Deprecate IPv4Sources and IPv6Sources options in crypto-key routing, these options were not well understood and increased the complexity of configuring CKR vs Wireguard or similar

2025-04-30 07:05:06 +03:00 · 2019-08-18 21:58:28 +01:00 · 2019-08-18 21:58:28 +01:00 · 322f83a247
commit 322f83a247
parent 009d9c9ec0
4 changed files with 0 additions and 181 deletions
--- a/src/config/config.go
+++ b/src/config/config.go
@ -76,9 +76,7 @@ type SessionFirewall struct {
 type TunnelRouting struct {
 	Enable           bool              `comment:"Enable or disable tunnel routing."`
 	IPv6Destinations map[string]string `comment:"IPv6 CIDR subnets, mapped to the EncryptionPublicKey to which they\nshould be routed, e.g. { \"aaaa:bbbb:cccc::/e\": \"boxpubkey\", ... }"`
 	IPv6Sources      []string          `comment:"Optional IPv6 source subnets which are allowed to be tunnelled in\naddition to this node's Yggdrasil address/subnet. If not\nspecified, only traffic originating from this node's Yggdrasil\naddress or subnet will be tunnelled."`
 	IPv4Destinations map[string]string `comment:"IPv4 CIDR subnets, mapped to the EncryptionPublicKey to which they\nshould be routed, e.g. { \"a.b.c.d/e\": \"boxpubkey\", ... }"`
 	IPv4Sources      []string          `comment:"IPv4 source subnets which are allowed to be tunnelled. Unlike for\nIPv6, this option is required for bridging IPv4 traffic. Only\ntraffic with a source matching these subnets will be tunnelled."`
 }
 // SwitchOptions contains tuning options for the switch
--- a/src/tuntap/admin.go
+++ b/src/tuntap/admin.go
@ -4,7 +4,6 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"net"
 	"github.com/yggdrasil-network/yggdrasil-go/src/admin"
 )
@ -66,13 +65,6 @@ func (t *TunAdapter) SetupAdminHandlers(a *admin.AdminSocket) {
 		t.ckr.setEnabled(enabled)
 		return admin.Info{"enabled": enabled}, nil
 	})
 	a.AddHandler("addSourceSubnet", []string{"subnet"}, func(in admin.Info) (admin.Info, error) {
 		if err := t.ckr.addSourceSubnet(in["subnet"].(string)); err == nil {
 			return admin.Info{"added": []string{in["subnet"].(string)}}, nil
 		} else {
 			return admin.Info{"not_added": []string{in["subnet"].(string)}}, errors.New("Failed to add source subnet")
 		}
 	})
 	a.AddHandler("addRoute", []string{"subnet", "box_pub_key"}, func(in admin.Info) (admin.Info, error) {
 		if err := t.ckr.addRoute(in["subnet"].(string), in["box_pub_key"].(string)); err == nil {
 			return admin.Info{"added": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, nil
@ -80,17 +72,6 @@ func (t *TunAdapter) SetupAdminHandlers(a *admin.AdminSocket) {
 			return admin.Info{"not_added": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, errors.New("Failed to add route")
 		}
 	})
 	a.AddHandler("getSourceSubnets", []string{}, func(in admin.Info) (admin.Info, error) {
 		var subnets []string
 		getSourceSubnets := func(snets []net.IPNet) {
 			for _, subnet := range snets {
 				subnets = append(subnets, subnet.String())
 			}
 		}
 		getSourceSubnets(t.ckr.ipv4sources)
 		getSourceSubnets(t.ckr.ipv6sources)
 		return admin.Info{"source_subnets": subnets}, nil
 	})
 	a.AddHandler("getRoutes", []string{}, func(in admin.Info) (admin.Info, error) {
 		routes := make(admin.Info)
 		getRoutes := func(ckrs []cryptokey_route) {
@ -102,13 +83,6 @@ func (t *TunAdapter) SetupAdminHandlers(a *admin.AdminSocket) {
