personal_interest_mirrors/nebula
1
0
Fork 0
mirror of https://github.com/slackhq/nebula.git synced 2025-11-12 17:03:58 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

honor remote_allow_ilst in hole punch response

Browse Source 
When we receive a "hole punch notification" from a Lighthouse, we send
a hole punch packet to every remote of that host, even if we don't
include those remotes in our "remote_allow_list". Change the logic here
to check if the remote IP is in our allow list before sending the hole
punch packet.
This commit is contained in:
Wade Simmons 2024-07-23 11:13:52 -04:00
parent e6009b8491
commit 1170ff1477
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lighthouse.go
View File

@ -1125,12 +1125,18 @@ func (lhh *LightHouseHandler) handleHostPunchNotification(n *NebulaMeta, vpnIp i
}
}
remoteVpnIp := iputil.VpnIp(n.Details.VpnIp)
remoteAllowList := lhh.lh.GetRemoteAllowList()
for _, a := range n.Details.Ip4AndPorts {
punch(NewUDPAddrFromLH4(a))
if remoteAllowList.AllowIpV4(remoteVpnIp, iputil.VpnIp(a.Ip)) {
punch(NewUDPAddrFromLH4(a))
}
}
for _, a := range n.Details.Ip6AndPorts {
punch(NewUDPAddrFromLH6(a))
if remoteAllowList.AllowIpV6(remoteVpnIp, a.Hi, a.Lo) {
punch(NewUDPAddrFromLH6(a))
}
}
// This sends a nebula test packet to the host trying to contact us. In the case