adding a reg_config.toml with template for subnet overrides

cmd/registration-server/main.go

@@ -33,25 +33,25 @@ type regServer interface {
 
 // config defines the variables and options from the toml config file
 type config struct {
-	DNSListenAddr              string   `toml:"dns_listen_addr"`
-	Domain                     string   `toml:"domain"`
-	DNSPrivkeyPath             string   `toml:"dns_private_key_path"`
-	APIPort                    uint16   `toml:"api_port"`
-	ZMQAuthVerbose             bool     `toml:"zmq_auth_verbose"`
-	ZMQAuthType                string   `toml:"zmq_auth_type"`
-	ZMQPort                    uint16   `toml:"zmq_port"`
-	ZMQBindAddr                string   `toml:"zmq_bind_addr"`
-	ZMQPrivateKeyPath          string   `toml:"zmq_privkey_path"`
-	StationPublicKeys          []string `toml:"station_pubkeys"`
-	ClientConfPath             string   `toml:"clientconf_path"`
-	latestClientConf           *pb.ClientConf
-	LogLevel                   string                `toml:"log_level"`
-	LogMetricsInterval         uint16                `toml:"log_metrics_interval"`
-	EnforceSubnetOverrides     bool                  `toml:"enforce_subnet_overrides"`
-	PrcntMinConnsToOverride    float64               `toml:"prcnt_min_conns_to_override"`
-	PrcntPrefixConnsToOverride float64               `toml:"prcnt_prefix_conns_to_override"`
-	OverrideSubnets            []regprocessor.Subnet `toml:"override_subnets"`
-	ExclusionsFromOverride     []regprocessor.Subnet `toml:"excluded_subnets_from_overrides"`
+	DNSListenAddr             string   `toml:"dns_listen_addr"`
+	Domain                    string   `toml:"domain"`
+	DNSPrivkeyPath            string   `toml:"dns_private_key_path"`
+	APIPort                   uint16   `toml:"api_port"`
+	ZMQAuthVerbose            bool     `toml:"zmq_auth_verbose"`
+	ZMQAuthType               string   `toml:"zmq_auth_type"`
+	ZMQPort                   uint16   `toml:"zmq_port"`
+	ZMQBindAddr               string   `toml:"zmq_bind_addr"`
+	ZMQPrivateKeyPath         string   `toml:"zmq_privkey_path"`
+	StationPublicKeys         []string `toml:"station_pubkeys"`
+	ClientConfPath            string   `toml:"clientconf_path"`
+	latestClientConf          *pb.ClientConf
+	LogLevel                  string                `toml:"log_level"`
+	LogMetricsInterval        uint16                `toml:"log_metrics_interval"`
+	EnforceSubnetOverrides    bool                  `toml:"enforce_subnet_overrides"`
+	PrcntMinRegsToOverride    float64               `toml:"prcnt_min_regs_to_override"`
+	PrcntPrefixRegsToOverride float64               `toml:"prcnt_prefix_regs_to_override"`
+	OverrideSubnets           []regprocessor.Subnet `toml:"override_subnet"`
+	ExclusionsFromOverride    []regprocessor.Subnet `toml:"excluded_subnet_from_overrides"`
 }
 
 var defaultTransports = map[pb.TransportType]lib.Transport{
@@ -197,9 +197,9 @@ func main() {
 
 	switch conf.ZMQAuthType {
 	case "CURVE":
-		processor, err = regprocessor.NewRegProcessor(conf.ZMQBindAddr, conf.ZMQPort, zmqPrivkey, conf.ZMQAuthVerbose, conf.StationPublicKeys, metrics, conf.EnforceSubnetOverrides, conf.OverrideSubnets, conf.ExclusionsFromOverride, conf.PrcntMinConnsToOverride, conf.PrcntPrefixConnsToOverride)
+		processor, err = regprocessor.NewRegProcessor(conf.ZMQBindAddr, conf.ZMQPort, zmqPrivkey, conf.ZMQAuthVerbose, conf.StationPublicKeys, metrics, conf.EnforceSubnetOverrides, conf.OverrideSubnets, conf.ExclusionsFromOverride, conf.PrcntMinRegsToOverride, conf.PrcntPrefixRegsToOverride)
 	case "NULL":
-		processor, err = regprocessor.NewRegProcessorNoAuth(conf.ZMQBindAddr, conf.ZMQPort, metrics, conf.EnforceSubnetOverrides, conf.OverrideSubnets, conf.ExclusionsFromOverride, conf.PrcntMinConnsToOverride, conf.PrcntPrefixConnsToOverride)
+		processor, err = regprocessor.NewRegProcessorNoAuth(conf.ZMQBindAddr, conf.ZMQPort, metrics, conf.EnforceSubnetOverrides, conf.OverrideSubnets, conf.ExclusionsFromOverride, conf.PrcntMinRegsToOverride, conf.PrcntPrefixRegsToOverride)
 	default:
 		log.Fatalf("Unknown ZMQ auth type: %s", conf.ZMQAuthType)
 	}

