void/ZeroTierOne
2
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-06-05 03:53:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add a workaround for an edge case in TEE/REDIRECT if we are the inbound destination and teeing is only being done on the outbound side.

Browse source
This commit is contained in:
Adam Ierymenko 2016-12-22 18:06:35 -08:00
parent fe530548bb
commit 6b12d86209
1 changed files with 22 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
node/Network.cpp
View file

@ -178,6 +178,9 @@ static _doZtFilterResult _doZtFilter(
std::vector<std::string> dlog; std::vector<std::string> dlog;
#endif // ZT_RULES_ENGINE_DEBUGGING #endif // ZT_RULES_ENGINE_DEBUGGING
// Set to true if we are a TEE/REDIRECT/WATCH target
bool superAccept = false;
// The default match state for each set of entries starts as 'true' since an // The default match state for each set of entries starts as 'true' since an
// ACTION with no MATCH entries preceding it is always taken. // ACTION with no MATCH entries preceding it is always taken.
uint8_t thisSetMatches = 1; uint8_t thisSetMatches = 1;
@ -199,7 +202,7 @@ static _doZtFilterResult _doZtFilter(
#ifdef ZT_RULES_ENGINE_DEBUGGING #ifdef ZT_RULES_ENGINE_DEBUGGING
_dumpFilterTrace("ACTION_ACCEPT",thisSetMatches,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,(const char *)0); _dumpFilterTrace("ACTION_ACCEPT",thisSetMatches,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,(const char *)0);
#endif // ZT_RULES_ENGINE_DEBUGGING #endif // ZT_RULES_ENGINE_DEBUGGING
return DOZTFILTER_ACCEPT; // match, accept packet return (superAccept ? DOZTFILTER_SUPER_ACCEPT : DOZTFILTER_ACCEPT); // match, accept packet
// These are initially handled together since preliminary logic is common // These are initially handled together since preliminary logic is common
case ZT_NETWORK_RULE_ACTION_TEE: case ZT_NETWORK_RULE_ACTION_TEE:
@ -264,6 +267,22 @@ static _doZtFilterResult _doZtFilter(
continue; continue;
} }
} else { } else {
// If this is an incoming packet and we are a TEE or REDIRECT target, we should
// super-accept if we accept at all. This will cause us to accept redirected or
// tee'd packets in spite of MAC and ZT addressing checks.
if (inbound) {
switch(rt) {
case ZT_NETWORK_RULE_ACTION_TEE:
case ZT_NETWORK_RULE_ACTION_WATCH:
case ZT_NETWORK_RULE_ACTION_REDIRECT:
if (RR->identity.address() == rules[rn].v.fwd.address)
superAccept = true;
break;
default:
break;
}
}
#ifdef ZT_RULES_ENGINE_DEBUGGING #ifdef ZT_RULES_ENGINE_DEBUGGING
_dumpFilterTrace(_rtn(rt),thisSetMatches,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,(const char *)0); _dumpFilterTrace(_rtn(rt),thisSetMatches,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,(const char *)0);
dlog.clear(); dlog.clear();
@ -541,12 +560,12 @@ static _doZtFilterResult _doZtFilter(
thisRuleMatches = 0; thisRuleMatches = 0;
} }
} else { } else {
if (inbound) { if ((inbound)&&(!superAccept)) {
thisRuleMatches = 0; thisRuleMatches = 0;
FILTER_TRACE("%u %s %c remote tag %u not found -> 0 (inbound side is strict)",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.tag.id); FILTER_TRACE("%u %s %c remote tag %u not found -> 0 (inbound side is strict)",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.tag.id);
} else { } else {
thisRuleMatches = 1; thisRuleMatches = 1;
FILTER_TRACE("%u %s %c remote tag %u not found -> 1 (outbound side is not strict)",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.tag.id); FILTER_TRACE("%u %s %c remote tag %u not found -> 1 (outbound side and TEE/REDIRECT targets are not strict)",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.tag.id);
} }
} }
} else { } else {