Always allow link-local peerings again

2025-11-04 03:05:07 +03:00 · 2022-10-22 16:23:25 +01:00 · 2022-10-22 16:23:25 +01:00 · d66b3ffb7a
commit d66b3ffb7a
parent 63c4cb5c21
3 changed files with 20 additions and 23 deletions
--- a/src/core/link.go
+++ b/src/core/link.go
@ -272,8 +272,7 @@ func (intf *link) handler() error {
 		var key keyArray
 		copy(key[:], meta.key)
 		if _, allowed := pinned[key]; !allowed {
-			intf.links.core.log.Errorf("Failed to connect to node: %q sent ed25519 key that does not match pinned keys", intf.name())
-			return fmt.Errorf("failed to connect: host sent ed25519 key that does not match pinned keys")
+			return fmt.Errorf("node public key that does not match pinned keys")
 		}
 	}
 	// Check if we're authorized to connect to this key / IP
@ -286,30 +285,32 @@ func (intf *link) handler() error {
 		}
 	}
 	if intf.incoming && !intf.force && !isallowed {
-		intf.links.core.log.Warnf("%s connection from %s forbidden: AllowedPublicKeys does not contain key %s",
-			strings.ToUpper(intf.info.linkType), intf.info.remote, hex.EncodeToString(meta.key))
 		_ = intf.close()
-		return fmt.Errorf("forbidden connection")
+		return fmt.Errorf("node public key %q is not in AllowedPublicKeys", hex.EncodeToString(meta.key))
 	}

 	phony.Block(intf.links, func() {
 		intf.links._links[intf.info] = intf
 	})

+	dir := "outbound"
+	if intf.incoming {
+		dir = "inbound"
+	}
 	remoteAddr := net.IP(address.AddrForKey(meta.key)[:]).String()
 	remoteStr := fmt.Sprintf("%s@%s", remoteAddr, intf.info.remote)
 	localStr := intf.conn.LocalAddr()
-	intf.links.core.log.Infof("Connected %s: %s, source %s",
-		strings.ToUpper(intf.info.linkType), remoteStr, localStr)
+	intf.links.core.log.Infof("Connected %s %s: %s, source %s",
+		dir, strings.ToUpper(intf.info.linkType), remoteStr, localStr)

 	err = intf.links.core.HandleConn(meta.key, intf.conn)
 	switch err {
 	case io.EOF, net.ErrClosed, nil:
-		intf.links.core.log.Infof("Disconnected %s: %s, source %s",
-			strings.ToUpper(intf.info.linkType), remoteStr, localStr)
+		intf.links.core.log.Infof("Disconnected %s %s: %s, source %s",
+			dir, strings.ToUpper(intf.info.linkType), remoteStr, localStr)
 	default:
-		intf.links.core.log.Infof("Disconnected %s: %s, source %s; error: %s",
-			strings.ToUpper(intf.info.linkType), remoteStr, localStr, err)
+		intf.links.core.log.Infof("Disconnected %s %s: %s, source %s; error: %s",
+			dir, strings.ToUpper(intf.info.linkType), remoteStr, localStr, err)
 	}
 	return nil
 }
@ -318,10 +319,6 @@ func (intf *link) close() error {
 	return intf.conn.Close()
 }

-func (intf *link) name() string {
-	return intf.lname
-}
-
 func linkInfoFor(linkType, sintf, remote string) linkInfo {
 	if h, _, err := net.SplitHostPort(remote); err == nil {
 		remote = h
--- a/src/core/link_tcp.go
+++ b/src/core/link_tcp.go
@ -47,7 +47,7 @@ func (l *linkTCP) dial(url *url.URL, options linkOptions, sintf string) error {
 	if err != nil {
 		return err
 	}
-	return l.handler(url.String(), info, conn, options, false)
+	return l.handler(url.String(), info, conn, options, false, false)
 }

 func (l *linkTCP) listen(url *url.URL, sintf string) (*Listener, error) {
@ -84,7 +84,7 @@ func (l *linkTCP) listen(url *url.URL, sintf string) (*Listener, error) {
 			addr := conn.RemoteAddr().(*net.TCPAddr)
 			name := fmt.Sprintf("tcp://%s", addr)
 			info := linkInfoFor("tcp", sintf, strings.SplitN(addr.IP.String(), "%", 2)[0])
-			if err = l.handler(name, info, conn, linkOptions{}, true); err != nil {
+			if err = l.handler(name, info, conn, linkOptions{}, true, addr.IP.IsLinkLocalUnicast()); err != nil {
 				l.core.log.Errorln("Failed to create inbound link:", err)
 			}
 		}
@ -95,13 +95,13 @@ func (l *linkTCP) listen(url *url.URL, sintf string) (*Listener, error) {
 	return entry, nil
 }

-func (l *linkTCP) handler(name string, info linkInfo, conn net.Conn, options linkOptions, incoming bool) error {
+func (l *linkTCP) handler(name string, info linkInfo, conn net.Conn, options linkOptions, incoming, force bool) error {
 	return l.links.create(
 		conn,     // connection
 		name,     // connection name
 		info,     // connection info
 		incoming, // not incoming
-		false,    // not forced
+		force,    // not forced
 		options,  // connection options
 	)
 }
--- a/src/core/link_tls.go
+++ b/src/core/link_tls.go
@ -69,7 +69,7 @@ func (l *linkTLS) dial(url *url.URL, options linkOptions, sintf, sni string) err
 	if err != nil {
 		return err
 	}
-	return l.handler(url.String(), info, conn, options, false)
+	return l.handler(url.String(), info, conn, options, false, false)
 }

 func (l *linkTLS) listen(url *url.URL, sintf string) (*Listener, error) {
@ -107,7 +107,7 @@ func (l *linkTLS) listen(url *url.URL, sintf string) (*Listener, error) {
 			addr := conn.RemoteAddr().(*net.TCPAddr)
 			name := fmt.Sprintf("tls://%s", addr)
 			info := linkInfoFor("tls", sintf, strings.SplitN(addr.IP.String(), "%", 2)[0])
-			if err = l.handler(name, info, conn, linkOptions{}, true); err != nil {
+			if err = l.handler(name, info, conn, linkOptions{}, true, addr.IP.IsLinkLocalUnicast()); err != nil {
 				l.core.log.Errorln("Failed to create inbound link:", err)
 			}
 		}
@ -165,6 +165,6 @@ func (l *linkTLS) generateConfig() (*tls.Config, error) {
 	}, nil
 }

-func (l *linkTLS) handler(name string, info linkInfo, conn net.Conn, options linkOptions, incoming bool) error {
-	return l.tcp.handler(name, info, conn, options, incoming)
+func (l *linkTLS) handler(name string, info linkInfo, conn net.Conn, options linkOptions, incoming, force bool) error {
+	return l.tcp.handler(name, info, conn, options, incoming, force)
 }