Fix testify lint errors

.github/workflows/gofmt.yml

@@ -18,7 +18,7 @@ jobs:
 
     - uses: actions/setup-go@v5
       with:
-        go-version: '1.24'
+        go-version: '1.23'
         check-latest: true
 
     - name: Install goimports

.github/workflows/release.yml

@@ -14,7 +14,7 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version: '1.23'
           check-latest: true
 
       - name: Build
@@ -37,7 +37,7 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version: '1.23'
           check-latest: true
 
       - name: Build
@@ -70,12 +70,12 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version: '1.23'
           check-latest: true
 
       - name: Import certificates
         if: env.HAS_SIGNING_CREDS == 'true'
-        uses: Apple-Actions/import-codesign-certs@v5
+        uses: Apple-Actions/import-codesign-certs@v3
         with:
           p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
           p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}

.github/workflows/smoke.yml

@@ -22,7 +22,7 @@ jobs:
 
     - uses: actions/setup-go@v5
       with:
-        go-version: '1.24'
+        go-version: '1.23'
         check-latest: true
 
     - name: build

.github/workflows/test.yml

@@ -22,7 +22,7 @@ jobs:
 
     - uses: actions/setup-go@v5
       with:
-        go-version: '1.24'
+        go-version: '1.23'
         check-latest: true
 
     - name: Build
@@ -32,9 +32,9 @@ jobs:
       run: make vet
 
     - name: golangci-lint
-      uses: golangci/golangci-lint-action@v7
+      uses: golangci/golangci-lint-action@v6
       with:
-        version: v2.0
+        version: v1.64
 
     - name: Test
       run: make test
@@ -60,7 +60,7 @@ jobs:
 
     - uses: actions/setup-go@v5
       with:
-        go-version: '1.24'
+        go-version: '1.23'
         check-latest: true
 
     - name: Build
@@ -102,7 +102,7 @@ jobs:
 
     - uses: actions/setup-go@v5
       with:
-        go-version: '1.24'
+        go-version: '1.23'
         check-latest: true
 
     - name: Build nebula
@@ -115,9 +115,9 @@ jobs:
       run: make vet
 
     - name: golangci-lint
-      uses: golangci/golangci-lint-action@v7
+      uses: golangci/golangci-lint-action@v6
       with:
-        version: v2.0
+        version: v1.64
 
     - name: Test
       run: make test

.golangci.yaml

@@ -1,23 +1,9 @@
-version: "2"
+# yaml-language-server: $schema=https://golangci-lint.run/jsonschema/golangci.jsonschema.json
 linters:
-  default: none
+  # Disable all linters.
+  # Default: false
+  disable-all: true
+  # Enable specific linter
+  # https://golangci-lint.run/usage/linters/#enabled-by-default
   enable:
     - testifylint
-  exclusions:
-    generated: lax
-    presets:
-      - comments
-      - common-false-positives
-      - legacy
-      - std-error-handling
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
-formatters:
-  exclusions:
-    generated: lax
-    paths:
-      - third_party$
-      - builtin$
-      - examples$

CHANGELOG.md

@@ -7,13 +7,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-### Changed
-
-- `default_local_cidr_any` now defaults to false, meaning that any firewall rule
-  intended to target an `unsafe_routes` entry must explicitly declare it via the
-  `local_cidr` field. This is almost always the intended behavior. This flag is
-  deprecated and will be removed in a future release.
-
 ## [1.9.4] - 2024-09-09
 
 ### Added

allow_list.go

@@ -36,7 +36,7 @@ type AllowListNameRule struct {
 
 func NewLocalAllowListFromConfig(c *config.C, k string) (*LocalAllowList, error) {
 	var nameRules []AllowListNameRule
-	handleKey := func(key string, value any) (bool, error) {
+	handleKey := func(key string, value interface{}) (bool, error) {
 		if key == "interfaces" {
 			var err error
 			nameRules, err = getAllowListInterfaces(k, value)
@@ -70,7 +70,7 @@ func NewRemoteAllowListFromConfig(c *config.C, k, rangesKey string) (*RemoteAllo
 
 // If the handleKey func returns true, the rest of the parsing is skipped
 // for this key. This allows parsing of special values like `interfaces`.
-func newAllowListFromConfig(c *config.C, k string, handleKey func(key string, value any) (bool, error)) (*AllowList, error) {
+func newAllowListFromConfig(c *config.C, k string, handleKey func(key string, value interface{}) (bool, error)) (*AllowList, error) {
 	r := c.Get(k)
 	if r == nil {
 		return nil, nil
@@ -81,8 +81,8 @@ func newAllowListFromConfig(c *config.C, k string, handleKey func(key string, va
 
 // If the handleKey func returns true, the rest of the parsing is skipped
 // for this key. This allows parsing of special values like `interfaces`.
-func newAllowList(k string, raw any, handleKey func(key string, value any) (bool, error)) (*AllowList, error) {
+func newAllowList(k string, raw interface{}, handleKey func(key string, value interface{}) (bool, error)) (*AllowList, error) {
-	rawMap, ok := raw.(map[string]any)
+	rawMap, ok := raw.(map[interface{}]interface{})
 	if !ok {
 		return nil, fmt.Errorf("config `%s` has invalid type: %T", k, raw)
 	}
@@ -100,7 +100,12 @@ func newAllowList(k string, raw any, handleKey func(key string, value any) (bool
 	rules4 := allowListRules{firstValue: true, allValuesMatch: true, defaultSet: false}
 	rules6 := allowListRules{firstValue: true, allValuesMatch: true, defaultSet: false}
 
-	for rawCIDR, rawValue := range rawMap {
+	for rawKey, rawValue := range rawMap {
+		rawCIDR, ok := rawKey.(string)
+		if !ok {
+			return nil, fmt.Errorf("config `%s` has invalid key (type %T): %v", k, rawKey, rawKey)
+		}
+
 		if handleKey != nil {
 			handled, err := handleKey(rawCIDR, rawValue)
 			if err != nil {
@@ -111,7 +116,7 @@ func newAllowList(k string, raw any, handleKey func(key string, value any) (bool
 			}
 		}
 
-		value, ok := config.AsBool(rawValue)
+		value, ok := rawValue.(bool)
 		if !ok {
 			return nil, fmt.Errorf("config `%s` has invalid value (type %T): %v", k, rawValue, rawValue)
 		}
@@ -168,18 +173,22 @@ func newAllowList(k string, raw any, handleKey func(key string, value any) (bool
 	return &AllowList{cidrTree: tree}, nil
 }
 
-func getAllowListInterfaces(k string, v any) ([]AllowListNameRule, error) {
+func getAllowListInterfaces(k string, v interface{}) ([]AllowListNameRule, error) {
 	var nameRules []AllowListNameRule
 
-	rawRules, ok := v.(map[string]any)
+	rawRules, ok := v.(map[interface{}]interface{})
 	if !ok {
 		return nil, fmt.Errorf("config `%s.interfaces` is invalid (type %T): %v", k, v, v)
 	}
 
 	firstEntry := true
 	var allValues bool
-	for name, rawAllow := range rawRules {
+	for rawName, rawAllow := range rawRules {
-		allow, ok := config.AsBool(rawAllow)
+		name, ok := rawName.(string)
+		if !ok {
+			return nil, fmt.Errorf("config `%s.interfaces` has invalid key (type %T): %v", k, rawName, rawName)
+		}
+		allow, ok := rawAllow.(bool)
 		if !ok {
 			return nil, fmt.Errorf("config `%s.interfaces` has invalid value (type %T): %v", k, rawAllow, rawAllow)
 		}
@@ -215,11 +224,16 @@ func getRemoteAllowRanges(c *config.C, k string) (*bart.Table[*AllowList], error
 
 	remoteAllowRanges := new(bart.Table[*AllowList])
 
-	rawMap, ok := value.(map[string]any)
+	rawMap, ok := value.(map[interface{}]interface{})
 	if !ok {
 		return nil, fmt.Errorf("config `%s` has invalid type: %T", k, value)
 	}
-	for rawCIDR, rawValue := range rawMap {
+	for rawKey, rawValue := range rawMap {
+		rawCIDR, ok := rawKey.(string)
+		if !ok {
+			return nil, fmt.Errorf("config `%s` has invalid key (type %T): %v", k, rawKey, rawKey)
+		}
+
 		allowList, err := newAllowList(fmt.Sprintf("%s.%s", k, rawCIDR), rawValue, nil)
 		if err != nil {
 			return nil, err

allow_list_test.go

@@ -15,37 +15,37 @@ import (
 func TestNewAllowListFromConfig(t *testing.T) {
 	l := test.NewLogger()
 	c := config.NewC(l)
-	c.Settings["allowlist"] = map[string]any{
+	c.Settings["allowlist"] = map[interface{}]interface{}{
 		"192.168.0.0": true,
 	}
 	r, err := newAllowListFromConfig(c, "allowlist", nil)
 	require.EqualError(t, err, "config `allowlist` has invalid CIDR: 192.168.0.0. netip.ParsePrefix(\"192.168.0.0\"): no '/'")
 	assert.Nil(t, r)
 
-	c.Settings["allowlist"] = map[string]any{
+	c.Settings["allowlist"] = map[interface{}]interface{}{
 		"192.168.0.0/16": "abc",
 	}
-	_, err = newAllowListFromConfig(c, "allowlist", nil)
+	r, err = newAllowListFromConfig(c, "allowlist", nil)
 	require.EqualError(t, err, "config `allowlist` has invalid value (type string): abc")
 
-	c.Settings["allowlist"] = map[string]any{
+	c.Settings["allowlist"] = map[interface{}]interface{}{
 		"192.168.0.0/16": true,
 		"10.0.0.0/8":     false,
 	}
-	_, err = newAllowListFromConfig(c, "allowlist", nil)
+	r, err = newAllowListFromConfig(c, "allowlist", nil)
 	require.EqualError(t, err, "config `allowlist` contains both true and false rules, but no default set for 0.0.0.0/0")
 
-	c.Settings["allowlist"] = map[string]any{
+	c.Settings["allowlist"] = map[interface{}]interface{}{
 		"0.0.0.0/0":      true,
 		"10.0.0.0/8":     false,
 		"10.42.42.0/24":  true,
 		"fd00::/8":       true,
 		"fd00:fd00::/16": false,
 	}
-	_, err = newAllowListFromConfig(c, "allowlist", nil)
+	r, err = newAllowListFromConfig(c, "allowlist", nil)
 	require.EqualError(t, err, "config `allowlist` contains both true and false rules, but no default set for ::/0")
 
-	c.Settings["allowlist"] = map[string]any{
+	c.Settings["allowlist"] = map[interface{}]interface{}{
 		"0.0.0.0/0":     true,
 		"10.0.0.0/8":    false,
 		"10.42.42.0/24": true,
@@ -55,7 +55,7 @@ func TestNewAllowListFromConfig(t *testing.T) {
 		assert.NotNil(t, r)
 	}
 
-	c.Settings["allowlist"] = map[string]any{
+	c.Settings["allowlist"] = map[interface{}]interface{}{
 		"0.0.0.0/0":      true,
 		"10.0.0.0/8":     false,
 		"10.42.42.0/24":  true,
@@ -70,29 +70,29 @@ func TestNewAllowListFromConfig(t *testing.T) {
 
 	// Test interface names
 
-	c.Settings["allowlist"] = map[string]any{
+	c.Settings["allowlist"] = map[interface{}]interface{}{
-		"interfaces": map[string]any{
+		"interfaces": map[interface{}]interface{}{
 			`docker.*`: "foo",
 		},
 	}
-	_, err = NewLocalAllowListFromConfig(c, "allowlist")
+	lr, err := NewLocalAllowListFromConfig(c, "allowlist")
 	require.EqualError(t, err, "config `allowlist.interfaces` has invalid value (type string): foo")
 
-	c.Settings["allowlist"] = map[string]any{
+	c.Settings["allowlist"] = map[interface{}]interface{}{
-		"interfaces": map[string]any{
+		"interfaces": map[interface{}]interface{}{
 			`docker.*`: false,
 			`eth.*`:    true,
 		},
 	}
-	_, err = NewLocalAllowListFromConfig(c, "allowlist")
+	lr, err = NewLocalAllowListFromConfig(c, "allowlist")
 	require.EqualError(t, err, "config `allowlist.interfaces` values must all be the same true/false value")
 
-	c.Settings["allowlist"] = map[string]any{
+	c.Settings["allowlist"] = map[interface{}]interface{}{
-		"interfaces": map[string]any{
+		"interfaces": map[interface{}]interface{}{
 			`docker.*`: false,
 		},
 	}
-	lr, err := NewLocalAllowListFromConfig(c, "allowlist")
+	lr, err = NewLocalAllowListFromConfig(c, "allowlist")
 	if assert.NoError(t, err) {
 		assert.NotNil(t, lr)
 	}

bits.go

@@ -18,7 +18,7 @@ type Bits struct {
 func NewBits(bits uint64) *Bits {
 	return &Bits{
 		length:             bits,
-		bits:               make([]bool, bits),
+		bits:               make([]bool, bits, bits),
 		current:            0,
 		lostCounter:        metrics.GetOrRegisterCounter("network.packets.lost", nil),
 		dupeCounter:        metrics.GetOrRegisterCounter("network.packets.duplicate", nil),
@@ -28,7 +28,7 @@ func NewBits(bits uint64) *Bits {
 
 func (b *Bits) Check(l logrus.FieldLogger, i uint64) bool {
 	// If i is the next number, return true.
-	if i > b.current || (i == 0 && !b.firstSeen && b.current < b.length) {
+	if i > b.current || (i == 0 && b.firstSeen == false && b.current < b.length) {
 		return true
 	}
 
@@ -51,7 +51,7 @@ func (b *Bits) Update(l *logrus.Logger, i uint64) bool {
 	// If i is the next number, return true and update current.
 	if i == b.current+1 {
 		// Report missed packets, we can only understand what was missed after the first window has been gone through
-		if i > b.length && !b.bits[i%b.length] {
+		if i > b.length && b.bits[i%b.length] == false {
 			b.lostCounter.Inc(1)
 		}
 		b.bits[i%b.length] = true
@@ -104,7 +104,7 @@ func (b *Bits) Update(l *logrus.Logger, i uint64) bool {
 	}
 
 	// Allow for the 0 packet to come in within the first window
-	if i == 0 && !b.firstSeen && b.current < b.length {
+	if i == 0 && b.firstSeen == false && b.current < b.length {
 		b.firstSeen = true
 		b.bits[i%b.length] = true
 		return true
@@ -122,7 +122,7 @@ func (b *Bits) Update(l *logrus.Logger, i uint64) bool {
 			return false
 		}
 
-		if b.bits[i%b.length] {
+		if b.bits[i%b.length] == true {
 			if l.Level >= logrus.DebugLevel {
 				l.WithField("receiveWindow", m{"accepted": false, "currentCounter": b.current, "incomingCounter": i, "reason": "old duplicate"}).
 					Debug("Receive window")

cert/cert_v1.go

@@ -20,6 +20,8 @@ import (
 	"google.golang.org/protobuf/proto"
 )
 
+const publicKeyLen = 32
+
 type certificateV1 struct {
 	details   detailsV1
 	signature []byte
@@ -39,7 +41,7 @@ type detailsV1 struct {
 	curve Curve
 }
 
-type m = map[string]any
+type m map[string]interface{}
 
 func (c *certificateV1) Version() Version {
 	return Version1

cert/cert_v2_test.go

@@ -113,14 +113,14 @@ func TestCertificateV2_MarshalJSON(t *testing.T) {
 		signature: []byte("1234567890abcedf1234567890abcedf1234567890abcedf1234567890abcedf"),
 	}
 
-	_, err := nc.MarshalJSON()
+	b, err := nc.MarshalJSON()
 	require.ErrorIs(t, err, ErrMissingDetails)
 
 	rd, err := nc.details.Marshal()
 	require.NoError(t, err)
 
 	nc.rawDetails = rd
-	b, err := nc.MarshalJSON()
+	b, err = nc.MarshalJSON()
 	require.NoError(t, err)
 	assert.JSONEq(
 		t,
@@ -174,9 +174,8 @@ func TestCertificateV2_VerifyPrivateKey(t *testing.T) {
 	require.ErrorIs(t, err, ErrInvalidPrivateKey)
 
 	c, _, priv, _ = NewTestCert(Version2, Curve_P256, ca2, caKey2, "test", time.Time{}, time.Time{}, nil, nil, nil)
-	_, _, curve, err = UnmarshalPrivateKeyFromPEM(priv)
+	rawPriv, b, curve, err = UnmarshalPrivateKeyFromPEM(priv)
-	assert.Equal(t, err, nil)
+
-	assert.Equal(t, curve, Curve_P256)
 	err = c.VerifyPrivateKey(Curve_P256, priv[:16])
 	require.ErrorIs(t, err, ErrInvalidPrivateKey)
 
@@ -262,7 +261,6 @@ func TestCertificateV2_marshalForSigningStability(t *testing.T) {
 	assert.Equal(t, expectedRawDetails, db)
 
 	expectedForSigning, err := hex.DecodeString(expectedRawDetailsStr + "00313233343536373839306162636564666768696a313233343536373839306162")
-	require.NoError(t, err)
 	b, err := nc.marshalForSigning()
 	require.NoError(t, err)
 	assert.Equal(t, expectedForSigning, b)

cert/crypto.go

@@ -227,9 +227,6 @@ func UnmarshalNebulaEncryptedData(b []byte) (*NebulaEncryptedData, error) {
 }
 
 func unmarshalArgon2Parameters(params *RawNebulaArgon2Parameters) (*Argon2Parameters, error) {
-	// Are we testing the compilers types here?
-	// No value of int32 is lewss than math.MinInt32.
-	// By definition these checks can never be true.
 	if params.Version < math.MinInt32 || params.Version > math.MaxInt32 {
 		return nil, fmt.Errorf("Argon2Parameters Version must be at least %d and no more than %d", math.MinInt32, math.MaxInt32)
 	}

cert/crypto_test.go

@@ -10,14 +10,14 @@ import (
 
 func TestNewArgon2Parameters(t *testing.T) {
 	p := NewArgon2Parameters(64*1024, 4, 3)
-	assert.Equal(t, &Argon2Parameters{
+	assert.EqualValues(t, &Argon2Parameters{
 		version:     argon2.Version,
 		Memory:      64 * 1024,
 		Parallelism: 4,
 		Iterations:  3,
 	}, p)
 	p = NewArgon2Parameters(2*1024*1024, 2, 1)
-	assert.Equal(t, &Argon2Parameters{
+	assert.EqualValues(t, &Argon2Parameters{
 		version:     argon2.Version,
 		Memory:      2 * 1024 * 1024,
 		Parallelism: 2,
@@ -72,14 +72,12 @@ qrlJ69wer3ZUHFXA
 	require.EqualError(t, err, "key was not 64 bytes, is invalid ed25519 private key")
 	assert.Nil(t, k)
 	assert.Equal(t, rest, appendByteSlices(invalidBanner, invalidPem))
-	assert.Equal(t, curve, Curve_CURVE25519)
 
 	// Fail due to invalid banner
 	curve, k, rest, err = DecryptAndUnmarshalSigningPrivateKey(passphrase, rest)
 	require.EqualError(t, err, "bytes did not contain a proper nebula encrypted Ed25519/ECDSA private key banner")
 	assert.Nil(t, k)
 	assert.Equal(t, rest, invalidPem)
-	assert.Equal(t, curve, Curve_CURVE25519)
 
 	// Fail due to ivalid PEM format, because
 	// it's missing the requisite pre-encapsulation boundary.
@@ -87,14 +85,12 @@ qrlJ69wer3ZUHFXA
 	require.EqualError(t, err, "input did not contain a valid PEM encoded block")
 	assert.Nil(t, k)
 	assert.Equal(t, rest, invalidPem)
-	assert.Equal(t, curve, Curve_CURVE25519)
 
 	// Fail due to invalid passphrase
 	curve, k, rest, err = DecryptAndUnmarshalSigningPrivateKey([]byte("invalid passphrase"), privKey)
 	require.EqualError(t, err, "invalid passphrase or corrupt private key")
 	assert.Nil(t, k)
 	assert.Equal(t, []byte{}, rest)
-	assert.Equal(t, curve, Curve_CURVE25519)
 }
 
 func TestEncryptAndMarshalSigningPrivateKey(t *testing.T) {

cert/helper_test.go

@@ -21,9 +21,6 @@ func NewTestCaCert(version Version, curve Curve, before, after time.Time, networ
 	switch curve {
 	case Curve_CURVE25519:
 		pub, priv, err = ed25519.GenerateKey(rand.Reader)
-		if err != nil {
-			panic(err)
-		}
 	case Curve_P256:
 		privk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 		if err != nil {

cert/pem_test.go

@@ -97,14 +97,12 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 	// Fail due to short key
 	k, rest, curve, err = UnmarshalSigningPrivateKeyFromPEM(rest)
 	assert.Nil(t, k)
-	assert.Equal(t, Curve_CURVE25519, curve)
 	assert.Equal(t, rest, appendByteSlices(invalidBanner, invalidPem))
 	require.EqualError(t, err, "key was not 64 bytes, is invalid Ed25519 private key")
 
 	// Fail due to invalid banner
 	k, rest, curve, err = UnmarshalSigningPrivateKeyFromPEM(rest)
 	assert.Nil(t, k)
-	assert.Equal(t, Curve_CURVE25519, curve)
 	assert.Equal(t, rest, invalidPem)
 	require.EqualError(t, err, "bytes did not contain a proper Ed25519/ECDSA private key banner")
 
@@ -112,7 +110,6 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 	// it's missing the requisite pre-encapsulation boundary.
 	k, rest, curve, err = UnmarshalSigningPrivateKeyFromPEM(rest)
 	assert.Nil(t, k)
-	assert.Equal(t, Curve_CURVE25519, curve)
 	assert.Equal(t, rest, invalidPem)
 	require.EqualError(t, err, "input did not contain a valid PEM encoded block")
 }
@@ -162,14 +159,12 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
 	// Fail due to short key
 	k, rest, curve, err = UnmarshalPrivateKeyFromPEM(rest)
 	assert.Nil(t, k)
-	assert.Equal(t, Curve_CURVE25519, curve)
 	assert.Equal(t, rest, appendByteSlices(invalidBanner, invalidPem))
 	require.EqualError(t, err, "key was not 32 bytes, is invalid CURVE25519 private key")
 
 	// Fail due to invalid banner
 	k, rest, curve, err = UnmarshalPrivateKeyFromPEM(rest)
 	assert.Nil(t, k)
-	assert.Equal(t, Curve_CURVE25519, curve)
 	assert.Equal(t, rest, invalidPem)
 	require.EqualError(t, err, "bytes did not contain a proper private key banner")
 
@@ -177,7 +172,6 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
 	// it's missing the requisite pre-encapsulation boundary.
 	k, rest, curve, err = UnmarshalPrivateKeyFromPEM(rest)
 	assert.Nil(t, k)
-	assert.Equal(t, Curve_CURVE25519, curve)
 	assert.Equal(t, rest, invalidPem)
 	require.EqualError(t, err, "input did not contain a valid PEM encoded block")
 }
@@ -281,14 +275,12 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
 	// Fail due to short key
 	k, rest, curve, err = UnmarshalPublicKeyFromPEM(rest)
 	assert.Nil(t, k)
-	assert.Equal(t, Curve_CURVE25519, curve)
 	assert.Equal(t, rest, appendByteSlices(invalidBanner, invalidPem))
 	require.EqualError(t, err, "key was not 32 bytes, is invalid CURVE25519 public key")
 
 	// Fail due to invalid banner
 	k, rest, curve, err = UnmarshalPublicKeyFromPEM(rest)
 	assert.Nil(t, k)
-	assert.Equal(t, Curve_CURVE25519, curve)
 	require.EqualError(t, err, "bytes did not contain a proper public key banner")
 	assert.Equal(t, rest, invalidPem)
 
@@ -296,7 +288,6 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
 	// it's missing the requisite pre-encapsulation boundary.
 	k, rest, curve, err = UnmarshalPublicKeyFromPEM(rest)
 	assert.Nil(t, k)
-	assert.Equal(t, Curve_CURVE25519, curve)
 	assert.Equal(t, rest, invalidPem)
 	require.EqualError(t, err, "input did not contain a valid PEM encoded block")
 }

cert/sign_test.go

@@ -37,7 +37,6 @@ func TestCertificateV1_Sign(t *testing.T) {
 	}
 
 	pub, priv, err := ed25519.GenerateKey(rand.Reader)
-	require.NoError(t, err)
 	c, err := tbs.Sign(&certificateV1{details: detailsV1{notBefore: before, notAfter: after}}, Curve_CURVE25519, priv)
 	require.NoError(t, err)
 	assert.NotNil(t, c)

cert_test/cert.go

@@ -22,9 +22,6 @@ func NewTestCaCert(version cert.Version, curve cert.Curve, before, after time.Ti
 	switch curve {
 	case cert.Curve_CURVE25519:
 		pub, priv, err = ed25519.GenerateKey(rand.Reader)
-		if err != nil {
-			panic(err)
-		}
 	case cert.Curve_P256:
 		privk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 		if err != nil {

cmd/nebula-cert/ca.go

@@ -81,7 +81,7 @@ func parseArgonParameters(memory uint, parallelism uint, iterations uint) (*cert
 	return cert.NewArgon2Parameters(uint32(memory), uint8(parallelism), uint32(iterations)), nil
 }
 
-func ca(args []string, out io.Writer, _ io.Writer, pr PasswordReader) error {
+func ca(args []string, out io.Writer, errOut io.Writer, pr PasswordReader) error {
 	cf := newCaFlags()
 	err := cf.set.Parse(args)
 	if err != nil {

cmd/nebula-cert/ca_test.go

@@ -90,26 +90,26 @@ func Test_ca(t *testing.T) {
 	assertHelpError(t, ca(
 		[]string{"-version", "1", "-out-key", "nope", "-out-crt", "nope", "duration", "100m"}, ob, eb, nopw,
 	), "-name is required")
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// ipv4 only ips
 	assertHelpError(t, ca([]string{"-version", "1", "-name", "ipv6", "-ips", "100::100/100"}, ob, eb, nopw), "invalid -networks definition: v1 certificates can only be ipv4, have 100::100/100")
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// ipv4 only subnets
 	assertHelpError(t, ca([]string{"-version", "1", "-name", "ipv6", "-subnets", "100::100/100"}, ob, eb, nopw), "invalid -unsafe-networks definition: v1 certificates can only be ipv4, have 100::100/100")
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// failed key write
 	ob.Reset()
 	eb.Reset()
 	args := []string{"-version", "1", "-name", "test", "-duration", "100m", "-out-crt", "/do/not/write/pleasecrt", "-out-key", "/do/not/write/pleasekey"}
 	require.EqualError(t, ca(args, ob, eb, nopw), "error while writing out-key: open /do/not/write/pleasekey: "+NoSuchDirError)
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// create temp key file
 	keyF, err := os.CreateTemp("", "test.key")
@@ -121,8 +121,8 @@ func Test_ca(t *testing.T) {
 	eb.Reset()
 	args = []string{"-version", "1", "-name", "test", "-duration", "100m", "-out-crt", "/do/not/write/pleasecrt", "-out-key", keyF.Name()}
 	require.EqualError(t, ca(args, ob, eb, nopw), "error while writing out-crt: open /do/not/write/pleasecrt: "+NoSuchDirError)
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// create temp cert file
 	crtF, err := os.CreateTemp("", "test.crt")
@@ -135,8 +135,8 @@ func Test_ca(t *testing.T) {
 	eb.Reset()
 	args = []string{"-version", "1", "-name", "test", "-duration", "100m", "-groups", "1,,   2    ,        ,,,3,4,5", "-out-crt", crtF.Name(), "-out-key", keyF.Name()}
 	require.NoError(t, ca(args, ob, eb, nopw))
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// read cert and key files
 	rb, _ := os.ReadFile(keyF.Name())
@@ -158,7 +158,7 @@ func Test_ca(t *testing.T) {
 	assert.Empty(t, lCrt.UnsafeNetworks())
 	assert.Len(t, lCrt.PublicKey(), 32)
 	assert.Equal(t, time.Duration(time.Minute*100), lCrt.NotAfter().Sub(lCrt.NotBefore()))
-	assert.Empty(t, lCrt.Issuer())
+	assert.Equal(t, "", lCrt.Issuer())
 	assert.True(t, lCrt.CheckSignature(lCrt.PublicKey()))
 
