p2p: use /16 filtering on IPv4-within-IPv6 addresses

IPv6 addresses include a range that can map IPv4 addresses,
which allowed those mapped addresses to bypass filtering.

This filter should be replaced by AS filtering at some point.
moneromooo-monero 2020-10-25 16:22:01 +00:00
parent 3cbb44a2fd
commit 1f04a3186b
No known key found for this signature in database
GPG key ID: 686F07454D6CEFC3


@ -1432,6 +1432,20 @@ namespace nodetool
const uint32_t actual_ip = na.as<const epee::net_utils::ipv4_network_address>().ip(); const uint32_t actual_ip = na.as<const epee::net_utils::ipv4_network_address>().ip();
classB.insert(actual_ip & 0x0000ffff); classB.insert(actual_ip & 0x0000ffff);
} }
#if BOOST_VERSION > 106600
else if (cntxt.m_remote_address.get_type_id() == epee::net_utils::ipv6_network_address::get_type_id())
{
const epee::net_utils::network_address na = cntxt.m_remote_address;
const boost::asio::ip::address_v6 &actual_ip = na.as<const epee::net_utils::ipv6_network_address>().ip();
if (actual_ip.is_v4_mapped())
{
boost::asio::ip::address_v4 v4ip = make_address_v4(boost::asio::ip::v4_mapped, actual_ip);
uint32_t actual_ipv4;
memcpy(&actual_ipv4, v4ip.to_bytes().data(), sizeof(actual_ipv4));
classB.insert(actual_ipv4 & ntohl(0xffff0000));
}
}
#endif
return true; return true;
}); });
} }
@ -1452,6 +1466,20 @@ namespace nodetool
uint32_t actual_ip = na.as<const epee::net_utils::ipv4_network_address>().ip(); uint32_t actual_ip = na.as<const epee::net_utils::ipv4_network_address>().ip();
skip = classB.find(actual_ip & 0x0000ffff) != classB.end(); skip = classB.find(actual_ip & 0x0000ffff) != classB.end();
} }
#if BOOST_VERSION > 106600
else if (skip_duplicate_class_B && pe.adr.get_type_id() == epee::net_utils::ipv6_network_address::get_type_id())
{
const epee::net_utils::network_address na = pe.adr;
const boost::asio::ip::address_v6 &actual_ip = na.as<const epee::net_utils::ipv6_network_address>().ip();
if (actual_ip.is_v4_mapped())
{
boost::asio::ip::address_v4 v4ip = make_address_v4(boost::asio::ip::v4_mapped, actual_ip);
uint32_t actual_ipv4;
memcpy(&actual_ipv4, v4ip.to_bytes().data(), sizeof(actual_ipv4));
skip = classB.find(actual_ipv4 & ntohl(0xffff0000)) != classB.end();
}
}
#endif
if (skip) if (skip)
++skipped; ++skipped;
else if (next_needed_pruning_stripe == 0 || pe.pruning_seed == 0) else if (next_needed_pruning_stripe == 0 || pe.pruning_seed == 0)
@ -1464,11 +1492,11 @@ namespace nodetool
if (skipped == 0 || !filtered.empty()) if (skipped == 0 || !filtered.empty())
break; break;
if (skipped) if (skipped)
MINFO("Skipping " << skipped << " possible peers as they share a class B with existing peers"); MDEBUG("Skipping " << skipped << " possible peers as they share a class B with existing peers");
} }
if (filtered.empty()) if (filtered.empty())
{ {
MDEBUG("No available peer in " << (use_white_list ? "white" : "gray") << " list filtered by " << next_needed_pruning_stripe); MINFO("No available peer in " << (use_white_list ? "white" : "gray") << " list filtered by " << next_needed_pruning_stripe);
return false; return false;
} }
if (use_white_list) if (use_white_list)
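Review bot: Both added branches (the one that fills `classB` and the one that sets `skip`) sit behind `#if BOOST_VERSION > 106600`, so a node built against an older Boost still neither records nor checks IPv4-mapped IPv6 peers, and the bypass described in the commit message remains there with no `#else` or log line to show it. The guard appears to exist only for `make_address_v4`; copying the last four bytes of the 16-byte address directly, `memcpy(&actual_ipv4, actual_ip.to_bytes().data() + 12, sizeof(actual_ipv4));`, would avoid that call and should let the guard be dropped in both places. The new key is masked with `ntohl(0xffff0000)` while the existing IPv4 path uses `0x0000ffff`; the two agree only on little-endian hosts (assuming `ip()` returns the address in network byte order), so a single shared helper that produces the /16 key would keep entries in the set comparable. The enclosing functions start and end outside the hunks shown.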