Commit Graph

292 Commits

Author SHA1 Message Date
Adam Ierymenko
ab9afbc749 (1) Public networks now get COMs even though they do not gate with them since they will need them to push auth for multicast stuff, (2) added a bunch of rate limit circuit breakers for anti-DOS, (3) cleanup. 2016-09-09 11:36:10 -07:00
Adam Ierymenko
0d4109a9f1 More refactoring to clean up code, and add a gate function to make sure we do not handle OK packets we did not expect. This hardens up a few potential edge cases around security, since such messages might be used to e.g. pollute a cache and DOS under certain conditions. 2016-09-09 08:43:58 -07:00
Adam Ierymenko
c9ee8612e4 Credential TTL (tags/capabilities) should be credential time max delta, since we could get pushed one that is newer. 2016-09-07 12:12:52 -07:00
Adam Ierymenko
74afef8eb1 Think through and refine a few things in rules, especially edge case TEE and REDIRECT behavior and semantics. 2016-08-31 16:50:22 -07:00
Adam Ierymenko
54489a7f61 rename SAMENESS to DIFFERENCE which is less confusing 2016-08-31 14:14:58 -07:00
Adam Ierymenko
8e3004591b Add overlooked MATCH_ICMP to rule set. 2016-08-31 14:01:15 -07:00
Adam Ierymenko
7a00036954 Tweak log length to fit JSON for members within two 4096-kb blocks. 2016-08-29 18:10:02 -07:00
Adam Ierymenko
914c42537c Type fixes. 2016-08-29 17:48:36 -07:00
Adam Ierymenko
77c2bf3ad9 Kill dead field from network JSON. 2016-08-29 14:47:19 -07:00
Adam Ierymenko
297b1b4258 Another tiny API bug fix. 2016-08-26 14:16:55 -07:00
Adam Ierymenko
35ac995d05 Fix setting of v6AssignMode in controller. 2016-08-26 14:04:27 -07:00
Adam Ierymenko
ded5a53a6c Documentation updates, add rules engine revision to network config request meta-data. 2016-08-26 10:38:43 -07:00
Adam Ierymenko
d637988ccf Fix chicken or egg problem in tags, and better filter debug instrumentation. 2016-08-25 18:21:20 -07:00
Adam Ierymenko
858e8c5217 one more... 2016-08-25 16:28:54 -07:00
Adam Ierymenko
df1ce856c9 A little bit more controller code cleanup. 2016-08-25 16:25:28 -07:00
Adam Ierymenko
b5e0d014ab Controller bug fixes 2016-08-25 16:08:40 -07:00
Adam Ierymenko
5eaf397a94 Add a debug log feature in the filter, which only works if enabled in Network.cpp. 2016-08-25 13:31:23 -07:00
Adam Ierymenko
1814016eb7 Add daemon thread to controller and move network member cache refreshes there. 2016-08-25 11:26:45 -07:00
Adam Ierymenko
6ecb42b031 docs and null check in controller code 2016-08-25 10:46:03 -07:00
Adam Ierymenko
60bc291414 Add noAutoAssignIps for member of networks. 2016-08-24 17:05:43 -07:00
Adam Ierymenko
ccea3d04d6 Push NETWORK_CONFIG_REFRESH on POSTs to /member/... in controller. 2016-08-24 14:28:16 -07:00
Adam Ierymenko
8e3463d47a Add length limit to TEE and REDIRECT, and completely factor out old C json-parser to eliminate a dependency. 2016-08-24 13:37:57 -07:00
Adam Ierymenko
8d594f8b53 cleanup 2016-08-23 16:05:10 -07:00
Adam Ierymenko
5f4df0c6a9 Controller cleanup and perf improvements. 2016-08-23 15:30:36 -07:00
Adam Ierymenko
32fa061700 Compute credential TTL et al. 2016-08-23 13:02:59 -07:00
Adam Ierymenko
9a3c652a51 Get rid of expiration in Capability and Tag and move this to NetworkConfig so it can be set network-wide and reset if needed. Also add NetworkConfig field for this and centralize checking of credential time validity. 2016-08-22 18:06:46 -07:00
Adam Ierymenko
b0d888d235 Signing of Capability and Tag objects. 2016-08-22 14:25:59 -07:00
Adam Ierymenko
4dce71879f . 2016-08-18 18:18:50 -07:00
Adam Ierymenko
