Refactor COM stuff a bit, and respond to COM requests a bit more readily for rapid setup. Will need to revisit later.

2025-04-29 23:39:46 +00:00 · 2016-09-20 21:21:34 -07:00 · 2016-09-20 21:21:34 -07:00 · d3524f3609
commit d3524f3609
parent 68e549233d
11 changed files with 94 additions and 154 deletions
--- a/node/Constants.hpp
+++ b/node/Constants.hpp
@ -296,7 +296,12 @@
 /**
 * General rate limit timeout for multiple packet types (HELLO, etc.)
 */
-#define ZT_PEER_GENERAL_INBOUND_RATE_LIMIT 1000
+#define ZT_PEER_GENERAL_INBOUND_RATE_LIMIT 500
 /**
 * General limit for max RTT for requests over the network
 */
 #define ZT_GENERAL_RTT_LIMIT 5000
 /**
 * Delay between requests for updated network autoconf information
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@ -153,29 +153,22 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,const SharedPtr<Peer>
 				break;
 			case Packet::ERROR_IDENTITY_COLLISION:
-				// Roots are the only peers currently permitted to state authoritatively
+				// FIXME: for federation this will need a payload with a signature or something.
 				// that an identity has collided. When this occurs the node should be shut
 				// down and a new identity created. The odds of this ever happening are
 				// very low.
 				if (RR->topology->isRoot(peer->identity()))
 					RR->node->postEvent(ZT_EVENT_FATAL_ERROR_IDENTITY_COLLISION);
 				break;
 			case Packet::ERROR_NEED_MEMBERSHIP_CERTIFICATE: {
-				// This error can be sent in response to any packet that fails network
+				// Peers can send this in response to frames if they do not have a recent enough COM from us
 				// authorization. We only listen to it if it's from a peer that has recently
 				// been authorized on this network.
 				SharedPtr<Network> network(RR->node->network(at<uint64_t>(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD)));
 				if ((network)&&(network->recentlyAllowedOnNetwork(peer))) {
 				const uint64_t now = RR->node->now();
-					if (peer->rateGateComRequest(now)) {
+				if ( (network) && (network->config().com) && (peer->rateGateComRequest(now)) ) {
 					Packet outp(peer->address(),RR->identity.address(),Packet::VERB_NETWORK_CREDENTIALS);
 					network->config().com.serialize(outp);
 					outp.append((uint8_t)0);
 					outp.armor(peer->key(),true);
 					_path->send(RR,outp.data(),outp.size(),now);
 				}
 				}
 			}	break;
 			case Packet::ERROR_NETWORK_ACCESS_DENIED_: {
--- a/node/Membership.hpp
+++ b/node/Membership.hpp
@ -154,23 +154,6 @@ public:
 		return nconf.com.agreesWith(_com);
 	}
 	/**
 	 * @return True if this member has been on this network recently (or network is public)
 	 */
 	inline bool recentlyAllowedOnNetwork(const NetworkConfig &nconf) const
 	{
 		if (nconf.isPublic())
 			return true;
 		if (_com) {
 			const uint64_t a = _com.timestamp().first;
 			if ((_blacklistBefore)&&(a <= _blacklistBefore))
 				return false;
 			const uint64_t b = nconf.com.timestamp().first;
 			return ((a <= b) ? ((b - a) <= ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MAX_MAX_DELTA) : true);
 		}
 		return false;
 	}
 	/**
 	 * Check whether a capability or tag is within its max delta from the timestamp of our network config and newer than any blacklist cutoff time