 	// test encrypted key
@@ -169,7 +169,7 @@ func Test_ca(t *testing.T) {
 	args = []string{"-version", "1", "-encrypt", "-name", "test", "-duration", "100m", "-groups", "1,2,3,4,5", "-out-crt", crtF.Name(), "-out-key", keyF.Name()}
 	require.NoError(t, ca(args, ob, eb, testpw))
 	assert.Equal(t, pwPromptOb, ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// read encrypted key file and verify default params
 	rb, _ = os.ReadFile(keyF.Name())
@@ -197,7 +197,7 @@ func Test_ca(t *testing.T) {
 	args = []string{"-version", "1", "-encrypt", "-name", "test", "-duration", "100m", "-groups", "1,2,3,4,5", "-out-crt", crtF.Name(), "-out-key", keyF.Name()}
 	require.Error(t, ca(args, ob, eb, errpw))
 	assert.Equal(t, pwPromptOb, ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// test when user fails to enter a password
 	os.Remove(keyF.Name())
@@ -207,7 +207,7 @@ func Test_ca(t *testing.T) {
 	args = []string{"-version", "1", "-encrypt", "-name", "test", "-duration", "100m", "-groups", "1,2,3,4,5", "-out-crt", crtF.Name(), "-out-key", keyF.Name()}
 	require.EqualError(t, ca(args, ob, eb, nopw), "no passphrase specified, remove -encrypt flag to write out-key in plaintext")
 	assert.Equal(t, strings.Repeat(pwPromptOb, 5), ob.String()) // prompts 5 times before giving up
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// create valid cert/key for overwrite tests
 	os.Remove(keyF.Name())
@@ -222,8 +222,8 @@ func Test_ca(t *testing.T) {
 	eb.Reset()
 	args = []string{"-version", "1", "-name", "test", "-duration", "100m", "-groups", "1,,   2    ,        ,,,3,4,5", "-out-crt", crtF.Name(), "-out-key", keyF.Name()}
 	require.EqualError(t, ca(args, ob, eb, nopw), "refusing to overwrite existing CA key: "+keyF.Name())
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// test that we won't overwrite existing key file
 	os.Remove(keyF.Name())
@@ -231,8 +231,8 @@ func Test_ca(t *testing.T) {
 	eb.Reset()
 	args = []string{"-version", "1", "-name", "test", "-duration", "100m", "-groups", "1,,   2    ,        ,,,3,4,5", "-out-crt", crtF.Name(), "-out-key", keyF.Name()}
 	require.EqualError(t, ca(args, ob, eb, nopw), "refusing to overwrite existing CA cert: "+crtF.Name())
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 	os.Remove(keyF.Name())
 
 }

cmd/nebula-cert/keygen.go

@@ -29,7 +29,7 @@ func newKeygenFlags() *keygenFlags {
 	return &cf
 }
 
-func keygen(args []string, _ io.Writer, _ io.Writer) error {
+func keygen(args []string, out io.Writer, errOut io.Writer) error {
 	cf := newKeygenFlags()
 	err := cf.set.Parse(args)
 	if err != nil {

cmd/nebula-cert/keygen_test.go

@@ -37,20 +37,20 @@ func Test_keygen(t *testing.T) {
 
 	// required args
 	assertHelpError(t, keygen([]string{"-out-pub", "nope"}, ob, eb), "-out-key is required")
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	assertHelpError(t, keygen([]string{"-out-key", "nope"}, ob, eb), "-out-pub is required")
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// failed key write
 	ob.Reset()
 	eb.Reset()
 	args := []string{"-out-pub", "/do/not/write/pleasepub", "-out-key", "/do/not/write/pleasekey"}
 	require.EqualError(t, keygen(args, ob, eb), "error while writing out-key: open /do/not/write/pleasekey: "+NoSuchDirError)
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// create temp key file
 	keyF, err := os.CreateTemp("", "test.key")
@@ -62,8 +62,8 @@ func Test_keygen(t *testing.T) {
 	eb.Reset()
 	args = []string{"-out-pub", "/do/not/write/pleasepub", "-out-key", keyF.Name()}
 	require.EqualError(t, keygen(args, ob, eb), "error while writing out-pub: open /do/not/write/pleasepub: "+NoSuchDirError)
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// create temp pub file
 	pubF, err := os.CreateTemp("", "test.pub")
@@ -75,8 +75,8 @@ func Test_keygen(t *testing.T) {
 	eb.Reset()
 	args = []string{"-out-pub", pubF.Name(), "-out-key", keyF.Name()}
 	require.NoError(t, keygen(args, ob, eb))
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// read cert and key files
 	rb, _ := os.ReadFile(keyF.Name())

cmd/nebula-cert/main.go

@@ -17,7 +17,7 @@ func (he *helpError) Error() string {
 	return he.s
 }
 
-func newHelpErrorf(s string, v ...any) error {
+func newHelpErrorf(s string, v ...interface{}) error {
 	return &helpError{s: fmt.Sprintf(s, v...)}
 }
 

cmd/nebula-cert/main_test.go

@@ -3,6 +3,7 @@ package main
 import (
 	"bytes"
 	"errors"
+	"fmt"
 	"io"
 	"os"
 	"testing"
@@ -76,7 +77,7 @@ func assertHelpError(t *testing.T, err error, msg string) {
 	case *helpError:
 		// good
 	default:
-		t.Fatalf("err was not a helpError: %q, expected %q", err, msg)
+		t.Fatal(fmt.Sprintf("err was not a helpError: %q, expected %q", err, msg))
 	}
 
 	require.EqualError(t, err, msg)

cmd/nebula-cert/p11_stub.go

@@ -10,7 +10,7 @@ func p11Supported() bool {
 	return false
 }
 
-func p11Flag(_ *flag.FlagSet) *string {
+func p11Flag(set *flag.FlagSet) *string {
 	var ret = ""
 	return &ret
 }

cmd/nebula-cert/print.go

@@ -1,12 +1,12 @@
 package main
 
 import (
-	"bytes"
 	"encoding/json"
 	"flag"
 	"fmt"
 	"io"
 	"os"
+	"strings"
 
 	"github.com/skip2/go-qrcode"
 	"github.com/slackhq/nebula/cert"
@@ -29,7 +29,7 @@ func newPrintFlags() *printFlags {
 	return &pf
 }
 
-func printCert(args []string, out io.Writer, _ io.Writer) error {
+func printCert(args []string, out io.Writer, errOut io.Writer) error {
 	pf := newPrintFlags()
 	err := pf.set.Parse(args)
 	if err != nil {
@@ -72,7 +72,7 @@ func printCert(args []string, out io.Writer, _ io.Writer) error {
 			qrBytes = append(qrBytes, b...)
 		}
 
-		if len(rawCert) == 0 || len(bytes.TrimSpace(rawCert)) == 0 {
+		if rawCert == nil || len(rawCert) == 0 || strings.TrimSpace(string(rawCert)) == "" {
 			break
 		}
 

cmd/nebula-cert/print_test.go

@@ -43,16 +43,16 @@ func Test_printCert(t *testing.T) {
 
 	// no path
 	err := printCert([]string{}, ob, eb)
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 	assertHelpError(t, err, "-path is required")
 
 	// no cert at path
 	ob.Reset()
 	eb.Reset()
 	err = printCert([]string{"-path", "does_not_exist"}, ob, eb)
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 	require.EqualError(t, err, "unable to read cert; open does_not_exist: "+NoSuchFileError)
 
 	// invalid cert at path
@@ -64,8 +64,8 @@ func Test_printCert(t *testing.T) {
 
 	tf.WriteString("-----BEGIN NOPE-----")
 	err = printCert([]string{"-path", tf.Name()}, ob, eb)
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 	require.EqualError(t, err, "error while unmarshaling cert: input did not contain a valid PEM encoded block")
 
 	// test multiple certs
@@ -155,7 +155,7 @@ func Test_printCert(t *testing.T) {
 `,
 		ob.String(),
 	)
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// test json
 	ob.Reset()
@@ -177,7 +177,7 @@ func Test_printCert(t *testing.T) {
 `,
 		ob.String(),
 	)
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 }
 
 // NewTestCaCert will generate a CA cert

cmd/nebula-cert/verify.go

@@ -1,12 +1,12 @@
 package main
 
 import (
-	"bytes"
 	"errors"
 	"flag"
 	"fmt"
 	"io"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/slackhq/nebula/cert"
@@ -52,7 +52,7 @@ func verify(args []string, out io.Writer, errOut io.Writer) error {
 			return fmt.Errorf("error while adding ca cert to pool: %w", err)
 		}
 
-		if len(rawCACert) == 0 || len(bytes.TrimSpace(rawCACert)) == 0 {
+		if rawCACert == nil || len(rawCACert) == 0 || strings.TrimSpace(string(rawCACert)) == "" {
 			break
 		}
 	}

cmd/nebula-cert/verify_test.go

@@ -38,19 +38,19 @@ func Test_verify(t *testing.T) {
 
 	// required args
 	assertHelpError(t, verify([]string{"-ca", "derp"}, ob, eb), "-crt is required")
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	assertHelpError(t, verify([]string{"-crt", "derp"}, ob, eb), "-ca is required")
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 
 	// no ca at path
 	ob.Reset()
 	eb.Reset()
 	err := verify([]string{"-ca", "does_not_exist", "-crt", "does_not_exist"}, ob, eb)
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 	require.EqualError(t, err, "error while reading ca: open does_not_exist: "+NoSuchFileError)
 
 	// invalid ca at path
@@ -62,8 +62,8 @@ func Test_verify(t *testing.T) {
 
 	caFile.WriteString("-----BEGIN NOPE-----")
 	err = verify([]string{"-ca", caFile.Name(), "-crt", "does_not_exist"}, ob, eb)
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 	require.EqualError(t, err, "error while adding ca cert to pool: input did not contain a valid PEM encoded block")
 
 	// make a ca for later
@@ -76,8 +76,8 @@ func Test_verify(t *testing.T) {
 
 	// no crt at path
 	err = verify([]string{"-ca", caFile.Name(), "-crt", "does_not_exist"}, ob, eb)
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 	require.EqualError(t, err, "unable to read crt: open does_not_exist: "+NoSuchFileError)
 
 	// invalid crt at path
@@ -89,15 +89,15 @@ func Test_verify(t *testing.T) {
 
 	certFile.WriteString("-----BEGIN NOPE-----")
 	err = verify([]string{"-ca", caFile.Name(), "-crt", certFile.Name()}, ob, eb)
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 	require.EqualError(t, err, "error while parsing crt: input did not contain a valid PEM encoded block")
 
 	// unverifiable cert at path
 	crt, _ := NewTestCert(ca, caPriv, "test-cert", time.Now().Add(time.Hour*-1), time.Now().Add(time.Hour), nil, nil, nil)
 	// Slightly evil hack to modify the certificate after it was sealed to generate an invalid signature
 	pub := crt.PublicKey()
-	for i := range pub {
+	for i, _ := range pub {
 		pub[i] = 0
 	}
 	b, _ = crt.MarshalPEM()
@@ -106,8 +106,8 @@ func Test_verify(t *testing.T) {
 	certFile.Write(b)
 
 	err = verify([]string{"-ca", caFile.Name(), "-crt", certFile.Name()}, ob, eb)
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 	require.ErrorIs(t, err, cert.ErrSignatureMismatch)
 
 	// verified cert at path
@@ -118,7 +118,7 @@ func Test_verify(t *testing.T) {
 	certFile.Write(b)
 
 	err = verify([]string{"-ca", caFile.Name(), "-crt", certFile.Name()}, ob, eb)
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
-	assert.Empty(t, eb.String())
+	assert.Equal(t, "", eb.String())
 	require.NoError(t, err)
 }

cmd/nebula-service/service.go

@@ -51,7 +51,10 @@ func (p *program) Stop(s service.Service) error {
 
 func fileExists(filename string) bool {
 	_, err := os.Stat(filename)
-	return !os.IsNotExist(err)
+	if os.IsNotExist(err) {
+		return false
+	}
+	return true
 }
 
 func doService(configPath *string, configTest *bool, build string, serviceFlag *string) {

config/config.go

@@ -17,14 +17,14 @@ import (
 
 	"dario.cat/mergo"
 	"github.com/sirupsen/logrus"
-	"gopkg.in/yaml.v3"
+	"gopkg.in/yaml.v2"
 )
 
 type C struct {
 	path        string
 	files       []string
-	Settings    map[string]any
+	Settings    map[interface{}]interface{}
-	oldSettings map[string]any
+	oldSettings map[interface{}]interface{}
 	callbacks   []func(*C)
 	l           *logrus.Logger
 	reloadLock  sync.Mutex
@@ -32,7 +32,7 @@ type C struct {
 
 func NewC(l *logrus.Logger) *C {
 	return &C{
-		Settings: make(map[string]any),
+		Settings: make(map[interface{}]interface{}),
 		l:        l,
 	}
 }
@@ -63,7 +63,7 @@ func (c *C) Load(path string) error {
 
 func (c *C) LoadString(raw string) error {
 	if raw == "" {
-		return errors.New("empty configuration")
+		return errors.New("Empty configuration")
 	}
 	return c.parseRaw([]byte(raw))
 }
@@ -92,8 +92,8 @@ func (c *C) HasChanged(k string) bool {
 	}
 
 	var (
-		nv any
+		nv interface{}
-		ov any
+		ov interface{}
 	)
 
 	if k == "" {
@@ -147,7 +147,7 @@ func (c *C) ReloadConfig() {
 	c.reloadLock.Lock()
 	defer c.reloadLock.Unlock()
 
-	c.oldSettings = make(map[string]any)
+	c.oldSettings = make(map[interface{}]interface{})
 	for k, v := range c.Settings {
 		c.oldSettings[k] = v
 	}
@@ -167,7 +167,7 @@ func (c *C) ReloadConfigString(raw string) error {
 	c.reloadLock.Lock()
 	defer c.reloadLock.Unlock()
 
-	c.oldSettings = make(map[string]any)
+	c.oldSettings = make(map[interface{}]interface{})
 	for k, v := range c.Settings {
 		c.oldSettings[k] = v
 	}
@@ -201,7 +201,7 @@ func (c *C) GetStringSlice(k string, d []string) []string {
 		return d
 	}
 
-	rv, ok := r.([]any)
+	rv, ok := r.([]interface{})
 	if !ok {
 		return d
 	}
@@ -215,13 +215,13 @@ func (c *C) GetStringSlice(k string, d []string) []string {
 }
 
 // GetMap will get the map for k or return the default d if not found or invalid
-func (c *C) GetMap(k string, d map[string]any) map[string]any {
+func (c *C) GetMap(k string, d map[interface{}]interface{}) map[interface{}]interface{} {
 	r := c.Get(k)
 	if r == nil {
 		return d
 	}
 
-	v, ok := r.(map[string]any)
+	v, ok := r.(map[interface{}]interface{})
 	if !ok {
 		return d
 	}
@@ -243,7 +243,7 @@ func (c *C) GetInt(k string, d int) int {
 // GetUint32 will get the uint32 for k or return the default d if not found or invalid
 func (c *C) GetUint32(k string, d uint32) uint32 {
 	r := c.GetInt(k, int(d))
-	if r < 0 || uint64(r) > uint64(math.MaxUint32) {
+	if uint64(r) > uint64(math.MaxUint32) {
 		return d
 	}
 	return uint32(r)
@@ -266,22 +266,6 @@ func (c *C) GetBool(k string, d bool) bool {
 	return v
 }
 
-func AsBool(v any) (value bool, ok bool) {
-	switch x := v.(type) {
-	case bool:
-		return x, true
-	case string:
-		switch x {
-		case "y", "yes":
-			return true, true
-		case "n", "no":
-			return false, true
-		}
-	}
-
-	return false, false
-}
-
 // GetDuration will get the duration for k or return the default d if not found or invalid
 func (c *C) GetDuration(k string, d time.Duration) time.Duration {
 	r := c.GetString(k, "")
@@ -292,7 +276,7 @@ func (c *C) GetDuration(k string, d time.Duration) time.Duration {
 	return v
 }
 
-func (c *C) Get(k string) any {
+func (c *C) Get(k string) interface{} {
 	return c.get(k, c.Settings)
 }
 
@@ -300,10 +284,10 @@ func (c *C) IsSet(k string) bool {
 	return c.get(k, c.Settings) != nil
 }
 
-func (c *C) get(k string, v any) any {
+func (c *C) get(k string, v interface{}) interface{} {
 	parts := strings.Split(k, ".")
 	for _, p := range parts {
-		m, ok := v.(map[string]any)
+		m, ok := v.(map[interface{}]interface{})
 		if !ok {
 			return nil
 		}
@@ -362,7 +346,7 @@ func (c *C) addFile(path string, direct bool) error {
 }
 
 func (c *C) parseRaw(b []byte) error {
-	var m map[string]any
+	var m map[interface{}]interface{}
 
 	err := yaml.Unmarshal(b, &m)
 	if err != nil {
@@ -374,7 +358,7 @@ func (c *C) parseRaw(b []byte) error {
 }
 
 func (c *C) parse() error {
-	var m map[string]any
+	var m map[interface{}]interface{}
 
 	for _, path := range c.files {
 		b, err := os.ReadFile(path)
@@ -382,7 +366,7 @@ func (c *C) parse() error {
 			return err
 		}
 
-		var nm map[string]any
+		var nm map[interface{}]interface{}
 		err = yaml.Unmarshal(b, &nm)
 		if err != nil {
 			return err

config/config_test.go

@@ -10,7 +10,7 @@ import (
 	"github.com/slackhq/nebula/test"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/yaml.v3"
+	"gopkg.in/yaml.v2"
 )
 
 func TestConfig_Load(t *testing.T) {
@@ -19,7 +19,7 @@ func TestConfig_Load(t *testing.T) {
 	// invalid yaml
 	c := NewC(l)
 	os.WriteFile(filepath.Join(dir, "01.yaml"), []byte(" invalid yaml"), 0644)
-	require.EqualError(t, c.Load(dir), "yaml: unmarshal errors:\n  line 1: cannot unmarshal !!str `invalid...` into map[string]interface {}")
+	require.EqualError(t, c.Load(dir), "yaml: unmarshal errors:\n  line 1: cannot unmarshal !!str `invalid...` into map[interface {}]interface {}")
 
 	// simple multi config merge
 	c = NewC(l)
@@ -31,8 +31,8 @@ func TestConfig_Load(t *testing.T) {
 	os.WriteFile(filepath.Join(dir, "01.yaml"), []byte("outer:\n  inner: hi"), 0644)
 	os.WriteFile(filepath.Join(dir, "02.yml"), []byte("outer:\n  inner: override\nnew: hi"), 0644)
 	require.NoError(t, c.Load(dir))
-	expected := map[string]any{
+	expected := map[interface{}]interface{}{
-		"outer": map[string]any{
+		"outer": map[interface{}]interface{}{
 			"inner": "override",
 		},
 		"new": "hi",
@@ -44,12 +44,12 @@ func TestConfig_Get(t *testing.T) {
 	l := test.NewLogger()
 	// test simple type
 	c := NewC(l)
-	c.Settings["firewall"] = map[string]any{"outbound": "hi"}
+	c.Settings["firewall"] = map[interface{}]interface{}{"outbound": "hi"}
 	assert.Equal(t, "hi", c.Get("firewall.outbound"))
 
 	// test complex type
-	inner := []map[string]any{{"port": "1", "code": "2"}}
+	inner := []map[interface{}]interface{}{{"port": "1", "code": "2"}}
-	c.Settings["firewall"] = map[string]any{"outbound": inner}
+	c.Settings["firewall"] = map[interface{}]interface{}{"outbound": inner}
 	assert.EqualValues(t, inner, c.Get("firewall.outbound"))
 
 	// test missing
@@ -59,7 +59,7 @@ func TestConfig_Get(t *testing.T) {
 func TestConfig_GetStringSlice(t *testing.T) {
 	l := test.NewLogger()
 	c := NewC(l)
-	c.Settings["slice"] = []any{"one", "two"}
+	c.Settings["slice"] = []interface{}{"one", "two"}
 	assert.Equal(t, []string{"one", "two"}, c.GetStringSlice("slice", []string{}))
 }
 
@@ -101,14 +101,14 @@ func TestConfig_HasChanged(t *testing.T) {
 	// Test key change
 	c = NewC(l)
 	c.Settings["test"] = "hi"
-	c.oldSettings = map[string]any{"test": "no"}
+	c.oldSettings = map[interface{}]interface{}{"test": "no"}
 	assert.True(t, c.HasChanged("test"))
 	assert.True(t, c.HasChanged(""))
 
 	// No key change
 	c = NewC(l)
 	c.Settings["test"] = "hi"
-	c.oldSettings = map[string]any{"test": "hi"}
+	c.oldSettings = map[interface{}]interface{}{"test": "hi"}
 	assert.False(t, c.HasChanged("test"))
 	assert.False(t, c.HasChanged(""))
 }
@@ -184,11 +184,11 @@ firewall:
 `),
 	}
 
-	var m map[string]any
+	var m map[any]any
 
 	// merge the same way config.parse() merges
 	for _, b := range configs {
-		var nm map[string]any
+		var nm map[any]any
 		err := yaml.Unmarshal(b, &nm)
 		require.NoError(t, err)
 
@@ -205,15 +205,15 @@ firewall:
 	t.Logf("Merged Config as YAML:\n%s", mYaml)
 
 	// If a bug is present, some items might be replaced instead of merged like we expect
-	expected := map[string]any{
+	expected := map[any]any{
-		"firewall": map[string]any{
+		"firewall": map[any]any{
 			"inbound": []any{
-				map[string]any{"host": "any", "port": "any", "proto": "icmp"},
+				map[any]any{"host": "any", "port": "any", "proto": "icmp"},
-				map[string]any{"groups": []any{"server"}, "port": 443, "proto": "tcp"},
+				map[any]any{"groups": []any{"server"}, "port": 443, "proto": "tcp"},
-				map[string]any{"groups": []any{"webapp"}, "port": 443, "proto": "tcp"}},
+				map[any]any{"groups": []any{"webapp"}, "port": 443, "proto": "tcp"}},
 			"outbound": []any{
-				map[string]any{"host": "any", "port": "any", "proto": "any"}}},
+				map[any]any{"host": "any", "port": "any", "proto": "any"}}},
-		"listen": map[string]any{
+		"listen": map[any]any{
 			"host": "0.0.0.0",
 			"port": 4242,
 		},

connection_manager.go

@@ -154,7 +154,7 @@ func (n *connectionManager) Run(ctx context.Context) {
 	defer clockSource.Stop()
 
 	p := []byte("")
-	nb := make([]byte, 12)
+	nb := make([]byte, 12, 12)
 	out := make([]byte, mtu)
 
 	for {
@@ -355,7 +355,7 @@ func (n *connectionManager) makeTrafficDecision(localIndex uint32, now time.Time
 			decision = tryRehandshake
 
 		} else {
-			if n.shouldSwapPrimary(hostinfo) {
+			if n.shouldSwapPrimary(hostinfo, primary) {
 				decision = swapPrimary
 			} else {
 				// migrate the relays to the primary, if in use.
@@ -384,7 +384,7 @@ func (n *connectionManager) makeTrafficDecision(localIndex uint32, now time.Time
 	}
 
 	decision := doNothing
-	if hostinfo.ConnectionState != nil && mainHostInfo {
+	if hostinfo != nil && hostinfo.ConnectionState != nil && mainHostInfo {
 		if !outTraffic {
 			// If we aren't sending or receiving traffic then its an unused tunnel and we don't to test the tunnel.
 			// Just maintain NAT state if configured to do so.
@@ -421,7 +421,7 @@ func (n *connectionManager) makeTrafficDecision(localIndex uint32, now time.Time
 	return decision, hostinfo, nil
 }
 
-func (n *connectionManager) shouldSwapPrimary(current *HostInfo) bool {
+func (n *connectionManager) shouldSwapPrimary(current, primary *HostInfo) bool {
 	// The primary tunnel is the most recent handshake to complete locally and should work entirely fine.
 	// If we are here then we have multiple tunnels for a host pair and neither side believes the same tunnel is primary.
 	// Let's sort this out.
@@ -498,7 +498,7 @@ func (n *connectionManager) tryRehandshake(hostinfo *HostInfo) {
 	cs := n.intf.pki.getCertState()
 	curCrt := hostinfo.ConnectionState.myCert
 	myCrt := cs.getCertificate(curCrt.Version())
-	if curCrt.Version() >= cs.initiatingVersion && bytes.Equal(curCrt.Signature(), myCrt.Signature()) {
+	if curCrt.Version() >= cs.defaultVersion && bytes.Equal(curCrt.Signature(), myCrt.Signature()) == true {
 		// The current tunnel is using the latest certificate and version, no need to rehandshake.
 		return
 	}

connection_manager_test.go

@@ -44,7 +44,7 @@ func Test_NewConnectionManagerTest(t *testing.T) {
 	hostMap.preferredRanges.Store(&preferredRanges)
 
 	cs := &CertState{
-		initiatingVersion: cert.Version1,
+		defaultVersion:   cert.Version1,
 		privateKey:       []byte{},
 		v1Cert:           &dummyCert{version: cert.Version1},
 		v1HandshakeBytes: []byte{},
@@ -69,7 +69,7 @@ func Test_NewConnectionManagerTest(t *testing.T) {
 	punchy := NewPunchyFromConfig(l, config.NewC(l))
 	nc := newConnectionManager(ctx, l, ifce, 5, 10, punchy)
 	p := []byte("")
-	nb := make([]byte, 12)
+	nb := make([]byte, 12, 12)
 	out := make([]byte, mtu)
 
 	// Add an ip we have established a connection w/ to hostmap
@@ -126,7 +126,7 @@ func Test_NewConnectionManagerTest2(t *testing.T) {
 	hostMap.preferredRanges.Store(&preferredRanges)
 
 	cs := &CertState{
-		initiatingVersion: cert.Version1,
+		defaultVersion:   cert.Version1,
 		privateKey:       []byte{},
 		v1Cert:           &dummyCert{version: cert.Version1},
 		v1HandshakeBytes: []byte{},
@@ -151,7 +151,7 @@ func Test_NewConnectionManagerTest2(t *testing.T) {
 	punchy := NewPunchyFromConfig(l, config.NewC(l))
 	nc := newConnectionManager(ctx, l, ifce, 5, 10, punchy)
 	p := []byte("")
-	nb := make([]byte, 12)
+	nb := make([]byte, 12, 12)
 	out := make([]byte, mtu)
 
 	// Add an ip we have established a connection w/ to hostmap
@@ -241,7 +241,7 @@ func Test_NewConnectionManagerTest_DisconnectInvalid(t *testing.T) {
 	require.NoError(t, err)
 
 	cachedPeerCert, err := ncp.VerifyCertificate(now.Add(time.Second), peerCert)
-	require.NoError(t, err)
+
 	cs := &CertState{
 		privateKey:       []byte{},
 		v1Cert:           &dummyCert{},

connection_state.go

@@ -27,7 +27,7 @@ type ConnectionState struct {
 	writeLock      sync.Mutex
 }
 
-func NewConnectionState(l *logrus.Logger, cs *CertState, crt cert.Certificate, initiator bool, pattern noise.HandshakePattern) (*ConnectionState, error) {
+func NewConnectionState(l *logrus.Logger, cs *CertState, crt cert.Certificate, initiator bool, pattern noise.HandshakePattern, psk []byte) (*ConnectionState, error) {
 	var dhFunc noise.DHFunc
 	switch crt.Curve() {
 	case cert.Curve_CURVE25519:
@@ -61,8 +61,7 @@ func NewConnectionState(l *logrus.Logger, cs *CertState, crt cert.Certificate, i
 		Pattern:               pattern,
 		Initiator:             initiator,
 		StaticKeypair:         static,
-		//NOTE: These should come from CertState (pki.go) when we finally implement it
+		PresharedKey:          psk,
-		PresharedKey:          []byte{},
 		PresharedKeyPlacement: 0,
 	})
 	if err != nil {

control.go

@@ -215,7 +215,7 @@ func (c *Control) CloseTunnel(vpnIp netip.Addr, localOnly bool) bool {
 			hostInfo.ConnectionState,
 			hostInfo,
 			[]byte{},
-			make([]byte, 12),
+			make([]byte, 12, 12),
 			make([]byte, mtu),
 		)
 	}
@@ -231,7 +231,7 @@ func (c *Control) CloseAllTunnels(excludeLighthouses bool) (closed int) {
 		if excludeLighthouses && c.f.lightHouse.IsAnyLighthouseAddr(h.vpnAddrs) {
 			return
 		}
-		c.f.send(header.CloseTunnel, 0, h.ConnectionState, h, []byte{}, make([]byte, 12), make([]byte, mtu))
+		c.f.send(header.CloseTunnel, 0, h.ConnectionState, h, []byte{}, make([]byte, 12, 12), make([]byte, mtu))
 		c.f.closeTunnel(h)
 
 		c.l.WithField("vpnAddrs", h.vpnAddrs).WithField("udpAddr", h.remote).
@@ -282,7 +282,9 @@ func copyHostInfo(h *HostInfo, preferredRanges []netip.Prefix) ControlHostInfo {
 		CurrentRemote:          h.remote,
 	}
 
-	copy(chi.VpnAddrs, h.vpnAddrs)
+	for i, a := range h.vpnAddrs {
+		chi.VpnAddrs[i] = a
+	}
 
 	if h.ConnectionState != nil {
 		chi.MessageCounter = h.ConnectionState.messageCounter.Load()

control_test.go

@@ -27,10 +27,12 @@ func TestControl_GetHostInfoByVpnIp(t *testing.T) {
 
 	ipNet := net.IPNet{
 		IP:   remote1.Addr().AsSlice(),
+		Mask: net.IPMask{255, 255, 255, 0},
 	}
 
 	ipNet2 := net.IPNet{
 		IP:   remote2.Addr().AsSlice(),
+		Mask: net.IPMask{255, 255, 255, 0},
 	}
 
 	remotes := NewRemoteList([]netip.Addr{netip.IPv4Unspecified()}, nil)
@@ -99,7 +101,7 @@ func TestControl_GetHostInfoByVpnIp(t *testing.T) {
 
 	// Make sure we don't have any unexpected fields
 	assertFields(t, []string{"VpnAddrs", "LocalIndex", "RemoteIndex", "RemoteAddrs", "Cert", "MessageCounter", "CurrentRemote", "CurrentRelaysToMe", "CurrentRelaysThroughMe"}, thi)
-	assert.Equal(t, &expectedInfo, thi)
+	assert.EqualValues(t, &expectedInfo, thi)
 	test.AssertDeepCopyEqual(t, &expectedInfo, thi)
 
 	// Make sure we don't panic if the host info doesn't have a cert yet
@@ -108,7 +110,7 @@ func TestControl_GetHostInfoByVpnIp(t *testing.T) {
 	})
 }
 
