1 rok pred · 3356e03d85
--- a/connection_manager.go
+++ b/connection_manager.go
@@ -432,7 +432,7 @@ func (n *connectionManager) isInvalidCertificate(now time.Time, hostinfo *HostIn
 
				 		return false
			
 
				 	}
			
 
				 
			
 
				-	if !n.intf.disconnectInvalid && err != cert.ErrBlockListed {
			
 
				+	if !n.intf.disconnectInvalid.Load() && err != cert.ErrBlockListed {
			
 
				 		// Block listed certificates should always be disconnected
			
 
				 		return false
			
 
				 	}
			
--- a/connection_manager_test.go
+++ b/connection_manager_test.go
@@ -253,18 +253,18 @@ func Test_NewConnectionManagerTest_DisconnectInvalid(t *testing.T) {
 
				 
			
 
				 	lh := newTestLighthouse()
			
 
				 	ifce := &Interface{
			
 
				-		hostMap:           hostMap,
			
 
				-		inside:            &test.NoopTun{},
			
 
				-		outside:           &udp.NoopConn{},
			
 
				-		firewall:          &Firewall{},
			
 
				-		lightHouse:        lh,
			
 
				-		handshakeManager:  NewHandshakeManager(l, hostMap, lh, &udp.NoopConn{}, defaultHandshakeConfig),
			
 
				-		l:                 l,
			
 
				-		disconnectInvalid: true,
			
 
				-		pki:               &PKI{},
			
 
				+		hostMap:          hostMap,
			
 
				+		inside:           &test.NoopTun{},
			
 
				+		outside:          &udp.NoopConn{},
			
 
				+		firewall:         &Firewall{},
			
 
				+		lightHouse:       lh,
			
 
				+		handshakeManager: NewHandshakeManager(l, hostMap, lh, &udp.NoopConn{}, defaultHandshakeConfig),
			
 
				+		l:                l,
			
 
				+		pki:              &PKI{},
			
 
				 	}
			
 
				 	ifce.pki.cs.Store(cs)
			
 
				 	ifce.pki.caPool.Store(ncp)
			
 
				+	ifce.disconnectInvalid.Store(true)
			
 
				 
			
 
				 	// Create manager
			
 
				 	ctx, cancel := context.WithCancel(context.Background())
			
--- a/examples/config.yml
+++ b/examples/config.yml
@@ -11,7 +11,7 @@ pki:
 
				   #blocklist:
			
 
				   #  - c99d4e650533b92061b09918e838a5a0a6aaee21eed1d12fd937682865936c72
			
 
				   # disconnect_invalid is a toggle to force a client to be disconnected if the certificate is expired or invalid.
			
 
				-  #disconnect_invalid: false
			
 
				+  #disconnect_invalid: true
			
 
				 
			
 
				 # The static host map defines a set of hosts with fixed IP addresses on the internet (or any network).
			
 
				 # A host can have multiple fixed IP addresses defined here, and nebula will try each when establishing a tunnel.
			
--- a/interface.go
+++ b/interface.go
@@ -40,7 +40,6 @@ type InterfaceConfig struct {
 
				 	routines                int
			
 
				 	MessageMetrics          *MessageMetrics
			
 
				 	version                 string
			
 
				-	disconnectInvalid       bool
			
 
				 	relayManager            *relayManager
			
 
				 	punchy                  *Punchy
			
 
				 
			
@@ -69,7 +68,7 @@ type Interface struct {
 
				 	dropLocalBroadcast bool
			
 
				 	dropMulticast      bool
			
 
				 	routines           int
			
 
				-	disconnectInvalid  bool
			
 
				+	disconnectInvalid  atomic.Bool
			
 
				 	closed             atomic.Bool
			
 
				 	relayManager       *relayManager
			
 
				 
			
@@ -176,7 +175,6 @@ func NewInterface(ctx context.Context, c *InterfaceConfig) (*Interface, error) {
 
				 		version:            c.version,
			
 
				 		writers:            make([]udp.Conn, c.routines),
			
 
				 		readers:            make([]io.ReadWriteCloser, c.routines),
			
 
				-		disconnectInvalid:  c.disconnectInvalid,
			
 
				 		myVpnIp:            myVpnIp,
			
 
				 		relayManager:       c.relayManager,
			
 
				 
			
@@ -294,12 +292,24 @@ func (f *Interface) listenIn(reader io.ReadWriteCloser, i int) {
 
				 func (f *Interface) RegisterConfigChangeCallbacks(c *config.C) {
			
 
				 	c.RegisterReloadCallback(f.reloadFirewall)
			
 
				 	c.RegisterReloadCallback(f.reloadSendRecvError)
			
 
				+	c.RegisterReloadCallback(f.reloadDisconnectInvalid)
			
 
				 	c.RegisterReloadCallback(f.reloadMisc)
			
 
				+
			
 
				 	for _, udpConn := range f.writers {
			
 
				 		c.RegisterReloadCallback(udpConn.ReloadConfig)
			
 
				 	}
			
 
				 }
			
 
				 
			
 
				+func (f *Interface) reloadDisconnectInvalid(c *config.C) {
			
 
				+	initial := c.InitialLoad()
			
 
				+	if initial || c.HasChanged("pki.disconnect_invalid") {
			
 
				+		f.disconnectInvalid.Store(c.GetBool("pki.disconnect_invalid", true))
			
 
				+		if !initial {
			
 
				+			f.l.Infof("pki.disconnect_invalid changed to %v", f.disconnectInvalid.Load())
			
 
				+		}
			
 
				+	}
			
 
				+}
			
 
				+
			
 
				 func (f *Interface) reloadFirewall(c *config.C) {
			
 
				 	//TODO: need to trigger/detect if the certificate changed too
			
 
				 	if c.HasChanged("firewall") == false {
			
--- a/main.go
+++ b/main.go
@@ -273,7 +273,6 @@ func Main(c *config.C, configTest bool, buildVersion string, logger *logrus.Logg
 
				 		routines:                routines,
			
 
				 		MessageMetrics:          messageMetrics,
			
 
				 		version:                 buildVersion,
			
 
				-		disconnectInvalid:       c.GetBool("pki.disconnect_invalid", false),
			
 
				 		relayManager:            NewRelayManager(ctx, l, hostMap, c),
			
 
				 		punchy:                  punchy,
			
 
				 
			
@@ -303,6 +302,7 @@ func Main(c *config.C, configTest bool, buildVersion string, logger *logrus.Logg
 
				 		lightHouse.ifce = ifce
			
 
				 
			
 
				 		ifce.RegisterConfigChangeCallbacks(c)
			
 
				+		ifce.reloadDisconnectInvalid(c)
			
 
				 		ifce.reloadSendRecvError(c)
			
 
				 
			
 
				 		handshakeManager.f = ifce