Commit Graph

273 Commits

Author SHA1 Message Date
Adam Ierymenko
1f74dd4589 Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00
Adam Ierymenko
d3524f3609 Refactor COM stuff a bit, and respond to COM requests a bit more readily for rapid setup. Will need to revisit later. 2016-09-20 21:21:34 -07:00
Adam Ierymenko
68e549233d Revise bearer token code in controller, and add relay policy as a meta-data item presented to controller by nodes (to facilitate future meshiness). 2016-09-15 13:17:37 -07:00
Adam Ierymenko
15402933bc Add physical MTU recommendation hint to network config via API. 2016-09-14 16:55:25 -07:00
Adam Ierymenko
83abc00aae docs 2016-09-13 14:58:59 -07:00
Adam Ierymenko
ab9afbc749 (1) Public networks now get COMs even though they do not gate with them since they will need them to push auth for multicast stuff, (2) added a bunch of rate limit circuit breakers for anti-DOS, (3) cleanup. 2016-09-09 11:36:10 -07:00
Adam Ierymenko
ef87069957 Fix gating of multicast GATHER replies since these can come from upstream, etc., and fix an issue with sending ECHO to recheck marginal paths. 2016-09-09 09:32:00 -07:00
Adam Ierymenko
0d4109a9f1 More refactoring to clean up code, and add a gate function to make sure we do not handle OK packets we did not expect. This hardens up a few potential edge cases around security, since such messages might be used to e.g. pollute a cache and DOS under certain conditions. 2016-09-09 08:43:58 -07:00
Adam Ierymenko
16df2c3363 Clean up handling of COMs, network access control, and fix a backward compatiblity issue. 2016-09-08 19:48:05 -07:00
Adam Ierymenko
1f6b13b7fd Fix bug causing null addresses to get in memberships[] hash. 2016-09-08 16:09:56 -07:00
Adam Ierymenko
daf8a66ced More correct and efficient to initialize member relationship push stuff lazily when member is learned. 2016-09-07 15:47:20 -07:00
Adam Ierymenko
20278bb9e4 Also send MULTICAST_LIKEs to controllers. 2016-09-07 15:34:34 -07:00
Adam Ierymenko
1908aa55f5 Refactor MULTICAST_LIKE pushing to eliminate redundant and unnecessary pushes and simplify code. 2016-09-07 15:15:52 -07:00
Adam Ierymenko
eebcf08084 Tweaks to new Path code for dual-stack operation, and other fixes. 2016-09-03 15:39:05 -07:00
Adam Ierymenko
22271f2a49 Cleanup. 2016-09-01 13:36:41 -07:00
Adam Ierymenko
8b6d23b9f6 Optimize filter code a bit, and add a network-level setting for what should happen if an unsupported or unknown MATCH is encountered in a rules table. 2016-09-01 12:07:17 -07:00
Adam Ierymenko
25056de5d3 Also need to send credentials when TEEing and REDIRECTing. 2016-08-31 17:56:59 -07:00
Adam Ierymenko
994b25af4e Simplify some logic. 2016-08-31 17:45:55 -07:00
Adam Ierymenko
74afef8eb1 Think through and refine a few things in rules, especially edge case TEE and REDIRECT behavior and semantics. 2016-08-31 16:50:22 -07:00
Adam Ierymenko
54489a7f61 rename SAMENESS to DIFFERENCE which is less confusing 2016-08-31 14:14:58 -07:00
Adam Ierymenko
8e3004591b Add overlooked MATCH_ICMP to rule set. 2016-08-31 14:01:15 -07:00
Adam Ierymenko
cb63babac4 Debug output fixes. 2016-08-29 16:38:10 -07:00
Adam Ierymenko
ac1c127b68 Debug output fixes. 2016-08-29 16:24:08 -07:00
Adam Ierymenko
cb82193333 Debug output fixes. 2016-08-29 16:19:26 -07:00
Adam Ierymenko
f0636ffd4a EXT_FRAME messages should always be accepted if we are the destination for a matching TEE or REDIRECT rule. 2016-08-29 15:54:06 -07:00
Adam Ierymenko
51a420671f Make rules engine debug a bit more verbose. 2016-08-29 15:17:34 -07:00
Adam Ierymenko
7223685b96 . 2016-08-26 15:30:20 -07:00
Adam Ierymenko
e7dff1c785 Change logic a little for self-as-destination in TEE and REDIRECT. 2016-08-26 15:28:31 -07:00
