ccLength2); - outp.compress(); - RR->sw->send(outp,true); - } - break; - } - } - } break; - - case DOZTFILTER_DROP: - return 0; // DROP - - case DOZTFILTER_REDIRECT: // interpreted as ACCEPT but ztFinalDest will have been changed in _doZtFilter() - case DOZTFILTER_ACCEPT: - accept = 1; // ACCEPT - break; - case DOZTFILTER_SUPER_ACCEPT: - accept = 2; // super-ACCEPT - break; - } - - if (accept) { - if (cc) { - _membership(cc).pushCredentials(RR,RR->node->now(),cc,_config,-1,false); - - Packet outp(cc,RR->identity.address(),Packet::VERB_EXT_FRAME); - outp.append(_id); - outp.append((uint8_t)(ccWatch ? 0x1c : 0x08)); - macDest.appendTo(outp); - macSource.appendTo(outp); - outp.append((uint16_t)etherType); - outp.append(frameData,ccLength); - outp.compress(); - RR->sw->send(outp,true); - } - - if ((ztDest != ztFinalDest)&&(ztFinalDest)) { - _membership(ztFinalDest).pushCredentials(RR,RR->node->now(),ztFinalDest,_config,-1,false); - - Packet outp(ztFinalDest,RR->identity.address(),Packet::VERB_EXT_FRAME); - outp.append(_id); - outp.append((uint8_t)0x0a); - macDest.appendTo(outp); - macSource.appendTo(outp); - outp.append((uint16_t)etherType); - outp.append(frameData,frameLen); - outp.compress(); - RR->sw->send(outp,true); - - return 0; // DROP locally, since we redirected - } - } - - return accept; -} - bool Network::subscribedToMulticastGroup(const MulticastGroup &mg,bool includeBridgedGroups) const { Mutex::Lock _l(_lock); @@ -858,179 +107,141 @@ bool Network::subscribedToMulticastGroup(const MulticastGroup &mg,bool includeBr return true; else if (includeBridgedGroups) return _multicastGroupsBehindMe.contains(mg); - return false; + else return false; } void Network::multicastSubscribe(const MulticastGroup &mg) { - Mutex::Lock _l(_lock); - if (!std::binary_search(_myMulticastGroups.begin(),_myMulticastGroups.end(),mg)) { - _myMulticastGroups.insert(std::upper_bound(_myMulticastGroups.begin(),_myMulticastGroups.end(),mg),mg); - _sendUpdatesToMembers(&mg); + { + Mutex::Lock _l(_lock); + if (std::binary_search(_myMulticastGroups.begin(),_myMulticastGroups.end(),mg)) + return; + _myMulticastGroups.push_back(mg); + std::sort(_myMulticastGroups.begin(),_myMulticastGroups.end()); } + _announceMulticastGroups(); } void Network::multicastUnsubscribe(const MulticastGroup &mg) { Mutex::Lock _l(_lock); - std::vector::iterator i(std::lower_bound(_myMulticastGroups.begin(),_myMulticastGroups.end(),mg)); - if ( (i != _myMulticastGroups.end()) && (*i == mg) ) - _myMulticastGroups.erase(i); + std::vector nmg; + for(std::vector::const_iterator i(_myMulticastGroups.begin());i!=_myMulticastGroups.end();++i) { + if (*i != mg) + nmg.push_back(*i); + } + if (nmg.size() != _myMulticastGroups.size()) + _myMulticastGroups.swap(nmg); } -uint64_t Network::handleConfigChunk(const Packet &chunk,unsigned int ptr) +bool Network::tryAnnounceMulticastGroupsTo(const SharedPtr &peer) { - const unsigned int start = ptr; - - ptr += 8; // skip network ID, which is already obviously known - const unsigned int chunkLen = chunk.at(ptr); ptr += 2; - const void *chunkData = chunk.field(ptr,chunkLen); ptr += chunkLen; - Mutex::Lock _l(_lock); - - _IncomingConfigChunk *c = (_IncomingConfigChunk *)0; - uint64_t chunkId = 0; - uint64_t configUpdateId; - unsigned long totalLength,chunkIndex; - if (ptr < chunk.size()) { - const bool fastPropagate = ((chunk[ptr++] & 0x01) != 0); - configUpdateId = chunk.at(ptr); ptr += 8; - totalLength = chunk.at(ptr); ptr += 4; - chunkIndex = chunk.at(ptr); ptr += 4; - - if (((chunkIndex + chunkLen) > totalLength)||(totalLength >= ZT_NETWORKCONFIG_DICT_CAPACITY)) { // >= since we need room for a null at the end - TRACE("discarded chunk from %s: invalid length or length overflow",chunk.source().toString().c_str()); - return 0; - } - - if ((chunk[ptr] != 1)||(chunk.at(ptr + 1) != ZT_C25519_SIGNATURE_LEN)) { - TRACE("discarded chunk from %s: unrecognized signature type",chunk.source().toString().c_str()); - return 0; - } - const uint8_t *sig = reinterpret_cast(chunk.field(ptr + 3,ZT_C25519_SIGNATURE_LEN)); - - // We can use the signature, which is unique per chunk, to get a per-chunk ID for local deduplication use - for(unsigned int i=0;i<16;++i) - reinterpret_cast(&chunkId)[i & 7] ^= sig[i]; - - // Find existing or new slot for this update and check if this is a duplicate chunk - for(int i=0;ihaveChunks;++j) { - if (c->haveChunkIds[j] == chunkId) - return 0; - } - - break; - } else if ((!c)||(_incomingConfigChunks[i].ts < c->ts)) { - c = &(_incomingConfigChunks[i]); - } - } - - // If it's not a duplicate, check chunk signature - const Identity controllerId(RR->topology->getIdentity(controller())); - if (!controllerId) { // we should always have the controller identity by now, otherwise how would we have queried it the first time? - TRACE("unable to verify chunk from %s: don't have controller identity",chunk.source().toString().c_str()); - return 0; - } - if (!controllerId.verify(chunk.field(start,ptr - start),ptr - start,sig,ZT_C25519_SIGNATURE_LEN)) { - TRACE("discarded chunk from %s: signature check failed",chunk.source().toString().c_str()); - return 0; - } - - // New properly verified chunks can be flooded "virally" through the network - if (fastPropagate) { - Address *a = (Address *)0; - Membership *m = (Membership *)0; - Hashtable::Iterator i(_memberships); - while (i.next(a,m)) { - if ((*a != chunk.source())&&(*a != controller())) { - Packet outp(*a,RR->identity.address(),Packet::VERB_NETWORK_CONFIG); - outp.append(reinterpret_cast(chunk.data()) + start,chunk.size() - start); - RR->sw->send(outp,true); - } - } - } - } else if (chunk.source() == controller()) { - // Legacy support for OK(NETWORK_CONFIG_REQUEST) from older controllers - chunkId = chunk.packetId(); - configUpdateId = chunkId; - totalLength = chunkLen; - chunkIndex = 0; - - if (totalLength >= ZT_NETWORKCONFIG_DICT_CAPACITY) - return 0; - - for(int i=0;its)) - c = &(_incomingConfigChunks[i]); - } - } else { - TRACE("discarded single-chunk unsigned legacy config: this is only allowed if the sender is the controller itself"); - return 0; + if ( + (_isAllowed(peer)) || + (peer->address() == this->controller()) || + (RR->topology->isRoot(peer->identity())) + ) { + _announceMulticastGroupsTo(peer,_allMulticastGroups()); + return true; } + return false; +} - ++c->ts; // newer is higher, that's all we need - - if (c->updateId != configUpdateId) { - c->updateId = configUpdateId; - c->haveChunks = 0; - c->haveBytes = 0; - } - if (c->haveChunks >= ZT_NETWORK_MAX_UPDATE_CHUNKS) +bool Network::applyConfiguration(const NetworkConfig &conf) +{ + if (_destroyed) // sanity check return false; - c->haveChunkIds[c->haveChunks++] = chunkId; - - memcpy(c->data.unsafeData() + chunkIndex,chunkData,chunkLen); - c->haveBytes += chunkLen; - - if (c->haveBytes == totalLength) { - c->data.unsafeData()[c->haveBytes] = (char)0; // ensure null terminated - - NetworkConfig *const nc = new NetworkConfig(); - try { - if (nc->fromDictionary(c->data)) { - this->_setConfiguration(*nc,true); - return configUpdateId; + try { + if ((conf.networkId == _id)&&(conf.issuedTo == RR->identity.address())) { + ZT_VirtualNetworkConfig ctmp; + bool portInitialized; + { + Mutex::Lock _l(_lock); + _config = conf; + _lastConfigUpdate = RR->node->now(); + _netconfFailure = NETCONF_FAILURE_NONE; + _externalConfig(&ctmp); + portInitialized = _portInitialized; + _portInitialized = true; } - delete nc; - } catch ( ... ) { - delete nc; + _portError = RR->node->configureVirtualNetworkPort(_id,&_uPtr,(portInitialized) ? ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_CONFIG_UPDATE : ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_UP,&ctmp); + return true; + } else { + TRACE("ignored invalid configuration for network %.16llx (configuration contains mismatched network ID or issued-to address)",(unsigned long long)_id); } + } catch (std::exception &exc) { + TRACE("ignored invalid configuration for network %.16llx (%s)",(unsigned long long)_id,exc.what()); + } catch ( ... ) { + TRACE("ignored invalid configuration for network %.16llx (unknown exception)",(unsigned long long)_id); } + return false; +} +int Network::setConfiguration(const void *confBytes,unsigned int confLen,bool saveToDisk) +{ + try { + if (confLen <= 1) + return 0; + + NetworkConfig newConfig; + + // Find the length of any string-serialized old-style Dictionary, + // including its terminating NULL (if any). If this is before + // the end of the config, that tells us there is a new-style + // binary config which is preferred. + unsigned int dictLen = 0; + while (dictLen < confLen) { + if (!(reinterpret_cast(confBytes)[dictLen++])) + break; + } + + if (dictLen < (confLen - 2)) { + Buffer<8194> tmp(reinterpret_cast(confBytes) + dictLen,confLen - dictLen); + newConfig.deserialize(tmp,0); + } else { +#ifdef ZT_SUPPORT_OLD_STYLE_NETCONF + newConfig.fromDictionary(reinterpret_cast(confBytes),confLen); // throws if invalid +#else + return 0; +#endif + } + + if (!newConfig) + return 0; + + { + Mutex::Lock _l(_lock); + if (_config == newConfig) + return 1; // OK config, but duplicate of what we already have + } + + if (applyConfiguration(newConfig)) { + if (saveToDisk) { + char n[128]; + Utils::snprintf(n,sizeof(n),"networks.d/%.16llx.conf",_id); + RR->node->dataStorePut(n,confBytes,confLen,true); + } + return 2; // OK and configuration has changed + } + } catch ( ... ) { + TRACE("ignored invalid configuration for network %.16llx",(unsigned long long)_id); + } return 0; } void Network::requestConfiguration() { - const Address ctrl(controller()); + if (_id == ZT_TEST_NETWORK_ID) // pseudo-network-ID, uses locally generated static config + return; - Dictionary rmd; - rmd.add(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_VERSION,(uint64_t)ZT_NETWORKCONFIG_VERSION); - rmd.add(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_VENDOR,(uint64_t)ZT_VENDOR_ZEROTIER); - rmd.add(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_PROTOCOL_VERSION,(uint64_t)ZT_PROTO_VERSION); - rmd.add(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_MAJOR_VERSION,(uint64_t)ZEROTIER_ONE_VERSION_MAJOR); - rmd.add(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_MINOR_VERSION,(uint64_t)ZEROTIER_ONE_VERSION_MINOR); - rmd.add(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_REVISION,(uint64_t)ZEROTIER_ONE_VERSION_REVISION); - rmd.add(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_MAX_NETWORK_RULES,(uint64_t)ZT_MAX_NETWORK_RULES); - rmd.add(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_MAX_NETWORK_CAPABILITIES,(uint64_t)ZT_MAX_NETWORK_CAPABILITIES); - rmd.add(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_MAX_CAPABILITY_RULES,(uint64_t)ZT_MAX_CAPABILITY_RULES); - rmd.add(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_MAX_NETWORK_TAGS,(uint64_t)ZT_MAX_NETWORK_TAGS); - rmd.add(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_FLAGS,(uint64_t)0); - rmd.add(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_RULES_ENGINE_REV,(uint64_t)ZT_RULES_ENGINE_REVISION); - rmd.add(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_RELAY_POLICY,(uint64_t)RR->node->relayPolicy()); - - if (ctrl == RR->identity.address()) { + if (controller() == RR->identity.address()) { if (RR->localNetworkController) { - NetworkConfig nconf; - switch(RR->localNetworkController->doNetworkConfigRequest(InetAddress(),RR->identity,RR->identity,_id,rmd,nconf)) { - case NetworkController::NETCONF_QUERY_OK: { - Mutex::Lock _l(_lock); - this->_setConfiguration(nconf,true); - } return; + Buffer<8194> tmp; + switch(RR->localNetworkController->doNetworkConfigRequest(InetAddress(),RR->identity,RR->identity,_id,NetworkConfigRequestMetaData(),tmp)) { + case NetworkController::NETCONF_QUERY_OK: + this->setConfiguration(tmp.data(),tmp.size(),true); + return; case NetworkController::NETCONF_QUERY_OBJECT_NOT_FOUND: this->setNotFound(); return; @@ -1046,46 +257,19 @@ void Network::requestConfiguration() } } - TRACE("requesting netconf for network %.16llx from controller %s",(unsigned long long)_id,ctrl.toString().c_str()); + TRACE("requesting netconf for network %.16llx from controller %s",(unsigned long long)_id,controller().toString().c_str()); - Packet outp(ctrl,RR->identity.address(),Packet::VERB_NETWORK_CONFIG_REQUEST); + NetworkConfigRequestMetaData metaData; + metaData.initWithDefaults(); + Buffer<4096> mds; + metaData.serialize(mds); // this always includes legacy fields to support old controllers + + Packet outp(controller(),RR->identity.address(),Packet::VERB_NETWORK_CONFIG_REQUEST); outp.append((uint64_t)_id); - const unsigned int rmdSize = rmd.sizeBytes(); - outp.append((uint16_t)rmdSize); - outp.append((const void *)rmd.data(),rmdSize); - if (_config) { - outp.append((uint64_t)_config.revision); - outp.append((uint64_t)_config.timestamp); - } else { - outp.append((unsigned char)0,16); - } - RR->node->expectReplyTo(outp.packetId()); - outp.compress(); - RR->sw->send(outp,true); -} - -bool Network::gate(const SharedPtr &peer) -{ - const uint64_t now = RR->node->now(); - Mutex::Lock _l(_lock); - try { - if (_config) { - Membership *m = _memberships.get(peer->address()); - if ( (_config.isPublic()) || ((m)&&(m->isAllowedOnNetwork(_config))) ) { - if (!m) - m = &(_membership(peer->address())); - m->pushCredentials(RR,now,peer->address(),_config,-1,false); - if (m->shouldLikeMulticasts(now)) { - _announceMulticastGroupsTo(peer->address(),_allMulticastGroups()); - m->likingMulticasts(now); - } - return true; - } - } - } catch ( ... ) { - TRACE("gate() check failed for peer %s: unexpected exception",peer->address().toString().c_str()); - } - return false; + outp.append((uint16_t)mds.size()); + outp.append(mds.data(),mds.size()); + outp.append((_config) ? (uint64_t)_config.revision : (uint64_t)0); + RR->sw->send(outp,true,0); } void Network::clean() @@ -1105,16 +289,6 @@ void Network::clean() _multicastGroupsBehindMe.erase(*mg); } } - - { - Address *a = (Address *)0; - Membership *m = (Membership *)0; - Hashtable::Iterator i(_memberships); - while (i.next(a,m)) { - if (!RR->topology->getPeerNoCache(*a)) - _memberships.erase(*a); - } - } } void Network::learnBridgeRoute(const MAC &mac,const Address &addr) @@ -1160,57 +334,24 @@ void Network::learnBridgedMulticastGroup(const MulticastGroup &mg,uint64_t now) const unsigned long tmp = (unsigned long)_multicastGroupsBehindMe.size(); _multicastGroupsBehindMe.set(mg,now); if (tmp != _multicastGroupsBehindMe.size()) - _sendUpdatesToMembers(&mg); + _announceMulticastGroups(); } -Membership::AddCredentialResult Network::addCredential(const CertificateOfMembership &com) +void Network::setEnabled(bool enabled) { - if (com.networkId() != _id) - return Membership::ADD_REJECTED; - const Address a(com.issuedTo()); Mutex::Lock _l(_lock); - Membership &m = _membership(a); - const Membership::AddCredentialResult result = m.addCredential(RR,_config,com); - if ((result == Membership::ADD_ACCEPTED_NEW)||(result == Membership::ADD_ACCEPTED_REDUNDANT)) { - m.pushCredentials(RR,RR->node->now(),a,_config,-1,false); - RR->mc->addCredential(com,true); + if (_enabled != enabled) { + _enabled = enabled; + ZT_VirtualNetworkConfig ctmp; + _externalConfig(&ctmp); + _portError = RR->node->configureVirtualNetworkPort(_id,&_uPtr,ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_CONFIG_UPDATE,&ctmp); } - return result; -} - -Membership::AddCredentialResult Network::addCredential(const Address &sentFrom,const Revocation &rev) -{ - if (rev.networkId() != _id) - return Membership::ADD_REJECTED; - - Mutex::Lock _l(_lock); - Membership &m = _membership(rev.target()); - - const Membership::AddCredentialResult result = m.addCredential(RR,_config,rev); - - if ((result == Membership::ADD_ACCEPTED_NEW)&&(rev.fastPropagate())) { - Address *a = (Address *)0; - Membership *m = (Membership *)0; - Hashtable::Iterator i(_memberships); - while (i.next(a,m)) { - if ((*a != sentFrom)&&(*a != rev.signer())) { - Packet outp(*a,RR->identity.address(),Packet::VERB_NETWORK_CREDENTIALS); - outp.append((uint8_t)0x00); // no COM - outp.append((uint16_t)0); // no capabilities - outp.append((uint16_t)0); // no tags - outp.append((uint16_t)1); // one revocation! - rev.serialize(outp); - RR->sw->send(outp,true); - } - } - } - - return result; } void Network::destroy() { Mutex::Lock _l(_lock); + _enabled = false; _destroyed = true; } @@ -1231,39 +372,6 @@ ZT_VirtualNetworkStatus Network::_status() const } } -int Network::_setConfiguration(const NetworkConfig &nconf,bool saveToDisk) -{ - // assumes _lock is locked - try { - if ((nconf.issuedTo != RR->identity.address())||(nconf.networkId != _id)) - return 0; - if (_config == nconf) - return 1; // OK config, but duplicate of what we already have - - ZT_VirtualNetworkConfig ctmp; - _config = nconf; - _lastConfigUpdate = RR->node->now(); - _netconfFailure = NETCONF_FAILURE_NONE; - _externalConfig(&ctmp); - const bool oldPortInitialized = _portInitialized; - _portInitialized = true; - _portError = RR->node->configureVirtualNetworkPort(_id,&_uPtr,(oldPortInitialized) ? ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_CONFIG_UPDATE : ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_UP,&ctmp); - - if (saveToDisk) { - char n[64]; - Utils::snprintf(n,sizeof(n),"networks.d/%.16llx.conf",_id); - Dictionary d; - if (nconf.toDictionary(d,false)) - RR->node->dataStorePut(n,(const void *)d.data(),d.sizeBytes(),true); - } - - return 2; // OK and configuration has changed - } catch ( ... ) { - TRACE("ignored invalid configuration for network %.16llx",(unsigned long long)_id); - } - return 0; -} - void Network::_externalConfig(ZT_VirtualNetworkConfig *ec) const { // assumes _lock is locked @@ -1275,14 +383,20 @@ void Network::_externalConfig(ZT_VirtualNetworkConfig *ec) const ec->status = _status(); ec->type = (_config) ? (_config.isPrivate() ? ZT_NETWORK_TYPE_PRIVATE : ZT_NETWORK_TYPE_PUBLIC) : ZT_NETWORK_TYPE_PRIVATE; ec->mtu = ZT_IF_MTU; - ec->physicalMtu = ZT_UDP_DEFAULT_PAYLOAD_MTU - (ZT_PACKET_IDX_PAYLOAD + 16); ec->dhcp = 0; std::vector
ab(_config.activeBridges()); ec->bridge = ((_config.allowPassiveBridging())||(std::find(ab.begin(),ab.end(),RR->identity.address()) != ab.end())) ? 1 : 0; ec->broadcastEnabled = (_config) ? (_config.enableBroadcast() ? 1 : 0) : 0; ec->portError = _portError; + ec->enabled = (_enabled) ? 1 : 0; ec->netconfRevision = (_config) ? (unsigned long)_config.revision : 0; + ec->multicastSubscriptionCount = std::min((unsigned int)_myMulticastGroups.size(),(unsigned int)ZT_MAX_NETWORK_MULTICAST_SUBSCRIPTIONS); + for(unsigned int i=0;imulticastSubscriptionCount;++i) { + ec->multicastSubscriptions[i].mac = _myMulticastGroups[i].mac().toInt(); + ec->multicastSubscriptions[i].adi = _myMulticastGroups[i].adi(); + } + ec->assignedAddressCount = 0; for(unsigned int i=0;iassignedAddresses[i]),0,sizeof(struct sockaddr_storage)); } } - - ec->routeCount = 0; - for(unsigned int i=0;iroutes[i]),&(_config.routes[i]),sizeof(ZT_VirtualNetworkRoute)); - ++ec->routeCount; - } else { - memset(&(ec->routes[i]),0,sizeof(ZT_VirtualNetworkRoute)); - } - } } -void Network::_sendUpdatesToMembers(const MulticastGroup *const newMulticastGroup) +bool Network::_isAllowed(const SharedPtr &peer) const { // Assumes _lock is locked - const uint64_t now = RR->node->now(); - - std::vector groups; - if (newMulticastGroup) - groups.push_back(*newMulticastGroup); - else groups = _allMulticastGroups(); - - if ((newMulticastGroup)||((now - _lastAnnouncedMulticastGroupsUpstream) >= ZT_MULTICAST_ANNOUNCE_PERIOD)) { - if (!newMulticastGroup) - _lastAnnouncedMulticastGroupsUpstream = now; - - // Announce multicast groups to upstream peers (roots, etc.) and also send - // them our COM so that MULTICAST_GATHER can be authenticated properly. - const std::vector
upstreams(RR->topology->upstreamAddresses()); - for(std::vector
::const_iterator a(upstreams.begin());a!=upstreams.end();++a) { - if (_config.com) { - Packet outp(*a,RR->identity.address(),Packet::VERB_NETWORK_CREDENTIALS); - _config.com.serialize(outp); - outp.append((uint8_t)0x00); - RR->sw->send(outp,true); - } - _announceMulticastGroupsTo(*a,groups); - } - - // Also announce to controller, and send COM to simplify and generalize behavior even though in theory it does not need it - const Address c(controller()); - if ( (std::find(upstreams.begin(),upstreams.end(),c) == upstreams.end()) && (!_memberships.contains(c)) ) { - if (_config.com) { - Packet outp(c,RR->identity.address(),Packet::VERB_NETWORK_CREDENTIALS); - _config.com.serialize(outp); - outp.append((uint8_t)0x00); - RR->sw->send(outp,true); - } - _announceMulticastGroupsTo(c,groups); - } + try { + if (!_config) + return false; + if (_config.isPublic()) + return true; + return ((_config.com)&&(peer->networkMembershipCertificatesAgree(_id,_config.com))); + } catch (std::exception &exc) { + TRACE("isAllowed() check failed for peer %s: unexpected exception: %s",peer->address().toString().c_str(),exc.what()); + } catch ( ... ) { + TRACE("isAllowed() check failed for peer %s: unexpected exception: unknown exception",peer->address().toString().c_str()); } + return false; // default position on any failure +} - // Make sure that all "network anchors" have Membership records so we will - // push multicasts to them. Note that _membership() also does this but in a - // piecemeal on-demand fashion. - const std::vector
anchors(_config.anchors()); - for(std::vector
::const_iterator a(anchors.begin());a!=anchors.end();++a) - _membership(*a); - - // Send credentials and multicast LIKEs to members, upstreams, and controller +class _MulticastAnnounceAll +{ +public: + _MulticastAnnounceAll(const RuntimeEnvironment *renv,Network *nw) : + _now(renv->node->now()), + _controller(nw->controller()), + _network(nw), + _anchors(nw->config().anchors()), + _rootAddresses(renv->topology->rootAddresses()) + {} + inline void operator()(Topology &t,const SharedPtr &p) { - Address *a = (Address *)0; - Membership *m = (Membership *)0; - Hashtable::Iterator i(_memberships); - while (i.next(a,m)) { - m->pushCredentials(RR,now,*a,_config,-1,false); - if ( ((newMulticastGroup)||(m->shouldLikeMulticasts(now))) && (m->isAllowedOnNetwork(_config)) ) { - if (!newMulticastGroup) - m->likingMulticasts(now); - _announceMulticastGroupsTo(*a,groups); - } + if ( (_network->_isAllowed(p)) || // FIXME: this causes multicast LIKEs for public networks to get spammed + (p->address() == _controller) || + (std::find(_rootAddresses.begin(),_rootAddresses.end(),p->address()) != _rootAddresses.end()) || + (std::find(_anchors.begin(),_anchors.end(),p->address()) != _anchors.end()) ) { + peers.push_back(p); } } -} - -void Network::_announceMulticastGroupsTo(const Address &peer,const std::vector &allMulticastGroups) + std::vector< SharedPtr > peers; +private: + const uint64_t _now; + const Address _controller; + Network *const _network; + const std::vector
_anchors; + const std::vector
_rootAddresses; +}; +void Network::_announceMulticastGroups() { // Assumes _lock is locked - Packet outp(peer,RR->identity.address(),Packet::VERB_MULTICAST_LIKE); + std::vector allMulticastGroups(_allMulticastGroups()); + _MulticastAnnounceAll gpfunc(RR,this); + RR->topology->eachPeer<_MulticastAnnounceAll &>(gpfunc); + for(std::vector< SharedPtr >::const_iterator i(gpfunc.peers.begin());i!=gpfunc.peers.end();++i) + _announceMulticastGroupsTo(*i,allMulticastGroups); +} - for(std::vector::const_iterator mg(allMulticastGroups.begin());mg!=allMulticastGroups.end();++mg) { - if ((outp.size() + 24) >= ZT_PROTO_MAX_PACKET_LENGTH) { - outp.compress(); - RR->sw->send(outp,true); - outp.reset(peer,RR->identity.address(),Packet::VERB_MULTICAST_LIKE); - } +void Network::_announceMulticastGroupsTo(const SharedPtr &peer,const std::vector &allMulticastGroups) const +{ + // Assumes _lock is locked - // network ID, MAC, ADI - outp.append((uint64_t)_id); - mg->mac().appendTo(outp); - outp.append((uint32_t)mg->adi()); + // We push COMs ahead of MULTICAST_LIKE since they're used for access control -- a COM is a public + // credential so "over-sharing" isn't really an issue (and we only do so with roots). + if ((_config)&&(_config.com)&&(!_config.isPublic())&&(peer->needsOurNetworkMembershipCertificate(_id,RR->node->now(),true))) { + Packet outp(peer->address(),RR->identity.address(),Packet::VERB_NETWORK_MEMBERSHIP_CERTIFICATE); + _config.com.serialize(outp); + RR->sw->send(outp,true,0); } - if (outp.size() > ZT_PROTO_MIN_PACKET_LENGTH) { - outp.compress(); - RR->sw->send(outp,true); + { + Packet outp(peer->address(),RR->identity.address(),Packet::VERB_MULTICAST_LIKE); + + for(std::vector::const_iterator mg(allMulticastGroups.begin());mg!=allMulticastGroups.end();++mg) { + if ((outp.size() + 18) >= ZT_UDP_DEFAULT_PAYLOAD_MTU) { + RR->sw->send(outp,true,0); + outp.reset(peer->address(),RR->identity.address(),Packet::VERB_MULTICAST_LIKE); + } + + // network ID, MAC, ADI + outp.append((uint64_t)_id); + mg->mac().appendTo(outp); + outp.append((uint32_t)mg->adi()); + } + + if (outp.size() > ZT_PROTO_MIN_PACKET_LENGTH) + RR->sw->send(outp,true,0); } } std::vector Network::_allMulticastGroups() const { // Assumes _lock is locked + std::vector mgs; mgs.reserve(_myMulticastGroups.size() + _multicastGroupsBehindMe.size() + 1); mgs.insert(mgs.end(),_myMulticastGroups.begin(),_myMulticastGroups.end()); @@ -1402,13 +506,8 @@ std::vector Network::_allMulticastGroups() const mgs.push_back(Network::BROADCAST); std::sort(mgs.begin(),mgs.end()); mgs.erase(std::unique(mgs.begin(),mgs.end()),mgs.end()); + return mgs; } -Membership &Network::_membership(const Address &a) -{ - // assumes _lock is locked - return _memberships[a]; -} - } // namespace ZeroTier diff --git a/zerotierone/node/Network.hpp b/zerotierone/node/Network.hpp index 527d304..9d280fb 100644 --- a/zerotierone/node/Network.hpp +++ b/zerotierone/node/Network.hpp @@ -40,17 +40,14 @@ #include "MAC.hpp" #include "Dictionary.hpp" #include "Multicaster.hpp" -#include "Membership.hpp" #include "NetworkConfig.hpp" #include "CertificateOfMembership.hpp" -#define ZT_NETWORK_MAX_INCOMING_UPDATES 3 -#define ZT_NETWORK_MAX_UPDATE_CHUNKS ((ZT_NETWORKCONFIG_DICT_CAPACITY / 1024) + 1) - namespace ZeroTier { class RuntimeEnvironment; class Peer; +class _MulticastAnnounceAll; /** * A virtual LAN @@ -58,6 +55,7 @@ class Peer; class Network : NonCopyable { friend class SharedPtr; + friend class _MulticastAnnounceAll; // internal function object public: /** @@ -65,11 +63,6 @@ public: */ static const MulticastGroup BROADCAST; - /** - * Compute primary controller device ID from network ID - */ - static inline Address controllerFor(uint64_t nwid) throw() { return Address(nwid >> 24); } - /** * Construct a new network * @@ -84,78 +77,43 @@ public: ~Network(); - inline uint64_t id() const { return _id; } - inline Address controller() const { return Address(_id >> 24); } - inline bool multicastEnabled() const { return (_config.multicastLimit > 0); } - inline bool hasConfig() const { return (_config); } - inline uint64_t lastConfigUpdate() const throw() { return _lastConfigUpdate; } - inline ZT_VirtualNetworkStatus status() const { Mutex::Lock _l(_lock); return _status(); } - inline const NetworkConfig &config() const { return _config; } - inline const MAC &mac() const { return _mac; } - /** - * Apply filters to an outgoing packet - * - * This applies filters from our network config and, if that doesn't match, - * our capabilities in ascending order of capability ID. Additional actions - * such as TEE may be taken, and credentials may be pushed, so this is not - * side-effect-free. It's basically step one in sending something over VL2. - * - * @param noTee If true, do not TEE anything anywhere (for two-pass filtering as done with multicast and bridging) - * @param ztSource Source ZeroTier address - * @param ztDest Destination ZeroTier address - * @param macSource Ethernet layer source address - * @param macDest Ethernet layer destination address - * @param frameData Ethernet frame data - * @param frameLen Ethernet frame payload length - * @param etherType 16-bit ethernet type ID - * @param vlanId 16-bit VLAN ID - * @return True if packet should be sent, false if dropped or redirected + * @return Network ID */ - bool filterOutgoingPacket( - const bool noTee, - const Address &ztSource, - const Address &ztDest, - const MAC &macSource, - const MAC &macDest, - const uint8_t *frameData, - const unsigned int frameLen, - const unsigned int etherType, - const unsigned int vlanId); + inline uint64_t id() const throw() { return _id; } /** - * Apply filters to an incoming packet - * - * This applies filters from our network config and, if that doesn't match, - * the peer's capabilities in ascending order of capability ID. If there is - * a match certain actions may be taken such as sending a copy of the packet - * to a TEE or REDIRECT target. - * - * @param sourcePeer Source Peer - * @param ztDest Destination ZeroTier address - * @param macSource Ethernet layer source address - * @param macDest Ethernet layer destination address - * @param frameData Ethernet frame data - * @param frameLen Ethernet frame payload length - * @param etherType 16-bit ethernet type ID - * @param vlanId 16-bit VLAN ID - * @return 0 == drop, 1 == accept, 2 == accept even if bridged + * @return Address of network's controller (most significant 40 bits of ID) */ - int filterIncomingPacket( - const SharedPtr &sourcePeer, - const Address &ztDest, - const MAC &macSource, - const MAC &macDest, - const uint8_t *frameData, - const unsigned int frameLen, - const unsigned int etherType, - const unsigned int vlanId); + inline Address controller() const throw() { return Address(_id >> 24); } + + /** + * @param nwid Network ID + * @return Address of network's controller + */ + static inline Address controllerFor(uint64_t nwid) throw() { return Address(nwid >> 24); } + + /** + * @return Multicast group memberships for this network's port (local, not learned via bridging) + */ + inline std::vector multicastGroups() const + { + Mutex::Lock _l(_lock); + return _myMulticastGroups; + } + + /** + * @return All multicast groups including learned groups that are behind any bridges we're attached to + */ + inline std::vector allMulticastGroups() const + { + Mutex::Lock _l(_lock); + return _allMulticastGroups(); + } /** - * Check whether we are subscribed to a multicast group - * * @param mg Multicast group - * @param includeBridgedGroups If true, also check groups we've learned via bridging + * @param includeBridgedGroups If true, also include any groups we've learned via bridging * @return True if this network endpoint / peer is a member */ bool subscribedToMulticastGroup(const MulticastGroup &mg,bool includeBridgedGroups) const; @@ -175,17 +133,30 @@ public: void multicastUnsubscribe(const MulticastGroup &mg); /** - * Handle an inbound network config chunk + * Announce multicast groups to a peer if that peer is authorized on this network * - * This is called from IncomingPacket to handle incoming network config - * chunks via OK(NETWORK_CONFIG_REQUEST) or NETWORK_CONFIG. It verifies - * each chunk and once assembled applies the configuration. - * - * @param chunk Packet containing chunk - * @param ptr Index of chunk and related fields in packet - * @return Update ID if update was fully assembled and accepted or 0 otherwise + * @param peer Peer to try to announce multicast groups to + * @return True if peer was authorized and groups were announced */ - uint64_t handleConfigChunk(const Packet &chunk,unsigned int ptr); + bool tryAnnounceMulticastGroupsTo(const SharedPtr &peer); + + /** + * Apply a NetworkConfig to this network + * + * @param conf Configuration in NetworkConfig form + * @return True if configuration was accepted + */ + bool applyConfiguration(const NetworkConfig &conf); + + /** + * Set or update this network's configuration + * + * @param confBytes Network configuration in old-style Dictionary or new-style serialized format + * @param confLen Length of network configuration in bytes + * @param saveToDisk IF true (default), write config to disk + * @return 0 -- rejected, 1 -- accepted but not new, 2 -- accepted new config + */ + int setConfiguration(const void *confBytes,unsigned int confLen,bool saveToDisk); /** * Set netconf failure to 'access denied' -- called in IncomingPacket when controller reports this @@ -197,7 +168,7 @@ public: } /** - * Set netconf failure to 'not found' -- called by IncomingPacket when controller reports this + * Set netconf failure to 'not found' -- called by PacketDecider when controller reports this */ inline void setNotFound() { @@ -211,24 +182,73 @@ public: void requestConfiguration(); /** - * Determine whether this peer is permitted to communicate on this network + * @param peer Peer to check + * @return True if peer is allowed to communicate on this network */ - bool gate(const SharedPtr &peer); + inline bool isAllowed(const SharedPtr &peer) const + { + Mutex::Lock _l(_lock); + return _isAllowed(peer); + } /** - * Do periodic cleanup and housekeeping tasks + * Perform cleanup and possibly save state */ void clean(); /** - * Push state to members such as multicast group memberships and latest COM (if needed) + * @return Time of last updated configuration or 0 if none */ - inline void sendUpdatesToMembers() + inline uint64_t lastConfigUpdate() const throw() { return _lastConfigUpdate; } + + /** + * @return Status of this network + */ + inline ZT_VirtualNetworkStatus status() const { Mutex::Lock _l(_lock); - _sendUpdatesToMembers((const MulticastGroup *)0); + return _status(); } + /** + * @param ec Buffer to fill with externally-visible network configuration + */ + inline void externalConfig(ZT_VirtualNetworkConfig *ec) const + { + Mutex::Lock _l(_lock); + _externalConfig(ec); + } + + /** + * Get current network config + * + * This returns a const reference to the network config in place, which is safe + * to concurrently access but *may* change during access. Normally this isn't a + * problem, but if it is use configCopy(). + * + * @return Network configuration (may be a null config if we don't have one yet) + */ + inline const NetworkConfig &config() const { return _config; } + + /** + * @return A thread-safe copy of our NetworkConfig instead of a const reference + */ + inline NetworkConfig configCopy() const + { + Mutex::Lock _l(_lock); + return _config; + } + + /** + * @return True if this network has a valid config + */ + inline bool hasConfig() const { return (_config); } + + /** + * @return Ethernet MAC address for this network's local interface + */ + inline const MAC &mac() const throw() { return _mac; } + /** * Find the node on this network that has this MAC behind it (if any) * @@ -239,7 +259,9 @@ public: { Mutex::Lock _l(_lock); const Address *const br = _remoteBridgeRoutes.get(mac); - return ((br) ? *br : Address()); + if (br) + return *br; + return Address(); } /** @@ -259,48 +281,14 @@ public: void learnBridgedMulticastGroup(const MulticastGroup &mg,uint64_t now); /** - * Validate a credential and learn it if it passes certificate and other checks + * @return True if traffic on this network's tap is enabled */ - Membership::AddCredentialResult addCredential(const CertificateOfMembership &com); + inline bool enabled() const throw() { return _enabled; } /** - * Validate a credential and learn it if it passes certificate and other checks + * @param enabled Should traffic be allowed on this network? */ - inline Membership::AddCredentialResult addCredential(const Capability &cap) - { - if (cap.networkId() != _id) - return Membership::ADD_REJECTED; - Mutex::Lock _l(_lock); - return _membership(cap.issuedTo()).addCredential(RR,_config,cap); - } - - /** - * Validate a credential and learn it if it passes certificate and other checks - */ - inline Membership::AddCredentialResult addCredential(const Tag &tag) - { - if (tag.networkId() != _id) - return Membership::ADD_REJECTED; - Mutex::Lock _l(_lock); - return _membership(tag.issuedTo()).addCredential(RR,_config,tag); - } - - /** - * Validate a credential and learn it if it passes certificate and other checks - */ - Membership::AddCredentialResult addCredential(const Address &sentFrom,const Revocation &rev); - - /** - * Force push credentials (COM, etc.) to a peer now - * - * @param to Destination peer address - * @param now Current time - */ - inline void pushCredentialsNow(const Address &to,const uint64_t now) - { - Mutex::Lock _l(_lock); - _membership(to).pushCredentials(RR,now,to,_config,-1,true); - } + void setEnabled(bool enabled); /** * Destroy this network @@ -312,57 +300,40 @@ public: void destroy(); /** - * Get this network's config for export via the ZT core API - * - * @param ec Buffer to fill with externally-visible network configuration - */ - inline void externalConfig(ZT_VirtualNetworkConfig *ec) const - { - Mutex::Lock _l(_lock); - _externalConfig(ec); - } - - /** - * @return Externally usable pointer-to-pointer exported via the core API + * @return Pointer to user PTR (modifiable user ptr used in API) */ inline void **userPtr() throw() { return &_uPtr; } + inline bool operator==(const Network &n) const throw() { return (_id == n._id); } + inline bool operator!=(const Network &n) const throw() { return (_id != n._id); } + inline bool operator<(const Network &n) const throw() { return (_id < n._id); } + inline bool operator>(const Network &n) const throw() { return (_id > n._id); } + inline bool operator<=(const Network &n) const throw() { return (_id <= n._id); } + inline bool operator>=(const Network &n) const throw() { return (_id >= n._id); } + private: - int _setConfiguration(const NetworkConfig &nconf,bool saveToDisk); ZT_VirtualNetworkStatus _status() const; void _externalConfig(ZT_VirtualNetworkConfig *ec) const; // assumes _lock is locked - bool _gate(const SharedPtr &peer); - void _sendUpdatesToMembers(const MulticastGroup *const newMulticastGroup); - void _announceMulticastGroupsTo(const Address &peer,const std::vector &allMulticastGroups); + bool _isAllowed(const SharedPtr &peer) const; + void _announceMulticastGroups(); + void _announceMulticastGroupsTo(const SharedPtr &peer,const std::vector &allMulticastGroups) const; std::vector _allMulticastGroups() const; - Membership &_membership(const Address &a); - const RuntimeEnvironment *const RR; + const RuntimeEnvironment *RR; void *_uPtr; - const uint64_t _id; - uint64_t _lastAnnouncedMulticastGroupsUpstream; + uint64_t _id; MAC _mac; // local MAC address - bool _portInitialized; + volatile bool _enabled; + volatile bool _portInitialized; std::vector< MulticastGroup > _myMulticastGroups; // multicast groups that we belong to (according to tap) Hashtable< MulticastGroup,uint64_t > _multicastGroupsBehindMe; // multicast groups that seem to be behind us and when we last saw them (if we are a bridge) Hashtable< MAC,Address > _remoteBridgeRoutes; // remote addresses where given MACs are reachable (for tracking devices behind remote bridges) NetworkConfig _config; - uint64_t _lastConfigUpdate; + volatile uint64_t _lastConfigUpdate; - struct _IncomingConfigChunk - { - uint64_t ts; - uint64_t updateId; - uint64_t haveChunkIds[ZT_NETWORK_MAX_UPDATE_CHUNKS]; - unsigned long haveChunks; - unsigned long haveBytes; - Dictionary data; - }; - _IncomingConfigChunk _incomingConfigChunks[ZT_NETWORK_MAX_INCOMING_UPDATES]; - - bool _destroyed; + volatile bool _destroyed; enum { NETCONF_FAILURE_NONE, @@ -370,9 +341,7 @@ private: NETCONF_FAILURE_NOT_FOUND, NETCONF_FAILURE_INIT_FAILED } _netconfFailure; - int _portError; // return value from port config callback - - Hashtable _memberships; + volatile int _portError; // return value from port config callback Mutex _lock; diff --git a/zerotierone/node/NetworkConfig.cpp b/zerotierone/node/NetworkConfig.cpp index 6acc48e..58a48fa 100644 --- a/zerotierone/node/NetworkConfig.cpp +++ b/zerotierone/node/NetworkConfig.cpp @@ -18,328 +18,163 @@ #include -#include - #include "NetworkConfig.hpp" #include "Utils.hpp" namespace ZeroTier { -bool NetworkConfig::toDictionary(Dictionary &d,bool includeLegacy) const -{ - Buffer *tmp = new Buffer(); - - try { - d.clear(); - - // Try to put the more human-readable fields first - - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_VERSION,(uint64_t)ZT_NETWORKCONFIG_VERSION)) return false; - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID,this->networkId)) return false; - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP,this->timestamp)) return false; - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TIME_MAX_DELTA,this->credentialTimeMaxDelta)) return false; - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_REVISION,this->revision)) return false; - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO,this->issuedTo)) return false; - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_FLAGS,this->flags)) return false; - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_LIMIT,(uint64_t)this->multicastLimit)) return false; - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_TYPE,(uint64_t)this->type)) return false; - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_NAME,this->name)) return false; - #ifdef ZT_SUPPORT_OLD_STYLE_NETCONF - if (includeLegacy) { - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_ALLOW_PASSIVE_BRIDGING_OLD,this->allowPassiveBridging())) return false; - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_ENABLE_BROADCAST_OLD,this->enableBroadcast())) return false; - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_PRIVATE_OLD,this->isPrivate())) return false; - std::string v4s; - for(unsigned int i=0;istaticIps[i].ss_family == AF_INET) { - if (v4s.length() > 0) - v4s.push_back(','); - v4s.append(this->staticIps[i].toString()); - } - } - if (v4s.length() > 0) { - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_IPV4_STATIC_OLD,v4s.c_str())) return false; - } - std::string v6s; - for(unsigned int i=0;istaticIps[i].ss_family == AF_INET6) { - if (v6s.length() > 0) - v6s.push_back(','); - v6s.append(this->staticIps[i].toString()); - } - } - if (v6s.length() > 0) { - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_IPV6_STATIC_OLD,v6s.c_str())) return false; - } +void NetworkConfig::fromDictionary(const char *ds,unsigned int dslen) +{ + static const std::string zero("0"); + static const std::string one("1"); - std::string ets; - unsigned int et = 0; - ZT_VirtualNetworkRuleType lastrt = ZT_NETWORK_RULE_ACTION_ACCEPT; - for(unsigned int i=0;i 0) - ets.push_back(','); - char tmp2[16]; - Utils::snprintf(tmp2,sizeof(tmp2),"%x",et); - ets.append(tmp2); + Dictionary d(ds,dslen); + + memset(this,0,sizeof(NetworkConfig)); + + // NOTE: d.get(name) throws if not found, d.get(name,default) returns default + + networkId = Utils::hexStrToU64(d.get(ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID,"0").c_str()); + if (!networkId) + throw std::invalid_argument("configuration contains zero network ID"); + + timestamp = Utils::hexStrToU64(d.get(ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP,"0").c_str()); + revision = Utils::hexStrToU64(d.get(ZT_NETWORKCONFIG_DICT_KEY_REVISION,"1").c_str()); // older controllers don't send this, so default to 1 + issuedTo = Address(d.get(ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO,"0")); + + multicastLimit = Utils::hexStrToUInt(d.get(ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_LIMIT,zero).c_str()); + if (multicastLimit == 0) multicastLimit = ZT_MULTICAST_DEFAULT_LIMIT; + + flags |= ((Utils::hexStrToUInt(d.get(ZT_NETWORKCONFIG_DICT_KEY_ALLOW_PASSIVE_BRIDGING,zero).c_str()) != 0) ? ZT_NETWORKCONFIG_FLAG_ALLOW_PASSIVE_BRIDGING : 0); + flags |= ((Utils::hexStrToUInt(d.get(ZT_NETWORKCONFIG_DICT_KEY_ENABLE_BROADCAST,one).c_str()) != 0) ? ZT_NETWORKCONFIG_FLAG_ENABLE_BROADCAST : 0); + + this->type = (Utils::hexStrToUInt(d.get(ZT_NETWORKCONFIG_DICT_KEY_PRIVATE,one).c_str()) != 0) ? ZT_NETWORK_TYPE_PRIVATE : ZT_NETWORK_TYPE_PUBLIC; + + std::string nametmp(d.get(ZT_NETWORKCONFIG_DICT_KEY_NAME,"")); + for(unsigned long i=0;((i activeBridgesSplit(Utils::split(d.get(ZT_NETWORKCONFIG_DICT_KEY_ACTIVE_BRIDGES,"").c_str(),",","","")); + for(std::vector::const_iterator a(activeBridgesSplit.begin());a!