add listen.send_recv_error config option (#670)

By default, Nebula replies to packets it has no tunnel for with a `recv_error` packet. This packet helps speed up re-connection in the case that Nebula on either side did not shut down cleanly. This response can be abused as a way to discover if Nebula is running on a host though. This option lets you configure if you want to send `recv_error` packets always, never, or only to private network remotes. valid values: always, never, private This setting is reloadable with SIGHUP.
2026-02-15 17:24:23 +01:00 · 2022-06-27 12:37:54 -04:00
parent 85ec807b7e
commit 7b9287709c
5 changed files with 83 additions and 1 deletions
--- a/outside.go
+++ b/outside.go
@@ -273,7 +273,7 @@ func (f *Interface) handleEncrypted(ci *ConnectionState, addr *udp.Addr, h *head
 	// Else, send recv errors for 300 seconds after a restart to allow fast reconnection.
 	if ci == nil || !ci.window.Check(f.l, h.MessageCounter) {
 		if addr != nil {
-			f.sendRecvError(addr, h.RemoteIndex)
+			f.maybeSendRecvError(addr, h.RemoteIndex)
 			return false
 		} else {
 			return false
@@ -402,6 +402,12 @@ func (f *Interface) decryptToTun(hostinfo *HostInfo, messageCounter uint64, out
 	}
 }

+func (f *Interface) maybeSendRecvError(endpoint *udp.Addr, index uint32) {
+	if f.sendRecvErrorConfig.ShouldSendRecvError(endpoint.IP) {
+		f.sendRecvError(endpoint, index)
+	}
+}
+
 func (f *Interface) sendRecvError(endpoint *udp.Addr, index uint32) {
 	f.messageMetrics.Tx(header.RecvError, 0, 1)