inside.go 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345
  1. package nebula
  2. import (
  3. "sync/atomic"
  4. "github.com/flynn/noise"
  5. "github.com/sirupsen/logrus"
  6. "github.com/slackhq/nebula/firewall"
  7. "github.com/slackhq/nebula/header"
  8. "github.com/slackhq/nebula/iputil"
  9. "github.com/slackhq/nebula/udp"
  10. )
  11. func (f *Interface) consumeInsidePacket(packet []byte, fwPacket *firewall.Packet, nb, out []byte, q int, localCache firewall.ConntrackCache) {
  12. err := newPacket(packet, false, fwPacket)
  13. if err != nil {
  14. f.l.WithField("packet", packet).Debugf("Error while validating outbound packet: %s", err)
  15. return
  16. }
  17. // Ignore local broadcast packets
  18. if f.dropLocalBroadcast && fwPacket.RemoteIP == f.localBroadcast {
  19. return
  20. }
  21. // Ignore packets from self to self
  22. if fwPacket.RemoteIP == f.myVpnIp {
  23. return
  24. }
  25. // Ignore broadcast packets
  26. if f.dropMulticast && isMulticast(fwPacket.RemoteIP) {
  27. return
  28. }
  29. hostinfo := f.getOrHandshake(fwPacket.RemoteIP)
  30. if hostinfo == nil {
  31. if f.l.Level >= logrus.DebugLevel {
  32. f.l.WithField("vpnIp", fwPacket.RemoteIP).
  33. WithField("fwPacket", fwPacket).
  34. Debugln("dropping outbound packet, vpnIp not in our CIDR or in unsafe routes")
  35. }
  36. return
  37. }
  38. ci := hostinfo.ConnectionState
  39. if ci.ready == false {
  40. // Because we might be sending stored packets, lock here to stop new things going to
  41. // the packet queue.
  42. ci.queueLock.Lock()
  43. if !ci.ready {
  44. hostinfo.cachePacket(f.l, header.Message, 0, packet, f.sendMessageNow, f.cachedPacketMetrics)
  45. ci.queueLock.Unlock()
  46. return
  47. }
  48. ci.queueLock.Unlock()
  49. }
  50. dropReason := f.firewall.Drop(packet, *fwPacket, false, hostinfo, f.caPool, localCache)
  51. if dropReason == nil {
  52. f.sendNoMetrics(header.Message, 0, ci, hostinfo, nil, packet, nb, out, q)
  53. } else if f.l.Level >= logrus.DebugLevel {
  54. hostinfo.logger(f.l).
  55. WithField("fwPacket", fwPacket).
  56. WithField("reason", dropReason).
  57. Debugln("dropping outbound packet")
  58. }
  59. }
  60. func (f *Interface) Handshake(vpnIp iputil.VpnIp) {
  61. f.getOrHandshake(vpnIp)
  62. }
  63. // getOrHandshake returns nil if the vpnIp is not routable
  64. func (f *Interface) getOrHandshake(vpnIp iputil.VpnIp) *HostInfo {
  65. //TODO: we can find contains without converting back to bytes
  66. if f.hostMap.vpnCIDR.Contains(vpnIp.ToIP()) == false {
  67. vpnIp = f.inside.RouteFor(vpnIp)
  68. if vpnIp == 0 {
  69. return nil
  70. }
  71. }
  72. hostinfo, err := f.hostMap.PromoteBestQueryVpnIp(vpnIp, f)
  73. //if err != nil || hostinfo.ConnectionState == nil {
  74. if err != nil {
  75. hostinfo, err = f.handshakeManager.pendingHostMap.QueryVpnIp(vpnIp)
  76. if err != nil {
  77. hostinfo = f.handshakeManager.AddVpnIp(vpnIp, f.initHostInfo)
  78. }
  79. }
  80. ci := hostinfo.ConnectionState
  81. if ci != nil && ci.eKey != nil && ci.ready {
  82. return hostinfo
  83. }
  84. // Handshake is not ready, we need to grab the lock now before we start the handshake process
  85. hostinfo.Lock()
  86. defer hostinfo.Unlock()
  87. // Double check, now that we have the lock
  88. ci = hostinfo.ConnectionState
  89. if ci != nil && ci.eKey != nil && ci.ready {
  90. return hostinfo
  91. }
  92. // If we have already created the handshake packet, we don't want to call the function at all.
