it works again but linux is pickier than I thought, I need to refactor even more

JackDoan 2026-02-17 15:15:10 -06:00
parent 7498c6846d
commit 37abdd7f96
2 changed files with 20 additions and 7 deletions


@ -356,7 +356,9 @@ func (f *Firewall) GetRuleHashes() string {
func (f *Firewall) SetSNATAddressFromInterface(i *Interface) {
//address-mutation-avoidance is done inside Interface, the firewall doesn't need to care
//todo should snatted conntracks get expired out? Probably not needed until if/when we allow reload
f.snatAddr = i.inside.SNATAddress().Addr()
if f.hasUnsafeNetworks { //todo this logic???
f.snatAddr = i.inside.SNATAddress().Addr()
}
}
func (f *Firewall) ShouldUnSNAT(fp *firewall.Packet) bool {
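Review bot: The assignment inside the new `if f.hasUnsafeNetworks {` branch stores exactly the value the unconditional `f.snatAddr = i.inside.SNATAddress().Addr()` two lines above already stored, so the branch is a no-op and the `//todo this logic???` remains unresolved. Either the unconditional line is meant to go, so the SNAT address only takes effect when unsafe networks are configured, or the branch should be removed; as written a reader cannot tell which was intended. It is also worth noting that this gate appears to be the inverse of the `len(t.unsafeNetworks) == 0` checks in the second file's `addIPs` and `Activate` hunks, so whichever form is kept, a one-line comment stating the intended rule (`// SNAT address is only installed when unsafe networks are present`, or its opposite) would keep the two files from drifting. SetSNATAddressFromInterface fits entirely within this hunk.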


@ -329,7 +329,7 @@ func (t *tun) addIPs(link netlink.Link) error {
}
}
if t.snatAddr.IsValid() && len(t.vpnNetworks) > 0 { //TODO unsafe-routers should be able to snat and be snatted
if t.snatAddr.IsValid() && len(t.unsafeNetworks) == 0 { //TODO unsafe-routers should be able to snat and be snatted
newAddrs = append(newAddrs, &netlink.Addr{
IPNet: &net.IPNet{
IP: t.snatAddr.Addr().AsSlice(),
@ -431,11 +431,11 @@ func (t *tun) Activate() error {
}
}
//TODO snat and be snatted
//if t.snatAddr.IsValid() {
// if err = t.setDefaultRoute(t.snatAddr); err != nil {
// return fmt.Errorf("failed to set default route MTU for %s: %w", t.snatAddr, err)
// }
//}
if t.snatAddr.IsValid() && len(t.unsafeNetworks) == 0 {
if err = t.setDefaultRoute(t.snatAddr); err != nil {
return fmt.Errorf("failed to set default route MTU for %s: %w", t.snatAddr, err)
}
}
// Set the routes
if err = t.addRoutes(false); err != nil {
@ -448,6 +448,14 @@ func (t *tun) Activate() error {
return fmt.Errorf("failed to run tun device: %s", err)
}
//todo hmmmmmm
if len(t.unsafeNetworks) != 0 {
err = os.WriteFile(fmt.Sprintf("/proc/sys/net/ipv4/conf/%s/accept_local", t.Device), []byte("1"), os.FileMode(0o644))
if err != nil {
return err
}
}
return nil
}
@ -556,6 +564,9 @@ func (t *tun) addRoutes(logErrors bool) error {
}
}
if len(t.unsafeNetworks) == 0 {
return nil
}
return t.setSnatRoute()
}
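Review bot: The `os.WriteFile` call that enables accept_local returns its error bare, so a failure surfaces from Activate as a raw *os.PathError with no hint of what was being configured; wrap it as `return fmt.Errorf("enabling accept_local on %s: %w", t.Device, err)` to match the surrounding `fmt.Errorf` style. The `//todo hmmmmmm` comment above it should say what the sysctl does and why it is needed: accept_local=1 makes the kernel accept packets on this device whose source is one of the host's own addresses, which relaxes the device's source-address validation, and the setting is not reverted when the device is torn down, so both the reason and the lifetime belong in the comment (the 0o644 mode is ignored for an existing procfs entry, which is fine but also worth a word). In the Activate hunk above, the error text that was uncommented still reads `failed to set default route MTU for %s` although the failing call is setDefaultRoute; `failed to set default route for %s: %w` describes the actual failure. Activate begins outside these hunks.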