Adam Ierymenko
a5383d83d8 Do not TEE or REDIRECT to self. 2016-08-26 15:25:00 -07:00
Adam Ierymenko
fb5217761b Add missing names in filter debug code. 2016-08-26 13:20:55 -07:00
Adam Ierymenko
90f3e94565 Always output trace info when debugging rules. 2016-08-26 12:21:44 -07:00
Adam Ierymenko
ded5a53a6c Documentation updates, add rules engine revision to network config request meta-data. 2016-08-26 10:38:43 -07:00
Adam Ierymenko
d637988ccf Fix chicken or egg problem in tags, and better filter debug instrumentation. 2016-08-25 18:21:20 -07:00
Adam Ierymenko
b5e0d014ab Controller bug fixes 2016-08-25 16:08:40 -07:00
Adam Ierymenko
5eaf397a94 Add a debug log feature in the filter, which only works if enabled in Network.cpp. 2016-08-25 13:31:23 -07:00
Adam Ierymenko
2cdda38dc4 It basically works... at least on current controllers. 2016-08-24 15:26:18 -07:00
Adam Ierymenko
ccea3d04d6 Push NETWORK_CONFIG_REFRESH on POSTs to /member/... in controller. 2016-08-24 14:28:16 -07:00
Adam Ierymenko
8e3463d47a Add length limit to TEE and REDIRECT, and completely factor out old C json-parser to eliminate a dependency. 2016-08-24 13:37:57 -07:00
Adam Ierymenko
0a7a33ef8f Instantaneous blacklisting and credential revocation. 2016-08-23 13:46:36 -07:00
Adam Ierymenko
68b4ca9b31 Cleanup. 2016-08-23 11:52:10 -07:00
Adam Ierymenko
77f7dcf40a Obsolete "test network" removal. 2016-08-23 09:39:38 -07:00
Adam Ierymenko
9a3c652a51 Get rid of expiration in Capability and Tag and move this to NetworkConfig so it can be set network-wide and reset if needed. Also add NetworkConfig field for this and centralize checking of credential time validity. 2016-08-22 18:06:46 -07:00
Adam Ierymenko
7d906df805 Better instrumentation for filter, and filter bug fixes. 2016-08-10 14:27:52 -07:00
Adam Ierymenko
d166b494ee Rule parse fix. 2016-08-10 13:41:22 -07:00
Adam Ierymenko
c9d7845fea Minor bug fix and some instrumentation stuff for testing. 2016-08-09 17:00:01 -07:00
Adam Ierymenko
e1310a764a More cleanup and removal of cruft due to obsolete network-specific relays (will be replaced with federation stuff). 2016-08-09 15:45:26 -07:00
Adam Ierymenko
4d498b3765 Handling of multi-part chunked network configs on the inbound side. 2016-08-09 13:14:38 -07:00
Adam Ierymenko
2ba9343607 Encode and decode of tags and capabilities in NetworkConfig. 2016-08-09 08:32:42 -07:00
Adam Ierymenko
00fd9c3a15 It builds... almost ready to test some rules engine stuff. 2016-08-08 17:33:26 -07:00
Adam Ierymenko
8007ca56aa Refactor and tie-up of capabilities and tags and packet evaluation points. Some optimization is possible here but it is minor and we will make it work first. 2016-08-08 16:50:00 -07:00
Adam Ierymenko
4d7f625aa1 . 2016-08-05 15:55:38 -07:00
Adam Ierymenko
e2f783ebbd . 2016-08-05 15:02:01 -07:00
Adam Ierymenko
331382cf2f More cleanup and a tiny federation prep item. 2016-08-04 12:14:13 -07:00
Adam Ierymenko
5cf410490e . 2016-08-04 10:18:33 -07:00
Adam Ierymenko
7e6e56e2bc Bunch of work on pushing and replication of tags and capabilities, and protocol cleanup. 2016-08-03 18:04:08 -07:00
Adam Ierymenko
b2d048aa0e Make Dictionary templatable so it can be used where we want a higher capacity. 2016-06-21 07:32:58 -07:00
Adam Ierymenko
e09c1a1c11 Big refactor mostly builds. We now have a uniform backward compatible netconf. 2016-06-16 12:28:43 -07:00
Adam Ierymenko
4446dbde5e Big refactor in service code to prep for plumbing through route management. 2016-06-14 10:09:26 -07:00
Adam Ierymenko
9161eebc68 Carry virtual network routes through to API. 2016-06-07 12:15:19 -07:00
Adam Ierymenko
