From 5c50bdd0e58843c4579b9ae3d1a04b3ae1ca80ce Mon Sep 17 00:00:00 2001 From: Tom Carroll <34632752+tomc797@users.noreply.github.com> Date: Wed, 7 Jun 2023 23:50:38 -0700 Subject: [PATCH] Disregard route if update is a subnet of tun's address. As the tun_ip is derived from dns_block, set the tun's address prefix length equal to dns_block prefix length. Then ignore any route updates that are a subnet of the tun's address. This becomes helpful when large number of DNS intercepts are employed (say wildcard), each causing a /32 route to be added. Signed-off-by: Tom Carroll <4632752+tomc797@users.noreply.github.com> --- .../ziti-edge-tunnel/netif_driver/linux/tun.c | 62 +++++++++++++++++-- .../ziti-edge-tunnel/netif_driver/linux/tun.h | 1 + 2 files changed, 58 insertions(+), 5 deletions(-) diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/tun.c b/programs/ziti-edge-tunnel/netif_driver/linux/tun.c index 75a3b2862..2860e427c 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/tun.c +++ b/programs/ziti-edge-tunnel/netif_driver/linux/tun.c @@ -126,6 +126,36 @@ static void route_updates_done(uv_work_t *wr, int status) { free(wr); } +static int ipv6_equal_prefix(const struct in6_addr *addr1, const struct in6_addr *addr2, unsigned int prefixlen) +{ + const uint32_t *a1 = addr1->s6_addr32; + const uint32_t *a2 = addr2->s6_addr32; + unsigned int nw = prefixlen / 32; + unsigned int nb = prefixlen % 32; + + if (memcmp(a1, a2, 4*nw)) + return 0; + + return !(nb && ((a1[nw] ^ a2[nw]) & htonl(0xffffffffUL << (32 - nb)))); +} + +static int tun_check_prefix(netif_handle tun, const char *cidr) +{ + ziti_address *ifa = &tun->addr; + ziti_address range; + + if (parse_ziti_address_str(&range, cidr) < 0 || range.type != ziti_address_cidr) + return -1; + + if (range.addr.cidr.af != ifa->addr.cidr.af) + return -1; + + if (range.addr.cidr.bits < ifa->addr.cidr.bits) + return 0; + + return ipv6_equal_prefix(&range.addr.cidr.ip, &ifa->addr.cidr.ip, ifa->addr.cidr.bits); +} + static void process_routes_updates(uv_work_t *wr) { struct rt_process_cmd *cmd = wr->data; @@ -153,6 +183,12 @@ static void process_routes_updates(uv_work_t *wr) { // action == 1: add unsigned action = (uintptr_t) value; if (action == i) { + /* + * Ignore update if the prefix is a subnetwork of the tun's network + */ + if (tun_check_prefix(cmd->tun, prefix) > 0) + continue; + int len = snprintf(buf, sizeof(buf), "route %s %s dev %s\n", verb, prefix, cmd->tun->name); if (len < 0 || (size_t) len >= sizeof buf) { if (len > 0) errno = ENOMEM; @@ -450,16 +486,32 @@ netif_driver tun_open(uv_loop_t *loop, uint32_t tun_ip, uint32_t dns_ip, const c driver->exclude_rt = tun_exclude_rt; driver->commit_routes = tun_commit_routes; + ziti_address range; + unsigned int prefixlen; + if (!dns_block || + parse_ziti_address_str(&range, dns_block) < 0 || + range.type != ziti_address_cidr || + range.addr.cidr.bits > 32) { + prefixlen = 32; + } else { + prefixlen = range.addr.cidr.bits; + } + tun->addr = (ziti_address) { + .type = ziti_address_cidr, + .addr.cidr.af = AF_INET, + .addr.cidr.bits = prefixlen, + .addr.cidr.ip = { .s6_addr32 = { tun_ip } } + }; + run_command("ip link set %s up", tun->name); - run_command("ip addr add %s dev %s", inet_ntoa(*(struct in_addr*)&tun_ip), tun->name); + run_command("ip addr add %s/%d dev %s scope link", + inet_ntoa((struct in_addr){ .s_addr = tun->addr.addr.cidr.ip.s6_addr32[0] }), + tun->addr.addr.cidr.bits, + tun->name); if (dns_ip) { init_dns_maintainer(loop, tun->name, dns_ip); } - if (dns_block) { - run_command("ip route add %s dev %s", dns_block, tun->name); - } - return driver; } diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/tun.h b/programs/ziti-edge-tunnel/netif_driver/linux/tun.h index 73c83cd8d..6e10b8e57 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/tun.h +++ b/programs/ziti-edge-tunnel/netif_driver/linux/tun.h @@ -24,6 +24,7 @@ struct netif_handle_s { int fd; char name[IFNAMSIZ]; + ziti_address addr; model_map *route_updates; };