diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
index 5b3ccb85c..4e7f371a4 100644
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@@ -1,6 +1,10 @@
ZeroTier Release Notes
======
+# 2021-09-21 -- Version 1.6.6
+
+ * Point release to back-port additional endpoint-side mitigations against vulnerability announced by Pulse Security.
+
# 2021-04-13 -- Version 1.6.5
* Fix a bug in potential network path filtering that could in some circumstances lead to "software laser" effects.
diff --git a/ext/installfiles/mac/ZeroTier One.pkgproj b/ext/installfiles/mac/ZeroTier One.pkgproj
index fcc1676c0..bcc461afb 100755
--- a/ext/installfiles/mac/ZeroTier One.pkgproj
+++ b/ext/installfiles/mac/ZeroTier One.pkgproj
@@ -689,7 +689,7 @@
USE_HFS+_COMPRESSION
VERSION
- 1.6.5
+ 1.6.6
TYPE
0
@@ -865,6 +865,13 @@
PROJECT_SETTINGS
+ ADVANCED_OPTIONS
+
+ installer-script.options:hostArchitectures
+
+ x86_64,arm64
+
+
BUILD_FORMAT
0
BUILD_PATH
diff --git a/osdep/ManagedRoute.cpp b/osdep/ManagedRoute.cpp
index 85f2c67c9..4c1214a66 100644
--- a/osdep/ManagedRoute.cpp
+++ b/osdep/ManagedRoute.cpp
@@ -250,14 +250,26 @@ static void _routeCmd(const char *op,const InetAddress &target,const InetAddress
char iptmp[64];
if (via) {
if ((ifscope)&&(ifscope[0])) {
+#ifdef ZT_TRACE
+ fprintf(stderr, "DEBUG: route %s -ifscope %s %s %s" ZT_EOL_S, ifscope,((target.ss_family == AF_INET6) ? "-inet6" : "-inet"),target.toString(ttmp),via.toIpString(iptmp));
+#endif
::execl(ZT_BSD_ROUTE_CMD,ZT_BSD_ROUTE_CMD,op,"-ifscope",ifscope,((target.ss_family == AF_INET6) ? "-inet6" : "-inet"),target.toString(ttmp),via.toIpString(iptmp),(const char *)0);
} else {
+#ifdef ZT_TRACE
+ fprintf(stderr, "DEBUG: route %s %s %s %s" ZT_EOL_S, op,((target.ss_family == AF_INET6) ? "-inet6" : "-inet"),target.toString(ttmp),via.toIpString(iptmp));
+#endif
::execl(ZT_BSD_ROUTE_CMD,ZT_BSD_ROUTE_CMD,op,((target.ss_family == AF_INET6) ? "-inet6" : "-inet"),target.toString(ttmp),via.toIpString(iptmp),(const char *)0);
}
} else if ((localInterface)&&(localInterface[0])) {
if ((ifscope)&&(ifscope[0])) {
+#ifdef ZT_TRACE
+ fprintf(stderr, "DEBUG: route %s -ifscope %s %s %s -interface %s" ZT_EOL_S, op, ifscope,((target.ss_family == AF_INET6) ? "-inet6" : "-inet"),target.toString(ttmp),localInterface);
+#endif
::execl(ZT_BSD_ROUTE_CMD,ZT_BSD_ROUTE_CMD,op,"-ifscope",ifscope,((target.ss_family == AF_INET6) ? "-inet6" : "-inet"),target.toString(ttmp),"-interface",localInterface,(const char *)0);
} else {
+#ifdef ZT_TRACE
+ fprintf(stderr, "DEBUG: route %s %s %s -interface %s" ZT_EOL_S, op,((target.ss_family == AF_INET6) ? "-inet6" : "-inet"),target.toString(ttmp),localInterface);
+#endif
::execl(ZT_BSD_ROUTE_CMD,ZT_BSD_ROUTE_CMD,op,((target.ss_family == AF_INET6) ? "-inet6" : "-inet"),target.toString(ttmp),"-interface",localInterface,(const char *)0);
}
}
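Review bot: The first trace line (the `via` plus `ifscope` branch) omits `op`: its format string has four `%s` and the argument list starts with `ifscope`, so the interface name is printed where the verb belongs and every later field shifts by one, unlike the other three trace lines. It should read `fprintf(stderr, "DEBUG: route %s -ifscope %s %s %s %s" ZT_EOL_S, op, ifscope,((target.ss_family == AF_INET6) ? "-inet6" : "-inet"),target.toString(ttmp),via.toIpString(iptmp));`. The argument count happens to match the conversions, so this is misleading output rather than a memory-safety problem, but a trace that misreports the route command is a poor aid when auditing what was changed in the routing table. _routeCmd's body starts and ends outside the hunk.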
@@ -393,9 +405,7 @@ ManagedRoute::ManagedRoute(const InetAddress &target,const InetAddress &via,cons
}
ManagedRoute::~ManagedRoute()
-{
- this->remove();
-}
+{}
/* Linux NOTE: for default route override, some Linux distributions will
* require a change to the rp_filter parameter. A value of '1' will prevent
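Review bot: With the destructor body now empty, destroying a ManagedRoute no longer withdraws the routes it installed, and nothing in the hunk records that change of contract. An owner that relied on destruction for cleanup would leave ZeroTier-managed routes in the system table after the object is gone; whether every caller invokes remove() explicitly cannot be seen from here. I would document it on the destructor, e.g. `// Does not remove routes: callers must call remove() explicitly before destroying the object.`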
@@ -427,6 +437,24 @@ bool ManagedRoute::sync()
#ifdef __BSD__ // ------------------------------------------------------------
+ if (_device[0]) {
+ bool haveDevice = false;
+ struct ifaddrs *ifa = (struct ifaddrs *)0;
+ if (!getifaddrs(&ifa)) {
+ struct ifaddrs *p = ifa;
+ while (p) {
+ if ((p->ifa_name)&&(!strcmp(_device, p->ifa_name))) {
+ haveDevice = true;
+ break;
+ }
+ p = p->ifa_next;
+ }
+ freeifaddrs(ifa);
+ }
+ if (!haveDevice)
+ return false;
+ }
+
// Find lowest metric system route that this route should override (if any)
InetAddress newSystemVia;
char newSystemDevice[128];
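Review bot: A failed getifaddrs() is handled the same way as a missing device: `haveDevice` stays false and sync() returns false with nothing to show which of the two happened. A comment above the block stating why the device must exist before any route is touched would help, e.g. `// Do not touch routes unless _device currently exists; an enumeration failure is treated as "absent".`, along with a ZT_TRACE line on the failure path. The check and the route commands that follow are not atomic, so the device can still disappear in between; that is presumably acceptable, but the comment should say the check is best-effort. sync() continues outside the hunk.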
@@ -471,23 +499,25 @@ bool ManagedRoute::sync()
if (_systemVia) {
_routeCmd("add",leftt,_systemVia,_systemDevice,(const char *)0);
- _routeCmd("change",leftt,_systemVia,_systemDevice,(const char *)0);
+ //_routeCmd("change",leftt,_systemVia,_systemDevice,(const char *)0);
if (rightt) {
_routeCmd("add",rightt,_systemVia,_systemDevice,(const char *)0);
- _routeCmd("change",rightt,_systemVia,_systemDevice,(const char *)0);
+ //_routeCmd("change",rightt,_systemVia,_systemDevice,(const char *)0);
}
}
}
if (!_applied.count(leftt)) {
- _applied[leftt] = false; // not ifscoped
+ _applied[leftt] = !_via;
+ _routeCmd("delete",leftt,_via,(const char *)0,(_via) ? (const char *)0 : _device);
_routeCmd("add",leftt,_via,(const char *)0,(_via) ? (const char *)0 : _device);
- _routeCmd("change",leftt,_via,(const char *)0,(_via) ? (const char *)0 : _device);
+ //_routeCmd("change",leftt,_via,(const char *)0,(_via) ? (const char *)0 : _device);
}
if ((rightt)&&(!_applied.count(rightt))) {
- _applied[rightt] = false; // not ifscoped
+ _applied[rightt] = !_via;
+ _routeCmd("delete",rightt,_via,(const char *)0,(_via) ? (const char *)0 : _device);
_routeCmd("add",rightt,_via,(const char *)0,(_via) ? (const char *)0 : _device);
- _routeCmd("change",rightt,_via,(const char *)0,(_via) ? (const char *)0 : _device);
+ //_routeCmd("change",rightt,_via,(const char *)0,(_via) ? (const char *)0 : _device);
}
#endif // __BSD__ ------------------------------------------------------------
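Review bot: In the `leftt` and `rightt` blocks, `_applied[...] = !_via` is recorded before the new `delete`/`add` pair runs, and `_routeCmd` returns void, so a failed `add` leaves the target without the managed route while `_applied` says it is installed and later sync() calls skip it. Replacing `change` with `delete` then `add` also opens a short interval with no route for the target, during which traffic may follow a less specific route; that is inferred from the command order and should be confirmed. The old `// not ifscoped` comment was dropped, so the meaning of the stored bool is now undocumented; please add a comment stating what `!_via` encodes for remove(). The four commented-out `change` calls should be deleted rather than kept, with a one-line comment explaining why delete-then-add is used instead.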
@@ -566,4 +596,4 @@ void ManagedRoute::remove()
_applied.clear();
}
-} // namespace ZeroTier
\ No newline at end of file
+} // namespace ZeroTier
diff --git a/version.h b/version.h
index d6c2612e0..81286f557 100644
--- a/version.h
+++ b/version.h
@@ -27,7 +27,7 @@
/**
* Revision
*/
-#define ZEROTIER_ONE_VERSION_REVISION 5
+#define ZEROTIER_ONE_VERSION_REVISION 6
/**
* Build version