|
|
@@ -93,7 +93,10 @@ void Switch::onLocalEthernet(const SharedPtr<Network> &network,const MAC &from,c
|
|
|
if (to == network->mac())
|
|
|
return;
|
|
|
|
|
|
- // Check anti-recursion module to ensure that this is not ZeroTier talking over its own links
|
|
|
+ /* Check anti-recursion module to ensure that this is not ZeroTier talking over its own links.
|
|
|
+ * Note: even when we introduce a more purposeful binding of the main UDP port, this can
|
|
|
+ * still happen because Windows likes to send broadcasts over interfaces that have little
|
|
|
+ * to do with their intended target audience. :P */
|
|
|
if (!_r->antiRec->checkEthernetFrame(data.data(),data.size())) {
|
|
|
TRACE("%s: rejected recursively addressed ZeroTier packet by tail match (type %s, length: %u)",network->tapDeviceName().c_str(),etherTypeName(etherType),data.size());
|
|
|
return;
|
|
|
@@ -115,8 +118,9 @@ void Switch::onLocalEthernet(const SharedPtr<Network> &network,const MAC &from,c
|
|
|
fromBridged = true;
|
|
|
}
|
|
|
|
|
|
- // Multicast, either bridged or local source
|
|
|
if (to.isMulticast()) {
|
|
|
+ // Destination is a multicast address (including broadcast)
|
|
|
+
|
|
|
MulticastGroup mg(to,0);
|
|
|
|
|
|
if (to.isBroadcast()) {
|
|
|
@@ -131,11 +135,14 @@ void Switch::onLocalEthernet(const SharedPtr<Network> &network,const MAC &from,c
|
|
|
}
|
|
|
}
|
|
|
|
|
|
- // Learn multicast groups for bridged-in hosts
|
|
|
+ /* Learn multicast groups for bridged-in hosts.
|
|
|
+ * Note that some OSes, most notably Linux, do this for you by learning
|
|
|
+ * multicast addresses on bridge interfaces and subscribing each slave.
|
|
|
+ * But in that case this does no harm, as the sets are just merged. */
|
|
|
if (fromBridged)
|
|
|
network->learnBridgedMulticastGroup(mg);
|
|
|
|
|
|
- // Check multicast/broadcast bandwidth quotas
|
|
|
+ // Check multicast/broadcast bandwidth quotas and reject if quota exceeded
|
|
|
if (!network->updateAndCheckMulticastBalance(_r->identity.address(),mg,data.size())) {
|
|
|
TRACE("%s: didn't multicast %d bytes, quota exceeded for multicast group %s",network->tapDeviceName().c_str(),(int)data.size(),mg.toString().c_str());
|
|
|
return;
|
|
|
@@ -191,10 +198,10 @@ void Switch::onLocalEthernet(const SharedPtr<Network> &network,const MAC &from,c
|
|
|
outp.append(bloomNonce);
|
|
|
outp.append((unsigned char)nconf->multicastPrefixBits());
|
|
|
outp.append((unsigned char)prefix);
|
|
|
- _r->identity.address().appendTo(outp);
|
|
|
+ _r->identity.address().appendTo(outp); // lower 40 bits of MCID are my address
|
|
|
outp.append((unsigned char)((mcid >> 16) & 0xff));
|
|
|
outp.append((unsigned char)((mcid >> 8) & 0xff));
|
|
|
- outp.append((unsigned char)(mcid & 0xff));
|
|
|
+ outp.append((unsigned char)(mcid & 0xff)); // upper 24 bits of MCID are from our counter
|
|
|
from.appendTo(outp);
|
|
|
mg.mac().appendTo(outp);
|
|
|
outp.append(mg.adi());
|
|
|
@@ -219,8 +226,9 @@ void Switch::onLocalEthernet(const SharedPtr<Network> &network,const MAC &from,c
|
|
|
return;
|
|
|
}
|
|
|
|
|
|
- // Destination is another ZeroTier node
|
|
|
if (to[0] == MAC::firstOctetForNetwork(network->id())) {
|
|
|
+ // Destination is another ZeroTier node
|
|
|
+
|
|
|
Address toZT(to.toAddress(network->id()));
|
|
|
if (network->isAllowed(toZT)) {
|
|
|
network->pushMembershipCertificate(toZT,false,Utils::now());
|
|
|