-func assertFields(t *testing.T, expected []string, actualStruct any) {
+func assertFields(t *testing.T, expected []string, actualStruct interface{}) {
 	val := reflect.ValueOf(actualStruct).Elem()
 	fields := make([]string, val.NumField())
 	for i := 0; i < val.NumField(); i++ {

dns_server_test.go

@@ -38,24 +38,24 @@ func TestParsequery(t *testing.T) {
 func Test_getDnsServerAddr(t *testing.T) {
 	c := config.NewC(nil)
 
-	c.Settings["lighthouse"] = map[string]any{
+	c.Settings["lighthouse"] = map[interface{}]interface{}{
-		"dns": map[string]any{
+		"dns": map[interface{}]interface{}{
 			"host": "0.0.0.0",
 			"port": "1",
 		},
 	}
 	assert.Equal(t, "0.0.0.0:1", getDnsServerAddr(c))
 
-	c.Settings["lighthouse"] = map[string]any{
+	c.Settings["lighthouse"] = map[interface{}]interface{}{
-		"dns": map[string]any{
+		"dns": map[interface{}]interface{}{
 			"host": "::",
 			"port": "1",
 		},
 	}
 	assert.Equal(t, "[::]:1", getDnsServerAddr(c))
 
-	c.Settings["lighthouse"] = map[string]any{
+	c.Settings["lighthouse"] = map[interface{}]interface{}{
-		"dns": map[string]any{
+		"dns": map[interface{}]interface{}{
 			"host": "[::]",
 			"port": "1",
 		},
@@ -63,8 +63,8 @@ func Test_getDnsServerAddr(t *testing.T) {
 	assert.Equal(t, "[::]:1", getDnsServerAddr(c))
 
 	// Make sure whitespace doesn't mess us up
-	c.Settings["lighthouse"] = map[string]any{
+	c.Settings["lighthouse"] = map[interface{}]interface{}{
-		"dns": map[string]any{
+		"dns": map[interface{}]interface{}{
 			"host": "[::] ",
 			"port": "1",
 		},

e2e/handshakes_test.go

@@ -20,7 +20,7 @@ import (
 	"github.com/slackhq/nebula/udp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/yaml.v3"
+	"gopkg.in/yaml.v2"
 )
 
 func BenchmarkHotPath(b *testing.B) {
@@ -991,7 +991,7 @@ func TestRehandshaking(t *testing.T) {
 	require.NoError(t, err)
 	var theirNewConfig m
 	require.NoError(t, yaml.Unmarshal(rc, &theirNewConfig))
-	theirFirewall := theirNewConfig["firewall"].(map[string]any)
+	theirFirewall := theirNewConfig["firewall"].(map[interface{}]interface{})
 	theirFirewall["inbound"] = []m{{
 		"proto": "any",
 		"port":  "any",
@@ -1087,7 +1087,7 @@ func TestRehandshakingLoser(t *testing.T) {
 	require.NoError(t, err)
 	var myNewConfig m
 	require.NoError(t, yaml.Unmarshal(rc, &myNewConfig))
-	theirFirewall := myNewConfig["firewall"].(map[string]any)
+	theirFirewall := myNewConfig["firewall"].(map[interface{}]interface{})
 	theirFirewall["inbound"] = []m{{
 		"proto": "any",
 		"port":  "any",
@@ -1224,3 +1224,135 @@ func TestV2NonPrimaryWithLighthouse(t *testing.T) {
 	myControl.Stop()
 	theirControl.Stop()
 }
+
+func TestPSK(t *testing.T) {
+	tests := []struct {
+		name         string
+		myPskMode    nebula.PskMode
+		theirPskMode nebula.PskMode
+	}{
+		// All accepting
+		{
+			name:         "both accepting",
+			myPskMode:    nebula.PskAccepting,
+			theirPskMode: nebula.PskAccepting,
+		},
+
+		// accepting and sending both ways
+		{
+			name:         "accepting to sending",
+			myPskMode:    nebula.PskAccepting,
+			theirPskMode: nebula.PskSending,
+		},
+		{
+			name:         "sending to accepting",
+			myPskMode:    nebula.PskSending,
+			theirPskMode: nebula.PskAccepting,
+		},
+
+		// All sending
+		{
+			name:         "sending to sending",
+			myPskMode:    nebula.PskSending,
+			theirPskMode: nebula.PskSending,
+		},
+
+		// enforced and sending both ways
+		{
+			name:         "enforced to sending",
+			myPskMode:    nebula.PskEnforced,
+			theirPskMode: nebula.PskSending,
+		},
+		{
+			name:         "sending to enforced",
+			myPskMode:    nebula.PskSending,
+			theirPskMode: nebula.PskEnforced,
+		},
+
+		// All enforced
+		{
+			name:         "both enforced",
+			myPskMode:    nebula.PskEnforced,
+			theirPskMode: nebula.PskEnforced,
+		},
+
+		// Enforced can technically handshake with an accepting node, but it is bad to be in this state
+		{
+			name:         "enforced to accepting",
+			myPskMode:    nebula.PskEnforced,
+			theirPskMode: nebula.PskAccepting,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			var myPskSettings, theirPskSettings m
+
+			switch test.myPskMode {
+			case nebula.PskAccepting:
+				myPskSettings = m{"psk": &m{"mode": "accepting", "keys": []string{"garbage0", "this is a key"}}}
+			case nebula.PskSending:
+				myPskSettings = m{"psk": &m{"mode": "sending", "keys": []string{"this is a key", "garbage1"}}}
+			case nebula.PskEnforced:
+				myPskSettings = m{"psk": &m{"mode": "enforced", "keys": []string{"this is a key", "garbage2"}}}
+			}
+
+			switch test.theirPskMode {
+			case nebula.PskAccepting:
+				theirPskSettings = m{"psk": &m{"mode": "accepting", "keys": []string{"garbage3", "this is a key"}}}
+			case nebula.PskSending:
+				theirPskSettings = m{"psk": &m{"mode": "sending", "keys": []string{"this is a key", "garbage4"}}}
+			case nebula.PskEnforced:
+				theirPskSettings = m{"psk": &m{"mode": "enforced", "keys": []string{"this is a key", "garbage5"}}}
+			}
+
+			ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version2, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
+			myControl, myVpnIp, myUdpAddr, _ := newSimpleServer(cert.Version2, ca, caKey, "me", "10.0.0.1/24", myPskSettings)
+			theirControl, theirVpnIp, theirUdpAddr, _ := newSimpleServer(cert.Version2, ca, caKey, "them", "10.0.0.2/24", theirPskSettings)
+
+			myControl.InjectLightHouseAddr(theirVpnIp[0].Addr(), theirUdpAddr)
+			r := router.NewR(t, myControl, theirControl)
+
+			// Start the servers
+			myControl.Start()
+			theirControl.Start()
+
+			t.Log("Route until we see our cached packet flow")
+			myControl.InjectTunUDPPacket(theirVpnIp[0].Addr(), 80, myVpnIp[0].Addr(), 80, []byte("Hi from me"))
+			r.RouteForAllExitFunc(func(p *udp.Packet, c *nebula.Control) router.ExitType {
+				h := &header.H{}
+				err := h.Parse(p.Data)
+				if err != nil {
+					panic(err)
+				}
+
+				// If this is the stage 1 handshake packet and I am configured to send with a psk, my cert name should
+				// not appear. It would likely be more obvious to unmarshal the payload and check but this works fine for now
+				if test.myPskMode == nebula.PskEnforced || test.myPskMode == nebula.PskSending {
+					if h.Type == 0 && h.MessageCounter == 1 {
+						assert.NotContains(t, string(p.Data), "test me")
+					}
+				}
+
+				if p.To == theirUdpAddr && h.Type == 1 {
+					return router.RouteAndExit
+				}
+
+				return router.KeepRouting
+			})
+
+			t.Log("My cached packet should be received by them")
+			myCachedPacket := theirControl.GetFromTun(true)
+			assertUdpPacket(t, []byte("Hi from me"), myCachedPacket, myVpnIp[0].Addr(), theirVpnIp[0].Addr(), 80, 80)
+
+			t.Log("Test the tunnel with them")
+			assertHostInfoPair(t, myUdpAddr, theirUdpAddr, myVpnIp, theirVpnIp, myControl, theirControl)
+			assertTunnel(t, myVpnIp[0].Addr(), theirVpnIp[0].Addr(), myControl, theirControl, r)
+
+			myControl.Stop()
+			theirControl.Stop()
+			//TODO: assert hostmaps
+		})
+	}
+
+}

e2e/helpers_test.go

@@ -22,10 +22,10 @@ import (
 	"github.com/slackhq/nebula/config"
 	"github.com/slackhq/nebula/e2e/router"
 	"github.com/stretchr/testify/assert"
-	"gopkg.in/yaml.v3"
+	"gopkg.in/yaml.v2"
 )
 
-type m = map[string]any
+type m map[string]interface{}
 
 // newSimpleServer creates a nebula instance with many assumptions
 func newSimpleServer(v cert.Version, caCrt cert.Certificate, caKey []byte, name string, sVpnNetworks string, overrides m) (*nebula.Control, []netip.Prefix, netip.AddrPort, *config.C) {

e2e/router/router.go

@@ -111,10 +111,6 @@ type ExitFunc func(packet *udp.Packet, receiver *nebula.Control) ExitType
 func NewR(t testing.TB, controls ...*nebula.Control) *R {
 	ctx, cancel := context.WithCancel(context.Background())
 
-	if err := os.MkdirAll("mermaid", 0755); err != nil {
-		panic(err)
-	}
-
 	r := &R{
 		controls:     make(map[netip.AddrPort]*nebula.Control),
 		vpnControls:  make(map[netip.Addr]*nebula.Control),
@@ -194,6 +190,9 @@ func (r *R) renderFlow() {
 		return
 	}
 
+	if err := os.MkdirAll(filepath.Dir(r.fn), 0755); err != nil {
+		panic(err)
+	}
 	f, err := os.OpenFile(r.fn, os.O_CREATE|os.O_TRUNC|os.O_RDWR, 0644)
 	if err != nil {
 		panic(err)

examples/config.yml

@@ -13,11 +13,43 @@ pki:
   # disconnect_invalid is a toggle to force a client to be disconnected if the certificate is expired or invalid.
   #disconnect_invalid: true
 
-  # initiating_version controls which certificate version is used when initiating handshakes.
+  # default_version controls which certificate version is used in handshakes.
   # This setting only applies if both a v1 and a v2 certificate are configured, in which case it will default to `1`.
   # Once all hosts in the mesh are configured with both a v1 and v2 certificate then this should be changed to `2`.
   # After all hosts in the mesh are using a v2 certificate then v1 certificates are no longer needed.
-  # initiating_version: 1
+  # default_version: 1
+
+  # psk can be used to mask the contents of handshakes.
+  psk:
+    # `mode` defines how the pre shared keys can be used in a handshake.
+    # `accepting` (the default) will initiate handshakes using an empty key and will try to use any keys provided when
+    # receiving handshakes, including an empty key.
+    # `sending` will initiate handshakes with the first key provided and will try to use any keys provided when
+    # receiving handshakes, including an empty key.
+    # `enforced` will initiate handshakes with the first psk key provided and will try to use any keys provided when
+    # responding to handshakes. An empty key will not be allowed.
+    #
+    # To change a mesh from not using a psk to enforcing psk:
+    # 1. Leave `mode` as `accepting` and configure `psk.keys` to match on all nodes in the mesh and reload.
+    # 2. Change `mode` to `sending` on all nodes in the mesh and reload.
+    # 3. Change `mode` to `enforced` on all nodes in the mesh and reload.
+    #mode: accepting
+
+    # The keys provided are sent through hkdf to ensure the shared secret used in the noise protocol is the
+    # correct byte length.
+    #
+    # Only the first key is used for outbound handshakes but all keys provided will be tried in the order specified, on
+    # incoming handshakes. This is to allow for psk rotation.
+    #
+    # To rotate a primary key:
+    # 1. Put the new key in the 2nd slot on every node in the mesh and reload.
+    # 2. Move the key from the 2nd slot to the 1st slot, the old primary key is now in the 2nd slot, reload.
+    # 3. Remove the old primary key once it is no longer in use on every node in the mesh and reload.
+    #keys:
+    # - shared secret string, this one is used in all outbound handshakes # This is the primary key used when sending handshakes
+    # - this is a fallback key, received handshakes can use this
+    # - another fallback, received handshakes can use this one too
+    # - "\x68\x65\x6c\x6c\x6f\x20\x66\x72\x69\x65\x6e\x64\x73" # for raw bytes if you desire
 
 # The static host map defines a set of hosts with fixed IP addresses on the internet (or any network).
 # A host can have multiple fixed IP addresses defined here, and nebula will try each when establishing a tunnel.
@@ -239,28 +271,7 @@ tun:
 
   # Unsafe routes allows you to route traffic over nebula to non-nebula nodes
   # Unsafe routes should be avoided unless you have hosts/services that cannot run nebula
-  # Supports weighted ECMP if you define a list of gateways, this can be used for load balancing or redundancy to hosts outside of nebula
+  # NOTE: The nebula certificate of the "via" node *MUST* have the "route" defined as a subnet in its certificate
-  # NOTES:
-  # * You will only see a single gateway in the routing table if you are not on linux
-  # * If a gateway is not reachable through the overlay another gateway will be selected to send the traffic through, ignoring weights
-  #
-  # unsafe_routes:
-  # # Multiple gateways without defining a weight defaults to a weight of 1, this will balance traffic equally between the three gateways
-  # - route: 192.168.87.0/24
-  #   via:
-  #     - gateway: 10.0.0.1
-  #     - gateway: 10.0.0.2
-  #     - gateway: 10.0.0.3
-  # # Multiple gateways with a weight, this will balance traffic accordingly
-  # - route: 192.168.87.0/24
-  #   via:
-  #     - gateway: 10.0.0.1
-  #       weight: 10
-  #     - gateway: 10.0.0.2
-  #       weight: 5
-  #
-  # NOTE: The nebula certificate of the "via" node(s) *MUST* have the "route" defined as a subnet in its certificate
-  # `via`: single node or list of gateways to use for this route
   # `mtu`: will default to tun mtu if this option is not specified
   # `metric`: will default to 0 if this option is not specified
   # `install`: will default to true, controls whether this route is installed in the systems routing table.
@@ -334,7 +345,6 @@ logging:
   # after receiving the response for lighthouse queries
   #trigger_buffer: 64
 
-
 # Nebula security group configuration
 firewall:
   # Action to take when a packet is not allowed by the firewall rules.
@@ -346,11 +356,11 @@ firewall:
   outbound_action: drop
   inbound_action: drop
 
-  # THIS FLAG IS DEPRECATED AND WILL BE REMOVED IN A FUTURE RELEASE. (Defaults to false.)
+  # Controls the default value for local_cidr. Default is true, will be deprecated after v1.9 and defaulted to false.
-  # This setting only affects nebula hosts exposing unsafe_routes. When set to false, each inbound rule must contain a
+  # This setting only affects nebula hosts with subnets encoded in their certificate. A nebula host acting as an
-  # `local_cidr` if the intention is to allow traffic to flow to an unsafe route. When set to true, every firewall rule
+  # unsafe router with `default_local_cidr_any: true` will expose their unsafe routes to every inbound rule regardless
-  # will apply to all configured unsafe_routes regardless of the actual destination of the packet, unless `local_cidr`
+  # of the actual destination for the packet. Setting this to false requires each inbound rule to contain a `local_cidr`
-  # is explicitly defined. This is usually not the desired behavior and should be avoided!
+  # if the intention is to allow traffic to flow to an unsafe route.
   #default_local_cidr_any: false
 
   conntrack:
@@ -368,9 +378,11 @@ firewall:
   #   group: `any` or a literal group name, ie `default-group`
   #   groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass
   #   cidr: a remote CIDR, `0.0.0.0/0` is any ipv4 and `::/0` is any ipv6.
-  #   local_cidr: a local CIDR, `0.0.0.0/0` is any ipv4 and `::/0` is any ipv6. This can be used to filter destinations when using unsafe_routes.
+  #   local_cidr: a local CIDR, `0.0.0.0/0` is any ipv4 and `::/0` is any ipv6. This could be used to filter destinations when using unsafe_routes.
-  #     By default, this is set to only the VPN (overlay) networks assigned via the certificate networks field unless `default_local_cidr_any` is set to true.
+  #     If no unsafe networks are present in the certificate(s) or `default_local_cidr_any` is true then the default is any ipv4 or ipv6 network.
-  #     If there are unsafe_routes present in this config file, `local_cidr` should be set appropriately for the intended us case.
+  #     Otherwise the default is any vpn network assigned to via the certificate.
+  #     `default_local_cidr_any` defaults to false and is deprecated, it will be removed in a future release.
+  #     If there are unsafe routes present its best to set `local_cidr` to whatever best fits the situation.
   #   ca_name: An issuing CA name
   #   ca_sha: An issuing CA shasum
 

firewall.go

@@ -331,7 +331,7 @@ func AddFirewallRulesFromConfig(l *logrus.Logger, inbound bool, c *config.C, fw
 		return nil
 	}
 
-	rs, ok := r.([]any)
+	rs, ok := r.([]interface{})
 	if !ok {
 		return fmt.Errorf("%s failed to parse, should be an array of rules", table)
 	}
@@ -606,7 +606,7 @@ func (f *Firewall) evict(p firewall.Packet) {
 		return
 	}
 
-	newT := time.Until(t.Expires)
+	newT := t.Expires.Sub(time.Now())
 
 	// Timeout is in the future, re-add the timer
 	if newT > 0 {
@@ -832,7 +832,7 @@ func (fr *FirewallRule) match(p firewall.Packet, c *cert.CachedCertificate) bool
 	}
 
 	// Shortcut path for if groups, hosts, or cidr contained an `any`
-	if fr.Any.match(p) {
+	if fr.Any.match(p, c) {
 		return true
 	}
 
@@ -849,21 +849,21 @@ func (fr *FirewallRule) match(p firewall.Packet, c *cert.CachedCertificate) bool
 			found = true
 		}
 
-		if found && sg.LocalCIDR.match(p) {
+		if found && sg.LocalCIDR.match(p, c) {
 			return true
 		}
 	}
 
 	if fr.Hosts != nil {
 		if flc, ok := fr.Hosts[c.Certificate.Name()]; ok {
-			if flc.match(p) {
+			if flc.match(p, c) {
 				return true
 			}
 		}
 	}
 
 	for _, v := range fr.CIDR.Supernets(netip.PrefixFrom(p.RemoteAddr, p.RemoteAddr.BitLen())) {
-		if v.match(p) {
+		if v.match(p, c) {
 			return true
 		}
 	}
@@ -892,7 +892,7 @@ func (flc *firewallLocalCIDR) addRule(f *Firewall, localIp netip.Prefix) error {
 	return nil
 }
 
-func (flc *firewallLocalCIDR) match(p firewall.Packet) bool {
+func (flc *firewallLocalCIDR) match(p firewall.Packet, c *cert.CachedCertificate) bool {
 	if flc == nil {
 		return false
 	}
@@ -918,15 +918,15 @@ type rule struct {
 	CASha     string
 }
 
-func convertRule(l *logrus.Logger, p any, table string, i int) (rule, error) {
+func convertRule(l *logrus.Logger, p interface{}, table string, i int) (rule, error) {
 	r := rule{}
 
-	m, ok := p.(map[string]any)
+	m, ok := p.(map[interface{}]interface{})
 	if !ok {
 		return r, errors.New("could not parse rule")
 	}
 
-	toString := func(k string, m map[string]any) string {
+	toString := func(k string, m map[interface{}]interface{}) string {
 		v, ok := m[k]
 		if !ok {
 			return ""
@@ -944,7 +944,7 @@ func convertRule(l *logrus.Logger, p any, table string, i int) (rule, error) {
 	r.CASha = toString("ca_sha", m)
 
 	// Make sure group isn't an array
-	if v, ok := m["group"].([]any); ok {
+	if v, ok := m["group"].([]interface{}); ok {
 		if len(v) > 1 {
 			return r, errors.New("group should contain a single value, an array with more than one entry was provided")
 		}

firewall/packet.go

@@ -6,7 +6,7 @@ import (
 	"net/netip"
 )
 
-type m = map[string]any
+type m map[string]interface{}
 
 const (
 	ProtoAny    = 0 // When we want to handle HOPOPT (0) we can change this, if ever

firewall_test.go

@@ -35,27 +35,22 @@ func TestNewFirewall(t *testing.T) {
 	assert.Equal(t, 3602, conntrack.TimerWheel.wheelLen)
 
 	fw = NewFirewall(l, time.Second, time.Hour, time.Minute, c)
-	conntrack = fw.Conntrack
 	assert.Equal(t, time.Hour, conntrack.TimerWheel.wheelDuration)
 	assert.Equal(t, 3602, conntrack.TimerWheel.wheelLen)
 
 	fw = NewFirewall(l, time.Hour, time.Second, time.Minute, c)
-	conntrack = fw.Conntrack
 	assert.Equal(t, time.Hour, conntrack.TimerWheel.wheelDuration)
 	assert.Equal(t, 3602, conntrack.TimerWheel.wheelLen)
 
 	fw = NewFirewall(l, time.Hour, time.Minute, time.Second, c)
-	conntrack = fw.Conntrack
 	assert.Equal(t, time.Hour, conntrack.TimerWheel.wheelDuration)
 	assert.Equal(t, 3602, conntrack.TimerWheel.wheelLen)
 
 	fw = NewFirewall(l, time.Minute, time.Hour, time.Second, c)
-	conntrack = fw.Conntrack
 	assert.Equal(t, time.Hour, conntrack.TimerWheel.wheelDuration)
 	assert.Equal(t, 3602, conntrack.TimerWheel.wheelLen)
 
 	fw = NewFirewall(l, time.Minute, time.Second, time.Hour, c)
-	conntrack = fw.Conntrack
 	assert.Equal(t, time.Hour, conntrack.TimerWheel.wheelDuration)
 	assert.Equal(t, 3602, conntrack.TimerWheel.wheelLen)
 }
@@ -636,53 +631,53 @@ func TestNewFirewallFromConfig(t *testing.T) {
 	require.NoError(t, err)
 
 	conf := config.NewC(l)
-	conf.Settings["firewall"] = map[string]any{"outbound": "asdf"}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"outbound": "asdf"}
 	_, err = NewFirewallFromConfig(l, cs, conf)
 	require.EqualError(t, err, "firewall.outbound failed to parse, should be an array of rules")
 
 	// Test both port and code
 	conf = config.NewC(l)
-	conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"port": "1", "code": "2"}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"outbound": []interface{}{map[interface{}]interface{}{"port": "1", "code": "2"}}}
 	_, err = NewFirewallFromConfig(l, cs, conf)
 	require.EqualError(t, err, "firewall.outbound rule #0; only one of port or code should be provided")
 
 	// Test missing host, group, cidr, ca_name and ca_sha
 	conf = config.NewC(l)
-	conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"outbound": []interface{}{map[interface{}]interface{}{}}}
 	_, err = NewFirewallFromConfig(l, cs, conf)
 	require.EqualError(t, err, "firewall.outbound rule #0; at least one of host, group, cidr, local_cidr, ca_name, or ca_sha must be provided")
 
 	// Test code/port error
 	conf = config.NewC(l)
-	conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"code": "a", "host": "testh"}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"outbound": []interface{}{map[interface{}]interface{}{"code": "a", "host": "testh"}}}
 	_, err = NewFirewallFromConfig(l, cs, conf)
 	require.EqualError(t, err, "firewall.outbound rule #0; code was not a number; `a`")
 
-	conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"port": "a", "host": "testh"}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"outbound": []interface{}{map[interface{}]interface{}{"port": "a", "host": "testh"}}}
 	_, err = NewFirewallFromConfig(l, cs, conf)
 	require.EqualError(t, err, "firewall.outbound rule #0; port was not a number; `a`")
 
 	// Test proto error
 	conf = config.NewC(l)
-	conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"code": "1", "host": "testh"}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"outbound": []interface{}{map[interface{}]interface{}{"code": "1", "host": "testh"}}}
 	_, err = NewFirewallFromConfig(l, cs, conf)
 	require.EqualError(t, err, "firewall.outbound rule #0; proto was not understood; ``")
 
 	// Test cidr parse error
 	conf = config.NewC(l)
-	conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"code": "1", "cidr": "testh", "proto": "any"}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"outbound": []interface{}{map[interface{}]interface{}{"code": "1", "cidr": "testh", "proto": "any"}}}
 	_, err = NewFirewallFromConfig(l, cs, conf)
 	require.EqualError(t, err, "firewall.outbound rule #0; cidr did not parse; netip.ParsePrefix(\"testh\"): no '/'")
 
 	// Test local_cidr parse error
 	conf = config.NewC(l)
-	conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"code": "1", "local_cidr": "testh", "proto": "any"}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"outbound": []interface{}{map[interface{}]interface{}{"code": "1", "local_cidr": "testh", "proto": "any"}}}
 	_, err = NewFirewallFromConfig(l, cs, conf)
 	require.EqualError(t, err, "firewall.outbound rule #0; local_cidr did not parse; netip.ParsePrefix(\"testh\"): no '/'")
 
 	// Test both group and groups
 	conf = config.NewC(l)
-	conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "group": "a", "groups": []string{"b", "c"}}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"inbound": []interface{}{map[interface{}]interface{}{"port": "1", "proto": "any", "group": "a", "groups": []string{"b", "c"}}}}
 	_, err = NewFirewallFromConfig(l, cs, conf)
 	require.EqualError(t, err, "firewall.inbound rule #0; only one of group or groups should be defined, both provided")
 }
@@ -692,28 +687,28 @@ func TestAddFirewallRulesFromConfig(t *testing.T) {
 	// Test adding tcp rule
 	conf := config.NewC(l)
 	mf := &mockFirewall{}
-	conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"port": "1", "proto": "tcp", "host": "a"}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"outbound": []interface{}{map[interface{}]interface{}{"port": "1", "proto": "tcp", "host": "a"}}}
 	require.NoError(t, AddFirewallRulesFromConfig(l, false, conf, mf))
 	assert.Equal(t, addRuleCall{incoming: false, proto: firewall.ProtoTCP, startPort: 1, endPort: 1, groups: nil, host: "a", ip: netip.Prefix{}, localIp: netip.Prefix{}}, mf.lastCall)
 
 	// Test adding udp rule
 	conf = config.NewC(l)
 	mf = &mockFirewall{}
-	conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"port": "1", "proto": "udp", "host": "a"}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"outbound": []interface{}{map[interface{}]interface{}{"port": "1", "proto": "udp", "host": "a"}}}
 	require.NoError(t, AddFirewallRulesFromConfig(l, false, conf, mf))
 	assert.Equal(t, addRuleCall{incoming: false, proto: firewall.ProtoUDP, startPort: 1, endPort: 1, groups: nil, host: "a", ip: netip.Prefix{}, localIp: netip.Prefix{}}, mf.lastCall)
 
 	// Test adding icmp rule
 	conf = config.NewC(l)
 	mf = &mockFirewall{}
-	conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"port": "1", "proto": "icmp", "host": "a"}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"outbound": []interface{}{map[interface{}]interface{}{"port": "1", "proto": "icmp", "host": "a"}}}
 	require.NoError(t, AddFirewallRulesFromConfig(l, false, conf, mf))
 	assert.Equal(t, addRuleCall{incoming: false, proto: firewall.ProtoICMP, startPort: 1, endPort: 1, groups: nil, host: "a", ip: netip.Prefix{}, localIp: netip.Prefix{}}, mf.lastCall)
 
 	// Test adding any rule
 	conf = config.NewC(l)
 	mf = &mockFirewall{}
-	conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "host": "a"}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"inbound": []interface{}{map[interface{}]interface{}{"port": "1", "proto": "any", "host": "a"}}}
 	require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
 	assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: nil, host: "a", ip: netip.Prefix{}, localIp: netip.Prefix{}}, mf.lastCall)
 
@@ -721,49 +716,49 @@ func TestAddFirewallRulesFromConfig(t *testing.T) {
 	cidr := netip.MustParsePrefix("10.0.0.0/8")
 	conf = config.NewC(l)
 	mf = &mockFirewall{}
-	conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "cidr": cidr.String()}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"inbound": []interface{}{map[interface{}]interface{}{"port": "1", "proto": "any", "cidr": cidr.String()}}}
 	require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
 	assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: nil, ip: cidr, localIp: netip.Prefix{}}, mf.lastCall)
 
 	// Test adding rule with local_cidr
 	conf = config.NewC(l)
 	mf = &mockFirewall{}
-	conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "local_cidr": cidr.String()}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"inbound": []interface{}{map[interface{}]interface{}{"port": "1", "proto": "any", "local_cidr": cidr.String()}}}
 	require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
 	assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: nil, ip: netip.Prefix{}, localIp: cidr}, mf.lastCall)
 
 	// Test adding rule with ca_sha
 	conf = config.NewC(l)
 	mf = &mockFirewall{}
-	conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "ca_sha": "12312313123"}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"inbound": []interface{}{map[interface{}]interface{}{"port": "1", "proto": "any", "ca_sha": "12312313123"}}}
 	require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
 	assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: nil, ip: netip.Prefix{}, localIp: netip.Prefix{}, caSha: "12312313123"}, mf.lastCall)
 
 	// Test adding rule with ca_name
 	conf = config.NewC(l)
 	mf = &mockFirewall{}
-	conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "ca_name": "root01"}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"inbound": []interface{}{map[interface{}]interface{}{"port": "1", "proto": "any", "ca_name": "root01"}}}
 	require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
 	assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: nil, ip: netip.Prefix{}, localIp: netip.Prefix{}, caName: "root01"}, mf.lastCall)
 
