racks/kaya-go
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

push

Browse source
This commit is contained in:
Racks 2026-03-01 17:01:47 +01:00
commit 1d167420c3
89 changed files with 10707 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

980
CHANGELOG.md Normal file
View file

@ -0,0 +1,980 @@
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
<!-- Use this as a template
## [X.Y.Z] - YYYY-MM-DD
### Added
- for new features.
### Changed
- for changes in existing functionality.
### Deprecated
- for soon-to-be removed features.
### Removed
- for now removed features.
### Fixed
- for any bug fixes.
### Security
- in case of vulnerabilities.
-->
## [0.5.13] - 2026-02-24
* Go 1.24 is now required to build Kaya
### Added
* Pledge is now used on OpenBSD to drop privileges after startup
* `kayactl getPeers` can now optionally sort the peers using `sort=uptime` or `sort=cost`
### Changed
* The routing algorithm now tries to minimise both the cost and remaining tree distance to the destination, which should improve some cases where direct paths were ignored in favour of indirect paths
* The `?maxbackoff=X` time for a peering can now be configured as low as 5 seconds (previously 30 seconds)
* Reduced memory allocations needed to parse paths or calculate ancestry
* Upgrade dependencies
* `kayactl` now renders table borders/separators, can be disabled with `-borders=false`
### Fixed
* `getPeers` no longer incorrectly surfaces error states that haven't happened
* Kaya will no longer attempt reconnections after detecting that a peering connection is to itself
* Disabling TUN with `IfName: none` no longer results in backpressure building up that could block lower layers
* Outbound connections to link-local addresses should now work correctly on Android
* `addPeers` no longer allows configuring an empty peer URI
## [0.5.12] - 2024-12-18
* Go 1.22 is now required to build Kaya
### Changed
* The `latency_ms` field in the admin socket `getPeers` response has been renamed to `latency`
### Fixed
* A timing regression which causes a higher level of idle protocol traffic on each peering has been fixed
* The `-user` flag now correctly detects an empty user/group specification
## [0.5.11] - 2024-12-12
### Added
* Support for `unveil` and `pledge` on OpenBSD
### Changed
* The parent selection algorithm now only chooses a new parent if there is a larger cost benefit to doing so, which should help to stabilise the tree
* The bloom filters are now repropagated periodically, to avoid nodes getting stuck with bad state
### Fixed
* A memory leak caused by missed cleanup of the peer response map has been fixed
* Other bug fixes with bloom filter propagation for off-tree filters and zero vs one bits
* TLS-based peering connections now support TLS 1.2 again
## [0.5.10] - 2024-11-24
### Added
* The `getPeers` admin endpoint will now report the current transmit/receive rate for each given peer
* The `getMulticastInterfaces` admin endpoint now reports much more useful information about each interface, rather than just a list of interface names
### Changed
* Minor tweaks to the routing algorithm:
* The next-hop selection will now prefer shorter paths when the costed distance is otherwise equal, tiebreaking on peering uptime to fall back to more stable paths
* Link cost calculations have been smoothed out, making the costs less sensitive to sudden spikes in latency
* Reusable name lookup and peer connection logic across different peering types for more consistent behaviour
* Some comments in the configuration file have been revised for clarity
* Upgrade dependencies
### Fixed
* Nodes with `IfName` set to `none` will now correctly respond to debug RPC requests
* The admin socket will now be created reliably before dropping privileges with `-user`
* Clear supplementary groups when providing a group ID as well as a user ID to `-user`
* SOCKS and WebSocket peerings should now use the correct source interface when specified in `InterfacePeers`
* `Peers` and `InterfacePeers` addresses that are obviously invalid (such as unspecified or multicast addresses) will now be correctly ignored
* Listeners should now shut down correctly, which should resolve issues where multicast listeners for specific interfaces would not come back up or would log errors
## [0.5.9] - 2024-10-19
### Added
* New command line option `-user` for changing the process UID/GID
### Changed
* The routing algorithm has been updated with RTT-aware link costing, which should prefer lower latency links over higher latency links where possible
* The calculated cost is an average of the link RTT, but newly established links are costed higher to begin with, such that unstable peerings can be avoided
* Link costs are only used where multiple next-hops are available and will be ignored if there is only one loop-free path to the destination
* This is protocol-compatible with existing v0.5.x nodes but will have the best results when peering with nodes that are also running the latest version
* The `getPeers` endpoint will now report the calculated link cost for each given peer
* Upgrade dependencies
### Fixed
* Multicast discovery should now work again when building Kaya as an Android framework
* Multicast discovery will now correctly ignore interfaces that are not marked as running
* Ephemeral links, such as those added by multicast, will no longer try to reconnect in a fast loop, fixing a high CPU issue
* The TUN interface will no longer stop working when hitting a segment read error from vectorised reads
* The `AllowedPublicKeys` option will once again no longer apply to multicast peerings, as was originally intended
* A potential panic when shutting down peering links has been fixed
* A redundant system call for setting MTU on OpenBSD has been removed
## [0.5.8] - 2024-08-12
### Fixed
* A bug which caused startup problems on Windows and FreeBSD should be fixed
* Resolved some minor link state and listener management bugs during shutdown
## [0.5.7] - 2024-08-05
### Added
* WebSocket support for peerings, by using the new `ws://` scheme in `Listen` and `Peers`
* Additionally, the `wss://` scheme can be used to connect to a WebSocket peer behind a HTTPS reverse proxy
### Changed
* On Linux, the TUN adapter now uses vectorised reads/writes where possible, which should reduce the amount of CPU time spent on syscalls and potentially improve throughput
* Link error handling has been improved and various link error messages have been rewritten to be clearer
* Upgrade dependencies
### Fixed
* Multiple multicast connections to the same remote machine should now work correctly
* You may get two connections in some cases, one inbound and one outbound, this is known and will not cause problems
* Running as a Windows service should be more reliable with service startup and shutdown bugs fixed
## [0.5.6] - 2024-05-30
* Go 1.21 is now required to build Kaya
### Added
* The `getPeers` endpoint now reports the RTT/latency of directly connected peers
### Changed
* The tree parent selection algorithm now prefers the lowest latency peers instead of the most stable
* Session key exchange logic has been changed to improve throughput and reduce occasional jitter
### Fixed
* Bloom filter hashing now works correctly on big-endian architectures
* Incorrect buffer pool usage has been fixed, reducing memory allocations
* The multicast beacon interval now backs off correctly, reducing the number of beacons sent
* A denial-of-service vulnerability in the QUIC library has been fixed with a dependency update
## [0.5.5] - 2024-01-27
### Added
* A new peer option `?maxbackoff=X` has been added to control the maximum backoff time for a given peer, supports duration values like `5m`, `1h` etc
### Changed
* The maximum backoff period for failing peer connections has been reduced to just over 1 hour, compared to 4.5 hours before
* The `getPeers` endpoint now sorts peers in a more stable fashion
* Upgrade dependencies
### Fixed
* A bug where QUIC listeners could stop listening for incoming connections unexpectedly has been fixed
* The priority tiebreak between multiple peerings to the same node has been fixed
* Peer connection ordering is no longer sensitive to poor system time resolution
* The admin socket now verifies the length of input public keys
* The `PPROFLISTEN` environment variable has been fixed and now starts the pprof listener correctly
* A panic in `getPeers` has been fixed when using abstract UNIX sockets on Linux
## [0.5.4] - 2023-11-27
### Fixed
* Fixed a crash that could happen when calculating the size of bloom filters during encoding
## [0.5.3] - 2023-11-26
### Fixed
* Fixed a data race from buffered pathfinder traffic
* Fix a bug where the next-hop selection may not take shortcuts through treespace
* Backoffs are now reset correctly when a successful handshake is completed
* Backoffs will no longer exceed roughly 4.5 hours when peers are down for a long time
* The `-normaliseconf` option will now work correctly with `PrivateKeyPath`
* Improved the reliability of QUIC peering setup by disabling 0-RTT
## [0.5.2] - 2023-11-06
### Added
* New `-publickey` command line option that prints the derived public key from a configuration file
* Support for connecting to TLS peers via SOCKS with the new `sockstls://` link schema
### Changed
* Stabilise tree parent selection algorithm
* Improved logging when the TUN interface fails to set up
### Fixed
* Fixed a panic that could occur when a connection reaches an inconsistent error state
* The admin socket will now report more peering handshake error conditions in `getPeers`
* Kaya will no longer panic at startup when duplicate peers are configured
* The `build` script will no longer incorrectly import `LDFLAGS` from the environment
## [0.5.1] - 2023-10-28
### Fixed
* Fix the Debian package so that upgrades are handled more smoothly
## [0.5.0] - 2023-10-28
### Added
* Authenticated peering handshake with optional password, i.e.
* For listeners: `tls://[::]:12345?password=123456abcdef`
* For peers: `tls://a.b.c.d:12345?password=123456abcdef`
* For multicast interfaces with the new `Password` option in each `MulticastInterfaces` section
* Maximum password length is 64 characters
* QUIC support for peerings, by using the new `quic://` scheme in `Listen` and `Peers`
* This has not been extensively tested and may perform worse than TCP or TLS peers
* The private key can now be stored in PEM format separately to the main configuration file with the new `PrivateKeyPath` configuration file option
* Use the `-exportkey` flag to export the key to a file from an existing config
### Changed
* New routing scheme, which is backwards incompatible with previous versions of Kaya
* The wire protocol version number, exchanged as part of the peer setup handshake, has been increased to 0.5
* Nodes running this new version **will not** be able to peer with earlier versions of Kaya
* A DHT is no longer used to map public keys and routes through treespace
* Bloom filters are used to track on-tree links and nodes reachable via that link
* Nodes now gossip separate per-link information which is tracked in CRDT structures, forcing local consistency and preventing unnecessary flapping when a route to the root node has changed or is broken
* Greedy routing is once again used instead of source routing
* Per-link keepalives have been replaced with periodic acknowledgements, reducing idle bandwidth
* The link handshake and multicast beacon formats have been revised for better future extensibility
* The link code has been refactored for more robust tracking of peering states
* As a result, the admin socket is now able to report information about configured peerings that are down
* Reconnect intervals are now tracked separately for each configured peer with exponential backoffs
### Removed
* Kaya will no longer request BBR congestion control for TCP and TLS peerings on Linux
## [0.4.7] - 2022-11-20
### Added
* Dropped outbound peerings will now try to reconnect after a single second, rather than waiting up to 60 seconds for the normal peer timer
### Changed
* Session encryption keys are now rotated at most once per minute, which reduces CPU usage and improves throughput on fast low latency links
* Buffers are now reused in the session encryption handler, which improves session throughput and reduces memory allocations
* Buffers are now reused in the router for DHT and path traffic, which improves overall routing throughput and reduces memory allocations
### Fixed
* A bug in the admin socket where requests fail unless `arguments` is specified has been fixed
* Certificates on TLS listeners will no longer expire after a year
* The `-address` and `-subnet` command line options now return a useful warning when no configuration is specified
## [0.4.6] - 2022-10-25
### Added
* Support for prioritising multiple peerings to the same node has been added, useful for nodes with multiple network interfaces
* The priority can be configured by specifying `?priority=X` in a `Peers` or `Listen` URI, or by specifying `Priority` within a `MulticastInterfaces` configuration entry
* Priorities are values between 0 and 254 (default is 0), lower numbers are prioritised and nodes will automatically negotiate the higher of the two values
### Changed
* On Linux, `SO_REUSEADDR` is now used on the multicast port instead of `SO_REUSEPORT`, which should allow processes running under different users to run simultaneously
### Fixed
* Adding peers using the `InterfacePeers` configuration option should now work correctly again
* Multiple connections from the same remote IP address will no longer be incorrectly dropped
* The admin socket will no longer incorrectly claim TCP connections as TLS
* A panic that could occur when calling `GetPeers` while a peering link is being set up has been fixed
## [0.4.5] - 2022-10-15
### Added
* Support for peering over UNIX sockets is now available, by configuring `Listen` and peering URIs in the `unix:///path/to/socket.sock` format
### Changed
* `kayactl` has been refactored and now has cleaner output
* It is now possible to `addPeer` and `removePeer` using the admin socket again
* The `getSessions` admin socket call reports number of bytes received and transmitted again
* The link setup code has been refactored, making it easier to support new peering types in the future
* Kaya now maintains configuration internally, rather than relying on a shared and potentially mutable structure
### Fixed
* Tracking information about expired root nodes has been fixed, which should hopefully resolve issues with reparenting and connection failures when the root node disappears
* A bug in the mobile framework code which caused a crash on Android when multicast failed to set up has been fixed
* Kaya should now shut down gracefully and clean up correctly when running as a Windows service
## [0.4.4] - 2022-07-07
### Fixed
* ICMPv6 "Packet Too Big" payload size has been increased, which should fix Path MTU Discovery (PMTUD) when two nodes have different `IfMTU` values configured
* A crash has been fixed when handling debug packet responses
* `kayactl getSelf` should now report coordinates correctly again
### Changed
* Go 1.20 is now required to build Kaya
## [0.4.3] - 2022-02-06
### Added
* `bytes_sent`, `bytes_recvd` and `uptime` have been added to `getPeers`
* Clearer logging when connections are rejected due to incompatible peer versions
### Fixed
* Latency-based parent selection tiebreak is now reliable on platforms even with low timer resolution
* Tree distance calculation offsets have been corrected
## [0.4.2] - 2021-11-03
### Fixed
* Reverted a dependency update which resulted in problems building with Go 1.16 and running on Windows
## [0.4.1] - 2021-11-03
### Added
* TLS peerings now support Server Name Indication (SNI)
* The SNI is sent automatically if the peering URI contains a DNS name
* A custom SNI can be specified by adding the `?sni=domain.com` parameter to the peering URI
* A new `ipv6rwc` API package now implements the IPv6-specific logic separate from the `tun` package
### Fixed
* A crash when calculating the partial public key for very high IPv6 addresses has been fixed
* A crash due to a concurrent map write has been fixed
* A crash due to missing TUN configuration has been fixed
* A race condition in the keystore code has been fixed
## [0.4.0] - 2021-07-04
### Added
* New routing scheme, which is backwards incompatible with previous versions of Kaya
* The wire protocol version number, exchanged as part of the peer setup handshake, has been increased to 0.4
* Nodes running this new version **will not** be able to peer with earlier versions of Kaya
* Please note that **the network may be temporarily unstable** while infrastructure is being upgraded to the new release
* TLS connections now use public key pinning
* If no public key was already pinned, then the public key received as part of the TLS handshake is pinned to the connection
* The public key received as part of the handshake is checked against the pinned keys, and if no match is found, the connection is rejected
### Changed
* IP addresses are now derived from ed25519 public (signing) keys
* Previously, addresses were derived from a hash of X25519 (Diffie-Hellman) keys
* Importantly, this means that **all internal IPv6 addresses will change with this release** — this will affect anyone running public services or relying on Kaya for remote access
* It is now recommended to peer over TLS
* Link-local peers from multicast peer discovery will now connect over TLS, with the key from the multicast beacon pinned to the connection
* `socks://` peers now expect the destination endpoint to be a `tls://` listener, instead of a `tcp://` listener
* Multicast peer discovery is now more configurable
* There are separate configuration options to control if beacons are sent, what port to listen on for incoming connections (if sending beacons), and whether or not to listen for beacons from other nodes (and open connections when receiving a beacon)
* Each configuration entry in the list specifies a regular expression to match against interface names
* If an interface matches multiple regex in the list, it will use the settings for the first entry in the list that it matches with
* The session and routing code has been entirely redesigned and rewritten
* This is still an early work-in-progress, so the code hasn't been as well tested or optimized as the old code base — please bear with us for these next few releases as we work through any bugs or issues
* Generally speaking, we expect to see reduced bandwidth use and improved reliability with the new design, especially in cases where nodes move around or change peerings frequently
* Cryptographic sessions no longer use a single shared (ephemeral) secret for the entire life of the session. Keys are now rotated regularly for ongoing sessions (currently rotated at least once per round trip exchange of traffic, subject to change in future releases)
* Source routing has been added. Under normal circumstances, this is what is used to forward session traffic (e.g. the user's IPv6 traffic)
* DHT-based routing has been added. This is used when the sender does not know a source route to the destination. Forwarding through the DHT is less efficient, but the only information that it requires the sender to know is the destination node's (static) key. This is primarily used during the key exchange at session setup, or as a temporary fallback when a source route fails due to changes in the network
* The new DHT design is no longer RPC-based, does not support crawling and does not inherently allow nodes to look up the owner of an arbitrary key. Responding to lookups is now implemented at the application level and a response is only sent if the destination key matches the node's `/128` IP or `/64` prefix
* The greedy routing scheme, used to forward all traffic in previous releases, is now only used for protocol traffic (i.e. DHT setup and source route discovery)
* The routing logic now lives in a [standalone library](https://github.com/Arceliar/ironwood). You are encouraged **not** to use it, as it's still considered pre-alpha, but it's available for those who want to experiment with the new routing algorithm in other contexts
* Session MTUs may be slightly lower now, in order to accommodate large packet headers if required
* Many of the admin functions available over `kayactl` have been changed or removed as part of rewrites to the code
* Several remote `debug` functions have been added temporarily, to allow for crawling and census gathering during the transition to the new version, but we intend to remove this at some point in the (possibly distant) future
* The list of available functions will likely be expanded in future releases
* The configuration file format has been updated in response to the changed/removed features
### Removed
* Tunnel routing (a.k.a. crypto-key routing or "CKR") has been removed
* It was far too easy to accidentally break routing altogether by capturing the route to peers with the TUN adapter
* We recommend tunnelling an existing standard over Kaya instead (e.g. `ip6gre`, `ip6gretap` or other similar encapsulations, using Kaya IPv6 addresses as the tunnel endpoints)
* All `TunnelRouting` configuration options will no longer take effect
* Session firewall has been removed
* This was never a true firewall — it didn't behave like a stateful IP firewall, often allowed return traffic unexpectedly and was simply a way to prevent a node from being flooded with unwanted sessions, so the name could be misleading and usually lead to a false sense of security
* Due to design changes, the new code needs to address the possible memory exhaustion attacks in other ways and a single configurable list no longer makes sense
* Users who want a firewall or other packet filter mechansim should configure something supported by their OS instead (e.g. `ip6tables`)
* All `SessionFirewall` configuration options will no longer take effect
* `SIGHUP` handling to reload the configuration at runtime has been removed
* It was not obvious which parts of the configuration could be reloaded at runtime, and which required the application to be killed and restarted to take effect
* Reloading the config without restarting was also a delicate and bug-prone process, and was distracting from more important developments
* `SIGHUP` will be handled normally (i.e. by exiting)
* `cmd/yggrasilsim` has been removed, and is unlikely to return to this repository
## [0.3.16] - 2021-03-18
### Added
* New simulation code under `cmd/kayasim` (work-in-progress)
### Changed
* Multi-threading in the switch
* Swich lookups happen independently for each (incoming) peer connection, instead of being funneled to a single dedicated switch worker
* Packets are queued for each (outgoing) peer connection, instead of being handled by a single dedicated switch worker
* Queue logic rewritten
* Heap structure per peer that traffic is routed to, with one FIFO queue per traffic flow
* The total size of each heap is configured automatically (we basically queue packets until we think we're blocked on a socket write)
* When adding to a full heap, the oldest packet from the largest queue is dropped
* Packets are popped from the queue in FIFO order (oldest packet from among all queues in the heap) to prevent packet reordering at the session level
* Removed global `sync.Pool` of `[]byte`
* Local `sync.Pool`s are used in the hot loops, but not exported, to avoid memory corruption if libraries are reused by other projects
* This may increase allocations (and slightly reduce speed in CPU-bound benchmarks) when interacting with the tun/tap device, but traffic forwarded at the switch layer should be unaffected
* Upgrade dependencies
* Upgrade build to Go 1.16
### Fixed
* Fixed a bug where the connection listener could exit prematurely due to resoruce exhaustion (if e.g. too many connections were opened)
* Fixed DefaultIfName for OpenBSD (`/dev/tun0` -> `tun0`)
* Fixed an issue where a peer could sometimes never be added to the switch
* Fixed a goroutine leak that could occur if a peer with an open connection continued to spam additional connection attempts
## [0.3.15] - 2020-09-27
### Added
* Support for pinning remote public keys in peering strings has been added, e.g.
* By signing public key: `tcp://host:port?ed25519=key`
* By encryption public key: `tcp://host:port?curve25519=key`
* By both: `tcp://host:port?ed25519=key&curve25519=key`
* By multiple, in case of DNS round-robin or similar: `tcp://host:port?curve25519=key&curve25519=key&ed25519=key&ed25519=key`
* Some checks to prevent Kaya-over-Kaya peerings have been added
* Added support for SOCKS proxy authentication, e.g. `socks://user@password:host/...`
### Fixed
* Some bugs in the multicast code that could cause unnecessary CPU usage have been fixed
* A possible multicast deadlock on macOS when enumerating interfaces has been fixed
* A deadlock in the connection code has been fixed
* Updated HJSON dependency that caused some build problems
### Changed
* `DisconnectPeer` and `RemovePeer` have been separated and implemented properly now
* Less nodes are stored in the DHT now, reducing ambient network traffic and possible instability
* Default config file for FreeBSD is now at `/usr/local/etc/kaya.conf` instead of `/etc/kaya.conf`
## [0.3.14] - 2020-03-28
### Fixed
* Fixes a memory leak that may occur if packets are incorrectly never removed from a switch queue
### Changed
* Make DHT searches a bit more reliable by tracking the 16 most recently visited nodes
## [0.3.13] - 2020-02-21
### Added
* Support for the Wireguard TUN driver, which now replaces Water and provides far better support and performance on Windows
* Windows `.msi` installer files are now supported (bundling the Wireguard TUN driver)
* NodeInfo code is now actorised, should be more reliable
* The DHT now tries to store the two closest nodes in either direction instead of one, such that if a node goes offline, the replacement is already known
* The Kaya API now supports dialing a remote node using the public key instead of the Node ID
### Changed
* The `-loglevel` command line parameter is now cumulative and automatically includes all levels below the one specified
* DHT search code has been significantly simplified and processes rumoured nodes in parallel, speeding up search time
* DHT search results are now sorted
* The systemd service now handles configuration generation in a different unit
* The Kaya API now returns public keys instead of node IDs when querying for local and remote addresses
### Fixed
* The multicast code no longer panics when shutting down the node
* A potential OOB error when calculating IPv4 flow labels (when tunnel routing is enabled) has been fixed
* A bug resulting in incorrect idle notifications in the switch should now be fixed
* MTUs are now using a common datatype throughout the codebase
### Removed
* TAP mode has been removed entirely, since it is no longer supported with the Wireguard TUN package. Please note that if you are using TAP mode, you may need to revise your config!
* NetBSD support has been removed until the Wireguard TUN package supports NetBSD
## [0.3.12] - 2019-11-24
### Added
* New API functions `SetMaximumSessionMTU` and `GetMaximumSessionMTU`
* New command line parameters `-address` and `-subnet` for getting the address/subnet from the config file, for use with `-useconffile` or `-useconf`
* A warning is now produced in the Kaya output at startup when the MTU in the config is invalid or has been adjusted for some reason
### Changed
* On Linux, outgoing `InterfacePeers` connections now use `SO_BINDTODEVICE` to prefer an outgoing interface
* The `genkeys` utility is now in `cmd` rather than `misc`
### Fixed
* A data race condition has been fixed when updating session coordinates
* A crash when shutting down when no multicast interfaces are configured has been fixed
* A deadlock when calling `AddPeer` multiple times has been fixed
* A typo in the systemd unit file (for some Linux packages) has been fixed
* The NodeInfo and admin socket now report `unknown` correctly when no build name/version is available in the environment at build time
* The MTU calculation now correctly accounts for ethernet headers when running in TAP mode
## [0.3.11] - 2019-10-25
### Added
* Support for TLS listeners and peers has been added, allowing the use of `tls://host:port` in `Peers`, `InterfacePeers` and `Listen` configuration settings - this allows hiding Kaya peerings inside regular TLS connections
### Changed
* Go 1.13 or later is now required for building Kaya
* Some exported API functions have been updated to work with standard Go interfaces:
* `net.Conn` instead of `kaya.Conn`
* `net.Dialer` (the interface it would satisfy if it wasn't a concrete type) instead of `kaya.Dialer`
* `net.Listener` instead of `kaya.Listener`
* Session metadata is now updated correctly when a search completes for a node to which we already have an open session
* Multicast module reloading behaviour has been improved
### Fixed
* An incorrectly held mutex in the crypto-key routing code has been fixed
* Multicast module no longer opens a listener socket if no multicast interfaces are configured
## [0.3.10] - 2019-10-10
### Added
* The core library now includes several unit tests for peering and `kaya.Conn` connections
### Changed
* On recent Linux kernels, Kaya will now set the `tcp_congestion_control` algorithm used for its own TCP sockets to [BBR](https://github.com/google/bbr), which reduces latency under load
* The systemd service configuration in `contrib` (and, by extension, some of our packages) now attempts to load the `tun` module, in case TUN/TAP support is available but not loaded, and it restricts Kaya to the `CAP_NET_ADMIN` capability for managing the TUN/TAP adapter, rather than letting it do whatever the (typically `root`) user can do
### Fixed
* The `kaya.Conn.RemoteAddr()` function no longer blocks, fixing a deadlock when CKR is used while under heavy load
## [0.3.9] - 2019-09-27
### Added
* Kaya will now complain more verbosely when a peer URI is incorrectly formatted
* Soft-shutdown methods have been added, allowing a node to shut down gracefully when terminated
* New multicast interval logic which sends multicast beacons more often when Kaya is first started to increase the chance of finding nearby nodes quickly after startup
### Changed
* The switch now buffers packets more eagerly in an attempt to give the best link a chance to send, which appears to reduce packet reordering when crossing aggregate sets of peerings
* Substantial amounts of the codebase have been refactored to use the actor model, which should substantially reduce the chance of deadlocks
* Nonce tracking in sessions has been modified so that memory usage is reduced whilst still only allowing duplicate packets within a small window
* Soft-reconfiguration support has been simplified using new actor functions
* The garbage collector threshold has been adjusted for mobile builds
* The maximum queue size is now managed exclusively by the switch rather than by the core
### Fixed
* The broken `hjson-go` dependency which affected builds of the previous version has now been resolved in the module manifest
* Some minor memory leaks in the switch have been fixed, which improves memory usage on mobile builds
* A memory leak in the add-peer loop has been fixed
* The admin socket now reports the correct URI strings for SOCKS peers in `getPeers`
* A race condition when dialing a remote node by both the node address and routed prefix simultaneously has been fixed
* A race condition between the router and the dial code resulting in a panic has been fixed
* A panic which could occur when the TUN/TAP interface disappears (e.g. during soft-shutdown) has been fixed
* A bug in the semantic versioning script which accompanies Kaya for builds has been fixed
* A panic which could occur when the TUN/TAP interface reads an undersized/corrupted packet has been fixed
### Removed
* A number of legacy debug functions have now been removed and a number of exported API functions are now better documented
## [0.3.8] - 2019-08-21
### Changed
* Kaya can now send multiple packets from the switch at once, which results in improved throughput with smaller packets or lower MTUs
* Performance has been slightly improved by not allocating cancellations where not necessary
* Crypto-key routing options have been renamed for clarity
* `IPv4Sources` is now named `IPv4LocalSubnets`
* `IPv6Sources` is now named `IPv6LocalSubnets`
* `IPv4Destinations` is now named `IPv4RemoteSubnets`
* `IPv6Destinations` is now named `IPv6RemoteSubnets`
* The old option names will continue to be accepted by the configuration parser for now but may not be indefinitely
* When presented with multiple paths between two nodes, the switch now prefers the most recently used port when possible instead of the least recently used, helping to reduce packet reordering
* New nonce tracking should help to reduce the number of packets dropped as a result of multiple/aggregate paths or congestion control in the switch
### Fixed
* A deadlock was fixed in the session code which could result in Kaya failing to pass traffic after some time
### Security
* Address verification was not strict enough, which could result in a malicious session sending traffic with unexpected or spoofed source or destination addresses which Kaya could fail to reject
* Versions `0.3.6` and `0.3.7` are vulnerable - users of these versions should upgrade as soon as possible
* Versions `0.3.5` and earlier are not affected
## [0.3.7] - 2019-08-14
### Changed
* The switch should now forward packets along a single path more consistently in cases where congestion is low and multiple equal-length paths exist, which should improve stability and result in fewer out-of-order packets
* Sessions should now be more tolerant of out-of-order packets, by replacing a bitmask with a variable sized heap+map structure to track recently received nonces, which should reduce the number of packets dropped due to reordering when multiple paths are used or multiple independent flows are transmitted through the same session
* The admin socket can no longer return a dotfile representation of the known parts of the network, this could be rebuilt by clients using information from `getSwitchPeers`,`getDHT` and `getSessions`
### Fixed
* A number of significant performance regressions introduced in version 0.3.6 have been fixed, resulting in better performance
* Flow labels are now used to prioritise traffic flows again correctly
* In low-traffic scenarios where there are multiple peerings between a pair of nodes, Kaya now prefers the most active peering instead of the least active, helping to reduce packet reordering
* The `Listen` statement, when configured as a string rather than an array, will now be parsed correctly
* The admin socket now returns `coords` as a correct array of unsigned 64-bit integers, rather than the internal representation
* The admin socket now returns `box_pub_key` in string format again
* Sessions no longer leak/block when no listener (e.g. TUN/TAP) is configured
* Incoming session connections no longer block when a session already exists, which results in less leaked goroutines
* Flooded sessions will no longer block other sessions
* Searches are now cleaned up properly and a couple of edge-cases with duplicate searches have been fixed
* A number of minor allocation and pointer fixes
## [0.3.6] - 2019-08-03
### Added
* Kaya now has a public API with interfaces such as `kaya.ConnDialer`, `kaya.ConnListener` and `kaya.Conn` for using Kaya as a transport directly within applications
* Session gatekeeper functions, part of the API, which can be used to control whether to allow or reject incoming or outgoing sessions dynamically (compared to the previous fixed whitelist/blacklist approach)
* Support for logging to files or syslog (where supported)
* Platform defaults now include the ability to set sane defaults for multicast interfaces
### Changed
* Following a massive refactoring exercise, Kaya's codebase has now been broken out into modules
* Core node functionality in the `kaya` package with a public API
* This allows Kaya to be integrated directly into other applications and used as a transport
* IP-specific code has now been moved out of the core `kaya` package, making Kaya effectively protocol-agnostic
* Multicast peer discovery functionality is now in the `multicast` package
* Admin socket functionality is now in the `admin` package and uses the Kaya public API
* TUN/TAP, ICMPv6 and all IP-specific functionality is now in the `tuntap` package
* `PPROF` debug output is now sent to `stderr` instead of `stdout`
* Node IPv6 addresses on macOS are now configured as `secured`
* Upstream dependency references have been updated, which includes a number of fixes in the Water library
### Fixed
* Multicast discovery is no longer disabled if the nominated interfaces aren't available on the system yet, e.g. during boot
* Multicast interfaces are now re-evaluated more frequently so that Kaya doesn't need to be restarted to use interfaces that have become available since startup
* Admin socket error cases are now handled better
* Various fixes in the TUN/TAP module, particularly surrounding Windows platform support
* Invalid keys will now cause the node to fail to start, rather than starting but silently not working as before
* Session MTUs are now always calculated correctly, in some cases they were incorrectly defaulting to 1280 before
* Multiple searches now don't take place for a single connection
* Concurrency bugs fixed
* Fixed a number of bugs in the ICMPv6 neighbor solicitation in the TUN/TAP code
* A case where peers weren't always added correctly if one or more peers were unreachable has been fixed
* Searches which include the local node are now handled correctly
* Lots of small bug tweaks and clean-ups throughout the codebase
## [0.3.5] - 2019-03-13
### Fixed
* The `AllowedEncryptionPublicKeys` option has now been fixed to handle incoming connections properly and no longer blocks outgoing connections (this was broken in v0.3.4)
* Multicast TCP listeners will now be stopped correctly when the link-local address on the interface changes or disappears altogether
## [0.3.4] - 2019-03-12
### Added
* Support for multiple listeners (although currently only TCP listeners are supported)
* New multicast behaviour where each multicast interface is given its own link-local listener and does not depend on the `Listen` configuration
* Blocking detection in the switch to avoid parenting a blocked peer
* Support for adding and removing listeners and multicast interfaces when reloading configuration during runtime
* Kaya will now attempt to clean up UNIX admin sockets on startup if left behind by a previous crash
* Admin socket `getTunnelRouting` and `setTunnelRouting` calls for enabling and disabling crypto-key routing during runtime
* On macOS, Kaya will now try to wake up AWDL on start-up when `awdl0` is a configured multicast interface, to keep it awake after system sleep, and to stop waking it when no longer needed
* Added `LinkLocalTCPPort` option for controlling the port number that link-local TCP listeners will listen on by default when setting up `MulticastInterfaces` (a node restart is currently required for changes to `LinkLocalTCPPort` to take effect - it cannot be updated by reloading config during runtime)
### Changed
* The `Listen` configuration statement is now an array instead of a string
* The `Listen` configuration statement should now conform to the same formatting as peers with the protocol prefix, e.g. `tcp://[::]:0`
* Session workers are now non-blocking
* Multicast interval is now fixed at every 15 seconds and network interfaces are reevaluated for eligibility on each interval (where before the interval depended upon the number of configured multicast interfaces and evaluation only took place at startup)
* Dead connections are now closed in the link handler as opposed to the switch
* Peer forwarding is now prioritised instead of randomised
### Fixed
* Admin socket `getTunTap` call now returns properly instead of claiming no interface is enabled in all cases
* Handling of `getRoutes` etc in `kayactl` is now working
* Local interface names are no longer leaked in multicast packets
* Link-local TCP connections, particularly those initiated because of multicast beacons, are now always correctly scoped for the target interface
* Kaya now correctly responds to multicast interfaces going up and down during runtime
## [0.3.3] - 2019-02-18
### Added
* Dynamic reconfiguration, which allows reloading the configuration file to make changes during runtime by sending a `SIGHUP` signal (note: this only works with `-useconffile` and not `-useconf` and currently reconfiguring TUN/TAP is not supported)
* Support for building Kaya as an iOS or Android framework if the appropriate tools (e.g. `gomobile`/`gobind` + SDKs) are available
* Connection contexts used for TCP connections which allow more exotic socket options to be set, e.g.
* Reusing the multicast socket to allow multiple running Kaya instances without having to disable multicast
* Allowing supported Macs to peer with other nearby Macs that aren't even on the same Wi-Fi network using AWDL
* Flexible logging support, which allows for logging at different levels of verbosity
### Changed
* Switch changes to improve parent selection
* Node configuration is now stored centrally, rather than having fragments/copies distributed at startup time
* Significant refactoring in various areas, including for link types (TCP, AWDL etc), generic streams and adapters
* macOS builds through CircleCI are now 64-bit only
### Fixed
* Simplified `systemd` service now in `contrib`
### Removed
* `ReadTimeout` option is now deprecated
## [0.3.2] - 2018-12-26
### Added
* The admin socket is now multithreaded, greatly improving performance of the crawler and allowing concurrent lookups to take place
* The ability to hide NodeInfo defaults through either setting the `NodeInfoPrivacy` option or through setting individual `NodeInfo` attributes to `null`
### Changed
* The `armhf` build now targets ARMv6 instead of ARMv7, adding support for Raspberry Pi Zero and other older models, amongst others
### Fixed
* DHT entries are now populated using a copy in memory to fix various potential DHT bugs
* DHT traffic should now throttle back exponentially to reduce idle traffic
* Adjust how nodes are inserted into the DHT which should help to reduce some incorrect DHT traffic
* In TAP mode, the NDP target address is now correctly used when populating the peer MAC table. This fixes serious connectivity problems when in TAP mode, particularly on BSD
* In TUN mode, ICMPv6 packets are now ignored whereas they were incorrectly processed before
## [0.3.1] - 2018-12-17
### Added
* Build name and version is now imprinted onto the binaries if available/specified during build
* Ability to disable admin socket with `AdminListen: none`
* `AF_UNIX` domain sockets for the admin socket
* Cache size restriction for crypto-key routes
* `NodeInfo` support for specifying node information, e.g. node name or contact, which can be used in network crawls or surveys
* `getNodeInfo` request added to admin socket
* Adds flags `-c`, `-l` and `-t` to `build` script for specifying `GCFLAGS`, `LDFLAGS` or whether to keep symbol/DWARF tables
### Changed
* Default `AdminListen` in newly generated config is now `unix:///var/run/kaya.sock`
* Formatting of `getRoutes` in the admin socket has been improved
* Debian package now adds `kaya` group to assist with `AF_UNIX` admin socket permissions
* Crypto, address and other utility code refactored into separate Go packages
### Fixed
* Switch peer convergence is now much faster again (previously it was taking up to a minute once the peering was established)
* `kayactl` is now less prone to crashing when parameters are specified incorrectly
* Panic fixed when `Peers` or `InterfacePeers` was commented out
## [0.3.0] - 2018-12-12
### Added
* Crypto-key routing support for tunnelling both IPv4 and IPv6 over Kaya
* Add advanced `SwitchOptions` in configuration file for tuning the switch
* Add `dhtPing` to the admin socket to aid in crawling the network
* New macOS .pkgs built automatically by CircleCI
* Add Dockerfile to repository for Docker support
* Add `-json` command line flag for generating and normalising configuration in plain JSON instead of HJSON
* Build name and version numbers are now imprinted onto the build, accessible through `kaya -version` and `kayactl getSelf`
* Add ability to disable admin socket by setting `AdminListen` to `"none"`
* `kayactl` now tries to look for the default configuration file to find `AdminListen` if `-endpoint` is not specified
* `kayactl` now returns more useful logging in the event of a fatal error
### Changed
* Switched to Chord DHT (instead of Kademlia, although still compatible at the protocol level)
* The `AdminListen` option and `kayactl` now default to `unix:///var/run/kaya.sock` on BSDs, macOS and Linux
* Cleaned up some of the parameter naming in the admin socket
* Latency-based parent selection for the switch instead of uptime-based (should help to avoid high latency links somewhat)
* Real peering endpoints now shown in the admin socket `getPeers` call to help identify peerings
* Reuse the multicast port on supported platforms so that multiple Kaya processes can run
* `kayactl` now has more useful help text (with `-help` or when no arguments passed)
### Fixed
* Memory leaks in the DHT fixed
* Crash fixed where the ICMPv6 NDP goroutine would incorrectly start in TUN mode
* Removing peers from the switch table if they stop sending switch messages but keep the TCP connection alive
## [0.2.7] - 2018-10-13
### Added
* Session firewall, which makes it possible to control who can open sessions with your node
* Add `getSwitchQueues` to admin socket
* Add `InterfacePeers` for configuring static peerings via specific network interfaces
* More output shown in `getSwitchPeers`
* FreeBSD service script in `contrib`
## Changed
* CircleCI builds are now built with Go 1.11 instead of Go 1.9
## Fixed
* Race condition in the switch table, reported by trn
* Debug builds are now tested by CircleCI as well as platform release builds
* Port number fixed on admin graph from unknown nodes
## [0.2.6] - 2018-07-31
### Added
* Configurable TCP timeouts to assist in peering over Tor/I2P
* Prefer IPv6 flow label when extending coordinates to sort backpressure queues
* `arm64` builds through CircleCI
### Changed
* Sort dot graph links by integer value
## [0.2.5] - 2018-07-19
### Changed
* Make `kayactl` less case sensitive
* More verbose TCP disconnect messages
### Fixed
* Fixed debug builds
* Cap maximum MTU on Linux in TAP mode
* Process successfully-read TCP traffic before checking for / handling errors (fixes EOF behavior)
## [0.2.4] - 2018-07-08
### Added
* Support for UNIX domain sockets for the admin socket using `unix:///path/to/file.sock`
* Centralised platform-specific defaults
### Changed
* Backpressure tuning, including reducing resource consumption
### Fixed
* macOS local ping bug, which previously prevented you from pinging your own `utun` adapter's IPv6 address
## [0.2.3] - 2018-06-29
### Added
* Begin keeping changelog (incomplete and possibly inaccurate information before this point).
* Build RPMs in CircleCI using alien. This provides package support for Fedora, Red Hat Enterprise Linux, CentOS and other RPM-based distributions.
### Changed
* Local backpressure improvements.
* Change `box_pub_key` to `key` in admin API for simplicity.
* Session cleanup.
## [0.2.2] - 2018-06-21
### Added
* Add `kayaconf` utility for testing with the `vyatta-kaya` package.
* Add a randomized retry delay after TCP disconnects, to prevent synchronization livelocks.
### Changed
* Update build script to strip by default, which significantly reduces the size of the binary.
* Add debug `-d` and UPX `-u` flags to the `build` script.
* Start pprof in debug builds based on an environment variable (e.g. `PPROFLISTEN=localhost:6060`), instead of a flag.
### Fixed
* Fix typo in big-endian BOM so that both little-endian and big-endian UTF-16 files are detected correctly.
## [0.2.1] - 2018-06-15
### Changed
* The address range was moved from `fd00::/8` to `200::/7`. This range was chosen as it is marked as deprecated. The change prevents overlap with other ULA privately assigned ranges.
### Fixed
* UTF-16 detection conversion for configuration files, which can particularly be a problem on Windows 10 if a configuration file is generated from within PowerShell.
* Fixes to the Debian package control file.
* Fixes to the launchd service for macOS.
* Fixes to the DHT and switch.
## [0.2.0] - 2018-06-13
### Added
* Exchange version information during connection setup, to prevent connections with incompatible versions.
### Changed
* Wire format changes (backwards incompatible).
* Less maintenance traffic per peer.
* Exponential back-off for DHT maintenance traffic (less maintenance traffic for known good peers).
* Iterative DHT (added sometime between v0.1.0 and here).
* Use local queue sizes for a sort of local-only backpressure routing, instead of the removed bandwidth estimates, when deciding where to send a packet.
### Removed
* UDP peering, this may be added again if/when a better implementation appears.
* Per peer bandwidth estimation, as this has been replaced with an early local backpressure implementation.
## [0.1.0] - 2018-02-01
### Added
* Adopt semantic versioning.
### Changed
* Wire format changes (backwards incompatible).
* Many other undocumented changes leading up to this release and before the next one.
## [0.0.1] - 2017-12-28
### Added
* First commit.
* Initial public release.

