Commit Graph

329 Commits

Author SHA1 Message Date
Adam Ierymenko
9eaa3756f8 Fix deadlock-causing regression in Network. 2016-09-30 12:22:54 -07:00
Adam Ierymenko
4fe9a4fe83 Fix memory leak. 2016-09-28 16:13:59 -07:00
Adam Ierymenko
9f550292fe Simply network auth logic and always sent error on auth failure even for unknown networks to prevent forensics. 2016-09-27 13:49:43 -07:00
Adam Ierymenko
cc4bacc199 Cleanup, and implement compression disable flag for networks. 2016-09-27 12:22:25 -07:00
Adam Ierymenko
15c07c58b6 Refactored network config chunking to sign every chunk to prevent stupid DOS attack potential, and implement network config fast propagate (though we probably will not use this for a bit). 2016-09-27 11:33:48 -07:00
Adam Ierymenko
eac3667ec1 Bunch more refactoring and work on revocations, etc. 2016-09-26 16:17:02 -07:00
Adam Ierymenko
1f74dd4589 Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00
Adam Ierymenko
d3524f3609 Refactor COM stuff a bit, and respond to COM requests a bit more readily for rapid setup. Will need to revisit later. 2016-09-20 21:21:34 -07:00
Adam Ierymenko
68e549233d Revise bearer token code in controller, and add relay policy as a meta-data item presented to controller by nodes (to facilitate future meshiness). 2016-09-15 13:17:37 -07:00
Adam Ierymenko
15402933bc Add physical MTU recommendation hint to network config via API. 2016-09-14 16:55:25 -07:00
Adam Ierymenko
83abc00aae docs 2016-09-13 14:58:59 -07:00
Adam Ierymenko
ab9afbc749 (1) Public networks now get COMs even though they do not gate with them since they will need them to push auth for multicast stuff, (2) added a bunch of rate limit circuit breakers for anti-DOS, (3) cleanup. 2016-09-09 11:36:10 -07:00
Adam Ierymenko
ef87069957 Fix gating of multicast GATHER replies since these can come from upstream, etc., and fix an issue with sending ECHO to recheck marginal paths. 2016-09-09 09:32:00 -07:00
Adam Ierymenko
0d4109a9f1 More refactoring to clean up code, and add a gate function to make sure we do not handle OK packets we did not expect. This hardens up a few potential edge cases around security, since such messages might be used to e.g. pollute a cache and DOS under certain conditions. 2016-09-09 08:43:58 -07:00
Adam Ierymenko
16df2c3363 Clean up handling of COMs, network access control, and fix a backward compatiblity issue. 2016-09-08 19:48:05 -07:00
Adam Ierymenko
1f6b13b7fd Fix bug causing null addresses to get in memberships[] hash. 2016-09-08 16:09:56 -07:00
Adam Ierymenko
daf8a66ced More correct and efficient to initialize member relationship push stuff lazily when member is learned. 2016-09-07 15:47:20 -07:00
Adam Ierymenko
20278bb9e4 Also send MULTICAST_LIKEs to controllers. 2016-09-07 15:34:34 -07:00
Adam Ierymenko
1908aa55f5 Refactor MULTICAST_LIKE pushing to eliminate redundant and unnecessary pushes and simplify code. 2016-09-07 15:15:52 -07:00
Adam Ierymenko
eebcf08084 Tweaks to new Path code for dual-stack operation, and other fixes. 2016-09-03 15:39:05 -07:00
Adam Ierymenko
22271f2a49 Cleanup. 2016-09-01 13:36:41 -07:00
Adam Ierymenko
8b6d23b9f6 Optimize filter code a bit, and add a network-level setting for what should happen if an unsupported or unknown MATCH is encountered in a rules table. 2016-09-01 12:07:17 -07:00