212a5af9a5 Capabilities and tags in POST JSON. 2016-08-18 14:37:56 -07:00
Adam Ierymenko
1cadbfb4d1 Little fixes. 2016-08-18 13:47:02 -07:00
Adam Ierymenko
f119c4a456 Cache network members for performance, add network non-persisted fields. 2016-08-18 12:59:48 -07:00
Adam Ierymenko
faa9a06bf5 Controller fixes... 2016-08-17 17:37:37 -07:00
Adam Ierymenko
b7ebf6edbf Cleanup and log how member was authorized. 2016-08-17 13:54:32 -07:00
Adam Ierymenko
b72847d504 Finally implement network join auth tokens, at least at the protocol level. 2016-08-17 13:41:45 -07:00
Adam Ierymenko
168b86fdcd Controller docs and API fix. 2016-08-17 12:27:07 -07:00
Adam Ierymenko
a13f4d8353 We now always build the controller in ZeroTier One, at least for desktop and server targets. Also means that ZeroTier One now requires C++11. (Still keeping C++11 out of the core in node/ though.) 2016-08-17 10:42:32 -07:00
Adam Ierymenko
cc808cc2dd Rules parsing stuff. 2016-08-17 10:25:25 -07:00
Adam Ierymenko
ce001198d8 . 2016-08-16 16:57:45 -07:00
Adam Ierymenko
c0639ccd37 Just about ready to test. 2016-08-16 16:46:08 -07:00
Adam Ierymenko
58701c1ca8 . 2016-08-16 14:08:08 -07:00
Adam Ierymenko
b08ca49580 More controller work -- it builds! 2016-08-16 14:05:17 -07:00
Adam Ierymenko
bd15262e54 Bunch of rule JSON stuff. 2016-08-15 18:49:50 -07:00
Adam Ierymenko
3cb2e1197f . 2016-08-12 15:32:45 -07:00
Adam Ierymenko
c30f74987f Starting refactor of controller... 2016-08-12 11:30:27 -07:00
Adam Ierymenko
22e44c762b More rules engine work: key/value pair matching for microsegmentation. 2016-07-28 10:58:10 -07:00
Adam Ierymenko
0e2964261f docs 2016-07-08 13:42:04 -07:00
Adam Ierymenko
ffe7d8d024 docs 2016-07-08 13:40:21 -07:00
Adam Ierymenko
c01ebbcbde docs 2016-07-08 13:38:47 -07:00
Adam Ierymenko
a6e5914aa7 docs 2016-07-08 13:37:51 -07:00
Adam Ierymenko
6d8de214eb Docs and controller API version 2016-07-08 13:10:02 -07:00
Adam Ierymenko
2d7c58540f v6AssignMode bug fix 2016-07-07 17:05:12 -07:00
Adam Ierymenko
951038a304 Ignore /bits in IP assignments and just copy it from the corresponding LAN-local route. Having each managed IP assignment have its own bits field was just a source of user error and poor UX and was completely worthless. 2016-07-07 16:28:43 -07:00
Adam Ierymenko
b9329dc49a Fix to IPv6 picking for small ranges. 2016-07-07 15:55:40 -07:00
Adam Ierymenko
6e08e1ae97 A few controller changes: (1) assign managed IPs that are assigned regardless of "assign mode" which now only controls auto-assignment or special addressing, (2) support proper issuing of managed IPv6 IPs, (3) support IPv6 auto-assign ranges 2016-07-07 15:42:10 -07:00
Adam Ierymenko
dd1d2b4d00 GitHub issue #343 -- fix authorizedMemberCount 2016-07-07 14:49:54 -07:00
Adam Ierymenko
030dfde38e Unused printf removal while we are at it. 2016-06-29 18:14:49 -07:00
Adam Ierymenko
bb63646682 Fix broken SQL in controller. 2016-06-29 11:37:28 -07:00
Adam Ierymenko
d9eacd1616 Controller fixes... 2016-06-29 17:02:03 +00:00
Adam Ierymenko
0410fd4824 Refactor recent member request history to fix performance problem in controller. 2016-06-28 12:44:47 -07:00
Adam Ierymenko
12037961ff small perf improvement in sqlite db. 2016-06-27 18:48:02 -07:00
Adam Ierymenko
8c572dead1 Query optimization. 2016-06-27 18:28:18 -07:00
Adam Ierymenko
3ddfebe742 dead code removal 2016-06-27 17:15:39 -07:00
Adam Ierymenko
972bbb7e06 Allow further concurrency on network controller. 2016-06-27 17:14:47 -07:00
Adam Ierymenko
3740b83f63 Don't back up sqlite db if it hasn't changed to prevent constant thrashing on inactive controllers. 2016-06-24 06:53:23 -07:00
