Home Explore Help
Sign In
cpp
/
ZeroTierOne
mirror of https://github.com/zerotier/ZeroTierOne
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Always use HELLO to contact, and we now confirm newly learned paths via a two-way handshake to prevent half-connects.

Adam Ierymenko 10 years ago
parent
eae2c89b09
commit
24608d5ca3
3 changed files with 88 additions and 56 deletions
Split View Show Diff Stats
  1. 65 24
      node/Peer.cpp
  2. 13 0
      node/Peer.hpp
  3. 10 32
      node/Switch.cpp

+ 65 - 24
node/Peer.cpp
View File 

@@ -25,6 +25,8 @@
 
  * LLC. Start here: http://www.zerotier.com/
 
  */
 
 
+#include "../version.h"
 
+
 
 #include "Constants.hpp"
 
 #include "Peer.hpp"
 
 #include "Node.hpp"
 
@@ -68,38 +70,48 @@ void Peer::received(
 
 	_lastReceive = now;
 
 
 	if (!hops) {
 
+		bool pathIsConfirmed = false;
 
+
 
 		/* Learn new paths from direct (hops == 0) packets */
 
 		{
 
 			unsigned int np = _numPaths;
 
-
 
-			bool havePath = false;
 
 			for(unsigned int p=0;p<np;++p) {
 
 				if (_paths[p].address() == remoteAddr) {
 
 					_paths[p].received(now,linkDesperation);
 
-					havePath = true;
 
+					pathIsConfirmed = true;
 
 					break;
 
 				}
 
 			}
 
 
-			if (!havePath) {
 
-				Path *slot = (Path *)0;
 
-				if (np < ZT_PEER_MAX_PATHS) {
 
-					// Add new path
 
-					slot = &(_paths[np++]);
 
-				} else {
 
-					// Replace oldest non-fixed path
 
-					uint64_t slotLRmin = 0xffffffffffffffffULL;
 
-					for(unsigned int p=0;p<ZT_PEER_MAX_PATHS;++p) {
 
-						if ((!_paths[p].fixed())&&(_paths[p].lastReceived() <= slotLRmin)) {
 
-							slotLRmin = _paths[p].lastReceived();
 
-							slot = &(_paths[p]);
 
+			if (!pathIsConfirmed) {
 
+				if ((verb == Packet::VERB_OK)&&(inReVerb == Packet::VERB_HELLO)) {
 
+					// Learn paths if they've been confirmed via a HELLO
 
+					Path *slot = (Path *)0;
 
+					if (np < ZT_PEER_MAX_PATHS) {
 
+						// Add new path
 
+						slot = &(_paths[np++]);
 
+					} else {
 
+						// Replace oldest non-fixed path
 
+						uint64_t slotLRmin = 0xffffffffffffffffULL;
 
+						for(unsigned int p=0;p<ZT_PEER_MAX_PATHS;++p) {
 
+							if ((!_paths[p].fixed())&&(_paths[p].lastReceived() <= slotLRmin)) {
 
+								slotLRmin = _paths[p].lastReceived();
 
+								slot = &(_paths[p]);
 
+							}
 
 						}
 
 					}
 
-				}
 
-				if (slot) {
 
-					slot->init(remoteAddr,false);
 
-					slot->received(now,linkDesperation);
 
-					_numPaths = np;
 
+					if (slot) {
 
+						slot->init(remoteAddr,false);
 
+						slot->received(now,linkDesperation);
 
+						_numPaths = np;
 
+						pathIsConfirmed = true;
 
+					}
 
+				} else {
 
+					/* If this path is not known, send a HELLO. We don't learn
 
+					 * paths without confirming that a bidirectional link is in
 
+					 * fact present, but any packet that decodes and authenticates
 
+					 * correctly is considered valid. */
 
+					attemptToContactAt(RR,remoteAddr,linkDesperation,now);
 
 				}
 
 			}
 
 		}
 
@@ -107,7 +119,7 @@ void Peer::received(
 
 		/* Announce multicast groups of interest to direct peers if they are
 
 		 * considered authorized members of a given network. Also announce to
 
 		 * supernodes and network controllers. */
 
-		if ((now - _lastAnnouncedTo) >= ((ZT_MULTICAST_LIKE_EXPIRE / 2) - 1000)) {
 
+		if ((pathIsConfirmed)&&((now - _lastAnnouncedTo) >= ((ZT_MULTICAST_LIKE_EXPIRE / 2) - 1000))) {
 