 	// Test single group
 	conf = config.NewC(l)
 	mf = &mockFirewall{}
-	conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "group": "a"}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"inbound": []interface{}{map[interface{}]interface{}{"port": "1", "proto": "any", "group": "a"}}}
 	require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
 	assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: []string{"a"}, ip: netip.Prefix{}, localIp: netip.Prefix{}}, mf.lastCall)
 
 	// Test single groups
 	conf = config.NewC(l)
 	mf = &mockFirewall{}
-	conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "groups": "a"}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"inbound": []interface{}{map[interface{}]interface{}{"port": "1", "proto": "any", "groups": "a"}}}
 	require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
 	assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: []string{"a"}, ip: netip.Prefix{}, localIp: netip.Prefix{}}, mf.lastCall)
 
 	// Test multiple AND groups
 	conf = config.NewC(l)
 	mf = &mockFirewall{}
-	conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "groups": []string{"a", "b"}}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"inbound": []interface{}{map[interface{}]interface{}{"port": "1", "proto": "any", "groups": []string{"a", "b"}}}}
 	require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
 	assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: []string{"a", "b"}, ip: netip.Prefix{}, localIp: netip.Prefix{}}, mf.lastCall)
 
@@ -771,7 +766,7 @@ func TestAddFirewallRulesFromConfig(t *testing.T) {
 	conf = config.NewC(l)
 	mf = &mockFirewall{}
 	mf.nextCallReturn = errors.New("test error")
-	conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "host": "a"}}}
+	conf.Settings["firewall"] = map[interface{}]interface{}{"inbound": []interface{}{map[interface{}]interface{}{"port": "1", "proto": "any", "host": "a"}}}
 	require.EqualError(t, AddFirewallRulesFromConfig(l, true, conf, mf), "firewall.inbound rule #0; `test error`")
 }
 
@@ -781,8 +776,8 @@ func TestFirewall_convertRule(t *testing.T) {
 	l.SetOutput(ob)
 
 	// Ensure group array of 1 is converted and a warning is printed
-	c := map[string]any{
+	c := map[interface{}]interface{}{
-		"group": []any{"group1"},
+		"group": []interface{}{"group1"},
 	}
 
 	r, err := convertRule(l, c, "test", 1)
@@ -792,17 +787,17 @@ func TestFirewall_convertRule(t *testing.T) {
 
 	// Ensure group array of > 1 is errord
 	ob.Reset()
-	c = map[string]any{
+	c = map[interface{}]interface{}{
-		"group": []any{"group1", "group2"},
+		"group": []interface{}{"group1", "group2"},
 	}
 
 	r, err = convertRule(l, c, "test", 1)
-	assert.Empty(t, ob.String())
+	assert.Equal(t, "", ob.String())
 	require.Error(t, err, "group should contain a single value, an array with more than one entry was provided")
 
 	// Make sure a well formed group is alright
 	ob.Reset()
-	c = map[string]any{
+	c = map[interface{}]interface{}{
 		"group": "group1",
 	}
 

go.mod

@@ -2,7 +2,7 @@ module github.com/slackhq/nebula
 
 go 1.23.6
 
-toolchain go1.24.1
+toolchain go1.23.7
 
 require (
 	dario.cat/mergo v1.0.1
@@ -10,11 +10,11 @@ require (
 	github.com/armon/go-radix v1.0.0
 	github.com/cyberdelia/go-metrics-graphite v0.0.0-20161219230853-39f87cc3b432
 	github.com/flynn/noise v1.1.0
-	github.com/gaissmai/bart v0.20.1
+	github.com/gaissmai/bart v0.18.1
 	github.com/gogo/protobuf v1.3.2
 	github.com/google/gopacket v1.1.19
 	github.com/kardianos/service v1.2.2
-	github.com/miekg/dns v1.1.65
+	github.com/miekg/dns v1.1.63
 	github.com/miekg/pkcs11 v1.1.2-0.20231115102856-9078ad6b9d4b
 	github.com/nbrownus/go-metrics-prometheus v0.0.0-20210712211119-974a6260965f
 	github.com/prometheus/client_golang v1.21.1
@@ -24,17 +24,17 @@ require (
 	github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6
 	github.com/stretchr/testify v1.10.0
 	github.com/vishvananda/netlink v1.3.0
-	golang.org/x/crypto v0.37.0
+	golang.org/x/crypto v0.36.0
 	golang.org/x/exp v0.0.0-20230725093048-515e97ebf090
-	golang.org/x/net v0.38.0
+	golang.org/x/net v0.37.0
-	golang.org/x/sync v0.13.0
+	golang.org/x/sync v0.12.0
-	golang.org/x/sys v0.32.0
+	golang.org/x/sys v0.31.0
-	golang.org/x/term v0.31.0
+	golang.org/x/term v0.30.0
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
 	golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b
 	golang.zx2c4.com/wireguard/windows v0.5.3
-	google.golang.org/protobuf v1.36.6
+	google.golang.org/protobuf v1.36.5
-	gopkg.in/yaml.v3 v3.0.1
+	gopkg.in/yaml.v2 v2.4.0
 	gvisor.dev/gvisor v0.0.0-20240423190808-9d7a357edefe
 )
 
@@ -50,7 +50,8 @@ require (
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
-	golang.org/x/mod v0.23.0 // indirect
+	golang.org/x/mod v0.18.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.30.0 // indirect
+	golang.org/x/tools v0.22.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -24,8 +24,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/flynn/noise v1.1.0 h1:KjPQoQCEFdZDiP03phOvGi11+SVVhBG2wOWAorLsstg=
 github.com/flynn/noise v1.1.0/go.mod h1:xbMo+0i6+IGbYdJhF31t2eR1BIU0CYc12+BNAKwUTag=
-github.com/gaissmai/bart v0.20.1 h1:igNss0zDsSY8e+ophKgD9KJVPKBOo7uSVjyKCL7nIzo=
+github.com/gaissmai/bart v0.18.1 h1:bX2j560JC1MJpoEDevBGvXL5OZ1mkls320Vl8Igb5QQ=
-github.com/gaissmai/bart v0.20.1/go.mod h1:JJzMAhNF5Rjo4SF4jWBrANuJfqY+FvsFhW7t1UZJ+XY=
+github.com/gaissmai/bart v0.18.1/go.mod h1:JJzMAhNF5Rjo4SF4jWBrANuJfqY+FvsFhW7t1UZJ+XY=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@@ -83,8 +83,8 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/miekg/dns v1.1.65 h1:0+tIPHzUW0GCge7IiK3guGP57VAw7hoPDfApjkMD1Fc=
+github.com/miekg/dns v1.1.63 h1:8M5aAw6OMZfFXTT7K5V0Eu5YiiL8l7nUAkyN6C9YwaY=
-github.com/miekg/dns v1.1.65/go.mod h1:Dzw9769uoKVaLuODMDZz9M6ynFU6Em65csPuoi8G0ck=
+github.com/miekg/dns v1.1.63/go.mod h1:6NGHfjhpmr5lt3XPLuyfDJi5AXbNIPM9PY6H6sF1Nfs=
 github.com/miekg/pkcs11 v1.1.2-0.20231115102856-9078ad6b9d4b h1:J/AzCvg5z0Hn1rqZUJjpbzALUmkKX0Zwbc/i4fw7Sfk=
 github.com/miekg/pkcs11 v1.1.2-0.20231115102856-9078ad6b9d4b/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -156,16 +156,16 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
-golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/exp v0.0.0-20230725093048-515e97ebf090 h1:Di6/M8l0O2lCLc6VVRWhgCiApHV8MnQurBnFSHsQtNY=
 golang.org/x/exp v0.0.0-20230725093048-515e97ebf090/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
-golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -176,8 +176,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -185,8 +185,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -204,11 +204,11 @@ golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -219,8 +219,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.30.0 h1:BgcpHewrV5AUp2G9MebG4XPFI1E2W41zU1SaqVA9vJY=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
-golang.org/x/tools v0.30.0/go.mod h1:c347cR/OJfw5TI+GfX7RUPNMdDRRbjvYTS0jPyvsVtY=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -239,8 +239,8 @@ google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miE
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -251,6 +251,8 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

handshake_ix.go

@@ -25,7 +25,7 @@ func ixHandshakeStage0(f *Interface, hh *HandshakeHostInfo) bool {
 
 	// If we're connecting to a v6 address we must use a v2 cert
 	cs := f.pki.getCertState()
-	v := cs.initiatingVersion
+	v := cs.defaultVersion
 	for _, a := range hh.hostinfo.vpnAddrs {
 		if a.Is6() {
 			v = cert.Version2
@@ -50,7 +50,7 @@ func ixHandshakeStage0(f *Interface, hh *HandshakeHostInfo) bool {
 			Error("Unable to handshake with host because no certificate handshake bytes is available")
 	}
 
-	ci, err := NewConnectionState(f.l, cs, crt, true, noise.HandshakeIX)
+	ci, err := NewConnectionState(f.l, cs, crt, true, noise.HandshakeIX, cs.psk.primary)
 	if err != nil {
 		f.l.WithError(err).WithField("vpnAddrs", hh.hostinfo.vpnAddrs).
 			WithField("handshake", m{"stage": 0, "style": "ix_psk0"}).
@@ -71,8 +71,7 @@ func ixHandshakeStage0(f *Interface, hh *HandshakeHostInfo) bool {
 
 	hsBytes, err := hs.Marshal()
 	if err != nil {
-		f.l.WithError(err).WithField("vpnAddrs", hh.hostinfo.vpnAddrs).
+		f.l.WithError(err).WithField("vpnAddrs", hh.hostinfo.vpnAddrs).WithField("certVersion", v).
-			WithField("certVersion", v).
 			WithField("handshake", m{"stage": 0, "style": "ix_psk0"}).Error("Failed to marshal handshake message")
 		return false
 	}
@@ -101,38 +100,57 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 	if crt == nil {
 		f.l.WithField("udpAddr", addr).
 			WithField("handshake", m{"stage": 0, "style": "ix_psk0"}).
-			WithField("certVersion", cs.initiatingVersion).
+			WithField("certVersion", cs.defaultVersion).
 			Error("Unable to handshake with host because no certificate is available")
 	}
 
-	ci, err := NewConnectionState(f.l, cs, crt, false, noise.HandshakeIX)
+	var (
+		err error
+		ci  *ConnectionState
+		msg []byte
+	)
+
+	hs := &NebulaHandshake{}
+
+	for _, psk := range cs.psk.keys {
+		ci, err = NewConnectionState(f.l, cs, crt, false, noise.HandshakeIX, psk)
 		if err != nil {
+			//TODO: should be bother logging this, if we have multiple psks and the error is unrelated it will be verbose.
 			f.l.WithError(err).WithField("udpAddr", addr).
 				WithField("handshake", m{"stage": 1, "style": "ix_psk0"}).
 				Error("Failed to create connection state")
+			continue
+		}
+
+		msg, _, _, err = ci.H.ReadMessage(nil, packet[header.Len:])
+		if err != nil {
+			// Calls to ReadMessage with an incorrect psk should fail, try the next one if we have one
+			continue
+		}
+
+		// Sometimes ReadMessage returns fine with a nil psk even if the handshake is using a psk, ensure our protobuf
+		// comes out clean as well
+		err = hs.Unmarshal(msg)
+		if err == nil {
+			// There was no error, we can continue with this handshake
+			break
+		}
+
+		// The unmarshal failed, try the next psk if we have one
+	}
+
+	// We finished with an error, log it and get out
+	if err != nil || hs.Details == nil {
+		// We aren't logging the error here because we can't be sure of the failure when using psk
+		f.l.WithField("udpAddr", addr).
+			WithField("handshake", m{"stage": 1, "style": "ix_psk0"}).
+			Error("Was unable to decrypt the handshake")
 		return
 	}
 
 	// Mark packet 1 as seen so it doesn't show up as missed
 	ci.window.Update(f.l, 1)
 
-	msg, _, _, err := ci.H.ReadMessage(nil, packet[header.Len:])
-	if err != nil {
-		f.l.WithError(err).WithField("udpAddr", addr).
-			WithField("handshake", m{"stage": 1, "style": "ix_psk0"}).
-			Error("Failed to call noise.ReadMessage")
-		return
-	}
-
-	hs := &NebulaHandshake{}
-	err = hs.Unmarshal(msg)
-	if err != nil || hs.Details == nil {
-		f.l.WithError(err).WithField("udpAddr", addr).
-			WithField("handshake", m{"stage": 1, "style": "ix_psk0"}).
-			Error("Failed unmarshal handshake message")
-		return
-	}
-
 	rc, err := cert.Recombine(cert.Version(hs.Details.CertVersion), hs.Details.Cert, ci.H.PeerStatic(), ci.Curve())
 	if err != nil {
 		f.l.WithError(err).WithField("udpAddr", addr).
@@ -186,7 +204,6 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 	var vpnAddrs []netip.Addr
 	var filteredNetworks []netip.Prefix
 	certName := remoteCert.Certificate.Name()
-	certVersion := remoteCert.Certificate.Version()
 	fingerprint := remoteCert.Fingerprint
 	issuer := remoteCert.Certificate.Issuer()
 
@@ -196,7 +213,6 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 		if found {
 			f.l.WithField("vpnAddr", vpnAddr).WithField("udpAddr", addr).
 				WithField("certName", certName).
-				WithField("certVersion", certVersion).
 				WithField("fingerprint", fingerprint).
 				WithField("issuer", issuer).
 				WithField("handshake", m{"stage": 1, "style": "ix_psk0"}).Error("Refusing to handshake with myself")
@@ -215,7 +231,6 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 	if len(vpnAddrs) == 0 {
 		f.l.WithError(err).WithField("udpAddr", addr).
 			WithField("certName", certName).
-			WithField("certVersion", certVersion).
 			WithField("fingerprint", fingerprint).
 			WithField("issuer", issuer).
 			WithField("handshake", m{"stage": 1, "style": "ix_psk0"}).Error("No usable vpn addresses from host, refusing handshake")
@@ -235,7 +250,6 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 	if err != nil {
 		f.l.WithError(err).WithField("vpnAddrs", vpnAddrs).WithField("udpAddr", addr).
 			WithField("certName", certName).
-			WithField("certVersion", certVersion).
 			WithField("fingerprint", fingerprint).
 			WithField("issuer", issuer).
 			WithField("handshake", m{"stage": 1, "style": "ix_psk0"}).Error("Failed to generate index")
@@ -258,7 +272,6 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 
 	f.l.WithField("vpnAddrs", vpnAddrs).WithField("udpAddr", addr).
 		WithField("certName", certName).
-		WithField("certVersion", certVersion).
 		WithField("fingerprint", fingerprint).
 		WithField("issuer", issuer).
 		WithField("initiatorIndex", hs.Details.InitiatorIndex).WithField("responderIndex", hs.Details.ResponderIndex).
@@ -270,7 +283,6 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 	if hs.Details.Cert == nil {
 		f.l.WithField("vpnAddrs", vpnAddrs).WithField("udpAddr", addr).
 			WithField("certName", certName).
-			WithField("certVersion", certVersion).
 			WithField("fingerprint", fingerprint).
 			WithField("issuer", issuer).
 			WithField("initiatorIndex", hs.Details.InitiatorIndex).WithField("responderIndex", hs.Details.ResponderIndex).
@@ -288,7 +300,6 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 	if err != nil {
 		f.l.WithError(err).WithField("vpnAddrs", hostinfo.vpnAddrs).WithField("udpAddr", addr).
 			WithField("certName", certName).
-			WithField("certVersion", certVersion).
 			WithField("fingerprint", fingerprint).
 			WithField("issuer", issuer).
 			WithField("handshake", m{"stage": 1, "style": "ix_psk0"}).Error("Failed to marshal handshake message")
@@ -300,7 +311,6 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 	if err != nil {
 		f.l.WithError(err).WithField("vpnAddrs", hostinfo.vpnAddrs).WithField("udpAddr", addr).
 			WithField("certName", certName).
-			WithField("certVersion", certVersion).
 			WithField("fingerprint", fingerprint).
 			WithField("issuer", issuer).
 			WithField("handshake", m{"stage": 1, "style": "ix_psk0"}).Error("Failed to call noise.WriteMessage")
@@ -308,7 +318,6 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 	} else if dKey == nil || eKey == nil {
 		f.l.WithField("vpnAddrs", hostinfo.vpnAddrs).WithField("udpAddr", addr).
 			WithField("certName", certName).
-			WithField("certVersion", certVersion).
 			WithField("fingerprint", fingerprint).
 			WithField("issuer", issuer).
 			WithField("handshake", m{"stage": 1, "style": "ix_psk0"}).Error("Noise did not arrive at a key")
@@ -343,7 +352,7 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 			if existing.SetRemoteIfPreferred(f.hostMap, addr) {
 				// Send a test packet to ensure the other side has also switched to
 				// the preferred remote
-				f.SendMessageToVpnAddr(header.Test, header.TestRequest, vpnAddrs[0], []byte(""), make([]byte, 12), make([]byte, mtu))
+				f.SendMessageToVpnAddr(header.Test, header.TestRequest, vpnAddrs[0], []byte(""), make([]byte, 12, 12), make([]byte, mtu))
 			}
 
 			msg = existing.HandshakePacket[2]
@@ -376,7 +385,6 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 			// This means there was an existing tunnel and this handshake was older than the one we are currently based on
 			f.l.WithField("vpnAddrs", vpnAddrs).WithField("udpAddr", addr).
 				WithField("certName", certName).
-				WithField("certVersion", certVersion).
 				WithField("oldHandshakeTime", existing.lastHandshakeTime).
 				WithField("newHandshakeTime", hostinfo.lastHandshakeTime).
 				WithField("fingerprint", fingerprint).
@@ -386,13 +394,12 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 				Info("Handshake too old")
 
 			// Send a test packet to trigger an authenticated tunnel test, this should suss out any lingering tunnel issues
-			f.SendMessageToVpnAddr(header.Test, header.TestRequest, vpnAddrs[0], []byte(""), make([]byte, 12), make([]byte, mtu))
+			f.SendMessageToVpnAddr(header.Test, header.TestRequest, vpnAddrs[0], []byte(""), make([]byte, 12, 12), make([]byte, mtu))
 			return
 		case ErrLocalIndexCollision:
 			// This means we failed to insert because of collision on localIndexId. Just let the next handshake packet retry
 			f.l.WithField("vpnAddrs", vpnAddrs).WithField("udpAddr", addr).
 				WithField("certName", certName).
-				WithField("certVersion", certVersion).
 				WithField("fingerprint", fingerprint).
 				WithField("issuer", issuer).
 				WithField("initiatorIndex", hs.Details.InitiatorIndex).WithField("responderIndex", hs.Details.ResponderIndex).
@@ -405,7 +412,6 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 			// And we forget to update it here
 			f.l.WithError(err).WithField("vpnAddrs", vpnAddrs).WithField("udpAddr", addr).
 				WithField("certName", certName).
-				WithField("certVersion", certVersion).
 				WithField("fingerprint", fingerprint).
 				WithField("issuer", issuer).
 				WithField("initiatorIndex", hs.Details.InitiatorIndex).WithField("responderIndex", hs.Details.ResponderIndex).
@@ -422,7 +428,6 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 		if err != nil {
 			f.l.WithField("vpnAddrs", vpnAddrs).WithField("udpAddr", addr).
 				WithField("certName", certName).
-				WithField("certVersion", certVersion).
 				WithField("fingerprint", fingerprint).
 				WithField("issuer", issuer).
 				WithField("initiatorIndex", hs.Details.InitiatorIndex).WithField("responderIndex", hs.Details.ResponderIndex).
@@ -431,7 +436,6 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 		} else {
 			f.l.WithField("vpnAddrs", vpnAddrs).WithField("udpAddr", addr).
 				WithField("certName", certName).
-				WithField("certVersion", certVersion).
 				WithField("fingerprint", fingerprint).
 				WithField("issuer", issuer).
 				WithField("initiatorIndex", hs.Details.InitiatorIndex).WithField("responderIndex", hs.Details.ResponderIndex).
@@ -450,7 +454,6 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 		f.SendVia(via.relayHI, via.relay, msg, make([]byte, 12), make([]byte, mtu), false)
 		f.l.WithField("vpnAddrs", vpnAddrs).WithField("relay", via.relayHI.vpnAddrs[0]).
 			WithField("certName", certName).
-			WithField("certVersion", certVersion).
 			WithField("fingerprint", fingerprint).
 			WithField("issuer", issuer).
 			WithField("initiatorIndex", hs.Details.InitiatorIndex).WithField("responderIndex", hs.Details.ResponderIndex).
@@ -461,6 +464,8 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 	f.connectionManager.AddTrafficWatch(hostinfo.localIndexId)
 
 	hostinfo.remotes.ResetBlockedRemotes()
+
+	return
 }
 
 func ixHandshakeStage2(f *Interface, addr netip.AddrPort, via *ViaSender, hh *HandshakeHostInfo, packet []byte, h *header.H) bool {
@@ -553,7 +558,6 @@ func ixHandshakeStage2(f *Interface, addr netip.AddrPort, via *ViaSender, hh *Ha
 
 	vpnNetworks := remoteCert.Certificate.Networks()
 	certName := remoteCert.Certificate.Name()
-	certVersion := remoteCert.Certificate.Version()
 	fingerprint := remoteCert.Fingerprint
 	issuer := remoteCert.Certificate.Issuer()
 
@@ -588,7 +592,6 @@ func ixHandshakeStage2(f *Interface, addr netip.AddrPort, via *ViaSender, hh *Ha
 	if len(vpnAddrs) == 0 {
 		f.l.WithError(err).WithField("udpAddr", addr).
 			WithField("certName", certName).
-			WithField("certVersion", certVersion).
 			WithField("fingerprint", fingerprint).
 			WithField("issuer", issuer).
 			WithField("handshake", m{"stage": 2, "style": "ix_psk0"}).Error("No usable vpn addresses from host, refusing handshake")
@@ -598,9 +601,7 @@ func ixHandshakeStage2(f *Interface, addr netip.AddrPort, via *ViaSender, hh *Ha
 	// Ensure the right host responded
 	if !slices.Contains(vpnAddrs, hostinfo.vpnAddrs[0]) {
 		f.l.WithField("intendedVpnAddrs", hostinfo.vpnAddrs).WithField("haveVpnNetworks", vpnNetworks).
-			WithField("udpAddr", addr).
+			WithField("udpAddr", addr).WithField("certName", certName).
-			WithField("certName", certName).
-			WithField("certVersion", certVersion).
 			WithField("handshake", m{"stage": 2, "style": "ix_psk0"}).
 			Info("Incorrect host responded to handshake")
 
@@ -636,7 +637,6 @@ func ixHandshakeStage2(f *Interface, addr netip.AddrPort, via *ViaSender, hh *Ha
 	duration := time.Since(hh.startTime).Nanoseconds()
 	f.l.WithField("vpnAddrs", vpnAddrs).WithField("udpAddr", addr).
 		WithField("certName", certName).
-		WithField("certVersion", certVersion).
 		WithField("fingerprint", fingerprint).
 		WithField("issuer", issuer).
 		WithField("initiatorIndex", hs.Details.InitiatorIndex).WithField("responderIndex", hs.Details.ResponderIndex).
@@ -658,7 +658,7 @@ func ixHandshakeStage2(f *Interface, addr netip.AddrPort, via *ViaSender, hh *Ha
 	}
 
 	if len(hh.packetStore) > 0 {
-		nb := make([]byte, 12)
+		nb := make([]byte, 12, 12)
 		out := make([]byte, mtu)
 		for _, cp := range hh.packetStore {
 			cp.callback(cp.messageType, cp.messageSubType, hostinfo, cp.packet, nb, out)

handshake_manager_test.go

@@ -10,6 +10,7 @@ import (
 	"github.com/slackhq/nebula/test"
 	"github.com/slackhq/nebula/udp"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func Test_NewHandshakeManagerVpnIp(t *testing.T) {
@@ -23,11 +24,15 @@ func Test_NewHandshakeManagerVpnIp(t *testing.T) {
 
 	lh := newTestLighthouse()
 
+	psk, err := NewPsk(PskAccepting, nil)
+	require.NoError(t, err)
+
 	cs := &CertState{
-		initiatingVersion: cert.Version1,
+		defaultVersion:   cert.Version1,
 		privateKey:       []byte{},
 		v1Cert:           &dummyCert{version: cert.Version1},
 		v1HandshakeBytes: []byte{},
+		psk:              psk,
 	}
 
 	blah := NewHandshakeManager(l, mainHM, lh, &udp.NoopConn{}, defaultHandshakeConfig)
@@ -65,16 +70,30 @@ func Test_NewHandshakeManagerVpnIp(t *testing.T) {
 	assert.NotContains(t, blah.vpnIps, ip)
 }
 
+func testCountTimerWheelEntries(tw *LockingTimerWheel[netip.Addr]) (c int) {
+	for _, i := range tw.t.wheel {
+		n := i.Head
+		for n != nil {
+			c++
+			n = n.Next
+		}
+	}
+	return c
+}
+
 type mockEncWriter struct {
 }
 
 func (mw *mockEncWriter) SendMessageToVpnAddr(_ header.MessageType, _ header.MessageSubType, _ netip.Addr, _, _, _ []byte) {
+	return
 }
 
 func (mw *mockEncWriter) SendVia(_ *HostInfo, _ *Relay, _, _, _ []byte, _ bool) {
+	return
 }
 
 func (mw *mockEncWriter) SendMessageToHostInfo(_ header.MessageType, _ header.MessageSubType, _ *HostInfo, _, _, _ []byte) {
+	return
 }
 
 func (mw *mockEncWriter) Handshake(_ netip.Addr) {}
@@ -84,5 +103,5 @@ func (mw *mockEncWriter) GetHostInfo(_ netip.Addr) *HostInfo {
 }
 
 func (mw *mockEncWriter) GetCertState() *CertState {
-	return &CertState{initiatingVersion: cert.Version2}
+	return &CertState{defaultVersion: cert.Version2}
 }

header/header.go

@@ -19,11 +19,11 @@ import (
 // |-----------------------------------------------------------------------|
 // |                               payload...                              |
 
-type m = map[string]any
+type m map[string]interface{}
 
 const (
 	Version uint8 = 1
-	Len     int   = 16
+	Len           = 16
 )
 
 type MessageType uint8

hostmap.go

@@ -568,7 +568,7 @@ func (hm *HostMap) unlockedAddHostInfo(hostinfo *HostInfo, f *Interface) {
 		dnsR.Add(remoteCert.Certificate.Name()+".", hostinfo.vpnAddrs)
 	}
 	for _, addr := range hostinfo.vpnAddrs {
-		hm.unlockedInnerAddHostInfo(addr, hostinfo)
+		hm.unlockedInnerAddHostInfo(addr, hostinfo, f)
 	}
 
 	hm.Indexes[hostinfo.localIndexId] = hostinfo
@@ -581,7 +581,7 @@ func (hm *HostMap) unlockedAddHostInfo(hostinfo *HostInfo, f *Interface) {
 	}
 }
 
-func (hm *HostMap) unlockedInnerAddHostInfo(vpnAddr netip.Addr, hostinfo *HostInfo) {
+func (hm *HostMap) unlockedInnerAddHostInfo(vpnAddr netip.Addr, hostinfo *HostInfo, f *Interface) {
 	existing := hm.Hosts[vpnAddr]
 	hm.Hosts[vpnAddr] = hostinfo
 
@@ -648,7 +648,7 @@ func (i *HostInfo) TryPromoteBest(preferredRanges []netip.Prefix, ifce *Interfac
 
 			// Try to send a test packet to that host, this should
 			// cause it to detect a roaming event and switch remotes
-			ifce.sendTo(header.Test, header.TestRequest, i.ConnectionState, i, addr, []byte(""), make([]byte, 12), make([]byte, mtu))
+			ifce.sendTo(header.Test, header.TestRequest, i.ConnectionState, i, addr, []byte(""), make([]byte, 12, 12), make([]byte, mtu))
 		})
 	}
 
@@ -794,7 +794,7 @@ func localAddrs(l *logrus.Logger, allowList *LocalAllowList) []netip.Addr {
 			}
 			addr = addr.Unmap()
 
-			if !addr.IsLoopback() && !addr.IsLinkLocalUnicast() {
+			if addr.IsLoopback() == false && addr.IsLinkLocalUnicast() == false {
 				isAllowed := allowList.Allow(addr)
 				if l.Level >= logrus.TraceLevel {
 					l.WithField("localAddr", addr).WithField("allowed", isAllowed).Trace("localAllowList.Allow")

hostmap_test.go

@@ -210,8 +210,8 @@ func TestHostMap_reload(t *testing.T) {
 	assert.Empty(t, hm.GetPreferredRanges())
 
 	c.ReloadConfigString("preferred_ranges: [1.1.1.0/24, 10.1.1.0/24]")
-	assert.Equal(t, []string{"1.1.1.0/24", "10.1.1.0/24"}, toS(hm.GetPreferredRanges()))
+	assert.EqualValues(t, []string{"1.1.1.0/24", "10.1.1.0/24"}, toS(hm.GetPreferredRanges()))
 
 	c.ReloadConfigString("preferred_ranges: [1.1.1.1/32]")
-	assert.Equal(t, []string{"1.1.1.1/32"}, toS(hm.GetPreferredRanges()))
+	assert.EqualValues(t, []string{"1.1.1.1/32"}, toS(hm.GetPreferredRanges()))
 }

inside.go

@@ -8,7 +8,6 @@ import (
 	"github.com/slackhq/nebula/header"
 	"github.com/slackhq/nebula/iputil"
 	"github.com/slackhq/nebula/noiseutil"
-	"github.com/slackhq/nebula/routing"
 )
 
 func (f *Interface) consumeInsidePacket(packet []byte, fwPacket *firewall.Packet, nb, out []byte, q int, localCache firewall.ConntrackCache) {
@@ -50,7 +49,7 @@ func (f *Interface) consumeInsidePacket(packet []byte, fwPacket *firewall.Packet
 		return
 	}
 
