Stowage/nebula
2
0
Fork 0
mirror of https://github.com/slackhq/nebula.git synced 2025-10-19 15:53:16 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fix recv_error receipt limit allowance for v1.9.x (#1459)

Browse source 
* Fix recv_error receipt limit allowance

* backport #1463 recv_error behavior changes

---------

Co-authored-by: JackDoan <me@jackdoan.com>
This commit is contained in:
Nate Brown 2025-09-04 15:52:32 -05:00 committed by GitHub
parent 1d73e463cd
commit 22af56f156
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 8 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

9
hostmap.go
View file

@ -22,7 +22,6 @@ const defaultPromoteEvery = 1000 // Count of packets sent before we try mo
const defaultReQueryEvery = 5000 // Count of packets sent before re-querying a hostinfo to the lighthouse const defaultReQueryEvery = 5000 // Count of packets sent before re-querying a hostinfo to the lighthouse
const defaultReQueryWait = time.Minute // Minimum amount of seconds to wait before re-querying a hostinfo the lighthouse. Evaluated every ReQueryEvery const defaultReQueryWait = time.Minute // Minimum amount of seconds to wait before re-querying a hostinfo the lighthouse. Evaluated every ReQueryEvery
const MaxRemotes = 10 const MaxRemotes = 10
const maxRecvError = 4
// MaxHostInfosPerVpnIp is the max number of hostinfos we will track for a given vpn ip // MaxHostInfosPerVpnIp is the max number of hostinfos we will track for a given vpn ip
// 5 allows for an initial handshake and each host pair re-handshaking twice // 5 allows for an initial handshake and each host pair re-handshaking twice
@ -220,7 +219,6 @@ type HostInfo struct {
remoteIndexId uint32 remoteIndexId uint32
localIndexId uint32 localIndexId uint32
vpnIp netip.Addr vpnIp netip.Addr
recvError atomic.Uint32
remoteCidr *bart.Table[struct{}] remoteCidr *bart.Table[struct{}]
relayState RelayState relayState RelayState
@ -705,13 +703,6 @@ func (i *HostInfo) SetRemoteIfPreferred(hm *HostMap, newRemote netip.AddrPort) b
return false return false
} }
func (i *HostInfo) RecvErrorExceeded() bool {
if i.recvError.Add(1) >= maxRecvError {
return true
}
return true
}
func (i *HostInfo) CreateRemoteCIDR(c *cert.NebulaCertificate) { func (i *HostInfo) CreateRemoteCIDR(c *cert.NebulaCertificate) {
if len(c.Details.Ips) == 1 && len(c.Details.Subnets) == 0 { if len(c.Details.Ips) == 1 && len(c.Details.Subnets) == 0 {
// Simple case, no CIDRTree needed // Simple case, no CIDRTree needed

18
outside.go
View file

@ -286,16 +286,18 @@ func (f *Interface) handleHostRoaming(hostinfo *HostInfo, ip netip.AddrPort) {
} }
// handleEncrypted returns true if a packet should be processed, false otherwise
func (f *Interface) handleEncrypted(ci *ConnectionState, addr netip.AddrPort, h *header.H) bool { func (f *Interface) handleEncrypted(ci *ConnectionState, addr netip.AddrPort, h *header.H) bool {
// If connectionstate exists and the replay protector allows, process packet // If connectionstate does not exist, send a recv error, if possible, to encourage a fast reconnect
// Else, send recv errors for 300 seconds after a restart to allow fast reconnection. if ci == nil {
if ci == nil || !ci.window.Check(f.l, h.MessageCounter) {
if addr.IsValid() { if addr.IsValid() {
f.maybeSendRecvError(addr, h.RemoteIndex) f.maybeSendRecvError(addr, h.RemoteIndex)
return false
} else {
return false
} }
return false
}
// If the window check fails, refuse to process the packet, but don't send a recv error
if !ci.window.Check(f.l, h.MessageCounter) {
return false
} }
return true return true
@ -458,10 +460,6 @@ func (f *Interface) handleRecvError(addr netip.AddrPort, h *header.H) {
return return
} }
if !hostinfo.RecvErrorExceeded() {
return
}
if hostinfo.remote.IsValid() && hostinfo.remote != addr { if hostinfo.remote.IsValid() && hostinfo.remote != addr {
f.l.Infoln("Someone spoofing recv_errors? ", addr, hostinfo.remote) f.l.Infoln("Someone spoofing recv_errors? ", addr, hostinfo.remote)
return return