Adam Ierymenko
25056de5d3 Also need to send credentials when TEEing and REDIRECTing. 2016-08-31 17:56:59 -07:00
Adam Ierymenko
994b25af4e Simplify some logic. 2016-08-31 17:45:55 -07:00
Adam Ierymenko
74afef8eb1 Think through and refine a few things in rules, especially edge case TEE and REDIRECT behavior and semantics. 2016-08-31 16:50:22 -07:00
Adam Ierymenko
54489a7f61 rename SAMENESS to DIFFERENCE which is less confusing 2016-08-31 14:14:58 -07:00
Adam Ierymenko
8e3004591b Add overlooked MATCH_ICMP to rule set. 2016-08-31 14:01:15 -07:00
Adam Ierymenko
cb63babac4 Debug output fixes. 2016-08-29 16:38:10 -07:00
Adam Ierymenko
ac1c127b68 Debug output fixes. 2016-08-29 16:24:08 -07:00
Adam Ierymenko
cb82193333 Debug output fixes. 2016-08-29 16:19:26 -07:00
Adam Ierymenko
f0636ffd4a EXT_FRAME messages should always be accepted if we are the destination for a matching TEE or REDIRECT rule. 2016-08-29 15:54:06 -07:00
Adam Ierymenko
51a420671f Make rules engine debug a bit more verbose. 2016-08-29 15:17:34 -07:00
Adam Ierymenko
7223685b96 . 2016-08-26 15:30:20 -07:00
Adam Ierymenko
e7dff1c785 Change logic a little for self-as-destination in TEE and REDIRECT. 2016-08-26 15:28:31 -07:00
Adam Ierymenko
a5383d83d8 Do not TEE or REDIRECT to self. 2016-08-26 15:25:00 -07:00
Adam Ierymenko
fb5217761b Add missing names in filter debug code. 2016-08-26 13:20:55 -07:00
Adam Ierymenko
90f3e94565 Always output trace info when debugging rules. 2016-08-26 12:21:44 -07:00
Adam Ierymenko
ded5a53a6c Documentation updates, add rules engine revision to network config request meta-data. 2016-08-26 10:38:43 -07:00
Adam Ierymenko
d637988ccf Fix chicken or egg problem in tags, and better filter debug instrumentation. 2016-08-25 18:21:20 -07:00
Adam Ierymenko
b5e0d014ab Controller bug fixes 2016-08-25 16:08:40 -07:00
Adam Ierymenko
5eaf397a94 Add a debug log feature in the filter, which only works if enabled in Network.cpp. 2016-08-25 13:31:23 -07:00
Adam Ierymenko
2cdda38dc4 It basically works... at least on current controllers. 2016-08-24 15:26:18 -07:00
Adam Ierymenko
ccea3d04d6 Push NETWORK_CONFIG_REFRESH on POSTs to /member/... in controller. 2016-08-24 14:28:16 -07:00
Adam Ierymenko
8e3463d47a Add length limit to TEE and REDIRECT, and completely factor out old C json-parser to eliminate a dependency. 2016-08-24 13:37:57 -07:00
Adam Ierymenko
0a7a33ef8f Instantaneous blacklisting and credential revocation. 2016-08-23 13:46:36 -07:00
Adam Ierymenko
68b4ca9b31 Cleanup. 2016-08-23 11:52:10 -07:00
Adam Ierymenko
77f7dcf40a Obsolete "test network" removal. 2016-08-23 09:39:38 -07:00
Adam Ierymenko
9a3c652a51 Get rid of expiration in Capability and Tag and move this to NetworkConfig so it can be set network-wide and reset if needed. Also add NetworkConfig field for this and centralize checking of credential time validity. 2016-08-22 18:06:46 -07:00
Adam Ierymenko
7d906df805 Better instrumentation for filter, and filter bug fixes. 2016-08-10 14:27:52 -07:00
Adam Ierymenko
d166b494ee Rule parse fix. 2016-08-10 13:41:22 -07:00
Adam Ierymenko
c9d7845fea Minor bug fix and some instrumentation stuff for testing. 2016-08-09 17:00:01 -07:00
