/* SPDX-License-Identifier: MIT
*
* Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
*/
package device
import (
	"container/list"
	"encoding/binary"
	"errors"
	"math/bits"
	"net"
	"sync"
	"unsafe"
)
// parentIndirection records where a node's pointer is stored in its parent,
// so the node can be replaced or unlinked without walking the trie again.
type parentIndirection struct {
	// parentBit is the address of the slot that points at this node: either
	// one of the parent's child slots or a table root (AllowedIPs.IPv4/IPv6).
	parentBit **trieEntry
	// parentBitType is the child index (0 or 1) that parentBit refers to. A
	// value greater than 1 marks a table-root slot rather than a child slot;
	// Insert tags the roots with 2 and RemoveByPeer tests for > 1.
	parentBitType uint8
}
// trieEntry is one node of the binary radix trie behind AllowedIPs. A node
// with a non-nil peer is an allowed-IP prefix owned by that peer; a node with
// a nil peer is an internal branch point created by insert (or left behind by
// RemoveByPeer) to split two prefixes.
type trieEntry struct {
	peer *Peer // owning peer, or nil for an internal branch node
	// child holds the subtrees selected by the first bit after the prefix,
	// i.e. the bit at (bitAtByte, bitAtShift) of the address being walked.
	child  [2]*trieEntry
	parent parentIndirection // slot in the parent (or table root) that points at this node
	cidr   uint8             // prefix length in bits
	// bitAtByte/bitAtShift locate the branching bit: byte index cidr/8 of the
	// address and shift 7-(cidr%8) within that byte (see insert and choose).
	bitAtByte  uint8
	bitAtShift uint8
	bits       net.IP // prefix address; maskSelf clears the bits beyond cidr in place
	// perPeerElem is this node's element in peer.trieEntries, nil once unlinked.
	perPeerElem *list.Element
}
// isLittleEndian reports whether the host stores multi-byte integers least
// significant byte first, by inspecting the in-memory layout of a uint16 with
// the value 1.
func isLittleEndian() bool {
	var probe uint16 = 1
	firstByte := (*[2]byte)(unsafe.Pointer(&probe))[0]
	return firstByte == 1
}
// swapU32 converts i between host byte order and big-endian: on a
// little-endian host the bytes are reversed, on a big-endian host i is
// returned unchanged.
func swapU32(i uint32) uint32 {
	if isLittleEndian() {
		return bits.ReverseBytes32(i)
	}
	return i
}
// swapU64 converts i between host byte order and big-endian: on a
// little-endian host the bytes are reversed, on a big-endian host i is
// returned unchanged.
func swapU64(i uint64) uint64 {
	if isLittleEndian() {
		return bits.ReverseBytes64(i)
	}
	return i
}
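// commonBits returns the number of leading bits shared by ip1 and ip2, which
// must both be net.IPv4len or net.IPv6len bytes long. Equal addresses yield
// the full width (32 or 128).
//
// The addresses are decoded with encoding/binary instead of reinterpreting
// the slice memory through unsafe: the loads are then bounds-checked, so a
// too-short ip2 panics rather than reading past the end of its backing array,
// the reads do not depend on alignment, and host byte order no longer matters
// (the previous code had to byte-swap on little-endian hosts).
//
// It panics if len(ip1) is neither net.IPv4len nor net.IPv6len, and, via the
// slice bounds check, if ip2 is shorter than ip1.
func commonBits(ip1 net.IP, ip2 net.IP) uint8 {
	switch len(ip1) {
	case net.IPv4len:
		// Big-endian decoding puts the first address byte in the most
		// significant position, so the leading zeros of the XOR count the
		// matching prefix bits in address order.
		x := binary.BigEndian.Uint32(ip1) ^ binary.BigEndian.Uint32(ip2)
		return uint8(bits.LeadingZeros32(x))
	case net.IPv6len:
		x := binary.BigEndian.Uint64(ip1) ^ binary.BigEndian.Uint64(ip2)
		if x != 0 {
			return uint8(bits.LeadingZeros64(x))
		}
		// The high 64 bits match: the result is 64 plus the match length of
		// the low 64 bits.
		x = binary.BigEndian.Uint64(ip1[8:]) ^ binary.BigEndian.Uint64(ip2[8:])
		return 64 + uint8(bits.LeadingZeros64(x))
	default:
		panic("Wrong size bit string")
	}
}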
// addToPeerEntries appends node to its peer's list of trie entries and keeps
// the resulting list element so removeFromPeerEntries can unlink it later.
func (node *trieEntry) addToPeerEntries() {
	elem := node.peer.trieEntries.PushBack(node)
	node.perPeerElem = elem
}
// removeFromPeerEntries unlinks node from its peer's entry list. It is a
// no-op when the node is not currently linked (perPeerElem is nil), so it is
// safe to call more than once.
func (node *trieEntry) removeFromPeerEntries() {
	elem := node.perPeerElem
	if elem == nil {
		return
	}
	node.peer.trieEntries.Remove(elem)
	node.perPeerElem = nil
}
// choose returns the bit of ip at this node's branching position (the first
// bit past its prefix), as 0 or 1, for use as an index into child. It panics
// if bitAtByte is not a valid index into ip; callers stop before calling it on
// a full-length prefix (see lookup).
func (node *trieEntry) choose(ip net.IP) byte {
	selected := ip[node.bitAtByte] >> node.bitAtShift
	return selected & 1
}
// maskSelf clears every bit of node.bits beyond the first cidr bits, in place.
// net.CIDRMask returns nil when cidr exceeds the address width, in which case
// nothing is masked; the caller is expected to pass a valid prefix length.
func (node *trieEntry) maskSelf() {
	mask := net.CIDRMask(int(node.cidr), len(node.bits)*8)
	for i, m := range mask {
		node.bits[i] &= m
	}
}
// nodePlacement walks down from node along ip and returns the deepest entry
// whose prefix covers ip/cidr and is no longer than cidr. exact is true when
// that entry has exactly prefix length cidr, i.e. the prefix already exists.
// parent is nil when no entry covers ip/cidr.
func (node *trieEntry) nodePlacement(ip net.IP, cidr uint8) (parent *trieEntry, exact bool) {
	cur := node
	for cur != nil {
		// Stop at the first node that is either more specific than the new
		// prefix or does not share the new prefix's bits.
		if cur.cidr > cidr || commonBits(cur.bits, ip) < cur.cidr {
			break
		}
		parent = cur
		if cur.cidr == cidr {
			return parent, true
		}
		cur = cur.child[cur.choose(ip)]
	}
	return parent, false
}
// insert adds the prefix ip/cidr for peer into the subtree rooted at
// *trie.parentBit. ip is stored by reference and masked in place by maskSelf,
// so the caller must not reuse the slice afterwards; the branch node created
// at the end copies its bits for the same reason.
//
// Cases, in order: empty subtree; a node with exactly this prefix already
// exists (its peer is replaced); a free child slot below the deepest covering
// node; the new prefix covers an existing subtree (the new node becomes its
// parent); otherwise a peer-less branch node is created at the longest common
// prefix with the displaced subtree and the new node as its two children.
//
// Must be called with the owning AllowedIPs mutex held for writing.
func (trie parentIndirection) insert(ip net.IP, cidr uint8, peer *Peer) {
	if *trie.parentBit == nil {
		// Empty subtree: the new node becomes its root.
		node := &trieEntry{
			peer:       peer,
			parent:     trie,
			bits:       ip,
			cidr:       cidr,
			bitAtByte:  cidr / 8,
			bitAtShift: 7 - (cidr % 8),
		}
		node.maskSelf()
		node.addToPeerEntries()
		*trie.parentBit = node
		return
	}
	// node is the deepest existing entry covering ip/cidr, or nil if none does.
	node, exact := (*trie.parentBit).nodePlacement(ip, cidr)
	if exact {
		// The prefix is already present: move it to the new peer, unlinking
		// it from the old peer's list first.
		node.removeFromPeerEntries()
		node.peer = peer
		node.addToPeerEntries()
		return
	}

	newNode := &trieEntry{
		peer:       peer,
		bits:       ip,
		cidr:       cidr,
		bitAtByte:  cidr / 8,
		bitAtShift: 7 - (cidr % 8),
	}
	newNode.maskSelf()
	newNode.addToPeerEntries()

	// down is the subtree the new node must be placed relative to: the whole
	// subtree when nothing covers ip/cidr, else node's child on ip's side.
	var down *trieEntry
	if node == nil {
		down = *trie.parentBit
	} else {
		bit := node.choose(ip)
		down = node.child[bit]
		if down == nil {
			// Free slot under the covering node: link newNode there directly.
			newNode.parent = parentIndirection{&node.child[bit], bit}
			node.child[bit] = newNode
			return
		}
	}
	// From here on cidr is the length of the prefix shared by down and the
	// new entry, which is where the two have to be joined.
	common := commonBits(down.bits, ip)
	if common < cidr {
		cidr = common
	}
	parent := node

	if newNode.cidr == cidr {
		// The new prefix covers down: newNode takes down's slot and adopts
		// down as the child on down's side.
		bit := newNode.choose(down.bits)
		down.parent = parentIndirection{&newNode.child[bit], bit}
		newNode.child[bit] = down
		if parent == nil {
			newNode.parent = trie
			*trie.parentBit = newNode
		} else {
			bit := parent.choose(newNode.bits)
			newNode.parent = parentIndirection{&parent.child[bit], bit}
			parent.child[bit] = newNode
		}
		return
	}

	// Neither prefix covers the other: create a peer-less branch node at the
	// common prefix with down and newNode as its children. bits is copied so
	// that node.maskSelf below does not also shorten newNode's address.
	node = &trieEntry{
		bits:       append([]byte{}, newNode.bits...),
		cidr:       cidr,
		bitAtByte:  cidr / 8,
		bitAtShift: 7 - (cidr % 8),
	}
	node.maskSelf()

	// down and newNode differ at the branch bit, so they land in different slots.
	bit := node.choose(down.bits)
	down.parent = parentIndirection{&node.child[bit], bit}
	node.child[bit] = down
	bit = node.choose(newNode.bits)
	newNode.parent = parentIndirection{&node.child[bit], bit}
	node.child[bit] = newNode
	if parent == nil {
		node.parent = trie
		*trie.parentBit = node
	} else {
		bit := parent.choose(node.bits)
		node.parent = parentIndirection{&parent.child[bit], bit}
		parent.child[bit] = node
	}
}
// lookup returns the peer owning the longest prefix that matches ip, or nil
// when no entry covers it. Branch nodes (nil peer) are traversed but never
// returned. A nil receiver is valid and yields nil.
func (node *trieEntry) lookup(ip net.IP) *Peer {
	var best *Peer
	size := uint8(len(ip))
	cur := node
	for cur != nil && commonBits(cur.bits, ip) >= cur.cidr {
		if cur.peer != nil {
			best = cur.peer
		}
		// A full-length prefix has no bit left to branch on, and choose
		// would index past the end of ip.
		if cur.bitAtByte == size {
			break
		}
		cur = cur.child[cur.choose(ip)]
	}
	return best
}
// AllowedIPs maps IPv4 and IPv6 prefixes to the peer they belong to, using one
// radix trie per address family. Insert and RemoveByPeer take mutex for
// writing; Lookup and EntriesForPeer take it for reading.
type AllowedIPs struct {
	IPv4  *trieEntry   // root of the IPv4 trie, nil while empty
	IPv6  *trieEntry   // root of the IPv6 trie, nil while empty
	mutex sync.RWMutex // guards both tries and the peer entry lists they link into
}
// EntriesForPeer calls cb once for every prefix currently assigned to peer and
// stops early when cb returns false. The read lock is held for the whole walk,
// including during each cb call, so cb must not call Insert or RemoveByPeer
// on the same table. The ip passed to cb is the node's own backing slice and
// must not be modified.
func (table *AllowedIPs) EntriesForPeer(peer *Peer, cb func(ip net.IP, cidr uint8) bool) {
	table.mutex.RLock()
	defer table.mutex.RUnlock()

	elem := peer.trieEntries.Front()
	for elem != nil {
		entry := elem.Value.(*trieEntry)
		if !cb(entry.bits, entry.cidr) {
			return
		}
		elem = elem.Next()
	}
}
// RemoveByPeer unlinks every prefix owned by peer from the tries and from the
// peer's entry list. A removed node that still has two children stays as a
// peer-less branch node; a node with at most one child is spliced out, and if
// that leaves its parent as a peer-less branch node with a single child, the
// parent is spliced out as well so no redundant internal nodes remain.
func (table *AllowedIPs) RemoveByPeer(peer *Peer) {
	table.mutex.Lock()
	defer table.mutex.Unlock()

	// next is read before the body runs because removeFromPeerEntries deletes
	// elem from the list being walked.
	var next *list.Element
	for elem := peer.trieEntries.Front(); elem != nil; elem = next {
		next = elem.Next()
		node := elem.Value.(*trieEntry)

		node.removeFromPeerEntries()
		node.peer = nil
		if node.child[0] != nil && node.child[1] != nil {
			// Both subtrees still need this node as their branch point; it
			// remains as an internal node.
			continue
		}
		// Splice the node out by promoting its only child (or nil) into the
		// slot that pointed at it.
		bit := 0
		if node.child[0] == nil {
			bit = 1
		}
		child := node.child[bit]
		if child != nil {
			child.parent = node.parent
		}
		*node.parent.parentBit = child
		if node.child[0] != nil || node.child[1] != nil || node.parent.parentBitType > 1 {
			// Either a child took the node's place, or the slot was a table
			// root (parentBitType > 1, as tagged by Insert) rather than a
			// child slot inside a parent entry: nothing further to collapse.
			continue
		}
		// parentBit points at parent.child[parentBitType]; recover the parent
		// entry from that slot address. The uintptr arithmetic stays inside
		// the same allocation, which is the form the unsafe.Pointer rules
		// permit; the root check above guarantees a real parent exists.
		parent := (*trieEntry)(unsafe.Pointer(uintptr(unsafe.Pointer(node.parent.parentBit)) - unsafe.Offsetof(node.child) - unsafe.Sizeof(node.child[0])*uintptr(node.parent.parentBitType)))
		if parent.peer != nil {
			// The parent is a real prefix entry, not a branch node; keep it.
			continue
		}
		// The parent was a branch node and is now down to one child: splice
		// it out too, lifting the sibling subtree into the parent's slot.
		child = parent.child[node.parent.parentBitType^1]
		if child != nil {
			child.parent = parent.parent
		}
		*parent.parent.parentBit = child
	}
}
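// Insert adds the prefix ip/cidr for peer to the table, replacing the peer of
// an identical existing prefix. ip must be net.IPv4len or net.IPv6len bytes
// long; the slice is retained and masked in place by the trie, so callers must
// not modify it afterwards.
//
// cidr is validated against the address width here because the trie code
// never checks it: an oversized prefix length makes net.CIDRMask return nil,
// leaving the stored bits unmasked, and later makes choose index past the end
// of the address. Invalid input panics, matching the existing handling of
// unknown address types; valid input behaves exactly as before.
func (table *AllowedIPs) Insert(ip net.IP, cidr uint8, peer *Peer) {
	table.mutex.Lock()
	defer table.mutex.Unlock()

	var root **trieEntry
	switch len(ip) {
	case net.IPv6len:
		root = &table.IPv6
	case net.IPv4len:
		root = &table.IPv4
	default:
		panic(errors.New("inserting unknown address type"))
	}
	if int(cidr) > len(ip)*8 {
		panic(errors.New("inserting invalid cidr"))
	}
	// The root slot is tagged with parentBitType 2 so RemoveByPeer can tell
	// a table root from a child slot inside a trieEntry.
	parentIndirection{root, 2}.insert(ip, cidr, peer)
}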
// Lookup returns the peer whose longest prefix matches address, or nil when no
// prefix covers it (including when the trie for that family is empty, which
// lookup handles via its nil-receiver check). address must be net.IPv4len or
// net.IPv6len bytes long; any other length panics.
func (table *AllowedIPs) Lookup(address []byte) *Peer {
	table.mutex.RLock()
	defer table.mutex.RUnlock()

	var root *trieEntry
	switch len(address) {
	case net.IPv6len:
		root = table.IPv6
	case net.IPv4len:
		root = table.IPv4
	default:
		panic(errors.New("looking up unknown address type"))
	}
	return root.lookup(address)
}