personal_interest_mirrors/nebula
1
0
Fork 0
mirror of https://github.com/slackhq/nebula.git synced 2026-04-01 08:05:18 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Review nits

Browse Source
This commit is contained in:
Nate Brown
2026-02-27 17:49:31 -06:00
parent 7655a10108
commit 037459ef73
1 changed files with 12 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
firewall.go
View File

@@ -23,9 +23,14 @@ import (
"github.com/slackhq/nebula/firewall" "github.com/slackhq/nebula/firewall"
) )
var ErrCannotSNAT = errors.New("cannot snat this packet") var ErrCannotSNAT = errors.New("cannot SNAT this packet")
var ErrSNATIdentityMismatch = errors.New("refusing to SNAT for mismatched host") var ErrSNATIdentityMismatch = errors.New("refusing to SNAT for mismatched host")
const ipv4SourcePosition = 12
const ipv4DestinationPosition = 16
const sourcePortOffset = 0
const destinationPortOffset = 2
type FirewallInterface interface { type FirewallInterface interface {
AddRule(incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr string, caName string, caSha string) error AddRule(incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr string, caName string, caSha string) error
} }
@@ -459,7 +464,7 @@ func (f *Firewall) unSnat(data []byte, fp *firewall.Packet) netip.Addr {
return netip.Addr{} return netip.Addr{}
} }
oldIP := netip.AddrPortFrom(f.snatAddr, fp.RemotePort) oldIP := netip.AddrPortFrom(f.snatAddr, fp.RemotePort)
rewritePacket(data, fp, oldIP, c.snat.Src, 16, 2) rewritePacket(data, fp, oldIP, c.snat.Src, ipv4DestinationPosition, destinationPortOffset)
return c.snat.SrcVpnIp return c.snat.SrcVpnIp
} }
@@ -496,6 +501,7 @@ func (f *Firewall) findUsableSNATPort(fp *firewall.Packet, c *conn) error {
if !ok { if !ok {
//yay, we can use this port //yay, we can use this port
//track the snatted flow with the same expiration as the unsnatted version //track the snatted flow with the same expiration as the unsnatted version
c.snat.SnatPort = fp.RemotePort
conntrack.Conns[*fp] = c conntrack.Conns[*fp] = c
return nil return nil
} }
@@ -538,13 +544,12 @@ func (f *Firewall) applySnat(data []byte, fp *firewall.Packet, c *conn, hostinfo
c.snat = nil c.snat = nil
return err return err
} }
c.snat.SnatPort = fp.RemotePort //may have been updated inside f.findUsableSNATPort
} else { } else {
return ErrCannotSNAT return ErrCannotSNAT
} }
newIP := netip.AddrPortFrom(f.snatAddr, c.snat.SnatPort) newIP := netip.AddrPortFrom(f.snatAddr, c.snat.SnatPort)
rewritePacket(data, fp, c.snat.Src, newIP, 12, 0) rewritePacket(data, fp, c.snat.Src, newIP, ipv4SourcePosition, sourcePortOffset)
return nil return nil
} }
@@ -695,18 +700,9 @@ func (f *Firewall) EmitStats() {
} }
func (f *Firewall) peek(fp firewall.Packet) *conn { func (f *Firewall) peek(fp firewall.Packet) *conn {
conntrack := f.Conntrack f.Conntrack.Lock()
conntrack.Lock() c := f.Conntrack.Conns[fp]
f.Conntrack.Unlock()
// Purge every time we test
ep, has := conntrack.TimerWheel.Purge()
if has {
f.evict(ep)
}
c := conntrack.Conns[fp]
conntrack.Unlock()
return c return c
} }