 			_lastAnnouncedTo = now;
 
 
 			const bool isSupernode = RR->topology->isSupernode(_id.address());
 
@@ -144,6 +156,37 @@ void Peer::received(
 
 		_lastMulticastFrame = now;
 
 }
 
 
+void Peer::attemptToContactAt(const RuntimeEnvironment *RR,const InetAddress &atAddress,unsigned int linkDesperation,uint64_t now)
 
+{
 
+	Packet outp(_id.address(),RR->identity.address(),Packet::VERB_HELLO);
 
+	outp.append((unsigned char)ZT_PROTO_VERSION);
 
+	outp.append((unsigned char)ZEROTIER_ONE_VERSION_MAJOR);
 
+	outp.append((unsigned char)ZEROTIER_ONE_VERSION_MINOR);
 
+	outp.append((uint16_t)ZEROTIER_ONE_VERSION_REVISION);
 
+	outp.append(now);
 
+
 
+	RR->identity.serialize(outp,false);
 
+
 
+	switch(atAddress.ss_family) {
 
+		case AF_INET:
 
+			outp.append((unsigned char)ZT_PROTO_DEST_ADDRESS_TYPE_IPV4);
 
+			outp.append(atAddress.rawIpData(),4);
 
+			outp.append((uint16_t)atAddress.port());
 
+			break;
 
+		case AF_INET6:
 
+			outp.append((unsigned char)ZT_PROTO_DEST_ADDRESS_TYPE_IPV6);
 
+			outp.append(atAddress.rawIpData(),16);
 
+			outp.append((uint16_t)atAddress.port());
 
+			break;
 
+		default:
 
+			outp.append((unsigned char)ZT_PROTO_DEST_ADDRESS_TYPE_NONE);
 
+			break;
 
+	}
 
+
 
+	outp.armor(_key,false); // HELLO is sent in the clear
 
+	RR->node->putPacket(atAddress,outp.data(),outp.size(),linkDesperation);
 
+}
 
+
 
 void Peer::addPath(const Path &newp)
 
 {
 
 	unsigned int np = _numPaths;
 
@@ -200,9 +243,7 @@ void Peer::resetWithinScope(const RuntimeEnvironment *RR,InetAddress::IpScope sc
 
 	while (x < np) {
 
 		if (_paths[x].address().ipScope() == scope) {
 
 			if (_paths[x].fixed()) {
 
-				Packet outp(_id.address(),RR->identity.address(),Packet::VERB_NOP);
 
-				outp.armor(_key,false);
 
-				RR->node->putPacket(_paths[x].address(),outp.data(),outp.size(),_paths[x].desperation(now));
 
+				attemptToContactAt(RR,_paths[x].address(),_paths[x].desperation(now),now);
 
 				_paths[y++] = _paths[x]; // keep fixed paths
 
 			}
 
 		} else {

+ 13 - 0
node/Peer.hpp
View File 

@@ -169,6 +169,19 @@ public:
 
 		return (Path *)0;
 
 	}
 
 
+	/**
 
+	 * Send a HELLO to this peer at a specified physical address
 
+	 *
 
+	 * This does not update any statistics. It's used to send initial HELLOs
 
+	 * for NAT traversal and path verification.
 
+	 *
 
+	 * @param RR Runtime environment
 
+	 * @param atAddress Destination address
 
+	 * @param linkDesperation Link desperation
 
+	 * @param now Current time
 
+	 */
 
+	void attemptToContactAt(const RuntimeEnvironment *RR,const InetAddress &atAddress,unsigned int linkDesperation,uint64_t now);
 
+
 
 	/**
 
 	 * @return All known direct paths to this peer
 
 	 */

+ 10 - 32
node/Switch.cpp
View File 

@@ -265,20 +265,6 @@ void Switch::send(const Packet &packet,bool encrypt)
 
 	}
 
 }
 
 
-#if 0
 
-void Switch::sendHELLO(const Address &dest)
 
-{
 
-	Packet outp(dest,RR->identity.address(),Packet::VERB_HELLO);
 
-	outp.append((unsigned char)ZT_PROTO_VERSION);
 