184
LICENSE Normal file
View file

@ -0,0 +1,184 @@
This software is licensed under the LGPLv3, included below.
As a special exception to the GNU Lesser General Public License version 3
("LGPL3"), the copyright holders of this Library give you permission to
convey to a third party a Combined Work that links statically or dynamically
to this Library without providing any Minimal Corresponding Source or
Minimal Application Code as set out in 4d or providing the installation
information set out in section 4e, provided that you comply with the other
provisions of LGPL3 and provided that you meet, for the Application the
terms and conditions of the license(s) which apply to the Application.
Except as stated in this special exception, the provisions of LGPL3 will
continue to comply in full to this Library. If you modify this Library, you
may apply this exception to your version of this Library, but you are not
obliged to do so. If you do not wish to do so, delete this exception
statement from your version. This exception does not (and cannot) modify any
license terms which apply to the Application, with which you must still
comply.
GNU LESSER GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
This version of the GNU Lesser General Public License incorporates
the terms and conditions of version 3 of the GNU General Public
License, supplemented by the additional permissions listed below.
0. Additional Definitions.
As used herein, "this License" refers to version 3 of the GNU Lesser
General Public License, and the "GNU GPL" refers to version 3 of the GNU
General Public License.
"The Library" refers to a covered work governed by this License,
other than an Application or a Combined Work as defined below.
An "Application" is any work that makes use of an interface provided
by the Library, but which is not otherwise based on the Library.
Defining a subclass of a class defined by the Library is deemed a mode
of using an interface provided by the Library.
A "Combined Work" is a work produced by combining or linking an
Application with the Library. The particular version of the Library
with which the Combined Work was made is also called the "Linked
Version".
The "Minimal Corresponding Source" for a Combined Work means the
Corresponding Source for the Combined Work, excluding any source code
for portions of the Combined Work that, considered in isolation, are
based on the Application, and not on the Linked Version.
The "Corresponding Application Code" for a Combined Work means the
object code and/or source code for the Application, including any data
and utility programs needed for reproducing the Combined Work from the
Application, but excluding the System Libraries of the Combined Work.
1. Exception to Section 3 of the GNU GPL.
You may convey a covered work under sections 3 and 4 of this License
without being bound by section 3 of the GNU GPL.
2. Conveying Modified Versions.
If you modify a copy of the Library, and, in your modifications, a
facility refers to a function or data to be supplied by an Application
that uses the facility (other than as an argument passed when the
facility is invoked), then you may convey a copy of the modified
version:
a) under this License, provided that you make a good faith effort to
ensure that, in the event an Application does not supply the
function or data, the facility still operates, and performs
whatever part of its purpose remains meaningful, or
b) under the GNU GPL, with none of the additional permissions of
this License applicable to that copy.
3. Object Code Incorporating Material from Library Header Files.
The object code form of an Application may incorporate material from
a header file that is part of the Library. You may convey such object
code under terms of your choice, provided that, if the incorporated
material is not limited to numerical parameters, data structure
layouts and accessors, or small macros, inline functions and templates
(ten or fewer lines in length), you do both of the following:
a) Give prominent notice with each copy of the object code that the
Library is used in it and that the Library and its use are
covered by this License.
b) Accompany the object code with a copy of the GNU GPL and this license
document.
4. Combined Works.
You may convey a Combined Work under terms of your choice that,
taken together, effectively do not restrict modification of the
portions of the Library contained in the Combined Work and reverse
engineering for debugging such modifications, if you also do each of
the following:
a) Give prominent notice with each copy of the Combined Work that
the Library is used in it and that the Library and its use are
covered by this License.
b) Accompany the Combined Work with a copy of the GNU GPL and this license
document.
c) For a Combined Work that displays copyright notices during
execution, include the copyright notice for the Library among
these notices, as well as a reference directing the user to the
copies of the GNU GPL and this license document.
d) Do one of the following:
0) Convey the Minimal Corresponding Source under the terms of this
License, and the Corresponding Application Code in a form
suitable for, and under terms that permit, the user to
recombine or relink the Application with a modified version of
the Linked Version to produce a modified Combined Work, in the
manner specified by section 6 of the GNU GPL for conveying
Corresponding Source.
1) Use a suitable shared library mechanism for linking with the
Library. A suitable mechanism is one that (a) uses at run time
a copy of the Library already present on the user's computer
system, and (b) will operate properly with a modified version
of the Library that is interface-compatible with the Linked
Version.
e) Provide Installation Information, but only if you would otherwise
be required to provide such information under section 6 of the
GNU GPL, and only to the extent that such information is
necessary to install and execute a modified version of the
Combined Work produced by recombining or relinking the
Application with a modified version of the Linked Version. (If
you use option 4d0, the Installation Information must accompany
the Minimal Corresponding Source and Corresponding Application
Code. If you use option 4d1, you must provide the Installation
Information in the manner specified by section 6 of the GNU GPL
for conveying Corresponding Source.)
5. Combined Libraries.
You may place library facilities that are a work based on the
Library side by side in a single library together with other library
facilities that are not Applications and are not covered by this
License, and convey such a combined library under terms of your
choice, if you do both of the following:
a) Accompany the combined library with a copy of the same work based
on the Library, uncombined with any other library facilities,
conveyed under the terms of this License.
b) Give prominent notice with the combined library that part of it
is a work based on the Library, and explaining where to find the
accompanying uncombined form of the same work.
6. Revised Versions of the GNU Lesser General Public License.
The Free Software Foundation may publish revised and/or new versions
of the GNU Lesser General Public License from time to time. Such new
versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the
Library as you received it specifies that a certain numbered version
of the GNU Lesser General Public License "or any later version"
applies to it, you have the option of following the terms and
conditions either of that published version or of any later version
published by the Free Software Foundation. If the Library as you
received it does not specify a version number of the GNU Lesser
General Public License, you may choose any version of the GNU Lesser
General Public License ever published by the Free Software Foundation.
If the Library as you received it specifies that a proxy can decide
whether future versions of the GNU Lesser General Public License shall
apply, that proxy's public statement of acceptance of any version is
permanent authorization for you to choose that version for the
Library.

190
README.md Normal file
View file

@ -0,0 +1,190 @@
# Kaya
[![Build status](https://github.com/yggdrasil-network/yggdrasil-go/actions/workflows/ci.yml/badge.svg)](https://github.com/yggdrasil-network/yggdrasil-go/actions/workflows/ci.yml)
## Introduction
Kaya is an early-stage implementation of a fully end-to-end encrypted IPv6
network. It is lightweight, self-arranging, supported on multiple platforms and
allows pretty much any IPv6-capable application to communicate securely with
other Kaya nodes. Kaya does not require you to have IPv6 Internet
connectivity - it also works over IPv4.
## Supported Platforms
Kaya works on a number of platforms, including Linux, macOS, Ubiquiti
EdgeRouter, VyOS, Windows, FreeBSD, OpenBSD and OpenWrt.
Please see our [Installation](https://yggdrasil-network.github.io/installation.html)
page for more information. You may also find other platform-specific wrappers, scripts
or tools in the `contrib` folder.
## Building
If you want to build from source, as opposed to installing one of the pre-built
packages:
1. Install [Go](https://golang.org) (requires Go 1.22 or later)
2. Clone this repository
2. Run `./build`
Note that you can cross-compile for other platforms and architectures by
specifying the `GOOS` and `GOARCH` environment variables, e.g. `GOOS=windows
./build` or `GOOS=linux GOARCH=mipsle ./build`.
## Running
### Generate configuration
To generate static configuration, either generate a HJSON file (human-friendly,
complete with comments):
```
./kaya -genconf > /path/to/kaya.conf
```
... or generate a plain JSON file (which is easy to manipulate
programmatically):
```
./kaya -genconf -json > /path/to/kaya.conf
```
You will need to edit the `kaya.conf` file to add or remove peers, modify
other configuration such as listen addresses or multicast addresses, etc.
### Run Kaya
To run with the generated static configuration:
```
./kaya -useconffile /path/to/kaya.conf
```
To run in auto-configuration mode (which will use sane defaults and random keys
at each startup, instead of using a static configuration file):
```
./kaya -autoconf
```
You will likely need to run Kaya as a privileged user or under `sudo`,
unless you have permission to create TUN/TAP adapters. On Linux this can be done
by giving the Kaya binary the `CAP_NET_ADMIN` capability.
## Documentation
Documentation is available [on our website](https://yggdrasil-network.github.io).
- [Installing Kaya](https://yggdrasil-network.github.io/installation.html)
- [Configuring Kaya](https://yggdrasil-network.github.io/configuration.html)
- [Frequently asked questions](https://yggdrasil-network.github.io/faq.html)
- [Version changelog](CHANGELOG.md)
## Extended Features in This Repository
This repository includes a substantial set of enhancements on top of the baseline Kaya behavior, focused on performance, operability, observability, and operator UX.
### 1) Operator Dashboard (Built-in HTTP UI)
A built-in web dashboard is available directly from the daemon to monitor and manage node state.
- **Live runtime telemetry** for:
- node/self identity and routing metadata,
- peer links and per-peer health,
- session/flow activity,
- path and tree information.
- **Peer control actions** from the UI (e.g. disconnect/traffic control via the daemon APIs).
- **Optional authentication** for the private dashboard listener.
- **Public read-only dashboard mode** (`--public-interface`) for safe external observability exposure.
- **Real-time bandwidth visualization** and rate rendering in human units (Mbit/s), including directional indicators.
- **Responsive, overflow-safe layout** so long URIs/IP addresses remain contained and readable.
### 2) Runtime Control and Safety Hardening
The runtime now provides stronger operator controls for CPU/thread behavior and process hardening:
- `--threads` controls scheduler parallelism (`GOMAXPROCS`) explicitly.
- `--max-threads` provides an additional hard cap for runtime OS threads.
- `--sandbox` enables Linux hardening measures early in runtime startup:
- no-new-privileges,
- non-dumpable process mode,
- core-dump suppression.
These options are intended for predictable behavior on constrained systems and for hardened production deployments.
### 3) Colorized, High-Signal Terminal Logging
Interactive stdout logs are rendered with contextual colorization to improve readability and triage speed:
- different color classes for errors, warnings, link lifecycle, addressing/interface messages, and sandbox messages,
- improved per-line rendering for TTY operation,
- better at-a-glance operator diagnostics during startup and runtime events.
### 4) Admin API Extensions for Traffic Control
The admin control surface includes enhanced peer traffic operations:
- **`setPeerTraffic` support** to toggle whether traffic is routed via specific peers,
- stricter boolean parsing/validation in control requests,
- integration with dashboard and CLI control workflows.
### 5) `kayactl` UX and Topology Visibility Improvements
CLI output and control ergonomics were expanded:
- improved peer listing with a direct **Remote** endpoint/host view,
- significantly clearer tree/topology presentation with hierarchical formatting,
- tighter integration with peer traffic control operations.
### 6) Core Performance Optimizations
Multiple datapath-adjacent and control-path optimizations were added to reduce CPU and allocation pressure without changing protocol semantics:
- periodic link average updates moved to persistent ticker-style processing (reduced timer churn),
- peer snapshot collection optimized with better preallocation and reduced repeated work,
- optimized inbound allowed-key authorization path using faster lookup strategy,
- reduced atomic overhead in hot accounting paths by skipping zero-byte updates,
- debug protocol response assembly/lifecycle improvements to reduce transient allocations and bound payload behavior,
- URI parsing and formatting optimizations in CLI/control surfaces.
### 7) Transport and Dialing Efficiency Enhancements
Connection setup paths were tuned for performance and reliability across transports:
- better TCP source-interface handling with short-lived interface metadata caching,
- improved address selection and error behavior in dial suitability checks,
- WS/WSS transport setup refinements to reduce repetitive per-dial overhead,
- QUIC dialing/configuration improvements for throughput-oriented behavior and lower overhead in this usage profile,
- correctness fixes to ensure intended TLS configuration usage in QUIC dial paths.
### 8) Process-Model and Platform Behavior Tightening
Additional reliability and deployment refinements include:
- stronger single-process behavior expectations in runtime paths,
- FreeBSD TUN setup behavior tightened to return direct ioctl failures instead of shelling out to external fallback tooling,
- clearer startup/runtime wiring for dashboard lifecycle and shutdown handling.
### 9) Practical Outcome
Taken together, these enhancements provide:
- better **operator visibility** (dashboard + improved CLI),
- stronger **runtime control** (`--threads`, `--max-threads`, sandboxing),
- lower **operational overhead** in frequent control/network paths,
- improved **day-2 usability** for debugging, monitoring and peer management,
- preserved core functionality with a focus on safer and faster default operation.
## Communities
A number of IRC communities exist, including the `#kaya` IRC channel on [libera.chat](https://libera.chat) and various others on [Kaya-internal IRC networks](https://yggdrasil-network.github.io/services.html#irc).
## License
This code is released under the terms of the LGPLv3, but with an added exception
that was shamelessly taken from [godeb](https://github.com/niemeyer/godeb).
Under certain circumstances, this exception permits distribution of binaries
that are (statically or dynamically) linked with this code, without requiring
the distribution of Minimal Corresponding Source or Minimal Application Code.
For more details, see: [LICENSE](LICENSE).

2
clean Executable file
View file

@ -0,0 +1,2 @@
#!/bin/sh
git clean -dxf

93
cmd/genkeys/main.go Normal file
View file

@ -0,0 +1,93 @@
/*
This file generates crypto keys.
It prints out a new set of keys each time if finds a "better" one.
By default, "better" means a higher NodeID (-> higher IP address).
This is because the IP address format can compress leading 1s in the address, to increase the number of ID bits in the address.
If run with the "-sig" flag, it generates signing keys instead.
A "better" signing key means one with a higher TreeID.
This only matters if it's high enough to make you the root of the tree.
*/
package main
import (
"crypto/ed25519"
"encoding/hex"
"fmt"
"net"
"runtime"
"time"
"suah.dev/protect"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
)
type keySet struct {
priv ed25519.PrivateKey
pub ed25519.PublicKey
count uint64
}
func main() {
if err := protect.Pledge("stdio"); err != nil {
panic(err)
}
threads := runtime.GOMAXPROCS(0)
fmt.Println("Threads:", threads)
start := time.Now()
var totalKeys uint64
totalKeys = 0
var currentBest ed25519.PublicKey
newKeys := make(chan keySet, threads)
for i := 0; i < threads; i++ {
go doKeys(newKeys)
}
for {
newKey := <-newKeys
if isBetter(currentBest, newKey.pub) || len(currentBest) == 0 {
totalKeys += newKey.count
currentBest = newKey.pub
fmt.Println("-----", time.Since(start), "---", totalKeys, "keys tried")
fmt.Println("Priv:", hex.EncodeToString(newKey.priv))
fmt.Println("Pub:", hex.EncodeToString(newKey.pub))
addr := address.AddrForKey(newKey.pub)
fmt.Println("IP:", net.IP(addr[:]).String())
}
}
}
func isBetter(oldPub, newPub ed25519.PublicKey) bool {
for idx := range oldPub {
if newPub[idx] < oldPub[idx] {
return true
}
if newPub[idx] > oldPub[idx] {
break
}
}
return false
}
func doKeys(out chan<- keySet) {
bestKey := make(ed25519.PublicKey, ed25519.PublicKeySize)
var count uint64
count = 0
for idx := range bestKey {
bestKey[idx] = 0xff
}
for {
pub, priv, err := ed25519.GenerateKey(nil)
count++
if err != nil {
panic(err)
}
if !isBetter(bestKey, pub) {
continue
}
bestKey = pub
out <- keySet{priv, pub, count}
count = 0
}
}

9
cmd/yggdrasil/chuser_other.go Normal file
View file

@ -0,0 +1,9 @@
//go:build !aix && !darwin && !dragonfly && !freebsd && !linux && !netbsd && !openbsd && !solaris
package main
import "errors"
func chuser(user string) error {
return errors.New("setting uid/gid is not supported on this platform")
}

62
cmd/yggdrasil/chuser_unix.go Normal file
View file

@ -0,0 +1,62 @@
//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
package main
import (
"fmt"
"os/user"
"strconv"
"strings"
"golang.org/x/sys/unix"
)
func chuser(input string) error {
givenUser, givenGroup, _ := strings.Cut(input, ":")
if givenUser == "" {
return fmt.Errorf("user is empty")
}
if strings.Contains(input, ":") && givenGroup == "" {
return fmt.Errorf("group is empty")
}
var (
err error
usr *user.User
grp *user.Group
uid, gid int
)
if usr, err = user.LookupId(givenUser); err != nil {
if usr, err = user.Lookup(givenUser); err != nil {
return err
}
}
if uid, err = strconv.Atoi(usr.Uid); err != nil {
return err
}
if givenGroup != "" {
if grp, err = user.LookupGroupId(givenGroup); err != nil {
if grp, err = user.LookupGroup(givenGroup); err != nil {
return err
}
}
gid, _ = strconv.Atoi(grp.Gid)
} else {
gid, _ = strconv.Atoi(usr.Gid)
}
if err := unix.Setgroups([]int{gid}); err != nil {
return fmt.Errorf("setgroups: %d: %v", gid, err)
}
if err := unix.Setgid(gid); err != nil {
return fmt.Errorf("setgid: %d: %v", gid, err)
}
if err := unix.Setuid(uid); err != nil {
return fmt.Errorf("setuid: %d: %v", uid, err)
}
return nil
}

79
cmd/yggdrasil/chuser_unix_test.go Normal file
View file

@ -0,0 +1,79 @@
//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
package main
import (
"os/user"
"testing"
)
// Usernames must not contain a number sign.
func TestEmptyString(t *testing.T) {
if chuser("") == nil {
t.Fatal("the empty string is not a valid user")
}
}
// Either omit delimiter and group, or omit both.
func TestEmptyGroup(t *testing.T) {
if chuser("0:") == nil {
t.Fatal("the empty group is not allowed")
}
}
// Either user only or user and group.
func TestGroupOnly(t *testing.T) {
if chuser(":0") == nil {
t.Fatal("group only is not allowed")
}
}
// Usenames must not contain the number sign.
func TestInvalidUsername(t *testing.T) {
const username = "#user"
if chuser(username) == nil {
t.Fatalf("'%s' is not a valid username", username)
}
}
// User IDs must be non-negative.
func TestInvalidUserid(t *testing.T) {
if chuser("-1") == nil {
t.Fatal("User ID cannot be negative")
}
}
// Change to the current user by ID.
func TestCurrentUserid(t *testing.T) {
usr, err := user.Current()
if err != nil {
t.Fatal(err)
}
if usr.Uid != "0" {
t.Skip("setgroups(2): Only the superuser may set new groups.")
}
if err = chuser(usr.Uid); err != nil {
t.Fatal(err)
}
}
// Change to a common user by name.
func TestCommonUsername(t *testing.T) {
usr, err := user.Current()
if err != nil {
t.Fatal(err)
}
if usr.Uid != "0" {
t.Skip("setgroups(2): Only the superuser may set new groups.")
}
if err := chuser("nobody"); err != nil {
if _, ok := err.(user.UnknownUserError); ok {
t.Skip(err)
}
t.Fatal(err)
}
}

329
cmd/yggdrasil/dashboard.go Normal file
View file

@ -0,0 +1,329 @@
package main
import (
"context"
"crypto/subtle"
"embed"
"encoding/hex"
"encoding/json"
"net"
"net/http"
"net/url"
"sort"
"strings"
"sync"
"time"
"github.com/gologme/log"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
)
//go:embed dashboard.html
var dashboardHTML embed.FS
type dashboardServer struct {
node *node
logger *log.Logger
username string
password string
readOnly bool
banned map[string]struct{}
mu sync.RWMutex
http *http.Server
}
type dashboardStatus struct {
Self any `json:"self"`
Peers []dashboardPeer `json:"peers"`
Sessions []dashboardFlow `json:"sessions"`
Paths []dashboardPath `json:"paths"`
Tree []dashboardTree `json:"tree"`
Banned []string `json:"banned"`
Now time.Time `json:"now"`
}
type dashboardPeer struct {
URI string `json:"uri"`
Remote string `json:"remote"`
Up bool `json:"up"`
Inbound bool `json:"inbound"`
IP string `json:"ip"`
Uptime string `json:"uptime"`
RTT string `json:"rtt"`
RX uint64 `json:"rx"`
TX uint64 `json:"tx"`
RXRate uint64 `json:"rx_rate"`
TXRate uint64 `json:"tx_rate"`
Priority uint8 `json:"priority"`
Cost uint64 `json:"cost"`
Banned bool `json:"banned"`
}
type dashboardFlow struct {
IP string `json:"ip"`
RX uint64 `json:"rx"`
TX uint64 `json:"tx"`
Uptime string `json:"uptime"`
}
type dashboardPath struct {
IP string `json:"ip"`
Path []uint64 `json:"path"`
}
type dashboardTree struct {
IP string `json:"ip"`
Parent string `json:"parent"`
}
func startDashboard(n *node, logger *log.Logger, listenAddr, username, password string, readOnly bool) (*dashboardServer, error) {
if strings.TrimSpace(listenAddr) == "" {
return nil, nil
}
d := &dashboardServer{
node: n,
logger: logger,
username: username,
password: password,
readOnly: readOnly,
banned: make(map[string]struct{}),
}
mux := http.NewServeMux()
mux.HandleFunc("/", d.handleIndex)
mux.HandleFunc("/api/status", d.handleStatus)
mux.HandleFunc("/api/peer/traffic", d.handlePeerTraffic)
mux.HandleFunc("/api/peer/ban", d.handlePeerBan)
d.http = &http.Server{
Addr: listenAddr,
Handler: d.withAuth(mux),
ReadHeaderTimeout: 5 * time.Second,
}
ln, err := net.Listen("tcp", listenAddr)
if err != nil {
return nil, err
}
go func() {
if err := d.http.Serve(ln); err != nil && err != http.ErrServerClosed {
d.logger.Errorf("dashboard failed: %v", err)
}
}()
if readOnly {
logger.Infof("Public dashboard listening on http://%s", ln.Addr().String())
return d, nil
}
logger.Infof("Dashboard listening on http://%s", ln.Addr().String())
if username == "" || password == "" {
logger.Warnln("Dashboard authentication disabled; set both -dashboard-user and -dashboard-password to secure it")
}
return d, nil
}
func (d *dashboardServer) stop() {
if d == nil || d.http == nil {
return
}
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
defer cancel()
_ = d.http.Shutdown(ctx)
}
func (d *dashboardServer) withAuth(next http.Handler) http.Handler {
if d.username == "" || d.password == "" {
return next
}
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
u, p, ok := r.BasicAuth()
if !ok || subtle.ConstantTimeCompare([]byte(u), []byte(d.username)) != 1 || subtle.ConstantTimeCompare([]byte(p), []byte(d.password)) != 1 {
w.Header().Set("WWW-Authenticate", `Basic realm="kaya"`)
http.Error(w, "unauthorized", http.StatusUnauthorized)
return
}
next.ServeHTTP(w, r)
})
}
func (d *dashboardServer) handleIndex(w http.ResponseWriter, _ *http.Request) {
bs, err := dashboardHTML.ReadFile("dashboard.html")
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "text/html; charset=utf-8")
_, _ = w.Write(bs)
}
func (d *dashboardServer) handleStatus(w http.ResponseWriter, _ *http.Request) {
status := dashboardStatus{Now: time.Now()}
self := d.node.core.GetSelf()
subnet := d.node.core.Subnet()
status.Self = map[string]any{
"public_key": hex.EncodeToString(self.Key),
"ip_address": d.node.core.Address().String(),
"subnet": (&subnet).String(),
"routing_entries": self.RoutingEntries,
}
for _, p := range d.node.core.GetPeers() {
uriKey := canonicalPeerKey(p.URI, "")
status.Peers = append(status.Peers, dashboardPeer{
URI: p.URI,
Remote: peerHostFromURI(p.URI),
Up: p.Up,
Inbound: p.Inbound,
IP: keyToIP(p.Key),
Uptime: p.Uptime.String(),
RTT: p.Latency.String(),
RX: p.RXBytes,
TX: p.TXBytes,
RXRate: p.RXRate,
TXRate: p.TXRate,
Priority: p.Priority,
Cost: p.Cost,
Banned: d.isBanned(uriKey),
})
}
sort.Slice(status.Peers, func(i, j int) bool { return status.Peers[i].URI < status.Peers[j].URI })
for _, s := range d.node.core.GetSessions() {
status.Sessions = append(status.Sessions, dashboardFlow{
IP: keyToIP(s.Key),
RX: s.RXBytes,
TX: s.TXBytes,
Uptime: s.Uptime.String(),
})
}
for _, p := range d.node.core.GetPaths() {
status.Paths = append(status.Paths, dashboardPath{IP: keyToIP(p.Key), Path: p.Path})
}
for _, t := range d.node.core.GetTree() {
status.Tree = append(status.Tree, dashboardTree{IP: keyToIP(t.Key), Parent: keyToIP(t.Parent)})
}
status.Banned = d.bannedList()
w.Header().Set("Content-Type", "application/json")
_ = json.NewEncoder(w).Encode(status)
}
func (d *dashboardServer) handlePeerTraffic(w http.ResponseWriter, r *http.Request) {
if d.readOnly {
http.Error(w, "public dashboard is read-only", http.StatusForbidden)
return
}
if r.Method != http.MethodPost {
http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
return
}
var req struct {
URI string `json:"uri"`
Interface string `json:"interface"`
Enabled bool `json:"enabled"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
uri, err := url.Parse(req.URI)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
key := canonicalPeerKey(req.URI, req.Interface)
if req.Enabled {
if d.isBanned(key) {
http.Error(w, "peer is banned", http.StatusForbidden)
return
}
err = d.node.core.AddPeer(uri, req.Interface)
} else {
err = d.node.core.RemovePeer(uri, req.Interface)
}
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
w.WriteHeader(http.StatusNoContent)
}
func (d *dashboardServer) handlePeerBan(w http.ResponseWriter, r *http.Request) {
if d.readOnly {
http.Error(w, "public dashboard is read-only", http.StatusForbidden)
return
}
if r.Method != http.MethodPost {
http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
return
}
var req struct {
URI string `json:"uri"`
Interface string `json:"interface"`
Banned bool `json:"banned"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
uri, err := url.Parse(req.URI)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
key := canonicalPeerKey(req.URI, req.Interface)
if req.Banned {
d.mu.Lock()
d.banned[key] = struct{}{}
d.mu.Unlock()
_ = d.node.core.RemovePeer(uri, req.Interface)
} else {
d.mu.Lock()
delete(d.banned, key)
d.mu.Unlock()
}
w.WriteHeader(http.StatusNoContent)
}
func (d *dashboardServer) isBanned(k string) bool {
d.mu.RLock()
_, ok := d.banned[k]
d.mu.RUnlock()
return ok
}
func (d *dashboardServer) bannedList() []string {
d.mu.RLock()
out := make([]string, 0, len(d.banned))
for k := range d.banned {
out = append(out, k)
}
d.mu.RUnlock()
sort.Strings(out)
return out
}
func canonicalPeerKey(uri, intf string) string { return uri + "|" + intf }
func peerHostFromURI(u string) string {
pu, err := url.Parse(u)
if err != nil {
return "-"
}
host := pu.Host
if h, _, err := net.SplitHostPort(host); err == nil {
return h
}
if host == "" {
return "-"
}
return host
}
func keyToIP(k []byte) string {
if len(k) == 0 {
return "-"
}
var key [32]byte
copy(key[:], k)
ip := net.IP(address.AddrForKey(key[:])[:])
if ip == nil {
return "-"
}
return ip.String()
}

251
cmd/yggdrasil/dashboard.html Normal file
View file

@ -0,0 +1,251 @@
<!doctype html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width,initial-scale=1" />
<title>Kaya Dashboard</title>
<style>
:root {
--bg-color: #f4f4f4;
--card-bg: #ffffff;
--text-main: #1a1a1a;
--text-secondary: #666666;
--accent-orange: #ff6600;
--network-green: #00c853;
--border-color: #e0e0e0;
--font-sans: 'Inter', -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
--font-mono: 'SF Mono', 'Menlo', 'Monaco', 'Courier New', monospace;
}
* { box-sizing: border-box; }
body { font-family: var(--font-sans); background: var(--bg-color); color: var(--text-main); margin: 0; padding: 28px; line-height: 1.4; }
header { display: flex; justify-content: space-between; align-items: center; gap: 8px; padding-bottom: 16px; margin-bottom: 22px; border-bottom: 6px solid var(--accent-orange); }
header h2 { margin: 0; font-size: 30px; font-weight: 800; letter-spacing: -1px; text-transform: uppercase; }
#stamp { font-family: var(--font-mono); font-size: 12px; color: var(--text-secondary); background: #fff; padding: 6px 12px; border: 1px solid var(--border-color); border-radius: 2px; }
.grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(380px, 1fr)); gap: 18px; }
.card { background: var(--card-bg); border: 1px solid var(--border-color); border-radius: 4px; padding: 18px; box-shadow: 0 4px 6px rgba(0,0,0,0.02); min-width: 0; }
.card h3 { margin: 0 0 12px 0; font-size: 13px; font-weight: 700; text-transform: uppercase; letter-spacing: 1.2px; color: var(--accent-orange); border-bottom: 1px solid var(--border-color); padding-bottom: 8px; }
.table-wrap { overflow-x: auto; width: 100%; }
table { width: 100%; border-collapse: collapse; font-size: 12px; table-layout: fixed; }
th { font-weight: 600; color: var(--text-secondary); padding: 10px 6px; border-bottom: 2px solid var(--border-color); font-size: 11px; text-transform: uppercase; white-space: nowrap; }
td { padding: 8px 6px; border-bottom: 1px solid #eee; font-family: var(--font-mono); color: var(--text-main); vertical-align: middle; overflow: hidden; text-overflow: ellipsis; }
tr:last-child td { border-bottom: none; }
button { background: #fff; color: #d32f2f; border: 1px solid #d32f2f; border-radius: 3px; padding: 6px 10px; cursor: pointer; font-size: 11px; font-weight: 600; text-transform: uppercase; letter-spacing: 0.4px; white-space: nowrap; }
button:hover { background: #d32f2f; color: #fff; }
pre { white-space: pre-wrap; margin: 0; font-family: var(--font-mono); font-size: 11px; background: #fafafa; padding: 12px; border: 1px solid var(--border-color); color: #555; max-height: 340px; overflow: auto; }
.net-green { color: var(--network-green); font-weight: bold; }
.full-width { grid-column: 1 / -1; }
.ip-cell { word-break: break-word; white-space: normal; }
.uri-cell { max-width: 260px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; }
.port-icon-wrapper { display: inline-flex; align-items: center; justify-content: center; width: 32px; height: 32px; }
svg.port-icon { width: 24px; height: 24px; }
.port-body { fill: none; stroke: #ddd; stroke-width: 2; }
.port-led { fill: #ddd; transition: all 0.2s; }
.port-icon.connected .port-body { stroke: var(--accent-orange); }
.port-icon.connected .port-led { fill: var(--accent-orange); }
.port-icon.active .port-body { stroke: var(--network-green); }
.port-icon.active .port-led { fill: var(--network-green); animation: blink-traffic 1s steps(2) infinite; }
@keyframes blink-traffic { 0% { opacity: 1; } 50% { opacity: 0; } 100% { opacity: 1; } }
.graph-container { width: 100%; height: 220px; background: #fafafa; border: 1px solid var(--border-color); border-radius: 4px; overflow: hidden; }
canvas#trafficGraph { width: 100%; height: 100%; display: block; }
.graph-stats { display: flex; justify-content: space-between; gap: 8px; margin-bottom: 10px; font-family: var(--font-mono); font-size: 14px; flex-wrap: wrap; }
.stat-item { display: flex; align-items: center; gap: 8px; }
.stat-val { font-weight: bold; font-size: 16px; }
.legend-dot { width: 10px; height: 10px; border-radius: 50%; }
@media (max-width: 900px) {
body { padding: 12px; }
.grid { grid-template-columns: 1fr; }
}
</style>
</head>
<body>
<header>
<h2>Kaya</h2>
<div id="stamp"></div>
</header>
<div class="grid">
<div class="card">
<h3>Self Info</h3>
<pre id="self"></pre>
</div>
<div class="card">
<h3>Flows (Sessions)</h3>
<div class="table-wrap"><table id="flows"></table></div>
</div>
<div class="card full-width">
<h3>Peers Switch</h3>
<div class="table-wrap"><table id="peers"></table></div>
</div>
<div class="card">
<h3>Paths</h3>
<div class="table-wrap"><table id="paths"></table></div>
</div>
<div class="card">
<h3>Tree</h3>
<div class="table-wrap"><table id="tree"></table></div>
</div>
<div class="card full-width">
<h3>Total Bandwidth (Real-time)</h3>
<div class="graph-stats">
<div class="stat-item">
<div class="legend-dot" style="background: var(--network-green);"></div>
<div>⬇ Download: <span id="downSpeedEl" class="stat-val net-green">0.00 Mbit/s</span></div>
</div>
<div class="stat-item">
<div class="legend-dot" style="background: var(--accent-orange);"></div>
<div>⬆ Upload: <span id="upSpeedEl" class="stat-val" style="color: var(--accent-orange)">0.00 Mbit/s</span></div>
</div>
</div>
<div class="graph-container"><canvas id="trafficGraph"></canvas></div>
</div>
</div>
<script>
const peerStore = new Map();
const graphData = { maxPoints: 60, download: [], upload: [] };
async function call(path, payload){
const r = await fetch(path,{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify(payload)});
if(!r.ok) alert(await r.text());
await reload();
}
function tHead(cols){return `<tr>${cols.map(c=>`<th>${c}</th>`).join('')}</tr>`}
function esc(v){return String(v??'').replace(/[&<>]/g,m=>({'&':'&amp;','<':'&lt;','>':'&gt;'}[m]))}
function peerAction(id, action){
const p = peerStore.get(id); if(!p) return;
if(action==='disconnect') return call('/api/peer/traffic',{uri:p.uri,enabled:false});
}
function bytesPerSecToMbit(bytesPerSec) {
const mbits = (Number(bytesPerSec) * 8) / 1000000;
return Number.isFinite(mbits) ? mbits : 0;
}
function fmtMbit(bytesPerSec) {
return bytesPerSecToMbit(bytesPerSec).toFixed(2) + ' Mbit/s';
}
function drawGraph() {
const canvas = document.getElementById('trafficGraph');
const ctx = canvas.getContext('2d');
const rect = canvas.parentNode.getBoundingClientRect();
canvas.width = rect.width;
canvas.height = rect.height;
const w = canvas.width, h = canvas.height;
ctx.clearRect(0, 0, w, h);
ctx.strokeStyle = '#e0e0e0';
ctx.lineWidth = 1;
ctx.beginPath();
for(let i=0; i<5; i++) {
const y = (h/4) * i;
ctx.moveTo(0, y);
ctx.lineTo(w, y);
}
ctx.stroke();
if (graphData.download.length < 2) return;
const maxVal = Math.max(...graphData.download, ...graphData.upload) * 1.1 || 1;
const drawLine = (data, color) => {
ctx.strokeStyle = color.trim();
ctx.lineWidth = 2;
ctx.lineJoin = 'round';
ctx.beginPath();
const step = w / (graphData.maxPoints - 1);
data.forEach((val, index) => {
const x = index * step;
const y = h - ((val / maxVal) * h);
if (index === 0) ctx.moveTo(x, y); else ctx.lineTo(x, y);
});
ctx.stroke();
ctx.lineTo(w, h);
ctx.lineTo(0, h);
ctx.fillStyle = color.trim() + '22';
ctx.fill();
};
drawLine(graphData.upload, getComputedStyle(document.documentElement).getPropertyValue('--accent-orange'));
drawLine(graphData.download, getComputedStyle(document.documentElement).getPropertyValue('--network-green'));
}
async function reload(){
const res = await fetch('/api/status');
if (!res.ok) {
throw new Error('Failed to load dashboard status: HTTP ' + res.status);
}
const s = await res.json();
document.getElementById('stamp').textContent = 'Updated ' + new Date(s.now).toLocaleString();
document.getElementById('self').textContent = JSON.stringify(s.self,null,2);
let totalRx = 0, totalTx = 0;
const peers = [tHead(['Port','URI','Remote','Up','IP','Uptime','RTT','RX','TX','⬇ RX Rate','⬆ TX Rate','Action'])];
peerStore.clear();
for(const p of s.peers){
const id = btoa(p.uri).replace(/=/g,'');
peerStore.set(id, p);
totalRx += Number(p.rx_rate || 0);
totalTx += Number(p.tx_rate || 0);
const isActive = (p.rx_rate > 0 || p.tx_rate > 0);
const isConnected = !!p.up;
const portStateClass = isActive ? 'active' : (isConnected ? 'connected' : '');
const portIconHtml = `<div class="port-icon-wrapper"><svg class="port-icon ${portStateClass}" viewBox="0 0 24 24"><rect class="port-body" x="4" y="6" width="16" height="12" rx="2" /><path class="port-body" d="M8 10h8v4H8z" /><circle class="port-led" cx="17" cy="9" r="1.5" /></svg></div>`;
peers.push(`<tr>
<td>${portIconHtml}</td>
<td class="uri-cell" title="${esc(p.uri)}">${esc(p.uri)}</td>
<td>${esc(p.remote)}</td>
<td style="font-weight:bold; color:${p.up?'var(--accent-orange)':'#aaa'}">${p.up?'UP':'DOWN'}</td>
<td class="ip-cell">${esc(p.ip)}</td>
<td>${esc(p.uptime)}</td>
<td>${esc(p.rtt)}</td>
<td>${esc(p.rx)}</td>
<td>${esc(p.tx)}</td>
<td class="net-green">⬇ ${fmtMbit(p.rx_rate)}</td>
<td style="color:var(--accent-orange)">⬆ ${fmtMbit(p.tx_rate)}</td>
<td><button onclick="peerAction('${id}','disconnect')">Disconnect</button></td>
</tr>`);
}
document.getElementById('peers').innerHTML = peers.join('');
const flows=[tHead(['IP','RX','TX','Uptime'])];
for(const f of s.sessions) {
flows.push(`<tr><td class="ip-cell">${esc(f.ip)}</td><td>${esc(f.rx)}</td><td>${esc(f.tx)}</td><td>${esc(f.uptime)}</td></tr>`);
}
document.getElementById('flows').innerHTML=flows.join('');
const paths=[tHead(['IP','Path'])];
for(const p of s.paths) paths.push(`<tr><td class="ip-cell">${esc(p.ip)}</td><td class="ip-cell">${esc(JSON.stringify(p.path))}</td></tr>`);
document.getElementById('paths').innerHTML=paths.join('');
const tree=[tHead(['IP','Parent'])];
for(const t of s.tree) tree.push(`<tr><td class="ip-cell">${esc(t.ip)}</td><td class="ip-cell">${esc(t.parent)}</td></tr>`);
document.getElementById('tree').innerHTML=tree.join('');
const downMbit = bytesPerSecToMbit(totalRx);
const upMbit = bytesPerSecToMbit(totalTx);
graphData.download.push(downMbit);
graphData.upload.push(upMbit);
if (graphData.download.length > graphData.maxPoints) {
graphData.download.shift();
graphData.upload.shift();
}
downSpeedEl.textContent = downMbit.toFixed(2) + ' Mbit/s';
upSpeedEl.textContent = upMbit.toFixed(2) + ' Mbit/s';
drawGraph();
}
setInterval(() => { reload().catch(console.error); }, 2000);
reload().catch(console.error);
window.addEventListener('resize', drawGraph);
</script>
</body>
</html>

67
cmd/yggdrasil/logcolor.go Normal file
View file

@ -0,0 +1,67 @@
package main
import (
"bytes"
"io"
"strings"
)
const (
colorReset = "\033[0m"
colorDim = "\033[2m"
colorCyan = "\033[36m"
colorBlue = "\033[94m"
colorGreen = "\033[32m"
colorYellow = "\033[33m"
colorRed = "\033[31m"
colorMagenta = "\033[35m"
)
type colorLineWriter struct {
w io.Writer
buf []byte
}
func newColorLineWriter(w io.Writer) *colorLineWriter {
return &colorLineWriter{w: w, buf: make([]byte, 0, 1024)}
}
func (c *colorLineWriter) Write(p []byte) (int, error) {
c.buf = append(c.buf, p...)
for {
i := bytes.IndexByte(c.buf, '\n')
if i < 0 {
break
}
line := c.buf[:i]
if _, err := c.w.Write([]byte(colorizeLine(string(line)) + "\n")); err != nil {
return 0, err
}
c.buf = c.buf[i+1:]
}
return len(p), nil
}
func colorizeLine(line string) string {
lower := strings.ToLower(line)
lineColor := colorCyan
switch {
case strings.Contains(lower, "error") || strings.Contains(lower, "failed") || strings.Contains(lower, "disconnected"):
lineColor = colorRed
case strings.Contains(lower, "warn"):
lineColor = colorYellow
case strings.Contains(lower, "connected") || strings.Contains(lower, "listening") || strings.Contains(lower, "started"):
lineColor = colorGreen
case strings.Contains(lower, "public key") || strings.Contains(lower, "ipv6") || strings.Contains(lower, "interface"):
lineColor = colorBlue
case strings.Contains(lower, "sandbox"):
lineColor = colorMagenta
}
if len(line) > 20 && line[4] == '/' && line[7] == '/' && line[10] == ' ' && line[13] == ':' && line[16] == ':' {
timestamp := line[:19]
rest := strings.TrimLeft(line[19:], " ")
return colorDim + timestamp + colorReset + " " + lineColor + rest + colorReset
}
return lineColor + line + colorReset
}

