Added -c parameter in supernode to list the allowed communities

6 years ago · e8cad3e5ec
9 changed files with 1341 additions and 196 deletions
--- a/allowed_communities.sample
+++ b/allowed_communities.sample
@ -0,0 +1,5 @@
 #
 # List of allowed communities
 #
 hello
 world
--- a/edge.c
+++ b/edge.c
@ -147,7 +147,7 @@ static void help() {
  printf("-k <encrypt key>         | Encryption key (ASCII) - also N2N_KEY=<encrypt key>. Not with -K.\n");
  printf("-K <key file>            | Specify a key schedule file to load. Not with -k.\n");
  printf("-s <netmask>             | Edge interface netmask in dotted decimal notation (255.255.255.0).\n");
-  printf("-l <supernode host:port> | Supernode IP:port\n");
+  printf("-l <supernode host:port> | Supernode IP:port. Repeat -l for multiple supernodes configuration\n");
  printf("-b                       | Periodically resolve supernode IP\n");
  printf("                         | (when supernodes are running on dynamic IPs)\n");
  printf("-p <local port>          | Fixed local UDP port.\n");
--- a/edge_utils.c
+++ b/edge_utils.c
@ -264,19 +264,12 @@ void set_peer_operational(n2n_edge_t * eee,
      scan = scan->next;
    }
-  if(scan)
+  if(scan) {
    {
      /* Remove scan from pending_peers. */
      if(prev)
        {
 	prev->next = scan->next;
        }
      else
        {
 	eee->pending_peers = scan->next;
        }
      /* Add scan to known_peers. */
      scan->next = eee->known_peers;
@ -298,10 +291,8 @@ void set_peer_operational(n2n_edge_t * eee,
      scan->last_seen = time(NULL);
    }
  else
    {
    traceEvent(TRACE_DEBUG, "Failed to find sender in pending_peers.");
 }
 }
 /* ************************************** */
--- a/n2n.c
+++ b/n2n.c
@ -264,6 +264,7 @@ void print_n2n_version() {
 */
 struct peer_info * find_peer_by_mac(struct peer_info * list, const n2n_mac_t mac)
 {
  /* TODO - replace a list with a hashtable */
  while(list != NULL)
    {
      if(0 == memcmp(mac, list->mac_addr, 6))
--- a/n2n.h
+++ b/n2n.h
@ -102,7 +102,9 @@ typedef struct ether_hdr ether_hdr_t;
 #include <unistd.h>
 #include <assert.h>
 #include <sys/stat.h>
 #include "minilzo.h"
 #include "uthash.h"
 #define closesocket(a) close(a)
 #endif /* #ifndef WIN32 */
--- a/sn.c
+++ b/sn.c
@ -20,7 +20,6 @@
 #include "n2n.h"
 #define N2N_SN_LPORT_DEFAULT 7654
 #define N2N_SN_PKTBUF_SIZE   2048
@ -50,6 +49,12 @@ struct n2n_sn {
 typedef struct n2n_sn n2n_sn_t;
 struct n2n_allowed_communities {
  char  community[N2N_COMMUNITY_SIZE];
  UT_hash_handle   hh; /* makes this structure hashable */
 };
 static struct n2n_allowed_communities *allowed_communities = NULL;
 static int try_forward( n2n_sn_t * sss, 
                        const n2n_common_t * cmn,
@ -107,8 +112,7 @@ static void deinit_sn( n2n_sn_t * sss )
 *  If the supernode has been put into a pre-shutdown phase then this lifetime
 *  should not allow registrations to continue beyond the shutdown point.
