ExternalVendorCode/ZeroTierOne
1
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2024-12-21 13:57:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

EXT_FRAME messages should always be accepted if we are the destination for a matching TEE or REDIRECT rule.

Browse Source
This commit is contained in:
Adam Ierymenko 2016-08-29 15:54:06 -07:00
parent 51a420671f
commit f0636ffd4a
3 changed files with 43 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
node/IncomingPacket.cpp
View File

@ -596,13 +596,11 @@ bool IncomingPacket::_doEXT_FRAME(const RuntimeEnvironment *RR,const SharedPtr<P
return true; return true;
} }
// Everything after flags must be adjusted based on the length
// of the certificate, if there was one...
const unsigned int etherType = at<uint16_t>(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_ETHERTYPE); const unsigned int etherType = at<uint16_t>(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_ETHERTYPE);
const MAC to(field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_TO,ZT_PROTO_VERB_EXT_FRAME_LEN_TO),ZT_PROTO_VERB_EXT_FRAME_LEN_TO); const MAC to(field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_TO,ZT_PROTO_VERB_EXT_FRAME_LEN_TO),ZT_PROTO_VERB_EXT_FRAME_LEN_TO);
const MAC from(field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_FROM,ZT_PROTO_VERB_EXT_FRAME_LEN_FROM),ZT_PROTO_VERB_EXT_FRAME_LEN_FROM); const MAC from(field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_FROM,ZT_PROTO_VERB_EXT_FRAME_LEN_FROM),ZT_PROTO_VERB_EXT_FRAME_LEN_FROM);
const unsigned int frameLen = size() - (comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD);
const uint8_t *const frameData = (const uint8_t *)field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD,frameLen);
if ((!from)||(from.isMulticast())||(from == network->mac())) { if ((!from)||(from.isMulticast())||(from == network->mac())) {
TRACE("dropped EXT_FRAME from %s@%s(%s) to %s: invalid source MAC",from.toString().c_str(),peer->address().toString().c_str(),_remoteAddress.toString().c_str(),to.toString().c_str()); TRACE("dropped EXT_FRAME from %s@%s(%s) to %s: invalid source MAC",from.toString().c_str(),peer->address().toString().c_str(),_remoteAddress.toString().c_str(),to.toString().c_str());
@ -610,6 +608,8 @@ bool IncomingPacket::_doEXT_FRAME(const RuntimeEnvironment *RR,const SharedPtr<P
return true; return true;
} }
switch (network->filterIncomingPacket(peer,RR->identity.address(),from,to,frameData,frameLen,etherType,0)) {
case 1:
if (from != MAC(peer->address(),network->id())) { if (from != MAC(peer->address(),network->id())) {
if (network->config().permitsBridging(peer->address())) { if (network->config().permitsBridging(peer->address())) {
network->learnBridgeRoute(from,peer->address()); network->learnBridgeRoute(from,peer->address());
@ -625,11 +625,11 @@ bool IncomingPacket::_doEXT_FRAME(const RuntimeEnvironment *RR,const SharedPtr<P
return true; return true;
} }
} }
// fall through -- 2 means accept regardless of bridging state
const unsigned int frameLen = size() - (comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD); case 2:
const uint8_t *const frameData = (const uint8_t *)field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD,frameLen);
if (network->filterIncomingPacket(peer,RR->identity.address(),from,to,frameData,frameLen,etherType,0))
RR->node->putFrame(network->id(),network->userPtr(),from,to,etherType,0,(const void *)frameData,frameLen); RR->node->putFrame(network->id(),network->userPtr(),from,to,etherType,0,(const void *)frameData,frameLen);
break;
}
peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP,true); peer->received(_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP,true);
} }

