2019-11-19 10:00:20 -07:00
|
|
|
package nebula
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
|
|
|
"net"
|
|
|
|
"sync"
|
2021-03-05 19:18:33 -07:00
|
|
|
"sync/atomic"
|
2019-11-19 10:00:20 -07:00
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/rcrowley/go-metrics"
|
|
|
|
"github.com/sirupsen/logrus"
|
|
|
|
"github.com/slackhq/nebula/cert"
|
|
|
|
)
|
|
|
|
|
|
|
|
//const ProbeLen = 100
|
|
|
|
const PromoteEvery = 1000
|
|
|
|
const MaxRemotes = 10
|
|
|
|
|
|
|
|
// How long we should prevent roaming back to the previous IP.
|
|
|
|
// This helps prevent flapping due to packets already in flight
|
2021-03-01 09:14:34 -07:00
|
|
|
const RoamingSuppressSeconds = 2
|
2019-11-19 10:00:20 -07:00
|
|
|
|
|
|
|
type HostMap struct {
|
|
|
|
sync.RWMutex //Because we concurrently read and write to our maps
|
|
|
|
name string
|
|
|
|
Indexes map[uint32]*HostInfo
|
2020-11-23 12:51:16 -07:00
|
|
|
RemoteIndexes map[uint32]*HostInfo
|
2019-11-19 10:00:20 -07:00
|
|
|
Hosts map[uint32]*HostInfo
|
|
|
|
preferredRanges []*net.IPNet
|
|
|
|
vpnCIDR *net.IPNet
|
|
|
|
defaultRoute uint32
|
2019-12-12 09:34:17 -07:00
|
|
|
unsafeRoutes *CIDRTree
|
2020-06-26 11:45:48 -06:00
|
|
|
metricsEnabled bool
|
2021-03-26 08:46:30 -06:00
|
|
|
l *logrus.Logger
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
type HostInfo struct {
|
2021-03-05 19:18:33 -07:00
|
|
|
sync.RWMutex
|
|
|
|
|
2019-11-19 10:00:20 -07:00
|
|
|
remote *udpAddr
|
2021-03-31 09:26:35 -06:00
|
|
|
Remotes []*udpAddr
|
2019-11-19 10:00:20 -07:00
|
|
|
promoteCounter uint32
|
|
|
|
ConnectionState *ConnectionState
|
|
|
|
handshakeStart time.Time
|
|
|
|
HandshakeReady bool
|
|
|
|
HandshakeCounter int
|
|
|
|
HandshakeComplete bool
|
|
|
|
HandshakePacket map[uint8][]byte
|
|
|
|
packetStore []*cachedPacket
|
|
|
|
remoteIndexId uint32
|
|
|
|
localIndexId uint32
|
|
|
|
hostId uint32
|
|
|
|
recvError int
|
2019-12-12 09:34:17 -07:00
|
|
|
remoteCidr *CIDRTree
|
2019-11-19 10:00:20 -07:00
|
|
|
|
2021-03-31 09:26:35 -06:00
|
|
|
// This is a list of remotes that we have tried to handshake with and have returned from the wrong vpn ip.
|
|
|
|
// They should not be tried again during a handshake
|
|
|
|
badRemotes []*udpAddr
|
|
|
|
|
2021-03-01 18:06:01 -07:00
|
|
|
// lastRebindCount is the other side of Interface.rebindCount, if these values don't match then we need to ask LH
|
|
|
|
// for a punch from the remote end of this tunnel. The goal being to prime their conntrack for our traffic just like
|
|
|
|
// with a handshake
|
|
|
|
lastRebindCount int8
|
|
|
|
|
2019-11-19 10:00:20 -07:00
|
|
|
lastRoam time.Time
|
|
|
|
lastRoamRemote *udpAddr
|
|
|
|
}
|
|
|
|
|
|
|
|
type cachedPacket struct {
|
|
|
|
messageType NebulaMessageType
|
|
|
|
messageSubType NebulaMessageSubType
|
|
|
|
callback packetCallback
|
|
|
|
packet []byte
|
|
|
|
}
|
|
|
|
|
|
|
|
type packetCallback func(t NebulaMessageType, st NebulaMessageSubType, h *HostInfo, p, nb, out []byte)
|
|
|
|
|
2021-03-26 08:46:30 -06:00
|
|
|
func NewHostMap(l *logrus.Logger, name string, vpnCIDR *net.IPNet, preferredRanges []*net.IPNet) *HostMap {
|
2019-11-19 10:00:20 -07:00
|
|
|
h := map[uint32]*HostInfo{}
|
|
|
|
i := map[uint32]*HostInfo{}
|
2020-11-23 12:51:16 -07:00
|
|
|
r := map[uint32]*HostInfo{}
|
2019-11-19 10:00:20 -07:00
|
|
|
m := HostMap{
|
|
|
|
name: name,
|
|
|
|
Indexes: i,
|
2020-11-23 12:51:16 -07:00
|
|
|
RemoteIndexes: r,
|
2019-11-19 10:00:20 -07:00
|
|
|
Hosts: h,
|
|
|
|
preferredRanges: preferredRanges,
|
|
|
|
vpnCIDR: vpnCIDR,
|
|
|
|
defaultRoute: 0,
|
2019-12-12 09:34:17 -07:00
|
|
|
unsafeRoutes: NewCIDRTree(),
|
2021-03-26 08:46:30 -06:00
|
|
|
l: l,
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
return &m
|
|
|
|
}
|
|
|
|
|
|
|
|
// UpdateStats takes a name and reports host and index counts to the stats collection system
|
|
|
|
func (hm *HostMap) EmitStats(name string) {
|
|
|
|
hm.RLock()
|
|
|
|
hostLen := len(hm.Hosts)
|
|
|
|
indexLen := len(hm.Indexes)
|