  93. if !hostinfo.HandshakeReady {
  94. ixHandshakeStage0(f, vpnIp, hostinfo)
  95. // FIXME: Maybe make XX selectable, but probably not since psk makes it nearly pointless for us.
  96. //xx_handshakeStage0(f, ip, hostinfo)
  97. // If this is a static host, we don't need to wait for the HostQueryReply
  98. // We can trigger the handshake right now
  99. if _, ok := f.lightHouse.GetStaticHostList()[vpnIp]; ok {
  100. select {
  101. case f.handshakeManager.trigger <- vpnIp:
  102. default:
  103. }
  104. }
  105. }
  106. return hostinfo
  107. }
  108. // initHostInfo is the init function to pass to (*HandshakeManager).AddVpnIP that
  109. // will create the initial Noise ConnectionState
  110. func (f *Interface) initHostInfo(hostinfo *HostInfo) {
  111. hostinfo.ConnectionState = f.newConnectionState(f.l, true, noise.HandshakeIX, []byte{}, 0)
  112. }
  113. func (f *Interface) sendMessageNow(t header.MessageType, st header.MessageSubType, hostInfo *HostInfo, p, nb, out []byte) {
  114. fp := &firewall.Packet{}
  115. err := newPacket(p, false, fp)
  116. if err != nil {
  117. f.l.Warnf("error while parsing outgoing packet for firewall check; %v", err)
  118. return
  119. }
  120. // check if packet is in outbound fw rules
  121. dropReason := f.firewall.Drop(p, *fp, false, hostInfo, f.caPool, nil)
  122. if dropReason != nil {
  123. if f.l.Level >= logrus.DebugLevel {
  124. f.l.WithField("fwPacket", fp).
  125. WithField("reason", dropReason).
  126. Debugln("dropping cached packet")
  127. }
  128. return
  129. }
  130. f.sendNoMetrics(header.Message, st, hostInfo.ConnectionState, hostInfo, nil, p, nb, out, 0)
  131. }
  132. // SendMessageToVpnIp handles real ip:port lookup and sends to the current best known address for vpnIp
  133. func (f *Interface) SendMessageToVpnIp(t header.MessageType, st header.MessageSubType, vpnIp iputil.VpnIp, p, nb, out []byte) {
  134. hostInfo := f.getOrHandshake(vpnIp)
  135. if hostInfo == nil {
  136. if f.l.Level >= logrus.DebugLevel {
  137. f.l.WithField("vpnIp", vpnIp).
  138. Debugln("dropping SendMessageToVpnIp, vpnIp not in our CIDR or in unsafe routes")
  139. }
  140. return
  141. }
  142. if !hostInfo.ConnectionState.ready {
  143. // Because we might be sending stored packets, lock here to stop new things going to
  144. // the packet queue.
