Add regexp to limit which link-local IPv6 zones allow peering, and check that a peer isn't from within the network's address block (prevents accidental tunneling)

This commit is contained in:
Arceliar 2018-01-09 02:08:54 -06:00
parent b76fcbb402
commit ef1e0c902f
4 changed files with 26 additions and 1 deletions


@ -2,6 +2,7 @@ package yggdrasil
import "io/ioutil" import "io/ioutil"
import "log" import "log"
import "regexp"
type Core struct { type Core struct {
// This is the main data structure that holds everything else for a node // This is the main data structure that holds everything else for a node
@ -23,6 +24,7 @@ type Core struct {
tcp *tcpInterface tcp *tcpInterface
udp *udpInterface udp *udpInterface
log *log.Logger log *log.Logger
ifceExpr *regexp.Regexp // the zone of link-local IPv6 peers must match this
} }
func (c *Core) Init() { func (c *Core) Init() {
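Review bot: The comment on the new `ifceExpr` field says the zone "must match this" but not what kind of match is performed or what value it is compared to, which matters for an allow-list. The consumer in this commit (udp.go reader) calls `MatchString` on the `Zone` of the UDP source address, which is an unanchored substring match, so a pattern like `eth0` also admits `veth0`. I would make that explicit on the field: `// ifceExpr is matched (unanchored, via MatchString) against the Zone of a link-local IPv6 UDP peer address; only matching zones may complete a key exchange`. The body of `Init()` is outside this hunk, so whether it assigns a default is not visible here.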


@ -11,6 +11,7 @@ import _ "golang.org/x/net/ipv6" // TODO put this somewhere better
import "fmt" import "fmt"
import "net" import "net"
import "log" import "log"
import "regexp"
// Core // Core
@ -334,6 +335,10 @@ func (c *Core) DEBUG_setLogger(log *log.Logger) {
c.log = log c.log = log
} }
func (c *Core) DEBUG_setIfceExpr(expr *regexp.Regexp) {
c.ifceExpr = expr
}
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
func DEBUG_simLinkPeers(p, q *peer) { func DEBUG_simLinkPeers(p, q *peer) {
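Review bot: `DEBUG_setIfceExpr` is exported but has no doc comment, and nothing states when it has to be called relative to starting the UDP interface. I would add `// DEBUG_setIfceExpr sets the regexp that the zone of a link-local IPv6 peer address must match before its key exchange is accepted; call it before the UDP interface starts.` above the method, matching the other DEBUG_ setters in this file.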


@ -281,6 +281,15 @@ func (iface *udpInterface) reader() {
msg := bs[:n] msg := bs[:n]
addr := connAddr(udpAddr.String()) addr := connAddr(udpAddr.String())
if udp_isKeys(msg) { if udp_isKeys(msg) {
var them address
copy(them[:], udpAddr.IP.To16())
if them.isValid() {
continue
}
if udpAddr.IP.IsLinkLocalUnicast() &&
!iface.core.ifceExpr.MatchString(udpAddr.Zone) {
continue
}
iface.handleKeys(msg, addr) iface.handleKeys(msg, addr)
} else { } else {
iface.handlePacket(msg, addr) iface.handlePacket(msg, addr)
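Review bot: `iface.core.ifceExpr.MatchString(udpAddr.Zone)` on the second new condition dereferences a `*regexp.Regexp` that is nil unless `DEBUG_setIfceExpr` was called, so any link-local key packet arriving at a node started through another path (the simulator also uses the DEBUG_ setup functions, as far as I can infer) panics the reader goroutine; because the trigger is an unauthenticated inbound packet on the local segment, that is a remotely reachable crash rather than just a setup bug. I would fail closed: `if udpAddr.IP.IsLinkLocalUnicast() && (iface.core.ifceExpr == nil || !iface.core.ifceExpr.MatchString(udpAddr.Zone)) {` so an unconfigured filter drops link-local key exchanges instead of crashing (or, if nil is meant to mean "allow all" like the empty-pattern default, guard with `iface.core.ifceExpr != nil &&` and document that choice). Both new checks apply only to the `udp_isKeys` branch; presumably a session cannot be established without a key exchange, so `handlePacket` needs no filter, but that is not visible from this hunk. The `reader()` body starts and ends outside the hunk, and `address.isValid()` is project-defined, so I cannot confirm here that it covers exactly the network's own block.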


@ -10,6 +10,7 @@ import "net"
import "os" import "os"
import "os/signal" import "os/signal"
import "time" import "time"
import "regexp"
import _ "net/http/pprof" import _ "net/http/pprof"
import "net/http" import "net/http"
@ -35,6 +36,7 @@ type nodeConfig struct {
SigPub string SigPub string
SigPriv string SigPriv string
Multicast bool Multicast bool
LinkLocal string
IfName string IfName string
} }
@ -62,6 +64,11 @@ func (n *node) init(cfg *nodeConfig, logger *log.Logger) {
} }
n.core.DEBUG_init(boxPub, boxPriv, sigPub, sigPriv) n.core.DEBUG_init(boxPub, boxPriv, sigPub, sigPriv)
n.core.DEBUG_setLogger(logger) n.core.DEBUG_setLogger(logger)
ifceExpr, err := regexp.Compile(cfg.LinkLocal)
if err != nil {
panic(err)
}
n.core.DEBUG_setIfceExpr(ifceExpr)
logger.Println("Starting interface...") logger.Println("Starting interface...")
n.core.DEBUG_setupAndStartGlobalUDPInterface(cfg.Listen) n.core.DEBUG_setupAndStartGlobalUDPInterface(cfg.Listen)
logger.Println("Started interface") logger.Println("Started interface")
@ -91,6 +98,7 @@ func generateConfig() *nodeConfig {
cfg.SigPriv = hex.EncodeToString(spriv[:]) cfg.SigPriv = hex.EncodeToString(spriv[:])
cfg.Peers = []string{} cfg.Peers = []string{}
cfg.Multicast = true cfg.Multicast = true
cfg.LinkLocal = ""
cfg.IfName = "auto" cfg.IfName = "auto"
return &cfg return &cfg
} }
@ -210,7 +218,8 @@ func main() {
panic(err) panic(err)
} }
decoder := json.NewDecoder(bytes.NewReader(config)) decoder := json.NewDecoder(bytes.NewReader(config))
err = decoder.Decode(&cfg) cfg = generateConfig()
err = decoder.Decode(cfg)
if err != nil { if err != nil {
panic(err) panic(err)
} }
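Review bot: In the `init` hunk, `regexp.Compile(cfg.LinkLocal)` is used with `MatchString`, so the pattern is a substring match: a `LinkLocal` of `eth0` admits `veth0` and `eth01`, and the default `""` from `generateConfig` matches every zone, which reads as "no restriction" but is never stated. For an allow-list I would anchor a non-empty pattern, e.g. compile `"^(?:" + cfg.LinkLocal + ")$"` when `cfg.LinkLocal != ""`, and document the config field as `// LinkLocal is a regexp that a link-local IPv6 peer's interface zone must fully match; empty allows all zones`. The `panic(err)` on a bad pattern is consistent with the surrounding config handling, but wrapping it with the field name (`panic(fmt.Sprintf("LinkLocal regexp: %v", err))`) would make the operator error obvious. `node.init` continues outside the hunk.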