@@ -252,35 +260,45 @@ void Switch::onLocalEthernet(const SharedPtr<Network> &network,const MAC &from,c
|
|
|
return;
|
|
|
}
|
|
|
|
|
|
- // Destination is behind another bridge
|
|
|
-
|
|
|
- Address bridges[ZT_MAX_BRIDGE_SPAM];
|
|
|
- unsigned int numBridges = 0;
|
|
|
-
|
|
|
- bridges[0] = network->findBridgeTo(to);
|
|
|
- if ((bridges[0])&&(bridges[0] != _r->identity.address())&&(network->isAllowed(bridges[0]))&&(network->permitsBridging(bridges[0]))) {
|
|
|
- ++numBridges;
|
|
|
- } else if (!nconf->activeBridges().empty()) {
|
|
|
- // If there is no known route, spam to up to ZT_MAX_BRIDGE_SPAM active bridges
|
|
|
- std::set<Address>::const_iterator ab(nconf->activeBridges().begin());
|
|
|
- if (nconf->activeBridges().size() <= ZT_MAX_BRIDGE_SPAM) {
|
|
|
- // If there are <= ZT_MAX_BRIDGE_SPAM active bridges, just take them all
|
|
|
- while (numBridges < nconf->activeBridges().size())
|
|
|
- bridges[numBridges++] = *(ab++);
|
|
|
- } else {
|
|
|
- // Otherwise do this less efficient multipass thing to pick randomly from an ordered set until we have enough
|
|
|
- while (numBridges < ZT_MAX_BRIDGE_SPAM) {
|
|
|
- if (ab == nconf->activeBridges().end())
|
|
|
- ab = nconf->activeBridges().begin();
|
|
|
- if (((unsigned long)_r->prng->next32() % (unsigned long)nconf->activeBridges().size()) == 0)
|
|
|
- bridges[numBridges++] = *(ab++);
|
|
|
- else ++ab;
|
|
|
+ {
|
|
|
+ // Destination is behind another bridge
|
|
|
+
|
|
|
+ Address bridges[ZT_MAX_BRIDGE_SPAM];
|
|
|
+ unsigned int numBridges = 0;
|
|
|
+
|
|
|
+ bridges[0] = network->findBridgeTo(to);
|
|
|
+ if ((bridges[0])&&(bridges[0] != _r->identity.address())&&(network->isAllowed(bridges[0]))&&(network->permitsBridging(bridges[0]))) {
|
|
|
+ // We have a known bridge route for this MAC.
|
|
|
+ ++numBridges;
|
|
|
+ } else if (!nconf->activeBridges().empty()) {
|
|
|
+ /* If there is no known route, spam to up to ZT_MAX_BRIDGE_SPAM active
|
|
|
+ * bridges. This is similar to what many switches do -- if they do not
|
|
|
+ * know which port corresponds to a MAC, they send it to all ports. If
|
|
|
+ * there aren't any active bridges, numBridges will stay 0 and packet
|
|
|
+ * is dropped. */
|
|
|
+ std::set<Address>::const_iterator ab(nconf->activeBridges().begin());
|
|
|
+ if (nconf->activeBridges().size() <= ZT_MAX_BRIDGE_SPAM) {
|
|
|
+ // If there are <= ZT_MAX_BRIDGE_SPAM active bridges, spam them all
|
|
|
+ while (ab != nconf->activeBridges().end()) {
|
|
|
+ if (network->isAllowed(*ab)) // config sanity check
|
|
|
+ bridges[numBridges++] = *ab;
|
|
|
+ ++ab;
|
|
|
+ }
|
|
|
+ } else {
|
|
|
+ // Otherwise pick a random set of them
|
|
|
+ while (numBridges < ZT_MAX_BRIDGE_SPAM) {
|
|
|
+ if (ab == nconf->activeBridges().end())
|
|
|
+ ab = nconf->activeBridges().begin();
|
|
|
+ if (((unsigned long)_r->prng->next32() % (unsigned long)nconf->activeBridges().size()) == 0) {
|
|
|
+ if (network->isAllowed(*ab)) // config sanity check
|
|
|
+ bridges[numBridges++] = *ab;
|
|
|
+ ++ab;
|
|
|
+ } else ++ab;
|
|
|
+ }
|
|
|
}
|
|
|
}
|
|
|
- }
|
|
|
|
|
|
- for(unsigned int b=0;b<numBridges;++b) {
|
|
|
- if (network->isAllowed(bridges[b])) {
|
|
|
+ for(unsigned int b=0;b<numBridges;++b) {
|
|
|
Packet outp(bridges[b],_r->identity.address(),Packet::VERB_EXT_FRAME);
|
|
|
outp.append(network->id());
|
|
|
outp.append((unsigned char)0);
|
Adam Ierymenko