  145. hostInfo.ConnectionState.queueLock.Lock()
  146. if !hostInfo.ConnectionState.ready {
  147. hostInfo.cachePacket(f.l, t, st, p, f.sendMessageToVpnIp, f.cachedPacketMetrics)
  148. hostInfo.ConnectionState.queueLock.Unlock()
  149. return
  150. }
  151. hostInfo.ConnectionState.queueLock.Unlock()
  152. }
  153. f.sendMessageToVpnIp(t, st, hostInfo, p, nb, out)
  154. return
  155. }
  156. func (f *Interface) sendMessageToVpnIp(t header.MessageType, st header.MessageSubType, hostInfo *HostInfo, p, nb, out []byte) {
  157. f.send(t, st, hostInfo.ConnectionState, hostInfo, p, nb, out)
  158. }
  159. func (f *Interface) send(t header.MessageType, st header.MessageSubType, ci *ConnectionState, hostinfo *HostInfo, p, nb, out []byte) {
  160. f.messageMetrics.Tx(t, st, 1)
  161. f.sendNoMetrics(t, st, ci, hostinfo, nil, p, nb, out, 0)
  162. }
  163. func (f *Interface) sendTo(t header.MessageType, st header.MessageSubType, ci *ConnectionState, hostinfo *HostInfo, remote *udp.Addr, p, nb, out []byte) {
  164. f.messageMetrics.Tx(t, st, 1)
  165. f.sendNoMetrics(t, st, ci, hostinfo, remote, p, nb, out, 0)
  166. }
  167. // sendVia sends a payload through a Relay tunnel. No authentication or encryption is done
  168. // to the payload for the ultimate target host, making this a useful method for sending
  169. // handshake messages to peers through relay tunnels.
  170. // via is the HostInfo through which the message is relayed.
  171. // ad is the plaintext data to authenticate, but not encrypt
  172. // nb is a buffer used to store the nonce value, re-used for performance reasons.
  173. // out is a buffer used to store the result of the Encrypt operation
  174. // q indicates which writer to use to send the packet.
  175. func (f *Interface) SendVia(viaIfc interface{},
  176. relayIfc interface{},
  177. ad,
  178. nb,
  179. out []byte,
  180. nocopy bool,
  181. ) {
  182. via := viaIfc.(*HostInfo)
  183. relay := relayIfc.(*Relay)
  184. c := atomic.AddUint64(&via.ConnectionState.atomicMessageCounter, 1)
  185. out = header.Encode(out, header.Version, header.Message, header.MessageRelay, relay.RemoteIndex, c)
  186. f.connectionManager.Out(via.vpnIp)
  187. // Authenticate the header and payload, but do not encrypt for this message type.
  188. // The payload consists of the inner, unencrypted Nebula header, as well as the end-to-end encrypted payload.
  189. if len(out)+len(ad)+via.ConnectionState.eKey.Overhead() > cap(out) {
  190. via.logger(f.l).
  191. WithField("outCap", cap(out)).
  192. WithField("payloadLen", len(ad)).
  193. WithField("headerLen", len(out)).
  194. WithField("cipherOverhead", via.ConnectionState.eKey.Overhead()).
  195. Error("SendVia out buffer not large enough for relay")
  196. return
  197. }
  198. // The header bytes are written to the 'out' slice; Grow the slice to hold the header and associated data payload.
  199. offset := len(out)
  200. out = out[:offset+len(ad)]
  201. // In one call path, the associated data _is_ already stored in out. In other call paths, the associated data must
  202. // be copied into 'out'.
  203. if !nocopy {
  204. copy(out[offset:], ad)
  205. }
  206. var err error
  207. out, err = via.ConnectionState.eKey.EncryptDanger(out, out, nil, c, nb)
  208. if err != nil {
  209. via.logger(f.l).WithError(err).Info("Failed to EncryptDanger in sendVia")
  210. return
  211. }
  212. err = f.writers[0].WriteTo(out, via.remote)
  213. if err != nil {
  214. via.logger(f.l).WithError(err).Info("Failed to WriteTo in sendVia")
  215. }
  216. }
  217. func (f *Interface) sendNoMetrics(t header.MessageType, st header.MessageSubType, ci *ConnectionState, hostinfo *HostInfo, remote *udp.Addr, p, nb, out []byte, q int) {
  218. if ci.eKey == nil {
  219. //TODO: log warning
  220. return
  221. }
  222. useRelay := remote == nil && hostinfo.remote == nil
  223. fullOut := out
  224. if useRelay {
  225. if len(out) < header.Len {
  226. // out always has a capacity of mtu, but not always a length greater than the header.Len.
