search for: protocol_subnet

Hello, Here is a patch for protocol_subnet.c with two modifications : - in tunnelserver mode, tinc must check subnets in the ".../hosts/owner" config file, not in "c->config_tree" (which is the configuration of the meta-connection from which we receive the ADD_SUBNET message). - this checking can be made befor...

...h example, but there are others) > and it is not very flexible, but I would disagree that it is > unmanageable. In ChaosVPN we use StrictSubnets, and additionally the following patch on the core-nodes where (nearly) everyone connects to: (cut&paste whitespace damaged) diff --git a/src/protocol_subnet.c b/src/protocol_subnet.c index 06dafbc..e2d4bfc 100644 --- a/src/protocol_subnet.c +++ b/src/protocol_subnet.c @@ -117,7 +117,9 @@ bool add_subnet_h(connection_t *c, const char *request) { if(strictsubnets) { logger(DEBUG_ALWAYS, LOG_WARNING, "Ignoring unauthorized %s...

...; and it is not very flexible, but I would disagree that it is > > unmanageable. > > In ChaosVPN we use StrictSubnets, and additionally the following patch > on the core-nodes where (nearly) everyone connects to: > > (cut&paste whitespace damaged) > > diff --git a/src/protocol_subnet.c b/src/protocol_subnet.c > index 06dafbc..e2d4bfc 100644 > --- a/src/protocol_subnet.c > +++ b/src/protocol_subnet.c > @@ -117,7 +117,9 @@ bool add_subnet_h(connection_t *c, const char > *request) { > if(strictsubnets) { > logger(DEBUG_ALWAYS, LOG_WARNI...

...; and it is not very flexible, but I would disagree that it is > > unmanageable. > > In ChaosVPN we use StrictSubnets, and additionally the following patch > on the core-nodes where (nearly) everyone connects to: > > (cut&paste whitespace damaged) > > diff --git a/src/protocol_subnet.c b/src/protocol_subnet.c > index 06dafbc..e2d4bfc 100644 > --- a/src/protocol_subnet.c > +++ b/src/protocol_subnet.c > @@ -117,7 +117,9 @@ bool add_subnet_h(connection_t *c, const char > *request) { > if(strictsubnets) { > logger(DEBUG_ALWAYS, LOG_WARNI...

On 7 December 2015 at 17:20, Florent B <florent at coppint.com> wrote: > I have a cluster of 5 nodes, running Proxmox 4, and Tinc as "virtual > switch" for my nodes : on each node, a bridge "vmbr1" where Tinc is > connected, provides me a secured network for my VMs (connected to that > bridge). > > When I move (hot move) a VM from a host to another, I

...inged = true; c->last_ping_time = now; return send_request(c, "%d", PING); @@ -139,7 +139,7 @@ { cp(); - c->status.pinged = false; + c->status.st.pinged = false; /* Succesful connection, reset timeout if this is an outgoing connection. */ diff -ubr tinc-1.0.8/src/protocol_subnet.c tinc-1.0.8.my/src/protocol_subnet.c --- tinc-1.0.8/src/protocol_subnet.c Wed Apr 26 15:53:05 2006 +++ tinc-1.0.8.my/src/protocol_subnet.c Thu Sep 25 11:19:53 2008 @@ -134,7 +134,7 @@ *(new = new_subnet()) = s; subnet_add(owner, new); - if(owner->status.reachable) + if(owner->status.st...

TL;DR: a proposal for a new tinc feature that allows nodes to filter ADD_SUBNET messages based on the metaconnection on which they are received, so that nodes can't impersonate each other's VPN Subnets. Similar to StrictSubnets in spirit, but way more flexible. BACKGROUND: THE ISSUE OF TRUST IN A TINC NETWORK In terms of metaconnections (I'm not discussing data tunnels here), one of

...c() function) it looks like tinc is not really able to > migrate MAC addresses from one node to another in the way you'd > expect. It will add the MAC address to the new node, but will not > remove it from the other. It actually does, search for the comment "Fast handoff" in protocol_subnet.c. It should cause the old MAC entry to be removed in at most PingTimeout (which defaults to 5) seconds. -- Met vriendelijke groet / with kind regards, Guus Sliepen <guus at tinc-vpn.org> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc...

...usr/local/share/locale\" -DLOCALSTATEDIR=\"/usr/local/var\" -g -O2 -o tincd conf.o connection.o edge.o event.o graph.o logger.o meta.o net.o net_packet.o net_setup.o net_socket.o netutl.o node.o process.o protocol.o protocol_auth.o protocol_edge.o protocol_misc.o protocol_key.o protocol_subnet.o route.o subnet.o tincd.o ../lib/libvpn.a -lcrypto -lz -llzo graph.o: In function `sssp_bfs':/usr/src/tinc/src/graph.c:278: undefined reference to `device' ... tincd.o: In function `main':/usr/src/tinc/src/tincd.c:504: undefined reference to `dump_device_stats' collect2: ld re...

...in.o dummy_device.o edge.o event.o fake-getaddrinfo.o fake-getnameinfo.o getopt.o getopt1.o graph.o list.o logger.o meta.o multicast_device.o net.o net_packet.o net_setup.o net_socket.o netutl.o node.o pidfile.o process.o protocol.o protocol_auth.o protocol_edge.o protocol_misc.o protocol_key.o protocol_subnet.o raw_socket_device.o route.o subnet.o tincd.o utils.o xmalloc.o bsd/device.o -lcrypto -lz -llzo2 clang: warning: argument unused during compilation: '-pie' Undefined symbols for architecture x86_64: "_res_9_init", referenced from: _main_loop in net.o ld: symbo...

...VPN with a statement like: Subnet = 10.0.0.0/8 But I should add every Mac address of the tap interfaces of the clients. This is not feasible, because I also guess these mac addresses change everytime a tap interface is created. What I did to fix my problem was to patch this file at line 109: src/protocol_subnet.c:109 deleting the if statement that was preventing to add "Subnets" So I just deleted from line 109 to 130. Of course this is a dirty hack that works in my particular setup. Now the ARP lookup on the server works fine. before the server was sending the traffic to ALL the clients, so w...

...nc/src/net_socket.c U tinc/src/netutl.c U tinc/src/netutl.h U tinc/src/node.c U tinc/src/node.h U tinc/src/process.c U tinc/src/process.h U tinc/src/protocol.c U tinc/src/protocol.h U tinc/src/protocol_auth.c U tinc/src/protocol_edge.c U tinc/src/protocol_key.c U tinc/src/protocol_misc.c U tinc/src/protocol_subnet.c U tinc/src/route.c U tinc/src/route.h U tinc/src/subnet.c U tinc/src/subnet.h U tinc/src/tincd.c cvs server: Updating tinc/src/cygwin U tinc/src/cygwin/device.c cvs server: Updating tinc/src/darwin U tinc/src/darwin/device.c cvs server: Updating tinc/src/freebsd U tinc/src/freebsd/device.c cvs se...