personal_interest_mirrors/nebula
1
0
Fork 0
mirror of https://github.com/slackhq/nebula.git synced 2026-04-01 05:45:19 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

it works again but linux is pickier than I thought, I need to refactor even more

Browse Source
This commit is contained in:
JackDoan
2026-02-17 15:15:10 -06:00
parent 7498c6846d
commit 37abdd7f96
2 changed files with 20 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
firewall.go
View File

@@ -356,7 +356,9 @@ func (f *Firewall) GetRuleHashes() string {
func (f *Firewall) SetSNATAddressFromInterface(i *Interface) { func (f *Firewall) SetSNATAddressFromInterface(i *Interface) {
//address-mutation-avoidance is done inside Interface, the firewall doesn't need to care //address-mutation-avoidance is done inside Interface, the firewall doesn't need to care
//todo should snatted conntracks get expired out? Probably not needed until if/when we allow reload //todo should snatted conntracks get expired out? Probably not needed until if/when we allow reload
f.snatAddr = i.inside.SNATAddress().Addr() if f.hasUnsafeNetworks { //todo this logic???
f.snatAddr = i.inside.SNATAddress().Addr()
}
} }
func (f *Firewall) ShouldUnSNAT(fp *firewall.Packet) bool { func (f *Firewall) ShouldUnSNAT(fp *firewall.Packet) bool {

23
overlay/tun_linux.go
View File

@@ -329,7 +329,7 @@ func (t *tun) addIPs(link netlink.Link) error {
} }
} }
if t.snatAddr.IsValid() && len(t.vpnNetworks) > 0 { //TODO unsafe-routers should be able to snat and be snatted if t.snatAddr.IsValid() && len(t.unsafeNetworks) == 0 { //TODO unsafe-routers should be able to snat and be snatted
newAddrs = append(newAddrs, &netlink.Addr{ newAddrs = append(newAddrs, &netlink.Addr{
IPNet: &net.IPNet{ IPNet: &net.IPNet{
IP: t.snatAddr.Addr().AsSlice(), IP: t.snatAddr.Addr().AsSlice(),
@@ -431,11 +431,11 @@ func (t *tun) Activate() error {
} }
} }
//TODO snat and be snatted //TODO snat and be snatted
//if t.snatAddr.IsValid() { if t.snatAddr.IsValid() && len(t.unsafeNetworks) == 0 {
// if err = t.setDefaultRoute(t.snatAddr); err != nil { if err = t.setDefaultRoute(t.snatAddr); err != nil {
// return fmt.Errorf("failed to set default route MTU for %s: %w", t.snatAddr, err) return fmt.Errorf("failed to set default route MTU for %s: %w", t.snatAddr, err)
// } }
//} }
// Set the routes // Set the routes
if err = t.addRoutes(false); err != nil { if err = t.addRoutes(false); err != nil {
@@ -448,6 +448,14 @@ func (t *tun) Activate() error {
return fmt.Errorf("failed to run tun device: %s", err) return fmt.Errorf("failed to run tun device: %s", err)
} }
//todo hmmmmmm
if len(t.unsafeNetworks) != 0 {
err = os.WriteFile(fmt.Sprintf("/proc/sys/net/ipv4/conf/%s/accept_local", t.Device), []byte("1"), os.FileMode(0o644))
if err != nil {
return err
}
}
return nil return nil
} }
@@ -556,6 +564,9 @@ func (t *tun) addRoutes(logErrors bool) error {
} }
} }
if len(t.unsafeNetworks) == 0 {
return nil
}
return t.setSnatRoute() return t.setSnatRoute()
} }