2020-11-23 12:51:16 -07:00
|
|
|
remoteIndexLen := len(hm.RemoteIndexes)
|
2019-11-19 10:00:20 -07:00
|
|
|
hm.RUnlock()
|
|
|
|
|
|
|
|
metrics.GetOrRegisterGauge("hostmap."+name+".hosts", nil).Update(int64(hostLen))
|
|
|
|
metrics.GetOrRegisterGauge("hostmap."+name+".indexes", nil).Update(int64(indexLen))
|
2020-11-23 12:51:16 -07:00
|
|
|
metrics.GetOrRegisterGauge("hostmap."+name+".remoteIndexes", nil).Update(int64(remoteIndexLen))
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
func (hm *HostMap) GetIndexByVpnIP(vpnIP uint32) (uint32, error) {
|
|
|
|
hm.RLock()
|
|
|
|
if i, ok := hm.Hosts[vpnIP]; ok {
|
|
|
|
index := i.localIndexId
|
|
|
|
hm.RUnlock()
|
|
|
|
return index, nil
|
|
|
|
}
|
|
|
|
hm.RUnlock()
|
|
|
|
return 0, errors.New("vpn IP not found")
|
|
|
|
}
|
|
|
|
|
|
|
|
func (hm *HostMap) Add(ip uint32, hostinfo *HostInfo) {
|
|
|
|
hm.Lock()
|
|
|
|
hm.Hosts[ip] = hostinfo
|
|
|
|
hm.Unlock()
|
|
|
|
}
|
|
|
|
|
|
|
|
func (hm *HostMap) AddVpnIP(vpnIP uint32) *HostInfo {
|
|
|
|
h := &HostInfo{}
|
|
|
|
hm.RLock()
|
|
|
|
if _, ok := hm.Hosts[vpnIP]; !ok {
|
|
|
|
hm.RUnlock()
|
|
|
|
h = &HostInfo{
|
2021-03-31 09:26:35 -06:00
|
|
|
Remotes: []*udpAddr{},
|
2019-11-19 10:00:20 -07:00
|
|
|
promoteCounter: 0,
|
|
|
|
hostId: vpnIP,
|
|
|
|
HandshakePacket: make(map[uint8][]byte, 0),
|
|
|
|
}
|
|
|
|
hm.Lock()
|
|
|
|
hm.Hosts[vpnIP] = h
|
|
|
|
hm.Unlock()
|
|
|
|
return h
|
|
|
|
} else {
|
|
|
|
h = hm.Hosts[vpnIP]
|
|
|
|
hm.RUnlock()
|
|
|
|
return h
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (hm *HostMap) DeleteVpnIP(vpnIP uint32) {
|
|
|
|
hm.Lock()
|
|
|
|
delete(hm.Hosts, vpnIP)
|
|
|
|
if len(hm.Hosts) == 0 {
|
|
|
|
hm.Hosts = map[uint32]*HostInfo{}
|
|
|
|
}
|
|
|
|
hm.Unlock()
|
|
|
|
|
2021-03-26 08:46:30 -06:00
|
|
|
if hm.l.Level >= logrus.DebugLevel {
|
|
|
|
hm.l.WithField("hostMap", m{"mapName": hm.name, "vpnIp": IntIp(vpnIP), "mapTotalSize": len(hm.Hosts)}).
|
2019-11-19 10:00:20 -07:00
|
|
|
Debug("Hostmap vpnIp deleted")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-11-23 12:51:16 -07:00
|
|
|
// Only used by pendingHostMap when the remote index is not initially known
|
|
|
|
func (hm *HostMap) addRemoteIndexHostInfo(index uint32, h *HostInfo) {
|
|
|
|
hm.Lock()
|
|
|
|
h.remoteIndexId = index
|
|
|
|
hm.RemoteIndexes[index] = h
|
|
|
|
hm.Unlock()
|
|
|
|
|
2021-03-26 08:46:30 -06:00
|
|
|
if hm.l.Level > logrus.DebugLevel {
|
|
|
|
hm.l.WithField("hostMap", m{"mapName": hm.name, "indexNumber": index, "mapTotalSize": len(hm.Indexes),
|
2020-11-23 12:51:16 -07:00
|
|
|
"hostinfo": m{"existing": true, "localIndexId": h.localIndexId, "hostId": IntIp(h.hostId)}}).
|
|
|
|
Debug("Hostmap remoteIndex added")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-11-19 10:00:20 -07:00
|
|
|
func (hm *HostMap) AddVpnIPHostInfo(vpnIP uint32, h *HostInfo) {
|
|
|
|
hm.Lock()
|
|
|
|
h.hostId = vpnIP
|
|
|
|
hm.Hosts[vpnIP] = h
|
2020-11-23 12:51:16 -07:00
|
|
|
hm.Indexes[h.localIndexId] = h
|
|
|
|
hm.RemoteIndexes[h.remoteIndexId] = h
|
2019-11-19 10:00:20 -07:00
|
|
|
hm.Unlock()
|
|
|
|
|
2021-03-26 08:46:30 -06:00
|
|
|
if hm.l.Level > logrus.DebugLevel {
|
|
|
|
hm.l.WithField("hostMap", m{"mapName": hm.name, "vpnIp": IntIp(vpnIP), "mapTotalSize": len(hm.Hosts),
|
2019-11-19 10:00:20 -07:00
|
|
|
"hostinfo": m{"existing": true, "localIndexId": h.localIndexId, "hostId": IntIp(h.hostId)}}).
|
|
|
|
Debug("Hostmap vpnIp added")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-03-01 10:40:46 -07:00
|
|
|
// This is only called in pendingHostmap, to cleanup an inbound handshake
|
2019-11-19 10:00:20 -07:00
|
|
|
func (hm *HostMap) DeleteIndex(index uint32) {
|
|
|
|
hm.Lock()
|
2021-03-01 10:40:46 -07:00
|
|
|
hostinfo, ok := hm.Indexes[index]
|
|
|
|
if ok {
|
|
|
|
delete(hm.Indexes, index)
|
|
|
|
delete(hm.RemoteIndexes, hostinfo.remoteIndexId)
|
|
|
|
|
|
|
|
// Check if we have an entry under hostId that matches the same hostinfo
|
|
|
|
// instance. Clean it up as well if we do.
