Always disconnect block listed hosts (#858)

2025-11-22 08:24:25 +01:00 · 2023-05-04 16:09:42 -05:00
parent 5fe8f45d05
commit 702e1c59bd
4 changed files with 22 additions and 14 deletions
--- a/connection_manager.go
+++ b/connection_manager.go
@@ -8,6 +8,7 @@ import (

 	"github.com/rcrowley/go-metrics"
 	"github.com/sirupsen/logrus"
+	"github.com/slackhq/nebula/cert"
 	"github.com/slackhq/nebula/header"
 	"github.com/slackhq/nebula/iputil"
 	"github.com/slackhq/nebula/udp"
@@ -419,12 +420,9 @@ func (n *connectionManager) swapPrimary(current, primary *HostInfo) {
 }

 // isInvalidCertificate will check if we should destroy a tunnel if pki.disconnect_invalid is true and
-// the certificate is no longer valid
+// the certificate is no longer valid. Block listed certificates will skip the pki.disconnect_invalid
+// check and return true.
 func (n *connectionManager) isInvalidCertificate(now time.Time, hostinfo *HostInfo) bool {
-	if !n.intf.disconnectInvalid {
-		return false
-	}
-
 	remoteCert := hostinfo.GetCert()
 	if remoteCert == nil {
 		return false
@@ -435,6 +433,11 @@ func (n *connectionManager) isInvalidCertificate(now time.Time, hostinfo *HostIn
 		return false
 	}

+	if !n.intf.disconnectInvalid && err != cert.ErrBlockListed {
+		// Block listed certificates should always be disconnected
+		return false
+	}
+
 	fingerprint, _ := remoteCert.Sha256Sum()
 	hostinfo.logger(n.l).WithError(err).
 		WithField("fingerprint", fingerprint).