 	 *
@ -259,10 +242,7 @@ public:
 	 *
 	 * @param ts Blacklist cutoff
 	 */
-	inline void blacklistBefore(const uint64_t ts)
+	inline void blacklistBefore(const uint64_t ts) { _blacklistBefore = ts; }
 	{
 		_blacklistBefore = ts;
 	}
 	/**
 	 * Clean up old or stale entries
--- a/node/Network.cpp
+++ b/node/Network.cpp
@ -648,11 +648,12 @@ bool Network::filterOutgoingPacket(
 {
 	uint32_t remoteTagIds[ZT_MAX_NETWORK_TAGS];
 	uint32_t remoteTagValues[ZT_MAX_NETWORK_TAGS];
-	Address ztDest2(ztDest);
+	Address ztFinalDest(ztDest);
 	Address cc;
 	const Capability *relevantCap = (const Capability *)0;
 	unsigned int ccLength = 0;
 	bool accept = false;
 	const uint64_t now = RR->node->now();
 	Mutex::Lock _l(_lock);
@ -663,26 +664,27 @@ bool Network::filterOutgoingPacket(
 		remoteTagCount = m->getAllTags(_config,remoteTagIds,remoteTagValues,ZT_MAX_NETWORK_TAGS);
 	}
-	switch(_doZtFilter(RR,_config,false,ztSource,ztDest2,macSource,macDest,frameData,frameLen,etherType,vlanId,_config.rules,_config.ruleCount,_config.tags,_config.tagCount,remoteTagIds,remoteTagValues,remoteTagCount,cc,ccLength)) {
+	switch(_doZtFilter(RR,_config,false,ztSource,ztFinalDest,macSource,macDest,frameData,frameLen,etherType,vlanId,_config.rules,_config.ruleCount,_config.tags,_config.tagCount,remoteTagIds,remoteTagValues,remoteTagCount,cc,ccLength)) {
 		case DOZTFILTER_NO_MATCH:
 			for(unsigned int c=0;c<_config.capabilityCount;++c) {
-				ztDest2 = ztDest; // sanity check
+				ztFinalDest = ztDest; // sanity check
 				Address cc2;
 				unsigned int ccLength2 = 0;
-				switch (_doZtFilter(RR,_config,false,ztSource,ztDest2,macSource,macDest,frameData,frameLen,etherType,vlanId,_config.capabilities[c].rules(),_config.capabilities[c].ruleCount(),_config.tags,_config.tagCount,remoteTagIds,remoteTagValues,remoteTagCount,cc2,ccLength2)) {
+				switch (_doZtFilter(RR,_config,false,ztSource,ztFinalDest,macSource,macDest,frameData,frameLen,etherType,vlanId,_config.capabilities[c].rules(),_config.capabilities[c].ruleCount(),_config.tags,_config.tagCount,remoteTagIds,remoteTagValues,remoteTagCount,cc2,ccLength2)) {
 					case DOZTFILTER_NO_MATCH:
 					case DOZTFILTER_DROP: // explicit DROP in a capability just terminates its evaluation and is an anti-pattern
 						break;
-					case DOZTFILTER_REDIRECT: // interpreted as ACCEPT but ztDest2 will have been changed in _doZtFilter()
+					case DOZTFILTER_REDIRECT: // interpreted as ACCEPT but ztFinalDest will have been changed in _doZtFilter()
 					case DOZTFILTER_ACCEPT:
 					case DOZTFILTER_SUPER_ACCEPT: // no difference in behavior on outbound side
 						relevantCap = &(_config.capabilities[c]);
 						accept = true;
 						if ((!noTee)&&(cc2)) {
-							_membership(cc2).sendCredentialsIfNeeded(RR,RR->node->now(),cc2,_config,relevantCap);
+							Membership &m2 = _membership(cc2);
 							m2.sendCredentialsIfNeeded(RR,now,cc2,_config,relevantCap);
 							Packet outp(cc2,RR->identity.address(),Packet::VERB_EXT_FRAME);
 							outp.append(_id);
@ -705,7 +707,7 @@ bool Network::filterOutgoingPacket(
 		case DOZTFILTER_DROP:
 			return false;
-		case DOZTFILTER_REDIRECT: // interpreted as ACCEPT but ztDest2 will have been changed in _doZtFilter()