=activeBridgesSplit.end();++a) { + if (a->length() == ZT_ADDRESS_LENGTH_HEX) { // ignore empty or garbage fields + Address tmp(*a); + if (!tmp.isReserved()) { + uint64_t specialist = tmp.toInt(); + for(unsigned int i=0;i 0) { - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_ALLOWED_ETHERNET_TYPES_OLD,ets.c_str())) return false; - } - - if (this->com) { - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATE_OF_MEMBERSHIP_OLD,this->com.toString().c_str())) return false; - } - - std::string ab; - for(unsigned int i=0;ispecialistCount;++i) { - if ((this->specialists[i] & ZT_NETWORKCONFIG_SPECIALIST_TYPE_ACTIVE_BRIDGE) != 0) { - if (ab.length() > 0) - ab.push_back(','); - ab.append(Address(this->specialists[i]).toString().c_str()); - } - } - if (ab.length() > 0) { - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_ACTIVE_BRIDGES_OLD,ab.c_str())) return false; + if ((specialist)&&(specialistCount < ZT_MAX_NETWORK_SPECIALISTS)) + specialists[specialistCount++] = specialist | ZT_NETWORKCONFIG_SPECIALIST_TYPE_ACTIVE_BRIDGE; } } + } + + std::string ipAddrs(d.get(ZT_NETWORKCONFIG_DICT_KEY_IPV4_STATIC,std::string())); + { + std::string v6s(d.get(ZT_NETWORKCONFIG_DICT_KEY_IPV6_STATIC,std::string())); + if (v6s.length()) { + if (ipAddrs.length()) + ipAddrs.push_back(','); + ipAddrs.append(v6s); + } + } + std::vector ipAddrsSplit(Utils::split(ipAddrs.c_str(),",","","")); + for(std::vector::const_iterator ipstr(ipAddrsSplit.begin());ipstr!=ipAddrsSplit.end();++ipstr) { + InetAddress addr(*ipstr); + switch(addr.ss_family) { + case AF_INET: + if ((!addr.netmaskBits())||(addr.netmaskBits() > 32)) + continue; + break; + case AF_INET6: + if ((!addr.netmaskBits())||(addr.netmaskBits() > 128)) + continue; + break; + default: // ignore unrecognized address types or junk/empty fields + continue; + } + if (!addr.isNetwork()) { + if ((staticIpCount < ZT_MAX_ZT_ASSIGNED_ADDRESSES)&&(std::find(&(staticIps[0]),&(staticIps[staticIpCount]),addr) == &(staticIps[staticIpCount]))) + staticIps[staticIpCount++] = addr; + } + } + std::sort(&(staticIps[0]),&(staticIps[staticIpCount])); + + /* Old versions don't support gateways anyway, so ignore this in old netconfs + std::vector gatewaysSplit(Utils::split(d.get(ZT_NETWORKCONFIG_DICT_KEY_GATEWAYS,"").c_str(),",","","")); + for(std::vector::const_iterator gwstr(gatewaysSplit.begin());gwstr!=gatewaysSplit.end();++gwstr) { + InetAddress gw(*gwstr); + if ((gw)&&(_gatewayCount < ZT_MAX_NETWORK_GATEWAYS)&&(std::find(&(_gateways[0]),&(_gateways[_gatewayCount]),gw) == &(_gateways[_gatewayCount]))) + _gateways[_gatewayCount++] = gw; + } + std::sort(&(_gateways[0]),&(_gateways[_gatewayCount])); + */ + + std::vector relaysSplit(Utils::split(d.get(ZT_NETWORKCONFIG_DICT_KEY_RELAYS,"").c_str(),",","","")); + for(std::vector::const_iterator r(relaysSplit.begin());r!=relaysSplit.end();++r) { + if (r->length() >= ZT_ADDRESS_LENGTH_HEX) { + Address zt(r->substr(0,ZT_ADDRESS_LENGTH_HEX).c_str()); + InetAddress phy[2]; + unsigned int phyCount = 0; + const std::size_t semi(r->find(';')); + if ((semi > ZT_ADDRESS_LENGTH_HEX)&&(semi < (r->length() - 2))) { + std::vector phySplit(Utils::split(r->substr(semi+1).c_str(),",","","")); + for(std::vector::const_iterator p(phySplit.begin());((p!=phySplit.end())&&(phyCount < 2));++p) { + phy[phyCount] = InetAddress(*p); + if (phy[phyCount]) + ++phyCount; + else phy[phyCount].zero(); + } + } + + uint64_t specialist = zt.toInt(); + for(unsigned int i=0;i ets(Utils::split(d.get(ZT_NETWORKCONFIG_DICT_KEY_ALLOWED_ETHERNET_TYPES,"").c_str(),",","","")); + for(std::vector::const_iterator et(ets.begin());et!=ets.end();++et) { + unsigned int et2 = Utils::hexStrToUInt(et->c_str()) & 0xffff; + if ((ruleCount + 1) < ZT_MAX_NETWORK_RULES) { + if (et2) { + rules[ruleCount].t = ZT_NETWORK_RULE_MATCH_ETHERTYPE; + rules[ruleCount].v.etherType = (uint16_t)et2; + ++ruleCount; + } + rules[ruleCount++].t = ZT_NETWORK_RULE_ACTION_ACCEPT; + } + } + + this->com.fromString(d.get(ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATE_OF_MEMBERSHIP,std::string())); +} + #endif // ZT_SUPPORT_OLD_STYLE_NETCONF - // Then add binary blobs - - if (this->com) { - tmp->clear(); - this->com.serialize(*tmp); - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_COM,*tmp)) return false; - } - - tmp->clear(); - for(unsigned int i=0;icapabilityCount;++i) - this->capabilities[i].serialize(*tmp); - if (tmp->size()) { - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CAPABILITIES,*tmp)) return false; - } - - tmp->clear(); - for(unsigned int i=0;itagCount;++i) - this->tags[i].serialize(*tmp); - if (tmp->size()) { - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_TAGS,*tmp)) return false; - } - - tmp->clear(); - for(unsigned int i=0;ispecialistCount;++i) - tmp->append((uint64_t)this->specialists[i]); - if (tmp->size()) { - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_SPECIALISTS,*tmp)) return false; - } - - tmp->clear(); - for(unsigned int i=0;irouteCount;++i) { - reinterpret_cast(&(this->routes[i].target))->serialize(*tmp); - reinterpret_cast(&(this->routes[i].via))->serialize(*tmp); - tmp->append((uint16_t)this->routes[i].flags); - tmp->append((uint16_t)this->routes[i].metric); - } - if (tmp->size()) { - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_ROUTES,*tmp)) return false; - } - - tmp->clear(); - for(unsigned int i=0;istaticIpCount;++i) - this->staticIps[i].serialize(*tmp); - if (tmp->size()) { - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_STATIC_IPS,*tmp)) return false; - } - - if (this->ruleCount) { - tmp->clear(); - Capability::serializeRules(*tmp,rules,ruleCount); - if (tmp->size()) { - if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_RULES,*tmp)) return false; - } - } - - delete tmp; - } catch ( ... ) { - delete tmp; - throw; - } - - return true; -} - -bool NetworkConfig::fromDictionary(const Dictionary &d) -{ - Buffer *tmp = new Buffer(); - - try { - memset(this,0,sizeof(NetworkConfig)); - - // Fields that are always present, new or old - this->networkId = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID,0); - if (!this->networkId) { - delete tmp; - return false; - } - this->timestamp = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP,0); - this->credentialTimeMaxDelta = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TIME_MAX_DELTA,0); - this->revision = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_REVISION,0); - this->issuedTo = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO,0); - if (!this->issuedTo) { - delete tmp; - return false; - } - this->multicastLimit = (unsigned int)d.getUI(ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_LIMIT,0); - d.get(ZT_NETWORKCONFIG_DICT_KEY_NAME,this->name,sizeof(this->name)); - - if (d.getUI(ZT_NETWORKCONFIG_DICT_KEY_VERSION,0) < 6) { - #ifdef ZT_SUPPORT_OLD_STYLE_NETCONF - char tmp2[1024]; - - // Decode legacy fields if version is old - if (d.getB(ZT_NETWORKCONFIG_DICT_KEY_ALLOW_PASSIVE_BRIDGING_OLD)) - this->flags |= ZT_NETWORKCONFIG_FLAG_ALLOW_PASSIVE_BRIDGING; - if (d.getB(ZT_NETWORKCONFIG_DICT_KEY_ENABLE_BROADCAST_OLD)) - this->flags |= ZT_NETWORKCONFIG_FLAG_ENABLE_BROADCAST; - this->flags |= ZT_NETWORKCONFIG_FLAG_ENABLE_IPV6_NDP_EMULATION; // always enable for old-style netconf - this->type = (d.getB(ZT_NETWORKCONFIG_DICT_KEY_PRIVATE_OLD,true)) ? ZT_NETWORK_TYPE_PRIVATE : ZT_NETWORK_TYPE_PUBLIC; - - if (d.get(ZT_NETWORKCONFIG_DICT_KEY_IPV4_STATIC_OLD,tmp2,sizeof(tmp2)) > 0) { - char *saveptr = (char *)0; - for(char *f=Utils::stok(tmp2,",",&saveptr);(f);f=Utils::stok((char *)0,",",&saveptr)) { - if (this->staticIpCount >= ZT_MAX_ZT_ASSIGNED_ADDRESSES) break; - InetAddress ip(f); - if (!ip.isNetwork()) - this->staticIps[this->staticIpCount++] = ip; - } - } - if (d.get(ZT_NETWORKCONFIG_DICT_KEY_IPV6_STATIC_OLD,tmp2,sizeof(tmp2)) > 0) { - char *saveptr = (char *)0; - for(char *f=Utils::stok(tmp2,",",&saveptr);(f);f=Utils::stok((char *)0,",",&saveptr)) { - if (this->staticIpCount >= ZT_MAX_ZT_ASSIGNED_ADDRESSES) break; - InetAddress ip(f); - if (!ip.isNetwork()) - this->staticIps[this->staticIpCount++] = ip; - } - } - - if (d.get(ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATE_OF_MEMBERSHIP_OLD,tmp2,sizeof(tmp2)) > 0) { - this->com.fromString(tmp2); - } - - if (d.get(ZT_NETWORKCONFIG_DICT_KEY_ALLOWED_ETHERNET_TYPES_OLD,tmp2,sizeof(tmp2)) > 0) { - char *saveptr = (char *)0; - for(char *f=Utils::stok(tmp2,",",&saveptr);(f);f=Utils::stok((char *)0,",",&saveptr)) { - unsigned int et = Utils::hexStrToUInt(f) & 0xffff; - if ((this->ruleCount + 2) > ZT_MAX_NETWORK_RULES) break; - if (et > 0) { - this->rules[this->ruleCount].t = (uint8_t)ZT_NETWORK_RULE_MATCH_ETHERTYPE; - this->rules[this->ruleCount].v.etherType = (uint16_t)et; - ++this->ruleCount; - } - this->rules[this->ruleCount++].t = (uint8_t)ZT_NETWORK_RULE_ACTION_ACCEPT; - } - } else { - this->rules[0].t = ZT_NETWORK_RULE_ACTION_ACCEPT; - this->ruleCount = 1; - } - - if (d.get(ZT_NETWORKCONFIG_DICT_KEY_ACTIVE_BRIDGES_OLD,tmp2,sizeof(tmp2)) > 0) { - char *saveptr = (char *)0; - for(char *f=Utils::stok(tmp2,",",&saveptr);(f);f=Utils::stok((char *)0,",",&saveptr)) { - this->addSpecialist(Address(f),ZT_NETWORKCONFIG_SPECIALIST_TYPE_ACTIVE_BRIDGE); - } - } - #else - delete tmp; - return false; - #endif // ZT_SUPPORT_OLD_STYLE_NETCONF - } else { - // Otherwise we can use the new fields - this->flags = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_FLAGS,0); - this->type = (ZT_VirtualNetworkType)d.getUI(ZT_NETWORKCONFIG_DICT_KEY_TYPE,(uint64_t)ZT_NETWORK_TYPE_PRIVATE); - - if (d.get(ZT_NETWORKCONFIG_DICT_KEY_COM,*tmp)) - this->com.deserialize(*tmp,0); - - if (d.get(ZT_NETWORKCONFIG_DICT_KEY_CAPABILITIES,*tmp)) { - try { - unsigned int p = 0; - while (p < tmp->size()) { - Capability cap; - p += cap.deserialize(*tmp,p); - this->capabilities[this->capabilityCount++] = cap; - } - } catch ( ... ) {} - std::sort(&(this->capabilities[0]),&(this->capabilities[this->capabilityCount])); - } - - if (d.get(ZT_NETWORKCONFIG_DICT_KEY_TAGS,*tmp)) { - try { - unsigned int p = 0; - while (p < tmp->size()) { - Tag tag; - p += tag.deserialize(*tmp,p); - this->tags[this->tagCount++] = tag; - } - } catch ( ... ) {} - std::sort(&(this->tags[0]),&(this->tags[this->tagCount])); - } - - if (d.get(ZT_NETWORKCONFIG_DICT_KEY_SPECIALISTS,*tmp)) { - unsigned int p = 0; - while (((p + 8) <= tmp->size())&&(specialistCount < ZT_MAX_NETWORK_SPECIALISTS)) { - this->specialists[this->specialistCount++] = tmp->at(p); - p += 8; - } - } - - if (d.get(ZT_NETWORKCONFIG_DICT_KEY_ROUTES,*tmp)) { - unsigned int p = 0; - while ((p < tmp->size())&&(routeCount < ZT_MAX_NETWORK_ROUTES)) { - p += reinterpret_cast(&(this->routes[this->routeCount].target))->deserialize(*tmp,p); - p += reinterpret_cast(&(this->routes[this->routeCount].via))->deserialize(*tmp,p); - this->routes[this->routeCount].flags = tmp->at(p); p += 2; - this->routes[this->routeCount].metric = tmp->at(p); p += 2; - ++this->routeCount; - } - } - - if (d.get(ZT_NETWORKCONFIG_DICT_KEY_STATIC_IPS,*tmp)) { - unsigned int p = 0; - while ((p < tmp->size())&&(staticIpCount < ZT_MAX_ZT_ASSIGNED_ADDRESSES)) { - p += this->staticIps[this->staticIpCount++].deserialize(*tmp,p); - } - } - - if (d.get(ZT_NETWORKCONFIG_DICT_KEY_RULES,*tmp)) { - this->ruleCount = 0; - unsigned int p = 0; - Capability::deserializeRules(*tmp,p,this->rules,this->ruleCount,ZT_MAX_NETWORK_RULES); - } - } - - //printf("~~~\n%s\n~~~\n",d.data()); - //dump(); - //printf("~~~\n"); - - delete tmp; - return true; - } catch ( ... ) { - delete tmp; - return false; - } -} - } // namespace ZeroTier diff --git a/zerotierone/node/NetworkConfig.hpp b/zerotierone/node/NetworkConfig.hpp index a548e86..a7ed77b 100644 --- a/zerotierone/node/NetworkConfig.hpp +++ b/zerotierone/node/NetworkConfig.hpp @@ -35,51 +35,26 @@ #include "MulticastGroup.hpp" #include "Address.hpp" #include "CertificateOfMembership.hpp" -#include "Capability.hpp" -#include "Tag.hpp" + +#ifdef ZT_SUPPORT_OLD_STYLE_NETCONF #include "Dictionary.hpp" -#include "Identity.hpp" - -/** - * Default maximum time delta for COMs, tags, and capabilities - * - * The current value is two hours, providing ample time for a controller to - * experience fail-over, etc. - */ -#define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MAX_MAX_DELTA 7200000ULL - -/** - * Default minimum credential TTL and maxDelta for COM timestamps - * - * This is just slightly over three minutes and provides three retries for - * all currently online members to refresh. - */ -#define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MIN_MAX_DELTA 185000ULL +#include +#endif /** * Flag: allow passive bridging (experimental) */ -#define ZT_NETWORKCONFIG_FLAG_ALLOW_PASSIVE_BRIDGING 0x0000000000000001ULL +#define ZT_NETWORKCONFIG_FLAG_ALLOW_PASSIVE_BRIDGING 0x0001 /** * Flag: enable broadcast */ -#define ZT_NETWORKCONFIG_FLAG_ENABLE_BROADCAST 0x0000000000000002ULL +#define ZT_NETWORKCONFIG_FLAG_ENABLE_BROADCAST 0x0002 /** - * Flag: enable IPv6 NDP emulation for certain V6 address patterns + * Device is a network preferred relay */ -#define ZT_NETWORKCONFIG_FLAG_ENABLE_IPV6_NDP_EMULATION 0x0000000000000004ULL - -/** - * Flag: result of unrecognized MATCH entries in a rules table: match if set, no-match if clear - */ -#define ZT_NETWORKCONFIG_FLAG_RULES_RESULT_OF_UNSUPPORTED_MATCH 0x0000000000000008ULL - -/** - * Flag: disable frame compression - */ -#define ZT_NETWORKCONFIG_FLAG_DISABLE_COMPRESSION 0x0000000000000010ULL +#define ZT_NETWORKCONFIG_SPECIALIST_TYPE_NETWORK_PREFERRED_RELAY 0x0000010000000000ULL /** * Device is an active bridge @@ -87,62 +62,24 @@ #define ZT_NETWORKCONFIG_SPECIALIST_TYPE_ACTIVE_BRIDGE 0x0000020000000000ULL /** - * Anchors are stable devices on this network that can cache multicast info, etc. + * An anchor is a device that is willing to be one and has been online/stable for a long time on this network */ #define ZT_NETWORKCONFIG_SPECIALIST_TYPE_ANCHOR 0x0000040000000000ULL -/** - * Device can send CIRCUIT_TESTs for this network - */ -#define ZT_NETWORKCONFIG_SPECIALIST_TYPE_CIRCUIT_TESTER 0x0000080000000000ULL - namespace ZeroTier { -// Dictionary capacity needed for max size network config -#define ZT_NETWORKCONFIG_DICT_CAPACITY (4096 + (sizeof(ZT_VirtualNetworkRule) * ZT_MAX_NETWORK_RULES) + (sizeof(Capability) * ZT_MAX_NETWORK_CAPABILITIES) + (sizeof(Tag) * ZT_MAX_NETWORK_TAGS)) - -// Dictionary capacity needed for max size network meta-data -#define ZT_NETWORKCONFIG_METADATA_DICT_CAPACITY 1024 - -// Network config version -#define ZT_NETWORKCONFIG_VERSION 7 +#ifdef ZT_SUPPORT_OLD_STYLE_NETCONF // Fields for meta-data sent with network config requests - -// Network config version -#define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_VERSION "v" -// Protocol version (see Packet.hpp) -#define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_PROTOCOL_VERSION "pv" -// Software vendor -#define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_VENDOR "vend" -// Software major version #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_MAJOR_VERSION "majv" -// Software minor version #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_MINOR_VERSION "minv" -// Software revision #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_REVISION "revv" -// Rules engine revision -#define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_RULES_ENGINE_REV "revr" -// Maximum number of rules per network this node can accept -#define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_MAX_NETWORK_RULES "mr" -// Maximum number of capabilities this node can accept -#define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_MAX_NETWORK_CAPABILITIES "mc" -// Maximum number of rules per capability this node can accept -#define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_MAX_CAPABILITY_RULES "mcr" -// Maximum number of tags this node can accept -#define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_MAX_NETWORK_TAGS "mt" -// Network join authorization token (if any) -#define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_AUTH "a" -// Network configuration meta-data flags -#define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_FLAGS "f" -// Relay policy for this node -#define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_RELAY_POLICY "rp" -// These dictionary keys are short so they don't take up much room. -// By convention we use upper case for binary blobs, but it doesn't really matter. +// These dictionary keys are short so they don't take up much room in +// netconf response packets. -// network config version -#define ZT_NETWORKCONFIG_DICT_KEY_VERSION "v" +// integer(hex)[,integer(hex),...] +#define ZT_NETWORKCONFIG_DICT_KEY_ALLOWED_ETHERNET_TYPES "et" // network ID #define ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID "nwid" // integer(hex) @@ -151,57 +88,34 @@ namespace ZeroTier { #define ZT_NETWORKCONFIG_DICT_KEY_REVISION "r" // address of member #define ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO "id" -// flags(hex) -#define ZT_NETWORKCONFIG_DICT_KEY_FLAGS "f" // integer(hex) #define ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_LIMIT "ml" -// network type (hex) -#define ZT_NETWORKCONFIG_DICT_KEY_TYPE "t" +// 0/1 +#define ZT_NETWORKCONFIG_DICT_KEY_PRIVATE "p" // text #define ZT_NETWORKCONFIG_DICT_KEY_NAME "n" -// credential time max delta in ms -#define ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TIME_MAX_DELTA "ctmd" -// binary serialized certificate of membership -#define ZT_NETWORKCONFIG_DICT_KEY_COM "C" -// specialists (binary array of uint64_t) -#define ZT_NETWORKCONFIG_DICT_KEY_SPECIALISTS "S" -// routes (binary blob) -#define ZT_NETWORKCONFIG_DICT_KEY_ROUTES "RT" -// static IPs (binary blob) -#define ZT_NETWORKCONFIG_DICT_KEY_STATIC_IPS "I" -// rules (binary blob) -#define ZT_NETWORKCONFIG_DICT_KEY_RULES "R" -// capabilities (binary blobs) -#define ZT_NETWORKCONFIG_DICT_KEY_CAPABILITIES "CAP" -// tags (binary blobs) -#define ZT_NETWORKCONFIG_DICT_KEY_TAGS "TAG" -// curve25519 signature -#define ZT_NETWORKCONFIG_DICT_KEY_SIGNATURE "C25519" - -// Legacy fields -- these are obsoleted but are included when older clients query - -// boolean (now a flag) -#define ZT_NETWORKCONFIG_DICT_KEY_ALLOW_PASSIVE_BRIDGING_OLD "pb" -// boolean (now a flag) -#define ZT_NETWORKCONFIG_DICT_KEY_ENABLE_BROADCAST_OLD "eb" +// text +#define ZT_NETWORKCONFIG_DICT_KEY_DESC "d" // IP/bits[,IP/bits,...] // Note that IPs that end in all zeroes are routes with no assignment in them. -#define ZT_NETWORKCONFIG_DICT_KEY_IPV4_STATIC_OLD "v4s" +#define ZT_NETWORKCONFIG_DICT_KEY_IPV4_STATIC "v4s" // IP/bits[,IP/bits,...] // Note that IPs that end in all zeroes are routes with no assignment in them. -#define ZT_NETWORKCONFIG_DICT_KEY_IPV6_STATIC_OLD "v6s" +#define ZT_NETWORKCONFIG_DICT_KEY_IPV6_STATIC "v6s" +// serialized CertificateOfMembership +#define ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATE_OF_MEMBERSHIP "com" // 0/1 -#define ZT_NETWORKCONFIG_DICT_KEY_PRIVATE_OLD "p" -// integer(hex)[,integer(hex),...] -#define ZT_NETWORKCONFIG_DICT_KEY_ALLOWED_ETHERNET_TYPES_OLD "et" -// string-serialized CertificateOfMembership -#define ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATE_OF_MEMBERSHIP_OLD "com" +#define ZT_NETWORKCONFIG_DICT_KEY_ENABLE_BROADCAST "eb" +// 0/1 +#define ZT_NETWORKCONFIG_DICT_KEY_ALLOW_PASSIVE_BRIDGING "pb" // node[,node,...] -#define ZT_NETWORKCONFIG_DICT_KEY_ACTIVE_BRIDGES_OLD "ab" +#define ZT_NETWORKCONFIG_DICT_KEY_ACTIVE_BRIDGES "ab" // node;IP/port[,node;IP/port] -#define ZT_NETWORKCONFIG_DICT_KEY_RELAYS_OLD "rl" +#define ZT_NETWORKCONFIG_DICT_KEY_RELAYS "rl" +// IP/metric[,IP/metric,...] +#define ZT_NETWORKCONFIG_DICT_KEY_GATEWAYS "gw" -// End legacy fields +#endif // ZT_SUPPORT_OLD_STYLE_NETCONF /** * Network configuration received from network controller nodes @@ -212,6 +126,58 @@ namespace ZeroTier { class NetworkConfig { public: + /** + * Network preferred relay with optional physical endpoint addresses + * + * This is used by the convenience relays() method. + */ + struct Relay + { + Address address; + InetAddress phy4,phy6; + }; + + /** + * Create an instance of a NetworkConfig for the test network ID + * + * The test network ID is defined as ZT_TEST_NETWORK_ID. This is a + * "fake" network with no real controller and default options. + * + * @param self This node's ZT address + * @return Configuration for test network ID + */ + static inline NetworkConfig createTestNetworkConfig(const Address &self) + { + NetworkConfig nc; + + nc.networkId = ZT_TEST_NETWORK_ID; + nc.timestamp = 1; + nc.revision = 1; + nc.issuedTo = self; + nc.multicastLimit = ZT_MULTICAST_DEFAULT_LIMIT; + nc.flags = ZT_NETWORKCONFIG_FLAG_ENABLE_BROADCAST; + nc.type = ZT_NETWORK_TYPE_PUBLIC; + + nc.rules[0].t = ZT_NETWORK_RULE_ACTION_ACCEPT; + nc.ruleCount = 1; + + Utils::snprintf(nc.name,sizeof(nc.name),"ZT_TEST_NETWORK"); + + // Make up a V4 IP from 'self' in the 10.0.0.0/8 range -- no + // guarantee of uniqueness but collisions are unlikely. + uint32_t ip = (uint32_t)((self.toInt() & 0x00ffffff) | 0x0a000000); // 10.x.x.x + if ((ip & 0x000000ff) == 0x000000ff) ip ^= 0x00000001; // but not ending in .255 + if ((ip & 0x000000ff) == 0x00000000) ip ^= 0x00000001; // or .0 + nc.staticIps[0] = InetAddress(Utils::hton(ip),8); + + // Assign an RFC4193-compliant IPv6 address -- will never collide + nc.staticIps[1] = InetAddress::makeIpv6rfc4193(ZT_TEST_NETWORK_ID,self.toInt()); + + nc.staticIpCount = 2; + + return nc; + } + NetworkConfig() { memset(this,0,sizeof(NetworkConfig)); @@ -229,21 +195,24 @@ public: } /** - * Write this network config to a dictionary for transport - * - * @param d Dictionary - * @param includeLegacy If true, include legacy fields for old node versions - * @return True if dictionary was successfully created, false if e.g. overflow + * @param etherType Ethernet frame type to check + * @return True if allowed on this network */ - bool toDictionary(Dictionary &d,bool includeLegacy) const; - - /** - * Read this network config from a dictionary - * - * @param d Dictionary (non-const since it might be modified during parse, should not be used after call) - * @return True if dictionary was valid and network config successfully initialized - */ - bool fromDictionary(const Dictionary &d); + inline bool permitsEtherType(unsigned int etherType) const + { + unsigned int et = 0; + for(unsigned int i=0;iflags & ZT_NETWORKCONFIG_FLAG_ENABLE_BROADCAST) != 0); } - /** - * @return True if IPv6 NDP emulation should be allowed for certain "magic" IPv6 address patterns - */ - inline bool ndpEmulation() const throw() { return ((this->flags & ZT_NETWORKCONFIG_FLAG_ENABLE_IPV6_NDP_EMULATION) != 0); } - - /** - * @return True if frames should not be compressed - */ - inline bool disableCompression() const throw() { return ((this->flags & ZT_NETWORKCONFIG_FLAG_DISABLE_COMPRESSION) != 0); } - /** * @return Network type is public (no access control) */ @@ -302,16 +261,40 @@ public: } /** - * @param a Address to check - * @return True if address is an anchor + * Get pinned physical address for a given ZeroTier address, if any + * + * @param zt ZeroTier address + * @param af Address family (e.g. AF_INET) or 0 for the first we find of any type + * @return Physical address, if any */ - inline bool isAnchor(const Address &a) const + inline InetAddress findPinnedAddress(const Address &zt,unsigned int af) const { - for(unsigned int i=0;i relays() const + { + std::vector r; + for(unsigned int i=0;i> 24) & 0xffffffffffULL)) - return true; for(unsigned int i=0;i + inline void serialize(Buffer &b) const { - const uint64_t aint = a.toInt(); - for(unsigned int i=0;i 255) nl = 255; // sanity check + b.append((uint8_t)nl); + b.append((const void *)name,nl); + + b.append((uint16_t)specialistCount); + for(unsigned int i=0;i(&(routes[i].target))->serialize(b); + reinterpret_cast(&(routes[i].via))->serialize(b); + } + + b.append((uint16_t)staticIpCount); + for(unsigned int i=0;icom.serialize(b); + + b.append((uint16_t)0); // extended bytes, currently 0 since unused } - const Capability *capability(const uint32_t id) const + template + inline unsigned int deserialize(const Buffer &b,unsigned int startAt = 0) { - for(unsigned int i=0;i(p) != 1) + throw std::invalid_argument("unrecognized version"); + p += 2; + + networkId = b.template at(p); p += 8; + timestamp = b.template at(p); p += 8; + revision = b.template at(p); p += 8; + issuedTo.setTo(b.field(p,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); p += ZT_ADDRESS_LENGTH; + multicastLimit = (unsigned int)b.template at(p); p += 4; + flags = (unsigned int)b.template at(p); p += 4; + type = (ZT_VirtualNetworkType)b[p++]; + + unsigned int nl = (unsigned int)b[p++]; + memcpy(this->name,b.field(p,nl),std::min(nl,(unsigned int)ZT_MAX_NETWORK_SHORT_NAME_LENGTH)); + p += nl; + // _name will always be null terminated since field size is ZT_MAX_NETWORK_SHORT_NAME_LENGTH + 1 + + specialistCount = (unsigned int)b.template at(p); p += 2; + if (specialistCount > ZT_MAX_NETWORK_SPECIALISTS) + throw std::invalid_argument("overflow (specialists)"); + for(unsigned int i=0;i(p); p += 8; } - return (Capability *)0; + + routeCount = (unsigned int)b.template at(p); p += 2; + if (routeCount > ZT_MAX_NETWORK_ROUTES) + throw std::invalid_argument("overflow (routes)"); + for(unsigned int i=0;i(&(routes[i].target))->deserialize(b,p); + p += reinterpret_cast(&(routes[i].via))->deserialize(b,p); + } + + staticIpCount = (unsigned int)b.template at(p); p += 2; + if (staticIpCount > ZT_MAX_ZT_ASSIGNED_ADDRESSES) + throw std::invalid_argument("overflow (static IPs)"); + for(unsigned int i=0;i(p); p += 2; + if (pinnedCount > ZT_MAX_NETWORK_PINNED) + throw std::invalid_argument("overflow (static addresses)"); + for(unsigned int i=0;i(p); p += 2; + if (ruleCount > ZT_MAX_NETWORK_RULES) + throw std::invalid_argument("overflow (rules)"); + for(unsigned int i=0;i(p); + break; + case ZT_NETWORK_RULE_MATCH_VLAN_PCP: + rules[i].v.vlanPcp = (uint8_t)b[p]; + break; + case ZT_NETWORK_RULE_MATCH_VLAN_DEI: + rules[i].v.vlanDei = (uint8_t)b[p]; + break; + case ZT_NETWORK_RULE_MATCH_ETHERTYPE: + rules[i].v.etherType = b.template at(p); + break; + case ZT_NETWORK_RULE_MATCH_MAC_SOURCE: + case ZT_NETWORK_RULE_MATCH_MAC_DEST: + memcpy(rules[i].v.mac,b.field(p,6),6); + break; + case ZT_NETWORK_RULE_MATCH_IPV4_SOURCE: + case ZT_NETWORK_RULE_MATCH_IPV4_DEST: + memcpy(&(rules[i].v.ipv4.ip),b.field(p,4),4); + rules[i].v.ipv4.mask = (uint8_t)b[p+4]; + break; + case ZT_NETWORK_RULE_MATCH_IPV6_SOURCE: + case ZT_NETWORK_RULE_MATCH_IPV6_DEST: + memcpy(rules[i].v.ipv6.ip,b.field(p,16),16); + rules[i].v.ipv6.mask = (uint8_t)b[p+16]; + break; + case ZT_NETWORK_RULE_MATCH_IP_TOS: + rules[i].v.ipTos = (uint8_t)b[p]; + break; + case ZT_NETWORK_RULE_MATCH_IP_PROTOCOL: + rules[i].v.ipProtocol = (uint8_t)b[p]; + break; + case ZT_NETWORK_RULE_MATCH_IP_SOURCE_PORT_RANGE: + case ZT_NETWORK_RULE_MATCH_IP_DEST_PORT_RANGE: + rules[i].v.port[0] = b.template at(p); + rules[i].v.port[1] = b.template at(p+2); + break; + case ZT_NETWORK_RULE_MATCH_CHARACTERISTICS: + rules[i].v.characteristics = b.template at(p); + break; + case ZT_NETWORK_RULE_MATCH_FRAME_SIZE_RANGE: + rules[i].v.frameSize[0] = b.template at(p); + rules[i].v.frameSize[1] = b.template at(p+2); + break; + case ZT_NETWORK_RULE_MATCH_TCP_RELATIVE_SEQUENCE_NUMBER_RANGE: + rules[i].v.tcpseq[0] = b.template at(p); + rules[i].v.tcpseq[1] = b.template at(p + 4); + break; + } + p += rlen; + } + + p += this->com.deserialize(b,p); + + p += b.template at(p) + 2; + + return (p - startAt); } - const Tag *tag(const uint32_t id) const - { - for(unsigned int i=0;i(&(routes[i].target))->toString().c_str()); - printf(" routes[i].via==%s\n",reinterpret_cast(&(routes[i].via))->toIpString().c_str()); - printf(" routes[i].flags==%.4x\n",(unsigned int)routes[i].flags); - printf(" routes[i].metric==%u\n",(unsigned int)routes[i].metric); + printf(" routes[i].target==%s\n",reinterpret_cast(&(routes[i].target))->toString().c_str()); + printf(" routes[i].via==%s\n",reinterpret_cast(&(routes[i].via))->toString().c_str()); } printf("staticIpCount==%u\n",staticIpCount); for(unsigned int i=0;itoString().c_str()); + printf(" pinned[i].phy==%s\n",pinned[i].zt->toString().c_str()); + } printf("ruleCount==%u\n",ruleCount); printf("name==%s\n",name); printf("com==%s\n",com.toString().c_str()); @@ -435,11 +650,6 @@ public: */ uint64_t timestamp; - /** - * Max difference between timestamp and tag/capability timestamp - */ - uint64_t credentialTimeMaxDelta; - /** * Controller-side revision counter for this configuration */ @@ -450,16 +660,16 @@ public: */ Address issuedTo; - /** - * Flags (64-bit) - */ - uint64_t flags; - /** * Maximum number of recipients per multicast (not including active bridges) */ unsigned int multicastLimit; + /** + * Flags (32-bit) + */ + unsigned int flags; + /** * Number of specialists */ @@ -485,16 +695,6 @@ public: */ unsigned int ruleCount; - /** - * Number of capabilities - */ - unsigned int capabilityCount; - - /** - * Number of tags - */ - unsigned int tagCount; - /** * Specialist devices * @@ -514,20 +714,21 @@ public: InetAddress staticIps[ZT_MAX_ZT_ASSIGNED_ADDRESSES]; /** - * Base network rules + * Pinned devices with physical address hints + * + * These can be used to specify a physical address where a given device + * can be reached. It's usually used with network relays (specialists). + */ + struct { + Address zt; + InetAddress phy; + } pinned[ZT_MAX_NETWORK_PINNED]; + + /** + * Rules table */ ZT_VirtualNetworkRule rules[ZT_MAX_NETWORK_RULES]; - /** - * Capabilities for this node on this network, in ascending order of capability ID - */ - Capability capabilities[ZT_MAX_NETWORK_CAPABILITIES]; - - /** - * Tags for this node on this network, in ascending order of tag ID - */ - Tag tags[ZT_MAX_NETWORK_TAGS]; - /** * Network type (currently just public or private) */ diff --git a/zerotierone/node/NetworkController.hpp b/zerotierone/node/NetworkController.hpp index db95dd1..4ab6403 100644 --- a/zerotierone/node/NetworkController.hpp +++ b/zerotierone/node/NetworkController.hpp @@ -22,15 +22,15 @@ #include #include "Constants.hpp" -#include "Dictionary.hpp" -#include "NetworkConfig.hpp" +#include "InetAddress.hpp" +#include "Address.hpp" +#include "Identity.hpp" +#include "NetworkConfigRequestMetaData.hpp" +#include "Buffer.hpp" namespace ZeroTier { class RuntimeEnvironment; -class Identity; -class Address; -struct InetAddress; /** * Interface for network controller implementations @@ -67,16 +67,16 @@ public: * @param identity Originating peer ZeroTier identity * @param nwid 64-bit network ID * @param metaData Meta-data bundled with request (if any) - * @param nc NetworkConfig to fill with results - * @return Returns NETCONF_QUERY_OK if result 'nc' is valid, or an error code on error + * @param result Buffer to receive serialized network configuration data (any existing data in buffer is preserved) + * @return Returns NETCONF_QUERY_OK if result dictionary is valid, or an error code on error */ virtual NetworkController::ResultCode doNetworkConfigRequest( const InetAddress &fromAddr, const Identity &signingId, const Identity &identity, uint64_t nwid, - const Dictionary &metaData, - NetworkConfig &nc) = 0; + const NetworkConfigRequestMetaData &metaData, + Buffer<8194> &result) = 0; }; } // namespace ZeroTier diff --git a/zerotierone/node/Node.cpp b/zerotierone/node/Node.cpp index db9b8ea..bedbba9 100644 --- a/zerotierone/node/Node.cpp +++ b/zerotierone/node/Node.cpp @@ -37,6 +37,7 @@ #include "Identity.hpp" #include "SelfAwareness.hpp" #include "Cluster.hpp" +#include "DeferredPackets.hpp" const struct sockaddr_storage ZT_SOCKADDR_NULL = {0}; @@ -71,14 +72,10 @@ Node::Node( _prngStreamPtr(0), _now(now), _lastPingCheck(0), - _lastHousekeepingRun(0), - _relayPolicy(ZT_RELAY_POLICY_TRUSTED) + _lastHousekeepingRun(0) { _online = false; - memset(_expectingRepliesToBucketPtr,0,sizeof(_expectingRepliesToBucketPtr)); - memset(_expectingRepliesTo,0,sizeof(_expectingRepliesTo)); - // Use Salsa20 alone as a high-quality non-crypto PRNG { char foo[32]; @@ -111,7 +108,9 @@ Node::Node( RR->mc = new Multicaster(RR); RR->topology = new Topology(RR); RR->sa = new SelfAwareness(RR); + RR->dp = new DeferredPackets(RR); } catch ( ... ) { + delete RR->dp; delete RR->sa; delete RR->topology; delete RR->mc; @@ -119,9 +118,6 @@ Node::Node( throw; } - if (RR->topology->amRoot()) - _relayPolicy = ZT_RELAY_POLICY_ALWAYS; - postEvent(ZT_EVENT_UP); } @@ -131,11 +127,12 @@ Node::~Node() _networks.clear(); // ensure that networks are destroyed before shutdow + RR->dpEnabled = 0; + delete RR->dp; delete RR->sa; delete RR->topology; delete RR->mc; delete RR->sw; - #ifdef ZT_ENABLE_CLUSTER delete RR->cluster; #endif @@ -176,10 +173,11 @@ ZT_ResultCode Node::processVirtualNetworkFrame( class _PingPeersThatNeedPing { public: - _PingPeersThatNeedPing(const RuntimeEnvironment *renv,uint64_t now) : + _PingPeersThatNeedPing(const RuntimeEnvironment *renv,uint64_t now,const std::vector &relays) : lastReceiveFromUpstream(0), RR(renv), _now(now), + _relays(relays), _world(RR->topology->world()) { } @@ -210,6 +208,25 @@ public: } } + if (!upstream) { + // If I am a root server, only ping other root servers -- roots don't ping "down" + // since that would just be a waste of bandwidth and could potentially cause route + // flapping in Cluster mode. + if (RR->topology->amRoot()) + return; + + // Check for network preferred relays, also considered 'upstream' and thus always + // pinged to keep links up. If they have stable addresses we will try them there. + for(std::vector::const_iterator r(_relays.begin());r!=_relays.end();++r) { + if (r->address == p->address()) { + stableEndpoint4 = r->phy4; + stableEndpoint6 = r->phy6; + upstream = true; + break; + } + } + } + if (upstream) { // "Upstream" devices are roots and relays and get special treatment -- they stay alive // forever and we try to keep (if available) both IPv4 and IPv6 channels open to them. @@ -237,19 +254,20 @@ public: // way whatsoever. This will e.g. find network preferred relays that lack // stable endpoints by using root servers. Packet outp(p->address(),RR->identity.address(),Packet::VERB_NOP); - RR->sw->send(outp,true); + RR->sw->send(outp,true,0); } lastReceiveFromUpstream = std::max(p->lastReceive(),lastReceiveFromUpstream); - } else if (p->isActive(_now)) { + } else if (p->activelyTransferringFrames(_now)) { // Normal nodes get their preferred link kept alive if the node has generated frame traffic recently - p->doPingAndKeepalive(_now,-1); + p->doPingAndKeepalive(_now,0); } } private: const RuntimeEnvironment *RR; uint64_t _now; + const std::vector &_relays; World _world; }; @@ -265,20 +283,27 @@ ZT_ResultCode Node::processBackgroundTasks(uint64_t now,volatile uint64_t *nextB _lastPingCheck = now; // Get relays and networks that need config without leaving the mutex locked + std::vector< NetworkConfig::Relay > networkRelays; std::vector< SharedPtr > needConfig; { Mutex::Lock _l(_networks_m); for(std::vector< std::pair< uint64_t,SharedPtr > >::const_iterator n(_networks.begin());n!=_networks.end();++n) { - if (((now - n->second->lastConfigUpdate()) >= ZT_NETWORK_AUTOCONF_DELAY)||(!n->second->hasConfig())) + if (((now - n->second->lastConfigUpdate()) >= ZT_NETWORK_AUTOCONF_DELAY)||(!n->second->hasConfig())) { needConfig.push_back(n->second); - n->second->sendUpdatesToMembers(); + } + if (n->second->hasConfig()) { + std::vector r(n->second->config().relays()); + networkRelays.insert(networkRelays.end(),r.begin(),r.end()); + } } } + + // Request updated configuration for networks that need it for(std::vector< SharedPtr >::const_iterator n(needConfig.begin());n!=needConfig.end();++n) (*n)->requestConfiguration(); // Do pings and keepalives - _PingPeersThatNeedPing pfunc(RR,now); + _PingPeersThatNeedPing pfunc(RR,now,networkRelays); RR->topology->eachPeer<_PingPeersThatNeedPing &>(pfunc); // Update online status, post status change as event @@ -324,12 +349,6 @@ ZT_ResultCode Node::processBackgroundTasks(uint64_t now,volatile uint64_t *nextB return ZT_RESULT_OK; } -ZT_ResultCode Node::setRelayPolicy(enum ZT_RelayPolicy rp) -{ - _relayPolicy = rp; - return ZT_RESULT_OK; -} - ZT_ResultCode Node::join(uint64_t nwid,void *uptr) { Mutex::Lock _l(_networks_m); @@ -419,16 +438,15 @@ ZT_PeerList *Node::peers() const p->latency = pi->second->latency(); p->role = RR->topology->isRoot(pi->second->identity()) ? ZT_PEER_ROLE_ROOT : ZT_PEER_ROLE_LEAF; - std::vector< std::pair< SharedPtr,bool > > paths(pi->second->paths(_now)); - SharedPtr bestp(pi->second->getBestPath(_now,false)); + std::vector paths(pi->second->paths()); + Path *bestPath = pi->second->getBestPath(_now); p->pathCount = 0; - for(std::vector< std::pair< SharedPtr,bool > >::iterator path(paths.begin());path!=paths.end();++path) { - memcpy(&(p->paths[p->pathCount].address),&(path->first->address()),sizeof(struct sockaddr_storage)); - p->paths[p->pathCount].lastSend = path->first->lastOut(); - p->paths[p->pathCount].lastReceive = path->first->lastIn(); - p->paths[p->pathCount].expired = path->second; - p->paths[p->pathCount].preferred = (path->first == bestp) ? 1 : 0; - p->paths[p->pathCount].trustedPathId = RR->topology->getOutboundPathTrust(path->first->address()); + for(std::vector::iterator path(paths.begin());path!=paths.end();++path) { + memcpy(&(p->paths[p->pathCount].address),&(path->address()),sizeof(struct sockaddr_storage)); + p->paths[p->pathCount].lastSend = path->lastSend(); + p->paths[p->pathCount].lastReceive = path->lastReceived(); + p->paths[p->pathCount].active = path->active(_now) ? 1 : 0; + p->paths[p->pathCount].preferred = ((bestPath)&&(*path == *bestPath)) ? 