cmd/registration-server/reg_config.toml

@@ -45,3 +45,32 @@ bidirectional_api_generation = 957
 
 # Path on disk to the latest ClientConfig file that the station should use
 clientconf_path = "/var/lib/conjure/ClientConf"
+
+# Whether to apply the below subnet overrides to clients bidirectional api registrations
+enforce_subnet_overrides = true
+
+# Percentage of bidirectional api registrations to override per transport
+prcnt_min_regs_to_override = 100
+prcnt_prefix_regs_to_override = 100
+
+# Subnets to use when overriding clients bidirectional api registrations
+[[override_subnet]]
+cidr = "X.X.X.X/32"
+weight = 10.7
+port = 443
+transport = "Min_Transport"
+
+[[override_subnet]]
+cidr = "X.X.X.X/24"
+weight = 10
+port = 80
+transport = "Prefix_Transport"
+prefix_id = 1
+
+# Subnets to refrain from overriding when clients bidirectional api registrations pick a v4 phantom inside them
+[[excluded_subnet_from_overrides]]
+cidr = "X.X.X.X/25"
+# For future features that can exclude subnets according to weight, port, or transport
+weight = 28.7
+port = 80
+transport = "Min_Transport"

pkg/regserver/regprocessor/regprocessor.go

@@ -89,8 +89,8 @@ type RegProcessor struct {
 	prefixOverrideSubnetsCumulativeWeights []float64
 	prefixOverrideSubnets                  []Subnet
 	exclusionsFromOverride                 []Subnet
-	prcntMinConnsToOverride                float64
-	prcntPrefixConnsToOverride             float64
+	prcntMinRegsToOverride                 float64
+	prcntPrefixRegsToOverride              float64
 }
 
 type Subnet struct {
@@ -255,7 +255,7 @@ func processOverrideSubnetsWeights(subnets []Subnet) []float64 {
 }
 
 // NewRegProcessor initialize a new RegProcessor
-func NewRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVerbose bool, stationPublicKeys []string, metrics *metrics.Metrics, enforceSubnetOverrides bool, overrideSubnets []Subnet, exclusionsFromOverride []Subnet, prcntMinConnsToOverride float64, prcntPrefixConnsToOverride float64) (*RegProcessor, error) {
+func NewRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVerbose bool, stationPublicKeys []string, metrics *metrics.Metrics, enforceSubnetOverrides bool, overrideSubnets []Subnet, exclusionsFromOverride []Subnet, prcntMinRegsToOverride float64, prcntPrefixRegsToOverride float64) (*RegProcessor, error) {
 
 	if len(privkey) != ed25519.PrivateKeySize {
 		// We require the 64 byte [private_key][public_key] format to Sign using crypto/ed25519
@@ -267,7 +267,7 @@ func NewRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVer
 		return nil, err
 	}
 
-	regProcessor, err := newRegProcessor(zmqBindAddr, zmqPort, privkey, authVerbose, stationPublicKeys, enforceSubnetOverrides, overrideSubnets, exclusionsFromOverride, prcntMinConnsToOverride, prcntPrefixConnsToOverride)
+	regProcessor, err := newRegProcessor(zmqBindAddr, zmqPort, privkey, authVerbose, stationPublicKeys, enforceSubnetOverrides, overrideSubnets, exclusionsFromOverride, prcntMinRegsToOverride, prcntPrefixRegsToOverride)
 	if err != nil {
 		return nil, err
 	}
@@ -279,7 +279,7 @@ func NewRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVer
 
 // initializes the registration processor without the phantom selector which can be added by a
 // wrapping function before it is returned. This function is required for testing.
-func newRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVerbose bool, stationPublicKeys []string, enforceSubnetOverrides bool, overrideSubnets []Subnet, exclusionsFromOverride []Subnet, prcntMinConnsToOverride float64, prcntPrefixConnsToOverride float64) (*RegProcessor, error) {
+func newRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVerbose bool, stationPublicKeys []string, enforceSubnetOverrides bool, overrideSubnets []Subnet, exclusionsFromOverride []Subnet, prcntMinRegsToOverride float64, prcntPrefixRegsToOverride float64) (*RegProcessor, error) {
 	sock, err := zmq.NewSocket(zmq.PUB)
 	if err != nil {
 		return nil, fmt.Errorf("%w: %v", ErrZmqSocket, err)
@@ -315,7 +315,7 @@ func newRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVer
 		regOverrides = interfaces.Overrides([]interfaces.RegOverride{overrides.NewRandPrefixOverride()})
 	}
 
