From b4b067bf12489a0b3e701515959f81ca96a29240 Mon Sep 17 00:00:00 2001 From: Adam Ierymenko Date: Mon, 4 May 2015 18:34:30 -0700 Subject: [PATCH] So we need to keep track of external surface per reporter, since some NATs assign different external IPs for each external destination. Keeping just one known surface could create a race condition. --- node/IncomingPacket.cpp | 4 +- node/InetAddress.hpp | 3 -- node/Node.cpp | 1 + node/SelfAwareness.cpp | 93 +++++++++++++++++++++++++---------------- node/SelfAwareness.hpp | 36 ++++++++++++++-- 5 files changed, 92 insertions(+), 45 deletions(-) diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp index 453e3945d..7833382a0 100644 --- a/node/IncomingPacket.cpp +++ b/node/IncomingPacket.cpp @@ -273,7 +273,7 @@ bool IncomingPacket::_doHELLO(const RuntimeEnvironment *RR) trusted = true; } if (destAddr) - RR->sa->iam(id.address(),_remoteAddress,destAddr,trusted); + RR->sa->iam(id.address(),_remoteAddress,destAddr,trusted,RR->node->now()); Packet outp(id.address(),RR->identity.address(),Packet::VERB_OK); @@ -358,7 +358,7 @@ bool IncomingPacket::_doOK(const RuntimeEnvironment *RR,const SharedPtr &p trusted = true; } if (destAddr) - RR->sa->iam(peer->address(),_remoteAddress,destAddr,trusted); + RR->sa->iam(peer->address(),_remoteAddress,destAddr,trusted,RR->node->now()); } break; case Packet::VERB_WHOIS: { diff --git a/node/InetAddress.hpp b/node/InetAddress.hpp index 0cc4542ba..5b7251745 100644 --- a/node/InetAddress.hpp +++ b/node/InetAddress.hpp @@ -63,9 +63,6 @@ struct InetAddress : public sockaddr_storage /** * IP address scope - * - * Do not change these numeric index values without taking a look - * at SelfAwareness. Values 1-5 are mapped onto an array index. */ enum IpScope { diff --git a/node/Node.cpp b/node/Node.cpp index 7d5bbe8b4..654465e8d 100644 --- a/node/Node.cpp +++ b/node/Node.cpp @@ -264,6 +264,7 @@ ZT1_ResultCode Node::processBackgroundTasks(uint64_t now,volatile uint64_t *next try { RR->topology->clean(now); + RR->sa->clean(now); } catch ( ... ) { return ZT1_RESULT_FATAL_ERROR_INTERNAL; } diff --git a/node/SelfAwareness.cpp b/node/SelfAwareness.cpp index b1830ef03..1e1f09f76 100644 --- a/node/SelfAwareness.cpp +++ b/node/SelfAwareness.cpp @@ -37,6 +37,9 @@ #include "Packet.hpp" #include "Peer.hpp" +// Entry timeout -- make it fairly long since this is just to prevent stale buildup +#define ZT_SELFAWARENESS_ENTRY_TIMEOUT 3600000 + namespace ZeroTier { class _ResetWithinScope @@ -64,53 +67,59 @@ private: SelfAwareness::SelfAwareness(const RuntimeEnvironment *renv) : RR(renv) { - memset(_lastPhysicalAddress,0,sizeof(_lastPhysicalAddress)); } SelfAwareness::~SelfAwareness() { } -void SelfAwareness::iam(const Address &reporter,const InetAddress &reporterPhysicalAddress,const InetAddress &myPhysicalAddress,bool trusted) +void SelfAwareness::iam(const Address &reporter,const InetAddress &reporterPhysicalAddress,const InetAddress &myPhysicalAddress,bool trusted,uint64_t now) { - // This code depends on the numeric values assigned to scopes in InetAddress.hpp - const unsigned int scope = (unsigned int)myPhysicalAddress.ipScope(); - if ((scope > 0)&&(scope < (unsigned int)InetAddress::IP_SCOPE_LOOPBACK)) { - if ( (!trusted) && ((scope == (unsigned int)InetAddress::IP_SCOPE_GLOBAL)||(scope != (unsigned int)reporterPhysicalAddress.ipScope())) ) { - /* For now only trusted peers are permitted to inform us of changes to - * our global Internet IP or to changes of NATed IPs. We'll let peers on - * private, shared, or link-local networks inform us of changes as long - * as they too are at the same scope. This discrimination avoids a DoS - * attack in which an attacker could force us to reset our connections. */ + const InetAddress::IpScope scope = myPhysicalAddress.ipScope(); + + switch(scope) { + case InetAddress::IP_SCOPE_NONE: + case InetAddress::IP_SCOPE_LOOPBACK: + case InetAddress::IP_SCOPE_MULTICAST: return; - } else { - Mutex::Lock _l(_lock); - InetAddress &lastPhy = _lastPhysicalAddress[scope - 1]; - if (!lastPhy) { - TRACE("learned physical address %s for scope %u from reporter %s(%s) (replaced )",myPhysicalAddress.toString().c_str(),scope,reporter.toString().c_str(),reporterPhysicalAddress.toString().c_str()); - lastPhy = myPhysicalAddress; - } else if (lastPhy != myPhysicalAddress) { - TRACE("learned physical address %s for scope %u from reporter %s(%s) (replaced %s, resetting within scope)",myPhysicalAddress.toString().c_str(),scope,reporter.toString().c_str(),reporterPhysicalAddress.toString().c_str(),lastPhy.toString().c_str()); - lastPhy = myPhysicalAddress; - uint64_t now = RR->node->now(); + case InetAddress::IP_SCOPE_GLOBAL: + if ((!trusted)||(scope != reporterPhysicalAddress.ipScope())) + return; + break; + default: + if (scope != reporterPhysicalAddress.ipScope()) + return; + break; + } - _ResetWithinScope rset(RR,now,(InetAddress::IpScope)scope); - RR->topology->eachPeer<_ResetWithinScope &>(rset); + Mutex::Lock _l(_phy_m); - // For all peers for whom we forgot an address, send a packet indirectly if - // they are still considered alive so that we will re-establish direct links. - SharedPtr sn(RR->topology->getBestSupernode()); - if (sn) { - Path *snp = sn->getBestPath(now); - if (snp) { - for(std::vector< SharedPtr >::const_iterator p(rset.peersReset.begin());p!=rset.peersReset.end();++p) { - if ((*p)->alive(now)) { - TRACE("sending indirect NOP to %s via %s(%s) to re-establish link",(*p)->address().toString().c_str(),sn->address().toString().c_str(),snp->address().toString().c_str()); - Packet outp((*p)->address(),RR->identity.address(),Packet::VERB_NOP); - outp.armor((*p)->key(),true); - snp->send(RR,outp.data(),outp.size(),now); - } - } + PhySurfaceEntry &entry = _phy[PhySurfaceKey(reporter,scope)]; + + if (!entry.ts) { + entry.mySurface = myPhysicalAddress; + entry.ts = now; + TRACE("learned physical address %s for scope %u as seen from %s(%s) (replaced )",myPhysicalAddress.toString().c_str(),(unsigned int)scope,reporter.toString().c_str(),reporterPhysicalAddress.toString().c_str()); + } else if (entry.mySurface != myPhysicalAddress) { + entry.mySurface = myPhysicalAddress; + entry.ts = now; + TRACE("learned physical address %s for scope %u as seen from %s(%s) (replaced %s, resetting all in scope)",myPhysicalAddress.toString().c_str(),(unsigned int)scope,reporter.toString().c_str(),reporterPhysicalAddress.toString().c_str(),entry.mySurface.toString().c_str()); + + _ResetWithinScope rset(RR,now,(InetAddress::IpScope)scope); + RR->topology->eachPeer<_ResetWithinScope &>(rset); + + // For all peers for whom we forgot an address, send a packet indirectly if + // they are still considered alive so that we will re-establish direct links. + SharedPtr sn(RR->topology->getBestSupernode()); + if (sn) { + Path *snp = sn->getBestPath(now); + if (snp) { + for(std::vector< SharedPtr >::const_iterator p(rset.peersReset.begin());p!