Audit changes

peer/init.go

@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"net/netip"
 	"os"
+	"time"
 
 	"golang.org/x/crypto/nacl/sign"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
@@ -93,7 +94,7 @@ func initFromHub(hubURL, apiKey string, privKey wgtypes.Key) (LocalState, error)
 	req.SetBasicAuth("", apiKey)
 	req.Header.Set("Content-Type", "application/json")
 
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := (&http.Client{Timeout: time.Minute}).Do(req)
 	if err != nil {
 		return LocalState{}, fmt.Errorf("hub init: %w", err)
 	}

peer/multicast/receiver.go

@@ -63,13 +63,14 @@ func receiver(selfVPNIP netip.Addr, limiters []*ratelimiter.Limiter, ch chan<- P
 			continue
 		}
 
-		if err := limiters[packet.PeerIP].Limit(); err != nil {
-			log.Printf("Rate limited packet from peer IP %d.", packet.PeerIP)
+		// Slightly cheaper than limiting.
+		age := time.Since(time.Unix(packet.Timestamp, 0))
+		if age > maxPacketAge || age < -maxPacketAge {
 			continue
 		}
 
-		age := time.Since(time.Unix(packet.Timestamp, 0))
-		if age > maxPacketAge || age < -maxPacketAge {
+		if err := limiters[packet.PeerIP].Limit(); err != nil {
+			log.Printf("Rate limited packet from peer IP %d.", packet.PeerIP)
 			continue
 		}