Adam Ierymenko
e1310a764a More cleanup and removal of cruft due to obsolete network-specific relays (will be replaced with federation stuff). 2016-08-09 15:45:26 -07:00
Adam Ierymenko
4d498b3765 Handling of multi-part chunked network configs on the inbound side. 2016-08-09 13:14:38 -07:00
Adam Ierymenko
2ba9343607 Encode and decode of tags and capabilities in NetworkConfig. 2016-08-09 08:32:42 -07:00
Adam Ierymenko
00fd9c3a15 It builds... almost ready to test some rules engine stuff. 2016-08-08 17:33:26 -07:00
Adam Ierymenko
8007ca56aa Refactor and tie-up of capabilities and tags and packet evaluation points. Some optimization is possible here but it is minor and we will make it work first. 2016-08-08 16:50:00 -07:00
Adam Ierymenko
4d7f625aa1 . 2016-08-05 15:55:38 -07:00
Adam Ierymenko
e2f783ebbd . 2016-08-05 15:02:01 -07:00
Adam Ierymenko
331382cf2f More cleanup and a tiny federation prep item. 2016-08-04 12:14:13 -07:00
Adam Ierymenko
5cf410490e . 2016-08-04 10:18:33 -07:00
Adam Ierymenko
7e6e56e2bc Bunch of work on pushing and replication of tags and capabilities, and protocol cleanup. 2016-08-03 18:04:08 -07:00
Adam Ierymenko
b2d048aa0e Make Dictionary templatable so it can be used where we want a higher capacity. 2016-06-21 07:32:58 -07:00
Adam Ierymenko
e09c1a1c11 Big refactor mostly builds. We now have a uniform backward compatible netconf. 2016-06-16 12:28:43 -07:00
Adam Ierymenko
4446dbde5e Big refactor in service code to prep for plumbing through route management. 2016-06-14 10:09:26 -07:00
Adam Ierymenko
9161eebc68 Carry virtual network routes through to API. 2016-06-07 12:15:19 -07:00
Adam Ierymenko
93b673043c Fix new binary meta-data deserialization and add some debug code (will disable later). 2016-05-16 18:37:37 -07:00
Adam Ierymenko
548730660b Ready to test whole new netconf refactor. 2016-05-11 10:19:14 -07:00
Adam Ierymenko
8b9519f0af Simplify a bunch of NetworkConfig stuff by eliminating accessors, also makes network controller easier to refactor. 2016-05-06 16:13:11 -07:00
Adam Ierymenko
529515d1d1 Changes to how new-style binary network configs are detected, and a new-style binary serialized meta-data representation. 2016-05-06 13:29:10 -07:00
Adam Ierymenko
59eb09d063 Deserialize new style netconf. 2016-04-26 17:20:31 -07:00
Adam Ierymenko
90e1262a8b More refactoring to remove old Dictionary dependencies. 2016-04-26 08:20:03 -07:00
Adam Ierymenko
2f18a92e20 Cleanup in numerous places, reduce network chattiness around MULTICAST_LIKE, and fix a "how was that working" latent bug causing some control traffic to take the scenic route. 2016-04-19 12:09:35 -07:00
Adam Ierymenko
51fecc0be9 Refactor Network for new NetworkConfig. 2016-04-12 12:16:29 -07:00
Adam Ierymenko
6f854c8391 NetworkConfig refactor part 1 2016-04-12 12:11:34 -07:00
Adam Ierymenko
4e4fd51117 boring doc stuff 2016-01-12 14:04:55 -08:00
Adam Ierymenko
3883ac08c7 Docs and cleanup. 2016-01-12 13:17:30 -08:00
Adam Ierymenko
d6f0f1a82a Use network user ptr in lookup for Ethernet frame handling to eliminate map lookup. 2016-01-12 11:34:22 -08:00
Adam Ierymenko
83ef98a9dc Add a network-associated user ptr in API. 2016-01-12 11:04:35 -08:00