1 : 0; ++p->pathCount; } } @@ -524,7 +542,7 @@ ZT_ResultCode Node::circuitTestBegin(ZT_CircuitTest *test,void (*reportCallback) for(unsigned int a=0;ahops[0].breadth;++a) { outp.newInitializationVector(); outp.setDestination(Address(test->hops[0].addresses[a])); - RR->sw->send(outp,true); + RR->sw->send(outp,true,0); } } catch ( ... ) { return ZT_RESULT_FATAL_ERROR_INTERNAL; // probably indicates FIFO too big for packet @@ -620,6 +638,18 @@ void Node::clusterStatus(ZT_ClusterStatus *cs) memset(cs,0,sizeof(ZT_ClusterStatus)); } +void Node::backgroundThreadMain() +{ + ++RR->dpEnabled; + for(;;) { + try { + if (RR->dp->process() < 0) + break; + } catch ( ... ) {} // sanity check -- should not throw + } + --RR->dpEnabled; +} + /****************************************************************************/ /* Node methods used only within node/ */ /****************************************************************************/ @@ -715,11 +745,6 @@ void Node::postCircuitTestReport(const ZT_CircuitTestReport *report) (reinterpret_cast((*i)->_internalPtr))(reinterpret_cast(this),*i,report); } -void Node::setTrustedPaths(const struct sockaddr_storage *networks,const uint64_t *ids,unsigned int count) -{ - RR->topology->setTrustedPaths(reinterpret_cast(networks),ids,count); -} - } // namespace ZeroTier /****************************************************************************/ @@ -810,15 +835,6 @@ enum ZT_ResultCode ZT_Node_processBackgroundTasks(ZT_Node *node,uint64_t now,vol } } -enum ZT_ResultCode ZT_Node_setRelayPolicy(ZT_Node *node,enum ZT_RelayPolicy rp) -{ - try { - return reinterpret_cast(node)->setRelayPolicy(rp); - } catch ( ... ) { - return ZT_RESULT_FATAL_ERROR_INTERNAL; - } -} - enum ZT_ResultCode ZT_Node_join(ZT_Node *node,uint64_t nwid,void *uptr) { try { @@ -998,10 +1014,10 @@ void ZT_Node_clusterStatus(ZT_Node *node,ZT_ClusterStatus *cs) } catch ( ... ) {} } -void ZT_Node_setTrustedPaths(ZT_Node *node,const struct sockaddr_storage *networks,const uint64_t *ids,unsigned int count) +void ZT_Node_backgroundThreadMain(ZT_Node *node) { try { - reinterpret_cast(node)->setTrustedPaths(networks,ids,count); + reinterpret_cast(node)->backgroundThreadMain(); } catch ( ... ) {} } diff --git a/zerotierone/node/Node.hpp b/zerotierone/node/Node.hpp index 1146253..6ac23ca 100644 --- a/zerotierone/node/Node.hpp +++ b/zerotierone/node/Node.hpp @@ -44,10 +44,6 @@ #define TRACE(f,...) {} #endif -// Bit mask for "expecting reply" hash -#define ZT_EXPECTING_REPLIES_BUCKET_MASK1 255 -#define ZT_EXPECTING_REPLIES_BUCKET_MASK2 31 - namespace ZeroTier { /** @@ -91,7 +87,6 @@ public: unsigned int frameLength, volatile uint64_t *nextBackgroundTaskDeadline); ZT_ResultCode processBackgroundTasks(uint64_t now,volatile uint64_t *nextBackgroundTaskDeadline); - ZT_ResultCode setRelayPolicy(enum ZT_RelayPolicy rp); ZT_ResultCode join(uint64_t nwid,void *uptr); ZT_ResultCode leave(uint64_t nwid,void **uptr); ZT_ResultCode multicastSubscribe(uint64_t nwid,uint64_t multicastGroup,unsigned long multicastAdi); @@ -122,9 +117,18 @@ public: void clusterRemoveMember(unsigned int memberId); void clusterHandleIncomingMessage(const void *msg,unsigned int len); void clusterStatus(ZT_ClusterStatus *cs); + void backgroundThreadMain(); // Internal functions ------------------------------------------------------ + /** + * Convenience threadMain() for easy background thread launch + * + * This allows background threads to be launched with Thread::start + * that will run against this node. + */ + inline void threadMain() throw() { this->backgroundThreadMain(); } + /** * @return Time as of last call to run() */ @@ -244,43 +248,26 @@ public: */ inline int configureVirtualNetworkPort(uint64_t nwid,void **nuptr,ZT_VirtualNetworkConfigOperation op,const ZT_VirtualNetworkConfig *nc) { return _virtualNetworkConfigFunction(reinterpret_cast(this),_uPtr,nwid,nuptr,op,nc); } + /** + * @return True if we appear to be online + */ inline bool online() const throw() { return _online; } - inline ZT_RelayPolicy relayPolicy() const { return _relayPolicy; } #ifdef ZT_TRACE void postTrace(const char *module,unsigned int line,const char *fmt,...); #endif + /** + * @return Next 64-bit random number (not for cryptographic use) + */ uint64_t prng(); + + /** + * Post a circuit test report to any listeners for a given test ID + * + * @param report Report (includes test ID) + */ void postCircuitTestReport(const ZT_CircuitTestReport *report); - void setTrustedPaths(const struct sockaddr_storage *networks,const uint64_t *ids,unsigned int count); - - /** - * Register that we are expecting a reply to a packet ID - * - * @param packetId Packet ID to expect reply to - */ - inline void expectReplyTo(const uint64_t packetId) - { - const unsigned long bucket = (unsigned long)(packetId & ZT_EXPECTING_REPLIES_BUCKET_MASK1); - _expectingRepliesTo[bucket][_expectingRepliesToBucketPtr[bucket]++ & ZT_EXPECTING_REPLIES_BUCKET_MASK2] = packetId; - } - - /** - * Check whether a given packet ID is something we are expecting a reply to - * - * @param packetId Packet ID to check - * @return True if we're expecting a reply - */ - inline bool expectingReplyTo(const uint64_t packetId) const - { - const unsigned long bucket = (unsigned long)(packetId & ZT_EXPECTING_REPLIES_BUCKET_MASK1); - for(unsigned long i=0;i<=ZT_EXPECTING_REPLIES_BUCKET_MASK2;++i) { - if (_expectingRepliesTo[bucket][i] == packetId) - return true; - } - return false; - } private: inline SharedPtr _network(uint64_t nwid) const @@ -298,9 +285,6 @@ private: void *_uPtr; // _uptr (lower case) is reserved in Visual Studio :P - uint8_t _expectingRepliesToBucketPtr[ZT_EXPECTING_REPLIES_BUCKET_MASK1 + 1]; - uint64_t _expectingRepliesTo[ZT_EXPECTING_REPLIES_BUCKET_MASK1 + 1][ZT_EXPECTING_REPLIES_BUCKET_MASK2 + 1]; - ZT_DataStoreGetFunction _dataStoreGetFunction; ZT_DataStorePutFunction _dataStorePutFunction; ZT_WirePacketSendFunction _wirePacketSendFunction; @@ -327,7 +311,6 @@ private: uint64_t _now; uint64_t _lastPingCheck; uint64_t _lastHousekeepingRun; - ZT_RelayPolicy _relayPolicy; bool _online; }; diff --git a/zerotierone/node/OutboundMulticast.cpp b/zerotierone/node/OutboundMulticast.cpp index 2f6bf98..eea1132 100644 --- a/zerotierone/node/OutboundMulticast.cpp +++ b/zerotierone/node/OutboundMulticast.cpp @@ -21,9 +21,8 @@ #include "OutboundMulticast.hpp" #include "Switch.hpp" #include "Network.hpp" +#include "CertificateOfMembership.hpp" #include "Node.hpp" -#include "Peer.hpp" -#include "Topology.hpp" namespace ZeroTier { @@ -31,7 +30,7 @@ void OutboundMulticast::init( const RuntimeEnvironment *RR, uint64_t timestamp, uint64_t nwid, - bool disableCompression, + const CertificateOfMembership *com, unsigned int limit, unsigned int gatherLimit, const MAC &src, @@ -40,25 +39,16 @@ void OutboundMulticast::init( const void *payload, unsigned int len) { - uint8_t flags = 0; - _timestamp = timestamp; _nwid = nwid; - if (src) { - _macSrc = src; - flags |= 0x04; - } else { - _macSrc.fromAddress(RR->identity.address(),nwid); - } - _macDest = dest.mac(); _limit = limit; - _frameLen = (len < ZT_MAX_MTU) ? len : ZT_MAX_MTU; - _etherType = etherType; + uint8_t flags = 0; if (gatherLimit) flags |= 0x02; + if (src) flags |= 0x04; /* - TRACE(">>MC %.16llx INIT %.16llx/%s limit %u gatherLimit %u from %s to %s length %u", + TRACE(">>MC %.16llx INIT %.16llx/%s limit %u gatherLimit %u from %s to %s length %u com==%d", (unsigned long long)this, nwid, dest.toString().c_str(), @@ -66,36 +56,58 @@ void OutboundMulticast::init( gatherLimit, (src) ? src.toString().c_str() : MAC(RR->identity.address(),nwid).toString().c_str(), dest.toString().c_str(), - len); + len, + (com) ? 1 : 0); */ - _packet.setSource(RR->identity.address()); - _packet.setVerb(Packet::VERB_MULTICAST_FRAME); - _packet.append((uint64_t)nwid); - _packet.append(flags); - if (gatherLimit) _packet.append((uint32_t)gatherLimit); - if (src) src.appendTo(_packet); - dest.mac().appendTo(_packet); - _packet.append((uint32_t)dest.adi()); - _packet.append((uint16_t)etherType); - _packet.append(payload,_frameLen); - if (!disableCompression) - _packet.compress(); + _packetNoCom.setSource(RR->identity.address()); + _packetNoCom.setVerb(Packet::VERB_MULTICAST_FRAME); + _packetNoCom.append((uint64_t)nwid); + _packetNoCom.append(flags); + if (gatherLimit) _packetNoCom.append((uint32_t)gatherLimit); + if (src) src.appendTo(_packetNoCom); + dest.mac().appendTo(_packetNoCom); + _packetNoCom.append((uint32_t)dest.adi()); + _packetNoCom.append((uint16_t)etherType); + _packetNoCom.append(payload,len); + _packetNoCom.compress(); - memcpy(_frameData,payload,_frameLen); + if (com) { + _haveCom = true; + flags |= 0x01; + + _packetWithCom.setSource(RR->identity.address()); + _packetWithCom.setVerb(Packet::VERB_MULTICAST_FRAME); + _packetWithCom.append((uint64_t)nwid); + _packetWithCom.append(flags); + com->serialize(_packetWithCom); + if (gatherLimit) _packetWithCom.append((uint32_t)gatherLimit); + if (src) src.appendTo(_packetWithCom); + dest.mac().appendTo(_packetWithCom); + _packetWithCom.append((uint32_t)dest.adi()); + _packetWithCom.append((uint16_t)etherType); + _packetWithCom.append(payload,len); + _packetWithCom.compress(); + } else _haveCom = false; } void OutboundMulticast::sendOnly(const RuntimeEnvironment *RR,const Address &toAddr) { - const SharedPtr nw(RR->node->network(_nwid)); - Address toAddr2(toAddr); - if ((nw)&&(nw->filterOutgoingPacket(true,RR->identity.address(),toAddr2,_macSrc,_macDest,_frameData,_frameLen,_etherType,0))) { - //TRACE(">>MC %.16llx -> %s",(unsigned long long)this,toAddr.toString().c_str()); - _packet.newInitializationVector(); - _packet.setDestination(toAddr2); - RR->node->expectReplyTo(_packet.packetId()); - RR->sw->send(_packet,true); + if (_haveCom) { + SharedPtr peer(RR->topology->getPeer(toAddr)); + if ( (!peer) || (peer->needsOurNetworkMembershipCertificate(_nwid,RR->node->now(),true)) ) { + //TRACE(">>MC %.16llx -> %s (with COM)",(unsigned long long)this,toAddr.toString().c_str()); + _packetWithCom.newInitializationVector(); + _packetWithCom.setDestination(toAddr); + RR->sw->send(_packetWithCom,true,_nwid); + return; + } } + + //TRACE(">>MC %.16llx -> %s (without COM)",(unsigned long long)this,toAddr.toString().c_str()); + _packetNoCom.newInitializationVector(); + _packetNoCom.setDestination(toAddr); + RR->sw->send(_packetNoCom,true,_nwid); } } // namespace ZeroTier diff --git a/zerotierone/node/OutboundMulticast.hpp b/zerotierone/node/OutboundMulticast.hpp index 6370d0d..3818172 100644 --- a/zerotierone/node/OutboundMulticast.hpp +++ b/zerotierone/node/OutboundMulticast.hpp @@ -56,7 +56,7 @@ public: * @param RR Runtime environment * @param timestamp Creation time * @param nwid Network ID - * @param disableCompression Disable compression of frame payload + * @param com Certificate of membership or NULL if none available * @param limit Multicast limit for desired number of packets to send * @param gatherLimit Number to lazily/implicitly gather with this frame or 0 for none * @param src Source MAC address of frame or NULL to imply compute from sender ZT address @@ -70,7 +70,7 @@ public: const RuntimeEnvironment *RR, uint64_t timestamp, uint64_t nwid, - bool disableCompression, + const CertificateOfMembership *com, unsigned int limit, unsigned int gatherLimit, const MAC &src, @@ -127,22 +127,17 @@ public: if (std::find(_alreadySentTo.begin(),_alreadySentTo.end(),toAddr) == _alreadySentTo.end()) { sendAndLog(RR,toAddr); return true; - } else { - return false; - } + } else return false; } private: uint64_t _timestamp; uint64_t _nwid; - MAC _macSrc; - MAC _macDest; unsigned int _limit; - unsigned int _frameLen; - unsigned int _etherType; - Packet _packet; + Packet _packetNoCom; + Packet _packetWithCom; std::vector
_alreadySentTo; - uint8_t _frameData[ZT_MAX_MTU]; + bool _haveCom; }; } // namespace ZeroTier diff --git a/zerotierone/node/Packet.cpp b/zerotierone/node/Packet.cpp index 3b8e138..3330a92 100644 --- a/zerotierone/node/Packet.cpp +++ b/zerotierone/node/Packet.cpp @@ -22,7 +22,7 @@ namespace ZeroTier { const unsigned char Packet::ZERO_KEY[32] = { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }; -#ifdef ZT_TRACE +//#ifdef ZT_TRACE const char *Packet::verbString(Verb v) throw() @@ -38,16 +38,15 @@ const char *Packet::verbString(Verb v) case VERB_EXT_FRAME: return "EXT_FRAME"; case VERB_ECHO: return "ECHO"; case VERB_MULTICAST_LIKE: return "MULTICAST_LIKE"; - case VERB_NETWORK_CREDENTIALS: return "NETWORK_CREDENTIALS"; + case VERB_NETWORK_MEMBERSHIP_CERTIFICATE: return "NETWORK_MEMBERSHIP_CERTIFICATE"; case VERB_NETWORK_CONFIG_REQUEST: return "NETWORK_CONFIG_REQUEST"; - case VERB_NETWORK_CONFIG: return "NETWORK_CONFIG_REFRESH"; + case VERB_NETWORK_CONFIG_REFRESH: return "NETWORK_CONFIG_REFRESH"; case VERB_MULTICAST_GATHER: return "MULTICAST_GATHER"; case VERB_MULTICAST_FRAME: return "MULTICAST_FRAME"; case VERB_PUSH_DIRECT_PATHS: return "PUSH_DIRECT_PATHS"; case VERB_CIRCUIT_TEST: return "CIRCUIT_TEST"; case VERB_CIRCUIT_TEST_REPORT: return "CIRCUIT_TEST_REPORT"; case VERB_REQUEST_PROOF_OF_WORK: return "REQUEST_PROOF_OF_WORK"; - case VERB_USER_MESSAGE: return "USER_MESSAGE"; } return "(unknown)"; } @@ -69,7 +68,7 @@ const char *Packet::errorString(ErrorCode e) return "(unknown)"; } -#endif // ZT_TRACE +//#endif // ZT_TRACE void Packet::armor(const void *key,bool encryptPayload) { diff --git a/zerotierone/node/Packet.hpp b/zerotierone/node/Packet.hpp index cc3d323..b367ec6 100644 --- a/zerotierone/node/Packet.hpp +++ b/zerotierone/node/Packet.hpp @@ -34,11 +34,7 @@ #include "Utils.hpp" #include "Buffer.hpp" -#ifdef ZT_USE_SYSTEM_LZ4 -#include -#else #include "../ext/lz4/lz4.h" -#endif /** * Protocol version -- incremented only for major changes @@ -51,23 +47,14 @@ * + Yet another multicast redesign * + New crypto completely changes key agreement cipher * 4 - 0.6.0 ... 1.0.6 - * + BREAKING CHANGE: New identity format based on hashcash design - * 5 - 1.1.0 ... 1.1.5 + * + New identity format based on hashcash design + * 5 - 1.1.0 ... CURRENT * + Supports circuit test, proof of work, and echo * + Supports in-band world (root server definition) updates * + Clustering! (Though this will work with protocol v4 clients.) * + Otherwise backward compatible with protocol v4 - * 6 - 1.1.5 ... 1.1.10 - * + Network configuration format revisions including binary values - * 7 - 1.1.10 -- 1.2.0 - * + Introduce trusted paths for local SDN use - * 8 - 1.2.0 -- CURRENT - * + Multipart network configurations for large network configs - * + Tags and Capabilities - * + Inline push of CertificateOfMembership deprecated - * + Certificates of representation for federation and mesh */ -#define ZT_PROTO_VERSION 8 +#define ZT_PROTO_VERSION 5 /** * Minimum supported protocol version @@ -106,21 +93,10 @@ #define ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012 1 /** - * Cipher suite: NONE + * DEPRECATED payload encrypted flag, will be removed for re-use soon. * - * This differs from POLY1305/NONE in that *no* crypto is done, not even - * authentication. This is for trusted local LAN interconnects for internal - * SDN use within a data center. - * - * For this mode the MAC field becomes a trusted path ID and must match the - * configured ID of a trusted path or the packet is discarded. - */ -#define ZT_PROTO_CIPHER_SUITE__NO_CRYPTO_TRUSTED_PATH 2 - -/** - * DEPRECATED payload encrypted flag, may be re-used in the future. - * - * This has been replaced by the three-bit cipher suite selection field. + * This has been replaced by the two-bit cipher suite selection field where + * a value of 0 indicates unencrypted (but authenticated) messages. */ #define ZT_PROTO_FLAG_ENCRYPTED 0x80 @@ -307,7 +283,6 @@ #define ZT_PROTO_VERB_MULTICAST_GATHER_IDX_MAC (ZT_PROTO_VERB_MULTICAST_GATHER_IDX_FLAGS + 1) #define ZT_PROTO_VERB_MULTICAST_GATHER_IDX_ADI (ZT_PROTO_VERB_MULTICAST_GATHER_IDX_MAC + 6) #define ZT_PROTO_VERB_MULTICAST_GATHER_IDX_GATHER_LIMIT (ZT_PROTO_VERB_MULTICAST_GATHER_IDX_ADI + 4) -#define ZT_PROTO_VERB_MULTICAST_GATHER_IDX_COM (ZT_PROTO_VERB_MULTICAST_GATHER_IDX_GATHER_LIMIT + 4) // Note: COM, GATHER_LIMIT, and SOURCE_MAC are optional, and so are specified without size #define ZT_PROTO_VERB_MULTICAST_FRAME_IDX_NETWORK_ID (ZT_PACKET_IDX_PAYLOAD) @@ -355,7 +330,7 @@ namespace ZeroTier { * <[5] destination ZT address> * <[5] source ZT address> * <[1] flags/cipher/hops> - * <[8] 64-bit MAC (or trusted path ID in trusted path mode)> + * <[8] 64-bit MAC> * [... -- begin encryption envelope -- ...] * <[1] encrypted flags (MS 3 bits) and verb (LS 5 bits)> * [... verb-specific payload ...] @@ -528,7 +503,7 @@ public: /** * No operation (ignored, no reply) */ - VERB_NOP = 0x00, + VERB_NOP = 0, /** * Announcement of a node's existence: @@ -539,7 +514,7 @@ public: * <[8] timestamp (ms since epoch)> * <[...] binary serialized identity (see Identity)> * <[1] destination address type> - * [<[...] destination address to which packet was sent>] + * [<[...] destination address>] * <[8] 64-bit world ID of current world> * <[8] 64-bit timestamp of current world> * @@ -571,7 +546,7 @@ public: * * ERROR has no payload. */ - VERB_HELLO = 0x01, + VERB_HELLO = 1, /** * Error response: @@ -580,7 +555,7 @@ public: * <[1] error code> * <[...] error-dependent payload> */ - VERB_ERROR = 0x02, + VERB_ERROR = 2, /** * Success response: @@ -588,29 +563,25 @@ public: * <[8] in-re packet ID> * <[...] request-specific payload> */ - VERB_OK = 0x03, + VERB_OK = 3, /** * Query an identity by address: * <[5] address to look up> - * [<[...] additional addresses to look up> * * OK response payload: * <[...] binary serialized identity> - * [<[...] additional binary serialized identities>] * * If querying a cluster, duplicate OK responses may occasionally occur. - * These must be tolerated, which is easy since they'll have info you - * already have. + * These should be discarded. * - * If the address is not found, no response is generated. The semantics - * of WHOIS is similar to ARP and NDP in that persistent retrying can - * be performed. + * If the address is not found, no response is generated. WHOIS requests + * will time out much like ARP requests and similar do in L2. */ - VERB_WHOIS = 0x04, + VERB_WHOIS = 4, /** - * Relay-mediated NAT traversal or firewall punching initiation: + * Meet another node at a given protocol address: * <[1] flags (unused, currently 0)> * <[5] ZeroTier address of peer that might be found at this address> * <[2] 16-bit protocol address port> @@ -624,9 +595,18 @@ public: * * Upon receipt a peer sends HELLO to establish a direct link. * + * Nodes should implement rate control, limiting the rate at which they + * respond to these packets to prevent their use in DDOS attacks. Nodes + * may also ignore these messages if a peer is not known or is not being + * actively communicated with. + * + * Unfortunately the physical address format in this message pre-dates + * InetAddress's serialization format. :( ZeroTier is four years old and + * yes we've accumulated a tiny bit of cruft here and there. + * * No OK or ERROR is generated. */ - VERB_RENDEZVOUS = 0x05, + VERB_RENDEZVOUS = 5, /** * ZT-to-ZT unicast ethernet frame (shortened EXT_FRAME): @@ -642,44 +622,31 @@ public: * ERROR may be generated if a membership certificate is needed for a * closed network. Payload will be network ID. */ - VERB_FRAME = 0x06, + VERB_FRAME = 6, /** * Full Ethernet frame with MAC addressing and optional fields: * <[8] 64-bit network ID> * <[1] flags> + * [<[...] certificate of network membership>] * <[6] destination MAC or all zero for destination node> * <[6] source MAC or all zero for node of origin> * <[2] 16-bit ethertype> * <[...] ethernet payload> * * Flags: - * 0x01 - Certificate of network membership attached (DEPRECATED) - * 0x02 - Most significant bit of subtype (see below) - * 0x04 - Middle bit of subtype (see below) - * 0x08 - Least significant bit of subtype (see below) - * 0x10 - ACK requested in the form of OK(EXT_FRAME) + * 0x01 - Certificate of network membership is attached * - * Subtypes (0..7): - * 0x0 - Normal frame (bridging can be determined by checking MAC) - * 0x1 - TEEd outbound frame - * 0x2 - REDIRECTed outbound frame - * 0x3 - WATCHed outbound frame (TEE with ACK, ACK bit also set) - * 0x4 - TEEd inbound frame - * 0x5 - REDIRECTed inbound frame - * 0x6 - WATCHed inbound frame - * 0x7 - (reserved for future use) - * - * An extended frame carries full MAC addressing, making it a - * superset of VERB_FRAME. It is used for bridged traffic, - * redirected or observed traffic via rules, and can in theory - * be used for multicast though MULTICAST_FRAME exists for that - * purpose and has additional options and capabilities. + * An extended frame carries full MAC addressing, making them a + * superset of VERB_FRAME. They're used for bridging or when we + * want to attach a certificate since FRAME does not support that. * - * OK payload (if ACK flag is set): - * <[8] 64-bit network ID> + * Multicast frames may not be sent as EXT_FRAME. + * + * ERROR may be generated if a membership certificate is needed for a + * closed network. Payload will be network ID. */ - VERB_EXT_FRAME = 0x07, + VERB_EXT_FRAME = 7, /** * ECHO request (a.k.a. ping): @@ -689,7 +656,7 @@ public: * is generated. Response to ECHO requests is optional and ECHO may be * ignored if a node detects a possible flood. */ - VERB_ECHO = 0x08, + VERB_ECHO = 8, /** * Announce interest in multicast group(s): @@ -703,116 +670,77 @@ public: * controllers and root servers. In the current network, root servers * will provide the service of final multicast cache. * - * VERB_NETWORK_CREDENTIALS should be pushed along with this, especially - * if using upstream (e.g. root) nodes as multicast databases. This allows - * GATHERs to be authenticated. + * It is recommended that NETWORK_MEMBERSHIP_CERTIFICATE pushes be sent + * along with MULTICAST_LIKE when pushing LIKEs to peers that do not + * share a network membership (such as root servers), since this can be + * used to authenticate GATHER requests and limit responses to peers + * authorized to talk on a network. (Should be an optional field here, + * but saving one or two packets every five minutes is not worth an + * ugly hack or protocol rev.) * * OK/ERROR are not generated. */ - VERB_MULTICAST_LIKE = 0x09, + VERB_MULTICAST_LIKE = 9, /** - * Network credentials push: + * Network member certificate replication/push: * <[...] serialized certificate of membership> - * [<[...] additional certificates of membership>] - * <[1] 0x00, null byte marking end of COM array> - * <[2] 16-bit number of capabilities> - * <[...] one or more serialized Capability> - * <[2] 16-bit number of tags> - * <[...] one or more serialized Tags> - * <[2] 16-bit number of revocations> - * <[...] one or more serialized Revocations> + * [ ... additional certificates may follow ...] * - * This can be sent by anyone at any time to push network credentials. - * These will of course only be accepted if they are properly signed. - * Credentials can be for any number of networks. - * - * The use of a zero byte to terminate the COM section is for legacy - * backward compatiblity. Newer fields are prefixed with a length. + * This is sent in response to ERROR_NEED_MEMBERSHIP_CERTIFICATE and may + * be pushed at any other time to keep exchanged certificates up to date. * * OK/ERROR are not generated. */ - VERB_NETWORK_CREDENTIALS = 0x0a, + VERB_NETWORK_MEMBERSHIP_CERTIFICATE = 10, /** * Network configuration request: * <[8] 64-bit network ID> * <[2] 16-bit length of request meta-data dictionary> * <[...] string-serialized request meta-data> - * <[8] 64-bit revision of netconf we currently have> - * <[8] 64-bit timestamp of netconf we currently have> + * [<[8] 64-bit revision of netconf we currently have>] * * This message requests network configuration from a node capable of - * providing it. + * providing it. If the optional revision is included, a response is + * only generated if there is a newer network configuration available. * - * Respones to this are always whole configs intended for the recipient. - * For patches and other updates a NETWORK_CONFIG is sent instead. - * - * It would be valid and correct as of 1.2.0 to use NETWORK_CONFIG always, - * but OK(NTEWORK_CONFIG_REQUEST) should be sent for compatibility. - * * OK response payload: * <[8] 64-bit network ID> - * <[2] 16-bit length of network configuration dictionary chunk> - * <[...] network configuration dictionary (may be incomplete)> - * [ ... end of legacy single chunk response ... ] - * <[1] 8-bit flags> - * <[8] 64-bit config update ID (should never be 0)> - * <[4] 32-bit total length of assembled dictionary> - * <[4] 32-bit index of chunk> - * [ ... end signed portion ... ] - * <[1] 8-bit chunk signature type> - * <[2] 16-bit length of chunk signature> - * <[...] chunk signature> + * <[2] 16-bit length of network configuration dictionary> + * <[...] network configuration dictionary> * - * The chunk signature signs the entire payload of the OK response. - * Currently only one signature type is supported: ed25519 (1). + * OK returns a Dictionary (string serialized) containing the network's + * configuration and IP address assignment information for the querying + * node. It also contains a membership certificate that the querying + * node can push to other peers to demonstrate its right to speak on + * a given network. * - * Each config chunk is signed to prevent memory exhaustion or - * traffic crowding DOS attacks against config fragment assembly. - * - * If the packet is from the network controller it is permitted to end - * before the config update ID or other chunking related or signature - * fields. This is to support older controllers that don't include - * these fields and may be removed in the future. + * When a new network configuration is received, another config request + * should be sent with the new netconf's revision. This confirms receipt + * and also causes any subsequent changes to rapidly propagate as this + * cycle will repeat until there are no changes. This is optional but + * recommended behavior. * * ERROR response payload: * <[8] 64-bit network ID> + * + * UNSUPPORTED_OPERATION is returned if this service is not supported, + * and OBJ_NOT_FOUND if the queried network ID was not found. */ - VERB_NETWORK_CONFIG_REQUEST = 0x0b, + VERB_NETWORK_CONFIG_REQUEST = 11, /** - * Network configuration data push: - * <[8] 64-bit network ID> - * <[2] 16-bit length of network configuration dictionary chunk> - * <[...] network configuration dictionary (may be incomplete)> - * <[1] 8-bit flags> - * <[8] 64-bit config update ID (should never be 0)> - * <[4] 32-bit total length of assembled dictionary> - * <[4] 32-bit index of chunk> - * [ ... end signed portion ... ] - * <[1] 8-bit chunk signature type> - * <[2] 16-bit length of chunk signature> - * <[...] chunk signature> + * Network configuration refresh request: + * <[...] array of 64-bit network IDs> * - * This is a direct push variant for network config updates. It otherwise - * carries the same payload as OK(NETWORK_CONFIG_REQUEST) and has the same - * semantics. + * This can be sent by the network controller to inform a node that it + * should now make a NETWORK_CONFIG_REQUEST. * - * The legacy mode missing the additional chunking fields is not supported - * here. - * - * Flags: - * 0x01 - Use fast propagation - * - * An OK should be sent if the config is successfully received and - * accepted. - * - * OK payload: - * <[8] 64-bit network ID> - * <[8] 64-bit config update ID> + * It does not generate an OK or ERROR message, and is treated only as + * a hint to refresh now. */ - VERB_NETWORK_CONFIG = 0x0c, + VERB_NETWORK_CONFIG_REFRESH = 12, /** * Request endpoints for multicast distribution: @@ -821,10 +749,10 @@ public: * <[6] MAC address of multicast group being queried> * <[4] 32-bit ADI for multicast group being queried> * <[4] 32-bit requested max number of multicast peers> - * [<[...] network certificate of membership>] + * [<[...] network certificate of membership>] * * Flags: - * 0x01 - COM is attached + * 0x01 - Network certificate of membership is attached * * This message asks a peer for additional known endpoints that have * LIKEd a given multicast group. It's sent when the sender wishes @@ -834,9 +762,6 @@ public: * More than one OK response can occur if the response is broken up across * multiple packets or if querying a clustered node. * - * The COM should be included so that upstream nodes that are not - * members of our network can validate our request. - * * OK response payload: * <[8] 64-bit network ID> * <[6] MAC address of multicast group being queried> @@ -848,12 +773,13 @@ public: * * ERROR is not generated; queries that return no response are dropped. */ - VERB_MULTICAST_GATHER = 0x0d, + VERB_MULTICAST_GATHER = 13, /** * Multicast frame: * <[8] 64-bit network ID> * <[1] flags> + * [<[...] network certificate of membership>] * [<[4] 32-bit implicit gather limit>] * [<[6] source MAC>] * <[6] destination MAC (multicast address)> @@ -862,7 +788,7 @@ public: * <[...] ethernet payload> * * Flags: - * 0x01 - Network certificate of membership attached (DEPRECATED) + * 0x01 - Network certificate of membership is attached * 0x02 - Implicit gather limit field is present * 0x04 - Source MAC is specified -- otherwise it's computed from sender * @@ -877,11 +803,11 @@ public: * <[6] MAC address of multicast group> * <[4] 32-bit ADI for multicast group> * <[1] flags> - * [<[...] network certficate of membership (DEPRECATED)>] + * [<[...] network certficate of membership>] * [<[...] implicit gather results if flag 0x01 is set>] * * OK flags (same bits as request flags): - * 0x01 - OK includes certificate of network membership (DEPRECATED) + * 0x01 - OK includes certificate of network membership * 0x02 - OK includes implicit gather results * * ERROR response payload: @@ -889,9 +815,7 @@ public: * <[6] multicast group MAC> * <[4] 32-bit multicast group ADI> */ - VERB_MULTICAST_FRAME = 0x0e, - - // 0x0f is reserved for an old deprecated message + VERB_MULTICAST_FRAME = 14, /** * Push of potential endpoints for direct communication: @@ -927,7 +851,7 @@ public: * * OK and ERROR are not generated. */ - VERB_PUSH_DIRECT_PATHS = 0x10, + VERB_PUSH_DIRECT_PATHS = 16, /** * Source-routed circuit test message: @@ -943,17 +867,21 @@ public: * [ ... end of signed portion of request ... ] * <[2] 16-bit length of signature of request> * <[...] signature of request by originator> - * <[2] 16-bit length of additional fields> - * [[...] additional fields] + * <[2] 16-bit previous hop credential length (including type)> + * [[1] previous hop credential type] + * [[...] previous hop credential] * <[...] next hop(s) in path> * * Flags: - * 0x01 - Report back to originator at all hops + * 0x01 - Report back to originator at middle hops * 0x02 - Report back to originator at last hop * * Originator credential types: * 0x01 - 64-bit network ID for which originator is controller * + * Previous hop credential types: + * 0x01 - Certificate of network membership + * * Path record format: * <[1] 8-bit flags (unused, must be zero)> * <[1] 8-bit breadth (number of next hops)> @@ -1002,25 +930,25 @@ public: * <[8] 64-bit timestamp (echoed from original> * <[8] 64-bit test ID (echoed from original)> */ - VERB_CIRCUIT_TEST = 0x11, + VERB_CIRCUIT_TEST = 17, /** * Circuit test hop report: - * <[8] 64-bit timestamp (echoed from original test)> - * <[8] 64-bit test ID (echoed from original test)> + * <[8] 64-bit timestamp (from original test)> + * <[8] 64-bit test ID (from original test)> * <[8] 64-bit reserved field (set to 0, currently unused)> * <[1] 8-bit vendor ID (set to 0, currently unused)> * <[1] 8-bit reporter protocol version> - * <[1] 8-bit reporter software major version> - * <[1] 8-bit reporter software minor version> - * <[2] 16-bit reporter software revision> - * <[2] 16-bit reporter OS/platform or 0 if not specified> - * <[2] 16-bit reporter architecture or 0 if not specified> + * <[1] 8-bit reporter major version> + * <[1] 8-bit reporter minor version> + * <[2] 16-bit reporter revision> + * <[2] 16-bit reporter OS/platform> + * <[2] 16-bit reporter architecture> * <[2] 16-bit error code (set to 0, currently unused)> - * <[8] 64-bit report flags> - * <[8] 64-bit packet ID of received CIRCUIT_TEST packet> - * <[5] upstream ZeroTier address from which CIRCUIT_TEST was received> - * <[1] 8-bit packet hop count of received CIRCUIT_TEST> + * <[8] 64-bit report flags (set to 0, currently unused)> + * <[8] 64-bit source packet ID> + * <[5] upstream ZeroTier address from which test was received> + * <[1] 8-bit source packet hop count (ZeroTier hop count)> * <[...] local wire address on which packet was received> * <[...] remote wire address from which packet was received> * <[2] 16-bit length of additional fields> @@ -1032,9 +960,6 @@ public: * <[5] ZeroTier address of next hop> * <[...] current best direct path address, if any, 0 if none> * - * Report flags: - * 0x1 - Upstream peer in circuit test path allowed in path (e.g. network COM valid) - * * Circuit test reports can be sent by hops in a circuit test to report * back results. They should include information about the sender as well * as about the paths to which next hops are being sent. @@ -1042,7 +967,7 @@ public: * If a test report is received and no circuit test was sent, it should be * ignored. This message generates no OK or ERROR response. */ - VERB_CIRCUIT_TEST_REPORT = 0x12, + VERB_CIRCUIT_TEST_REPORT = 18, /** * Request proof of work: @@ -1085,18 +1010,7 @@ public: * * ERROR has no payload. */ - VERB_REQUEST_PROOF_OF_WORK = 0x13, - - /** - * A message with arbitrary user-definable content: - * <[8] 64-bit arbitrary message type ID> - * [<[...] message payload>] - * - * This can be used to send arbitrary messages over VL1. It generates no - * OK or ERROR and has no special semantics outside of whatever the user - * (via the ZeroTier core API) chooses to give it. - */ - VERB_USER_MESSAGE = 0x14 + VERB_REQUEST_PROOF_OF_WORK = 19 }; /** @@ -1105,39 +1019,39 @@ public: enum ErrorCode { /* No error, not actually used in transit */ - ERROR_NONE = 0x00, + ERROR_NONE = 0, /* Invalid request */ - ERROR_INVALID_REQUEST = 0x01, + ERROR_INVALID_REQUEST = 1, /* Bad/unsupported protocol version */ - ERROR_BAD_PROTOCOL_VERSION = 0x02, + ERROR_BAD_PROTOCOL_VERSION = 2, /* Unknown object queried */ - ERROR_OBJ_NOT_FOUND = 0x03, + ERROR_OBJ_NOT_FOUND = 3, /* HELLO pushed an identity whose address is already claimed */ - ERROR_IDENTITY_COLLISION = 0x04, + ERROR_IDENTITY_COLLISION = 4, /* Verb or use case not supported/enabled by this node */ - ERROR_UNSUPPORTED_OPERATION = 0x05, + ERROR_UNSUPPORTED_OPERATION = 5, - /* Network membership certificate update needed */ - ERROR_NEED_MEMBERSHIP_CERTIFICATE = 0x06, + /* Message to private network rejected -- no unexpired certificate on file */ + ERROR_NEED_MEMBERSHIP_CERTIFICATE = 6, /* Tried to join network, but you're not a member */ - ERROR_NETWORK_ACCESS_DENIED_ = 0x07, /* extra _ at end to avoid Windows name conflict */ + ERROR_NETWORK_ACCESS_DENIED_ = 7, /* extra _ to avoid Windows name conflict */ /* Multicasts to this group are not wanted */ - ERROR_UNWANTED_MULTICAST = 0x08 + ERROR_UNWANTED_MULTICAST = 8 }; -#ifdef ZT_TRACE +//#ifdef ZT_TRACE static const char *verbString(Verb v) throw(); static const char *errorString(ErrorCode e) throw(); -#endif +//#endif template Packet(const Buffer &b) : @@ -1297,6 +1211,7 @@ public: */ inline unsigned int cipher() const { + // Note: this uses the new cipher spec field, which is incompatible with <1.0.0 peers return (((unsigned int)(*this)[ZT_PACKET_IDX_FLAGS] & 0x38) >> 3); } @@ -1307,30 +1222,12 @@ public: { unsigned char &b = (*this)[ZT_PACKET_IDX_FLAGS]; b = (b & 0xc7) | (unsigned char)((c << 3) & 0x38); // bits: FFCCCHHH - // Set DEPRECATED "encrypted" flag -- used by pre-1.0.3 peers + // DEPRECATED "encrypted" flag -- used by pre-1.0.3 peers if (c == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012) b |= ZT_PROTO_FLAG_ENCRYPTED; else b &= (~ZT_PROTO_FLAG_ENCRYPTED); } - /** - * Get the trusted path ID for this packet (only meaningful if cipher is trusted path) - * - * @return Trusted path ID (from MAC field) - */ - inline uint64_t trustedPathId() const { return at(ZT_PACKET_IDX_MAC); } - - /** - * Set this packet's trusted path ID and set the cipher spec to trusted path - * - * @param tpid Trusted path ID - */ - inline void setTrusted(const uint64_t tpid) - { - setCipher(ZT_PROTO_CIPHER_SUITE__NO_CRYPTO_TRUSTED_PATH); - setAt(ZT_PACKET_IDX_MAC,tpid); - } - /** * Get this packet's unique ID (the IV field interpreted as uint64_t) * @@ -1374,10 +1271,6 @@ public: /** * Verify and (if encrypted) decrypt packet * - * This does not handle trusted path mode packets and will return false - * for these. These are handled in IncomingPacket if the sending physical - * address and MAC field match a trusted path. - * * @param key 32-byte key * @return False if packet is invalid or failed MAC authenticity check */ diff --git a/zerotierone/node/Path.cpp b/zerotierone/node/Path.cpp index 5592bac..5692af6 100644 --- a/zerotierone/node/Path.cpp +++ b/zerotierone/node/Path.cpp @@ -25,7 +25,7 @@ namespace ZeroTier { bool Path::send(const RuntimeEnvironment *RR,const void *data,unsigned int len,uint64_t now) { if (RR->node->putPacket(_localAddress,address(),data,len)) { - _lastOut = now; + sent(now); return true; } return false; diff --git a/zerotierone/node/Path.hpp b/zerotierone/node/Path.hpp index 5993be6..c88c295 100644 --- a/zerotierone/node/Path.hpp +++ b/zerotierone/node/Path.hpp @@ -27,9 +27,27 @@ #include "Constants.hpp" #include "InetAddress.hpp" -#include "SharedPtr.hpp" -#include "AtomicCounter.hpp" -#include "NonCopyable.hpp" + +// Note: if you change these flags check the logic below. Some of it depends +// on these bits being what they are. + +/** + * Flag indicating that this path is suboptimal + * + * Clusters set this flag on remote paths if GeoIP or other routing decisions + * indicate that a peer should be handed off to another cluster member. + */ +#define ZT_PATH_FLAG_CLUSTER_SUBOPTIMAL 0x0001 + +/** + * Flag indicating that this path is optimal + * + * Peers set this flag on paths that are pushed by a cluster and indicated as + * optimal. A second flag is needed since we want to prioritize cluster optimal + * paths and de-prioritize sub-optimal paths and for new paths we don't know + * which one they are. So we want a trinary state: optimal, suboptimal, unknown. + */ +#define ZT_PATH_FLAG_CLUSTER_OPTIMAL 0x0002 /** * Maximum return value of preferenceRank() @@ -41,100 +59,89 @@ namespace ZeroTier { class RuntimeEnvironment; /** - * A path across the physical network + * Base class for paths + * + * The base Path class is an immutable value. */ -class Path : NonCopyable +class Path { - friend class SharedPtr; - public: - /** - * Efficient unique key for paths in a Hashtable - */ - class HashKey - { - public: - HashKey() {} - - HashKey(const InetAddress &l,const InetAddress &r) - { - // This is an ad-hoc bit packing algorithm to yield unique keys for - // remote addresses and their local-side counterparts if defined. - // Portability across runtimes is not needed. - if (r.ss_family == AF_INET) { - _k[0] = (uint64_t)reinterpret_cast(&r)->sin_addr.s_addr; - _k[1] = (uint64_t)reinterpret_cast(&r)->sin_port; - if (l.ss_family == AF_INET) { - _k[2] = (uint64_t)reinterpret_cast(&l)->sin_addr.s_addr; - _k[3] = (uint64_t)reinterpret_cast(&r)->sin_port; - } else { - _k[2] = 0; - _k[3] = 0; - } - } else if (r.ss_family == AF_INET6) { - const uint8_t *a = reinterpret_cast(reinterpret_cast(&r)->sin6_addr.s6_addr); - uint8_t *b = reinterpret_cast(_k); - for(unsigned int i=0;i<16;++i) b[i] = a[i]; - _k[2] = ~((uint64_t)reinterpret_cast(&r)->sin6_port); - if (l.ss_family == AF_INET6) { - _k[2] ^= ((uint64_t)reinterpret_cast(&r)->sin6_port) << 32; - a = reinterpret_cast(reinterpret_cast(&l)->sin6_addr.s6_addr); - b += 24; - for(unsigned int i=0;i<8;++i) b[i] = a[i]; - a += 8; - for(unsigned int i=0;i<8;++i) b[i] ^= a[i]; - } - } else { - _k[0] = 0; - _k[1] = 0; - _k[2] = 0; - _k[3] = 0; - } - } - - inline unsigned long hashCode() const { return (unsigned long)(_k[0] + _k[1] + _k[2] + _k[3]); } - - inline bool operator==(const HashKey &k) const { return ( (_k[0] == k._k[0]) && (_k[1] == k._k[1]) && (_k[2] == k._k[2]) && (_k[3] == k._k[3]) ); } - inline bool operator!=(const HashKey &k) const { return (!(*this == k)); } - - private: - uint64_t _k[4]; - }; - Path() : - _lastOut(0), - _lastIn(0), - _lastTrustEstablishedPacketReceived(0), + _lastSend(0), + _lastPing(0), + _lastKeepalive(0), + _lastReceived(0), _addr(), _localAddress(), + _flags(0), _ipScope(InetAddress::IP_SCOPE_NONE) { } Path(const InetAddress &localAddress,const InetAddress &addr) : - _lastOut(0), - _lastIn(0), - _lastTrustEstablishedPacketReceived(0), + _lastSend(0), + _lastPing(0), + _lastKeepalive(0), + _lastReceived(0), _addr(addr), _localAddress(localAddress), + _flags(0), _ipScope(addr.ipScope()) { } + inline Path &operator=(const Path &p) + { + if (this != &p) + memcpy(this,&p,sizeof(Path)); + return *this; + } + /** - * Called when a packet is received from this remote path, regardless of content + * Called when a packet is sent to this remote path + * + * This is called automatically by Path::send(). + * + * @param t Time of send + */ + inline void sent(uint64_t t) { _lastSend = t; } + + /** + * Called when we've sent a ping or echo + * + * @param t Time of send + */ + inline void pinged(uint64_t t) { _lastPing = t; } + + /** + * Called when we send a NAT keepalive + * + * @param t Time of send + */ + inline void sentKeepalive(uint64_t t) { _lastKeepalive = t; } + + /** + * Called when a packet is received from this remote path * * @param t Time of receive */ - inline void received(const uint64_t t) { _lastIn = t; } + inline void received(uint64_t t) + { + _lastReceived = t; + _probation = 0; + } /** - * Set time last trusted packet was received (done in Peer::received()) + * @param now Current time + * @return True if this path appears active */ - inline void trustedPacketReceived(const uint64_t t) { _lastTrustEstablishedPacketReceived = t; } + inline bool active(uint64_t now) const + { + return ( ((now - _lastReceived) < ZT_PATH_ACTIVITY_TIMEOUT) && (_probation < ZT_PEER_DEAD_PATH_DETECTION_MAX_PROBATION) ); + } /** - * Send a packet via this path (last out time is also updated) + * Send a packet via this path * * @param RR Runtime environment * @param data Packet data @@ -144,43 +151,117 @@ public: */ bool send(const RuntimeEnvironment *RR,const void *data,unsigned int len,uint64_t now); - /** - * Manually update last sent time - * - * @param t Time of send - */ - inline void sent(const uint64_t t) { _lastOut = t; } - /** * @return Address of local side of this path or NULL if unspecified */ - inline const InetAddress &localAddress() const { return _localAddress; } + inline const InetAddress &localAddress() const throw() { return _localAddress; } + + /** + * @return Time of last send to this path + */ + inline uint64_t lastSend() const throw() { return _lastSend; } + + /** + * @return Time we last pinged or dead path checked this link + */ + inline uint64_t lastPing() const throw() { return _lastPing; } + + /** + * @return Time of last keepalive + */ + inline uint64_t lastKeepalive() const throw() { return _lastKeepalive; } + + /** + * @return Time of last receive from this path + */ + inline uint64_t lastReceived() const throw() { return _lastReceived; } /** * @return Physical address */ - inline const InetAddress &address() const { return _addr; } + inline const InetAddress &address() const throw() { return _addr; } /** * @return IP scope -- faster shortcut for address().ipScope() */ - inline InetAddress::IpScope ipScope() const { return _ipScope; } + inline InetAddress::IpScope ipScope() const throw() { return _ipScope; } /** - * @return True if path has received a trust established packet (e.g. common network membership) in the past ZT_TRUST_EXPIRATION ms + * @param f Valuve of ZT_PATH_FLAG_CLUSTER_SUBOPTIMAL and inverse of ZT_PATH_FLAG_CLUSTER_OPTIMAL (both are changed) */ - inline bool trustEstablished(const uint64_t now) const { return ((now - _lastTrustEstablishedPacketReceived) < ZT_TRUST_EXPIRATION); } - - /** - * @return Preference rank, higher == better - */ - inline unsigned int preferenceRank() const + inline void setClusterSuboptimal(bool f) { - // This causes us to rank paths in order of IP scope rank (see InetAdddress.hpp) but - // within each IP scope class to prefer IPv6 over IPv4. + if (f) { + _flags = (_flags | ZT_PATH_FLAG_CLUSTER_SUBOPTIMAL) & ~ZT_PATH_FLAG_CLUSTER_OPTIMAL; + } else { + _flags = (_flags | ZT_PATH_FLAG_CLUSTER_OPTIMAL) & ~ZT_PATH_FLAG_CLUSTER_SUBOPTIMAL; + } + } + + /** + * @return True if ZT_PATH_FLAG_CLUSTER_SUBOPTIMAL is set + */ + inline bool isClusterSuboptimal() const { return ((_flags & ZT_PATH_FLAG_CLUSTER_SUBOPTIMAL) != 0); } + + /** + * @return True if ZT_PATH_FLAG_CLUSTER_OPTIMAL is set + */ + inline bool isClusterOptimal() const { return ((_flags & ZT_PATH_FLAG_CLUSTER_OPTIMAL) != 0); } + + /** + * @return Preference rank, higher == better (will be less than 255) + */ + inline unsigned int preferenceRank() const throw() + { + /* First, since the scope enum values in InetAddress.hpp are in order of + * use preference rank, we take that. Then we multiple by two, yielding + * a sequence like 0, 2, 4, 6, etc. Then if it's IPv6 we add one. This + * makes IPv6 addresses of a given scope outrank IPv4 addresses of the + * same scope -- e.g. 1 outranks 0. This makes us prefer IPv6, but not + * if the address scope/class is of a fundamentally lower rank. */ return ( ((unsigned int)_ipScope << 1) | (unsigned int)(_addr.ss_family == AF_INET6) ); } + /** + * @return This path's overall quality score (higher is better) + */ + inline uint64_t score() const throw() + { + // This is a little bit convoluted because we try to be branch-free, using multiplication instead of branches for boolean flags + + // Start with the last time this path was active, and add a fudge factor to prevent integer underflow if _lastReceived is 0 + uint64_t score = _lastReceived + (ZT_PEER_DIRECT_PING_DELAY * (ZT_PEER_DEAD_PATH_DETECTION_MAX_PROBATION + 1)); + + // Increase score based on path preference rank, which is based on IP scope and address family + score += preferenceRank() * (ZT_PEER_DIRECT_PING_DELAY / ZT_PATH_MAX_PREFERENCE_RANK); + + // Increase score if this is known to be an optimal path to a cluster + score += (uint64_t)(_flags & ZT_PATH_FLAG_CLUSTER_OPTIMAL) * (ZT_PEER_DIRECT_PING_DELAY / 2); // /2 because CLUSTER_OPTIMAL is flag 0x0002 + + // Decrease score if this is known to be a sub-optimal path to a cluster + score -= (uint64_t)(_flags & ZT_PATH_FLAG_CLUSTER_SUBOPTIMAL) * ZT_PEER_DIRECT_PING_DELAY; + + // Penalize for missed ECHO tests in dead path detection + score -= (uint64_t)((ZT_PEER_DIRECT_PING_DELAY / 2) * _probation); + + return score; + } + + /** + * @return True if path is considered reliable (no NAT keepalives etc. are needed) + */ + inline bool reliable() const throw() + { + if (_addr.ss_family == AF_INET) + return ((_ipScope != InetAddress::IP_SCOPE_GLOBAL)&&(_ipScope != InetAddress::IP_SCOPE_PSEUDOPRIVATE)); + return true; + } + + /** + * @return True if address is non-NULL + */ + inline operator bool() const throw() { return (_addr); } + /** * Check whether this address is valid for a ZeroTier path * @@ -191,6 +272,7 @@ public: * @return True if address is good for ZeroTier path use */ static inline bool isAddressValidForPath(const InetAddress &a) + throw() { if ((a.ss_family == AF_INET)||(a.ss_family == AF_INET6)) { switch(a.ipScope()) { @@ -222,33 +304,60 @@ public: } /** - * @return True if path appears alive + * @return Current path probation count (for dead path detect) */ - inline bool alive(const uint64_t now) const { return ((now - _lastIn) <= ZT_PATH_ALIVE_TIMEOUT); } + inline unsigned int probation() const { return _probation; } /** - * @return True if this path needs a heartbeat + * Increase this path's probation violation count (for dead path detect) */ - inline bool needsHeartbeat(const uint64_t now) const { return ((now - _lastOut) >= ZT_PATH_HEARTBEAT_PERIOD); } + inline void increaseProbation() { ++_probation; } - /** - * @return Last time we sent something - */ - inline uint64_t lastOut() const { return _lastOut; } + template + inline void serialize(Buffer &b) const + { + b.append((uint8_t)2); // version + b.append((uint64_t)_lastSend); + b.append((uint64_t)_lastPing); + b.append((uint64_t)_lastKeepalive); + b.append((uint64_t)_lastReceived); + _addr.serialize(b); + _localAddress.serialize(b); + b.append((uint16_t)_flags); + b.append((uint16_t)_probation); + } - /** - * @return Last time we received anything - */ - inline uint64_t lastIn() const { return _lastIn; } + template + inline unsigned int deserialize(const Buffer &b,unsigned int startAt = 0) + { + unsigned int p = startAt; + if (b[p++] != 2) + throw std::invalid_argument("invalid serialized Path"); + _lastSend = b.template at(p); p += 8; + _lastPing = b.template at(p); p += 8; + _lastKeepalive = b.template at(p); p += 8; + _lastReceived = b.template at(p); p += 8; + p += _addr.deserialize(b,p); + p += _localAddress.deserialize(b,p); + _flags = b.template at(p); p += 2; + _probation = b.template at(p); p += 2; + _ipScope = _addr.ipScope(); + return (p - startAt); + } + + inline bool operator==(const Path &p) const { return ((p._addr == _addr)&&(p._localAddress == _localAddress)); } + inline bool operator!