nebula/overlay/tun_disabled.go

package overlay

import (
	"fmt"
	"io"
	"net/netip"
	"strings"

	"github.com/rcrowley/go-metrics"
	"github.com/sirupsen/logrus"
	"github.com/slackhq/nebula/iputil"
)

type disabledTun struct {
	read chan []byte
	cidr netip.Prefix

	// Track these metrics since we don't have the tun device to do it for us
	tx metrics.Counter
	rx metrics.Counter
	l  *logrus.Logger
}

func newDisabledTun(cidr netip.Prefix, queueLen int, metricsEnabled bool, l *logrus.Logger) *disabledTun {
	tun := &disabledTun{
		cidr: cidr,
		read: make(chan []byte, queueLen),
		l:    l,
	}

	if metricsEnabled {
		tun.tx = metrics.GetOrRegisterCounter("messages.tx.message", nil)
		tun.rx = metrics.GetOrRegisterCounter("messages.rx.message", nil)
	} else {
		tun.tx = &metrics.NilCounter{}
		tun.rx = &metrics.NilCounter{}
	}

	return tun
}

func (*disabledTun) Activate() error {
	return nil
}

func (*disabledTun) RouteFor(addr netip.Addr) netip.Addr {
	return netip.Addr{}
}

func (t *disabledTun) Cidr() netip.Prefix {
	return t.cidr
}

func (*disabledTun) Name() string {
	return "disabled"
}

func (t *disabledTun) Read(b []byte) (int, error) {
	r, ok := <-t.read
	if !ok {
		return 0, io.EOF
	}

	if len(r) > len(b) {
		return 0, fmt.Errorf("packet larger than mtu: %d > %d bytes", len(r), len(b))
	}

	t.tx.Inc(1)
	if t.l.Level >= logrus.DebugLevel {
		t.l.WithField("raw", prettyPacket(r)).Debugf("Write payload")
	}

	return copy(b, r), nil
}

func (t *disabledTun) handleICMPEchoRequest(b []byte) bool {
	out := make([]byte, len(b))
	out = iputil.CreateICMPEchoResponse(b, out)
	if out == nil {
		return false
	}

	// attempt to write it, but don't block
	select {
	case t.read <- out:
	default:
		t.l.Debugf("tun_disabled: dropped ICMP Echo Reply response")
	}

	return true
}

func (t *disabledTun) Write(b []byte) (int, error) {
	t.rx.Inc(1)

	// Check for ICMP Echo Request before spending time doing the full parsing
	if t.handleICMPEchoRequest(b) {
		if t.l.Level >= logrus.DebugLevel {
			t.l.WithField("raw", prettyPacket(b)).Debugf("Disabled tun responded to ICMP Echo Request")
		}
	} else if t.l.Level >= logrus.DebugLevel {
		t.l.WithField("raw", prettyPacket(b)).Debugf("Disabled tun received unexpected payload")
	}
	return len(b), nil
}

func (t *disabledTun) NewMultiQueueReader() (io.ReadWriteCloser, error) {
	return t, nil
}

func (t *disabledTun) Close() error {
	if t.read != nil {
		close(t.read)
		t.read = nil
	}
	return nil
}

type prettyPacket []byte

func (p prettyPacket) String() string {
	var s strings.Builder

	for i, b := range p {
		if i > 0 && i%8 == 0 {
			s.WriteString(" ")
		}
		s.WriteString(fmt.Sprintf("%02x ", b))
	}

	return s.String()
}
Move all of tun into overlay (#577) 2021-11-12 06:37:29 +08:00			`package overlay`
Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user. 2020-08-10 21:15:55 +08:00
			`import (`
			`"fmt"`
			`"io"`
Switch most everything to netip in prep for ipv6 in the overlay (#1173) 2024-07-31 23:18:56 +08:00			`"net/netip"`
Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user. 2020-08-10 21:15:55 +08:00			`"strings"`

tun_disabled: reply to ICMP Echo Request (#342) This change allows a server running with `tun.disabled: true` (usually a lighthouse) to still reply to ICMP EchoRequest packets. This allows you to "ping" the lighthouse Nebula IP as a quick check to make sure the tunnel is up, even when running with tun.disabled. This is still gated by allowing `icmp` packets in the inbound firewall rules. 2021-03-02 00:09:41 +08:00			`"github.com/rcrowley/go-metrics"`
			`"github.com/sirupsen/logrus"`
Push route handling into overlay, a few more nits fixed (#581) 2021-11-13 01:19:28 +08:00			`"github.com/slackhq/nebula/iputil"`
Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user. 2020-08-10 21:15:55 +08:00			`)`

