
(1) Disable firewall openers (it's easy to re-enable), (2) Do some prep work for making supernode topology hot-updatable.

Adam Ierymenko 11 years ago
parent
commit
8a804b5257

+ 8 - 3
node/Constants.hpp

@@ -228,7 +228,7 @@
 /**
  * Default number of bits in multicast propagation prefix
  */
-#define ZT_DEFAULT_MULTICAST_PREFIX_BITS 1
+#define ZT_DEFAULT_MULTICAST_PREFIX_BITS 2
 
 /**
  * Default max depth (TTL) for multicast propagation
@@ -272,8 +272,10 @@
  *
  * This should be lower than the UDP conversation entry timeout in most
  * stateful firewalls.
+ *
+ * Uncomment to disable firewall openers.
  */
-#define ZT_FIREWALL_OPENER_DELAY 30000
+//#define ZT_FIREWALL_OPENER_DELAY 30000
 
 /**
  * Number of hops to open via firewall opener packets
@@ -284,7 +286,7 @@
  * 2 should permit traversal of double-NAT configurations, such as from inside
  * a VM running behind local NAT on a host that is itself behind NAT.
  */
-#define ZT_FIREWALL_OPENER_HOPS 2
+//#define ZT_FIREWALL_OPENER_HOPS 2
 
 /**
  * Delay between requests for updated network autoconf information
@@ -363,6 +365,9 @@
 
 /**
  * Delay in milliseconds between firewall opener and real packet for NAT-t
+ *
+ * If firewall openers are disbled, it just waits this long before sending
+ * NAT-t packets.
  */
 #define ZT_RENDEZVOUS_NAT_T_DELAY 500
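Review bot: The new comment above `ZT_FIREWALL_OPENER_DELAY` says `Uncomment to disable firewall openers`, but the line it refers to is the `#define` that this commit comments out, so the instruction is inverted; `Comment out to disable firewall openers; define to enable them.` matches what the code does, and the same wording belongs on `ZT_FIREWALL_OPENER_HOPS`, which is commented out in the next hunk with no note at all. The companion comment added under the NAT-t delay has a typo, `disbled`. The `ZT_DEFAULT_MULTICAST_PREFIX_BITS` change from 1 to 2 in the first hunk is unrelated to firewall openers and is not mentioned in the commit message; it deserves a sentence there or its own commit, since it changes multicast propagation behaviour for every node built from this tree.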
 

+ 2 - 0
node/Node.cpp

@@ -656,7 +656,9 @@ Node::ReasonForTermination Node::run()
 					lastPingCheck = now;
 					try {
 						_r->topology->eachPeer(Topology::PingPeersThatNeedPing(_r,now));
+#ifdef ZT_FIREWALL_OPENER_DELAY
 						_r->topology->eachPeer(Topology::OpenPeersThatNeedFirewallOpener(_r,now));
+#endif
 					} catch (std::exception &exc) {
 						LOG("unexpected exception running ping check cycle: %s",exc.what());
 					} catch ( ... ) {

+ 3 - 0
node/Peer.cpp

@@ -25,6 +25,7 @@
  * LLC. Start here: http://www.zerotier.com/
  */
 
+#include "Constants.hpp"
 #include "Peer.hpp"
 #include "Switch.hpp"
 #include "AntiRecursion.hpp"
@@ -180,6 +181,7 @@ Path::Type Peer::send(const RuntimeEnvironment *_r,const void *data,unsigned int
 	return Path::PATH_TYPE_NULL;
 }
 
+#ifdef ZT_FIREWALL_OPENER_DELAY
 bool Peer::sendFirewallOpener(const RuntimeEnvironment *_r,uint64_t now)
 {
 	bool sent = false;
@@ -194,6 +196,7 @@ bool Peer::sendFirewallOpener(const RuntimeEnvironment *_r,uint64_t now)
 
 	return sent;
 }
+#endif
 
 bool Peer::sendPing(const RuntimeEnvironment *_r,uint64_t now)
 {

+ 2 - 0
node/Peer.hpp

@@ -142,6 +142,7 @@ public:
 	 */
 	Path::Type send(const RuntimeEnvironment *_r,const void *data,unsigned int len,uint64_t now);
 
+#ifdef ZT_FIREWALL_OPENER_DELAY
 	/**
 	 * Send firewall opener to all UDP paths
 	 * 
@@ -150,6 +151,7 @@ public:
 	 * @return True if send appears successful for at least one address type
 	 */
 	bool sendFirewallOpener(const RuntimeEnvironment *_r,uint64_t now);
+#endif
 
 	/**
 	 * Send HELLO to a peer via all direct paths available
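Review bot: The `#ifdef ZT_FIREWALL_OPENER_DELAY` placed inside the body of class Peer is resolved at header-inclusion time, and Peer.cpp in this same commit adds `#include "Constants.hpp"` ahead of `#include "Peer.hpp"`, which suggests Peer.hpp does not include Constants.hpp itself (its include list is outside the hunk). If that is the case, a translation unit that includes Peer.hpp without Constants.hpp first compiles a different definition of class Peer, an ODR violation whose symptoms depend on include order. Peer.hpp should include `"Constants.hpp"` directly, as SocketManager.hpp already does; the same check applies to the guarded functor in Topology.hpp if that header lacks the include.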

+ 2 - 0
node/SocketManager.cpp

@@ -463,6 +463,7 @@ bool SocketManager::send(const InetAddress &to,bool tcp,bool autoConnectTcp,cons
 	return false;
 }
 
+#ifdef ZT_FIREWALL_OPENER_DELAY
 bool SocketManager::sendFirewallOpener(const InetAddress &to,int hopLimit)
 {
 	if (to.isV4()) {
@@ -474,6 +475,7 @@ bool SocketManager::sendFirewallOpener(const InetAddress &to,int hopLimit)
 	}
 	return false;
 }
+#endif
 
 void SocketManager::poll(unsigned long timeout)
 {

+ 3 - 0
node/SocketManager.hpp

@@ -35,6 +35,7 @@
 #include <stdexcept>
 
 #include "Constants.hpp"
+
 #include "SharedPtr.hpp"
 #include "InetAddress.hpp"
 #include "Socket.hpp"
@@ -108,7 +109,9 @@ public:
 	 * @param to Destination address
 	 * @param hopLimit IP TTL
 	 */
+#ifdef ZT_FIREWALL_OPENER_DELAY
 	bool sendFirewallOpener(const InetAddress &to,int hopLimit);
+#endif
 
 	/**
 	 * Perform I/O polling operation (e.g. select())
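Review bot: The `#ifdef ZT_FIREWALL_OPENER_DELAY` in the second hunk wraps only the `sendFirewallOpener` declaration and leaves its Doxygen block (`@param to`, `@param hopLimit`) outside the guard, so with openers disabled the comment documents nothing and Doxygen may attach it to the next declaration. Peer.hpp in this commit puts the guard above the comment; doing the same here keeps the two headers consistent, i.e. move `#ifdef ZT_FIREWALL_OPENER_DELAY` to the line before the `/**` that documents sendFirewallOpener. The blank line inserted after `#include "Constants.hpp"` in the first hunk is whitespace only and can be dropped.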

+ 2 - 0
node/Switch.cpp

@@ -461,7 +461,9 @@ bool Switch::unite(const Address &p1,const Address &p2,bool force)
 
 void Switch::contact(const SharedPtr<Peer> &peer,const InetAddress &atAddr)
 {
+#ifdef ZT_FIREWALL_OPENER_HOPS
 	_r->sm->sendFirewallOpener(atAddr,ZT_FIREWALL_OPENER_HOPS);
+#endif
 
 	{
 		Mutex::Lock _l(_contactQueue_m);
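Review bot: The guard in Switch::contact tests `ZT_FIREWALL_OPENER_HOPS`, while the callee it protects, `SocketManager::sendFirewallOpener`, is declared and defined under `ZT_FIREWALL_OPENER_DELAY` (SocketManager.hpp, SocketManager.cpp), as are Peer::sendFirewallOpener, the Topology functor and the Node.cpp call site. The two macros are independent in Constants.hpp, so defining only `ZT_FIREWALL_OPENER_HOPS` calls an undeclared function here, and defining only `ZT_FIREWALL_OPENER_DELAY` likely leaves Peer::sendFirewallOpener (body outside the hunk) referring to the missing hop count. Guard every site on the same condition, e.g. `#if defined(ZT_FIREWALL_OPENER_DELAY) && defined(ZT_FIREWALL_OPENER_HOPS)`, or have Constants.hpp define and undefine both together under one switch. The enclosing function continues past the end of the hunk.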

+ 2 - 0
node/Topology.hpp

@@ -194,6 +194,7 @@ public:
 			f(*this,*p);
 	}
 
+#ifdef ZT_FIREWALL_OPENER_DELAY
 	/**
 	 * Function object to collect peers that need a firewall opener sent
 	 */
@@ -214,6 +215,7 @@ public:
 		uint64_t _now;
 		const RuntimeEnvironment *_r;
 	};
+#endif
 
 	/**
 	 * Pings all peers that need a ping sent, excluding supernodes

+ 9 - 0
topology/README.md

@@ -0,0 +1,9 @@
+This folder contains the source files to compile the signed network topology dictionary.
+Users outside ZeroTier won't find this useful except for documentation purposes, since
+this dictionary must be signed by a valid topology signing key to be considered valid. These
+keys are hard-coded into the source and distributed with all versions of the app.
+
+A default value for this dictionary is included in node/Defaults.cpp, and the following
+URL is periodically checked for updates:
+
+http://download.zerotier.com/sys/topology

+ 5 - 0
topology/supernodes/36f63d6574

@@ -0,0 +1,5 @@
+id=36f63d6574:0:67a776487a1a99b32f413329f2b67c43fbf6152e42c6b66e89043e69d93e48314c7d709b58a83016bd2612dd89400b856e18c553da94892f7d3ca16bf2c92c24
+udp=198.211.127.172/9993
+tcp=198.211.127.172/443
+desc=Amsterdam, Netherlands
+dns=shub-niggurath.zerotier.com

+ 5 - 0
topology/supernodes/7e19876aba

@@ -0,0 +1,5 @@
+id=7e19876aba:0:2a6e2b2318930f60eb097f70d0f4b028b2cd6d3d0c63c014b9039ff35390e41181f216fb2e6fa8d95c1ee9667156411905c3dccfea78d8c6dfafba688170b3fa
+udp=198.199.97.220/9993
+tcp=198.199.97.220/443
+desc=San Francisco, California, USA
+dns=nyarlathotep.zerotier.com

+ 5 - 0
topology/supernodes/8acf059fe3

@@ -0,0 +1,5 @@
+id=8acf059fe3:0:482f6ee5dfe902319b419de5bdc765209c0ecda38c4d6e4fcf0d33658398b4527dcd22f93112fb9befd02fd78bf7261b333fc105d192a623ca9e50fc60b374a5
+udp=162.243.77.111/9993
+tcp=162.243.77.111/443
+desc=New York, New York, USA
+dns=cthulhu.zerotier.com