|
2021-03-12 12:16:25 -07:00
|
|
|
hostinfo2, ok := hm.Hosts[hostinfo.hostId]
|
2021-03-01 10:40:46 -07:00
|
|
|
if ok && hostinfo2 == hostinfo {
|
|
|
|
delete(hm.Hosts, hostinfo.hostId)
|
|
|
|
}
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
hm.Unlock()
|
|
|
|
|
2021-03-26 08:46:30 -06:00
|
|
|
if hm.l.Level >= logrus.DebugLevel {
|
|
|
|
hm.l.WithField("hostMap", m{"mapName": hm.name, "indexNumber": index, "mapTotalSize": len(hm.Indexes)}).
|
2019-11-19 10:00:20 -07:00
|
|
|
Debug("Hostmap index deleted")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-03-01 10:40:46 -07:00
|
|
|
// This is used to cleanup on recv_error
|
|
|
|
func (hm *HostMap) DeleteReverseIndex(index uint32) {
|
|
|
|
hm.Lock()
|
|
|
|
hostinfo, ok := hm.RemoteIndexes[index]
|
|
|
|
if ok {
|
|
|
|
delete(hm.Indexes, hostinfo.localIndexId)
|
|
|
|
delete(hm.RemoteIndexes, index)
|
|
|
|
|
|
|
|
// Check if we have an entry under hostId that matches the same hostinfo
|
|
|
|
// instance. Clean it up as well if we do (they might not match in pendingHostmap)
|
|
|
|
var hostinfo2 *HostInfo
|
|
|
|
hostinfo2, ok = hm.Hosts[hostinfo.hostId]
|
|
|
|
if ok && hostinfo2 == hostinfo {
|
|
|
|
delete(hm.Hosts, hostinfo.hostId)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
hm.Unlock()
|
|
|
|
|
2021-03-26 08:46:30 -06:00
|
|
|
if hm.l.Level >= logrus.DebugLevel {
|
|
|
|
hm.l.WithField("hostMap", m{"mapName": hm.name, "indexNumber": index, "mapTotalSize": len(hm.Indexes)}).
|
2021-03-01 10:40:46 -07:00
|
|
|
Debug("Hostmap remote index deleted")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-11-23 12:51:16 -07:00
|
|
|
func (hm *HostMap) DeleteHostInfo(hostinfo *HostInfo) {
|
|
|
|
hm.Lock()
|
2021-03-01 10:40:46 -07:00
|
|
|
|
|
|
|
// Check if this same hostId is in the hostmap with a different instance.
|
|
|
|
// This could happen if we have an entry in the pending hostmap with different
|
|
|
|
// index values than the one in the main hostmap.
|
|
|
|
hostinfo2, ok := hm.Hosts[hostinfo.hostId]
|
|
|
|
if ok && hostinfo2 != hostinfo {
|
|
|
|
delete(hm.Hosts, hostinfo2.hostId)
|
|
|
|
delete(hm.Indexes, hostinfo2.localIndexId)
|
|
|
|
delete(hm.RemoteIndexes, hostinfo2.remoteIndexId)
|
|
|
|
}
|
|
|
|
|
2020-11-23 12:51:16 -07:00
|
|
|
delete(hm.Hosts, hostinfo.hostId)
|
|
|
|
if len(hm.Hosts) == 0 {
|
|
|
|
hm.Hosts = map[uint32]*HostInfo{}
|
|
|
|
}
|
|
|
|
delete(hm.Indexes, hostinfo.localIndexId)
|
|
|
|
if len(hm.Indexes) == 0 {
|
|
|
|
hm.Indexes = map[uint32]*HostInfo{}
|
|
|
|
}
|
|
|
|
delete(hm.RemoteIndexes, hostinfo.remoteIndexId)
|
|
|
|
if len(hm.RemoteIndexes) == 0 {
|
|
|
|
hm.RemoteIndexes = map[uint32]*HostInfo{}
|
|
|
|
}
|
|
|
|
hm.Unlock()
|
|
|
|
|
2021-03-26 08:46:30 -06:00
|
|
|
if hm.l.Level >= logrus.DebugLevel {
|
|
|
|
hm.l.WithField("hostMap", m{"mapName": hm.name, "mapTotalSize": len(hm.Hosts),
|
2020-11-23 12:51:16 -07:00
|
|
|
"vpnIp": IntIp(hostinfo.hostId), "indexNumber": hostinfo.localIndexId, "remoteIndexNumber": hostinfo.remoteIndexId}).
|
|
|
|
Debug("Hostmap hostInfo deleted")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-11-19 10:00:20 -07:00
|
|
|
func (hm *HostMap) QueryIndex(index uint32) (*HostInfo, error) {
|
|
|
|
//TODO: we probably just want ot return bool instead of error, or at least a static error
|
|
|
|
hm.RLock()
|
|
|
|
if h, ok := hm.Indexes[index]; ok {
|
|
|
|
hm.RUnlock()
|
|
|
|
return h, nil
|
|
|
|
} else {
|
|
|
|
hm.RUnlock()
|
|
|
|
return nil, errors.New("unable to find index")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (hm *HostMap) QueryReverseIndex(index uint32) (*HostInfo, error) {
|
|
|
|
hm.RLock()
|
2020-11-23 12:51:16 -07:00
|
|
|
if h, ok := hm.RemoteIndexes[index]; ok {
|
|
|
|
hm.RUnlock()
|
|
|
|
return h, nil
|
|
|
|
} else {
|
|
|
|
hm.RUnlock()
|
|
|
|
return nil, fmt.Errorf("unable to find reverse index or connectionstate nil in %s hostmap", hm.name)
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (hm *HostMap) AddRemote(vpnIp uint32, remote *udpAddr) *HostInfo {
|
|
|
|
hm.Lock()
|
|
|
|
i, v := hm.Hosts[vpnIp]
|
|
|
|
if v {
|
2021-03-18 19:37:24 -06:00
|
|
|
i.AddRemote(remote)
|
2019-11-19 10:00:20 -07:00
|
|
|
} else {
|
|
|
|
i = &HostInfo{
|
2021-03-31 09:26:35 -06:00
|
|
|
Remotes: []*udpAddr{remote.Copy()},
|
2019-11-19 10:00:20 -07:00
|
|
|
promoteCounter: 0,
|
|
|
|
hostId: vpnIp,
|
|
|
|
HandshakePacket: make(map[uint8][]byte, 0),
|
|
|
|
}
|
2021-03-31 09:26:35 -06:00
|
|
|
i.remote = i.Remotes[0]
|
2019-11-19 10:00:20 -07:00
|
|
|
hm.Hosts[vpnIp] = i
|
2021-03-26 08:46:30 -06:00
|
|
|
if hm.l.Level >= logrus.DebugLevel {
|
|
|
|
hm.l.WithField("hostMap", m{"mapName": hm.name, "vpnIp": IntIp(vpnIp), "udpAddr": remote, "mapTotalSize": len(hm.Hosts)}).