-	outp.append((unsigned char)ZEROTIER_ONE_VERSION_MAJOR);
 
-	outp.append((unsigned char)ZEROTIER_ONE_VERSION_MINOR);
 
-	outp.append((uint16_t)ZEROTIER_ONE_VERSION_REVISION);
 
-	outp.append(Utils::now());
 
-	RR->identity.serialize(outp,false);
 
-	send(outp,false);
 
-}
 
-#endif
 
-
 
 bool Switch::unite(const Address &p1,const Address &p2,bool force)
 
 {
 
 	if ((p1 == RR->identity.address())||(p2 == RR->identity.address()))
 
@@ -370,19 +356,10 @@ bool Switch::unite(const Address &p1,const Address &p2,bool force)
 
 void Switch::contact(const SharedPtr<Peer> &peer,const InetAddress &atAddr,unsigned int maxDesperation)
 
 {
 
 	TRACE("sending NAT-t message to %s(%s)",peer->address().toString().c_str(),atAddr.toString().c_str());
 
+	const uint64_t now = RR->node->now();
 
 
-	uint64_t now = RR->node->now();
 
-
 
-	Packet outp(peer->address(),RR->identity.address(),Packet::VERB_NOP);
 
-	outp.armor(peer->key(),false);
 
-
 
-	/* Note that we don't log this as a "sent" packet or send it via the peer's
 
-	 * normal send() path. That's because this is a trial packet to an
 
-	 * unconfirmed address.
 
-	 *
 
-	 * First attempt is always at desperation zero. Then we escalate to max
 
-	 * before escalating through other NAT-t strategies. */
 
-	RR->node->putPacket(atAddr,outp.data(),outp.size(),0);
 
+	// Attempt to contact at zero desperation first
 
+	peer->attemptToContactAt(RR,atAddr,0,now);
 
 
 	// If we have not punched through after this timeout, open refreshing can of whupass
 
 	{
 
@@ -454,14 +431,13 @@ unsigned long Switch::doTimerTasks()
 
 				} else {
 
 					// Nope, nothing yet. Time to kill some kittens.
 
 
-					Packet outp(qi->peer->address(),RR->identity.address(),Packet::VERB_NOP);
 
-					outp.armor(qi->peer->key(),false);
 
-
 
 					switch(qi->strategyIteration++) {
 
+
 
 						case 0: {
 
 							// First strategy: rifle method: direct packet to known port
 
-							RR->node->putPacket(qi->inaddr,outp.data(),outp.size(),qi->currentDesperation);
 
+							qi->peer->attemptToContactAt(RR,qi->inaddr,qi->currentDesperation,now);
 
 						}	break;
 
+
 
 						case 1: {
 
 							// Second strategy: shotgun method up: try a few ports above
 
 							InetAddress tmpaddr(qi->inaddr);
 
@@ -469,9 +445,10 @@ unsigned long Switch::doTimerTasks()
 
 							for(int i=0;i<9;++i) {
 
 								if (++p > 0xffff) break;
 
 								tmpaddr.setPort((unsigned int)p);
 
-								RR->node->putPacket(tmpaddr,outp.data(),outp.size(),qi->currentDesperation);
 
+								qi->peer->attemptToContactAt(RR,tmpaddr,qi->currentDesperation,now);
 
 							}
 
 						}	break;
 
+
 
 						case 2: {
 
 							// Third strategy: shotgun method down: try a few ports below
 
 							InetAddress tmpaddr(qi->inaddr);
 
@@ -479,7 +456,7 @@ unsigned long Switch::doTimerTasks()
 
 							for(int i=0;i<3;++i) {
 
 								if (--p < 1024) break;
 
 								tmpaddr.setPort((unsigned int)p);
 
-								RR->node->putPacket(tmpaddr,outp.data(),outp.size(),qi->currentDesperation);
 
+								qi->peer->attemptToContactAt(RR,tmpaddr,qi->currentDesperation,now);
 
 							}
 
 
 							// Escalate link desperation after all strategies attempted
 
@@ -493,6 +470,7 @@ unsigned long Switch::doTimerTasks()
 
 								qi->strategyIteration = 0;
 
 							}
 
 						}	break;
 
+
 
 					}
 
 
 					qi->fireAtTime = now + ZT_NAT_T_TACTICAL_ESCALATION_DELAY;