Adam Ierymenko
16bc3e0398 Factor out RemotePath subclass of Path -- no longer needed, just cruft. 2015-10-27 15:00:16 -07:00
Adam Ierymenko
35676217e8 Refactor multicast group announcement to work directly or indirectly. 2015-10-23 14:50:07 -07:00
Adam Ierymenko
7d62dbe9f7 Tune NAT-t keepalives so that timing is better obeyed, clean up a build warning, and fix a potential source of network recursion (though harmless). 2015-10-07 11:57:59 -07:00
Adam Ierymenko
57c857e89a Fix TRACE output. 2015-10-06 06:57:00 -07:00
Grant Limberg
c16ad053b6 no toString() method on peer. Commenting out for now. 2015-10-02 19:39:46 -07:00
Adam Ierymenko
d6676a9d6c Always announce multicast groups, not just to peers with direct links, and push network COMs to any MULTICAST_LIKE recipient for future use. 2015-10-01 12:50:19 -07:00
Adam Ierymenko
9405150b11 Restore group announcement on Peer::receive() but centralize packet composition in one place. 2015-10-01 11:37:02 -07:00
Adam Ierymenko
a3db7d0728 Refactor: move network COMs out of Network and into Peer in prep for tightening up multicast lookup and other things. 2015-10-01 11:11:52 -07:00
Adam Ierymenko
f69454ec98 (1) Make ZT_ naming convention consistent (get rid of ZT1_), (2) Make local interface a full sockaddr_storage instead of an int identifier, which turns out to be better for multi-homing and other uses. 2015-09-24 16:21:36 -07:00
Adam Ierymenko
0d386f1c31 Add a bit of useful testing instrumentation to SqliteNetworkController. 2015-09-08 11:35:55 -07:00
Adam Ierymenko
307e44f7c8 Two for one! (std::map removal) 2015-09-04 14:14:32 -07:00
Adam Ierymenko
d1341578d8 ... and another one! 2015-09-04 13:53:48 -07:00
Adam Ierymenko
7b8ce16057 Another std::map<> dies. 2015-09-04 13:42:19 -07:00
Adam Ierymenko
facb009a1d Add security notice to auto-update info in -h output, and fix a missing paren. 2015-07-31 09:50:55 -07:00
Adam Ierymenko
8d09c37140 Remove a bit of redundant logic, and also announce MULTICAST_LIKEs to controllers (for future use). 2015-07-31 09:37:13 -07:00
Adam Ierymenko
3ba54c7e35 Eliminate some poorly thought out optimizations from the netconf/controller interaction,
and go ahead and bump version to 1.0.4.

For a while in 1.0.3 -dev I was trying to optimize out repeated network controller
requests by using a ratcheting mechanism. If the client received a network config
that was indeed different from the one it had, it would respond by instantlly
requesting it again.

Not sure what I was thinking. It's fundamentally unsafe to respond to a message
with another message of the same type -- it risks a race condition. In this case
that's exactly what could happen.

It just isn't worth the added complexity to avoid a tiny, tiny amount of network
overhead, so I've taken this whole path out.

A few extra bytes every two minutes isn't worth fretting about, but as I recall
the reason for this optimization was to save CPU on the controller. This can be
achieved by just caching responses in memory *there* and serving those same
responses back out if they haven't changed.

I think I developed that 'ratcheting' stuff before I went full time on this. It's
hard to develop stuff like this without hours of sustained focus.