|
|
|
|
Debug("Hostmap remote ip added")
|
|
|
|
}
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
i.ForcePromoteBest(hm.preferredRanges)
|
|
|
|
hm.Unlock()
|
|
|
|
return i
|
|
|
|
}
|
|
|
|
|
|
|
|
func (hm *HostMap) QueryVpnIP(vpnIp uint32) (*HostInfo, error) {
|
|
|
|
return hm.queryVpnIP(vpnIp, nil)
|
|
|
|
}
|
|
|
|
|
|
|
|
// PromoteBestQueryVpnIP will attempt to lazily switch to the best remote every
|
|
|
|
// `PromoteEvery` calls to this function for a given host.
|
|
|
|
func (hm *HostMap) PromoteBestQueryVpnIP(vpnIp uint32, ifce *Interface) (*HostInfo, error) {
|
|
|
|
return hm.queryVpnIP(vpnIp, ifce)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (hm *HostMap) queryVpnIP(vpnIp uint32, promoteIfce *Interface) (*HostInfo, error) {
|
|
|
|
hm.RLock()
|
|
|
|
if h, ok := hm.Hosts[vpnIp]; ok {
|
|
|
|
if promoteIfce != nil {
|
|
|
|
h.TryPromoteBest(hm.preferredRanges, promoteIfce)
|
|
|
|
}
|
|
|
|
//fmt.Println(h.remote)
|
|
|
|
hm.RUnlock()
|
|
|
|
return h, nil
|
|
|
|
} else {
|
|
|
|
//return &net.UDPAddr{}, nil, errors.New("Unable to find host")
|
|
|
|
hm.RUnlock()
|
|
|
|
/*
|
|
|
|
if lightHouse != nil {
|
|
|
|
lightHouse.Query(vpnIp)
|
|
|
|
return nil, errors.New("Unable to find host")
|
|
|
|
}
|
|
|
|
*/
|
|
|
|
return nil, errors.New("unable to find host")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-12-12 09:34:17 -07:00
|
|
|
func (hm *HostMap) queryUnsafeRoute(ip uint32) uint32 {
|
|
|
|
r := hm.unsafeRoutes.MostSpecificContains(ip)
|
|
|
|
if r != nil {
|
|
|
|
return r.(uint32)
|
|
|
|
} else {
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-03-12 12:16:25 -07:00
|
|
|
// We already have the hm Lock when this is called, so make sure to not call
|
|
|
|
// any other methods that might try to grab it again
|
|
|
|
func (hm *HostMap) addHostInfo(hostinfo *HostInfo, f *Interface) {
|
|
|
|
remoteCert := hostinfo.ConnectionState.peerCert
|
|
|
|
ip := ip2int(remoteCert.Details.Ips[0].IP)
|
2019-11-19 10:00:20 -07:00
|
|
|
|
2021-03-12 12:16:25 -07:00
|
|
|
f.lightHouse.AddRemoteAndReset(ip, hostinfo.remote)
|
|
|
|
if f.serveDns {
|
|
|
|
dnsR.Add(remoteCert.Details.Name+".", remoteCert.Details.Ips[0].IP.String())
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
|
2021-03-12 12:16:25 -07:00
|
|
|
hm.Hosts[hostinfo.hostId] = hostinfo
|
|
|
|
hm.Indexes[hostinfo.localIndexId] = hostinfo
|
|
|
|
hm.RemoteIndexes[hostinfo.remoteIndexId] = hostinfo
|
2019-11-19 10:00:20 -07:00
|
|
|
|
2021-03-26 08:46:30 -06:00
|
|
|
if hm.l.Level >= logrus.DebugLevel {
|
|
|
|
hm.l.WithField("hostMap", m{"mapName": hm.name, "vpnIp": IntIp(hostinfo.hostId), "mapTotalSize": len(hm.Hosts),
|
2021-03-12 12:16:25 -07:00
|
|
|
"hostinfo": m{"existing": true, "localIndexId": hostinfo.localIndexId, "hostId": IntIp(hostinfo.hostId)}}).
