extern/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2025-06-21 10:18:50 +02:00
Code Issues Packages Projects Releases Wiki Activity

removed macs from hash, added 3 attempts for the same keys

Browse Source
This commit is contained in:
crn4 2025-06-19 19:40:17 +02:00
parent dd9ed1dfa7
commit 660388889a
2 changed files with 25 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
management/server/loginfilter.go
View File

@ -11,16 +11,18 @@ import (
const ( const (
filterTimeout = 5 * time.Minute // Duration to secure the previous login information in the filter filterTimeout = 5 * time.Minute // Duration to secure the previous login information in the filter
reconnThreshold = 5 * time.Minute reconnThreshold = 5 * time.Minute
blockDuration = 10 * time.Minute // Duration for which a peer is banned after exceeding the reconnection limit blockDuration = 10 * time.Minute // Duration for which a peer is banned after exceeding the reconnection limit
reconnLimitForBan = 30 // Number of reconnections within the reconnTreshold that triggers a ban reconnLimitForBan = 30 // Number of reconnections within the reconnTreshold that triggers a ban
differentMetaReconnects = 3 // Number of reconnections with different metadata that triggers a ban of one peer
) )
type config struct { type config struct {
filterTimeout time.Duration filterTimeout time.Duration
reconnThreshold time.Duration reconnThreshold time.Duration
blockDuration time.Duration blockDuration time.Duration
reconnLimitForBan int reconnLimitForBan int
differentMetaReconnects int
} }
type loginFilter struct { type loginFilter struct {
@ -39,10 +41,11 @@ type metahash struct {
func initCfg() *config { func initCfg() *config {
return &config{ return &config{
filterTimeout: filterTimeout, filterTimeout: filterTimeout,
reconnThreshold: reconnThreshold, reconnThreshold: reconnThreshold,
blockDuration: blockDuration, blockDuration: blockDuration,
reconnLimitForBan: reconnLimitForBan, reconnLimitForBan: reconnLimitForBan,
differentMetaReconnects: differentMetaReconnects,
} }
} }
@ -86,7 +89,7 @@ func (l *loginFilter) allowLogin(wgPubKey string, metaHash uint64) bool {
if mh.banned && time.Since(mh.lastSeen) < l.cfg.blockDuration { if mh.banned && time.Since(mh.lastSeen) < l.cfg.blockDuration {
return false return false
} }
if mh.hash != metaHash && time.Since(mh.lastSeen) < l.cfg.filterTimeout { if mh.hash != metaHash && time.Since(mh.lastSeen) < l.cfg.filterTimeout && mh.counter > l.cfg.differentMetaReconnects {
return false return false
} }
return true return true
@ -101,12 +104,6 @@ func (l *loginFilter) removeLogin(wgPubKey string) {
func metaHash(meta nbpeer.PeerSystemMeta, pubip string) uint64 { func metaHash(meta nbpeer.PeerSystemMeta, pubip string) uint64 {
h := fnv.New64a() h := fnv.New64a()
if len(meta.NetworkAddresses) != 0 {
for _, na := range meta.NetworkAddresses {
h.Write([]byte(na.Mac))
}
}
h.Write([]byte(meta.WtVersion)) h.Write([]byte(meta.WtVersion))
h.Write([]byte(meta.OSVersion)) h.Write([]byte(meta.OSVersion))
h.Write([]byte(meta.KernelVersion)) h.Write([]byte(meta.KernelVersion))

35
management/server/loginfilter_test.go
View File

@ -14,10 +14,11 @@ import (
func testCfg() *config { func testCfg() *config {
return &config{ return &config{
filterTimeout: 20 * time.Millisecond, filterTimeout: 20 * time.Millisecond,
reconnThreshold: 50 * time.Millisecond, reconnThreshold: 50 * time.Millisecond,
blockDuration: 100 * time.Millisecond, blockDuration: 100 * time.Millisecond,
reconnLimitForBan: 3, reconnLimitForBan: 3,
differentMetaReconnects: 1,
} }
} }
@ -99,6 +100,10 @@ func (s *LoginFilterTestSuite) TestDifferentHashIsBlockedWhenActive() {
meta1 := uint64(23424223423) meta1 := uint64(23424223423)
meta2 := uint64(99878798987987) meta2 := uint64(99878798987987)
for range s.filter.cfg.differentMetaReconnects {
s.filter.addLogin(pubKey, meta1)
}
s.filter.addLogin(pubKey, meta1) s.filter.addLogin(pubKey, meta1)
s.False(s.filter.allowLogin(pubKey, meta2)) s.False(s.filter.allowLogin(pubKey, meta2))
@ -177,12 +182,6 @@ func BenchmarkHashingMethods(b *testing.B) {
func fnvHashToString(meta nbpeer.PeerSystemMeta, pubip string) string { func fnvHashToString(meta nbpeer.PeerSystemMeta, pubip string) string {
h := fnv.New64a() h := fnv.New64a()
if len(meta.NetworkAddresses) != 0 {
for _, na := range meta.NetworkAddresses {
h.Write([]byte(na.Mac))
}
}
h.Write([]byte(meta.WtVersion)) h.Write([]byte(meta.WtVersion))
h.Write([]byte(meta.OSVersion)) h.Write([]byte(meta.OSVersion))
h.Write([]byte(meta.KernelVersion)) h.Write([]byte(meta.KernelVersion))
@ -194,9 +193,8 @@ func fnvHashToString(meta nbpeer.PeerSystemMeta, pubip string) string {
} }
func builderString(meta nbpeer.PeerSystemMeta, pubip string) string { func builderString(meta nbpeer.PeerSystemMeta, pubip string) string {
mac := getMacAddress(meta.NetworkAddresses)
estimatedSize := len(meta.WtVersion) + len(meta.OSVersion) + len(meta.KernelVersion) + len(meta.Hostname) + len(meta.SystemSerialNumber) + estimatedSize := len(meta.WtVersion) + len(meta.OSVersion) + len(meta.KernelVersion) + len(meta.Hostname) + len(meta.SystemSerialNumber) +
len(pubip) + len(mac) + 6 len(pubip) + 5
var b strings.Builder var b strings.Builder
b.Grow(estimatedSize) b.Grow(estimatedSize)
@ -212,19 +210,6 @@ func builderString(meta nbpeer.PeerSystemMeta, pubip string) string {
b.WriteString(meta.SystemSerialNumber) b.WriteString(meta.SystemSerialNumber)
b.WriteByte('|') b.WriteByte('|')
b.WriteString(pubip) b.WriteString(pubip)
b.WriteByte('|')
b.WriteString(mac)
return b.String() return b.String()
} }
func getMacAddress(nas []nbpeer.NetworkAddress) string {
if len(nas) == 0 {
return ""
}
macs := make([]string, 0, len(nas))
for _, na := range nas {
macs = append(macs, na.Mac)
}
return strings.Join(macs, "/")
}