=(const Path &p) const { return ((p._addr != _addr)||(p._localAddress != _localAddress)); } private: - uint64_t _lastOut; - uint64_t _lastIn; - uint64_t _lastTrustEstablishedPacketReceived; + uint64_t _lastSend; + uint64_t _lastPing; + uint64_t _lastKeepalive; + uint64_t _lastReceived; InetAddress _addr; InetAddress _localAddress; + unsigned int _flags; + unsigned int _probation; InetAddress::IpScope _ipScope; // memoize this since it's a computed value checked often - AtomicCounter __refCount; }; } // namespace ZeroTier diff --git a/zerotierone/node/Peer.cpp b/zerotierone/node/Peer.cpp index 87882da..cc58100 100644 --- a/zerotierone/node/Peer.cpp +++ b/zerotierone/node/Peer.cpp @@ -27,13 +27,9 @@ #include "Cluster.hpp" #include "Packet.hpp" -#ifndef AF_MAX -#if AF_INET > AF_INET6 -#define AF_MAX AF_INET -#else -#define AF_MAX AF_INET6 -#endif -#endif +#include + +#define ZT_PEER_PATH_SORT_INTERVAL 5000 namespace ZeroTier { @@ -41,20 +37,15 @@ namespace ZeroTier { static uint32_t _natKeepaliveBuf = 0; Peer::Peer(const RuntimeEnvironment *renv,const Identity &myIdentity,const Identity &peerIdentity) : + RR(renv), + _lastUsed(0), _lastReceive(0), _lastUnicastFrame(0), _lastMulticastFrame(0), + _lastAnnouncedTo(0), _lastDirectPathPushSent(0), _lastDirectPathPushReceive(0), - _lastCredentialRequestSent(0), - _lastWhoisRequestReceived(0), - _lastEchoRequestReceived(0), - _lastComRequestReceived(0), - _lastComRequestSent(0), - _lastCredentialsReceived(0), - _lastTrustEstablishedPacketReceived(0), - RR(renv), - _remoteClusterOptimal4(0), + _lastPathSort(0), _vProto(0), _vMajor(0), _vMinor(0), @@ -63,31 +54,29 @@ Peer::Peer(const RuntimeEnvironment *renv,const Identity &myIdentity,const Ident _numPaths(0), _latency(0), _directPathPushCutoffCount(0), - _credentialsCutoffCount(0) + _networkComs(4), + _lastPushedComs(4) { - memset(_remoteClusterOptimal6,0,sizeof(_remoteClusterOptimal6)); if (!myIdentity.agree(peerIdentity,_key,ZT_PEER_SECRET_KEY_LENGTH)) throw std::runtime_error("new peer identity key agreement failed"); } void Peer::received( - const SharedPtr &path, - const unsigned int hops, - const uint64_t packetId, - const Packet::Verb verb, - const uint64_t inRePacketId, - const Packet::Verb inReVerb, - const bool trustEstablished) + const InetAddress &localAddr, + const InetAddress &remoteAddr, + unsigned int hops, + uint64_t packetId, + Packet::Verb verb, + uint64_t inRePacketId, + Packet::Verb inReVerb) { - const uint64_t now = RR->node->now(); - #ifdef ZT_ENABLE_CLUSTER bool suboptimalPath = false; if ((RR->cluster)&&(hops == 0)) { // Note: findBetterEndpoint() is first since we still want to check // for a better endpoint even if we don't actually send a redirect. InetAddress redirectTo; - if ( (verb != Packet::VERB_OK) && (verb != Packet::VERB_ERROR) && (verb != Packet::VERB_RENDEZVOUS) && (verb != Packet::VERB_PUSH_DIRECT_PATHS) && (RR->cluster->findBetterEndpoint(redirectTo,_id.address(),path->address(),false)) ) { + if ( (verb != Packet::VERB_OK) && (verb != Packet::VERB_ERROR) && (verb != Packet::VERB_RENDEZVOUS) && (verb != Packet::VERB_PUSH_DIRECT_PATHS) && (RR->cluster->findBetterEndpoint(redirectTo,_id.address(),remoteAddr,false)) ) { if (_vProto >= 5) { // For newer peers we can send a more idiomatic verb: PUSH_DIRECT_PATHS. Packet outp(_id.address(),RR->identity.address(),Packet::VERB_PUSH_DIRECT_PATHS); @@ -105,7 +94,7 @@ void Peer::received( } outp.append((uint16_t)redirectTo.port()); outp.armor(_key,true); - path->send(RR,outp.data(),outp.size(),now); + RR->node->putPacket(localAddr,remoteAddr,outp.data(),outp.size()); } else { // For older peers we use RENDEZVOUS to coax them into contacting us elsewhere. Packet outp(_id.address(),RR->identity.address(),Packet::VERB_RENDEZVOUS); @@ -120,226 +109,94 @@ void Peer::received( outp.append(redirectTo.rawIpData(),16); } outp.armor(_key,true); - path->send(RR,outp.data(),outp.size(),now); + RR->node->putPacket(localAddr,remoteAddr,outp.data(),outp.size()); } suboptimalPath = true; } } #endif + const uint64_t now = RR->node->now(); _lastReceive = now; if ((verb == Packet::VERB_FRAME)||(verb == Packet::VERB_EXT_FRAME)) _lastUnicastFrame = now; else if (verb == Packet::VERB_MULTICAST_FRAME) _lastMulticastFrame = now; - if (trustEstablished) { - _lastTrustEstablishedPacketReceived = now; - path->trustedPacketReceived(now); - } - if (hops == 0) { bool pathIsConfirmed = false; - { - Mutex::Lock _l(_paths_m); - for(unsigned int p=0;p<_numPaths;++p) { - if (_paths[p].path->address() == path->address()) { - _paths[p].lastReceive = now; - _paths[p].path = path; // local address may have changed! + unsigned int np = _numPaths; + for(unsigned int p=0;pnode->shouldUsePathForZeroTierTraffic(path->localAddress(),path->address())) ) { + if ((!pathIsConfirmed)&&(RR->node->shouldUsePathForZeroTierTraffic(localAddr,remoteAddr))) { if (verb == Packet::VERB_OK) { - Mutex::Lock _l(_paths_m); - // Since this is a new path, figure out where to put it (possibly replacing an old/dead one) - unsigned int slot; - if (_numPaths < ZT_MAX_PEER_NETWORK_PATHS) { - slot = _numPaths++; + Path *slot = (Path *)0; + if (np < ZT_MAX_PEER_NETWORK_PATHS) { + slot = &(_paths[np++]); } else { - // First try to replace the worst within the same address family, if possible - int worstSlot = -1; - uint64_t worstScore = 0xffffffffffffffffULL; - for(unsigned int p=0;p<_numPaths;++p) { - if (_paths[p].path->address().ss_family == path->address().ss_family) { - const uint64_t s = _pathScore(p,now); - if (s < worstScore) { - worstScore = s; - worstSlot = (int)p; - } - } - } - if (worstSlot >= 0) { - slot = (unsigned int)worstSlot; - } else { - // If we can't find one with the same family, replace the worst of any family - slot = ZT_MAX_PEER_NETWORK_PATHS - 1; - for(unsigned int p=0;p<_numPaths;++p) { - const uint64_t s = _pathScore(p,now); - if (s < worstScore) { - worstScore = s; - slot = p; + uint64_t slotWorstScore = 0xffffffffffffffffULL; + for(unsigned int p=0;preceived(now); +#ifdef ZT_ENABLE_CLUSTER + slot->setClusterSuboptimal(suboptimalPath); +#endif + _numPaths = np; + } + #ifdef ZT_ENABLE_CLUSTER - _paths[slot].localClusterSuboptimal = suboptimalPath; if (RR->cluster) RR->cluster->broadcastHavePeer(_id); #endif + } else { - TRACE("got %s via unknown path %s(%s), confirming...",Packet::verbString(verb),_id.address().toString().c_str(),path->address().toString().c_str()); - attemptToContactAt(path->localAddress(),path->address(),now); - path->sent(now); - } - } - } else if (trustEstablished) { - // Send PUSH_DIRECT_PATHS if hops>0 (relayed) and we have a trust relationship (common network membership) -#ifdef ZT_ENABLE_CLUSTER - // Cluster mode disables normal PUSH_DIRECT_PATHS in favor of cluster-based peer redirection - const bool haveCluster = (RR->cluster); -#else - const bool haveCluster = false; -#endif - if ( ((now - _lastDirectPathPushSent) >= ZT_DIRECT_PATH_PUSH_INTERVAL) && (!haveCluster) ) { - _lastDirectPathPushSent = now; - std::vector pathsToPush; + TRACE("got %s via unknown path %s(%s), confirming...",Packet::verbString(verb),_id.address().toString().c_str(),remoteAddr.toString().c_str()); - std::vector dps(RR->node->directPaths()); - for(std::vector::const_iterator i(dps.begin());i!=dps.end();++i) - pathsToPush.push_back(*i); - - std::vector sym(RR->sa->getSymmetricNatPredictions()); - for(unsigned long i=0,added=0;inode->prng() % sym.size()]); - if (std::find(pathsToPush.begin(),pathsToPush.end(),tmp) == pathsToPush.end()) { - pathsToPush.push_back(tmp); - if (++added >= ZT_PUSH_DIRECT_PATHS_MAX_PER_SCOPE_AND_FAMILY) - break; + if ( (_vProto >= 5) && ( !((_vMajor == 1)&&(_vMinor == 1)&&(_vRevision == 0)) ) ) { + Packet outp(_id.address(),RR->identity.address(),Packet::VERB_ECHO); + outp.armor(_key,true); + RR->node->putPacket(localAddr,remoteAddr,outp.data(),outp.size()); + } else { + sendHELLO(localAddr,remoteAddr,now); } - } - if (pathsToPush.size() > 0) { -#ifdef ZT_TRACE - std::string ps; - for(std::vector::const_iterator p(pathsToPush.begin());p!=pathsToPush.end();++p) { - if (ps.length() > 0) - ps.push_back(','); - ps.append(p->toString()); - } - TRACE("pushing %u direct paths to %s: %s",(unsigned int)pathsToPush.size(),_id.address().toString().c_str(),ps.c_str()); -#endif - - std::vector::const_iterator p(pathsToPush.begin()); - while (p != pathsToPush.end()) { - Packet outp(_id.address(),RR->identity.address(),Packet::VERB_PUSH_DIRECT_PATHS); - outp.addSize(2); // leave room for count - - unsigned int count = 0; - while ((p != pathsToPush.end())&&((outp.size() + 24) < 1200)) { - uint8_t addressType = 4; - switch(p->ss_family) { - case AF_INET: - break; - case AF_INET6: - addressType = 6; - break; - default: // we currently only push IP addresses - ++p; - continue; - } - - outp.append((uint8_t)0); // no flags - outp.append((uint16_t)0); // no extensions - outp.append(addressType); - outp.append((uint8_t)((addressType == 4) ? 6 : 18)); - outp.append(p->rawIpData(),((addressType == 4) ? 4 : 16)); - outp.append((uint16_t)p->port()); - - ++count; - ++p; - } - - if (count) { - outp.setAt(ZT_PACKET_IDX_PAYLOAD,(uint16_t)count); - outp.armor(_key,true); - path->send(RR,outp.data(),outp.size(),now); - } - } - } - } - } -} - -bool Peer::hasActivePathTo(uint64_t now,const InetAddress &addr) const -{ - Mutex::Lock _l(_paths_m); - for(unsigned int p=0;p<_numPaths;++p) { - if ( (_paths[p].path->address() == addr) && ((now - _paths[p].lastReceive) <= ZT_PEER_PATH_EXPIRATION) && (_paths[p].path->alive(now)) ) - return true; - } - return false; -} - -bool Peer::sendDirect(const void *data,unsigned int len,uint64_t now,bool forceEvenIfDead) -{ - Mutex::Lock _l(_paths_m); - - int bestp = -1; - uint64_t best = 0ULL; - for(unsigned int p=0;p<_numPaths;++p) { - if ( ((now - _paths[p].lastReceive) <= ZT_PEER_PATH_EXPIRATION) && (_paths[p].path->alive(now)||(forceEvenIfDead)) ) { - const uint64_t s = _pathScore(p,now); - if (s >= best) { - best = s; - bestp = (int)p; } } } - if (bestp >= 0) { - return _paths[bestp].path->send(RR,data,len,now); - } else { - return false; + if ((now - _lastAnnouncedTo) >= ((ZT_MULTICAST_LIKE_EXPIRE / 2) - 1000)) { + _lastAnnouncedTo = now; + const std::vector< SharedPtr > networks(RR->node->allNetworks()); + for(std::vector< SharedPtr >::const_iterator n(networks.begin());n!=networks.end();++n) + (*n)->tryAnnounceMulticastGroupsTo(SharedPtr(this)); } } -SharedPtr Peer::getBestPath(uint64_t now,bool includeExpired) -{ - Mutex::Lock _l(_paths_m); - - int bestp = -1; - uint64_t best = 0ULL; - for(unsigned int p=0;p<_numPaths;++p) { - if ( ((now - _paths[p].lastReceive) <= ZT_PEER_PATH_EXPIRATION) || (includeExpired) ) { - const uint64_t s = _pathScore(p,now); - if (s >= best) { - best = s; - bestp = (int)p; - } - } - } - - if (bestp >= 0) { - return _paths[bestp].path; - } else { - return SharedPtr(); - } -} - -void Peer::sendHELLO(const InetAddress &localAddr,const InetAddress &atAddress,uint64_t now) +void Peer::sendHELLO(const InetAddress &localAddr,const InetAddress &atAddress,uint64_t now,unsigned int ttl) { Packet outp(_id.address(),RR->identity.address(),Packet::VERB_HELLO); outp.append((unsigned char)ZT_PROTO_VERSION); @@ -351,103 +208,351 @@ void Peer::sendHELLO(const InetAddress &localAddr,const InetAddress &atAddress,u atAddress.serialize(outp); outp.append((uint64_t)RR->topology->worldId()); outp.append((uint64_t)RR->topology->worldTimestamp()); - RR->node->expectReplyTo(outp.packetId()); - outp.armor(_key,false); // HELLO is sent in the clear - RR->node->putPacket(localAddr,atAddress,outp.data(),outp.size()); -} -void Peer::attemptToContactAt(const InetAddress &localAddr,const InetAddress &atAddress,uint64_t now) -{ - if ( (_vProto >= 5) && ( !((_vMajor == 1)&&(_vMinor == 1)&&(_vRevision == 0)) ) ) { - Packet outp(_id.address(),RR->identity.address(),Packet::VERB_ECHO); - RR->node->expectReplyTo(outp.packetId()); - outp.armor(_key,true); - RR->node->putPacket(localAddr,atAddress,outp.data(),outp.size()); - } else { - sendHELLO(localAddr,atAddress,now); - } + outp.armor(_key,false); // HELLO is sent in the clear + RR->node->putPacket(localAddr,atAddress,outp.data(),outp.size(),ttl); } bool Peer::doPingAndKeepalive(uint64_t now,int inetAddressFamily) { - Mutex::Lock _l(_paths_m); + Path *p = (Path *)0; - int bestp = -1; - uint64_t best = 0ULL; - for(unsigned int p=0;p<_numPaths;++p) { - if ( ((now - _paths[p].lastReceive) <= ZT_PEER_PATH_EXPIRATION) && ((inetAddressFamily < 0)||((int)_paths[p].path->address().ss_family == inetAddressFamily)) ) { - const uint64_t s = _pathScore(p,now); - if (s >= best) { - best = s; - bestp = (int)p; - } - } + if (inetAddressFamily != 0) { + p = _getBestPath(now,inetAddressFamily); + } else { + p = _getBestPath(now); } - if (bestp >= 0) { - if ((now - _paths[bestp].lastReceive) >= ZT_PEER_PING_PERIOD) { - attemptToContactAt(_paths[bestp].path->localAddress(),_paths[bestp].path->address(),now); - _paths[bestp].path->sent(now); - } else if (_paths[bestp].path->needsHeartbeat(now)) { + if (p) { + if ((now - p->lastReceived()) >= ZT_PEER_DIRECT_PING_DELAY) { + //TRACE("PING %s(%s) after %llums/%llums send/receive inactivity",_id.address().toString().c_str(),p->address().toString().c_str(),now - p->lastSend(),now - p->lastReceived()); + sendHELLO(p->localAddress(),p->address(),now); + p->sent(now); + p->pinged(now); + } else if ( ((now - std::max(p->lastSend(),p->lastKeepalive())) >= ZT_NAT_KEEPALIVE_DELAY) && (!p->reliable()) ) { + //TRACE("NAT keepalive %s(%s) after %llums/%llums send/receive inactivity",_id.address().toString().c_str(),p->address().toString().c_str(),now - p->lastSend(),now - p->lastReceived()); _natKeepaliveBuf += (uint32_t)((now * 0x9e3779b1) >> 1); // tumble this around to send constantly varying (meaningless) payloads - _paths[bestp].path->send(RR,&_natKeepaliveBuf,sizeof(_natKeepaliveBuf),now); + RR->node->putPacket(p->localAddress(),p->address(),&_natKeepaliveBuf,sizeof(_natKeepaliveBuf)); + p->sentKeepalive(now); + } else { + //TRACE("no PING or NAT keepalive: addr==%s reliable==%d %llums/%llums send/receive inactivity",p->address().toString().c_str(),(int)p->reliable(),now - p->lastSend(),now - p->lastReceived()); } return true; - } else { - return false; } -} -bool Peer::hasActiveDirectPath(uint64_t now) const -{ - Mutex::Lock _l(_paths_m); - for(unsigned int p=0;p<_numPaths;++p) { - if (((now - _paths[p].lastReceive) <= ZT_PEER_PATH_EXPIRATION)&&(_paths[p].path->alive(now))) - return true; - } return false; } -void Peer::resetWithinScope(InetAddress::IpScope scope,int inetAddressFamily,uint64_t now) +bool Peer::pushDirectPaths(const InetAddress &localAddr,const InetAddress &toAddress,uint64_t now,bool force,bool includePrivatePaths) { - Mutex::Lock _l(_paths_m); - for(unsigned int p=0;p<_numPaths;++p) { - if ( (_paths[p].path->address().ss_family == inetAddressFamily) && (_paths[p].path->address().ipScope() == scope) ) { - attemptToContactAt(_paths[p].path->localAddress(),_paths[p].path->address(),now); - _paths[p].path->sent(now); - _paths[p].lastReceive = 0; // path will not be used unless it speaks again +#ifdef ZT_ENABLE_CLUSTER + // Cluster mode disables normal PUSH_DIRECT_PATHS in favor of cluster-based peer redirection + if (RR->cluster) + return false; +#endif + + if (!force) { + if ((now - _lastDirectPathPushSent) < ZT_DIRECT_PATH_PUSH_INTERVAL) + return false; + else _lastDirectPathPushSent = now; + } + + std::vector pathsToPush; + + std::vector dps(RR->node->directPaths()); + for(std::vector::const_iterator i(dps.begin());i!=dps.end();++i) { + if ((includePrivatePaths)||(i->ipScope() == InetAddress::IP_SCOPE_GLOBAL)) + pathsToPush.push_back(*i); + } + + std::vector sym(RR->sa->getSymmetricNatPredictions()); + for(unsigned long i=0,added=0;inode->prng() % sym.size()]); + if (std::find(pathsToPush.begin(),pathsToPush.end(),tmp) == pathsToPush.end()) { + pathsToPush.push_back(tmp); + if (++added >= ZT_PUSH_DIRECT_PATHS_MAX_PER_SCOPE_AND_FAMILY) + break; } } + if (pathsToPush.empty()) + return false; + +#ifdef ZT_TRACE + { + std::string ps; + for(std::vector::const_iterator p(pathsToPush.begin());p!=pathsToPush.end();++p) { + if (ps.length() > 0) + ps.push_back(','); + ps.append(p->toString()); + } + TRACE("pushing %u direct paths to %s: %s",(unsigned int)pathsToPush.size(),_id.address().toString().c_str(),ps.c_str()); + } +#endif + + std::vector::const_iterator p(pathsToPush.begin()); + while (p != pathsToPush.end()) { + Packet outp(_id.address(),RR->identity.address(),Packet::VERB_PUSH_DIRECT_PATHS); + outp.addSize(2); // leave room for count + + unsigned int count = 0; + while ((p != pathsToPush.end())&&((outp.size() + 24) < 1200)) { + uint8_t addressType = 4; + switch(p->ss_family) { + case AF_INET: + break; + case AF_INET6: + addressType = 6; + break; + default: // we currently only push IP addresses + ++p; + continue; + } + + outp.append((uint8_t)0); // no flags + outp.append((uint16_t)0); // no extensions + outp.append(addressType); + outp.append((uint8_t)((addressType == 4) ? 6 : 18)); + outp.append(p->rawIpData(),((addressType == 4) ? 4 : 16)); + outp.append((uint16_t)p->port()); + + ++count; + ++p; + } + + if (count) { + outp.setAt(ZT_PACKET_IDX_PAYLOAD,(uint16_t)count); + outp.armor(_key,true); + RR->node->putPacket(localAddr,toAddress,outp.data(),outp.size(),0); + } + } + + return true; +} + +bool Peer::resetWithinScope(InetAddress::IpScope scope,uint64_t now) +{ + unsigned int np = _numPaths; + unsigned int x = 0; + unsigned int y = 0; + while (x < np) { + if (_paths[x].address().ipScope() == scope) { + // Resetting a path means sending a HELLO and then forgetting it. If we + // get OK(HELLO) then it will be re-learned. + sendHELLO(_paths[x].localAddress(),_paths[x].address(),now); + } else { + _paths[y++] = _paths[x]; + } + ++x; + } + _numPaths = y; + return (y < np); } void Peer::getBestActiveAddresses(uint64_t now,InetAddress &v4,InetAddress &v6) const { - Mutex::Lock _l(_paths_m); - - int bestp4 = -1,bestp6 = -1; - uint64_t best4 = 0ULL,best6 = 0ULL; - for(unsigned int p=0;p<_numPaths;++p) { - if ( ((now - _paths[p].lastReceive) <= ZT_PEER_PATH_EXPIRATION) && (_paths[p].path->alive(now)) ) { - if (_paths[p].path->address().ss_family == AF_INET) { - const uint64_t s = _pathScore(p,now); - if (s >= best4) { - best4 = s; - bestp4 = (int)p; - } - } else if (_paths[p].path->address().ss_family == AF_INET6) { - const uint64_t s = _pathScore(p,now); - if (s >= best6) { - best6 = s; - bestp6 = (int)p; + uint64_t bestV4 = 0,bestV6 = 0; + for(unsigned int p=0,np=_numPaths;p= bestV4) { + bestV4 = lr; + v4 = _paths[p].address(); + } + } else if (_paths[p].address().isV6()) { + if (lr >= bestV6) { + bestV6 = lr; + v6 = _paths[p].address(); + } } } } } +} - if (bestp4 >= 0) - v4 = _paths[bestp4].path->address(); - if (bestp6 >= 0) - v6 = _paths[bestp6].path->address(); +bool Peer::networkMembershipCertificatesAgree(uint64_t nwid,const CertificateOfMembership &com) const +{ + Mutex::Lock _l(_networkComs_m); + const _NetworkCom *ourCom = _networkComs.get(nwid); + if (ourCom) + return ourCom->com.agreesWith(com); + return false; +} + +bool Peer::validateAndSetNetworkMembershipCertificate(uint64_t nwid,const CertificateOfMembership &com) +{ + // Sanity checks + if ((!com)||(com.issuedTo() != _id.address())) + return false; + + // Return true if we already have this *exact* COM + { + Mutex::Lock _l(_networkComs_m); + _NetworkCom *ourCom = _networkComs.get(nwid); + if ((ourCom)&&(ourCom->com == com)) + return true; + } + + // Check signature, log and return if cert is invalid + if (com.signedBy() != Network::controllerFor(nwid)) { + TRACE("rejected network membership certificate for %.16llx signed by %s: signer not a controller of this network",(unsigned long long)nwid,com.signedBy().toString().c_str()); + return false; // invalid signer + } + + if (com.signedBy() == RR->identity.address()) { + + // We are the controller: RR->identity.address() == controller() == cert.signedBy() + // So, verify that we signed th cert ourself + if (!com.verify(RR->identity)) { + TRACE("rejected network membership certificate for %.16llx self signed by %s: signature check failed",(unsigned long long)nwid,com.signedBy().toString().c_str()); + return false; // invalid signature + } + + } else { + + SharedPtr signer(RR->topology->getPeer(com.signedBy())); + + if (!signer) { + // This would be rather odd, since this is our controller... could happen + // if we get packets before we've gotten config. + RR->sw->requestWhois(com.signedBy()); + return false; // signer unknown + } + + if (!com.verify(signer->identity())) { + TRACE("rejected network membership certificate for %.16llx signed by %s: signature check failed",(unsigned long long)nwid,com.signedBy().toString().c_str()); + return false; // invalid signature + } + } + + // If we made it past all those checks, add or update cert in our cert info store + { + Mutex::Lock _l(_networkComs_m); + _networkComs.set(nwid,_NetworkCom(RR->node->now(),com)); + } + + return true; +} + +bool Peer::needsOurNetworkMembershipCertificate(uint64_t nwid,uint64_t now,bool updateLastPushedTime) +{ + Mutex::Lock _l(_networkComs_m); + uint64_t &lastPushed = _lastPushedComs[nwid]; + const uint64_t tmp = lastPushed; + if (updateLastPushedTime) + lastPushed = now; + return ((now - tmp) >= (ZT_NETWORK_AUTOCONF_DELAY / 3)); +} + +void Peer::clean(uint64_t now) +{ + { + unsigned int np = _numPaths; + unsigned int x = 0; + unsigned int y = 0; + while (x < np) { + if (_paths[x].active(now)) + _paths[y++] = _paths[x]; + ++x; + } + _numPaths = y; + } + + { + Mutex::Lock _l(_networkComs_m); + { + uint64_t *k = (uint64_t *)0; + _NetworkCom *v = (_NetworkCom *)0; + Hashtable< uint64_t,_NetworkCom >::Iterator i(_networkComs); + while (i.next(k,v)) { + if ( (!RR->node->belongsToNetwork(*k)) && ((now - v->ts) >= ZT_PEER_NETWORK_COM_EXPIRATION) ) + _networkComs.erase(*k); + } + } + { + uint64_t *k = (uint64_t *)0; + uint64_t *v = (uint64_t *)0; + Hashtable< uint64_t,uint64_t >::Iterator i(_lastPushedComs); + while (i.next(k,v)) { + if ((now - *v) > (ZT_NETWORK_AUTOCONF_DELAY * 2)) + _lastPushedComs.erase(*k); + } + } + } +} + +void Peer::_doDeadPathDetection(Path &p,const uint64_t now) +{ + /* Dead path detection: if we have sent something to this peer and have not + * yet received a reply, double check this path. The majority of outbound + * packets including Ethernet frames do generate some kind of reply either + * immediately or at some point in the near future. This will occasionally + * (every NO_ANSWER_TIMEOUT ms) check paths unnecessarily if traffic that + * does not generate a response is being sent such as multicast announcements + * or frames belonging to unidirectional UDP protocols, but the cost is very + * tiny and the benefit in reliability is very large. This takes care of many + * failure modes including crap NATs that forget links and spurious changes + * to physical network topology that cannot be otherwise detected. + * + * Each time we do this we increment a probation counter in the path. This + * counter is reset on any packet receive over this path. If it reaches the + * MAX_PROBATION threshold the path is considred dead. */ + + if ( + (p.lastSend() > p.lastReceived()) && + ((p.lastSend() - p.lastReceived()) >= ZT_PEER_DEAD_PATH_DETECTION_NO_ANSWER_TIMEOUT) && + ((now - p.lastPing()) >= ZT_PEER_DEAD_PATH_DETECTION_NO_ANSWER_TIMEOUT) && + (!p.isClusterSuboptimal()) && + (!RR->topology->amRoot()) + ) { + TRACE("%s(%s) does not seem to be answering in a timely manner, checking if dead (probation == %u)",_id.address().toString().c_str(),p.address().toString().c_str(),p.probation()); + + if ( (_vProto >= 5) && ( !((_vMajor == 1)&&(_vMinor == 1)&&(_vRevision == 0)) ) ) { + Packet outp(_id.address(),RR->identity.address(),Packet::VERB_ECHO); + outp.armor(_key,true); + p.send(RR,outp.data(),outp.size(),now); + p.pinged(now); + } else { + sendHELLO(p.localAddress(),p.address(),now); + p.sent(now); + p.pinged(now); + } + + p.increaseProbation(); + } +} + +Path *Peer::_getBestPath(const uint64_t now) +{ + Path *bestPath = (Path *)0; + uint64_t bestPathScore = 0; + for(unsigned int i=0;i<_numPaths;++i) { + const uint64_t score = _paths[i].score(); + if ((score >= bestPathScore)&&(_paths[i].active(now))) { + bestPathScore = score; + bestPath = &(_paths[i]); + } + } + if (bestPath) + _doDeadPathDetection(*bestPath,now); + return bestPath; +} + +Path *Peer::_getBestPath(const uint64_t now,int inetAddressFamily) +{ + Path *bestPath = (Path *)0; + uint64_t bestPathScore = 0; + for(unsigned int i=0;i<_numPaths;++i) { + const uint64_t score = _paths[i].score(); + if (((int)_paths[i].address().ss_family == inetAddressFamily)&&(score >= bestPathScore)&&(_paths[i].active(now))) { + bestPathScore = score; + bestPath = &(_paths[i]); + } + } + if (bestPath) + _doDeadPathDetection(*bestPath,now); + return bestPath; } } // namespace ZeroTier diff --git a/zerotierone/node/Peer.hpp b/zerotierone/node/Peer.hpp index d0589cc..445535c 100644 --- a/zerotierone/node/Peer.hpp +++ b/zerotierone/node/Peer.hpp @@ -31,6 +31,7 @@ #include "../include/ZeroTierOne.h" #include "RuntimeEnvironment.hpp" +#include "CertificateOfMembership.hpp" #include "Path.hpp" #include "Address.hpp" #include "Utils.hpp" @@ -43,6 +44,10 @@ #include "Mutex.hpp" #include "NonCopyable.hpp" +// Very rough computed estimate: (8 + 256 + 80 + (16 * 64) + (128 * 256) + (128 * 16)) +// 1048576 provides tons of headroom -- overflow would just cause peer not to be persisted +#define ZT_PEER_SUGGESTED_SERIALIZATION_BUFFER_SIZE 1048576 + namespace ZeroTier { /** @@ -68,6 +73,18 @@ public: */ Peer(const RuntimeEnvironment *renv,const Identity &myIdentity,const Identity &peerIdentity); + /** + * @return Time peer record was last used in any way + */ + inline uint64_t lastUsed() const throw() { return _lastUsed; } + + /** + * Log a use of this peer record (done by Topology when peers are looked up) + * + * @param now New time of last use + */ + inline void use(uint64_t now) throw() { _lastUsed = now; } + /** * @return This peer's ZT address (short for identity().address()) */ @@ -84,167 +101,149 @@ public: * This is called by the decode pipe when a packet is proven to be authentic * and appears to be valid. * - * @param path Path over which packet was received + * @param RR Runtime environment + * @param localAddr Local address + * @param remoteAddr Internet address of sender * @param hops ZeroTier (not IP) hops * @param packetId Packet ID * @param verb Packet verb * @param inRePacketId Packet ID in reply to (default: none) * @param inReVerb Verb in reply to (for OK/ERROR, default: VERB_NOP) - * @param trustEstablished If true, some form of non-trivial trust (like allowed in network) has been established */ void received( - const SharedPtr &path, - const unsigned int hops, - const uint64_t packetId, - const Packet::Verb verb, - const uint64_t inRePacketId, - const Packet::Verb inReVerb, - const bool trustEstablished); + const InetAddress &localAddr, + const InetAddress &remoteAddr, + unsigned int hops, + uint64_t packetId, + Packet::Verb verb, + uint64_t inRePacketId = 0, + Packet::Verb inReVerb = Packet::VERB_NOP); + + /** + * Get the current best direct path to this peer + * + * @param now Current time + * @return Best path or NULL if there are no active direct paths + */ + inline Path *getBestPath(uint64_t now) { return _getBestPath(now); } /** * @param now Current time * @param addr Remote address * @return True if we have an active path to this destination */ - bool hasActivePathTo(uint64_t now,const InetAddress &addr) const; + inline bool hasActivePathTo(uint64_t now,const InetAddress &addr) const + { + for(unsigned int p=0;p<_numPaths;++p) { + if ((_paths[p].active(now))&&(_paths[p].address() == addr)) + return true; + } + return false; + } /** - * Set which known path for an address family is optimal + * Set all paths in the same ss_family that are not this one to cluster suboptimal + * + * Addresses in other families are not affected. * * @param addr Address to make exclusive */ - inline void setClusterOptimal(const InetAddress &addr) + inline void setClusterOptimalPathForAddressFamily(const InetAddress &addr) { - if (addr.ss_family == AF_INET) { - _remoteClusterOptimal4 = (uint32_t)reinterpret_cast(&addr)->sin_addr.s_addr; - } else if (addr.ss_family == AF_INET6) { - memcpy(_remoteClusterOptimal6,reinterpret_cast(&addr)->sin6_addr.s6_addr,16); + for(unsigned int p=0;p<_numPaths;++p) { + if (_paths[p].address().ss_family == addr.ss_family) { + _paths[p].setClusterSuboptimal(_paths[p].address() != addr); + } } } /** - * Send via best direct path + * Send via best path * * @param data Packet data * @param len Packet length * @param now Current time - * @param forceEvenIfDead If true, send even if the path is not 'alive' - * @return True if we actually sent something + * @return Path used on success or NULL on failure */ - bool sendDirect(const void *data,unsigned int len,uint64_t now,bool forceEvenIfDead); - - /** - * Get the best current direct path - * - * @param now Current time - * @param includeDead If true, include even expired paths - * @return Best current path or NULL if none - */ - SharedPtr getBestPath(uint64_t now,bool includeExpired); + inline Path *send(const void *data,unsigned int len,uint64_t now) + { + Path *const bestPath = getBestPath(now); + if (bestPath) { + if (bestPath->send(RR,data,len,now)) + return bestPath; + } + return (Path *)0; + } /** * Send a HELLO to this peer at a specified physical address * - * No statistics or sent times are updated here. + * This does not update any statistics. It's used to send initial HELLOs + * for NAT traversal and path verification. * * @param localAddr Local address * @param atAddress Destination address * @param now Current time + * @param ttl Desired IP TTL (default: 0 to leave alone) */ - void sendHELLO(const InetAddress &localAddr,const InetAddress &atAddress,uint64_t now); - - /** - * Send ECHO (or HELLO for older peers) to this peer at the given address - * - * No statistics or sent times are updated here. - * - * @param localAddr Local address - * @param atAddress Destination address - * @param now Current time - */ - void attemptToContactAt(const InetAddress &localAddr,const InetAddress &atAddress,uint64_t now); + void sendHELLO(const InetAddress &localAddr,const InetAddress &atAddress,uint64_t now,unsigned int ttl = 0); /** * Send pings or keepalives depending on configured timeouts * * @param now Current time - * @param inetAddressFamily Keep this address family alive, or -1 for any - * @return True if we have at least one direct path of the given family (or any if family is -1) + * @param inetAddressFamily Keep this address family alive, or 0 to simply pick current best ignoring family + * @return True if at least one direct path seems alive */ bool doPingAndKeepalive(uint64_t now,int inetAddressFamily); /** + * Push direct paths back to self if we haven't done so in the configured timeout + * + * @param localAddr Local address + * @param toAddress Remote address to send push to (usually from path) * @param now Current time - * @return True if this peer has at least one active and alive direct path + * @param force If true, push regardless of rate limit + * @param includePrivatePaths If true, include local interface address paths (should only be done to peers with a trust relationship) + * @return True if something was actually sent */ - bool hasActiveDirectPath(uint64_t now) const; + bool pushDirectPaths(const InetAddress &localAddr,const InetAddress &toAddress,uint64_t now,bool force,bool includePrivatePaths); /** - * Reset paths within a given IP scope and address family - * - * Resetting a path involves sending an ECHO to it and then deactivating - * it until or unless it responds. - * - * @param scope IP scope - * @param inetAddressFamily Family e.g. AF_INET - * @param now Current time + * @return All known direct paths to this peer (active or inactive) */ - void resetWithinScope(InetAddress::IpScope scope,int inetAddressFamily,uint64_t now); - - /** - * Get most recently active path addresses for IPv4 and/or IPv6 - * - * Note that v4 and v6 are not modified if they are not found, so - * initialize these to a NULL address to be able to check. - * - * @param now Current time - * @param v4 Result parameter to receive active IPv4 address, if any - * @param v6 Result parameter to receive active IPv6 address, if any - */ - void getBestActiveAddresses(uint64_t now,InetAddress &v4,InetAddress &v6) const; - - /** - * @param now Current time - * @return All known direct paths to this peer and whether they are expired (true == expired) - */ - inline std::vector< std::pair< SharedPtr,bool > > paths(const uint64_t now) const + inline std::vector paths() const { - std::vector< std::pair< SharedPtr,bool > > pp; - Mutex::Lock _l(_paths_m); + std::vector pp; for(unsigned int p=0,np=_numPaths;p,bool >(_paths[p].path,(now - _paths[p].lastReceive) > ZT_PEER_PATH_EXPIRATION)); + pp.push_back(_paths[p]); return pp; } /** * @return Time of last receive of anything, whether direct or relayed */ - inline uint64_t lastReceive() const { return _lastReceive; } - - /** - * @return True if we've heard from this peer in less than ZT_PEER_ACTIVITY_TIMEOUT - */ - inline bool isAlive(const uint64_t now) const { return ((now - _lastReceive) < ZT_PEER_ACTIVITY_TIMEOUT); } + inline uint64_t lastReceive() const throw() { return _lastReceive; } /** * @return Time of most recent unicast frame received */ - inline uint64_t lastUnicastFrame() const { return _lastUnicastFrame; } + inline uint64_t lastUnicastFrame() const throw() { return _lastUnicastFrame; } /** * @return Time of most recent multicast frame received */ - inline uint64_t lastMulticastFrame() const { return _lastMulticastFrame; } + inline uint64_t lastMulticastFrame() const throw() { return _lastMulticastFrame; } /** * @return Time of most recent frame of any kind (unicast or multicast) */ - inline uint64_t lastFrame() const { return std::max(_lastUnicastFrame,_lastMulticastFrame); } + inline uint64_t lastFrame() const throw() { return std::max(_lastUnicastFrame,_lastMulticastFrame); } /** * @return True if this peer has sent us real network traffic recently */ - inline uint64_t isActive(uint64_t now) const { return ((now - lastFrame()) < ZT_PEER_ACTIVITY_TIMEOUT); } + inline uint64_t activelyTransferringFrames(uint64_t now) const throw() { return ((now - lastFrame()) < ZT_PEER_ACTIVITY_TIMEOUT); } /** * @return Latency in milliseconds or 0 if unknown @@ -270,7 +269,7 @@ public: unsigned int l = _latency; if (!l) l = 0xffff; - return (l * (((unsigned int)tsr / (ZT_PEER_PING_PERIOD + 1000)) + 1)); + return (l * (((unsigned int)tsr / (ZT_PEER_DIRECT_PING_DELAY + 1000)) + 1)); } /** @@ -286,25 +285,47 @@ public: else _latency = std::min(l,(unsigned int)65535); } + /** + * @param now Current time + * @return True if this peer has at least one active direct path + */ + inline bool hasActiveDirectPath(uint64_t now) const + { + for(unsigned int p=0;p<_numPaths;++p) { + if (_paths[p].active(now)) + return true; + } + return false; + } + #ifdef ZT_ENABLE_CLUSTER /** * @param now Current time * @return True if this peer has at least one active direct path that is not cluster-suboptimal */ - inline bool hasLocalClusterOptimalPath(uint64_t now) const + inline bool hasClusterOptimalPath(uint64_t now) const { for(unsigned int p=0,np=_numPaths;palive(now)) && (!_paths[p].localClusterSuboptimal) ) + if ((_paths[p].active(now))&&(!