+		case DOZTFILTER_REDIRECT: // interpreted as ACCEPT but ztFinalDest will have been changed in _doZtFilter()
 		case DOZTFILTER_ACCEPT:
 		case DOZTFILTER_SUPER_ACCEPT: // no difference in behavior on outbound side
 			accept = true;
@ -714,7 +716,8 @@ bool Network::filterOutgoingPacket(
 	if (accept) {
 		if ((!noTee)&&(cc)) {
-			_membership(cc).sendCredentialsIfNeeded(RR,RR->node->now(),cc,_config,relevantCap);
+			Membership &m2 = _membership(cc);
 			m2.sendCredentialsIfNeeded(RR,now,cc,_config,relevantCap);
 			Packet outp(cc,RR->identity.address(),Packet::VERB_EXT_FRAME);
 			outp.append(_id);
@ -727,10 +730,11 @@ bool Network::filterOutgoingPacket(
 			RR->sw->send(outp,true);
 		}
-		if ((ztDest != ztDest2)&&(ztDest2)) {
+		if ((ztDest != ztFinalDest)&&(ztFinalDest)) {
-			_membership(ztDest2).sendCredentialsIfNeeded(RR,RR->node->now(),ztDest2,_config,relevantCap);
+			Membership &m2 = _membership(ztFinalDest);
 			m2.sendCredentialsIfNeeded(RR,now,ztFinalDest,_config,relevantCap);
-			Packet outp(ztDest2,RR->identity.address(),Packet::VERB_EXT_FRAME);
+			Packet outp(ztFinalDest,RR->identity.address(),Packet::VERB_EXT_FRAME);
 			outp.append(_id);
 			outp.append((uint8_t)0x02); // TEE/REDIRECT from outbound side: 0x02
 			macDest.appendTo(outp);
@ -742,11 +746,13 @@ bool Network::filterOutgoingPacket(
 			return false; // DROP locally, since we redirected
 		} else if (m) {
-			m->sendCredentialsIfNeeded(RR,RR->node->now(),ztDest,_config,relevantCap);
+			m->sendCredentialsIfNeeded(RR,now,ztDest,_config,relevantCap);
 		}
 		}
-	return accept;
+		return true;
 	} else {
 		return false;
 	}
 }
 int Network::filterIncomingPacket(
@ -761,7 +767,7 @@ int Network::filterIncomingPacket(
 {
 	uint32_t remoteTagIds[ZT_MAX_NETWORK_TAGS];
 	uint32_t remoteTagValues[ZT_MAX_NETWORK_TAGS];
-	Address ztDest2(ztDest);
+	Address ztFinalDest(ztDest);
 	Address cc;
 	unsigned int ccLength = 0;
 	int accept = 0;
@ -771,16 +777,16 @@ int Network::filterIncomingPacket(
 	Membership &m = _membership(sourcePeer->address());
 	const unsigned int remoteTagCount = m.getAllTags(_config,remoteTagIds,remoteTagValues,ZT_MAX_NETWORK_TAGS);
-	switch (_doZtFilter(RR,_config,true,sourcePeer->address(),ztDest2,macSource,macDest,frameData,frameLen,etherType,vlanId,_config.rules,_config.ruleCount,_config.tags,_config.tagCount,remoteTagIds,remoteTagValues,remoteTagCount,cc,ccLength)) {
+	switch (_doZtFilter(RR,_config,true,sourcePeer->address(),ztFinalDest,macSource,macDest,frameData,frameLen,etherType,vlanId,_config.rules,_config.ruleCount,_config.tags,_config.tagCount,remoteTagIds,remoteTagValues,remoteTagCount,cc,ccLength)) {
 		case DOZTFILTER_NO_MATCH: {
 			Membership::CapabilityIterator mci(m);
 			const Capability *c;
 			while ((c = mci.next(_config))) {
-				ztDest2 = ztDest; // sanity check
+				ztFinalDest = ztDest; // sanity check
 				Address cc2;
 				unsigned int ccLength2 = 0;
-				switch(_doZtFilter(RR,_config,true,sourcePeer->address(),ztDest2,macSource,macDest,frameData,frameLen,etherType,vlanId,c->rules(),c->ruleCount(),_config.tags,_config.tagCount,remoteTagIds,remoteTagValues,remoteTagCount,cc2,ccLength2)) {