|
|
|
|
Debug("Hostmap vpnIp added")
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (hm *HostMap) ClearRemotes(vpnIP uint32) {
|
|
|
|
hm.Lock()
|
|
|
|
i := hm.Hosts[vpnIP]
|
|
|
|
if i == nil {
|
|
|
|
hm.Unlock()
|
|
|
|
return
|
|
|
|
}
|
|
|
|
i.remote = nil
|
|
|
|
i.Remotes = nil
|
|
|
|
hm.Unlock()
|
|
|
|
}
|
|
|
|
|
|
|
|
func (hm *HostMap) SetDefaultRoute(ip uint32) {
|
|
|
|
hm.defaultRoute = ip
|
|
|
|
}
|
|
|
|
|
|
|
|
func (hm *HostMap) PunchList() []*udpAddr {
|
|
|
|
var list []*udpAddr
|
|
|
|
hm.RLock()
|
|
|
|
for _, v := range hm.Hosts {
|
|
|
|
for _, r := range v.Remotes {
|
2021-03-31 09:26:35 -06:00
|
|
|
list = append(list, r)
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
// if h, ok := hm.Hosts[vpnIp]; ok {
|
|
|
|
// hm.Hosts[vpnIp].PromoteBest(hm.preferredRanges, false)
|
|
|
|
//fmt.Println(h.remote)
|
|
|
|
// }
|
|
|
|
}
|
|
|
|
hm.RUnlock()
|
|
|
|
return list
|
|
|
|
}
|
|
|
|
|
|
|
|
func (hm *HostMap) Punchy(conn *udpConn) {
|
2020-06-26 11:45:48 -06:00
|
|
|
var metricsTxPunchy metrics.Counter
|
|
|
|
if hm.metricsEnabled {
|
|
|
|
metricsTxPunchy = metrics.GetOrRegisterCounter("messages.tx.punchy", nil)
|
|
|
|
} else {
|
|
|
|
metricsTxPunchy = metrics.NilCounter{}
|
|
|
|
}
|
|
|
|
|
2021-03-18 19:37:24 -06:00
|
|
|
b := []byte{1}
|
2019-11-19 10:00:20 -07:00
|
|
|
for {
|
|
|
|
for _, addr := range hm.PunchList() {
|
2020-06-26 11:45:48 -06:00
|
|
|
metricsTxPunchy.Inc(1)
|
2021-03-18 19:37:24 -06:00
|
|
|
conn.WriteTo(b, addr)
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
time.Sleep(time.Second * 30)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-12-12 09:34:17 -07:00
|
|
|
func (hm *HostMap) addUnsafeRoutes(routes *[]route) {
|
|
|
|
for _, r := range *routes {
|
2021-03-26 08:46:30 -06:00
|
|
|
hm.l.WithField("route", r.route).WithField("via", r.via).Warn("Adding UNSAFE Route")
|
2019-12-12 09:34:17 -07:00
|
|
|
hm.unsafeRoutes.AddCIDR(r.route, ip2int(*r.via))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-11-19 10:00:20 -07:00
|
|
|
func (i *HostInfo) MarshalJSON() ([]byte, error) {
|
|
|
|
return json.Marshal(m{
|
|
|
|
"remote": i.remote,
|
|
|
|
"remotes": i.Remotes,
|
|
|
|
"promote_counter": i.promoteCounter,
|
|
|
|
"connection_state": i.ConnectionState,
|
|
|
|
"handshake_start": i.handshakeStart,
|
|
|
|
"handshake_ready": i.HandshakeReady,
|
|
|
|
"handshake_counter": i.HandshakeCounter,
|
|
|
|
"handshake_complete": i.HandshakeComplete,
|
|
|
|
"handshake_packet": i.HandshakePacket,
|
|
|
|
"packet_store": i.packetStore,
|
|
|
|
"remote_index": i.remoteIndexId,
|
|
|
|
"local_index": i.localIndexId,
|
|
|
|
"host_id": int2ip(i.hostId),
|
|
|
|
"receive_errors": i.recvError,
|
|
|
|
"last_roam": i.lastRoam,
|
|
|
|
"last_roam_remote": i.lastRoamRemote,
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (i *HostInfo) BindConnectionState(cs *ConnectionState) {
|
|
|
|
i.ConnectionState = cs
|
|
|
|
}
|
|
|
|
|
|
|
|
func (i *HostInfo) TryPromoteBest(preferredRanges []*net.IPNet, ifce *Interface) {
|
|
|
|
if i.remote == nil {
|
|
|
|
i.ForcePromoteBest(preferredRanges)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-03-26 13:01:05 -06:00
|
|
|
if atomic.AddUint32(&i.promoteCounter, 1)%PromoteEvery == 0 {
|
2019-11-19 10:00:20 -07:00
|
|
|
// return early if we are already on a preferred remote
|
2021-03-18 19:37:24 -06:00
|
|
|
rIP := i.remote.IP
|
2019-11-19 10:00:20 -07:00
|
|
|
for _, l := range preferredRanges {
|
|
|
|
if l.Contains(rIP) {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// We re-query the lighthouse periodically while sending packets, so
|
|
|
|
// check for new remotes in our local lighthouse cache
|
|
|
|
ips := ifce.lightHouse.QueryCache(i.hostId)
|
|
|
|
for _, ip := range ips {
|
|
|
|
i.AddRemote(ip)
|
|
|
|
}
|
|
|
|
|
|
|
|
best, preferred := i.getBestRemote(preferredRanges)
|
|
|
|
if preferred && !best.Equals(i.remote) {
|
|
|
|
// Try to send a test packet to that host, this should
|
|
|
|
// cause it to detect a roaming event and switch remotes
|
|
|
|
ifce.send(test, testRequest, i.ConnectionState, i, best, []byte(""), make([]byte, 12, 12), make([]byte, mtu))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (i *HostInfo) ForcePromoteBest(preferredRanges []*net.IPNet) {
|
|
|
|
best, _ := i.getBestRemote(preferredRanges)
|
|
|
|
if best != nil {
|
|
|
|
i.remote = best
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (i *HostInfo) getBestRemote(preferredRanges []*net.IPNet) (best *udpAddr, preferred bool) {
|
|
|
|
if len(i.Remotes) > 0 {
|
|
|
|
for _, r := range i.Remotes {
|
|
|
|
for _, l := range preferredRanges {
|
2021-03-31 09:26:35 -06:00
|
|
|
if l.Contains(r.IP) {
|
|
|
|
return r, true
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-03-31 09:26:35 -06:00
|
|
|
if best == nil || !PrivateIP(r.IP) {
|
|
|
|
best = r
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
/*
|
|
|
|
for _, r := range i.Remotes {
|
|
|
|
// Must have > 80% probe success to be considered.
|
|
|
|
//fmt.Println("GRADE:", r.addr.IP, r.Grade())
|
|
|
|
if r.Grade() > float64(.8) {
|
|
|
|
if localToMe.Contains(r.addr.IP) == true {
|
|
|
|
best = r.addr
|
|
|
|
break
|
|
|
|
//i.remote = i.Remotes[c].addr
|
|
|
|
} else {
|
|
|
|
//}
|
|
|
|
}
|
|
|
|
*/
|
|
|
|
}
|
|
|
|
return best, false
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil, false
|
|
|
|
}
|
|
|
|
|
|
|
|
// rotateRemote will move remote to the next ip in the list of remote ips for this host
|
|
|
|
// This is different than PromoteBest in that what is algorithmically best may not actually work.
|
|
|
|
// Only known use case is when sending a stage 0 handshake.
|
|
|
|
// It may be better to just send stage 0 handshakes to all known ips and sort it out in the receiver.
