
Merge branch 'dev' of github.com:zerotier/ZeroTierOne into dev

Adam Ierymenko 4 years ago
parent
commit
bf4bb414dd
2 changed files with 16 additions and 8 deletions
  1. 5 6
      osdep/Binder.hpp
  2. 11 2
      service/OneService.cpp

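--- a/osdep/Binder.hpp
+++ b/osdep/Binder.hpp
@@ -40,7 +40,7 @@
 #endif
 #endif
 
-#if defined(__APPLE__) && defined(TARGET_OS_MAC)
+#if defined(__unix__) && !defined(__LINUX__)
 #include <net/if.h>
 #include <netinet6/in6_var.h>
 #include <sys/ioctl.h>
@@ -311,8 +311,7 @@ class Binder {
 			if (! gotViaProc) {
 				struct ifaddrs* ifatbl = (struct ifaddrs*)0;
 				struct ifaddrs* ifa;
-
-#if defined(__APPLE__)
+#if defined(__unix__) && !defined(__LINUX__)
 				// set up an IPv6 socket so we can check the state of interfaces via SIOCGIFAFLAG_IN6
 				int infoSock = socket(AF_INET6, SOCK_DGRAM, 0);
 #endif
@@ -321,8 +320,8 @@ class Binder {
 					while (ifa) {
 						if ((ifa->ifa_name) && (ifa->ifa_addr)) {
 							InetAddress ip = *(ifa->ifa_addr);
-#if defined(__APPLE__) && defined(TARGET_OS_MAC)
-							// Check if the address is an IPv6 Temporary Address, macOS version
+#if defined(__unix__) && !defined(__LINUX__)
+							// Check if the address is an IPv6 Temporary Address, macOS/BSD version
 							if (ifa->ifa_addr->sa_family == AF_INET6) {
 								struct sockaddr_in6* sa6 = (struct sockaddr_in6*)ifa->ifa_addr;
 								struct in6_ifreq ifr6;
@@ -369,7 +368,7 @@ class Binder {
 				else {
 					interfacesEnumerated = false;
 				}
-#if defined(__APPLE__)
+#if defined(__unix__) && !defined(__LINUX__)
 				close(infoSock);
 #endif
 			}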
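Review bot: The new guard `#if defined(__unix__) && !defined(__LINUX__)` in the first hunk depends on two macros that are not compiler builtins the way the old `__APPLE__` test was: compilers predefine `__linux__`, not `__LINUX__`, and Apple clang does not, to my knowledge, predefine `__unix__` at all. If `__LINUX__` is supplied by a project header, that header must be included before this point or the condition is true on Linux and `<netinet6/in6_var.h>` will not resolve; if `__unix__` is absent on macOS, the temporary-address check the comment now calls the "macOS/BSD version" is silently compiled out there and the binder may start listening on rotating IPv6 privacy addresses, which is exactly what this code exists to avoid. Consider expressing the platform set explicitly once, e.g. `#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__)` behind a single project-level macro, and reusing it. The same expression is repeated at the other three `#if` lines in this section (the `infoSock` setup, the address check and the `close(infoSock)`), so they should all move to that one definition to stay in sync.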

+ 11 - 2
service/OneService.cpp

@@ -725,15 +725,24 @@ public:
 			OSUtils::ztsnprintf(portstr,sizeof(portstr),"%u",_ports[0]);
 			OSUtils::writeFile((_homePath + ZT_PATH_SEPARATOR_S "zerotier-one.port").c_str(),std::string(portstr));
 
-			// Attempt to bind to a secondary port chosen from our ZeroTier address.
+			// Attempt to bind to a secondary port.
 			// This exists because there are buggy NATs out there that fail if more
 			// than one device behind the same NAT tries to use the same internal
 			// private address port number. Buggy NATs are a running theme.
+			//
+			// This used to pick the secondary port based on the node ID until we
+			// discovered another problem: buggy routers and malicious traffic 
+			// "detection".  A lot of routers have such things built in these days
+			// and mis-detect ZeroTier traffic as malicious and block it resulting
+			// in a node that appears to be in a coma.  Secondary ports are now 
+			// randomized on startup.
 			if (_allowSecondaryPort) {
 				if (_secondaryPort) {
 					_ports[1] = _secondaryPort;
 				} else {
-					_ports[1] = 20000 + ((unsigned int)_node->address() % 45500);
+					unsigned int randp = 0;
+					Utils::getSecureRandom(&randp,sizeof(randp));
+					_ports[1] = 20000 + (randp % 45500);
 					for(int i=0;;++i) {
 						if (i > 1000) {
 							_ports[1] = 0;