+				switch(_doZtFilter(RR,_config,true,sourcePeer->address(),ztFinalDest,macSource,macDest,frameData,frameLen,etherType,vlanId,c->rules(),c->ruleCount(),_config.tags,_config.tagCount,remoteTagIds,remoteTagValues,remoteTagCount,cc2,ccLength2)) {
 					case DOZTFILTER_NO_MATCH:
 					case DOZTFILTER_DROP: // explicit DROP in a capability just terminates its evaluation and is an anti-pattern
 						break;
@ -815,7 +821,7 @@ int Network::filterIncomingPacket(
 		case DOZTFILTER_DROP:
 			return 0; // DROP
-		case DOZTFILTER_REDIRECT: // interpreted as ACCEPT but ztDest2 will have been changed in _doZtFilter()
+		case DOZTFILTER_REDIRECT: // interpreted as ACCEPT but ztFinalDest will have been changed in _doZtFilter()
 		case DOZTFILTER_ACCEPT:
 			accept = 1; // ACCEPT
 			break;
@ -839,10 +845,10 @@ int Network::filterIncomingPacket(
 			RR->sw->send(outp,true);
 		}
-		if ((ztDest != ztDest2)&&(ztDest2)) {
+		if ((ztDest != ztFinalDest)&&(ztFinalDest)) {
-			_membership(ztDest2).sendCredentialsIfNeeded(RR,RR->node->now(),ztDest2,_config,(const Capability *)0);
+			_membership(ztFinalDest).sendCredentialsIfNeeded(RR,RR->node->now(),ztFinalDest,_config,(const Capability *)0);
-			Packet outp(ztDest2,RR->identity.address(),Packet::VERB_EXT_FRAME);
+			Packet outp(ztFinalDest,RR->identity.address(),Packet::VERB_EXT_FRAME);
 			outp.append(_id);
 			outp.append((uint8_t)0x06); // TEE/REDIRECT from inbound side: 0x06
 			macDest.appendTo(outp);
@ -1063,15 +1069,18 @@ bool Network::gate(const SharedPtr<Peer> &peer,const Packet::Verb verb,const uin
 	Mutex::Lock _l(_lock);
 	try {
 		if (_config) {
-			Membership &m = _membership(peer->address());
+			Membership *m = _memberships.get(peer->address());
-			const bool allow = m.isAllowedOnNetwork(_config);
+			if ( (_config.isPublic()) || ((m)&&(m->isAllowedOnNetwork(_config))) ) {
-			if (allow) {
+				if (!m)
-				m.sendCredentialsIfNeeded(RR,now,peer->address(),_config,(const Capability *)0);
+					m = &(_membership(peer->address()));
-				if (m.shouldLikeMulticasts(now)) {
+				m->sendCredentialsIfNeeded(RR,now,peer->address(),_config,(const Capability *)0);
 				if (m->shouldLikeMulticasts(now)) {
 					_announceMulticastGroupsTo(peer->address(),_allMulticastGroups());
-					m.likingMulticasts(now);
+					m->likingMulticasts(now);
 				}
-			} else if (m.recentlyAllowedOnNetwork(_config)&&peer->rateGateRequestCredentials(now)) {
+				return true;
 			} else {
 				if (peer->rateGateRequestCredentials(now)) {
 					Packet outp(peer->address(),RR->identity.address(),Packet::VERB_ERROR);
 					outp.append((uint8_t)verb);
 					outp.append(packetId);
@ -1079,7 +1088,7 @@ bool Network::gate(const SharedPtr<Peer> &peer,const Packet::Verb verb,const uin
 					outp.append(_id);
 					RR->sw->send(outp,true);
 				}
-			return allow;
+			}
 		}
 	} catch ( ... ) {
 		TRACE("gate() check failed for peer %s: unexpected exception",peer->address().toString().c_str());
@ -1092,15 +1101,6 @@ bool Network::gateMulticastGatherReply(const SharedPtr<Peer> &peer,const Packet:
 	return ( (peer->address() == controller()) || RR->topology->isUpstream(peer->identity()) || gate(peer,verb,packetId) || _config.isAnchor(peer->address()) );
 }
 bool Network::recentlyAllowedOnNetwork(const SharedPtr<Peer> &peer) const