-	hostinfo, ready := f.getOrHandshakeConsiderRouting(fwPacket, func(hh *HandshakeHostInfo) {
+	hostinfo, ready := f.getOrHandshake(fwPacket.RemoteAddr, func(hh *HandshakeHostInfo) {
 		hh.cachePacket(f.l, header.Message, 0, packet, f.sendMessageNow, f.cachedPacketMetrics)
 	})
 
@@ -122,94 +121,22 @@ func (f *Interface) rejectOutside(packet []byte, ci *ConnectionState, hostinfo *
 	f.sendNoMetrics(header.Message, 0, ci, hostinfo, netip.AddrPort{}, out, nb, packet, q)
 }
 
-// Handshake will attempt to initiate a tunnel with the provided vpn address if it is within our vpn networks. This is a no-op if the tunnel is already established or being established
 func (f *Interface) Handshake(vpnAddr netip.Addr) {
-	f.getOrHandshakeNoRouting(vpnAddr, nil)
+	f.getOrHandshake(vpnAddr, nil)
 }
 
-// getOrHandshakeNoRouting returns nil if the vpnAddr is not routable.
+// getOrHandshake returns nil if the vpnAddr is not routable.
 // If the 2nd return var is false then the hostinfo is not ready to be used in a tunnel
-func (f *Interface) getOrHandshakeNoRouting(vpnAddr netip.Addr, cacheCallback func(*HandshakeHostInfo)) (*HostInfo, bool) {
+func (f *Interface) getOrHandshake(vpnAddr netip.Addr, cacheCallback func(*HandshakeHostInfo)) (*HostInfo, bool) {
 	_, found := f.myVpnNetworksTable.Lookup(vpnAddr)
-	if found {
+	if !found {
+		vpnAddr = f.inside.RouteFor(vpnAddr)
+		if !vpnAddr.IsValid() {
+			return nil, false
+		}
+	}
+
 	return f.handshakeManager.GetOrHandshake(vpnAddr, cacheCallback)
-	}
-
-	return nil, false
-}
-
-// getOrHandshakeConsiderRouting will try to find the HostInfo to handle this packet, starting a handshake if necessary.
-// If the 2nd return var is false then the hostinfo is not ready to be used in a tunnel.
-func (f *Interface) getOrHandshakeConsiderRouting(fwPacket *firewall.Packet, cacheCallback func(*HandshakeHostInfo)) (*HostInfo, bool) {
-
-	destinationAddr := fwPacket.RemoteAddr
-
-	hostinfo, ready := f.getOrHandshakeNoRouting(destinationAddr, cacheCallback)
-
-	// Host is inside the mesh, no routing required
-	if hostinfo != nil {
-		return hostinfo, ready
-	}
-
-	gateways := f.inside.RoutesFor(destinationAddr)
-
-	switch len(gateways) {
-	case 0:
-		return nil, false
-	case 1:
-		// Single gateway route
-		return f.handshakeManager.GetOrHandshake(gateways[0].Addr(), cacheCallback)
-	default:
-		// Multi gateway route, perform ECMP categorization
-		gatewayAddr, balancingOk := routing.BalancePacket(fwPacket, gateways)
-
-		if !balancingOk {
-			// This happens if the gateway buckets were not calculated, this _should_ never happen
-			f.l.Error("Gateway buckets not calculated, fallback from ECMP to random routing. Please report this bug.")
-		}
-
-		var handshakeInfoForChosenGateway *HandshakeHostInfo
-		var hhReceiver = func(hh *HandshakeHostInfo) {
-			handshakeInfoForChosenGateway = hh
-		}
-
-		// Store the handshakeHostInfo for later.
-		// If this node is not reachable we will attempt other nodes, if none are reachable we will
-		// cache the packet for this gateway.
-		if hostinfo, ready = f.handshakeManager.GetOrHandshake(gatewayAddr, hhReceiver); ready {
-			return hostinfo, true
-		}
-
-		// It appears the selected gateway cannot be reached, find another gateway to fallback on.
-		// The current implementation breaks ECMP but that seems better than no connectivity.
-		// If ECMP is also required when a gateway is down then connectivity status
-		// for each gateway needs to be kept and the weights recalculated when they go up or down.
-		// This would also need to interact with unsafe_route updates through reloading the config or
-		// use of the use_system_route_table option
-
-		if f.l.Level >= logrus.DebugLevel {
-			f.l.WithField("destination", destinationAddr).
-				WithField("originalGateway", gatewayAddr).
-				Debugln("Calculated gateway for ECMP not available, attempting other gateways")
-		}
-
-		for i := range gateways {
-			// Skip the gateway that failed previously
-			if gateways[i].Addr() == gatewayAddr {
-				continue
-			}
-
-			// We do not need the HandshakeHostInfo since we cache the packet in the originally chosen gateway
-			if hostinfo, ready = f.handshakeManager.GetOrHandshake(gateways[i].Addr(), nil); ready {
-				return hostinfo, true
-			}
-		}
-
-		// No gateways reachable, cache the packet in the originally chosen gateway
-		cacheCallback(handshakeInfoForChosenGateway)
-		return hostinfo, false
-	}
-
 }
 
 func (f *Interface) sendMessageNow(t header.MessageType, st header.MessageSubType, hostinfo *HostInfo, p, nb, out []byte) {
@@ -236,7 +163,7 @@ func (f *Interface) sendMessageNow(t header.MessageType, st header.MessageSubTyp
 
 // SendMessageToVpnAddr handles real addr:port lookup and sends to the current best known address for vpnAddr
 func (f *Interface) SendMessageToVpnAddr(t header.MessageType, st header.MessageSubType, vpnAddr netip.Addr, p, nb, out []byte) {
-	hostInfo, ready := f.getOrHandshakeNoRouting(vpnAddr, func(hh *HandshakeHostInfo) {
+	hostInfo, ready := f.getOrHandshake(vpnAddr, func(hh *HandshakeHostInfo) {
 		hh.cachePacket(f.l, t, st, p, f.SendMessageToHostInfo, f.cachedPacketMetrics)
 	})
 

interface.go

@@ -266,7 +266,7 @@ func (f *Interface) listenOut(i int) {
 	plaintext := make([]byte, udp.MTU)
 	h := &header.H{}
 	fwPacket := &firewall.Packet{}
-	nb := make([]byte, 12)
+	nb := make([]byte, 12, 12)
 
 	li.ListenOut(func(fromUdpAddr netip.AddrPort, payload []byte) {
 		f.readOutsidePackets(fromUdpAddr, nil, plaintext[:0], payload, h, fwPacket, lhh, nb, i, ctCache.Get(f.l))
@@ -279,7 +279,7 @@ func (f *Interface) listenIn(reader io.ReadWriteCloser, i int) {
 	packet := make([]byte, mtu)
 	out := make([]byte, mtu)
 	fwPacket := &firewall.Packet{}
-	nb := make([]byte, 12)
+	nb := make([]byte, 12, 12)
 
 	conntrackCache := firewall.NewConntrackCacheTicker(f.conntrackCacheTimeout)
 
@@ -322,7 +322,7 @@ func (f *Interface) reloadDisconnectInvalid(c *config.C) {
 
 func (f *Interface) reloadFirewall(c *config.C) {
 	//TODO: need to trigger/detect if the certificate changed too
-	if !c.HasChanged("firewall") {
+	if c.HasChanged("firewall") == false {
 		f.l.Debug("No firewall config change detected")
 		return
 	}
@@ -410,7 +410,7 @@ func (f *Interface) emitStats(ctx context.Context, i time.Duration) {
 	udpStats := udp.NewUDPStatsEmitter(f.writers)
 
 	certExpirationGauge := metrics.GetOrRegisterGauge("certificate.ttl_seconds", nil)
-	certInitiatingVersion := metrics.GetOrRegisterGauge("certificate.initiating_version", nil)
+	certDefaultVersion := metrics.GetOrRegisterGauge("certificate.default_version", nil)
 	certMaxVersion := metrics.GetOrRegisterGauge("certificate.max_version", nil)
 
 	for {
@@ -424,8 +424,8 @@ func (f *Interface) emitStats(ctx context.Context, i time.Duration) {
 
 			certState := f.pki.getCertState()
 			defaultCrt := certState.GetDefaultCertificate()
-			certExpirationGauge.Update(int64(time.Until(defaultCrt.NotAfter()) / time.Second))
+			certExpirationGauge.Update(int64(defaultCrt.NotAfter().Sub(time.Now()) / time.Second))
-			certInitiatingVersion.Update(int64(defaultCrt.Version()))
+			certDefaultVersion.Update(int64(defaultCrt.Version()))
 
 			// Report the max certificate version we are capable of using
 			if certState.v2Cert != nil {

lighthouse.go

@@ -371,7 +371,7 @@ func (lh *LightHouse) parseLighthouses(c *config.C, lhMap map[netip.Addr]struct{
 	}
 
 	staticList := lh.GetStaticHostList()
-	for lhAddr := range lhMap {
+	for lhAddr, _ := range lhMap {
 		if _, ok := staticList[lhAddr]; !ok {
 			return fmt.Errorf("lighthouse %s does not have a static_host_map entry", lhAddr)
 		}
@@ -422,7 +422,7 @@ func (lh *LightHouse) loadStaticMap(c *config.C, staticList map[netip.Addr]struc
 		return err
 	}
 
-	shm := c.GetMap("static_host_map", map[string]any{})
+	shm := c.GetMap("static_host_map", map[interface{}]interface{}{})
 	i := 0
 
 	for k, v := range shm {
@@ -436,9 +436,9 @@ func (lh *LightHouse) loadStaticMap(c *config.C, staticList map[netip.Addr]struc
 			return util.NewContextualError("static_host_map key is not in our network, invalid", m{"vpnAddr": vpnAddr, "networks": lh.myVpnNetworks, "entry": i + 1}, nil)
 		}
 
-		vals, ok := v.([]any)
+		vals, ok := v.([]interface{})
 		if !ok {
-			vals = []any{v}
+			vals = []interface{}{v}
 		}
 		remoteAddrs := []string{}
 		for _, v := range vals {
@@ -654,8 +654,11 @@ func (lh *LightHouse) shouldAdd(vpnAddr netip.Addr, to netip.Addr) bool {
 	}
 
 	_, found := lh.myVpnNetworksTable.Lookup(to)
+	if found {
+		return false
+	}
 
-	return !found
+	return true
 }
 
 // unlockedShouldAddV4 checks if to is allowed by our allow list
@@ -672,7 +675,11 @@ func (lh *LightHouse) unlockedShouldAddV4(vpnAddr netip.Addr, to *V4AddrPort) bo
 	}
 
 	_, found := lh.myVpnNetworksTable.Lookup(udpAddr.Addr())
-	return !found
+	if found {
+		return false
+	}
+
+	return true
 }
 
 // unlockedShouldAddV6 checks if to is allowed by our allow list
@@ -689,8 +696,11 @@ func (lh *LightHouse) unlockedShouldAddV6(vpnAddr netip.Addr, to *V6AddrPort) bo
 	}
 
 	_, found := lh.myVpnNetworksTable.Lookup(udpAddr.Addr())
+	if found {
+		return false
+	}
 
-	return !found
+	return true
 }
 
 func (lh *LightHouse) IsLighthouseAddr(vpnAddr netip.Addr) bool {
@@ -718,7 +728,7 @@ func (lh *LightHouse) startQueryWorker() {
 	}
 
 	go func() {
-		nb := make([]byte, 12)
+		nb := make([]byte, 12, 12)
 		out := make([]byte, mtu)
 
 		for {
@@ -753,7 +763,7 @@ func (lh *LightHouse) innerQueryServer(addr netip.Addr, nb, out []byte) {
 		if hi != nil {
 			v = hi.ConnectionState.myCert.Version()
 		} else {
-			v = lh.ifce.GetCertState().initiatingVersion
+			v = lh.ifce.GetCertState().defaultVersion
 		}
 
 		if v == cert.Version1 {
@@ -859,7 +869,7 @@ func (lh *LightHouse) SendUpdate() {
 		}
 	}
 
-	nb := make([]byte, 12)
+	nb := make([]byte, 12, 12)
 	out := make([]byte, mtu)
 
 	var v1Update, v2Update []byte
@@ -873,7 +883,7 @@ func (lh *LightHouse) SendUpdate() {
 		if hi != nil {
 			v = hi.ConnectionState.myCert.Version()
 		} else {
-			v = lh.ifce.GetCertState().initiatingVersion
+			v = lh.ifce.GetCertState().defaultVersion
 		}
 		if v == cert.Version1 {
 			if v1Update == nil {
@@ -961,7 +971,7 @@ type LightHouseHandler struct {
 func (lh *LightHouse) NewRequestHandler() *LightHouseHandler {
 	lhh := &LightHouseHandler{
 		lh:  lh,
-		nb:  make([]byte, 12),
+		nb:  make([]byte, 12, 12),
 		out: make([]byte, mtu),
 		l:   lh.l,
 		pb:  make([]byte, mtu),
@@ -1104,7 +1114,7 @@ func (lhh *LightHouseHandler) sendHostPunchNotification(n *NebulaMeta, fromVpnAd
 		targetHI := lhh.lh.ifce.GetHostInfo(punchNotifDest)
 		var useVersion cert.Version
 		if targetHI == nil {
-			useVersion = lhh.lh.ifce.GetCertState().initiatingVersion
+			useVersion = lhh.lh.ifce.GetCertState().defaultVersion
 		} else {
 			crt := targetHI.GetCert().Certificate
 			useVersion = crt.Version()
@@ -1152,7 +1162,7 @@ func (lhh *LightHouseHandler) coalesceAnswers(v cert.Version, c *cache, n *Nebul
 		if c.v4.learned != nil {
 			n.Details.V4AddrPorts = append(n.Details.V4AddrPorts, c.v4.learned)
 		}
-		if len(c.v4.reported) > 0 {
+		if c.v4.reported != nil && len(c.v4.reported) > 0 {
 			n.Details.V4AddrPorts = append(n.Details.V4AddrPorts, c.v4.reported...)
 		}
 	}
@@ -1161,7 +1171,7 @@ func (lhh *LightHouseHandler) coalesceAnswers(v cert.Version, c *cache, n *Nebul
 		if c.v6.learned != nil {
 			n.Details.V6AddrPorts = append(n.Details.V6AddrPorts, c.v6.learned)
 		}
-		if len(c.v6.reported) > 0 {
+		if c.v6.reported != nil && len(c.v6.reported) > 0 {
 			n.Details.V6AddrPorts = append(n.Details.V6AddrPorts, c.v6.reported...)
 		}
 	}
@@ -1359,7 +1369,7 @@ func (lhh *LightHouseHandler) handleHostPunchNotification(n *NebulaMeta, fromVpn
 			//NOTE: we have to allocate a new output buffer here since we are spawning a new goroutine
 			// for each punchBack packet. We should move this into a timerwheel or a single goroutine
 			// managed by a channel.
-			w.SendMessageToVpnAddr(header.Test, header.TestRequest, queryVpnAddr, []byte(""), make([]byte, 12), make([]byte, mtu))
+			w.SendMessageToVpnAddr(header.Test, header.TestRequest, queryVpnAddr, []byte(""), make([]byte, 12, 12), make([]byte, mtu))
 		}()
 	}
 }

lighthouse_test.go

@@ -14,7 +14,7 @@ import (
 	"github.com/slackhq/nebula/test"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/yaml.v3"
+	"gopkg.in/yaml.v2"
 )
 
 func TestOldIPv4Only(t *testing.T) {
@@ -40,15 +40,15 @@ func Test_lhStaticMapping(t *testing.T) {
 	lh1 := "10.128.0.2"
 
 	c := config.NewC(l)
-	c.Settings["lighthouse"] = map[string]any{"hosts": []any{lh1}}
+	c.Settings["lighthouse"] = map[interface{}]interface{}{"hosts": []interface{}{lh1}}
-	c.Settings["static_host_map"] = map[string]any{lh1: []any{"1.1.1.1:4242"}}
+	c.Settings["static_host_map"] = map[interface{}]interface{}{lh1: []interface{}{"1.1.1.1:4242"}}
 	_, err := NewLightHouseFromConfig(context.Background(), l, c, cs, nil, nil)
 	require.NoError(t, err)
 
 	lh2 := "10.128.0.3"
 	c = config.NewC(l)
-	c.Settings["lighthouse"] = map[string]any{"hosts": []any{lh1, lh2}}
+	c.Settings["lighthouse"] = map[interface{}]interface{}{"hosts": []interface{}{lh1, lh2}}
-	c.Settings["static_host_map"] = map[string]any{lh1: []any{"100.1.1.1:4242"}}
+	c.Settings["static_host_map"] = map[interface{}]interface{}{lh1: []interface{}{"100.1.1.1:4242"}}
 	_, err = NewLightHouseFromConfig(context.Background(), l, c, cs, nil, nil)
 	require.EqualError(t, err, "lighthouse 10.128.0.3 does not have a static_host_map entry")
 }
@@ -65,12 +65,12 @@ func TestReloadLighthouseInterval(t *testing.T) {
 	lh1 := "10.128.0.2"
 
 	c := config.NewC(l)
-	c.Settings["lighthouse"] = map[string]any{
+	c.Settings["lighthouse"] = map[interface{}]interface{}{
-		"hosts":    []any{lh1},
+		"hosts":    []interface{}{lh1},
 		"interval": "1s",
 	}
 
-	c.Settings["static_host_map"] = map[string]any{lh1: []any{"1.1.1.1:4242"}}
+	c.Settings["static_host_map"] = map[interface{}]interface{}{lh1: []interface{}{"1.1.1.1:4242"}}
 	lh, err := NewLightHouseFromConfig(context.Background(), l, c, cs, nil, nil)
 	require.NoError(t, err)
 	lh.ifce = &mockEncWriter{}
@@ -192,8 +192,8 @@ func TestLighthouse_Memory(t *testing.T) {
 	theirVpnIp := netip.MustParseAddr("10.128.0.3")
 
 	c := config.NewC(l)
-	c.Settings["lighthouse"] = map[string]any{"am_lighthouse": true}
+	c.Settings["lighthouse"] = map[interface{}]interface{}{"am_lighthouse": true}
-	c.Settings["listen"] = map[string]any{"port": 4242}
+	c.Settings["listen"] = map[interface{}]interface{}{"port": 4242}
 
 	myVpnNet := netip.MustParsePrefix("10.128.0.1/24")
 	nt := new(bart.Table[struct{}])
@@ -277,8 +277,8 @@ func TestLighthouse_Memory(t *testing.T) {
 func TestLighthouse_reload(t *testing.T) {
 	l := test.NewLogger()
 	c := config.NewC(l)
-	c.Settings["lighthouse"] = map[string]any{"am_lighthouse": true}
+	c.Settings["lighthouse"] = map[interface{}]interface{}{"am_lighthouse": true}
-	c.Settings["listen"] = map[string]any{"port": 4242}
+	c.Settings["listen"] = map[interface{}]interface{}{"port": 4242}
 
 	myVpnNet := netip.MustParsePrefix("10.128.0.1/24")
 	nt := new(bart.Table[struct{}])
@@ -291,9 +291,9 @@ func TestLighthouse_reload(t *testing.T) {
 	lh, err := NewLightHouseFromConfig(context.Background(), l, c, cs, nil, nil)
 	require.NoError(t, err)
 
-	nc := map[string]any{
+	nc := map[interface{}]interface{}{
-		"static_host_map": map[string]any{
+		"static_host_map": map[interface{}]interface{}{
-			"10.128.0.2": []any{"1.1.1.1:4242"},
+			"10.128.0.2": []interface{}{"1.1.1.1:4242"},
 		},
 	}
 	rc, err := yaml.Marshal(nc)
@@ -417,7 +417,7 @@ func (tw *testEncWriter) GetHostInfo(vpnIp netip.Addr) *HostInfo {
 }
 
 func (tw *testEncWriter) GetCertState() *CertState {
-	return &CertState{initiatingVersion: tw.protocolVersion}
+	return &CertState{defaultVersion: tw.protocolVersion}
 }
 
 // assertIp4InArray asserts every address in want is at the same position in have and that the lengths match
@@ -484,12 +484,12 @@ func Test_findNetworkUnion(t *testing.T) {
 	assert.Equal(t, out, afe81)
 
 	//falsey cases
-	_, ok = findNetworkUnion([]netip.Prefix{oneSevenTwo, fe80}, []netip.Addr{a1})
+	out, ok = findNetworkUnion([]netip.Prefix{oneSevenTwo, fe80}, []netip.Addr{a1})
 	assert.False(t, ok)
-	_, ok = findNetworkUnion([]netip.Prefix{fc00, fe80}, []netip.Addr{a1})
+	out, ok = findNetworkUnion([]netip.Prefix{fc00, fe80}, []netip.Addr{a1})
 	assert.False(t, ok)
-	_, ok = findNetworkUnion([]netip.Prefix{oneSevenTwo, fc00}, []netip.Addr{a1, afe81})
+	out, ok = findNetworkUnion([]netip.Prefix{oneSevenTwo, fc00}, []netip.Addr{a1, afe81})
 	assert.False(t, ok)
-	_, ok = findNetworkUnion([]netip.Prefix{fc00}, []netip.Addr{a1, afe81})
+	out, ok = findNetworkUnion([]netip.Prefix{fc00}, []netip.Addr{a1, afe81})
 	assert.False(t, ok)
 }

main.go

@@ -13,10 +13,10 @@ import (
 	"github.com/slackhq/nebula/sshd"
 	"github.com/slackhq/nebula/udp"
 	"github.com/slackhq/nebula/util"
-	"gopkg.in/yaml.v3"
+	"gopkg.in/yaml.v2"
 )
 
-type m = map[string]any
+type m map[string]interface{}
 
 func Main(c *config.C, configTest bool, buildVersion string, logger *logrus.Logger, deviceFactory overlay.DeviceFactory) (retcon *Control, reterr error) {
 	ctx, cancel := context.WithCancel(context.Background())

message_metrics.go

@@ -17,7 +17,7 @@ type MessageMetrics struct {
 
 func (m *MessageMetrics) Rx(t header.MessageType, s header.MessageSubType, i int64) {
 	if m != nil {
-		if int(t) < len(m.rx) && int(s) < len(m.rx[t]) {
+		if t >= 0 && int(t) < len(m.rx) && s >= 0 && int(s) < len(m.rx[t]) {
 			m.rx[t][s].Inc(i)
 		} else if m.rxUnknown != nil {
 			m.rxUnknown.Inc(i)
@@ -26,7 +26,7 @@ func (m *MessageMetrics) Rx(t header.MessageType, s header.MessageSubType, i int
 }
 func (m *MessageMetrics) Tx(t header.MessageType, s header.MessageSubType, i int64) {
 	if m != nil {
-		if int(t) < len(m.tx) && int(s) < len(m.tx[t]) {
+		if t >= 0 && int(t) < len(m.tx) && s >= 0 && int(s) < len(m.tx[t]) {
 			m.tx[t][s].Inc(i)
 		} else if m.txUnknown != nil {
 			m.txUnknown.Inc(i)

outside.go

@@ -228,7 +228,7 @@ func (f *Interface) closeTunnel(hostInfo *HostInfo) {
 
 // sendCloseTunnel is a helper function to send a proper close tunnel packet to a remote
 func (f *Interface) sendCloseTunnel(h *HostInfo) {
-	f.send(header.CloseTunnel, 0, h.ConnectionState, h, []byte{}, make([]byte, 12), make([]byte, mtu))
+	f.send(header.CloseTunnel, 0, h.ConnectionState, h, []byte{}, make([]byte, 12, 12), make([]byte, mtu))
 }
 
 func (f *Interface) handleHostRoaming(hostinfo *HostInfo, udpAddr netip.AddrPort) {

overlay/device.go

@@ -3,8 +3,6 @@ package overlay
 import (
 	"io"
 	"net/netip"
-
-	"github.com/slackhq/nebula/routing"
 )
 
 type Device interface {
@@ -12,6 +10,6 @@ type Device interface {
 	Activate() error
 	Networks() []netip.Prefix
 	Name() string
-	RoutesFor(netip.Addr) routing.Gateways
+	RouteFor(netip.Addr) netip.Addr
 	NewMultiQueueReader() (io.ReadWriteCloser, error)
 }

overlay/route.go

@@ -3,6 +3,7 @@ package overlay
 import (
 	"fmt"
 	"math"
+	"net"
 	"net/netip"
 	"runtime"
 	"strconv"
@@ -10,14 +11,13 @@ import (
 	"github.com/gaissmai/bart"
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/config"
-	"github.com/slackhq/nebula/routing"
 )
 
 type Route struct {
 	MTU     int
 	Metric  int
 	Cidr    netip.Prefix
-	Via     routing.Gateways
+	Via     netip.Addr
 	Install bool
 }
 
@@ -47,17 +47,15 @@ func (r Route) String() string {
 	return s
 }
 
-func makeRouteTree(l *logrus.Logger, routes []Route, allowMTU bool) (*bart.Table[routing.Gateways], error) {
+func makeRouteTree(l *logrus.Logger, routes []Route, allowMTU bool) (*bart.Table[netip.Addr], error) {
-	routeTree := new(bart.Table[routing.Gateways])
+	routeTree := new(bart.Table[netip.Addr])
 	for _, r := range routes {
 		if !allowMTU && r.MTU > 0 {
 			l.WithField("route", r).Warnf("route MTU is not supported in %s", runtime.GOOS)
 		}
 
-		gateways := r.Via
+		if r.Via.IsValid() {
-		if len(gateways) > 0 {
+			routeTree.Insert(r.Cidr, r.Via)
-			routing.CalculateBucketsForGateways(gateways)
-			routeTree.Insert(r.Cidr, gateways)
 		}
 	}
 	return routeTree, nil
@@ -71,7 +69,7 @@ func parseRoutes(c *config.C, networks []netip.Prefix) ([]Route, error) {
 		return []Route{}, nil
 	}
 
-	rawRoutes, ok := r.([]any)
+	rawRoutes, ok := r.([]interface{})
 	if !ok {
 		return nil, fmt.Errorf("tun.routes is not an array")
 	}
@@ -82,7 +80,7 @@ func parseRoutes(c *config.C, networks []netip.Prefix) ([]Route, error) {
 
 	routes := make([]Route, len(rawRoutes))
 	for i, r := range rawRoutes {
-		m, ok := r.(map[string]any)
+		m, ok := r.(map[interface{}]interface{})
 		if !ok {
 			return nil, fmt.Errorf("entry %v in tun.routes is invalid", i+1)
 		}
@@ -150,7 +148,7 @@ func parseUnsafeRoutes(c *config.C, networks []netip.Prefix) ([]Route, error) {
 		return []Route{}, nil
 	}
 
-	rawRoutes, ok := r.([]any)
+	rawRoutes, ok := r.([]interface{})
 	if !ok {
 		return nil, fmt.Errorf("tun.unsafe_routes is not an array")
 	}
@@ -161,7 +159,7 @@ func parseUnsafeRoutes(c *config.C, networks []netip.Prefix) ([]Route, error) {
 
 	routes := make([]Route, len(rawRoutes))
 	for i, r := range rawRoutes {
-		m, ok := r.(map[string]any)
+		m, ok := r.(map[interface{}]interface{})
 		if !ok {
 			return nil, fmt.Errorf("entry %v in tun.unsafe_routes is invalid", i+1)
 		}
@@ -203,65 +201,16 @@ func parseUnsafeRoutes(c *config.C, networks []netip.Prefix) ([]Route, error) {
 			return nil, fmt.Errorf("entry %v.via in tun.unsafe_routes is not present", i+1)
 		}
 
-		var gateways routing.Gateways
+		via, ok := rVia.(string)
+		if !ok {
+			return nil, fmt.Errorf("entry %v.via in tun.unsafe_routes is not a string: found %T", i+1, rVia)
+		}
 
-		switch via := rVia.(type) {
+		viaVpnIp, err := netip.ParseAddr(via)
-		case string:
-			viaIp, err := netip.ParseAddr(via)
 		if err != nil {
 			return nil, fmt.Errorf("entry %v.via in tun.unsafe_routes failed to parse address: %v", i+1, err)
 		}
 
