j3d1/tinc
1
0
Fork 0
Code Issues 1 Pull requests Releases Wiki Activity

Add the StrictSubnets option.

Browse source 
When this option is enabled, tinc will not accept dynamic updates of Subnets
from other nodes, but will only use Subnets read from local host config files
to build its routing table.
This commit is contained in:
Guus Sliepen 2010-03-02 00:18:44 +01:00
parent 9fed0ec34b
commit 5038964032
7 changed files with 35 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
doc/tinc.conf.5.in
View file

@ -308,11 +308,18 @@ specified in the configuration file.
When this option is used the priority of the tincd process will be adjusted. When this option is used the priority of the tincd process will be adjusted.
Increasing the priority may help to reduce latency and packet loss on the VPN. Increasing the priority may help to reduce latency and packet loss on the VPN.
.It Va TunnelServer Li = yes | no Po no Pc Bq experimental .It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will no longer forward information between other tinc daemons, When this option is enabled tinc will only use Subnet statements which are
and will only allow nodes and subnets on the VPN which are present in the present in the host config files in the local
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
directory. directory.
.It Va TunnelServer Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will no longer forward information between other tinc daemons,
and will only allow connections with nodes for which host config files are present in the local
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
directory.
Setting this options also implicitly sets StrictSubnets.
.El .El
.Sh HOST CONFIGURATION FILES .Sh HOST CONFIGURATION FILES

9
doc/tinc.texi
View file

@ -928,11 +928,18 @@ specified in the configuration file.
When this option is used the priority of the tincd process will be adjusted. When this option is used the priority of the tincd process will be adjusted.
Increasing the priority may help to reduce latency and packet loss on the VPN. Increasing the priority may help to reduce latency and packet loss on the VPN.
@cindex StrictSubnets
@item StrictSubnets <yes|no> (no) [experimental]
When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
@cindex TunnelServer @cindex TunnelServer
@item TunnelServer = <yes|no> (no) [experimental] @item TunnelServer = <yes|no> (no) [experimental]
When this option is enabled tinc will no longer forward information between other tinc daemons, When this option is enabled tinc will no longer forward information between other tinc daemons,
and will only allow nodes and subnets on the VPN which are present in the and will only allow connections with nodes for which host config files are present in the local
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory. @file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
Setting this options also implicitly sets StrictSubnets.
@end table @end table

2
src/net.c
View file

@ -68,7 +68,7 @@ static void purge(void) {
for(snode = n->subnet_tree->head; snode; snode = snext) { for(snode = n->subnet_tree->head; snode; snode = snext) {
snext = snode->next; snext = snode->next;
s = snode->data; s = snode->data;
if(!tunnelserver) if(!strictsubnets)
send_del_subnet(broadcast, s); send_del_subnet(broadcast, s);
subnet_del(n, s); subnet_del(n, s);
} }

4
src/net_setup.c
View file

@ -339,7 +339,9 @@ bool setup_myself(void) {
if(myself->options & OPTION_TCPONLY) if(myself->options & OPTION_TCPONLY)
myself->options |= OPTION_INDIRECT; myself->options |= OPTION_INDIRECT;
get_config_bool(lookup_config(config_tree, "StrictSubnets"), &strictsubnets);
get_config_bool(lookup_config(config_tree, "TunnelServer"), &tunnelserver); get_config_bool(lookup_config(config_tree, "TunnelServer"), &tunnelserver);
strictsubnets |= tunnelserver;
if(get_config_string(lookup_config(config_tree, "Mode"), &mode)) { if(get_config_string(lookup_config(config_tree, "Mode"), &mode)) {
if(!strcasecmp(mode, "router")) if(!strcasecmp(mode, "router"))
@ -485,7 +487,7 @@ bool setup_myself(void) {
graph(); graph();
if(tunnelserver) if(strictsubnets)
load_all_subnets(); load_all_subnets();
/* Open device */ /* Open device */

1
src/protocol.c
View file

@ -29,6 +29,7 @@
#include "xalloc.h" #include "xalloc.h"
bool tunnelserver = false; bool tunnelserver = false;
bool strictsubnets = false;
/* Jumptable for the request handlers */ /* Jumptable for the request handlers */

1
src/protocol.h
View file

@ -53,6 +53,7 @@ typedef struct past_request_t {
} past_request_t; } past_request_t;
extern bool tunnelserver; extern bool tunnelserver;
extern bool strictsubnets;
/* Maximum size of strings in a request. /* Maximum size of strings in a request.
* scanf terminates %2048s with a NUL character, * scanf terminates %2048s with a NUL character,

11
src/protocol_subnet.c
View file

@ -112,6 +112,13 @@ bool add_subnet_h(connection_t *c) {
return true; return true;
} }
/* Ignore if strictsubnets is true, but forward it to others */
if(strictsubnets) {
forward_request(c);
return true;
}
/* If everything is correct, add the subnet to the list of the owner */ /* If everything is correct, add the subnet to the list of the owner */
*(new = new_subnet()) = s; *(new = new_subnet()) = s;
@ -198,6 +205,8 @@ bool del_subnet_h(connection_t *c) {
if(!find) { if(!find) {
ifdebug(PROTOCOL) logger(LOG_WARNING, "Got %s from %s (%s) for %s which does not appear in his subnet tree", ifdebug(PROTOCOL) logger(LOG_WARNING, "Got %s from %s (%s) for %s which does not appear in his subnet tree",
"DEL_SUBNET", c->name, c->hostname, name); "DEL_SUBNET", c->name, c->hostname, name);
if(strictsubnets)
forward_request(c);
return true; return true;
} }
@ -216,6 +225,8 @@ bool del_subnet_h(connection_t *c) {
/* Tell the rest */ /* Tell the rest */
forward_request(c); forward_request(c);
if(strictsubnets)
return true;
/* Finally, delete it. */ /* Finally, delete it. */