 {
 	Mutex::Lock _l(_lock);
 	const Membership *m = _memberships.get(peer->address());
 	if (m)
 		return m->recentlyAllowedOnNetwork(_config);
 	return false;
 }
 void Network::clean()
 {
 	const uint64_t now = RR->node->now();
@ -1308,8 +1308,7 @@ void Network::_sendUpdatesToMembers(const MulticastGroup *const newMulticastGrou
 		Membership *m = (Membership *)0;
 		Hashtable<Address,Membership>::Iterator i(_memberships);
 		while (i.next(a,m)) {
-			if ( (m->recentlyAllowedOnNetwork(_config)) || (std::find(anchors.begin(),anchors.end(),*a) != anchors.end()) ) {
+			m->sendCredentialsIfNeeded(RR,now,*a,_config,(const Capability *)0);
 				m->sendCredentialsIfNeeded(RR,RR->node->now(),*a,_config,(const Capability *)0);
 			if ( ((newMulticastGroup)||(m->shouldLikeMulticasts(now))) && (m->isAllowedOnNetwork(_config)) ) {
 				if (!newMulticastGroup)
 					m->likingMulticasts(now);
@ -1318,7 +1317,6 @@ void Network::_sendUpdatesToMembers(const MulticastGroup *const newMulticastGrou
 		}
 	}
 }
 }
 void Network::_announceMulticastGroupsTo(const Address &peer,const std::vector<MulticastGroup> &allMulticastGroups)
 {
--- a/node/Network.hpp
+++ b/node/Network.hpp
@ -248,7 +248,10 @@ public:
 	void requestConfiguration();
 	/**
-	 * Membership check gate for incoming packets related to this network
+	 * Determine whether this peer is permitted to communicate on this network
 	 *
 	 * This also performs certain periodic actions such as pushing renewed
 	 * credentials to peers or requesting them if not present.
 	 *
 	 * @param peer Peer to check
 	 * @param verb Packet verb
@ -262,12 +265,6 @@ public:
 	 */
 	bool gateMulticastGatherReply(const SharedPtr<Peer> &peer,const Packet::Verb verb,const uint64_t packetId);
 	/**
 	 * @param peer Peer to check
 	 * @return True if peer has recently been a valid member of this network
 	 */
 	bool recentlyAllowedOnNetwork(const SharedPtr<Peer> &peer) const;
 	/**
 	 * Perform cleanup and possibly save state
 	 */
--- a/node/Node.cpp
+++ b/node/Node.cpp
@ -241,7 +241,7 @@ public:
 			}
 			lastReceiveFromUpstream = std::max(p->lastReceive(),lastReceiveFromUpstream);
-		} else if (p->activelyTransferringFrames(_now)) {
+		} else if (p->isActive(_now)) {
 			// Normal nodes get their preferred link kept alive if the node has generated frame traffic recently
 			p->doPingAndKeepalive(_now,-1);
 		}
--- a/node/Peer.cpp
+++ b/node/Peer.cpp
@ -41,7 +41,6 @@ namespace ZeroTier {
 static uint32_t _natKeepaliveBuf = 0;
 Peer::Peer(const RuntimeEnvironment *renv,const Identity &myIdentity,const Identity &peerIdentity) :
 	_lastUsed(0),
 	_lastReceive(0),
 	_lastUnicastFrame(0),
 	_lastMulticastFrame(0),
@ -408,19 +407,16 @@ bool Peer::hasActiveDirectPath(uint64_t now) const
 	return false;
 }
-bool Peer::resetWithinScope(InetAddress::IpScope scope,int inetAddressFamily,uint64_t now)
+void Peer::resetWithinScope(InetAddress::IpScope scope,int inetAddressFamily,uint64_t now)
 {
 	Mutex::Lock _l(_paths_m);
 	bool resetSomething = false;
 	for(unsigned int p=0;p<_numPaths;++p) {
 		if ( (_paths[p].path->address().ss_family == inetAddressFamily) && (_paths[p].path->address().ipScope() == scope) ) {