_paths[p].isClusterSuboptimal())) return true; } return false; } #endif + /** + * Reset paths within a given scope + * + * @param scope IP scope of paths to reset + * @param now Current time + * @return True if at least one path was forgotten + */ + bool resetWithinScope(InetAddress::IpScope scope,uint64_t now); + /** * @return 256-bit secret symmetric encryption key */ - inline const unsigned char *key() const { return _key; } + inline const unsigned char *key() const throw() { return _key; } /** * Set the currently known remote version of this peer's client @@ -322,22 +343,69 @@ public: _vRevision = (uint16_t)vrev; } - inline unsigned int remoteVersionProtocol() const { return _vProto; } - inline unsigned int remoteVersionMajor() const { return _vMajor; } - inline unsigned int remoteVersionMinor() const { return _vMinor; } - inline unsigned int remoteVersionRevision() const { return _vRevision; } + inline unsigned int remoteVersionProtocol() const throw() { return _vProto; } + inline unsigned int remoteVersionMajor() const throw() { return _vMajor; } + inline unsigned int remoteVersionMinor() const throw() { return _vMinor; } + inline unsigned int remoteVersionRevision() const throw() { return _vRevision; } - inline bool remoteVersionKnown() const { return ((_vMajor > 0)||(_vMinor > 0)||(_vRevision > 0)); } + inline bool remoteVersionKnown() const throw() { return ((_vMajor > 0)||(_vMinor > 0)||(_vRevision > 0)); } /** - * @return True if peer has received a trust established packet (e.g. common network membership) in the past ZT_TRUST_EXPIRATION ms + * Get most recently active path addresses for IPv4 and/or IPv6 + * + * Note that v4 and v6 are not modified if they are not found, so + * initialize these to a NULL address to be able to check. + * + * @param now Current time + * @param v4 Result parameter to receive active IPv4 address, if any + * @param v6 Result parameter to receive active IPv6 address, if any */ - inline bool trustEstablished(const uint64_t now) const { return ((now - _lastTrustEstablishedPacketReceived) < ZT_TRUST_EXPIRATION); } + void getBestActiveAddresses(uint64_t now,InetAddress &v4,InetAddress &v6) const; /** - * Rate limit gate for VERB_PUSH_DIRECT_PATHS + * Check network COM agreement with this peer + * + * @param nwid Network ID + * @param com Another certificate of membership + * @return True if supplied COM agrees with ours, false if not or if we don't have one */ - inline bool rateGatePushDirectPaths(const uint64_t now) + bool networkMembershipCertificatesAgree(uint64_t nwid,const CertificateOfMembership &com) const; + + /** + * Check the validity of the COM and add/update if valid and new + * + * @param nwid Network ID + * @param com Externally supplied COM + */ + bool validateAndSetNetworkMembershipCertificate(uint64_t nwid,const CertificateOfMembership &com); + + /** + * @param nwid Network ID + * @param now Current time + * @param updateLastPushedTime If true, go ahead and update the last pushed time regardless of return value + * @return Whether or not this peer needs another COM push from us + */ + bool needsOurNetworkMembershipCertificate(uint64_t nwid,uint64_t now,bool updateLastPushedTime); + + /** + * Perform periodic cleaning operations + * + * @param now Current time + */ + void clean(uint64_t now); + + /** + * Update direct path push stats and return true if we should respond + * + * This is a circuit breaker to make VERB_PUSH_DIRECT_PATHS not particularly + * useful as a DDOS amplification attack vector. Otherwise a malicious peer + * could send loads of these and cause others to bombard arbitrary IPs with + * traffic. + * + * @param now Current time + * @return True if we should respond + */ + inline bool shouldRespondToDirectPathPush(const uint64_t now) { if ((now - _lastDirectPathPushReceive) <= ZT_PUSH_DIRECT_PATHS_CUTOFF_TIME) ++_directPathPushCutoffCount; @@ -346,78 +414,6 @@ public: return (_directPathPushCutoffCount < ZT_PUSH_DIRECT_PATHS_CUTOFF_LIMIT); } - /** - * Rate limit gate for VERB_NETWORK_CREDENTIALS - */ - inline bool rateGateCredentialsReceived(const uint64_t now) - { - if ((now - _lastCredentialsReceived) <= ZT_PEER_CREDENTIALS_CUTOFF_TIME) - ++_credentialsCutoffCount; - else _credentialsCutoffCount = 0; - _lastCredentialsReceived = now; - return (_directPathPushCutoffCount < ZT_PEER_CREDEITIALS_CUTOFF_LIMIT); - } - - /** - * Rate limit gate for sending of ERROR_NEED_MEMBERSHIP_CERTIFICATE - */ - inline bool rateGateRequestCredentials(const uint64_t now) - { - if ((now - _lastCredentialRequestSent) >= ZT_PEER_GENERAL_RATE_LIMIT) { - _lastCredentialRequestSent = now; - return true; - } - return false; - } - - /** - * Rate limit gate for inbound WHOIS requests - */ - inline bool rateGateInboundWhoisRequest(const uint64_t now) - { - if ((now - _lastWhoisRequestReceived) >= ZT_PEER_GENERAL_RATE_LIMIT) { - _lastWhoisRequestReceived = now; - return true; - } - return false; - } - - /** - * Rate limit gate for inbound ECHO requests - */ - inline bool rateGateEchoRequest(const uint64_t now) - { - if ((now - _lastEchoRequestReceived) >= ZT_PEER_GENERAL_RATE_LIMIT) { - _lastEchoRequestReceived = now; - return true; - } - return false; - } - - /** - * Rate gate incoming requests for network COM - */ - inline bool rateGateIncomingComRequest(const uint64_t now) - { - if ((now - _lastComRequestReceived) >= ZT_PEER_GENERAL_RATE_LIMIT) { - _lastComRequestReceived = now; - return true; - } - return false; - } - - /** - * Rate gate outgoing requests for network COM - */ - inline bool rateGateOutgoingComRequest(const uint64_t now) - { - if ((now - _lastComRequestSent) >= ZT_PEER_GENERAL_RATE_LIMIT) { - _lastComRequestSent = now; - return true; - } - return false; - } - /** * Find a common set of addresses by which two peers can link, if any * @@ -438,67 +434,168 @@ public: else return std::pair(); } -private: - inline uint64_t _pathScore(const unsigned int p,const uint64_t now) const + template + inline void serialize(Buffer &b) const { - uint64_t s = ZT_PEER_PING_PERIOD + _paths[p].lastReceive + (uint64_t)(_paths[p].path->preferenceRank() * (ZT_PEER_PING_PERIOD / ZT_PATH_MAX_PREFERENCE_RANK)); + Mutex::Lock _l(_networkComs_m); - if (_paths[p].path->address().ss_family == AF_INET) { - s += (uint64_t)(ZT_PEER_PING_PERIOD * (unsigned long)(reinterpret_cast(&(_paths[p].path->address()))->sin_addr.s_addr == _remoteClusterOptimal4)); - } else if (_paths[p].path->address().ss_family == AF_INET6) { - uint64_t clusterWeight = ZT_PEER_PING_PERIOD; - const uint8_t *a = reinterpret_cast(reinterpret_cast(&(_paths[p].path->address()))->sin6_addr.s6_addr); - for(long i=0;i<16;++i) { - if (a[i] != _remoteClusterOptimal6[i]) { - clusterWeight = 0; - break; - } + const unsigned int recSizePos = b.size(); + b.addSize(4); // space for uint32_t field length + + b.append((uint16_t)1); // version of serialized Peer data + + _id.serialize(b,false); + + b.append((uint64_t)_lastUsed); + b.append((uint64_t)_lastReceive); + b.append((uint64_t)_lastUnicastFrame); + b.append((uint64_t)_lastMulticastFrame); + b.append((uint64_t)_lastAnnouncedTo); + b.append((uint64_t)_lastDirectPathPushSent); + b.append((uint64_t)_lastDirectPathPushReceive); + b.append((uint64_t)_lastPathSort); + b.append((uint16_t)_vProto); + b.append((uint16_t)_vMajor); + b.append((uint16_t)_vMinor); + b.append((uint16_t)_vRevision); + b.append((uint32_t)_latency); + b.append((uint16_t)_directPathPushCutoffCount); + + b.append((uint16_t)_numPaths); + for(unsigned int i=0;i<_numPaths;++i) + _paths[i].serialize(b); + + b.append((uint32_t)_networkComs.size()); + { + uint64_t *k = (uint64_t *)0; + _NetworkCom *v = (_NetworkCom *)0; + Hashtable::Iterator i(const_cast(this)->_networkComs); + while (i.next(k,v)) { + b.append((uint64_t)*k); + b.append((uint64_t)v->ts); + v->com.serialize(b); } - s += clusterWeight; } - s += (ZT_PEER_PING_PERIOD / 2) * (uint64_t)_paths[p].path->alive(now); + b.append((uint32_t)_lastPushedComs.size()); + { + uint64_t *k = (uint64_t *)0; + uint64_t *v = (uint64_t *)0; + Hashtable::Iterator i(const_cast(this)->_lastPushedComs); + while (i.next(k,v)) { + b.append((uint64_t)*k); + b.append((uint64_t)*v); + } + } -#ifdef ZT_ENABLE_CLUSTER - s -= ZT_PEER_PING_PERIOD * (uint64_t)_paths[p].localClusterSuboptimal; -#endif - - return s; + b.template setAt(recSizePos,(uint32_t)(b.size() - (recSizePos + 4))); // set size } - uint8_t _key[ZT_PEER_SECRET_KEY_LENGTH]; - uint8_t _remoteClusterOptimal6[16]; + /** + * Create a new Peer from a serialized instance + * + * @param renv Runtime environment + * @param myIdentity This node's identity + * @param b Buffer containing serialized Peer data + * @param p Pointer to current position in buffer, will be updated in place as buffer is read (value/result) + * @return New instance of Peer or NULL if serialized data was corrupt or otherwise invalid (may also throw an exception via Buffer) + */ + template + static inline SharedPtr deserializeNew(const RuntimeEnvironment *renv,const Identity &myIdentity,const Buffer &b,unsigned int &p) + { + const unsigned int recSize = b.template at(p); p += 4; + if ((p + recSize) > b.size()) + return SharedPtr(); // size invalid + if (b.template at(p) != 1) + return SharedPtr(); // version mismatch + p += 2; + + Identity npid; + p += npid.deserialize(b,p); + if (!npid) + return SharedPtr(); + + SharedPtr np(new Peer(renv,myIdentity,npid)); + + np->_lastUsed = b.template at(p); p += 8; + np->_lastReceive = b.template at(p); p += 8; + np->_lastUnicastFrame = b.template at(p); p += 8; + np->_lastMulticastFrame = b.template at(p); p += 8; + np->_lastAnnouncedTo = b.template at(p); p += 8; + np->_lastDirectPathPushSent = b.template at(p); p += 8; + np->_lastDirectPathPushReceive = b.template at(p); p += 8; + np->_lastPathSort = b.template at(p); p += 8; + np->_vProto = b.template at(p); p += 2; + np->_vMajor = b.template at(p); p += 2; + np->_vMinor = b.template at(p); p += 2; + np->_vRevision = b.template at(p); p += 2; + np->_latency = b.template at(p); p += 4; + np->_directPathPushCutoffCount = b.template at(p); p += 2; + + const unsigned int numPaths = b.template at(p); p += 2; + for(unsigned int i=0;i_paths[np->_numPaths++].deserialize(b,p); + } else { + // Skip any paths beyond max, but still read stream + Path foo; + p += foo.deserialize(b,p); + } + } + + const unsigned int numNetworkComs = b.template at(p); p += 4; + for(unsigned int i=0;i_networkComs[b.template at(p)]; p += 8; + c.ts = b.template at(p); p += 8; + p += c.com.deserialize(b,p); + } + + const unsigned int numLastPushed = b.template at(p); p += 4; + for(unsigned int i=0;i(p); p += 8; + const uint64_t ts = b.template at(p); p += 8; + np->_lastPushedComs.set(nwid,ts); + } + + return np; + } + +private: + void _doDeadPathDetection(Path &p,const uint64_t now); + Path *_getBestPath(const uint64_t now); + Path *_getBestPath(const uint64_t now,int inetAddressFamily); + + unsigned char _key[ZT_PEER_SECRET_KEY_LENGTH]; // computed with key agreement, not serialized + + const RuntimeEnvironment *RR; + uint64_t _lastUsed; uint64_t _lastReceive; // direct or indirect uint64_t _lastUnicastFrame; uint64_t _lastMulticastFrame; + uint64_t _lastAnnouncedTo; uint64_t _lastDirectPathPushSent; uint64_t _lastDirectPathPushReceive; - uint64_t _lastCredentialRequestSent; - uint64_t _lastWhoisRequestReceived; - uint64_t _lastEchoRequestReceived; - uint64_t _lastComRequestReceived; - uint64_t _lastComRequestSent; - uint64_t _lastCredentialsReceived; - uint64_t _lastTrustEstablishedPacketReceived; - const RuntimeEnvironment *RR; - uint32_t _remoteClusterOptimal4; + uint64_t _lastPathSort; uint16_t _vProto; uint16_t _vMajor; uint16_t _vMinor; uint16_t _vRevision; Identity _id; - struct { - uint64_t lastReceive; - SharedPtr path; -#ifdef ZT_ENABLE_CLUSTER - bool localClusterSuboptimal; -#endif - } _paths[ZT_MAX_PEER_NETWORK_PATHS]; - Mutex _paths_m; + Path _paths[ZT_MAX_PEER_NETWORK_PATHS]; unsigned int _numPaths; unsigned int _latency; unsigned int _directPathPushCutoffCount; - unsigned int _credentialsCutoffCount; + + struct _NetworkCom + { + _NetworkCom() {} + _NetworkCom(uint64_t t,const CertificateOfMembership &c) : ts(t),com(c) {} + uint64_t ts; + CertificateOfMembership com; + }; + Hashtable _networkComs; + Hashtable _lastPushedComs; + Mutex _networkComs_m; AtomicCounter __refCount; }; diff --git a/zerotierone/node/RuntimeEnvironment.hpp b/zerotierone/node/RuntimeEnvironment.hpp index 7ba1c98..1f52773 100644 --- a/zerotierone/node/RuntimeEnvironment.hpp +++ b/zerotierone/node/RuntimeEnvironment.hpp @@ -35,6 +35,7 @@ class Multicaster; class NetworkController; class SelfAwareness; class Cluster; +class DeferredPackets; /** * Holds global state for an instance of ZeroTier::Node @@ -50,9 +51,11 @@ public: ,mc((Multicaster *)0) ,topology((Topology *)0) ,sa((SelfAwareness *)0) + ,dp((DeferredPackets *)0) #ifdef ZT_ENABLE_CLUSTER ,cluster((Cluster *)0) #endif + ,dpEnabled(0) { } @@ -79,9 +82,15 @@ public: Multicaster *mc; Topology *topology; SelfAwareness *sa; + DeferredPackets *dp; + #ifdef ZT_ENABLE_CLUSTER Cluster *cluster; #endif + + // This is set to >0 if background threads are waiting on deferred + // packets, otherwise 'dp' should not be used. + volatile int dpEnabled; }; } // namespace ZeroTier diff --git a/zerotierone/node/SelfAwareness.cpp b/zerotierone/node/SelfAwareness.cpp index e84b7b6..8bed0c5 100644 --- a/zerotierone/node/SelfAwareness.cpp +++ b/zerotierone/node/SelfAwareness.cpp @@ -33,29 +33,37 @@ #include "Switch.hpp" // Entry timeout -- make it fairly long since this is just to prevent stale buildup -#define ZT_SELFAWARENESS_ENTRY_TIMEOUT 600000 +#define ZT_SELFAWARENESS_ENTRY_TIMEOUT 3600000 namespace ZeroTier { class _ResetWithinScope { public: - _ResetWithinScope(uint64_t now,int inetAddressFamily,InetAddress::IpScope scope) : + _ResetWithinScope(uint64_t now,InetAddress::IpScope scope) : _now(now), - _family(inetAddressFamily), _scope(scope) {} - inline void operator()(Topology &t,const SharedPtr &p) { p->resetWithinScope(_scope,_family,_now); } + inline void operator()(Topology &t,const SharedPtr &p) + { + if (p->resetWithinScope(_scope,_now)) + peersReset.push_back(p); + } + + std::vector< SharedPtr > peersReset; private: uint64_t _now; - int _family; InetAddress::IpScope _scope; }; SelfAwareness::SelfAwareness(const RuntimeEnvironment *renv) : RR(renv), - _phy(128) + _phy(32) +{ +} + +SelfAwareness::~SelfAwareness() { } @@ -71,11 +79,9 @@ void SelfAwareness::iam(const Address &reporter,const InetAddress &receivedOnLoc if ( (trusted) && ((now - entry.ts) < ZT_SELFAWARENESS_ENTRY_TIMEOUT) && (!entry.mySurface.ipsEqual(myPhysicalAddress)) ) { // Changes to external surface reported by trusted peers causes path reset in this scope - TRACE("physical address %s for scope %u as seen from %s(%s) differs from %s, resetting paths in scope",myPhysicalAddress.toString().c_str(),(unsigned int)scope,reporter.toString().c_str(),reporterPhysicalAddress.toString().c_str(),entry.mySurface.toString().c_str()); - entry.mySurface = myPhysicalAddress; entry.ts = now; - entry.trusted = trusted; + TRACE("physical address %s for scope %u as seen from %s(%s) differs from %s, resetting paths in scope",myPhysicalAddress.toString().c_str(),(unsigned int)scope,reporter.toString().c_str(),reporterPhysicalAddress.toString().c_str(),entry.mySurface.toString().c_str()); // Erase all entries in this scope that were not reported from this remote address to prevent 'thrashing' // due to multiple reports of endpoint change. @@ -90,14 +96,23 @@ void SelfAwareness::iam(const Address &reporter,const InetAddress &receivedOnLoc } } - // Reset all paths within this scope and address family - _ResetWithinScope rset(now,myPhysicalAddress.ss_family,(InetAddress::IpScope)scope); + // Reset all paths within this scope + _ResetWithinScope rset(now,(InetAddress::IpScope)scope); RR->topology->eachPeer<_ResetWithinScope &>(rset); + + // Send a NOP to all peers for whom we forgot a path. This will cause direct + // links to be re-established if possible, possibly using a root server or some + // other relay. + for(std::vector< SharedPtr >::const_iterator p(rset.peersReset.begin());p!=rset.peersReset.end();++p) { + if ((*p)->activelyTransferringFrames(now)) { + Packet outp((*p)->address(),RR->identity.address(),Packet::VERB_NOP); + RR->sw->send(outp,true,0); + } + } } else { // Otherwise just update DB to use to determine external surface info entry.mySurface = myPhysicalAddress; entry.ts = now; - entry.trusted = trusted; } } @@ -118,70 +133,49 @@ std::vector SelfAwareness::getSymmetricNatPredictions() /* This is based on ideas and strategies found here: * https://tools.ietf.org/html/draft-takeda-symmetric-nat-traversal-00 * - * For each IP address reported by a trusted (upstream) peer, we find - * the external port most recently reported by ANY peer for that IP. - * - * We only do any of this for global IPv4 addresses since private IPs - * and IPv6 are not going to have symmetric NAT. - * - * SECURITY NOTE: - * - * We never use IPs reported by non-trusted peers, since this could lead - * to a minor vulnerability whereby a peer could poison our cache with - * bad external surface reports via OK(HELLO) and then possibly coax us - * into suggesting their IP to other peers via PUSH_DIRECT_PATHS. This - * in turn could allow them to MITM flows. - * - * Since flows are encrypted and authenticated they could not actually - * read or modify traffic, but they could gather meta-data for forensics - * purpsoes or use this as a DOS attack vector. */ + * In short: a great many symmetric NATs allocate ports sequentially. + * This is common on enterprise and carrier grade NATs as well as consumer + * devices. This code generates a list of "you might try this" addresses by + * extrapolating likely port assignments from currently known external + * global IPv4 surfaces. These can then be included in a PUSH_DIRECT_PATHS + * message to another peer, causing it to possibly try these addresses and + * bust our local symmetric NAT. It works often enough to be worth the + * extra bit of code and does no harm in cases where it fails. */ - std::map< uint32_t,std::pair > maxPortByIp; - InetAddress theOneTrueSurface; + // Gather unique surfaces indexed by local received-on address and flag + // us as behind a symmetric NAT if there is more than one. + std::map< InetAddress,std::set > surfaces; bool symmetric = false; { Mutex::Lock _l(_phy_m); - - { // First get IPs from only trusted peers, and perform basic NAT type characterization - Hashtable< PhySurfaceKey,PhySurfaceEntry >::Iterator i(_phy); - PhySurfaceKey *k = (PhySurfaceKey *)0; - PhySurfaceEntry *e = (PhySurfaceEntry *)0; - while (i.next(k,e)) { - if ((e->trusted)&&(e->mySurface.ss_family == AF_INET)&&(e->mySurface.ipScope() == InetAddress::IP_SCOPE_GLOBAL)) { - if (!theOneTrueSurface) - theOneTrueSurface = e->mySurface; - else if (theOneTrueSurface != e->mySurface) - symmetric = true; - maxPortByIp[reinterpret_cast(&(e->mySurface))->sin_addr.s_addr] = std::pair(e->ts,e->mySurface.port()); - } - } - } - - { // Then find max port per IP from a trusted peer - Hashtable< PhySurfaceKey,PhySurfaceEntry >::Iterator i(_phy); - PhySurfaceKey *k = (PhySurfaceKey *)0; - PhySurfaceEntry *e = (PhySurfaceEntry *)0; - while (i.next(k,e)) { - if ((e->mySurface.ss_family == AF_INET)&&(e->mySurface.ipScope() == InetAddress::IP_SCOPE_GLOBAL)) { - std::map< uint32_t,std::pair >::iterator mp(maxPortByIp.find(reinterpret_cast(&(e->mySurface))->sin_addr.s_addr)); - if ((mp != maxPortByIp.end())&&(mp->second.first < e->ts)) { - mp->second.first = e->ts; - mp->second.second = e->mySurface.port(); - } - } + Hashtable< PhySurfaceKey,PhySurfaceEntry >::Iterator i(_phy); + PhySurfaceKey *k = (PhySurfaceKey *)0; + PhySurfaceEntry *e = (PhySurfaceEntry *)0; + while (i.next(k,e)) { + if ((e->mySurface.ss_family == AF_INET)&&(e->mySurface.ipScope() == InetAddress::IP_SCOPE_GLOBAL)) { + std::set &s = surfaces[k->receivedOnLocalAddress]; + s.insert(e->mySurface); + symmetric = symmetric||(s.size() > 1); } } } + // If we appear to be symmetrically NATed, generate and return extrapolations + // of those surfaces. Since PUSH_DIRECT_PATHS is sent multiple times, we + // probabilistically generate extrapolations of anywhere from +1 to +5 to + // increase the odds that it will work "eventually". if (symmetric) { std::vector r; - for(unsigned int k=1;k<=3;++k) { - for(std::map< uint32_t,std::pair >::iterator i(maxPortByIp.begin());i!=maxPortByIp.end();++i) { - unsigned int p = i->second.second + k; - if (p > 65535) p -= 64511; - InetAddress pred(&(i->first),4,p); - if (std::find(r.begin(),r.end(),pred) == r.end()) - r.push_back(pred); + for(std::map< InetAddress,std::set >::iterator si(surfaces.begin());si!=surfaces.end();++si) { + for(std::set::iterator i(si->second.begin());i!=si->second.end();++i) { + InetAddress ipp(*i); + unsigned int p = ipp.port() + 1 + ((unsigned int)RR->node->prng() & 3); + if (p >= 65535) + p -= 64510; // NATs seldom use ports <=1024 so wrap to 1025 + ipp.setPort(p); + if ((si->second.count(ipp) == 0)&&(std::find(r.begin(),r.end(),ipp) == r.end())) { + r.push_back(ipp); + } } } return r; diff --git a/zerotierone/node/SelfAwareness.hpp b/zerotierone/node/SelfAwareness.hpp index 4bdafeb..06c264a 100644 --- a/zerotierone/node/SelfAwareness.hpp +++ b/zerotierone/node/SelfAwareness.hpp @@ -36,6 +36,7 @@ class SelfAwareness { public: SelfAwareness(const RuntimeEnvironment *renv); + ~SelfAwareness(); /** * Called when a trusted remote peer informs us of our external network address @@ -81,10 +82,9 @@ private: { InetAddress mySurface; uint64_t ts; - bool trusted; - PhySurfaceEntry() : mySurface(),ts(0),trusted(false) {} - PhySurfaceEntry(const InetAddress &a,const uint64_t t) : mySurface(a),ts(t),trusted(false) {} + PhySurfaceEntry() : mySurface(),ts(0) {} + PhySurfaceEntry(const InetAddress &a,const uint64_t t) : mySurface(a),ts(t) {} }; const RuntimeEnvironment *RR; diff --git a/zerotierone/node/SharedPtr.hpp b/zerotierone/node/SharedPtr.hpp index 1dd3b43..3ff5ed1 100644 --- a/zerotierone/node/SharedPtr.hpp +++ b/zerotierone/node/SharedPtr.hpp @@ -119,39 +119,15 @@ public: inline T *ptr() const throw() { return _ptr; } /** - * Set this pointer to NULL + * Set this pointer to null */ inline void zero() { if (_ptr) { if (--_ptr->__refCount <= 0) delete _ptr; - _ptr = (T *)0; - } - } - - /** - * Set this pointer to NULL if this is the only pointer holding the object - * - * @return True if object was deleted and SharedPtr is now NULL (or was already NULL) - */ - inline bool reclaimIfWeak() - { - if (_ptr) { - if (++_ptr->__refCount <= 2) { - if (--_ptr->__refCount <= 1) { - delete _ptr; - _ptr = (T *)0; - return true; - } else { - return false; - } - } else { - return false; - } - } else { - return true; } + _ptr = (T *)0; } inline bool operator==(const SharedPtr &sp) const throw() { return (_ptr == sp._ptr); } diff --git a/zerotierone/node/Switch.cpp b/zerotierone/node/Switch.cpp index 75898d2..e7cda1b 100644 --- a/zerotierone/node/Switch.cpp +++ b/zerotierone/node/Switch.cpp @@ -73,9 +73,6 @@ void Switch::onRemotePacket(const InetAddress &localAddr,const InetAddress &from try { const uint64_t now = RR->node->now(); - SharedPtr path(RR->topology->getPath(localAddr,fromAddr)); - path->received(now); - if (len == 13) { /* LEGACY: before VERB_PUSH_DIRECT_PATHS, peers used broadcast * announcements on the LAN to solve the 'same network problem.' We @@ -93,11 +90,11 @@ void Switch::onRemotePacket(const InetAddress &localAddr,const InetAddress &from _lastBeaconResponse = now; Packet outp(peer->address(),RR->identity.address(),Packet::VERB_NOP); outp.armor(peer->key(),true); - path->send(RR,outp.data(),outp.size(),now); + RR->node->putPacket(localAddr,fromAddr,outp.data(),outp.size()); } } - } else if (len > ZT_PROTO_MIN_FRAGMENT_LENGTH) { // SECURITY: min length check is important since we do some C-style stuff below! + } else if (len > ZT_PROTO_MIN_FRAGMENT_LENGTH) { // min length check is important! if (reinterpret_cast(data)[ZT_PACKET_FRAGMENT_IDX_FRAGMENT_INDICATOR] == ZT_PACKET_FRAGMENT_INDICATOR) { // Handle fragment ---------------------------------------------------- @@ -105,25 +102,14 @@ void Switch::onRemotePacket(const InetAddress &localAddr,const InetAddress &from const Address destination(fragment.destination()); if (destination != RR->identity.address()) { - switch(RR->node->relayPolicy()) { - case ZT_RELAY_POLICY_ALWAYS: - break; - case ZT_RELAY_POLICY_TRUSTED: - if (!path->trustEstablished(now)) - return; - break; - // case ZT_RELAY_POLICY_NEVER: - default: - return; - } - + // Fragment is not for us, so try to relay it if (fragment.hops() < ZT_RELAY_MAX_HOPS) { fragment.incrementHops(); // Note: we don't bother initiating NAT-t for fragments, since heads will set that off. // It wouldn't hurt anything, just redundant and unnecessary. SharedPtr relayTo = RR->topology->getPeer(destination); - if ((!relayTo)||(!relayTo->sendDirect(fragment.data(),fragment.size(),now,false))) { + if ((!relayTo)||(!relayTo->send(fragment.data(),fragment.size(),now))) { #ifdef ZT_ENABLE_CLUSTER if (RR->cluster) { RR->cluster->sendViaCluster(Address(),destination,fragment.data(),fragment.size(),false); @@ -134,7 +120,7 @@ void Switch::onRemotePacket(const InetAddress &localAddr,const InetAddress &from // Don't know peer or no direct path -- so relay via root server relayTo = RR->topology->getBestRoot(); if (relayTo) - relayTo->sendDirect(fragment.data(),fragment.size(),now,true); + relayTo->send(fragment.data(),fragment.size(),now); } } else { TRACE("dropped relay [fragment](%s) -> %s, max hops exceeded",fromAddr.toString().c_str(),destination.toString().c_str()); @@ -178,7 +164,7 @@ void Switch::onRemotePacket(const InetAddress &localAddr,const InetAddress &from for(unsigned int f=1;ffrag0.append(rq->frags[f - 1].payload(),rq->frags[f - 1].payloadLength()); - if (rq->frag0.tryDecode(RR)) { + if (rq->frag0.tryDecode(RR,false)) { rq->timestamp = 0; // packet decoded, free entry } else { rq->complete = true; // set complete flag but leave entry since it probably needs WHOIS or something @@ -214,25 +200,14 @@ void Switch::onRemotePacket(const InetAddress &localAddr,const InetAddress &from //TRACE("<< %.16llx %s -> %s (size: %u)",(unsigned long long)packet->packetId(),source.toString().c_str(),destination.toString().c_str(),packet->size()); if (destination != RR->identity.address()) { - switch(RR->node->relayPolicy()) { - case ZT_RELAY_POLICY_ALWAYS: - break; - case ZT_RELAY_POLICY_TRUSTED: - if (!path->trustEstablished(now)) - return; - break; - // case ZT_RELAY_POLICY_NEVER: - default: - return; - } - Packet packet(data,len); + // Packet is not for us, so try to relay it if (packet.hops() < ZT_RELAY_MAX_HOPS) { packet.incrementHops(); SharedPtr relayTo = RR->topology->getPeer(destination); - if ((relayTo)&&((relayTo->sendDirect(packet.data(),packet.size(),now,false)))) { + if ((relayTo)&&((relayTo->send(packet.data(),packet.size(),now)))) { Mutex::Lock _l(_lastUniteAttempt_m); uint64_t &luts = _lastUniteAttempt[_LastUniteKey(source,destination)]; if ((now - luts) >= ZT_MIN_UNITE_INTERVAL) { @@ -256,7 +231,7 @@ void Switch::onRemotePacket(const InetAddress &localAddr,const InetAddress &from #endif relayTo = RR->topology->getBestRoot(&source,1,true); if (relayTo) - relayTo->sendDirect(packet.data(),packet.size(),now,true); + relayTo->send(packet.data(),packet.size(),now); } } else { TRACE("dropped relay %s(%s) -> %s, max hops exceeded",packet.source().toString().c_str(),fromAddr.toString().c_str(),destination.toString().c_str()); @@ -273,7 +248,7 @@ void Switch::onRemotePacket(const InetAddress &localAddr,const InetAddress &from rq->timestamp = now; rq->packetId = packetId; - rq->frag0.init(data,len,path,now); + rq->frag0.init(data,len,localAddr,fromAddr,now); rq->totalFragments = 0; rq->haveFragments = 1; rq->complete = false; @@ -284,24 +259,24 @@ void Switch::onRemotePacket(const InetAddress &localAddr,const InetAddress &from // We have all fragments -- assemble and process full Packet //TRACE("packet %.16llx is complete, assembling and processing...",pid); - rq->frag0.init(data,len,path,now); + rq->frag0.init(data,len,localAddr,fromAddr,now); for(unsigned int f=1;ftotalFragments;++f) rq->frag0.append(rq->frags[f - 1].payload(),rq->frags[f - 1].payloadLength()); - if (rq->frag0.tryDecode(RR)) { + if (rq->frag0.tryDecode(RR,false)) { rq->timestamp = 0; // packet decoded, free entry } else { rq->complete = true; // set complete flag but leave entry since it probably needs WHOIS or something } } else { // Still waiting on more fragments, but keep the head - rq->frag0.init(data,len,path,now); + rq->frag0.init(data,len,localAddr,fromAddr,now); } } // else this is a duplicate head, ignore } else { // Packet is unfragmented, so just process it - IncomingPacket packet(data,len,path,now); - if (!packet.tryDecode(RR)) { + IncomingPacket packet(data,len,localAddr,fromAddr,now); + if (!packet.tryDecode(RR,false)) { Mutex::Lock _l(_rxQueue_m); RXQueueEntry *rq = &(_rxQueue[ZT_RX_QUEUE_SIZE - 1]); unsigned long i = ZT_RX_QUEUE_SIZE - 1; @@ -338,6 +313,12 @@ void Switch::onLocalEthernet(const SharedPtr &network,const MAC &from,c if (to == network->mac()) return; + // Check to make sure this protocol is allowed on this network + if (!network->config().permitsEtherType(etherType)) { + TRACE("%.16llx: ignored tap: %s -> %s: ethertype %s not allowed on network %.16llx",network->id(),from.toString().c_str(),to.toString().c_str(),etherTypeName(etherType),(unsigned long long)network->id()); + return; + } + // Check if this packet is from someone other than the tap -- i.e. bridged in bool fromBridged = false; if (from != network->mac()) { @@ -349,7 +330,8 @@ void Switch::onLocalEthernet(const SharedPtr &network,const MAC &from,c } if (to.isMulticast()) { - MulticastGroup multicastGroup(to,0); + // Destination is a multicast address (including broadcast) + MulticastGroup mg(to,0); if (to.isBroadcast()) { if ( (etherType == ZT_ETHERTYPE_ARP) && (len >= 28) && ((((const uint8_t *)data)[2] == 0x08)&&(((const uint8_t *)data)[3] == 0x00)&&(((const uint8_t *)data)[4] == 6)&&(((const uint8_t *)data)[5] == 4)&&(((const uint8_t *)data)[7] == 0x01)) ) { @@ -362,100 +344,75 @@ void Switch::onLocalEthernet(const SharedPtr &network,const MAC &from,c * them into multicasts by stuffing the IP address being queried into * the 32-bit ADI field. In practice this uses our multicast pub/sub * system to implement a kind of extended/distributed ARP table. */ - multicastGroup = MulticastGroup::deriveMulticastGroupForAddressResolution(InetAddress(((const unsigned char *)data) + 24,4,0)); + mg = MulticastGroup::deriveMulticastGroupForAddressResolution(InetAddress(((const unsigned char *)data) + 24,4,0)); } else if (!network->config().enableBroadcast()) { // Don't transmit broadcasts if this network doesn't want them TRACE("%.16llx: dropped broadcast since ff:ff:ff:ff:ff:ff is not enabled",network->id()); return; } } else if ((etherType == ZT_ETHERTYPE_IPV6)&&(len >= (40 + 8 + 16))) { - // IPv6 NDP emulation for certain very special patterns of private IPv6 addresses -- if enabled - if ((network->config().ndpEmulation())&&(reinterpret_cast(data)[6] == 0x3a)&&(reinterpret_cast(data)[40] == 0x87)) { // ICMPv6 neighbor solicitation - Address v6EmbeddedAddress; - const uint8_t *const pkt6 = reinterpret_cast(data) + 40 + 8; - const uint8_t *my6 = (const uint8_t *)0; - - // ZT-RFC4193 address: fdNN:NNNN:NNNN:NNNN:NN99:93DD:DDDD:DDDD / 88 (one /128 per actual host) - - // ZT-6PLANE address: fcXX:XXXX:XXDD:DDDD:DDDD:####:####:#### / 40 (one /80 per actual host) - // (XX - lower 32 bits of network ID XORed with higher 32 bits) - - // For these to work, we must have a ZT-managed address assigned in one of the - // above formats, and the query must match its prefix. + /* IPv6 NDP emulation on ZeroTier-RFC4193 addressed networks! This allows + * for multicast-free operation in IPv6 networks, which both improves + * performance and is friendlier to mobile and (especially) IoT devices. + * In the future there may be a no-multicast build option for embedded + * and IoT use and this will be the preferred addressing mode. Note that + * it plays nice with our L2 emulation philosophy and even with bridging. + * While "real" devices behind the bridge can't have ZT-RFC4193 addresses + * themselves, they can look these addresses up with NDP and it will + * work just fine. */ + if ((reinterpret_cast(data)[6] == 0x3a)&&(reinterpret_cast(data)[40] == 0x87)) { // ICMPv6 neighbor solicitation for(unsigned int sipk=0;sipkconfig().staticIpCount;++sipk) { - const InetAddress *const sip = &(network->config().staticIps[sipk]); - if (sip->ss_family == AF_INET6) { - my6 = reinterpret_cast(reinterpret_cast(&(*sip))->sin6_addr.s6_addr); - const unsigned int sipNetmaskBits = Utils::ntoh((uint16_t)reinterpret_cast(&(*sip))->sin6_port); - if ((sipNetmaskBits == 88)&&(my6[0] == 0xfd)&&(my6[9] == 0x99)&&(my6[10] == 0x93)) { // ZT-RFC4193 /88 ??? + const InetAddress *sip = &(network->config().staticIps[sipk]); + if ((sip->ss_family == AF_INET6)&&(Utils::ntoh((uint16_t)reinterpret_cast(&(*sip))->sin6_port) == 88)) { + const uint8_t *my6 = reinterpret_cast(reinterpret_cast(&(*sip))->sin6_addr.s6_addr); + if ((my6[0] == 0xfd)&&(my6[9] == 0x99)&&(my6[10] == 0x93)) { // ZT-RFC4193 == fd__:____:____:____:__99:93__:____:____ / 88 + const uint8_t *pkt6 = reinterpret_cast(data) + 40 + 8; unsigned int ptr = 0; while (ptr != 11) { if (pkt6[ptr] != my6[ptr]) break; ++ptr; } - if (ptr == 11) { // prefix match! - v6EmbeddedAddress.setTo(pkt6 + ptr,5); - break; - } - } else if (sipNetmaskBits == 40) { // ZT-6PLANE /40 ??? - const uint32_t nwid32 = (uint32_t)((network->id() ^ (network->id() >> 32)) & 0xffffffff); - if ( (my6[0] == 0xfc) && (my6[1] == (uint8_t)((nwid32 >> 24) & 0xff)) && (my6[2] == (uint8_t)((nwid32 >> 16) & 0xff)) && (my6[3] == (uint8_t)((nwid32 >> 8) & 0xff)) && (my6[4] == (uint8_t)(nwid32 & 0xff))) { - unsigned int ptr = 0; - while (ptr != 5) { - if (pkt6[ptr] != my6[ptr]) - break; - ++ptr; - } - if (ptr == 5) { // prefix match! - v6EmbeddedAddress.setTo(pkt6 + ptr,5); - break; + if (ptr == 11) { // /88 matches an assigned address on this network + const Address atPeer(pkt6 + ptr,5); + if (atPeer != RR->identity.address()) { + const MAC atPeerMac(atPeer,network->id()); + TRACE("ZT-RFC4193 NDP emulation: %.16llx: forging response for %s/%s",network->id(),atPeer.toString().c_str(),atPeerMac.toString().c_str()); + + uint8_t adv[72]; + adv[0] = 0x60; adv[1] = 0x00; adv[2] = 0x00; adv[3] = 0x00; + adv[4] = 0x00; adv[5] = 0x20; + adv[6] = 0x3a; adv[7] = 0xff; + for(int i=0;i<16;++i) adv[8 + i] = pkt6[i]; + for(int i=0;i<16;++i) adv[24 + i] = my6[i]; + adv[40] = 0x88; adv[41] = 0x00; + adv[42] = 0x00; adv[43] = 0x00; // future home of checksum + adv[44] = 0x60; adv[45] = 0x00; adv[46] = 0x00; adv[47] = 0x00; + for(int i=0;i<16;++i) adv[48 + i] = pkt6[i]; + adv[64] = 0x02; adv[65] = 0x01; + adv[66] = atPeerMac[0]; adv[67] = atPeerMac[1]; adv[68] = atPeerMac[2]; adv[69] = atPeerMac[3]; adv[70] = atPeerMac[4]; adv[71] = atPeerMac[5]; + + uint16_t pseudo_[36]; + uint8_t *const pseudo = reinterpret_cast(pseudo_); + for(int i=0;i<32;++i) pseudo[i] = adv[8 + i]; + pseudo[32] = 0x00; pseudo[33] = 0x00; pseudo[34] = 0x00; pseudo[35] = 0x20; + pseudo[36] = 0x00; pseudo[37] = 0x00; pseudo[38] = 0x00; pseudo[39] = 0x3a; + for(int i=0;i<32;++i) pseudo[40 + i] = adv[40 + i]; + uint32_t checksum = 0; + for(int i=0;i<36;++i) checksum += Utils::hton(pseudo_[i]); + while ((checksum >> 16)) checksum = (checksum & 0xffff) + (checksum >> 16); + checksum = ~checksum; + adv[42] = (checksum >> 8) & 0xff; + adv[43] = checksum & 0xff; + + RR->node->putFrame(network->id(),network->userPtr(),atPeerMac,from,ZT_ETHERTYPE_IPV6,0,adv,72); + return; // stop processing: we have handled this frame with a spoofed local reply so no need to send it anywhere } } } } } - - if ((v6EmbeddedAddress)&&(v6EmbeddedAddress != RR->identity.address())) { - const MAC peerMac(v6EmbeddedAddress,network->id()); - TRACE("IPv6 NDP emulation: %.16llx: forging response for %s/%s",network->id(),v6EmbeddedAddress.toString().c_str(),peerMac.toString().c_str()); - - uint8_t adv[72]; - adv[0] = 0x60; adv[1] = 0x00; adv[2] = 0x00; adv[3] = 0x00; - adv[4] = 0x00; adv[5] = 0x20; - adv[6] = 0x3a; adv[7] = 0xff; - for(int i=0;i<16;++i) adv[8 + i] = pkt6[i]; - for(int i=0;i<16;++i) adv[24 + i] = my6[i]; - adv[40] = 0x88; adv[41] = 0x00; - adv[42] = 0x00; adv[43] = 0x00; // future home of checksum - adv[44] = 0x60; adv[45] = 0x00; adv[46] = 0x00; adv[47] = 0x00; - for(int i=0;i<16;++i) adv[48 + i] = pkt6[i]; - adv[64] = 0x02; adv[65] = 0x01; - adv[66] = peerMac[0]; adv[67] = peerMac[1]; adv[68] = peerMac[2]; adv[69] = peerMac[3]; adv[70] = peerMac[4]; adv[71] = peerMac[5]; - - uint16_t pseudo_[36]; - uint8_t *const pseudo = reinterpret_cast(pseudo_); - for(int i=0;i<32;++i) pseudo[i] = adv[8 + i]; - pseudo[32] = 0x00; pseudo[33] = 0x00; pseudo[34] = 0x00; pseudo[35] = 0x20; - pseudo[36] = 0x00; pseudo[37] = 0x00; pseudo[38] = 0x00; pseudo[39] = 0x3a; - for(int i=0;i<32;++i) pseudo[40 + i] = adv[40 + i]; - uint32_t checksum = 0; - for(int i=0;i<36;++i) checksum += Utils::hton(pseudo_[i]); - while ((checksum >> 16)) checksum = (checksum & 0xffff) + (checksum >> 16); - checksum = ~checksum; - adv[42] = (checksum >> 8) & 0xff; - adv[43] = checksum & 0xff; - - RR->node->putFrame(network->id(),network->userPtr(),peerMac,from,ZT_ETHERTYPE_IPV6,0,adv,72); - return; // NDP emulation done. We have forged a "fake" reply, so no need to send actual NDP query. - } // else no NDP emulation - } // else no NDP emulation - } - - // Check this after NDP emulation, since that has to be allowed in exactly this case - if (network->config().multicastLimit == 0) { - TRACE("%.16llx: dropped multicast: not allowed on network",network->id()); - return; + } } /* Learn multicast groups for bridged-in hosts. @@ -463,70 +420,62 @@ void Switch::onLocalEthernet(const SharedPtr &network,const MAC &from,c * multicast addresses on bridge interfaces and subscribing each slave. * But in that case this does no harm, as the sets are just merged. */ if (fromBridged) - network->learnBridgedMulticastGroup(multicastGroup,RR->node->now()); + network->learnBridgedMulticastGroup(mg,RR->node->now()); - //TRACE("%.16llx: MULTICAST %s -> %s %s %u",network->id(),from.toString().c_str(),multicastGroup.toString().c_str(),etherTypeName(etherType),len); - - // First pass sets noTee to false, but noTee is set to true in OutboundMulticast to prevent duplicates. - if (!network->filterOutgoingPacket(false,RR->identity.address(),Address(),from,to,(const uint8_t *)data,len,etherType,vlanId)) { - TRACE("%.16llx: %s -> %s %s packet not sent: filterOutgoingPacket() returned false",network->id(),from.toString().c_str(),to.toString().c_str(),etherTypeName(etherType)); - return; - } + //TRACE("%.16llx: MULTICAST %s -> %s %s %u",network->id(),from.toString().c_str(),mg.toString().c_str(),etherTypeName(etherType),len); RR->mc->send( + ((!network->config().isPublic())&&(network->config().com)) ? &(network->config().com) : (const CertificateOfMembership *)0, network->config().multicastLimit, RR->node->now(), network->id(), - network->config().disableCompression(), network->config().activeBridges(), - multicastGroup, + mg, (fromBridged) ? from : MAC(), etherType, data, len); - } else if (to[0] == MAC::firstOctetForNetwork(network->id())) { + + return; + } + + if (to[0] == MAC::firstOctetForNetwork(network->id())) { // Destination is another ZeroTier peer on the same network Address toZT(to.toAddress(network->id())); // since in-network MACs are derived from addresses and network IDs, we can reverse this SharedPtr toPeer(RR->topology->getPeer(toZT)); - - if (!network->filterOutgoingPacket(false,RR->identity.address(),toZT,from,to,(const uint8_t *)data,len,etherType,vlanId)) { - TRACE("%.16llx: %s -> %s %s packet not sent: filterOutgoingPacket() returned false",network->id(),from.toString().c_str(),to.toString().c_str(),etherTypeName(etherType)); - return; - } - - if (fromBridged) { + const bool includeCom = ( (network->config().isPrivate()) && (network->config().com) && ((!toPeer)||(toPeer->needsOurNetworkMembershipCertificate(network->id(),RR->node->now(),true))) ); + if ((fromBridged)||(includeCom)) { Packet outp(toZT,RR->identity.address(),Packet::VERB_EXT_FRAME); outp.append(network->id()); - outp.append((unsigned char)0x00); + if (includeCom) { + outp.append((unsigned char)0x01); // 0x01 -- COM included + network->config().com.serialize(outp); + } else { + outp.append((unsigned char)0x00); + } to.appendTo(outp); from.appendTo(outp); outp.append((uint16_t)etherType); outp.append(data,len); - if (!network->config().disableCompression()) - outp.compress(); - send(outp,true); + outp.compress(); + send(outp,true,network->id()); } else { Packet outp(toZT,RR->identity.address(),Packet::VERB_FRAME); outp.append(network->id()); outp.append((uint16_t)etherType); outp.append(data,len); - if (!network->config().disableCompression()) - outp.compress(); - send(outp,true); + outp.compress(); + send(outp,true,network->id()); } //TRACE("%.16llx: UNICAST: %s -> %s etherType==%s(%.4x) vlanId==%u len==%u fromBridged==%d includeCom==%d",network->id(),from.toString().c_str(),to.toString().c_str(),etherTypeName(etherType),etherType,vlanId,len,(int)fromBridged,(int)includeCom); - } else { - // Destination is bridged behind a remote peer - // We filter with a NULL destination ZeroTier address first. Filtrations - // for each ZT destination are also done below. This is the same rationale - // and design as for multicast. - if (!network->filterOutgoingPacket(false,RR->identity.address(),Address(),from,to,(const uint8_t *)data,len,etherType,vlanId)) { - TRACE("%.16llx: %s -> %s %s packet not sent: filterOutgoingPacket() returned false",network->id(),from.toString().c_str(),to.toString().c_str(),etherTypeName(etherType)); - return; - } + return; + } + + { + // Destination is bridged behind a remote peer Address bridges[ZT_MAX_BRIDGE_SPAM]; unsigned int numBridges = 0; @@ -561,34 +510,37 @@ void Switch::onLocalEthernet(const SharedPtr &network,const MAC &from,c } for(unsigned int b=0;bfilterOutgoingPacket(true,RR->identity.address(),bridges[b],from,to,(const uint8_t *)data,len,etherType,vlanId)) { - Packet outp(bridges[b],RR->identity.address(),Packet::VERB_EXT_FRAME); - outp.append(network->id()); - outp.append((uint8_t)0x00); - to.appendTo(outp); - from.appendTo(outp); - outp.append((uint16_t)etherType); - outp.append(data,len); - if (!network->config().disableCompression()) - outp.compress(); - send(outp,true); + SharedPtr bridgePeer(RR->topology->getPeer(bridges[b])); + Packet outp(bridges[b],RR->identity.address(),Packet::VERB_EXT_FRAME); + outp.append(network->id()); + if ( (network->config().isPrivate()) && (network->config().com) && ((!bridgePeer)||(bridgePeer->needsOurNetworkMembershipCertificate(network->id(),RR->node->now(),true))) ) { + outp.append((unsigned char)0x01); // 0x01 -- COM included + network->config().com.serialize(outp); } else { - TRACE("%.16llx: %s -> %s %s packet not sent: filterOutgoingPacket() returned false",network->id(),from.toString().c_str(),to.toString().c_str(),etherTypeName(etherType)); + outp.append((unsigned char)0); } + to.appendTo(outp); + from.appendTo(outp); + outp.append((uint16_t)etherType); + outp.append(data,len); + outp.compress(); + send(outp,true,network->id()); } } } -void Switch::send(const Packet &packet,bool encrypt) +void Switch::send(const Packet &packet,bool encrypt,uint64_t nwid) { if (packet.destination() == RR->identity.address()) { TRACE("BUG: caught attempt to send() to self, ignored"); return; } - if (!_trySend(packet,encrypt)) { + //TRACE(">> %s to %s (%u bytes, encrypt==%d, nwid==%.16llx)",Packet::verbString(packet.verb()),packet.destination().toString().c_str(),packet.size(),(int)encrypt,nwid); + + if (!_trySend(packet,encrypt,nwid)) { Mutex::Lock _l(_txQueue_m); - _txQueue.push_back(TXQueueEntry(packet.destination(),RR->node->now(),packet,encrypt)); + _txQueue.push_back(TXQueueEntry(packet.destination(),RR->node->now(),packet,encrypt,nwid)); } } @@ -638,7 +590,7 @@ bool Switch::unite(const Address &p1,const Address &p2) outp.append(cg.first.rawIpData(),4); } outp.armor(p1p->key(),true); - p1p->sendDirect(outp.data(),outp.size(),now,true); + p1p->send(outp.data(),outp.size(),now); } else { // Tell p2 where to find p1. Packet outp(p2,RR->identity.address(),Packet::VERB_RENDEZVOUS); @@ -653,7 +605,7 @@ bool Switch::unite(const Address &p1,const Address &p2) outp.append(cg.second.rawIpData(),4); } outp.armor(p2p->key(),true); - p2p->sendDirect(outp.data(),outp.size(),now,true); + p2p->send(outp.data(),outp.size(),now); } ++alt; // counts up and also flips LSB } @@ -661,6 +613,17 @@ bool Switch::unite(const Address &p1,const Address &p2) return true; } +void Switch::rendezvous(const SharedPtr &peer,const InetAddress &localAddr,const InetAddress &atAddr) +{ + TRACE("sending NAT-t message to %s(%s)",peer->address().toString().c_str(),atAddr.toString().c_str()); + const uint64_t now = RR->node->now(); + peer->sendHELLO(localAddr,atAddr,now,2); // first attempt: send low-TTL packet to 'open' local NAT + { + Mutex::Lock _l(_contactQueue_m); + _contactQueue.push_back(ContactQueueEntry(peer,now + ZT_NAT_T_TACTICAL_ESCALATION_DELAY,localAddr,atAddr)); + } +} + void Switch::requestWhois(const Address &addr) { bool inserted = false; @@ -691,7 +654,7 @@ void Switch::doAnythingWaitingForPeer(const SharedPtr &peer) while (i) { RXQueueEntry *rq = &(_rxQueue[--i]); if ((rq->timestamp)&&(rq->complete)) { - if (rq->frag0.tryDecode(RR)) + if (rq->frag0.tryDecode(RR,false)) rq->timestamp = 0; } } @@ -701,7 +664,7 @@ void Switch::doAnythingWaitingForPeer(const SharedPtr &peer) Mutex::Lock _l(_txQueue_m); for(std::list< TXQueueEntry >::iterator txi(_txQueue.begin());txi!