93b673043c Fix new binary meta-data deserialization and add some debug code (will disable later). 2016-05-16 18:37:37 -07:00
Adam Ierymenko
548730660b Ready to test whole new netconf refactor. 2016-05-11 10:19:14 -07:00
Adam Ierymenko
8b9519f0af Simplify a bunch of NetworkConfig stuff by eliminating accessors, also makes network controller easier to refactor. 2016-05-06 16:13:11 -07:00
Adam Ierymenko
529515d1d1 Changes to how new-style binary network configs are detected, and a new-style binary serialized meta-data representation. 2016-05-06 13:29:10 -07:00
Adam Ierymenko
59eb09d063 Deserialize new style netconf. 2016-04-26 17:20:31 -07:00
Adam Ierymenko
90e1262a8b More refactoring to remove old Dictionary dependencies. 2016-04-26 08:20:03 -07:00
Adam Ierymenko
2f18a92e20 Cleanup in numerous places, reduce network chattiness around MULTICAST_LIKE, and fix a "how was that working" latent bug causing some control traffic to take the scenic route. 2016-04-19 12:09:35 -07:00
Adam Ierymenko
51fecc0be9 Refactor Network for new NetworkConfig. 2016-04-12 12:16:29 -07:00
Adam Ierymenko
6f854c8391 NetworkConfig refactor part 1 2016-04-12 12:11:34 -07:00
Adam Ierymenko
4e4fd51117 boring doc stuff 2016-01-12 14:04:55 -08:00
Adam Ierymenko
3883ac08c7 Docs and cleanup. 2016-01-12 13:17:30 -08:00
Adam Ierymenko
d6f0f1a82a Use network user ptr in lookup for Ethernet frame handling to eliminate map lookup. 2016-01-12 11:34:22 -08:00
Adam Ierymenko
83ef98a9dc Add a network-associated user ptr in API. 2016-01-12 11:04:35 -08:00
Adam Ierymenko
16bc3e0398 Factor out RemotePath subclass of Path -- no longer needed, just cruft. 2015-10-27 15:00:16 -07:00
Adam Ierymenko
35676217e8 Refactor multicast group announcement to work directly or indirectly. 2015-10-23 14:50:07 -07:00
Adam Ierymenko
7d62dbe9f7 Tune NAT-t keepalives so that timing is better obeyed, clean up a build warning, and fix a potential source of network recursion (though harmless). 2015-10-07 11:57:59 -07:00
Adam Ierymenko
57c857e89a Fix TRACE output. 2015-10-06 06:57:00 -07:00
Grant Limberg
c16ad053b6 no toString() method on peer. Commenting out for now. 2015-10-02 19:39:46 -07:00
Adam Ierymenko
d6676a9d6c Always announce multicast groups, not just to peers with direct links, and push network COMs to any MULTICAST_LIKE recipient for future use. 2015-10-01 12:50:19 -07:00
Adam Ierymenko
9405150b11 Restore group announcement on Peer::receive() but centralize packet composition in one place. 2015-10-01 11:37:02 -07:00
Adam Ierymenko
a3db7d0728 Refactor: move network COMs out of Network and into Peer in prep for tightening up multicast lookup and other things. 2015-10-01 11:11:52 -07:00
Adam Ierymenko
f69454ec98 (1) Make ZT_ naming convention consistent (get rid of ZT1_), (2) Make local interface a full sockaddr_storage instead of an int identifier, which turns out to be better for multi-homing and other uses. 2015-09-24 16:21:36 -07:00
Adam Ierymenko
0d386f1c31 Add a bit of useful testing instrumentation to SqliteNetworkController. 2015-09-08 11:35:55 -07:00
Adam Ierymenko
307e44f7c8 Two for one! (std::map removal) 2015-09-04 14:14:32 -07:00
Adam Ierymenko
d1341578d8 ... and another one! 2015-09-04 13:53:48 -07:00
Adam Ierymenko
7b8ce16057 Another std::map<> dies. 2015-09-04 13:42:19 -07:00
Adam Ierymenko
facb009a1d Add security notice to auto-update info in -h output, and fix a missing paren. 2015-07-31 09:50:55 -07:00
Adam Ierymenko
8d09c37140 Remove a bit of redundant logic, and also announce MULTICAST_LIKEs to controllers (for future use). 2015-07-31 09:37:13 -07:00
Adam Ierymenko
3ba54c7e35 Eliminate some poorly thought out optimizations from the netconf/controller interaction,
and go ahead and bump version to 1.0.4.