 			attemptToContactAt(_paths[p].path->localAddress(),_paths[p].path->address(),now);
 			_paths[p].path->sent(now);
-			_paths[p].lastReceive >>= 2; // de-prioritize heavily vs. other paths, will get reset if we get OK(HELLO) or other traffic
+			_paths[p].lastReceive = 0; // path will not be used unless it speaks again
 			resetSomething = true;
 		}
 	}
 	return resetSomething;
 }
 void Peer::getBestActiveAddresses(uint64_t now,InetAddress &v4,InetAddress &v6) const
--- a/node/Peer.hpp
+++ b/node/Peer.hpp
@ -68,18 +68,6 @@ public:
 	 */
 	Peer(const RuntimeEnvironment *renv,const Identity &myIdentity,const Identity &peerIdentity);
 	/**
 	 * @return Time peer record was last used in any way
 	 */
 	inline uint64_t lastUsed() const throw() { return _lastUsed; }
 	/**
 	 * Log a use of this peer record (done by Topology when peers are looked up)
 	 *
 	 * @param now New time of last use
 	 */
 	inline void use(uint64_t now) throw() { _lastUsed = now; }
 	/**
 	 * @return This peer's ZT address (short for identity().address())
 	 */
@ -194,15 +182,14 @@ public:
 	/**
 	 * Reset paths within a given IP scope and address family
 	 *
-	 * Resetting a path involves sending a HELLO to it and then de-prioritizing
+	 * Resetting a path involves sending an ECHO to it and then deactivating
-	 * it vs. other paths.
+	 * it until or unless it responds.
 	 *
 	 * @param scope IP scope
 	 * @param inetAddressFamily Family e.g. AF_INET
 	 * @param now Current time
 	 * @return True if we forgot at least one path
 	 */
-	bool resetWithinScope(InetAddress::IpScope scope,int inetAddressFamily,uint64_t now);
+	void resetWithinScope(InetAddress::IpScope scope,int inetAddressFamily,uint64_t now);
 	/**
 	 * Get most recently active path addresses for IPv4 and/or IPv6
@ -232,27 +219,32 @@ public:
 	/**
 	 * @return Time of last receive of anything, whether direct or relayed
 	 */
-	inline uint64_t lastReceive() const throw() { return _lastReceive; }
+	inline uint64_t lastReceive() const { return _lastReceive; }
 	/**
 	 * @return True if we've heard from this peer in less than ZT_PEER_ACTIVITY_TIMEOUT
 	 */
 	inline bool isAlive(const uint64_t now) const { return ((now - _lastReceive) < ZT_PEER_ACTIVITY_TIMEOUT); }
 	/**
 	 * @return Time of most recent unicast frame received
 	 */
-	inline uint64_t lastUnicastFrame() const throw() { return _lastUnicastFrame; }
+	inline uint64_t lastUnicastFrame() const { return _lastUnicastFrame; }
 	/**
 	 * @return Time of most recent multicast frame received
 	 */
-	inline uint64_t lastMulticastFrame() const throw() { return _lastMulticastFrame; }
+	inline uint64_t lastMulticastFrame() const { return _lastMulticastFrame; }
 	/**
 	 * @return Time of most recent frame of any kind (unicast or multicast)
 	 */
-	inline uint64_t lastFrame() const throw() { return std::max(_lastUnicastFrame,_lastMulticastFrame); }
+	inline uint64_t lastFrame() const { return std::max(_lastUnicastFrame,_lastMulticastFrame); }
 	/**
 	 * @return True if this peer has sent us real network traffic recently
 	 */
-	inline uint64_t activelyTransferringFrames(uint64_t now) const throw() { return ((now - lastFrame()) < ZT_PEER_ACTIVITY_TIMEOUT); }
+	inline uint64_t isActive(uint64_t now) const { return ((now - lastFrame()) < ZT_PEER_ACTIVITY_TIMEOUT); }