-			gateways = routing.Gateways{routing.NewGateway(viaIp, 1)}
-
-		case []any:
-			gateways = make(routing.Gateways, len(via))
-			for ig, v := range via {
-				gatewayMap, ok := v.(map[string]any)
-				if !ok {
-					return nil, fmt.Errorf("entry %v in tun.unsafe_routes[%v].via is invalid", i+1, ig+1)
-				}
-
-				rGateway, ok := gatewayMap["gateway"]
-				if !ok {
-					return nil, fmt.Errorf("entry .gateway in tun.unsafe_routes[%v].via[%v] is not present", i+1, ig+1)
-				}
-
-				parsedGateway, ok := rGateway.(string)
-				if !ok {
-					return nil, fmt.Errorf("entry .gateway in tun.unsafe_routes[%v].via[%v] is not a string", i+1, ig+1)
-				}
-
-				gatewayIp, err := netip.ParseAddr(parsedGateway)
-				if err != nil {
-					return nil, fmt.Errorf("entry .gateway in tun.unsafe_routes[%v].via[%v] failed to parse address: %v", i+1, ig+1, err)
-				}
-
-				rGatewayWeight, ok := gatewayMap["weight"]
-				if !ok {
-					rGatewayWeight = 1
-				}
-
-				gatewayWeight, ok := rGatewayWeight.(int)
-				if !ok {
-					_, err = strconv.ParseInt(rGatewayWeight.(string), 10, 32)
-					if err != nil {
-						return nil, fmt.Errorf("entry .weight in tun.unsafe_routes[%v].via[%v] is not an integer", i+1, ig+1)
-					}
-				}
-
-				if gatewayWeight < 1 || gatewayWeight > math.MaxInt32 {
-					return nil, fmt.Errorf("entry .weight in tun.unsafe_routes[%v].via[%v] is not in range (1-%d) : %v", i+1, ig+1, math.MaxInt32, gatewayWeight)
-				}
-
-				gateways[ig] = routing.NewGateway(gatewayIp, gatewayWeight)
-
-			}
-
-		default:
-			return nil, fmt.Errorf("entry %v.via in tun.unsafe_routes is not a string or list of gateways: found %T", i+1, rVia)
-		}
-
 		rRoute, ok := m["route"]
 		if !ok {
 			return nil, fmt.Errorf("entry %v.route in tun.unsafe_routes is not present", i+1)
@@ -277,7 +226,7 @@ func parseUnsafeRoutes(c *config.C, networks []netip.Prefix) ([]Route, error) {
 		}
 
 		r := Route{
-			Via:     gateways,
+			Via:     viaVpnIp,
 			MTU:     mtu,
 			Metric:  metric,
 			Install: install,
@@ -304,3 +253,29 @@ func parseUnsafeRoutes(c *config.C, networks []netip.Prefix) ([]Route, error) {
 
 	return routes, nil
 }
+
+func ipWithin(o *net.IPNet, i *net.IPNet) bool {
+	// Make sure o contains the lowest form of i
+	if !o.Contains(i.IP.Mask(i.Mask)) {
+		return false
+	}
+
+	// Find the max ip in i
+	ip4 := i.IP.To4()
+	if ip4 == nil {
+		return false
+	}
+
+	last := make(net.IP, len(ip4))
+	copy(last, ip4)
+	for x := range ip4 {
+		last[x] |= ^i.Mask[x]
+	}
+
+	// Make sure o contains the max
+	if !o.Contains(last) {
+		return false
+	}
+
+	return true
+}

overlay/route_test.go

@@ -6,7 +6,6 @@ import (
 	"testing"
 
 	"github.com/slackhq/nebula/config"
-	"github.com/slackhq/nebula/routing"
 	"github.com/slackhq/nebula/test"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -24,75 +23,75 @@ func Test_parseRoutes(t *testing.T) {
 	assert.Empty(t, routes)
 
 	// not an array
-	c.Settings["tun"] = map[string]any{"routes": "hi"}
+	c.Settings["tun"] = map[interface{}]interface{}{"routes": "hi"}
 	routes, err = parseRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "tun.routes is not an array")
 
 	// no routes
-	c.Settings["tun"] = map[string]any{"routes": []any{}}
+	c.Settings["tun"] = map[interface{}]interface{}{"routes": []interface{}{}}
 	routes, err = parseRoutes(c, []netip.Prefix{n})
 	require.NoError(t, err)
 	assert.Empty(t, routes)
 
 	// weird route
-	c.Settings["tun"] = map[string]any{"routes": []any{"asdf"}}
+	c.Settings["tun"] = map[interface{}]interface{}{"routes": []interface{}{"asdf"}}
 	routes, err = parseRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1 in tun.routes is invalid")
 
 	// no mtu
-	c.Settings["tun"] = map[string]any{"routes": []any{map[string]any{}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"routes": []interface{}{map[interface{}]interface{}{}}}
 	routes, err = parseRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.mtu in tun.routes is not present")
 
 	// bad mtu
-	c.Settings["tun"] = map[string]any{"routes": []any{map[string]any{"mtu": "nope"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"routes": []interface{}{map[interface{}]interface{}{"mtu": "nope"}}}
 	routes, err = parseRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.mtu in tun.routes is not an integer: strconv.Atoi: parsing \"nope\": invalid syntax")
 
 	// low mtu
-	c.Settings["tun"] = map[string]any{"routes": []any{map[string]any{"mtu": "499"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"routes": []interface{}{map[interface{}]interface{}{"mtu": "499"}}}
 	routes, err = parseRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.mtu in tun.routes is below 500: 499")
 
 	// missing route
-	c.Settings["tun"] = map[string]any{"routes": []any{map[string]any{"mtu": "500"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"routes": []interface{}{map[interface{}]interface{}{"mtu": "500"}}}
 	routes, err = parseRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.route in tun.routes is not present")
 
 	// unparsable route
-	c.Settings["tun"] = map[string]any{"routes": []any{map[string]any{"mtu": "500", "route": "nope"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"routes": []interface{}{map[interface{}]interface{}{"mtu": "500", "route": "nope"}}}
 	routes, err = parseRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.route in tun.routes failed to parse: netip.ParsePrefix(\"nope\"): no '/'")
 
 	// below network range
-	c.Settings["tun"] = map[string]any{"routes": []any{map[string]any{"mtu": "500", "route": "1.0.0.0/8"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"routes": []interface{}{map[interface{}]interface{}{"mtu": "500", "route": "1.0.0.0/8"}}}
 	routes, err = parseRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.route in tun.routes is not contained within the configured vpn networks; route: 1.0.0.0/8, networks: [10.0.0.0/24]")
 
 	// above network range
-	c.Settings["tun"] = map[string]any{"routes": []any{map[string]any{"mtu": "500", "route": "10.0.1.0/24"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"routes": []interface{}{map[interface{}]interface{}{"mtu": "500", "route": "10.0.1.0/24"}}}
 	routes, err = parseRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.route in tun.routes is not contained within the configured vpn networks; route: 10.0.1.0/24, networks: [10.0.0.0/24]")
 
 	// Not in multiple ranges
-	c.Settings["tun"] = map[string]any{"routes": []any{map[string]any{"mtu": "500", "route": "192.0.0.0/24"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"routes": []interface{}{map[interface{}]interface{}{"mtu": "500", "route": "192.0.0.0/24"}}}
 	routes, err = parseRoutes(c, []netip.Prefix{n, netip.MustParsePrefix("192.1.0.0/24")})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.route in tun.routes is not contained within the configured vpn networks; route: 192.0.0.0/24, networks: [10.0.0.0/24 192.1.0.0/24]")
 
 	// happy case
-	c.Settings["tun"] = map[string]any{"routes": []any{
+	c.Settings["tun"] = map[interface{}]interface{}{"routes": []interface{}{
-		map[string]any{"mtu": "9000", "route": "10.0.0.0/29"},
+		map[interface{}]interface{}{"mtu": "9000", "route": "10.0.0.0/29"},
-		map[string]any{"mtu": "8000", "route": "10.0.0.1/32"},
+		map[interface{}]interface{}{"mtu": "8000", "route": "10.0.0.1/32"},
 	}}
 	routes, err = parseRoutes(c, []netip.Prefix{n})
 	require.NoError(t, err)
@@ -129,130 +128,105 @@ func Test_parseUnsafeRoutes(t *testing.T) {
 	assert.Empty(t, routes)
 
 	// not an array
-	c.Settings["tun"] = map[string]any{"unsafe_routes": "hi"}
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": "hi"}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "tun.unsafe_routes is not an array")
 
 	// no routes
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{}}
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	require.NoError(t, err)
 	assert.Empty(t, routes)
 
 	// weird route
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{"asdf"}}
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{"asdf"}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1 in tun.unsafe_routes is invalid")
 
 	// no via
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{}}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.via in tun.unsafe_routes is not present")
 
 	// invalid via
-	for _, invalidValue := range []any{
+	for _, invalidValue := range []interface{}{
 		127, false, nil, 1.0, []string{"1", "2"},
 	} {
-		c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"via": invalidValue}}}
+		c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"via": invalidValue}}}
 		routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 		assert.Nil(t, routes)
-		require.EqualError(t, err, fmt.Sprintf("entry 1.via in tun.unsafe_routes is not a string or list of gateways: found %T", invalidValue))
+		require.EqualError(t, err, fmt.Sprintf("entry 1.via in tun.unsafe_routes is not a string: found %T", invalidValue))
 	}
 
-	// Unparsable list of via
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"via": []string{"1", "2"}}}}
-	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
-	assert.Nil(t, routes)
-	require.EqualError(t, err, "entry 1.via in tun.unsafe_routes is not a string or list of gateways: found []string")
-
 	// unparsable via
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"mtu": "500", "via": "nope"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"mtu": "500", "via": "nope"}}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.via in tun.unsafe_routes failed to parse address: ParseAddr(\"nope\"): unable to parse IP")
 
-	// unparsable gateway
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"mtu": "500", "via": []any{map[string]any{"gateway": "1"}}}}}
-	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
-	assert.Nil(t, routes)
-	require.EqualError(t, err, "entry .gateway in tun.unsafe_routes[1].via[1] failed to parse address: ParseAddr(\"1\"): unable to parse IP")
-
-	// missing gateway element
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"mtu": "500", "via": []any{map[string]any{"weight": "1"}}}}}
-	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
-	assert.Nil(t, routes)
-	require.EqualError(t, err, "entry .gateway in tun.unsafe_routes[1].via[1] is not present")
-
-	// unparsable weight element
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"mtu": "500", "via": []any{map[string]any{"gateway": "10.0.0.1", "weight": "a"}}}}}
-	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
-	assert.Nil(t, routes)
-	require.EqualError(t, err, "entry .weight in tun.unsafe_routes[1].via[1] is not an integer")
-
 	// missing route
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"via": "127.0.0.1", "mtu": "500"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"via": "127.0.0.1", "mtu": "500"}}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.route in tun.unsafe_routes is not present")
 
 	// unparsable route
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"via": "127.0.0.1", "mtu": "500", "route": "nope"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"via": "127.0.0.1", "mtu": "500", "route": "nope"}}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.route in tun.unsafe_routes failed to parse: netip.ParsePrefix(\"nope\"): no '/'")
 
 	// within network range
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"via": "127.0.0.1", "route": "10.0.0.0/24"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"via": "127.0.0.1", "route": "10.0.0.0/24"}}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.route in tun.unsafe_routes is contained within the configured vpn networks; route: 10.0.0.0/24, network: 10.0.0.0/24")
 
 	// below network range
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"via": "127.0.0.1", "route": "1.0.0.0/8"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"via": "127.0.0.1", "route": "1.0.0.0/8"}}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	assert.Len(t, routes, 1)
 	require.NoError(t, err)
 
 	// above network range
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"via": "127.0.0.1", "route": "10.0.1.0/24"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"via": "127.0.0.1", "route": "10.0.1.0/24"}}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	assert.Len(t, routes, 1)
 	require.NoError(t, err)
 
 	// no mtu
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"via": "127.0.0.1", "route": "1.0.0.0/8"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"via": "127.0.0.1", "route": "1.0.0.0/8"}}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
-	require.NoError(t, err)
 	assert.Len(t, routes, 1)
 	assert.Equal(t, 0, routes[0].MTU)
 
 	// bad mtu
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"via": "127.0.0.1", "mtu": "nope"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"via": "127.0.0.1", "mtu": "nope"}}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.mtu in tun.unsafe_routes is not an integer: strconv.Atoi: parsing \"nope\": invalid syntax")
 
 	// low mtu
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"via": "127.0.0.1", "mtu": "499"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"via": "127.0.0.1", "mtu": "499"}}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.mtu in tun.unsafe_routes is below 500: 499")
 
 	// bad install
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"via": "127.0.0.1", "mtu": "9000", "route": "1.0.0.0/29", "install": "nope"}}}
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"via": "127.0.0.1", "mtu": "9000", "route": "1.0.0.0/29", "install": "nope"}}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.install in tun.unsafe_routes is not a boolean: strconv.ParseBool: parsing \"nope\": invalid syntax")
 
 	// happy case
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{
-		map[string]any{"via": "127.0.0.1", "mtu": "9000", "route": "1.0.0.0/29", "install": "t"},
+		map[interface{}]interface{}{"via": "127.0.0.1", "mtu": "9000", "route": "1.0.0.0/29", "install": "t"},
-		map[string]any{"via": "127.0.0.1", "mtu": "8000", "route": "1.0.0.1/32", "install": 0},
+		map[interface{}]interface{}{"via": "127.0.0.1", "mtu": "8000", "route": "1.0.0.1/32", "install": 0},
-		map[string]any{"via": "127.0.0.1", "mtu": "1500", "metric": 1234, "route": "1.0.0.2/32", "install": 1},
+		map[interface{}]interface{}{"via": "127.0.0.1", "mtu": "1500", "metric": 1234, "route": "1.0.0.2/32", "install": 1},
-		map[string]any{"via": "127.0.0.1", "mtu": "1500", "metric": 1234, "route": "1.0.0.2/32"},
+		map[interface{}]interface{}{"via": "127.0.0.1", "mtu": "1500", "metric": 1234, "route": "1.0.0.2/32"},
 	}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	require.NoError(t, err)
@@ -289,9 +263,9 @@ func Test_makeRouteTree(t *testing.T) {
 	n, err := netip.ParsePrefix("10.0.0.0/24")
 	require.NoError(t, err)
 
-	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{
-		map[string]any{"via": "192.168.0.1", "route": "1.0.0.0/28"},
+		map[interface{}]interface{}{"via": "192.168.0.1", "route": "1.0.0.0/28"},
-		map[string]any{"via": "192.168.0.2", "route": "1.0.0.1/32"},
+		map[interface{}]interface{}{"via": "192.168.0.2", "route": "1.0.0.1/32"},
 	}}
 	routes, err := parseUnsafeRoutes(c, []netip.Prefix{n})
 	require.NoError(t, err)
@@ -306,7 +280,7 @@ func Test_makeRouteTree(t *testing.T) {
 
 	nip, err := netip.ParseAddr("192.168.0.1")
 	require.NoError(t, err)
-	assert.Equal(t, nip, r[0].Addr())
+	assert.Equal(t, nip, r)
 
 	ip, err = netip.ParseAddr("1.0.0.1")
 	require.NoError(t, err)
@@ -315,91 +289,10 @@ func Test_makeRouteTree(t *testing.T) {
 
 	nip, err = netip.ParseAddr("192.168.0.2")
 	require.NoError(t, err)
-	assert.Equal(t, nip, r[0].Addr())
+	assert.Equal(t, nip, r)
 
 	ip, err = netip.ParseAddr("1.1.0.1")
 	require.NoError(t, err)
-	_, ok = routeTree.Lookup(ip)
+	r, ok = routeTree.Lookup(ip)
 	assert.False(t, ok)
 }
-
-func Test_makeMultipathUnsafeRouteTree(t *testing.T) {
-	l := test.NewLogger()
-	c := config.NewC(l)
-	n, err := netip.ParsePrefix("10.0.0.0/24")
-	require.NoError(t, err)
-
-	c.Settings["tun"] = map[string]any{
-		"unsafe_routes": []any{
-			map[string]any{
-				"route": "192.168.86.0/24",
-				"via":   "192.168.100.10",
-			},
-			map[string]any{
-				"route": "192.168.87.0/24",
-				"via": []any{
-					map[string]any{
-						"gateway": "10.0.0.1",
-					},
-					map[string]any{
-						"gateway": "10.0.0.2",
-					},
-					map[string]any{
-						"gateway": "10.0.0.3",
-					},
-				},
-			},
-			map[string]any{
-				"route": "192.168.89.0/24",
-				"via": []any{
-					map[string]any{
-						"gateway": "10.0.0.1",
-						"weight":  10,
-					},
-					map[string]any{
-						"gateway": "10.0.0.2",
-						"weight":  5,
-					},
-				},
-			},
-		},
-	}
-
-	routes, err := parseUnsafeRoutes(c, []netip.Prefix{n})
-	require.NoError(t, err)
-	assert.Len(t, routes, 3)
-	routeTree, err := makeRouteTree(l, routes, true)
-	require.NoError(t, err)
-
-	ip, err := netip.ParseAddr("192.168.86.1")
-	require.NoError(t, err)
-	r, ok := routeTree.Lookup(ip)
-	assert.True(t, ok)
-
-	nip, err := netip.ParseAddr("192.168.100.10")
-	require.NoError(t, err)
-	assert.Equal(t, nip, r[0].Addr())
-
-	ip, err = netip.ParseAddr("192.168.87.1")
-	require.NoError(t, err)
-	r, ok = routeTree.Lookup(ip)
-	assert.True(t, ok)
-
-	expectedGateways := routing.Gateways{routing.NewGateway(netip.MustParseAddr("10.0.0.1"), 1),
-		routing.NewGateway(netip.MustParseAddr("10.0.0.2"), 1),
-		routing.NewGateway(netip.MustParseAddr("10.0.0.3"), 1)}
-
-	routing.CalculateBucketsForGateways(expectedGateways)
-	assert.ElementsMatch(t, expectedGateways, r)
-
-	ip, err = netip.ParseAddr("192.168.89.1")
-	require.NoError(t, err)
-	r, ok = routeTree.Lookup(ip)
-	assert.True(t, ok)
-
-	expectedGateways = routing.Gateways{routing.NewGateway(netip.MustParseAddr("10.0.0.1"), 10),
-		routing.NewGateway(netip.MustParseAddr("10.0.0.2"), 5)}
-
-	routing.CalculateBucketsForGateways(expectedGateways)
-	assert.ElementsMatch(t, expectedGateways, r)
-}

overlay/tun_android.go

@@ -13,7 +13,6 @@ import (
 	"github.com/gaissmai/bart"
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/config"
-	"github.com/slackhq/nebula/routing"
 	"github.com/slackhq/nebula/util"
 )
 
@@ -22,7 +21,7 @@ type tun struct {
 	fd          int
 	vpnNetworks []netip.Prefix
 	Routes      atomic.Pointer[[]Route]
-	routeTree   atomic.Pointer[bart.Table[routing.Gateways]]
+	routeTree   atomic.Pointer[bart.Table[netip.Addr]]
 	l           *logrus.Logger
 }
 
@@ -57,7 +56,7 @@ func newTun(_ *config.C, _ *logrus.Logger, _ []netip.Prefix, _ bool) (*tun, erro
 	return nil, fmt.Errorf("newTun not supported in Android")
 }
 
-func (t *tun) RoutesFor(ip netip.Addr) routing.Gateways {
+func (t *tun) RouteFor(ip netip.Addr) netip.Addr {
 	r, _ := t.routeTree.Load().Lookup(ip)
 	return r
 }

overlay/tun_darwin.go

@@ -17,7 +17,6 @@ import (
 	"github.com/gaissmai/bart"
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/config"
-	"github.com/slackhq/nebula/routing"
 	"github.com/slackhq/nebula/util"
 	netroute "golang.org/x/net/route"
 	"golang.org/x/sys/unix"
@@ -29,7 +28,7 @@ type tun struct {
 	vpnNetworks []netip.Prefix
 	DefaultMTU  int
 	Routes      atomic.Pointer[[]Route]
-	routeTree   atomic.Pointer[bart.Table[routing.Gateways]]
+	routeTree   atomic.Pointer[bart.Table[netip.Addr]]
 	linkAddr    *netroute.LinkAddr
 	l           *logrus.Logger
 
@@ -343,12 +342,12 @@ func (t *tun) reload(c *config.C, initial bool) error {
 	return nil
 }
 
-func (t *tun) RoutesFor(ip netip.Addr) routing.Gateways {
+func (t *tun) RouteFor(ip netip.Addr) netip.Addr {
 	r, ok := t.routeTree.Load().Lookup(ip)
 	if ok {
 		return r
 	}
-	return routing.Gateways{}
+	return netip.Addr{}
 }
 
 // Get the LinkAddr for the interface of the given name
@@ -383,7 +382,7 @@ func (t *tun) addRoutes(logErrors bool) error {
 	routes := *t.Routes.Load()
 
 	for _, r := range routes {
-		if len(r.Via) == 0 || !r.Install {
+		if !r.Via.IsValid() || !r.Install {
 			// We don't allow route MTUs so only install routes with a via
 			continue
 		}
@@ -394,7 +393,7 @@ func (t *tun) addRoutes(logErrors bool) error {
 				t.l.WithField("route", r.Cidr).
 					Warnf("unable to add unsafe_route, identical route already exists")
 			} else {
-				retErr := util.NewContextualError("Failed to add route", map[string]any{"route": r}, err)
+				retErr := util.NewContextualError("Failed to add route", map[string]interface{}{"route": r}, err)
 				if logErrors {
 					retErr.Log(t.l)
 				} else {

overlay/tun_disabled.go

@@ -9,7 +9,6 @@ import (
 	"github.com/rcrowley/go-metrics"
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/iputil"
-	"github.com/slackhq/nebula/routing"
 )
 
 type disabledTun struct {
@@ -44,8 +43,8 @@ func (*disabledTun) Activate() error {
 	return nil
 }
 
-func (*disabledTun) RoutesFor(addr netip.Addr) routing.Gateways {
+func (*disabledTun) RouteFor(addr netip.Addr) netip.Addr {
-	return routing.Gateways{}
+	return netip.Addr{}
 }
 
 func (t *disabledTun) Networks() []netip.Prefix {

overlay/tun_freebsd.go

@@ -20,7 +20,6 @@ import (
 	"github.com/gaissmai/bart"
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/config"
-	"github.com/slackhq/nebula/routing"
 	"github.com/slackhq/nebula/util"
 )
 
@@ -51,7 +50,7 @@ type tun struct {
 	vpnNetworks []netip.Prefix
 	MTU         int
 	Routes      atomic.Pointer[[]Route]
-	routeTree   atomic.Pointer[bart.Table[routing.Gateways]]
+	routeTree   atomic.Pointer[bart.Table[netip.Addr]]
 	l           *logrus.Logger
 
 	io.ReadWriteCloser
@@ -243,7 +242,7 @@ func (t *tun) reload(c *config.C, initial bool) error {
 	return nil
 }
 
-func (t *tun) RoutesFor(ip netip.Addr) routing.Gateways {
+func (t *tun) RouteFor(ip netip.Addr) netip.Addr {
 	r, _ := t.routeTree.Load().Lookup(ip)
 	return r
 }
@@ -263,7 +262,7 @@ func (t *tun) NewMultiQueueReader() (io.ReadWriteCloser, error) {
 func (t *tun) addRoutes(logErrors bool) error {
 	routes := *t.Routes.Load()
 	for _, r := range routes {
-		if len(r.Via) == 0 || !r.Install {
+		if !r.Via.IsValid() || !r.Install {
 			// We don't allow route MTUs so only install routes with a via
 			continue
 		}
@@ -271,7 +270,7 @@ func (t *tun) addRoutes(logErrors bool) error {
 		cmd := exec.Command("/sbin/route", "-n", "add", "-net", r.Cidr.String(), "-interface", t.Device)
 		t.l.Debug("command: ", cmd.String())
 		if err := cmd.Run(); err != nil {
-			retErr := util.NewContextualError("failed to run 'route add' for unsafe_route", map[string]any{"route": r}, err)
+			retErr := util.NewContextualError("failed to run 'route add' for unsafe_route", map[string]interface{}{"route": r}, err)
 			if logErrors {
 				retErr.Log(t.l)
 			} else {

overlay/tun_ios.go

@@ -16,7 +16,6 @@ import (
 	"github.com/gaissmai/bart"
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/config"
-	"github.com/slackhq/nebula/routing"
 	"github.com/slackhq/nebula/util"
 )
 
@@ -24,7 +23,7 @@ type tun struct {
 	io.ReadWriteCloser
 	vpnNetworks []netip.Prefix
 	Routes      atomic.Pointer[[]Route]
-	routeTree   atomic.Pointer[bart.Table[routing.Gateways]]
+	routeTree   atomic.Pointer[bart.Table[netip.Addr]]
 	l           *logrus.Logger
 }
 
@@ -80,7 +79,7 @@ func (t *tun) reload(c *config.C, initial bool) error {
 	return nil
 }
 
-func (t *tun) RoutesFor(ip netip.Addr) routing.Gateways {
+func (t *tun) RouteFor(ip netip.Addr) netip.Addr {
 	r, _ := t.routeTree.Load().Lookup(ip)
 	return r
 }

overlay/tun_linux.go

@@ -17,7 +17,6 @@ import (
 	"github.com/gaissmai/bart"
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/config"
-	"github.com/slackhq/nebula/routing"
 	"github.com/slackhq/nebula/util"
 	"github.com/vishvananda/netlink"
 	"golang.org/x/sys/unix"
@@ -35,7 +34,7 @@ type tun struct {
 	ioctlFd     uintptr
 
 	Routes          atomic.Pointer[[]Route]
-	routeTree       atomic.Pointer[bart.Table[routing.Gateways]]
+	routeTree       atomic.Pointer[bart.Table[netip.Addr]]
 	routeChan       chan struct{}
 	useSystemRoutes bool
 
@@ -232,7 +231,7 @@ func (t *tun) NewMultiQueueReader() (io.ReadWriteCloser, error) {
 	return file, nil
 }
 
-func (t *tun) RoutesFor(ip netip.Addr) routing.Gateways {
+func (t *tun) RouteFor(ip netip.Addr) netip.Addr {
 	r, _ := t.routeTree.Load().Lookup(ip)
 	return r
 }
@@ -464,7 +463,7 @@ func (t *tun) addRoutes(logErrors bool) error {
 
 		err := netlink.RouteReplace(&nr)
 		if err != nil {
-			retErr := util.NewContextualError("Failed to add route", map[string]any{"route": r}, err)
+			retErr := util.NewContextualError("Failed to add route", map[string]interface{}{"route": r}, err)
 			if logErrors {
 				retErr.Log(t.l)
 			} else {
@@ -551,7 +550,20 @@ func (t *tun) watchRoutes() {
 	}()
 }
 
-func (t *tun) isGatewayInVpnNetworks(gwAddr netip.Addr) bool {
+func (t *tun) updateRoutes(r netlink.RouteUpdate) {
+	if r.Gw == nil {
+		// Not a gateway route, ignore
+		t.l.WithField("route", r).Debug("Ignoring route update, not a gateway route")
+		return
+	}
+
+	gwAddr, ok := netip.AddrFromSlice(r.Gw)
+	if !ok {
+		t.l.WithField("route", r).Debug("Ignoring route update, invalid gateway address")
+		return
+	}
+
+	gwAddr = gwAddr.Unmap()
 	withinNetworks := false
 	for i := range t.vpnNetworks {
 		if t.vpnNetworks[i].Contains(gwAddr) {
@@ -559,68 +571,9 @@ func (t *tun) isGatewayInVpnNetworks(gwAddr netip.Addr) bool {
 			break
 		}
 	}
-
+	if !withinNetworks {
-	return withinNetworks
-}
-
-func (t *tun) getGatewaysFromRoute(r *netlink.Route) routing.Gateways {
-
-	var gateways routing.Gateways
-
-	link, err := netlink.LinkByName(t.Device)
-	if err != nil {
-		t.l.WithField("Devicename", t.Device).Error("Ignoring route update: failed to get link by name")
-		return gateways
-	}
-
-	// If this route is relevant to our interface and there is a gateway then add it
-	if r.LinkIndex == link.Attrs().Index && len(r.Gw) > 0 {
-		gwAddr, ok := netip.AddrFromSlice(r.Gw)
-		if !ok {
-			t.l.WithField("route", r).Debug("Ignoring route update, invalid gateway address")
-		} else {
-			gwAddr = gwAddr.Unmap()
-
-			if !t.isGatewayInVpnNetworks(gwAddr) {
 		// Gateway isn't in our overlay network, ignore
-				t.l.WithField("route", r).Debug("Ignoring route update, not in our network")
+		t.l.WithField("route", r).Debug("Ignoring route update, not in our networks")
-			} else {
-				gateways = append(gateways, routing.NewGateway(gwAddr, 1))
-			}
-		}
-	}
-
-	for _, p := range r.MultiPath {
-		// If this route is relevant to our interface and there is a gateway then add it
-		if p.LinkIndex == link.Attrs().Index && len(p.Gw) > 0 {
-			gwAddr, ok := netip.AddrFromSlice(p.Gw)
-			if !ok {
-				t.l.WithField("route", r).Debug("Ignoring multipath route update, invalid gateway address")
-			} else {
-				gwAddr = gwAddr.Unmap()
-
-				if !t.isGatewayInVpnNetworks(gwAddr) {
-					// Gateway isn't in our overlay network, ignore
-					t.l.WithField("route", r).Debug("Ignoring route update, not in our network")
-				} else {
-					// p.Hops+1 = weight of the route
-					gateways = append(gateways, routing.NewGateway(gwAddr, p.Hops+1))
-				}
-			}
-		}
-	}
-
-	routing.CalculateBucketsForGateways(gateways)
-	return gateways
-}
-
-func (t *tun) updateRoutes(r netlink.RouteUpdate) {
-
-	gateways := t.getGatewaysFromRoute(&r.Route)
-
-	if len(gateways) == 0 {
-		// No gateways relevant to our network, no routing changes required.
-		t.l.WithField("route", r).Debug("Ignoring route update, no gateways")
 		return
 	}
 
@@ -636,12 +589,12 @@ func (t *tun) updateRoutes(r netlink.RouteUpdate) {
 	newTree := t.routeTree.Load().Clone()
 
 	if r.Type == unix.RTM_NEWROUTE {
-		t.l.WithField("destination", dst).WithField("via", gateways).Info("Adding route")
+		t.l.WithField("destination", r.Dst).WithField("via", r.Gw).Info("Adding route")
-		newTree.Insert(dst, gateways)
+		newTree.Insert(dst, gwAddr)
 
