Reimplement get/setTunnelRouting, add/removeSourceSubnet, add/removeRoute, getRoutes, getSourceSubnets, make CKR threadsafe

2025-04-28 22:25:07 +03:00 · 2019-05-20 21:45:33 +01:00 · 2019-05-20 21:45:33 +01:00 · 70774fc3de
commit 70774fc3de
parent 5b8d8a9341
2 changed files with 158 additions and 127 deletions
--- a/src/tuntap/ckr.go
+++ b/src/tuntap/ckr.go
@ -7,6 +7,8 @@ import (
 	"fmt"
 	"net"
 	"sort"
+	"sync"
+	"sync/atomic"

 	"github.com/yggdrasil-network/yggdrasil-go/src/address"
 	"github.com/yggdrasil-network/yggdrasil-go/src/crypto"
@ -16,15 +18,18 @@ import (
 // allow traffic for non-Yggdrasil ranges to be routed over Yggdrasil.

 type cryptokey struct {
-	tun         *TunAdapter
-	enabled     bool
-	reconfigure chan chan error
-	ipv4routes  []cryptokey_route
-	ipv6routes  []cryptokey_route
-	ipv4cache   map[address.Address]cryptokey_route
-	ipv6cache   map[address.Address]cryptokey_route
-	ipv4sources []net.IPNet
-	ipv6sources []net.IPNet
+	tun          *TunAdapter
+	enabled      atomic.Value // bool
+	reconfigure  chan chan error
+	ipv4routes   []cryptokey_route
+	ipv6routes   []cryptokey_route
+	ipv4cache    map[address.Address]cryptokey_route
+	ipv6cache    map[address.Address]cryptokey_route
+	ipv4sources  []net.IPNet
+	ipv6sources  []net.IPNet
+	mutexroutes  sync.RWMutex
+	mutexcaches  sync.RWMutex
+	mutexsources sync.RWMutex
 }

 type cryptokey_route struct {
@ -58,8 +63,10 @@ func (c *cryptokey) configure() error {
 	c.setEnabled(c.tun.config.Current.TunnelRouting.Enable)

 	// Clear out existing routes
+	c.mutexroutes.Lock()
 	c.ipv6routes = make([]cryptokey_route, 0)
 	c.ipv4routes = make([]cryptokey_route, 0)
+	c.mutexroutes.Unlock()

 	// Add IPv6 routes
 	for ipv6, pubkey := range c.tun.config.Current.TunnelRouting.IPv6Destinations {
@ -76,8 +83,10 @@ func (c *cryptokey) configure() error {
 	}

 	// Clear out existing sources
+	c.mutexsources.Lock()
 	c.ipv6sources = make([]net.IPNet, 0)
 	c.ipv4sources = make([]net.IPNet, 0)
+	c.mutexsources.Unlock()

 	// Add IPv6 sources
 	c.ipv6sources = make([]net.IPNet, 0)
@ -96,26 +105,31 @@ func (c *cryptokey) configure() error {
 	}

 	// Wipe the caches
+	c.mutexcaches.Lock()
 	c.ipv4cache = make(map[address.Address]cryptokey_route, 0)
 	c.ipv6cache = make(map[address.Address]cryptokey_route, 0)
+	c.mutexcaches.Unlock()

 	return nil
 }

 // Enable or disable crypto-key routing.
 func (c *cryptokey) setEnabled(enabled bool) {
-	c.enabled = enabled
+	c.enabled.Store(true)
 }

 // Check if crypto-key routing is enabled.
 func (c *cryptokey) isEnabled() bool {
-	return c.enabled
+	return c.enabled.Load().(bool)
 }

 // Check whether the given address (with the address length specified in bytes)
 // matches either the current node's address, the node's routed subnet or the
 // list of subnets specified in IPv4Sources/IPv6Sources.
 func (c *cryptokey) isValidSource(addr address.Address, addrlen int) bool {
+	c.mutexsources.RLock()
+	defer c.mutexsources.RUnlock()
+
 	ip := net.IP(addr[:addrlen])

