Work in progress...

node/CertificateOfMembership.hpp

@@ -163,6 +163,15 @@ public:
 		deserialize(b,startAt);
 	}
 
+	/**
+	 * @return True if there's something here
+	 */
+	inline operator bool() const
+		throw()
+	{
+		return (_qualifiers.size() != 0);
+	}
+
 	/**
 	 * Check for presence of all required fields common to all networks
 	 *

node/Network.cpp

@@ -30,23 +30,17 @@
 #include <stdlib.h>
 #include <math.h>
 
-#include <algorithm>
-
-#include "Constants.hpp"
+#include "Network.hpp"
 #include "RuntimeEnvironment.hpp"
 #include "NodeConfig.hpp"
-#include "Network.hpp"
 #include "Switch.hpp"
 #include "Packet.hpp"
-#include "Utils.hpp"
 #include "Buffer.hpp"
 
 #define ZT_NETWORK_CERT_WRITE_BUF_SIZE 524288
 
 namespace ZeroTier {
 
-const Network::MulticastRates::Rate Network::MulticastRates::GLOBAL_DEFAULT_RATE(65535,65535,64);
-
 const char *Network::statusString(const Status s)
 	throw()
 {
@@ -73,7 +67,6 @@ Network::~Network()
 }
 
 SharedPtr<Network> Network::newInstance(const RuntimeEnvironment *renv,uint64_t id)
-	throw(std::runtime_error)
 {
 	// Tag to identify tap device -- used on some OSes like Windows
 	char tag[32];
@@ -85,59 +78,35 @@ SharedPtr<Network> Network::newInstance(const RuntimeEnvironment *renv,uint64_t
 	// that then causes the Network instance to be deleted before it is finished
 	// being constructed. C++ edge cases, how I love thee.
 	SharedPtr<Network> nw(new Network());
+	nw->_id = id;
 	nw->_ready = false; // disable handling of Ethernet frames during construct
 	nw->_r = renv;
 	nw->_tap = new EthernetTap(renv,tag,renv->identity.address().toMAC(),ZT_IF_MTU,&_CBhandleTapData,nw.ptr());
-	nw->_isOpen = false;
-	nw->_emulateArp = false;
-	nw->_emulateNdp = false;
-	nw->_arpCacheTtl = 0;
-	nw->_ndpCacheTtl = 0;
-	nw->_multicastPrefixBits = ZT_DEFAULT_MULTICAST_PREFIX_BITS;
-	nw->_multicastDepth = ZT_DEFAULT_MULTICAST_DEPTH;
-	nw->_status = NETWORK_WAITING_FOR_FIRST_AUTOCONF;
-	memset(nw->_etWhitelist,0,sizeof(nw->_etWhitelist));
-	nw->_id = id;
 	nw->_lastConfigUpdate = 0;
+	nw->_status = NETWORK_WAITING_FOR_FIRST_AUTOCONF;
 	nw->_destroyOnDelete = false;
 	if (nw->controller() == renv->identity.address()) // netconf masters can't really join networks
 		throw std::runtime_error("cannot join a network for which I am the netconf master");
 	nw->_restoreState();
 	nw->_ready = true; // enable handling of Ethernet frames
 	nw->requestConfiguration();
+
 	return nw;
 }
 
-void Network::setConfiguration(const Network::Config &conf,bool saveToDisk)
+void Network::setConfiguration(const Dictionary &conf,bool saveToDisk)
 {
-	Mutex::Lock _l(_lock);
 	try {
-		if (conf.networkId() == _id) { // sanity check
-			_configuration = conf;
-
-			// Grab some things from conf for faster lookup and memoize them
-			_myCertificate = conf.certificateOfMembership();
-			_mcRates = conf.multicastRates();
-			_staticAddresses = conf.staticAddresses();
-			_isOpen = conf.isOpen();
-			_emulateArp = conf.emulateArp();
-			_emulateNdp = conf.emulateNdp();
-			_arpCacheTtl = conf.arpCacheTtl();
-			_ndpCacheTtl = conf.ndpCacheTtl();
-			_multicastPrefixBits = conf.multicastPrefixBits();
-			_multicastDepth = conf.multicastDepth();
+		SharedPtr<NetworkConfig> newConfig(new NetworkConfig(conf));
+		if ((newConfig->networkId() == _id)&&(newConfig->issuedTo() == _r->identity.address())) {
+			Mutex::Lock _l(_lock);
+			_config = newConfig;
 