 */
-static uint16_t reg_lifetime( n2n_sn_t * sss )
+static uint16_t reg_lifetime( n2n_sn_t * sss ) {
 {
  return 120;
 }
@ -119,8 +123,7 @@ static int update_edge( n2n_sn_t * sss,
                        const n2n_mac_t edgeMac,
                        const n2n_community_t community,
                        const n2n_sock_t * sender_sock,
-                        time_t now)
+                        time_t now) {
 {
  macstr_t            mac_buf;
  n2n_sock_str_t      sockbuf;
  struct peer_info *  scan;
@ -378,6 +381,61 @@ static int process_mgmt( n2n_sn_t * sss,
  return 0;
 }
 /** Check if the specified community is allowed by the
 *  supernode configuration
 *  @return 0 = community not allowed, 1 = community allowed
 *
 */
 static int allowed_n2n_community(n2n_common_t *cmn) {
  if(allowed_communities != NULL) {
    struct n2n_allowed_communities *c;
    HASH_FIND_STR(allowed_communities, (const char*)cmn->community, c);
    return((c == NULL) ? 0 : 1);
  } else {
    /* If no allowed community is defined, all communities are allowed */
  }
  return(1);
 }
 /** Load the list of allowed communities. Existing/previous ones will be removed
 *
 */
 static int load_allowed_n2n_communities(char *path) {
  char buffer[4096], *line;
  FILE *fd = fopen(path, "r");
  struct n2n_allowed_communities *s, *tmp;
  u_int32_t num_communities = 0;
  if(fd == NULL) {
    traceEvent(TRACE_WARNING, "File %s not found", path);
    return -1;
  }
  HASH_ITER(hh, allowed_communities, s, tmp)
    free(s);
  while((line = fgets(buffer, sizeof(buffer), fd)) != NULL) {
    if((strlen(line) < 2) || line[0] == '#')
      continue;
    s = (struct n2n_allowed_communities*)malloc(sizeof(struct n2n_allowed_communities));
    if(s != NULL) {
      strncpy((char*)s->community, line, N2N_COMMUNITY_SIZE);
      HASH_ADD_STR(allowed_communities, community, s);
      num_communities++;
    }
  }
  fclose(fd);
  traceEvent(TRACE_NORMAL, "Loaded %u communities from %s",
 	     num_communities, path);
  return(0);
 }
 /** Examine a datagram and determine what to do with it.
 *
@ -565,11 +623,17 @@ static int process_udp( n2n_sn_t * sss,
    size_t                          encx=0;
    /* Edge requesting registration with us.  */        
    sss->stats.last_reg_super=now;
    ++(sss->stats.reg_super);
    decode_REGISTER_SUPER( &reg, &cmn, udp_buf, &rem, &idx );
    /*
      Before we move any further, we need to check if the requested
      community is allowed by the supernode. In case it is not we do
      not report any message back to the edge to hide the supernode
      existance (better from the security standpoint)
    */
    if(allowed_n2n_community(&cmn)) {
      cmn2.ttl = N2N_DEFAULT_TTL;
      cmn2.pc = n2n_register_super_ack;
      cmn2.flags = N2N_FLAGS_SOCKET | N2N_FLAGS_FROM_SUPERNODE;
@ -600,7 +664,7 @@ static int process_udp( n2n_sn_t * sss,
      traceEvent( TRACE_DEBUG, "Tx REGISTER_SUPER_ACK for %s [%s]",
 		  macaddr_str( mac_buf, reg.edgeMac ),
 		  sock_to_cstr( sockbuf, &(ack.sock) ) );
-
+    }
  }
  return 0;
@ -618,6 +682,7 @@ static void help()
 	 );
  printf("supernode ");
  printf("-l <lport> ");
  printf("-c <community file path> ");
  printf("[-f] ");
  printf("[-v] ");
  printf("\n\n");
@ -639,17 +704,21 @@ static int run_loop( n2n_sn_t * sss );
 /* *************************************************** */
-static int setOption(int optkey, char *optarg, n2n_sn_t *sss) {
+static int setOption(int optkey, char *_optarg, n2n_sn_t *sss) {
-  //traceEvent(TRACE_NORMAL, "Option %c = %s", optkey, optarg ? optarg : "");
+  //traceEvent(TRACE_NORMAL, "Option %c = %s", optkey, _optarg ? _optarg : "");
  switch(optkey) {
  case 'l': /* local-port */
    {
-      sss->lport = atoi(optarg);
+      sss->lport = atoi(_optarg);
      break;
    }
  case 'c': /* community file */
    load_allowed_n2n_communities(optarg);
    break;
  case 'f': /* foreground */
    {
      sss->daemon = 0;
@ -695,7 +764,7 @@ static int loadFromCLI(int argc, char * const argv[], n2n_sn_t *sss) {
  u_char c;
  while((c = getopt_long(argc, argv,
-			 "fl:vh",
+			 "fl:c:vh",
 			 long_options, NULL)) != '?') {
    if(c == 255) break;
    setOption(c, optarg, sss);
--- a/supernode.1
+++ b/supernode.1
@ -2,7 +2,7 @@
 .SH NAME
 supernode \- n2n supernode daemon
 .SH SYNOPSIS
-.B supernode \-l <port> [\-v]
+.B supernode \-l <port> -c <community file path>[\-v]
 .SH DESCRIPTION
 N2N is a peer-to-peer VPN system. Supernode is a node introduction registry,
 broadcast conduit and packet relay node for the n2n system. On startup supernode
@ -21,6 +21,9 @@ All logging goes to stdout.
 \-l <port>
 listen on the given UDP port
 .TP
 \-c <community file path>
 Load the list of allowed n2n communities from file. Default: all communities are allowed
 .TP
 \-v
 use verbose logging
 .TP
--- a/uthash.h
+++ b/uthash.h