406
cmd/yggdrasil/main.go Normal file
View file

@ -0,0 +1,406 @@
package main
import (
"context"
"crypto/ed25519"
"encoding/hex"
"encoding/json"
"flag"
"fmt"
"io"
"net"
"os"
"os/signal"
"regexp"
"runtime"
"runtime/debug"
"strings"
"syscall"
"suah.dev/protect"
"github.com/gologme/log"
gsyslog "github.com/hashicorp/go-syslog"
"github.com/hjson/hjson-go/v4"
"github.com/kardianos/minwinsvc"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
"github.com/yggdrasil-network/yggdrasil-go/src/admin"
"github.com/yggdrasil-network/yggdrasil-go/src/config"
"github.com/yggdrasil-network/yggdrasil-go/src/ipv6rwc"
"github.com/yggdrasil-network/yggdrasil-go/src/core"
"github.com/yggdrasil-network/yggdrasil-go/src/multicast"
"github.com/yggdrasil-network/yggdrasil-go/src/tun"
"github.com/yggdrasil-network/yggdrasil-go/src/version"
)
type node struct {
core *core.Core
tun *tun.TunAdapter
multicast *multicast.Multicast
admin *admin.AdminSocket
}
// The main function is responsible for configuring and starting Kaya.
func main() {
defaultThreads := runtime.NumCPU()
if defaultThreads < 1 {
defaultThreads = 1
}
genconf := flag.Bool("genconf", false, "print a new config to stdout")
useconf := flag.Bool("useconf", false, "read HJSON/JSON config from stdin")
useconffile := flag.String("useconffile", "", "read HJSON/JSON config from specified file path")
normaliseconf := flag.Bool("normaliseconf", false, "use in combination with either -useconf or -useconffile, outputs your configuration normalised")
exportkey := flag.Bool("exportkey", false, "use in combination with either -useconf or -useconffile, outputs your private key in PEM format")
confjson := flag.Bool("json", false, "print configuration from -genconf or -normaliseconf as JSON instead of HJSON")
autoconf := flag.Bool("autoconf", false, "automatic mode (dynamic IP, peer with IPv6 neighbors)")
ver := flag.Bool("version", false, "prints the version of this build")
logto := flag.String("logto", "stdout", "file path to log to, \"syslog\" or \"stdout\"")
getaddr := flag.Bool("address", false, "use in combination with either -useconf or -useconffile, outputs your IPv6 address")
getsnet := flag.Bool("subnet", false, "use in combination with either -useconf or -useconffile, outputs your IPv6 subnet")
getpkey := flag.Bool("publickey", false, "use in combination with either -useconf or -useconffile, outputs your public key")
loglevel := flag.String("loglevel", "info", "loglevel to enable")
threads := flag.Int("threads", defaultThreads, "number of scheduler threads to run (defaults to one per CPU core)")
maxThreads := flag.Int("max-threads", 0, "maximum total OS threads for the Go runtime (0 keeps runtime default)")
sandbox := flag.Bool("sandbox", true, "enable runtime sandbox hardening where supported")
dashboardListen := flag.String("dashboard-listen", "", "HTTP dashboard listen address, e.g. 127.0.0.1:8080")
publicInterface := flag.String("public-interface", "", "public read-only dashboard listen address, e.g. 0.0.0.0:8081")
dashboardUser := flag.String("dashboard-user", "", "HTTP dashboard username for basic auth")
dashboardPassword := flag.String("dashboard-password", "", "HTTP dashboard password for basic auth")
chuserto := flag.String("user", "", "user (and, optionally, group) to set UID/GID to")
flag.Parse()
if *threads < 1 {
panic("--threads must be >= 1")
}
if *maxThreads < 0 {
panic("--max-threads must be >= 0")
}
runtime.GOMAXPROCS(*threads)
if *maxThreads > 0 {
debug.SetMaxThreads(*maxThreads)
}
done := make(chan struct{})
defer close(done)
// Catch interrupts from the operating system to exit gracefully.
ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
// Create a new logger that logs output to stdout.
var logger *log.Logger
switch *logto {
case "stdout":
var outWriter io.Writer = os.Stdout
if info, err := os.Stdout.Stat(); err == nil && (info.Mode()&os.ModeCharDevice) != 0 {
outWriter = newColorLineWriter(os.Stdout)
}
logger = log.New(outWriter, "", log.Flags())
case "syslog":
if syslogger, err := gsyslog.NewLogger(gsyslog.LOG_NOTICE, "DAEMON", version.BuildName()); err == nil {
logger = log.New(syslogger, "", log.Flags()&^(log.Ldate|log.Ltime))
}
default:
if logfd, err := os.OpenFile(*logto, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644); err == nil {
logger = log.New(logfd, "", log.Flags())
}
}
if logger == nil {
logger = log.New(os.Stdout, "", log.Flags())
logger.Warnln("Logging defaulting to stdout")
}
if *normaliseconf {
setLogLevel("error", logger)
} else {
setLogLevel(*loglevel, logger)
}
cfg := config.GenerateConfig()
var err error
switch {
case *ver:
fmt.Println("Build name:", version.BuildName())
fmt.Println("Build version:", version.BuildVersion())
return
case *autoconf:
// Use an autoconf-generated config, this will give us random keys and
// port numbers, and will use an automatically selected TUN interface.
case *useconf:
if _, err := cfg.ReadFrom(os.Stdin); err != nil {
panic(err)
}
case *useconffile != "":
f, err := os.Open(*useconffile)
if err != nil {
panic(err)
}
if _, err := cfg.ReadFrom(f); err != nil {
panic(err)
}
_ = f.Close()
case *genconf:
cfg.AdminListen = ""
var bs []byte
if *confjson {
bs, err = json.MarshalIndent(cfg, "", " ")
} else {
bs, err = hjson.Marshal(cfg)
}
if err != nil {
panic(err)
}
fmt.Println(string(bs))
return
default:
fmt.Println("Usage:")
flag.PrintDefaults()
if *getaddr || *getsnet {
fmt.Println("\nError: You need to specify some config data using -useconf or -useconffile.")
}
return
}
privateKey := ed25519.PrivateKey(cfg.PrivateKey)
publicKey := privateKey.Public().(ed25519.PublicKey)
switch {
case *getaddr:
addr := address.AddrForKey(publicKey)
ip := net.IP(addr[:])
fmt.Println(ip.String())
return
case *getsnet:
snet := address.SubnetForKey(publicKey)
ipnet := net.IPNet{
IP: append(snet[:], 0, 0, 0, 0, 0, 0, 0, 0),
Mask: net.CIDRMask(len(snet)*8, 128),
}
fmt.Println(ipnet.String())
return
case *getpkey:
fmt.Println(hex.EncodeToString(publicKey))
return
case *normaliseconf:
cfg.AdminListen = ""
if cfg.PrivateKeyPath != "" {
cfg.PrivateKey = nil
}
var bs []byte
if *confjson {
bs, err = json.MarshalIndent(cfg, "", " ")
} else {
bs, err = hjson.Marshal(cfg)
}
if err != nil {
panic(err)
}
fmt.Println(string(bs))
return
case *exportkey:
pem, err := cfg.MarshalPEMPrivateKey()
if err != nil {
panic(err)
}
fmt.Println(string(pem))
return
}
if *maxThreads > 0 {
logger.Infof("Runtime threading: GOMAXPROCS=%d, max OS threads=%d", *threads, *maxThreads)
} else {
logger.Infof("Runtime threading: GOMAXPROCS=%d", *threads)
}
if err := applySandbox(*sandbox, logger); err != nil {
panic(err)
}
n := &node{}
// Set up the Kaya node itself.
{
iprange := net.IPNet{
IP: net.ParseIP("200::"),
Mask: net.CIDRMask(7, 128),
}
options := []core.SetupOption{
core.NodeInfo(cfg.NodeInfo),
core.NodeInfoPrivacy(cfg.NodeInfoPrivacy),
core.PeerFilter(func(ip net.IP) bool {
return !iprange.Contains(ip)
}),
}
for _, addr := range cfg.Listen {
options = append(options, core.ListenAddress(addr))
}
for _, peer := range cfg.Peers {
options = append(options, core.Peer{URI: peer})
}
for intf, peers := range cfg.InterfacePeers {
for _, peer := range peers {
options = append(options, core.Peer{URI: peer, SourceInterface: intf})
}
}
for _, allowed := range cfg.AllowedPublicKeys {
k, err := hex.DecodeString(allowed)
if err != nil {
panic(err)
}
options = append(options, core.AllowedPublicKey(k[:]))
}
if n.core, err = core.New(cfg.Certificate, logger, options...); err != nil {
panic(err)
}
address, subnet := n.core.Address(), n.core.Subnet()
logger.Printf("Your public key is %s", hex.EncodeToString(n.core.PublicKey()))
logger.Printf("Your IPv6 address is %s", address.String())
logger.Printf("Your IPv6 subnet is %s", subnet.String())
}
// Set up the admin socket.
{
options := []admin.SetupOption{
admin.ListenAddress(cfg.AdminListen),
}
if cfg.LogLookups {
options = append(options, admin.LogLookups{})
}
if n.admin, err = admin.New(n.core, logger, options...); err != nil {
panic(err)
}
if n.admin != nil {
n.admin.SetupAdminHandlers()
}
}
// Set up the multicast module.
{
options := []multicast.SetupOption{}
for _, intf := range cfg.MulticastInterfaces {
options = append(options, multicast.MulticastInterface{
Regex: regexp.MustCompile(intf.Regex),
Beacon: intf.Beacon,
Listen: intf.Listen,
Port: intf.Port,
Priority: uint8(intf.Priority),
Password: intf.Password,
})
}
if n.multicast, err = multicast.New(n.core, logger, options...); err != nil {
panic(err)
}
if n.admin != nil && n.multicast != nil {
n.multicast.SetupAdminHandlers(n.admin)
}
}
// Set up the TUN module.
{
options := []tun.SetupOption{
tun.InterfaceName(cfg.IfName),
tun.InterfaceMTU(cfg.IfMTU),
}
if n.tun, err = tun.New(ipv6rwc.NewReadWriteCloser(n.core), logger, options...); err != nil {
panic(err)
}
if n.admin != nil && n.tun != nil {
n.tun.SetupAdminHandlers(n.admin)
}
}
dashboards := make([]*dashboardServer, 0, 2)
if dashboard, err := startDashboard(n, logger, *dashboardListen, *dashboardUser, *dashboardPassword, false); err != nil {
panic(err)
} else if dashboard != nil {
dashboards = append(dashboards, dashboard)
}
if publicDashboard, err := startDashboard(n, logger, *publicInterface, "", "", true); err != nil {
panic(err)
} else if publicDashboard != nil {
dashboards = append(dashboards, publicDashboard)
}
defer func() {
for _, dashboard := range dashboards {
if dashboard != nil {
dashboard.stop()
}
}
}()
//Windows service shutdown
minwinsvc.SetOnExit(func() {
logger.Infof("Shutting down service ...")
cancel()
// Wait for all parts to shutdown properly
<-done
})
// Change user if requested
if *chuserto != "" {
err = chuser(*chuserto)
if err != nil {
panic(err)
}
}
// Promise final modes of operation. At this point, if at all:
// - raw socket is created/open
// - admin socket is created/open
// - privileges are dropped to non-root user
//
// Peers, InterfacePeers, Listen can be UNIX sockets;
// Go's net.Listen.Close() deletes files on shutdown.
promises := []string{"stdio", "rpath", "cpath", "inet", "unix", "dns"}
if len(cfg.MulticastInterfaces) > 0 {
promises = append(promises, "mcast")
}
if err := protect.Pledge(strings.Join(promises, " ")); err != nil {
panic(fmt.Sprintf("pledge: %v: %v", promises, err))
}
// Block until we are told to shut down.
<-ctx.Done()
// Shut down the node.
_ = n.admin.Stop()
_ = n.multicast.Stop()
_ = n.tun.Stop()
n.core.Stop()
}
func setLogLevel(loglevel string, logger *log.Logger) {
levels := [...]string{"error", "warn", "info", "debug", "trace"}
loglevel = strings.ToLower(loglevel)
contains := func() bool {
for _, l := range levels {
if l == loglevel {
return true
}
}
return false
}
if !contains() { // set default log level
logger.Infoln("Loglevel parse failed. Set default level(info)")
loglevel = "info"
}
for _, l := range levels {
logger.EnableLevel(l)
if l == loglevel {
break
}
}
}

27
cmd/yggdrasil/sandbox_linux.go Normal file
View file

@ -0,0 +1,27 @@
//go:build linux
package main
import (
"fmt"
"github.com/gologme/log"
"golang.org/x/sys/unix"
)
func applySandbox(enabled bool, logger *log.Logger) error {
if !enabled {
return nil
}
if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
return fmt.Errorf("failed to enable no_new_privs: %w", err)
}
if err := unix.Prctl(unix.PR_SET_DUMPABLE, 0, 0, 0, 0); err != nil {
return fmt.Errorf("failed to disable dumpable state: %w", err)
}
if err := unix.Setrlimit(unix.RLIMIT_CORE, &unix.Rlimit{Cur: 0, Max: 0}); err != nil {
return fmt.Errorf("failed to disable core dumps: %w", err)
}
logger.Infoln("Linux sandbox hardening enabled: no_new_privs, non-dumpable, core dumps disabled")
return nil
}

9
cmd/yggdrasil/sandbox_other.go Normal file
View file

@ -0,0 +1,9 @@
//go:build !linux
package main
import "github.com/gologme/log"
func applySandbox(_ bool, _ *log.Logger) error {
return nil
}

91
cmd/yggdrasilctl/cmd_line_env.go Normal file
View file

@ -0,0 +1,91 @@
package main
import (
"bytes"
"flag"
"fmt"
"log"
"os"
"github.com/hjson/hjson-go/v4"
"golang.org/x/text/encoding/unicode"
"github.com/yggdrasil-network/yggdrasil-go/src/config"
)
type CmdLineEnv struct {
args []string
endpoint, server string
injson, borders, ver bool
}
func newCmdLineEnv() CmdLineEnv {
var cmdLineEnv CmdLineEnv
cmdLineEnv.endpoint = config.GetDefaults().DefaultAdminListen
return cmdLineEnv
}
func (cmdLineEnv *CmdLineEnv) parseFlagsAndArgs() {
flag.Usage = func() {
fmt.Fprintf(flag.CommandLine.Output(), "Usage: %s [options] command [key=value] [key=value] ...\n\n", os.Args[0])
fmt.Println("Options:")
flag.PrintDefaults()
fmt.Println()
fmt.Println("Please note that options must always specified BEFORE the command\non the command line or they will be ignored.")
fmt.Println()
fmt.Println("Commands:\n - Use \"list\" for a list of available commands")
fmt.Println()
fmt.Println("Examples:")
fmt.Println(" - ", os.Args[0], "list")
fmt.Println(" - ", os.Args[0], "getPeers")
fmt.Println(" - ", os.Args[0], "-endpoint=tcp://localhost:9001 getPeers")
fmt.Println(" - ", os.Args[0], "-endpoint=unix:///var/run/ygg.sock getPeers")
}
server := flag.String("endpoint", cmdLineEnv.endpoint, "Admin socket endpoint")
injson := flag.Bool("json", false, "Output in JSON format (as opposed to pretty-print)")
borders := flag.Bool("borders", true, "Output borders on tables")
ver := flag.Bool("version", false, "Prints the version of this build")
flag.Parse()
cmdLineEnv.args = flag.Args()
cmdLineEnv.server = *server
cmdLineEnv.injson = *injson
cmdLineEnv.borders = *borders
cmdLineEnv.ver = *ver
}
func (cmdLineEnv *CmdLineEnv) setEndpoint(logger *log.Logger) {
if cmdLineEnv.server == cmdLineEnv.endpoint {
if cfg, err := os.ReadFile(config.GetDefaults().DefaultConfigFile); err == nil {
if bytes.Equal(cfg[0:2], []byte{0xFF, 0xFE}) ||
bytes.Equal(cfg[0:2], []byte{0xFE, 0xFF}) {
utf := unicode.UTF16(unicode.BigEndian, unicode.UseBOM)
decoder := utf.NewDecoder()
cfg, err = decoder.Bytes(cfg)
if err != nil {
panic(err)
}
}
var dat map[string]interface{}
if err := hjson.Unmarshal(cfg, &dat); err != nil {
panic(err)
}
if ep, ok := dat["AdminListen"].(string); ok && (ep != "none" && ep != "") {
cmdLineEnv.endpoint = ep
logger.Println("Found platform default config file", config.GetDefaults().DefaultConfigFile)
logger.Println("Using endpoint", cmdLineEnv.endpoint, "from AdminListen")
} else {
logger.Println("Configuration file doesn't contain appropriate AdminListen option")
logger.Println("Falling back to platform default", config.GetDefaults().DefaultAdminListen)
}
} else {
logger.Println("Can't open config file from default location", config.GetDefaults().DefaultConfigFile)
logger.Println("Falling back to platform default", config.GetDefaults().DefaultAdminListen)
}
} else {
cmdLineEnv.endpoint = cmdLineEnv.server
logger.Println("Using endpoint", cmdLineEnv.endpoint, "from command line")
}
}

411
cmd/yggdrasilctl/main.go Normal file
View file

@ -0,0 +1,411 @@
package main
import (
"bytes"
"encoding/json"
"errors"
"flag"
"fmt"
"log"
"net"
"net/url"
"os"
"sort"
"strings"
"time"
"suah.dev/protect"
"github.com/olekukonko/tablewriter"
"github.com/olekukonko/tablewriter/renderer"
"github.com/olekukonko/tablewriter/tw"
"github.com/yggdrasil-network/yggdrasil-go/src/admin"
"github.com/yggdrasil-network/yggdrasil-go/src/core"
"github.com/yggdrasil-network/yggdrasil-go/src/multicast"
"github.com/yggdrasil-network/yggdrasil-go/src/tun"
"github.com/yggdrasil-network/yggdrasil-go/src/version"
)
func main() {
// read config, speak DNS/TCP and/or over a UNIX socket
if err := protect.Pledge("stdio rpath inet unix dns"); err != nil {
panic(err)
}
// makes sure we can use defer and still return an error code to the OS
os.Exit(run())
}
func run() int {
logbuffer := &bytes.Buffer{}
logger := log.New(logbuffer, "", log.Flags())
defer func() int {
if r := recover(); r != nil {
logger.Println("Fatal error:", r)
fmt.Print(logbuffer)
return 1
}
return 0
}()
cmdLineEnv := newCmdLineEnv()
cmdLineEnv.parseFlagsAndArgs()
if cmdLineEnv.ver {
fmt.Println("Build name:", version.BuildName())
fmt.Println("Build version:", version.BuildVersion())
fmt.Println("To get the version number of the running Kaya node, run", os.Args[0], "getSelf")
return 0
}
if len(cmdLineEnv.args) == 0 {
flag.Usage()
return 0
}
cmdLineEnv.setEndpoint(logger)
var conn net.Conn
u, err := url.Parse(cmdLineEnv.endpoint)
if err == nil {
switch strings.ToLower(u.Scheme) {
case "unix":
logger.Println("Connecting to UNIX socket", cmdLineEnv.endpoint[7:])
conn, err = net.Dial("unix", cmdLineEnv.endpoint[7:])
case "tcp":
logger.Println("Connecting to TCP socket", u.Host)
conn, err = net.Dial("tcp", u.Host)
default:
logger.Println("Unknown protocol or malformed address - check your endpoint")
err = errors.New("protocol not supported")
}
} else {
logger.Println("Connecting to TCP socket", u.Host)
conn, err = net.Dial("tcp", cmdLineEnv.endpoint)
}
if err != nil {
panic(err)
}
// config and socket are done, work without unprivileges
if err := protect.Pledge("stdio"); err != nil {
panic(err)
}
logger.Println("Connected")
defer conn.Close()
decoder := json.NewDecoder(conn)
encoder := json.NewEncoder(conn)
send := &admin.AdminSocketRequest{}
recv := &admin.AdminSocketResponse{}
args := map[string]string{}
for c, a := range cmdLineEnv.args {
if c == 0 {
if strings.HasPrefix(a, "-") {
logger.Printf("Ignoring flag %s as it should be specified before other parameters\n", a)
continue
}
logger.Printf("Sending request: %v\n", a)
send.Name = a
continue
}
tokens := strings.SplitN(a, "=", 2)
switch {
case len(tokens) == 1:
logger.Println("Ignoring invalid argument:", a)
default:
args[tokens[0]] = tokens[1]
}
}
if send.Arguments, err = json.Marshal(args); err != nil {
panic(err)
}
if err := encoder.Encode(&send); err != nil {
panic(err)
}
logger.Printf("Request sent")
if err := decoder.Decode(&recv); err != nil {
panic(err)
}
if recv.Status == "error" {
if err := recv.Error; err != "" {
fmt.Println("Admin socket returned an error:", err)
} else {
fmt.Println("Admin socket returned an error but didn't specify any error text")
}
return 1
}
if cmdLineEnv.injson {
if json, err := json.MarshalIndent(recv.Response, "", " "); err == nil {
fmt.Println(string(json))
}
return 0
}
opts := []tablewriter.Option{
tablewriter.WithRowAlignment(tw.AlignLeft),
tablewriter.WithHeaderAlignment(tw.AlignCenter),
tablewriter.WithHeaderAutoFormat(tw.Off),
tablewriter.WithDebug(false),
}
if !cmdLineEnv.borders {
opts = append(opts, tablewriter.WithRenderer(renderer.NewBlueprint(tw.Rendition{
Borders: tw.BorderNone,
Settings: tw.Settings{
Lines: tw.LinesNone,
Separators: tw.SeparatorsNone,
},
})))
}
table := tablewriter.NewTable(os.Stdout, opts...)
switch strings.ToLower(send.Name) {
case "list":
var resp admin.ListResponse
if err := json.Unmarshal(recv.Response, &resp); err != nil {
panic(err)
}
table.Header([]string{"Command", "Arguments", "Description"})
for _, entry := range resp.List {
for i := range entry.Fields {
entry.Fields[i] = entry.Fields[i] + "=..."
}
_ = table.Append([]string{entry.Command, strings.Join(entry.Fields, ", "), entry.Description})
}
_ = table.Render()
case "getself":
var resp admin.GetSelfResponse
if err := json.Unmarshal(recv.Response, &resp); err != nil {
panic(err)
}
_ = table.Append([]string{"Build name:", resp.BuildName})
_ = table.Append([]string{"Build version:", resp.BuildVersion})
_ = table.Append([]string{"IPv6 address:", resp.IPAddress})
_ = table.Append([]string{"IPv6 subnet:", resp.Subnet})
_ = table.Append([]string{"Routing table size:", fmt.Sprintf("%d", resp.RoutingEntries)})
_ = table.Append([]string{"Public key:", resp.PublicKey})
_ = table.Render()
case "getpeers":
var resp admin.GetPeersResponse
if err := json.Unmarshal(recv.Response, &resp); err != nil {
panic(err)
}
table.Header([]string{"URI", "Remote", "State", "Dir", "IP Address", "Uptime", "RTT", "RX", "TX", "Down", "Up", "Pr", "Cost", "Last Error"})
for _, peer := range resp.Peers {
state, lasterr, dir, rtt, rxr, txr := "Up", "-", "Out", "-", "-", "-"
if !peer.Up {
if state = "Down"; peer.LastError != "" {
lasterr = fmt.Sprintf("%s ago: %s", peer.LastErrorTime.Round(time.Second), peer.LastError)
}
} else if rttms := float64(peer.Latency.Microseconds()) / 1000; rttms > 0 {
rtt = fmt.Sprintf("%.02fms", rttms)
}
if peer.Inbound {
dir = "In"
}
parsedURI, parseErr := url.Parse(peer.URI)
uristring := peer.URI
if parseErr == nil {
parsedURI.RawQuery = ""
uristring = parsedURI.String()
}
if peer.RXRate > 0 {
rxr = peer.RXRate.String() + "/s"
}
if peer.TXRate > 0 {
txr = peer.TXRate.String() + "/s"
}
remote := peerRemoteHost(parsedURI, parseErr)
_ = table.Append([]string{
uristring,
remote,
state,
dir,
peer.IPAddress,
(time.Duration(peer.Uptime) * time.Second).String(),
rtt,
peer.RXBytes.String(),
peer.TXBytes.String(),
rxr,
txr,
fmt.Sprintf("%d", peer.Priority),
fmt.Sprintf("%d", peer.Cost),
lasterr,
})
}
_ = table.Render()
case "gettree":
var resp admin.GetTreeResponse
if err := json.Unmarshal(recv.Response, &resp); err != nil {
panic(err)
}
table.Header([]string{"Tree", "IP Address", "Sequence"})
for _, line := range formatTreeRows(resp.Tree) {
_ = table.Append([]string{line.Branch, line.IPAddress, fmt.Sprintf("%d", line.Sequence)})
}
_ = table.Render()
case "getpaths":
var resp admin.GetPathsResponse
if err := json.Unmarshal(recv.Response, &resp); err != nil {
panic(err)
}
table.Header([]string{"Public Key", "IP Address", "Path", "Seq"})
for _, p := range resp.Paths {
_ = table.Append([]string{
p.PublicKey,
p.IPAddress,
fmt.Sprintf("%v", p.Path),
fmt.Sprintf("%d", p.Sequence),
})
}
_ = table.Render()
case "getsessions":
var resp admin.GetSessionsResponse
if err := json.Unmarshal(recv.Response, &resp); err != nil {
panic(err)
}
table.Header([]string{"Public Key", "IP Address", "Uptime", "RX", "TX"})
for _, p := range resp.Sessions {
_ = table.Append([]string{
p.PublicKey,
p.IPAddress,
(time.Duration(p.Uptime) * time.Second).String(),
p.RXBytes.String(),
p.TXBytes.String(),
})
}
_ = table.Render()
case "getnodeinfo":
var resp core.GetNodeInfoResponse
if err := json.Unmarshal(recv.Response, &resp); err != nil {
panic(err)
}
for _, v := range resp {
fmt.Println(string(v))
break
}
case "getmulticastinterfaces":
var resp multicast.GetMulticastInterfacesResponse
if err := json.Unmarshal(recv.Response, &resp); err != nil {
panic(err)
}
fmtBool := func(b bool) string {
if b {
return "Yes"
}
return "-"
}
table.Header([]string{"Name", "Listen Address", "Beacon", "Listen", "Password"})
for _, p := range resp.Interfaces {
_ = table.Append([]string{
p.Name,
p.Address,
fmtBool(p.Beacon),
fmtBool(p.Listen),
fmtBool(p.Password),
})
}
_ = table.Render()
case "gettun":
var resp tun.GetTUNResponse
if err := json.Unmarshal(recv.Response, &resp); err != nil {
panic(err)
}
_ = table.Append([]string{"TUN enabled:", fmt.Sprintf("%#v", resp.Enabled)})
if resp.Enabled {
_ = table.Append([]string{"Interface name:", resp.Name})
_ = table.Append([]string{"Interface MTU:", fmt.Sprintf("%d", resp.MTU)})
}
_ = table.Render()
case "addpeer", "removepeer", "setpeertraffic":
default:
fmt.Println(string(recv.Response))
}
return 0
}
func peerRemoteHost(parsedURI *url.URL, parseErr error) string {
if parseErr != nil || parsedURI == nil {
return "-"
}
host := parsedURI.Host
if splitHost, _, err := net.SplitHostPort(host); err == nil {
return splitHost
}
if host == "" {
return "-"
}
return host
}
type treeLine struct {
Branch string
IPAddress string
Sequence uint64
}
func formatTreeRows(entries []admin.TreeEntry) []treeLine {
if len(entries) == 0 {
return nil
}
children := make(map[string][]admin.TreeEntry, len(entries))
byKey := make(map[string]admin.TreeEntry, len(entries))
for _, entry := range entries {
byKey[entry.PublicKey] = entry
}
roots := make([]admin.TreeEntry, 0, len(entries))
for _, entry := range entries {
if entry.Parent == "" || entry.Parent == entry.PublicKey || byKey[entry.Parent].PublicKey == "" {
roots = append(roots, entry)
continue
}
children[entry.Parent] = append(children[entry.Parent], entry)
}
sort.Slice(roots, func(i, j int) bool { return roots[i].PublicKey < roots[j].PublicKey })
for parent := range children {
sort.Slice(children[parent], func(i, j int) bool {
return children[parent][i].PublicKey < children[parent][j].PublicKey
})
}
rows := make([]treeLine, 0, len(entries))
var walk func(admin.TreeEntry, string, bool)
walk = func(node admin.TreeEntry, prefix string, last bool) {
branchPrefix := ""
nextPrefix := ""
if prefix != "" {
if last {
branchPrefix = prefix + "└─ "
nextPrefix = prefix + " "
} else {
branchPrefix = prefix + "├─ "
nextPrefix = prefix + "│ "
}
}
label := node.PublicKey
if len(label) > 16 {
label = label[:16] + "…"
}
rows = append(rows, treeLine{Branch: branchPrefix + label, IPAddress: node.IPAddress, Sequence: node.Sequence})
kids := children[node.PublicKey]
for i, child := range kids {
walk(child, nextPrefix, i == len(kids)-1)
}
}
for i, root := range roots {
walk(root, "", i == len(roots)-1)
}
return rows
}

46
go.mod Normal file
View file

@ -0,0 +1,46 @@
module github.com/yggdrasil-network/yggdrasil-go
go 1.24.0
require (
github.com/Arceliar/ironwood v0.0.0-20260117132459-7017dbc41d8e
github.com/Arceliar/phony v0.0.0-20220903101357-530938a4b13d
github.com/cheggaaa/pb/v3 v3.1.7
github.com/coder/websocket v1.8.14
github.com/gologme/log v1.3.0
github.com/hashicorp/go-syslog v1.0.0
github.com/hjson/hjson-go/v4 v4.6.0
github.com/kardianos/minwinsvc v1.0.2
github.com/quic-go/quic-go v0.59.0
github.com/vishvananda/netlink v1.3.1
github.com/wlynxg/anet v0.0.5
golang.org/x/crypto v0.48.0
golang.org/x/net v0.50.0
golang.org/x/sys v0.41.0
golang.org/x/text v0.34.0
golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
golang.zx2c4.com/wireguard/windows v0.5.3
)
require (
github.com/bits-and-blooms/bitset v1.24.4 // indirect
github.com/bits-and-blooms/bloom/v3 v3.7.1 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/clipperhouse/displaywidth v0.10.0 // indirect
github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
github.com/mattn/go-colorable v0.1.14 // indirect
github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
github.com/olekukonko/errors v1.2.0 // indirect
github.com/olekukonko/ll v0.1.6 // indirect
)
require (
github.com/VividCortex/ewma v1.2.0 // indirect
github.com/fatih/color v1.18.0 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mattn/go-runewidth v0.0.20 // indirect
github.com/olekukonko/tablewriter v1.1.3
github.com/vishvananda/netns v0.0.5 // indirect
suah.dev/protect v1.2.4
)

91
go.sum Normal file
View file

@ -0,0 +1,91 @@
github.com/Arceliar/ironwood v0.0.0-20260117132459-7017dbc41d8e h1:s7MuhcZu2hNfVvYLT4cKnQt7pZ1+z6eL2E48YlaAqzY=
github.com/Arceliar/ironwood v0.0.0-20260117132459-7017dbc41d8e/go.mod h1:SrrElc3FFMpYCODSr11jWbLFeOM8WsY+DbDY/l2AXF0=
github.com/Arceliar/phony v0.0.0-20220903101357-530938a4b13d h1:UK9fsWbWqwIQkMCz1CP+v5pGbsGoWAw6g4AyvMpm1EM=
github.com/Arceliar/phony v0.0.0-20220903101357-530938a4b13d/go.mod h1:BCnxhRf47C/dy/e/D2pmB8NkB3dQVIrkD98b220rx5Q=
github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow=
github.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4=
github.com/bits-and-blooms/bitset v1.24.2/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
github.com/bits-and-blooms/bitset v1.24.4 h1:95H15Og1clikBrKr/DuzMXkQzECs1M6hhoGXLwLQOZE=
github.com/bits-and-blooms/bitset v1.24.4/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
github.com/bits-and-blooms/bloom/v3 v3.7.1 h1:WXovk4TRKZttAMJfoQx6K2DM0zNIt8w+c67UqO+etV0=
github.com/bits-and-blooms/bloom/v3 v3.7.1/go.mod h1:rZzYLLje2dfzXfAkJNxQQHsKurAyK55KUnL43Euk0hU=
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cheggaaa/pb/v3 v3.1.7 h1:2FsIW307kt7A/rz/ZI2lvPO+v3wKazzE4K/0LtTWsOI=
github.com/cheggaaa/pb/v3 v3.1.7/go.mod h1:/Ji89zfVPeC/u5j8ukD0MBPHt2bzTYp74lQ7KlgFWTQ=
github.com/clipperhouse/displaywidth v0.10.0 h1:GhBG8WuerxjFQQYeuZAeVTuyxuX+UraiZGD4HJQ3Y8g=
github.com/clipperhouse/displaywidth v0.10.0/go.mod h1:XqJajYsaiEwkxOj4bowCTMcT1SgvHo9flfF3jQasdbs=
github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
github.com/coder/websocket v1.8.14/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6pumgx0mVg=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
github.com/gologme/log v1.3.0 h1:l781G4dE+pbigClDSDzSaaYKtiueHCILUa/qSDsmHAo=
github.com/gologme/log v1.3.0/go.mod h1:yKT+DvIPdDdDoPtqFrFxheooyVmoqi0BAsw+erN3wA4=
github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
github.com/hashicorp/go-syslog v1.0.0 h1:KaodqZuhUoZereWVIYmpUgZysurB1kBLX2j0MwMrUAE=
github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
github.com/hjson/hjson-go/v4 v4.6.0 h1:16e6ViyVfAANKsXo/46h8szUADez7FJs67xl/l+KHS4=
github.com/hjson/hjson-go/v4 v4.6.0/go.mod h1:4zx6c7Y0vWcm8IRyVoQJUHAPJLXLvbG6X8nk1RLigSo=
github.com/kardianos/minwinsvc v1.0.2 h1:JmZKFJQrmTGa/WiW+vkJXKmfzdjabuEW4Tirj5lLdR0=
github.com/kardianos/minwinsvc v1.0.2/go.mod h1:LUZNYhNmxujx2tR7FbdxqYJ9XDDoCd3MQcl1o//FWl4=
github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/mattn/go-runewidth v0.0.20 h1:WcT52H91ZUAwy8+HUkdM3THM6gXqXuLJi9O3rjcQQaQ=
github.com/mattn/go-runewidth v0.0.20/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 h1:zrbMGy9YXpIeTnGj4EljqMiZsIcE09mmF8XsD5AYOJc=
github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6/go.mod h1:rEKTHC9roVVicUIfZK7DYrdIoM0EOr8mK1Hj5s3JjH0=
github.com/olekukonko/errors v1.2.0 h1:10Zcn4GeV59t/EGqJc8fUjtFT/FuUh5bTMzZ1XwmCRo=
github.com/olekukonko/errors v1.2.0/go.mod h1:ppzxA5jBKcO1vIpCXQ9ZqgDh8iwODz6OXIGKU8r5m4Y=
github.com/olekukonko/ll v0.1.6 h1:lGVTHO+Qc4Qm+fce/2h2m5y9LvqaW+DCN7xW9hsU3uA=
github.com/olekukonko/ll v0.1.6/go.mod h1:NVUmjBb/aCtUpjKk75BhWrOlARz3dqsM+OtszpY4o88=
github.com/olekukonko/tablewriter v1.1.3 h1:VSHhghXxrP0JHl+0NnKid7WoEmd9/urKRJLysb70nnA=
github.com/olekukonko/tablewriter v1.1.3/go.mod h1:9VU0knjhmMkXjnMKrZ3+L2JhhtsQ/L38BbL3CRNE8tM=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=
github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
github.com/twmb/murmur3 v1.1.8 h1:8Yt9taO/WN3l08xErzjeschgZU2QSrwm1kclYq+0aRg=
github.com/twmb/murmur3 v1.1.8/go.mod h1:Qq/R7NUyOfr65zD+6Q5IHKsJLwP7exErjN6lyyq3OSQ=
github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
github.com/wlynxg/anet v0.0.5 h1:J3VJGi1gvo0JwZ/P1/Yc/8p63SoW98B5dHkYDmpgvvU=
github.com/wlynxg/anet v0.0.5/go.mod h1:eay5PRQr7fIVAMbTbchTnO9gG65Hg/uYGdc7mguHxoA=
go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+ZbWg+4sHnLp52d5yiIPUxMBSt4X9A=
golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c h1:m/r7OM+Y2Ty1sgBQ7Qb27VgIMBW8ZZhT4gLnUyDIhzI=
gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c/go.mod h1:3r5CMtNQMKIvBlrmM9xWUNamjKBYPOWyXOjmg5Kts3g=
suah.dev/protect v1.2.4 h1:iVZG/zQB63FKNpITDYM/cXoAeCTIjCiXHuFVByJFDzg=
suah.dev/protect v1.2.4/go.mod h1:vVrquYO3u1Ep9Ez2z8x+6N6/czm+TBmWKZfiXU2tb54=

76
misc/run-schannel-netns Executable file
View file

@ -0,0 +1,76 @@
#!/bin/bash
# Connects nodes in a network resembling an s-channel feynmann diagram.
# 1 5
# \ /
# 3--4
# / \
# 2 6
# Bandwidth constraints are applied to 4<->5 and 4<->6.
# The idea is to make sure that bottlenecks on one link don't affect the other.
ip netns add node1
ip netns add node2
ip netns add node3
ip netns add node4
ip netns add node5
ip netns add node6
ip link add veth13 type veth peer name veth31
ip link set veth13 netns node1 up
ip link set veth31 netns node3 up
ip link add veth23 type veth peer name veth32
ip link set veth23 netns node2 up
ip link set veth32 netns node3 up
ip link add veth34 type veth peer name veth43
ip link set veth34 netns node3 up
ip link set veth43 netns node4 up
ip link add veth45 type veth peer name veth54
ip link set veth45 netns node4 up
ip link set veth54 netns node5 up
ip link add veth46 type veth peer name veth64
ip link set veth46 netns node4 up
ip link set veth64 netns node6 up
ip netns exec node4 tc qdisc add dev veth45 root tbf rate 100mbit burst 8192 latency 1ms
ip netns exec node5 tc qdisc add dev veth54 root tbf rate 100mbit burst 8192 latency 1ms
ip netns exec node4 tc qdisc add dev veth46 root tbf rate 10mbit burst 8192 latency 1ms
ip netns exec node6 tc qdisc add dev veth64 root tbf rate 10mbit burst 8192 latency 1ms
ip netns exec node1 ip link set lo up
ip netns exec node2 ip link set lo up
ip netns exec node3 ip link set lo up
ip netns exec node4 ip link set lo up
ip netns exec node5 ip link set lo up
ip netns exec node6 ip link set lo up
echo '{AdminListen: "none"}' | ip netns exec node1 env PPROFLISTEN=localhost:6060 ./yggdrasil --useconf &> /dev/null &
echo '{AdminListen: "none"}' | ip netns exec node2 env PPROFLISTEN=localhost:6060 ./yggdrasil --useconf &> /dev/null &
echo '{AdminListen: "none"}' | ip netns exec node3 env PPROFLISTEN=localhost:6060 ./yggdrasil --useconf &> /dev/null &
echo '{AdminListen: "none"}' | ip netns exec node4 env PPROFLISTEN=localhost:6060 ./yggdrasil --useconf &> /dev/null &
echo '{AdminListen: "none"}' | ip netns exec node5 env PPROFLISTEN=localhost:6060 ./yggdrasil --useconf &> /dev/null &
echo '{AdminListen: "none"}' | ip netns exec node6 env PPROFLISTEN=localhost:6060 ./yggdrasil --useconf &> /dev/null &
echo "Started, to continue you should (possibly w/ sudo):"
echo "kill" $(jobs -p)
wait
ip netns delete node1
ip netns delete node2
ip netns delete node3
ip netns delete node4
ip netns delete node5
ip netns delete node6
ip link delete veth13
ip link delete veth23
ip link delete veth34
ip link delete veth45
ip link delete veth46

33
misc/run-twolink-test Executable file
View file

@ -0,0 +1,33 @@
#!/bin/bash
# Connects nodes in two namespaces by two links with different bandwidth (10mbit and 100mbit)
ip netns add node1
ip netns add node2
ip link add veth11 type veth peer name veth21
ip link set veth11 netns node1 up
ip link set veth21 netns node2 up
ip link add veth12 type veth peer name veth22
ip link set veth12 netns node1 up
ip link set veth22 netns node2 up
ip netns exec node1 tc qdisc add dev veth11 root tbf rate 10mbit burst 8192 latency 1ms
ip netns exec node2 tc qdisc add dev veth21 root tbf rate 10mbit burst 8192 latency 1ms
ip netns exec node1 tc qdisc add dev veth12 root tbf rate 100mbit burst 8192 latency 1ms
ip netns exec node2 tc qdisc add dev veth22 root tbf rate 100mbit burst 8192 latency 1ms
echo '{AdminListen: "unix://node1.sock"}' | ip netns exec node1 env PPROFLISTEN=localhost:6060 ./yggdrasil -logging "info,warn,error,debug" -useconf &> node1.log &
echo '{AdminListen: "unix://node2.sock"}' | ip netns exec node2 env PPROFLISTEN=localhost:6060 ./yggdrasil -logging "info,warn,error,debug" -useconf &> node2.log &
echo "Started, to continue you should (possibly w/ sudo):"
echo "kill" $(jobs -p)
wait
ip netns delete node1
ip netns delete node2
ip link delete veth11
ip link delete veth12

