Commit Graph

298 Commits

Author SHA1 Message Date
Adam Ierymenko
78d548458b Capabilities basically work but need to refactor a bit for performance reasons. 2017-02-06 16:38:48 -08:00
Adam Ierymenko
9ddc2a4331 Add a break action to rules engine to make capabilities easier to use. 2017-02-06 14:00:49 -08:00
Adam Ierymenko
5dbebc513a Minor send path refactor to make packet I/O work on clusters if they are members of networks. Also fix a crash if compiled in cluster mode but no cluster is enabled. 2017-02-01 12:00:25 -08:00
Adam Ierymenko
ed31cb76d6 Fix to cluster network configs. 2017-01-30 16:04:05 -08:00
Adam Ierymenko
0b3b994241 Relay policy can now be computed. 2017-01-27 14:05:09 -08:00
Adam Ierymenko
c8554504f3 . 2016-12-22 18:37:46 -08:00
Adam Ierymenko
6b12d86209 Add a workaround for an edge case in TEE/REDIRECT if we are the inbound destination and teeing is only being done on the outbound side. 2016-12-22 18:06:35 -08:00
Adam Ierymenko
fe530548bb Fix MATCH_RANDOM in controller. 2016-12-22 16:57:45 -08:00
Adam Ierymenko
2eaff6d484 Fix to characteristcs in rules engine. 2016-12-22 16:36:38 -08:00
Adam Ierymenko
226123ca08 Refactor controller to permit sending of pushes as well as just replies to config requests. 2016-11-10 11:54:47 -08:00
Adam Ierymenko
27d997a2e5 . 2016-10-13 15:17:17 -07:00
Adam Ierymenko
6469aa9df9 typo 2016-10-13 14:28:39 -07:00
Adam Ierymenko
ce6b5bc6f5 . 2016-10-13 14:21:24 -07:00
Adam Ierymenko
4f3775bb86 Fix ICMP match. 2016-10-13 14:21:00 -07:00
Adam Ierymenko
8850a8610a Fix filter trace. 2016-10-13 13:59:17 -07:00
Adam Ierymenko
e53f63ca87 Broke down and added an OR to the rules engine. It is now possible to have a series of MATCHes that are ORed. 2016-10-11 12:00:16 -07:00
Adam Ierymenko
45c4ccb153 Add a tags both equal match. 2016-10-05 16:38:42 -07:00
Adam Ierymenko
adeb7e7da0 Make capability flags match more user-friendly and appropriate since "match any flag" is generally what we want. 2016-10-05 12:54:46 -07:00
Adam Ierymenko
988049f39b Add new rule to rules engine: random match. 2016-09-30 14:07:00 -07:00
Adam Ierymenko
9eaa3756f8 Fix deadlock-causing regression in Network. 2016-09-30 12:22:54 -07:00
Adam Ierymenko
4fe9a4fe83 Fix memory leak. 2016-09-28 16:13:59 -07:00
Adam Ierymenko
9f550292fe Simply network auth logic and always sent error on auth failure even for unknown networks to prevent forensics. 2016-09-27 13:49:43 -07:00
Adam Ierymenko
cc4bacc199 Cleanup, and implement compression disable flag for networks. 2016-09-27 12:22:25 -07:00
Adam Ierymenko
15c07c58b6 Refactored network config chunking to sign every chunk to prevent stupid DOS attack potential, and implement network config fast propagate (though we probably will not use this for a bit). 2016-09-27 11:33:48 -07:00
Adam Ierymenko
eac3667ec1 Bunch more refactoring and work on revocations, etc. 2016-09-26 16:17:02 -07:00
Adam Ierymenko
1f74dd4589 Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00
Adam Ierymenko
d3524f3609 Refactor COM stuff a bit, and respond to COM requests a bit more readily for rapid setup. Will need to revisit later. 2016-09-20 21:21:34 -07:00
Adam Ierymenko
68e549233d Revise bearer token code in controller, and add relay policy as a meta-data item presented to controller by nodes (to facilitate future meshiness). 2016-09-15 13:17:37 -07:00
Adam Ierymenko
15402933bc Add physical MTU recommendation hint to network config via API. 2016-09-14 16:55:25 -07:00
Adam Ierymenko
83abc00aae docs 2016-09-13 14:58:59 -07:00
Adam Ierymenko
ab9afbc749 (1) Public networks now get COMs even though they do not gate with them since they will need them to push auth for multicast stuff, (2) added a bunch of rate limit circuit breakers for anti-DOS, (3) cleanup. 2016-09-09 11:36:10 -07:00
Adam Ierymenko
ef87069957 Fix gating of multicast GATHER replies since these can come from upstream, etc., and fix an issue with sending ECHO to recheck marginal paths. 2016-09-09 09:32:00 -07:00
Adam Ierymenko
