Integrate Filter into OutboundMulticast properly.

10 years ago · 37d139177d
4 changed files with 76 additions and 13 deletions
--- a/node/Filter.hpp
+++ b/node/Filter.hpp
@ -21,8 +21,6 @@

 #include <stdint.h>

-#include <vector>
-
 #include "Constants.hpp"
 #include "../include/ZeroTierOne.h"
 #include "Address.hpp"
--- a/node/Network.hpp
+++ b/node/Network.hpp
@ -77,6 +77,62 @@ public:

 	~Network();

+	/**
+	 * Apply filters to an outgoing packet
+	 *
+	 * This applies filters from our network config and, if that doesn't match,
+	 * our capabilities in ascending order of capability ID. If there is a match
+	 * certain actions may be taken such as pushing credentials to ztDest and
+	 * sending a copy of the packet to a TEE or REDIRECT target.
+	 *
+	 * @param ztSource Source ZeroTier address
+	 * @param ztDest Destination ZeroTier address
+	 * @param macSource Ethernet layer source address
+	 * @param macDest Ethernet layer destination address
+	 * @param frameData Ethernet frame data
+	 * @param frameLen Ethernet frame payload length
+	 * @param etherType 16-bit ethernet type ID
+	 * @param vlanId 16-bit VLAN ID
+	 * @return True if packet should be sent to destination peer
+	 */
+	bool filterOutgoingPacket(
+		const Address &ztSource,
+		const Address &ztDest,
+		const MAC &macSource,
+		const MAC &macDest,
+		const uint8_t *frameData,
+		const unsigned int frameLen,
+		const unsigned int etherType,
+		const unsigned int vlanId);
+
+	/**
+	 * Apply filters to an incoming packet
+	 *
+	 * This applies filters from our network config and, if that doesn't match,
+	 * the peer's capabilities in ascending order of capability ID. If there is
+	 * a match certain actions may be taken such as sending a copy of the packet
+	 * to a TEE or REDIRECT target.
+	 *
+	 * @param ztSource Source Peer (to save an extra lookup)
+	 * @param ztDest Destination ZeroTier address
+	 * @param macSource Ethernet layer source address
+	 * @param macDest Ethernet layer destination address
+	 * @param frameData Ethernet frame data
+	 * @param frameLen Ethernet frame payload length
+	 * @param etherType 16-bit ethernet type ID
+	 * @param vlanId 16-bit VLAN ID
+	 * @return True if packet should be accepted locally
+	 */
+	bool filterIncomingPacket(
+		const SharedPtr<Peer> &ztSource,
+		const Address &ztDest,
+		const MAC &macSource,
+		const MAC &macDest,
+		const uint8_t *frameData,
+		const unsigned int frameLen,
+		const unsigned int etherType,
+		const unsigned int vlanId);
+
 	/**
 	 * @return Network ID
 	 */
--- a/node/OutboundMulticast.cpp
+++ b/node/OutboundMulticast.cpp
@ -41,7 +41,13 @@ void OutboundMulticast::init(
 {
 	_timestamp = timestamp;
 	_nwid = nwid;
+	if (src)
+		_macSrc = src;
+	else _macSrc.fromAddress(RR->identity.address(),nwid);
+	_macDest = dest.mac();
 	_limit = limit;
+	_frameLen = (len < ZT_MAX_MTU) ? len : ZT_MAX_MTU;
+	_etherType = etherType;

 	uint8_t flags = 0;
 	if (gatherLimit) flags |= 0x02;
@ -68,23 +74,21 @@ void OutboundMulticast::init(
 	dest.mac().appendTo(_packet);
 	_packet.append((uint32_t)dest.adi());
 	_packet.append((uint16_t)etherType);
-	_packet.append(payload,len);
+	_packet.append(payload,_frameLen);
 	_packet.compress();
+
+	memcpy(_frameData,payload,_frameLen);
 }

 void OutboundMulticast::sendOnly(const RuntimeEnvironment *RR,const Address &toAddr)
 {
-	// TODO: apply Filter
-
-	SharedPtr<Peer> peer(RR->topology->getPeer(toAddr));
-	if (peer) {
-		// TODO: push creds if needed
+	const SharedPtr<Network> nw(RR->node->network(_nwid));
+	if ((nw)&&(nw->filterOutgoingPacket(RR->identity.address(),toAddr,_macSrc,_macDest,_frameData,_frameLen,_etherType,0))) {
+		//TRACE(">>MC %.16llx -> %s",(unsigned long long)this,toAddr.toString().c_str());
+		_packet.newInitializationVector();
+		_packet.setDestination(toAddr);
+		RR->sw->send(_packet,true,_nwid);
 	}
-
-	//TRACE(">>MC %.16llx -> %s",(unsigned long long)this,toAddr.toString().c_str());
-	_packet.newInitializationVector();
-	_packet.setDestination(toAddr);
-	RR->sw->send(_packet,true,_nwid);
 }

 } // namespace ZeroTier
--- a/node/OutboundMulticast.hpp
+++ b/node/OutboundMulticast.hpp
@ -133,9 +133,14 @@ public:
 private:
 	uint64_t _timestamp;
 	uint64_t _nwid;
+	MAC _macSrc;
+	MAC _macDest;
 	unsigned int _limit;
+	unsigned int _frameLen;
+	unsigned int _etherType;
 	Packet _packet;
 	std::vector<Address> _alreadySentTo;
+	uint8_t _frameData[ZT_MAX_MTU];
 };

 } // namespace ZeroTier