JackDoan
e7f01390a3
broken chkpt
2025-11-13 12:02:25 -06:00
JackDoan
c645a45438
what about with bad GRO on UDP
2025-11-13 12:02:25 -06:00
JackDoan
42591c2042
this is awful, but also it's about 20% better
2025-11-13 12:02:25 -06:00
JackDoan
1f043f84f3
not sure if switching to this epoll actually helped
2025-11-13 12:02:25 -06:00
JackDoan
987f45baf0
yeah
2025-11-13 12:02:25 -06:00
JackDoan
edff19a05b
yeah
2025-11-13 12:02:25 -06:00
JackDoan
e0f93c9d4b
yeah
2025-11-13 12:02:25 -06:00
JackDoan
aab3333615
move things I'm gclog-ing to the bottom
2025-11-13 12:02:25 -06:00
JackDoan
ea1a9e5785
pull deps in for optimization, maybe slice back out later
2025-11-13 12:02:25 -06:00
JackDoan
1a51ee7884
it works I guess
2025-11-13 12:02:25 -06:00
JackDoan
9b29a3fe14
christ
2025-11-13 12:02:25 -06:00
JackDoan
e7176bca01
tx is good?
2025-11-13 12:02:25 -06:00
JackDoan
e3be0943fd
checkpt
2025-11-13 12:02:24 -06:00
JackDoan
6e22bfeeb1
vhost
2025-11-13 12:01:59 -06:00
Nate Brown
45c1d3eab3
Support for multi proto tun device on OpenBSD ( #1495 )
2025-10-08 16:56:42 -05:00
Nate Brown
eb89839d13
Support for multi proto tun device on NetBSD ( #1492 )
2025-10-07 20:17:50 -05:00
Nate Brown
fb7f0c3657
Use x/net/route to manage routes directly ( #1488 )
2025-10-03 10:59:53 -05:00
sl274
b1f53d8d25
Support IPv6 tunneling in FreeBSD ( #1399 )
...
Recent merge of cert-v2 support introduced the ability to tunnel IPv6. However, FreeBSD's IPv6 tunneling does not work for 2 reasons:
* The ifconfig commands did not work for IPv6 addresses
* The tunnel device was not configured for link-layer mode, so it only supported IPv4
This PR improves FreeBSD tunneling support in 3 ways:
* Use ioctl instead of exec'ing ifconfig to configure the interface, with additional logic to support IPv6
* Configure the tunnel in link-layer mode, allowing IPv6 traffic
* Use readv() and writev() to communicate with the tunnel device, to avoid the need to copy the packet buffer
2025-10-02 21:54:30 -05:00
Jack Doan
65cc253c19
prevent linux from assigning ipv6 link-local addresses ( #1476 )
2025-09-09 13:25:23 -05:00
Jack Doan
768325c9b4
cert-v2 chores ( #1466 )
2025-09-05 15:08:22 -05:00
Wade Simmons
5cff83b282
netlink: ignore route updates with no destination ( #1437 )
...
Currently we assume each route update must have a destination, but we
should check that it is set before we try to use it.
See: #1436
2025-08-25 13:05:35 -05:00
Andriyanov Nikita
e5ce8966d6
add netlink options ( #1326 )
...
* add netlink options
* force use buffer
* fix namings and add config examples
* fix linter
2025-04-21 13:44:33 -04:00
Wade Simmons
36bc9dd261
fix parseUnsafeRoutes for yaml.v3 ( #1371 )
...
We switched to yaml.v3 with #1148 , but missed this spot that was still
casting into `map[any]any` when yaml.v3 makes it `map[string]any`. Also
clean up a few more `interface{}` that were added as we changed them all
to `any` with #1148 .
2025-04-01 09:49:26 -04:00
Wade Simmons
879852c32a
upgrade to yaml.v3 ( #1148 )
...
* upgrade to yaml.v3
The main nice fix here is that maps unmarshal into `map[string]any`
instead of `map[any]any`, so it cleans things up a bit.
* add config.AsBool
Since yaml.v3 doesn't automatically convert yes to bool now, for
backwards compat
* use type aliases for m
* more cleanup
* more cleanup
* more cleanup
* go mod cleanup
2025-03-31 16:08:34 -04:00
dioss-Machiel
f86953ca56
Implement ECMP for unsafe_routes ( #1332 )
2025-03-24 17:15:59 -05:00
Caleb Jasik
088af8edb2
Enable running testifylint in CI ( #1350 )
2025-03-10 17:38:14 -05:00
Caleb Jasik
612637f529
Fix testifylint lint errors ( #1321 )
...
* Fix bool-compare
* Fix empty
* Fix encoded-compare
* Fix error-is-as
* Fix error-nil
* Fix expected-actual
* Fix len
2025-03-10 10:18:34 -04:00
Nate Brown
d97ed57a19
V2 certificate format ( #1216 )
...
Co-authored-by: Nate Brown <nbrown.us@gmail.com>
Co-authored-by: Jack Doan <jackdoan@rivian.com>
Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com>
Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
Nate Brown
e264a0ff88
Switch most everything to netip in prep for ipv6 in the overlay ( #1173 )
2024-07-31 10:18:56 -05:00
John Maguire
b5c3486796
Push Docker images as part of the release workflow ( #1037 )
2024-05-02 09:37:11 -04:00
Nate Brown
bbb15f8cb1
Unsafe route reload ( #1083 )
2024-03-28 15:17:28 -05:00
John Maguire
af2fc48378
Fix mobile builds ( #1035 )
2023-12-06 16:18:21 -05:00
Tristan Rice
1083279a45
add gvisor based service library ( #965 )
...