150
src/address/address.go Normal file
View file

@ -0,0 +1,150 @@
// Package address contains the types used by kaya to represent IPv6 addresses or prefixes, as well as functions for working with these types.
// Of particular importance are the functions used to derive addresses or subnets from a NodeID, or to get the NodeID and bitmask of the bits visible from an address, which is needed for DHT searches.
package address
import (
"crypto/ed25519"
)
// Address represents an IPv6 address in the kaya address range.
type Address [16]byte
// Subnet represents an IPv6 /64 subnet in the kaya subnet range.
type Subnet [8]byte
// GetPrefix returns the address prefix used by kaya.
// The current implementation requires this to be a multiple of 8 bits + 7 bits.
// The 8th bit of the last byte is used to signal nodes (0) or /64 prefixes (1).
// Nodes that configure this differently will be unable to communicate with each other using IP packets, though routing and the DHT machinery *should* still work.
func GetPrefix() [1]byte {
return [...]byte{0x02}
}
// IsValid returns true if an address falls within the range used by nodes in the network.
func (a *Address) IsValid() bool {
prefix := GetPrefix()
for idx := range prefix {
if (*a)[idx] != prefix[idx] {
return false
}
}
return true
}
// IsValid returns true if a prefix falls within the range usable by the network.
func (s *Subnet) IsValid() bool {
prefix := GetPrefix()
l := len(prefix)
for idx := range prefix[:l-1] {
if (*s)[idx] != prefix[idx] {
return false
}
}
return (*s)[l-1] == prefix[l-1]|0x01
}
// AddrForKey takes an ed25519.PublicKey as an argument and returns an *Address.
// This function returns nil if the key length is not ed25519.PublicKeySize.
// This address begins with the contents of GetPrefix(), with the last bit set to 0 to indicate an address.
// The following 8 bits are set to the number of leading 1 bits in the bitwise inverse of the public key.
// The bitwise inverse of the key, excluding the leading 1 bits and the first leading 0 bit, is truncated to the appropriate length and makes up the remainder of the address.
func AddrForKey(publicKey ed25519.PublicKey) *Address {
// 128 bit address
// Begins with prefix
// Next bit is a 0
// Next 7 bits, interpreted as a uint, are # of leading 1s in the NodeID
// Leading 1s and first leading 0 of the NodeID are truncated off
// The rest is appended to the IPv6 address (truncated to 128 bits total)
if len(publicKey) != ed25519.PublicKeySize {
return nil
}
var buf [ed25519.PublicKeySize]byte
copy(buf[:], publicKey)
for idx := range buf {
buf[idx] = ^buf[idx]
}
var addr Address
var temp = make([]byte, 0, 32)
done := false
ones := byte(0)
bits := byte(0)
nBits := 0
for idx := 0; idx < 8*len(buf); idx++ {
bit := (buf[idx/8] & (0x80 >> byte(idx%8))) >> byte(7-(idx%8))
if !done && bit != 0 {
ones++
continue
}
if !done && bit == 0 {
done = true
continue // FIXME? this assumes that ones <= 127, probably only worth changing by using a variable length uint64, but that would require changes to the addressing scheme, and I'm not sure ones > 127 is realistic
}
bits = (bits << 1) | bit
nBits++
if nBits == 8 {
nBits = 0
temp = append(temp, bits)
}
}
prefix := GetPrefix()
copy(addr[:], prefix[:])
addr[len(prefix)] = ones
copy(addr[len(prefix)+1:], temp)
return &addr
}
// SubnetForKey takes an ed25519.PublicKey as an argument and returns a *Subnet.
// This function returns nil if the key length is not ed25519.PublicKeySize.
// The subnet begins with the address prefix, with the last bit set to 1 to indicate a prefix.
// The following 8 bits are set to the number of leading 1 bits in the bitwise inverse of the key.
// The bitwise inverse of the key, excluding the leading 1 bits and the first leading 0 bit, is truncated to the appropriate length and makes up the remainder of the subnet.
func SubnetForKey(publicKey ed25519.PublicKey) *Subnet {
// Exactly as the address version, with two exceptions:
// 1) The first bit after the fixed prefix is a 1 instead of a 0
// 2) It's truncated to a subnet prefix length instead of 128 bits
addr := AddrForKey(publicKey)
if addr == nil {
return nil
}
var snet Subnet
copy(snet[:], addr[:])
prefix := GetPrefix() // nolint:staticcheck
snet[len(prefix)-1] |= 0x01
return &snet
}
// GetKey returns the partial ed25519.PublicKey for the Address.
// This is used for key lookup.
func (a *Address) GetKey() ed25519.PublicKey {
var key [ed25519.PublicKeySize]byte
prefix := GetPrefix() // nolint:staticcheck
ones := int(a[len(prefix)])
for idx := 0; idx < ones; idx++ {
key[idx/8] |= 0x80 >> byte(idx%8)
}
keyOffset := ones + 1
addrOffset := 8*len(prefix) + 8
for idx := addrOffset; idx < 8*len(a); idx++ {
bits := a[idx/8] & (0x80 >> byte(idx%8))
bits <<= byte(idx % 8)
keyIdx := keyOffset + (idx - addrOffset)
bits >>= byte(keyIdx % 8)
idx := keyIdx / 8
if idx >= len(key) {
break
}
key[idx] |= bits
}
for idx := range key {
key[idx] = ^key[idx]
}
return ed25519.PublicKey(key[:])
}
// GetKey returns the partial ed25519.PublicKey for the Subnet.
// This is used for key lookup.
func (s *Subnet) GetKey() ed25519.PublicKey {
var addr Address
copy(addr[:], s[:])
return addr.GetKey()
}

114
src/address/address_test.go Normal file
View file

@ -0,0 +1,114 @@
package address
import (
"bytes"
"crypto/ed25519"
"crypto/rand"
"testing"
)
func TestAddress_Address_IsValid(t *testing.T) {
var address Address
_, _ = rand.Read(address[:])
address[0] = 0
if address.IsValid() {
t.Fatal("invalid address marked as valid")
}
address[0] = 0x03
if address.IsValid() {
t.Fatal("invalid address marked as valid")
}
address[0] = 0x02
if !address.IsValid() {
t.Fatal("valid address marked as invalid")
}
}
func TestAddress_Subnet_IsValid(t *testing.T) {
var subnet Subnet
_, _ = rand.Read(subnet[:])
subnet[0] = 0
if subnet.IsValid() {
t.Fatal("invalid subnet marked as valid")
}
subnet[0] = 0x02
if subnet.IsValid() {
t.Fatal("invalid subnet marked as valid")
}
subnet[0] = 0x03
if !subnet.IsValid() {
t.Fatal("valid subnet marked as invalid")
}
}
func TestAddress_AddrForKey(t *testing.T) {
publicKey := ed25519.PublicKey{
189, 186, 207, 216, 34, 64, 222, 61, 205, 18, 57, 36, 203, 181, 82, 86,
251, 141, 171, 8, 170, 152, 227, 5, 82, 138, 184, 79, 65, 158, 110, 251,
}
expectedAddress := Address{
2, 0, 132, 138, 96, 79, 187, 126, 67, 132, 101, 219, 141, 182, 104, 149,
}
if *AddrForKey(publicKey) != expectedAddress {
t.Fatal("invalid address returned")
}
}
func TestAddress_SubnetForKey(t *testing.T) {
publicKey := ed25519.PublicKey{
189, 186, 207, 216, 34, 64, 222, 61, 205, 18, 57, 36, 203, 181, 82, 86,
251, 141, 171, 8, 170, 152, 227, 5, 82, 138, 184, 79, 65, 158, 110, 251,
}
expectedSubnet := Subnet{3, 0, 132, 138, 96, 79, 187, 126}
if *SubnetForKey(publicKey) != expectedSubnet {
t.Fatal("invalid subnet returned")
}
}
func TestAddress_Address_GetKey(t *testing.T) {
address := Address{
2, 0, 132, 138, 96, 79, 187, 126, 67, 132, 101, 219, 141, 182, 104, 149,
}
expectedPublicKey := ed25519.PublicKey{
189, 186, 207, 216, 34, 64, 222, 61,
205, 18, 57, 36, 203, 181, 127, 255,
255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255,
}
if !bytes.Equal(address.GetKey(), expectedPublicKey) {
t.Fatal("invalid public key returned")
}
}
func TestAddress_Subnet_GetKey(t *testing.T) {
subnet := Subnet{3, 0, 132, 138, 96, 79, 187, 126}
expectedPublicKey := ed25519.PublicKey{
189, 186, 207, 216, 34, 64, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255,
}
if !bytes.Equal(subnet.GetKey(), expectedPublicKey) {
t.Fatal("invalid public key returned")
}
}

21
src/admin/addpeer.go Normal file
View file

@ -0,0 +1,21 @@
package admin
import (
"fmt"
"net/url"
)
type AddPeerRequest struct {
Uri string `json:"uri"`
Sintf string `json:"interface,omitempty"`
}
type AddPeerResponse struct{}
func (a *AdminSocket) addPeerHandler(req *AddPeerRequest, _ *AddPeerResponse) error {
u, err := url.Parse(req.Uri)
if err != nil {
return fmt.Errorf("unable to parse peering URI: %w", err)
}
return a.core.AddPeer(u, req.Sintf)
}

384
src/admin/admin.go Normal file
View file

@ -0,0 +1,384 @@
package admin
import (
"encoding/json"
"errors"
"fmt"
"net"
"net/url"
"os"
"sort"
"strings"
"time"
"github.com/yggdrasil-network/yggdrasil-go/src/core"
)
// TODO: Add authentication
type AdminSocket struct {
core *core.Core
log core.Logger
listener net.Listener
handlers map[string]handler
done chan struct{}
config struct {
listenaddr ListenAddress
}
}
type AdminSocketRequest struct {
Name string `json:"request"`
Arguments json.RawMessage `json:"arguments,omitempty"`
KeepAlive bool `json:"keepalive,omitempty"`
}
type AdminSocketResponse struct {
Status string `json:"status"`
Error string `json:"error,omitempty"`
Request AdminSocketRequest `json:"request"`
Response json.RawMessage `json:"response"`
}
type handler struct {
desc string // What does the endpoint do?
args []string // List of human-readable argument names
handler core.AddHandlerFunc // First is input map, second is output
}
type ListResponse struct {
List []ListEntry `json:"list"`
}
type ListEntry struct {
Command string `json:"command"`
Description string `json:"description"`
Fields []string `json:"fields,omitempty"`
}
// AddHandler is called for each admin function to add the handler and help documentation to the API.
func (a *AdminSocket) AddHandler(name, desc string, args []string, handlerfunc core.AddHandlerFunc) error {
if _, ok := a.handlers[strings.ToLower(name)]; ok {
return errors.New("handler already exists")
}
a.handlers[strings.ToLower(name)] = handler{
desc: desc,
args: args,
handler: handlerfunc,
}
return nil
}
// Init runs the initial admin setup.
func New(c *core.Core, log core.Logger, opts ...SetupOption) (*AdminSocket, error) {
a := &AdminSocket{
core: c,
log: log,
handlers: make(map[string]handler),
}
for _, opt := range opts {
a._applyOption(opt)
}
if a.config.listenaddr == "none" || a.config.listenaddr == "" {
return nil, nil
}
listenaddr := string(a.config.listenaddr)
u, err := url.Parse(listenaddr)
if err == nil {
switch strings.ToLower(u.Scheme) {
case "unix":
if _, err := os.Stat(u.Path); err == nil {
a.log.Debugln("Admin socket", u.Path, "already exists, trying to clean up")
if _, err := net.DialTimeout("unix", u.Path, time.Second*2); err == nil || err.(net.Error).Timeout() {
a.log.Errorln("Admin socket", u.Path, "already exists and is in use by another process")
os.Exit(1)
} else {
if err := os.Remove(u.Path); err == nil {
a.log.Debugln(u.Path, "was cleaned up")
} else {
a.log.Errorln(u.Path, "already exists and was not cleaned up:", err)
os.Exit(1)
}
}
}
a.listener, err = net.Listen("unix", u.Path)
if err == nil {
switch u.Path[:1] {
case "@": // maybe abstract namespace
default:
if err := os.Chmod(u.Path, 0660); err != nil {
a.log.Warnln("WARNING:", u.Path, "may have unsafe permissions!")
}
}
}
case "tcp":
a.listener, err = net.Listen("tcp", u.Host)
default:
a.listener, err = net.Listen("tcp", listenaddr)
}
} else {
a.listener, err = net.Listen("tcp", listenaddr)
}
if err != nil {
a.log.Errorf("Admin socket failed to listen: %v", err)
os.Exit(1)
}
a.log.Infof("%s admin socket listening on %s",
strings.ToUpper(a.listener.Addr().Network()),
a.listener.Addr().String())
_ = a.AddHandler("list", "List available commands", []string{}, func(_ json.RawMessage) (interface{}, error) {
res := &ListResponse{}
for name, handler := range a.handlers {
res.List = append(res.List, ListEntry{
Command: name,
Description: handler.desc,
Fields: handler.args,
})
}
sort.SliceStable(res.List, func(i, j int) bool {
return strings.Compare(res.List[i].Command, res.List[j].Command) < 0
})
return res, nil
})
a.done = make(chan struct{})
go a.listen()
return a, a.core.SetAdmin(a)
}
func (a *AdminSocket) SetupAdminHandlers() {
_ = a.AddHandler(
"getSelf", "Show details about this node", []string{},
func(in json.RawMessage) (interface{}, error) {
req := &GetSelfRequest{}
res := &GetSelfResponse{}
if err := json.Unmarshal(in, &req); err != nil {
return nil, err
}
if err := a.getSelfHandler(req, res); err != nil {
return nil, err
}
return res, nil
},
)
_ = a.AddHandler(
"getPeers", "Show directly connected peers", []string{"sort"},
func(in json.RawMessage) (interface{}, error) {
req := &GetPeersRequest{}
res := &GetPeersResponse{}
if err := json.Unmarshal(in, &req); err != nil {
return nil, err
}
if err := a.getPeersHandler(req, res); err != nil {
return nil, err
}
return res, nil
},
)
_ = a.AddHandler(
"getTree", "Show known Tree entries", []string{},
func(in json.RawMessage) (interface{}, error) {
req := &GetTreeRequest{}
res := &GetTreeResponse{}
if err := json.Unmarshal(in, &req); err != nil {
return nil, err
}
if err := a.getTreeHandler(req, res); err != nil {
return nil, err
}
return res, nil
},
)
_ = a.AddHandler(
"getPaths", "Show established paths through this node", []string{},
func(in json.RawMessage) (interface{}, error) {
req := &GetPathsRequest{}
res := &GetPathsResponse{}
if err := json.Unmarshal(in, &req); err != nil {
return nil, err
}
if err := a.getPathsHandler(req, res); err != nil {
return nil, err
}
return res, nil
},
)
_ = a.AddHandler(
"getSessions", "Show established traffic sessions with remote nodes", []string{},
func(in json.RawMessage) (interface{}, error) {
req := &GetSessionsRequest{}
res := &GetSessionsResponse{}
if err := json.Unmarshal(in, &req); err != nil {
return nil, err
}
if err := a.getSessionsHandler(req, res); err != nil {
return nil, err
}
return res, nil
},
)
_ = a.AddHandler(
"addPeer", "Add a peer to the peer list", []string{"uri", "interface"},
func(in json.RawMessage) (interface{}, error) {
req := &AddPeerRequest{}
res := &AddPeerResponse{}
if err := json.Unmarshal(in, &req); err != nil {
return nil, err
}
if err := a.addPeerHandler(req, res); err != nil {
return nil, err
}
return res, nil
},
)
_ = a.AddHandler(
"removePeer", "Remove a peer from the peer list", []string{"uri", "interface"},
func(in json.RawMessage) (interface{}, error) {
req := &RemovePeerRequest{}
res := &RemovePeerResponse{}
if err := json.Unmarshal(in, &req); err != nil {
return nil, err
}
if err := a.removePeerHandler(req, res); err != nil {
return nil, err
}
return res, nil
},
)
_ = a.AddHandler(
"setPeerTraffic", "Enable or disable traffic routing via a specific peer", []string{"uri", "interface", "enabled"},
func(in json.RawMessage) (interface{}, error) {
req := &SetPeerTrafficRequest{}
res := &SetPeerTrafficResponse{}
if err := json.Unmarshal(in, &req); err != nil {
return nil, err
}
if err := a.setPeerTrafficHandler(req, res); err != nil {
return nil, err
}
return res, nil
},
)
}
// IsStarted returns true if the module has been started.
func (a *AdminSocket) IsStarted() bool {
select {
case <-a.done:
// Not blocking, so we're not currently running
return false
default:
// Blocked, so we must have started
return true
}
}
// Stop will stop the admin API and close the socket.
func (a *AdminSocket) Stop() error {
if a == nil {
return nil
}
if a.listener != nil {
select {
case <-a.done:
default:
close(a.done)
}
return a.listener.Close()
}
return nil
}
// listen is run by start and manages API connections.
func (a *AdminSocket) listen() {
defer a.listener.Close()
for {
conn, err := a.listener.Accept()
if err == nil {
go a.handleRequest(conn)
} else {
select {
case <-a.done:
// Not blocked, so we havent started or already stopped
return
default:
// Blocked, so we're supposed to keep running
}
}
}
}
// handleRequest calls the request handler for each request sent to the admin API.
func (a *AdminSocket) handleRequest(conn net.Conn) {
decoder := json.NewDecoder(conn)
decoder.DisallowUnknownFields()
encoder := json.NewEncoder(conn)
encoder.SetIndent("", " ")
defer conn.Close()
for {
var err error
var buf json.RawMessage
var req AdminSocketRequest
var resp AdminSocketResponse
req.Arguments = []byte("{}")
if err := func() error {
if err = decoder.Decode(&buf); err != nil {
return fmt.Errorf("failed to find request")
}
if err = json.Unmarshal(buf, &req); err != nil {
return fmt.Errorf("failed to unmarshal request")
}
resp.Request = req
if req.Name == "" {
return fmt.Errorf("no request specified")
}
reqname := strings.ToLower(req.Name)
handler, ok := a.handlers[reqname]
if !ok {
return fmt.Errorf("unknown action '%s', try 'list' for help", reqname)
}
res, err := handler.handler(req.Arguments)
if err != nil {
return err
}
if resp.Response, err = json.Marshal(res); err != nil {
return fmt.Errorf("failed to marshal response: %w", err)
}
resp.Status = "success"
return nil
}(); err != nil {
resp.Status = "error"
resp.Error = err.Error()
}
if err = encoder.Encode(resp); err != nil {
a.log.Debugln("Encode error:", err)
}
if !req.KeepAlive {
break
} else {
continue
}
}
}
type DataUnit uint64
func (d DataUnit) String() string {
switch {
case d >= 1024*1024*1024*1024:
return fmt.Sprintf("%2.1fTB", float64(d)/1024/1024/1024/1024)
case d >= 1024*1024*1024:
return fmt.Sprintf("%2.1fGB", float64(d)/1024/1024/1024)
case d >= 1024*1024:
return fmt.Sprintf("%2.1fMB", float64(d)/1024/1024)
case d >= 100:
return fmt.Sprintf("%2.1fKB", float64(d)/1024)
default:
return fmt.Sprintf("%dB", d)
}
}

5
src/admin/error.go Normal file
View file

@ -0,0 +1,5 @@
package admin
type ErrorResponse struct {
Error string `json:"error"`
}

42
src/admin/getpaths.go Normal file
View file

@ -0,0 +1,42 @@
package admin
import (
"encoding/hex"
"net"
"slices"
"strings"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
)
type GetPathsRequest struct {
}
type GetPathsResponse struct {
Paths []PathEntry `json:"paths"`
}
type PathEntry struct {
IPAddress string `json:"address"`
PublicKey string `json:"key"`
Path []uint64 `json:"path"`
Sequence uint64 `json:"sequence"`
}
func (a *AdminSocket) getPathsHandler(_ *GetPathsRequest, res *GetPathsResponse) error {
paths := a.core.GetPaths()
res.Paths = make([]PathEntry, 0, len(paths))
for _, p := range paths {
addr := address.AddrForKey(p.Key)
res.Paths = append(res.Paths, PathEntry{
IPAddress: net.IP(addr[:]).String(),
PublicKey: hex.EncodeToString(p.Key),
Path: p.Path,
Sequence: p.Sequence,
})
}
slices.SortStableFunc(res.Paths, func(a, b PathEntry) int {
return strings.Compare(a.PublicKey, b.PublicKey)
})
return nil
}

133
src/admin/getpeers.go Normal file
View file

@ -0,0 +1,133 @@
package admin
import (
"encoding/hex"
"net"
"slices"
"strings"
"time"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
)
type GetPeersRequest struct {
SortBy string `json:"sort"`
}
type GetPeersResponse struct {
Peers []PeerEntry `json:"peers"`
}
type PeerEntry struct {
URI string `json:"remote,omitempty"`
Up bool `json:"up"`
Inbound bool `json:"inbound"`
IPAddress string `json:"address,omitempty"`
PublicKey string `json:"key"`
Port uint64 `json:"port"`
Priority uint64 `json:"priority"`
Cost uint64 `json:"cost"`
RXBytes DataUnit `json:"bytes_recvd,omitempty"`
TXBytes DataUnit `json:"bytes_sent,omitempty"`
RXRate DataUnit `json:"rate_recvd,omitempty"`
TXRate DataUnit `json:"rate_sent,omitempty"`
Uptime float64 `json:"uptime,omitempty"`
Latency time.Duration `json:"latency,omitempty"`
LastErrorTime time.Duration `json:"last_error_time,omitempty"`
LastError string `json:"last_error,omitempty"`
}
func (a *AdminSocket) getPeersHandler(req *GetPeersRequest, res *GetPeersResponse) error {
peers := a.core.GetPeers()
res.Peers = make([]PeerEntry, 0, len(peers))
for _, p := range peers {
peer := PeerEntry{
Port: p.Port,
Up: p.Up,
Inbound: p.Inbound,
Priority: uint64(p.Priority), // can't be uint8 thanks to gobind
Cost: p.Cost,
URI: p.URI,
RXBytes: DataUnit(p.RXBytes),
TXBytes: DataUnit(p.TXBytes),
RXRate: DataUnit(p.RXRate),
TXRate: DataUnit(p.TXRate),
Uptime: p.Uptime.Seconds(),
}
if p.Latency > 0 {
peer.Latency = p.Latency
}
if addr := address.AddrForKey(p.Key); addr != nil {
peer.PublicKey = hex.EncodeToString(p.Key)
peer.IPAddress = net.IP(addr[:]).String()
}
if p.LastError != nil {
peer.LastError = p.LastError.Error()
peer.LastErrorTime = time.Since(p.LastErrorTime)
}
res.Peers = append(res.Peers, peer)
}
switch strings.ToLower(req.SortBy) {
case "uptime":
slices.SortStableFunc(res.Peers, sortByUptime)
case "cost":
slices.SortStableFunc(res.Peers, sortByCost)
default:
slices.SortStableFunc(res.Peers, sortByDefault)
}
return nil
}
func sortByDefault(a, b PeerEntry) int {
if !a.Inbound && b.Inbound {
return -1
}
if a.Inbound && !b.Inbound {
return 1
}
if d := strings.Compare(a.PublicKey, b.PublicKey); d != 0 {
return d
}
if d := a.Priority - b.Priority; d != 0 {
return int(d)
}
if d := a.Cost - b.Cost; d != 0 {
return int(d)
}
if d := a.Uptime - b.Uptime; d != 0 {
return int(d)
}
return 0
}
func sortByCost(a, b PeerEntry) int {
if d := a.Cost - b.Cost; d != 0 {
return int(d)
}
if d := strings.Compare(a.PublicKey, b.PublicKey); d != 0 {
return d
}
if d := a.Priority - b.Priority; d != 0 {
return int(d)
}
if d := a.Uptime - b.Uptime; d != 0 {
return int(d)
}
return 0
}
func sortByUptime(a, b PeerEntry) int {
if d := a.Uptime - b.Uptime; d != 0 {
return int(d)
}
if d := strings.Compare(a.PublicKey, b.PublicKey); d != 0 {
return d
}
if d := a.Priority - b.Priority; d != 0 {
return int(d)
}
if d := a.Cost - b.Cost; d != 0 {
return int(d)
}
return 0
}

30
src/admin/getself.go Normal file
View file

@ -0,0 +1,30 @@
package admin
import (
"encoding/hex"
"github.com/yggdrasil-network/yggdrasil-go/src/version"
)
type GetSelfRequest struct{}
type GetSelfResponse struct {
BuildName string `json:"build_name"`
BuildVersion string `json:"build_version"`
PublicKey string `json:"key"`
IPAddress string `json:"address"`
RoutingEntries uint64 `json:"routing_entries"`
Subnet string `json:"subnet"`
}
func (a *AdminSocket) getSelfHandler(_ *GetSelfRequest, res *GetSelfResponse) error {
self := a.core.GetSelf()
snet := a.core.Subnet()
res.BuildName = version.BuildName()
res.BuildVersion = version.BuildVersion()
res.PublicKey = hex.EncodeToString(self.Key[:])
res.IPAddress = a.core.Address().String()
res.Subnet = snet.String()
res.RoutingEntries = self.RoutingEntries
return nil
}

43
src/admin/getsessions.go Normal file
View file

@ -0,0 +1,43 @@
package admin
import (
"encoding/hex"
"net"
"slices"
"strings"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
)
type GetSessionsRequest struct{}
type GetSessionsResponse struct {
Sessions []SessionEntry `json:"sessions"`
}
type SessionEntry struct {
IPAddress string `json:"address"`
PublicKey string `json:"key"`
RXBytes DataUnit `json:"bytes_recvd"`
TXBytes DataUnit `json:"bytes_sent"`
Uptime float64 `json:"uptime"`
}
func (a *AdminSocket) getSessionsHandler(_ *GetSessionsRequest, res *GetSessionsResponse) error {
sessions := a.core.GetSessions()
res.Sessions = make([]SessionEntry, 0, len(sessions))
for _, s := range sessions {
addr := address.AddrForKey(s.Key)
res.Sessions = append(res.Sessions, SessionEntry{
IPAddress: net.IP(addr[:]).String(),
PublicKey: hex.EncodeToString(s.Key[:]),
RXBytes: DataUnit(s.RXBytes),
TXBytes: DataUnit(s.TXBytes),
Uptime: s.Uptime.Seconds(),
})
}
slices.SortStableFunc(res.Sessions, func(a, b SessionEntry) int {
return strings.Compare(a.PublicKey, b.PublicKey)
})
return nil
}

41
src/admin/gettree.go Normal file
View file

@ -0,0 +1,41 @@
package admin
import (
"encoding/hex"
"net"
"slices"
"strings"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
)
type GetTreeRequest struct{}
type GetTreeResponse struct {
Tree []TreeEntry `json:"tree"`
}
type TreeEntry struct {
IPAddress string `json:"address"`
PublicKey string `json:"key"`
Parent string `json:"parent"`
Sequence uint64 `json:"sequence"`
}
func (a *AdminSocket) getTreeHandler(_ *GetTreeRequest, res *GetTreeResponse) error {
tree := a.core.GetTree()
res.Tree = make([]TreeEntry, 0, len(tree))
for _, d := range tree {
addr := address.AddrForKey(d.Key)
res.Tree = append(res.Tree, TreeEntry{
IPAddress: net.IP(addr[:]).String(),
PublicKey: hex.EncodeToString(d.Key[:]),
Parent: hex.EncodeToString(d.Parent[:]),
Sequence: d.Sequence,
})
}
slices.SortStableFunc(res.Tree, func(a, b TreeEntry) int {
return strings.Compare(a.PublicKey, b.PublicKey)
})
return nil
}

79
src/admin/options.go Normal file
View file

@ -0,0 +1,79 @@
package admin
import (
"crypto/ed25519"
"encoding/hex"
"encoding/json"
"net"
"sync"
"time"
"github.com/Arceliar/ironwood/network"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
)
func (c *AdminSocket) _applyOption(opt SetupOption) {
switch v := opt.(type) {
case ListenAddress:
c.config.listenaddr = v
case LogLookups:
c.logLookups()
}
}
type SetupOption interface {
isSetupOption()
}
type ListenAddress string
func (a ListenAddress) isSetupOption() {}
type LogLookups struct{}
func (l LogLookups) isSetupOption() {}
func (a *AdminSocket) logLookups() {
type resi struct {
Address string `json:"addr"`
Key string `json:"key"`
Path []uint64 `json:"path"`
Time int64 `json:"time"`
}
type res struct {
Infos []resi `json:"infos"`
}
type info struct {
path []uint64
time time.Time
}
type edk [ed25519.PublicKeySize]byte
infos := make(map[edk]info)
var m sync.Mutex
a.core.PacketConn.PacketConn.Debug.SetDebugLookupLogger(func(l network.DebugLookupInfo) {
var k edk
copy(k[:], l.Key[:])
m.Lock()
infos[k] = info{path: l.Path, time: time.Now()}
m.Unlock()
})
_ = a.AddHandler(
"lookups", "Dump a record of lookups received in the past hour", []string{},
func(in json.RawMessage) (interface{}, error) {
m.Lock()
rs := make([]resi, 0, len(infos))
for k, v := range infos {
if time.Since(v.time) > 24*time.Hour {
// TODO? automatic cleanup, so we don't need to call lookups periodically to prevent leaks
delete(infos, k)
}
a := address.AddrForKey(ed25519.PublicKey(k[:]))
addr := net.IP(a[:]).String()
rs = append(rs, resi{Address: addr, Key: hex.EncodeToString(k[:]), Path: v.path, Time: v.time.Unix()})
}
m.Unlock()
return &res{Infos: rs}, nil
},
)
}

21
src/admin/removepeer.go Normal file
View file

@ -0,0 +1,21 @@
package admin
import (
"fmt"
"net/url"
)
type RemovePeerRequest struct {
Uri string `json:"uri"`
Sintf string `json:"interface,omitempty"`
}
type RemovePeerResponse struct{}
func (a *AdminSocket) removePeerHandler(req *RemovePeerRequest, _ *RemovePeerResponse) error {
u, err := url.Parse(req.Uri)
if err != nil {
return fmt.Errorf("unable to parse peering URI: %w", err)
}
return a.core.RemovePeer(u, req.Sintf)
}

64
src/admin/setpeertraffic.go Normal file
View file

@ -0,0 +1,64 @@
package admin
import (
"fmt"
"net/url"
"strconv"
"strings"
)
type SetPeerTrafficRequest struct {
URI string `json:"uri"`
Interface string `json:"interface"`
Enabled string `json:"enabled"`
}
type SetPeerTrafficResponse struct {
URI string `json:"uri"`
Interface string `json:"interface"`
Enabled bool `json:"enabled"`
Action string `json:"action"`
}
func (a *AdminSocket) setPeerTrafficHandler(req *SetPeerTrafficRequest, res *SetPeerTrafficResponse) error {
u, err := url.Parse(req.URI)
if err != nil {
return fmt.Errorf("unable to parse peering URI: %w", err)
}
enabled, err := parseEnabledFlag(req.Enabled)
if err != nil {
return err
}
if enabled {
if err := a.core.AddPeer(u, req.Interface); err != nil {
return err
}
res.Action = "enabled"
} else {
if err := a.core.RemovePeer(u, req.Interface); err != nil {
return err
}
res.Action = "disabled"
}
res.URI = req.URI
res.Interface = req.Interface
res.Enabled = enabled
return nil
}
func parseEnabledFlag(raw string) (bool, error) {
if raw == "" {
return false, fmt.Errorf("enabled must be set to true or false")
}
if b, err := strconv.ParseBool(raw); err == nil {
return b, nil
}
switch {
case strings.EqualFold(raw, "yes"), strings.EqualFold(raw, "on"), strings.EqualFold(raw, "enable"), strings.EqualFold(raw, "enabled"):
return true, nil
case strings.EqualFold(raw, "no"), strings.EqualFold(raw, "off"), strings.EqualFold(raw, "disable"), strings.EqualFold(raw, "disabled"):
return false, nil
default:
return false, fmt.Errorf("invalid enabled value %q (expected true/false)", raw)
}
}

260
src/config/config.go Normal file
View file

@ -0,0 +1,260 @@
/*
The config package contains structures related to the configuration of an
Kaya node.
The configuration contains, amongst other things, encryption keys which are used
to derive a node's identity, information about peerings and node information
that is shared with the network. There are also some module-specific options
related to TUN, multicast and the admin socket.
In order for a node to maintain the same identity across restarts, you should
persist the configuration onto the filesystem or into some configuration storage
so that the encryption keys (and therefore the node ID) do not change.
Note that Kaya will automatically populate sane defaults for any
configuration option that is not provided.
*/
package config
import (
"bytes"
"crypto/ed25519"
"crypto/rand"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/hex"
"encoding/json"
"encoding/pem"
"fmt"
"io"
"math/big"
"os"
"time"
"github.com/hjson/hjson-go/v4"
"golang.org/x/text/encoding/unicode"
)
// NodeConfig is the main configuration structure, containing configuration
// options that are necessary for an Kaya node to run. You will need to
// supply one of these structs to the Kaya core when starting a node.
type NodeConfig struct {
PrivateKey KeyBytes `json:",omitempty" comment:"Your private key. DO NOT share this with anyone!"`
PrivateKeyPath string `json:",omitempty" comment:"The path to your private key file in PEM format."`
Certificate *tls.Certificate `json:"-"`
Peers []string `comment:"List of outbound peer connection strings (e.g. tls://a.b.c.d:e or\nsocks://a.b.c.d:e/f.g.h.i:j). Connection strings can contain options,\nsee https://yggdrasil-network.github.io/configurationref.html#peers.\nKaya has no concept of bootstrap nodes - all network traffic\nwill transit peer connections. Therefore make sure to only peer with\nnearby nodes that have good connectivity and low latency. Avoid adding\npeers to this list from distant countries as this will worsen your\nnode's connectivity and performance considerably."`
InterfacePeers map[string][]string `comment:"List of connection strings for outbound peer connections in URI format,\narranged by source interface, e.g. { \"eth0\": [ \"tls://a.b.c.d:e\" ] }.\nYou should only use this option if your machine is multi-homed and you\nwant to establish outbound peer connections on different interfaces.\nOtherwise you should use \"Peers\"."`
Listen []string `comment:"Listen addresses for incoming connections. You will need to add\nlisteners in order to accept incoming peerings from non-local nodes.\nThis is not required if you wish to establish outbound peerings only.\nMulticast peer discovery will work regardless of any listeners set\nhere. Each listener should be specified in URI format as above, e.g.\ntls://0.0.0.0:0 or tls://[::]:0 to listen on all interfaces."`
AdminListen string `json:",omitempty" comment:"Listen address for admin connections. Default is to listen for local\nconnections either on TCP/9001 or a UNIX socket depending on your\nplatform. Use this value for kayactl -endpoint=X. To disable\nthe admin socket, use the value \"none\" instead."`
MulticastInterfaces []MulticastInterfaceConfig `comment:"Configuration for which interfaces multicast peer discovery should be\nenabled on. Regex is a regular expression which is matched against an\ninterface name, and interfaces use the first configuration that they\nmatch against. Beacon controls whether or not your node advertises its\npresence to others, whereas Listen controls whether or not your node\nlistens out for and tries to connect to other advertising nodes. See\nhttps://yggdrasil-network.github.io/configurationref.html#multicastinterfaces\nfor more supported options."`
AllowedPublicKeys []string `comment:"List of peer public keys to allow incoming peering connections\nfrom. If left empty/undefined then all connections will be allowed\nby default. This does not affect outgoing peerings, nor does it\naffect link-local peers discovered via multicast.\nWARNING: THIS IS NOT A FIREWALL and DOES NOT limit who can reach\nopen ports or services running on your machine!"`
IfName string `comment:"Local network interface name for TUN adapter, or \"auto\" to select\nan interface automatically, or \"none\" to run without TUN."`
IfMTU uint64 `comment:"Maximum Transmission Unit (MTU) size for your local TUN interface.\nDefault is the largest supported size for your platform. The lowest\npossible value is 1280."`
LogLookups bool `json:",omitempty"`
NodeInfoPrivacy bool `comment:"By default, nodeinfo contains some defaults including the platform,\narchitecture and Kaya version. These can help when surveying\nthe network and diagnosing network routing problems. Enabling\nnodeinfo privacy prevents this, so that only items specified in\n\"NodeInfo\" are sent back if specified."`
NodeInfo map[string]interface{} `comment:"Optional nodeinfo. This must be a { \"key\": \"value\", ... } map\nor set as null. This is entirely optional but, if set, is visible\nto the whole network on request."`
}
type MulticastInterfaceConfig struct {
Regex string
Beacon bool
Listen bool
Port uint16 `json:",omitempty"`
Priority uint64 `json:",omitempty"` // really uint8, but gobind won't export it
Password string
}
// Generates default configuration and returns a pointer to the resulting
// NodeConfig. This is used when outputting the -genconf parameter and also when
// using -autoconf.
func GenerateConfig() *NodeConfig {
// Get the defaults for the platform.
defaults := GetDefaults()
// Create a node configuration and populate it.
cfg := new(NodeConfig)
cfg.NewPrivateKey()
cfg.Listen = []string{}
cfg.AdminListen = defaults.DefaultAdminListen
cfg.Peers = []string{}
cfg.InterfacePeers = map[string][]string{}
cfg.AllowedPublicKeys = []string{}
cfg.MulticastInterfaces = defaults.DefaultMulticastInterfaces
cfg.IfName = defaults.DefaultIfName
cfg.IfMTU = defaults.DefaultIfMTU
cfg.NodeInfoPrivacy = false
if err := cfg.postprocessConfig(); err != nil {
panic(err)
}
return cfg
}
func (cfg *NodeConfig) ReadFrom(r io.Reader) (int64, error) {
conf, err := io.ReadAll(r)
if err != nil {
return 0, err
}
n := int64(len(conf))
// If there's a byte order mark - which Windows 10 is now incredibly fond of
// throwing everywhere when it's converting things into UTF-16 for the hell
// of it - remove it and decode back down into UTF-8. This is necessary
// because hjson doesn't know what to do with UTF-16 and will panic
if bytes.Equal(conf[0:2], []byte{0xFF, 0xFE}) ||
bytes.Equal(conf[0:2], []byte{0xFE, 0xFF}) {
utf := unicode.UTF16(unicode.BigEndian, unicode.UseBOM)
decoder := utf.NewDecoder()
conf, err = decoder.Bytes(conf)
if err != nil {
return n, err
}
}
// Generate a new configuration - this gives us a set of sane defaults -
// then parse the configuration we loaded above on top of it. The effect
// of this is that any configuration item that is missing from the provided
// configuration will use a sane default.
*cfg = *GenerateConfig()
if err := cfg.UnmarshalHJSON(conf); err != nil {
return n, err
}
return n, nil
}
func (cfg *NodeConfig) UnmarshalHJSON(b []byte) error {
if err := hjson.Unmarshal(b, cfg); err != nil {
return err
}
return cfg.postprocessConfig()
}
func (cfg *NodeConfig) postprocessConfig() error {
if cfg.PrivateKeyPath != "" {
cfg.PrivateKey = nil
f, err := os.ReadFile(cfg.PrivateKeyPath)
if err != nil {
return err
}
if err := cfg.UnmarshalPEMPrivateKey(f); err != nil {
return err
}
}
switch {
case cfg.Certificate == nil:
// No self-signed certificate has been generated yet.
fallthrough
case !bytes.Equal(cfg.Certificate.PrivateKey.(ed25519.PrivateKey), cfg.PrivateKey):
// A self-signed certificate was generated but the private
// key has changed since then, possibly because a new config
// was parsed.
if err := cfg.GenerateSelfSignedCertificate(); err != nil {
return err
}
}
return nil
}
// RFC5280 section 4.1.2.5
var notAfterNeverExpires = time.Date(9999, time.December, 31, 23, 59, 59, 0, time.UTC)
func (cfg *NodeConfig) GenerateSelfSignedCertificate() error {
key, err := cfg.MarshalPEMPrivateKey()
if err != nil {
return err
}
cert, err := cfg.MarshalPEMCertificate()
if err != nil {
return err
}
tlsCert, err := tls.X509KeyPair(cert, key)
if err != nil {
return err
}
cfg.Certificate = &tlsCert
return nil
}
func (cfg *NodeConfig) MarshalPEMCertificate() ([]byte, error) {
privateKey := ed25519.PrivateKey(cfg.PrivateKey)
publicKey := privateKey.Public().(ed25519.PublicKey)
cert := &x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
CommonName: hex.EncodeToString(publicKey),
},
NotBefore: time.Now(),
NotAfter: notAfterNeverExpires,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
certbytes, err := x509.CreateCertificate(rand.Reader, cert, cert, publicKey, privateKey)
if err != nil {
return nil, err
}
block := &pem.Block{
Type: "CERTIFICATE",
Bytes: certbytes,
}
return pem.EncodeToMemory(block), nil
}
func (cfg *NodeConfig) NewPrivateKey() {
_, spriv, err := ed25519.GenerateKey(nil)
if err != nil {
panic(err)
}
cfg.PrivateKey = KeyBytes(spriv)
}
func (cfg *NodeConfig) MarshalPEMPrivateKey() ([]byte, error) {
b, err := x509.MarshalPKCS8PrivateKey(ed25519.PrivateKey(cfg.PrivateKey))
if err != nil {
return nil, fmt.Errorf("failed to marshal PKCS8 key: %w", err)
}
block := &pem.Block{
Type: "PRIVATE KEY",
Bytes: b,
}
return pem.EncodeToMemory(block), nil
}
func (cfg *NodeConfig) UnmarshalPEMPrivateKey(b []byte) error {
p, _ := pem.Decode(b)
if p == nil {
return fmt.Errorf("failed to parse PEM file")
}
if p.Type != "PRIVATE KEY" {
return fmt.Errorf("unexpected PEM type %q", p.Type)
}
k, err := x509.ParsePKCS8PrivateKey(p.Bytes)
if err != nil {
return fmt.Errorf("failed to unmarshal PKCS8 key: %w", err)
}
key, ok := k.(ed25519.PrivateKey)
if !ok {
return fmt.Errorf("private key must be ed25519 key")
}
if len(key) != ed25519.PrivateKeySize {
return fmt.Errorf("unexpected ed25519 private key length")
}
cfg.PrivateKey = KeyBytes(key)
return nil
}
type KeyBytes []byte
func (k KeyBytes) MarshalJSON() ([]byte, error) {
return json.Marshal(hex.EncodeToString(k))
}
func (k *KeyBytes) UnmarshalJSON(b []byte) error {
var s string
var err error
if err = json.Unmarshal(b, &s); err != nil {
return err
}
*k, err = hex.DecodeString(s)
return err
}