29
node/Network.cpp
View File

@ -77,7 +77,9 @@ static const char *_rtn(const ZT_VirtualNetworkRuleType rt)
} }
static const void _dumpFilterTrace(const char *ruleName,uint8_t thisSetMatches,bool noRedirect,bool inbound,const Address &ztSource,const Address &ztDest,const MAC &macSource,const MAC &macDest,const std::vector<std::string> &dlog,unsigned int frameLen,unsigned int etherType,const char *msg) static const void _dumpFilterTrace(const char *ruleName,uint8_t thisSetMatches,bool noRedirect,bool inbound,const Address &ztSource,const Address &ztDest,const MAC &macSource,const MAC &macDest,const std::vector<std::string> &dlog,unsigned int frameLen,unsigned int etherType,const char *msg)
{ {
printf("!! %c %s inbound=%d noRedirect=%d frameLen=%u etherType=%u" ZT_EOL_S, static volatile unsigned long cnt = 0;
printf("%.6lu %c %s inbound=%d noRedirect=%d frameLen=%u etherType=%u" ZT_EOL_S,
cnt,
((thisSetMatches) ? 'Y' : '.'), ((thisSetMatches) ? 'Y' : '.'),
ruleName, ruleName,
(int)inbound, (int)inbound,
@ -140,7 +142,7 @@ static bool _ipv6GetPayload(const uint8_t *frameData,unsigned int frameLen,unsig
return false; // overflow == invalid return false; // overflow == invalid
} }
// 0 == no match, -1 == match/drop, 1 == match/accept // 0 == no match, -1 == match/drop, 1 == match/accept, 2 == match/accept even if bridged
static int _doZtFilter( static int _doZtFilter(
const RuntimeEnvironment *RR, const RuntimeEnvironment *RR,
const bool noRedirect, const bool noRedirect,
@ -212,9 +214,8 @@ static int _doZtFilter(
// REDIRECT as DROP since we are the destination. // REDIRECT as DROP since we are the destination.
#ifdef ZT_RULES_ENGINE_DEBUGGING #ifdef ZT_RULES_ENGINE_DEBUGGING
_dumpFilterTrace(_rtn(rt),thisSetMatches,noRedirect,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,"ignored since we are the destination"); _dumpFilterTrace(_rtn(rt),thisSetMatches,noRedirect,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,"ignored since we are the destination");
dlog.clear();
#endif // ZT_RULES_ENGINE_DEBUGGING #endif // ZT_RULES_ENGINE_DEBUGGING
thisSetMatches = 1; return 2; // we should "super-accept" this packet since we are the TEE or REDIRECT destination
} else { } else {
if (!noRedirect) { if (!noRedirect) {
Packet outp(fwdAddr,RR->identity.address(),Packet::VERB_EXT_FRAME); Packet outp(fwdAddr,RR->identity.address(),Packet::VERB_EXT_FRAME);
@ -580,6 +581,7 @@ bool Network::filterOutgoingPacket(
m.sendCredentialsIfNeeded(RR,RR->node->now(),ztDest,_config,(const Capability *)0); m.sendCredentialsIfNeeded(RR,RR->node->now(),ztDest,_config,(const Capability *)0);
return false; return false;
case 1: case 1:
case 2:
if (ztDest) if (ztDest)
m.sendCredentialsIfNeeded(RR,RR->node->now(),ztDest,_config,(const Capability *)0); m.sendCredentialsIfNeeded(RR,RR->node->now(),ztDest,_config,(const Capability *)0);
return true; return true;
@ -592,6 +594,7 @@ bool Network::filterOutgoingPacket(
m.sendCredentialsIfNeeded(RR,RR->node->now(),ztDest,_config,(const Capability *)0); m.sendCredentialsIfNeeded(RR,RR->node->now(),ztDest,_config,(const Capability *)0);
return false; return false;
case 1: case 1:
case 2:
if (ztDest) if (ztDest)
m.sendCredentialsIfNeeded(RR,RR->node->now(),ztDest,_config,&(_config.capabilities[c])); m.sendCredentialsIfNeeded(RR,RR->node->now(),ztDest,_config,&(_config.capabilities[c]));
return true; return true;
@ -601,7 +604,7 @@ bool Network::filterOutgoingPacket(
return false; return false;
} }
bool Network::filterIncomingPacket( int Network::filterIncomingPacket(
const SharedPtr<Peer> &sourcePeer, const SharedPtr<Peer> &sourcePeer,
const Address &ztDest, const Address &ztDest,
const MAC &macSource, const MAC &macSource,
@ -620,24 +623,22 @@ bool Network::filterIncomingPacket(
const unsigned int remoteTagCount = m.getAllTags(_config,remoteTagIds,remoteTagValues,ZT_MAX_NETWORK_TAGS); const unsigned int remoteTagCount = m.getAllTags(_config,remoteTagIds,remoteTagValues,ZT_MAX_NETWORK_TAGS);
switch (_doZtFilter(RR,false,_config,true,sourcePeer->address(),ztDest,macSource,macDest,frameData,frameLen,etherType,vlanId,_config.rules,_config.ruleCount,_config.tags,_config.tagCount,remoteTagIds,remoteTagValues,remoteTagCount)) { switch (_doZtFilter(RR,false,_config,true,sourcePeer->address(),ztDest,macSource,macDest,frameData,frameLen,etherType,vlanId,_config.rules,_config.ruleCount,_config.tags,_config.tagCount,remoteTagIds,remoteTagValues,remoteTagCount)) {
case -1: case -1: return 0;
return false; case 1: return 1;
case 1: case 2: return 2;
return true;
} }
Membership::CapabilityIterator mci(m); Membership::CapabilityIterator mci(m);
const Capability *c; const Capability *c;
while ((c = mci.next(_config))) { while ((c = mci.next(_config))) {
switch(_doZtFilter(RR,false,_config,false,sourcePeer->address(),ztDest,macSource,macDest,frameData,frameLen,etherType,vlanId,c->rules(),c->ruleCount(),_config.tags,_config.tagCount,remoteTagIds,remoteTagValues,remoteTagCount)) { switch(_doZtFilter(RR,false,_config,false,sourcePeer->address(),ztDest,macSource,macDest,frameData,frameLen,etherType,vlanId,c->rules(),c->ruleCount(),_config.tags,_config.tagCount,remoteTagIds,remoteTagValues,remoteTagCount)) {
case -1: case -1: return 0;
return false; case 1: return 1;
case 1: case 2: return 2;
return true;
} }
} }
return false; return 0;
} }
bool Network::subscribedToMulticastGroup(const MulticastGroup &mg,bool includeBridgedGroups) const bool Network::subscribedToMulticastGroup(const MulticastGroup &mg,bool includeBridgedGroups) const

4
node/Network.hpp
View File

@ -124,9 +124,9 @@ public:
* @param frameLen Ethernet frame payload length * @param frameLen Ethernet frame payload length
* @param etherType 16-bit ethernet type ID * @param etherType 16-bit ethernet type ID
* @param vlanId 16-bit VLAN ID * @param vlanId 16-bit VLAN ID
* @return True if packet should be accepted locally * @return 0 == drop, 1 == accept, 2 == accept even if bridged
*/ */
bool filterIncomingPacket( int filterIncomingPacket(
const SharedPtr<Peer> &sourcePeer, const SharedPtr<Peer> &sourcePeer,
const Address &ztDest, const Address &ztDest,
const MAC &macSource, const MAC &macSource,