Refactor rules table in-memory structure in new NetworkConfig to permit far more rules with better space efficiency.
This commit is contained in:
parent
368efaa2ba
commit
d736074301
@ -107,9 +107,9 @@ extern "C" {
|
|||||||
#define ZT_MAX_NETWORK_STATIC_DEVICES 32
|
#define ZT_MAX_NETWORK_STATIC_DEVICES 32
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of rules per network (can be increased)
|
* Maximum number of rule table entries per network (can be increased)
|
||||||
*/
|
*/
|
||||||
#define ZT_MAX_NETWORK_RULES 64
|
#define ZT_MAX_NETWORK_RULES 256
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of multicast group subscriptions per network
|
* Maximum number of multicast group subscriptions per network
|
||||||
@ -432,102 +432,235 @@ enum ZT_VirtualNetworkType
|
|||||||
*/
|
*/
|
||||||
enum ZT_VirtualNetworkRuleAction
|
enum ZT_VirtualNetworkRuleAction
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
|
* Drop frame
|
||||||
|
*/
|
||||||
ZT_NETWORK_RULE_ACTION_DROP = 0,
|
ZT_NETWORK_RULE_ACTION_DROP = 0,
|
||||||
ZT_NETWORK_RULE_ACTION_ACCEPT = 1
|
|
||||||
|
/**
|
||||||
|
* Accept and pass frame
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_ACTION_ACCEPT = 1,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Forward a copy of this frame to an observer (in datum.zt[1])
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_ACTION_TEE = 2,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Redirect frame to ZeroTier device in datum.zt[1] regardless of Ethernet addressing or anything else
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_ACTION_REDIRECT = 3
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Datum type (variant) that a rule matches
|
||||||
|
*/
|
||||||
|
enum ZT_VirtualNetworkRuleMatches
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* Matches all packets (no criteria)
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_ALL = 0,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Source ZeroTier address -- analogous to an Ethernet port ID on a switch
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_SOURCE_ZEROTIER_ADDRESS = 1,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Destination ZeroTier address -- analogous to an Ethernet port ID on a switch
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_DEST_ZEROTIER_ADDRESS = 2,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ethernet VLAN ID
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_VLAN_ID = 3,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ethernet VLAN PCP
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_VLAN_PCP = 4,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ethernet VLAN DEI
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_VLAN_DEI = 5,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ethernet frame type
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_ETHERTYPE = 6,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Source Ethernet MAC address
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_MAC_SOURCE = 7,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Destination Ethernet MAC address
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_MAC_DEST = 8,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Source IPv4 address
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_IPV4_SOURCE = 9,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Destination IPv4 address
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_IPV4_DEST = 10,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Source IPv6 address
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_IPV6_SOURCE = 11,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Destination IPv6 address
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_IPV6_DEST = 12,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* IP TOS (type of service)
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_IP_TOS = 13,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* IP protocol
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_IP_PROTOCOL = 14,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* IP source port range (start-end, inclusive)
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_IP_SOURCE_PORT_RANGE = 15,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* IP destination port range (start-end, inclusive)
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_IP_DEST_PORT_RANGE = 16,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Packet characteristic flags
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_FLAGS = 17,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Frame size range (start-end, inclusive)
|
||||||
|
*/
|
||||||
|
ZT_NETWORK_RULE_MATCHES_FRAME_SIZE_RANGE = 18
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Network flow rule
|
* Network flow rule
|
||||||
*
|
*
|
||||||
* Currently only etherType is supported! Other flags will have no effect
|
* NOTE: Currently (1.1.x) only etherType is supported! Other things will
|
||||||
* until the rules engine is fully implemented.
|
* have no effect until the rules engine is fully implemented.
|
||||||
|
*
|
||||||
|
* Multiple entries in the table can have the same ruleNo. This indicates
|
||||||
|
* a row with multiple matching criteria.
|
||||||
|
*
|
||||||
|
* This gives the table a much more space-efficient compressed representation,
|
||||||
|
* allowing far more rules to be efficiently sent in small netconf structures.
|
||||||
*/
|
*/
|
||||||
typedef struct
|
typedef struct
|
||||||
{
|
{
|
||||||
/**
|
/**
|
||||||
* Rule sort order
|
* Rule number and sort order
|
||||||
|
*
|
||||||
|
* Multiple entries in the table can have the same ruleNo. This causes them
|
||||||
|
* to be matched as an AND together, e.g. both IP source and IP source port.
|
||||||
*/
|
*/
|
||||||
int ruleNo;
|
uint16_t ruleNo;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Source ZeroTier address ("port" on the global virtual switch) (0 == wildcard)
|
* Field that this rules table entry matches (enum ZT_VirtualNetworkRuleMatches)
|
||||||
*/
|
*/
|
||||||
uint64_t sourcePort;
|
uint8_t matches;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Destination ZeroTier address ("port" on the global virtual switch) (0 == wildcard)
|
* Action if rule matches (enum ZT_VirtualNetworkRuleAction)
|
||||||
*/
|
*/
|
||||||
uint64_t destPort;
|
uint8_t action;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* VLAN ID (-1 == wildcard)
|
* Union containing the datum for this rule
|
||||||
|
*
|
||||||
|
* The rule entry functions like a variant type, with the field of datum
|
||||||
|
* that is relevant/valid determined by the 'matches' enum.
|
||||||
*/
|
*/
|
||||||
int vlanId;
|
union {
|
||||||
|
/**
|
||||||
|
* IPv6 address in big-endian / network byte order
|
||||||
|
*/
|
||||||
|
uint8_t ipv6[16];
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* VLAN PCP (-1 == wildcard)
|
* Flags (128 possible)
|
||||||
*/
|
*/
|
||||||
int vlanPcp;
|
uint8_t flags[16];
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Ethernet type (-1 == wildcard)
|
* IPv4 address in big-endian / network byte order
|
||||||
*/
|
*/
|
||||||
int etherType;
|
uint32_t ipv4;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Source MAC address (least significant 48 bits, host byte order) (0 == wildcard)
|
* IP port range -- start-end inclusive -- host byte order
|
||||||
*/
|
*/
|
||||||
uint64_t macSource;
|
uint16_t port[2];
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Destination MAC address (least significant 48 bits, host byte order) (0 == wildcard)
|
* Two possible 40-bit ZeroTier addresses in host byte order (least significant 40 bits of uint64_t)
|
||||||
|
*
|
||||||
|
* The first of these ([0]) is used in most cases e.g. matching ZT source
|
||||||
|
* address. The second is used as the observer for the TEE action.
|
||||||
*/
|
*/
|
||||||
uint64_t macDest;
|
uint64_t zt[2];
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Source IP address (ss_family == 0 for wildcard)
|
* 48-bit Ethernet MAC address in big-endian order
|
||||||
*/
|
*/
|
||||||
struct sockaddr_storage ipSource;
|
uint8_t mac[6];
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Destination IP address (ss_family == 0 for wildcard)
|
* VLAN ID in host byte order
|
||||||
*/
|
*/
|
||||||
struct sockaddr_storage ipDest;
|
uint16_t vlanId;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* IP type of service (-1 == wildcard)
|
* VLAN PCP (least significant 3 bits)
|
||||||
*/
|
*/
|
||||||
int ipTos;
|
uint8_t vlanPcp;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* IP protocol (-1 == wildcard)
|
* VLAN DEI (single bit / boolean)
|
||||||
*/
|
*/
|
||||||
int ipProtocol;
|
uint8_t vlanDei;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* IP source port (-1 == wildcard)
|
* Ethernet type in host byte order
|
||||||
*/
|
*/
|
||||||
int ipSourcePort;
|
uint16_t etherType;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* IP destination port (-1 == wildcard)
|
* IP protocol
|
||||||
*/
|
*/
|
||||||
int ipDestPort;
|
uint8_t ipProtocol;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Flags to match if set
|
* IP type of service
|
||||||
*/
|
*/
|
||||||
unsigned long flags;
|
uint8_t ipTos;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Flags to match if NOT set
|
* Ethernet packet size in host byte order (start-end, inclusive)
|
||||||
*/
|
*/
|
||||||
unsigned long invFlags;
|
uint16_t frameSize[2];
|
||||||
|
} datum;
|
||||||
/**
|
|
||||||
* Action if rule matches
|
|
||||||
*/
|
|
||||||
enum ZT_VirtualNetworkRuleAction action;
|
|
||||||
} ZT_VirtualNetworkRule;
|
} ZT_VirtualNetworkRule;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
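Review bot: The union layout leaves a TEE or REDIRECT target with nowhere to live on some entries: `datum.zt[1]` occupies bytes 8-15 of the 16-byte union, which `datum.ipv6[16]` and `datum.flags[16]` fully overlap, so an entry that matches an IPv6 address or flags and carries action TEE/REDIRECT cannot hold its observer address as the ZT_NETWORK_RULE_ACTION_TEE and REDIRECT comments describe. Either those comments should state that the target is carried in a separate entry (for example a ZT_NETWORK_RULE_MATCHES_ALL entry sharing the same ruleNo), or `zt[1]` needs to move out of the union. Since the struct comment says these tables are sent in netconf structures, the `matches` and `action` fields should also note that out-of-range values must be treated as no-match/drop by every consumer, the way permitsEtherType's fall-through to `return false` already does. Finally, the IPv4/IPv6 datums carry no prefix length, so address rules can only match exact hosts; if CIDR matching is intended, the comment should say it is not yet representable.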
|
@ -286,6 +286,9 @@
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Delay between requests for updated network autoconf information
|
* Delay between requests for updated network autoconf information
|
||||||
|
*
|
||||||
|
* Don't lengthen this as it affects things like QoS / uptime monitoring
|
||||||
|
* via ZeroTier Central. This is the heartbeat, basically.
|
||||||
*/
|
*/
|
||||||
#define ZT_NETWORK_AUTOCONF_DELAY 60000
|
#define ZT_NETWORK_AUTOCONF_DELAY 60000
|
||||||
|
|
||||||
|
@ -56,16 +56,10 @@ NetworkConfig NetworkConfig::createTestNetworkConfig(const Address &self)
|
|||||||
nc._type = ZT_NETWORK_TYPE_PUBLIC;
|
nc._type = ZT_NETWORK_TYPE_PUBLIC;
|
||||||
nc._enableBroadcast = true;
|
nc._enableBroadcast = true;
|
||||||
|
|
||||||
nc._rules[nc._ruleCount].ruleNo = 0;
|
nc._rules[nc._ruleCount].ruleNo = 1;
|
||||||
nc._rules[nc._ruleCount].vlanId = -1;
|
nc._rules[nc._ruleCount].matches = (uint8_t)ZT_NETWORK_RULE_MATCHES_ALL;
|
||||||
nc._rules[nc._ruleCount].vlanPcp = -1;
|
nc._rules[nc._ruleCount].action = (uint8_t)ZT_NETWORK_RULE_ACTION_ACCEPT;
|
||||||
nc._rules[nc._ruleCount].etherType = -1;
|
nc._ruleCount = 1;
|
||||||
nc._rules[nc._ruleCount].ipTos = -1;
|
|
||||||
nc._rules[nc._ruleCount].ipProtocol = -1;
|
|
||||||
nc._rules[nc._ruleCount].ipSourcePort = -1;
|
|
||||||
nc._rules[nc._ruleCount].ipDestPort = -1;
|
|
||||||
nc._rules[nc._ruleCount].action = ZT_NETWORK_RULE_ACTION_ACCEPT;
|
|
||||||
++nc._ruleCount;
|
|
||||||
|
|
||||||
Utils::snprintf(nc._name,sizeof(nc._name),"ZT_TEST_NETWORK");
|
Utils::snprintf(nc._name,sizeof(nc._name),"ZT_TEST_NETWORK");
|
||||||
|
|
||||||
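Review bot: The test-network rule is populated without clearing the entry first, so `datum` and any padding keep whatever `nc._rules[0]` held; the parallel code in fromDictionary does `memset(&(_rules[_ruleCount]),0,sizeof(ZT_VirtualNetworkRule));` before filling an entry, and this site should match it so a MATCHES_ALL entry never carries stray datum bytes into anything that later serializes the table. Whether the constructor zero-fills `_rules` is not visible here, so this is worth doing regardless. Because `nc._ruleCount = 1;` hard-codes the count, the three assignments would also read more clearly against `nc._rules[0]` than against `nc._rules[nc._ruleCount]`, whose value at this point depends on code outside the hunk. createTestNetworkConfig begins and ends outside this hunk.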
@ -213,14 +207,9 @@ void NetworkConfig::fromDictionary(const Dictionary &d)
|
|||||||
if (_ruleCount < ZT_MAX_NETWORK_RULES) {
|
if (_ruleCount < ZT_MAX_NETWORK_RULES) {
|
||||||
memset(&(_rules[_ruleCount]),0,sizeof(ZT_VirtualNetworkRule));
|
memset(&(_rules[_ruleCount]),0,sizeof(ZT_VirtualNetworkRule));
|
||||||
_rules[_ruleCount].ruleNo = rno; rno += 10;
|
_rules[_ruleCount].ruleNo = rno; rno += 10;
|
||||||
_rules[_ruleCount].vlanId = -1;
|
_rules[_ruleCount].matches = (uint8_t)((et2 == 0) ? ZT_NETWORK_RULE_MATCHES_ALL : ZT_NETWORK_RULE_MATCHES_ETHERTYPE);
|
||||||
_rules[_ruleCount].vlanPcp = -1;
|
_rules[_ruleCount].action = (uint8_t)ZT_NETWORK_RULE_ACTION_ACCEPT;
|
||||||
_rules[_ruleCount].etherType = (et2 == 0) ? -1 : (int)et2;
|
_rules[_ruleCount].datum.etherType = (uint16_t)et2;
|
||||||
_rules[_ruleCount].ipTos = -1;
|
|
||||||
_rules[_ruleCount].ipProtocol = -1;
|
|
||||||
_rules[_ruleCount].ipSourcePort = -1;
|
|
||||||
_rules[_ruleCount].ipDestPort = -1;
|
|
||||||
_rules[_ruleCount].action = ZT_NETWORK_RULE_ACTION_ACCEPT;
|
|
||||||
++_ruleCount;
|
++_ruleCount;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
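Review bot: `_rules[_ruleCount].datum.etherType = (uint16_t)et2;` silently truncates, so an out-of-range value in the dictionary (for example 0x10800) becomes a rule that accepts a different ethertype (0x0800) instead of being rejected, whereas the old `(int)et2` kept all the bits. The declaration and parsing of `et2` are outside the hunk, but if it is wider than 16 bits the loop should skip the entry with `if (et2 > 0xffff) continue;` (or reject the config) before the cast. `rno` is likewise now assigned into the `uint16_t ruleNo`; with ZT_MAX_NETWORK_RULES at 256 and steps of 10 the largest value is 2560, which fits, but a comment stating that bound would keep it from being silently broken if the limit grows again. fromDictionary begins outside this hunk.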
|
@ -133,8 +133,12 @@ public:
|
|||||||
inline bool permitsEtherType(unsigned int etherType) const
|
inline bool permitsEtherType(unsigned int etherType) const
|
||||||
{
|
{
|
||||||
for(unsigned int i=0;i<_ruleCount;++i) {
|
for(unsigned int i=0;i<_ruleCount;++i) {
|
||||||
if ((_rules[i].etherType < 0)||((unsigned int)_rules[i].etherType == etherType))
|
if ((ZT_VirtualNetworkRuleMatches)_rules[i].matches == ZT_NETWORK_RULE_MATCHES_ETHERTYPE) {
|
||||||
return (_rules[i].action == ZT_NETWORK_RULE_ACTION_ACCEPT);
|
if (_rules[i].datum.etherType == etherType)
|
||||||
|
return ((ZT_VirtualNetworkRuleAction)_rules[i].action == ZT_NETWORK_RULE_ACTION_ACCEPT);
|
||||||
|
} else if ((ZT_VirtualNetworkRuleMatches)_rules[i].matches == ZT_NETWORK_RULE_MATCHES_ALL) {
|
||||||
|
return ((ZT_VirtualNetworkRuleAction)_rules[i].action == ZT_NETWORK_RULE_ACTION_ACCEPT);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
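Review bot: permitsEtherType should document that it does not apply the ruleNo AND-grouping the header now describes: it returns on the first ETHERTYPE entry whose `datum.etherType` equals the argument, or on the first MATCHES_ALL entry, without checking whether sibling entries sharing that ruleNo would also have to hold, and entries of any other `matches` type are skipped. That is consistent with the header's note that only etherType is honored in 1.1.x, but a reader of this function cannot see it. Suggested comment above the function: `// Evaluates only MATCHES_ETHERTYPE and MATCHES_ALL entries in table order; other match types and ruleNo AND-grouping are not yet applied. No matching entry => false (fail closed).` The comparison `_rules[i].datum.etherType == etherType` promotes the uint16_t, so an argument above 0xffff can never match and falls through to `return false`, which is the safe direction.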
|