Acasă Explorează Ajutor
Autentificare
golang
/
nebula
oglindă de https://github.com/slackhq/nebula
2
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Răsfoiți Sursa

drop unroutable packets (#267)

Currently, if a packet arrives on the tun device with a destination that
is not a routable Nebula IP, `queryUnsafeRoute` converts that IP to
0.0.0.0 and we store that packet and try to look up that IP with the
lighthouse. This doesn't make any sense to do, if we get a packet that
is unroutable we should just drop it.

Note, we have a few configurable options like `drop_local_broadcast`
and `drop_multicast` which do this for a few specific types, but since
no packets like this will send correctly I think we should just drop
anything that is unroutable.
Wade Simmons 5 ani în urmă
părinte
a54f3fc681
comite
ac557f381b
1 a modificat fișierele cu 26 adăugiri și 0 ștergeri
Vizualizare divizată Arată Statisticile Diff
  1. 26 0
      inside.go

+ 26 - 0
inside.go
Vizualizați fișierul 

@@ -30,6 +30,14 @@ func (f *Interface) consumeInsidePacket(packet []byte, fwPacket *FirewallPacket,
 
 	}
 
 
 	hostinfo := f.getOrHandshake(fwPacket.RemoteIP)
 
+	if hostinfo == nil {
 
+		if l.Level >= logrus.DebugLevel {
 
+			l.WithField("vpnIp", IntIp(fwPacket.RemoteIP)).
 
+				WithField("fwPacket", fwPacket).
 
+				Debugln("dropping outbound packet, vpnIp not in our CIDR or in unsafe routes")
 
+		}
 
+		return
 
+	}
 
 	ci := hostinfo.ConnectionState
 
 
 	if ci.ready == false {
 
@@ -59,9 +67,13 @@ func (f *Interface) consumeInsidePacket(packet []byte, fwPacket *FirewallPacket,
 
 	}
 
 }
 
 
+// getOrHandshake returns nil if the vpnIp is not routable
 
 func (f *Interface) getOrHandshake(vpnIp uint32) *HostInfo {
 
 	if f.hostMap.vpnCIDR.Contains(int2ip(vpnIp)) == false {
 
 		vpnIp = f.hostMap.queryUnsafeRoute(vpnIp)
 
+		if vpnIp == 0 {
 
+			return nil
 
+		}
 
 	}
 
 	hostinfo, err := f.hostMap.PromoteBestQueryVpnIP(vpnIp, f)
 
 
@@ -136,6 +148,13 @@ func (f *Interface) sendMessageNow(t NebulaMessageType, st NebulaMessageSubType,
 
 // SendMessageToVpnIp handles real ip:port lookup and sends to the current best known address for vpnIp
 
 func (f *Interface) SendMessageToVpnIp(t NebulaMessageType, st NebulaMessageSubType, vpnIp uint32, p, nb, out []byte) {
 
 	hostInfo := f.getOrHandshake(vpnIp)
 
+	if hostInfo == nil {
 
+		if l.Level >= logrus.DebugLevel {
 
+			l.WithField("vpnIp", IntIp(vpnIp)).
 
+				Debugln("dropping SendMessageToVpnIp, vpnIp not in our CIDR or in unsafe routes")
 
+		}
 
+		return
 
+	}
 
 
 	if !hostInfo.ConnectionState.ready {
 
 		// Because we might be sending stored packets, lock here to stop new things going to
 
@@ -160,6 +179,13 @@ func (f *Interface) sendMessageToVpnIp(t NebulaMessageType, st NebulaMessageSubT
 
 // SendMessageToAll handles real ip:port lookup and sends to all known addresses for vpnIp
 
 func (f *Interface) SendMessageToAll(t NebulaMessageType, st NebulaMessageSubType, vpnIp uint32, p, nb, out []byte) {
 
 	hostInfo := f.getOrHandshake(vpnIp)
 
+	if hostInfo == nil {
 
+		if l.Level >= logrus.DebugLevel {
 
+			l.WithField("vpnIp", IntIp(vpnIp)).
 
+				Debugln("dropping SendMessageToAll, vpnIp not in our CIDR or in unsafe routes")
 
+		}
 
+		return
 
+	}
 
 
 	if hostInfo.ConnectionState.ready == false {
 
 		// Because we might be sending stored packets, lock here to stop new things going to