 	/**
 	 * @return Latency in milliseconds or 0 if unknown
@ -464,7 +456,6 @@ private:
 	uint8_t _key[ZT_PEER_SECRET_KEY_LENGTH];
 	uint8_t _remoteClusterOptimal6[16];
 	uint64_t _lastUsed;
 	uint64_t _lastReceive; // direct or indirect
 	uint64_t _lastUnicastFrame;
 	uint64_t _lastMulticastFrame;
--- a/node/SelfAwareness.cpp
+++ b/node/SelfAwareness.cpp
@ -45,9 +45,7 @@ public:
 		_family(inetAddressFamily),
 		_scope(scope) {}
-	inline void operator()(Topology &t,const SharedPtr<Peer> &p) { if (p->resetWithinScope(_scope,_family,_now)) peersReset.push_back(p); }
+	inline void operator()(Topology &t,const SharedPtr<Peer> &p) { p->resetWithinScope(_scope,_family,_now); }
 	std::vector< SharedPtr<Peer> > peersReset;
 private:
 	uint64_t _now;
@ -95,16 +93,6 @@ void SelfAwareness::iam(const Address &reporter,const InetAddress &receivedOnLoc
 		// Reset all paths within this scope and address family
 		_ResetWithinScope rset(now,myPhysicalAddress.ss_family,(InetAddress::IpScope)scope);
 		RR->topology->eachPeer<_ResetWithinScope &>(rset);
 		// Send a NOP to all peers for whom we forgot a path. This will cause direct
 		// links to be re-established if possible, possibly using a root server or some
 		// other relay.
 		for(std::vector< SharedPtr<Peer> >::const_iterator p(rset.peersReset.begin());p!=rset.peersReset.end();++p) {
 			if ((*p)->activelyTransferringFrames(now)) {
 				Packet outp((*p)->address(),RR->identity.address(),Packet::VERB_NOP);
 				RR->sw->send(outp,true);
 			}
 		}
 	} else {
 		// Otherwise just update DB to use to determine external surface info
 		entry.mySurface = myPhysicalAddress;
--- a/node/Switch.cpp
+++ b/node/Switch.cpp
@ -354,8 +354,7 @@ void Switch::onLocalEthernet(const SharedPtr<Network> &network,const MAC &from,c
 			return;
 		}
-		// Destination is a multicast address (including broadcast)
+		MulticastGroup multicastGroup(to,0);
 		MulticastGroup mg(to,0);
 		if (to.isBroadcast()) {
 			if ( (etherType == ZT_ETHERTYPE_ARP) && (len >= 28) && ((((const uint8_t *)data)[2] == 0x08)&&(((const uint8_t *)data)[3] == 0x00)&&(((const uint8_t *)data)[4] == 6)&&(((const uint8_t *)data)[5] == 4)&&(((const uint8_t *)data)[7] == 0x01)) ) {
@ -368,7 +367,7 @@ void Switch::onLocalEthernet(const SharedPtr<Network> &network,const MAC &from,c
 				 * them into multicasts by stuffing the IP address being queried into
 				 * the 32-bit ADI field. In practice this uses our multicast pub/sub
 				 * system to implement a kind of extended/distributed ARP table. */
-				mg = MulticastGroup::deriveMulticastGroupForAddressResolution(InetAddress(((const unsigned char *)data) + 24,4,0));
+				multicastGroup = MulticastGroup::deriveMulticastGroupForAddressResolution(InetAddress(((const unsigned char *)data) + 24,4,0));
 			} else if (!network->config().enableBroadcast()) {
 				// Don't transmit broadcasts if this network doesn't want them
 				TRACE("%.16llx: dropped broadcast since ff:ff:ff:ff:ff:ff is not enabled",network->id());
@ -463,9 +462,9 @@ void Switch::onLocalEthernet(const SharedPtr<Network> &network,const MAC &from,c
 		 * multicast addresses on bridge interfaces and subscribing each slave.