54
src/config/config_test.go Normal file
View file

@ -0,0 +1,54 @@
package config
import (
"testing"
)
func TestConfig_Keys(t *testing.T) {
/*
var nodeConfig NodeConfig
nodeConfig.NewKeys()
publicKey1, err := hex.DecodeString(nodeConfig.PublicKey)
if err != nil {
t.Fatal("can not decode generated public key")
}
if len(publicKey1) == 0 {
t.Fatal("empty public key generated")
}
privateKey1, err := hex.DecodeString(nodeConfig.PrivateKey)
if err != nil {
t.Fatal("can not decode generated private key")
}
if len(privateKey1) == 0 {
t.Fatal("empty private key generated")
}
nodeConfig.NewKeys()
publicKey2, err := hex.DecodeString(nodeConfig.PublicKey)
if err != nil {
t.Fatal("can not decode generated public key")
}
if bytes.Equal(publicKey2, publicKey1) {
t.Fatal("same public key generated")
}
privateKey2, err := hex.DecodeString(nodeConfig.PrivateKey)
if err != nil {
t.Fatal("can not decode generated private key")
}
if bytes.Equal(privateKey2, privateKey1) {
t.Fatal("same private key generated")
}
*/
}

34
src/config/defaults.go Normal file
View file

@ -0,0 +1,34 @@
package config
var defaultConfig = "" // LDFLAGS='-X github.com/yggdrasil-network/yggdrasil-go/src/config.defaultConfig=/path/to/config
var defaultAdminListen = "" // LDFLAGS='-X github.com/yggdrasil-network/yggdrasil-go/src/config.defaultAdminListen=unix://path/to/sock'
// Defines which parameters are expected by default for configuration on a
// specific platform. These values are populated in the relevant defaults_*.go
// for the platform being targeted. They must be set.
type platformDefaultParameters struct {
// Admin socket
DefaultAdminListen string
// Configuration (used for kayactl)
DefaultConfigFile string
// Multicast interfaces
DefaultMulticastInterfaces []MulticastInterfaceConfig
// TUN
MaximumIfMTU uint64
DefaultIfMTU uint64
DefaultIfName string
}
func GetDefaults() platformDefaultParameters {
defaults := getDefaults()
if defaultConfig != "" {
defaults.DefaultConfigFile = defaultConfig
}
if defaultAdminListen != "" {
defaults.DefaultAdminListen = defaultAdminListen
}
return defaults
}

27
src/config/defaults_darwin.go Normal file
View file

@ -0,0 +1,27 @@
//go:build darwin
package config
// Sane defaults for the macOS/Darwin platform. The "default" options may be
// may be replaced by the running configuration.
func getDefaults() platformDefaultParameters {
return platformDefaultParameters{
// Admin
DefaultAdminListen: "unix:///var/run/kaya.sock",
// Configuration (used for kayactl)
DefaultConfigFile: "/etc/kaya.conf",
// Multicast interfaces
DefaultMulticastInterfaces: []MulticastInterfaceConfig{
{Regex: "en.*", Beacon: true, Listen: true},
{Regex: "bridge.*", Beacon: true, Listen: true},
{Regex: "awdl0", Beacon: false, Listen: false},
},
// TUN
MaximumIfMTU: 65535,
DefaultIfMTU: 65535,
DefaultIfName: "auto",
}
}

25
src/config/defaults_freebsd.go Normal file
View file

@ -0,0 +1,25 @@
//go:build freebsd
package config
// Sane defaults for the BSD platforms. The "default" options may be
// may be replaced by the running configuration.
func getDefaults() platformDefaultParameters {
return platformDefaultParameters{
// Admin
DefaultAdminListen: "unix:///var/run/kaya.sock",
// Configuration (used for kayactl)
DefaultConfigFile: "/usr/local/etc/kaya.conf",
// Multicast interfaces
DefaultMulticastInterfaces: []MulticastInterfaceConfig{
{Regex: ".*", Beacon: true, Listen: true},
},
// TUN
MaximumIfMTU: 32767,
DefaultIfMTU: 32767,
DefaultIfName: "/dev/tun0",
}
}

25
src/config/defaults_linux.go Normal file
View file

@ -0,0 +1,25 @@
//go:build linux
package config
// Sane defaults for the Linux platform. The "default" options may be
// may be replaced by the running configuration.
func getDefaults() platformDefaultParameters {
return platformDefaultParameters{
// Admin
DefaultAdminListen: "unix:///var/run/kaya.sock",
// Configuration (used for kayactl)
DefaultConfigFile: "/etc/kaya.conf",
// Multicast interfaces
DefaultMulticastInterfaces: []MulticastInterfaceConfig{
{Regex: ".*", Beacon: true, Listen: true},
},
// TUN
MaximumIfMTU: 65535,
DefaultIfMTU: 65535,
DefaultIfName: "auto",
}
}

25
src/config/defaults_openbsd.go Normal file
View file

@ -0,0 +1,25 @@
//go:build openbsd
package config
// Sane defaults for the BSD platforms. The "default" options may be
// may be replaced by the running configuration.
func getDefaults() platformDefaultParameters {
return platformDefaultParameters{
// Admin
DefaultAdminListen: "unix:///var/run/kaya.sock",
// Configuration (used for kayactl)
DefaultConfigFile: "/etc/kaya.conf",
// Multicast interfaces
DefaultMulticastInterfaces: []MulticastInterfaceConfig{
{Regex: ".*", Beacon: true, Listen: true},
},
// TUN
MaximumIfMTU: 16384,
DefaultIfMTU: 16384,
DefaultIfName: "tun0",
}
}

25
src/config/defaults_other.go Normal file
View file

@ -0,0 +1,25 @@
//go:build !linux && !darwin && !windows && !openbsd && !freebsd
package config
// Sane defaults for the other platforms. The "default" options may be
// may be replaced by the running configuration.
func getDefaults() platformDefaultParameters {
return platformDefaultParameters{
// Admin
DefaultAdminListen: "tcp://localhost:9001",
// Configuration (used for kayactl)
DefaultConfigFile: "/etc/kaya.conf",
// Multicast interfaces
DefaultMulticastInterfaces: []MulticastInterfaceConfig{
{Regex: ".*", Beacon: true, Listen: true},
},
// TUN
MaximumIfMTU: 65535,
DefaultIfMTU: 65535,
DefaultIfName: "none",
}
}

25
src/config/defaults_windows.go Normal file
View file

@ -0,0 +1,25 @@
//go:build windows
package config
// Sane defaults for the Windows platform. The "default" options may be
// may be replaced by the running configuration.
func getDefaults() platformDefaultParameters {
return platformDefaultParameters{
// Admin
DefaultAdminListen: "tcp://localhost:9001",
// Configuration (used for kayactl)
DefaultConfigFile: "C:\\Program Files\\Kaya\\kaya.conf",
// Multicast interfaces
DefaultMulticastInterfaces: []MulticastInterfaceConfig{
{Regex: ".*", Beacon: true, Listen: true},
},
// TUN
MaximumIfMTU: 65535,
DefaultIfMTU: 65535,
DefaultIfName: "Kaya",
}
}

270
src/core/api.go Normal file
View file

@ -0,0 +1,270 @@
package core
import (
"crypto/ed25519"
"encoding/json"
"net"
"net/url"
"sync/atomic"
"time"
"github.com/Arceliar/phony"
"github.com/Arceliar/ironwood/network"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
)
type SelfInfo struct {
Key ed25519.PublicKey
RoutingEntries uint64
}
type PeerInfo struct {
URI string
Up bool
Inbound bool
LastError error
LastErrorTime time.Time
Key ed25519.PublicKey
Root ed25519.PublicKey
Coords []uint64
Port uint64
Priority uint8
Cost uint64
RXBytes uint64
TXBytes uint64
RXRate uint64
TXRate uint64
Uptime time.Duration
Latency time.Duration
}
type TreeEntryInfo struct {
Key ed25519.PublicKey
Parent ed25519.PublicKey
Sequence uint64
//Port uint64
//Rest uint64
}
type PathEntryInfo struct {
Key ed25519.PublicKey
Path []uint64
Sequence uint64
}
type SessionInfo struct {
Key ed25519.PublicKey
RXBytes uint64
TXBytes uint64
Uptime time.Duration
}
func (c *Core) GetSelf() SelfInfo {
var self SelfInfo
s := c.PacketConn.PacketConn.Debug.GetSelf()
self.Key = s.Key
self.RoutingEntries = s.RoutingEntries
return self
}
func (c *Core) GetPeers() []PeerInfo {
iwpeers := c.PacketConn.PacketConn.Debug.GetPeers()
conns := make(map[net.Conn]network.DebugPeerInfo, len(iwpeers))
for _, p := range iwpeers {
conns[p.Conn] = p
}
var peers []PeerInfo
now := time.Now()
phony.Block(&c.links, func() {
peers = make([]PeerInfo, 0, len(c.links._links))
for info, state := range c.links._links {
peerinfo := PeerInfo{
URI: info.uri,
LastError: state._err,
LastErrorTime: state._errtime,
}
var conn net.Conn
if linkConn := state._conn; linkConn != nil {
conn = linkConn
peerinfo.Up = true
peerinfo.Inbound = state.linkType == linkTypeIncoming
peerinfo.RXBytes = atomic.LoadUint64(&linkConn.rx)
peerinfo.TXBytes = atomic.LoadUint64(&linkConn.tx)
peerinfo.RXRate = atomic.LoadUint64(&linkConn.rxrate)
peerinfo.TXRate = atomic.LoadUint64(&linkConn.txrate)
peerinfo.Uptime = now.Sub(linkConn.up)
}
if p, ok := conns[conn]; ok {
peerinfo.Key = p.Key
peerinfo.Root = p.Root
peerinfo.Port = p.Port
peerinfo.Priority = p.Priority
peerinfo.Latency = p.Latency
peerinfo.Cost = p.Cost
}
peers = append(peers, peerinfo)
}
})
return peers
}
func (c *Core) GetTree() []TreeEntryInfo {
var trees []TreeEntryInfo
ts := c.PacketConn.PacketConn.Debug.GetTree()
for _, t := range ts {
var info TreeEntryInfo
info.Key = t.Key
info.Parent = t.Parent
info.Sequence = t.Sequence
//info.Port = d.Port
//info.Rest = d.Rest
trees = append(trees, info)
}
return trees
}
func (c *Core) GetPaths() []PathEntryInfo {
var paths []PathEntryInfo
ps := c.PacketConn.PacketConn.Debug.GetPaths()
for _, p := range ps {
var info PathEntryInfo
info.Key = p.Key
info.Sequence = p.Sequence
info.Path = p.Path
paths = append(paths, info)
}
return paths
}
func (c *Core) GetSessions() []SessionInfo {
var sessions []SessionInfo
ss := c.Debug.GetSessions()
for _, s := range ss {
var info SessionInfo
info.Key = s.Key
info.RXBytes = s.RX
info.TXBytes = s.TX
info.Uptime = s.Uptime
sessions = append(sessions, info)
}
return sessions
}
// Listen starts a new listener (either TCP or TLS). The input should be a url.URL
// parsed from a string of the form e.g. "tcp://a.b.c.d:e". In the case of a
// link-local address, the interface should be provided as the second argument.
func (c *Core) Listen(u *url.URL, sintf string) (*Listener, error) {
return c.links.listen(u, sintf, false)
}
// ListenLocal starts a listener, like the Listen function, but is used for
// more trustworthy situations where you want to ignore AllowedPublicKeys, i.e.
// with multicast listeners.
func (c *Core) ListenLocal(u *url.URL, sintf string) (*Listener, error) {
return c.links.listen(u, sintf, true)
}
// Address gets the IPv6 address of the Kaya node. This is always a /128
// address. The IPv6 address is only relevant when the node is operating as an
// IP router and often is meaningless when embedded into an application, unless
// that application also implements either VPN functionality or deals with IP
// packets specifically.
func (c *Core) Address() net.IP {
addr := net.IP(address.AddrForKey(c.public)[:])
return addr
}
// Subnet gets the routed IPv6 subnet of the Kaya node. This is always a
// /64 subnet. The IPv6 subnet is only relevant when the node is operating as an
// IP router and often is meaningless when embedded into an application, unless
// that application also implements either VPN functionality or deals with IP
// packets specifically.
func (c *Core) Subnet() net.IPNet {
subnet := address.SubnetForKey(c.public)[:]
subnet = append(subnet, 0, 0, 0, 0, 0, 0, 0, 0)
return net.IPNet{IP: subnet, Mask: net.CIDRMask(64, 128)}
}
// SetLogger sets the output logger of the Kaya node after startup. This
// may be useful if you want to redirect the output later. Note that this
// expects a Logger from the github.com/gologme/log package and not from Go's
// built-in log package.
func (c *Core) SetLogger(log Logger) {
c.log = log
}
// AddPeer adds a peer. This should be specified in the peer URI format, e.g.:
//
// tcp://a.b.c.d:e
// socks://a.b.c.d:e/f.g.h.i:j
//
// This adds the peer to the peer list, so that they will be called again if the
// connection drops.
func (c *Core) AddPeer(u *url.URL, sintf string) error {
return c.links.add(u, sintf, linkTypePersistent)
}
// RemovePeer removes a peer. The peer should be specified in URI format, see AddPeer.
// The peer is not disconnected immediately.
func (c *Core) RemovePeer(u *url.URL, sintf string) error {
return c.links.remove(u, sintf, linkTypePersistent)
}
// CallPeer calls a peer once. This should be specified in the peer URI format,
// e.g.:
//
// tcp://a.b.c.d:e
// socks://a.b.c.d:e/f.g.h.i:j
//
// This does not add the peer to the peer list, so if the connection drops, the
// peer will not be called again automatically.
func (c *Core) CallPeer(u *url.URL, sintf string) error {
return c.links.add(u, sintf, linkTypeEphemeral)
}
func (c *Core) PublicKey() ed25519.PublicKey {
return c.public
}
// Hack to get the admin stuff working, TODO something cleaner
type AddHandler interface {
AddHandler(name, desc string, args []string, handlerfunc AddHandlerFunc) error
}
type AddHandlerFunc func(json.RawMessage) (interface{}, error)
// SetAdmin must be called after Init and before Start.
// It sets the admin handler for NodeInfo and the Debug admin functions.
func (c *Core) SetAdmin(a AddHandler) error {
if err := a.AddHandler(
"getNodeInfo", "Request nodeinfo from a remote node by its public key", []string{"key"},
c.proto.nodeinfo.nodeInfoAdminHandler,
); err != nil {
return err
}
if err := a.AddHandler(
"debug_remoteGetSelf", "Debug use only", []string{"key"},
c.proto.getSelfHandler,
); err != nil {
return err
}
if err := a.AddHandler(
"debug_remoteGetPeers", "Debug use only", []string{"key"},
c.proto.getPeersHandler,
); err != nil {
return err
}
if err := a.AddHandler(
"debug_remoteGetTree", "Debug use only", []string{"key"},
c.proto.getTreeHandler,
); err != nil {
return err
}
return nil
}

246
src/core/core.go Normal file
View file

@ -0,0 +1,246 @@
package core
import (
"context"
"crypto/ed25519"
"crypto/tls"
"fmt"
"io"
"net"
"net/url"
iwe "github.com/Arceliar/ironwood/encrypted"
iwn "github.com/Arceliar/ironwood/network"
iwt "github.com/Arceliar/ironwood/types"
"github.com/Arceliar/phony"
"github.com/gologme/log"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
"github.com/yggdrasil-network/yggdrasil-go/src/version"
)
// The Core object represents the Kaya node. You should create a Core
// object for each Kaya node you plan to run.
type Core struct {
// This is the main data structure that holds everything else for a node
// We're going to keep our own copy of the provided config - that way we can
// guarantee that it will be covered by the mutex
phony.Inbox
*iwe.PacketConn
ctx context.Context
cancel context.CancelFunc
secret ed25519.PrivateKey
public ed25519.PublicKey
links links
proto protoHandler
log Logger
config struct {
tls *tls.Config // immutable after startup
//_peers map[Peer]*linkInfo // configurable after startup
_listeners map[ListenAddress]struct{} // configurable after startup
peerFilter func(ip net.IP) bool // immutable after startup
nodeinfo NodeInfo // immutable after startup
nodeinfoPrivacy NodeInfoPrivacy // immutable after startup
_allowedPublicKeys map[[32]byte]struct{} // configurable after startup
}
pathNotify func(ed25519.PublicKey)
}
func New(cert *tls.Certificate, logger Logger, opts ...SetupOption) (*Core, error) {
c := &Core{
log: logger,
}
c.ctx, c.cancel = context.WithCancel(context.Background())
if c.log == nil {
c.log = log.New(io.Discard, "", 0)
}
if name := version.BuildName(); name != "unknown" {
c.log.Infoln("Build name:", name)
}
if version := version.BuildVersion(); version != "unknown" {
c.log.Infoln("Build version:", version)
}
var err error
c.config._listeners = map[ListenAddress]struct{}{}
c.config._allowedPublicKeys = map[[32]byte]struct{}{}
for _, opt := range opts {
switch opt.(type) {
case Peer, ListenAddress:
// We can't do peers yet as the links aren't set up.
continue
default:
if err = c._applyOption(opt); err != nil {
return nil, fmt.Errorf("failed to apply configuration option %T: %w", opt, err)
}
}
}
if cert == nil || cert.PrivateKey == nil {
return nil, fmt.Errorf("no private key supplied")
}
var ok bool
if c.secret, ok = cert.PrivateKey.(ed25519.PrivateKey); !ok {
return nil, fmt.Errorf("private key must be ed25519")
}
if len(c.secret) != ed25519.PrivateKeySize {
return nil, fmt.Errorf("private key is incorrect length")
}
c.public = c.secret.Public().(ed25519.PublicKey)
if c.config.tls, err = c.generateTLSConfig(cert); err != nil {
return nil, fmt.Errorf("error generating TLS config: %w", err)
}
keyXform := func(key ed25519.PublicKey) ed25519.PublicKey {
return address.SubnetForKey(key).GetKey()
}
if c.PacketConn, err = iwe.NewPacketConn(
c.secret,
iwn.WithBloomTransform(keyXform),
iwn.WithPeerMaxMessageSize(65535*2),
iwn.WithPathNotify(c.doPathNotify),
); err != nil {
return nil, fmt.Errorf("error creating encryption: %w", err)
}
c.proto.init(c)
if err := c.links.init(c); err != nil {
return nil, fmt.Errorf("error initialising links: %w", err)
}
for _, opt := range opts {
switch opt.(type) {
case Peer, ListenAddress:
// Now do the peers and listeners.
if err = c._applyOption(opt); err != nil {
return nil, fmt.Errorf("failed to apply configuration option %T: %w", opt, err)
}
default:
continue
}
}
if err := c.proto.nodeinfo.setNodeInfo(c.config.nodeinfo, bool(c.config.nodeinfoPrivacy)); err != nil {
return nil, fmt.Errorf("error setting node info: %w", err)
}
for listenaddr := range c.config._listeners {
u, err := url.Parse(string(listenaddr))
if err != nil {
c.log.Errorf("Invalid listener URI %q specified, ignoring\n", listenaddr)
continue
}
if _, err = c.links.listen(u, "", false); err != nil {
c.log.Errorf("Failed to start listener %q: %s\n", listenaddr, err)
}
}
return c, nil
}
func (c *Core) RetryPeersNow() {
phony.Block(&c.links, func() {
for _, l := range c.links._links {
select {
case l.kick <- struct{}{}:
default:
}
}
})
}
// Stop shuts down the Kaya node.
func (c *Core) Stop() {
phony.Block(c, func() {
c.log.Infoln("Stopping...")
_ = c._close()
c.log.Infoln("Stopped")
})
}
// This function is unsafe and should only be ran by the core actor.
func (c *Core) _close() error {
c.cancel()
c.links.shutdown()
err := c.Close()
return err
}
func (c *Core) MTU() uint64 {
const sessionTypeOverhead = 1
MTU := c.PacketConn.MTU() - sessionTypeOverhead
if MTU > 65535 {
MTU = 65535
}
return MTU
}
func (c *Core) ReadFrom(p []byte) (n int, from net.Addr, err error) {
buf := allocBytes(int(c.PacketConn.MTU()))
defer freeBytes(buf)
for {
bs := buf
n, from, err = c.PacketConn.ReadFrom(bs)
if err != nil {
return 0, from, err
}
if n == 0 {
continue
}
switch bs[0] {
case typeSessionTraffic:
// This is what we want to handle here
case typeSessionProto:
var key keyArray
copy(key[:], from.(iwt.Addr))
data := append([]byte(nil), bs[1:n]...)
c.proto.handleProto(nil, key, data)
continue
default:
continue
}
bs = bs[1:n]
copy(p, bs)
if len(p) < len(bs) {
n = len(p)
} else {
n = len(bs)
}
return
}
}
func (c *Core) WriteTo(p []byte, addr net.Addr) (n int, err error) {
buf := allocBytes(0)
defer func() { freeBytes(buf) }()
buf = append(buf, typeSessionTraffic)
buf = append(buf, p...)
n, err = c.PacketConn.WriteTo(buf, addr)
if n > 0 {
n -= 1
}
return
}
func (c *Core) doPathNotify(key ed25519.PublicKey) {
c.Act(nil, func() {
if c.pathNotify != nil {
c.pathNotify(key)
}
})
}
func (c *Core) SetPathNotify(notify func(ed25519.PublicKey)) {
c.Act(nil, func() {
c.pathNotify = notify
})
}
type Logger interface {
Printf(string, ...interface{})
Println(...interface{})
Infof(string, ...interface{})
Infoln(...interface{})
Warnf(string, ...interface{})
Warnln(...interface{})
Errorf(string, ...interface{})
Errorln(...interface{})
Debugf(string, ...interface{})
Debugln(...interface{})
Traceln(...interface{})
}

290
src/core/core_test.go Normal file
View file

@ -0,0 +1,290 @@
package core
import (
"bytes"
"crypto/rand"
"net/url"
"os"
"testing"
"time"
"github.com/gologme/log"
"github.com/yggdrasil-network/yggdrasil-go/src/config"
)
// GetLoggerWithPrefix creates a new logger instance with prefix.
// If verbose is set to true, three log levels are enabled: "info", "warn", "error".
func GetLoggerWithPrefix(prefix string, verbose bool) *log.Logger {
l := log.New(os.Stderr, prefix, log.Flags())
if !verbose {
return l
}
l.EnableLevel("info")
l.EnableLevel("warn")
l.EnableLevel("error")
return l
}
func require_NoError(t *testing.T, err error) {
t.Helper()
if err != nil {
t.Fatal(err)
}
}
func require_Equal[T comparable](t *testing.T, a, b T) {
t.Helper()
if a != b {
t.Fatalf("%v != %v", a, b)
}
}
func require_True(t *testing.T, a bool) {
t.Helper()
if !a {
t.Fatal("expected true")
}
}
// CreateAndConnectTwo creates two nodes. nodeB connects to nodeA.
// Verbosity flag is passed to logger.
func CreateAndConnectTwo(t testing.TB, verbose bool) (nodeA *Core, nodeB *Core) {
var err error
cfgA, cfgB := config.GenerateConfig(), config.GenerateConfig()
if err = cfgA.GenerateSelfSignedCertificate(); err != nil {
t.Fatal(err)
}
if err = cfgB.GenerateSelfSignedCertificate(); err != nil {
t.Fatal(err)
}
logger := GetLoggerWithPrefix("", false)
logger.EnableLevel("debug")
if nodeA, err = New(cfgA.Certificate, logger); err != nil {
t.Fatal(err)
}
if nodeB, err = New(cfgB.Certificate, logger); err != nil {
t.Fatal(err)
}
nodeAListenURL, err := url.Parse("tcp://localhost:0")
if err != nil {
t.Fatal(err)
}
nodeAListener, err := nodeA.Listen(nodeAListenURL, "")
if err != nil {
t.Fatal(err)
}
nodeAURL, err := url.Parse("tcp://" + nodeAListener.Addr().String())
if err != nil {
t.Fatal(err)
}
if err = nodeB.CallPeer(nodeAURL, ""); err != nil {
t.Fatal(err)
}
time.Sleep(100 * time.Millisecond)
if l := len(nodeA.GetPeers()); l != 1 {
t.Fatal("unexpected number of peers", l)
}
if l := len(nodeB.GetPeers()); l != 1 {
t.Fatal("unexpected number of peers", l)
}
return nodeA, nodeB
}
// WaitConnected blocks until either nodes negotiated DHT or 5 seconds passed.
func WaitConnected(nodeA, nodeB *Core) bool {
// It may take up to 3 seconds, but let's wait 5.
for i := 0; i < 50; i++ {
time.Sleep(100 * time.Millisecond)
/*
if len(nodeA.GetPeers()) > 0 && len(nodeB.GetPeers()) > 0 {
return true
}
*/
if len(nodeA.GetTree()) > 1 && len(nodeB.GetTree()) > 1 {
time.Sleep(3 * time.Second) // FIXME hack, there's still stuff happening internally
return true
}
}
return false
}
// CreateEchoListener creates a routine listening on nodeA. It expects repeats messages of length bufLen.
// It returns a channel used to synchronize the routine with caller.
func CreateEchoListener(t testing.TB, nodeA *Core, bufLen int, repeats int) chan struct{} {
// Start routine
done := make(chan struct{})
go func() {
buf := make([]byte, bufLen)
res := make([]byte, bufLen)
for i := 0; i < repeats; i++ {
n, from, err := nodeA.ReadFrom(buf)
if err != nil {
t.Error(err)
return
}
if n != bufLen {
t.Error("missing data")
return
}
copy(res, buf)
copy(res[8:24], buf[24:40])
copy(res[24:40], buf[8:24])
_, err = nodeA.WriteTo(res, from)
if err != nil {
t.Error(err)
}
}
done <- struct{}{}
}()
return done
}
// TestCore_Start_Connect checks if two nodes can connect together.
func TestCore_Start_Connect(t *testing.T) {
CreateAndConnectTwo(t, true)
}
// TestCore_Start_Transfer checks that messages can be passed between nodes (in both directions).
func TestCore_Start_Transfer(t *testing.T) {
nodeA, nodeB := CreateAndConnectTwo(t, true)
defer nodeA.Stop()
defer nodeB.Stop()
msgLen := 1500
done := CreateEchoListener(t, nodeA, msgLen, 1)
if !WaitConnected(nodeA, nodeB) {
t.Fatal("nodes did not connect")
}
// Send
msg := make([]byte, msgLen)
_, _ = rand.Read(msg[40:])
msg[0] = 0x60
copy(msg[8:24], nodeB.Address())
copy(msg[24:40], nodeA.Address())
_, err := nodeB.WriteTo(msg, nodeA.LocalAddr())
if err != nil {
t.Fatal(err)
}
buf := make([]byte, msgLen)
_, _, err = nodeB.ReadFrom(buf)
if err != nil {
t.Fatal(err)
}
if !bytes.Equal(msg[40:], buf[40:]) {
t.Fatal("expected echo")
}
<-done
}
// BenchmarkCore_Start_Transfer estimates the possible transfer between nodes (in MB/s).
func BenchmarkCore_Start_Transfer(b *testing.B) {
nodeA, nodeB := CreateAndConnectTwo(b, false)
msgLen := 1500 // typical MTU
done := CreateEchoListener(b, nodeA, msgLen, b.N)
if !WaitConnected(nodeA, nodeB) {
b.Fatal("nodes did not connect")
}
// Send
msg := make([]byte, msgLen)
_, _ = rand.Read(msg[40:])
msg[0] = 0x60
copy(msg[8:24], nodeB.Address())
copy(msg[24:40], nodeA.Address())
buf := make([]byte, msgLen)
b.SetBytes(int64(msgLen))
b.ResetTimer()
addr := nodeA.LocalAddr()
for i := 0; i < b.N; i++ {
_, err := nodeB.WriteTo(msg, addr)
if err != nil {
b.Fatal(err)
}
_, _, err = nodeB.ReadFrom(buf)
if err != nil {
b.Fatal(err)
}
}
<-done
}
func TestAllowedPublicKeys(t *testing.T) {
logger := GetLoggerWithPrefix("", false)
cfgA, cfgB := config.GenerateConfig(), config.GenerateConfig()
require_NoError(t, cfgA.GenerateSelfSignedCertificate())
require_NoError(t, cfgB.GenerateSelfSignedCertificate())
nodeA, err := New(cfgA.Certificate, logger, AllowedPublicKey("abcdef"))
require_NoError(t, err)
defer nodeA.Stop()
nodeB, err := New(cfgB.Certificate, logger)
require_NoError(t, err)
defer nodeB.Stop()
u, err := url.Parse("tcp://localhost:0")
require_NoError(t, err)
l, err := nodeA.Listen(u, "")
require_NoError(t, err)
u, err = url.Parse("tcp://" + l.Addr().String())
require_NoError(t, err)
require_NoError(t, nodeB.AddPeer(u, ""))
time.Sleep(time.Second)
peers := nodeB.GetPeers()
require_Equal(t, len(peers), 1)
require_True(t, !peers[0].Up)
require_True(t, peers[0].LastError != nil)
}
func TestAllowedPublicKeysLocal(t *testing.T) {
logger := GetLoggerWithPrefix("", false)
cfgA, cfgB := config.GenerateConfig(), config.GenerateConfig()
require_NoError(t, cfgA.GenerateSelfSignedCertificate())
require_NoError(t, cfgB.GenerateSelfSignedCertificate())
nodeA, err := New(cfgA.Certificate, logger, AllowedPublicKey("abcdef"))
require_NoError(t, err)
defer nodeA.Stop()
nodeB, err := New(cfgB.Certificate, logger)
require_NoError(t, err)
defer nodeB.Stop()
u, err := url.Parse("tcp://localhost:0")
require_NoError(t, err)
l, err := nodeA.ListenLocal(u, "")
require_NoError(t, err)
u, err = url.Parse("tcp://" + l.Addr().String())
require_NoError(t, err)
require_NoError(t, nodeB.AddPeer(u, ""))
time.Sleep(time.Second)
peers := nodeB.GetPeers()
require_Equal(t, len(peers), 1)
require_True(t, peers[0].Up)
require_True(t, peers[0].LastError == nil)
}

19
src/core/debug.go Normal file
View file

@ -0,0 +1,19 @@
package core
import (
"fmt"
"net/http"
_ "net/http/pprof"
"os"
)
// Start the profiler if the required environment variable is set.
func init() {
envVarName := "PPROFLISTEN"
if hostPort := os.Getenv(envVarName); hostPort != "" {
fmt.Fprintf(os.Stderr, "DEBUG: Starting pprof on %s\n", hostPort)
go func() {
fmt.Fprintf(os.Stderr, "DEBUG: %s", http.ListenAndServe(hostPort, nil))
}()
}
}

807
src/core/link.go Normal file
View file

@ -0,0 +1,807 @@
package core
import (
"context"
"encoding/hex"
"errors"
"fmt"
"io"
"net"
"net/url"
"strconv"
"strings"
"sync/atomic"
"time"
"github.com/Arceliar/phony"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
"golang.org/x/crypto/blake2b"
)
type linkType int
const (
linkTypePersistent linkType = iota // Statically configured
linkTypeEphemeral // Multicast discovered
linkTypeIncoming // Incoming connection
)
const defaultBackoffLimit = time.Second << 12 // 1h8m16s
const minimumBackoffLimit = time.Second * 5
type links struct {
phony.Inbox
core *Core
tcp *linkTCP // TCP interface support
tls *linkTLS // TLS interface support
unix *linkUNIX // UNIX interface support
socks *linkSOCKS // SOCKS interface support
quic *linkQUIC // QUIC interface support
ws *linkWS // WS interface support
wss *linkWSS // WSS interface support
// _links can only be modified safely from within the links actor
_links map[linkInfo]*link // *link is nil if connection in progress
_listeners map[*Listener]context.CancelFunc
}
type linkProtocol interface {
dial(ctx context.Context, url *url.URL, info linkInfo, options linkOptions) (net.Conn, error)
listen(ctx context.Context, url *url.URL, sintf string) (net.Listener, error)
}
// linkInfo is used as a map key
type linkInfo struct {
uri string // Peering URI in complete form
sintf string // Peering source interface (i.e. from InterfacePeers)
}
// link tracks the state of a connection, either persistent or non-persistent
type link struct {
ctx context.Context // Connection context
cancel context.CancelFunc // Stop future redial attempts (when peer removed)
kick chan struct{} // Attempt to reconnect now, if backing off
linkType linkType // Type of link, i.e. outbound/inbound, persistent/ephemeral
linkProto string // Protocol carrier of link, e.g. TCP, AWDL
// The remaining fields can only be modified safely from within the links actor
_conn *linkConn // Connected link, if any, nil if not connected
_err error // Last error on the connection, if any
_errtime time.Time // Last time an error occurred
}
type linkOptions struct {
pinnedEd25519Keys map[keyArray]struct{}
priority uint8
tlsSNI string
password []byte
maxBackoff time.Duration
}
type Listener struct {
listener net.Listener
ctx context.Context
Cancel context.CancelFunc
}
func (l *Listener) Addr() net.Addr {
return l.listener.Addr()
}
func (l *links) init(c *Core) error {
l.core = c
l.tcp = l.newLinkTCP()
l.tls = l.newLinkTLS(l.tcp)
l.unix = l.newLinkUNIX()
l.socks = l.newLinkSOCKS()
l.quic = l.newLinkQUIC()
l.ws = l.newLinkWS()
l.wss = l.newLinkWSS()
l._links = make(map[linkInfo]*link)
l._listeners = make(map[*Listener]context.CancelFunc)
go l._runAverages()
return nil
}
func (l *links) _runAverages() {
ticker := time.NewTicker(time.Second)
defer ticker.Stop()
l.Act(nil, l._updateAverages)
for {
select {
case <-l.core.ctx.Done():
return
case <-ticker.C:
l.Act(nil, l._updateAverages)
}
}
}
func (l *links) _updateAverages() {
for _, link := range l._links {
conn := link._conn
if conn == nil {
continue
}
rx := atomic.LoadUint64(&conn.rx)
tx := atomic.LoadUint64(&conn.tx)
lastrx := atomic.LoadUint64(&conn.lastrx)
lasttx := atomic.LoadUint64(&conn.lasttx)
atomic.StoreUint64(&conn.rxrate, rx-lastrx)
atomic.StoreUint64(&conn.txrate, tx-lasttx)
atomic.StoreUint64(&conn.lastrx, rx)
atomic.StoreUint64(&conn.lasttx, tx)
}
}
func (l *links) shutdown() {
phony.Block(l, func() {
for _, cancel := range l._listeners {
cancel()
}
for _, link := range l._links {
if link._conn != nil {
_ = link._conn.Close()
}
}
})
}
type linkError string
func (e linkError) Error() string { return string(e) }
const ErrLinkAlreadyConfigured = linkError("peer is already configured")
const ErrLinkNotConfigured = linkError("peer is not configured")
const ErrLinkPriorityInvalid = linkError("priority value is invalid")
const ErrLinkPinnedKeyInvalid = linkError("pinned public key is invalid")
const ErrLinkPasswordInvalid = linkError("invalid password supplied")
const ErrLinkUnrecognisedSchema = linkError("link schema unknown")
const ErrLinkMaxBackoffInvalid = linkError("max backoff duration invalid")
const ErrLinkSNINotSupported = linkError("SNI not supported on this link type")
const ErrLinkNoSuitableIPs = linkError("peer has no suitable addresses")
const ErrLinkToSelf = linkError("node cannot connect to self")
func (l *links) add(u *url.URL, sintf string, linkType linkType) error {
if _, err := l.dialerFor(u); err != nil {
return err
}
var retErr error
phony.Block(l, func() {
// Generate the link info and see whether we think we already
// have an open peering to this peer.
lu := urlForLinkInfo(*u)
info := linkInfo{
uri: lu.String(),
sintf: sintf,
}
// Collect together the link options, these are global options
// that are not specific to any given protocol.
options := linkOptions{
maxBackoff: defaultBackoffLimit,
}
for _, pubkey := range u.Query()["key"] {
sigPub, err := hex.DecodeString(pubkey)
if err != nil {
retErr = ErrLinkPinnedKeyInvalid
return
}
var sigPubKey keyArray
copy(sigPubKey[:], sigPub)
if options.pinnedEd25519Keys == nil {
options.pinnedEd25519Keys = map[keyArray]struct{}{}
}
options.pinnedEd25519Keys[sigPubKey] = struct{}{}
}
if p := u.Query().Get("priority"); p != "" {
pi, err := strconv.ParseUint(p, 10, 8)
if err != nil {
retErr = ErrLinkPriorityInvalid
return
}
options.priority = uint8(pi)
}
if p := u.Query().Get("password"); p != "" {
if len(p) > blake2b.Size {
retErr = ErrLinkPasswordInvalid
return
}
options.password = []byte(p)
}
if p := u.Query().Get("maxbackoff"); p != "" {
d, err := time.ParseDuration(p)
if err != nil || d < minimumBackoffLimit {
retErr = ErrLinkMaxBackoffInvalid
return
}
options.maxBackoff = d
}
// SNI headers must contain hostnames and not IP addresses, so we must make sure
// that we do not populate the SNI with an IP literal. We do this by splitting
// the host-port combo from the query option and then seeing if it parses to an
// IP address successfully or not.
if sni := u.Query().Get("sni"); sni != "" {
if net.ParseIP(sni) == nil {
options.tlsSNI = sni
}
}
// If the SNI is not configured still because the above failed then we'll try
// again but this time we'll use the host part of the peering URI instead.
if options.tlsSNI == "" {
if host, _, err := net.SplitHostPort(u.Host); err == nil && net.ParseIP(host) == nil {
options.tlsSNI = host
}
}
// If we think we're already connected to this peer, load up
// the existing peer state. Try to kick the peer if possible,
// which will cause an immediate connection attempt if it is
// backing off for some reason.
state, ok := l._links[info]
if ok && state != nil {
select {
case state.kick <- struct{}{}:
default:
}
retErr = ErrLinkAlreadyConfigured
return
}
// Create the link entry. This will contain the connection
// in progress (if any), any error details and a context that
// lets the link be cancelled later.
state = &link{
linkType: linkType,
linkProto: strings.ToUpper(u.Scheme),
kick: make(chan struct{}),
}
state.ctx, state.cancel = context.WithCancel(l.core.ctx)
// Store the state of the link so that it can be queried later.
l._links[info] = state
// Track how many consecutive connection failures we have had,
// as we will back off exponentially rather than hammering the
// remote node endlessly.
var backoff int
// backoffNow is called when there's a connection error. It
// will wait for the specified amount of time and then return
// true, unless the peering context was cancelled (due to a
// peer removal most likely), in which case it returns false.
// The caller should check the return value to decide whether
// or not to give up trying.
backoffNow := func() bool {
if backoff >= 0 && backoff < 32 {
backoff++
}
var timeout <-chan time.Time
if backoff < 0 {
timeout = make(chan time.Time)
} else {
duration := time.Second << backoff
if duration > options.maxBackoff {
duration = options.maxBackoff
}
timeout = time.After(duration)
}
select {
case <-state.kick:
return true
case <-state.ctx.Done():
return false
case <-l.core.ctx.Done():
return false
case <-timeout:
return true
}
}
// resetBackoff is called by the connection handler when the
// handshake has successfully completed.
resetBackoff := func() {
backoff = 0
}
// The goroutine is responsible for attempting the connection
// and then running the handler. If the connection is persistent
// then the loop will run endlessly, using backoffs as needed.
// Otherwise the loop will end, cleaning up the link entry.
go func() {
defer phony.Block(l, func() {
if l._links[info] == state {
delete(l._links, info)
}
})
// This loop will run each and every time we want to attempt
// a connection to this peer.
// TODO get rid of this loop, this is *exactly* what time.AfterFunc is for, we should just send a signal to the links actor to kick off a goroutine as needed
for {
select {
case <-state.ctx.Done():
// The peering context has been cancelled, so don't try
// to dial again.
return
default:
}
conn, err := l.connect(state.ctx, u, info, options)
if err != nil || conn == nil {
if err == nil && conn == nil {
l.core.log.Warnf("Link %q reached inconsistent error state", u.String())
}
if linkType == linkTypePersistent {
// If the link is a persistent configured peering,
// store information about the connection error so
// that we can report it through the admin socket.
phony.Block(l, func() {
state._conn = nil
state._err = err
state._errtime = time.Now()
})
// Back off for a bit. If true is returned here, we
// can continue onto the next loop iteration to try
// the next connection.
if backoffNow() {
continue
}
return
}
// Ephemeral and incoming connections don't remain
// after a connection failure, so exit out of the
// loop and clean up the link entry.
break
}
// The linkConn wrapper allows us to track the number of
// bytes written to and read from this connection without
// the help of ironwood.
lc := &linkConn{
Conn: conn,
up: time.Now(),
}
// Update the link state with our newly wrapped connection.
// Clear the error state.
var doRet bool
phony.Block(l, func() {
if state._conn != nil {
// If a peering has come up in this time, abort this one.
doRet = true
}
state._conn = lc
state._err = nil
state._errtime = time.Now()
})
if doRet {
return
}
// Give the connection to the handler. The handler will block
// for the lifetime of the connection.
switch err = l.handler(linkType, options, lc, resetBackoff, false); {
case errors.Is(err, ErrLinkToSelf):
// This is a pretty permanent error, don't retry.
backoff = -1
case err == nil:
case errors.Is(err, io.EOF):
case errors.Is(err, net.ErrClosed):
default:
l.core.log.Debugf("Link %s error: %s\n", u.Host, err)
}
// The handler has stopped running so the connection is dead,
// try to close the underlying socket just in case and then
// update the link state.
_ = lc.Close()
phony.Block(l, func() {
state._conn = nil
if err == nil {
err = fmt.Errorf("remote side closed the connection")
}
state._err = err
state._errtime = time.Now()
})
// If the link is persistently configured, back off if needed
// and then try reconnecting. Otherwise, exit out.
if linkType == linkTypePersistent {
if backoffNow() {
continue
}
}
// Ephemeral or incoming connections don't reconnect.
return
}
}()
})
return retErr
}
func (l *links) remove(u *url.URL, sintf string, _ linkType) error {
var retErr error
phony.Block(l, func() {
// Generate the link info and see whether we think we already
// have an open peering to this peer.
lu := urlForLinkInfo(*u)
info := linkInfo{
uri: lu.String(),
sintf: sintf,
}
// If this peer is already configured then we will close the
// connection and stop it from retrying.
state, ok := l._links[info]
if ok && state != nil {
state.cancel()
if conn := state._conn; conn != nil {
retErr = conn.Close()
}
return
}
retErr = ErrLinkNotConfigured
})
return retErr
}
func (l *links) listen(u *url.URL, sintf string, local bool) (*Listener, error) {
ctx, ctxcancel := context.WithCancel(l.core.ctx)
var protocol linkProtocol
switch strings.ToLower(u.Scheme) {
case "tcp":
protocol = l.tcp
case "tls":
protocol = l.tls
case "unix":
protocol = l.unix
case "quic":
protocol = l.quic
case "ws":
protocol = l.ws
case "wss":
protocol = l.wss
default:
ctxcancel()
return nil, ErrLinkUnrecognisedSchema
}
listener, err := protocol.listen(ctx, u, sintf)
if err != nil {
ctxcancel()
return nil, err
}
addr := listener.Addr()
cancel := func() {
ctxcancel()
if err := listener.Close(); err != nil && !errors.Is(err, net.ErrClosed) {
l.core.log.Warnf("Error closing %s listener %s: %s", strings.ToUpper(u.Scheme), addr, err)
}
}
li := &Listener{
listener: listener,
ctx: ctx,
Cancel: cancel,
}
var options linkOptions
if p := u.Query().Get("priority"); p != "" {
pi, err := strconv.ParseUint(p, 10, 8)
if err != nil {
return nil, ErrLinkPriorityInvalid
}
options.priority = uint8(pi)
}
if p := u.Query().Get("password"); p != "" {
if len(p) > blake2b.Size {
return nil, ErrLinkPasswordInvalid
}
options.password = []byte(p)
}
phony.Block(l, func() {
l._listeners[li] = cancel
})
go func() {
l.core.log.Infof("%s listener started on %s", strings.ToUpper(u.Scheme), addr)
defer phony.Block(l, func() {
cancel()
delete(l._listeners, li)
l.core.log.Infof("%s listener stopped on %s", strings.ToUpper(u.Scheme), addr)
})
for {
conn, err := li.listener.Accept()
if err != nil {
return
}
go func(conn net.Conn) {
defer conn.Close()
// In order to populate a somewhat sane looking connection
// URI in the admin socket, we need to replace the host in
// the listener URL with the remote address.
pu := *u
pu.Host = conn.RemoteAddr().String()
lu := urlForLinkInfo(pu)
info := linkInfo{
uri: lu.String(),
sintf: sintf,
}
// If there's an existing link state for this link, get it.
// If this node is already connected to us, just drop the
// connection. This prevents duplicate peerings.
var lc *linkConn
var state *link
phony.Block(l, func() {
var ok bool
state, ok = l._links[info]
if !ok || state == nil {
state = &link{
linkType: linkTypeIncoming,
linkProto: strings.ToUpper(u.Scheme),
kick: make(chan struct{}),
}
}
if state._conn != nil {
// If a connection has come up in this time, abort
// this one.
return
}
// The linkConn wrapper allows us to track the number of
// bytes written to and read from this connection without
// the help of ironwood.
lc = &linkConn{
Conn: conn,
up: time.Now(),
}
// Update the link state with our newly wrapped connection.
// Clear the error state.
state._conn = lc
state._err = nil
state._errtime = time.Time{}
// Store the state of the link so that it can be queried later.
l._links[info] = state
})
defer phony.Block(l, func() {
if l._links[info] == state {
delete(l._links, info)
}
})
if lc == nil {
return
}
// Give the connection to the handler. The handler will block
// for the lifetime of the connection.
switch err = l.handler(linkTypeIncoming, options, lc, nil, local); {
case err == nil:
case errors.Is(err, io.EOF):
case errors.Is(err, net.ErrClosed):
default:
l.core.log.Debugf("Link %s error: %s\n", u.Host, err)
}
// The handler has stopped running so the connection is dead,
// try to close the underlying socket just in case and then
// drop the link state.
_ = lc.Close()
}(conn)
}
}()
return li, nil
}
func (l *links) connect(ctx context.Context, u *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
dialer, err := l.dialerFor(u)
if err != nil {
return nil, err
}
return dialer.dial(ctx, u, info, options)
}
func (l *links) dialerFor(u *url.URL) (linkProtocol, error) {
var dialer linkProtocol
switch strings.ToLower(u.Scheme) {
case "tcp":
dialer = l.tcp
case "tls":
dialer = l.tls
case "socks", "sockstls":
dialer = l.socks
case "unix":
dialer = l.unix
case "quic":
dialer = l.quic
case "ws":
dialer = l.ws
case "wss":
dialer = l.wss
default:
return nil, ErrLinkUnrecognisedSchema
}
return dialer, nil
}
func (l *links) handler(linkType linkType, options linkOptions, conn net.Conn, success func(), local bool) error {
meta := version_getBaseMetadata()
meta.publicKey = l.core.public
meta.priority = options.priority
metaBytes, err := meta.encode(l.core.secret, options.password)
if err != nil {
return fmt.Errorf("failed to generate handshake: %w", err)
}
if err := conn.SetDeadline(time.Now().Add(time.Second * 6)); err != nil {
return fmt.Errorf("failed to set handshake deadline: %w", err)
}
n, err := conn.Write(metaBytes)
switch {
case err != nil:
return fmt.Errorf("write handshake: %w", err)
case n != len(metaBytes):
return fmt.Errorf("incomplete handshake send")
}
meta = version_metadata{}
base := version_getBaseMetadata()
if err := meta.decode(conn, options.password); err != nil {
_ = conn.Close()
return err
}
if !meta.check() {
return fmt.Errorf("remote node incompatible version (local %s, remote %s)",
fmt.Sprintf("%d.%d", base.majorVer, base.minorVer),
fmt.Sprintf("%d.%d", meta.majorVer, meta.minorVer),
)
}
if err = conn.SetDeadline(time.Time{}); err != nil {
return fmt.Errorf("failed to clear handshake deadline: %w", err)
}
// Check that the node isn't trying to connect to itself.
if meta.publicKey.Equal(l.core.public) {
return ErrLinkToSelf
}
// Check if the remote side matches the keys we expected. This is a bit of a weak
// check - in future versions we really should check a signature or something like that.
if pinned := options.pinnedEd25519Keys; len(pinned) > 0 {
var key keyArray
copy(key[:], meta.publicKey)
if _, allowed := pinned[key]; !allowed {
return fmt.Errorf("node public key that does not match pinned keys")
}
}
// Check if we're authorized to connect to this key / IP
if !local {
var allowed map[[32]byte]struct{}
phony.Block(l.core, func() {
allowed = l.core.config._allowedPublicKeys
})
isallowed := len(allowed) == 0
if !isallowed {
var remoteKey [32]byte
copy(remoteKey[:], meta.publicKey)
_, isallowed = allowed[remoteKey]
}
if linkType == linkTypeIncoming && !isallowed {
return fmt.Errorf("node public key %q is not in AllowedPublicKeys", hex.EncodeToString(meta.publicKey))
}
}
dir := "outbound"
if linkType == linkTypeIncoming {
dir = "inbound"
}
remoteAddr := net.IP(address.AddrForKey(meta.publicKey)[:]).String()
remoteStr := fmt.Sprintf("%s@%s", remoteAddr, conn.RemoteAddr())
localStr := conn.LocalAddr()
priority := options.priority
if meta.priority > priority {
priority = meta.priority
}
l.core.log.Infof("Connected %s: %s, source %s",
dir, remoteStr, localStr)
if success != nil {
success()
}
err = l.core.HandleConn(meta.publicKey, conn, priority)
switch err {
case io.EOF, net.ErrClosed, nil:
l.core.log.Infof("Disconnected %s: %s, source %s",
dir, remoteStr, localStr)
default:
l.core.log.Infof("Disconnected %s: %s, source %s; error: %s",
dir, remoteStr, localStr, err)
}
return err
}
func (l *links) findSuitableIP(url *url.URL, fn func(hostname string, ip net.IP, port int) (net.Conn, error)) (net.Conn, error) {
host, p, err := net.SplitHostPort(url.Host)
if err != nil {
return nil, err
}
port, err := strconv.Atoi(p)
if err != nil {
return nil, err
}
resp, err := net.LookupIP(host)
if err != nil {
return nil, err
}
peerFilter := l.core.config.peerFilter
redactedURL := ""
hadSuitable := false
for _, ip := range resp {
switch {
case ip.IsUnspecified():
continue
case ip.IsMulticast():
continue
case ip.IsLinkLocalMulticast():
continue
case ip.IsInterfaceLocalMulticast():
continue
case peerFilter != nil && !peerFilter(ip):
continue
}
hadSuitable = true
conn, dialErr := fn(host, ip, port)
if dialErr != nil {
if redactedURL == "" {
u := *url
u.RawQuery = ""
redactedURL = u.Redacted()
}
l.core.log.Debugln("Dialling", redactedURL, "reported error:", dialErr)
err = dialErr
continue
}
if conn != nil {
return conn, nil
}
}
if !hadSuitable {
return nil, ErrLinkNoSuitableIPs
}
return nil, err
}
func urlForLinkInfo(u url.URL) url.URL {
u.RawQuery = ""
return u
}
type linkConn struct {
// tx and rx are at the beginning of the struct to ensure 64-bit alignment
// on 32-bit platforms, see https://pkg.go.dev/sync/atomic#pkg-note-BUG
rx uint64
tx uint64
rxrate uint64
txrate uint64
lastrx uint64
lasttx uint64
up time.Time
net.Conn
}
func (c *linkConn) Read(p []byte) (n int, err error) {
n, err = c.Conn.Read(p)
if n > 0 {
atomic.AddUint64(&c.rx, uint64(n))
}
return
}
func (c *linkConn) Write(p []byte) (n int, err error) {
n, err = c.Conn.Write(p)
if n > 0 {
atomic.AddUint64(&c.tx, uint64(n))
}
return
}