 		getRoutes(t.ckr.ipv6routes)
 		return admin.Info{"routes": routes}, nil
 	})
 	a.AddHandler("removeSourceSubnet", []string{"subnet"}, func(in admin.Info) (admin.Info, error) {
 		if err := t.ckr.removeSourceSubnet(in["subnet"].(string)); err == nil {
 			return admin.Info{"removed": []string{in["subnet"].(string)}}, nil
 		} else {
 			return admin.Info{"not_removed": []string{in["subnet"].(string)}}, errors.New("Failed to remove source subnet")
 		}
 	})
 	a.AddHandler("removeRoute", []string{"subnet", "box_pub_key"}, func(in admin.Info) (admin.Info, error) {
 		if err := t.ckr.removeRoute(in["subnet"].(string), in["box_pub_key"].(string)); err == nil {
 			return admin.Info{"removed": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, nil
--- a/src/tuntap/ckr.go
+++ b/src/tuntap/ckr.go
@ -25,8 +25,6 @@ type cryptokey struct {
 	ipv6routes   []cryptokey_route
 	ipv4cache    map[address.Address]cryptokey_route
 	ipv6cache    map[address.Address]cryptokey_route
 	ipv4sources  []net.IPNet
 	ipv6sources  []net.IPNet
 	mutexroutes  sync.RWMutex
 	mutexcaches  sync.RWMutex
 	mutexsources sync.RWMutex
@ -84,28 +82,6 @@ func (c *cryptokey) configure() error {
 		}
 	}
 	// Clear out existing sources
 	c.mutexsources.Lock()
 	c.ipv6sources = make([]net.IPNet, 0)
 	c.ipv4sources = make([]net.IPNet, 0)
 	c.mutexsources.Unlock()
 	// Add IPv6 sources
 	c.ipv6sources = make([]net.IPNet, 0)
 	for _, source := range current.TunnelRouting.IPv6Sources {
 		if err := c.addSourceSubnet(source); err != nil {
 			return err
 		}
 	}
 	// Add IPv4 sources
 	c.ipv4sources = make([]net.IPNet, 0)
 	for _, source := range current.TunnelRouting.IPv4Sources {
 		if err := c.addSourceSubnet(source); err != nil {
 			return err
 		}
 	}
 	// Wipe the caches
 	c.mutexcaches.Lock()
 	c.ipv4cache = make(map[address.Address]cryptokey_route, 0)
@ -126,92 +102,6 @@ func (c *cryptokey) isEnabled() bool {
 	return ok && enabled
 }
 // Check whether the given address (with the address length specified in bytes)
 // matches either the current node's address, the node's routed subnet or the
 // list of subnets specified in IPv4Sources/IPv6Sources.
 func (c *cryptokey) isValidSource(addr address.Address, addrlen int) bool {
 	c.mutexsources.RLock()
 	defer c.mutexsources.RUnlock()
 	ip := net.IP(addr[:addrlen])
 	if addrlen == net.IPv6len {
 		// Does this match our node's address?
 		if bytes.Equal(addr[:16], c.tun.addr[:16]) {
 			return true
 		}
 		// Does this match our node's subnet?
 		if bytes.Equal(addr[:8], c.tun.subnet[:8]) {
 			return true
 		}
 	}
 	// Does it match a configured CKR source?
 	if c.isEnabled() {
 		// Build our references to the routing sources
 		var routingsources *[]net.IPNet
 		// Check if the prefix is IPv4 or IPv6
 		if addrlen == net.IPv6len {
 			routingsources = &c.ipv6sources
 		} else if addrlen == net.IPv4len {
 			routingsources = &c.ipv4sources
 		} else {
 			return false
 		}
 		for _, subnet := range *routingsources {
 			if subnet.Contains(ip) {
 				return true
 			}
 		}
 	}
 	// Doesn't match any of the above
 	return false
 }
 // Adds a source subnet, which allows traffic with these source addresses to
 // be tunnelled using crypto-key routing.
 func (c *cryptokey) addSourceSubnet(cidr string) error {
 	c.mutexsources.Lock()
 	defer c.mutexsources.Unlock()
 	// Is the CIDR we've been given valid?