|
|
|
|
func (i *HostInfo) rotateRemote() {
|
|
|
|
// We have 0, can't rotate
|
|
|
|
if len(i.Remotes) < 1 {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if i.remote == nil {
|
2021-03-31 09:26:35 -06:00
|
|
|
i.remote = i.Remotes[0]
|
2019-11-19 10:00:20 -07:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// We want to look at all but the very last entry since that is handled at the end
|
|
|
|
for x := 0; x < len(i.Remotes)-1; x++ {
|
|
|
|
// Find our current position and move to the next one in the list
|
2021-03-31 09:26:35 -06:00
|
|
|
if i.Remotes[x].Equals(i.remote) {
|
|
|
|
i.remote = i.Remotes[x+1]
|
2019-11-19 10:00:20 -07:00
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Our current position was likely the last in the list, start over at 0
|
2021-03-31 09:26:35 -06:00
|
|
|
i.remote = i.Remotes[0]
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
|
2021-03-26 08:46:30 -06:00
|
|
|
func (i *HostInfo) cachePacket(l *logrus.Logger, t NebulaMessageType, st NebulaMessageSubType, packet []byte, f packetCallback) {
|
2019-11-19 10:00:20 -07:00
|
|
|
//TODO: return the error so we can log with more context
|
|
|
|
if len(i.packetStore) < 100 {
|
|
|
|
tempPacket := make([]byte, len(packet))
|
|
|
|
copy(tempPacket, packet)
|
|
|
|
//l.WithField("trace", string(debug.Stack())).Error("Caching packet", tempPacket)
|
|
|
|
i.packetStore = append(i.packetStore, &cachedPacket{t, st, f, tempPacket})
|
2021-03-05 19:18:33 -07:00
|
|
|
if l.Level >= logrus.DebugLevel {
|
2021-03-26 08:46:30 -06:00
|
|
|
i.logger(l).
|
2021-03-05 19:18:33 -07:00
|
|
|
WithField("length", len(i.packetStore)).
|
|
|
|
WithField("stored", true).
|
|
|
|
Debugf("Packet store")
|
|
|
|
}
|
2019-11-19 10:00:20 -07:00
|
|
|
|
|
|
|
} else if l.Level >= logrus.DebugLevel {
|
2021-03-26 08:46:30 -06:00
|
|
|
i.logger(l).
|
2019-11-19 10:00:20 -07:00
|
|
|
WithField("length", len(i.packetStore)).
|
|
|
|
WithField("stored", false).
|
|
|
|
Debugf("Packet store")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// handshakeComplete will set the connection as ready to communicate, as well as flush any stored packets
|
2021-03-26 08:46:30 -06:00
|
|
|
func (i *HostInfo) handshakeComplete(l *logrus.Logger) {
|
2019-11-19 10:00:20 -07:00
|
|
|
//TODO: I'm not certain the distinction between handshake complete and ConnectionState being ready matters because:
|
|
|
|
//TODO: HandshakeComplete means send stored packets and ConnectionState.ready means we are ready to send
|
|
|
|
//TODO: if the transition from HandhsakeComplete to ConnectionState.ready happens all within this function they are identical
|
|
|
|
|
|
|
|
i.ConnectionState.queueLock.Lock()
|
|
|
|
i.HandshakeComplete = true
|
|
|
|
//TODO: this should be managed by the handshake state machine to set it based on how many handshake were seen.
|
|
|
|
// Clamping it to 2 gets us out of the woods for now
|
2021-03-05 19:18:33 -07:00
|
|
|
atomic.StoreUint64(&i.ConnectionState.atomicMessageCounter, 2)
|
2021-03-22 17:25:06 -06:00
|
|
|
|
|
|
|
if l.Level >= logrus.DebugLevel {
|
2021-03-26 08:46:30 -06:00
|
|
|
i.logger(l).Debugf("Sending %d stored packets", len(i.packetStore))
|
2021-03-22 17:25:06 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
if len(i.packetStore) > 0 {
|
|
|
|
nb := make([]byte, 12, 12)
|
|
|
|
out := make([]byte, mtu)
|
|
|
|
for _, cp := range i.packetStore {
|
|
|
|
cp.callback(cp.messageType, cp.messageSubType, i, cp.packet, nb, out)
|
|
|
|
}
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
2021-03-22 17:25:06 -06:00
|
|
|
|
2021-03-31 09:26:35 -06:00
|
|
|
i.badRemotes = make([]*udpAddr, 0)
|
2019-11-19 10:00:20 -07:00
|
|
|
i.packetStore = make([]*cachedPacket, 0)
|
|
|
|
i.ConnectionState.ready = true
|
|
|
|
i.ConnectionState.queueLock.Unlock()
|
|
|
|
i.ConnectionState.certState = nil
|
|
|
|
}
|
|
|
|
|
2021-03-31 09:26:35 -06:00
|
|
|
func (i *HostInfo) CopyRemotes() []*udpAddr {
|
|
|
|
i.RLock()
|
|
|
|
rc := make([]*udpAddr, len(i.Remotes), len(i.Remotes))
|
|
|
|
for x, addr := range i.Remotes {
|
|
|
|
rc[x] = addr.Copy()
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
2021-03-31 09:26:35 -06:00
|
|
|
i.RUnlock()
|
|
|
|
return rc
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
func (i *HostInfo) GetCert() *cert.NebulaCertificate {
|
|
|
|
if i.ConnectionState != nil {
|
|
|
|
return i.ConnectionState.peerCert
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-03-18 19:37:24 -06:00
|
|
|
func (i *HostInfo) AddRemote(remote *udpAddr) *udpAddr {
|
2021-03-31 09:26:35 -06:00
|
|
|
if i.unlockedIsBadRemote(remote) {
|
|
|
|
return i.remote
|
|
|
|
}
|
|
|
|
|
2019-11-19 10:00:20 -07:00
|
|
|
for _, r := range i.Remotes {
|
2021-03-31 09:26:35 -06:00
|
|
|
if r.Equals(remote) {
|
|
|
|
return r
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
}
|
2021-03-31 09:26:35 -06:00
|
|
|
|
2019-11-19 10:00:20 -07:00
|
|
|
// Trim this down if necessary
|
|
|
|
if len(i.Remotes) > MaxRemotes {
|
|
|
|
i.Remotes = i.Remotes[len(i.Remotes)-MaxRemotes:]
|
|
|
|
}
|
2021-03-31 09:26:35 -06:00
|
|
|
|
|
|
|
rc := remote.Copy()
|
|
|
|
i.Remotes = append(i.Remotes, rc)
|
|
|
|
return rc