118
src/core/link_quic.go Normal file
View file

@ -0,0 +1,118 @@
package core
import (
"context"
"crypto/tls"
"fmt"
"net"
"net/url"
"strconv"
"time"
"github.com/Arceliar/phony"
"github.com/quic-go/quic-go"
)
type linkQUIC struct {
phony.Inbox
*links
tlsconfig *tls.Config
quicconfig *quic.Config
}
type linkQUICStream struct {
*quic.Conn
*quic.Stream
}
type linkQUICListener struct {
*quic.Listener
ch <-chan *linkQUICStream
}
func (l *linkQUICListener) Accept() (net.Conn, error) {
qs := <-l.ch
if qs == nil {
return nil, context.Canceled
}
return qs, nil
}
func (l *links) newLinkQUIC() *linkQUIC {
lt := &linkQUIC{
links: l,
tlsconfig: l.core.config.tls.Clone(),
quicconfig: &quic.Config{
MaxIdleTimeout: time.Minute,
KeepAlivePeriod: time.Second * 20,
TokenStore: quic.NewLRUTokenStore(255, 255),
InitialStreamReceiveWindow: 2 << 20,
MaxStreamReceiveWindow: 8 << 20,
InitialConnectionReceiveWindow: 4 << 20,
MaxConnectionReceiveWindow: 16 << 20,
MaxIncomingStreams: 1,
MaxIncomingUniStreams: 0,
InitialPacketSize: 1350,
EnableDatagrams: false,
EnableStreamResetPartialDelivery: false,
},
}
return lt
}
func (l *linkQUIC) dial(ctx context.Context, url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
tlsconfig := l.tlsconfig.Clone()
return l.findSuitableIP(url, func(hostname string, ip net.IP, port int) (net.Conn, error) {
tlsconfig.ServerName = hostname
tlsconfig.MinVersion = tls.VersionTLS12
tlsconfig.MaxVersion = tls.VersionTLS13
hostport := net.JoinHostPort(ip.String(), strconv.Itoa(port))
qc, err := quic.DialAddr(ctx, hostport, tlsconfig, l.quicconfig)
if err != nil {
return nil, err
}
qs, err := qc.OpenStreamSync(ctx)
if err != nil {
return nil, err
}
return &linkQUICStream{
Conn: qc,
Stream: qs,
}, nil
})
}
func (l *linkQUIC) listen(ctx context.Context, url *url.URL, _ string) (net.Listener, error) {
ql, err := quic.ListenAddr(url.Host, l.tlsconfig, l.quicconfig)
if err != nil {
return nil, err
}
ch := make(chan *linkQUICStream)
lql := &linkQUICListener{
Listener: ql,
ch: ch,
}
go func() {
for {
qc, err := ql.Accept(ctx)
switch err {
case context.Canceled, context.DeadlineExceeded:
ql.Close()
fallthrough
case quic.ErrServerClosed:
return
case nil:
qs, err := qc.AcceptStream(ctx)
if err != nil {
_ = qc.CloseWithError(1, fmt.Sprintf("stream error: %s", err))
continue
}
ch <- &linkQUICStream{
Conn: qc,
Stream: qs,
}
}
}
}()
return lql, nil
}

67
src/core/link_socks.go Normal file
View file

@ -0,0 +1,67 @@
package core
import (
"context"
"crypto/tls"
"fmt"
"net"
"net/url"
"strings"
"golang.org/x/net/proxy"
)
type linkSOCKS struct {
*links
}
func (l *links) newLinkSOCKS() *linkSOCKS {
lt := &linkSOCKS{
links: l,
}
return lt
}
func (l *linkSOCKS) dial(_ context.Context, url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
var proxyAuth *proxy.Auth
if url.User != nil && url.User.Username() != "" {
proxyAuth = &proxy.Auth{
User: url.User.Username(),
}
proxyAuth.Password, _ = url.User.Password()
}
tlsconfig := l.tls.config.Clone()
return l.findSuitableIP(url, func(hostname string, ip net.IP, port int) (net.Conn, error) {
hostport := net.JoinHostPort(ip.String(), fmt.Sprintf("%d", port))
dialer, err := l.tcp.dialerFor(&net.TCPAddr{
IP: ip,
Port: port,
}, info.sintf)
if err != nil {
return nil, err
}
proxy, err := proxy.SOCKS5("tcp", hostport, proxyAuth, dialer)
if err != nil {
return nil, err
}
pathtokens := strings.Split(strings.Trim(url.Path, "/"), "/")
conn, err := proxy.Dial("tcp", pathtokens[0])
if err != nil {
return nil, err
}
if url.Scheme == "sockstls" {
tlsconfig.ServerName = hostname
tlsconfig.MinVersion = tls.VersionTLS12
tlsconfig.MaxVersion = tls.VersionTLS13
if sni := options.tlsSNI; sni != "" {
tlsconfig.ServerName = sni
}
conn = tls.Client(conn, tlsconfig)
}
return conn, nil
})
}
func (l *linkSOCKS) listen(ctx context.Context, url *url.URL, _ string) (net.Listener, error) {
return nil, fmt.Errorf("SOCKS listener not supported")
}

160
src/core/link_tcp.go Normal file
View file

@ -0,0 +1,160 @@
package core
import (
"context"
"fmt"
"net"
"net/url"
"sync"
"time"
"github.com/Arceliar/phony"
)
type linkTCP struct {
phony.Inbox
*links
listenconfig *net.ListenConfig
ifaceCache map[string]ifaceCacheEntry
ifaceMu sync.RWMutex
}
type ifaceCacheEntry struct {
expires time.Time
up bool
addrs []net.IP
}
const ifaceCacheTTL = 5 * time.Second
func (l *links) newLinkTCP() *linkTCP {
lt := &linkTCP{
links: l,
ifaceCache: make(map[string]ifaceCacheEntry),
listenconfig: &net.ListenConfig{
KeepAlive: -1,
},
}
lt.listenconfig.Control = lt.tcpContext
return lt
}
func (l *linkTCP) dial(ctx context.Context, url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
return l.findSuitableIP(url, func(hostname string, ip net.IP, port int) (net.Conn, error) {
addr := &net.TCPAddr{
IP: ip,
Port: port,
}
dialer, err := l.tcp.dialerFor(addr, info.sintf)
if err != nil {
return nil, err
}
return dialer.DialContext(ctx, "tcp", addr.String())
})
}
func (l *linkTCP) listen(ctx context.Context, url *url.URL, sintf string) (net.Listener, error) {
hostport := url.Host
if sintf != "" {
if host, port, err := net.SplitHostPort(hostport); err == nil {
hostport = fmt.Sprintf("[%s%%%s]:%s", host, sintf, port)
}
}
return l.listenconfig.Listen(ctx, "tcp", hostport)
}
func (l *linkTCP) dialerFor(dst *net.TCPAddr, sintf string) (*net.Dialer, error) {
if dst.IP.IsLinkLocalUnicast() {
if sintf != "" {
dst.Zone = sintf
}
if dst.Zone == "" {
return nil, fmt.Errorf("link-local address requires a zone")
}
}
dialer := &net.Dialer{
Timeout: time.Second * 5,
KeepAlive: -1,
Control: l.tcpContext,
}
if sintf == "" {
return dialer, nil
}
dialer.Control = l.getControl(sintf)
info, err := l.getInterfaceInfo(sintf)
if err != nil {
if dst.IP.IsLinkLocalUnicast() && dst.Zone != "" {
return dialer, nil
}
return nil, err
}
if !info.up {
return nil, fmt.Errorf("interface %q is not up", sintf)
}
for addrindex, src := range info.addrs {
if !src.IsGlobalUnicast() && !src.IsLinkLocalUnicast() {
continue
}
bothglobal := src.IsGlobalUnicast() == dst.IP.IsGlobalUnicast()
bothlinklocal := src.IsLinkLocalUnicast() == dst.IP.IsLinkLocalUnicast()
if !bothglobal && !bothlinklocal {
continue
}
if (src.To4() != nil) != (dst.IP.To4() != nil) {
continue
}
if bothglobal || bothlinklocal || addrindex == len(info.addrs)-1 {
dialer.LocalAddr = &net.TCPAddr{
IP: src,
Port: 0,
Zone: sintf,
}
break
}
}
if dialer.LocalAddr == nil {
if dst.IP.IsLinkLocalUnicast() && dst.Zone != "" {
return dialer, nil
}
return nil, fmt.Errorf("no suitable source address found on interface %q", sintf)
}
return dialer, nil
}
func (l *linkTCP) getInterfaceInfo(sintf string) (ifaceCacheEntry, error) {
now := time.Now()
l.ifaceMu.RLock()
if cached, ok := l.ifaceCache[sintf]; ok && now.Before(cached.expires) {
l.ifaceMu.RUnlock()
return cached, nil
}
l.ifaceMu.RUnlock()
ief, err := net.InterfaceByName(sintf)
if err != nil {
return ifaceCacheEntry{}, fmt.Errorf("interface %q not found", sintf)
}
addrs, err := ief.Addrs()
if err != nil {
return ifaceCacheEntry{}, fmt.Errorf("interface %q addresses not available: %w", sintf, err)
}
ips := make([]net.IP, 0, len(addrs))
for _, addr := range addrs {
src, _, err := net.ParseCIDR(addr.String())
if err != nil {
continue
}
ips = append(ips, src)
}
entry := ifaceCacheEntry{
expires: now.Add(ifaceCacheTTL),
up: ief.Flags&net.FlagUp != 0,
addrs: ips,
}
l.ifaceMu.Lock()
l.ifaceCache[sintf] = entry
l.ifaceMu.Unlock()
return entry, nil
}

32
src/core/link_tcp_darwin.go Normal file
View file

@ -0,0 +1,32 @@
//go:build darwin
package core
import (
"syscall"
"golang.org/x/sys/unix"
)
// WARNING: This context is used both by net.Dialer and net.Listen in tcp.go
func (t *linkTCP) tcpContext(network, address string, c syscall.RawConn) error {
var control error
var recvanyif error
control = c.Control(func(fd uintptr) {
// sys/socket.h: #define SO_RECV_ANYIF 0x1104
recvanyif = unix.SetsockoptInt(int(fd), syscall.SOL_SOCKET, 0x1104, 1)
})
switch {
case recvanyif != nil:
return recvanyif
default:
return control
}
}
func (t *linkTCP) getControl(_ string) func(string, string, syscall.RawConn) error {
return t.tcpContext
}

29
src/core/link_tcp_linux.go Normal file
View file

@ -0,0 +1,29 @@
//go:build linux
package core
import (
"syscall"
"golang.org/x/sys/unix"
)
// WARNING: This context is used both by net.Dialer and net.Listen in tcp.go
func (t *linkTCP) tcpContext(network, address string, c syscall.RawConn) error {
return nil
}
func (t *linkTCP) getControl(sintf string) func(string, string, syscall.RawConn) error {
return func(network, address string, c syscall.RawConn) error {
var err error
btd := func(fd uintptr) {
err = unix.BindToDevice(int(fd), sintf)
}
_ = c.Control(btd)
if err != nil {
t.core.log.Debugln("Failed to set SO_BINDTODEVICE:", sintf)
}
return t.tcpContext(network, address, c)
}
}

17
src/core/link_tcp_other.go Normal file
View file

@ -0,0 +1,17 @@
//go:build !darwin && !linux
package core
import (
"syscall"
)
// WARNING: This context is used both by net.Dialer and net.Listen in tcp.go
func (t *linkTCP) tcpContext(network, address string, c syscall.RawConn) error {
return nil
}
func (t *linkTCP) getControl(sintf string) func(string, string, syscall.RawConn) error {
return t.tcpContext
}

72
src/core/link_tls.go Normal file
View file

@ -0,0 +1,72 @@
package core
import (
"context"
"crypto/tls"
"fmt"
"net"
"net/url"
"github.com/Arceliar/phony"
)
type linkTLS struct {
phony.Inbox
*links
tcp *linkTCP
listener *net.ListenConfig
config *tls.Config
}
func (l *links) newLinkTLS(tcp *linkTCP) *linkTLS {
lt := &linkTLS{
links: l,
tcp: tcp,
listener: &net.ListenConfig{
Control: tcp.tcpContext,
KeepAlive: -1,
},
config: l.core.config.tls.Clone(),
}
return lt
}
func (l *linkTLS) dial(ctx context.Context, url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
tlsconfig := l.config.Clone()
return l.findSuitableIP(url, func(hostname string, ip net.IP, port int) (net.Conn, error) {
tlsconfig.ServerName = hostname
tlsconfig.MinVersion = tls.VersionTLS12
tlsconfig.MaxVersion = tls.VersionTLS13
if sni := options.tlsSNI; sni != "" {
tlsconfig.ServerName = sni
}
addr := &net.TCPAddr{
IP: ip,
Port: port,
}
dialer, err := l.tcp.dialerFor(addr, info.sintf)
if err != nil {
return nil, err
}
tlsdialer := &tls.Dialer{
NetDialer: dialer,
Config: tlsconfig,
}
return tlsdialer.DialContext(ctx, "tcp", addr.String())
})
}
func (l *linkTLS) listen(ctx context.Context, url *url.URL, sintf string) (net.Listener, error) {
hostport := url.Host
if sintf != "" {
if host, port, err := net.SplitHostPort(hostport); err == nil {
hostport = fmt.Sprintf("[%s%%%s]:%s", host, sintf, port)
}
}
listener, err := l.listener.Listen(ctx, "tcp", hostport)
if err != nil {
return nil, err
}
tlslistener := tls.NewListener(listener, l.config)
return tlslistener, nil
}

43
src/core/link_unix.go Normal file
View file

@ -0,0 +1,43 @@
package core
import (
"context"
"net"
"net/url"
"time"
"github.com/Arceliar/phony"
)
type linkUNIX struct {
phony.Inbox
*links
dialer *net.Dialer
listener *net.ListenConfig
}
func (l *links) newLinkUNIX() *linkUNIX {
lt := &linkUNIX{
links: l,
dialer: &net.Dialer{
Timeout: time.Second * 5,
KeepAlive: -1,
},
listener: &net.ListenConfig{
KeepAlive: -1,
},
}
return lt
}
func (l *linkUNIX) dial(ctx context.Context, url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
addr, err := net.ResolveUnixAddr("unix", url.Path)
if err != nil {
return nil, err
}
return l.dialer.DialContext(ctx, "unix", addr.String())
}
func (l *linkUNIX) listen(ctx context.Context, url *url.URL, _ string) (net.Listener, error) {
return l.listener.Listen(ctx, "unix", url.Path)
}

150
src/core/link_ws.go Normal file
View file

@ -0,0 +1,150 @@
package core
import (
"context"
"net"
"net/http"
"net/url"
"strconv"
"time"
"github.com/Arceliar/phony"
"github.com/coder/websocket"
)
const wsSubprotocol = "ygg-ws"
type linkWS struct {
phony.Inbox
*links
listenconfig *net.ListenConfig
transport *http.Transport
}
type linkWSConn struct {
net.Conn
}
type linkWSListener struct {
ch chan *linkWSConn
ctx context.Context
httpServer *http.Server
listener net.Listener
}
type wsServer struct {
ch chan *linkWSConn
ctx context.Context
}
func (l *linkWSListener) Accept() (net.Conn, error) {
qs := <-l.ch
if qs == nil {
return nil, context.Canceled
}
return qs, nil
}
func (l *linkWSListener) Addr() net.Addr {
return l.listener.Addr()
}
func (l *linkWSListener) Close() error {
if err := l.httpServer.Shutdown(l.ctx); err != nil {
return err
}
return l.listener.Close()
}
func (s *wsServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == "/health" || r.URL.Path == "/healthz" {
w.WriteHeader(http.StatusOK)
_, _ = w.Write([]byte("OK"))
return
}
c, err := websocket.Accept(w, r, &websocket.AcceptOptions{
Subprotocols: []string{wsSubprotocol},
})
if err != nil {
return
}
if c.Subprotocol() != wsSubprotocol {
c.Close(websocket.StatusPolicyViolation, "client must speak the ygg-ws subprotocol")
return
}
s.ch <- &linkWSConn{
Conn: websocket.NetConn(s.ctx, c, websocket.MessageBinary),
}
}
func (l *links) newLinkWS() *linkWS {
lt := &linkWS{
links: l,
listenconfig: &net.ListenConfig{
KeepAlive: -1,
},
transport: &http.Transport{
Proxy: http.ProxyFromEnvironment,
},
}
return lt
}
func (l *linkWS) dial(ctx context.Context, url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
return l.findSuitableIP(url, func(hostname string, ip net.IP, port int) (net.Conn, error) {
u := *url
u.Host = net.JoinHostPort(ip.String(), strconv.Itoa(port))
addr := &net.TCPAddr{
IP: ip,
Port: port,
}
dialer, err := l.tcp.dialerFor(addr, info.sintf)
if err != nil {
return nil, err
}
transport := l.transport.Clone()
transport.DialContext = dialer.DialContext
wsconn, _, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{
HTTPClient: &http.Client{Transport: transport},
Subprotocols: []string{wsSubprotocol},
Host: hostname,
})
if err != nil {
return nil, err
}
return &linkWSConn{
Conn: websocket.NetConn(ctx, wsconn, websocket.MessageBinary),
}, nil
})
}
func (l *linkWS) listen(ctx context.Context, url *url.URL, _ string) (net.Listener, error) {
nl, err := l.listenconfig.Listen(ctx, "tcp", url.Host)
if err != nil {
return nil, err
}
ch := make(chan *linkWSConn)
httpServer := &http.Server{
Handler: &wsServer{
ch: ch,
ctx: ctx,
},
BaseContext: func(_ net.Listener) context.Context { return ctx },
ReadTimeout: time.Second * 10,
WriteTimeout: time.Second * 10,
}
lwl := &linkWSListener{
ch: ch,
ctx: ctx,
httpServer: httpServer,
listener: nl,
}
go lwl.httpServer.Serve(nl) // nolint:errcheck
return lwl, nil
}

73
src/core/link_wss.go Normal file
View file

@ -0,0 +1,73 @@
package core
import (
"context"
"crypto/tls"
"fmt"
"net"
"net/http"
"net/url"
"strconv"
"github.com/Arceliar/phony"
"github.com/coder/websocket"
)
type linkWSS struct {
phony.Inbox
*links
tlsconfig *tls.Config
transport *http.Transport
}
type linkWSSConn struct {
net.Conn
}
func (l *links) newLinkWSS() *linkWSS {
lwss := &linkWSS{
links: l,
tlsconfig: l.core.config.tls.Clone(),
transport: &http.Transport{
Proxy: http.ProxyFromEnvironment,
},
}
return lwss
}
func (l *linkWSS) dial(ctx context.Context, url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
tlsconfig := l.tlsconfig.Clone()
return l.findSuitableIP(url, func(hostname string, ip net.IP, port int) (net.Conn, error) {
tlsconfig.ServerName = hostname
tlsconfig.MinVersion = tls.VersionTLS12
tlsconfig.MaxVersion = tls.VersionTLS13
u := *url
u.Host = net.JoinHostPort(ip.String(), strconv.Itoa(port))
addr := &net.TCPAddr{
IP: ip,
Port: port,
}
dialer, err := l.tcp.dialerFor(addr, info.sintf)
if err != nil {
return nil, err
}
transport := l.transport.Clone()
transport.DialContext = dialer.DialContext
transport.TLSClientConfig = tlsconfig
wsconn, _, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{
HTTPClient: &http.Client{Transport: transport},
Subprotocols: []string{wsSubprotocol},
Host: hostname,
})
if err != nil {
return nil, err
}
return &linkWSSConn{
Conn: websocket.NetConn(ctx, wsconn, websocket.MessageBinary),
}, nil
})
}
func (l *linkWSS) listen(ctx context.Context, url *url.URL, _ string) (net.Listener, error) {
return nil, fmt.Errorf("WSS listener not supported, use WS listener behind reverse proxy instead")
}

173
src/core/nodeinfo.go Normal file
View file

@ -0,0 +1,173 @@
package core
import (
"encoding/hex"
"encoding/json"
"errors"
"fmt"
"runtime"
"time"
iwt "github.com/Arceliar/ironwood/types"
"github.com/Arceliar/phony"
"github.com/yggdrasil-network/yggdrasil-go/src/version"
)
type nodeinfo struct {
phony.Inbox
proto *protoHandler
myNodeInfo json.RawMessage
callbacks map[keyArray]nodeinfoCallback
}
type nodeinfoCallback struct {
call func(nodeinfo json.RawMessage)
created time.Time
}
// Initialises the nodeinfo cache/callback maps, and starts a goroutine to keep
// the cache/callback maps clean of stale entries
func (m *nodeinfo) init(proto *protoHandler) {
m.Act(nil, func() {
m._init(proto)
})
}
func (m *nodeinfo) _init(proto *protoHandler) {
m.proto = proto
m.callbacks = make(map[keyArray]nodeinfoCallback)
m._cleanup()
}
func (m *nodeinfo) _cleanup() {
for boxPubKey, callback := range m.callbacks {
if time.Since(callback.created) > time.Minute {
delete(m.callbacks, boxPubKey)
}
}
time.AfterFunc(time.Second*30, func() {
m.Act(nil, m._cleanup)
})
}
func (m *nodeinfo) _addCallback(sender keyArray, call func(nodeinfo json.RawMessage)) {
m.callbacks[sender] = nodeinfoCallback{
created: time.Now(),
call: call,
}
}
// Handles the callback, if there is one
func (m *nodeinfo) _callback(sender keyArray, nodeinfo json.RawMessage) {
if callback, ok := m.callbacks[sender]; ok {
callback.call(nodeinfo)
delete(m.callbacks, sender)
}
}
func (m *nodeinfo) _getNodeInfo() json.RawMessage {
return m.myNodeInfo
}
// Set the current node's nodeinfo
func (m *nodeinfo) setNodeInfo(given map[string]interface{}, privacy bool) (err error) {
phony.Block(m, func() {
err = m._setNodeInfo(given, privacy)
})
return
}
func (m *nodeinfo) _setNodeInfo(given map[string]interface{}, privacy bool) error {
newnodeinfo := make(map[string]interface{}, len(given))
for k, v := range given {
newnodeinfo[k] = v
}
if !privacy {
newnodeinfo["buildname"] = version.BuildName()
newnodeinfo["buildversion"] = version.BuildVersion()
newnodeinfo["buildplatform"] = runtime.GOOS
newnodeinfo["buildarch"] = runtime.GOARCH
}
newjson, err := json.Marshal(newnodeinfo)
switch {
case err != nil:
return fmt.Errorf("NodeInfo marshalling failed: %w", err)
case len(newjson) > 16384:
return fmt.Errorf("NodeInfo exceeds max length of 16384 bytes")
default:
m.myNodeInfo = newjson
return nil
}
}
func (m *nodeinfo) sendReq(from phony.Actor, key keyArray, callback func(nodeinfo json.RawMessage)) {
m.Act(from, func() {
m._sendReq(key, callback)
})
}
func (m *nodeinfo) _sendReq(key keyArray, callback func(nodeinfo json.RawMessage)) {
if callback != nil {
m._addCallback(key, callback)
}
_, _ = m.proto.core.PacketConn.WriteTo([]byte{typeSessionProto, typeProtoNodeInfoRequest}, iwt.Addr(key[:]))
}
func (m *nodeinfo) handleReq(from phony.Actor, key keyArray) {
m.Act(from, func() {
m._sendRes(key)
})
}
func (m *nodeinfo) handleRes(from phony.Actor, key keyArray, info json.RawMessage) {
m.Act(from, func() {
m._callback(key, info)
})
}
func (m *nodeinfo) _sendRes(key keyArray) {
bs := append([]byte{typeSessionProto, typeProtoNodeInfoResponse}, m._getNodeInfo()...)
_, _ = m.proto.core.PacketConn.WriteTo(bs, iwt.Addr(key[:]))
}
// Admin socket stuff
type GetNodeInfoRequest struct {
Key string `json:"key"`
}
type GetNodeInfoResponse map[string]json.RawMessage
func (m *nodeinfo) nodeInfoAdminHandler(in json.RawMessage) (interface{}, error) {
var req GetNodeInfoRequest
if err := json.Unmarshal(in, &req); err != nil {
return nil, err
}
if req.Key == "" {
return nil, fmt.Errorf("no remote public key supplied")
}
var key keyArray
var kbs []byte
var err error
if kbs, err = hex.DecodeString(req.Key); err != nil {
return nil, fmt.Errorf("failed to decode public key: %w", err)
}
copy(key[:], kbs)
ch := make(chan []byte, 1)
m.sendReq(nil, key, func(info json.RawMessage) {
ch <- info
})
timer := time.NewTimer(6 * time.Second)
defer timer.Stop()
select {
case <-timer.C:
return nil, errors.New("timed out waiting for response")
case info := <-ch:
var msg json.RawMessage
if err := msg.UnmarshalJSON(info); err != nil {
return nil, err
}
key := hex.EncodeToString(kbs[:])
res := GetNodeInfoResponse{key: msg}
return res, nil
}
}

61
src/core/options.go Normal file
View file

@ -0,0 +1,61 @@
package core
import (
"crypto/ed25519"
"fmt"
"net"
"net/url"
)
func (c *Core) _applyOption(opt SetupOption) (err error) {
switch v := opt.(type) {
case Peer:
u, err := url.Parse(v.URI)
if err != nil {
return fmt.Errorf("unable to parse peering URI: %w", err)
}
err = c.links.add(u, v.SourceInterface, linkTypePersistent)
switch err {
case ErrLinkAlreadyConfigured:
// Don't return this error, otherwise we'll panic at startup
// if there are multiple of the same peer configured
return nil
default:
return err
}
case ListenAddress:
c.config._listeners[v] = struct{}{}
case PeerFilter:
c.config.peerFilter = v
case NodeInfo:
c.config.nodeinfo = v
case NodeInfoPrivacy:
c.config.nodeinfoPrivacy = v
case AllowedPublicKey:
pk := [32]byte{}
copy(pk[:], v)
c.config._allowedPublicKeys[pk] = struct{}{}
}
return
}
type SetupOption interface {
isSetupOption()
}
type ListenAddress string
type Peer struct {
URI string
SourceInterface string
}
type NodeInfo map[string]interface{}
type NodeInfoPrivacy bool
type AllowedPublicKey ed25519.PublicKey
type PeerFilter func(net.IP) bool
func (a ListenAddress) isSetupOption() {}
func (a Peer) isSetupOption() {}
func (a NodeInfo) isSetupOption() {}
func (a NodeInfoPrivacy) isSetupOption() {}
func (a AllowedPublicKey) isSetupOption() {}
func (a PeerFilter) isSetupOption() {}

53
src/core/options_test.go Normal file
View file

@ -0,0 +1,53 @@
package core
import (
"net/url"
"testing"
"github.com/yggdrasil-network/yggdrasil-go/src/config"
)
// Tests that duplicate peers in the configuration file
// won't cause an error when the node starts. Otherwise
// we can panic unnecessarily.
func TestDuplicatePeerAtStartup(t *testing.T) {
cfg := config.GenerateConfig()
for i := 0; i < 5; i++ {
cfg.Peers = append(cfg.Peers, "tcp://1.2.3.4:4321")
}
if _, err := New(cfg.Certificate, nil); err != nil {
t.Fatal(err)
}
}
// Tests that duplicate peers given to us through the
// API will still error as expected, even if they didn't
// at startup. We expect to notify the user through the
// admin socket if they try to add a peer that is already
// configured.
func TestDuplicatePeerFromAPI(t *testing.T) {
cfg := config.GenerateConfig()
c, err := New(cfg.Certificate, nil)
if err != nil {
t.Fatal(err)
}
u, _ := url.Parse("tcp://1.2.3.4:4321")
if err := c.AddPeer(u, ""); err != nil {
t.Fatalf("Adding peer failed on first attempt: %s", err)
}
if err := c.AddPeer(u, ""); err == nil {
t.Fatalf("Adding peer should have failed on second attempt")
}
}
func TestAddEmptyPeer(t *testing.T) {
cfg := config.GenerateConfig()
c, err := New(cfg.Certificate, nil)
if err != nil {
t.Fatal(err)
}
u, _ := url.Parse("")
if err := c.AddPeer(u, ""); err == nil {
t.Fatalf("Expected error on empty URL: %s", err)
}
}

17
src/core/pool.go Normal file
View file

@ -0,0 +1,17 @@
package core
import "sync"
var bytePool = sync.Pool{New: func() interface{} { return []byte(nil) }}
func allocBytes(size int) []byte {
bs := bytePool.Get().([]byte)
if cap(bs) < size {
bs = make([]byte, size)
}
return bs[:size]
}
func freeBytes(bs []byte) {
bytePool.Put(bs[:0]) //nolint:staticcheck
}