 	_, ipnet, err := net.ParseCIDR(cidr)
 	if err != nil {
 		return err
 	}
 	// Get the prefix length and size
 	_, prefixsize := ipnet.Mask.Size()
 	// Build our references to the routing sources
 	var routingsources *[]net.IPNet
 	// Check if the prefix is IPv4 or IPv6
 	if prefixsize == net.IPv6len*8 {
 		routingsources = &c.ipv6sources
 	} else if prefixsize == net.IPv4len*8 {
 		routingsources = &c.ipv4sources
 	} else {
 		return errors.New("Unexpected prefix size")
 	}
 	// Check if we already have this CIDR
 	for _, subnet := range *routingsources {
 		if subnet.String() == ipnet.String() {
 			return errors.New("Source subnet already configured")
 		}
 	}
 	// Add the source subnet
 	*routingsources = append(*routingsources, *ipnet)
 	c.tun.log.Infoln("Added CKR source subnet", cidr)
 	return nil
 }
 // Adds a destination route for the given CIDR to be tunnelled to the node
 // with the given BoxPubKey.
 func (c *cryptokey) addRoute(cidr string, dest string) error {
@ -369,44 +259,6 @@ func (c *cryptokey) getPublicKeyForAddress(addr address.Address, addrlen int) (c
 	return crypto.BoxPubKey{}, errors.New(fmt.Sprintf("No route to %s", ip.String()))
 }
 // Removes a source subnet, which allows traffic with these source addresses to
 // be tunnelled using crypto-key routing.
 func (c *cryptokey) removeSourceSubnet(cidr string) error {
 	c.mutexsources.Lock()
 	defer c.mutexsources.Unlock()
 	// Is the CIDR we've been given valid?
 	_, ipnet, err := net.ParseCIDR(cidr)
 	if err != nil {
 		return err
 	}
 	// Get the prefix length and size
 	_, prefixsize := ipnet.Mask.Size()
 	// Build our references to the routing sources
 	var routingsources *[]net.IPNet
 	// Check if the prefix is IPv4 or IPv6
 	if prefixsize == net.IPv6len*8 {
 		routingsources = &c.ipv6sources
 	} else if prefixsize == net.IPv4len*8 {
 		routingsources = &c.ipv4sources
 	} else {
 		return errors.New("Unexpected prefix size")
 	}
 	// Check if we already have this CIDR
 	for idx, subnet := range *routingsources {
 		if subnet.String() == ipnet.String() {
 			*routingsources = append((*routingsources)[:idx], (*routingsources)[idx+1:]...)
 			c.tun.log.Infoln("Removed CKR source subnet", cidr)
 			return nil
 		}
 	}
 	return errors.New("Source subnet not found")
 }
 // Removes a destination route for the given CIDR to be tunnelled to the node
 // with the given BoxPubKey.
 func (c *cryptokey) removeRoute(cidr string, dest string) error {
--- a/src/tuntap/iface.go
+++ b/src/tuntap/iface.go
@ -187,11 +187,6 @@ func (tun *TunAdapter) readerPacketHandler(ch chan []byte) {
 			tun.log.Traceln("Unknown packet type, dropping")
 			continue
 		}
 		if tun.ckr.isEnabled() && !tun.ckr.isValidSource(srcAddr, addrlen) {
 			// The packet had a source address that doesn't belong to us or our
 			// configured crypto-key routing source subnets
 			continue
 		}
 		if !dstAddr.IsValid() && !dstSnet.IsValid() {
 			if key, err := tun.ckr.getPublicKeyForAddress(dstAddr, addrlen); err == nil {
 				// A public key was found, get the node ID for the search