Adam Ierymenko
90cdef8400 Forgot NDP emulation flag. 2016-06-24 06:43:23 -07:00
Adam Ierymenko
ee649ae69a Add 6plane assignment support to network controller, and cleanup. 2016-06-24 06:40:50 -07:00
Adam Ierymenko
20d155e630 . 2016-06-24 05:21:25 -07:00
Adam Ierymenko
b2d048aa0e Make Dictionary templatable so it can be used where we want a higher capacity. 2016-06-21 07:32:58 -07:00
Adam Ierymenko
37afa876a7 Linux bug fixes, small controller fix. 2016-06-17 00:21:58 +00:00
Adam Ierymenko
20d4dada40 Refactor controller for new merged format. 2016-06-16 16:05:57 -07:00
Adam Ierymenko
769351b30f Fix to routes config in controller API. 2016-06-13 15:58:00 -07:00
Adam Ierymenko
734cbb2f1e Controller modifications for default route are ready to test. Will require slight changes in ZeroTier Central when it goes live. 2016-06-10 15:58:35 -07:00
Adam Ierymenko
acbe8ad398 More controller work, and some RedHat fixes. 2016-06-10 08:26:27 -07:00
Adam Ierymenko
9898066b47 Remove some deprecated stuff in controller -- not done yet. 2016-06-09 11:02:42 -07:00
Adam Ierymenko
7e68791bee Fix include for system json-parser. 2016-06-08 12:57:22 -07:00
Adam Ierymenko
683254a0db Don't bother signing if we are not using the legacy netconf. 2016-06-07 11:17:38 -07:00
Adam Ierymenko
2885aea65c Only send new format netconf for PV>=6 2016-06-07 11:13:18 -07:00
Adam Ierymenko
7ee3743c3d Refactor controller to send both old and new format netconf. 2016-05-11 08:49:15 -07:00
Adam Ierymenko
8b9519f0af Simplify a bunch of NetworkConfig stuff by eliminating accessors, also makes network controller easier to refactor. 2016-05-06 16:13:11 -07:00
Adam Ierymenko
2b3e1d5c10 Ignore IP assignment pool ranges that begin with 0.0.0.0 or that contain no IPs. 2016-03-24 13:34:01 -07:00
Adam Ierymenko
2c328d61ad Do not auto-assign IP addresses on bridges. IPs can still be assigned manually. 2016-03-24 13:32:01 -07:00
Adam Ierymenko
9f31cbd8b8 Make /network/???/active return more info. 2016-03-17 13:05:51 -07:00
Adam Ierymenko
9b59bcd995 Clean controller circuit test memory. 2016-02-22 15:48:27 -08:00
Adam Ierymenko
69a438d64d Small tweak to active threshold. 2016-02-19 09:10:31 -08:00
Adam Ierymenko
10bb9919f1 Tweak certificate of membership revision/time tolerance to eliminate boundary packet loss issues occasionally seen in the wild. 2016-02-10 09:32:42 -08:00
Adam Ierymenko
69b1da2e1d return 200 instead of 404 when test is fetched 2016-02-04 16:27:25 -08:00
Adam Ierymenko
dc3d899e70 Return test ID when we post a test. 2016-02-04 16:09:26 -08:00
Adam Ierymenko
78c1d9006a flood protection fix 2016-02-04 14:39:43 -08:00
Adam Ierymenko
5dad73647d Lengthen backup period again 2016-02-04 14:22:54 -08:00
Adam Ierymenko
13b39a0c3e SQLite perf tuning 2016-02-04 14:03:37 -08:00
Adam Ierymenko
90801a94d3 Track client version and tell whether active nodes support circuit test. 2016-02-04 13:38:42 -08:00
Adam Ierymenko
fab6f4450d /active subpath off networks 2016-02-04 12:17:55 -08:00
Adam Ierymenko
2e04dc03f2 Logging to NodeHistory, SQL queries. 2016-02-03 18:10:56 -08:00
Adam Ierymenko
f8eb6b0067 Add NodeHistory table on sqlite controller. 2016-02-03 13:56:35 -08:00
Adam Ierymenko
9cb4bbe2b8 Save test results for circuit tests in memory and then cancel the test and send the results when the test is queried later. This way you can POST a test and then come GET the result at the appointed time. 2016-01-26 12:42:44 -08:00
Ren Jie
21656ba015 Update controller README.md
Sync make parameter with code.