 		 * But in that case this does no harm, as the sets are just merged. */
 		if (fromBridged)
-			network->learnBridgedMulticastGroup(mg,RR->node->now());
+			network->learnBridgedMulticastGroup(multicastGroup,RR->node->now());
-		//TRACE("%.16llx: MULTICAST %s -> %s %s %u",network->id(),from.toString().c_str(),mg.toString().c_str(),etherTypeName(etherType),len);
+		//TRACE("%.16llx: MULTICAST %s -> %s %s %u",network->id(),from.toString().c_str(),multicastGroup.toString().c_str(),etherTypeName(etherType),len);
 		// First pass sets noTee to false, but noTee is set to true in OutboundMulticast to prevent duplicates.
 		if (!network->filterOutgoingPacket(false,RR->identity.address(),Address(),from,to,(const uint8_t *)data,len,etherType,vlanId)) {
@ -478,7 +477,7 @@ void Switch::onLocalEthernet(const SharedPtr<Network> &network,const MAC &from,c
 			RR->node->now(),
 			network->id(),
 			network->config().activeBridges(),
-			mg,
+			multicastGroup,
 			(fromBridged) ? from : MAC(),
 			etherType,
 			data,
--- a/node/Topology.cpp
+++ b/node/Topology.cpp
@ -96,7 +96,6 @@ SharedPtr<Peer> Topology::addPeer(const SharedPtr<Peer> &peer)
 		np = hp;
 	}
 	np->use(RR->node->now());
 	saveIdentity(np->identity());
 	return np;
@ -113,7 +112,6 @@ SharedPtr<Peer> Topology::getPeer(const Address &zta)
 		Mutex::Lock _l(_lock);
 		const SharedPtr<Peer> *const ap = _peers.get(zta);
 		if (ap) {
 			(*ap)->use(RR->node->now());
 			return *ap;
 		}
 	}
@ -127,7 +125,6 @@ SharedPtr<Peer> Topology::getPeer(const Address &zta)
 				SharedPtr<Peer> &ap = _peers[zta];
 				if (!ap)
 					ap.swap(np);
 				ap->use(RR->node->now());
 				return ap;
 			}
 		}
@ -176,11 +173,9 @@ SharedPtr<Peer> Topology::getBestRoot(const Address *avoid,unsigned int avoidCou
 			if (_rootAddresses[p] == RR->identity.address()) {
 				for(unsigned long q=1;q<_rootAddresses.size();++q) {
 					const SharedPtr<Peer> *const nextsn = _peers.get(_rootAddresses[(p + q) % _rootAddresses.size()]);
-					if ((nextsn)&&((*nextsn)->hasActiveDirectPath(now))) {
+					if ((nextsn)&&((*nextsn)->hasActiveDirectPath(now)))
 						(*nextsn)->use(now);
 						return *nextsn;
 				}
 				}
 				break;
 			}
 		}
@ -214,10 +209,8 @@ SharedPtr<Peer> Topology::getBestRoot(const Address *avoid,unsigned int avoidCou
 		}
 		if (bestNotAvoid) {
 			(*bestNotAvoid)->use(now);
 			return *bestNotAvoid;
 		} else if ((!strictAvoid)&&(bestOverall)) {
 			(*bestOverall)->use(now);
 			return *bestOverall;
 		}
@ -256,7 +249,7 @@ void Topology::clean(uint64_t now)
 		Address *a = (Address *)0;
 		SharedPtr<Peer> *p = (SharedPtr<Peer> *)0;
 		while (i.next(a,p)) {
-			if (((now - (*p)->lastUsed()) >= ZT_PEER_IN_MEMORY_EXPIRATION)&&(std::find(_rootAddresses.begin(),_rootAddresses.end(),*a) == _rootAddresses.end()))
+			if ( (!(*p)->isAlive(now)) && (std::find(_rootAddresses.begin(),_rootAddresses.end(),*a) == _rootAddresses.end()) )
 				_peers.erase(*a);
 		}
 	}