mirror of
https://github.com/netbirdio/netbird.git
synced 2025-06-21 10:18:50 +02:00
removed macs from hash, added 3 attempts for the same keys
parent
dd9ed1dfa7
commit
660388889a
@ -11,16 +11,18 @@ import (
|
|||||||
const (
|
const (
|
||||||
filterTimeout = 5 * time.Minute // Duration to secure the previous login information in the filter
|
filterTimeout = 5 * time.Minute // Duration to secure the previous login information in the filter
|
||||||
|
|
||||||
reconnThreshold = 5 * time.Minute
|
reconnThreshold = 5 * time.Minute
|
||||||
blockDuration = 10 * time.Minute // Duration for which a peer is banned after exceeding the reconnection limit
|
blockDuration = 10 * time.Minute // Duration for which a peer is banned after exceeding the reconnection limit
|
||||||
reconnLimitForBan = 30 // Number of reconnections within the reconnTreshold that triggers a ban
|
reconnLimitForBan = 30 // Number of reconnections within the reconnTreshold that triggers a ban
|
||||||
|
differentMetaReconnects = 3 // Number of reconnections with different metadata that triggers a ban of one peer
|
||||||
)
|
)
|
||||||
|
|
||||||
type config struct {
|
type config struct {
|
||||||
filterTimeout time.Duration
|
filterTimeout time.Duration
|
||||||
reconnThreshold time.Duration
|
reconnThreshold time.Duration
|
||||||
blockDuration time.Duration
|
blockDuration time.Duration
|
||||||
reconnLimitForBan int
|
reconnLimitForBan int
|
||||||
|
differentMetaReconnects int
|
||||||
}
|
}
|
||||||
|
|
||||||
type loginFilter struct {
|
type loginFilter struct {
|
||||||
@ -39,10 +41,11 @@ type metahash struct {
|
|||||||
|
|
||||||
func initCfg() *config {
|
func initCfg() *config {
|
||||||
return &config{
|
return &config{
|
||||||
filterTimeout: filterTimeout,
|
filterTimeout: filterTimeout,
|
||||||
reconnThreshold: reconnThreshold,
|
reconnThreshold: reconnThreshold,
|
||||||
blockDuration: blockDuration,
|
blockDuration: blockDuration,
|
||||||
reconnLimitForBan: reconnLimitForBan,
|
reconnLimitForBan: reconnLimitForBan,
|
||||||
|
differentMetaReconnects: differentMetaReconnects,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -86,7 +89,7 @@ func (l *loginFilter) allowLogin(wgPubKey string, metaHash uint64) bool {
|
|||||||
if mh.banned && time.Since(mh.lastSeen) < l.cfg.blockDuration {
|
if mh.banned && time.Since(mh.lastSeen) < l.cfg.blockDuration {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
if mh.hash != metaHash && time.Since(mh.lastSeen) < l.cfg.filterTimeout {
|
if mh.hash != metaHash && time.Since(mh.lastSeen) < l.cfg.filterTimeout && mh.counter > l.cfg.differentMetaReconnects {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
return true
|
return true
|
||||||
@ -101,12 +104,6 @@ func (l *loginFilter) removeLogin(wgPubKey string) {
|
|||||||
func metaHash(meta nbpeer.PeerSystemMeta, pubip string) uint64 {
|
func metaHash(meta nbpeer.PeerSystemMeta, pubip string) uint64 {
|
||||||
h := fnv.New64a()
|
h := fnv.New64a()
|
||||||
|
|
||||||
if len(meta.NetworkAddresses) != 0 {
|
|
||||||
for _, na := range meta.NetworkAddresses {
|
|
||||||
h.Write([]byte(na.Mac))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
h.Write([]byte(meta.WtVersion))
|
h.Write([]byte(meta.WtVersion))
|
||||||
h.Write([]byte(meta.OSVersion))
|
h.Write([]byte(meta.OSVersion))
|
||||||
h.Write([]byte(meta.KernelVersion))
|
h.Write([]byte(meta.KernelVersion))
|
||||||
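Review bot: In `allowLogin`, the new clause `mh.counter > l.cfg.differentMetaReconnects` gates the different-metadata rejection on `mh.counter`, yet the updated test raises that counter by calling `addLogin` with the same hash, so it appears to count logins in general rather than "reconnections with different metadata" as the constant's comment says. If that reading is right, a login presenting the same WireGuard key with different metadata is accepted whenever the existing peer's counter is low, and rejected only after that peer has itself reconnected several times inside the window. The comparison is also strict, so with the default of 3 the rejection starts at a counter of 4 while the commit title speaks of 3 attempts; either `mh.counter >= l.cfg.differentMetaReconnects` or a comment such as `// different-meta logins are rejected once counter exceeds this value` would pin the intent. Where `counter` is incremented and reset lies outside the visible hunks, so this needs checking against `addLogin`.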
|
@ -14,10 +14,11 @@ import (
|
|||||||
|
|
||||||
func testCfg() *config {
|
func testCfg() *config {
|
||||||
return &config{
|
return &config{
|
||||||
filterTimeout: 20 * time.Millisecond,
|
filterTimeout: 20 * time.Millisecond,
|
||||||
reconnThreshold: 50 * time.Millisecond,
|
reconnThreshold: 50 * time.Millisecond,
|
||||||
blockDuration: 100 * time.Millisecond,
|
blockDuration: 100 * time.Millisecond,
|
||||||
reconnLimitForBan: 3,
|
reconnLimitForBan: 3,
|
||||||
|
differentMetaReconnects: 1,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -99,6 +100,10 @@ func (s *LoginFilterTestSuite) TestDifferentHashIsBlockedWhenActive() {
|
|||||||
meta1 := uint64(23424223423)
|
meta1 := uint64(23424223423)
|
||||||
meta2 := uint64(99878798987987)
|
meta2 := uint64(99878798987987)
|
||||||
|
|
||||||
|
for range s.filter.cfg.differentMetaReconnects {
|
||||||
|
s.filter.addLogin(pubKey, meta1)
|
||||||
|
}
|
||||||
|
|
||||||
s.filter.addLogin(pubKey, meta1)
|
s.filter.addLogin(pubKey, meta1)
|
||||||
|
|
||||||
s.False(s.filter.allowLogin(pubKey, meta2))
|
s.False(s.filter.allowLogin(pubKey, meta2))
|
||||||
@ -177,12 +182,6 @@ func BenchmarkHashingMethods(b *testing.B) {
|
|||||||
func fnvHashToString(meta nbpeer.PeerSystemMeta, pubip string) string {
|
func fnvHashToString(meta nbpeer.PeerSystemMeta, pubip string) string {
|
||||||
h := fnv.New64a()
|
h := fnv.New64a()
|
||||||
|
|
||||||
if len(meta.NetworkAddresses) != 0 {
|
|
||||||
for _, na := range meta.NetworkAddresses {
|
|
||||||
h.Write([]byte(na.Mac))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
h.Write([]byte(meta.WtVersion))
|
h.Write([]byte(meta.WtVersion))
|
||||||
h.Write([]byte(meta.OSVersion))
|
h.Write([]byte(meta.OSVersion))
|
||||||
h.Write([]byte(meta.KernelVersion))
|
h.Write([]byte(meta.KernelVersion))
|
||||||
@ -194,9 +193,8 @@ func fnvHashToString(meta nbpeer.PeerSystemMeta, pubip string) string {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func builderString(meta nbpeer.PeerSystemMeta, pubip string) string {
|
func builderString(meta nbpeer.PeerSystemMeta, pubip string) string {
|
||||||
mac := getMacAddress(meta.NetworkAddresses)
|
|
||||||
estimatedSize := len(meta.WtVersion) + len(meta.OSVersion) + len(meta.KernelVersion) + len(meta.Hostname) + len(meta.SystemSerialNumber) +
|
estimatedSize := len(meta.WtVersion) + len(meta.OSVersion) + len(meta.KernelVersion) + len(meta.Hostname) + len(meta.SystemSerialNumber) +
|
||||||
len(pubip) + len(mac) + 6
|
len(pubip) + 5
|
||||||
|
|
||||||
var b strings.Builder
|
var b strings.Builder
|
||||||
b.Grow(estimatedSize)
|
b.Grow(estimatedSize)
|
||||||
@ -212,19 +210,6 @@ func builderString(meta nbpeer.PeerSystemMeta, pubip string) string {
|
|||||||
b.WriteString(meta.SystemSerialNumber)
|
b.WriteString(meta.SystemSerialNumber)
|
||||||
b.WriteByte('|')
|
b.WriteByte('|')
|
||||||
b.WriteString(pubip)
|
b.WriteString(pubip)
|
||||||
b.WriteByte('|')
|
|
||||||
b.WriteString(mac)
|
|
||||||
|
|
||||||
return b.String()
|
return b.String()
|
||||||
}
|
}
|
||||||
|
|
||||||
func getMacAddress(nas []nbpeer.NetworkAddress) string {
|
|
||||||
if len(nas) == 0 {
|
|
||||||
return ""
|
|
||||||
}
|
|
||||||
macs := make([]string, 0, len(nas))
|
|
||||||
for _, na := range nas {
|
|
||||||
macs = append(macs, na.Mac)
|
|
||||||
}
|
|
||||||
return strings.Join(macs, "/")
|
|
||||||
}
|
|
||||||
|
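Review bot: `TestDifferentHashIsBlockedWhenActive` now only exercises the path where the counter is already above `differentMetaReconnects`, so nothing pins the newly permitted case or the exact boundary of the `>` comparison in `allowLogin`. A companion test that performs a single `s.filter.addLogin(pubKey, meta1)` and then asserts `s.True(s.filter.allowLogin(pubKey, meta2))` would document that a different hash is accepted below the threshold, assuming one `addLogin` leaves the counter at or below the configured value of 1 (the increment logic is not visible here). Without it, a later change from `>` to `>=` or to how the counter is reset would pass the suite unnoticed. The test function's opening lines, including where `pubKey` is defined, are outside the hunk.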