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
|
2021-03-18 19:37:24 -06:00
|
|
|
func (i *HostInfo) SetRemote(remote *udpAddr) {
|
2019-11-19 10:00:20 -07:00
|
|
|
i.remote = i.AddRemote(remote)
|
|
|
|
}
|
|
|
|
|
2021-03-31 09:26:35 -06:00
|
|
|
func (i *HostInfo) unlockedBlockRemote(remote *udpAddr) {
|
|
|
|
if !i.unlockedIsBadRemote(remote) {
|
|
|
|
// We copy here because we are taking something else's memory and we can't trust everything
|
|
|
|
i.badRemotes = append(i.badRemotes, remote.Copy())
|
|
|
|
}
|
|
|
|
|
|
|
|
for k, v := range i.Remotes {
|
|
|
|
if v.Equals(remote) {
|
|
|
|
i.Remotes[k] = i.Remotes[len(i.Remotes)-1]
|
|
|
|
i.Remotes = i.Remotes[:len(i.Remotes)-1]
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (i *HostInfo) unlockedIsBadRemote(remote *udpAddr) bool {
|
|
|
|
for _, v := range i.badRemotes {
|
|
|
|
if v.Equals(remote) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2019-11-19 10:00:20 -07:00
|
|
|
func (i *HostInfo) ClearRemotes() {
|
|
|
|
i.remote = nil
|
2021-03-31 09:26:35 -06:00
|
|
|
i.Remotes = []*udpAddr{}
|
2019-11-19 10:00:20 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
func (i *HostInfo) ClearConnectionState() {
|
|
|
|
i.ConnectionState = nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (i *HostInfo) RecvErrorExceeded() bool {
|
|
|
|
if i.recvError < 3 {
|
|
|
|
i.recvError += 1
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2019-12-12 09:34:17 -07:00
|
|
|
func (i *HostInfo) CreateRemoteCIDR(c *cert.NebulaCertificate) {
|
2020-03-02 14:21:33 -07:00
|
|
|
if len(c.Details.Ips) == 1 && len(c.Details.Subnets) == 0 {
|
|
|
|
// Simple case, no CIDRTree needed
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2019-12-12 09:34:17 -07:00
|
|
|
remoteCidr := NewCIDRTree()
|
|
|
|
for _, ip := range c.Details.Ips {
|
|
|
|
remoteCidr.AddCIDR(&net.IPNet{IP: ip.IP, Mask: net.IPMask{255, 255, 255, 255}}, struct{}{})
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, n := range c.Details.Subnets {
|
|
|
|
remoteCidr.AddCIDR(n, struct{}{})
|
|
|
|
}
|
|
|
|
i.remoteCidr = remoteCidr
|
|
|
|
}
|
|
|
|
|
2021-03-26 08:46:30 -06:00
|
|
|
func (i *HostInfo) logger(l *logrus.Logger) *logrus.Entry {
|
2020-04-06 12:34:00 -06:00
|
|
|
if i == nil {
|
|
|
|
return logrus.NewEntry(l)
|
|
|
|
}
|
|
|
|
|
|
|
|
li := l.WithField("vpnIp", IntIp(i.hostId))
|
|
|
|
|
|
|
|
if connState := i.ConnectionState; connState != nil {
|
|
|
|
if peerCert := connState.peerCert; peerCert != nil {
|
|
|
|
li = li.WithField("certName", peerCert.Details.Name)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return li
|
|
|
|
}
|
|
|
|
|
2019-11-19 10:00:20 -07:00
|
|
|
//########################
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
|
|
|
func (hm *HostMap) DebugRemotes(vpnIp uint32) string {
|
|
|
|
s := "\n"
|
|
|
|
for _, h := range hm.Hosts {
|
|
|
|
for _, r := range h.Remotes {
|
|
|
|
s += fmt.Sprintf("%s : %d ## %v\n", r.addr.IP.String(), r.addr.Port, r.probes)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
|
|
|
|
func (i *HostInfo) HandleReply(addr *net.UDPAddr, counter int) {
|
|
|
|
for _, r := range i.Remotes {
|
|
|
|
if r.addr.IP.Equal(addr.IP) && r.addr.Port == addr.Port {
|
|
|
|
r.ProbeReceived(counter)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (i *HostInfo) Probes() []*Probe {
|
|
|
|
p := []*Probe{}
|
|
|
|
for _, d := range i.Remotes {
|
|
|
|
p = append(p, &Probe{Addr: d.addr, Counter: d.Probe()})
|
|
|
|
}
|
|
|
|
return p
|
|
|
|
}
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
// Utility functions
|
|
|
|
|
2021-03-26 08:46:30 -06:00
|
|
|
func localIps(l *logrus.Logger, allowList *AllowList) *[]net.IP {
|
2019-11-19 10:00:20 -07:00
|
|
|
//FIXME: This function is pretty garbage
|
|
|
|
var ips []net.IP
|
|
|
|
ifaces, _ := net.Interfaces()
|
|
|
|
for _, i := range ifaces {
|
Add lighthouse.{remoteAllowList,localAllowList} (#217)
These settings make it possible to blacklist / whitelist IP addresses
that are used for remote connections.
`lighthouse.remoteAllowList` filters which remote IPs are allow when
fetching from the lighthouse (or, if you are the lighthouse, which IPs
you store and forward to querying hosts). By default, any remote IPs are
allowed. You can provide CIDRs here with `true` to allow and `false` to
deny. The most specific CIDR rule applies to each remote. If all rules
are "allow", the default will be "deny", and vice-versa. If both "allow"
and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0"
as the default.
lighthouse:
remoteAllowList:
# Example to block IPs from this subnet from being used for remote IPs.
"172.16.0.0/12": false
# A more complicated example, allow public IPs but only private IPs from a specific subnet
"0.0.0.0/0": true
"10.0.0.0/8": false
"10.42.42.0/24": true
`lighthouse.localAllowList` has the same logic as above, but it applies
to the local addresses we advertise to the lighthouse. Additionally, you
can specify an `interfaces` map of regular expressions to match against
interface names. The regexp must match the entire name. All interface
rules must be either true or false (and the default rule will be the
inverse). CIDR rules are matched after interface name rules.
