Deprecate IPv4Sources and IPv6Sources options in crypto-key routing, these options were not well understood and increased the complexity of configuring CKR vs Wireguard or similar

2025-04-30 07:05:06 +03:00 · 2019-08-18 21:58:28 +01:00 · 2019-08-18 21:58:28 +01:00 · 322f83a247
commit 322f83a247
parent 009d9c9ec0
4 changed files with 0 additions and 181 deletions
--- a/src/config/config.go
+++ b/src/config/config.go
@ -76,9 +76,7 @@ type SessionFirewall struct {
 type TunnelRouting struct {
 	Enable           bool              `comment:"Enable or disable tunnel routing."`
 	IPv6Destinations map[string]string `comment:"IPv6 CIDR subnets, mapped to the EncryptionPublicKey to which they\nshould be routed, e.g. { \"aaaa:bbbb:cccc::/e\": \"boxpubkey\", ... }"`
-	IPv6Sources      []string          `comment:"Optional IPv6 source subnets which are allowed to be tunnelled in\naddition to this node's Yggdrasil address/subnet. If not\nspecified, only traffic originating from this node's Yggdrasil\naddress or subnet will be tunnelled."`
 	IPv4Destinations map[string]string `comment:"IPv4 CIDR subnets, mapped to the EncryptionPublicKey to which they\nshould be routed, e.g. { \"a.b.c.d/e\": \"boxpubkey\", ... }"`
-	IPv4Sources      []string          `comment:"IPv4 source subnets which are allowed to be tunnelled. Unlike for\nIPv6, this option is required for bridging IPv4 traffic. Only\ntraffic with a source matching these subnets will be tunnelled."`
 }

 // SwitchOptions contains tuning options for the switch
--- a/src/tuntap/admin.go
+++ b/src/tuntap/admin.go
@ -4,7 +4,6 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
-	"net"

 	"github.com/yggdrasil-network/yggdrasil-go/src/admin"
 )
@ -66,13 +65,6 @@ func (t *TunAdapter) SetupAdminHandlers(a *admin.AdminSocket) {
 		t.ckr.setEnabled(enabled)
 		return admin.Info{"enabled": enabled}, nil
 	})
-	a.AddHandler("addSourceSubnet", []string{"subnet"}, func(in admin.Info) (admin.Info, error) {
-		if err := t.ckr.addSourceSubnet(in["subnet"].(string)); err == nil {
-			return admin.Info{"added": []string{in["subnet"].(string)}}, nil
-		} else {
-			return admin.Info{"not_added": []string{in["subnet"].(string)}}, errors.New("Failed to add source subnet")
-		}
-	})
 	a.AddHandler("addRoute", []string{"subnet", "box_pub_key"}, func(in admin.Info) (admin.Info, error) {
 		if err := t.ckr.addRoute(in["subnet"].(string), in["box_pub_key"].(string)); err == nil {
 			return admin.Info{"added": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, nil
@ -80,17 +72,6 @@ func (t *TunAdapter) SetupAdminHandlers(a *admin.AdminSocket) {
 			return admin.Info{"not_added": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, errors.New("Failed to add route")
 		}
 	})
-	a.AddHandler("getSourceSubnets", []string{}, func(in admin.Info) (admin.Info, error) {
-		var subnets []string
-		getSourceSubnets := func(snets []net.IPNet) {
-			for _, subnet := range snets {
-				subnets = append(subnets, subnet.String())
-			}
-		}
-		getSourceSubnets(t.ckr.ipv4sources)
-		getSourceSubnets(t.ckr.ipv6sources)
-		return admin.Info{"source_subnets": subnets}, nil
-	})
 	a.AddHandler("getRoutes", []string{}, func(in admin.Info) (admin.Info, error) {
 		routes := make(admin.Info)
 		getRoutes := func(ckrs []cryptokey_route) {
@ -102,13 +83,6 @@ func (t *TunAdapter) SetupAdminHandlers(a *admin.AdminSocket) {
 		getRoutes(t.ckr.ipv6routes)
 		return admin.Info{"routes": routes}, nil
 	})
-	a.AddHandler("removeSourceSubnet", []string{"subnet"}, func(in admin.Info) (admin.Info, error) {
-		if err := t.ckr.removeSourceSubnet(in["subnet"].(string)); err == nil {
-			return admin.Info{"removed": []string{in["subnet"].(string)}}, nil
-		} else {
-			return admin.Info{"not_removed": []string{in["subnet"].(string)}}, errors.New("Failed to remove source subnet")
-		}
-	})
 	a.AddHandler("removeRoute", []string{"subnet", "box_pub_key"}, func(in admin.Info) (admin.Info, error) {
 		if err := t.ckr.removeRoute(in["subnet"].(string), in["box_pub_key"].(string)); err == nil {
 			return admin.Info{"removed": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, nil
--- a/src/tuntap/ckr.go
+++ b/src/tuntap/ckr.go
@ -25,8 +25,6 @@ type cryptokey struct {
 	ipv6routes   []cryptokey_route
 	ipv4cache    map[address.Address]cryptokey_route
 	ipv6cache    map[address.Address]cryptokey_route
-	ipv4sources  []net.IPNet
-	ipv6sources  []net.IPNet
 	mutexroutes  sync.RWMutex
 	mutexcaches  sync.RWMutex
 	mutexsources sync.RWMutex
@ -84,28 +82,6 @@ func (c *cryptokey) configure() error {
 		}
 	}

