Add regexp to limit which link-local IPv6 zones allow peering, and check that a peer isn't from within the networks address block (prevents accidental tunneling)

2025-11-04 11:15:07 +03:00 · 2018-01-09 02:08:54 -06:00 · 2018-01-09 02:08:54 -06:00 · ef1e0c902f
commit ef1e0c902f
parent b76fcbb402
4 changed files with 26 additions and 1 deletions
--- a/src/yggdrasil/core.go
+++ b/src/yggdrasil/core.go
@ -2,6 +2,7 @@ package yggdrasil

 import "io/ioutil"
 import "log"
+import "regexp"

 type Core struct {
 	// This is the main data structure that holds everything else for a node
@ -23,6 +24,7 @@ type Core struct {
 	tcp         *tcpInterface
 	udp         *udpInterface
 	log         *log.Logger
+	ifceExpr    *regexp.Regexp // the zone of link-local IPv6 peers must match this
 }

 func (c *Core) Init() {
--- a/src/yggdrasil/debug.go
+++ b/src/yggdrasil/debug.go
@ -11,6 +11,7 @@ import _ "golang.org/x/net/ipv6" // TODO put this somewhere better
 import "fmt"
 import "net"
 import "log"
+import "regexp"

 // Core

@ -334,6 +335,10 @@ func (c *Core) DEBUG_setLogger(log *log.Logger) {
 	c.log = log
 }

+func (c *Core) DEBUG_setIfceExpr(expr *regexp.Regexp) {
+	c.ifceExpr = expr
+}
+
 ////////////////////////////////////////////////////////////////////////////////

 func DEBUG_simLinkPeers(p, q *peer) {
--- a/src/yggdrasil/udp.go
+++ b/src/yggdrasil/udp.go
@ -281,6 +281,15 @@ func (iface *udpInterface) reader() {
 		msg := bs[:n]
 		addr := connAddr(udpAddr.String())
 		if udp_isKeys(msg) {
+			var them address
+			copy(them[:], udpAddr.IP.To16())
+			if them.isValid() {
+				continue
+			}
+			if udpAddr.IP.IsLinkLocalUnicast() &&
+				!iface.core.ifceExpr.MatchString(udpAddr.Zone) {
+				continue
+			}
 			iface.handleKeys(msg, addr)
 		} else {
 			iface.handlePacket(msg, addr)