Default is all local IP addresses.
lighthouse:
localAllowList:
# Example to blacklist docker interfaces.
interfaces:
'docker.*': false
# Example to only advertise IPs in this subnet to the lighthouse.
"10.0.0.0/8": true
2020-04-08 13:36:43 -06:00
|
|
|
allow := allowList.AllowName(i.Name)
|
2021-03-31 09:26:35 -06:00
|
|
|
if l.Level >= logrus.TraceLevel {
|
|
|
|
l.WithField("interfaceName", i.Name).WithField("allow", allow).Trace("localAllowList.AllowName")
|
|
|
|
}
|
|
|
|
|
Add lighthouse.{remoteAllowList,localAllowList} (#217)
These settings make it possible to blacklist / whitelist IP addresses
that are used for remote connections.
`lighthouse.remoteAllowList` filters which remote IPs are allow when
fetching from the lighthouse (or, if you are the lighthouse, which IPs
you store and forward to querying hosts). By default, any remote IPs are
allowed. You can provide CIDRs here with `true` to allow and `false` to
deny. The most specific CIDR rule applies to each remote. If all rules
are "allow", the default will be "deny", and vice-versa. If both "allow"
and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0"
as the default.
lighthouse:
remoteAllowList:
# Example to block IPs from this subnet from being used for remote IPs.
"172.16.0.0/12": false
# A more complicated example, allow public IPs but only private IPs from a specific subnet
"0.0.0.0/0": true
"10.0.0.0/8": false
"10.42.42.0/24": true
`lighthouse.localAllowList` has the same logic as above, but it applies
to the local addresses we advertise to the lighthouse. Additionally, you
can specify an `interfaces` map of regular expressions to match against
interface names. The regexp must match the entire name. All interface
rules must be either true or false (and the default rule will be the
inverse). CIDR rules are matched after interface name rules.
Default is all local IP addresses.
lighthouse:
localAllowList:
# Example to blacklist docker interfaces.
interfaces:
'docker.*': false
# Example to only advertise IPs in this subnet to the lighthouse.
"10.0.0.0/8": true
2020-04-08 13:36:43 -06:00
|
|
|
if !allow {
|
|
|
|
continue
|
|
|
|
}
|
2019-11-19 10:00:20 -07:00
|
|
|
addrs, _ := i.Addrs()
|
|
|
|
for _, addr := range addrs {
|
|
|
|
var ip net.IP
|
|
|
|
switch v := addr.(type) {
|
|
|
|
case *net.IPNet:
|
|
|
|
//continue
|
|
|
|
ip = v.IP
|
|
|
|
case *net.IPAddr:
|
|
|
|
ip = v.IP
|
|
|
|
}
|
2021-03-18 19:37:24 -06:00
|
|
|
|
|
|
|
//TODO: Filtering out link local for now, this is probably the most correct thing
|
|
|
|
//TODO: Would be nice to filter out SLAAC MAC based ips as well
|
|
|
|
if ip.IsLoopback() == false && !ip.IsLinkLocalUnicast() {
|
|
|
|
allow := allowList.Allow(ip)
|
2021-03-31 09:26:35 -06:00
|
|
|
if l.Level >= logrus.TraceLevel {
|
|
|
|
l.WithField("localIp", ip).WithField("allow", allow).Trace("localAllowList.Allow")
|
|
|
|
}
|
Add lighthouse.{remoteAllowList,localAllowList} (#217)
These settings make it possible to blacklist / whitelist IP addresses
that are used for remote connections.
`lighthouse.remoteAllowList` filters which remote IPs are allow when
fetching from the lighthouse (or, if you are the lighthouse, which IPs
you store and forward to querying hosts). By default, any remote IPs are
allowed. You can provide CIDRs here with `true` to allow and `false` to
deny. The most specific CIDR rule applies to each remote. If all rules
are "allow", the default will be "deny", and vice-versa. If both "allow"
and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0"
as the default.
lighthouse:
remoteAllowList:
# Example to block IPs from this subnet from being used for remote IPs.
"172.16.0.0/12": false
# A more complicated example, allow public IPs but only private IPs from a specific subnet
"0.0.0.0/0": true
"10.0.0.0/8": false
"10.42.42.0/24": true
`lighthouse.localAllowList` has the same logic as above, but it applies
to the local addresses we advertise to the lighthouse. Additionally, you
can specify an `interfaces` map of regular expressions to match against
interface names. The regexp must match the entire name. All interface
rules must be either true or false (and the default rule will be the
inverse). CIDR rules are matched after interface name rules.
Default is all local IP addresses.
lighthouse:
localAllowList:
# Example to blacklist docker interfaces.
interfaces:
'docker.*': false
# Example to only advertise IPs in this subnet to the lighthouse.
"10.0.0.0/8": true
2020-04-08 13:36:43 -06:00
|
|
|
if !allow {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2019-11-19 10:00:20 -07:00
|
|
|
ips = append(ips, ip)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return &ips
|
|
|
|
}
|
|
|
|
|
|
|
|
func PrivateIP(ip net.IP) bool {
|
2021-03-18 19:37:24 -06:00
|
|
|
//TODO: Private for ipv6 or just let it ride?
|
2019-11-19 10:00:20 -07:00
|
|
|
private := false
|
|
|
|
_, private24BitBlock, _ := net.ParseCIDR("10.0.0.0/8")
|
|
|
|
_, private20BitBlock, _ := net.ParseCIDR("172.16.0.0/12")
|
|
|
|
_, private16BitBlock, _ := net.ParseCIDR("192.168.0.0/16")
|
|
|
|
private = private24BitBlock.Contains(ip) || private20BitBlock.Contains(ip) || private16BitBlock.Contains(ip)
|
|
|
|
return private
|
|
|
|
}
|