-	// Clear out existing sources
-	c.mutexsources.Lock()
-	c.ipv6sources = make([]net.IPNet, 0)
-	c.ipv4sources = make([]net.IPNet, 0)
-	c.mutexsources.Unlock()
-
-	// Add IPv6 sources
-	c.ipv6sources = make([]net.IPNet, 0)
-	for _, source := range current.TunnelRouting.IPv6Sources {
-		if err := c.addSourceSubnet(source); err != nil {
-			return err
-		}
-	}
-
-	// Add IPv4 sources
-	c.ipv4sources = make([]net.IPNet, 0)
-	for _, source := range current.TunnelRouting.IPv4Sources {
-		if err := c.addSourceSubnet(source); err != nil {
-			return err
-		}
-	}
-
 	// Wipe the caches
 	c.mutexcaches.Lock()
 	c.ipv4cache = make(map[address.Address]cryptokey_route, 0)
@ -126,92 +102,6 @@ func (c *cryptokey) isEnabled() bool {
 	return ok && enabled
 }

-// Check whether the given address (with the address length specified in bytes)
-// matches either the current node's address, the node's routed subnet or the
-// list of subnets specified in IPv4Sources/IPv6Sources.
-func (c *cryptokey) isValidSource(addr address.Address, addrlen int) bool {
-	c.mutexsources.RLock()
-	defer c.mutexsources.RUnlock()
-
-	ip := net.IP(addr[:addrlen])
-
-	if addrlen == net.IPv6len {
-		// Does this match our node's address?
-		if bytes.Equal(addr[:16], c.tun.addr[:16]) {
-			return true
-		}
-
-		// Does this match our node's subnet?
-		if bytes.Equal(addr[:8], c.tun.subnet[:8]) {
-			return true
-		}
-	}
-
-	// Does it match a configured CKR source?
-	if c.isEnabled() {
-		// Build our references to the routing sources
-		var routingsources *[]net.IPNet
-
-		// Check if the prefix is IPv4 or IPv6
-		if addrlen == net.IPv6len {
-			routingsources = &c.ipv6sources
-		} else if addrlen == net.IPv4len {
-			routingsources = &c.ipv4sources
-		} else {
-			return false
-		}
-
-		for _, subnet := range *routingsources {
-			if subnet.Contains(ip) {
-				return true
-			}
-		}
-	}
-
-	// Doesn't match any of the above
-	return false
-}
-
-// Adds a source subnet, which allows traffic with these source addresses to
-// be tunnelled using crypto-key routing.
-func (c *cryptokey) addSourceSubnet(cidr string) error {
-	c.mutexsources.Lock()
-	defer c.mutexsources.Unlock()
-
-	// Is the CIDR we've been given valid?
-	_, ipnet, err := net.ParseCIDR(cidr)
-	if err != nil {
-		return err
-	}
-
-	// Get the prefix length and size
-	_, prefixsize := ipnet.Mask.Size()
-
-	// Build our references to the routing sources
-	var routingsources *[]net.IPNet
-
-	// Check if the prefix is IPv4 or IPv6
-	if prefixsize == net.IPv6len*8 {
-		routingsources = &c.ipv6sources
-	} else if prefixsize == net.IPv4len*8 {
-		routingsources = &c.ipv4sources
-	} else {