-	prcntMinConnsToOverride, prcntPrefixConnsToOverride = validateOverridePercentages(prcntMinConnsToOverride, prcntPrefixConnsToOverride)
+	prcntMinRegsToOverride, prcntPrefixRegsToOverride = validateOverridePercentages(prcntMinRegsToOverride, prcntPrefixRegsToOverride)
 
 	minOverrideSubnets, prefixOverrideSubnets := splitOverrideSubnets(overrideSubnets)
 
@@ -336,16 +336,16 @@ func newRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVer
 		minOverrideSubnetsCumulativeWeights:    minOverrideSubnetsCumulativeWeights,
 		prefixOverrideSubnetsCumulativeWeights: prefixOverrideSubnetsCumulativeWeights,
 		exclusionsFromOverride:                 make([]Subnet, len(exclusionsFromOverride)),
-		prcntMinConnsToOverride:                prcntMinConnsToOverride,
-		prcntPrefixConnsToOverride:             prcntPrefixConnsToOverride,
+		prcntMinRegsToOverride:                 prcntMinRegsToOverride,
+		prcntPrefixRegsToOverride:              prcntPrefixRegsToOverride,
 	}
 	copy(rp.exclusionsFromOverride, exclusionsFromOverride)
 
 	return rp, nil
 }
 
 // NewRegProcessorNoAuth creates a regprocessor without authentication to zmq address
-func NewRegProcessorNoAuth(zmqBindAddr string, zmqPort uint16, metrics *metrics.Metrics, enforceSubnetOverrides bool, overrideSubnets []Subnet, exclusionsFromOverride []Subnet, prcntMinConnsToOverride float64, prcntPrefixConnsToOverride float64) (*RegProcessor, error) {
+func NewRegProcessorNoAuth(zmqBindAddr string, zmqPort uint16, metrics *metrics.Metrics, enforceSubnetOverrides bool, overrideSubnets []Subnet, exclusionsFromOverride []Subnet, prcntMinRegsToOverride float64, prcntPrefixRegsToOverride float64) (*RegProcessor, error) {
 	sock, err := zmq.NewSocket(zmq.PUB)
 	if err != nil {
 		return nil, ErrZmqSocket
@@ -361,7 +361,7 @@ func NewRegProcessorNoAuth(zmqBindAddr string, zmqPort uint16, metrics *metrics.
 		return nil, err
 	}
 
-	prcntMinConnsToOverride, prcntPrefixConnsToOverride = validateOverridePercentages(prcntMinConnsToOverride, prcntPrefixConnsToOverride)
+	prcntMinRegsToOverride, prcntPrefixRegsToOverride = validateOverridePercentages(prcntMinRegsToOverride, prcntPrefixRegsToOverride)
 
 	minOverrideSubnets, prefixOverrideSubnets := splitOverrideSubnets(overrideSubnets)
 
@@ -382,8 +382,8 @@ func NewRegProcessorNoAuth(zmqBindAddr string, zmqPort uint16, metrics *metrics.
 		minOverrideSubnetsCumulativeWeights:    minOverrideSubnetsCumulativeWeights,
 		prefixOverrideSubnetsCumulativeWeights: prefixOverrideSubnetsCumulativeWeights,
 		exclusionsFromOverride:                 make([]Subnet, len(exclusionsFromOverride)),
-		prcntMinConnsToOverride:                prcntMinConnsToOverride,
-		prcntPrefixConnsToOverride:             prcntPrefixConnsToOverride,
+		prcntMinRegsToOverride:                 prcntMinRegsToOverride,
+		prcntPrefixRegsToOverride:              prcntPrefixRegsToOverride,
 	}
 	copy(rp.exclusionsFromOverride, exclusionsFromOverride)
 
@@ -599,7 +599,7 @@ func (p *RegProcessor) processBdReq(c2sPayload *pb.C2SWrapper) (*pb.Registration
 
 		// ignore prior choices and begin experimental overrides for Min and Prefix transports only
 		if transportType == pb.TransportType_Min {
-			if randNumFloat < p.prcntMinConnsToOverride {
+			if randNumFloat < p.prcntMinRegsToOverride {
 				if p.minOverrideSubnets == nil {
 					// reg_conf.toml does not contain subnet overrides for Min transport
 					return regResp, nil
@@ -631,7 +631,7 @@ func (p *RegProcessor) processBdReq(c2sPayload *pb.C2SWrapper) (*pb.Registration
 			// Override the Phantom IPv4 for clients with the Prefix transport
 			// and override the transport type only if c2s.GetDisableRegistrarOverrides() is false
 			if !c2s.GetDisableRegistrarOverrides() {
-				if randNumFloat < p.prcntPrefixConnsToOverride {
+				if randNumFloat < p.prcntPrefixRegsToOverride {
 					if p.prefixOverrideSubnets == nil {
 						// reg_conf.toml does not contain subnet overrides for Prefix transport
 						return regResp, nil