 	} else {
-		t.l.WithField("destination", dst).WithField("via", gateways).Info("Removing route")
 		newTree.Delete(dst)
+		t.l.WithField("destination", r.Dst).WithField("via", r.Gw).Info("Removing route")
 	}
 	t.routeTree.Store(newTree)
 }

overlay/tun_netbsd.go

@@ -18,7 +18,6 @@ import (
 	"github.com/gaissmai/bart"
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/config"
-	"github.com/slackhq/nebula/routing"
 	"github.com/slackhq/nebula/util"
 )
 
@@ -32,7 +31,7 @@ type tun struct {
 	vpnNetworks []netip.Prefix
 	MTU         int
 	Routes      atomic.Pointer[[]Route]
-	routeTree   atomic.Pointer[bart.Table[routing.Gateways]]
+	routeTree   atomic.Pointer[bart.Table[netip.Addr]]
 	l           *logrus.Logger
 
 	io.ReadWriteCloser
@@ -178,7 +177,7 @@ func (t *tun) reload(c *config.C, initial bool) error {
 	return nil
 }
 
-func (t *tun) RoutesFor(ip netip.Addr) routing.Gateways {
+func (t *tun) RouteFor(ip netip.Addr) netip.Addr {
 	r, _ := t.routeTree.Load().Lookup(ip)
 	return r
 }
@@ -198,7 +197,7 @@ func (t *tun) NewMultiQueueReader() (io.ReadWriteCloser, error) {
 func (t *tun) addRoutes(logErrors bool) error {
 	routes := *t.Routes.Load()
 	for _, r := range routes {
-		if len(r.Via) == 0 || !r.Install {
+		if !r.Via.IsValid() || !r.Install {
 			// We don't allow route MTUs so only install routes with a via
 			continue
 		}
@@ -206,7 +205,7 @@ func (t *tun) addRoutes(logErrors bool) error {
 		cmd := exec.Command("/sbin/route", "-n", "add", "-net", r.Cidr.String(), t.vpnNetworks[0].Addr().String())
 		t.l.Debug("command: ", cmd.String())
 		if err := cmd.Run(); err != nil {
-			retErr := util.NewContextualError("failed to run 'route add' for unsafe_route", map[string]any{"route": r}, err)
+			retErr := util.NewContextualError("failed to run 'route add' for unsafe_route", map[string]interface{}{"route": r}, err)
 			if logErrors {
 				retErr.Log(t.l)
 			} else {

overlay/tun_openbsd.go

@@ -17,7 +17,6 @@ import (
 	"github.com/gaissmai/bart"
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/config"
-	"github.com/slackhq/nebula/routing"
 	"github.com/slackhq/nebula/util"
 )
 
@@ -26,7 +25,7 @@ type tun struct {
 	vpnNetworks []netip.Prefix
 	MTU         int
 	Routes      atomic.Pointer[[]Route]
-	routeTree   atomic.Pointer[bart.Table[routing.Gateways]]
+	routeTree   atomic.Pointer[bart.Table[netip.Addr]]
 	l           *logrus.Logger
 
 	io.ReadWriteCloser
@@ -159,7 +158,7 @@ func (t *tun) Activate() error {
 	return nil
 }
 
-func (t *tun) RoutesFor(ip netip.Addr) routing.Gateways {
+func (t *tun) RouteFor(ip netip.Addr) netip.Addr {
 	r, _ := t.routeTree.Load().Lookup(ip)
 	return r
 }
@@ -167,7 +166,7 @@ func (t *tun) RoutesFor(ip netip.Addr) routing.Gateways {
 func (t *tun) addRoutes(logErrors bool) error {
 	routes := *t.Routes.Load()
 	for _, r := range routes {
-		if len(r.Via) == 0 || !r.Install {
+		if !r.Via.IsValid() || !r.Install {
 			// We don't allow route MTUs so only install routes with a via
 			continue
 		}
@@ -175,7 +174,7 @@ func (t *tun) addRoutes(logErrors bool) error {
 		cmd := exec.Command("/sbin/route", "-n", "add", "-inet", r.Cidr.String(), t.vpnNetworks[0].Addr().String())
 		t.l.Debug("command: ", cmd.String())
 		if err := cmd.Run(); err != nil {
-			retErr := util.NewContextualError("failed to run 'route add' for unsafe_route", map[string]any{"route": r}, err)
+			retErr := util.NewContextualError("failed to run 'route add' for unsafe_route", map[string]interface{}{"route": r}, err)
 			if logErrors {
 				retErr.Log(t.l)
 			} else {

overlay/tun_tester.go

@@ -13,14 +13,13 @@ import (
 	"github.com/gaissmai/bart"
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/config"
-	"github.com/slackhq/nebula/routing"
 )
 
 type TestTun struct {
 	Device      string
 	vpnNetworks []netip.Prefix
 	Routes      []Route
-	routeTree   *bart.Table[routing.Gateways]
+	routeTree   *bart.Table[netip.Addr]
 	l           *logrus.Logger
 
 	closed    atomic.Bool
@@ -87,7 +86,7 @@ func (t *TestTun) Get(block bool) []byte {
 // Below this is boilerplate implementation to make nebula actually work
 //********************************************************************************************************************//
 
-func (t *TestTun) RoutesFor(ip netip.Addr) routing.Gateways {
+func (t *TestTun) RouteFor(ip netip.Addr) netip.Addr {
 	r, _ := t.routeTree.Lookup(ip)
 	return r
 }

overlay/tun_windows.go

@@ -18,7 +18,6 @@ import (
 	"github.com/gaissmai/bart"
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/config"
-	"github.com/slackhq/nebula/routing"
 	"github.com/slackhq/nebula/util"
 	"github.com/slackhq/nebula/wintun"
 	"golang.org/x/sys/windows"
@@ -32,7 +31,7 @@ type winTun struct {
 	vpnNetworks []netip.Prefix
 	MTU         int
 	Routes      atomic.Pointer[[]Route]
-	routeTree   atomic.Pointer[bart.Table[routing.Gateways]]
+	routeTree   atomic.Pointer[bart.Table[netip.Addr]]
 	l           *logrus.Logger
 
 	tun *wintun.NativeTun
@@ -148,18 +147,15 @@ func (t *winTun) addRoutes(logErrors bool) error {
 	foundDefault4 := false
 
 	for _, r := range routes {
-		if len(r.Via) == 0 || !r.Install {
+		if !r.Via.IsValid() || !r.Install {
 			// We don't allow route MTUs so only install routes with a via
 			continue
 		}
 
 		// Add our unsafe route
-		// Windows does not support multipath routes natively, so we install only a single route.
+		err := luid.AddRoute(r.Cidr, r.Via, uint32(r.Metric))
-		// This is not a problem as traffic will always be sent to Nebula which handles the multipath routing internally.
-		// In effect this provides multipath routing support to windows supporting loadbalancing and redundancy.
-		err := luid.AddRoute(r.Cidr, r.Via[0].Addr(), uint32(r.Metric))
 		if err != nil {
-			retErr := util.NewContextualError("Failed to add route", map[string]any{"route": r}, err)
+			retErr := util.NewContextualError("Failed to add route", map[string]interface{}{"route": r}, err)
 			if logErrors {
 				retErr.Log(t.l)
 				continue
@@ -202,8 +198,7 @@ func (t *winTun) removeRoutes(routes []Route) error {
 			continue
 		}
 
-		// See comment on luid.AddRoute
+		err := luid.DeleteRoute(r.Cidr, r.Via)
-		err := luid.DeleteRoute(r.Cidr, r.Via[0].Addr())
 		if err != nil {
 			t.l.WithError(err).WithField("route", r).Error("Failed to remove route")
 		} else {
@@ -213,7 +208,7 @@ func (t *winTun) removeRoutes(routes []Route) error {
 	return nil
 }
 
-func (t *winTun) RoutesFor(ip netip.Addr) routing.Gateways {
+func (t *winTun) RouteFor(ip netip.Addr) netip.Addr {
 	r, _ := t.routeTree.Load().Lookup(ip)
 	return r
 }

overlay/user.go

@@ -6,7 +6,6 @@ import (
 
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/config"
-	"github.com/slackhq/nebula/routing"
 )
 
 func NewUserDeviceFromConfig(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, routines int) (Device, error) {
@@ -39,13 +38,9 @@ type UserDevice struct {
 func (d *UserDevice) Activate() error {
 	return nil
 }
-
 func (d *UserDevice) Networks() []netip.Prefix          { return d.vpnNetworks }
 func (d *UserDevice) Name() string                      { return "faketun0" }
-func (d *UserDevice) RoutesFor(ip netip.Addr) routing.Gateways {
+func (d *UserDevice) RouteFor(ip netip.Addr) netip.Addr { return ip }
-	return routing.Gateways{routing.NewGateway(ip, 1)}
-}
-
 func (d *UserDevice) NewMultiQueueReader() (io.ReadWriteCloser, error) {
 	return d, nil
 }

pkclient/pkclient.go

@@ -1,6 +1,8 @@
 package pkclient
 
 import (
+	"crypto/ecdsa"
+	"crypto/x509"
 	"fmt"
 	"io"
 	"strconv"
@@ -48,6 +50,27 @@ func FromUrl(pkurl string) (*PKClient, error) {
 	return New(module, uint(slotid), pin, id, label)
 }
 
+func ecKeyToArray(key *ecdsa.PublicKey) []byte {
+	x := make([]byte, 32)
+	y := make([]byte, 32)
+	key.X.FillBytes(x)
+	key.Y.FillBytes(y)
+	return append([]byte{0x04}, append(x, y...)...)
+}
+
+func formatPubkeyFromPublicKeyInfoAttr(d []byte) ([]byte, error) {
+	e, err := x509.ParsePKIXPublicKey(d)
+	if err != nil {
+		return nil, err
+	}
+	switch t := e.(type) {
+	case *ecdsa.PublicKey:
+		return ecKeyToArray(e.(*ecdsa.PublicKey)), nil
+	default:
+		return nil, fmt.Errorf("unknown public key type: %T", t)
+	}
+}
+
 func (c *PKClient) Test() error {
 	pub, err := c.GetPubKey()
 	if err != nil {

pkclient/pkclient_cgo.go

@@ -3,8 +3,6 @@
 package pkclient
 
 import (
-	"crypto/ecdsa"
-	"crypto/x509"
 	"encoding/asn1"
 	"errors"
 	"fmt"
@@ -229,24 +227,3 @@ func (c *PKClient) GetPubKey() ([]byte, error) {
 		return nil, fmt.Errorf("unknown public key length: %d", len(d))
 	}
 }
-
-func ecKeyToArray(key *ecdsa.PublicKey) []byte {
-	x := make([]byte, 32)
-	y := make([]byte, 32)
-	key.X.FillBytes(x)
-	key.Y.FillBytes(y)
-	return append([]byte{0x04}, append(x, y...)...)
-}
-
-func formatPubkeyFromPublicKeyInfoAttr(d []byte) ([]byte, error) {
-	e, err := x509.ParsePKIXPublicKey(d)
-	if err != nil {
-		return nil, err
-	}
-	switch t := e.(type) {
-	case *ecdsa.PublicKey:
-		return ecKeyToArray(e.(*ecdsa.PublicKey)), nil
-	default:
-		return nil, fmt.Errorf("unknown public key type: %T", t)
-	}
-}

pkclient/pkclient_stub.go

@@ -7,10 +7,10 @@ import "errors"
 type PKClient struct {
 }
 
-var errNotImplemented = errors.New("not implemented")
+var notImplemented = errors.New("not implemented")
 
 func New(hsmPath string, slotId uint, pin string, id string, label string) (*PKClient, error) {
-	return nil, errNotImplemented
+	return nil, notImplemented
 }
 
 func (c *PKClient) Close() error {
@@ -18,13 +18,13 @@ func (c *PKClient) Close() error {
 }
 
 func (c *PKClient) SignASN1(data []byte) ([]byte, error) {
-	return nil, errNotImplemented
+	return nil, notImplemented
 }
 
 func (c *PKClient) DeriveNoise(_ []byte) ([]byte, error) {
-	return nil, errNotImplemented
+	return nil, notImplemented
 }
 
 func (c *PKClient) GetPubKey() ([]byte, error) {
-	return nil, errNotImplemented
+	return nil, notImplemented
 }

pki.go

@@ -33,11 +33,13 @@ type CertState struct {
 	v2Cert           cert.Certificate
 	v2HandshakeBytes []byte
 
-	initiatingVersion cert.Version
+	defaultVersion cert.Version
 	privateKey     []byte
 	pkcs11Backed   bool
 	cipher         string
 
+	psk *Psk
+
 	myVpnNetworks            []netip.Prefix
 	myVpnNetworksTable       *bart.Table[struct{}]
 	myVpnAddrs               []netip.Addr
@@ -171,6 +173,16 @@ func (p *PKI) reloadCerts(c *config.C, initial bool) *util.ContextualError {
 		}
 	}
 
+	psk, err := NewPskFromConfig(c)
+	if err != nil {
+		return util.NewContextualError("Failed to load psk from config", nil, err)
+	}
+	if len(psk.keys) > 0 {
+		p.l.WithField("pskMode", psk.mode).WithField("keysLen", len(psk.keys)).
+			Info("pre shared keys are in use")
+	}
+	newState.psk = psk
+
 	p.cs.Store(newState)
 
 	//TODO: CERT-V2 newState needs a stringer that does json
@@ -194,7 +206,7 @@ func (p *PKI) reloadCAPool(c *config.C) *util.ContextualError {
 }
 
 func (cs *CertState) GetDefaultCertificate() cert.Certificate {
-	c := cs.getCertificate(cs.initiatingVersion)
+	c := cs.getCertificate(cs.defaultVersion)
 	if c == nil {
 		panic("No default certificate found")
 	}
@@ -317,28 +329,28 @@ func newCertStateFromConfig(c *config.C) (*CertState, error) {
 		return nil, errors.New("no certificates found in pki.cert")
 	}
 
-	useInitiatingVersion := uint32(1)
+	useDefaultVersion := uint32(1)
 	if v1 == nil {
 		// The only condition that requires v2 as the default is if only a v2 certificate is present
 		// We do this to avoid having to configure it specifically in the config file
-		useInitiatingVersion = 2
+		useDefaultVersion = 2
 	}
 
-	rawInitiatingVersion := c.GetUint32("pki.initiating_version", useInitiatingVersion)
+	rawDefaultVersion := c.GetUint32("pki.default_version", useDefaultVersion)
-	var initiatingVersion cert.Version
+	var defaultVersion cert.Version
-	switch rawInitiatingVersion {
+	switch rawDefaultVersion {
 	case 1:
 		if v1 == nil {
-			return nil, fmt.Errorf("can not use pki.initiating_version 1 without a v1 certificate in pki.cert")
+			return nil, fmt.Errorf("can not use pki.default_version 1 without a v1 certificate in pki.cert")
 		}
-		initiatingVersion = cert.Version1
+		defaultVersion = cert.Version1
 	case 2:
-		initiatingVersion = cert.Version2
+		defaultVersion = cert.Version2
 	default:
-		return nil, fmt.Errorf("unknown pki.initiating_version: %v", rawInitiatingVersion)
+		return nil, fmt.Errorf("unknown pki.default_version: %v", rawDefaultVersion)
 	}
 
-	return newCertState(initiatingVersion, v1, v2, isPkcs11, curve, rawKey)
+	return newCertState(defaultVersion, v1, v2, isPkcs11, curve, rawKey)
 }
 
 func newCertState(dv cert.Version, v1, v2 cert.Certificate, pkcs11backed bool, privateKeyCurve cert.Curve, privateKey []byte) (*CertState, error) {
@@ -361,7 +373,7 @@ func newCertState(dv cert.Version, v1, v2 cert.Certificate, pkcs11backed bool, p
 
 		//TODO: CERT-V2 make sure v2 has v1s address
 
-		cs.initiatingVersion = dv
+		cs.defaultVersion = dv
 	}
 
 	if v1 != nil {
@@ -380,8 +392,8 @@ func newCertState(dv cert.Version, v1, v2 cert.Certificate, pkcs11backed bool, p
 		cs.v1Cert = v1
 		cs.v1HandshakeBytes = v1hs
 
-		if cs.initiatingVersion == 0 {
+		if cs.defaultVersion == 0 {
-			cs.initiatingVersion = cert.Version1
+			cs.defaultVersion = cert.Version1
 		}
 	}
 
@@ -401,8 +413,8 @@ func newCertState(dv cert.Version, v1, v2 cert.Certificate, pkcs11backed bool, p
 		cs.v2Cert = v2
 		cs.v2HandshakeBytes = v2hs
 
-		if cs.initiatingVersion == 0 {
+		if cs.defaultVersion == 0 {
-			cs.initiatingVersion = cert.Version2
+			cs.defaultVersion = cert.Version2
 		}
 	}
 

psk.go

@@ -0,0 +1,150 @@
+package nebula
+
+import (
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"io"
+
+	"github.com/slackhq/nebula/config"
+	"github.com/slackhq/nebula/util"
+	"golang.org/x/crypto/hkdf"
+)
+
+var ErrNotAPskMode = errors.New("not a psk mode")
+var ErrKeyTooShort = errors.New("key is too short")
+var ErrNotEnoughPskKeys = errors.New("at least 1 key is required")
+
+// MinPskLength is the minimum bytes that we accept for a user defined psk, the choice is arbitrary
+const MinPskLength = 8
+
+type PskMode int
+
+const (
+	PskAccepting PskMode = 0
+	PskSending   PskMode = 1
+	PskEnforced  PskMode = 2
+)
+
+func NewPskMode(m string) (PskMode, error) {
+	switch m {
+	case "accepting":
+		return PskAccepting, nil
+	case "sending":
+		return PskSending, nil
+	case "enforced":
+		return PskEnforced, nil
+	}
+	return PskAccepting, ErrNotAPskMode
+}
+
+func (p PskMode) String() string {
+	switch p {
+	case PskAccepting:
+		return "accepting"
+	case PskSending:
+		return "sending"
+	case PskEnforced:
+		return "enforced"
+	}
+
+	return "unknown"
+}
+
+func (p PskMode) IsValid() bool {
+	switch p {
+	case PskAccepting, PskSending, PskEnforced:
+		return true
+	default:
+		return false
+	}
+}
+
+type Psk struct {
+	// pskMode sets how psk works, ignored, allowed for incoming, or enforced for all
+	mode PskMode
+
+	// primary is the key to use when sending, it may be nil
+	primary []byte
+
+	// keys holds all pre-computed psk hkdfs
+	// Handshakes iterate this directly
+	keys [][]byte
+}
+
+// NewPskFromConfig is a helper for initial boot and config reloading.
+func NewPskFromConfig(c *config.C) (*Psk, error) {
+	sMode := c.GetString("psk.mode", "accepting")
+	mode, err := NewPskMode(sMode)
+	if err != nil {
+		return nil, util.NewContextualError("Could not parse psk.mode", m{"mode": mode}, err)
+	}
+
+	return NewPsk(
+		mode,
+		c.GetStringSlice("psk.keys", nil),
+	)
+}
+
+// NewPsk creates a new Psk object and handles the caching of all accepted keys
+func NewPsk(mode PskMode, keys []string) (*Psk, error) {
+	if !mode.IsValid() {
+		return nil, ErrNotAPskMode
+	}
+
+	psk := &Psk{
+		mode: mode,
+	}
+
+	err := psk.cachePsks(keys)
+	if err != nil {
+		return nil, err
+	}
+
+	return psk, nil
+}
+
+// cachePsks generates all psks we accept and caches them to speed up handshaking
+func (p *Psk) cachePsks(keys []string) error {
+	if p.mode != PskAccepting && len(keys) < 1 {
+		return ErrNotEnoughPskKeys
+	}
+
+	p.keys = [][]byte{}
+
+	for i, rk := range keys {
+		k, err := sha256KdfFromString(rk)
+		if err != nil {
+			return fmt.Errorf("failed to generate key for position %v: %w", i, err)
+		}
+
+		p.keys = append(p.keys, k)
+	}
+
+	if p.mode != PskAccepting {
+		// We are either sending or enforcing, the primary key must the first slot
+		p.primary = p.keys[0]
+	}
+
+	if p.mode != PskEnforced {
+		// If we are not enforcing psk use then a nil psk is allowed
+		p.keys = append(p.keys, nil)
+	}
+
+	return nil
+}
+
+// sha256KdfFromString generates a useful key to use from a provided secret
+func sha256KdfFromString(secret string) ([]byte, error) {
+	if len(secret) < MinPskLength {
+		return nil, ErrKeyTooShort
+	}
+
+	hmacKey := make([]byte, sha256.Size)
+	_, err := io.ReadFull(hkdf.New(sha256.New, []byte(secret), nil, nil), hmacKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return hmacKey, nil
+}

psk_test.go

@@ -0,0 +1,72 @@
+package nebula
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewPsk(t *testing.T) {
+	t.Run("mode accepting", func(t *testing.T) {
+		p, err := NewPsk(PskAccepting, nil)
+		require.NoError(t, err)
+		assert.Equal(t, PskAccepting, p.mode)
+		assert.Nil(t, p.keys[0])
+		assert.Nil(t, p.primary)
+
+		p, err = NewPsk(PskAccepting, []string{"1234567"})
+		require.ErrorIs(t, err, ErrKeyTooShort)
+
+		p, err = NewPsk(PskAccepting, []string{"hi there friends"})
+		require.NoError(t, err)
+		assert.Equal(t, PskAccepting, p.mode)
+		assert.Nil(t, p.primary)
+		assert.Len(t, p.keys, 2)
+		assert.Nil(t, p.keys[1])
+
+		expectedCache := []byte{
+			0xb9, 0x8c, 0xdc, 0xac, 0x77, 0xf4, 0x8c, 0xf8, 0x1d, 0xe7, 0xe7, 0xb, 0x53, 0x25, 0xd3, 0x65,
+			0xa3, 0x9f, 0x78, 0xb2, 0xc7, 0x2d, 0xa5, 0xd8, 0x84, 0x81, 0x7b, 0xb5, 0xdb, 0xe0, 0x9a, 0xef,
+		}
+		assert.Equal(t, expectedCache, p.keys[0])
+	})
+
+	t.Run("mode sending", func(t *testing.T) {
+		p, err := NewPsk(PskSending, nil)
+		require.ErrorIs(t, err, ErrNotEnoughPskKeys)
+
+		p, err = NewPsk(PskSending, []string{"1234567"})
+		require.ErrorIs(t, err, ErrKeyTooShort)
+
+		p, err = NewPsk(PskSending, []string{"hi there friends"})
+		require.NoError(t, err)
+		assert.Equal(t, PskSending, p.mode)
+		assert.Len(t, p.keys, 2)
+		assert.Nil(t, p.keys[1])
+
+		expectedCache := []byte{
+			0xb9, 0x8c, 0xdc, 0xac, 0x77, 0xf4, 0x8c, 0xf8, 0x1d, 0xe7, 0xe7, 0xb, 0x53, 0x25, 0xd3, 0x65,
+			0xa3, 0x9f, 0x78, 0xb2, 0xc7, 0x2d, 0xa5, 0xd8, 0x84, 0x81, 0x7b, 0xb5, 0xdb, 0xe0, 0x9a, 0xef,
+		}
+		assert.Equal(t, expectedCache, p.keys[0])
+		assert.Equal(t, p.keys[0], p.primary)
+	})
+
+	t.Run("mode enforced", func(t *testing.T) {
+		p, err := NewPsk(PskEnforced, nil)
+		require.ErrorIs(t, err, ErrNotEnoughPskKeys)
+
+		p, err = NewPsk(PskEnforced, []string{"hi there friends"})
+		require.NoError(t, err)
+		assert.Equal(t, PskEnforced, p.mode)
+		assert.Len(t, p.keys, 1)
+
+		expectedCache := []byte{
+			0xb9, 0x8c, 0xdc, 0xac, 0x77, 0xf4, 0x8c, 0xf8, 0x1d, 0xe7, 0xe7, 0xb, 0x53, 0x25, 0xd3, 0x65,
+			0xa3, 0x9f, 0x78, 0xb2, 0xc7, 0x2d, 0xa5, 0xd8, 0x84, 0x81, 0x7b, 0xb5, 0xdb, 0xe0, 0x9a, 0xef,
+		}
+		assert.Equal(t, expectedCache, p.keys[0])
+		assert.Equal(t, p.keys[0], p.primary)
+	})
+}

punchy_test.go

@@ -27,7 +27,7 @@ func TestNewPunchyFromConfig(t *testing.T) {
 	assert.True(t, p.GetPunch())
 
 	// punchy.punch
-	c.Settings["punchy"] = map[string]any{"punch": true}
+	c.Settings["punchy"] = map[interface{}]interface{}{"punch": true}
 	p = NewPunchyFromConfig(l, c)
 	assert.True(t, p.GetPunch())
 
@@ -37,18 +37,18 @@ func TestNewPunchyFromConfig(t *testing.T) {
 	assert.True(t, p.GetRespond())
 
 	// punchy.respond
-	c.Settings["punchy"] = map[string]any{"respond": true}
+	c.Settings["punchy"] = map[interface{}]interface{}{"respond": true}
 	c.Settings["punch_back"] = false
 	p = NewPunchyFromConfig(l, c)
 	assert.True(t, p.GetRespond())
 
 	// punchy.delay
-	c.Settings["punchy"] = map[string]any{"delay": "1m"}
+	c.Settings["punchy"] = map[interface{}]interface{}{"delay": "1m"}
 	p = NewPunchyFromConfig(l, c)
 	assert.Equal(t, time.Minute, p.GetDelay())
 
 	// punchy.respond_delay
-	c.Settings["punchy"] = map[string]any{"respond_delay": "1m"}
+	c.Settings["punchy"] = map[interface{}]interface{}{"respond_delay": "1m"}
 	p = NewPunchyFromConfig(l, c)
 	assert.Equal(t, time.Minute, p.GetRespondDelay())
 }

remote_list.go

@@ -263,7 +263,9 @@ func (r *RemoteList) CopyAddrs(preferredRanges []netip.Prefix) []netip.AddrPort
 	r.RLock()
 	defer r.RUnlock()
 	c := make([]netip.AddrPort, len(r.addrs))
-	copy(c, r.addrs)
+	for i, v := range r.addrs {
+		c[i] = v
+	}
 	return c
 }
 
@@ -324,7 +326,9 @@ func (r *RemoteList) CopyCache() *CacheMap {
 		}
 
 		if mc.relay != nil {
-			c.Relay = append(c.Relay, mc.relay.relay...)
+			for _, a := range mc.relay.relay {
+				c.Relay = append(c.Relay, a)
+			}
 		}
 	}
 
@@ -358,7 +362,9 @@ func (r *RemoteList) CopyBlockedRemotes() []netip.AddrPort {
 	defer r.RUnlock()
 
 	c := make([]netip.AddrPort, len(r.badRemotes))
-	copy(c, r.badRemotes)
+	for i, v := range r.badRemotes {
+		c[i] = v
+	}
 	return c
 }
 
@@ -563,7 +569,9 @@ func (r *RemoteList) unlockedCollect() {
 		}
 
 		if c.relay != nil {
-			relays = append(relays, c.relay.relay...)
+			for _, v := range c.relay.relay {
+				relays = append(relays, v)
+			}
 		}
 	}
 
@@ -627,15 +635,15 @@ func (r *RemoteList) unlockedSort(preferredRanges []netip.Prefix) {
 		a4 := a.Addr().Is4()
 		b4 := b.Addr().Is4()
 		switch {
-		case !a4 && b4:
+		case a4 == false && b4 == true:
 			// If i is v6 and j is v4, i is less than j
 			return true
 
-		case a4 && !b4:
+		case a4 == true && b4 == false:
 			// If j is v6 and i is v4, i is not less than j
 			return false
 