2016-01-12 22:51:08 +08:00
Adam Ierymenko
436c1fac1d Selectively move over changes from "edge" to "dev" excluding netcon. 2015-12-21 16:15:39 -08:00
Adam Ierymenko
523412edfb Abort backup in progress if thread is told to shut down. 2015-11-03 16:03:00 -08:00
Adam Ierymenko
f7a407ffa0 Tweak timings and use lock in backup to make it a bit faster and still permit main thread to work. 2015-11-03 15:56:24 -08:00
Adam Ierymenko
7903f24a8f Create periodic backup copies of controller.db in network controller from the main process itself to facilitate easier and safer backups of controller.db. 2015-11-03 15:52:10 -08:00
Adam Ierymenko
eff1fe3c61 Create files for each hop (more convenient) and fix a packet parse bug. 2015-10-09 16:22:34 -07:00
Adam Ierymenko
7d01fab132 Reorg fields to be in same order as FS scheme. 2015-10-09 15:18:01 -07:00
Adam Ierymenko
aec13b50fd Be a bit more verbose in circuit test reports to more clearly track current and upstream hop in graph traversal history. 2015-10-09 15:05:26 -07:00
Adam Ierymenko
a95fa379cc Circuit tests basically work but need some tweaks, and fix some issues found with valgrind. 2015-10-09 14:51:38 -07:00
Adam Ierymenko
6b5bb0b278 Eliminate format string warnings. 2015-10-09 12:22:13 -07:00
Adam Ierymenko
59da8b2a4b Logging of circuit test results to disk. 2015-10-08 15:44:06 -07:00
Adam Ierymenko
a3876353ca Abiltiy to post a test via the controller web API, and parsing of CIRCUIT_TEST_REPORT messages. 2015-10-08 13:25:38 -07:00
Adam Ierymenko
7394ec6f6a Prep in controller code to run tests. 2015-10-06 15:56:18 -07:00
Adam Ierymenko
a7bd1eaa40 Never assign v4 IPs ending in .255 even within range. 2015-09-28 15:28:30 -07:00
Adam Ierymenko
ddf3d1f949 Controller side support for IPv6 assignment. 2015-09-18 13:35:00 -07:00
Adam Ierymenko
610ab0750c Drop Sqlite-based Log table for now and switch to an in-memory log for recent activity. Log table gets too big on busy nodes. Should probably support push of events to some kind of event system later. 2015-09-15 10:59:23 -07:00
Adam Ierymenko
ef316ced3b Fix JSON. 2015-09-14 11:59:43 -07:00
Adam Ierymenko
cd005341c5 Extra statement to clean up Members -- cascade did not seem to work, possibly due to dual key. 2015-09-11 15:02:26 -07:00
Adam Ierymenko
a35fa7ac93 Add expansion of netconf in _test field. 2015-09-10 15:14:10 -07:00
Adam Ierymenko
bebe3d7cfa Fix deadlock in test mode. 2015-09-10 14:47:04 -07:00
Adam Ierymenko
1f7a41cff8 Fix to allowing identity to be populated if not present. 2015-09-10 14:37:34 -07:00
Adam Ierymenko
4fbcad2468 Allow identity to be populated for newly inserted Member objects to permit transfer from old network controller and testing. 2015-09-08 13:02:42 -07:00
Adam Ierymenko
0d386f1c31 Add a bit of useful testing instrumentation to SqliteNetworkController. 2015-09-08 11:35:55 -07:00
Adam Ierymenko
2aa1b5d9b7 Add clock helper field to both member and network to permit time duration calculation easily. 2015-08-24 12:44:07 -07:00
Adam Ierymenko
9a5be0a092 typo 2015-08-24 11:24:33 -07:00
Adam Ierymenko
4da794b389 Add authorizedMemberCount to controller network config records. 2015-08-19 11:43:56 -07:00
Adam Ierymenko
0a5429cab0 Lookup of member must be a left outer join in case the member is being manually inserted before we see the node. 2015-08-17 21:08:02 +00:00
Adam Ierymenko
fcc5bf1e66 Go ahead and spec out controller DB support for AuthToken -- GitHub issue #211 -- even though full implementation won't make it into 1.0.4. 2015-07-29 15:09:23 -07:00
Adam Ierymenko
d57ea671d7 Add version to log. 2015-07-24 09:59:17 -07:00
Adam Ierymenko
d647a587a1 (1) Fix updating of network revision counter on member change.
(2) Go back to timestamp as certificate revision number. This is simpler
    and more robust than using the network revision number for this and
    forcing network revision fast-forward, which could cause some peers
    to fall off the horizon when you don't want them to.
2015-07-23 17:18:20 -07:00
Adam Ierymenko
b3516c599b Add a rate limiting circuit breaker to the network controller to prevent flooding attacks and race conditions. 2015-07-23 10:10:17 -07:00
Adam Ierymenko
3ba54c7e35 Eliminate some poorly thought out optimizations from the netconf/controller interaction,
and go ahead and bump version to 1.0.4.

