secondary ports are no longer based on the node ID and fully randomized instead

2025-04-08 03:34:14 +00:00 · 2021-05-27 15:41:11 -07:00 · 2021-05-27 15:41:11 -07:00 · 4fed56443e
commit 4fed56443e
parent 1859365f9d
1 changed files with 11 additions and 2 deletions
--- a/service/OneService.cpp
+++ b/service/OneService.cpp
@ -725,15 +725,24 @@ public:
 			OSUtils::ztsnprintf(portstr,sizeof(portstr),"%u",_ports[0]);
 			OSUtils::writeFile((_homePath + ZT_PATH_SEPARATOR_S "zerotier-one.port").c_str(),std::string(portstr));

-			// Attempt to bind to a secondary port chosen from our ZeroTier address.
+			// Attempt to bind to a secondary port.
 			// This exists because there are buggy NATs out there that fail if more
 			// than one device behind the same NAT tries to use the same internal
 			// private address port number. Buggy NATs are a running theme.
+			//
+			// This used to pick the secondary port based on the node ID until we
+			// discovered another problem: buggy routers and malicious traffic 
+			// "detection".  A lot of routers have such things built in these days
+			// and mis-detect ZeroTier traffic as malicious and block it resulting
+			// in a node that appears to be in a coma.  Secondary ports are now 
+			// randomized on startup.
 			if (_allowSecondaryPort) {
 				if (_secondaryPort) {
 					_ports[1] = _secondaryPort;
 				} else {
-					_ports[1] = 20000 + ((unsigned int)_node->address() % 45500);
+					unsigned int randp = 0;
+					Utils::getSecureRandom(&randp,sizeof(randp));
+					_ports[1] = 20000 + (randp % 45500);
 					for(int i=0;;++i) {
 						if (i > 1000) {
 							_ports[1] = 0;