-			_lastConfigUpdate = Utils::now();
-
-			_tap->setIps(_staticAddresses);
-			_tap->setDisplayName((std::string("ZeroTier One [") + conf.name() + "]").c_str());
-
-			// Expand ethertype whitelist into fast-lookup bit field (more memoization)
-			memset(_etWhitelist,0,sizeof(_etWhitelist));
-			std::set<unsigned int> wl(conf.etherTypes());
-			for(std::set<unsigned int>::const_iterator t(wl.begin());t!=wl.end();++t)
-				_etWhitelist[*t / 8] |= (unsigned char)(1 << (*t % 8));
+			if (newConfig->staticIps().size())
+				_tap->setIps(newConfig->staticIps());
+			_tap->setDisplayName((std::string("ZeroTier One [") + newConfig->name() + "]").c_str());
 
+			_lastConfigUpdate = Utils::now();
 			_status = NETWORK_OK;
 
 			if (saveToDisk) {
@@ -146,23 +115,13 @@ void Network::setConfiguration(const Network::Config &conf,bool saveToDisk)
 					LOG("error: unable to write network configuration file at: %s",confPath.c_str());
 				}
 			}
+		} else {
+			LOG("ignored invalid configuration for network %.16llx (configuration contains mismatched network ID or issued-to address)",(unsigned long long)_id);
 		}
+	} catch (std::exception &exc) {
+		LOG("ignored invalid configuration for network %.16llx (%s)",(unsigned long long)_id,exc.what());
 	} catch ( ... ) {
-		// If conf is invalid, reset everything
-		_configuration = Config();
-
-		_myCertificate = CertificateOfMembership();
-		_mcRates = MulticastRates();
-		_staticAddresses.clear();
-		_isOpen = false;
-		_emulateArp = false;
-		_emulateNdp = false;
-		_arpCacheTtl = 0;
-		_ndpCacheTtl = 0;
-		_status = NETWORK_WAITING_FOR_FIRST_AUTOCONF;
-
-		_lastConfigUpdate = 0;
-		LOG("unexpected exception handling config for network %.16llx, retrying fetch...",(unsigned long long)_id);
+		LOG("ignored invalid configuration for network %.16llx (unknown exception)",(unsigned long long)_id);
 	}
 }
 
@@ -196,15 +155,18 @@ void Network::addMembershipCertificate(const CertificateOfMembership &cert)
 
 bool Network::isAllowed(const Address &peer) const
 {
-	// Exceptions can occur if we do not yet have *our* configuration.
 	try {
 		Mutex::Lock _l(_lock);
-		if (_isOpen)
-			return true; // network is public
+
+		if (!_config)
+			return false;
+		if (_config->isOpen())
+			return true;
+
 		std::map<Address,CertificateOfMembership>::const_iterator pc(_membershipCertificates.find(peer));
 		if (pc == _membershipCertificates.end())
 			return false; // no certificate on file
-		return _myCertificate.agreesWith(pc->second); // is other cert valid against ours?
+		return _config->com().agreesWith(pc->second); // is other cert valid against ours?
 	} catch (std::exception &exc) {
 		TRACE("isAllowed() check failed for peer %s: unexpected exception: %s",peer.toString().c_str(),exc.what());
 	} catch ( ... ) {
@@ -216,22 +178,21 @@ bool Network::isAllowed(const Address &peer) const
 void Network::clean()
 {
 	Mutex::Lock _l(_lock);
-	uint64_t timestampMaxDelta = _myCertificate.timestampMaxDelta();
-	if (_isOpen) {
+	if ((_config)&&(_config->isOpen())) {
 		// Open (public) networks do not track certs or cert pushes at all.
 		_membershipCertificates.clear();
 		_lastPushedMembershipCertificate.clear();
-	} else if (timestampMaxDelta) {
+	} else if (_config) {
 		// Clean certificates that are no longer valid from the cache.
 		for(std::map<Address,CertificateOfMembership>::iterator c=(_membershipCertificates.begin());c!=_membershipCertificates.end();) {
-			if (_myCertificate.agreesWith(c->second))
+			if (_config->com().agreesWith(c->second))
 				++c;
 			else _membershipCertificates.erase(c++);
 		}
 
 		// Clean entries from the last pushed tracking map if they're so old as
 		// to be no longer relevant.
-		uint64_t forgetIfBefore = Utils::now() - (timestampMaxDelta * 3);
+		uint64_t forgetIfBefore = Utils::now() - (_config->com().timestampMaxDelta() * 3ULL);
 		for(std::map<Address,uint64_t>::iterator lp(_lastPushedMembershipCertificate.begin());lp!=_lastPushedMembershipCertificate.end();) {
 			if (lp->second < forgetIfBefore)
 				_lastPushedMembershipCertificate.erase(lp++);
@@ -260,7 +221,7 @@ void Network::_CBhandleTapData(void *arg,const MAC &from,const MAC &to,unsigned
 
 void Network::_pushMembershipCertificate(const Address &peer,bool force,uint64_t now)
 {
-	uint64_t timestampMaxDelta = _myCertificate.timestampMaxDelta();
+	uint64_t timestampMaxDelta = _config->com().timestampMaxDelta();
 	if (!timestampMaxDelta)
 		return; // still waiting on my own cert
 
