diff --git a/node/Node.cpp b/node/Node.cpp
index 11f763653..ed60817f5 100644
--- a/node/Node.cpp
+++ b/node/Node.cpp
@@ -633,6 +633,9 @@ bool Node::shouldUsePathForZeroTierTraffic(const Address &ztaddr,const InetAddre
 if (!Path::isAddressValidForPath(remoteAddress))
 return false;
+ if (RR->topology->isProhibitedEndpoint(ztaddr,remoteAddress))
+ return false;
+
 {
 Mutex::Lock _l(_networks_m);
 for(std::vector< std::pair< uint64_t, SharedPtr > >::const_iterator i=_networks.begin();i!=_networks.end();++i) {
diff --git a/node/Topology.cpp b/node/Topology.cpp
index 517934fbe..bf51b5854 100644
--- a/node/Topology.cpp
+++ b/node/Topology.cpp
@@ -264,6 +264,23 @@ void Topology::setUpstream(const Address &a,bool upstream)
 RR->sw->requestWhois(a);
 }
+bool Topology::isProhibitedEndpoint(const Address &ztaddr,const InetAddress &ipaddr) const
+{
+ Mutex::Lock _l(_lock);
+
+ if (std::find(_rootAddresses.begin(),_rootAddresses.end(),ztaddr) != _rootAddresses.end()) {
+ for(std::vector::const_iterator r(_world.roots().begin());r!=_world.roots().end();++r) {
+ for(std::vector::const_iterator e(r->stableEndpoints.begin());e!=r->stableEndpoints.end();++e) {
+ if (ipaddr.ipsEqual(*e))
+ return false;
+ }
+ }
+ return true;
+ }
+
+ return false;
+}
+
 bool Topology::worldUpdateIfValid(const World &newWorld)
 {
 Mutex::Lock _l(_lock);
diff --git a/node/Topology.hpp b/node/Topology.hpp
index 8e1d28cb0..90ad70831 100644
--- a/node/Topology.hpp
+++ b/node/Topology.hpp
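Review bot: The new early return in shouldUsePathForZeroTierTraffic is silent: a root address turning up at an endpoint outside the World is precisely the event this check was added to catch, yet nothing records it, so an operator has no way to notice the condition the commit message worries about. Consider logging before the return, e.g. `TRACE("refusing path to root %s at non-World endpoint %s",ztaddr.toString().c_str(),remoteAddress.toString().c_str());` if the file's TRACE facility is in scope at this point. Note also that the call takes Topology's lock on every invocation of this function; that is fine if the function is not on a per-packet path, but worth confirming. The enclosing function continues outside the hunk.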
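Review bot: isProhibitedEndpoint accepts an IP if it matches a stable endpoint of any root in the World, not only the root that ztaddr identifies, so root A is allowed to appear at root B's address; the check can be tightened to the named root with one line at the top of the outer loop, `if (r->identity.address() != ztaddr) continue;` (assuming World::Root carries the root's identity, as it does elsewhere in the tree). A second edge on the same branch: a root present in _rootAddresses whose World entry has no stableEndpoints is prohibited at every address and becomes unreachable, which may be intended but deserves a comment such as `// a root with no stable endpoints in the World is never reachable`. std::find also needs <algorithm> unless Topology.cpp already pulls it in. The function is complete within the hunk.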
@@ -163,6 +163,22 @@ public:
 */
 void setUpstream(const Address &a,bool upstream);
+ /**
+ * Check for prohibited endpoints
+ *
+ * Right now this returns true if the designated ZT address is a root and if
+ * the IP (IP only, not port) does not equal any of the IPs defined in the
+ * current World. This is an extra little security feature in case root keys
+ * get appropriated or something.
+ *
+ * Otherwise it returns false.
+ *
+ * @param ztaddr ZeroTier address
+ * @param ipaddr IP address
+ * @return True if this ZT/IP pair should not be allowed to be used
+ */
+ bool isProhibitedEndpoint(const Address &ztaddr,const InetAddress &ipaddr) const;
+ /** + * @return Vector of active upstream addresses (including roots) */
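Review bot: The doc comment on isProhibitedEndpoint omits two properties of the implementation that callers will rely on: the IP is compared against the stable endpoints of every root in the World rather than the endpoints of the root ztaddr names, and a root with no stable endpoints in the World is prohibited at every address. It should also say that the call acquires the topology lock, since shouldUsePathForZeroTierTraffic now invokes it on each path decision. A line after the @return tag along the lines of `* Compares against the stable endpoints of all World roots; a root with none is prohibited everywhere. Takes the topology lock.` would cover it. The enclosing class declaration starts and ends outside the hunk.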