362
src/core/proto.go Normal file
View file

@ -0,0 +1,362 @@
package core
import (
"crypto/ed25519"
"encoding/hex"
"encoding/json"
"errors"
"fmt"
"net"
"time"
iwt "github.com/Arceliar/ironwood/types"
"github.com/Arceliar/phony"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
)
const (
typeDebugDummy = iota
typeDebugGetSelfRequest
typeDebugGetSelfResponse
typeDebugGetPeersRequest
typeDebugGetPeersResponse
typeDebugGetTreeRequest
typeDebugGetTreeResponse
)
type reqInfo struct {
callback func([]byte)
timer *time.Timer // time.AfterFunc cleanup
}
type keyArray [ed25519.PublicKeySize]byte
type protoHandler struct {
phony.Inbox
core *Core
nodeinfo nodeinfo
selfRequests map[keyArray]*reqInfo
peersRequests map[keyArray]*reqInfo
treeRequests map[keyArray]*reqInfo
}
func (p *protoHandler) init(core *Core) {
p.core = core
p.nodeinfo.init(p)
p.selfRequests = make(map[keyArray]*reqInfo)
p.peersRequests = make(map[keyArray]*reqInfo)
p.treeRequests = make(map[keyArray]*reqInfo)
}
// Common functions
func (p *protoHandler) handleProto(from phony.Actor, key keyArray, bs []byte) {
if len(bs) == 0 {
return
}
switch bs[0] {
case typeProtoDummy:
case typeProtoNodeInfoRequest:
p.nodeinfo.handleReq(p, key)
case typeProtoNodeInfoResponse:
p.nodeinfo.handleRes(p, key, bs[1:])
case typeProtoDebug:
p.handleDebug(from, key, bs[1:])
}
}
func (p *protoHandler) handleDebug(from phony.Actor, key keyArray, bs []byte) {
p.Act(from, func() {
p._handleDebug(key, bs)
})
}
func (p *protoHandler) _handleDebug(key keyArray, bs []byte) {
if len(bs) == 0 {
return
}
switch bs[0] {
case typeDebugDummy:
case typeDebugGetSelfRequest:
p._handleGetSelfRequest(key)
case typeDebugGetSelfResponse:
p._handleGetSelfResponse(key, bs[1:])
case typeDebugGetPeersRequest:
p._handleGetPeersRequest(key)
case typeDebugGetPeersResponse:
p._handleGetPeersResponse(key, bs[1:])
case typeDebugGetTreeRequest:
p._handleGetTreeRequest(key)
case typeDebugGetTreeResponse:
p._handleGetTreeResponse(key, bs[1:])
}
}
func (p *protoHandler) _sendDebug(key keyArray, dType uint8, data []byte) {
var bs []byte
if len(data) == 0 {
bs = []byte{typeSessionProto, typeProtoDebug, dType}
} else {
bs = make([]byte, 3+len(data))
bs[0] = typeSessionProto
bs[1] = typeProtoDebug
bs[2] = dType
copy(bs[3:], data)
}
_, _ = p.core.PacketConn.WriteTo(bs, iwt.Addr(key[:]))
}
func (p *protoHandler) _setDebugRequest(requests map[keyArray]*reqInfo, key keyArray, callback func([]byte), requestType uint8) {
if info := requests[key]; info != nil {
info.timer.Stop()
delete(requests, key)
}
info := &reqInfo{callback: callback}
info.timer = time.AfterFunc(time.Minute, func() {
p.Act(nil, func() {
if requests[key] == info {
delete(requests, key)
}
})
})
requests[key] = info
p._sendDebug(key, requestType, nil)
}
func clearDebugResponse(requests map[keyArray]*reqInfo, key keyArray, bs []byte) {
if info := requests[key]; info != nil {
info.timer.Stop()
info.callback(bs)
delete(requests, key)
}
}
// Get self
func (p *protoHandler) sendGetSelfRequest(key keyArray, callback func([]byte)) {
p.Act(nil, func() {
p._setDebugRequest(p.selfRequests, key, callback, typeDebugGetSelfRequest)
})
}
func (p *protoHandler) _handleGetSelfRequest(key keyArray) {
self := p.core.GetSelf()
res := map[string]string{
"key": hex.EncodeToString(self.Key[:]),
"routing_entries": fmt.Sprintf("%v", self.RoutingEntries),
}
bs, err := json.Marshal(res) // FIXME this puts keys in base64, not hex
if err != nil {
return
}
p._sendDebug(key, typeDebugGetSelfResponse, bs)
}
func (p *protoHandler) _handleGetSelfResponse(key keyArray, bs []byte) {
clearDebugResponse(p.selfRequests, key, bs)
}
// Get peers
func (p *protoHandler) sendGetPeersRequest(key keyArray, callback func([]byte)) {
p.Act(nil, func() {
p._setDebugRequest(p.peersRequests, key, callback, typeDebugGetPeersRequest)
})
}
func (p *protoHandler) _handleGetPeersRequest(key keyArray) {
peers := p.core.GetPeers()
const responseOverhead = 2 // 1 debug type, 1 getpeers type
maxPayload := int(p.core.MTU()) - responseOverhead
if maxPayload < 0 {
maxPayload = 0
}
bs := make([]byte, 0, maxPayload)
for _, pinfo := range peers {
if len(bs)+ed25519.PublicKeySize > maxPayload {
break
}
bs = append(bs, pinfo.Key[:]...)
}
p._sendDebug(key, typeDebugGetPeersResponse, bs)
}
func (p *protoHandler) _handleGetPeersResponse(key keyArray, bs []byte) {
clearDebugResponse(p.peersRequests, key, bs)
}
// Get Tree
func (p *protoHandler) sendGetTreeRequest(key keyArray, callback func([]byte)) {
p.Act(nil, func() {
p._setDebugRequest(p.treeRequests, key, callback, typeDebugGetTreeRequest)
})
}
func (p *protoHandler) _handleGetTreeRequest(key keyArray) {
dinfos := p.core.GetTree()
const responseOverhead = 2 // 1 debug type, 1 gettree type
maxPayload := int(p.core.MTU()) - responseOverhead
if maxPayload < 0 {
maxPayload = 0
}
bs := make([]byte, 0, maxPayload)
for _, dinfo := range dinfos {
if len(bs)+ed25519.PublicKeySize > maxPayload {
break
}
bs = append(bs, dinfo.Key[:]...)
}
p._sendDebug(key, typeDebugGetTreeResponse, bs)
}
func (p *protoHandler) _handleGetTreeResponse(key keyArray, bs []byte) {
clearDebugResponse(p.treeRequests, key, bs)
}
// Admin socket stuff for "Get self"
type DebugGetSelfRequest struct {
Key string `json:"key"`
}
type DebugGetSelfResponse map[string]interface{}
func (p *protoHandler) getSelfHandler(in json.RawMessage) (interface{}, error) {
var req DebugGetSelfRequest
if err := json.Unmarshal(in, &req); err != nil {
return nil, err
}
var key keyArray
var kbs []byte
var err error
if kbs, err = hex.DecodeString(req.Key); err != nil {
return nil, err
}
if len(kbs) != ed25519.PublicKeySize {
return nil, fmt.Errorf("invalid public key length")
}
copy(key[:], kbs)
ch := make(chan []byte, 1)
p.sendGetSelfRequest(key, func(info []byte) {
ch <- info
})
select {
case <-time.After(6 * time.Second):
return nil, errors.New("timeout")
case info := <-ch:
var msg json.RawMessage
if err := msg.UnmarshalJSON(info); err != nil {
return nil, err
}
ip := net.IP(address.AddrForKey(kbs)[:])
res := DebugGetSelfResponse{ip.String(): msg}
return res, nil
}
}
// Admin socket stuff for "Get peers"
type DebugGetPeersRequest struct {
Key string `json:"key"`
}
type DebugGetPeersResponse map[string]interface{}
func (p *protoHandler) getPeersHandler(in json.RawMessage) (interface{}, error) {
var req DebugGetPeersRequest
if err := json.Unmarshal(in, &req); err != nil {
return nil, err
}
var key keyArray
var kbs []byte
var err error
if kbs, err = hex.DecodeString(req.Key); err != nil {
return nil, err
}
if len(kbs) != ed25519.PublicKeySize {
return nil, fmt.Errorf("invalid public key length")
}
copy(key[:], kbs)
ch := make(chan []byte, 1)
p.sendGetPeersRequest(key, func(info []byte) {
ch <- info
})
select {
case <-time.After(6 * time.Second):
return nil, errors.New("timeout")
case info := <-ch:
ks := make(map[string][]string)
bs := info
for len(bs) >= len(key) {
ks["keys"] = append(ks["keys"], hex.EncodeToString(bs[:len(key)]))
bs = bs[len(key):]
}
js, err := json.Marshal(ks)
if err != nil {
return nil, err
}
var msg json.RawMessage
if err := msg.UnmarshalJSON(js); err != nil {
return nil, err
}
ip := net.IP(address.AddrForKey(kbs)[:])
res := DebugGetPeersResponse{ip.String(): msg}
return res, nil
}
}
// Admin socket stuff for "Get Tree"
type DebugGetTreeRequest struct {
Key string `json:"key"`
}
type DebugGetTreeResponse map[string]interface{}
func (p *protoHandler) getTreeHandler(in json.RawMessage) (interface{}, error) {
var req DebugGetTreeRequest
if err := json.Unmarshal(in, &req); err != nil {
return nil, err
}
var key keyArray
var kbs []byte
var err error
if kbs, err = hex.DecodeString(req.Key); err != nil {
return nil, err
}
if len(kbs) != ed25519.PublicKeySize {
return nil, fmt.Errorf("invalid public key length")
}
copy(key[:], kbs)
ch := make(chan []byte, 1)
p.sendGetTreeRequest(key, func(info []byte) {
ch <- info
})
select {
case <-time.After(6 * time.Second):
return nil, errors.New("timeout")
case info := <-ch:
ks := make(map[string][]string)
bs := info
for len(bs) >= len(key) {
ks["keys"] = append(ks["keys"], hex.EncodeToString(bs[:len(key)]))
bs = bs[len(key):]
}
js, err := json.Marshal(ks)
if err != nil {
return nil, err
}
var msg json.RawMessage
if err := msg.UnmarshalJSON(js); err != nil {
return nil, err
}
ip := net.IP(address.AddrForKey(kbs)[:])
res := DebugGetTreeResponse{ip.String(): msg}
return res, nil
}
}

29
src/core/tls.go Normal file
View file

@ -0,0 +1,29 @@
package core
import (
"crypto/tls"
"crypto/x509"
)
func (c *Core) generateTLSConfig(cert *tls.Certificate) (*tls.Config, error) {
config := &tls.Config{
Certificates: []tls.Certificate{*cert},
ClientAuth: tls.NoClientCert,
GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
return cert, nil
},
VerifyPeerCertificate: c.verifyTLSCertificate,
VerifyConnection: c.verifyTLSConnection,
InsecureSkipVerify: true,
MinVersion: tls.VersionTLS13,
}
return config, nil
}
func (c *Core) verifyTLSCertificate(_ [][]byte, _ [][]*x509.Certificate) error {
return nil
}
func (c *Core) verifyTLSConnection(_ tls.ConnectionState) error {
return nil
}

16
src/core/types.go Normal file
View file

@ -0,0 +1,16 @@
package core
// In-band packet types
const (
typeSessionDummy = iota // nolint:deadcode,varcheck
typeSessionTraffic
typeSessionProto
)
// Protocol packet types
const (
typeProtoDummy = iota
typeProtoNodeInfoRequest
typeProtoNodeInfoResponse
typeProtoDebug = 255
)

169
src/core/version.go Normal file
View file

@ -0,0 +1,169 @@
package core
// This file contains the version metadata struct
// Used in the initial connection setup and key exchange
// Some of this could arguably go in wire.go instead
import (
"bytes"
"crypto/ed25519"
"encoding/binary"
"io"
"golang.org/x/crypto/blake2b"
)
// This is the version-specific metadata exchanged at the start of a connection.
// It must always begin with the 4 bytes "meta" and a wire formatted uint64 major version number.
// The current version also includes a minor version number, and the box/sig/link keys that need to be exchanged to open a connection.
type version_metadata struct {
majorVer uint16
minorVer uint16
publicKey ed25519.PublicKey
priority uint8
}
const (
ProtocolVersionMajor uint16 = 0
ProtocolVersionMinor uint16 = 5
)
// Once a major/minor version is released, it is not safe to change any of these
// (including their ordering), it is only safe to add new ones.
const (
metaVersionMajor uint16 = iota // uint16
metaVersionMinor // uint16
metaPublicKey // [32]byte
metaPriority // uint8
)
type handshakeError string
func (e handshakeError) Error() string { return string(e) }
const ErrHandshakeInvalidPreamble = handshakeError("invalid handshake, remote side is not Kaya")
const ErrHandshakeInvalidLength = handshakeError("invalid handshake length, possible version mismatch")
const ErrHandshakeInvalidPassword = handshakeError("invalid password supplied, check your config")
const ErrHandshakeHashFailure = handshakeError("invalid hash length")
const ErrHandshakeIncorrectPassword = handshakeError("password does not match remote side")
// Gets a base metadata with no keys set, but with the correct version numbers.
func version_getBaseMetadata() version_metadata {
return version_metadata{
majorVer: ProtocolVersionMajor,
minorVer: ProtocolVersionMinor,
}
}
// Encodes version metadata into its wire format.
func (m *version_metadata) encode(privateKey ed25519.PrivateKey, password []byte) ([]byte, error) {
bs := make([]byte, 0, 64)
bs = append(bs, 'm', 'e', 't', 'a')
bs = append(bs, 0, 0) // Remaining message length
bs = binary.BigEndian.AppendUint16(bs, metaVersionMajor)
bs = binary.BigEndian.AppendUint16(bs, 2)
bs = binary.BigEndian.AppendUint16(bs, m.majorVer)
bs = binary.BigEndian.AppendUint16(bs, metaVersionMinor)
bs = binary.BigEndian.AppendUint16(bs, 2)
bs = binary.BigEndian.AppendUint16(bs, m.minorVer)
bs = binary.BigEndian.AppendUint16(bs, metaPublicKey)
bs = binary.BigEndian.AppendUint16(bs, ed25519.PublicKeySize)
bs = append(bs, m.publicKey[:]...)
bs = binary.BigEndian.AppendUint16(bs, metaPriority)
bs = binary.BigEndian.AppendUint16(bs, 1)
bs = append(bs, m.priority)
hasher, err := blake2b.New512(password)
if err != nil {
return nil, err
}
n, err := hasher.Write(m.publicKey)
if err != nil {
return nil, err
}
if n != ed25519.PublicKeySize {
return nil, ErrHandshakeHashFailure
}
hash := hasher.Sum(nil)
bs = append(bs, ed25519.Sign(privateKey, hash)...)
binary.BigEndian.PutUint16(bs[4:6], uint16(len(bs)-6))
return bs, nil
}
// Decodes version metadata from its wire format into the struct.
func (m *version_metadata) decode(r io.Reader, password []byte) error {
bh := [6]byte{}
if _, err := io.ReadFull(r, bh[:]); err != nil {
return err
}
meta := [4]byte{'m', 'e', 't', 'a'}
if !bytes.Equal(bh[:4], meta[:]) {
return ErrHandshakeInvalidPreamble
}
hl := binary.BigEndian.Uint16(bh[4:6])
if hl < ed25519.SignatureSize {
return ErrHandshakeInvalidLength
}
bs := make([]byte, hl)
if _, err := io.ReadFull(r, bs); err != nil {
return err
}
sig := bs[len(bs)-ed25519.SignatureSize:]
bs = bs[:len(bs)-ed25519.SignatureSize]
for len(bs) >= 4 {
op := binary.BigEndian.Uint16(bs[:2])
oplen := binary.BigEndian.Uint16(bs[2:4])
if bs = bs[4:]; len(bs) < int(oplen) {
break
}
switch op {
case metaVersionMajor:
m.majorVer = binary.BigEndian.Uint16(bs[:2])
case metaVersionMinor:
m.minorVer = binary.BigEndian.Uint16(bs[:2])
case metaPublicKey:
m.publicKey = make(ed25519.PublicKey, ed25519.PublicKeySize)
copy(m.publicKey, bs[:ed25519.PublicKeySize])
case metaPriority:
m.priority = bs[0]
}
bs = bs[oplen:]
}
hasher, err := blake2b.New512(password)
if err != nil {
return ErrHandshakeInvalidPassword
}
n, err := hasher.Write(m.publicKey)
if err != nil || n != ed25519.PublicKeySize {
return ErrHandshakeHashFailure
}
hash := hasher.Sum(nil)
if !ed25519.Verify(m.publicKey, hash, sig) {
return ErrHandshakeIncorrectPassword
}
return nil
}
// Checks that the "meta" bytes and the version numbers are the expected values.
func (m *version_metadata) check() bool {
switch {
case m.majorVer != ProtocolVersionMajor:
return false
case m.minorVer != ProtocolVersionMinor:
return false
case len(m.publicKey) != ed25519.PublicKeySize:
return false
default:
return true
}
}

78
src/core/version_test.go Normal file
View file

@ -0,0 +1,78 @@
package core
import (
"bytes"
"crypto/ed25519"
"reflect"
"testing"
)
func TestVersionPasswordAuth(t *testing.T) {
for _, tt := range []struct {
password1 []byte // The password on node 1
password2 []byte // The password on node 2
allowed bool // Should the connection have been allowed?
}{
{nil, nil, true}, // Allow: No passwords (both nil)
{nil, []byte(""), true}, // Allow: No passwords (mixed nil and empty string)
{nil, []byte("foo"), false}, // Reject: One node has a password, the other doesn't
{[]byte("foo"), []byte(""), false}, // Reject: One node has a password, the other doesn't
{[]byte("foo"), []byte("foo"), true}, // Allow: Same password
{[]byte("foo"), []byte("bar"), false}, // Reject: Different passwords
} {
pk1, sk1, err := ed25519.GenerateKey(nil)
if err != nil {
t.Fatalf("Node 1 failed to generate key: %s", err)
}
metadata1 := &version_metadata{
publicKey: pk1,
}
encoded, err := metadata1.encode(sk1, tt.password1)
if err != nil {
t.Fatalf("Node 1 failed to encode metadata: %s", err)
}
var decoded version_metadata
if allowed := decoded.decode(bytes.NewBuffer(encoded), tt.password2) == nil; allowed != tt.allowed {
t.Fatalf("Permutation %q -> %q should have been %v but was %v", tt.password1, tt.password2, tt.allowed, allowed)
}
}
}
func TestVersionRoundtrip(t *testing.T) {
for _, password := range [][]byte{
nil, []byte(""), []byte("foo"),
} {
for _, test := range []*version_metadata{
{majorVer: 1},
{majorVer: 256},
{majorVer: 2, minorVer: 4},
{majorVer: 2, minorVer: 257},
{majorVer: 258, minorVer: 259},
{majorVer: 3, minorVer: 5, priority: 6},
{majorVer: 260, minorVer: 261, priority: 7},
} {
// Generate a random public key for each time, since it is
// a required field.
pk, sk, err := ed25519.GenerateKey(nil)
if err != nil {
t.Fatal(err)
}
test.publicKey = pk
meta, err := test.encode(sk, password)
if err != nil {
t.Fatal(err)
}
encoded := bytes.NewBuffer(meta)
decoded := &version_metadata{}
if err := decoded.decode(encoded, password); err != nil {
t.Fatalf("failed to decode: %s", err)
}
if !reflect.DeepEqual(test, decoded) {
t.Fatalf("round-trip failed\nwant: %+v\n got: %+v", test, decoded)
}
}
}
}

80
src/ipv6rwc/icmpv6.go Normal file
View file

@ -0,0 +1,80 @@
package ipv6rwc
// The ICMPv6 module implements functions to easily create ICMPv6
// packets. These functions, when mixed with the built-in Go IPv6
// and ICMP libraries, can be used to send control messages back
// to the host. Examples include:
// - NDP messages, when running in TAP mode
// - Packet Too Big messages, when packets exceed the session MTU
// - Destination Unreachable messages, when a session prohibits
// incoming traffic
import (
"encoding/binary"
"net"
"golang.org/x/net/icmp"
"golang.org/x/net/ipv6"
)
type ICMPv6 struct{}
// Marshal returns the binary encoding of h.
func ipv6Header_Marshal(h *ipv6.Header) ([]byte, error) {
b := make([]byte, 40)
b[0] |= byte(h.Version) << 4
b[0] |= byte(h.TrafficClass) >> 4
b[1] |= byte(h.TrafficClass) << 4
b[1] |= byte(h.FlowLabel >> 16)
b[2] = byte(h.FlowLabel >> 8)
b[3] = byte(h.FlowLabel)
binary.BigEndian.PutUint16(b[4:6], uint16(h.PayloadLen))
b[6] = byte(h.NextHeader)
b[7] = byte(h.HopLimit)
copy(b[8:24], h.Src)
copy(b[24:40], h.Dst)
return b, nil
}
// Creates an ICMPv6 packet based on the given icmp.MessageBody and other
// parameters, complete with IP headers only, which can be written directly to
// a TUN adapter, or called directly by the CreateICMPv6L2 function when
// generating a message for TAP adapters.
func CreateICMPv6(dst net.IP, src net.IP, mtype ipv6.ICMPType, mcode int, mbody icmp.MessageBody) ([]byte, error) {
// Create the ICMPv6 message
icmpMessage := icmp.Message{
Type: mtype,
Code: mcode,
Body: mbody,
}
// Convert the ICMPv6 message into []byte
icmpMessageBuf, err := icmpMessage.Marshal(icmp.IPv6PseudoHeader(src, dst))
if err != nil {
return nil, err
}
// Create the IPv6 header
ipv6Header := ipv6.Header{
Version: ipv6.Version,
NextHeader: 58,
PayloadLen: len(icmpMessageBuf),
HopLimit: 255,
Src: src,
Dst: dst,
}
// Convert the IPv6 header into []byte
ipv6HeaderBuf, err := ipv6Header_Marshal(&ipv6Header)
if err != nil {
return nil, err
}
// Construct the packet
responsePacket := make([]byte, ipv6.HeaderLen+ipv6Header.PayloadLen)
copy(responsePacket[:ipv6.HeaderLen], ipv6HeaderBuf)
copy(responsePacket[ipv6.HeaderLen:], icmpMessageBuf)
// Send it back
return responsePacket, nil
}

368
src/ipv6rwc/ipv6rwc.go Normal file
View file

@ -0,0 +1,368 @@
package ipv6rwc
import (
"crypto/ed25519"
"errors"
"fmt"
"net"
"sync"
"time"
"golang.org/x/net/icmp"
"golang.org/x/net/ipv6"
iwt "github.com/Arceliar/ironwood/types"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
"github.com/yggdrasil-network/yggdrasil-go/src/core"
)
const keyStoreTimeout = 2 * time.Minute
/*
// Out-of-band packet types
const (
typeKeyDummy = iota // nolint:deadcode,varcheck
typeKeyLookup
typeKeyResponse
)
*/
type keyArray [ed25519.PublicKeySize]byte
type keyStore struct {
core *core.Core
address address.Address
subnet address.Subnet
mutex sync.Mutex
keyToInfo map[keyArray]*keyInfo
addrToInfo map[address.Address]*keyInfo
addrBuffer map[address.Address]*buffer
subnetToInfo map[address.Subnet]*keyInfo
subnetBuffer map[address.Subnet]*buffer
mtu uint64
}
type keyInfo struct {
key keyArray
address address.Address
subnet address.Subnet
timeout *time.Timer // From calling a time.AfterFunc to do cleanup
}
type buffer struct {
packet []byte
timeout *time.Timer
}
func (k *keyStore) init(c *core.Core) {
k.core = c
k.address = *address.AddrForKey(k.core.PublicKey())
k.subnet = *address.SubnetForKey(k.core.PublicKey())
/*if err := k.core.SetOutOfBandHandler(k.oobHandler); err != nil {
err = fmt.Errorf("tun.core.SetOutOfBandHander: %w", err)
panic(err)
}*/
k.core.SetPathNotify(func(key ed25519.PublicKey) {
k.update(key)
})
k.keyToInfo = make(map[keyArray]*keyInfo)
k.addrToInfo = make(map[address.Address]*keyInfo)
k.addrBuffer = make(map[address.Address]*buffer)
k.subnetToInfo = make(map[address.Subnet]*keyInfo)
k.subnetBuffer = make(map[address.Subnet]*buffer)
k.mtu = 1280 // Default to something safe, expect user to set this
}
func (k *keyStore) sendToAddress(addr address.Address, bs []byte) {
k.mutex.Lock()
if info := k.addrToInfo[addr]; info != nil {
k.resetTimeout(info)
k.mutex.Unlock()
_, _ = k.core.WriteTo(bs, iwt.Addr(info.key[:]))
} else {
var buf *buffer
if buf = k.addrBuffer[addr]; buf == nil {
buf = new(buffer)
k.addrBuffer[addr] = buf
}
msg := append([]byte(nil), bs...)
buf.packet = msg
if buf.timeout != nil {
buf.timeout.Stop()
}
buf.timeout = time.AfterFunc(keyStoreTimeout, func() {
k.mutex.Lock()
defer k.mutex.Unlock()
if nbuf := k.addrBuffer[addr]; nbuf == buf {
delete(k.addrBuffer, addr)
}
})
k.mutex.Unlock()
k.sendKeyLookup(addr.GetKey())
}
}
func (k *keyStore) sendToSubnet(subnet address.Subnet, bs []byte) {
k.mutex.Lock()
if info := k.subnetToInfo[subnet]; info != nil {
k.resetTimeout(info)
k.mutex.Unlock()
_, _ = k.core.WriteTo(bs, iwt.Addr(info.key[:]))
} else {
var buf *buffer
if buf = k.subnetBuffer[subnet]; buf == nil {
buf = new(buffer)
k.subnetBuffer[subnet] = buf
}
msg := append([]byte(nil), bs...)
buf.packet = msg
if buf.timeout != nil {
buf.timeout.Stop()
}
buf.timeout = time.AfterFunc(keyStoreTimeout, func() {
k.mutex.Lock()
defer k.mutex.Unlock()
if nbuf := k.subnetBuffer[subnet]; nbuf == buf {
delete(k.subnetBuffer, subnet)
}
})
k.mutex.Unlock()
k.sendKeyLookup(subnet.GetKey())
}
}
func (k *keyStore) update(key ed25519.PublicKey) *keyInfo {
k.mutex.Lock()
var kArray keyArray
copy(kArray[:], key)
var info *keyInfo
var packets [][]byte
if info = k.keyToInfo[kArray]; info == nil {
info = new(keyInfo)
info.key = kArray
info.address = *address.AddrForKey(ed25519.PublicKey(info.key[:]))
info.subnet = *address.SubnetForKey(ed25519.PublicKey(info.key[:]))
k.keyToInfo[info.key] = info
k.addrToInfo[info.address] = info
k.subnetToInfo[info.subnet] = info
if buf := k.addrBuffer[info.address]; buf != nil {
packets = append(packets, buf.packet)
delete(k.addrBuffer, info.address)
}
if buf := k.subnetBuffer[info.subnet]; buf != nil {
packets = append(packets, buf.packet)
delete(k.subnetBuffer, info.subnet)
}
}
k.resetTimeout(info)
k.mutex.Unlock()
for _, packet := range packets {
_, _ = k.core.WriteTo(packet, iwt.Addr(info.key[:]))
}
return info
}
func (k *keyStore) resetTimeout(info *keyInfo) {
if info.timeout != nil {
info.timeout.Stop()
}
info.timeout = time.AfterFunc(keyStoreTimeout, func() {
k.mutex.Lock()
defer k.mutex.Unlock()
if nfo := k.keyToInfo[info.key]; nfo == info {
delete(k.keyToInfo, info.key)
}
if nfo := k.addrToInfo[info.address]; nfo == info {
delete(k.addrToInfo, info.address)
}
if nfo := k.subnetToInfo[info.subnet]; nfo == info {
delete(k.subnetToInfo, info.subnet)
}
})
}
/*
func (k *keyStore) oobHandler(fromKey, toKey ed25519.PublicKey, data []byte) { // nolint:unused
if len(data) != 1+ed25519.SignatureSize {
return
}
sig := data[1:]
switch data[0] {
case typeKeyLookup:
snet := *address.SubnetForKey(toKey)
if snet == k.subnet && ed25519.Verify(fromKey, toKey[:], sig) {
// This is looking for at least our subnet (possibly our address)
// Send a response
k.sendKeyResponse(fromKey)
}
case typeKeyResponse:
// TODO keep a list of something to match against...
// Ignore the response if it doesn't match anything of interest...
if ed25519.Verify(fromKey, toKey[:], sig) {
k.update(fromKey)
}
}
}
*/
func (k *keyStore) sendKeyLookup(partial ed25519.PublicKey) {
/*
sig := ed25519.Sign(k.core.PrivateKey(), partial[:])
bs := append([]byte{typeKeyLookup}, sig...)
//_ = k.core.SendOutOfBand(partial, bs)
_ = bs
*/
k.core.SendLookup(partial)
}
/*
func (k *keyStore) sendKeyResponse(dest ed25519.PublicKey) { // nolint:unused
sig := ed25519.Sign(k.core.PrivateKey(), dest[:])
bs := append([]byte{typeKeyResponse}, sig...)
//_ = k.core.SendOutOfBand(dest, bs)
_ = bs
}
*/
func (k *keyStore) readPC(p []byte) (int, error) {
buf := make([]byte, k.core.MTU(), 65535)
for {
bs := buf
n, from, err := k.core.ReadFrom(bs)
if err != nil {
return n, err
}
if n == 0 {
continue
}
bs = bs[:n]
if len(bs) == 0 {
continue
}
if bs[0]&0xf0 != 0x60 {
continue // not IPv6
}
if len(bs) < 40 {
continue
}
k.mutex.Lock()
mtu := int(k.mtu)
k.mutex.Unlock()
if len(bs) > mtu {
// Using bs would make it leak off the stack, so copy to buf
buf := make([]byte, 512)
cn := copy(buf, bs)
ptb := &icmp.PacketTooBig{
MTU: mtu,
Data: buf[:cn],
}
if packet, err := CreateICMPv6(buf[8:24], buf[24:40], ipv6.ICMPTypePacketTooBig, 0, ptb); err == nil {
_, _ = k.writePC(packet)
}
continue
}
var srcAddr, dstAddr address.Address
var srcSubnet, dstSubnet address.Subnet
copy(srcAddr[:], bs[8:])
copy(dstAddr[:], bs[24:])
copy(srcSubnet[:], bs[8:])
copy(dstSubnet[:], bs[24:])
if dstAddr != k.address && dstSubnet != k.subnet {
continue // bad local address/subnet
}
info := k.update(ed25519.PublicKey(from.(iwt.Addr)))
if srcAddr != info.address && srcSubnet != info.subnet {
continue // bad remote address/subnet
}
n = copy(p, bs)
return n, nil
}
}
func (k *keyStore) writePC(bs []byte) (int, error) {
if bs[0]&0xf0 != 0x60 {
return 0, errors.New("not an IPv6 packet") // not IPv6
}
if len(bs) < 40 {
strErr := fmt.Sprint("undersized IPv6 packet, length: ", len(bs))
return 0, errors.New(strErr)
}
var srcAddr, dstAddr address.Address
var srcSubnet, dstSubnet address.Subnet
copy(srcAddr[:], bs[8:])
copy(dstAddr[:], bs[24:])
copy(srcSubnet[:], bs[8:])
copy(dstSubnet[:], bs[24:])
if srcAddr != k.address && srcSubnet != k.subnet {
// This happens all the time due to link-local traffic
// Don't send back an error, just drop it
strErr := fmt.Sprint("incorrect source address: ", net.IP(srcAddr[:]).String())
return 0, errors.New(strErr)
}
if dstAddr.IsValid() {
k.sendToAddress(dstAddr, bs)
} else if dstSubnet.IsValid() {
k.sendToSubnet(dstSubnet, bs)
} else {
return 0, errors.New("invalid destination address")
}
return len(bs), nil
}
// Exported API
func (k *keyStore) MaxMTU() uint64 {
return k.core.MTU()
}
func (k *keyStore) SetMTU(mtu uint64) {
if mtu > k.MaxMTU() {
mtu = k.MaxMTU()
}
if mtu < 1280 {
mtu = 1280
}
k.mutex.Lock()
k.mtu = mtu
k.mutex.Unlock()
}
func (k *keyStore) MTU() uint64 {
k.mutex.Lock()
mtu := k.mtu
k.mutex.Unlock()
return mtu
}
type ReadWriteCloser struct {
keyStore
}
func NewReadWriteCloser(c *core.Core) *ReadWriteCloser {
rwc := new(ReadWriteCloser)
rwc.init(c)
return rwc
}
func (rwc *ReadWriteCloser) Address() address.Address {
return rwc.address
}
func (rwc *ReadWriteCloser) Subnet() address.Subnet {
return rwc.subnet
}
func (rwc *ReadWriteCloser) Read(p []byte) (n int, err error) {
return rwc.readPC(p)
}
func (rwc *ReadWriteCloser) Write(p []byte) (n int, err error) {
return rwc.writePC(p)
}
func (rwc *ReadWriteCloser) Close() error {
err := rwc.core.Close()
rwc.core.Stop()
return err
}

64
src/multicast/admin.go Normal file
View file

@ -0,0 +1,64 @@
package multicast
import (
"encoding/json"
"slices"
"strings"
"github.com/Arceliar/phony"
"github.com/yggdrasil-network/yggdrasil-go/src/admin"
)
type GetMulticastInterfacesRequest struct{}
type GetMulticastInterfacesResponse struct {
Interfaces []MulticastInterfaceState `json:"multicast_interfaces"`
}
type MulticastInterfaceState struct {
Name string `json:"name"`
Address string `json:"address"`
Beacon bool `json:"beacon"`
Listen bool `json:"listen"`
Password bool `json:"password"`
}
func (m *Multicast) getMulticastInterfacesHandler(_ *GetMulticastInterfacesRequest, res *GetMulticastInterfacesResponse) error {
res.Interfaces = []MulticastInterfaceState{}
phony.Block(m, func() {
for name, intf := range m._interfaces {
is := MulticastInterfaceState{
Name: intf.iface.Name,
Beacon: intf.beacon,
Listen: intf.listen,
Password: len(intf.password) > 0,
}
if li := m._listeners[name]; li != nil && li.listener != nil {
is.Address = li.listener.Addr().String()
} else {
is.Address = "-"
}
res.Interfaces = append(res.Interfaces, is)
}
})
slices.SortStableFunc(res.Interfaces, func(a, b MulticastInterfaceState) int {
return strings.Compare(a.Name, b.Name)
})
return nil
}
func (m *Multicast) SetupAdminHandlers(a *admin.AdminSocket) {
_ = a.AddHandler(
"getMulticastInterfaces", "Show which interfaces multicast is enabled on", []string{},
func(in json.RawMessage) (interface{}, error) {
req := &GetMulticastInterfacesRequest{}
res := &GetMulticastInterfacesResponse{}
if err := json.Unmarshal(in, &req); err != nil {
return nil, err
}
if err := m.getMulticastInterfacesHandler(req, res); err != nil {
return nil, err
}
return res, nil
},
)
}

39
src/multicast/advertisement.go Normal file
View file

@ -0,0 +1,39 @@
package multicast
import (
"crypto/ed25519"
"encoding/binary"
"fmt"
)
type multicastAdvertisement struct {
MajorVersion uint16
MinorVersion uint16
PublicKey ed25519.PublicKey
Port uint16
Hash []byte
}
func (m *multicastAdvertisement) MarshalBinary() ([]byte, error) {
b := make([]byte, 0, ed25519.PublicKeySize+8+len(m.Hash))
b = binary.BigEndian.AppendUint16(b, m.MajorVersion)
b = binary.BigEndian.AppendUint16(b, m.MinorVersion)
b = append(b, m.PublicKey...)
b = binary.BigEndian.AppendUint16(b, m.Port)
b = binary.BigEndian.AppendUint16(b, uint16(len(m.Hash)))
b = append(b, m.Hash...)
return b, nil
}
func (m *multicastAdvertisement) UnmarshalBinary(b []byte) error {
if len(b) < ed25519.PublicKeySize+8 {
return fmt.Errorf("invalid multicast beacon")
}
m.MajorVersion = binary.BigEndian.Uint16(b[0:2])
m.MinorVersion = binary.BigEndian.Uint16(b[2:4])
m.PublicKey = append(m.PublicKey[:0], b[4:4+ed25519.PublicKeySize]...)
m.Port = binary.BigEndian.Uint16(b[4+ed25519.PublicKeySize : 6+ed25519.PublicKeySize])
dl := binary.BigEndian.Uint16(b[6+ed25519.PublicKeySize : 8+ed25519.PublicKeySize])
m.Hash = append(m.Hash[:0], b[8+ed25519.PublicKeySize:8+ed25519.PublicKeySize+dl]...)
return nil
}

38
src/multicast/advertisement_test.go Normal file
View file

@ -0,0 +1,38 @@
package multicast
import (
"crypto/ed25519"
"reflect"
"testing"
)
func TestMulticastAdvertisementRoundTrip(t *testing.T) {
pk, sk, err := ed25519.GenerateKey(nil)
if err != nil {
t.Fatal(err)
}
orig := multicastAdvertisement{
MajorVersion: 1,
MinorVersion: 2,
PublicKey: pk,
Port: 3,
Hash: sk, // any bytes will do
}
ob, err := orig.MarshalBinary()
if err != nil {
t.Fatal(err)
}
var new multicastAdvertisement
if err := new.UnmarshalBinary(ob); err != nil {
t.Fatal(err)
}
if !reflect.DeepEqual(orig, new) {
t.Logf("original: %+v", orig)
t.Logf("new: %+v", new)
t.Fatalf("differences found after round-trip")
}
}

454
src/multicast/multicast.go Normal file
View file

@ -0,0 +1,454 @@
package multicast
import (
"bytes"
"context"
"crypto/ed25519"
"encoding/hex"
"fmt"
"math/rand"
"net"
"net/url"
"sync/atomic"
"time"
"github.com/Arceliar/phony"
"github.com/gologme/log"
"github.com/wlynxg/anet"
"github.com/yggdrasil-network/yggdrasil-go/src/core"
"golang.org/x/crypto/blake2b"
"golang.org/x/net/ipv6"
)
// Multicast represents the multicast advertisement and discovery mechanism used
// by Kaya to find peers on the same subnet. When a beacon is received on a
// configured multicast interface, Kaya will attempt to peer with that node
// automatically.
type Multicast struct {
phony.Inbox
core *core.Core
log *log.Logger
sock *ipv6.PacketConn
running atomic.Bool
_listeners map[string]*listenerInfo
_interfaces map[string]*interfaceInfo
_timer *time.Timer
config struct {
_groupAddr GroupAddress
_interfaces map[MulticastInterface]struct{}
}
}
type interfaceInfo struct {
iface net.Interface
addrs []net.Addr
beacon bool
listen bool
port uint16
priority uint8
password []byte
hash []byte
}
type listenerInfo struct {
listener *core.Listener
time time.Time
interval time.Duration
port uint16
}
// Start starts the multicast interface. This launches goroutines which will
// listen for multicast beacons from other hosts and will advertise multicast
// beacons out to the network.
func New(core *core.Core, log *log.Logger, opts ...SetupOption) (*Multicast, error) {
m := &Multicast{
core: core,
log: log,
_listeners: make(map[string]*listenerInfo),
_interfaces: make(map[string]*interfaceInfo),
}
m.config._interfaces = map[MulticastInterface]struct{}{}
m.config._groupAddr = GroupAddress("[ff02::114]:9001")
for _, opt := range opts {
m._applyOption(opt)
}
var err error
phony.Block(m, func() {
err = m._start()
})
return m, err
}
func (m *Multicast) _start() error {
if !m.running.CompareAndSwap(false, true) {
return fmt.Errorf("multicast module is already started")
}
var anyEnabled bool
for intf := range m.config._interfaces {
anyEnabled = anyEnabled || intf.Beacon || intf.Listen
}
if !anyEnabled {
m.running.Store(false)
return nil
}
m.log.Debugln("Starting multicast module")
defer m.log.Debugln("Started multicast module")
addr, err := net.ResolveUDPAddr("udp", string(m.config._groupAddr))
if err != nil {
m.running.Store(false)
return err
}
listenString := fmt.Sprintf("[::]:%v", addr.Port)
lc := net.ListenConfig{
Control: m.multicastReuse,
}
conn, err := lc.ListenPacket(context.Background(), "udp6", listenString)
if err != nil {
m.running.Store(false)
return err
}
m.sock = ipv6.NewPacketConn(conn)
if err = m.sock.SetControlMessage(ipv6.FlagDst, true); err != nil { // nolint:staticcheck
// Windows can't set this flag, so we need to handle it in other ways
}
go m.listen()
m.Act(nil, m._multicastStarted)
m.Act(nil, m._announce)
return nil
}
// IsStarted returns true if the module has been started.
func (m *Multicast) IsStarted() bool {
return m.running.Load()
}
// Stop stops the multicast module.
func (m *Multicast) Stop() error {
var err error
phony.Block(m, func() {
err = m._stop()
})
m.log.Debugln("Stopped multicast module")
return err
}
func (m *Multicast) _stop() error {
if !m.running.CompareAndSwap(true, false) {
return nil
}
m.log.Infoln("Stopping multicast module")
if m.sock != nil {
m.sock.Close()
}
return nil
}
func (m *Multicast) _updateInterfaces() {
interfaces := m._getAllowedInterfaces()
for name, info := range interfaces {
// 'anet' package is used here to avoid https://github.com/golang/go/issues/40569
addrs, err := anet.InterfaceAddrsByInterface(&info.iface)
if err != nil {
m.log.Warnf("Failed up get addresses for interface %s: %s", name, err)
delete(interfaces, name)
continue
}
for _, addr := range addrs {
addrIP, _, err := net.ParseCIDR(addr.String())
if err != nil || addrIP.To4() != nil || !addrIP.IsLinkLocalUnicast() {
continue
}
info.addrs = append(info.addrs, addr)
}
interfaces[name] = info
m.log.Debugf("Discovered addresses for interface %s: %s", name, addrs)
}
m._interfaces = interfaces
}
func (m *Multicast) Interfaces() map[string]net.Interface {
interfaces := make(map[string]net.Interface)
phony.Block(m, func() {
for _, info := range m._interfaces {
interfaces[info.iface.Name] = info.iface
}
})
return interfaces
}
// getAllowedInterfaces returns the currently known/enabled multicast interfaces.
func (m *Multicast) _getAllowedInterfaces() map[string]*interfaceInfo {
interfaces := make(map[string]*interfaceInfo)
// Ask the system for network interfaces
// 'anet' package is used here to avoid https://github.com/golang/go/issues/40569
allifaces, err := anet.Interfaces()
if err != nil {
// Don't panic, since this may be from e.g. too many open files (from too much connection spam)
m.log.Debugf("Failed to get interfaces: %s", err)
return nil
}
// Work out which interfaces to announce on
pk := m.core.PublicKey()
for _, iface := range allifaces {
switch {
case iface.Flags&net.FlagUp == 0:
continue // Ignore interfaces that are down
case iface.Flags&net.FlagRunning == 0:
continue // Ignore interfaces that are not running
case iface.Flags&net.FlagMulticast == 0:
continue // Ignore non-multicast interfaces
case iface.Flags&net.FlagPointToPoint != 0:
continue // Ignore point-to-point interfaces
}
for ifcfg := range m.config._interfaces {
// Compile each regular expression
// Does the interface match the regular expression? Store it if so
if !ifcfg.Beacon && !ifcfg.Listen {
continue
}
if !ifcfg.Regex.MatchString(iface.Name) {
continue
}
hasher, err := blake2b.New512([]byte(ifcfg.Password))
if err != nil {
continue
}
if n, err := hasher.Write(pk); err != nil {
continue
} else if n != ed25519.PublicKeySize {
continue
}
interfaces[iface.Name] = &interfaceInfo{
iface: iface,
beacon: ifcfg.Beacon,
listen: ifcfg.Listen,
port: ifcfg.Port,
priority: ifcfg.Priority,
password: []byte(ifcfg.Password),
hash: hasher.Sum(nil),
}
break
}
}
return interfaces
}
func (m *Multicast) AnnounceNow() {
phony.Block(m, func() {
if m._timer != nil && !m._timer.Stop() {
<-m._timer.C
}
m.Act(nil, m._announce)
})
}
func (m *Multicast) _announce() {
if !m.running.Load() {
return
}
m._updateInterfaces()
groupAddr, err := net.ResolveUDPAddr("udp6", string(m.config._groupAddr))
if err != nil {
panic(err)
}
destAddr, err := net.ResolveUDPAddr("udp6", string(m.config._groupAddr))
if err != nil {
panic(err)
}
// There might be interfaces that we configured listeners for but are no
// longer up - if that's the case then we should stop the listeners
for name, info := range m._listeners {
// Prepare our stop function!
stop := func() {
info.listener.Cancel()
delete(m._listeners, name)
m.log.Debugln("No longer multicasting on", name)
}
// If the interface is no longer visible on the system then stop the
// listener, as another one will be started further down
if _, ok := m._interfaces[name]; !ok {
stop()
continue
}
// It's possible that the link-local listener address has changed so if
// that is the case then we should clean up the interface listener
found := false
listenaddr, err := net.ResolveTCPAddr("tcp6", info.listener.Addr().String())
if err != nil {
stop()
continue
}
// Find the interface that matches the listener
if info, ok := m._interfaces[name]; ok {
for _, addr := range info.addrs {
if ip, _, err := net.ParseCIDR(addr.String()); err == nil {
// Does the interface address match our listener address?
if ip.Equal(listenaddr.IP) {
found = true
break
}
}
}
}
// If the address has not been found on the adapter then we should stop
// and clean up the TCP listener. A new one will be created below if a
// suitable link-local address is found
if !found {
stop()
}
}
// Now that we have a list of valid interfaces from the operating system,
// we can start checking if we can send multicasts on them
for _, info := range m._interfaces {
iface := info.iface
for _, addr := range info.addrs {
addrIP, _, err := net.ParseCIDR(addr.String())
// Ignore IPv4 addresses or non-link-local addresses
if err != nil || addrIP.To4() != nil || !addrIP.IsLinkLocalUnicast() {
continue
}
if info.listen {
// Join the multicast group, so we can listen for beacons
_ = m.sock.JoinGroup(&iface, groupAddr)
}
if !info.beacon {
break // Don't send multicast beacons or accept incoming connections
}
// Try and see if we already have a TCP listener for this interface
var linfo *listenerInfo
if _, ok := m._listeners[iface.Name]; !ok {
// No listener was found - let's create one
v := &url.Values{}
v.Add("priority", fmt.Sprintf("%d", info.priority))
v.Add("password", string(info.password))
u := &url.URL{
Scheme: "tls",
Host: net.JoinHostPort(addrIP.String(), fmt.Sprintf("%d", info.port)),
RawQuery: v.Encode(),
}
if li, err := m.core.ListenLocal(u, iface.Name); err == nil {
m.log.Debugln("Started multicasting on", iface.Name)
// Store the listener so that we can stop it later if needed
linfo = &listenerInfo{listener: li, time: time.Now(), port: info.port}
m._listeners[iface.Name] = linfo
} else {
m.log.Warnln("Not multicasting on", iface.Name, "due to error:", err)
}
} else {
// An existing listener was found
linfo = m._listeners[iface.Name]
}
// Make sure nothing above failed for some reason
if linfo == nil {
continue
}
if time.Since(linfo.time) < linfo.interval {
continue
}
addr := linfo.listener.Addr().(*net.TCPAddr)
adv := multicastAdvertisement{
MajorVersion: core.ProtocolVersionMajor,
MinorVersion: core.ProtocolVersionMinor,
PublicKey: m.core.PublicKey(),
Port: uint16(addr.Port),
Hash: info.hash,
}
msg, err := adv.MarshalBinary()
if err != nil {
continue
}
destAddr.Zone = iface.Name
if _, err = m.sock.WriteTo(msg, nil, destAddr); err != nil {
m.log.Warn("Failed to send multicast beacon:", err)
}
if linfo.interval.Seconds() < 15 {
linfo.interval += time.Second
}
linfo.time = time.Now()
break
}
}
annInterval := time.Second + time.Microsecond*(time.Duration(rand.Intn(1048576))) // Randomize delay
m._timer = time.AfterFunc(annInterval, func() {
m.Act(nil, m._announce)
})
}
func (m *Multicast) listen() {
groupAddr, err := net.ResolveUDPAddr("udp6", string(m.config._groupAddr))
if err != nil {
panic(err)
}
bs := make([]byte, 2048)
hb := make([]byte, 0, blake2b.Size) // Reused to reduce hash allocations
for {
if !m.running.Load() {
return
}
n, rcm, fromAddr, err := m.sock.ReadFrom(bs)
if err != nil {
if !m.IsStarted() {
return
}
panic(err)
}
if rcm != nil {
// Windows can't set the flag needed to return a non-nil value here
// So only make these checks if we get something useful back
// TODO? Skip them always, I'm not sure if they're really needed...
if !rcm.Dst.IsLinkLocalMulticast() {
continue
}
if !rcm.Dst.Equal(groupAddr.IP) {
continue
}
}
var adv multicastAdvertisement
if err := adv.UnmarshalBinary(bs[:n]); err != nil {
continue
}
switch {
case adv.MajorVersion != core.ProtocolVersionMajor:
continue
case adv.MinorVersion != core.ProtocolVersionMinor:
continue
case adv.PublicKey.Equal(m.core.PublicKey()):
continue
}
from := fromAddr.(*net.UDPAddr)
from.Port = int(adv.Port)
var interfaces map[string]*interfaceInfo
phony.Block(m, func() {
interfaces = m._interfaces
})
if info, ok := interfaces[from.Zone]; ok && info.listen {
hasher, err := blake2b.New512(info.password)
if err != nil {
continue
}
if n, err := hasher.Write(adv.PublicKey); err != nil {
continue
} else if n != ed25519.PublicKeySize {
continue
}
if !bytes.Equal(hasher.Sum(hb[:0]), adv.Hash) {
continue
}
v := &url.Values{}
v.Add("key", hex.EncodeToString(adv.PublicKey))
v.Add("priority", fmt.Sprintf("%d", info.priority))
v.Add("password", string(info.password))
u := &url.URL{
Scheme: "tls",
Host: from.String(),
RawQuery: v.Encode(),
}
if err := m.core.CallPeer(u, from.Zone); err != nil {
m.log.Debugln("Call from multicast failed:", err)
}
}
}
}