=_txQueue.end();) { if (txi->dest == peer->address()) { - if (_trySend(txi->packet,txi->encrypt)) + if (_trySend(txi->packet,txi->encrypt,txi->nwid)) _txQueue.erase(txi++); else ++txi; } else ++txi; @@ -713,6 +676,42 @@ unsigned long Switch::doTimerTasks(uint64_t now) { unsigned long nextDelay = 0xffffffff; // ceiling delay, caller will cap to minimum + { // Iterate through NAT traversal strategies for entries in contact queue + Mutex::Lock _l(_contactQueue_m); + for(std::list::iterator qi(_contactQueue.begin());qi!=_contactQueue.end();) { + if (now >= qi->fireAtTime) { + if (!qi->peer->pushDirectPaths(qi->localAddr,qi->inaddr,now,true,false)) + qi->peer->sendHELLO(qi->localAddr,qi->inaddr,now); + _contactQueue.erase(qi++); + continue; + /* Old symmetric NAT buster code, obsoleted by port prediction alg in SelfAwareness but left around for now in case we revert + if (qi->strategyIteration == 0) { + // First strategy: send packet directly to destination + qi->peer->sendHELLO(qi->localAddr,qi->inaddr,now); + } else if (qi->strategyIteration <= 3) { + // Strategies 1-3: try escalating ports for symmetric NATs that remap sequentially + InetAddress tmpaddr(qi->inaddr); + int p = (int)qi->inaddr.port() + qi->strategyIteration; + if (p > 65535) + p -= 64511; + tmpaddr.setPort((unsigned int)p); + qi->peer->sendHELLO(qi->localAddr,tmpaddr,now); + } else { + // All strategies tried, expire entry + _contactQueue.erase(qi++); + continue; + } + ++qi->strategyIteration; + qi->fireAtTime = now + ZT_NAT_T_TACTICAL_ESCALATION_DELAY; + nextDelay = std::min(nextDelay,(unsigned long)ZT_NAT_T_TACTICAL_ESCALATION_DELAY); + */ + } else { + nextDelay = std::min(nextDelay,(unsigned long)(qi->fireAtTime - now)); + } + ++qi; // if qi was erased, loop will have continued before here + } + } + { // Retry outstanding WHOIS requests Mutex::Lock _l(_outstandingWhoisRequests_m); Hashtable< Address,WhoisRequest >::Iterator i(_outstandingWhoisRequests); @@ -740,7 +739,7 @@ unsigned long Switch::doTimerTasks(uint64_t now) { // Time out TX queue packets that never got WHOIS lookups or other info. Mutex::Lock _l(_txQueue_m); for(std::list< TXQueueEntry >::iterator txi(_txQueue.begin());txi!=_txQueue.end();) { - if (_trySend(txi->packet,txi->encrypt)) + if (_trySend(txi->packet,txi->encrypt,txi->nwid)) _txQueue.erase(txi++); else if ((now - txi->creationTime) > ZT_TRANSMIT_QUEUE_TIMEOUT) { TRACE("TX %s -> %s timed out",txi->packet.source().toString().c_str(),txi->packet.destination().toString().c_str()); @@ -765,41 +764,65 @@ unsigned long Switch::doTimerTasks(uint64_t now) Address Switch::_sendWhoisRequest(const Address &addr,const Address *peersAlreadyConsulted,unsigned int numPeersAlreadyConsulted) { - SharedPtr upstream(RR->topology->getBestRoot(peersAlreadyConsulted,numPeersAlreadyConsulted,false)); - if (upstream) { - Packet outp(upstream->address(),RR->identity.address(),Packet::VERB_WHOIS); + SharedPtr root(RR->topology->getBestRoot(peersAlreadyConsulted,numPeersAlreadyConsulted,false)); + if (root) { + Packet outp(root->address(),RR->identity.address(),Packet::VERB_WHOIS); addr.appendTo(outp); - RR->node->expectReplyTo(outp.packetId()); - send(outp,true); + outp.armor(root->key(),true); + if (root->send(outp.data(),outp.size(),RR->node->now())) + return root->address(); } return Address(); } -bool Switch::_trySend(const Packet &packet,bool encrypt) +bool Switch::_trySend(const Packet &packet,bool encrypt,uint64_t nwid) { - const SharedPtr peer(RR->topology->getPeer(packet.destination())); + SharedPtr peer(RR->topology->getPeer(packet.destination())); + if (peer) { const uint64_t now = RR->node->now(); - // First get the best path, and if it's dead (and this is not a root) - // we attempt to re-activate that path but this packet will flow - // upstream. If the path comes back alive, it will be used in the future. - // For roots we don't do the alive check since roots are not required - // to send heartbeats "down" and because we have to at least try to - // go somewhere. - - SharedPtr viaPath(peer->getBestPath(now,false)); - if ( (viaPath) && (!viaPath->alive(now)) && (!RR->topology->isRoot(peer->identity())) ) { - if ((now - viaPath->lastOut()) > std::max((now - viaPath->lastIn()) * 4,(uint64_t)ZT_PATH_MIN_REACTIVATE_INTERVAL)) - peer->attemptToContactAt(viaPath->localAddress(),viaPath->address(),now); - viaPath.zero(); + SharedPtr network; + if (nwid) { + network = RR->node->network(nwid); + if ((!network)||(!network->hasConfig())) + return false; // we probably just left this network, let its packets die } + + Path *viaPath = peer->getBestPath(now); + SharedPtr relay; + if (!viaPath) { - SharedPtr relay(RR->topology->getBestRoot()); - if ( (!relay) || (!(viaPath = relay->getBestPath(now,false))) ) { - if (!(viaPath = peer->getBestPath(now,true))) - return false; + if (network) { + unsigned int bestq = ~((unsigned int)0); // max unsigned int since quality is lower==better + unsigned int ptr = 0; + for(;;) { + const Address raddr(network->config().nextRelay(ptr)); + if (raddr) { + SharedPtr rp(RR->topology->getPeer(raddr)); + if (rp) { + const unsigned int q = rp->relayQuality(now); + if (q < bestq) { + bestq = q; + rp.swap(relay); + } + } + } else break; + } } + + if (!relay) + relay = RR->topology->getBestRoot(); + + if ( (!relay) || (!(viaPath = relay->getBestPath(now))) ) + return false; + } + // viaPath will not be null if we make it here + + // Push possible direct paths to us if we are relaying + if (relay) { + peer->pushDirectPaths(viaPath->localAddress(),viaPath->address(),now,false,( (network)&&(network->isAllowed(peer)) )); + viaPath->sent(now); } Packet tmp(packet); @@ -807,12 +830,7 @@ bool Switch::_trySend(const Packet &packet,bool encrypt) unsigned int chunkSize = std::min(tmp.size(),(unsigned int)ZT_UDP_DEFAULT_PAYLOAD_MTU); tmp.setFragmented(chunkSize < tmp.size()); - const uint64_t trustedPathId = RR->topology->getOutboundPathTrust(viaPath->address()); - if (trustedPathId) { - tmp.setTrusted(trustedPathId); - } else { - tmp.armor(peer->key(),encrypt); - } + tmp.armor(peer->key(),encrypt); if (viaPath->send(RR,tmp.data(),chunkSize,now)) { if (chunkSize < tmp.size()) { @@ -822,7 +840,7 @@ bool Switch::_trySend(const Packet &packet,bool encrypt) unsigned int fragsRemaining = (remaining / (ZT_UDP_DEFAULT_PAYLOAD_MTU - ZT_PROTO_MIN_FRAGMENT_LENGTH)); if ((fragsRemaining * (ZT_UDP_DEFAULT_PAYLOAD_MTU - ZT_PROTO_MIN_FRAGMENT_LENGTH)) < remaining) ++fragsRemaining; - const unsigned int totalFragments = fragsRemaining + 1; + unsigned int totalFragments = fragsRemaining + 1; for(unsigned int fno=1;fno &peer,const InetAddress &localAddr,const InetAddress &atAddr); + /** * Request WHOIS on a given address * @@ -137,7 +151,7 @@ public: private: Address _sendWhoisRequest(const Address &addr,const Address *peersAlreadyConsulted,unsigned int numPeersAlreadyConsulted); - bool _trySend(const Packet &packet,bool encrypt); + bool _trySend(const Packet &packet,bool encrypt,uint64_t nwid); const RuntimeEnvironment *const RR; uint64_t _lastBeaconResponse; @@ -191,14 +205,16 @@ private: struct TXQueueEntry { TXQueueEntry() {} - TXQueueEntry(Address d,uint64_t ct,const Packet &p,bool enc) : + TXQueueEntry(Address d,uint64_t ct,const Packet &p,bool enc,uint64_t nw) : dest(d), creationTime(ct), + nwid(nw), packet(p), encrypt(enc) {} Address dest; uint64_t creationTime; + uint64_t nwid; Packet packet; // unencrypted/unMAC'd packet -- this is done at send time bool encrypt; }; @@ -225,6 +241,26 @@ private: }; Hashtable< _LastUniteKey,uint64_t > _lastUniteAttempt; // key is always sorted in ascending order, for set-like behavior Mutex _lastUniteAttempt_m; + + // Active attempts to contact remote peers, including state of multi-phase NAT traversal + struct ContactQueueEntry + { + ContactQueueEntry() {} + ContactQueueEntry(const SharedPtr &p,uint64_t ft,const InetAddress &laddr,const InetAddress &a) : + peer(p), + fireAtTime(ft), + inaddr(a), + localAddr(laddr), + strategyIteration(0) {} + + SharedPtr peer; + uint64_t fireAtTime; + InetAddress inaddr; + InetAddress localAddr; + unsigned int strategyIteration; + }; + std::list _contactQueue; + Mutex _contactQueue_m; }; } // namespace ZeroTier diff --git a/zerotierone/node/Topology.cpp b/zerotierone/node/Topology.cpp index 12a7cc0..4105eae 100644 --- a/zerotierone/node/Topology.cpp +++ b/zerotierone/node/Topology.cpp @@ -44,10 +44,38 @@ static const unsigned char ZT_DEFAULT_WORLD[ZT_DEFAULT_WORLD_LENGTH] = {0x01,0x0 Topology::Topology(const RuntimeEnvironment *renv) : RR(renv), - _trustedPathCount(0), _amRoot(false) { - // Get cached world if present + std::string alls(RR->node->dataStoreGet("peers.save")); + const uint8_t *all = reinterpret_cast(alls.data()); + RR->node->dataStoreDelete("peers.save"); + + Buffer *deserializeBuf = new Buffer(); + unsigned int ptr = 0; + while ((ptr + 4) < alls.size()) { + try { + const unsigned int reclen = ( // each Peer serialized record is prefixed by a record length + ((((unsigned int)all[ptr]) & 0xff) << 24) | + ((((unsigned int)all[ptr + 1]) & 0xff) << 16) | + ((((unsigned int)all[ptr + 2]) & 0xff) << 8) | + (((unsigned int)all[ptr + 3]) & 0xff) + ); + unsigned int pos = 0; + deserializeBuf->copyFrom(all + ptr,reclen + 4); + SharedPtr p(Peer::deserializeNew(RR,RR->identity,*deserializeBuf,pos)); + ptr += pos; + if (!p) + break; // stop if invalid records + if (p->address() != RR->identity.address()) + _peers.set(p->address(),p); + } catch ( ... ) { + break; // stop if invalid records + } + } + delete deserializeBuf; + + clean(RR->node->now()); + std::string dsWorld(RR->node->dataStoreGet("world")); World cachedWorld; if (dsWorld.length() > 0) { @@ -58,8 +86,6 @@ Topology::Topology(const RuntimeEnvironment *renv) : cachedWorld = World(); // clear if cached world is invalid } } - - // Use default or cached world depending on which is shinier World defaultWorld; { Buffer wtmp(ZT_DEFAULT_WORLD,ZT_DEFAULT_WORLD_LENGTH); @@ -74,6 +100,34 @@ Topology::Topology(const RuntimeEnvironment *renv) : Topology::~Topology() { + Buffer *pbuf = 0; + try { + pbuf = new Buffer(); + std::string all; + + Address *a = (Address *)0; + SharedPtr *p = (SharedPtr *)0; + Hashtable< Address,SharedPtr >::Iterator i(_peers); + while (i.next(a,p)) { + if (std::find(_rootAddresses.begin(),_rootAddresses.end(),*a) == _rootAddresses.end()) { + pbuf->clear(); + try { + (*p)->serialize(*pbuf); + try { + all.append((const char *)pbuf->data(),pbuf->size()); + } catch ( ... ) { + return; // out of memory? just skip + } + } catch ( ... ) {} // peer too big? shouldn't happen, but it so skip + } + } + + RR->node->dataStorePut("peers.save",all,true); + + delete pbuf; + } catch ( ... ) { + delete pbuf; + } } SharedPtr Topology::addPeer(const SharedPtr &peer) @@ -96,6 +150,7 @@ SharedPtr Topology::addPeer(const SharedPtr &peer) np = hp; } + np->use(RR->node->now()); saveIdentity(np->identity()); return np; @@ -112,6 +167,7 @@ SharedPtr Topology::getPeer(const Address &zta) Mutex::Lock _l(_lock); const SharedPtr *const ap = _peers.get(zta); if (ap) { + (*ap)->use(RR->node->now()); return *ap; } } @@ -125,6 +181,7 @@ SharedPtr Topology::getPeer(const Address &zta) SharedPtr &ap = _peers[zta]; if (!ap) ap.swap(np); + ap->use(RR->node->now()); return ap; } } @@ -138,9 +195,7 @@ SharedPtr Topology::getPeer(const Address &zta) Identity Topology::getIdentity(const Address &zta) { - if (zta == RR->identity.address()) { - return RR->identity; - } else { + { Mutex::Lock _l(_lock); const SharedPtr *const ap = _peers.get(zta); if (ap) @@ -173,8 +228,10 @@ SharedPtr Topology::getBestRoot(const Address *avoid,unsigned int avoidCou if (_rootAddresses[p] == RR->identity.address()) { for(unsigned long q=1;q<_rootAddresses.size();++q) { const SharedPtr *const nextsn = _peers.get(_rootAddresses[(p + q) % _rootAddresses.size()]); - if ((nextsn)&&((*nextsn)->hasActiveDirectPath(now))) + if ((nextsn)&&((*nextsn)->hasActiveDirectPath(now))) { + (*nextsn)->use(now); return *nextsn; + } } break; } @@ -209,8 +266,10 @@ SharedPtr Topology::getBestRoot(const Address *avoid,unsigned int avoidCou } if (bestNotAvoid) { + (*bestNotAvoid)->use(now); return *bestNotAvoid; } else if ((!strictAvoid)&&(bestOverall)) { + (*bestOverall)->use(now); return *bestOverall; } @@ -221,7 +280,15 @@ SharedPtr Topology::getBestRoot(const Address *avoid,unsigned int avoidCou bool Topology::isUpstream(const Identity &id) const { - return isRoot(id); + if (isRoot(id)) + return true; + std::vector< SharedPtr > nws(RR->node->allNetworks()); + for(std::vector< SharedPtr >::const_iterator nw(nws.begin());nw!=nws.end();++nw) { + if ((*nw)->config().isRelay(id.address())) { + return true; + } + } + return false; } bool Topology::worldUpdateIfValid(const World &newWorld) @@ -244,22 +311,14 @@ bool Topology::worldUpdateIfValid(const World &newWorld) void Topology::clean(uint64_t now) { Mutex::Lock _l(_lock); - { - Hashtable< Address,SharedPtr >::Iterator i(_peers); - Address *a = (Address *)0; - SharedPtr *p = (SharedPtr *)0; - while (i.next(a,p)) { - if ( (!(*p)->isAlive(now)) && (std::find(_rootAddresses.begin(),_rootAddresses.end(),*a) == _rootAddresses.end()) ) - _peers.erase(*a); - } - } - { - Hashtable< Path::HashKey,SharedPtr >::Iterator i(_paths); - Path::HashKey *k = (Path::HashKey *)0; - SharedPtr *p = (SharedPtr *)0; - while (i.next(k,p)) { - if (p->reclaimIfWeak()) - _paths.erase(*k); + Hashtable< Address,SharedPtr >::Iterator i(_peers); + Address *a = (Address *)0; + SharedPtr *p = (SharedPtr *)0; + while (i.next(a,p)) { + if (((now - (*p)->lastUsed()) >= ZT_PEER_IN_MEMORY_EXPIRATION)&&(std::find(_rootAddresses.begin(),_rootAddresses.end(),*a) == _rootAddresses.end())) { + _peers.erase(*a); + } else { + (*p)->clean(now); } } } diff --git a/zerotierone/node/Topology.hpp b/zerotierone/node/Topology.hpp index e63766c..86fbb01 100644 --- a/zerotierone/node/Topology.hpp +++ b/zerotierone/node/Topology.hpp @@ -28,12 +28,10 @@ #include #include "Constants.hpp" -#include "../include/ZeroTierOne.h" #include "Address.hpp" #include "Identity.hpp" #include "Peer.hpp" -#include "Path.hpp" #include "Mutex.hpp" #include "InetAddress.hpp" #include "Hashtable.hpp" @@ -90,22 +88,6 @@ public: return SharedPtr(); } - /** - * Get a Path object for a given local and remote physical address, creating if needed - * - * @param l Local address or NULL for 'any' or 'wildcard' - * @param r Remote address - * @return Pointer to canonicalized Path object - */ - inline SharedPtr getPath(const InetAddress &l,const InetAddress &r) - { - Mutex::Lock _l(_lock); - SharedPtr &p = _paths[Path::HashKey(l,r)]; - if (!p) - p.setToUnsafe(new Path(l,r)); - return p; - } - /** * Get the identity of a peer * @@ -170,14 +152,6 @@ public: return _rootAddresses; } - /** - * @return Vector of active upstream addresses (including roots) - */ - inline std::vector
upstreamAddresses() const - { - return rootAddresses(); - } - /** * @return Current World (copy) */ @@ -278,70 +252,14 @@ public: */ inline bool amRoot() const throw() { return _amRoot; } - /** - * Get the outbound trusted path ID for a physical address, or 0 if none - * - * @param physicalAddress Physical address to which we are sending the packet - * @return Trusted path ID or 0 if none (0 is not a valid trusted path ID) - */ - inline uint64_t getOutboundPathTrust(const InetAddress &physicalAddress) - { - for(unsigned int i=0;i<_trustedPathCount;++i) { - if (_trustedPathNetworks[i].containsAddress(physicalAddress)) - return _trustedPathIds[i]; - } - return 0; - } - - /** - * Check whether in incoming trusted path marked packet is valid - * - * @param physicalAddress Originating physical address - * @param trustedPathId Trusted path ID from packet (from MAC field) - */ - inline bool shouldInboundPathBeTrusted(const InetAddress &physicalAddress,const uint64_t trustedPathId) - { - for(unsigned int i=0;i<_trustedPathCount;++i) { - if ((_trustedPathIds[i] == trustedPathId)&&(_trustedPathNetworks[i].containsAddress(physicalAddress))) - return true; - } - return false; - } - - /** - * Set trusted paths in this topology - * - * @param networks Array of networks (prefix/netmask bits) - * @param ids Array of trusted path IDs - * @param count Number of trusted paths (if larger than ZT_MAX_TRUSTED_PATHS overflow is ignored) - */ - inline void setTrustedPaths(const InetAddress *networks,const uint64_t *ids,unsigned int count) - { - if (count > ZT_MAX_TRUSTED_PATHS) - count = ZT_MAX_TRUSTED_PATHS; - Mutex::Lock _l(_lock); - for(unsigned int i=0;i > _peers; - Hashtable< Path::HashKey,SharedPtr > _paths; - std::vector< Address > _rootAddresses; std::vector< SharedPtr > _rootPeers; bool _amRoot; diff --git a/zerotierone/node/Utils.cpp b/zerotierone/node/Utils.cpp index 9d67fc2..00aeea3 100644 --- a/zerotierone/node/Utils.cpp +++ b/zerotierone/node/Utils.cpp @@ -262,24 +262,6 @@ std::vector Utils::split(const char *s,const char *const sep,const return fields; } -bool Utils::scopy(char *dest,unsigned int len,const char *src) -{ - if (!len) - return false; // sanity check - if (!src) { - *dest = (char)0; - return true; - } - char *end = dest + len; - while ((*dest++ = *src++)) { - if (dest == end) { - *(--dest) = (char)0; - return false; - } - } - return true; -} - unsigned int Utils::snprintf(char *buf,unsigned int len,const char *fmt,...) throw(std::length_error) { @@ -292,7 +274,6 @@ unsigned int Utils::snprintf(char *buf,unsigned int len,const char *fmt,...) if ((n >= (int)len)||(n < 0)) { if (len) buf[len - 1] = (char)0; - abort(); throw std::length_error("buf[] overflow in Utils::snprintf"); } diff --git a/zerotierone/node/Utils.hpp b/zerotierone/node/Utils.hpp index cfe5650..3f4cc76 100644 --- a/zerotierone/node/Utils.hpp +++ b/zerotierone/node/Utils.hpp @@ -49,6 +49,7 @@ public: * @return True if strings are equal */ static inline bool secureEq(const void *a,const void *b,unsigned int len) + throw() { uint8_t diff = 0; for(unsigned int i=0;i> 1) & (uint32_t)0x55555555); v = (v & (uint32_t)0x33333333) + ((v >> 2) & (uint32_t)0x33333333); @@ -272,6 +284,7 @@ public: * @return True if memory is all zero */ static inline bool isZero(const void *p,unsigned int len) + throw() { for(unsigned int i=0;i tmp; update.serialize(tmp,true); - return C25519::verify(_updatesMustBeSignedBy,tmp.data(),tmp.size(),update._signature); + return C25519::verify(_updateSigningKey,tmp.data(),tmp.size(),update._signature); } else return true; } return false; @@ -164,12 +164,12 @@ public: template inline void serialize(Buffer &b,bool forSign = false) const { - if (forSign) b.append((uint64_t)0x7f7f7f7f7f7f7f7fULL); - - b.append((uint8_t)0x01); + if (forSign) + b.append((uint64_t)0x7f7f7f7f7f7f7f7fULL); + b.append((uint8_t)0x01); // version -- only one valid value for now b.append((uint64_t)_id); b.append((uint64_t)_ts); - b.append(_updatesMustBeSignedBy.data,ZT_C25519_PUBLIC_KEY_LEN); + b.append(_updateSigningKey.data,ZT_C25519_PUBLIC_KEY_LEN); if (!forSign) b.append(_signature.data,ZT_C25519_SIGNATURE_LEN); b.append((uint8_t)_roots.size()); @@ -179,8 +179,8 @@ public: for(std::vector::const_iterator ep(r->stableEndpoints.begin());ep!=r->stableEndpoints.end();++ep) ep->serialize(b); } - - if (forSign) b.append((uint64_t)0xf7f7f7f7f7f7f7f7ULL); + if (forSign) + b.append((uint64_t)0xf7f7f7f7f7f7f7f7ULL); } template @@ -191,11 +191,11 @@ public: _roots.clear(); if (b[p++] != 0x01) - throw std::invalid_argument("invalid object type"); + throw std::invalid_argument("invalid World serialized version"); _id = b.template at(p); p += 8; _ts = b.template at(p); p += 8; - memcpy(_updatesMustBeSignedBy.data,b.field(p,ZT_C25519_PUBLIC_KEY_LEN),ZT_C25519_PUBLIC_KEY_LEN); p += ZT_C25519_PUBLIC_KEY_LEN; + memcpy(_updateSigningKey.data,b.field(p,ZT_C25519_PUBLIC_KEY_LEN),ZT_C25519_PUBLIC_KEY_LEN); p += ZT_C25519_PUBLIC_KEY_LEN; memcpy(_signature.data,b.field(p,ZT_C25519_SIGNATURE_LEN),ZT_C25519_SIGNATURE_LEN); p += ZT_C25519_SIGNATURE_LEN; unsigned int numRoots = b[p++]; if (numRoots > ZT_WORLD_MAX_ROOTS) @@ -216,13 +216,13 @@ public: return (p - startAt); } - inline bool operator==(const World &w) const throw() { return ((_id == w._id)&&(_ts == w._ts)&&(_updatesMustBeSignedBy == w._updatesMustBeSignedBy)&&(_signature == w._signature)&&(_roots == w._roots)); } + inline bool operator==(const World &w) const throw() { return ((_id == w._id)&&(_ts == w._ts)&&(_updateSigningKey == w._updateSigningKey)&&(_signature == w._signature)&&(_roots == w._roots)); } inline bool operator!=(const World &w) const throw() { return (!(*this == w)); } protected: uint64_t _id; uint64_t _ts; - C25519::Public _updatesMustBeSignedBy; + C25519::Public _updateSigningKey; C25519::Signature _signature; std::vector _roots; }; diff --git a/zerotierone/objects.mk b/zerotierone/objects.mk index 5738e76..d11e281 100644 --- a/zerotierone/objects.mk +++ b/zerotierone/objects.mk @@ -1,13 +1,15 @@ OBJS=\ - controller/EmbeddedNetworkController.o \ + ext/lz4/lz4.o \ + ext/json-parser/json.o \ + ext/http-parser/http_parser.o \ node/C25519.o \ - node/Capability.o \ node/CertificateOfMembership.o \ node/Cluster.o \ + node/DeferredPackets.o \ + node/Dictionary.o \ node/Identity.o \ node/IncomingPacket.o \ node/InetAddress.o \ - node/Membership.o \ node/Multicaster.o \ node/Network.o \ node/NetworkConfig.o \ @@ -17,16 +19,13 @@ OBJS=\ node/Path.o \ node/Peer.o \ node/Poly1305.o \ - node/Revocation.o \ node/Salsa20.o \ node/SelfAwareness.o \ node/SHA512.o \ node/Switch.o \ - node/Tag.o \ node/Topology.o \ node/Utils.o \ osdep/BackgroundResolver.o \ - osdep/ManagedRoute.o \ osdep/Http.o \ osdep/OSUtils.o \ service/ClusterGeoIpService.o \ diff --git a/zerotierone/one.cpp b/zerotierone/one.cpp index 6ad5c8e..9e03daa 100644 --- a/zerotierone/one.cpp +++ b/zerotierone/one.cpp @@ -48,12 +48,12 @@ #include #include -#include -#include #include "version.h" #include "include/ZeroTierOne.h" +#include "ext/json-parser/json.h" + #include "node/Identity.hpp" #include "node/CertificateOfMembership.hpp" #include "node/Utils.hpp" @@ -64,8 +64,6 @@ #include "service/OneService.hpp" -#include "ext/json/json.hpp" - #define ZT_PID_PATH "zerotier-one.pid" using namespace ZeroTier; @@ -84,8 +82,6 @@ static OneService *volatile zt1Service = (OneService *)0; /* zerotier-cli personality */ /****************************************************************************/ -// This is getting deprecated soon in favor of the stuff in cli/ - static void cliPrintHelp(const char *pn,FILE *out) { fprintf(out, @@ -95,21 +91,21 @@ static void cliPrintHelp(const char *pn,FILE *out) fprintf(out, COPYRIGHT_NOTICE ZT_EOL_S LICENSE_GRANT ZT_EOL_S); - fprintf(out,"Usage: %s [-switches] []" ZT_EOL_S"" ZT_EOL_S,pn); - fprintf(out,"Available switches:" ZT_EOL_S); - fprintf(out," -h - Display this help" ZT_EOL_S); - fprintf(out," -v - Show version" ZT_EOL_S); - fprintf(out," -j - Display full raw JSON output" ZT_EOL_S); - fprintf(out," -D - ZeroTier home path for parameter auto-detect" ZT_EOL_S); - fprintf(out," -p - HTTP port (default: auto)" ZT_EOL_S); - fprintf(out," -T - Authentication token (default: auto)" ZT_EOL_S); - fprintf(out,ZT_EOL_S"Available commands:" ZT_EOL_S); - fprintf(out," info - Display status info" ZT_EOL_S); - fprintf(out," listpeers - List all peers" ZT_EOL_S); - fprintf(out," listnetworks - List all networks" ZT_EOL_S); - fprintf(out," join - Join a network" ZT_EOL_S); - fprintf(out," leave - Leave a network" ZT_EOL_S); - fprintf(out," set - Set a network setting" ZT_EOL_S); + fprintf(out,"Usage: %s [-switches] []"ZT_EOL_S""ZT_EOL_S,pn); + fprintf(out,"Available switches:"ZT_EOL_S); + fprintf(out," -h - Display this help"ZT_EOL_S); + fprintf(out," -v - Show version"ZT_EOL_S); + fprintf(out," -j - Display full raw JSON output"ZT_EOL_S); + fprintf(out," -D - ZeroTier home path for parameter auto-detect"ZT_EOL_S); + fprintf(out," -p - HTTP port (default: auto)"ZT_EOL_S); + fprintf(out," -T - Authentication token (default: auto)"ZT_EOL_S); + //fprintf(out," -H - HTTP server bind address (default: 127.0.0.1)"ZT_EOL_S); + fprintf(out,ZT_EOL_S"Available commands:"ZT_EOL_S); + fprintf(out," info - Display status info"ZT_EOL_S); + fprintf(out," listpeers - List all peers"ZT_EOL_S); + fprintf(out," listnetworks - List all networks"ZT_EOL_S); + fprintf(out," join - Join a network"ZT_EOL_S); + fprintf(out," leave - Leave a network"ZT_EOL_S); } static std::string cliFixJsonCRs(const std::string &s) @@ -130,7 +126,10 @@ static int cli(int argc,char **argv) #endif { unsigned int port = 0; - std::string homeDir,command,arg1,arg2,authToken; + std::string homeDir; + std::string command; + std::string arg1; + std::string authToken; std::string ip("127.0.0.1"); bool json = false; for(int i=1;i 0xffff)) { - fprintf(stderr,"%s: missing port and zerotier-one.port not found in %s" ZT_EOL_S,argv[0],homeDir.c_str()); + fprintf(stderr,"%s: missing port and zerotier-one.port not found in %s"ZT_EOL_S,argv[0],homeDir.c_str()); return 2; } } @@ -245,7 +242,7 @@ static int cli(int argc,char **argv) } #endif if (!authToken.length()) { - fprintf(stderr,"%s: missing authentication token and authtoken.secret not found (or readable) in %s" ZT_EOL_S,argv[0],homeDir.c_str()); + fprintf(stderr,"%s: missing authentication token and authtoken.secret not found (or readable) in %s"ZT_EOL_S,argv[0],homeDir.c_str()); return 2; } } @@ -277,143 +274,227 @@ static int cli(int argc,char **argv) printf("%s",cliFixJsonCRs(responseBody).c_str()); return 0; } else { - printf("%u %s %s" ZT_EOL_S,scode,command.c_str(),responseBody.c_str()); + printf("%u %s %s"ZT_EOL_S,scode,command.c_str(),responseBody.c_str()); return 1; } } else if ((command == "info")||(command == "status")) { - const unsigned int scode = Http::GET(1024 * 1024 * 16,60000,(const struct sockaddr *)&addr,"/status",requestHeaders,responseHeaders,responseBody); - - nlohmann::json j; - try { - j = nlohmann::json::parse(responseBody); - } catch (std::exception &exc) { - printf("%u %s invalid JSON response (%s)" ZT_EOL_S,scode,command.c_str(),exc.what()); - return 1; - } catch ( ... ) { - printf("%u %s invalid JSON response (unknown exception)" ZT_EOL_S,scode,command.c_str()); - return 1; - } - + unsigned int scode = Http::GET( + 1024 * 1024 * 16, + 60000, + (const struct sockaddr *)&addr, + "/status", + requestHeaders, + responseHeaders, + responseBody); if (scode == 200) { - std::ostringstream out; if (json) { - out << j.dump(2) << ZT_EOL_S; + printf("%s",cliFixJsonCRs(responseBody).c_str()); + return 0; } else { - if (j.is_object()) - out << "200 info " << j["address"].get() << " " << j["version"].get() << " " << ((j["tcpFallbackActive"]) ? "TUNNELED" : ((j["online"]) ? "ONLINE" : "OFFLINE")) << ZT_EOL_S; + json_value *j = json_parse(responseBody.c_str(),responseBody.length()); + bool good = false; + if (j) { + if (j->type == json_object) { + const char *address = (const char *)0; + bool online = false; + const char *version = (const char *)0; + for(unsigned int k=0;ku.object.length;++k) { + if ((!strcmp(j->u.object.values[k].name,"address"))&&(j->u.object.values[k].value->type == json_string)) + address = j->u.object.values[k].value->u.string.ptr; + else if ((!strcmp(j->u.object.values[k].name,"version"))&&(j->u.object.values[k].value->type == json_string)) + version = j->u.object.values[k].value->u.string.ptr; + else if ((!strcmp(j->u.object.values[k].name,"online"))&&(j->u.object.values[k].value->type == json_boolean)) + online = (j->u.object.values[k].value->u.boolean != 0); + } + if ((address)&&(version)) { + printf("200 info %s %s %s"ZT_EOL_S,address,(online ? "ONLINE" : "OFFLINE"),version); + good = true; + } + } + json_value_free(j); + } + if (good) { + return 0; + } else { + printf("%u %s invalid JSON response"ZT_EOL_S,scode,command.c_str()); + return 1; + } } - printf("%s",out.str().c_str()); - return 0; } else { - printf("%u %s %s" ZT_EOL_S,scode,command.c_str(),responseBody.c_str()); + printf("%u %s %s"ZT_EOL_S,scode,command.c_str(),responseBody.c_str()); return 1; } } else if (command == "listpeers") { - const unsigned int scode = Http::GET(1024 * 1024 * 16,60000,(const struct sockaddr *)&addr,"/peer",requestHeaders,responseHeaders,responseBody); - - nlohmann::json j; - try { - j = nlohmann::json::parse(responseBody); - } catch (std::exception &exc) { - printf("%u %s invalid JSON response (%s)" ZT_EOL_S,scode,command.c_str(),exc.what()); - return 1; - } catch ( ... ) { - printf("%u %s invalid JSON response (unknown exception)" ZT_EOL_S,scode,command.c_str()); - return 1; - } - + unsigned int scode = Http::GET( + 1024 * 1024 * 16, + 60000, + (const struct sockaddr *)&addr, + "/peer", + requestHeaders, + responseHeaders, + responseBody); if (scode == 200) { - std::ostringstream out; if (json) { - out << j.dump(2) << ZT_EOL_S; + printf("%s",cliFixJsonCRs(responseBody).c_str()); + return 0; } else { - out << "200 listpeers " << ZT_EOL_S; - if (j.is_array()) { - for(unsigned long k=0;k "ZT_EOL_S); + json_value *j = json_parse(responseBody.c_str(),responseBody.length()); + if (j) { + if (j->type == json_array) { + for(unsigned int p=0;pu.array.length;++p) { + json_value *jp = j->u.array.values[p]; + if (jp->type == json_object) { + const char *address = (const char *)0; + std::string paths; + int64_t latency = 0; + int64_t versionMajor = -1,versionMinor = -1,versionRev = -1; + const char *role = (const char *)0; + for(unsigned int k=0;ku.object.length;++k) { + if ((!strcmp(jp->u.object.values[k].name,"address"))&&(jp->u.object.values[k].value->type == json_string)) + address = jp->u.object.values[k].value->u.string.ptr; + else if ((!strcmp(jp->u.object.values[k].name,"versionMajor"))&&(jp->u.object.values[k].value->type == json_integer)) + versionMajor = jp->u.object.values[k].value->u.integer; + else if ((!strcmp(jp->u.object.values[k].name,"versionMinor"))&&(jp->u.object.values[k].value->type == json_integer)) + versionMinor = jp->u.object.values[k].value->u.integer; + else if ((!strcmp(jp->u.object.values[k].name,"versionRev"))&&(jp->u.object.values[k].value->type == json_integer)) + versionRev = jp->u.object.values[k].value->u.integer; + else if ((!strcmp(jp->u.object.values[k].name,"role"))&&(jp->u.object.values[k].value->type == json_string)) + role = jp->u.object.values[k].value->u.string.ptr; + else if ((!strcmp(jp->u.object.values[k].name,"latency"))&&(jp->u.object.values[k].value->type == json_integer)) + latency = jp->u.object.values[k].value->u.integer; + else if ((!strcmp(jp->u.object.values[k].name,"paths"))&&(jp->u.object.values[k].value->type == json_array)) { + for(unsigned int pp=0;ppu.object.values[k].value->u.array.length;++pp) { + json_value *jpath = jp->u.object.values[k].value->u.array.values[pp]; + if (jpath->type == json_object) { + const char *paddr = (const char *)0; + int64_t lastSend = 0; + int64_t lastReceive = 0; + bool preferred = false; + bool active = false; + for(unsigned int kk=0;kku.object.length;++kk) { + if ((!strcmp(jpath->u.object.values[kk].name,"address"))&&(jpath->u.object.values[kk].value->type == json_string)) + paddr = jpath->u.object.values[kk].value->u.string.ptr; + else if ((!strcmp(jpath->u.object.values[kk].name,"lastSend"))&&(jpath->u.object.values[kk].value->type == json_integer)) + lastSend = jpath->u.object.values[kk].value->u.integer; + else if ((!strcmp(jpath->u.object.values[kk].name,"lastReceive"))&&(jpath->u.object.values[kk].value->type == json_integer)) + lastReceive = jpath->u.object.values[kk].value->u.integer; + else if ((!strcmp(jpath->u.object.values[kk].name,"preferred"))&&(jpath->u.object.values[kk].value->type == json_boolean)) + preferred = (jpath->u.object.values[kk].value->u.boolean != 0); + else if ((!strcmp(jpath->u.object.values[kk].name,"active"))&&(jpath->u.object.values[kk].value->type == json_boolean)) + active = (jpath->u.object.values[kk].value->u.boolean != 0); + } + if ((paddr)&&(active)) { + int64_t now = (int64_t)OSUtils::now(); + if (lastSend > 0) + lastSend = now - lastSend; + if (lastReceive > 0) + lastReceive = now - lastReceive; + char pathtmp[256]; + Utils::snprintf(pathtmp,sizeof(pathtmp),"%s;%lld;%lld;%s", + paddr, + lastSend, + lastReceive, + (preferred ? "preferred" : "active")); + if (paths.length()) + paths.push_back(','); + paths.append(pathtmp); + } + } + } + } + } + if ((address)&&(role)) { + char verstr[64]; + if ((versionMajor >= 0)&&(versionMinor >= 0)&&(versionRev >= 0)) + Utils::snprintf(verstr,sizeof(verstr),"%lld.%lld.%lld",versionMajor,versionMinor,versionRev); + else { + verstr[0] = '-'; + verstr[1] = (char)0; + } + printf("200 listpeers %s %s %lld %s %s"ZT_EOL_S,address,(paths.length()) ? paths.c_str() : "-",(long long)latency,verstr,role); } } } - if (bestPath.length() == 0) bestPath = "-"; - char ver[128]; - int64_t vmaj = p["versionMajor"]; - int64_t vmin = p["versionMinor"]; - int64_t vrev = p["versionRev"]; - if (vmaj >= 0) { - Utils::snprintf(ver,sizeof(ver),"%lld.%lld.%lld",vmaj,vmin,vrev); - } else { - ver[0] = '-'; - ver[1] = (char)0; - } - out << "200 listpeers " << p["address"].get() << " " << bestPath << " " << p["latency"] << " " << ver << " " << p["role"].get() << ZT_EOL_S; } + json_value_free(j); } + return 0; } - printf("%s",out.str().c_str()); - return 0; } else { - printf("%u %s %s" ZT_EOL_S,scode,command.c_str(),responseBody.c_str()); + printf("%u %s %s"ZT_EOL_S,scode,command.c_str(),responseBody.c_str()); return 1; } } else if (command == "listnetworks") { - const unsigned int scode = Http::GET(1024 * 1024 * 16,60000,(const struct sockaddr *)&addr,"/network",requestHeaders,responseHeaders,responseBody); - - nlohmann::json j; - try { - j = nlohmann::json::parse(responseBody); - } catch (std::exception &exc) { - printf("%u %s invalid JSON response (%s)" ZT_EOL_S,scode,command.c_str(),exc.what()); - return 1; - } catch ( ... ) { - printf("%u %s invalid JSON response (unknown exception)" ZT_EOL_S,scode,command.c_str()); - return 1; - } - + unsigned int scode = Http::GET( + 1024 * 1024 * 16, + 60000, + (const struct sockaddr *)&addr, + "/network", + requestHeaders, + responseHeaders, + responseBody); if (scode == 200) { - std::ostringstream out; if (json) { - out << j.dump(2) << ZT_EOL_S; + printf("%s",cliFixJsonCRs(responseBody).c_str()); + return 0; } else { - out << "200 listnetworks " << ZT_EOL_S; - if (j.is_array()) { - for(unsigned long i=0;i 0) aa.push_back(','); - aa.append(addr); + printf("200 listnetworks "ZT_EOL_S); + json_value *j = json_parse(responseBody.c_str(),responseBody.length()); + if (j) { + if (j->type == json_array) { + for(unsigned int p=0;pu.array.length;++p) { + json_value *jn = j->u.array.values[p]; + if (jn->type == json_object) { + const char *nwid = (const char *)0; + const char *name = ""; + const char *mac = (const char *)0; + const char *status = (const char *)0; + const char *type = (const char *)0; + const char *portDeviceName = ""; + std::string ips; + for(unsigned int k=0;ku.object.length;++k) { + if ((!strcmp(jn->u.object.values[k].name,"nwid"))&&(jn->u.object.values[k].value->type == json_string)) + nwid = jn->u.object.values[k].value->u.string.ptr; + else if ((!strcmp(jn->u.object.values[k].name,"name"))&&(jn->u.object.values[k].value->type == json_string)) + name = jn->u.object.values[k].value->u.string.ptr; + else if ((!strcmp(jn->u.object.values[k].name,"mac"))&&(jn->u.object.values[k].value->type == json_string)) + mac = jn->u.object.values[k].value->u.string.ptr; + else if ((!strcmp(jn->u.object.values[k].name,"status"))&&(jn->u.object.values[k].value->type == json_string)) + status = jn->u.object.values[k].value->u.string.ptr; + else if ((!strcmp(jn->u.object.values[k].name,"type"))&&(jn->u.object.values[k].value->type == json_string)) + type = jn->u.object.values[k].value->u.string.ptr; + else if ((!strcmp(jn->u.object.values[k].name,"portDeviceName"))&&(jn->u.object.values[k].value->type == json_string)) + portDeviceName = jn->u.object.values[k].value->u.string.ptr; + else if ((!strcmp(jn->u.object.values[k].name,"assignedAddresses"))&&(jn->u.object.values[k].value->type == json_array)) { + for(unsigned int a=0;au.object.values[k].value->u.array.length;++a) { + json_value *aa = jn->u.object.values[k].value->u.array.values[a]; + if (aa->type == json_string) { + if (ips.length()) + ips.push_back(','); + ips.append(aa->u.string.ptr); + } + } } } + if ((nwid)&&(mac)&&(status)&&(type)) { + printf("200 listnetworks %s %s %s %s %s %s %s"ZT_EOL_S, + nwid, + (((name)&&(name[0])) ? name : "-"), + mac, + status, + type, + (((portDeviceName)&&(portDeviceName[0])) ? portDeviceName : "-"), + ((ips.length() > 0) ? ips.c_str() : "-")); + } } - if (aa.length() == 0) aa = "-"; - std::string name = n["name"]; - if (name.length() == 0) name = "-"; - out << "200 listnetworks " << n["nwid"].get() << " " << name << " " << n["mac"].get() << " " << n["status"].get() << " " << n["type"].get() << " " << n["portDeviceName"].get() << " " << aa << ZT_EOL_S; } } + json_value_free(j); } } - printf("%s",out.str().c_str()); - return 0; } else { - printf("%u %s %s" ZT_EOL_S,scode,command.c_str(),responseBody.c_str()); + printf("%u %s %s"ZT_EOL_S,scode,command.c_str(),responseBody.c_str()); return 1; } } else if (command == "join") { @@ -437,11 +518,11 @@ static int cli(int argc,char **argv) if (json) { printf("%s",cliFixJsonCRs(responseBody).c_str()); } else { - printf("200 join OK" ZT_EOL_S); + printf("200 join OK"ZT_EOL_S); } return 0; } else { - printf("%u %s %s" ZT_EOL_S,scode,command.c_str(),responseBody.c_str()); + printf("%u %s %s"ZT_EOL_S,scode,command.c_str(),responseBody.c_str()); return 1; } } else if (command == "leave") { @@ -461,51 +542,13 @@ static int cli(int argc,char **argv) if (json) { printf("%s",cliFixJsonCRs(responseBody).c_str()); } else { - printf("200 leave OK" ZT_EOL_S); + printf("200 leave OK"ZT_EOL_S); } return 0; } else { - printf("%u %s %s" ZT_EOL_S,scode,command.c_str(),responseBody.c_str()); + printf("%u %s %s"ZT_EOL_S,scode,command.c_str(),responseBody.c_str()); return 1; } - } else if (command == "set") { - if (arg1.length() != 16) { - cliPrintHelp(argv[0],stderr); - return 2; - } - std::size_t eqidx = arg2.find('='); - if (eqidx != std::string::npos) { - if ((arg2.substr(0,eqidx) == "allowManaged")||(arg2.substr(0,eqidx) == "allowGlobal")||(arg2.substr(0,eqidx) == "allowDefault")) { - char jsons[1024]; - Utils::snprintf(jsons,sizeof(jsons),"{\"%s\":%s}", - arg2.substr(0,eqidx).c_str(), - (((arg2.substr(eqidx,2) == "=t")||(arg2.substr(eqidx,2) == "=1")) ? "true" : "false")); - char cl[128]; - Utils::snprintf(cl,sizeof(cl),"%u",(unsigned int)strlen(jsons)); - requestHeaders["Content-Type"] = "application/json"; - requestHeaders["Content-Length"] = cl; - unsigned int scode = Http::POST( - 1024 * 1024 * 16, - 60000, - (const struct sockaddr *)&addr, - (std::string("/network/") + arg1).c_str(), - requestHeaders, - jsons, - strlen(jsons), - responseHeaders, - responseBody); - if (scode == 200) { - printf("%s",cliFixJsonCRs(responseBody).c_str()); - return 0; - } else { - printf("%u %s %s" ZT_EOL_S,scode,command.c_str(),responseBody.c_str()); - return 1; - } - } - } else { - cliPrintHelp(argv[0],stderr); - return 2; - } } else { cliPrintHelp(argv[0],stderr); return 0; @@ -527,13 +570,13 @@ static void idtoolPrintHelp(FILE *out,const char *pn) fprintf(out, COPYRIGHT_NOTICE ZT_EOL_S LICENSE_GRANT ZT_EOL_S); - fprintf(out,"Usage: %s []" ZT_EOL_S"" ZT_EOL_S"Commands:" ZT_EOL_S,pn); - fprintf(out," generate [] [] []" ZT_EOL_S); - fprintf(out," validate " ZT_EOL_S); - fprintf(out," getpublic " ZT_EOL_S); - fprintf(out," sign " ZT_EOL_S); - fprintf(out," verify " ZT_EOL_S); - fprintf(out," mkcom [ ...] (hexadecimal integers)" ZT_EOL_S); + fprintf(out,"Usage: %s []"ZT_EOL_S""ZT_EOL_S"Commands:"ZT_EOL_S,pn); + fprintf(out," generate [] [] []"ZT_EOL_S); + fprintf(out," validate "ZT_EOL_S); + fprintf(out," getpublic "ZT_EOL_S); + fprintf(out," sign "ZT_EOL_S); + fprintf(out," verify "ZT_EOL_S); + fprintf(out," mkcom [ ...] (hexadecimal integers)"ZT_EOL_S); } static Identity getIdFromArg(char *arg) @@ -589,15 +632,15 @@ static int idtool(int argc,char **argv) std::string idser = id.toString(true); if (argc >= 3) { if (!OSUtils::writeFile(argv[2],idser)) { - fprintf(stderr,"Error writing to %s" ZT_EOL_S,argv[2]); + fprintf(stderr,"Error writing to %s"ZT_EOL_S,argv[2]); return 1; - } else printf("%s written" ZT_EOL_S,argv[2]); + } else printf("%s written"ZT_EOL_S,argv[2]); if (argc >= 4) { idser = id.toString(false); if (!OSUtils::writeFile(argv[3],idser)) { - fprintf(stderr,"Error writing to %s" ZT_EOL_S,argv[3]); + fprintf(stderr,"Error writing to %s"ZT_EOL_S,argv[3]); return 1; - } else printf("%s written" ZT_EOL_S,argv[3]); + } else printf("%s written"ZT_EOL_S,argv[3]); } } else printf("%s",idser.c_str()); } else if (!strcmp(argv[1],"validate")) { @@ -608,14 +651,14 @@ static int idtool(int argc,char **argv) Identity id = getIdFromArg(argv[2]); if (!id) { - fprintf(stderr,"Identity argument invalid or file unreadable: %s" ZT_EOL_S,argv[2]); + fprintf(stderr,"Identity argument invalid or file unreadable: %s"ZT_EOL_S,argv[2]); return 1; } if (!id.locallyValidate()) { - fprintf(stderr,"%s FAILED validation." ZT_EOL_S,argv[2]); + fprintf(stderr,"%s FAILED validation."ZT_EOL_S,argv[2]); return 1; - } else printf("%s is a valid identity" ZT_EOL_S,argv[2]); + } else printf("%s is a valid identity"ZT_EOL_S,argv[2]); } else if (!strcmp(argv[1],"getpublic")) { if (argc < 3) { idtoolPrintHelp(stdout,argv[0]); @@ -624,7 +667,7 @@ static int idtool(int argc,char **argv) Identity id = getIdFromArg(argv[2]); if (!id) { - fprintf(stderr,"Identity argument invalid or file unreadable: %s" ZT_EOL_S,argv[2]); + fprintf(stderr,"Identity argument invalid or file unreadable: %s"ZT_EOL_S,argv[2]); return 1; } @@ -637,18 +680,18 @@ static int idtool(int argc,char **argv) Identity id = getIdFromArg(argv[2]); if (!id) { - fprintf(stderr,"Identity argument invalid or file unreadable: %s" ZT_EOL_S,argv[2]); + fprintf(stderr,"Identity argument invalid or file unreadable: %s"ZT_EOL_S,argv[2]); return 1; } if (!id.hasPrivate()) { - fprintf(stderr,"%s does not contain a private key (must use private to sign)" ZT_EOL_S,argv[2]); + fprintf(stderr,"%s does not contain a private key (must use private to sign)"ZT_EOL_S,argv[2]); return 1; } std::string inf; if (!OSUtils::readFile(argv[3],inf)) { - fprintf(stderr,"%s is not readable" ZT_EOL_S,argv[3]); + fprintf(stderr,"%s is not readable"ZT_EOL_S,argv[3]); return 1; } C25519::Signature signature = id.sign(inf.data(),(unsigned int)inf.length()); @@ -661,21 +704,21 @@ static int idtool(int argc,char **argv) Identity id = getIdFromArg(argv[2]); if (!id) { - fprintf(stderr,"Identity argument invalid or file unreadable: %s" ZT_EOL_S,argv[2]); + fprintf(stderr,"Identity argument invalid or file unreadable: %s"ZT_EOL_S,argv[2]); return 1; } std::string inf; if (!OSUtils::readFile(argv[3],inf)) { - fprintf(stderr,"%s is not readable" ZT_EOL_S,argv[3]); + fprintf(stderr,"%s is not readable"ZT_EOL_S,argv[3]); return 1; } std::string signature(Utils::unhex(argv[4])); if ((signature.length() > ZT_ADDRESS_LENGTH)&&(id.verify(inf.data(),(unsigned int)inf.length(),signature.data(),(unsigned int)signature.length()))) { - printf("%s signature valid" ZT_EOL_S,argv[3]); + printf("%s signature valid"ZT_EOL_S,argv[3]); } else { - fprintf(stderr,"%s signature check FAILED" ZT_EOL_S,argv[3]); + fprintf(stderr,"%s signature check FAILED"ZT_EOL_S,argv[3]); return 1; } } else if (!strcmp(argv[1],"mkcom")) { @@ -686,7 +729,7 @@ static int idtool(int argc,char **argv) Identity id = getIdFromArg(argv[2]); if ((!id)||(!id.hasPrivate())) { - fprintf(stderr,"Identity argument invalid, does not include private key, or file unreadable: %s" ZT_EOL_S,argv[2]); + fprintf(stderr,"Identity argument invalid, does not include private key, or file unreadable: %s"ZT_EOL_S,argv[2]); return 1; } @@ -701,7 +744,7 @@ static int idtool(int argc,char **argv) } } if (!com.sign(id)) { - fprintf(stderr,"Signature of certificate of membership failed." ZT_EOL_S); + fprintf(stderr,"Signature of certificate of membership failed."ZT_EOL_S); return 1; } @@ -895,27 +938,27 @@ static void printHelp(const char *cn,FILE *out) LICENSE_GRANT ZT_EOL_S); std::string updateUrl(OneService::autoUpdateUrl()); if (updateUrl.length()) - fprintf(out,"Automatic updates enabled:" ZT_EOL_S" %s" ZT_EOL_S" (all updates are securely authenticated by 256-bit ECDSA signature)" ZT_EOL_S"" ZT_EOL_S,updateUrl.c_str()); - fprintf(out,"Usage: %s [-switches] [home directory]" ZT_EOL_S"" ZT_EOL_S,cn); - fprintf(out,"Available switches:" ZT_EOL_S); - fprintf(out," -h - Display this help" ZT_EOL_S); - fprintf(out," -v - Show version" ZT_EOL_S); - fprintf(out," -U - Run as unprivileged user (skip privilege check)" ZT_EOL_S); - fprintf(out," -p - Port for UDP and TCP/HTTP (default: 9993, 0 for random)" ZT_EOL_S); + fprintf(out,"Automatic updates enabled:"ZT_EOL_S" %s"ZT_EOL_S" (all updates are securely authenticated by 256-bit ECDSA signature)"ZT_EOL_S""ZT_EOL_S,updateUrl.c_str()); + fprintf(out,"Usage: %s [-switches] [home directory]"ZT_EOL_S""ZT_EOL_S,cn); + fprintf(out,"Available switches:"ZT_EOL_S); + fprintf(out," -h - Display this help"ZT_EOL_S); + fprintf(out," -v - Show version"ZT_EOL_S); + fprintf(out," -U - Run as unprivileged user (skip privilege check)"ZT_EOL_S); + fprintf(out," -p - Port for UDP and TCP/HTTP (default: 9993, 0 for random)"ZT_EOL_S); #ifdef __UNIX_LIKE__ - fprintf(out," -d - Fork and run as daemon (Unix-ish OSes)" ZT_EOL_S); + fprintf(out," -d - Fork and run as daemon (Unix-ish OSes)"ZT_EOL_S); #endif // __UNIX_LIKE__ #ifdef __WINDOWS__ - fprintf(out," -C - Run from command line instead of as service (Windows)" ZT_EOL_S); - fprintf(out," -I - Install Windows service (Windows)" ZT_EOL_S); - fprintf(out," -R - Uninstall Windows service (Windows)" ZT_EOL_S); - fprintf(out," -D - Remove all instances of Windows tap device (Windows)" ZT_EOL_S); + fprintf(out," -C - Run from command line instead of as service (Windows)"ZT_EOL_S); + fprintf(out," -I - Install Windows service (Windows)"ZT_EOL_S); + fprintf(out," -R - Uninstall Windows service (Windows)"ZT_EOL_S); + fprintf(out," -D - Remove all instances of Windows tap device (Windows)"ZT_EOL_S); #endif // __WINDOWS__ - fprintf(out," -i - Generate and manage identities (zerotier-idtool)" ZT_EOL_S); - fprintf(out," -q - Query API (zerotier-cli)" ZT_EOL_S); + fprintf(out," -i - Generate and manage identities (zerotier-idtool)"ZT_EOL_S); + fprintf(out," -q - Query API (zerotier-cli)"ZT_EOL_S); } #ifdef __WINDOWS__ @@ -993,7 +1036,7 @@ int main(int argc,char **argv) break; case 'v': // Display version - printf("%d.