From c4db5a4c921c748c54c79fe4fd17892fcce32c6b Mon Sep 17 00:00:00 2001
From: 0x90-n
Date: Mon, 11 Nov 2024 13:11:06 -0700
Subject: [PATCH] adding a reg_config.toml with template for subnet overrides
---
cmd/registration-server/main.go | 42 +++++++++++-----------
cmd/registration-server/reg_config.toml | 29 +++++++++++++++
pkg/regserver/regprocessor/regprocessor.go | 28 +++++++--------
3 files changed, 64 insertions(+), 35 deletions(-)
diff --git a/cmd/registration-server/main.go b/cmd/registration-server/main.go
index 6a0234b8..eee17120 100644
--- a/cmd/registration-server/main.go
+++ b/cmd/registration-server/main.go
@@ -33,25 +33,25 @@ type regServer interface {
 // config defines the variables and options from the toml config file
 type config struct {
- DNSListenAddr string `toml:"dns_listen_addr"`
- Domain string `toml:"domain"`
- DNSPrivkeyPath string `toml:"dns_private_key_path"`
- APIPort uint16 `toml:"api_port"`
- ZMQAuthVerbose bool `toml:"zmq_auth_verbose"`
- ZMQAuthType string `toml:"zmq_auth_type"`
- ZMQPort uint16 `toml:"zmq_port"`
- ZMQBindAddr string `toml:"zmq_bind_addr"`
- ZMQPrivateKeyPath string `toml:"zmq_privkey_path"`
- StationPublicKeys []string `toml:"station_pubkeys"`
- ClientConfPath string `toml:"clientconf_path"`
- latestClientConf *pb.ClientConf
- LogLevel string `toml:"log_level"`
- LogMetricsInterval uint16 `toml:"log_metrics_interval"`
- EnforceSubnetOverrides bool `toml:"enforce_subnet_overrides"`
- PrcntMinConnsToOverride float64 `toml:"prcnt_min_conns_to_override"`
- PrcntPrefixConnsToOverride float64 `toml:"prcnt_prefix_conns_to_override"`
- OverrideSubnets []regprocessor.Subnet `toml:"override_subnets"`
- ExclusionsFromOverride []regprocessor.Subnet `toml:"excluded_subnets_from_overrides"`
+ DNSListenAddr string `toml:"dns_listen_addr"`
+ Domain string `toml:"domain"`
+ DNSPrivkeyPath string `toml:"dns_private_key_path"`
+ APIPort uint16 `toml:"api_port"`
+ ZMQAuthVerbose bool `toml:"zmq_auth_verbose"`
+ ZMQAuthType string `toml:"zmq_auth_type"`
+ ZMQPort uint16 `toml:"zmq_port"`
+ ZMQBindAddr string `toml:"zmq_bind_addr"`
+ ZMQPrivateKeyPath string `toml:"zmq_privkey_path"`
+ StationPublicKeys []string `toml:"station_pubkeys"`
+ ClientConfPath string `toml:"clientconf_path"`
+ latestClientConf *pb.ClientConf
+ LogLevel string `toml:"log_level"`
+ LogMetricsInterval uint16 `toml:"log_metrics_interval"`
+ EnforceSubnetOverrides bool `toml:"enforce_subnet_overrides"`
+ PrcntMinRegsToOverride float64 `toml:"prcnt_min_regs_to_override"`
+ PrcntPrefixRegsToOverride float64 `toml:"prcnt_prefix_regs_to_override"`
+ OverrideSubnets 
[]regprocessor.Subnet `toml:"override_subnet"`
+ ExclusionsFromOverride []regprocessor.Subnet `toml:"excluded_subnet_from_overrides"`
 }
 var defaultTransports = map[pb.TransportType]lib.Transport{
@@ -197,9 +197,9 @@ func main() {
 switch conf.ZMQAuthType {
 case "CURVE":
- processor, err = regprocessor.NewRegProcessor(conf.ZMQBindAddr, conf.ZMQPort, zmqPrivkey, conf.ZMQAuthVerbose, conf.StationPublicKeys, metrics, conf.EnforceSubnetOverrides, conf.OverrideSubnets, conf.ExclusionsFromOverride, conf.PrcntMinConnsToOverride, conf.PrcntPrefixConnsToOverride)
+ processor, err = regprocessor.NewRegProcessor(conf.ZMQBindAddr, conf.ZMQPort, zmqPrivkey, conf.ZMQAuthVerbose, conf.StationPublicKeys, metrics, conf.EnforceSubnetOverrides, conf.OverrideSubnets, conf.ExclusionsFromOverride, conf.PrcntMinRegsToOverride, conf.PrcntPrefixRegsToOverride)
 case "NULL":
- processor, err = regprocessor.NewRegProcessorNoAuth(conf.ZMQBindAddr, conf.ZMQPort, metrics, conf.EnforceSubnetOverrides, conf.OverrideSubnets, conf.ExclusionsFromOverride, conf.PrcntMinConnsToOverride, conf.PrcntPrefixConnsToOverride)
+ processor, err = regprocessor.NewRegProcessorNoAuth(conf.ZMQBindAddr, conf.ZMQPort, metrics, conf.EnforceSubnetOverrides, conf.OverrideSubnets, conf.ExclusionsFromOverride, conf.PrcntMinRegsToOverride, conf.PrcntPrefixRegsToOverride)
 default:
 log.Fatalf("Unknown ZMQ auth type: %s", conf.ZMQAuthType)
 }
diff --git a/cmd/registration-server/reg_config.toml b/cmd/registration-server/reg_config.toml
index bc470647..867bb82b 100644
--- a/cmd/registration-server/reg_config.toml
+++ b/cmd/registration-server/reg_config.toml
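Review bot: The new-side toml tags silently rename the user-facing config keys — `prcnt_min_conns_to_override`/`prcnt_prefix_conns_to_override` become `prcnt_min_regs_to_override`/`prcnt_prefix_regs_to_override`, `override_subnets` becomes `override_subnet` and `excluded_subnets_from_overrides` becomes `excluded_subnet_from_overrides` — and nothing in this hunk rejects the old keys, so an existing reg_config.toml would presumably decode to zero percentages and nil subnet slices and the override path would turn into a no-op without any error (processBdReq only overrides when `randNumFloat < p.prcntMinRegsToOverride`, which never holds at 0). The decode call is outside this hunk; if it is BurntSushi/toml, checking `md.Undecoded()` after `toml.DecodeFile` and failing startup on leftover keys would make the stale-key case loud instead of silent. The commit message should also name the key rename as a breaking config change. A short comment on the renamed slices would help the next reader, e.g. `// OverrideSubnets is decoded from the [[override_subnet]] array-of-tables in reg_config.toml; ExclusionsFromOverride from [[excluded_subnet_from_overrides]].`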
@@ -45,3 +45,32 @@ bidirectional_api_generation = 957
 # Path on disk to the latest ClientConfig file that the station should use
 clientconf_path = "/var/lib/conjure/ClientConf"
+
+# Whether to apply the below subnet overrides to clients bidirectional api registrations
+enforce_subnet_overrides = true
+
+# Percentage of bidirectional api registrations to override per transport
+prcnt_min_regs_to_override = 100
+prcnt_prefix_regs_to_override = 100
+
+# Subnets to use when overriding clients bidirectional api registrations
+[[override_subnet]]
+cidr = "X.X.X.X/32"
+weight = 10.7
+port = 443
+transport = "Min_Transport"
+
+[[override_subnet]]
+cidr = "X.X.X.X/24"
+weight = 10
+port = 80
+transport = "Prefix_Transport"
+prefix_id = 1
+
+# Subnets to refrain from overriding when clients bidirectional api registrations pick a v4 phantom inside them
+[[excluded_subnet_from_overrides]]
+cidr = "X.X.X.X/25"
+# For future features that can exclude subnets according to weight, port, or transport
+weight = 28.7
+port = 80
+transport = "Min_Transport"
diff --git a/pkg/regserver/regprocessor/regprocessor.go b/pkg/regserver/regprocessor/regprocessor.go
index 15e0b5a4..080d77ed 100644
--- a/pkg/regserver/regprocessor/regprocessor.go
+++ b/pkg/regserver/regprocessor/regprocessor.go
@@ -89,8 +89,8 @@ type RegProcessor struct {
 prefixOverrideSubnetsCumulativeWeights []float64
 prefixOverrideSubnets []Subnet
 exclusionsFromOverride []Subnet
- prcntMinConnsToOverride float64
- prcntPrefixConnsToOverride float64
+ prcntMinRegsToOverride float64
+ prcntPrefixRegsToOverride float64
 }
 type Subnet struct {
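Review bot: The template arms the experimental path, `enforce_subnet_overrides = true`, while every `cidr` is a placeholder `X.X.X.X/..`, so a server started from this file unedited either fails at CIDR parsing or runs with overrides enabled against whatever the placeholder turns into — the parsing is not visible in this diff, but neither outcome is a safe default for a file that also carries a real `clientconf_path`. Ship it disarmed, `enforce_subnet_overrides = false`, with the `[[override_subnet]]` and `[[excluded_subnet_from_overrides]]` tables commented out, so an operator opts in only after filling in real subnets. The percentage lines say `100` but `processBdReq` compares the value against `randNumFloat`, and `validateOverridePercentages` is not in this diff, so whether 100 means "every registration" depends on a scale the reader cannot see; confirm it and state it in the comment, e.g. `# Percentage (0-100) of bidirectional api registrations to override per transport; 100 overrides every one`. The `weight`/`port`/`transport` keys under the exclusion table are described as "for future features", which reads as if they might already do something — `# Ignored today: exclusions match on cidr only` is clearer.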
@@ -255,7 +255,7 @@ func processOverrideSubnetsWeights(subnets []Subnet) []float64 {
 }
 // NewRegProcessor initialize a new RegProcessor
-func NewRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVerbose bool, stationPublicKeys []string, metrics *metrics.Metrics, enforceSubnetOverrides bool, overrideSubnets []Subnet, exclusionsFromOverride []Subnet, prcntMinConnsToOverride float64, prcntPrefixConnsToOverride float64) (*RegProcessor, error) {
+func NewRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVerbose bool, stationPublicKeys []string, metrics *metrics.Metrics, enforceSubnetOverrides bool, overrideSubnets []Subnet, exclusionsFromOverride []Subnet, prcntMinRegsToOverride float64, prcntPrefixRegsToOverride float64) (*RegProcessor, error) {
 if len(privkey) != ed25519.PrivateKeySize {
 // We require the 64 byte [private_key][public_key] format to Sign using crypto/ed25519
@@ -267,7 +267,7 @@ func NewRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVer
 return nil, err
 }
- regProcessor, err := newRegProcessor(zmqBindAddr, zmqPort, privkey, authVerbose, stationPublicKeys, enforceSubnetOverrides, overrideSubnets, exclusionsFromOverride, prcntMinConnsToOverride, prcntPrefixConnsToOverride)
+ regProcessor, err := newRegProcessor(zmqBindAddr, zmqPort, privkey, authVerbose, stationPublicKeys, enforceSubnetOverrides, overrideSubnets, exclusionsFromOverride, prcntMinRegsToOverride, prcntPrefixRegsToOverride)
 if err != nil {
 return nil, err
 }
@@ -279,7 +279,7 @@ func NewRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVer
 // initializes the registration processor without the phantom selector which can be added by a
 // wrapping function before it is returned. This function is required for testing.
-func newRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVerbose bool, stationPublicKeys []string, enforceSubnetOverrides bool, overrideSubnets []Subnet, exclusionsFromOverride []Subnet, prcntMinConnsToOverride float64, prcntPrefixConnsToOverride float64) (*RegProcessor, error) {
+func newRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVerbose bool, stationPublicKeys []string, enforceSubnetOverrides bool, overrideSubnets []Subnet, exclusionsFromOverride []Subnet, prcntMinRegsToOverride float64, prcntPrefixRegsToOverride float64) (*RegProcessor, error) {
 sock, err := zmq.NewSocket(zmq.PUB)
 if err != nil {
 return nil, fmt.Errorf("%w: %v", ErrZmqSocket, err)
@@ -315,7 +315,7 @@ func newRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVer
 regOverrides = interfaces.Overrides([]interfaces.RegOverride{overrides.NewRandPrefixOverride()})
 }
- prcntMinConnsToOverride, prcntPrefixConnsToOverride = validateOverridePercentages(prcntMinConnsToOverride, prcntPrefixConnsToOverride)
+ prcntMinRegsToOverride, prcntPrefixRegsToOverride = validateOverridePercentages(prcntMinRegsToOverride, prcntPrefixRegsToOverride)
 minOverrideSubnets, prefixOverrideSubnets := splitOverrideSubnets(overrideSubnets)
@@ -336,8 +336,8 @@ func newRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVer
 minOverrideSubnetsCumulativeWeights: minOverrideSubnetsCumulativeWeights,
 prefixOverrideSubnetsCumulativeWeights: prefixOverrideSubnetsCumulativeWeights,
 exclusionsFromOverride: make([]Subnet, len(exclusionsFromOverride)),
- prcntMinConnsToOverride: prcntMinConnsToOverride,
- prcntPrefixConnsToOverride: prcntPrefixConnsToOverride,
+ prcntMinRegsToOverride: prcntMinRegsToOverride,
+ prcntPrefixRegsToOverride: prcntPrefixRegsToOverride,
 }
 copy(rp.exclusionsFromOverride, exclusionsFromOverride)
@@ -345,7 +345,7 @@ func newRegProcessor(zmqBindAddr string, zmqPort uint16, privkey []byte, authVer
 }
 // NewRegProcessorNoAuth creates a regprocessor without authentication to zmq address
-func NewRegProcessorNoAuth(zmqBindAddr string, zmqPort uint16, metrics *metrics.Metrics, enforceSubnetOverrides bool, overrideSubnets []Subnet, exclusionsFromOverride []Subnet, prcntMinConnsToOverride float64, prcntPrefixConnsToOverride float64) (*RegProcessor, error) {
+func NewRegProcessorNoAuth(zmqBindAddr string, zmqPort uint16, metrics *metrics.Metrics, enforceSubnetOverrides bool, overrideSubnets []Subnet, exclusionsFromOverride []Subnet, prcntMinRegsToOverride float64, prcntPrefixRegsToOverride float64) (*RegProcessor, error) {
 sock, err := zmq.NewSocket(zmq.PUB)
 if err != nil {
 return nil, ErrZmqSocket
@@ -361,7 +361,7 @@ func NewRegProcessorNoAuth(zmqBindAddr string, zmqPort uint16, metrics *metrics.
 return nil, err
 }
- prcntMinConnsToOverride, prcntPrefixConnsToOverride = validateOverridePercentages(prcntMinConnsToOverride, prcntPrefixConnsToOverride)
+ prcntMinRegsToOverride, prcntPrefixRegsToOverride = validateOverridePercentages(prcntMinRegsToOverride, prcntPrefixRegsToOverride)
 minOverrideSubnets, prefixOverrideSubnets := splitOverrideSubnets(overrideSubnets)
@@ -382,8 +382,8 @@ func NewRegProcessorNoAuth(zmqBindAddr string, zmqPort uint16, metrics *metrics.
 minOverrideSubnetsCumulativeWeights: minOverrideSubnetsCumulativeWeights,
 prefixOverrideSubnetsCumulativeWeights: prefixOverrideSubnetsCumulativeWeights,
 exclusionsFromOverride: make([]Subnet, len(exclusionsFromOverride)),
- prcntMinConnsToOverride: prcntMinConnsToOverride,
- prcntPrefixConnsToOverride: prcntPrefixConnsToOverride,
+ prcntMinRegsToOverride: prcntMinRegsToOverride,
+ prcntPrefixRegsToOverride: prcntPrefixRegsToOverride,
 }
 copy(rp.exclusionsFromOverride, exclusionsFromOverride)
@@ -599,7 +599,7 @@ func (p *RegProcessor) processBdReq(c2sPayload *pb.C2SWrapper) (*pb.Registration
 // ignore prior choices and begin experimental overrides for Min and Prefix transports only
 if transportType == pb.TransportType_Min {
- if randNumFloat < p.prcntMinConnsToOverride {
+ if randNumFloat < p.prcntMinRegsToOverride {
 if p.minOverrideSubnets == nil {
 // reg_conf.toml does not contain subnet overrides for Min transport
 return regResp, nil
@@ -631,7 +631,7 @@ func (p *RegProcessor) processBdReq(c2sPayload *pb.C2SWrapper) (*pb.Registration
 // Override the Phantom IPv4 for clients with the Prefix transport
 // and override the transport type only if c2s.GetDisableRegistrarOverrides() is false
 if !c2s.GetDisableRegistrarOverrides() {
- if randNumFloat < p.prcntPrefixConnsToOverride {
+ if randNumFloat < p.prcntPrefixRegsToOverride {
 if p.prefixOverrideSubnets == nil {
 // reg_conf.toml does not contain subnet overrides for Prefix transport
 return regResp, nil