0d4109a9f1 More refactoring to clean up code, and add a gate function to make sure we do not handle OK packets we did not expect. This hardens up a few potential edge cases around security, since such messages might be used to e.g. pollute a cache and DOS under certain conditions. 2016-09-09 08:43:58 -07:00
Adam Ierymenko
16df2c3363 Clean up handling of COMs, network access control, and fix a backward compatiblity issue. 2016-09-08 19:48:05 -07:00
Adam Ierymenko
1f6b13b7fd Fix bug causing null addresses to get in memberships[] hash. 2016-09-08 16:09:56 -07:00
Adam Ierymenko
daf8a66ced More correct and efficient to initialize member relationship push stuff lazily when member is learned. 2016-09-07 15:47:20 -07:00
Adam Ierymenko
20278bb9e4 Also send MULTICAST_LIKEs to controllers. 2016-09-07 15:34:34 -07:00
Adam Ierymenko
1908aa55f5 Refactor MULTICAST_LIKE pushing to eliminate redundant and unnecessary pushes and simplify code. 2016-09-07 15:15:52 -07:00
Adam Ierymenko
eebcf08084 Tweaks to new Path code for dual-stack operation, and other fixes. 2016-09-03 15:39:05 -07:00
Adam Ierymenko
22271f2a49 Cleanup. 2016-09-01 13:36:41 -07:00
Adam Ierymenko
8b6d23b9f6 Optimize filter code a bit, and add a network-level setting for what should happen if an unsupported or unknown MATCH is encountered in a rules table. 2016-09-01 12:07:17 -07:00
Adam Ierymenko
25056de5d3 Also need to send credentials when TEEing and REDIRECTing. 2016-08-31 17:56:59 -07:00
Adam Ierymenko
994b25af4e Simplify some logic. 2016-08-31 17:45:55 -07:00
Adam Ierymenko
74afef8eb1 Think through and refine a few things in rules, especially edge case TEE and REDIRECT behavior and semantics. 2016-08-31 16:50:22 -07:00
Adam Ierymenko
54489a7f61 rename SAMENESS to DIFFERENCE which is less confusing 2016-08-31 14:14:58 -07:00
Adam Ierymenko
8e3004591b Add overlooked MATCH_ICMP to rule set. 2016-08-31 14:01:15 -07:00
Adam Ierymenko
cb63babac4 Debug output fixes. 2016-08-29 16:38:10 -07:00
Adam Ierymenko
ac1c127b68 Debug output fixes. 2016-08-29 16:24:08 -07:00
Adam Ierymenko
cb82193333 Debug output fixes. 2016-08-29 16:19:26 -07:00
Adam Ierymenko
f0636ffd4a EXT_FRAME messages should always be accepted if we are the destination for a matching TEE or REDIRECT rule. 2016-08-29 15:54:06 -07:00
Adam Ierymenko
51a420671f Make rules engine debug a bit more verbose. 2016-08-29 15:17:34 -07:00
Adam Ierymenko
7223685b96 . 2016-08-26 15:30:20 -07:00
Adam Ierymenko
e7dff1c785 Change logic a little for self-as-destination in TEE and REDIRECT. 2016-08-26 15:28:31 -07:00
Adam Ierymenko
a5383d83d8 Do not TEE or REDIRECT to self. 2016-08-26 15:25:00 -07:00
Adam Ierymenko
fb5217761b Add missing names in filter debug code. 2016-08-26 13:20:55 -07:00
Adam Ierymenko
90f3e94565 Always output trace info when debugging rules. 2016-08-26 12:21:44 -07:00
Adam Ierymenko
ded5a53a6c Documentation updates, add rules engine revision to network config request meta-data. 2016-08-26 10:38:43 -07:00
Adam Ierymenko
d637988ccf Fix chicken or egg problem in tags, and better filter debug instrumentation. 2016-08-25 18:21:20 -07:00
Adam Ierymenko
b5e0d014ab Controller bug fixes 2016-08-25 16:08:40 -07:00
Adam Ierymenko
5eaf397a94 Add a debug log feature in the filter, which only works if enabled in Network.cpp. 2016-08-25 13:31:23 -07:00
Adam Ierymenko
2cdda38dc4 It basically works... at least on current controllers. 2016-08-24 15:26:18 -07:00
Adam Ierymenko
ccea3d04d6 Push NETWORK_CONFIG_REFRESH on POSTs to /member/... in controller. 2016-08-24 14:28:16 -07:00
Adam Ierymenko
8e3463d47a Add length limit to TEE and REDIRECT, and completely factor out old C json-parser to eliminate a dependency. 2016-08-24 13:37:57 -07:00
Adam Ierymenko
0a7a33ef8f Instantaneous blacklisting and credential revocation. 2016-08-23 13:46:36 -07:00
Adam Ierymenko
68b4ca9b31 Cleanup. 2016-08-23 11:52:10 -07:00
Adam Ierymenko
77f7dcf40a Obsolete "test network" removal. 2016-08-23 09:39:38 -07:00
Adam Ierymenko
9a3c652a51 Get rid of expiration in Capability and Tag and move this to NetworkConfig so it can be set network-wide and reset if needed. Also add NetworkConfig field for this and centralize checking of credential time validity. 2016-08-22 18:06:46 -07:00