 	if addrlen == net.IPv6len {
@ -158,6 +172,9 @@ func (c *cryptokey) isValidSource(addr address.Address, addrlen int) bool {
 // Adds a source subnet, which allows traffic with these source addresses to
 // be tunnelled using crypto-key routing.
 func (c *cryptokey) addSourceSubnet(cidr string) error {
+	c.mutexsources.Lock()
+	defer c.mutexsources.Unlock()
+
 	// Is the CIDR we've been given valid?
 	_, ipnet, err := net.ParseCIDR(cidr)
 	if err != nil {
@ -195,6 +212,11 @@ func (c *cryptokey) addSourceSubnet(cidr string) error {
 // Adds a destination route for the given CIDR to be tunnelled to the node
 // with the given BoxPubKey.
 func (c *cryptokey) addRoute(cidr string, dest string) error {
+	c.mutexroutes.Lock()
+	c.mutexcaches.Lock()
+	defer c.mutexroutes.Unlock()
+	defer c.mutexcaches.Unlock()
+
 	// Is the CIDR we've been given valid?
 	ipaddr, ipnet, err := net.ParseCIDR(cidr)
 	if err != nil {
@ -269,6 +291,8 @@ func (c *cryptokey) addRoute(cidr string, dest string) error {
 // length specified in bytes) from the crypto-key routing table. An error is
 // returned if the address is not suitable or no route was found.
 func (c *cryptokey) getPublicKeyForAddress(addr address.Address, addrlen int) (crypto.BoxPubKey, error) {
+	c.mutexcaches.RLock()
+
 	// Check if the address is a valid Yggdrasil address - if so it
 	// is exempt from all CKR checking
 	if addr.IsValid() {
@ -281,10 +305,8 @@ func (c *cryptokey) getPublicKeyForAddress(addr address.Address, addrlen int) (c

 	// Check if the prefix is IPv4 or IPv6
 	if addrlen == net.IPv6len {
-		routingtable = &c.ipv6routes
 		routingcache = &c.ipv6cache
 	} else if addrlen == net.IPv4len {
-		routingtable = &c.ipv4routes
 		routingcache = &c.ipv4cache
 	} else {
 		return crypto.BoxPubKey{}, errors.New("Unexpected prefix size")
@ -292,9 +314,24 @@ func (c *cryptokey) getPublicKeyForAddress(addr address.Address, addrlen int) (c

 	// Check if there's a cache entry for this addr
 	if route, ok := (*routingcache)[addr]; ok {
+		c.mutexcaches.RUnlock()
 		return route.destination, nil
 	}

+	c.mutexcaches.RUnlock()
+
+	c.mutexroutes.RLock()
+	defer c.mutexroutes.RUnlock()
+
+	// Check if the prefix is IPv4 or IPv6
+	if addrlen == net.IPv6len {
+		routingtable = &c.ipv6routes
+	} else if addrlen == net.IPv4len {
+		routingtable = &c.ipv4routes
+	} else {
+		return crypto.BoxPubKey{}, errors.New("Unexpected prefix size")
+	}
+
 	// No cache was found - start by converting the address into a net.IP
 	ip := make(net.IP, addrlen)
 	copy(ip[:addrlen], addr[:])
@ -304,6 +341,9 @@ func (c *cryptokey) getPublicKeyForAddress(addr address.Address, addrlen int) (c
 	for _, route := range *routingtable {
 		// Does this subnet match the given IP?
 		if route.subnet.Contains(ip) {
+			c.mutexcaches.Lock()
+			defer c.mutexcaches.Unlock()
+
 			// Check if the routing cache is above a certain size, if it is evict
 			// a random entry so we can make room for this one. We take advantage
 			// of the fact that the iteration order is random here
@ -329,6 +369,9 @@ func (c *cryptokey) getPublicKeyForAddress(addr address.Address, addrlen int) (c
 // Removes a source subnet, which allows traffic with these source addresses to
 // be tunnelled using crypto-key routing.
 func (c *cryptokey) removeSourceSubnet(cidr string) error {
+	c.mutexsources.Lock()
+	defer c.mutexsources.Unlock()
+
 	// Is the CIDR we've been given valid?
 	_, ipnet, err := net.ParseCIDR(cidr)
 	if err != nil {
@ -364,6 +407,11 @@ func (c *cryptokey) removeSourceSubnet(cidr string) error {
 // Removes a destination route for the given CIDR to be tunnelled to the node
 // with the given BoxPubKey.
 func (c *cryptokey) removeRoute(cidr string, dest string) error {
+	c.mutexroutes.Lock()
+	c.mutexcaches.Lock()
+	defer c.mutexroutes.Unlock()
+	defer c.mutexcaches.Unlock()
+
 	// Is the CIDR we've been given valid?
 	_, ipnet, err := net.ParseCIDR(cidr)
 	if err != nil {
@ -403,7 +451,7 @@ func (c *cryptokey) removeRoute(cidr string, dest string) error {
 			for k := range *routingcache {
 				delete(*routingcache, k)
 			}
-			c.tun.log.Infoln("Removed CKR destination subnet %s via %s\n", cidr, dest)
+			c.tun.log.Infof("Removed CKR destination subnet %s via %s\n", cidr, dest)
 			return nil
 		}
 	}