From 660388889a8378916ff484dee9a6c2dbd94a2e19 Mon Sep 17 00:00:00 2001
From: crn4 <vladimir.klementyev@gmail.com>
Date: Thu, 19 Jun 2025 19:40:17 +0200
Subject: [PATCH] removed macs from hash, added 3 attempts for the same keys

---
 management/server/loginfilter.go      | 33 ++++++++++++-------------
 management/server/loginfilter_test.go | 35 ++++++++-------------------
 2 files changed, 25 insertions(+), 43 deletions(-)

diff --git a/management/server/loginfilter.go b/management/server/loginfilter.go
index da7656c09..6c6d369c8 100644
--- a/management/server/loginfilter.go
+++ b/management/server/loginfilter.go
@@ -11,16 +11,18 @@ import (
 const (
 	filterTimeout = 5 * time.Minute // Duration to secure the previous login information in the filter
 
-	reconnThreshold   = 5 * time.Minute
-	blockDuration     = 10 * time.Minute // Duration for which a peer is banned after exceeding the reconnection limit
-	reconnLimitForBan = 30               // Number of reconnections within the reconnTreshold that triggers a ban
+	reconnThreshold         = 5 * time.Minute
+	blockDuration           = 10 * time.Minute // Duration for which a peer is banned after exceeding the reconnection limit
+	reconnLimitForBan       = 30               // Number of reconnections within the reconnTreshold that triggers a ban
+	differentMetaReconnects = 3                // Number of reconnections with different metadata that triggers a ban of one peer
 )
 
 type config struct {
-	filterTimeout     time.Duration
-	reconnThreshold   time.Duration
-	blockDuration     time.Duration
-	reconnLimitForBan int
+	filterTimeout           time.Duration
+	reconnThreshold         time.Duration
+	blockDuration           time.Duration
+	reconnLimitForBan       int
+	differentMetaReconnects int
 }
 
 type loginFilter struct {
@@ -39,10 +41,11 @@ type metahash struct {
 
 func initCfg() *config {
 	return &config{
-		filterTimeout:     filterTimeout,
-		reconnThreshold:   reconnThreshold,
-		blockDuration:     blockDuration,
-		reconnLimitForBan: reconnLimitForBan,
+		filterTimeout:           filterTimeout,
+		reconnThreshold:         reconnThreshold,
+		blockDuration:           blockDuration,
+		reconnLimitForBan:       reconnLimitForBan,
+		differentMetaReconnects: differentMetaReconnects,
 	}
 }
 
@@ -86,7 +89,7 @@ func (l *loginFilter) allowLogin(wgPubKey string, metaHash uint64) bool {
 	if mh.banned && time.Since(mh.lastSeen) < l.cfg.blockDuration {
 		return false
 	}
-	if mh.hash != metaHash && time.Since(mh.lastSeen) < l.cfg.filterTimeout {
+	if mh.hash != metaHash && time.Since(mh.lastSeen) < l.cfg.filterTimeout && mh.counter > l.cfg.differentMetaReconnects {
 		return false
 	}
 	return true
@@ -101,12 +104,6 @@ func (l *loginFilter) removeLogin(wgPubKey string) {
 func metaHash(meta nbpeer.PeerSystemMeta, pubip string) uint64 {
 	h := fnv.New64a()
 
-	if len(meta.NetworkAddresses) != 0 {
-		for _, na := range meta.NetworkAddresses {
-			h.Write([]byte(na.Mac))
-		}
-	}
-
 	h.Write([]byte(meta.WtVersion))
 	h.Write([]byte(meta.OSVersion))
 	h.Write([]byte(meta.KernelVersion))
diff --git a/management/server/loginfilter_test.go b/management/server/loginfilter_test.go
index 21a2673aa..4c2694ec1 100644
--- a/management/server/loginfilter_test.go
+++ b/management/server/loginfilter_test.go
@@ -14,10 +14,11 @@ import (
 
 func testCfg() *config {
 	return &config{
-		filterTimeout:     20 * time.Millisecond,
-		reconnThreshold:   50 * time.Millisecond,
-		blockDuration:     100 * time.Millisecond,
-		reconnLimitForBan: 3,
+		filterTimeout:           20 * time.Millisecond,
+		reconnThreshold:         50 * time.Millisecond,
+		blockDuration:           100 * time.Millisecond,
+		reconnLimitForBan:       3,
+		differentMetaReconnects: 1,
 	}
 }
 
@@ -99,6 +100,10 @@ func (s *LoginFilterTestSuite) TestDifferentHashIsBlockedWhenActive() {
 	meta1 := uint64(23424223423)
 	meta2 := uint64(99878798987987)
 
+	for range s.filter.cfg.differentMetaReconnects {
+		s.filter.addLogin(pubKey, meta1)
+	}
+
 	s.filter.addLogin(pubKey, meta1)
 
 	s.False(s.filter.allowLogin(pubKey, meta2))
@@ -177,12 +182,6 @@ func BenchmarkHashingMethods(b *testing.B) {
 func fnvHashToString(meta nbpeer.PeerSystemMeta, pubip string) string {
 	h := fnv.New64a()
 
-	if len(meta.NetworkAddresses) != 0 {
-		for _, na := range meta.NetworkAddresses {
-			h.Write([]byte(na.Mac))
-		}
-	}
-
 	h.Write([]byte(meta.WtVersion))
 	h.Write([]byte(meta.OSVersion))
 	h.Write([]byte(meta.KernelVersion))
@@ -194,9 +193,8 @@ func fnvHashToString(meta nbpeer.PeerSystemMeta, pubip string) string {
 }
 
 func builderString(meta nbpeer.PeerSystemMeta, pubip string) string {
-	mac := getMacAddress(meta.NetworkAddresses)
 	estimatedSize := len(meta.WtVersion) + len(meta.OSVersion) + len(meta.KernelVersion) + len(meta.Hostname) + len(meta.SystemSerialNumber) +
-		len(pubip) + len(mac) + 6
+		len(pubip) + 5
 
 	var b strings.Builder
 	b.Grow(estimatedSize)
@@ -212,19 +210,6 @@ func builderString(meta nbpeer.PeerSystemMeta, pubip string) string {
 	b.WriteString(meta.SystemSerialNumber)
 	b.WriteByte('|')
 	b.WriteString(pubip)
-	b.WriteByte('|')
-	b.WriteString(mac)
 
 	return b.String()
 }
-
-func getMacAddress(nas []nbpeer.NetworkAddress) string {
-	if len(nas) == 0 {
-		return ""
-	}
-	macs := make([]string, 0, len(nas))
-	for _, na := range nas {
-		macs = append(macs, na.Mac)
-	}
-	return strings.Join(macs, "/")
-}