Adam Ierymenko
7d906df805 Better instrumentation for filter, and filter bug fixes. 2016-08-10 14:27:52 -07:00
Adam Ierymenko
d166b494ee Rule parse fix. 2016-08-10 13:41:22 -07:00
Adam Ierymenko
c9d7845fea Minor bug fix and some instrumentation stuff for testing. 2016-08-09 17:00:01 -07:00
Adam Ierymenko
e1310a764a More cleanup and removal of cruft due to obsolete network-specific relays (will be replaced with federation stuff). 2016-08-09 15:45:26 -07:00
Adam Ierymenko
4d498b3765 Handling of multi-part chunked network configs on the inbound side. 2016-08-09 13:14:38 -07:00
Adam Ierymenko
2ba9343607 Encode and decode of tags and capabilities in NetworkConfig. 2016-08-09 08:32:42 -07:00
Adam Ierymenko
00fd9c3a15 It builds... almost ready to test some rules engine stuff. 2016-08-08 17:33:26 -07:00
Adam Ierymenko
8007ca56aa Refactor and tie-up of capabilities and tags and packet evaluation points. Some optimization is possible here but it is minor and we will make it work first. 2016-08-08 16:50:00 -07:00
Adam Ierymenko
4d7f625aa1 . 2016-08-05 15:55:38 -07:00
Adam Ierymenko
e2f783ebbd . 2016-08-05 15:02:01 -07:00
Adam Ierymenko
331382cf2f More cleanup and a tiny federation prep item. 2016-08-04 12:14:13 -07:00
Adam Ierymenko
5cf410490e . 2016-08-04 10:18:33 -07:00
Adam Ierymenko
7e6e56e2bc Bunch of work on pushing and replication of tags and capabilities, and protocol cleanup. 2016-08-03 18:04:08 -07:00
Adam Ierymenko
b2d048aa0e Make Dictionary templatable so it can be used where we want a higher capacity. 2016-06-21 07:32:58 -07:00
Adam Ierymenko
e09c1a1c11 Big refactor mostly builds. We now have a uniform backward compatible netconf. 2016-06-16 12:28:43 -07:00
Adam Ierymenko
4446dbde5e Big refactor in service code to prep for plumbing through route management. 2016-06-14 10:09:26 -07:00
Adam Ierymenko
9161eebc68 Carry virtual network routes through to API. 2016-06-07 12:15:19 -07:00
Adam Ierymenko
93b673043c Fix new binary meta-data deserialization and add some debug code (will disable later). 2016-05-16 18:37:37 -07:00
Adam Ierymenko
548730660b Ready to test whole new netconf refactor. 2016-05-11 10:19:14 -07:00
Adam Ierymenko
8b9519f0af Simplify a bunch of NetworkConfig stuff by eliminating accessors, also makes network controller easier to refactor. 2016-05-06 16:13:11 -07:00
Adam Ierymenko
529515d1d1 Changes to how new-style binary network configs are detected, and a new-style binary serialized meta-data representation. 2016-05-06 13:29:10 -07:00
Adam Ierymenko
59eb09d063 Deserialize new style netconf. 2016-04-26 17:20:31 -07:00
Adam Ierymenko
90e1262a8b More refactoring to remove old Dictionary dependencies. 2016-04-26 08:20:03 -07:00
Adam Ierymenko
2f18a92e20 Cleanup in numerous places, reduce network chattiness around MULTICAST_LIKE, and fix a "how was that working" latent bug causing some control traffic to take the scenic route. 2016-04-19 12:09:35 -07:00
Adam Ierymenko
51fecc0be9 Refactor Network for new NetworkConfig. 2016-04-12 12:16:29 -07:00
Adam Ierymenko
6f854c8391 NetworkConfig refactor part 1 2016-04-12 12:11:34 -07:00
Adam Ierymenko
4e4fd51117 boring doc stuff 2016-01-12 14:04:55 -08:00
Adam Ierymenko
3883ac08c7 Docs and cleanup. 2016-01-12 13:17:30 -08:00
Adam Ierymenko
d6f0f1a82a Use network user ptr in lookup for Ethernet frame handling to eliminate map lookup. 2016-01-12 11:34:22 -08:00
Adam Ierymenko
83ef98a9dc Add a network-associated user ptr in API. 2016-01-12 11:04:35 -08:00
Adam Ierymenko
16bc3e0398 Factor out RemotePath subclass of Path -- no longer needed, just cruft. 2015-10-27 15:00:16 -07:00
Adam Ierymenko
35676217e8 Refactor multicast group announcement to work directly or indirectly. 2015-10-23 14:50:07 -07:00
Adam Ierymenko
7d62dbe9f7 Tune NAT-t keepalives so that timing is better obeyed, clean up a build warning, and fix a potential source of network recursion (though harmless). 2015-10-07 11:57:59 -07:00