@@ -269,7 +230,7 @@ void Network::_pushMembershipCertificate(const Address &peer,bool force,uint64_t
 		lastPushed = now;
 
 		Packet outp(peer,_r->identity.address(),Packet::VERB_NETWORK_MEMBERSHIP_CERTIFICATE);
-		_myCertificate.serialize(outp);
+		_config->com().serialize(outp);
 		_r->sw->send(outp,true);
 	}
 }
@@ -291,7 +252,7 @@ void Network::_restoreState()
 		if (Utils::readFile(confPath.c_str(),confs)) {
 			try {
 				if (confs.length())
-					setConfiguration(Config(confs),false);
+					setConfiguration(Dictionary(confs),false);
 			} catch ( ... ) {} // ignore invalid config on disk, we will re-request from netconf master
 		} else {
 			// If the conf file isn't present, "touch" it so we'll remember
@@ -303,7 +264,7 @@ void Network::_restoreState()
 	}
 
 	// Read most recent multicast cert dump
-	if ((!_isOpen)&&(Utils::fileExists(mcdbPath.c_str()))) {
+	if ((_config)&&(!_config->isOpen())&&(Utils::fileExists(mcdbPath.c_str()))) {
 		CertificateOfMembership com;
 		Mutex::Lock _l(_lock);
 
@@ -314,10 +275,10 @@ void Network::_restoreState()
 			try {
 				char magic[6];
 				if ((fread(magic,6,1,mcdb) == 1)&&(!memcmp("ZTMCD0",magic,6))) {
-					for(;;) {
+					long rlen = 0;
+					do {
 						long rlen = (long)fread(buf.data() + buf.size(),1,ZT_NETWORK_CERT_WRITE_BUF_SIZE - buf.size(),mcdb);
-						if (rlen <= 0)
-							break;
+						if (rlen < 0) rlen = 0;
 						buf.setSize(buf.size() + (unsigned int)rlen);
 						unsigned int ptr = 0;
 						while ((ptr < (ZT_NETWORK_CERT_WRITE_BUF_SIZE / 2))&&(ptr < buf.size())) {
@@ -329,7 +290,7 @@ void Network::_restoreState()
 							memmove(buf.data(),buf.data() + ptr,buf.size() - ptr);
 							buf.setSize(buf.size() - ptr);
 						}
-					}
+					} while (rlen > 0);
 					fclose(mcdb);
 				} else {
 					fclose(mcdb);
@@ -351,7 +312,10 @@ void Network::_dumpMulticastCerts()
 	std::string mcdbPath(_r->homePath + ZT_PATH_SEPARATOR_S + "networks.d" + ZT_PATH_SEPARATOR_S + idString() + ".mcerts");
 	Mutex::Lock _l(_lock);
 
-	if ((!_id)||(_isOpen)) {
+	if (!_config)
+		return;
+
+	if ((!_id)||(_config->isOpen())) {
 		Utils::rm(mcdbPath);
 		return;
 	}

node/Network.hpp

@@ -38,6 +38,7 @@
 #include <stdexcept>
 
 #include "Constants.hpp"
+#include "NonCopyable.hpp"
 #include "Utils.hpp"
 #include "EthernetTap.hpp"
 #include "Address.hpp"
@@ -45,12 +46,12 @@
 #include "SharedPtr.hpp"
 #include "AtomicCounter.hpp"
 #include "MulticastGroup.hpp"
-#include "NonCopyable.hpp"
 #include "MAC.hpp"
 #include "Dictionary.hpp"
 #include "Identity.hpp"
 #include "InetAddress.hpp"
 #include "BandwidthAccount.hpp"
+#include "NetworkConfig.hpp"
 #include "CertificateOfMembership.hpp"
 
 namespace ZeroTier {
@@ -68,320 +69,43 @@ class NodeConfig;
  * node.
  *
  * Open networks do not track membership. Anyone is allowed to communicate
- * over them.
- *
- * Closed networks track membership by way of timestamped signatures. When
- * the network requests its configuration, one of the fields returned is
- * a signature for the identity of the peer on the network. This signature
- * includes a timestamp. When a peer communicates with other peers on a
- * closed network, it periodically (and pre-emptively) propagates this
- * signature to the peers with which it is communicating. Peers reject
- * packets with an error if no recent signature is on file.
+ * over them. For closed networks, each peer must distribute a certificate
+ * regularly that proves that they are allowed to communicate.
  */
 class Network : NonCopyable
 {
 	friend class SharedPtr<Network>;
 	friend class NodeConfig;
 
