mirrors/nebula
1
Fork 0
mirror of https://github.com/slackhq/nebula.git synced 2025-12-06 02:30:57 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

don't send recv errors for packets outside the connection window anymore (#1463)
Some checks are pending
gofmt / Run gofmt (push) Waiting to run
Details
smoke-extra / Run extra smoke tests (push) Waiting to run
Details
smoke / Run multi node smoke test (push) Waiting to run
Details
Build and test / Build all and test on ubuntu-linux (push) Waiting to run
Details
Build and test / Build and test on linux with boringcrypto (push) Waiting to run
Details
Build and test / Build and test on linux with pkcs11 (push) Waiting to run
Details
Build and test / Build and test on macos-latest (push) Waiting to run
Details
Build and test / Build and test on windows-latest (push) Waiting to run
Details

Browse source 
* don't send recv errors for packets outside the connection window anymore

* Pull in fix from #1459, add my opinion on maxRecvError

* remove recv_error counter entirely
This commit is contained in:
Jack Doan 2025-09-03 11:52:52 -05:00 committed by GitHub
parent 5cff83b282
commit 4bea299265
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 9 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

10
hostmap.go
View file

@ -17,12 +17,10 @@ import (
"github.com/slackhq/nebula/header" "github.com/slackhq/nebula/header"
) )
// const ProbeLen = 100
const defaultPromoteEvery = 1000 // Count of packets sent before we try moving a tunnel to a preferred underlay ip address const defaultPromoteEvery = 1000 // Count of packets sent before we try moving a tunnel to a preferred underlay ip address
const defaultReQueryEvery = 5000 // Count of packets sent before re-querying a hostinfo to the lighthouse const defaultReQueryEvery = 5000 // Count of packets sent before re-querying a hostinfo to the lighthouse
const defaultReQueryWait = time.Minute // Minimum amount of seconds to wait before re-querying a hostinfo the lighthouse. Evaluated every ReQueryEvery const defaultReQueryWait = time.Minute // Minimum amount of seconds to wait before re-querying a hostinfo the lighthouse. Evaluated every ReQueryEvery
const MaxRemotes = 10 const MaxRemotes = 10
const maxRecvError = 4
// MaxHostInfosPerVpnIp is the max number of hostinfos we will track for a given vpn ip // MaxHostInfosPerVpnIp is the max number of hostinfos we will track for a given vpn ip
// 5 allows for an initial handshake and each host pair re-handshaking twice // 5 allows for an initial handshake and each host pair re-handshaking twice
@ -226,7 +224,6 @@ type HostInfo struct {
// The host may have other vpn addresses that are outside our // The host may have other vpn addresses that are outside our
// vpn networks but were removed because they are not usable // vpn networks but were removed because they are not usable
vpnAddrs []netip.Addr vpnAddrs []netip.Addr
recvError atomic.Uint32
// networks are both all vpn and unsafe networks assigned to this host // networks are both all vpn and unsafe networks assigned to this host
networks *bart.Lite networks *bart.Lite
@ -733,13 +730,6 @@ func (i *HostInfo) SetRemoteIfPreferred(hm *HostMap, newRemote netip.AddrPort) b
return false return false
} }
func (i *HostInfo) RecvErrorExceeded() bool {
if i.recvError.Add(1) >= maxRecvError {
return true
}
return true
}
func (i *HostInfo) buildNetworks(networks, unsafeNetworks []netip.Prefix) { func (i *HostInfo) buildNetworks(networks, unsafeNetworks []netip.Prefix) {
if len(networks) == 1 && len(unsafeNetworks) == 0 { if len(networks) == 1 && len(unsafeNetworks) == 0 {
// Simple case, no CIDRTree needed // Simple case, no CIDRTree needed

16
outside.go
View file

@ -254,16 +254,18 @@ func (f *Interface) handleHostRoaming(hostinfo *HostInfo, udpAddr netip.AddrPort
} }
// handleEncrypted returns true if a packet should be processed, false otherwise
func (f *Interface) handleEncrypted(ci *ConnectionState, addr netip.AddrPort, h *header.H) bool { func (f *Interface) handleEncrypted(ci *ConnectionState, addr netip.AddrPort, h *header.H) bool {
// If connectionstate exists and the replay protector allows, process packet // If connectionstate does not exist, send a recv error, if possible, to encourage a fast reconnect
// Else, send recv errors for 300 seconds after a restart to allow fast reconnection. if ci == nil {
if ci == nil || !ci.window.Check(f.l, h.MessageCounter) {
if addr.IsValid() { if addr.IsValid() {
f.maybeSendRecvError(addr, h.RemoteIndex) f.maybeSendRecvError(addr, h.RemoteIndex)
return false }
} else {
return false return false
} }
// If the window check fails, refuse to process the packet, but don't send a recv error
if !ci.window.Check(f.l, h.MessageCounter) {
return false
} }
return true return true
@ -537,10 +539,6 @@ func (f *Interface) handleRecvError(addr netip.AddrPort, h *header.H) {
return return
} }
if !hostinfo.RecvErrorExceeded() {
return
}
if hostinfo.remote.IsValid() && hostinfo.remote != addr { if hostinfo.remote.IsValid() && hostinfo.remote != addr {
f.l.Infoln("Someone spoofing recv_errors? ", addr, hostinfo.remote) f.l.Infoln("Someone spoofing recv_errors? ", addr, hostinfo.remote)
return return