  227. // Grow it to make sure the next operation works.
  228. out = out[:header.Len]
  229. }
  230. // Save a header's worth of data at the front of the 'out' buffer.
  231. out = out[header.Len:]
  232. }
  233. //TODO: enable if we do more than 1 tun queue
  234. //ci.writeLock.Lock()
  235. c := atomic.AddUint64(&ci.atomicMessageCounter, 1)
  236. //l.WithField("trace", string(debug.Stack())).Error("out Header ", &Header{Version, t, st, 0, hostinfo.remoteIndexId, c}, p)
  237. out = header.Encode(out, header.Version, t, st, hostinfo.remoteIndexId, c)
  238. f.connectionManager.Out(hostinfo.vpnIp)
  239. // Query our LH if we haven't since the last time we've been rebound, this will cause the remote to punch against
  240. // all our IPs and enable a faster roaming.
  241. if t != header.CloseTunnel && hostinfo.lastRebindCount != f.rebindCount {
  242. //NOTE: there is an update hole if a tunnel isn't used and exactly 256 rebinds occur before the tunnel is
  243. // finally used again. This tunnel would eventually be torn down and recreated if this action didn't help.
  244. f.lightHouse.QueryServer(hostinfo.vpnIp, f)
  245. hostinfo.lastRebindCount = f.rebindCount
  246. if f.l.Level >= logrus.DebugLevel {
  247. f.l.WithField("vpnIp", hostinfo.vpnIp).Debug("Lighthouse update triggered for punch due to rebind counter")
  248. }
  249. }
  250. var err error
  251. out, err = ci.eKey.EncryptDanger(out, out, p, c, nb)
  252. //TODO: see above note on lock
  253. //ci.writeLock.Unlock()
  254. if err != nil {
  255. hostinfo.logger(f.l).WithError(err).
  256. WithField("udpAddr", remote).WithField("counter", c).
  257. WithField("attemptedCounter", c).
  258. Error("Failed to encrypt outgoing packet")
  259. return
  260. }
  261. if remote != nil {
  262. err = f.writers[q].WriteTo(out, remote)
  263. if err != nil {
  264. hostinfo.logger(f.l).WithError(err).
  265. WithField("udpAddr", remote).Error("Failed to write outgoing packet")
  266. }
  267. } else if hostinfo.remote != nil {
  268. err = f.writers[q].WriteTo(out, hostinfo.remote)
  269. if err != nil {
  270. hostinfo.logger(f.l).WithError(err).
  271. WithField("udpAddr", remote).Error("Failed to write outgoing packet")
  272. }
  273. } else {
  274. // Try to send via a relay
  275. for _, relayIP := range hostinfo.relayState.CopyRelayIps() {
  276. relayHostInfo, err := f.hostMap.QueryVpnIp(relayIP)
  277. if err != nil {
  278. hostinfo.logger(f.l).WithField("relayIp", relayIP).WithError(err).Info("sendNoMetrics failed to find HostInfo")
  279. continue
  280. }
  281. relay, ok := relayHostInfo.relayState.QueryRelayForByIp(hostinfo.vpnIp)
  282. if !ok {
  283. hostinfo.logger(f.l).
  284. WithField("relayIp", relayHostInfo.vpnIp).
  285. WithField("relayTarget", hostinfo.vpnIp).
  286. Info("sendNoMetrics relay missing object for target")
  287. continue
  288. }
  289. f.SendVia(relayHostInfo, relay, out, nb, fullOut[:header.Len+len(out)], true)
  290. break
  291. }
  292. }
  293. return
  294. }
  295. func isMulticast(ip iputil.VpnIp) bool {
  296. // Class D multicast
  297. if (((ip >> 24) & 0xff) & 0xf0) == 0xe0 {
  298. return true
  299. }
  300. return false
  301. }