
Minor security: lock roots to only be reachable via World IPs.

Adam Ierymenko 9 years ago
parent
commit
244f37179c
3 changed files with 36 additions and 0 deletions
  1. 3 0
      node/Node.cpp
  2. 17 0
      node/Topology.cpp
  3. 16 0
      node/Topology.hpp

+ 3 - 0
node/Node.cpp

@@ -633,6 +633,9 @@ bool Node::shouldUsePathForZeroTierTraffic(const Address &ztaddr,const InetAddre
 	if (!Path::isAddressValidForPath(remoteAddress))
 		return false;
 
+	if (RR->topology->isProhibitedEndpoint(ztaddr,remoteAddress))
+		return false;
+
 	{
 		Mutex::Lock _l(_networks_m);
 		for(std::vector< std::pair< uint64_t, SharedPtr<Network> > >::const_iterator i=_networks.begin();i!=_networks.end();++i) {
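Review bot: The new early return after the `isProhibitedEndpoint` call has no comment explaining why an address that already passed `Path::isAddressValidForPath` is still rejected. I would add `// Roots may only be reached at IPs listed in the current World` above the check. As written in Topology.cpp, the call takes Topology's `_lock` and does a linear `std::find` on every invocation, so it is worth confirming this function is not on a per-packet path. Whether paths learned from inbound packets also pass through this gate is not visible here; if they do not, the restriction may cover only part of path selection. The function body continues past the end of the hunk.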

+ 17 - 0
node/Topology.cpp

@@ -264,6 +264,23 @@ void Topology::setUpstream(const Address &a,bool upstream)
 		RR->sw->requestWhois(a);
 }
 
+bool Topology::isProhibitedEndpoint(const Address &ztaddr,const InetAddress &ipaddr) const
+{
+	Mutex::Lock _l(_lock);
+
+	if (std::find(_rootAddresses.begin(),_rootAddresses.end(),ztaddr) != _rootAddresses.end()) {
+		for(std::vector<World::Root>::const_iterator r(_world.roots().begin());r!=_world.roots().end();++r) {
+			for(std::vector<InetAddress>::const_iterator e(r->stableEndpoints.begin());e!=r->stableEndpoints.end();++e) {
+				if (ipaddr.ipsEqual(*e))
+					return false;
+			}
+		}
+		return true;
+	}
+
+	return false;
+}
+
 bool Topology::worldUpdateIfValid(const World &newWorld)
 {
 	Mutex::Lock _l(_lock);
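Review bot: The endpoint loop in `isProhibitedEndpoint` accepts `ipaddr` if it matches a stable endpoint of any root in `_world.roots()`, not only the root whose address is `ztaddr`. A root address is therefore allowed at another root's IP, which is weaker than pinning each root to its own endpoints. Assuming `World::Root` carries the root's identity alongside `stableEndpoints`, a first line in the outer loop such as `if (r->identity.address() != ztaddr) continue;` would bind the two. The `return true` fall-through also prohibits every IP when `ztaddr` is in `_rootAddresses` but the World lists no matching endpoint; that looks intended but deserves a comment, since it silently drops all paths to that root.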

+ 16 - 0
node/Topology.hpp

@@ -163,6 +163,22 @@ public:
 	 */
 	void setUpstream(const Address &a,bool upstream);
 
+	/**
+	 * Check for prohibited endpoints
+	 *
+	 * Right now this returns true if the designated ZT address is a root and if
+	 * the IP (IP only, not port) does not equal any of the IPs defined in the
+	 * current World. This is an extra little security feature in case root keys
+	 * get appropriated or something.
+	 *
+	 * Otherwise it returns false.
+	 *
+	 * @param ztaddr ZeroTier address
+	 * @param ipaddr IP address
+	 * @return True if this ZT/IP pair should not be allowed to be used
+	 */
+	bool isProhibitedEndpoint(const Address &ztaddr,const InetAddress &ipaddr) const;
+
 	/**
 	 * @return Vector of active upstream addresses (including roots)
 	 */
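Review bot: The doc comment on `isProhibitedEndpoint` leaves the threat vague ("in case root keys get appropriated or something") and does not say which World entries the IP is compared against. I would state it directly, for example `Limits the damage if a root's secret key is stolen: the root's ZT address is still only accepted at IPs listed as stable endpoints in the current World.` It should also say whether the match is against the named root's endpoints or those of every root, because the implementation in Topology.cpp checks all roots. A note that the method takes the Topology lock would help callers that hold other locks.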