vpn
/
nebula
-ын хуулбар https://github.com/slackhq/nebula.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253
							package nebula

import (
	"github.com/sirupsen/logrus"
	"sync"
	"time"
)

// TODO: incount and outcount are intended as a shortcut to locking the mutexes for every single packet
// and something like every 10 packets we could lock, send 10, then unlock for a moment

type connectionManager struct {
	hostMap      *HostMap
	in           map[uint32]struct{}
	inLock       *sync.RWMutex
	inCount      int
	out          map[uint32]struct{}
	outLock      *sync.RWMutex
	outCount     int
	TrafficTimer *SystemTimerWheel
	intf         *Interface

	pendingDeletion      map[uint32]int
	pendingDeletionLock  *sync.RWMutex
	pendingDeletionTimer *SystemTimerWheel

	checkInterval           int
	pendingDeletionInterval int

	// I wanted to call one matLock
}

func newConnectionManager(intf *Interface, checkInterval, pendingDeletionInterval int) *connectionManager {
	nc := &connectionManager{
		hostMap:                 intf.hostMap,
		in:                      make(map[uint32]struct{}),
		inLock:                  &sync.RWMutex{},
		inCount:                 0,
		out:                     make(map[uint32]struct{}),
		outLock:                 &sync.RWMutex{},
		outCount:                0,
		TrafficTimer:            NewSystemTimerWheel(time.Millisecond*500, time.Second*60),
		intf:                    intf,
		pendingDeletion:         make(map[uint32]int),
		pendingDeletionLock:     &sync.RWMutex{},
		pendingDeletionTimer:    NewSystemTimerWheel(time.Millisecond*500, time.Second*60),
		checkInterval:           checkInterval,
		pendingDeletionInterval: pendingDeletionInterval,
	}
	nc.Start()
	return nc
}

func (n *connectionManager) In(ip uint32) {
	n.inLock.RLock()
	// If this already exists, return
	if _, ok := n.in[ip]; ok {
		n.inLock.RUnlock()
		return
	}
	n.inLock.RUnlock()
	n.inLock.Lock()
	n.in[ip] = struct{}{}
	n.inLock.Unlock()
}

func (n *connectionManager) Out(ip uint32) {
	n.outLock.RLock()
	// If this already exists, return
	if _, ok := n.out[ip]; ok {
		n.outLock.RUnlock()
		return
	}
	n.outLock.RUnlock()
	n.outLock.Lock()
	// double check since we dropped the lock temporarily
	if _, ok := n.out[ip]; ok {
		n.outLock.Unlock()
		return
	}
	n.out[ip] = struct{}{}
	n.AddTrafficWatch(ip, n.checkInterval)
	n.outLock.Unlock()
}

func (n *connectionManager) CheckIn(vpnIP uint32) bool {
	n.inLock.RLock()
	if _, ok := n.in[vpnIP]; ok {
		n.inLock.RUnlock()
		return true
	}
	n.inLock.RUnlock()
	return false
}

func (n *connectionManager) ClearIP(ip uint32) {
	n.inLock.Lock()
	n.outLock.Lock()
	delete(n.in, ip)
	delete(n.out, ip)
	n.inLock.Unlock()
	n.outLock.Unlock()
}

func (n *connectionManager) ClearPendingDeletion(ip uint32) {
	n.pendingDeletionLock.Lock()
	delete(n.pendingDeletion, ip)
	n.pendingDeletionLock.Unlock()
}

func (n *connectionManager) AddPendingDeletion(ip uint32) {
	n.pendingDeletionLock.Lock()
	if _, ok := n.pendingDeletion[ip]; ok {
		n.pendingDeletion[ip] += 1
	} else {
		n.pendingDeletion[ip] = 0
	}
	n.pendingDeletionTimer.Add(ip, time.Second*time.Duration(n.pendingDeletionInterval))
	n.pendingDeletionLock.Unlock()
}

func (n *connectionManager) checkPendingDeletion(ip uint32) bool {
	n.pendingDeletionLock.RLock()
	if _, ok := n.pendingDeletion[ip]; ok {

		n.pendingDeletionLock.RUnlock()
		return true
	}
	n.pendingDeletionLock.RUnlock()
	return false
}