			`type disabledTun struct {`
Don't use a global logger (#423) 2021-03-26 22:46:30 +08:00			`read chan []byte`
Switch most everything to netip in prep for ipv6 in the overlay (#1173) 2024-07-31 23:18:56 +08:00			`cidr netip.Prefix`
tun_disabled: reply to ICMP Echo Request (#342) This change allows a server running with `tun.disabled: true` (usually a lighthouse) to still reply to ICMP EchoRequest packets. This allows you to "ping" the lighthouse Nebula IP as a quick check to make sure the tunnel is up, even when running with tun.disabled. This is still gated by allowing `icmp` packets in the inbound firewall rules. 2021-03-02 00:09:41 +08:00
			`// Track these metrics since we don't have the tun device to do it for us`
			`tx metrics.Counter`
			`rx metrics.Counter`
Don't use a global logger (#423) 2021-03-26 22:46:30 +08:00			`l *logrus.Logger`
Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user. 2020-08-10 21:15:55 +08:00			`}`

Switch most everything to netip in prep for ipv6 in the overlay (#1173) 2024-07-31 23:18:56 +08:00			`func newDisabledTun(cidr netip.Prefix, queueLen int, metricsEnabled bool, l logrus.Logger) disabledTun {`
tun_disabled: reply to ICMP Echo Request (#342) This change allows a server running with `tun.disabled: true` (usually a lighthouse) to still reply to ICMP EchoRequest packets. This allows you to "ping" the lighthouse Nebula IP as a quick check to make sure the tunnel is up, even when running with tun.disabled. This is still gated by allowing `icmp` packets in the inbound firewall rules. 2021-03-02 00:09:41 +08:00			`tun := &disabledTun{`
Don't use a global logger (#423) 2021-03-26 22:46:30 +08:00			`cidr: cidr,`
			`read: make(chan []byte, queueLen),`
			`l: l,`
Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user. 2020-08-10 21:15:55 +08:00			`}`
tun_disabled: reply to ICMP Echo Request (#342) This change allows a server running with `tun.disabled: true` (usually a lighthouse) to still reply to ICMP EchoRequest packets. This allows you to "ping" the lighthouse Nebula IP as a quick check to make sure the tunnel is up, even when running with tun.disabled. This is still gated by allowing `icmp` packets in the inbound firewall rules. 2021-03-02 00:09:41 +08:00
			`if metricsEnabled {`
			`tun.tx = metrics.GetOrRegisterCounter("messages.tx.message", nil)`
			`tun.rx = metrics.GetOrRegisterCounter("messages.rx.message", nil)`
			`} else {`
			`tun.tx = &metrics.NilCounter{}`
			`tun.rx = &metrics.NilCounter{}`
			`}`

			`return tun`
Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user. 2020-08-10 21:15:55 +08:00			`}`

			`func (*disabledTun) Activate() error {`
			`return nil`
			`}`

Switch most everything to netip in prep for ipv6 in the overlay (#1173) 2024-07-31 23:18:56 +08:00			`func (*disabledTun) RouteFor(addr netip.Addr) netip.Addr {`
			`return netip.Addr{}`
Push route handling into overlay, a few more nits fixed (#581) 2021-11-13 01:19:28 +08:00			`}`

Switch most everything to netip in prep for ipv6 in the overlay (#1173) 2024-07-31 23:18:56 +08:00			`func (t *disabledTun) Cidr() netip.Prefix {`
Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user. 2020-08-10 21:15:55 +08:00			`return t.cidr`
			`}`

Remove WriteRaw, cidrTree -> routeTree to better describe its purpose, remove redundancy from field names (#582) 2021-11-13 02:47:09 +08:00			`func (*disabledTun) Name() string {`
Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user. 2020-08-10 21:15:55 +08:00			`return "disabled"`
			`}`

			`func (t *disabledTun) Read(b []byte) (int, error) {`
tun_disabled: reply to ICMP Echo Request (#342) This change allows a server running with `tun.disabled: true` (usually a lighthouse) to still reply to ICMP EchoRequest packets. This allows you to "ping" the lighthouse Nebula IP as a quick check to make sure the tunnel is up, even when running with tun.disabled. This is still gated by allowing `icmp` packets in the inbound firewall rules. 2021-03-02 00:09:41 +08:00			`r, ok := <-t.read`
			`if !ok {`
			`return 0, io.EOF`
			`}`

			`if len(r) > len(b) {`
			`return 0, fmt.Errorf("packet larger than mtu: %d > %d bytes", len(r), len(b))`
			`}`

			`t.tx.Inc(1)`
Don't use a global logger (#423) 2021-03-26 22:46:30 +08:00			`if t.l.Level >= logrus.DebugLevel {`
			`t.l.WithField("raw", prettyPacket(r)).Debugf("Write payload")`
tun_disabled: reply to ICMP Echo Request (#342) This change allows a server running with `tun.disabled: true` (usually a lighthouse) to still reply to ICMP EchoRequest packets. This allows you to "ping" the lighthouse Nebula IP as a quick check to make sure the tunnel is up, even when running with tun.disabled. This is still gated by allowing `icmp` packets in the inbound firewall rules. 2021-03-02 00:09:41 +08:00			`}`

