Skip to content

Commit

Permalink
remove session firewall, this can't prevent memory use so it's better…
Browse files Browse the repository at this point in the history
… to just use OS native tools
  • Loading branch information
Arceliar committed Jun 6, 2021
1 parent 838bca0 commit e7da3d7
Show file tree
Hide file tree
Showing 5 changed files with 3 additions and 100 deletions.
60 changes: 0 additions & 60 deletions cmd/yggdrasil/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -281,7 +281,6 @@ func main() {
n.admin = &admin.AdminSocket{}
n.multicast = &multicast.Multicast{}
n.tuntap = &tuntap.TunAdapter{}
n.tuntap.SetSessionGatekeeper(n.sessionFirewall)
// Start the admin socket
if err := n.admin.Init(&n.core, cfg, logger, nil); err != nil {
logger.Errorln("An error occurred initialising admin socket:", err)
Expand Down Expand Up @@ -326,62 +325,3 @@ func (n *node) shutdown() {
_ = n.tuntap.Stop()
n.core.Stop()
}

func (n *node) sessionFirewall(pubkey ed25519.PublicKey, initiator bool) bool {
n.config.RLock()
defer n.config.RUnlock()

// Allow by default if the session firewall is disabled
if !n.config.SessionFirewall.Enable {
return true
}

// Reject blacklisted nodes
for _, b := range n.config.SessionFirewall.BlacklistPublicKeys {
key, err := hex.DecodeString(b)
if err == nil {
if bytes.Equal(key, pubkey) {
return false
}
}
}

// Allow whitelisted nodes
for _, b := range n.config.SessionFirewall.WhitelistPublicKeys {
key, err := hex.DecodeString(b)
if err == nil {
if bytes.Equal(key, pubkey) {
return true
}
}
}

// Allow outbound sessions if appropriate
if n.config.SessionFirewall.AlwaysAllowOutbound {
if initiator {
return true
}
}

// Look and see if the pubkey is that of a direct peer
var isDirectPeer bool
for _, peer := range n.core.GetPeers() {
if bytes.Equal(peer.Key[:], pubkey[:]) {
isDirectPeer = true
break
}
}

// Allow direct peers if appropriate
if n.config.SessionFirewall.AllowFromDirect && isDirectPeer {
return true
}

// Allow remote nodes if appropriate
if n.config.SessionFirewall.AllowFromRemote && !isDirectPeer {
return true
}

// Finally, default-deny if not matching any of the above rules
return false
}
15 changes: 0 additions & 15 deletions src/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,21 +40,10 @@ type NodeConfig struct {
LinkLocalTCPPort uint16 `comment:"The port number to be used for the link-local TCP listeners for the\nconfigured MulticastInterfaces. This option does not affect listeners\nspecified in the Listen option. Unless you plan to firewall link-local\ntraffic, it is best to leave this as the default value of 0. This\noption cannot currently be changed by reloading config during runtime."`
IfName string `comment:"Local network interface name for TUN adapter, or \"auto\" to select\nan interface automatically, or \"none\" to run without TUN."`
IfMTU uint64 `comment:"Maximum Transmission Unit (MTU) size for your local TUN interface.\nDefault is the largest supported size for your platform. The lowest\npossible value is 1280."`
SessionFirewall SessionFirewall `comment:"The session firewall controls who can send/receive network traffic\nto/from. This is useful if you want to protect this node without\nresorting to using a real firewall. This does not affect traffic\nbeing routed via this node to somewhere else. Rules are prioritised as\nfollows: blacklist, whitelist, always allow outgoing, direct, remote."`
NodeInfoPrivacy bool `comment:"By default, nodeinfo contains some defaults including the platform,\narchitecture and Yggdrasil version. These can help when surveying\nthe network and diagnosing network routing problems. Enabling\nnodeinfo privacy prevents this, so that only items specified in\n\"NodeInfo\" are sent back if specified."`
NodeInfo map[string]interface{} `comment:"Optional node info. This must be a { \"key\": \"value\", ... } map\nor set as null. This is entirely optional but, if set, is visible\nto the whole network on request."`
}