* add service/ library
2023-11-21 11:50:18 -05:00
Nate Brown
5181cb0474
Use generics for CIDRTrees to avoid casting issues ( #1004 )
2023-11-02 17:05:08 -05:00
Nate Brown
5fccbb8676
Retry wintun creation ( #985 )
2023-10-16 10:06:43 -05:00
Nate Brown
0bffa76b5e
Build for openbsd ( #812 )
2023-07-27 14:27:35 -05:00
c0repwn3r
03e70210a5
Add support for NetBSD ( #916 )
2023-07-27 13:44:47 -05:00
Nate Brown
9c6592b159
Guard e2e udp and tun channels when closed ( #934 )
2023-07-26 12:52:14 -05:00
John Maguire
8ba5d64dbc
Add support for naming FreeBSD tun devices ( #903 )
2023-06-22 12:13:31 -04:00
Nate Brown
a9cb2e06f4
Add ability to respect the system route table for unsafe route on linux ( #839 )
2023-05-09 10:36:55 -05:00
Nate Brown
397fe5f879
Add ability to skip installing unsafe routes on the os routing table ( #831 )
2023-04-10 12:32:37 -05:00
brad-defined
2801fb2286
Fix relay ( #827 )
...
Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2023-03-30 11:09:20 -05:00
Wade Simmons
6e0ae4f9a3
firewall: add option to send REJECT replies ( #738 )
...
* firewall: add option to send REJECT replies
This change allows you to configure the firewall to send REJECT packets
when a packet is denied.
    firewall:
      # Action to take when a packet is not allowed by the firewall rules.
      # Can be one of:
      #   `drop` (default): silently drop the packet.
      #   `reject`: send a reject reply.
      #     - For TCP, this will be a RST "Connection Reset" packet.
      #     - For other protocols, this will be an ICMP port unreachable packet.
      outbound_action: drop
      inbound_action: drop
These packets are only sent to established tunnels, and only on the
overlay network (currently IPv4 only).
    $ ping -c1 192.168.100.3
    PING 192.168.100.3 (192.168.100.3) 56(84) bytes of data.
    From 192.168.100.3 icmp_seq=2 Destination Port Unreachable
    --- 192.168.100.3 ping statistics ---
    2 packets transmitted, 0 received, +1 errors, 100% packet loss, time 31ms
    $ nc -nzv 192.168.100.3 22
    (UNKNOWN) [192.168.100.3] 22 (?) : Connection refused
This change also modifies the smoke test to capture tcpdump pcaps from
both the inside and outside to inspect what is going on over the wire.
It also now does TCP and UDP packet tests using the Nmap version of
ncat.
* calculate seq and ack the same way as the kernel
The logic is a bit confusing, so we copy it straight from how the kernel
does iptables `--reject-with tcp-reset`:
- https://github.com/torvalds/linux/blob/v5.19/net/ipv4/netfilter/nf_reject_ipv4.c#L193-L221
* cleanup
2023-03-13 15:08:40 -04:00
Nate Brown
92cc32f844
Remove handshake race avoidance ( #820 )
...
Co-authored-by: Wade Simmons <wadey@slack-corp.com>
2023-03-13 12:35:14 -05:00
John Maguire
85f5849d0b
Fix a hang when shutting down Android ( #772 )
2022-11-11 10:18:43 -06:00
Nate Brown
feb3e1317f
Add a simple benchmark to e2e tests ( #739 )
2022-09-01 09:44:58 -05:00
Nate Brown
b1eeb5f3b8
Support unsafe_routes on mobile again ( #729 )
2022-08-05 09:58:10 -05:00
Nate Brown
0d1ee4214a
Add relay e2e tests and output some mermaid sequence diagrams ( #691 )
2022-06-27 12:33:29 -05:00
Wade Simmons
45d1d2b6c6
Update dependencies - 2022-04 ( #664 )
...
Updated github.com/kardianos/service https://github.com/kardianos/service/compare/v1.2.0...v1.2.1
Updated github.com/miekg/dns https://github.com/miekg/dns/compare/v1.1.43...v1.1.48
Updated github.com/prometheus/client_golang https://github.com/prometheus/client_golang/compare/v1.11.0...v1.12.1
Updated github.com/prometheus/common https://github.com/prometheus/common/compare/v0.32.1...v0.33.0
Updated github.com/stretchr/testify https://github.com/stretchr/testify/compare/v1.7.0...v1.7.1
Updated golang.org/x/crypto 5770296d90...ae2d96664a
Updated golang.org/x/net 69e39bad7d...749bd193bc
Updated golang.org/x/sys 7861aae155...289d7a0edf
Updated golang.zx2c4.com/wireguard/windows v0.5.1...v0.5.3
Updated google.golang.org/protobuf v1.27.1...v1.28.0
2022-04-18 12:12:25 -04:00
Nate Brown
bbe0a032bb
Fix windows unsafe_routes regression ( #648 )
2022-03-09 13:23:29 -06:00