From: Guus Sliepen Date: Mon, 1 Mar 2010 23:18:44 +0000 (+0100) Subject: Add the StrictSubnets option. X-Git-Tag: release-1.0.13~16 X-Git-Url: https://tinc-vpn.org/git/browse?a=commitdiff_plain;h=5038964032ef55913b2d4741c67bf191b2208abb;p=tinc Add the StrictSubnets option. When this option is enabled, tinc will not accept dynamic updates of Subnets from other nodes, but will only use Subnets read from local host config files to build its routing table. --- diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in index e6b35532..6f8db9c0 100644 --- a/doc/tinc.conf.5.in +++ b/doc/tinc.conf.5.in @@ -308,11 +308,18 @@ specified in the configuration file. When this option is used the priority of the tincd process will be adjusted. Increasing the priority may help to reduce latency and packet loss on the VPN. +.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental +When this option is enabled tinc will only use Subnet statements which are +present in the host config files in the local +.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ +directory. + .It Va TunnelServer Li = yes | no Po no Pc Bq experimental When this option is enabled tinc will no longer forward information between other tinc daemons, -and will only allow nodes and subnets on the VPN which are present in the +and will only allow connections with nodes for which host config files are present in the local .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ directory. +Setting this options also implicitly sets StrictSubnets. .El .Sh HOST CONFIGURATION FILES diff --git a/doc/tinc.texi b/doc/tinc.texi index 71babb1c..5d0bf31f 100644 --- a/doc/tinc.texi +++ b/doc/tinc.texi @@ -928,11 +928,18 @@ specified in the configuration file. When this option is used the priority of the tincd process will be adjusted. Increasing the priority may help to reduce latency and packet loss on the VPN. +@cindex StrictSubnets +@item StrictSubnets (no) [experimental] +When this option is enabled tinc will only use Subnet statements which are +present in the host config files in the local +@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory. + @cindex TunnelServer @item TunnelServer = (no) [experimental] When this option is enabled tinc will no longer forward information between other tinc daemons, -and will only allow nodes and subnets on the VPN which are present in the +and will only allow connections with nodes for which host config files are present in the local @file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory. +Setting this options also implicitly sets StrictSubnets. @end table diff --git a/src/net.c b/src/net.c index feec8d6b..309ebe4e 100644 --- a/src/net.c +++ b/src/net.c @@ -68,7 +68,7 @@ static void purge(void) { for(snode = n->subnet_tree->head; snode; snode = snext) { snext = snode->next; s = snode->data; - if(!tunnelserver) + if(!strictsubnets) send_del_subnet(broadcast, s); subnet_del(n, s); } diff --git a/src/net_setup.c b/src/net_setup.c index cad84ccb..cb606caa 100644 --- a/src/net_setup.c +++ b/src/net_setup.c @@ -339,7 +339,9 @@ bool setup_myself(void) { if(myself->options & OPTION_TCPONLY) myself->options |= OPTION_INDIRECT; + get_config_bool(lookup_config(config_tree, "StrictSubnets"), &strictsubnets); get_config_bool(lookup_config(config_tree, "TunnelServer"), &tunnelserver); + strictsubnets |= tunnelserver; if(get_config_string(lookup_config(config_tree, "Mode"), &mode)) { if(!strcasecmp(mode, "router")) @@ -485,7 +487,7 @@ bool setup_myself(void) { graph(); - if(tunnelserver) + if(strictsubnets) load_all_subnets(); /* Open device */ diff --git a/src/protocol.c b/src/protocol.c index f09aff65..9d7c349f 100644 --- a/src/protocol.c +++ b/src/protocol.c @@ -29,6 +29,7 @@ #include "xalloc.h" bool tunnelserver = false; +bool strictsubnets = false; /* Jumptable for the request handlers */ diff --git a/src/protocol.h b/src/protocol.h index 703f74bf..2aed26d1 100644 --- a/src/protocol.h +++ b/src/protocol.h @@ -53,6 +53,7 @@ typedef struct past_request_t { } past_request_t; extern bool tunnelserver; +extern bool strictsubnets; /* Maximum size of strings in a request. * scanf terminates %2048s with a NUL character, diff --git a/src/protocol_subnet.c b/src/protocol_subnet.c index 7098e2a0..c2846224 100644 --- a/src/protocol_subnet.c +++ b/src/protocol_subnet.c @@ -112,6 +112,13 @@ bool add_subnet_h(connection_t *c) { return true; } + /* Ignore if strictsubnets is true, but forward it to others */ + + if(strictsubnets) { + forward_request(c); + return true; + } + /* If everything is correct, add the subnet to the list of the owner */ *(new = new_subnet()) = s; @@ -198,6 +205,8 @@ bool del_subnet_h(connection_t *c) { if(!find) { ifdebug(PROTOCOL) logger(LOG_WARNING, "Got %s from %s (%s) for %s which does not appear in his subnet tree", "DEL_SUBNET", c->name, c->hostname, name); + if(strictsubnets) + forward_request(c); return true; } @@ -216,6 +225,8 @@ bool del_subnet_h(connection_t *c) { /* Tell the rest */ forward_request(c); + if(strictsubnets) + return true; /* Finally, delete it. */