mirror
/
devilutionX-ZeroTierOne
mirror of https://github.com/diasurgical/ZeroTierOne.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Add a workaround for an edge case in TEE/REDIRECT if we are the inbound destination and teeing is only being done on the outbound side.

pull/1/head
Adam Ierymenko 9 years ago
parent
fe530548bb
commit
6b12d86209
1 changed files with 22 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 25
      node/Network.cpp

25
node/Network.cpp
Unescape View File

@ -178,6 +178,9 @@ static _doZtFilterResult _doZtFilter(
std::vector<std::string> dlog;
#endif // ZT_RULES_ENGINE_DEBUGGING
// Set to true if we are a TEE/REDIRECT/WATCH target
bool superAccept = false;
// The default match state for each set of entries starts as 'true' since an
// ACTION with no MATCH entries preceding it is always taken.
uint8_t thisSetMatches = 1;
@ -199,7 +202,7 @@ static _doZtFilterResult _doZtFilter(
#ifdef ZT_RULES_ENGINE_DEBUGGING
_dumpFilterTrace("ACTION_ACCEPT",thisSetMatches,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,(const char *)0);
#endif // ZT_RULES_ENGINE_DEBUGGING
return DOZTFILTER_ACCEPT; // match, accept packet
return (superAccept ? DOZTFILTER_SUPER_ACCEPT : DOZTFILTER_ACCEPT); // match, accept packet
// These are initially handled together since preliminary logic is common
case ZT_NETWORK_RULE_ACTION_TEE:
@ -264,6 +267,22 @@ static _doZtFilterResult _doZtFilter(
continue;
}
} else {
// If this is an incoming packet and we are a TEE or REDIRECT target, we should
// super-accept if we accept at all. This will cause us to accept redirected or
// tee'd packets in spite of MAC and ZT addressing checks.
if (inbound) {
switch(rt) {
case ZT_NETWORK_RULE_ACTION_TEE:
case ZT_NETWORK_RULE_ACTION_WATCH:
case ZT_NETWORK_RULE_ACTION_REDIRECT:
if (RR->identity.address() == rules[rn].v.fwd.address)
superAccept = true;
break;
default:
break;
}
}
#ifdef ZT_RULES_ENGINE_DEBUGGING
_dumpFilterTrace(_rtn(rt),thisSetMatches,inbound,ztSource,ztDest,macSource,macDest,dlog,frameLen,etherType,(const char *)0);
dlog.clear();
@ -541,12 +560,12 @@ static _doZtFilterResult _doZtFilter(
thisRuleMatches = 0;
}
} else {
if (inbound) {
if ((inbound)&&(!superAccept)) {
thisRuleMatches = 0;
FILTER_TRACE("%u %s %c remote tag %u not found -> 0 (inbound side is strict)",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.tag.id);
} else {
thisRuleMatches = 1;
FILTER_TRACE("%u %s %c remote tag %u not found -> 1 (outbound side is not strict)",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.tag.id);
FILTER_TRACE("%u %s %c remote tag %u not found -> 1 (outbound side and TEE/REDIRECT targets are not strict)",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.tag.id);
}
}
} else {

Write Preview
Loading…
Cancel
Save