%d.%d" ZT_EOL_S,ZEROTIER_ONE_VERSION_MAJOR,ZEROTIER_ONE_VERSION_MINOR,ZEROTIER_ONE_VERSION_REVISION); + printf("%d.%d.%d"ZT_EOL_S,ZEROTIER_ONE_VERSION_MAJOR,ZEROTIER_ONE_VERSION_MINOR,ZEROTIER_ONE_VERSION_REVISION); return 0; case 'i': // Invoke idtool personality @@ -1015,12 +1058,12 @@ int main(int argc,char **argv) case 'I': { // Install this binary as a Windows service if (IsCurrentUserLocalAdministrator() != TRUE) { - fprintf(stderr,"%s: must be run as a local administrator." ZT_EOL_S,argv[0]); + fprintf(stderr,"%s: must be run as a local administrator."ZT_EOL_S,argv[0]); return 1; } std::string ret(InstallService(ZT_SERVICE_NAME,ZT_SERVICE_DISPLAY_NAME,ZT_SERVICE_START_TYPE,ZT_SERVICE_DEPENDENCIES,ZT_SERVICE_ACCOUNT,ZT_SERVICE_PASSWORD)); if (ret.length()) { - fprintf(stderr,"%s: unable to install service: %s" ZT_EOL_S,argv[0],ret.c_str()); + fprintf(stderr,"%s: unable to install service: %s"ZT_EOL_S,argv[0],ret.c_str()); return 3; } return 0; @@ -1028,12 +1071,12 @@ int main(int argc,char **argv) case 'R': { // Uninstall this binary as Windows service if (IsCurrentUserLocalAdministrator() != TRUE) { - fprintf(stderr,"%s: must be run as a local administrator." ZT_EOL_S,argv[0]); + fprintf(stderr,"%s: must be run as a local administrator."ZT_EOL_S,argv[0]); return 1; } std::string ret(UninstallService(ZT_SERVICE_NAME)); if (ret.length()) { - fprintf(stderr,"%s: unable to uninstall service: %s" ZT_EOL_S,argv[0],ret.c_str()); + fprintf(stderr,"%s: unable to uninstall service: %s"ZT_EOL_S,argv[0],ret.c_str()); return 3; } return 0; @@ -1042,7 +1085,7 @@ int main(int argc,char **argv) case 'D': { std::string err = WindowsEthernetTap::destroyAllPersistentTapDevices(); if (err.length() > 0) { - fprintf(stderr,"%s: unable to uninstall one or more persistent tap devices: %s" ZT_EOL_S,argv[0],err.c_str()); + fprintf(stderr,"%s: unable to uninstall one or more persistent tap devices: %s"ZT_EOL_S,argv[0],err.c_str()); return 3; } return 0; @@ -1068,7 +1111,7 @@ int main(int argc,char **argv) if (!homeDir.length()) homeDir = OneService::platformDefaultHomePath(); if (!homeDir.length()) { - fprintf(stderr,"%s: no home path specified and no platform default available" ZT_EOL_S,argv[0]); + fprintf(stderr,"%s: no home path specified and no platform default available"ZT_EOL_S,argv[0]); return 1; } else { std::vector hpsp(Utils::split(homeDir.c_str(),ZT_PATH_SEPARATOR_S,"","")); @@ -1086,23 +1129,17 @@ int main(int argc,char **argv) } } - // This can be removed once the new controller code has been around for many versions - if (OSUtils::fileExists((homeDir + ZT_PATH_SEPARATOR_S + "controller.db").c_str(),true)) { - fprintf(stderr,"%s: FATAL: an old controller.db exists in %s -- see instructions in controller/README.md for how to migrate!" ZT_EOL_S,argv[0],homeDir.c_str()); - return 1; - } - #ifdef __UNIX_LIKE__ #ifndef ZT_ONE_NO_ROOT_CHECK if ((!skipRootCheck)&&(getuid() != 0)) { - fprintf(stderr,"%s: must be run as root (uid 0)" ZT_EOL_S,argv[0]); + fprintf(stderr,"%s: must be run as root (uid 0)"ZT_EOL_S,argv[0]); return 1; } #endif // !ZT_ONE_NO_ROOT_CHECK if (runAsDaemon) { long p = (long)fork(); if (p < 0) { - fprintf(stderr,"%s: could not fork" ZT_EOL_S,argv[0]); + fprintf(stderr,"%s: could not fork"ZT_EOL_S,argv[0]); return 1; } else if (p > 0) return 0; // forked @@ -1119,7 +1156,7 @@ int main(int argc,char **argv) // Running in "interactive" mode (mostly for debugging) if (IsCurrentUserLocalAdministrator() != TRUE) { if (!skipRootCheck) { - fprintf(stderr,"%s: must be run as a local administrator." ZT_EOL_S,argv[0]); + fprintf(stderr,"%s: must be run as a local administrator."ZT_EOL_S,argv[0]); return 1; } } else { @@ -1134,7 +1171,7 @@ int main(int argc,char **argv) if (CServiceBase::Run(zt1Service) == TRUE) { return 0; } else { - fprintf(stderr,"%s: unable to start service (try -h for help)" ZT_EOL_S,argv[0]); + fprintf(stderr,"%s: unable to start service (try -h for help)"ZT_EOL_S,argv[0]); return 1; } } @@ -1161,7 +1198,7 @@ int main(int argc,char **argv) case OneService::ONE_NORMAL_TERMINATION: break; case OneService::ONE_UNRECOVERABLE_ERROR: - fprintf(stderr,"%s: fatal error: %s" ZT_EOL_S,argv[0],zt1Service->fatalErrorMessage().c_str()); + fprintf(stderr,"%s: fatal error: %s"ZT_EOL_S,argv[0],zt1Service->fatalErrorMessage().c_str()); returnValue = 1; break; case OneService::ONE_IDENTITY_COLLISION: { diff --git a/zerotierone/osdep/BSDEthernetTap.cpp b/zerotierone/osdep/BSDEthernetTap.cpp index e8d36c9..3e0c226 100644 --- a/zerotierone/osdep/BSDEthernetTap.cpp +++ b/zerotierone/osdep/BSDEthernetTap.cpp @@ -34,6 +34,7 @@ #include #include #include +#include #include #include #include diff --git a/zerotierone/osdep/Binder.hpp b/zerotierone/osdep/Binder.hpp index 72456d3..7dcea41 100644 --- a/zerotierone/osdep/Binder.hpp +++ b/zerotierone/osdep/Binder.hpp @@ -37,10 +37,9 @@ #include #include #include -#include -#ifdef __LINUX__ -#include -#include + +#if !defined(__ANDROID__) + #include #endif #endif @@ -48,7 +47,6 @@ #include #include #include -#include #include "../node/NonCopyable.hpp" #include "../node/InetAddress.hpp" @@ -129,9 +127,14 @@ public: template void refresh(Phy &phy,unsigned int port,INTERFACE_CHECKER &ifChecker) { - std::map localIfAddrs; + std::vector localIfAddrs; + std::vector<_Binding> newBindings; + std::vector::const_iterator si; + std::vector::const_iterator ii; + typename std::vector<_Binding>::const_iterator bi; PhySocket *udps; //PhySocket *tcps; + InetAddress ip; Mutex::Lock _l(_lock); #ifdef __WINDOWS__ @@ -149,10 +152,11 @@ public: default: break; case InetAddress::IP_SCOPE_PSEUDOPRIVATE: case InetAddress::IP_SCOPE_GLOBAL: + //case InetAddress::IP_SCOPE_LINK_LOCAL: case InetAddress::IP_SCOPE_SHARED: case InetAddress::IP_SCOPE_PRIVATE: ip.setPort(port); - localIfAddrs.insert(std::pair(ip,std::string())); + localIfAddrs.push_back(ip); break; } } @@ -163,6 +167,7 @@ public: } #else // not __WINDOWS__ + #if !defined(__ANDROID__) struct ifaddrs *ifatbl = (struct ifaddrs *)0; struct ifaddrs *ifa; @@ -170,16 +175,17 @@ public: ifa = ifatbl; while (ifa) { if ((ifa->ifa_name)&&(ifa->ifa_addr)) { - InetAddress ip = *(ifa->ifa_addr); + ip = *(ifa->ifa_addr); if (ifChecker.shouldBindInterface(ifa->ifa_name,ip)) { switch(ip.ipScope()) { default: break; case InetAddress::IP_SCOPE_PSEUDOPRIVATE: case InetAddress::IP_SCOPE_GLOBAL: + //case InetAddress::IP_SCOPE_LINK_LOCAL: case InetAddress::IP_SCOPE_SHARED: case InetAddress::IP_SCOPE_PRIVATE: ip.setPort(port); - localIfAddrs.insert(std::pair(ip,std::string(ifa->ifa_name))); + localIfAddrs.push_back(ip); break; } } @@ -188,56 +194,43 @@ public: } freeifaddrs(ifatbl); } + #endif #endif // Default to binding to wildcard if we can't enumerate addresses - if (localIfAddrs.empty()) { - localIfAddrs.insert(std::pair(InetAddress((uint32_t)0,port),std::string())); - localIfAddrs.insert(std::pair(InetAddress((const void *)"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0",16,port),std::string())); + if (localIfAddrs.size() == 0) { + localIfAddrs.push_back(InetAddress((uint32_t)0,port)); + localIfAddrs.push_back(InetAddress((const void *)"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0",16,port)); } // Close any old bindings to anything that doesn't exist anymore - for(typename std::vector<_Binding>::const_iterator bi(_bindings.begin());bi!=_bindings.end();++bi) { - if (localIfAddrs.find(bi->address) == localIfAddrs.end()) { + for(bi=_bindings.begin();bi!=_bindings.end();++bi) { + if (std::find(localIfAddrs.begin(),localIfAddrs.end(),bi->address) == localIfAddrs.end()) { phy.close(bi->udpSock,false); phy.close(bi->tcpListenSock,false); } } - std::vector<_Binding> newBindings; - for(std::map::const_iterator ii(localIfAddrs.begin());ii!=localIfAddrs.end();++ii) { - typename std::vector<_Binding>::const_iterator bi(_bindings.begin()); - while (bi != _bindings.end()) { - if (bi->address == ii->first) { + for(ii=localIfAddrs.begin();ii!=localIfAddrs.end();++ii) { + // Copy over bindings that still are valid + for(bi=_bindings.begin();bi!=_bindings.end();++bi) { + if (bi->address == *ii) { newBindings.push_back(*bi); break; } - ++bi; } + // Add new bindings if (bi == _bindings.end()) { - udps = phy.udpBind(reinterpret_cast(&(ii->first)),(void *)0,ZT_UDP_DESIRED_BUF_SIZE); + udps = phy.udpBind(reinterpret_cast(&(*ii)),(void *)0,ZT_UDP_DESIRED_BUF_SIZE); if (udps) { //tcps = phy.tcpListen(reinterpret_cast(&ii),(void *)0); //if (tcps) { -#ifdef __LINUX__ - // Bind Linux sockets to their device so routes tha we manage do not override physical routes (wish all platforms had this!) - if (ii->second.length() > 0) { - int fd = (int)Phy::getDescriptor(udps); - char tmp[256]; - Utils::scopy(tmp,sizeof(tmp),ii->second.c_str()); - if (fd >= 0) { - if (setsockopt(fd,SOL_SOCKET,SO_BINDTODEVICE,tmp,strlen(tmp)) != 0) { - fprintf(stderr,"WARNING: unable to set SO_BINDTODEVICE to bind %s to %s\n",ii->first.toIpString().c_str(),ii->second.c_str()); - } - } - } -#endif // __LINUX__ newBindings.push_back(_Binding()); newBindings.back().udpSock = udps; //newBindings.back().tcpListenSock = tcps; - newBindings.back().address = ii->first; + newBindings.back().address = *ii; //} else { // phy.close(udps,false); //} @@ -245,6 +238,12 @@ public: } } + /* + for(bi=newBindings.begin();bi!=newBindings.end();++bi) { + printf("Binder: bound to %s\n",bi->address.toString().c_str()); + } + */ + // Swapping pointers and then letting the old one fall out of scope is faster than copying again _bindings.swap(newBindings); } diff --git a/zerotierone/osdep/Http.cpp b/zerotierone/osdep/Http.cpp index 064ccd0..ccdc6ba 100644 --- a/zerotierone/osdep/Http.cpp +++ b/zerotierone/osdep/Http.cpp @@ -25,12 +25,7 @@ #include "OSUtils.hpp" #include "../node/Constants.hpp" #include "../node/Utils.hpp" - -#ifdef ZT_USE_SYSTEM_HTTP_PARSER -#include -#else #include "../ext/http-parser/http_parser.h" -#endif namespace ZeroTier { @@ -38,18 +33,12 @@ namespace { static int ShttpOnMessageBegin(http_parser *parser); static int ShttpOnUrl(http_parser *parser,const char *ptr,size_t length); -#if (HTTP_PARSER_VERSION_MAJOR >= 2) && (HTTP_PARSER_VERSION_MINOR >= 2) static int ShttpOnStatus(http_parser *parser,const char *ptr,size_t length); -#else -static int ShttpOnStatus(http_parser *parser); -#endif static int ShttpOnHeaderField(http_parser *parser,const char *ptr,size_t length); static int ShttpOnValue(http_parser *parser,const char *ptr,size_t length); static int ShttpOnHeadersComplete(http_parser *parser); static int ShttpOnBody(http_parser *parser,const char *ptr,size_t length); static int ShttpOnMessageComplete(http_parser *parser); - -#if (HTTP_PARSER_VERSION_MAJOR >= 2) && (HTTP_PARSER_VERSION_MINOR >= 1) static const struct http_parser_settings HTTP_PARSER_SETTINGS = { ShttpOnMessageBegin, ShttpOnUrl, @@ -60,17 +49,6 @@ static const struct http_parser_settings HTTP_PARSER_SETTINGS = { ShttpOnBody, ShttpOnMessageComplete }; -#else -static const struct http_parser_settings HTTP_PARSER_SETTINGS = { - ShttpOnMessageBegin, - ShttpOnUrl, - ShttpOnHeaderField, - ShttpOnValue, - ShttpOnHeadersComplete, - ShttpOnBody, - ShttpOnMessageComplete -}; -#endif struct HttpPhyHandler { @@ -102,7 +80,7 @@ struct HttpPhyHandler phy->close(sock); } - inline void phyOnTcpWritable(PhySocket *sock,void **uptr) + inline void phyOnTcpWritable(PhySocket *sock,void **uptr, bool lwip_invoked) { if (writePtr < writeSize) { long n = phy->streamSend(sock,writeBuf + writePtr,writeSize - writePtr,true); @@ -148,18 +126,12 @@ static int ShttpOnUrl(http_parser *parser,const char *ptr,size_t length) { return 0; } -#if (HTTP_PARSER_VERSION_MAJOR >= 2) && (HTTP_PARSER_VERSION_MINOR >= 2) static int ShttpOnStatus(http_parser *parser,const char *ptr,size_t length) -#else -static int ShttpOnStatus(http_parser *parser) -#endif { - /* HttpPhyHandler *hh = reinterpret_cast(parser->data); hh->messageSize += (unsigned long)length; if (hh->messageSize > hh->maxResponseSize) return -1; - */ return 0; } static int ShttpOnHeaderField(http_parser *parser,const char *ptr,size_t length) diff --git a/zerotierone/osdep/LinuxEthernetTap.cpp b/zerotierone/osdep/LinuxEthernetTap.cpp index e336bb6..c66b7a3 100644 --- a/zerotierone/osdep/LinuxEthernetTap.cpp +++ b/zerotierone/osdep/LinuxEthernetTap.cpp @@ -95,12 +95,12 @@ LinuxEthernetTap::LinuxEthernetTap( // Try to recall our last device name, or pick an unused one if that fails. bool recalledDevice = false; std::string devmapbuf; - Dictionary<8194> devmap; + Dictionary devmap; if (OSUtils::readFile((_homePath + ZT_PATH_SEPARATOR_S + "devicemap").c_str(),devmapbuf)) { - devmap.load(devmapbuf.c_str()); - char desiredDevice[128]; - if (devmap.get(nwids,desiredDevice,sizeof(desiredDevice)) > 0) { - Utils::scopy(ifr.ifr_name,sizeof(ifr.ifr_name),desiredDevice); + devmap.fromString(devmapbuf); + std::string desiredDevice(devmap.get(nwids,"")); + if (desiredDevice.length() > 2) { + Utils::scopy(ifr.ifr_name,sizeof(ifr.ifr_name),desiredDevice.c_str()); Utils::snprintf(procpath,sizeof(procpath),"/proc/sys/net/ipv4/conf/%s",ifr.ifr_name); recalledDevice = (stat(procpath,&sbuf) != 0); } @@ -172,18 +172,17 @@ LinuxEthernetTap::LinuxEthernetTap( // Set close-on-exec so that devices cannot persist if we fork/exec for update ::fcntl(_fd,F_SETFD,fcntl(_fd,F_GETFD) | FD_CLOEXEC); - (void)::pipe(_shutdownSignalPipe); + ::pipe(_shutdownSignalPipe); - devmap.erase(nwids); - devmap.add(nwids,_dev.c_str()); - OSUtils::writeFile((_homePath + ZT_PATH_SEPARATOR_S + "devicemap").c_str(),(const void *)devmap.data(),devmap.sizeBytes()); + devmap[nwids] = _dev; + OSUtils::writeFile((_homePath + ZT_PATH_SEPARATOR_S + "devicemap").c_str(),devmap.toString()); _thread = Thread::start(this); } LinuxEthernetTap::~LinuxEthernetTap() { - (void)::write(_shutdownSignalPipe[1],"\0",1); // causes thread to exit + ::write(_shutdownSignalPipe[1],"\0",1); // causes thread to exit Thread::join(_thread); ::close(_fd); ::close(_shutdownSignalPipe[0]); @@ -254,7 +253,7 @@ bool LinuxEthernetTap::removeIp(const InetAddress &ip) if (!ip) return true; std::vector allIps(ips()); - if (std::find(allIps.begin(),allIps.end(),ip) != allIps.end()) { + if (!std::binary_search(allIps.begin(),allIps.end(),ip)) { if (___removeIp(_dev,ip)) return true; } @@ -294,7 +293,7 @@ std::vector LinuxEthernetTap::ips() const freeifaddrs(ifa); std::sort(r.begin(),r.end()); - r.erase(std::unique(r.begin(),r.end()),r.end()); + std::unique(r.begin(),r.end()); return r; } @@ -308,7 +307,7 @@ void LinuxEthernetTap::put(const MAC &from,const MAC &to,unsigned int etherType, *((uint16_t *)(putBuf + 12)) = htons((uint16_t)etherType); memcpy(putBuf + 14,data,len); len += 14; - (void)::write(_fd,putBuf,len); + ::write(_fd,putBuf,len); } } @@ -356,7 +355,7 @@ void LinuxEthernetTap::scanMulticastGroups(std::vector &added,st newGroups.push_back(MulticastGroup::deriveMulticastGroupForAddressResolution(*ip)); std::sort(newGroups.begin(),newGroups.end()); - newGroups.erase(std::unique(newGroups.begin(),newGroups.end()),newGroups.end()); + std::unique(newGroups.begin(),newGroups.end()); for(std::vector::iterator m(newGroups.begin());m!=newGroups.end();++m) { if (!std::binary_search(_multicastGroups.begin(),_multicastGroups.end(),*m)) diff --git a/zerotierone/osdep/OSUtils.cpp b/zerotierone/osdep/OSUtils.cpp index 086bb26..829322a 100644 --- a/zerotierone/osdep/OSUtils.cpp +++ b/zerotierone/osdep/OSUtils.cpp @@ -37,11 +37,7 @@ #endif #ifdef __WINDOWS__ -#include #include -#include -#include -#include #endif #include "OSUtils.hpp" @@ -107,86 +103,6 @@ std::vector OSUtils::listDirectory(const char *path) return r; } -std::vector OSUtils::listSubdirectories(const char *path) -{ - std::vector r; - -#ifdef __WINDOWS__ - HANDLE hFind; - WIN32_FIND_DATAA ffd; - if ((hFind = FindFirstFileA((std::string(path) + "\\*").c_str(),&ffd)) != INVALID_HANDLE_VALUE) { - do { - if ((strcmp(ffd.cFileName,"."))&&(strcmp(ffd.cFileName,".."))&&((ffd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0)) - r.push_back(std::string(ffd.cFileName)); - } while (FindNextFileA(hFind,&ffd)); - FindClose(hFind); - } -#else - struct dirent de; - struct dirent *dptr; - DIR *d = opendir(path); - if (!d) - return r; - dptr = (struct dirent *)0; - for(;;) { - if (readdir_r(d,&de,&dptr)) - break; - if (dptr) { - if ((strcmp(dptr->d_name,"."))&&(strcmp(dptr->d_name,".."))&&(dptr->d_type == DT_DIR)) - r.push_back(std::string(dptr->d_name)); - } else break; - } - closedir(d); -#endif - - return r; -} - -bool OSUtils::rmDashRf(const char *path) -{ -#ifdef __WINDOWS__ - HANDLE hFind; - WIN32_FIND_DATAA ffd; - if ((hFind = FindFirstFileA((std::string(path) + "\\*").c_str(),&ffd)) != INVALID_HANDLE_VALUE) { - do { - if ((strcmp(ffd.cFileName,".") != 0)&&(strcmp(ffd.cFileName,"..") != 0)) { - if ((ffd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) == 0) { - if (DeleteFileA((std::string(path) + ZT_PATH_SEPARATOR_S + ffd.cFileName).c_str()) == FALSE) - return false; - } else { - if (!rmDashRf((std::string(path) + ZT_PATH_SEPARATOR_S + ffd.cFileName).c_str())) - return false; - } - } - } while (FindNextFileA(hFind,&ffd)); - FindClose(hFind); - } - return (RemoveDirectoryA(path) != FALSE); -#else - struct dirent de; - struct dirent *dptr; - DIR *d = opendir(path); - if (!d) - return true; - dptr = (struct dirent *)0; - for(;;) { - if (readdir_r(d,&de,&dptr)) - break; - if ((dptr)&&(strcmp(dptr->d_name,".") != 0)&&(strcmp(dptr->d_name,"..") != 0)) { - std::string p(path); - p.push_back(ZT_PATH_SEPARATOR); - p.append(dptr->d_name); - if (unlink(p.c_str()) != 0) { - if (!rmDashRf(p.c_str())) - return false; - } - } else break; - } - closedir(d); - return (rmdir(path) == 0); -#endif -} - void OSUtils::lockDownFile(const char *path,bool isDir) { #ifdef __UNIX_LIKE__ @@ -311,42 +227,6 @@ bool OSUtils::writeFile(const char *path,const void *buf,unsigned int len) return false; } -std::string OSUtils::platformDefaultHomePath() -{ -#ifdef __UNIX_LIKE__ - -#ifdef __APPLE__ - // /Library/... on Apple - return std::string("/Library/Application Support/ZeroTier/One"); -#else - -#ifdef __BSD__ - // BSD likes /var/db instead of /var/lib - return std::string("/var/db/zerotier-one"); -#else - // Use /var/lib for Linux and other *nix - return std::string("/var/lib/zerotier-one"); -#endif - -#endif - -#else // not __UNIX_LIKE__ - -#ifdef __WINDOWS__ - // Look up app data folder on Windows, e.g. C:\ProgramData\... - char buf[16384]; - if (SUCCEEDED(SHGetFolderPathA(NULL,CSIDL_COMMON_APPDATA,NULL,0,buf))) - return (std::string(buf) + "\\ZeroTier\\One"); - else return std::string("C:\\ZeroTier\\One"); -#else - - return (std::string(ZT_PATH_SEPARATOR_S) + "ZeroTier" + ZT_PATH_SEPARATOR_S + "One"); // UNKNOWN PLATFORM - -#endif - -#endif // __UNIX_LIKE__ or not... -} - // Used to convert HTTP header names to ASCII lower case const unsigned char OSUtils::TOLOWER_TABLE[256] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, ' ', '!', '"', '#', '$', '%', '&', 0x27, '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', 0x7f, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff }; diff --git a/zerotierone/osdep/OSUtils.hpp b/zerotierone/osdep/OSUtils.hpp index 4f74344..80f7bfe 100644 --- a/zerotierone/osdep/OSUtils.hpp +++ b/zerotierone/osdep/OSUtils.hpp @@ -105,26 +105,10 @@ public: * This returns only files, not sub-directories. * * @param path Path to list - * @return Names of files in directory (without path prepended) + * @return Names of files in directory */ static std::vector listDirectory(const char *path); - /** - * List a directory's subdirectories - * - * @param path Path to list - * @return Names of subdirectories (without path prepended) - */ - static std::vector listSubdirectories(const char *path); - - /** - * Delete a directory and all its files and subdirectories recursively - * - * @param path Path to delete - * @return True on success - */ - static bool rmDashRf(const char *path); - /** * Set modes on a file to something secure * @@ -251,11 +235,6 @@ public: */ static inline char toLower(char c) throw() { return (char)OSUtils::TOLOWER_TABLE[(unsigned long)c]; } - /** - * @return Platform default ZeroTier One home path - */ - static std::string platformDefaultHomePath(); - private: static const unsigned char TOLOWER_TABLE[256]; }; diff --git a/zerotierone/osdep/OSXEthernetTap.cpp b/zerotierone/osdep/OSXEthernetTap.cpp index b358092..8ffd2bf 100644 --- a/zerotierone/osdep/OSXEthernetTap.cpp +++ b/zerotierone/osdep/OSXEthernetTap.cpp @@ -34,6 +34,7 @@ #include #include #include +#include #include #include #include @@ -43,7 +44,6 @@ #include #include #include -#include #include #include #include @@ -354,12 +354,12 @@ OSXEthernetTap::OSXEthernetTap( // Try to reopen the last device we had, if we had one and it's still unused. bool recalledDevice = false; std::string devmapbuf; - Dictionary<8194> devmap; + Dictionary devmap; if (OSUtils::readFile((_homePath + ZT_PATH_SEPARATOR_S + "devicemap").c_str(),devmapbuf)) { - devmap.load(devmapbuf.c_str()); - char desiredDevice[128]; - if (devmap.get(nwids,desiredDevice,sizeof(desiredDevice)) > 0) { - Utils::snprintf(devpath,sizeof(devpath),"/dev/%s",desiredDevice); + devmap.fromString(devmapbuf); + std::string desiredDevice(devmap.get(nwids,"")); + if (desiredDevice.length() > 2) { + Utils::snprintf(devpath,sizeof(devpath),"/dev/%s",desiredDevice.c_str()); if (stat(devpath,&stattmp) == 0) { _fd = ::open(devpath,O_RDWR); if (_fd > 0) { @@ -420,9 +420,8 @@ OSXEthernetTap::OSXEthernetTap( ++globalTapsRunning; - devmap.erase(nwids); - devmap.add(nwids,_dev.c_str()); - OSUtils::writeFile((_homePath + ZT_PATH_SEPARATOR_S + "devicemap").c_str(),(const void *)devmap.data(),devmap.sizeBytes()); + devmap[nwids] = _dev; + OSUtils::writeFile((_homePath + ZT_PATH_SEPARATOR_S + "devicemap").c_str(),devmap.toString()); _thread = Thread::start(this); } @@ -474,7 +473,7 @@ bool OSXEthernetTap::addIp(const InetAddress &ip) long cpid = (long)vfork(); if (cpid == 0) { - ::execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),(ip.ss_family == AF_INET6) ? "inet6" : "inet",ip.toString().c_str(),"alias",(const char *)0); + ::execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),ip.isV4() ? "inet" : "inet6",ip.toString().c_str(),"alias",(const char *)0); ::_exit(-1); } else if (cpid > 0) { int exitcode = -1; @@ -494,7 +493,7 @@ bool OSXEthernetTap::removeIp(const InetAddress &ip) if (*i == ip) { long cpid = (long)vfork(); if (cpid == 0) { - execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),(ip.ss_family == AF_INET6) ? "inet6" : "inet",ip.toIpString().c_str(),"-alias",(const char *)0); + execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),"inet",ip.toIpString().c_str(),"-alias",(const char *)0); _exit(-1); } else if (cpid > 0) { int exitcode = -1; diff --git a/zerotierone/osdep/Phy.hpp b/zerotierone/osdep/Phy.hpp index eab8a31..307cc50 100644 --- a/zerotierone/osdep/Phy.hpp +++ b/zerotierone/osdep/Phy.hpp @@ -252,7 +252,7 @@ public: #if defined(_WIN32) || defined(_WIN64) ::send(_whackSendSocket,(const char *)this,1,0); #else - (void)(::write(_whackSendSocket,(PhySocket *)this,1)); + ::write(_whackSendSocket,(PhySocket *)this,1); #endif } @@ -545,6 +545,7 @@ public: #endif if (::bind(s,localAddress,(localAddress->sa_family == AF_INET6) ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in))) { + perror("bind"); ZT_PHY_CLOSE_SOCKET(s); return (PhySocket *)0; } @@ -917,7 +918,7 @@ public: } if ((FD_ISSET(sock,&wfds))&&(FD_ISSET(sock,&_writefds))) { try { - _handler->phyOnTcpWritable((PhySocket *)&(*s),&(s->uptr)); + _handler->phyOnTcpWritable((PhySocket *)&(*s),&(s->uptr),false); } catch ( ... ) {} } } break; diff --git a/zerotierone/osdep/PortMapper.cpp b/zerotierone/osdep/PortMapper.cpp index d3a1938..888cd65 100644 --- a/zerotierone/osdep/PortMapper.cpp +++ b/zerotierone/osdep/PortMapper.cpp @@ -41,19 +41,9 @@ #endif #endif -#ifdef ZT_USE_SYSTEM_MINIUPNPC -#include -#include -#else #include "../ext/miniupnpc/miniupnpc.h" #include "../ext/miniupnpc/upnpcommands.h" -#endif - -#ifdef ZT_USE_SYSTEM_NATPMP -#include -#else #include "../ext/libnatpmp/natpmp.h" -#endif namespace ZeroTier { diff --git a/zerotierone/osdep/Thread.hpp b/zerotierone/osdep/Thread.hpp index 9f6fb5a..7fb38d8 100644 --- a/zerotierone/osdep/Thread.hpp +++ b/zerotierone/osdep/Thread.hpp @@ -125,18 +125,9 @@ public: throw() { memset(&_tid,0,sizeof(_tid)); - pthread_attr_init(&_tattr); - // This corrects for systems with abnormally small defaults (musl) and also - // shrinks the stack on systems with large defaults to save a bit of memory. - pthread_attr_setstacksize(&_tattr,524288); _started = false; } - ~Thread() - { - pthread_attr_destroy(&_tattr); - } - Thread(const Thread &t) throw() { @@ -166,7 +157,7 @@ public: { Thread t; t._started = true; - if (pthread_create(&t._tid,&t._tattr,&___zt_threadMain,instance)) + if (pthread_create(&t._tid,(const pthread_attr_t *)0,&___zt_threadMain,instance)) throw std::runtime_error("pthread_create() failed, unable to create thread"); return t; } @@ -193,7 +184,6 @@ public: private: pthread_t _tid; - pthread_attr_t _tattr; volatile bool _started; }; diff --git a/zerotierone/osdep/WindowsEthernetTap.cpp b/zerotierone/osdep/WindowsEthernetTap.cpp index 7e1a5a1..d60c0d5 100644 --- a/zerotierone/osdep/WindowsEthernetTap.cpp +++ b/zerotierone/osdep/WindowsEthernetTap.cpp @@ -861,14 +861,6 @@ void WindowsEthernetTap::scanMulticastGroups(std::vector &added, _multicastGroups.swap(newGroups); } -NET_IFINDEX WindowsEthernetTap::interfaceIndex() const -{ - NET_IFINDEX idx = -1; - if (ConvertInterfaceLuidToIndex(&_deviceLuid,&idx) == NO_ERROR) - return idx; - return -1; -} - void WindowsEthernetTap::threadMain() throw() { diff --git a/zerotierone/osdep/WindowsEthernetTap.hpp b/zerotierone/osdep/WindowsEthernetTap.hpp index 0bbb17d..5474126 100644 --- a/zerotierone/osdep/WindowsEthernetTap.hpp +++ b/zerotierone/osdep/WindowsEthernetTap.hpp @@ -105,7 +105,6 @@ public: inline const NET_LUID &luid() const { return _deviceLuid; } inline const GUID &guid() const { return _deviceGuid; } inline const std::string &instanceId() const { return _deviceInstanceId; } - NET_IFINDEX interfaceIndex() const; void threadMain() throw(); diff --git a/zerotierone/selftest.cpp b/zerotierone/selftest.cpp index aecccd2..33ec9e4 100644 --- a/zerotierone/selftest.cpp +++ b/zerotierone/selftest.cpp @@ -53,6 +53,10 @@ #include "osdep/PortMapper.hpp" #include "osdep/Thread.hpp" +#ifdef ZT_ENABLE_NETWORK_CONTROLLER +#include "controller/SqliteNetworkController.hpp" +#endif // ZT_ENABLE_NETWORK_CONTROLLER + #ifdef __WINDOWS__ #include #endif @@ -501,6 +505,19 @@ static int testCertificate() return -1; } + std::cout << "[certificate] Testing string serialization... "; + CertificateOfMembership copyA(cA.toString()); + CertificateOfMembership copyB(cB.toString()); + if (copyA != cA) { + std::cout << "FAIL" << std::endl; + return -1; + } + if (copyB != cB) { + std::cout << "FAIL" << std::endl; + return -1; + } + std::cout << "PASS" << std::endl; + std::cout << "[certificate] Generating two certificates that should not agree..."; cA = CertificateOfMembership(10000,100,1,idA.address()); cB = CertificateOfMembership(10101,100,1,idB.address()); @@ -747,65 +764,28 @@ static int testOther() } std::cout << "PASS" << std::endl; - std::cout << "[other] Testing/fuzzing Dictionary... "; std::cout.flush(); + std::cout << "[other] Testing Dictionary... "; std::cout.flush(); for(int k=0;k<1000;++k) { - Dictionary<8194> test; - char key[32][16]; - char value[32][128]; - for(unsigned int q=0;q<32;++q) { - Utils::snprintf(key[q],16,"%.8lx",(unsigned long)rand()); - int r = rand() % 128; - for(int x=0;x= 0) { - if (strcmp(value[r],tmp)) { - std::cout << "FAILED (invalid value)!" << std::endl; - return -1; - } - } else { - std::cout << "FAILED (can't find key '" << key[r] << "')!" << std::endl; - return -1; - } - } - for(unsigned int q=0;q<31;++q) { - char tmp[128]; - test.erase(key[q]); - if (test.get(key[q],tmp,sizeof(tmp)) >= 0) { - std::cout << "FAILED (key should have been erased)!" << std::endl; - return -1; - } - if (test.get(key[q+1],tmp,sizeof(tmp)) < 0) { - std::cout << "FAILED (key should NOT have been erased)!" << std::endl; - return -1; - } + std::string aser = a.toString(); + b.fromString(aser); + if (a != b) { + std::cout << "FAIL!" << std::endl; + return -1; } } - int foo = 0; - volatile int *volatile bar = &foo; // force compiler not to optimize out test.get() below - for(int k=0;k<200;++k) { - int r = rand() % 8194; - unsigned char tmp[8194]; - for(int q=0;q test((const char *)tmp); - for(unsigned int q=0;q<100;++q) { - char tmp[128]; - for(unsigned int x=0;x<128;++x) - tmp[x] = (char)(rand() & 0xff); - tmp[127] = (char)0; - char value[8194]; - *bar += test.get(tmp,value,sizeof(value)); - } - } - std::cout << "PASS (junk value to prevent optimization-out of test: " << foo << ")" << std::endl; + std::cout << "PASS" << std::endl; return 0; } @@ -958,6 +938,42 @@ static int testPhy() return 0; } +static int testSqliteNetworkController() +{ +#ifdef ZT_ENABLE_NETWORK_CONTROLLER + + OSUtils::rm("./selftest_network_controller.db"); + + try { + std::cout << "[network-controller] Generating signing identity..." << std::endl; + Identity signingId; + signingId.generate(); + + { + std::cout << "[network-controller] Creating database..." << std::endl; + SqliteNetworkController controller("./selftest_network_controller.db"); + std::cout << "[network-controller] Closing database..." << std::endl; + } + + { + std::cout << "[network-controller] Re-opening database..." << std::endl; + SqliteNetworkController controller("./selftest_network_controller.db"); + std::cout << "[network-controller] Closing database..." << std::endl; + } + } catch (std::runtime_error &exc) { + std::cout << "FAIL! (unexpected exception: " << exc.what() << ")" << std::endl; + return -1; + } catch ( ... ) { + std::cout << "FAIL! (unexpected exception: ...)" << std::endl; + return -1; + } + + OSUtils::rm("./selftest_network_controller.db"); + +#endif // ZT_ENABLE_NETWORK_CONTROLLER + return 0; +} + static int testResolver() { std::cout << "[resolver] Testing BackgroundResolver..."; std::cout.flush(); @@ -975,7 +991,6 @@ static int testResolver() return 0; } -/* static int testHttp() { std::map requestHeaders,responseHeaders; @@ -1018,7 +1033,6 @@ static int testHttp() return 0; } -*/ #ifdef __WINDOWS__ int _tmain(int argc, _TCHAR* argv[]) @@ -1076,6 +1090,7 @@ int main(int argc,char **argv) srand((unsigned int)time(0)); ///* + r |= testSqliteNetworkController(); r |= testOther(); r |= testCrypto(); r |= testPacket(); diff --git a/zerotierone/service/ControlPlane.cpp b/zerotierone/service/ControlPlane.cpp index 5c13563..060f49e 100644 --- a/zerotierone/service/ControlPlane.cpp +++ b/zerotierone/service/ControlPlane.cpp @@ -22,16 +22,12 @@ #include "../version.h" #include "../include/ZeroTierOne.h" -#ifdef ZT_USE_SYSTEM_HTTP_PARSER -#include -#else #include "../ext/http-parser/http_parser.h" + +#ifdef ZT_ENABLE_NETWORK_CONTROLLER +#include "../controller/SqliteNetworkController.hpp" #endif -#include "../ext/json/json.hpp" - -#include "../controller/EmbeddedNetworkController.hpp" - #include "../node/InetAddress.hpp" #include "../node/Node.hpp" #include "../node/Utils.hpp" @@ -59,6 +55,28 @@ static std::string _jsonEscape(const char *s) } static std::string _jsonEscape(const std::string &s) { return _jsonEscape(s.c_str()); } +static std::string _jsonEnumerate(const ZT_MulticastGroup *mg,unsigned int count) +{ + std::string buf; + char tmp[128]; + buf.push_back('['); + for(unsigned int i=0;i 0) + buf.push_back(','); + Utils::snprintf(tmp,sizeof(tmp),"\"%.2x:%.2x:%.2x:%.2x:%.2x:%.2x\\/%.8lx\"", + (unsigned int)((mg[i].mac >> 40) & 0xff), + (unsigned int)((mg[i].mac >> 32) & 0xff), + (unsigned int)((mg[i].mac >> 24) & 0xff), + (unsigned int)((mg[i].mac >> 16) & 0xff), + (unsigned int)((mg[i].mac >> 8) & 0xff), + (unsigned int)(mg[i].mac & 0xff), + (unsigned long)(mg[i].adi)); + buf.append(tmp); + } + buf.push_back(']'); + return buf; +} + static std::string _jsonEnumerate(const struct sockaddr_storage *ss,unsigned int count) { std::string buf; @@ -73,30 +91,8 @@ static std::string _jsonEnumerate(const struct sockaddr_storage *ss,unsigned int buf.push_back(']'); return buf; } -static std::string _jsonEnumerate(const ZT_VirtualNetworkRoute *routes,unsigned int count) -{ - std::string buf; - buf.push_back('['); - for(unsigned int i=0;i 0) - buf.push_back(','); - buf.append("{\"target\":\""); - buf.append(_jsonEscape(reinterpret_cast(&(routes[i].target))->toString())); - buf.append("\",\"via\":"); - if (routes[i].via.ss_family == routes[i].target.ss_family) { - buf.push_back('"'); - buf.append(_jsonEscape(reinterpret_cast(&(routes[i].via))->toIpString())); - buf.append("\","); - } else buf.append("null,"); - char tmp[1024]; - Utils::snprintf(tmp,sizeof(tmp),"\"flags\":%u,\"metric\":%u}",(unsigned int)routes[i].flags,(unsigned int)routes[i].metric); - buf.append(tmp); - } - buf.push_back(']'); - return buf; -} -static void _jsonAppend(unsigned int depth,std::string &buf,const ZT_VirtualNetworkConfig *nc,const std::string &portDeviceName,const OneService::NetworkSettings &localSettings) +static void _jsonAppend(unsigned int depth,std::string &buf,const ZT_VirtualNetworkConfig *nc,const std::string &portDeviceName) { char json[4096]; char prefix[32]; @@ -134,12 +130,9 @@ static void _jsonAppend(unsigned int depth,std::string &buf,const ZT_VirtualNetw "%s\t\"broadcastEnabled\": %s,\n" "%s\t\"portError\": %d,\n" "%s\t\"netconfRevision\": %lu,\n" + "%s\t\"multicastSubscriptions\": %s,\n" "%s\t\"assignedAddresses\": %s,\n" - "%s\t\"routes\": %s,\n" - "%s\t\"portDeviceName\": \"%s\",\n" - "%s\t\"allowManaged\": %s,\n" - "%s\t\"allowGlobal\": %s,\n" - "%s\t\"allowDefault\": %s\n" + "%s\t\"portDeviceName\": \"%s\"\n" "%s}", prefix, prefix,nc->nwid, @@ -153,19 +146,16 @@ static void _jsonAppend(unsigned int depth,std::string &buf,const ZT_VirtualNetw prefix,(nc->broadcastEnabled == 0) ? "false" : "true", prefix,nc->portError, prefix,nc->netconfRevision, + prefix,_jsonEnumerate(nc->multicastSubscriptions,nc->multicastSubscriptionCount).c_str(), prefix,_jsonEnumerate(nc->assignedAddresses,nc->assignedAddressCount).c_str(), - prefix,_jsonEnumerate(nc->routes,nc->routeCount).c_str(), prefix,_jsonEscape(portDeviceName).c_str(), - prefix,(localSettings.allowManaged) ? "true" : "false", - prefix,(localSettings.allowGlobal) ? "true" : "false", - prefix,(localSettings.allowDefault) ? "true" : "false", prefix); buf.append(json); } static std::string _jsonEnumerate(unsigned int depth,const ZT_PeerPhysicalPath *pp,unsigned int count) { - char json[2048]; + char json[1024]; char prefix[32]; if (depth >= sizeof(prefix)) // sanity check -- shouldn't be possible @@ -184,17 +174,13 @@ static std::string _jsonEnumerate(unsigned int depth,const ZT_PeerPhysicalPath * "%s\t\"lastSend\": %llu,\n" "%s\t\"lastReceive\": %llu,\n" "%s\t\"active\": %s,\n" - "%s\t\"expired\": %s,\n" - "%s\t\"preferred\": %s,\n" - "%s\t\"trustedPathId\": %llu\n" + "%s\t\"preferred\": %s\n" "%s}", prefix,_jsonEscape(reinterpret_cast(&(pp[i].address))->toString()).c_str(), prefix,pp[i].lastSend, prefix,pp[i].lastReceive, - prefix,(pp[i].expired != 0) ? "false" : "true", - prefix,(pp[i].expired == 0) ? "false" : "true", + prefix,(pp[i].active == 0) ? "false" : "true", prefix,(pp[i].preferred == 0) ? "false" : "true", - prefix,pp[i].trustedPathId, prefix); buf.append(json); } @@ -203,7 +189,7 @@ static std::string _jsonEnumerate(unsigned int depth,const ZT_PeerPhysicalPath * static void _jsonAppend(unsigned int depth,std::string &buf,const ZT_Peer *peer) { - char json[2048]; + char json[1024]; char prefix[32]; if (depth >= sizeof(prefix)) // sanity check -- shouldn't be possible @@ -215,7 +201,7 @@ static void _jsonAppend(unsigned int depth,std::string &buf,const ZT_Peer *peer) const char *prole = ""; switch(peer->role) { case ZT_PEER_ROLE_LEAF: prole = "LEAF"; break; - case ZT_PEER_ROLE_UPSTREAM: prole = "UPSTREAM"; break; + case ZT_PEER_ROLE_RELAY: prole = "RELAY"; break; case ZT_PEER_ROLE_ROOT: prole = "ROOT"; break; } @@ -250,7 +236,9 @@ static void _jsonAppend(unsigned int depth,std::string &buf,const ZT_Peer *peer) ControlPlane::ControlPlane(OneService *svc,Node *n,const char *uiStaticPath) : _svc(svc), _node(n), - _controller((EmbeddedNetworkController *)0), +#ifdef ZT_ENABLE_NETWORK_CONTROLLER + _controller((SqliteNetworkController *)0), +#endif _uiStaticPath((uiStaticPath) ? uiStaticPath : "") { } @@ -432,9 +420,7 @@ unsigned int ControlPlane::handleRequest( for(unsigned long i=0;inetworkCount;++i) { if (i > 0) responseBody.append(","); - OneService::NetworkSettings localSettings; - _svc->getNetworkSettings(nws->networks[i].nwid,localSettings); - _jsonAppend(1,responseBody,&(nws->networks[i]),_svc->portDeviceName(nws->networks[i].nwid),localSettings); + _jsonAppend(1,responseBody,&(nws->networks[i]),_svc->portDeviceName(nws->networks[i].nwid)); } responseBody.append("\n]\n"); scode = 200; @@ -444,9 +430,7 @@ unsigned int ControlPlane::handleRequest( for(unsigned long i=0;inetworkCount;++i) { if (nws->networks[i].nwid == wantnw) { responseContentType = "application/json"; - OneService::NetworkSettings localSettings; - _svc->getNetworkSettings(nws->networks[i].nwid,localSettings); - _jsonAppend(0,responseBody,&(nws->networks[i]),_svc->portDeviceName(nws->networks[i].nwid),localSettings); + _jsonAppend(0,responseBody,&(nws->networks[i]),_svc->portDeviceName(nws->networks[i].nwid)); responseBody.push_back('\n'); scode = 200; break; @@ -493,9 +477,13 @@ unsigned int ControlPlane::handleRequest( responseContentType = "text/plain"; scode = 200; } else { +#ifdef ZT_ENABLE_NETWORK_CONTROLLER if (_controller) scode = _controller->handleControlPlaneHttpGET(std::vector(ps.begin()+1,ps.end()),urlArgs,headers,body,responseBody,responseContentType); else scode = 404; +#else + scode = 404; +#endif } } else scode = 401; // isAuth == false @@ -514,27 +502,8 @@ unsigned int ControlPlane::handleRequest( if (nws) { for(unsigned long i=0;inetworkCount;++i) { if (nws->networks[i].nwid == wantnw) { - OneService::NetworkSettings localSettings; - _svc->getNetworkSettings(nws->networks[i].nwid,localSettings); - - try { - nlohmann::json j(nlohmann::json::parse(body)); - if (j.is_object()) { - auto allowManaged = j["allowManaged"]; - if (allowManaged.is_boolean()) localSettings.allowManaged = (bool)allowManaged; - auto allowGlobal = j["allowGlobal"]; - if (allowGlobal.is_boolean()) localSettings.allowGlobal = (bool)allowGlobal; - auto allowDefault = j["allowDefault"]; - if (allowDefault.is_boolean()) localSettings.allowDefault = (bool)allowDefault; - } - } catch ( ... ) { - // discard invalid JSON - } - - _svc->setNetworkSettings(nws->networks[i].nwid,localSettings); - responseContentType = "application/json"; - _jsonAppend(0,responseBody,&(nws->networks[i]),_svc->portDeviceName(nws->networks[i].nwid),localSettings); + _jsonAppend(0,responseBody,&(nws->networks[i]),_svc->portDeviceName(nws->networks[i].nwid)); responseBody.push_back('\n'); scode = 200; break; @@ -544,9 +513,13 @@ unsigned int ControlPlane::handleRequest( } else scode = 500; } } else { +#ifdef ZT_ENABLE_NETWORK_CONTROLLER if (_controller) scode = _controller->handleControlPlaneHttpPOST(std::vector(ps.begin()+1,ps.end()),urlArgs,headers,body,responseBody,responseContentType); else scode = 404; +#else + scode = 404; +#endif } } else scode = 401; // isAuth == false @@ -575,9 +548,13 @@ unsigned int ControlPlane::handleRequest( _node->freeQueryResult((void *)nws); } else scode = 500; } else { +#ifdef ZT_ENABLE_NETWORK_CONTROLLER if (_controller) scode = _controller->handleControlPlaneHttpDELETE(std::vector(ps.begin()+1,ps.end()),urlArgs,headers,body,responseBody,responseContentType); else scode = 404; +#else + scode = 404; +#endif } } else { diff --git a/zerotierone/service/ControlPlane.hpp b/zerotierone/service/ControlPlane.hpp index ec9b94d..08a9d6e 100644 --- a/zerotierone/service/ControlPlane.hpp +++ b/zerotierone/service/ControlPlane.hpp @@ -31,7 +31,7 @@ namespace ZeroTier { class OneService; class Node; -class EmbeddedNetworkController; +class SqliteNetworkController; struct InetAddress; /** @@ -43,16 +43,18 @@ public: ControlPlane(OneService *svc,Node *n,const char *uiStaticPath); ~ControlPlane(); +#ifdef ZT_ENABLE_NETWORK_CONTROLLER /** * Set controller, which will be available under /controller * * @param c Network controller instance */ - inline void setController(EmbeddedNetworkController *c) + inline void setController(SqliteNetworkController *c) { Mutex::Lock _l(_lock); _controller = c; } +#endif /** * Add an authentication token for API access @@ -87,7 +89,9 @@ public: private: OneService *const _svc; Node *const _node; - EmbeddedNetworkController *_controller; +#ifdef ZT_ENABLE_NETWORK_CONTROLLER + SqliteNetworkController *_controller; +#endif std::string _uiStaticPath; std::set _authTokens; Mutex _lock; diff --git a/zerotierone/service/OneService.cpp b/zerotierone/service/OneService.cpp old mode 100644 new mode 100755 index a9463c6..405b3ff --- a/zerotierone/service/OneService.cpp +++ b/zerotierone/service/OneService.cpp @@ -26,16 +26,11 @@ #include #include #include -#include #include "../version.h" #include "../include/ZeroTierOne.h" -#ifdef ZT_USE_SYSTEM_HTTP_PARSER -#include -#else #include "../ext/http-parser/http_parser.h" -#endif #include "../node/Constants.hpp" #include "../node/Mutex.hpp" @@ -52,7 +47,6 @@ #include "../osdep/BackgroundResolver.hpp" #include "../osdep/PortMapper.hpp" #include "../osdep/Binder.hpp" -#include "../osdep/ManagedRoute.hpp" #include "OneService.hpp" #include "ControlPlane.hpp" @@ -69,7 +63,11 @@ */ //#define ZT_BREAK_UDP -#include "../controller/EmbeddedNetworkController.hpp" +#ifdef ZT_ENABLE_NETWORK_CONTROLLER +#include "../controller/SqliteNetworkController.hpp" +#else +class SqliteNetworkController; +#endif // ZT_ENABLE_NETWORK_CONTROLLER #ifdef __WINDOWS__ #include @@ -82,18 +80,20 @@ #include #include #include +#if !defined(__ANDROID__) #include #endif +#endif // Include the right tap device driver for this platform -- add new platforms here -//#ifdef ZT_SERVICE_NETCON +#ifdef SDK // In network containers builds, use the virtual netcon endpoint instead of a tun/tap port driver -#include "../../src/SDK_EthernetTap.hpp" +#include "../src/SDK_EthernetTap.hpp" namespace ZeroTier { typedef NetconEthernetTap EthernetTap; } -//#else // not ZT_SERVICE_NETCON so pick a tap driver -/* +#else // not ZT_SDK so pick a tap driver + #ifdef __APPLE__ #include "../osdep/OSXEthernetTap.hpp" namespace ZeroTier { typedef OSXEthernetTap EthernetTap; } @@ -111,8 +111,7 @@ namespace ZeroTier { typedef WindowsEthernetTap EthernetTap; } namespace ZeroTier { typedef BSDEthernetTap EthernetTap; } #endif // __FreeBSD__ -#endif // ZT_SERVICE_NETCON -*/ +#endif // ZT_SDK // Sanity limits for HTTP #define ZT_MAX_HTTP_MESSAGE_SIZE (1024 * 1024 * 64) @@ -126,7 +125,7 @@ namespace ZeroTier { typedef BSDEthernetTap EthernetTap; } #define ZT_TAP_CHECK_MULTICAST_INTERVAL 5000 // Path under ZT1 home for controller database if controller is enabled -#define ZT_CONTROLLER_DB_PATH "controller.d" +#define ZT_CONTROLLER_DB_PATH "controller.db" // TCP fallback relay host -- geo-distributed using Amazon Route53 geo-aware DNS #define ZT_TCP_FALLBACK_RELAY "tcp-fallback.zerotier.com" @@ -198,33 +197,27 @@ public: * * file= * signedBy= - * ed25519= + * ed25519= * vMajor= * vMinor= * vRevision= */ - Dictionary<4096> nfo(body.c_str()); - char tmp[2048]; + Dictionary nfo(body); - if (nfo.get("vMajor",tmp,sizeof(tmp)) <= 0) return; - const unsigned int vMajor = Utils::strToUInt(tmp); - if (nfo.get("vMinor",tmp,sizeof(tmp)) <= 0) return; - const unsigned int vMinor = Utils::strToUInt(tmp); - if (nfo.get("vRevision",tmp,sizeof(tmp)) <= 0) return; - const unsigned int vRevision = Utils::strToUInt(tmp); + unsigned int vMajor = Utils::strToUInt(nfo.get("vMajor","0").c_str()); + unsigned int vMinor = Utils::strToUInt(nfo.get("vMinor","0").c_str()); + unsigned int vRevision = Utils::strToUInt(nfo.get("vRevision","0").c_str()); if (Utils::compareVersion(vMajor,vMinor,vRevision,ZEROTIER_ONE_VERSION_MAJOR,ZEROTIER_ONE_VERSION_MINOR,ZEROTIER_ONE_VERSION_REVISION) <= 0) { //fprintf(stderr,"UPDATE %u.