=rset.peersReset.end();++p) { + if ((*p)->alive(now)) { + TRACE("sending indirect NOP to %s via %s(%s) to re-establish link",(*p)->address().toString().c_str(),sn->address().toString().c_str(),snp->address().toString().c_str()); + Packet outp((*p)->address(),RR->identity.address(),Packet::VERB_NOP); + outp.armor((*p)->key(),true); + snp->send(RR,outp.data(),outp.size(),now); } } } @@ -118,4 +127,14 @@ void SelfAwareness::iam(const Address &reporter,const InetAddress &reporterPhysi } } +void SelfAwareness::clean(uint64_t now) +{ + Mutex::Lock _l(_phy_m); + for(std::map< PhySurfaceKey,PhySurfaceEntry >::iterator p(_phy.begin());p!=_phy.end();) { + if ((now - p->second.ts) >= ZT_SELFAWARENESS_ENTRY_TIMEOUT) + _phy.erase(p++); + else ++p; + } +} + } // namespace ZeroTier diff --git a/node/SelfAwareness.hpp b/node/SelfAwareness.hpp index 2eb9b59f1..4780fa5b5 100644 --- a/node/SelfAwareness.hpp +++ b/node/SelfAwareness.hpp @@ -28,6 +28,8 @@ #ifndef ZT_SELFAWARENESS_HPP #define ZT_SELFAWARENESS_HPP +#include + #include "InetAddress.hpp" #include "Address.hpp" #include "Mutex.hpp" @@ -52,13 +54,41 @@ public: * @param reporterPhysicalAddress Physical address that reporting peer seems to have * @param myPhysicalAddress Physical address that peer says we have * @param trusted True if this peer is trusted as an authority to inform us of external address changes + * @param now Current time */ - void iam(const Address &reporter,const InetAddress &reporterPhysicalAddress,const InetAddress &myPhysicalAddress,bool trusted); + void iam(const Address &reporter,const InetAddress &reporterPhysicalAddress,const InetAddress &myPhysicalAddress,bool trusted,uint64_t now); + + /** + * Clean up database periodically + * + * @param now Current time + */ + void clean(uint64_t now); private: + struct PhySurfaceKey + { + Address reporter; + InetAddress::IpScope scope; + + PhySurfaceKey() : reporter(),scope(InetAddress::IP_SCOPE_NONE) {} + PhySurfaceKey(const Address &r,InetAddress::IpScope s) : reporter(r),scope(s) {} + inline bool operator<(const PhySurfaceKey &k) const throw() { return ((reporter < k.reporter) ? true : ((reporter == k.reporter) ? ((int)scope < (int)k.scope) : false)); } + inline bool operator==(const PhySurfaceKey &k) const throw() { return ((reporter == k.reporter)&&(scope == k.scope)); } + }; + struct PhySurfaceEntry + { + InetAddress mySurface; + uint64_t ts; + + PhySurfaceEntry() : mySurface(),ts(0) {} + PhySurfaceEntry(const InetAddress &a,const uint64_t t) : mySurface(a),ts(t) {} + }; + const RuntimeEnvironment *RR; - Mutex _lock; - InetAddress _lastPhysicalAddress[5]; // 5 == the number of address classes we care about, see InetAddress.hpp and SelfAwareness.cpp + + std::map< PhySurfaceKey,PhySurfaceEntry > _phy; + Mutex _phy_m; }; } // namespace ZeroTier