-public:
-	/**
-	 * Preload and rates of accrual for multicast group bandwidth limits
-	 *
-	 * Key is multicast group in lower case hex format: MAC (without :s) /
-	 * ADI (hex). Value is preload, maximum balance, and rate of accrual in
-	 * hex.
-	 */
-	class MulticastRates : private Dictionary
-	{
-	public:
-		/**
-		 * Preload and accrual parameter tuple
-		 */
-		struct Rate
-		{
-			Rate() {}
-			Rate(uint32_t pl,uint32_t maxb,uint32_t acc)
-			{
-				preload = pl;
-				maxBalance = maxb;
-				accrual = acc;
-			}
-			uint32_t preload;
-			uint32_t maxBalance;
-			uint32_t accrual;
-		};
-
-		MulticastRates() {}
-		MulticastRates(const char *s) : Dictionary(s) {}
-		MulticastRates(const std::string &s) : Dictionary(s) {}
-		inline std::string toString() const { return Dictionary::toString(); }
-
-		/**
-		 * A very minimal default rate, fast enough for ARP
-		 */
-		static const Rate GLOBAL_DEFAULT_RATE;
-
-		/**
-		 * @return Default rate, or GLOBAL_DEFAULT_RATE if not specified
-		 */
-		inline Rate defaultRate() const
-		{
-			Rate r;
-			const_iterator dfl(find("*"));
-			if (dfl == end())
-				return GLOBAL_DEFAULT_RATE;
-			return _toRate(dfl->second);
-		}
+private:
+	// Only NodeConfig can create, only SharedPtr can delete
 
-		/**
-		 * Get the rate for a given multicast group
-		 *
-		 * @param mg Multicast group
-		 * @return Rate or default() rate if not specified
-		 */
-		inline Rate get(const MulticastGroup &mg) const
-		{
-			const_iterator r(find(mg.toString()));
-			if (r == end())
-				return defaultRate();
-			return _toRate(r->second);
-		}
+	// Actual construction happens in newInstance()
+	Network() throw() : _tap((EthernetTap *)0) {}
 
-	private:
-		static inline Rate _toRate(const std::string &s)
-		{
-			char tmp[16384];
-			Utils::scopy(tmp,sizeof(tmp),s.c_str());
-			Rate r(0,0,0);
-			char *saveptr = (char *)0;
-			unsigned int fn = 0;
-			for(char *f=Utils::stok(tmp,",",&saveptr);(f);f=Utils::stok((char *)0,",",&saveptr)) {
-				switch(fn++) {
-					case 0:
-						r.preload = (uint32_t)Utils::hexStrToULong(f);
-						break;
-					case 1:
-						r.maxBalance = (uint32_t)Utils::hexStrToULong(f);
-						break;
-					case 2:
-						r.accrual = (uint32_t)Utils::hexStrToULong(f);
-						break;
-				}
-			}
-			return r;
-		}
-	};
+	~Network();
 
 	/**
-	 * A network configuration for a given node
-	 *
-	 * Configuration fields:
-	 *
-	 * nwid=<hex network ID> (required)
-	 * name=short name
-	 * desc=long(er) description
-	 * com=Serialized certificate of membership
-	 * mr=MulticastRates (serialized dictionary)
-	 * md=multicast propagation depth
-	 * mpb=multicast propagation prefix bits (2^mpb packets are sent by origin)
-	 * o=open network? (1 or 0, default false if missing)
-	 * et=ethertype whitelist (comma-delimited list of ethertypes in decimal)
-	 * v4s=IPv4 static assignments / netmasks (comma-delimited)
-	 * v6s=IPv6 static assignments / netmasks (comma-delimited)
+	 * Create a new Network instance and restore any saved state
 	 *
-	 * Notes:
+	 * If there is no saved state, a dummy .conf is created on disk to remember
+	 * this network across restarts.
 	 *
-	 * If zero appears in the 'et' list, the sense is inverted. It becomes an
-	 * ethertype blacklist instead of a whitelist and anything not blacklisted
-	 * is permitted.
+	 * @param renv Runtime environment
+	 * @param id Network ID
+	 * @return Reference counted pointer to new network
+	 * @throws std::runtime_error Unable to create tap device or other fatal error
 	 */
-	class Config : private Dictionary
-	{
-	public:
-		Config() {}
-		Config(const char *s) : Dictionary(s) {}
-		Config(const std::string &s) : Dictionary(s) {}
-		inline std::string toString() const { return Dictionary::toString(); }
-
-		/**
-		 * @return True if configuration is valid and contains required fields
-		 */
-		inline operator bool() const throw() { return (find("nwid") != end()); }
-
-		/**
-		 * @return Network ID
-		 * @throws std::invalid_argument Network ID field missing
-		 */
-		inline uint64_t networkId() const
-			throw(std::invalid_argument)
-		{
-			return Utils::hexStrToU64(get("nwid").c_str());
-		}
+	static SharedPtr<Network> newInstance(const RuntimeEnvironment *renv,uint64_t id);
 