For a while in 1.0.3 -dev I was trying to optimize out repeated network controller
requests by using a ratcheting mechanism. If the client received a network config
that was indeed different from the one it had, it would respond by instantlly
requesting it again.

Not sure what I was thinking. It's fundamentally unsafe to respond to a message
with another message of the same type -- it risks a race condition. In this case
that's exactly what could happen.

It just isn't worth the added complexity to avoid a tiny, tiny amount of network
overhead, so I've taken this whole path out.

A few extra bytes every two minutes isn't worth fretting about, but as I recall
the reason for this optimization was to save CPU on the controller. This can be
achieved by just caching responses in memory *there* and serving those same
responses back out if they haven't changed.

I think I developed that 'ratcheting' stuff before I went full time on this. It's
hard to develop stuff like this without hours of sustained focus.
2015-07-23 09:50:10 -07:00
Adam Ierymenko
07ea4fd4f9 Fix potential bug in controller config request. 2015-07-07 10:02:48 -07:00
Adam Ierymenko
f398952a6c Revert some bad docs in Packet -- I think we will still use that. Also rename addMembershipCertificate to more security-descriptive validateAndAddMembershipCertificate, give it a return value, and drop unused force parameter. 2015-07-07 08:14:41 -07:00
Adam Ierymenko
dbee1b38b3 Fix semantics of std::unique() to actually remove duplicates (hidden memory leak?) 2015-06-29 10:21:28 -07:00
Kees Bos
8a68624dae Fix cert verification check for self signed signatures 2015-06-26 07:22:13 +02:00
Adam Ierymenko
57c7992c78 GitHub issue #191 - kill intra-network multicast rate limits (which were not well supported or easily configurable anyway) -- this is really left over from the old collaborative multicast propagation algorithm. New algorithm (in for a while) has been sender-side replication in which sender "pays" all bandwidth, which intrinsically limits multicast. 2015-06-26 12:36:45 -07:00
Adam Ierymenko
7bae95836c Root server terminology cleanup, and tighten up a security check by checking full identity of peers instead of just address. 2015-06-19 10:23:25 -07:00
Kees Bos
a425bbc673 Renamed supernode to rootserver 2015-05-06 12:05:20 +02:00
Adam Ierymenko
960ceb4791 Rest of GitHub issue #140 implementation. 2015-06-01 17:50:44 -07:00
Adam Ierymenko
b3b9af0dd8 Fix for GitHub issue #170 2015-06-01 11:56:15 -07:00
Adam Ierymenko
5e3c6d9e0d Some nodeJS work, and apply fix from GitHub issue #166 plus a small optimization to avoid repeated calls to _allMulticastGroups(). 2015-05-25 14:21:05 -07:00
Adam Ierymenko
bdce679d84 Should fix deadlock issue in GitHub issue #166 2015-05-13 16:55:18 -07:00
Adam Ierymenko
f5848972f9 Windows now builds and runs selftest correctly, and fixed a Windows (and possibly other platforms) issue in Phy<>. 2015-04-24 15:05:28 -07:00