%u.%u is not newer than our version\n",vMajor,vMinor,vRevision); return; } - if (nfo.get("signedBy",tmp,sizeof(tmp)) <= 0) return; Identity signedBy; - if ((!signedBy.fromString(tmp))||(!isValidSigningIdentity(signedBy))) { + if ((!signedBy.fromString(nfo.get("signedBy","")))||(!isValidSigningIdentity(signedBy))) { //fprintf(stderr,"UPDATE invalid signedBy or not authorized signing identity.\n"); return; } - if (nfo.get("file",tmp,sizeof(tmp)) <= 0) return; - std::string filePath(tmp); + std::string filePath(nfo.get("file","")); if ((!filePath.length())||(filePath.find("..") != std::string::npos)) return; filePath = httpPath + filePath; @@ -235,8 +228,7 @@ public: return; } - if (nfo.get("ed25519",tmp,sizeof(tmp)) <= 0) return; - std::string ed25519(Utils::unhex(tmp)); + std::string ed25519(Utils::unhex(nfo.get("ed25519",""))); if ((ed25519.length() == 0)||(!signedBy.verify(fileData.data(),(unsigned int)fileData.length(),ed25519.data(),(unsigned int)ed25519.length()))) { //fprintf(stderr,"UPDATE %s failed signature check!\n",filePath.c_str()); return; @@ -412,18 +404,12 @@ static void StapFrameHandler(void *uptr,uint64_t nwid,const MAC &from,const MAC static int ShttpOnMessageBegin(http_parser *parser); static int ShttpOnUrl(http_parser *parser,const char *ptr,size_t length); -#if (HTTP_PARSER_VERSION_MAJOR >= 2) && (HTTP_PARSER_VERSION_MINOR >= 2) static int ShttpOnStatus(http_parser *parser,const char *ptr,size_t length); -#else -static int ShttpOnStatus(http_parser *parser); -#endif static int ShttpOnHeaderField(http_parser *parser,const char *ptr,size_t length); static int ShttpOnValue(http_parser *parser,const char *ptr,size_t length); static int ShttpOnHeadersComplete(http_parser *parser); static int ShttpOnBody(http_parser *parser,const char *ptr,size_t length); static int ShttpOnMessageComplete(http_parser *parser); - -#if (HTTP_PARSER_VERSION_MAJOR >= 2) && (HTTP_PARSER_VERSION_MINOR >= 1) static const struct http_parser_settings HTTP_PARSER_SETTINGS = { ShttpOnMessageBegin, ShttpOnUrl, @@ -434,17 +420,6 @@ static const struct http_parser_settings HTTP_PARSER_SETTINGS = { ShttpOnBody, ShttpOnMessageComplete }; -#else -static const struct http_parser_settings HTTP_PARSER_SETTINGS = { - ShttpOnMessageBegin, - ShttpOnUrl, - ShttpOnHeaderField, - ShttpOnValue, - ShttpOnHeadersComplete, - ShttpOnBody, - ShttpOnMessageComplete -}; -#endif struct TcpConnection { @@ -484,12 +459,14 @@ public: const std::string _homePath; BackgroundResolver _tcpFallbackResolver; - EmbeddedNetworkController *_controller; +#ifdef ZT_ENABLE_NETWORK_CONTROLLER + SqliteNetworkController *_controller; +#endif Phy _phy; Node *_node; /* - * To attempt to handle NAT/gateway craziness we use three local UDP ports: + * To properly handle NAT/gateway craziness we use three local UDP ports: * * [0] is the normal/default port, usually 9993 * [1] is a port dervied from our ZeroTier address @@ -523,26 +500,10 @@ public: // Deadline for the next background task service function volatile uint64_t _nextBackgroundTaskDeadline; - // Configured networks - struct NetworkState - { - NetworkState() : - tap((EthernetTap *)0) - { - // Real defaults are in network 'up' code in network event handler - settings.allowManaged = true; - settings.allowGlobal = false; - settings.allowDefault = false; - } - - EthernetTap *tap; - ZT_VirtualNetworkConfig config; // memcpy() of raw config from core - std::vector managedIps; - std::list< SharedPtr > managedRoutes; - NetworkSettings settings; - }; - std::map _nets; - Mutex _nets_m; + // Tap devices by network ID + std::map< uint64_t,EthernetTap * > _taps; + std::map< uint64_t,std::vector > _tapAssignedIps; // ZeroTier assigned IPs, not user or dhcp assigned + Mutex _taps_m; // Active TCP/IP connections std::set< TcpConnection * > _tcpConnections; // no mutex for this since it's done in the main loop thread only @@ -574,7 +535,9 @@ public: OneServiceImpl(const char *hp,unsigned int port) : _homePath((hp) ? hp : ".") ,_tcpFallbackResolver(ZT_TCP_FALLBACK_RELAY) - ,_controller((EmbeddedNetworkController *)0) +#ifdef ZT_ENABLE_NETWORK_CONTROLLER + ,_controller((SqliteNetworkController *)0) +#endif ,_phy(this,false,true) ,_node((Node *)0) ,_controlPlane((ControlPlane *)0) @@ -666,7 +629,9 @@ public: #ifdef ZT_USE_MINIUPNPC delete _portMapper; #endif +#ifdef ZT_ENABLE_NETWORK_CONTROLLER delete _controller; +#endif #ifdef ZT_ENABLE_CLUSTER delete _clusterDefinition; #endif @@ -677,6 +642,7 @@ public: try { std::string authToken; { + std::string tokenStr(_homePath + ZT_PATH_SEPARATOR_S + "authtoken.secret"); std::string authTokenPath(_homePath + ZT_PATH_SEPARATOR_S + "authtoken.secret"); if (!OSUtils::readFile(authTokenPath.c_str(),authToken)) { unsigned char foo[24]; @@ -696,9 +662,6 @@ public: } authToken = _trimString(authToken); - // Clean up any legacy files if present - OSUtils::rm((_homePath + ZT_PATH_SEPARATOR_S + "peers.save").c_str()); - _node = new Node( OSUtils::now(), this, @@ -753,40 +716,10 @@ public: for(int i=0;i<3;++i) _portsBE[i] = Utils::hton((uint16_t)_ports[i]); - { - FILE *trustpaths = fopen((_homePath + ZT_PATH_SEPARATOR_S + "trustedpaths").c_str(),"r"); - uint64_t ids[ZT_MAX_TRUSTED_PATHS]; - InetAddress addresses[ZT_MAX_TRUSTED_PATHS]; - if (trustpaths) { - char buf[1024]; - unsigned int count = 0; - while ((fgets(buf,sizeof(buf),trustpaths))&&(count < ZT_MAX_TRUSTED_PATHS)) { - int fno = 0; - char *saveptr = (char *)0; - uint64_t trustedPathId = 0; - InetAddress trustedPathNetwork; - for(char *f=Utils::stok(buf,"=\r\n \t",&saveptr);(f);f=Utils::stok((char *)0,"=\r\n \t",&saveptr)) { - if (fno == 0) { - trustedPathId = Utils::hexStrToU64(f); - } else if (fno == 1) { - trustedPathNetwork = InetAddress(f); - } else break; - ++fno; - } - if ( (trustedPathId != 0) && ((trustedPathNetwork.ss_family == AF_INET)||(trustedPathNetwork.ss_family == AF_INET6)) && (trustedPathNetwork.ipScope() != InetAddress::IP_SCOPE_GLOBAL) && (trustedPathNetwork.netmaskBits() > 0) ) { - ids[count] = trustedPathId; - addresses[count] = trustedPathNetwork; - ++count; - } - } - fclose(trustpaths); - if (count) - _node->setTrustedPaths(reinterpret_cast(addresses),ids,count); - } - } - - _controller = new EmbeddedNetworkController(_node,(_homePath + ZT_PATH_SEPARATOR_S + ZT_CONTROLLER_DB_PATH).c_str()); +#ifdef ZT_ENABLE_NETWORK_CONTROLLER + _controller = new SqliteNetworkController(_node,(_homePath + ZT_PATH_SEPARATOR_S + ZT_CONTROLLER_DB_PATH).c_str(),(_homePath + ZT_PATH_SEPARATOR_S + "circuitTestResults.d").c_str()); _node->setNetconfMaster((void *)_controller); +#endif #ifdef ZT_ENABLE_CLUSTER if (OSUtils::fileExists((_homePath + ZT_PATH_SEPARATOR_S + "cluster").c_str())) { @@ -839,7 +772,10 @@ public: _controlPlane = new ControlPlane(this,_node,(_homePath + ZT_PATH_SEPARATOR_S + "ui").c_str()); _controlPlane->addAuthToken(authToken.c_str()); + +#ifdef ZT_ENABLE_NETWORK_CONTROLLER _controlPlane->setController(_controller); +#endif { // Remember networks from previous session std::vector networksDotD(OSUtils::listDirectory((_homePath + ZT_PATH_SEPARATOR_S + "networks.d").c_str())); @@ -850,6 +786,10 @@ public: } } + // Start two background threads to handle expensive ops out of line + Thread::start(_node); + Thread::start(_node); + _nextBackgroundTaskDeadline = 0; uint64_t clockShouldBe = OSUtils::now(); _lastRestart = clockShouldBe; @@ -881,7 +821,7 @@ public: restarted = true; } - // Refresh bindings in case device's interfaces have changed, and also sync routes to update any shadow routes (e.g. shadow default) + // Refresh bindings in case device's interfaces have changed if (((now - lastBindRefresh) >= ZT_BINDER_REFRESH_PERIOD)||(restarted)) { lastBindRefresh = now; for(int i=0;i<3;++i) { @@ -889,13 +829,6 @@ public: _bindings[i].refresh(_phy,_ports[i],*this); } } - { - Mutex::Lock _l(_nets_m); - for(std::map::iterator n(_nets.begin());n!=_nets.end();++n) { - if (n->second.tap) - syncManagedStuff(n->second,false,true); - } - } } uint64_t dl = _nextBackgroundTaskDeadline; @@ -921,16 +854,14 @@ public: if ((now - lastTapMulticastGroupCheck) >= ZT_TAP_CHECK_MULTICAST_INTERVAL) { lastTapMulticastGroupCheck = now; - Mutex::Lock _l(_nets_m); - for(std::map::const_iterator n(_nets.begin());n!=_nets.end();++n) { - if (n->second.tap) { - std::vector added,removed; - n->second.tap->scanMulticastGroups(added,removed); - for(std::vector::iterator m(added.begin());m!=added.end();++m) - _node->multicastSubscribe(n->first,m->mac().toInt(),m->adi()); - for(std::vector::iterator m(removed.begin());m!=removed.end();++m) - _node->multicastUnsubscribe(n->first,m->mac().toInt(),m->adi()); - } + Mutex::Lock _l(_taps_m); + for(std::map< uint64_t,EthernetTap *>::const_iterator t(_taps.begin());t!=_taps.end();++t) { + std::vector added,removed; + t->second->scanMulticastGroups(added,removed); + for(std::vector::iterator m(added.begin());m!=added.end();++m) + _node->multicastSubscribe(t->first,m->mac().toInt(),m->adi()); + for(std::vector::iterator m(removed.begin());m!=removed.end();++m) + _node->multicastUnsubscribe(t->first,m->mac().toInt(),m->adi()); } } @@ -972,10 +903,10 @@ public: } catch ( ... ) {} { - Mutex::Lock _l(_nets_m); - for(std::map::iterator n(_nets.begin());n!=_nets.end();++n) - delete n->second.tap; - _nets.clear(); + Mutex::Lock _l(_taps_m); + for(std::map< uint64_t,EthernetTap * >::iterator t(_taps.begin());t!=_taps.end();++t) + delete t->second; + _taps.clear(); } delete _controlPlane; @@ -1000,11 +931,11 @@ public: virtual std::string portDeviceName(uint64_t nwid) const { - Mutex::Lock _l(_nets_m); - std::map::const_iterator n(_nets.find(nwid)); - if ((n != _nets.end())&&(n->second.tap)) - return n->second.tap->deviceName(); - else return std::string(); + Mutex::Lock _l(_taps_m); + std::map< uint64_t,EthernetTap * >::const_iterator t(_taps.find(nwid)); + if (t != _taps.end()) + return t->second->deviceName(); + return std::string(); } virtual bool tcpFallbackActive() const @@ -1020,173 +951,35 @@ public: _phy.whack(); } - virtual bool getNetworkSettings(const uint64_t nwid,NetworkSettings &settings) const + // For ZT SDK API + + virtual void join(const char *hp) { - Mutex::Lock _l(_nets_m); - std::map::const_iterator n(_nets.find(nwid)); - if (n == _nets.end()) - return false; - memcpy(&settings,&(n->second.settings),sizeof(NetworkSettings)); - return true; + _node->join(Utils::hexStrToU64(hp),NULL); } + + virtual void leave(const char *hp) + { + _node->leave(Utils::hexStrToU64(hp),NULL); + } - virtual bool setNetworkSettings(const uint64_t nwid,const NetworkSettings &settings) + virtual std::string givenHomePath() + { + return _homePath; + } + + virtual std::map< uint64_t,EthernetTap * > getTaps() { - Mutex::Lock _l(_nets_m); + return _taps; + } - std::map::iterator n(_nets.find(nwid)); - if (n == _nets.end()) - return false; - memcpy(&(n->second.settings),&settings,sizeof(NetworkSettings)); - - char nlcpath[256]; - Utils::snprintf(nlcpath,sizeof(nlcpath),"%s" ZT_PATH_SEPARATOR_S "networks.d" ZT_PATH_SEPARATOR_S "%.16llx.local.conf",_homePath.c_str(),nwid); - FILE *out = fopen(nlcpath,"w"); - if (out) { - fprintf(out,"allowManaged=%d\n",(int)n->second.settings.allowManaged); - fprintf(out,"allowGlobal=%d\n",(int)n->second.settings.allowGlobal); - fprintf(out,"allowDefault=%d\n",(int)n->second.settings.allowDefault); - fclose(out); - } - - if (n->second.tap) - syncManagedStuff(n->second,true,true); - - return true; + virtual Node * getNode() + { + return _node; } // Begin private implementation methods - // Checks if a managed IP or route target is allowed - bool checkIfManagedIsAllowed(const NetworkState &n,const InetAddress &target) - { - if (!n.settings.allowManaged) - return false; - if (target.isDefaultRoute()) - return n.settings.allowDefault; - switch(target.ipScope()) { - case InetAddress::IP_SCOPE_NONE: - case InetAddress::IP_SCOPE_MULTICAST: - case InetAddress::IP_SCOPE_LOOPBACK: - case InetAddress::IP_SCOPE_LINK_LOCAL: - return false; - case InetAddress::IP_SCOPE_GLOBAL: - return n.settings.allowGlobal; - default: - return true; - } - } - - // Match only an IP from a vector of IPs -- used in syncManagedStuff() - bool matchIpOnly(const std::vector &ips,const InetAddress &ip) const - { - for(std::vector::const_iterator i(ips.begin());i!=ips.end();++i) { - if (i->ipsEqual(ip)) - return true; - } - return false; - } - - // Apply or update managed IPs for a configured network (be sure n.tap exists) - void syncManagedStuff(NetworkState &n,bool syncIps,bool syncRoutes) - { - // assumes _nets_m is locked - if (syncIps) { - std::vector newManagedIps; - newManagedIps.reserve(n.config.assignedAddressCount); - for(unsigned int i=0;i(&(n.config.assignedAddresses[i])); - if (checkIfManagedIsAllowed(n,*ii)) - newManagedIps.push_back(*ii); - } - std::sort(newManagedIps.begin(),newManagedIps.end()); - newManagedIps.erase(std::unique(newManagedIps.begin(),newManagedIps.end()),newManagedIps.end()); - - for(std::vector::iterator ip(n.managedIps.begin());ip!=n.managedIps.end();++ip) { - if (std::find(newManagedIps.begin(),newManagedIps.end(),*ip) == newManagedIps.end()) { - if (!n.tap->removeIp(*ip)) - fprintf(stderr,"ERROR: unable to remove ip address %s" ZT_EOL_S, ip->toString().c_str()); - } - } - for(std::vector::iterator ip(newManagedIps.begin());ip!=newManagedIps.end();++ip) { - if (std::find(n.managedIps.begin(),n.managedIps.end(),*ip) == n.managedIps.end()) { - if (!n.tap->addIp(*ip)) - fprintf(stderr,"ERROR: unable to add ip address %s" ZT_EOL_S, ip->toString().c_str()); - } - } - - n.managedIps.swap(newManagedIps); - } - - if (syncRoutes) { - char tapdev[64]; -#ifdef __WINDOWS__ - Utils::snprintf(tapdev,sizeof(tapdev),"%.16llx",(unsigned long long)n.tap->luid().Value); -#else - Utils::scopy(tapdev,sizeof(tapdev),n.tap->deviceName().c_str()); -#endif - - std::vector myIps(n.tap->ips()); - - // Nuke applied routes that are no longer in n.config.routes[] and/or are not allowed - for(std::list< SharedPtr >::iterator mr(n.managedRoutes.begin());mr!=n.managedRoutes.end();) { - bool haveRoute = false; - if ( (checkIfManagedIsAllowed(n,(*mr)->target())) && (((*mr)->via().ss_family != (*mr)->target().ss_family)||(!matchIpOnly(myIps,(*mr)->via()))) ) { - for(unsigned int i=0;i(&(n.config.routes[i].target)); - const InetAddress *const via = reinterpret_cast(&(n.config.routes[i].via)); - if ( ((*mr)->target() == *target) && ( ((via->ss_family == target->ss_family)&&((*mr)->via().ipsEqual(*via))) || (tapdev == (*mr)->device()) ) ) { - haveRoute = true; - break; - } - } - } - if (haveRoute) { - ++mr; - } else { - n.managedRoutes.erase(mr++); - } - } - - // Apply routes in n.config.routes[] that we haven't applied yet, and sync those we have in case shadow routes need to change - for(unsigned int i=0;i(&(n.config.routes[i].target)); - const InetAddress *const via = reinterpret_cast(&(n.config.routes[i].via)); - - if ( (!checkIfManagedIsAllowed(n,*target)) || ((via->ss_family == target->ss_family)&&(matchIpOnly(myIps,*via))) ) - continue; - - bool haveRoute = false; - - // Ignore routes implied by local managed IPs since adding the IP adds the route - for(std::vector::iterator ip(n.managedIps.begin());ip!=n.managedIps.end();++ip) { - if ((target->netmaskBits() == ip->netmaskBits())&&(target->containsAddress(*ip))) { - haveRoute = true; - break; - } - } - if (haveRoute) - continue; - - // If we've already applied this route, just sync it and continue - for(std::list< SharedPtr >::iterator mr(n.managedRoutes.begin());mr!=n.managedRoutes.end();++mr) { - if ( ((*mr)->target() == *target) && ( ((via->ss_family == target->ss_family)&&((*mr)->via().ipsEqual(*via))) || (tapdev == (*mr)->device()) ) ) { - haveRoute = true; - (*mr)->sync(); - break; - } - } - if (haveRoute) - continue; - - // Add and apply new routes - n.managedRoutes.push_back(SharedPtr(new ManagedRoute(*target,*via,tapdev))); - if (!n.managedRoutes.back()->sync()) - n.managedRoutes.pop_back(); - } - } - } - inline void phyOnDatagram(PhySocket *sock,void **uptr,const struct sockaddr *localAddr,const struct sockaddr *from,void *data,unsigned long len) { #ifdef ZT_ENABLE_CLUSTER @@ -1389,7 +1182,7 @@ public: } } - inline void phyOnTcpWritable(PhySocket *sock,void **uptr) + inline void phyOnTcpWritable(PhySocket *sock,void **uptr,bool lwip_invoked) { TcpConnection *tc = reinterpret_cast(*uptr); Mutex::Lock _l(tc->writeBuf_m); @@ -1419,17 +1212,15 @@ public: inline int nodeVirtualNetworkConfigFunction(uint64_t nwid,void **nuptr,enum ZT_VirtualNetworkConfigOperation op,const ZT_VirtualNetworkConfig *nwc) { - Mutex::Lock _l(_nets_m); - NetworkState &n = _nets[nwid]; - + Mutex::Lock _l(_taps_m); + std::map< uint64_t,EthernetTap * >::iterator t(_taps.find(nwid)); switch(op) { - case ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_UP: - if (!n.tap) { + if (t == _taps.end()) { try { - char friendlyName[128]; + char friendlyName[1024]; Utils::snprintf(friendlyName,sizeof(friendlyName),"ZeroTier One [%.16llx]",nwid); - n.tap = new EthernetTap( + t = _taps.insert(std::pair< uint64_t,EthernetTap *>(nwid,new EthernetTap( _homePath.c_str(), MAC(nwc->mac), nwc->mtu, @@ -1437,70 +1228,65 @@ public: nwid, friendlyName, StapFrameHandler, - (void *)this); - *nuptr = (void *)&n; - - char nlcpath[256]; - Utils::snprintf(nlcpath,sizeof(nlcpath),"%s" ZT_PATH_SEPARATOR_S "networks.d" ZT_PATH_SEPARATOR_S "%.16llx.local.conf",_homePath.c_str(),nwid); - std::string nlcbuf; - if (OSUtils::readFile(nlcpath,nlcbuf)) { - Dictionary<4096> nc; - nc.load(nlcbuf.c_str()); - n.settings.allowManaged = nc.getB("allowManaged",true); - n.settings.allowGlobal = nc.getB("allowGlobal",false); - n.settings.allowDefault = nc.getB("allowDefault",false); - } + (void *)this))).first; + *nuptr = (void *)t->second; } catch (std::exception &exc) { #ifdef __WINDOWS__ FILE *tapFailLog = fopen((_homePath + ZT_PATH_SEPARATOR_S"port_error_log.txt").c_str(),"a"); if (tapFailLog) { - fprintf(tapFailLog,"%.16llx: %s" ZT_EOL_S,(unsigned long long)nwid,exc.what()); + fprintf(tapFailLog,"%.16llx: %s"ZT_EOL_S,(unsigned long long)nwid,exc.what()); fclose(tapFailLog); } #else fprintf(stderr,"ERROR: unable to configure virtual network port: %s" ZT_EOL_S,exc.what()); #endif - _nets.erase(nwid); return -999; } catch ( ... ) { return -999; // tap init failed } } - // After setting up tap, fall through to CONFIG_UPDATE since we also want to do this... - + // fall through... case ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_CONFIG_UPDATE: - memcpy(&(n.config),nwc,sizeof(ZT_VirtualNetworkConfig)); - if (n.tap) { // sanity check - syncManagedStuff(n,true,true); + if (t != _taps.end()) { + t->second->setEnabled(nwc->enabled != 0); + + std::vector &assignedIps = _tapAssignedIps[nwid]; + std::vector newAssignedIps; + for(unsigned int i=0;iassignedAddressCount;++i) + newAssignedIps.push_back(InetAddress(nwc->assignedAddresses[i])); + std::sort(newAssignedIps.begin(),newAssignedIps.end()); + newAssignedIps.erase(std::unique(newAssignedIps.begin(),newAssignedIps.end()),newAssignedIps.end()); + for(std::vector::iterator ip(newAssignedIps.begin());ip!=newAssignedIps.end();++ip) { + if (!std::binary_search(assignedIps.begin(),assignedIps.end(),*ip)) + if (!t->second->addIp(*ip)) + fprintf(stderr,"ERROR: unable to add ip address %s" ZT_EOL_S, ip->toString().c_str()); + } + for(std::vector::iterator ip(assignedIps.begin());ip!=assignedIps.end();++ip) { + if (!std::binary_search(newAssignedIps.begin(),newAssignedIps.end(),*ip)) + if (!t->second->removeIp(*ip)) + fprintf(stderr,"ERROR: unable to remove ip address %s" ZT_EOL_S, ip->toString().c_str()); + } + assignedIps.swap(newAssignedIps); } else { - _nets.erase(nwid); return -999; // tap init failed } break; - case ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_DOWN: case ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_DESTROY: - if (n.tap) { // sanity check + if (t != _taps.end()) { #ifdef __WINDOWS__ - std::string winInstanceId(n.tap->instanceId()); + std::string winInstanceId(t->second->instanceId()); #endif *nuptr = (void *)0; - delete n.tap; - _nets.erase(nwid); + delete t->second; + _taps.erase(t); + _tapAssignedIps.erase(nwid); #ifdef __WINDOWS__ if ((op == ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_DESTROY)&&(winInstanceId.length() > 0)) WindowsEthernetTap::deletePersistentTapDevice(winInstanceId.c_str()); #endif - if (op == ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_DESTROY) { - char nlcpath[256]; - Utils::snprintf(nlcpath,sizeof(nlcpath),"%s" ZT_PATH_SEPARATOR_S "networks.d" ZT_PATH_SEPARATOR_S "%.16llx.local.conf",_homePath.c_str(),nwid); - OSUtils::rm(nlcpath); - } - } else { - _nets.erase(nwid); } break; - } return 0; } @@ -1660,19 +1446,18 @@ public: inline void nodeVirtualNetworkFrameFunction(uint64_t nwid,void **nuptr,uint64_t sourceMac,uint64_t destMac,unsigned int etherType,unsigned int vlanId,const void *data,unsigned int len) { - NetworkState *n = reinterpret_cast(*nuptr); - if ((!n)||(!n->tap)) + EthernetTap *tap = reinterpret_cast(*nuptr); + if (!tap) return; - n->tap->put(MAC(sourceMac),MAC(destMac),etherType,data,len); + tap->put(MAC(sourceMac),MAC(destMac),etherType,data,len); } inline int nodePathCheckFunction(const struct sockaddr_storage *localAddr,const struct sockaddr_storage *remoteAddr) { - Mutex::Lock _l(_nets_m); - - for(std::map::const_iterator n(_nets.begin());n!=_nets.end();++n) { - if (n->second.tap) { - std::vector ips(n->second.tap->ips()); + Mutex::Lock _l(_taps_m); + for(std::map< uint64_t,EthernetTap * >::const_iterator t(_taps.begin());t!=_taps.end();++t) { + if (t->second) { + std::vector ips(t->second->ips()); for(std::vector::const_iterator i(ips.begin());i!=ips.end();++i) { if (i->containsAddress(*(reinterpret_cast(remoteAddr)))) { return 0; @@ -1680,13 +1465,6 @@ public: } } } - - /* Note: I do not think we need to scan for overlap with managed routes - * because of the "route forking" and interface binding that we do. This - * ensures (we hope) that ZeroTier traffic will still take the physical - * path even if its managed routes override this for other traffic. Will - * revisit if we see problems with this. */ - return 1; } @@ -1706,11 +1484,7 @@ public: if (_controlPlane) scode = _controlPlane->handleRequest(tc->from,tc->parser.method,tc->url,tc->headers,tc->body,data,contentType); else scode = 500; - } catch (std::exception &exc) { - fprintf(stderr,"WARNING: unexpected exception processing control HTTP request: %s" ZT_EOL_S,exc.what()); - scode = 500; } catch ( ... ) { - fprintf(stderr,"WARNING: unexpected exception processing control HTTP request: unknown exceptino" ZT_EOL_S); scode = 500; } @@ -1756,10 +1530,10 @@ public: if (isBlacklistedLocalInterfaceForZeroTierTraffic(ifname)) return false; - Mutex::Lock _l(_nets_m); - for(std::map::const_iterator n(_nets.begin());n!=_nets.end();++n) { - if (n->second.tap) { - std::vector ips(n->second.tap->ips()); + Mutex::Lock _l(_taps_m); + for(std::map< uint64_t,EthernetTap * >::const_iterator t(_taps.begin());t!=_taps.end();++t) { + if (t->second) { + std::vector ips(t->second->ips()); for(std::vector::const_iterator i(ips.begin());i!=ips.end();++i) { if (i->ipsEqual(ifaddr)) return false; @@ -1877,19 +1651,13 @@ static int ShttpOnUrl(http_parser *parser,const char *ptr,size_t length) tc->url.append(ptr,length); return 0; } -#if (HTTP_PARSER_VERSION_MAJOR >= 2) && (HTTP_PARSER_VERSION_MINOR >= 2) static int ShttpOnStatus(http_parser *parser,const char *ptr,size_t length) -#else -static int ShttpOnStatus(http_parser *parser) -#endif { - /* TcpConnection *tc = reinterpret_cast(parser->data); tc->messageSize += (unsigned long)length; if (tc->messageSize > ZT_MAX_HTTP_MESSAGE_SIZE) return -1; tc->status.append(ptr,length); - */ return 0; } static int ShttpOnHeaderField(http_parser *parser,const char *ptr,size_t length) @@ -1949,7 +1717,38 @@ static int ShttpOnMessageComplete(http_parser *parser) std::string OneService::platformDefaultHomePath() { - return OSUtils::platformDefaultHomePath(); +#ifdef __UNIX_LIKE__ + +#ifdef __APPLE__ + // /Library/... on Apple + return std::string("/Library/Application Support/ZeroTier/One"); +#else + +#ifdef __BSD__ + // BSD likes /var/db instead of /var/lib + return std::string("/var/db/zerotier-one"); +#else + // Use /var/lib for Linux and other *nix + return std::string("/var/lib/zerotier-one"); +#endif + +#endif + +#else // not __UNIX_LIKE__ + +#ifdef __WINDOWS__ + // Look up app data folder on Windows, e.g. C:\ProgramData\... + char buf[16384]; + if (SUCCEEDED(SHGetFolderPathA(NULL,CSIDL_COMMON_APPDATA,NULL,0,buf))) + return (std::string(buf) + "\\ZeroTier\\One"); + else return std::string("C:\\ZeroTier\\One"); +#else + + return std::string(); // UNKNOWN PLATFORM + +#endif + +#endif // __UNIX_LIKE__ or not... } std::string OneService::autoUpdateUrl() diff --git a/zerotierone/service/OneService.hpp b/zerotierone/service/OneService.hpp old mode 100644 new mode 100755 index 72ff7d8..56dec8a --- a/zerotierone/service/OneService.hpp +++ b/zerotierone/service/OneService.hpp @@ -20,11 +20,33 @@ #define ZT_ONESERVICE_HPP #include +#include + +#include "../node/Node.hpp" + +// Include the right tap device driver for this platform -- add new platforms here +#ifdef SDK + // In network containers builds, use the virtual netcon endpoint instead of a tun/tap port driver + #include "../src/SDK_EthernetTap.hpp" + namespace ZeroTier { typedef NetconEthernetTap EthernetTap; } +#endif // not ZT_SDK so pick a tap driver namespace ZeroTier { /** * Local service for ZeroTier One as system VPN/NFV provider + * + * If built with ZT_ENABLE_NETWORK_CONTROLLER defined, this includes and + * runs controller/SqliteNetworkController with a database called + * controller.db in the specified home directory. + * + * If built with ZT_AUTO_UPDATE, an official ZeroTier update URL is + * periodically checked and updates are automatically downloaded, verified + * against a built-in list of update signing keys, and installed. This is + * only supported for certain platforms. + * + * If built with ZT_ENABLE_CLUSTER, a 'cluster' file is checked and if + * present is read to determine the identity of other cluster members. */ class OneService { @@ -55,27 +77,6 @@ public: ONE_IDENTITY_COLLISION = 3 }; - /** - * Local settings for each network - */ - struct NetworkSettings - { - /** - * Allow this network to configure IP addresses and routes? - */ - bool allowManaged; - - /** - * Allow configuration of IPs and routes within global (Internet) IP space? - */ - bool allowGlobal; - - /** - * Allow overriding of system default routes for "full tunnel" operation? - */ - bool allowDefault; - }; - /** * @return Platform default home path or empty string if this platform doesn't have one */ @@ -139,28 +140,38 @@ public: */ virtual void terminate() = 0; +#ifdef SDK /** - * Get local settings for a network - * - * @param nwid Network ID - * @param settings Buffer to fill with local network settings - * @return True if network was found and settings is filled + * Joins a network */ - virtual bool getNetworkSettings(const uint64_t nwid,NetworkSettings &settings) const = 0; + virtual void join(const char *hp) = 0; + + /** + * Leaves a network + */ + virtual void leave(const char *hp) = 0; - /** - * Set local settings for a network + /** + * Returns the homePath given by the client application + * - Used for SDK mode + */ + virtual std::string givenHomePath() = 0; + + /* * - * @param nwid Network ID - * @param settings New network local settings - * @return True if network was found and setting modified */ - virtual bool setNetworkSettings(const uint64_t nwid,const NetworkSettings &settings) = 0; + virtual std::map< uint64_t,EthernetTap * > getTaps() = 0; + + /* + * + */ + virtual Node * getNode() = 0; /** * @return True if service is still running */ inline bool isRunning() const { return (this->reasonForTermination() == ONE_STILL_RUNNING); } +#endif protected: OneService() {} diff --git a/zerotierone/service/README.md b/zerotierone/service/README.md index 75c437d..05f340d 100644 --- a/zerotierone/service/README.md +++ b/zerotierone/service/README.md @@ -120,3 +120,133 @@ Path objects describe direct physical paths to peer. If no path objects are list fixedbooleanIf true, this is a statically-defined "fixed" pathno preferredbooleanIf true, this is the current preferred pathno + +### Network Controller API + +If ZeroTier One was built with *ZT\_ENABLE\_NETWORK\_CONTROLLER* defined, the following API paths are available. Otherwise these paths will return 404. + +#### /controller + + * Purpose: Check for controller function and return controller status + * Methods: GET + * Returns: { object } + + + + + + +
FieldTypeDescriptionWritable
controllerbooleanAlways 'true' if controller is runningno
apiVersionintegerJSON API version, currently 1no
clockintegerController system clock in ms since epochno
+ +#### /controller/network + + * Purpose: List all networks hosted by this controller + * Methods: GET + * Returns: [ string, ... ] + +This returns an array of 16-digit hexadecimal network IDs. Unlike /network under the top-level API, it does not dump full network information for all networks as this may be quite large for a large controller. + +#### /controller/network/\ + + * Purpose: Create, configure, and delete hosted networks + * Methods: GET, POST, DELETE + * Returns: { object } + +By making queries to this path you can create, configure, and delete networks. DELETE is final, so don't do it unless you really mean it. + +It's important to understand how network IDs work. The first ten digits (most significant 40 bits) of a network ID are the ZeroTier address of the controller. This is how clients find it. The last six digits (least significant 24 bits) are arbitrary and serve to identify the network uniquely on the controller. + +Thus a network's first ten digits *must* be the controller's address. If your controller is *deadbeef01*, then the networks it controls must have IDs like *deadbeef01feed02* or *deadbeef01beef03*. This API however *does not* enforce this requirement. It will allow you to add arbitrary network IDs, but they won't work since clients will never be able to find them. To create a new network with a random last six digits safely and atomically, you can POST to */controller/network/##########\_\_\_\_\_\_* where ########## is the controller's address and the underscores are as shown. This will pick a random unallocated network ID, which will be returned in the 'nwid' field of the returned JSON object. + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionWritable
nwidstring16-digit hex network IDno
namestringShort network name (max: 127 chars)yes
privatebooleanFalse if public network, true for access controlyes
enableBroadcastbooleanTrue to allow Ethernet broadcast (ff:ff:ff:ff:ff:ff)yes
allowPassiveBridgingbooleanTrue to allow any member to bridge (experimental!)yes
v4AssignModestring'none', 'zt', or 'dhcp' (see below)yes
v6AssignModestring'none', 'zt', or 'dhcp' (see below)yes
multicastLimitintegerMaximum number of multicast recipients per multicast/broadcast addressyes
creationTimeintegerTime network was created in ms since epochno
revisionintegerNetwork config revision numberno
memberRevisionCounterintegerCurrent value of network revision counter (incremented after every member add or revision)no
clockintegerCurrent clock in ms since epoch (for convenience)no
authorizedMemberCountintegerNumber of authorized membersno
relays[object]Array of network-specific relay nodes (see below)yes
ipLocalRoutes[string]Array of IP network/netmask entries corresponding to networks routed directly via this interface (e.g. 10.0.0.0/8 to route 10.0.0.0 via this interface)
ipAssignmentPools[object]Array of IP auto-assignment pools for 'zt' assignment modeyes
rules[object]Array of network flow rules (see below)yes
+ +The network member list includes both authorized and unauthorized members. DELETE unauthorized members to remove them from the list. Relays, IP assignment pools, and rules are edited via direct POSTs to the network object. New values replace all previous values. + +Networks must have rules. If there are no rules, the default action is 'deny'. As also documented in the Rule object definition below, rules currently only support etherType and allow/deny. Thus to make a functioning network, add etherType allow entries for IPV4/ARP and/or IPv6. Alternately you can add a null allow entry to allow all traffic, causing the network to behave like a normal pass-through switch. + +**Relay object format:** + +Relay objects define network-specific preferred relay nodes. Traffic to peers on this network will preferentially use these relays if they are available, and otherwise will fall back to the global rootserver infrastructure. + + + + + +
FieldTypeDescription
addressstring10-digit ZeroTier address of relay node
phyAddressstringFixed path address in IP/port format e.g. 192.168.1.1/9993
+ +**IP assignment pool object format:** + +IP assignment pools are only used if they are within a network specified in ipLocalRoutes. + + + + + +
FieldTypeDescription
ipRangeStartstringStart of IP assignment range
ipRangeEndstringEnd of IP assignment range
+ +**Rule object format:** + + * **Note**: at the moment, only rules specifying allowed Ethernet types are used. The database supports a richer rule set, but this is not implemented yet in the client. Other types of rules will have no effect (yet). + +Rules are matched in order of ruleNo. If no rules match, the default action is 'drop'. To allow all traffic, create a single rule with all *null* fields and an action of 'accept'. + +Rule object fields can be *null*, in which case they are omitted from the object. A null field indicates "no match on this criteria." + +IP related fields apply only to Ethernet frames of type IPv4 or IPV6. Otherwise they are ignored. + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
ruleNointegerUser-defined rule ID and sort order
nodeIdstring10-digit hex ZeroTier address of node if this rule is local to only one member
sourcePortstring10-digit hex ZeroTier address of source port on virtual switch (source device address)
destPortstring10-digit hex ZeroTier address of destination port on virtual switch (destination device address)
vlanIdintegerEthernet VLAN ID
vlanPcpintegerEthernet VLAN priority code point (PCP) ID
etherTypeintegerEthernet frame type
macSourcestringEthernet source MAC address
macDeststringEthernet destination MAC address
ipSourcestringSource IP address
ipDeststringDestination IP address
ipTosintegerIP TOS field
ipProtocolintegerIP protocol
ipSourcePortintegerIP source port
ipDestPortintegerIP destination port
actionstringRule action: accept, drop, etc.
+ +#### /controller/network/\/member/\ + + * Purpose: Create, authorize, or remove a network member + * Methods: GET, POST, DELETE + * Returns: { object } + + + + + + + + + + + +
FieldTypeDescriptionWritable
nwidstring16-digit hex network IDno
clockintegerCurrent clock in ms since epoch (for convenience)no
addressstring10-digit hex ZeroTier addressno
authorizedbooleanIs member authorized?yes
activeBridgebooleanThis member is an active network bridgeyes
identitystringFull ZeroTier identity of memberno
ipAssignments[string]Array of IP/bits IP assignmentsyes
memberRevisionintegerMember revision counter value from network at time of last revision or member creationno
diff --git a/zerotierone/version.h b/zerotierone/version.h index 737b378..526a3cd 100644 --- a/zerotierone/version.h +++ b/zerotierone/version.h @@ -23,15 +23,18 @@ * Major version */ #define ZEROTIER_ONE_VERSION_MAJOR 1 +#define ZEROTIER_ONE_VERSION_MAJOR_S_HEX "1" /** * Minor version */ #define ZEROTIER_ONE_VERSION_MINOR 1 +#define ZEROTIER_ONE_VERSION_MINOR_S_HEX "1" /** * Revision */ -#define ZEROTIER_ONE_VERSION_REVISION 15 +#define ZEROTIER_ONE_VERSION_REVISION 5 +#define ZEROTIER_ONE_VERSION_REVISION_S_HEX "5" #endif diff --git a/zerotierone/windows/ZeroTierOne/ZeroTierOne.vcxproj b/zerotierone/windows/ZeroTierOne/ZeroTierOne.vcxproj index ed02213..ca91037 100644 --- a/zerotierone/windows/ZeroTierOne/ZeroTierOne.vcxproj +++ b/zerotierone/windows/ZeroTierOne/ZeroTierOne.vcxproj @@ -42,6 +42,7 @@ + @@ -65,7 +66,6 @@ - @@ -156,9 +156,7 @@ - - diff --git a/zerotierone/windows/ZeroTierOne/ZeroTierOne.vcxproj.filters b/zerotierone/windows/ZeroTierOne/ZeroTierOne.vcxproj.filters index eeeb8d2..ed1e941 100644 --- a/zerotierone/windows/ZeroTierOne/ZeroTierOne.vcxproj.filters +++ b/zerotierone/windows/ZeroTierOne/ZeroTierOne.vcxproj.filters @@ -114,6 +114,9 @@ Source Files\node + + Source Files\node + Source Files\node @@ -249,9 +252,6 @@ Source Files\ext\libnatpmp - - Source Files\osdep - @@ -536,12 +536,6 @@ Header Files\ext\libnatpmp - - Header Files\osdep - - - Header Files\osdep -