-		/**
-		 * Get this network's short name, or its ID in hex if unspecified
-		 *
-		 * @return Short name of this network (e.g. "earth")
-		 */
-		inline std::string name() const
-		{
-			const_iterator n(find("name"));
-			if (n == end())
-				return get("nwid");
-			return n->second;
-		}
-
-		/**
-		 * @return Long description of network or empty string if not present
-		 */
-		inline std::string desc() const
-		{
-			return get("desc",std::string());
-		}
-
-		/**
-		 * @return Certificate of membership for this network, or empty cert if none
-		 */
-		inline CertificateOfMembership certificateOfMembership() const
-		{
-			const_iterator cm(find("com"));
-			if (cm == end())
-				return CertificateOfMembership();
-			else return CertificateOfMembership(cm->second);
-		}
-
-		/**
-		 * @return True if this network emulates IPv4 ARP for assigned addresses
-		 */
-		inline bool emulateArp() const
-		{
-			const_iterator e(find("eARP"));
-			if (e == end())
-				return false;
-			else return (e->second == "1");
-		}
-
-		/**
-		 * @return True if this network emulates IPv6 NDP for assigned addresses
-		 */
-		inline bool emulateNdp() const
-		{
-			const_iterator e(find("eNDP"));
-			if (e == end())
-				return false;
-			else return (e->second == "1");
-		}
-
-		/**
-		 * @return ARP cache TTL in seconds or 0 for no ARP caching
-		 */
-		inline unsigned int arpCacheTtl() const
-		{
-			const_iterator ttl(find("cARP"));
-			if (ttl == end())
-				return 0;
-			return Utils::hexStrToUInt(ttl->second.c_str());
-		}
-
-		/**
-		 * @return NDP cache TTL in seconds or 0 for no NDP caching
-		 */
-		inline unsigned int ndpCacheTtl() const
-		{
-			const_iterator ttl(find("cNDP"));
-			if (ttl == end())
-				return 0;
-			return Utils::hexStrToUInt(ttl->second.c_str());
-		}
-
-		/**
-		 * @return Multicast rates for this network
-		 */
-		inline MulticastRates multicastRates() const
-		{
-			const_iterator mr(find("mr"));
-			if (mr == end())
-				return MulticastRates();
-			else return MulticastRates(mr->second);
-		}
-
-		/**
-		 * @return Number of bits in propagation prefix for this network
-		 */
-		inline unsigned int multicastPrefixBits() const
-		{
-			const_iterator mpb(find("mpb"));
-			if (mpb == end())
-				return ZT_DEFAULT_MULTICAST_PREFIX_BITS;
-			unsigned int tmp = Utils::hexStrToUInt(mpb->second.c_str());
-			if (tmp)
-				return tmp;
-			else return ZT_DEFAULT_MULTICAST_PREFIX_BITS;
-		}
-
-		/**
-		 * @return Maximum multicast propagation depth for this network
-		 */
-		inline unsigned int multicastDepth() const
-		{
-			const_iterator md(find("md"));
-			if (md == end())
-				return ZT_DEFAULT_MULTICAST_DEPTH;
-			unsigned int tmp = Utils::hexStrToUInt(md->second.c_str());
-			if (tmp)
-				return tmp;
-			else return ZT_DEFAULT_MULTICAST_DEPTH;
-		}
-
-		/**
-		 * @return True if this is an open non-access-controlled network
-		 */
-		inline bool isOpen() const
-		{
-			const_iterator o(find("o"));
-			if (o == end())
-				return false;
-			else if (!o->second.length())
-				return false;
-			else return (o->second[0] == '1');
-		}
-
-		/**
-		 * @return Network ethertype whitelist
-		 */
-		inline std::set<unsigned int> etherTypes() const
-		{
-			char tmp[16384];
-			char *saveptr = (char *)0;
-			std::set<unsigned int> et;
-			if (!Utils::scopy(tmp,sizeof(tmp),get("et","").c_str()))
-				return et; // sanity check, packet can't really be that big
-			for(char *f=Utils::stok(tmp,",",&saveptr);(f);f=Utils::stok((char *)0,",",&saveptr)) {
-				unsigned int t = Utils::hexStrToUInt(f);
-				if (t)
-					et.insert(t);
-			}
-			return et;
-		}
-
-		/**
-		 * @return All static addresses / netmasks, IPv4 or IPv6
-		 */
-		inline std::set<InetAddress> staticAddresses() const
-		{
-			std::set<InetAddress> sa;
-			std::vector<std::string> ips(Utils::split(get("v4s","").c_str(),",","",""));
-			for(std::vector<std::string>::const_iterator i(ips.begin());i!=ips.end();++i)
-				sa.insert(InetAddress(*i));
-			ips = Utils::split(get("v6s","").c_str(),",","","");
-			for(std::vector<std::string>::const_iterator i(ips.begin());i!=ips.end();++i)
-				sa.insert(InetAddress(*i));
-			return sa;
-		}
-	};
+	/**
+	 * Causes all persistent disk presence to be erased on delete
+	 */
+	inline void destroyOnDelete() throw() { _destroyOnDelete = true; }
 
