remove session firewall, this can't prevent memory use so it's better to just use OS native tools

This commit is contained in:
Arceliar 2021-06-06 02:35:02 -05:00
parent 838bca083d
commit e7da3d72c4
5 changed files with 3 additions and 100 deletions

View File

@ -281,7 +281,6 @@ func main() {
n.admin = &admin.AdminSocket{} n.admin = &admin.AdminSocket{}
n.multicast = &multicast.Multicast{} n.multicast = &multicast.Multicast{}
n.tuntap = &tuntap.TunAdapter{} n.tuntap = &tuntap.TunAdapter{}
n.tuntap.SetSessionGatekeeper(n.sessionFirewall)
// Start the admin socket // Start the admin socket
if err := n.admin.Init(&n.core, cfg, logger, nil); err != nil { if err := n.admin.Init(&n.core, cfg, logger, nil); err != nil {
logger.Errorln("An error occurred initialising admin socket:", err) logger.Errorln("An error occurred initialising admin socket:", err)
@ -326,62 +325,3 @@ func (n *node) shutdown() {
_ = n.tuntap.Stop() _ = n.tuntap.Stop()
n.core.Stop() n.core.Stop()
} }
func (n *node) sessionFirewall(pubkey ed25519.PublicKey, initiator bool) bool {
n.config.RLock()
defer n.config.RUnlock()
// Allow by default if the session firewall is disabled
if !n.config.SessionFirewall.Enable {
return true
}
// Reject blacklisted nodes
for _, b := range n.config.SessionFirewall.BlacklistPublicKeys {
key, err := hex.DecodeString(b)
if err == nil {
if bytes.Equal(key, pubkey) {
return false
}
}
}
// Allow whitelisted nodes
for _, b := range n.config.SessionFirewall.WhitelistPublicKeys {
key, err := hex.DecodeString(b)
if err == nil {
if bytes.Equal(key, pubkey) {
return true
}
}
}
// Allow outbound sessions if appropriate
if n.config.SessionFirewall.AlwaysAllowOutbound {
if initiator {
return true
}
}
// Look and see if the pubkey is that of a direct peer
var isDirectPeer bool
for _, peer := range n.core.GetPeers() {
if bytes.Equal(peer.Key[:], pubkey[:]) {
isDirectPeer = true
break
}
}
// Allow direct peers if appropriate
if n.config.SessionFirewall.AllowFromDirect && isDirectPeer {
return true
}
// Allow remote nodes if appropriate
if n.config.SessionFirewall.AllowFromRemote && !isDirectPeer {
return true
}
// Finally, default-deny if not matching any of the above rules
return false
}

View File

@ -40,21 +40,10 @@ type NodeConfig struct {
LinkLocalTCPPort uint16 `comment:"The port number to be used for the link-local TCP listeners for the\nconfigured MulticastInterfaces. This option does not affect listeners\nspecified in the Listen option. Unless you plan to firewall link-local\ntraffic, it is best to leave this as the default value of 0. This\noption cannot currently be changed by reloading config during runtime."` LinkLocalTCPPort uint16 `comment:"The port number to be used for the link-local TCP listeners for the\nconfigured MulticastInterfaces. This option does not affect listeners\nspecified in the Listen option. Unless you plan to firewall link-local\ntraffic, it is best to leave this as the default value of 0. This\noption cannot currently be changed by reloading config during runtime."`
IfName string `comment:"Local network interface name for TUN adapter, or \"auto\" to select\nan interface automatically, or \"none\" to run without TUN."` IfName string `comment:"Local network interface name for TUN adapter, or \"auto\" to select\nan interface automatically, or \"none\" to run without TUN."`
IfMTU uint64 `comment:"Maximum Transmission Unit (MTU) size for your local TUN interface.\nDefault is the largest supported size for your platform. The lowest\npossible value is 1280."` IfMTU uint64 `comment:"Maximum Transmission Unit (MTU) size for your local TUN interface.\nDefault is the largest supported size for your platform. The lowest\npossible value is 1280."`
SessionFirewall SessionFirewall `comment:"The session firewall controls who can send/receive network traffic\nto/from. This is useful if you want to protect this node without\nresorting to using a real firewall. This does not affect traffic\nbeing routed via this node to somewhere else. Rules are prioritised as\nfollows: blacklist, whitelist, always allow outgoing, direct, remote."`
NodeInfoPrivacy bool `comment:"By default, nodeinfo contains some defaults including the platform,\narchitecture and Yggdrasil version. These can help when surveying\nthe network and diagnosing network routing problems. Enabling\nnodeinfo privacy prevents this, so that only items specified in\n\"NodeInfo\" are sent back if specified."` NodeInfoPrivacy bool `comment:"By default, nodeinfo contains some defaults including the platform,\narchitecture and Yggdrasil version. These can help when surveying\nthe network and diagnosing network routing problems. Enabling\nnodeinfo privacy prevents this, so that only items specified in\n\"NodeInfo\" are sent back if specified."`
NodeInfo map[string]interface{} `comment:"Optional node info. This must be a { \"key\": \"value\", ... } map\nor set as null. This is entirely optional but, if set, is visible\nto the whole network on request."` NodeInfo map[string]interface{} `comment:"Optional node info. This must be a { \"key\": \"value\", ... } map\nor set as null. This is entirely optional but, if set, is visible\nto the whole network on request."`
} }
// SessionFirewall controls the session firewall configuration.
type SessionFirewall struct {
Enable bool `comment:"Enable or disable the session firewall. If disabled, network traffic\nfrom any node will be allowed. If enabled, the below rules apply."`
AllowFromDirect bool `comment:"Allow network traffic from directly connected peers."`
AllowFromRemote bool `comment:"Allow network traffic from remote nodes on the network that you are\nnot directly peered with."`
AlwaysAllowOutbound bool `comment:"Allow outbound network traffic regardless of AllowFromDirect or\nAllowFromRemote. This does allow a remote node to send unsolicited\ntraffic back to you for the length of the session."`
WhitelistPublicKeys []string `comment:"List of public keys from which network traffic is always accepted,\nregardless of AllowFromDirect or AllowFromRemote."`
BlacklistPublicKeys []string `comment:"List of public keys from which network traffic is always rejected,\nregardless of the whitelist, AllowFromDirect or AllowFromRemote."`
}
// Generates default configuration and returns a pointer to the resulting // Generates default configuration and returns a pointer to the resulting
// NodeConfig. This is used when outputting the -genconf parameter and also when // NodeConfig. This is used when outputting the -genconf parameter and also when
// using -autoconf. // using -autoconf.
@ -76,10 +65,6 @@ func GenerateConfig() *NodeConfig {
cfg.MulticastInterfaces = defaults.GetDefaults().DefaultMulticastInterfaces cfg.MulticastInterfaces = defaults.GetDefaults().DefaultMulticastInterfaces
cfg.IfName = defaults.GetDefaults().DefaultIfName cfg.IfName = defaults.GetDefaults().DefaultIfName
cfg.IfMTU = defaults.GetDefaults().DefaultIfMTU cfg.IfMTU = defaults.GetDefaults().DefaultIfMTU
cfg.SessionFirewall.Enable = false
cfg.SessionFirewall.AllowFromDirect = true
cfg.SessionFirewall.AllowFromRemote = true
cfg.SessionFirewall.AlwaysAllowOutbound = true
cfg.NodeInfoPrivacy = false cfg.NodeInfoPrivacy = false
return &cfg return &cfg