For a while in 1.0.3 -dev I was trying to optimize out repeated network controller
requests by using a ratcheting mechanism. If the client received a network config
that was indeed different from the one it had, it would respond by instantlly
requesting it again.

Not sure what I was thinking. It's fundamentally unsafe to respond to a message
with another message of the same type -- it risks a race condition. In this case
that's exactly what could happen.

It just isn't worth the added complexity to avoid a tiny, tiny amount of network
overhead, so I've taken this whole path out.

A few extra bytes every two minutes isn't worth fretting about, but as I recall
the reason for this optimization was to save CPU on the controller. This can be
achieved by just caching responses in memory *there* and serving those same
responses back out if they haven't changed.

I think I developed that 'ratcheting' stuff before I went full time on this. It's
hard to develop stuff like this without hours of sustained focus.
2015-07-23 09:50:10 -07:00
Adam Ierymenko
e2a2993b18 Add a Log table to log queries for debugging and security logging. No JSON API support for querying the log yet, but will probably come via /network/###/member/###/log/... or something. 2015-07-22 14:01:49 -07:00
Kees Bos
53c7f61f98 Fix for output of empty (no members) network 2015-07-05 13:27:27 +02:00
Adam Ierymenko
7c761dea72 Fix to member listing: I wanted an object with member IDs as keys and member revisions as values, not an array. 2015-07-21 14:12:22 -07:00
Adam Ierymenko
3f8a5b8b76 List members in the form of a hash of member ID and member revision so code can quickly detect which members have changed. 2015-07-21 13:38:59 -07:00
Adam Ierymenko
a061aa3d87 Remove "members" from Network record and instead enumerate members via specific query to /network/nwid/member sub-path. More RESTful, scalable, and compatible with how OnePoint code works. 2015-07-21 12:57:01 -07:00
Adam Ierymenko
b343eac10d Fix IP auto-assign bug due to missing subnet routes. 2015-07-21 12:42:43 -07:00
Adam Ierymenko
649a12472b Report controllerInstanceId in all objects so that controller resets can be easily detected by whatever is using the service. 2015-07-21 10:39:29 -07:00
Adam Ierymenko
cac6be87ba Fix bug in rules JSON output. 2015-07-20 16:31:37 -07:00
Adam Ierymenko
38d34a7495 Proper handling of NULL entry for etherType in rules table. 2015-07-20 15:11:53 -07:00
Adam Ierymenko
fb4c3dd8d4 Fix string overwrite bug. 2015-07-20 14:31:33 -07:00
Adam Ierymenko
1ffd67e014 Get rid of false foreign key in Relay. 2015-07-20 14:28:30 -07:00
Adam Ierymenko
bca8886ff8 IP assignment pool range bug fix. 2015-07-17 15:09:28 -07:00
Adam Ierymenko
1f7bb67069 Fix some SQL and make instanceId more robustly random. 2015-07-17 13:09:53 -07:00
Adam Ierymenko
712e2785f2 Fix bad JSON in response. 2015-07-17 12:24:42 -07:00
Adam Ierymenko
5515909c1e Add a concept of an "instanceId" to the controller, which the OnePoint can use to determine whether it is the same running database instance it already knows. 2015-07-17 10:47:21 -07:00
Adam Ierymenko
0db7c94c90 Add memberRevision stuff to JSON output, and update docs. 2015-07-16 17:42:47 -07:00
Adam Ierymenko
99969b186b Add a concept of a member revision counter to networks. This can be used to select all members that have been added or changed since a given point. 2015-07-16 17:34:03 -07:00
Adam Ierymenko
f9f7de0ec7 Networks don't need their ID as a default name. 2015-07-14 15:54:56 -07:00
Adam Ierymenko
d27c14af48 Don't allow zero as a network number. 2015-07-14 12:32:57 -07:00
Adam Ierymenko
30e4a188d0 ipLocalRoutes now exposed via network objects in JSON controller API, and documentation changes. 2015-06-29 15:34:26 -07:00
Adam Ierymenko
5c9411a671 Untested -- modifications to support IP ranges instead of ip/mask for IP assignment pools, also add portId to Rule for future use. 2015-06-29 14:52:09 -07:00
Adam Ierymenko
48a2ad032a (1) Both nodeId and portId in Rule can be NULL, (2) remove on delete cascade since rules should never mysteriously disappear from the rules table. If it let you delete a node with rules, that would be a UI or cleanup function bug. 2015-06-29 10:47:47 -07:00
Adam Ierymenko
f05e62deae DB schema changes: separate portId in rules, ranges in IP assignment pools. (No code changes yet so code is broken.) 2015-06-29 10:40:31 -07:00