+public:
 	/**
-	 * Status for networks
+	 * Possible network states
 	 */
 	enum Status
 	{
@@ -398,42 +122,6 @@ public:
 	static const char *statusString(const Status s)
 		throw();
 
-private:
-	// Only NodeConfig can create, only SharedPtr can delete
-
-	// Actual construction happens in newInstance()
-	Network()
-		throw() :
-		_tap((EthernetTap *)0)
-	{
-	}
-
-	~Network();
-
-	/**
-	 * Create a new Network instance and restore any saved state
-	 *
-	 * If there is no saved state, a dummy .conf is created on disk to remember
-	 * this network across restarts.
-	 *
-	 * @param renv Runtime environment
-	 * @param id Network ID
-	 * @return Reference counted pointer to new network
-	 * @throws std::runtime_error Unable to create tap device or other fatal error
-	 */
-	static SharedPtr<Network> newInstance(const RuntimeEnvironment *renv,uint64_t id)
-		throw(std::runtime_error);
-
-	/**
-	 * Causes all persistent disk presence to be erased on delete
-	 */
-	inline void destroyOnDelete()
-		throw()
-	{
-		_destroyOnDelete = true;
-	}
-
-public:
 	/**
 	 * @return Network ID
 	 */
@@ -459,36 +147,6 @@ public:
 		return std::string(buf);
 	}
 
-	/**
-	 * @return True if network is open (no membership required)
-	 */
-	inline bool isOpen() const
-		throw()
-	{
-		Mutex::Lock _l(_lock);
-		return _isOpen;
-	}
-
-	/**
-	 * @return True if this network emulates IPv4 ARP for assigned addresses
-	 */
-	inline bool emulateArp() const
-		throw()
-	{
-		Mutex::Lock _l(_lock);
-		return _emulateArp;
-	}
-
-	/**
-	 * @return True if this network emulates IPv6 NDP for assigned addresses
-	 */
-	inline bool emulateNdp() const
-		throw()
-	{
-		Mutex::Lock _l(_lock);
-		return _emulateNdp;
-	}
-
 	/**
 	 * Update multicast groups for this network's tap
 	 *
@@ -518,7 +176,7 @@ public:
 	 * @param conf Configuration in key/value dictionary form
 	 * @param saveToDisk IF true (default), write config to disk
 	 */
-	void setConfiguration(const Config &conf,bool saveToDisk = true);
+	void setConfiguration(const Dictionary &conf,bool saveToDisk = true);
 
 	/**
 	 * Causes this network to request an updated configuration from its master node now
@@ -528,7 +186,8 @@ public:
 	/**
 	 * Add or update a membership certificate
 	 *
-	 * The certificate must already have been validated via signature checking.
+	 * This cert must have been signature checked first. Certs older than the
+	 * cert on file are ignored and the newer cert remains in the database.
 	 *
 	 * @param cert Certificate of membership
 	 */
@@ -544,7 +203,7 @@ public:
 	inline void pushMembershipCertificate(const Address &peer,bool force,uint64_t now)
 	{
 		Mutex::Lock _l(_lock);
-		if (!_isOpen)
+		if ((_config)&&(!_config->isOpen()))
 			_pushMembershipCertificate(peer,force,now);
 	}
 