View File

@ -116,9 +116,6 @@ func (tun *TunAdapter) write() {
continue // bad local address/subnet continue // bad local address/subnet
} }
info := tun.store.update(ed25519.PublicKey(from.(iwt.Addr))) info := tun.store.update(ed25519.PublicKey(from.(iwt.Addr)))
if info == nil {
continue // Blocked by the gatekeeper
}
if srcAddr != info.address && srcSubnet != info.subnet { if srcAddr != info.address && srcSubnet != info.subnet {
continue // bad remote address/subnet continue // bad remote address/subnet
} }

View File

@ -113,18 +113,6 @@ func (k *keyStore) update(key ed25519.PublicKey) *keyInfo {
info.key = kArray info.key = kArray
info.address = *address.AddrForKey(ed25519.PublicKey(info.key[:])) info.address = *address.AddrForKey(ed25519.PublicKey(info.key[:]))
info.subnet = *address.SubnetForKey(ed25519.PublicKey(info.key[:])) info.subnet = *address.SubnetForKey(ed25519.PublicKey(info.key[:]))
var isOutgoing bool
if k.addrBuffer[info.address] != nil {
isOutgoing = true
}
if k.subnetBuffer[info.subnet] != nil {
isOutgoing = true
}
if !k.tun.gatekeeper(key, isOutgoing) {
// Blocked by the gatekeeper, so don't create an entry for this
k.mutex.Unlock()
return nil
}
k.keyToInfo[info.key] = info k.keyToInfo[info.key] = info
k.addrToInfo[info.address] = info k.addrToInfo[info.address] = info
k.subnetToInfo[info.subnet] = info k.subnetToInfo[info.subnet] = info

View File

@ -45,16 +45,9 @@ type TunAdapter struct {
//mutex sync.RWMutex // Protects the below //mutex sync.RWMutex // Protects the below
isOpen bool isOpen bool
isEnabled bool // Used by the writer to drop sessionTraffic if not enabled isEnabled bool // Used by the writer to drop sessionTraffic if not enabled
gatekeeper func(pubkey ed25519.PublicKey, initiator bool) bool
proto protoHandler proto protoHandler
} }
func (tun *TunAdapter) SetSessionGatekeeper(gatekeeper func(pubkey ed25519.PublicKey, initiator bool) bool) {
phony.Block(tun, func() {
tun.gatekeeper = gatekeeper
})
}
// Gets the maximum supported MTU for the platform based on the defaults in // Gets the maximum supported MTU for the platform based on the defaults in
// defaults.GetDefaults(). // defaults.GetDefaults().
func getSupportedMTU(mtu uint64) uint64 { func getSupportedMTU(mtu uint64) uint64 {