			`return copy(b, r), nil`
			`}`

			`func (t *disabledTun) handleICMPEchoRequest(b []byte) bool {`
firewall: add option to send REJECT replies (#738) * firewall: add option to send REJECT replies This change allows you to configure the firewall to send REJECT packets when a packet is denied. firewall: # Action to take when a packet is not allowed by the firewall rules. # Can be one of: # `drop` (default): silently drop the packet. # `reject`: send a reject reply. # - For TCP, this will be a RST "Connection Reset" packet. # - For other protocols, this will be an ICMP port unreachable packet. outbound_action: drop inbound_action: drop These packets are only sent to established tunnels, and only on the overlay network (currently IPv4 only). $ ping -c1 192.168.100.3 PING 192.168.100.3 (192.168.100.3) 56(84) bytes of data. From 192.168.100.3 icmp_seq=2 Destination Port Unreachable --- 192.168.100.3 ping statistics --- 2 packets transmitted, 0 received, +1 errors, 100% packet loss, time 31ms $ nc -nzv 192.168.100.3 22 (UNKNOWN) [192.168.100.3] 22 (?) : Connection refused This change also modifies the smoke test to capture tcpdump pcaps from both the inside and outside to inspect what is going on over the wire. It also now does TCP and UDP packet tests using the Nmap version of ncat. * calculate seq and ack the same was as the kernel The logic a bit confusing, so we copy it straight from how the kernel does iptables `--reject-with tcp-reset`: - https://github.com/torvalds/linux/blob/v5.19/net/ipv4/netfilter/nf_reject_ipv4.c#L193-L221 * cleanup 2023-03-14 03:08:40 +08:00			`out := make([]byte, len(b))`
			`out = iputil.CreateICMPEchoResponse(b, out)`
			`if out == nil {`
tun_disabled: reply to ICMP Echo Request (#342) This change allows a server running with `tun.disabled: true` (usually a lighthouse) to still reply to ICMP EchoRequest packets. This allows you to "ping" the lighthouse Nebula IP as a quick check to make sure the tunnel is up, even when running with tun.disabled. This is still gated by allowing `icmp` packets in the inbound firewall rules. 2021-03-02 00:09:41 +08:00			`return false`
			`}`

			`// attempt to write it, but don't block`
			`select {`
firewall: add option to send REJECT replies (#738) * firewall: add option to send REJECT replies This change allows you to configure the firewall to send REJECT packets when a packet is denied. firewall: # Action to take when a packet is not allowed by the firewall rules. # Can be one of: # `drop` (default): silently drop the packet. # `reject`: send a reject reply. # - For TCP, this will be a RST "Connection Reset" packet. # - For other protocols, this will be an ICMP port unreachable packet. outbound_action: drop inbound_action: drop These packets are only sent to established tunnels, and only on the overlay network (currently IPv4 only). $ ping -c1 192.168.100.3 PING 192.168.100.3 (192.168.100.3) 56(84) bytes of data. From 192.168.100.3 icmp_seq=2 Destination Port Unreachable --- 192.168.100.3 ping statistics --- 2 packets transmitted, 0 received, +1 errors, 100% packet loss, time 31ms $ nc -nzv 192.168.100.3 22 (UNKNOWN) [192.168.100.3] 22 (?) : Connection refused This change also modifies the smoke test to capture tcpdump pcaps from both the inside and outside to inspect what is going on over the wire. It also now does TCP and UDP packet tests using the Nmap version of ncat. * calculate seq and ack the same was as the kernel The logic a bit confusing, so we copy it straight from how the kernel does iptables `--reject-with tcp-reset`: - https://github.com/torvalds/linux/blob/v5.19/net/ipv4/netfilter/nf_reject_ipv4.c#L193-L221 * cleanup 2023-03-14 03:08:40 +08:00			`case t.read <- out:`
tun_disabled: reply to ICMP Echo Request (#342) This change allows a server running with `tun.disabled: true` (usually a lighthouse) to still reply to ICMP EchoRequest packets. This allows you to "ping" the lighthouse Nebula IP as a quick check to make sure the tunnel is up, even when running with tun.disabled. This is still gated by allowing `icmp` packets in the inbound firewall rules. 2021-03-02 00:09:41 +08:00			`default:`
Don't use a global logger (#423) 2021-03-26 22:46:30 +08:00			`t.l.Debugf("tun_disabled: dropped ICMP Echo Reply response")`
tun_disabled: reply to ICMP Echo Request (#342) This change allows a server running with `tun.disabled: true` (usually a lighthouse) to still reply to ICMP EchoRequest packets. This allows you to "ping" the lighthouse Nebula IP as a quick check to make sure the tunnel is up, even when running with tun.disabled. This is still gated by allowing `icmp` packets in the inbound firewall rules. 2021-03-02 00:09:41 +08:00			`}`

