removed macs from hash, added 3 attempts for the same keys

2025-06-21 02:08:40 +02:00 · 2025-06-19 19:40:17 +02:00 · 2025-06-19 19:40:17 +02:00 · 660388889a
commit 660388889a
parent dd9ed1dfa7
2 changed files with 25 additions and 43 deletions
--- a/management/server/loginfilter.go
+++ b/management/server/loginfilter.go
@ -11,16 +11,18 @@ import (
 const (
 	filterTimeout = 5 * time.Minute // Duration to secure the previous login information in the filter

-	reconnThreshold   = 5 * time.Minute
-	blockDuration     = 10 * time.Minute // Duration for which a peer is banned after exceeding the reconnection limit
-	reconnLimitForBan = 30               // Number of reconnections within the reconnTreshold that triggers a ban
+	reconnThreshold         = 5 * time.Minute
+	blockDuration           = 10 * time.Minute // Duration for which a peer is banned after exceeding the reconnection limit
+	reconnLimitForBan       = 30               // Number of reconnections within the reconnTreshold that triggers a ban
+	differentMetaReconnects = 3                // Number of reconnections with different metadata that triggers a ban of one peer
 )

 type config struct {
-	filterTimeout     time.Duration
-	reconnThreshold   time.Duration
-	blockDuration     time.Duration
-	reconnLimitForBan int
+	filterTimeout           time.Duration
+	reconnThreshold         time.Duration
+	blockDuration           time.Duration
+	reconnLimitForBan       int
+	differentMetaReconnects int
 }

 type loginFilter struct {
@ -39,10 +41,11 @@ type metahash struct {

 func initCfg() *config {
 	return &config{
-		filterTimeout:     filterTimeout,
-		reconnThreshold:   reconnThreshold,
-		blockDuration:     blockDuration,
-		reconnLimitForBan: reconnLimitForBan,
+		filterTimeout:           filterTimeout,
+		reconnThreshold:         reconnThreshold,
+		blockDuration:           blockDuration,
+		reconnLimitForBan:       reconnLimitForBan,
+		differentMetaReconnects: differentMetaReconnects,
 	}
 }

@ -86,7 +89,7 @@ func (l *loginFilter) allowLogin(wgPubKey string, metaHash uint64) bool {
 	if mh.banned && time.Since(mh.lastSeen) < l.cfg.blockDuration {
 		return false
 	}
-	if mh.hash != metaHash && time.Since(mh.lastSeen) < l.cfg.filterTimeout {
+	if mh.hash != metaHash && time.Since(mh.lastSeen) < l.cfg.filterTimeout && mh.counter > l.cfg.differentMetaReconnects {
 		return false
 	}
 	return true
@ -101,12 +104,6 @@ func (l *loginFilter) removeLogin(wgPubKey string) {
 func metaHash(meta nbpeer.PeerSystemMeta, pubip string) uint64 {
 	h := fnv.New64a()

-	if len(meta.NetworkAddresses) != 0 {
-		for _, na := range meta.NetworkAddresses {
-			h.Write([]byte(na.Mac))
-		}
-	}
-
 	h.Write([]byte(meta.WtVersion))
 	h.Write([]byte(meta.OSVersion))
 	h.Write([]byte(meta.KernelVersion))
--- a/management/server/loginfilter_test.go
+++ b/management/server/loginfilter_test.go
@ -14,10 +14,11 @@ import (

 func testCfg() *config {
 	return &config{
-		filterTimeout:     20 * time.Millisecond,
-		reconnThreshold:   50 * time.Millisecond,
-		blockDuration:     100 * time.Millisecond,
-		reconnLimitForBan: 3,
+		filterTimeout:           20 * time.Millisecond,
+		reconnThreshold:         50 * time.Millisecond,
+		blockDuration:           100 * time.Millisecond,
+		reconnLimitForBan:       3,
+		differentMetaReconnects: 1,
 	}
 }

@ -99,6 +100,10 @@ func (s *LoginFilterTestSuite) TestDifferentHashIsBlockedWhenActive() {
 	meta1 := uint64(23424223423)
 	meta2 := uint64(99878798987987)

+	for range s.filter.cfg.differentMetaReconnects {
+		s.filter.addLogin(pubKey, meta1)
+	}
+
 	s.filter.addLogin(pubKey, meta1)

 	s.False(s.filter.allowLogin(pubKey, meta2))
@ -177,12 +182,6 @@ func BenchmarkHashingMethods(b *testing.B) {
 func fnvHashToString(meta nbpeer.PeerSystemMeta, pubip string) string {
 	h := fnv.New64a()

-	if len(meta.NetworkAddresses) != 0 {
-		for _, na := range meta.NetworkAddresses {
-			h.Write([]byte(na.Mac))
-		}
-	}
-
 	h.Write([]byte(meta.WtVersion))
 	h.Write([]byte(meta.OSVersion))
 	h.Write([]byte(meta.KernelVersion))
@ -194,9 +193,8 @@ func fnvHashToString(meta nbpeer.PeerSystemMeta, pubip string) string {
 }

 func builderString(meta nbpeer.PeerSystemMeta, pubip string) string {
-	mac := getMacAddress(meta.NetworkAddresses)
 	estimatedSize := len(meta.WtVersion) + len(meta.OSVersion) + len(meta.KernelVersion) + len(meta.Hostname) + len(meta.SystemSerialNumber) +
-		len(pubip) + len(mac) + 6
+		len(pubip) + 5

 	var b strings.Builder
 	b.Grow(estimatedSize)
@ -212,19 +210,6 @@ func builderString(meta nbpeer.PeerSystemMeta, pubip string) string {
 	b.WriteString(meta.SystemSerialNumber)
 	b.WriteByte('|')
 	b.WriteString(pubip)
-	b.WriteByte('|')
-	b.WriteString(mac)

 	return b.String()
 }
-
-func getMacAddress(nas []nbpeer.NetworkAddress) string {
-	if len(nas) == 0 {
-		return ""
-	}
-	macs := make([]string, 0, len(nas))
-	for _, na := range nas {
-		macs = append(macs, na.Mac)
-	}
-	return strings.Join(macs, "/")
-}