func (n *connectionManager) AddTrafficWatch(vpnIP uint32, seconds int) {
	n.TrafficTimer.Add(vpnIP, time.Second*time.Duration(seconds))
}

func (n *connectionManager) Start() {
	go n.Run()
}

func (n *connectionManager) Run() {
	clockSource := time.Tick(500 * time.Millisecond)

	for now := range clockSource {
		n.HandleMonitorTick(now)
		n.HandleDeletionTick(now)
	}
}

func (n *connectionManager) HandleMonitorTick(now time.Time) {
	n.TrafficTimer.advance(now)
	for {
		ep := n.TrafficTimer.Purge()
		if ep == nil {
			break
		}

		vpnIP := ep.(uint32)

		// Check for traffic coming back in from this host.
		traf := n.CheckIn(vpnIP)

		// If we saw incoming packets from this ip, just return
		if traf {
			if l.Level >= logrus.DebugLevel {
				l.WithField("vpnIp", IntIp(vpnIP)).
					WithField("tunnelCheck", m{"state": "alive", "method": "passive"}).
					Debug("Tunnel status")
			}
			n.ClearIP(vpnIP)
			n.ClearPendingDeletion(vpnIP)
			continue
		}

		// If we didn't we may need to probe or destroy the conn
		hostinfo, err := n.hostMap.QueryVpnIP(vpnIP)
		if err != nil {
			l.Debugf("Not found in hostmap: %s", IntIp(vpnIP))
			n.ClearIP(vpnIP)
			n.ClearPendingDeletion(vpnIP)
			continue
		}

		l.WithField("vpnIp", IntIp(vpnIP)).
			WithField("tunnelCheck", m{"state": "testing", "method": "active"}).
			Debug("Tunnel status")

		if hostinfo != nil && hostinfo.ConnectionState != nil {
			// Send a test packet to trigger an authenticated tunnel test, this should suss out any lingering tunnel issues
			n.intf.SendMessageToVpnIp(test, testRequest, vpnIP, []byte(""), make([]byte, 12, 12), make([]byte, mtu))

		} else {
			l.Debugf("Hostinfo sadness: %s", IntIp(vpnIP))
		}
		n.AddPendingDeletion(vpnIP)
	}

}

func (n *connectionManager) HandleDeletionTick(now time.Time) {
	n.pendingDeletionTimer.advance(now)
	for {
		ep := n.pendingDeletionTimer.Purge()
		if ep == nil {
			break
		}

		vpnIP := ep.(uint32)

		// If we saw incoming packets from this ip, just return
		traf := n.CheckIn(vpnIP)
		if traf {
			l.WithField("vpnIp", IntIp(vpnIP)).
				WithField("tunnelCheck", m{"state": "alive", "method": "active"}).
				Debug("Tunnel status")
			n.ClearIP(vpnIP)
			n.ClearPendingDeletion(vpnIP)
			continue
		}

		hostinfo, err := n.hostMap.QueryVpnIP(vpnIP)
		if err != nil {
			n.ClearIP(vpnIP)
			n.ClearPendingDeletion(vpnIP)
			l.Debugf("Not found in hostmap: %s", IntIp(vpnIP))
			continue
		}

		// If it comes around on deletion wheel and hasn't resolved itself, delete
		if n.checkPendingDeletion(vpnIP) {
			cn := ""
			if hostinfo.ConnectionState != nil && hostinfo.ConnectionState.peerCert != nil {
				cn = hostinfo.ConnectionState.peerCert.Details.Name
			}
			l.WithField("vpnIp", IntIp(vpnIP)).
				WithField("tunnelCheck", m{"state": "dead", "method": "active"}).
				WithField("certName", cn).
				Info("Tunnel status")

			n.ClearIP(vpnIP)
			n.ClearPendingDeletion(vpnIP)
			// TODO: This is only here to let tests work. Should do proper mocking
			if n.intf.lightHouse != nil {
				n.intf.lightHouse.DeleteVpnIP(vpnIP)
			}
			n.hostMap.DeleteVpnIP(vpnIP)
			n.hostMap.DeleteIndex(hostinfo.localIndexId)
		} else {
			n.ClearIP(vpnIP)
			n.ClearPendingDeletion(vpnIP)
		}
	}
}