// SessionFirewall controls the session firewall configuration.
type SessionFirewall struct {
Enable bool `comment:"Enable or disable the session firewall. If disabled, network traffic\nfrom any node will be allowed. If enabled, the below rules apply."`
AllowFromDirect bool `comment:"Allow network traffic from directly connected peers."`
AllowFromRemote bool `comment:"Allow network traffic from remote nodes on the network that you are\nnot directly peered with."`
AlwaysAllowOutbound bool `comment:"Allow outbound network traffic regardless of AllowFromDirect or\nAllowFromRemote. This does allow a remote node to send unsolicited\ntraffic back to you for the length of the session."`
WhitelistPublicKeys []string `comment:"List of public keys from which network traffic is always accepted,\nregardless of AllowFromDirect or AllowFromRemote."`
BlacklistPublicKeys []string `comment:"List of public keys from which network traffic is always rejected,\nregardless of the whitelist, AllowFromDirect or AllowFromRemote."`
}

// Generates default configuration and returns a pointer to the resulting
// NodeConfig. This is used when outputting the -genconf parameter and also when
// using -autoconf.
Expand All @@ -76,10 +65,6 @@ func GenerateConfig() *NodeConfig {
cfg.MulticastInterfaces = defaults.GetDefaults().DefaultMulticastInterfaces
cfg.IfName = defaults.GetDefaults().DefaultIfName
cfg.IfMTU = defaults.GetDefaults().DefaultIfMTU
cfg.SessionFirewall.Enable = false
cfg.SessionFirewall.AllowFromDirect = true
cfg.SessionFirewall.AllowFromRemote = true
cfg.SessionFirewall.AlwaysAllowOutbound = true
cfg.NodeInfoPrivacy = false

return &cfg
Expand Down
3 changes: 0 additions & 3 deletions src/tuntap/iface.go
Original file line number Diff line number Diff line change
Expand Up @@ -116,9 +116,6 @@ func (tun *TunAdapter) write() {
continue // bad local address/subnet
}
info := tun.store.update(ed25519.PublicKey(from.(iwt.Addr)))
if info == nil {
continue // Blocked by the gatekeeper
}
if srcAddr != info.address && srcSubnet != info.subnet {
continue // bad remote address/subnet
}
Expand Down
12 changes: 0 additions & 12 deletions src/tuntap/keystore.go
Original file line number Diff line number Diff line change
Expand Up @@ -113,18 +113,6 @@ func (k *keyStore) update(key ed25519.PublicKey) *keyInfo {
info.key = kArray
info.address = *address.AddrForKey(ed25519.PublicKey(info.key[:]))
info.subnet = *address.SubnetForKey(ed25519.PublicKey(info.key[:]))
var isOutgoing bool
if k.addrBuffer[info.address] != nil {
isOutgoing = true
}
if k.subnetBuffer[info.subnet] != nil {
isOutgoing = true
}
if !k.tun.gatekeeper(key, isOutgoing) {
// Blocked by the gatekeeper, so don't create an entry for this
k.mutex.Unlock()
return nil
}
k.keyToInfo[info.key] = info
k.addrToInfo[info.address] = info
k.subnetToInfo[info.subnet] = info
Expand Down
13 changes: 3 additions & 10 deletions src/tuntap/tun.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,16 +43,9 @@ type TunAdapter struct {
iface tun.Device
phony.Inbox // Currently only used for _handlePacket from the reader, TODO: all the stuff that currently needs a mutex below
//mutex sync.RWMutex // Protects the below
isOpen bool
isEnabled bool // Used by the writer to drop sessionTraffic if not enabled
gatekeeper func(pubkey ed25519.PublicKey, initiator bool) bool
proto protoHandler
}

func (tun *TunAdapter) SetSessionGatekeeper(gatekeeper func(pubkey ed25519.PublicKey, initiator bool) bool) {
phony.Block(tun, func() {
tun.gatekeeper = gatekeeper
})
isOpen bool
isEnabled bool // Used by the writer to drop sessionTraffic if not enabled
proto protoHandler
}

// Gets the maximum supported MTU for the platform based on the defaults in
Expand Down

0 comments on commit e7da3d7

Please sign in to comment.