@@ -562,7 +221,7 @@ public:
 	inline void pushMembershipCertificate(const void *peers,unsigned int len,bool force,uint64_t now)
 	{
 		Mutex::Lock _l(_lock);
-		if (!_isOpen) {
+		if ((_config)&&(!_config->isOpen())) {
 			for(unsigned int i=0;i<len;i+=ZT_ADDRESS_LENGTH) {
 				Address a((char *)peers + i,ZT_ADDRESS_LENGTH);
 				if (a)
@@ -615,25 +274,7 @@ public:
 		throw()
 	{
 		Mutex::Lock _l(_lock);
-		return ((_status == NETWORK_OK)&&(_ready));
-	}
-
-	/**
-	 * Determine whether frames of a given ethernet type are allowed on this network
-	 *
-	 * @param etherType Ethernet frame type
-	 * @return True if network permits this type
-	 */
-	inline bool permitsEtherType(unsigned int etherType) const
-		throw()
-	{
-		if (!etherType)
-			return false;
-		else if (etherType > 65535)
-			return false;
-		else if ((_etWhitelist[0] & 1)) // if type 0 is in the whitelist, sense is inverted from whitelist to blacklist
-			return ((_etWhitelist[etherType / 8] & (unsigned char)(1 << (etherType & 7))) == 0);
-		else return ((_etWhitelist[etherType / 8] & (unsigned char)(1 << (etherType & 7))) != 0);
+		return ((_config)&&(_status == NETWORK_OK)&&(_ready));
 	}
 
 	/**
@@ -647,80 +288,68 @@ public:
 	inline bool updateAndCheckMulticastBalance(const Address &a,const MulticastGroup &mg,unsigned int bytes)
 	{
 		Mutex::Lock _l(_lock);
+		if (!_config)
+			return false;
 		std::pair<Address,MulticastGroup> k(a,mg);
 		std::map< std::pair<Address,MulticastGroup>,BandwidthAccount >::iterator bal(_multicastRateAccounts.find(k));
 		if (bal == _multicastRateAccounts.end()) {
-			MulticastRates::Rate r(_mcRates.get(mg));
+			NetworkConfig::MulticastRate r(_config->multicastRate(mg));
 			bal = _multicastRateAccounts.insert(std::pair< std::pair<Address,MulticastGroup>,BandwidthAccount >(k,BandwidthAccount(r.preload,r.maxBalance,r.accrual))).first;
 		}
 		return bal->second.deduct(bytes);
 	}
 
 	/**
-	 * @param fromPeer Peer attempting to bridge other Ethernet peers onto network
-	 * @return True if this network allows bridging
+	 * Get current network config or throw exception
+	 *
+	 * This version never returns null. Instead it throws a runtime error if
+	 * there is no current configuration. Callers should check isUp() first or
+	 * use config2() to get with the potential for null.
+	 *
+	 * Since it never returns null, it's safe to config()->whatever().
+	 *
+	 * @return Network configuration (never null)
+	 * @throws std::runtime_error Network configuration unavailable
 	 */
-	inline bool permitsBridging(const Address &fromPeer) const
-		throw()
+	inline SharedPtr<NetworkConfig> config() const
 	{
-		return false; // TODO: bridging not implemented yet
+		Mutex::Lock _l(_lock);
+		if (_config)
+			return _config;
+		throw std::runtime_error("no configuration");
 	}
 
 	/**
-	 * @return Bits in multicast restriciton prefix
+	 * @return Network configuration -- may be NULL
 	 */
-	inline unsigned int multicastPrefixBits() const throw() { return _multicastPrefixBits; }
-
-	/**
-	 * @return Max depth (TTL) for a multicast frame
-	 */
-	inline unsigned int multicastDepth() const throw() { return _multicastDepth; }
+	inline SharedPtr<NetworkConfig> config2() const
+		throw()
+	{
+		Mutex::Lock _l(_lock);
+		return _config;
+	}
 
 private:
 	static void _CBhandleTapData(void *arg,const MAC &from,const MAC &to,unsigned int etherType,const Buffer<4096> &data);
+
 	void _pushMembershipCertificate(const Address &peer,bool force,uint64_t now);
 	void _restoreState();
 	void _dumpMulticastCerts();
 
-	const RuntimeEnvironment *_r;
+	uint64_t _id;
 
-	// Multicast bandwidth accounting for peers on this network
-	std::map< std::pair<Address,MulticastGroup>,BandwidthAccount > _multicastRateAccounts;
+	const RuntimeEnvironment *_r;
 