2015-07-23 09:50:10 -07:00
Adam Ierymenko
07ea4fd4f9 Fix potential bug in controller config request. 2015-07-07 10:02:48 -07:00
Adam Ierymenko
f398952a6c Revert some bad docs in Packet -- I think we will still use that. Also rename addMembershipCertificate to more security-descriptive validateAndAddMembershipCertificate, give it a return value, and drop unused force parameter. 2015-07-07 08:14:41 -07:00
Adam Ierymenko
dbee1b38b3 Fix semantics of std::unique() to actually remove duplicates (hidden memory leak?) 2015-06-29 10:21:28 -07:00
Kees Bos
8a68624dae Fix cert verification check for self signed signatures 2015-06-26 07:22:13 +02:00
Adam Ierymenko
57c7992c78 GitHub issue #191 - kill intra-network multicast rate limits (which were not well supported or easily configurable anyway) -- this is really left over from the old collaborative multicast propagation algorithm. New algorithm (in for a while) has been sender-side replication in which sender "pays" all bandwidth, which intrinsically limits multicast. 2015-06-26 12:36:45 -07:00
Adam Ierymenko
7bae95836c Root server terminology cleanup, and tighten up a security check by checking full identity of peers instead of just address. 2015-06-19 10:23:25 -07:00
Kees Bos
a425bbc673 Renamed supernode to rootserver 2015-05-06 12:05:20 +02:00
Adam Ierymenko
960ceb4791 Rest of GitHub issue #140 implementation. 2015-06-01 17:50:44 -07:00
Adam Ierymenko
b3b9af0dd8 Fix for GitHub issue #170 2015-06-01 11:56:15 -07:00
Adam Ierymenko
5e3c6d9e0d Some nodeJS work, and apply fix from GitHub issue #166 plus a small optimization to avoid repeated calls to _allMulticastGroups(). 2015-05-25 14:21:05 -07:00
Adam Ierymenko
bdce679d84 Should fix deadlock issue in GitHub issue #166 2015-05-13 16:55:18 -07:00
Adam Ierymenko
f5848972f9 Windows now builds and runs selftest correctly, and fixed a Windows (and possibly other platforms) issue in Phy<>. 2015-04-24 15:05:28 -07:00
Adam Ierymenko
ea1859541c More cleanup, and fix for the extremely unlikely case of identity collision. 2015-04-15 18:32:25 -07:00
Adam Ierymenko
6369c264e2 Rename netconf to controller and NetworkConfigMaster to NetworkController for consistency. 2015-04-15 15:12:09 -07:00
Adam Ierymenko
1c9ca73065 Fix some deadlock issues, move awareness of broadcast subscription into core, other bug fixes. 2015-04-15 13:09:20 -07:00
Adam Ierymenko
67f1f1892f Bunch of tap stuff, IP address assignment hookups, etc. 2015-04-14 17:57:51 -07:00
Adam Ierymenko
347e98dcd2 Just return files from listDirectory() since that is all we need, fix network request on network restore logic, and remember saved networks in service/One 2015-04-14 15:32:05 -07:00
Adam Ierymenko
49d31613b9 Fix some minor issues, now to reintegrate taps. 2015-04-14 15:16:04 -07:00
Adam Ierymenko
4d5a6a25d3 Add events for packet decode errors, etc., and re-implement TRACE as an event. 2015-04-08 16:49:21 -07:00
Adam Ierymenko
bf2ff964e1 Utils::now() removal and a bunch of compile fixes. 2015-04-08 15:26:45 -07:00
Adam Ierymenko
59af674e74 Announce multicast groups on multicast subscribe. 2015-04-07 19:35:16 -07:00
Adam Ierymenko
76ad19f411 Use binary_search for multicast groups, which are kept in sorted order. 2015-04-06 19:41:55 -07:00
Adam Ierymenko
6807ccd710 Don't need to announce on multicast leave. 2015-04-06 18:28:18 -07:00
Adam Ierymenko
51f46a009a Multicast group join/leave and group membership announcement. 2015-04-06 18:27:24 -07:00
Adam Ierymenko
8001b2c0cb Network now calls port config function as per new API. 2015-04-06 16:52:52 -07:00
Adam Ierymenko
a86300c58f Network build fixes and cleanup of remaining internal references to _tap 2015-04-06 15:47:57 -07:00
Adam Ierymenko
5f51653f9c More cleanup. 2015-04-01 19:16:07 -07:00
Adam Ierymenko
0214dbc277 More cleanup. 2015-04-01 19:15:21 -07:00
Adam Ierymenko