			`return true`
Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user. 2020-08-10 21:15:55 +08:00			`}`

			`func (t *disabledTun) Write(b []byte) (int, error) {`
tun_disabled: reply to ICMP Echo Request (#342) This change allows a server running with `tun.disabled: true` (usually a lighthouse) to still reply to ICMP EchoRequest packets. This allows you to "ping" the lighthouse Nebula IP as a quick check to make sure the tunnel is up, even when running with tun.disabled. This is still gated by allowing `icmp` packets in the inbound firewall rules. 2021-03-02 00:09:41 +08:00			`t.rx.Inc(1)`

			`// Check for ICMP Echo Request before spending time doing the full parsing`
			`if t.handleICMPEchoRequest(b) {`
Don't use a global logger (#423) 2021-03-26 22:46:30 +08:00			`if t.l.Level >= logrus.DebugLevel {`
			`t.l.WithField("raw", prettyPacket(b)).Debugf("Disabled tun responded to ICMP Echo Request")`
tun_disabled: reply to ICMP Echo Request (#342) This change allows a server running with `tun.disabled: true` (usually a lighthouse) to still reply to ICMP EchoRequest packets. This allows you to "ping" the lighthouse Nebula IP as a quick check to make sure the tunnel is up, even when running with tun.disabled. This is still gated by allowing `icmp` packets in the inbound firewall rules. 2021-03-02 00:09:41 +08:00			`}`
Don't use a global logger (#423) 2021-03-26 22:46:30 +08:00			`} else if t.l.Level >= logrus.DebugLevel {`
			`t.l.WithField("raw", prettyPacket(b)).Debugf("Disabled tun received unexpected payload")`
tun_disabled: reply to ICMP Echo Request (#342) This change allows a server running with `tun.disabled: true` (usually a lighthouse) to still reply to ICMP EchoRequest packets. This allows you to "ping" the lighthouse Nebula IP as a quick check to make sure the tunnel is up, even when running with tun.disabled. This is still gated by allowing `icmp` packets in the inbound firewall rules. 2021-03-02 00:09:41 +08:00			`}`
Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user. 2020-08-10 21:15:55 +08:00			`return len(b), nil`
			`}`

Proper multiqueue support for tun devices (#382) This change is for Linux only. Previously, when running with multiple tun.routines, we would only have one file descriptor. This change instead sets IFF_MULTI_QUEUE and opens a file descriptor for each routine. This allows us to process with multiple threads while preventing out of order packet reception issues. To attempt to distribute the flows across the queues, we try to write to the tun/UDP queue that corresponds with the one we read from. So if we read a packet from tun queue "2", we will write the outgoing encrypted packet to UDP queue "2". Because of the nature of how multi queue works with flows, a given host tunnel will be sticky to a given routine (so if you try to performance benchmark by only using one tunnel between two hosts, you are only going to be using a max of one thread for each direction). Because this system works much better when we can correlate flows between the tun and udp routines, we are deprecating the undocumented "tun.routines" and "listen.routines" parameters and introducing a new "routines" parameter that sets the value for both. If you use the old undocumented parameters, the max of the values will be used and a warning logged. Co-authored-by: Nate Brown <nbrown.us@gmail.com> 2021-02-26 04:01:14 +08:00			`func (t *disabledTun) NewMultiQueueReader() (io.ReadWriteCloser, error) {`
			`return t, nil`
			`}`

Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user. 2020-08-10 21:15:55 +08:00			`func (t *disabledTun) Close() error {`
tun_disabled: reply to ICMP Echo Request (#342) This change allows a server running with `tun.disabled: true` (usually a lighthouse) to still reply to ICMP EchoRequest packets. This allows you to "ping" the lighthouse Nebula IP as a quick check to make sure the tunnel is up, even when running with tun.disabled. This is still gated by allowing `icmp` packets in the inbound firewall rules. 2021-03-02 00:09:41 +08:00			`if t.read != nil {`
			`close(t.read)`
			`t.read = nil`
Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user. 2020-08-10 21:15:55 +08:00			`}`
			`return nil`
			`}`

			`type prettyPacket []byte`

			`func (p prettyPacket) String() string {`
			`var s strings.Builder`

			`for i, b := range p {`
			`if i > 0 && i%8 == 0 {`
			`s.WriteString(" ")`
			`}`
			`s.WriteString(fmt.Sprintf("%02x ", b))`
			`}`

			`return s.String()`
			`}`