-		return errors.New("Unexpected prefix size")
-	}
-
-	// Check if we already have this CIDR
-	for _, subnet := range *routingsources {
-		if subnet.String() == ipnet.String() {
-			return errors.New("Source subnet already configured")
-		}
-	}
-
-	// Add the source subnet
-	*routingsources = append(*routingsources, *ipnet)
-	c.tun.log.Infoln("Added CKR source subnet", cidr)
-	return nil
-}
-
 // Adds a destination route for the given CIDR to be tunnelled to the node
 // with the given BoxPubKey.
 func (c *cryptokey) addRoute(cidr string, dest string) error {
@ -369,44 +259,6 @@ func (c *cryptokey) getPublicKeyForAddress(addr address.Address, addrlen int) (c
 	return crypto.BoxPubKey{}, errors.New(fmt.Sprintf("No route to %s", ip.String()))
 }

-// Removes a source subnet, which allows traffic with these source addresses to
-// be tunnelled using crypto-key routing.
-func (c *cryptokey) removeSourceSubnet(cidr string) error {
-	c.mutexsources.Lock()
-	defer c.mutexsources.Unlock()
-
-	// Is the CIDR we've been given valid?
-	_, ipnet, err := net.ParseCIDR(cidr)
-	if err != nil {
-		return err
-	}
-
-	// Get the prefix length and size
-	_, prefixsize := ipnet.Mask.Size()
-
-	// Build our references to the routing sources
-	var routingsources *[]net.IPNet
-
-	// Check if the prefix is IPv4 or IPv6
-	if prefixsize == net.IPv6len*8 {
-		routingsources = &c.ipv6sources
-	} else if prefixsize == net.IPv4len*8 {
-		routingsources = &c.ipv4sources
-	} else {
-		return errors.New("Unexpected prefix size")
-	}
-
-	// Check if we already have this CIDR
-	for idx, subnet := range *routingsources {
-		if subnet.String() == ipnet.String() {
-			*routingsources = append((*routingsources)[:idx], (*routingsources)[idx+1:]...)
-			c.tun.log.Infoln("Removed CKR source subnet", cidr)
-			return nil
-		}
-	}
-	return errors.New("Source subnet not found")
-}
-
 // Removes a destination route for the given CIDR to be tunnelled to the node
 // with the given BoxPubKey.
 func (c *cryptokey) removeRoute(cidr string, dest string) error {
--- a/src/tuntap/iface.go
+++ b/src/tuntap/iface.go
@ -187,11 +187,6 @@ func (tun *TunAdapter) readerPacketHandler(ch chan []byte) {
 			tun.log.Traceln("Unknown packet type, dropping")
 			continue
 		}
-		if tun.ckr.isEnabled() && !tun.ckr.isValidSource(srcAddr, addrlen) {
-			// The packet had a source address that doesn't belong to us or our
-			// configured crypto-key routing source subnets
-			continue
-		}
 		if !dstAddr.IsValid() && !dstSnet.IsValid() {
 			if key, err := tun.ckr.getPublicKeyForAddress(dstAddr, addrlen); err == nil {
 				// A public key was found, get the node ID for the search