35
src/multicast/multicast_darwin.go Normal file
View file

@ -0,0 +1,35 @@
//go:build !cgo && (darwin || ios)
package multicast
import (
"syscall"
"golang.org/x/sys/unix"
)
func (m *Multicast) _multicastStarted() {
}
func (m *Multicast) multicastReuse(network string, address string, c syscall.RawConn) error {
var control error
var reuseport error
var recvanyif error
control = c.Control(func(fd uintptr) {
reuseport = unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_REUSEPORT, 1)
// sys/socket.h: #define SO_RECV_ANYIF 0x1104
recvanyif = unix.SetsockoptInt(int(fd), syscall.SOL_SOCKET, 0x1104, 1)
})
switch {
case reuseport != nil:
return reuseport
case recvanyif != nil:
return recvanyif
default:
return control
}
}

68
src/multicast/multicast_darwin_cgo.go Normal file
View file

@ -0,0 +1,68 @@
//go:build (darwin && cgo) || (ios && cgo)
package multicast
/*
#cgo CFLAGS: -x objective-c
#cgo LDFLAGS: -framework Foundation
#import <Foundation/Foundation.h>
NSNetServiceBrowser *serviceBrowser;
void StartAWDLBrowsing() {
if (serviceBrowser == nil) {
serviceBrowser = [[NSNetServiceBrowser alloc] init];
serviceBrowser.includesPeerToPeer = YES;
}
[serviceBrowser searchForServicesOfType:@"_kaya._tcp" inDomain:@""];
}
void StopAWDLBrowsing() {
if (serviceBrowser == nil) {
return;
}
[serviceBrowser stop];
}
*/
import "C"
import (
"syscall"
"time"
"golang.org/x/sys/unix"
)
func (m *Multicast) _multicastStarted() {
if !m.running.Load() {
return
}
C.StopAWDLBrowsing()
for intf := range m._interfaces {
if intf == "awdl0" {
C.StartAWDLBrowsing()
break
}
}
time.AfterFunc(time.Minute, func() {
m.Act(nil, m._multicastStarted)
})
}
func (m *Multicast) multicastReuse(network string, address string, c syscall.RawConn) error {
var control error
var reuseport error
var recvanyif error
control = c.Control(func(fd uintptr) {
reuseport = unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_REUSEPORT, 1)
// sys/socket.h: #define SO_RECV_ANYIF 0x1104
recvanyif = unix.SetsockoptInt(int(fd), syscall.SOL_SOCKET, 0x1104, 1)
})
switch {
case reuseport != nil:
return reuseport
case recvanyif != nil:
return recvanyif
default:
return control
}
}

13
src/multicast/multicast_other.go Normal file
View file

@ -0,0 +1,13 @@
//go:build !linux && !darwin && !ios && !netbsd && !freebsd && !openbsd && !dragonflybsd && !windows
package multicast
import "syscall"
func (m *Multicast) _multicastStarted() {
}
func (m *Multicast) multicastReuse(network string, address string, c syscall.RawConn) error {
return nil
}

33
src/multicast/multicast_unix.go Normal file
View file

@ -0,0 +1,33 @@
//go:build linux || netbsd || freebsd || openbsd || dragonflybsd
package multicast
import (
"syscall"
"golang.org/x/sys/unix"
)
func (m *Multicast) _multicastStarted() {
}
func (m *Multicast) multicastReuse(network string, address string, c syscall.RawConn) error {
var control error
var reuseaddr error
control = c.Control(func(fd uintptr) {
// Previously we used SO_REUSEPORT here, but that meant that machines running
// Kaya nodes as different users would inevitably fail with EADDRINUSE.
// The behaviour for multicast is similar with both, so we'll use SO_REUSEADDR
// instead.
reuseaddr = unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_REUSEADDR, 1)
})
switch {
case reuseaddr != nil:
return reuseaddr
default:
return control
}
}

29
src/multicast/multicast_windows.go Normal file
View file

@ -0,0 +1,29 @@
//go:build windows
package multicast
import (
"syscall"
"golang.org/x/sys/windows"
)
func (m *Multicast) _multicastStarted() {
}
func (m *Multicast) multicastReuse(network string, address string, c syscall.RawConn) error {
var control error
var reuseaddr error
control = c.Control(func(fd uintptr) {
reuseaddr = windows.SetsockoptInt(windows.Handle(fd), windows.SOL_SOCKET, windows.SO_REUSEADDR, 1)
})
switch {
case reuseaddr != nil:
return reuseaddr
default:
return control
}
}

30
src/multicast/options.go Normal file
View file

@ -0,0 +1,30 @@
package multicast
import "regexp"
func (m *Multicast) _applyOption(opt SetupOption) {
switch v := opt.(type) {
case MulticastInterface:
m.config._interfaces[v] = struct{}{}
case GroupAddress:
m.config._groupAddr = v
}
}
type SetupOption interface {
isSetupOption()
}
type MulticastInterface struct {
Regex *regexp.Regexp
Beacon bool
Listen bool
Port uint16
Priority uint8
Password string
}
type GroupAddress string
func (a MulticastInterface) isSetupOption() {}
func (a GroupAddress) isSetupOption() {}

45
src/tun/admin.go Normal file
View file

@ -0,0 +1,45 @@
package tun
import (
"encoding/json"
"github.com/yggdrasil-network/yggdrasil-go/src/admin"
)
type GetTUNRequest struct{}
type GetTUNResponse struct {
Enabled bool `json:"enabled"`
Name string `json:"name,omitempty"`
MTU uint64 `json:"mtu,omitempty"`
}
type TUNEntry struct {
MTU uint64 `json:"mtu"`
}
func (t *TunAdapter) getTUNHandler(req *GetTUNRequest, res *GetTUNResponse) error {
res.Enabled = t.isEnabled
if !t.isEnabled {
return nil
}
res.Name = t.Name()
res.MTU = t.MTU()
return nil
}
func (t *TunAdapter) SetupAdminHandlers(a *admin.AdminSocket) {
_ = a.AddHandler(
"getTun", "Show information about the node's TUN interface", []string{},
func(in json.RawMessage) (interface{}, error) {
req := &GetTUNRequest{}
res := &GetTUNResponse{}
if err := json.Unmarshal(in, &req); err != nil {
return nil, err
}
if err := t.getTUNHandler(req, res); err != nil {
return nil, err
}
return res, nil
},
)
}

77
src/tun/iface.go Normal file
View file

@ -0,0 +1,77 @@
package tun
import (
"errors"
wgtun "golang.zx2c4.com/wireguard/tun"
)
const TUN_OFFSET_BYTES = 80 // sizeof(virtio_net_hdr)
func (tun *TunAdapter) read() {
vs := tun.iface.BatchSize()
bufs := make([][]byte, vs)
sizes := make([]int, vs)
for i := range bufs {
bufs[i] = make([]byte, TUN_OFFSET_BYTES+65535)
}
for {
n, err := tun.iface.Read(bufs, sizes, TUN_OFFSET_BYTES)
if err != nil {
if errors.Is(err, wgtun.ErrTooManySegments) {
tun.log.Debugln("TUN segments dropped: %v", err)
continue
}
tun.log.Errorln("Error reading TUN:", err)
return
}
for i, b := range bufs[:n] {
if _, err := tun.rwc.Write(b[TUN_OFFSET_BYTES : TUN_OFFSET_BYTES+sizes[i]]); err != nil {
tun.log.Debugln("Unable to send packet:", err)
}
}
}
}
func (tun *TunAdapter) queue() {
for {
p := bufPool.Get().([]byte)[:bufPoolSize]
n, err := tun.rwc.Read(p)
if err != nil {
tun.log.Errorln("Exiting TUN writer due to core read error:", err)
return
}
if tun.ch != nil {
tun.ch <- p[:n]
}
}
}
func (tun *TunAdapter) write() {
vs := cap(tun.ch)
bufs := make([][]byte, vs)
for i := range bufs {
bufs[i] = make([]byte, TUN_OFFSET_BYTES+65535)
}
for {
n := len(tun.ch)
if n == 0 {
n = 1 // Nothing queued up yet, wait for it instead
}
for i := 0; i < n; i++ {
msg := <-tun.ch
bufs[i] = append(bufs[i][:TUN_OFFSET_BYTES], msg...)
bufPool.Put(msg) // nolint:staticcheck
}
if !tun.isEnabled {
continue // Nothing to do, the tun isn't enabled
}
if _, err := tun.iface.Write(bufs[:n], TUN_OFFSET_BYTES); err != nil {
tun.Act(nil, func() {
if !tun.isOpen {
tun.log.Errorln("TUN iface write error:", err)
}
})
}
}
}

24
src/tun/options.go Normal file
View file

@ -0,0 +1,24 @@
package tun
func (m *TunAdapter) _applyOption(opt SetupOption) {
switch v := opt.(type) {
case InterfaceName:
m.config.name = v
case InterfaceMTU:
m.config.mtu = v
case FileDescriptor:
m.config.fd = int32(v)
}
}
type SetupOption interface {
isSetupOption()
}
type InterfaceName string
type InterfaceMTU uint64
type FileDescriptor int32
func (a InterfaceName) isSetupOption() {}
func (a InterfaceMTU) isSetupOption() {}
func (a FileDescriptor) isSetupOption() {}

195
src/tun/tun.go Normal file
View file

@ -0,0 +1,195 @@
package tun
// This manages the tun driver to send/recv packets to/from applications
// TODO: Connection timeouts (call Conn.Close() when we want to time out)
// TODO: Don't block in reader on writes that are pending searches
import (
"errors"
"fmt"
"io"
"net"
"sync"
"github.com/Arceliar/phony"
wgtun "golang.zx2c4.com/wireguard/tun"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
"github.com/yggdrasil-network/yggdrasil-go/src/config"
"github.com/yggdrasil-network/yggdrasil-go/src/core"
)
type MTU uint16
type ReadWriteCloser interface {
io.ReadWriteCloser
Address() address.Address
Subnet() address.Subnet
MaxMTU() uint64
SetMTU(uint64)
}
// TunAdapter represents a running TUN interface and extends the
// kaya.Adapter type. In order to use the TUN adapter with Kaya, you
// should pass this object to the kaya.SetRouterAdapter() function before
// calling kaya.Start().
type TunAdapter struct {
rwc ReadWriteCloser
log core.Logger
addr address.Address
subnet address.Subnet
mtu uint64
iface wgtun.Device
phony.Inbox // Currently only used for _handlePacket from the reader, TODO: all the stuff that currently needs a mutex below
isOpen bool
isEnabled bool // Used by the writer to drop sessionTraffic if not enabled
config struct {
fd int32
name InterfaceName
mtu InterfaceMTU
}
ch chan []byte
}
// Gets the maximum supported MTU for the platform based on the defaults in
// config.GetDefaults().
func getSupportedMTU(mtu uint64) uint64 {
if mtu < 1280 {
return 1280
}
if mtu > MaximumMTU() {
return MaximumMTU()
}
return mtu
}
// Name returns the name of the adapter, e.g. "tun0". On Windows, this may
// return a canonical adapter name instead.
func (tun *TunAdapter) Name() string {
if name, err := tun.iface.Name(); err == nil {
return name
}
return ""
}
// MTU gets the adapter's MTU. This can range between 1280 and 65535, although
// the maximum value is determined by your platform. The returned value will
// never exceed that of MaximumMTU().
func (tun *TunAdapter) MTU() uint64 {
return getSupportedMTU(tun.mtu)
}
// DefaultName gets the default TUN interface name for your platform.
func DefaultName() string {
return config.GetDefaults().DefaultIfName
}
// DefaultMTU gets the default TUN interface MTU for your platform. This can
// be as high as MaximumMTU(), depending on platform, but is never lower than 1280.
func DefaultMTU() uint64 {
return config.GetDefaults().DefaultIfMTU
}
// MaximumMTU returns the maximum supported TUN interface MTU for your
// platform. This can be as high as 65535, depending on platform, but is never
// lower than 1280.
func MaximumMTU() uint64 {
return config.GetDefaults().MaximumIfMTU
}
// Init initialises the TUN module. You must have acquired a Listener from
// the Kaya core before this point and it must not be in use elsewhere.
func New(rwc ReadWriteCloser, log core.Logger, opts ...SetupOption) (*TunAdapter, error) {
tun := &TunAdapter{
rwc: rwc,
log: log,
}
for _, opt := range opts {
tun._applyOption(opt)
}
return tun, tun._start()
}
func (tun *TunAdapter) _start() error {
if tun.isOpen {
return errors.New("TUN module is already started")
}
tun.addr = tun.rwc.Address()
tun.subnet = tun.rwc.Subnet()
prefix := address.GetPrefix()
var addr string
if tun.addr.IsValid() {
addr = fmt.Sprintf("%s/%d", net.IP(tun.addr[:]).String(), 8*len(prefix[:])-1)
}
if tun.config.name == "none" || tun.config.name == "dummy" {
tun.log.Debugln("Not starting TUN as ifname is none or dummy")
tun.isEnabled = false
// Need to keep the queue goroutine running to stop underlying
// layers from getting blocked.
go tun.queue()
return nil
}
mtu := uint64(tun.config.mtu)
if tun.rwc.MaxMTU() < mtu {
mtu = tun.rwc.MaxMTU()
}
var err error
if tun.config.fd > 0 {
err = tun.setupFD(tun.config.fd, addr, mtu)
} else {
err = tun.setup(string(tun.config.name), addr, mtu)
}
if err != nil {
return err
}
if tun.MTU() != mtu {
tun.log.Warnf("Warning: Interface MTU %d automatically adjusted to %d (supported range is 1280-%d)", tun.config.mtu, tun.MTU(), MaximumMTU())
}
tun.rwc.SetMTU(tun.MTU())
tun.isOpen = true
tun.isEnabled = true
tun.ch = make(chan []byte, tun.iface.BatchSize())
go tun.queue()
go tun.read()
go tun.write()
return nil
}
// IsStarted returns true if the module has been started.
func (tun *TunAdapter) IsStarted() bool {
var isOpen bool
phony.Block(tun, func() {
isOpen = tun.isOpen
})
return isOpen
}
// Start the setup process for the TUN adapter. If successful, starts the
// read/write goroutines to handle packets on that interface.
func (tun *TunAdapter) Stop() error {
var err error
phony.Block(tun, func() {
err = tun._stop()
})
return err
}
func (tun *TunAdapter) _stop() error {
tun.isOpen = false
// by TUN, e.g. readers/writers, sessions
if tun.iface != nil {
// Just in case we failed to start up the iface for some reason, this can apparently happen on Windows
tun.iface.Close()
}
return nil
}
const bufPoolSize = TUN_OFFSET_BYTES + 65535
var bufPool = sync.Pool{
New: func() any {
b := [bufPoolSize]byte{}
return b[:]
},
}

162
src/tun/tun_darwin.go Normal file
View file

@ -0,0 +1,162 @@
//go:build darwin || ios
package tun
// The darwin platform specific tun parts
import (
"encoding/binary"
"fmt"
"os"
"strconv"
"strings"
"unsafe"
"golang.org/x/sys/unix"
wgtun "golang.zx2c4.com/wireguard/tun"
)
// Configures the "utun" adapter with the correct IPv6 address and MTU.
func (tun *TunAdapter) setup(ifname string, addr string, mtu uint64) error {
if ifname == "auto" {
ifname = "utun"
}
iface, err := wgtun.CreateTUN(ifname, int(mtu))
if err != nil {
return fmt.Errorf("failed to create TUN: %w", err)
}
tun.iface = iface
if m, err := iface.MTU(); err == nil {
tun.mtu = getSupportedMTU(uint64(m))
} else {
tun.mtu = 0
}
if addr != "" {
return tun.setupAddress(addr)
}
return nil
}
// Configures the "utun" adapter from an existing file descriptor.
func (tun *TunAdapter) setupFD(fd int32, addr string, mtu uint64) error {
dfd, err := unix.Dup(int(fd))
if err != nil {
return fmt.Errorf("failed to duplicate FD: %w", err)
}
err = unix.SetNonblock(dfd, true)
if err != nil {
unix.Close(dfd)
return fmt.Errorf("failed to set FD as non-blocking: %w", err)
}
iface, err := wgtun.CreateTUNFromFile(os.NewFile(uintptr(dfd), "/dev/tun"), 0)
if err != nil {
unix.Close(dfd)
return fmt.Errorf("failed to create TUN from FD: %w", err)
}
tun.iface = iface
if m, err := iface.MTU(); err == nil {
tun.mtu = getSupportedMTU(uint64(m))
} else {
tun.mtu = 0
}
return nil // tun.setupAddress(addr)
}
const (
darwin_SIOCAIFADDR_IN6 = 2155899162 // netinet6/in6_var.h
darwin_IN6_IFF_NODAD = 0x0020 // netinet6/in6_var.h
darwin_IN6_IFF_SECURED = 0x0400 // netinet6/in6_var.h
darwin_ND6_INFINITE_LIFETIME = 0xFFFFFFFF // netinet6/nd6.h
)
// nolint:structcheck
type in6_addrlifetime struct {
ia6t_expire float64 // nolint:unused
ia6t_preferred float64 // nolint:unused
ia6t_vltime uint32
ia6t_pltime uint32
}
// nolint:structcheck
type sockaddr_in6 struct {
sin6_len uint8
sin6_family uint8
sin6_port uint8 // nolint:unused
sin6_flowinfo uint32 // nolint:unused
sin6_addr [8]uint16
sin6_scope_id uint32 // nolint:unused
}
// nolint:structcheck
type in6_aliasreq struct {
ifra_name [16]byte
ifra_addr sockaddr_in6
ifra_dstaddr sockaddr_in6 // nolint:unused
ifra_prefixmask sockaddr_in6
ifra_flags uint32
ifra_lifetime in6_addrlifetime
}
type ifreq struct {
ifr_name [16]byte
ifru_mtu uint32
}
// Sets the IPv6 address of the utun adapter. On Darwin/macOS this is done using
// a system socket and making direct syscalls to the kernel.
func (tun *TunAdapter) setupAddress(addr string) error {
var fd int
var err error
if fd, err = unix.Socket(unix.AF_INET6, unix.SOCK_DGRAM, 0); err != nil {
tun.log.Errorf("Create AF_SYSTEM socket failed: %v.", err)
return fmt.Errorf("failed to open AF_SYSTEM: %w", err)
}
var ar in6_aliasreq
copy(ar.ifra_name[:], tun.Name())
ar.ifra_prefixmask.sin6_len = uint8(unsafe.Sizeof(ar.ifra_prefixmask))
b := make([]byte, 16)
binary.LittleEndian.PutUint16(b, uint16(0xFE00))
ar.ifra_prefixmask.sin6_addr[0] = binary.BigEndian.Uint16(b)
ar.ifra_addr.sin6_len = uint8(unsafe.Sizeof(ar.ifra_addr))
ar.ifra_addr.sin6_family = unix.AF_INET6
parts := strings.Split(strings.Split(addr, "/")[0], ":")
for i := 0; i < 8; i++ {
addr, _ := strconv.ParseUint(parts[i], 16, 16)
b := make([]byte, 16)
binary.LittleEndian.PutUint16(b, uint16(addr))
ar.ifra_addr.sin6_addr[i] = binary.BigEndian.Uint16(b)
}
ar.ifra_flags |= darwin_IN6_IFF_NODAD
ar.ifra_flags |= darwin_IN6_IFF_SECURED
ar.ifra_lifetime.ia6t_vltime = darwin_ND6_INFINITE_LIFETIME
ar.ifra_lifetime.ia6t_pltime = darwin_ND6_INFINITE_LIFETIME
var ir ifreq
copy(ir.ifr_name[:], tun.Name())
ir.ifru_mtu = uint32(tun.mtu)
tun.log.Infof("Interface name: %s", ar.ifra_name)
tun.log.Infof("Interface IPv6: %s", addr)
tun.log.Infof("Interface MTU: %d", ir.ifru_mtu)
if _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), uintptr(darwin_SIOCAIFADDR_IN6), uintptr(unsafe.Pointer(&ar))); errno != 0 { // nolint:staticcheck
err = errno
tun.log.Errorf("Error in darwin_SIOCAIFADDR_IN6: %v", errno)
return fmt.Errorf("failed to call SIOCAIFADDR_IN6: %w", err)
}
if _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), uintptr(unix.SIOCSIFMTU), uintptr(unsafe.Pointer(&ir))); errno != 0 { // nolint:staticcheck
err = errno
tun.log.Errorf("Error in SIOCSIFMTU: %v", errno)
return fmt.Errorf("failed to call SIOCSIFMTU: %w", err)
}
return err
}

131
src/tun/tun_freebsd.go Normal file
View file

@ -0,0 +1,131 @@
//go:build freebsd
package tun
import (
"encoding/binary"
"fmt"
"strconv"
"strings"
"syscall"
"unsafe"
"golang.org/x/sys/unix"
wgtun "golang.zx2c4.com/wireguard/tun"
)
const SIOCSIFADDR_IN6 = (0x80000000) | ((288 & 0x1fff) << 16) | uint32(byte('i'))<<8 | 12
type in6_addrlifetime struct {
ia6t_expire float64
ia6t_preferred float64
ia6t_vltime uint32
ia6t_pltime uint32
}
type sockaddr_in6 struct {
sin6_len uint8
sin6_family uint8
sin6_port uint8
sin6_flowinfo uint32
sin6_addr [8]uint16
sin6_scope_id uint32
}
/*
from <netinet6/in6_var.h>
struct in6_ifreq {
277 char ifr_name[IFNAMSIZ];
278 union {
279 struct sockaddr_in6 ifru_addr;
280 struct sockaddr_in6 ifru_dstaddr;
281 int ifru_flags;
282 int ifru_flags6;
283 int ifru_metric;
284 caddr_t ifru_data;
285 struct in6_addrlifetime ifru_lifetime;
286 struct in6_ifstat ifru_stat;
287 struct icmp6_ifstat ifru_icmp6stat;
288 u_int32_t ifru_scope_id[16];
289 } ifr_ifru;
290 };
*/
type in6_ifreq_addr struct {
ifr_name [syscall.IFNAMSIZ]byte
ifru_addr sockaddr_in6
}
type in6_ifreq_flags struct {
ifr_name [syscall.IFNAMSIZ]byte
flags int
}
type in6_ifreq_lifetime struct {
ifr_name [syscall.IFNAMSIZ]byte
ifru_addrlifetime in6_addrlifetime
}
// Configures the TUN adapter with the correct IPv6 address and MTU.
func (tun *TunAdapter) setup(ifname string, addr string, mtu uint64) error {
iface, err := wgtun.CreateTUN(ifname, int(mtu))
if err != nil {
return fmt.Errorf("failed to create TUN: %w", err)
}
tun.iface = iface
if mtu, err := iface.MTU(); err == nil {
tun.mtu = getSupportedMTU(uint64(mtu))
} else {
tun.mtu = 0
}
if addr != "" {
return tun.setupAddress(addr)
}
return nil
}
// Configures the "utun" adapter from an existing file descriptor.
func (tun *TunAdapter) setupFD(fd int32, addr string, mtu uint64) error {
return fmt.Errorf("setup via FD not supported on this platform")
}
func (tun *TunAdapter) setupAddress(addr string) error {
var sfd int
var err error
// Create system socket
if sfd, err = unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0); err != nil {
tun.log.Printf("Create AF_INET socket failed: %v.", err)
return err
}
// Friendly output
tun.log.Infof("Interface name: %s", tun.Name())
tun.log.Infof("Interface IPv6: %s", addr)
tun.log.Infof("Interface MTU: %d", tun.mtu)
// Create the address request
// FIXME: I don't work!
var ar in6_ifreq_addr
copy(ar.ifr_name[:], tun.Name())
ar.ifru_addr.sin6_len = uint8(unsafe.Sizeof(ar.ifru_addr))
ar.ifru_addr.sin6_family = unix.AF_INET6
parts := strings.Split(strings.Split(addr, "/")[0], ":")
for i := 0; i < 8; i++ {
addr, _ := strconv.ParseUint(parts[i], 16, 16)
b := make([]byte, 16)
binary.LittleEndian.PutUint16(b, uint16(addr))
ar.ifru_addr.sin6_addr[i] = uint16(binary.BigEndian.Uint16(b))
}
// Set the interface address
if _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(sfd), uintptr(SIOCSIFADDR_IN6), uintptr(unsafe.Pointer(&ar))); errno != 0 {
err = errno
tun.log.Errorf("Error in SIOCSIFADDR_IN6: %v", errno)
return fmt.Errorf("SIOCSIFADDR_IN6 failed: %w", errno)
}
return nil
}

67
src/tun/tun_linux.go Normal file
View file

@ -0,0 +1,67 @@
//go:build linux || android
package tun
// The linux platform specific tun parts
import (
"fmt"
"github.com/vishvananda/netlink"
wgtun "golang.zx2c4.com/wireguard/tun"
)
// Configures the TUN adapter with the correct IPv6 address and MTU.
func (tun *TunAdapter) setup(ifname string, addr string, mtu uint64) error {
if ifname == "auto" {
ifname = "\000"
}
iface, err := wgtun.CreateTUN(ifname, int(mtu))
if err != nil {
return fmt.Errorf("failed to create TUN: %w", err)
}
tun.iface = iface
if mtu, err := iface.MTU(); err == nil {
tun.mtu = getSupportedMTU(uint64(mtu))
} else {
tun.mtu = 0
}
if addr != "" {
return tun.setupAddress(addr)
}
return nil
}
// Configures the "utun" adapter from an existing file descriptor.
func (tun *TunAdapter) setupFD(fd int32, addr string, mtu uint64) error {
return fmt.Errorf("setup via FD not supported on this platform")
}
// Configures the TUN adapter with the correct IPv6 address and MTU. Netlink
// is used to do this, so there is not a hard requirement on "ip" or "ifconfig"
// to exist on the system, but this will fail if Netlink is not present in the
// kernel (it nearly always is).
func (tun *TunAdapter) setupAddress(addr string) error {
nladdr, err := netlink.ParseAddr(addr)
if err != nil {
return fmt.Errorf("couldn't parse address %q: %w", addr, err)
}
nlintf, err := netlink.LinkByName(tun.Name())
if err != nil {
return fmt.Errorf("failed to find link by name: %w", err)
}
if err := netlink.AddrAdd(nlintf, nladdr); err != nil {
return fmt.Errorf("failed to add address to link: %w", err)
}
if err := netlink.LinkSetMTU(nlintf, int(tun.mtu)); err != nil {
return fmt.Errorf("failed to set link MTU: %w", err)
}
if err := netlink.LinkSetUp(nlintf); err != nil {
return fmt.Errorf("failed to bring link up: %w", err)
}
// Friendly output
tun.log.Infof("Interface name: %s", tun.Name())
tun.log.Infof("Interface IPv6: %s", addr)
tun.log.Infof("Interface MTU: %d", tun.mtu)
return nil
}

121
src/tun/tun_openbsd.go Normal file
View file

@ -0,0 +1,121 @@
//go:build openbsd
package tun
import (
"fmt"
"net"
"syscall"
"unsafe"
"golang.org/x/sys/unix"
wgtun "golang.zx2c4.com/wireguard/tun"
)
const (
SIOCAIFADDR_IN6 = 0x8080691a
ND6_INFINITE_LIFETIME = 0xffffffff
)
type in6_addrlifetime struct {
ia6t_expire int64
ia6t_preferred int64
ia6t_vltime uint32
ia6t_pltime uint32
}
// Match types from the net package, effectively being [16]byte for IPv6 addresses.
type in6_addr [16]uint8
type sockaddr_in6 struct {
sin6_len uint8
sin6_family uint8
sin6_port uint16
sin6_flowinfo uint32
sin6_addr in6_addr
sin6_scope_id uint32
}
func (sa6 *sockaddr_in6) setSockaddr(addr [] /*16*/ byte /* net.IP or net.IPMask */) {
sa6.sin6_len = uint8(unsafe.Sizeof(*sa6))
sa6.sin6_family = unix.AF_INET6
for i := range sa6.sin6_addr {
sa6.sin6_addr[i] = addr[i]
}
}
type in6_aliasreq struct {
ifra_name [syscall.IFNAMSIZ]byte
ifra_addr sockaddr_in6
ifra_dstaddr sockaddr_in6
ifra_prefixmask sockaddr_in6
ifra_flags int32
ifra_lifetime in6_addrlifetime
}
// Configures the TUN adapter with the correct IPv6 address and MTU.
func (tun *TunAdapter) setup(ifname string, addr string, mtu uint64) error {
iface, err := wgtun.CreateTUN(ifname, int(mtu))
if err != nil {
return fmt.Errorf("failed to create TUN: %w", err)
}
tun.iface = iface
if mtu, err := iface.MTU(); err == nil {
tun.mtu = getSupportedMTU(uint64(mtu))
} else {
tun.mtu = 0
}
if addr != "" {
return tun.setupAddress(addr)
}
return nil
}
// Configures the "utun" adapter from an existing file descriptor.
func (tun *TunAdapter) setupFD(fd int32, addr string, mtu uint64) error {
return fmt.Errorf("setup via FD not supported on this platform")
}
func (tun *TunAdapter) setupAddress(addr string) error {
var sfd int
var err error
ip, prefix, err := net.ParseCIDR(addr)
if err != nil {
tun.log.Errorf("Error in ParseCIDR: %v", err)
return err
}
// Create system socket
if sfd, err = unix.Socket(unix.AF_INET6, unix.SOCK_DGRAM, 0); err != nil {
tun.log.Printf("Create AF_INET6 socket failed: %v", err)
return err
}
// Friendly output
tun.log.Infof("Interface name: %s", tun.Name())
tun.log.Infof("Interface IPv6: %s", addr)
tun.log.Infof("Interface MTU: %d", tun.mtu)
// Create the address request
var ar in6_aliasreq
copy(ar.ifra_name[:], tun.Name())
ar.ifra_addr.setSockaddr(ip)
prefixmask := net.CIDRMask(prefix.Mask.Size())
ar.ifra_prefixmask.setSockaddr(prefixmask)
ar.ifra_lifetime.ia6t_vltime = ND6_INFINITE_LIFETIME
ar.ifra_lifetime.ia6t_pltime = ND6_INFINITE_LIFETIME
// Set the interface address
if err = unix.IoctlSetInt(sfd, SIOCAIFADDR_IN6, int(uintptr(unsafe.Pointer(&ar)))); err != nil {
tun.log.Errorf("Error in SIOCAIFADDR_IN6: %v", err)
return err
}
return nil
}

42
src/tun/tun_other.go Normal file
View file

@ -0,0 +1,42 @@
//go:build !linux && !darwin && !ios && !android && !windows && !openbsd && !freebsd && !mobile
package tun
// This is to catch unsupported platforms
// If your platform supports tun devices, you could try configuring it manually
import (
"fmt"
wgtun "golang.zx2c4.com/wireguard/tun"
)
// Configures the TUN adapter with the correct IPv6 address and MTU.
func (tun *TunAdapter) setup(ifname string, addr string, mtu uint64) error {
iface, err := wgtun.CreateTUN(ifname, mtu)
if err != nil {
return fmt.Errorf("failed to create TUN: %w", err)
}
tun.iface = iface
if mtu, err := iface.MTU(); err == nil {
tun.mtu = getSupportedMTU(uint64(mtu))
} else {
tun.mtu = 0
}
if addr != "" {
return tun.setupAddress(addr)
}
return nil
}
// Configures the "utun" adapter from an existing file descriptor.
func (tun *TunAdapter) setupFD(fd int32, addr string, mtu uint64) error {
return fmt.Errorf("setup via FD not supported on this platform")
}
// We don't know how to set the IPv6 address on an unknown platform, therefore
// write about it to stdout and don't try to do anything further.
func (tun *TunAdapter) setupAddress(addr string) error {
tun.log.Warnln("Warning: Platform not supported, you must set the address of", tun.Name(), "to", addr)
return nil
}

156
src/tun/tun_windows.go Normal file
View file

@ -0,0 +1,156 @@
//go:build windows
package tun
import (
"errors"
"fmt"
"log"
"net/netip"
"time"
"github.com/yggdrasil-network/yggdrasil-go/src/config"
"golang.org/x/sys/windows"
"golang.zx2c4.com/wintun"
wgtun "golang.zx2c4.com/wireguard/tun"
"golang.zx2c4.com/wireguard/windows/elevate"
"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
)
// This is to catch Windows platforms
// Configures the TUN adapter with the correct IPv6 address and MTU.
func (tun *TunAdapter) setup(ifname string, addr string, mtu uint64) error {
if ifname == "auto" {
ifname = config.GetDefaults().DefaultIfName
}
return elevate.DoAsSystem(func() error {
var err error
var iface wgtun.Device
var guid windows.GUID
if guid, err = windows.GUIDFromString("{8f59971a-7872-4aa6-b2eb-061fc4e9d0a7}"); err != nil {
return err
}
iface, err = wgtun.CreateTUNWithRequestedGUID(ifname, &guid, int(mtu))
if err != nil {
// Very rare condition, it will purge the old device and create new
tun.log.Printf("Error creating TUN: '%s'", err)
wintun.Uninstall()
time.Sleep(3 * time.Second)
tun.log.Printf("Trying again")
iface, err = wgtun.CreateTUNWithRequestedGUID(ifname, &guid, int(mtu))
if err != nil {
return err
}
}
tun.log.Printf("Waiting for TUN to come up")
time.Sleep(1 * time.Second)
tun.iface = iface
if addr != "" {
tun.log.Printf("Setting up address")
if err = tun.setupAddress(addr); err != nil {
tun.log.Errorln("Failed to set up TUN address:", err)
return err
}
}
if err = tun.setupMTU(getSupportedMTU(mtu)); err != nil {
tun.log.Errorln("Failed to set up TUN MTU:", err)
return err
}
if mtu, err := iface.MTU(); err == nil {
tun.mtu = uint64(mtu)
}
tun.log.Printf("TUN is set up successfully")
return nil
})
}
// Configures the "utun" adapter from an existing file descriptor.
func (tun *TunAdapter) setupFD(fd int32, addr string, mtu uint64) error {
return fmt.Errorf("setup via FD not supported on this platform")
}
// Sets the MTU of the TUN adapter.
func (tun *TunAdapter) setupMTU(mtu uint64) error {
if tun.iface == nil || tun.Name() == "" {
return errors.New("Can't configure MTU as TUN adapter is not present")
}
if intf, ok := tun.iface.(*wgtun.NativeTun); ok {
luid := winipcfg.LUID(intf.LUID())
ipfamily, err := luid.IPInterface(windows.AF_INET6)
if err != nil {
return err
}
ipfamily.NLMTU = uint32(mtu)
intf.ForceMTU(int(ipfamily.NLMTU))
ipfamily.UseAutomaticMetric = false
ipfamily.Metric = 0
ipfamily.DadTransmits = 0
ipfamily.RouterDiscoveryBehavior = winipcfg.RouterDiscoveryDisabled
if err := ipfamily.Set(); err != nil {
return err
}
}
return nil
}
// Sets the IPv6 address of the TUN adapter.
func (tun *TunAdapter) setupAddress(addr string) error {
if tun.iface == nil || tun.Name() == "" {
return errors.New("Can't configure IPv6 address as TUN adapter is not present")
}
if intf, ok := tun.iface.(*wgtun.NativeTun); ok {
if ipnet, err := netip.ParsePrefix(addr); err == nil {
luid := winipcfg.LUID(intf.LUID())
addresses := []netip.Prefix{ipnet}
err := luid.SetIPAddressesForFamily(windows.AF_INET6, addresses)
if err == windows.ERROR_OBJECT_ALREADY_EXISTS {
cleanupAddressesOnDisconnectedInterfaces(windows.AF_INET6, addresses)
err = luid.SetIPAddressesForFamily(windows.AF_INET6, addresses)
}
if err != nil {
return err
}
} else {
return err
}
} else {
return errors.New("unable to get NativeTUN")
}
return nil
}
/*
* cleanupAddressesOnDisconnectedInterfaces
* SPDX-License-Identifier: MIT
* Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
*/
func cleanupAddressesOnDisconnectedInterfaces(family winipcfg.AddressFamily, addresses []netip.Prefix) {
if len(addresses) == 0 {
return
}
addrHash := make(map[netip.Addr]bool, len(addresses))
for i := range addresses {
addrHash[addresses[i].Addr()] = true
}
interfaces, err := winipcfg.GetAdaptersAddresses(family, winipcfg.GAAFlagDefault)
if err != nil {
return
}
for _, iface := range interfaces {
if iface.OperStatus == winipcfg.IfOperStatusUp {
continue
}
for address := iface.FirstUnicastAddress; address != nil; address = address.Next {
if ip, _ := netip.AddrFromSlice(address.Address.IP()); addrHash[ip] {
prefix := netip.PrefixFrom(ip, int(address.OnLinkPrefixLength))
log.Printf("Cleaning up stale address %s from interface %s", prefix.String(), iface.FriendlyName())
iface.LUID.DeleteIPAddress(prefix)
}
}
}
}

22
src/version/version.go Normal file
View file

@ -0,0 +1,22 @@
package version
var buildName string
var buildVersion string
// BuildName gets the current build name. This is usually injected if built
// from git, or returns "unknown" otherwise.
func BuildName() string {
if buildName == "" {
return "unknown"
}
return buildName
}
// BuildVersion gets the current build version. This is usually injected if
// built from git, or returns "unknown" otherwise.
func BuildVersion() string {
if buildVersion == "" {
return "unknown"
}
return buildVersion
}