Add regexp to limit which link-local IPv6 zones allow peering, and check that a peer isn't from within the networks address block (prevents accidental tunneling)

2026-05-22 05:46:30 +03:00 · 2018-01-09 02:08:54 -06:00
parent b76fcbb402
commit ef1e0c902f
4 changed files with 26 additions and 1 deletions
--- a/src/yggdrasil/udp.go
+++ b/src/yggdrasil/udp.go
@@ -281,6 +281,15 @@ func (iface *udpInterface) reader() {
 		msg := bs[:n]
 		addr := connAddr(udpAddr.String())
 		if udp_isKeys(msg) {
+			var them address
+			copy(them[:], udpAddr.IP.To16())
+			if them.isValid() {
+				continue
+			}
+			if udpAddr.IP.IsLinkLocalUnicast() &&
+				!iface.core.ifceExpr.MatchString(udpAddr.Zone) {
+				continue
+			}
 			iface.handleKeys(msg, addr)
 		} else {
 			iface.handlePacket(msg, addr)