-	// Tap and tap multicast memberships for this node on this network
 	EthernetTap *_tap;
 	std::set<MulticastGroup> _multicastGroups;
 
-	// Membership certificates supplied by other peers on this network
+	std::map< std::pair<Address,MulticastGroup>,BandwidthAccount > _multicastRateAccounts;
 	std::map<Address,CertificateOfMembership> _membershipCertificates;
-
-	// The last time we sent a membership certificate to a given peer
 	std::map<Address,uint64_t> _lastPushedMembershipCertificate;
-
-	// Configuration from network master node -- and some memoized fields from
-	// the most recent _configuration we have.
-	Config _configuration;
-	CertificateOfMembership _myCertificate;
-	MulticastRates _mcRates;
-	std::set<InetAddress> _staticAddresses;
-	bool _isOpen;
-	bool _emulateArp;
-	bool _emulateNdp;
-	unsigned int _arpCacheTtl;
-	unsigned int _ndpCacheTtl;
-	unsigned int _multicastPrefixBits;
-	unsigned int _multicastDepth;
-
-	// Network status
-	Status _status;
-
-	// Ethertype whitelist bit field, set from config, for really fast lookup
-	unsigned char _etWhitelist[65536 / 8];
-
-	// Network ID -- master node is most significant 40 bits
-	uint64_t _id;
+	SharedPtr<NetworkConfig> _config;
 
 	volatile uint64_t _lastConfigUpdate;
+	volatile Status _status;
 	volatile bool _destroyOnDelete;
 	volatile bool _ready;
 

node/NetworkConfig.cpp

@@ -70,6 +70,13 @@ void NetworkConfig::_fromDictionary(const Dictionary &d)
 {
 	// NOTE: d.get(name) throws if not found, d.get(name,default) returns default
 
+	memset(_etWhitelist,0,sizeof(_etWhitelist));
+	std::vector<std::string> ets(Utils::split(d.get(ZT_NETWORKCONFIG_DICT_KEY_ALLOWED_ETHERNET_TYPES).c_str(),",","",""));
+	for(std::vector<std::string>::const_iterator et(ets.begin());et!=ets.end();++et) {
+		unsigned int tmp = Utils::hexStrToUInt(et->c_str()) & 0xffff;
+		_etWhitelist[tmp >> 3] |= (1 << (tmp & 7));
+	}
+
 	_nwid = Utils::hexStrToU64(d.get(ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID).c_str());
 	if (!_nwid)
 		throw std::invalid_argument("configuration contains zero network ID");

node/NetworkConfig.hpp

@@ -42,6 +42,7 @@
 #include "SharedPtr.hpp"
 #include "MulticastGroup.hpp"
 #include "Address.hpp"
+#include "CertificateOfMembership.hpp"
 
 namespace ZeroTier {
 
@@ -63,6 +64,7 @@ namespace ZeroTier {
 #define ZT_NETWORKCONFIG_DICT_KEY_IPV4_STATIC "v4s"
 #define ZT_NETWORKCONFIG_DICT_KEY_IPV6_STATIC "v6s"
 #define ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_RATES "mr"
+#define ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATE_OF_MEMBERSHIP "com"
 
 /**
  * Network configuration received from netconf master nodes
@@ -97,10 +99,7 @@ public:
 	 * @param d Dictionary containing configuration
 	 * @throws std::invalid_argument Invalid configuration
 	 */
-	NetworkConfig(const Dictionary &d)
-	{
-		_fromDictionary(d);
-	}
+	NetworkConfig(const Dictionary &d) { _fromDictionary(d); }
 
 	/**
 	 * @param etherType Ethernet frame type to check
@@ -131,6 +130,17 @@ public:
 	inline const std::string &description() const throw() { return _description; }
 	inline const std::set<InetAddress> &staticIps() const throw() { return _staticIps; }
 	inline const std::map<MulticastGroup,MulticastRate> &multicastRates() const throw() { return _multicastRates; }
+	inline const CertificateOfMembership &com() const throw() { return _com; }
+
+	/**
+	 * @param fromPeer Peer attempting to bridge other Ethernet peers onto network
+	 * @return True if this network allows bridging
+	 */
+	inline bool permitsBridging(const Address &fromPeer) const
+		throw()
+	{
+		return false; // TODO: bridging not implemented yet
+	}
 
 	/**
 	 * @param mg Multicast group
@@ -160,6 +170,7 @@ private:
 	std::string _description;
 	std::set<InetAddress> _staticIps;
 	std::map<MulticastGroup,MulticastRate> _multicastRates;
+	CertificateOfMembership _com;
 
 	AtomicCounter __refCount;
 };