1f28ce3980 Tons more refactoring: simplify Network, move explicit management of Tap out, redo COM serialization, etc. 2015-04-01 19:09:18 -07:00
Adam Ierymenko
fe94c9460b Phy is a better name than Wire, and other cleanup. 2015-03-31 11:52:10 -07:00
Adam Ierymenko
93012b0ee5 Re-incorporation: ZeroTier Networks -> ZeroTier, Inc. [Delaware] 2015-02-17 13:11:34 -08:00
Adam Ierymenko
0b84c10ccc Add confirmation step to new netconf, with the caveat that it will be disabled for older netconf servers to avoid race. Also add some comments. 2015-01-09 16:35:20 -05:00
Adam Ierymenko
60fb28a90a Cleanup, new C++ netconf code is almost ready to test! 2015-01-06 17:16:54 -08:00
Adam Ierymenko
b644d2a893 Add timestamp field to network config requests. 2015-01-05 17:51:50 -08:00
Adam Ierymenko
4e95384ad6 Cleanup, add tristate to config code in Network, and happy new year! 2015-01-05 17:47:59 -08:00
Adam Ierymenko
7b6f10e859 Optimization: we don't need to verify signatures on certs if they're certs we already have and have verified. 2014-11-13 12:40:51 -08:00
Adam Ierymenko
95f421024a Code cleanup, and fix some unsafe pointer handling in Network. 2014-10-29 13:57:37 -07:00
Adam Ierymenko
a8bd8fff93 Make several changes to eliminate potential deadlock or recursive lock conditions, and add back rescan of multicast groups on network startup. 2014-10-14 16:38:27 -07:00
Adam Ierymenko
a94b0e6a43 Get rid of rescanMulticastGroups() in Network thread since this can deadlock... the fact that this can happen is probably bad design. 2014-10-14 15:58:03 -07:00
Adam Ierymenko
42d644a57e More fixes to legacy support, and to a potential issue on quit. 2014-10-14 12:37:35 -07:00
Adam Ierymenko
03dc823ad7 (1) Back off a little on default max multicast limit since 128 is pretty bandwidth heavy, (2) add a little to default multicast rate limit since new MC algo is fairerererer, (3) decided not to involve netconf masters in multicast so take that out of list of who gets LIKEs. 2014-10-10 12:55:06 -07:00
Adam Ierymenko
d5e0f7e3e4 Reorg multicast packet, and a whole bunch of refactoring around the pushing of certificates of membership. 2014-10-09 12:42:25 -07:00
Adam Ierymenko
2c8321be1f Pull logic to always send new multicasts to supernode since we need to do that differently, re-add support for active bridges, and remove some gratuitous use of std::set where not needed. 2014-10-04 13:15:02 -07:00
Adam Ierymenko
496109fdcc Announce multicast group changes on network rescanMulticastGroups() 2014-10-03 18:27:42 -07:00
Adam Ierymenko
aad344bb84 Add test network support to Network. 2014-10-03 16:14:34 -07:00
Adam Ierymenko
e53d208ea4 Improve security posture by eliminating non-const data() accessor from Buffer. 2014-10-02 10:06:29 -07:00
Adam Ierymenko
b41437780b Add origin to new MULTICAST_FRAME, move security check for certs into Network to remove redundant code and bug-proneness, more work on IncomingPacket... 2014-09-30 17:26:34 -07:00
Adam Ierymenko
2659427864 Multicaster needs to be global, not per-network, and a bunch of other stuff. 2014-09-30 16:28:25 -07:00
Adam Ierymenko
8607aa7c3c Everything in for new multicast except IncomingPacket parsing... 2014-09-30 08:38:03 -07:00
Adam Ierymenko
2d41055bdc Some Network code cleanup. 2014-09-26 12:23:43 -07:00
Adam Ierymenko
027060dad1 Most of new multicast code builds... now on to packet parsing. 2014-09-25 22:13:31 -07:00
Adam Ierymenko
9e186bbd89 . 2014-09-25 15:57:43 -07:00
Adam Ierymenko
81b12b6826 Rename the ubiquitous _r pointer to RuntimeEnvironment to RR just to be a little more consistent about using _ to denote private member variables. 2014-09-24 13:53:03 -07:00
Adam Ierymenko
9180a30986 . 2014-09-24 09:01:58 -07:00
Adam Ierymenko
61d0f27d2a Make MulticastTopology have its own mutex. 2014-09-23 10:26:30 -07:00
Adam Ierymenko
954f9cbc13 Yet more WIP on mulitcast algo... 2014-09-22 13:18:24 -07:00