-		case a4 && b4:
+		case a4 == true && b4 == true:
 			// i and j are both ipv4
 			aPrivate := a.Addr().IsPrivate()
 			bPrivate := b.Addr().IsPrivate()
@@ -683,6 +691,7 @@ func (r *RemoteList) unlockedSort(preferredRanges []netip.Prefix) {
 	}
 
 	r.addrs = r.addrs[:a+1]
+	return
 }
 
 // minInt returns the minimum integer of a or b

routing/balance.go

@@ -1,39 +0,0 @@
-package routing
-
-import (
-	"net/netip"
-
-	"github.com/slackhq/nebula/firewall"
-)
-
-// Hashes the packet source and destination port and always returns a positive integer
-// Based on 'Prospecting for Hash Functions'
-//   - https://nullprogram.com/blog/2018/07/31/
-//   - https://github.com/skeeto/hash-prospector
-//     [16 21f0aaad 15 d35a2d97 15] = 0.10760229515479501
-func hashPacket(p *firewall.Packet) int {
-	x := (uint32(p.LocalPort) << 16) | uint32(p.RemotePort)
-	x ^= x >> 16
-	x *= 0x21f0aaad
-	x ^= x >> 15
-	x *= 0xd35a2d97
-	x ^= x >> 15
-
-	return int(x) & 0x7FFFFFFF
-}
-
-// For this function to work correctly it requires that the buckets for the gateways have been calculated
-// If the contract is violated balancing will not work properly and the second return value will return false
-func BalancePacket(fwPacket *firewall.Packet, gateways []Gateway) (netip.Addr, bool) {
-	hash := hashPacket(fwPacket)
-
-	for i := range gateways {
-		if hash <= gateways[i].BucketUpperBound() {
-			return gateways[i].Addr(), true
-		}
-	}
-
-	// If you land here then the buckets for the gateways are not properly calculated
-	// Fallback to random routing and let the caller know
-	return gateways[hash%len(gateways)].Addr(), false
-}

routing/balance_test.go

@@ -1,144 +0,0 @@
-package routing
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/slackhq/nebula/firewall"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestPacketsAreBalancedEqually(t *testing.T) {
-
-	gateways := []Gateway{}
-
-	gw1Addr := netip.MustParseAddr("1.0.0.1")
-	gw2Addr := netip.MustParseAddr("1.0.0.2")
-	gw3Addr := netip.MustParseAddr("1.0.0.3")
-
-	gateways = append(gateways, NewGateway(gw1Addr, 1))
-	gateways = append(gateways, NewGateway(gw2Addr, 1))
-	gateways = append(gateways, NewGateway(gw3Addr, 1))
-
-	CalculateBucketsForGateways(gateways)
-
-	gw1count := 0
-	gw2count := 0
-	gw3count := 0
-
-	iterationCount := uint16(65535)
-	for i := uint16(0); i < iterationCount; i++ {
-		packet := firewall.Packet{
-			LocalAddr:  netip.MustParseAddr("192.168.1.1"),
-			RemoteAddr: netip.MustParseAddr("10.0.0.1"),
-			LocalPort:  i,
-			RemotePort: 65535 - i,
-			Protocol:   6, // TCP
-			Fragment:   false,
-		}
-
-		selectedGw, ok := BalancePacket(&packet, gateways)
-		assert.True(t, ok)
-
-		switch selectedGw {
-		case gw1Addr:
-			gw1count += 1
-		case gw2Addr:
-			gw2count += 1
-		case gw3Addr:
-			gw3count += 1
-		}
-
-	}
-
-	// Assert packets are balanced, allow variation of up to 100 packets per gateway
-	assert.InDeltaf(t, iterationCount/3, gw1count, 100, "Expected %d +/- 100, but got %d", iterationCount/3, gw1count)
-	assert.InDeltaf(t, iterationCount/3, gw2count, 100, "Expected %d +/- 100, but got %d", iterationCount/3, gw1count)
-	assert.InDeltaf(t, iterationCount/3, gw3count, 100, "Expected %d +/- 100, but got %d", iterationCount/3, gw1count)
-
-}
-
-func TestPacketsAreBalancedByPriority(t *testing.T) {
-
-	gateways := []Gateway{}
-
-	gw1Addr := netip.MustParseAddr("1.0.0.1")
-	gw2Addr := netip.MustParseAddr("1.0.0.2")
-
-	gateways = append(gateways, NewGateway(gw1Addr, 10))
-	gateways = append(gateways, NewGateway(gw2Addr, 5))
-
-	CalculateBucketsForGateways(gateways)
-
-	gw1count := 0
-	gw2count := 0
-
-	iterationCount := uint16(65535)
-	for i := uint16(0); i < iterationCount; i++ {
-		packet := firewall.Packet{
-			LocalAddr:  netip.MustParseAddr("192.168.1.1"),
-			RemoteAddr: netip.MustParseAddr("10.0.0.1"),
-			LocalPort:  i,
-			RemotePort: 65535 - i,
-			Protocol:   6, // TCP
-			Fragment:   false,
-		}
-
-		selectedGw, ok := BalancePacket(&packet, gateways)
-		assert.True(t, ok)
-
-		switch selectedGw {
-		case gw1Addr:
-			gw1count += 1
-		case gw2Addr:
-			gw2count += 1
-		}
-
-	}
-
-	iterationCountAsFloat := float32(iterationCount)
-
-	assert.InDeltaf(t, iterationCountAsFloat*(2.0/3.0), gw1count, 100, "Expected %d +/- 100, but got %d", iterationCountAsFloat*(2.0/3.0), gw1count)
-	assert.InDeltaf(t, iterationCountAsFloat*(1.0/3.0), gw2count, 100, "Expected %d +/- 100, but got %d", iterationCountAsFloat*(1.0/3.0), gw2count)
-}
-
-func TestBalancePacketDistributsRandomlyAndReturnsFalseIfBucketsNotCalculated(t *testing.T) {
-	gateways := []Gateway{}
-
-	gw1Addr := netip.MustParseAddr("1.0.0.1")
-	gw2Addr := netip.MustParseAddr("1.0.0.2")
-
-	gateways = append(gateways, NewGateway(gw1Addr, 10))
-	gateways = append(gateways, NewGateway(gw2Addr, 5))
-
-	iterationCount := uint16(65535)
-	gw1count := 0
-	gw2count := 0
-
-	for i := uint16(0); i < iterationCount; i++ {
-		packet := firewall.Packet{
-			LocalAddr:  netip.MustParseAddr("192.168.1.1"),
-			RemoteAddr: netip.MustParseAddr("10.0.0.1"),
-			LocalPort:  i,
-			RemotePort: 65535 - i,
-			Protocol:   6, // TCP
-			Fragment:   false,
-		}
-
-		selectedGw, ok := BalancePacket(&packet, gateways)
-		assert.False(t, ok)
-
-		switch selectedGw {
-		case gw1Addr:
-			gw1count += 1
-		case gw2Addr:
-			gw2count += 1
-		}
-
-	}
-
-	assert.Equal(t, int(iterationCount), (gw1count + gw2count))
-	assert.NotEqual(t, 0, gw1count)
-	assert.NotEqual(t, 0, gw2count)
-
-}

routing/gateway.go

@@ -1,70 +0,0 @@
-package routing
-
-import (
-	"fmt"
-	"net/netip"
-)
-
-const (
-	// Sentinal value
-	BucketNotCalculated = -1
-)
-
-type Gateways []Gateway
-
-func (g Gateways) String() string {
-	str := ""
-	for i, gw := range g {
-		str += gw.String()
-		if i < len(g)-1 {
-			str += ", "
-		}
-	}
-	return str
-}
-
-type Gateway struct {
-	addr             netip.Addr
-	weight           int
-	bucketUpperBound int
-}
-
-func NewGateway(addr netip.Addr, weight int) Gateway {
-	return Gateway{addr: addr, weight: weight, bucketUpperBound: BucketNotCalculated}
-}
-
-func (g *Gateway) BucketUpperBound() int {
-	return g.bucketUpperBound
-}
-
-func (g *Gateway) Addr() netip.Addr {
-	return g.addr
-}
-
-func (g *Gateway) String() string {
-	return fmt.Sprintf("{addr: %s, weight: %d}", g.addr, g.weight)
-}
-
-// Divide and round to nearest integer
-func divideAndRound(v uint64, d uint64) uint64 {
-	var tmp uint64 = v + d/2
-	return tmp / d
-}
-
-// Implements Hash-Threshold mapping, equivalent to the implementation in the linux kernel.
-// After this function returns each gateway will have a
-// positive bucketUpperBound with a maximum value of 2147483647 (INT_MAX)
-func CalculateBucketsForGateways(gateways []Gateway) {
-
-	var totalWeight int = 0
-	for i := range gateways {
-		totalWeight += gateways[i].weight
-	}
-
-	var loopWeight int = 0
-	for i := range gateways {
-		loopWeight += gateways[i].weight
-		gateways[i].bucketUpperBound = int(divideAndRound(uint64(loopWeight)<<31, uint64(totalWeight))) - 1
-	}
-
-}

routing/gateway_test.go

@@ -1,34 +0,0 @@
-package routing
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestRebalance3_2Split(t *testing.T) {
-	gateways := []Gateway{}
-
-	gateways = append(gateways, Gateway{addr: netip.Addr{}, weight: 10})
-	gateways = append(gateways, Gateway{addr: netip.Addr{}, weight: 5})
-
-	CalculateBucketsForGateways(gateways)
-
-	assert.Equal(t, 1431655764, gateways[0].bucketUpperBound) // INT_MAX/3*2
-	assert.Equal(t, 2147483647, gateways[1].bucketUpperBound) // INT_MAX
-}
-
-func TestRebalanceEqualSplit(t *testing.T) {
-	gateways := []Gateway{}
-
-	gateways = append(gateways, Gateway{addr: netip.Addr{}, weight: 1})
-	gateways = append(gateways, Gateway{addr: netip.Addr{}, weight: 1})
-	gateways = append(gateways, Gateway{addr: netip.Addr{}, weight: 1})
-
-	CalculateBucketsForGateways(gateways)
-
-	assert.Equal(t, 715827882, gateways[0].bucketUpperBound)  // INT_MAX/3
-	assert.Equal(t, 1431655764, gateways[1].bucketUpperBound) // INT_MAX/3*2
-	assert.Equal(t, 2147483647, gateways[2].bucketUpperBound) // INT_MAX
-}

service/service_test.go

@@ -13,10 +13,10 @@ import (
 	"github.com/slackhq/nebula/cert_test"
 	"github.com/slackhq/nebula/config"
 	"golang.org/x/sync/errgroup"
-	"gopkg.in/yaml.v3"
+	"gopkg.in/yaml.v2"
 )
 
-type m = map[string]any
+type m map[string]interface{}
 
 func newSimpleService(caCrt cert.Certificate, caKey []byte, name string, udpIp netip.Addr, overrides m) *Service {
 	_, _, myPrivKey, myPEM := cert_test.NewTestCert(cert.Version2, cert.Curve_CURVE25519, caCrt, caKey, "a", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{netip.PrefixFrom(udpIp, 24)}, nil, []string{})

ssh.go

@@ -124,10 +124,10 @@ func configSSH(l *logrus.Logger, ssh *sshd.SSHServer, c *config.C) (func(), erro
 	}
 
 	rawKeys := c.Get("sshd.authorized_users")
-	keys, ok := rawKeys.([]any)
+	keys, ok := rawKeys.([]interface{})
 	if ok {
 		for _, rk := range keys {
-			kDef, ok := rk.(map[string]any)
+			kDef, ok := rk.(map[interface{}]interface{})
 			if !ok {
 				l.WithField("sshKeyConfig", rk).Warn("Authorized user had an error, ignoring")
 				continue
@@ -148,7 +148,7 @@ func configSSH(l *logrus.Logger, ssh *sshd.SSHServer, c *config.C) (func(), erro
 					continue
 				}
 
-			case []any:
+			case []interface{}:
 				for _, subK := range v {
 					sk, ok := subK.(string)
 					if !ok {
@@ -190,7 +190,7 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 	ssh.RegisterCommand(&sshd.Command{
 		Name:             "list-hostmap",
 		ShortDescription: "List all known previously connected hosts",
-		Flags: func() (*flag.FlagSet, any) {
+		Flags: func() (*flag.FlagSet, interface{}) {
 			fl := flag.NewFlagSet("", flag.ContinueOnError)
 			s := sshListHostMapFlags{}
 			fl.BoolVar(&s.Json, "json", false, "outputs as json with more information")
@@ -198,7 +198,7 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 			fl.BoolVar(&s.ByIndex, "by-index", false, "gets all hosts in the hostmap from the index table")
 			return fl, &s
 		},
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			return sshListHostMap(f.hostMap, fs, w)
 		},
 	})
@@ -206,7 +206,7 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 	ssh.RegisterCommand(&sshd.Command{
 		Name:             "list-pending-hostmap",
 		ShortDescription: "List all handshaking hosts",
-		Flags: func() (*flag.FlagSet, any) {
+		Flags: func() (*flag.FlagSet, interface{}) {
 			fl := flag.NewFlagSet("", flag.ContinueOnError)
 			s := sshListHostMapFlags{}
 			fl.BoolVar(&s.Json, "json", false, "outputs as json with more information")
@@ -214,7 +214,7 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 			fl.BoolVar(&s.ByIndex, "by-index", false, "gets all hosts in the hostmap from the index table")
 			return fl, &s
 		},
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			return sshListHostMap(f.handshakeManager, fs, w)
 		},
 	})
@@ -222,14 +222,14 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 	ssh.RegisterCommand(&sshd.Command{
 		Name:             "list-lighthouse-addrmap",
 		ShortDescription: "List all lighthouse map entries",
-		Flags: func() (*flag.FlagSet, any) {
+		Flags: func() (*flag.FlagSet, interface{}) {
 			fl := flag.NewFlagSet("", flag.ContinueOnError)
 			s := sshListHostMapFlags{}
 			fl.BoolVar(&s.Json, "json", false, "outputs as json with more information")
 			fl.BoolVar(&s.Pretty, "pretty", false, "pretty prints json, assumes -json")
 			return fl, &s
 		},
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			return sshListLighthouseMap(f.lightHouse, fs, w)
 		},
 	})
@@ -237,7 +237,7 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 	ssh.RegisterCommand(&sshd.Command{
 		Name:             "reload",
 		ShortDescription: "Reloads configuration from disk, same as sending HUP to the process",
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			return sshReload(c, w)
 		},
 	})
@@ -251,7 +251,7 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 	ssh.RegisterCommand(&sshd.Command{
 		Name:             "stop-cpu-profile",
 		ShortDescription: "Stops a cpu profile and writes output to the previously provided file",
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			pprof.StopCPUProfile()
 			return w.WriteLine("If a CPU profile was running it is now stopped")
 		},
@@ -278,7 +278,7 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 	ssh.RegisterCommand(&sshd.Command{
 		Name:             "log-level",
 		ShortDescription: "Gets or sets the current log level",
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			return sshLogLevel(l, fs, a, w)
 		},
 	})
@@ -286,7 +286,7 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 	ssh.RegisterCommand(&sshd.Command{
 		Name:             "log-format",
 		ShortDescription: "Gets or sets the current log format",
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			return sshLogFormat(l, fs, a, w)
 		},
 	})
@@ -294,7 +294,7 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 	ssh.RegisterCommand(&sshd.Command{
 		Name:             "version",
 		ShortDescription: "Prints the currently running version of nebula",
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			return sshVersion(f, fs, a, w)
 		},
 	})
@@ -302,14 +302,14 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 	ssh.RegisterCommand(&sshd.Command{
 		Name:             "device-info",
 		ShortDescription: "Prints information about the network device.",
-		Flags: func() (*flag.FlagSet, any) {
+		Flags: func() (*flag.FlagSet, interface{}) {
 			fl := flag.NewFlagSet("", flag.ContinueOnError)
 			s := sshDeviceInfoFlags{}
 			fl.BoolVar(&s.Json, "json", false, "outputs as json with more information")
 			fl.BoolVar(&s.Pretty, "pretty", false, "pretty prints json, assumes -json")
 			return fl, &s
 		},
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			return sshDeviceInfo(f, fs, w)
 		},
 	})
@@ -317,7 +317,7 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 	ssh.RegisterCommand(&sshd.Command{
 		Name:             "print-cert",
 		ShortDescription: "Prints the current certificate being used or the certificate for the provided vpn addr",
-		Flags: func() (*flag.FlagSet, any) {
+		Flags: func() (*flag.FlagSet, interface{}) {
 			fl := flag.NewFlagSet("", flag.ContinueOnError)
 			s := sshPrintCertFlags{}
 			fl.BoolVar(&s.Json, "json", false, "outputs as json")
@@ -325,7 +325,7 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 			fl.BoolVar(&s.Raw, "raw", false, "raw prints the PEM encoded certificate, not compatible with -json or -pretty")
 			return fl, &s
 		},
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			return sshPrintCert(f, fs, a, w)
 		},
 	})
@@ -333,13 +333,13 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 	ssh.RegisterCommand(&sshd.Command{
 		Name:             "print-tunnel",
 		ShortDescription: "Prints json details about a tunnel for the provided vpn addr",
-		Flags: func() (*flag.FlagSet, any) {
+		Flags: func() (*flag.FlagSet, interface{}) {
 			fl := flag.NewFlagSet("", flag.ContinueOnError)
 			s := sshPrintTunnelFlags{}
 			fl.BoolVar(&s.Pretty, "pretty", false, "pretty prints json")
 			return fl, &s
 		},
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			return sshPrintTunnel(f, fs, a, w)
 		},
 	})
@@ -347,13 +347,13 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 	ssh.RegisterCommand(&sshd.Command{
 		Name:             "print-relays",
 		ShortDescription: "Prints json details about all relay info",
-		Flags: func() (*flag.FlagSet, any) {
+		Flags: func() (*flag.FlagSet, interface{}) {
 			fl := flag.NewFlagSet("", flag.ContinueOnError)
 			s := sshPrintTunnelFlags{}
 			fl.BoolVar(&s.Pretty, "pretty", false, "pretty prints json")
 			return fl, &s
 		},
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			return sshPrintRelays(f, fs, a, w)
 		},
 	})
@@ -361,13 +361,13 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 	ssh.RegisterCommand(&sshd.Command{
 		Name:             "change-remote",
 		ShortDescription: "Changes the remote address used in the tunnel for the provided vpn addr",
-		Flags: func() (*flag.FlagSet, any) {
+		Flags: func() (*flag.FlagSet, interface{}) {
 			fl := flag.NewFlagSet("", flag.ContinueOnError)
 			s := sshChangeRemoteFlags{}
 			fl.StringVar(&s.Address, "address", "", "The new remote address, ip:port")
 			return fl, &s
 		},
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			return sshChangeRemote(f, fs, a, w)
 		},
 	})
@@ -375,13 +375,13 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 	ssh.RegisterCommand(&sshd.Command{
 		Name:             "close-tunnel",
 		ShortDescription: "Closes a tunnel for the provided vpn addr",
-		Flags: func() (*flag.FlagSet, any) {
+		Flags: func() (*flag.FlagSet, interface{}) {
 			fl := flag.NewFlagSet("", flag.ContinueOnError)
 			s := sshCloseTunnelFlags{}
 			fl.BoolVar(&s.LocalOnly, "local-only", false, "Disables notifying the remote that the tunnel is shutting down")
 			return fl, &s
 		},
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			return sshCloseTunnel(f, fs, a, w)
 		},
 	})
@@ -390,13 +390,13 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 		Name:             "create-tunnel",
 		ShortDescription: "Creates a tunnel for the provided vpn address",
 		Help:             "The lighthouses will be queried for real addresses but you can provide one as well.",
-		Flags: func() (*flag.FlagSet, any) {
+		Flags: func() (*flag.FlagSet, interface{}) {
 			fl := flag.NewFlagSet("", flag.ContinueOnError)
 			s := sshCreateTunnelFlags{}
 			fl.StringVar(&s.Address, "address", "", "Optionally provide a real remote address, ip:port ")
 			return fl, &s
 		},
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			return sshCreateTunnel(f, fs, a, w)
 		},
 	})
@@ -405,13 +405,13 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
 		Name:             "query-lighthouse",
 		ShortDescription: "Query the lighthouses for the provided vpn address",
 		Help:             "This command is asynchronous. Only currently known udp addresses will be printed.",
-		Callback: func(fs any, a []string, w sshd.StringWriter) error {
+		Callback: func(fs interface{}, a []string, w sshd.StringWriter) error {
 			return sshQueryLighthouse(f, fs, a, w)
 		},
 	})
 }
 
-func sshListHostMap(hl controlHostLister, a any, w sshd.StringWriter) error {
+func sshListHostMap(hl controlHostLister, a interface{}, w sshd.StringWriter) error {
 	fs, ok := a.(*sshListHostMapFlags)
 	if !ok {
 		return nil
@@ -451,7 +451,7 @@ func sshListHostMap(hl controlHostLister, a any, w sshd.StringWriter) error {
 	return nil
 }
 
-func sshListLighthouseMap(lightHouse *LightHouse, a any, w sshd.StringWriter) error {
+func sshListLighthouseMap(lightHouse *LightHouse, a interface{}, w sshd.StringWriter) error {
 	fs, ok := a.(*sshListHostMapFlags)
 	if !ok {
 		return nil
@@ -505,7 +505,7 @@ func sshListLighthouseMap(lightHouse *LightHouse, a any, w sshd.StringWriter) er
 	return nil
 }
 
-func sshStartCpuProfile(fs any, a []string, w sshd.StringWriter) error {
+func sshStartCpuProfile(fs interface{}, a []string, w sshd.StringWriter) error {
 	if len(a) == 0 {
 		err := w.WriteLine("No path to write profile provided")
 		return err
@@ -527,11 +527,11 @@ func sshStartCpuProfile(fs any, a []string, w sshd.StringWriter) error {
 	return err
 }
 
-func sshVersion(ifce *Interface, _ any, _ []string, w sshd.StringWriter) error {
+func sshVersion(ifce *Interface, fs interface{}, a []string, w sshd.StringWriter) error {
-	return w.WriteLine(ifce.version)
+	return w.WriteLine(fmt.Sprintf("%s", ifce.version))
 }
 
-func sshQueryLighthouse(ifce *Interface, _ any, a []string, w sshd.StringWriter) error {
+func sshQueryLighthouse(ifce *Interface, fs interface{}, a []string, w sshd.StringWriter) error {
 	if len(a) == 0 {
 		return w.WriteLine("No vpn address was provided")
 	}
@@ -553,7 +553,7 @@ func sshQueryLighthouse(ifce *Interface, _ any, a []string, w sshd.StringWriter)
 	return json.NewEncoder(w.GetWriter()).Encode(cm)
 }
 
-func sshCloseTunnel(ifce *Interface, fs any, a []string, w sshd.StringWriter) error {
+func sshCloseTunnel(ifce *Interface, fs interface{}, a []string, w sshd.StringWriter) error {
 	flags, ok := fs.(*sshCloseTunnelFlags)
 	if !ok {
 		return nil
@@ -584,7 +584,7 @@ func sshCloseTunnel(ifce *Interface, fs any, a []string, w sshd.StringWriter) er
 			hostInfo.ConnectionState,
 			hostInfo,
 			[]byte{},
-			make([]byte, 12),
+			make([]byte, 12, 12),
 			make([]byte, mtu),
 		)
 	}
@@ -593,7 +593,7 @@ func sshCloseTunnel(ifce *Interface, fs any, a []string, w sshd.StringWriter) er
 	return w.WriteLine("Closed")
 }
 
-func sshCreateTunnel(ifce *Interface, fs any, a []string, w sshd.StringWriter) error {
+func sshCreateTunnel(ifce *Interface, fs interface{}, a []string, w sshd.StringWriter) error {
 	flags, ok := fs.(*sshCreateTunnelFlags)
 	if !ok {
 		return nil
@@ -614,12 +614,12 @@ func sshCreateTunnel(ifce *Interface, fs any, a []string, w sshd.StringWriter) e
 
 	hostInfo := ifce.hostMap.QueryVpnAddr(vpnAddr)
 	if hostInfo != nil {
-		return w.WriteLine("Tunnel already exists")
+		return w.WriteLine(fmt.Sprintf("Tunnel already exists"))
 	}
 
 	hostInfo = ifce.handshakeManager.QueryVpnAddr(vpnAddr)
 	if hostInfo != nil {
-		return w.WriteLine("Tunnel already handshaking")
+		return w.WriteLine(fmt.Sprintf("Tunnel already handshaking"))
 	}
 
 	var addr netip.AddrPort
@@ -638,7 +638,7 @@ func sshCreateTunnel(ifce *Interface, fs any, a []string, w sshd.StringWriter) e
 	return w.WriteLine("Created")
 }
 
-func sshChangeRemote(ifce *Interface, fs any, a []string, w sshd.StringWriter) error {
+func sshChangeRemote(ifce *Interface, fs interface{}, a []string, w sshd.StringWriter) error {
 	flags, ok := fs.(*sshChangeRemoteFlags)
 	if !ok {
 		return nil
@@ -675,7 +675,7 @@ func sshChangeRemote(ifce *Interface, fs any, a []string, w sshd.StringWriter) e
 	return w.WriteLine("Changed")
 }
 
-func sshGetHeapProfile(fs any, a []string, w sshd.StringWriter) error {
+func sshGetHeapProfile(fs interface{}, a []string, w sshd.StringWriter) error {
 	if len(a) == 0 {
 		return w.WriteLine("No path to write profile provided")
 	}
@@ -696,7 +696,7 @@ func sshGetHeapProfile(fs any, a []string, w sshd.StringWriter) error {
 	return err
 }
 
-func sshMutexProfileFraction(fs any, a []string, w sshd.StringWriter) error {
+func sshMutexProfileFraction(fs interface{}, a []string, w sshd.StringWriter) error {
 	if len(a) == 0 {
 		rate := runtime.SetMutexProfileFraction(-1)
 		return w.WriteLine(fmt.Sprintf("Current value: %d", rate))
@@ -711,7 +711,7 @@ func sshMutexProfileFraction(fs any, a []string, w sshd.StringWriter) error {
 	return w.WriteLine(fmt.Sprintf("New value: %d. Old value: %d", newRate, oldRate))
 }
 
-func sshGetMutexProfile(fs any, a []string, w sshd.StringWriter) error {
+func sshGetMutexProfile(fs interface{}, a []string, w sshd.StringWriter) error {
 	if len(a) == 0 {
 		return w.WriteLine("No path to write profile provided")
 	}
@@ -735,7 +735,7 @@ func sshGetMutexProfile(fs any, a []string, w sshd.StringWriter) error {
 	return w.WriteLine(fmt.Sprintf("Mutex profile created at %s", a))
 }
 
-func sshLogLevel(l *logrus.Logger, _ any, a []string, w sshd.StringWriter) error {
+func sshLogLevel(l *logrus.Logger, fs interface{}, a []string, w sshd.StringWriter) error {
 	if len(a) == 0 {
 		return w.WriteLine(fmt.Sprintf("Log level is: %s", l.Level))
 	}
@@ -749,7 +749,7 @@ func sshLogLevel(l *logrus.Logger, _ any, a []string, w sshd.StringWriter) error
 	return w.WriteLine(fmt.Sprintf("Log level is: %s", l.Level))
 }
 
-func sshLogFormat(l *logrus.Logger, _ any, a []string, w sshd.StringWriter) error {
+func sshLogFormat(l *logrus.Logger, fs interface{}, a []string, w sshd.StringWriter) error {
 	if len(a) == 0 {
 		return w.WriteLine(fmt.Sprintf("Log format is: %s", reflect.TypeOf(l.Formatter)))
 	}
@@ -767,7 +767,7 @@ func sshLogFormat(l *logrus.Logger, _ any, a []string, w sshd.StringWriter) erro
 	return w.WriteLine(fmt.Sprintf("Log format is: %s", reflect.TypeOf(l.Formatter)))
 }
 
-func sshPrintCert(ifce *Interface, fs any, a []string, w sshd.StringWriter) error {
+func sshPrintCert(ifce *Interface, fs interface{}, a []string, w sshd.StringWriter) error {
 	args, ok := fs.(*sshPrintCertFlags)
 	if !ok {
 		return nil
@@ -822,10 +822,10 @@ func sshPrintCert(ifce *Interface, fs any, a []string, w sshd.StringWriter) erro
 	return w.WriteLine(cert.String())
 }
 
-func sshPrintRelays(ifce *Interface, fs any, _ []string, w sshd.StringWriter) error {
+func sshPrintRelays(ifce *Interface, fs interface{}, a []string, w sshd.StringWriter) error {
 	args, ok := fs.(*sshPrintTunnelFlags)
 	if !ok {
-		w.WriteLine("sshPrintRelays failed to convert args type")
+		w.WriteLine(fmt.Sprintf("sshPrintRelays failed to convert args type"))
 		return nil
 	}
 
@@ -919,7 +919,7 @@ func sshPrintRelays(ifce *Interface, fs any, _ []string, w sshd.StringWriter) er
 	return nil
 }
 
-func sshPrintTunnel(ifce *Interface, fs any, a []string, w sshd.StringWriter) error {
+func sshPrintTunnel(ifce *Interface, fs interface{}, a []string, w sshd.StringWriter) error {
 	args, ok := fs.(*sshPrintTunnelFlags)
 	if !ok {
 		return nil
@@ -951,7 +951,7 @@ func sshPrintTunnel(ifce *Interface, fs any, a []string, w sshd.StringWriter) er
 	return enc.Encode(copyHostInfo(hostInfo, ifce.hostMap.GetPreferredRanges()))
 }
 
-func sshDeviceInfo(ifce *Interface, fs any, w sshd.StringWriter) error {
+func sshDeviceInfo(ifce *Interface, fs interface{}, w sshd.StringWriter) error {
 
 	data := struct {
 		Name string         `json:"name"`

sshd/command.go

@@ -12,7 +12,7 @@ import (
 
 // CommandFlags is a function called before help or command execution to parse command line flags
 // It should return a flag.FlagSet instance and a pointer to the struct that will contain parsed flags
-type CommandFlags func() (*flag.FlagSet, any)
+type CommandFlags func() (*flag.FlagSet, interface{})
 
 // CommandCallback is the function called when your command should execute.
 // fs will be a a pointer to the struct provided by Command.Flags callback, if there was one. -h and -help are reserved
@@ -21,7 +21,7 @@ type CommandFlags func() (*flag.FlagSet, any)
 // w is the writer to use when sending messages back to the client.
 // If an error is returned by the callback it is logged locally, the callback should handle messaging errors to the user
 // where appropriate
-type CommandCallback func(fs any, a []string, w StringWriter) error
+type CommandCallback func(fs interface{}, a []string, w StringWriter) error
 
 type Command struct {
 	Name             string
@@ -34,7 +34,7 @@ type Command struct {
 func execCommand(c *Command, args []string, w StringWriter) error {
 	var (
 		fl *flag.FlagSet
-		fs any
+		fs interface{}
 	)
 
 	if c.Flags != nil {
@@ -85,7 +85,7 @@ func lookupCommand(c *radix.Tree, sCmd string) (*Command, error) {
 
 func matchCommand(c *radix.Tree, cmd string) []string {
 	cmds := make([]string, 0)
-	c.WalkPrefix(cmd, func(found string, v any) bool {
+	c.WalkPrefix(cmd, func(found string, v interface{}) bool {
 		cmds = append(cmds, found)
 		return false
 	})
@@ -95,7 +95,7 @@ func matchCommand(c *radix.Tree, cmd string) []string {
 
 func allCommands(c *radix.Tree) []*Command {
 	cmds := make([]*Command, 0)
-	c.WalkPrefix("", func(found string, v any) bool {
+	c.WalkPrefix("", func(found string, v interface{}) bool {
 		cmd, ok := v.(*Command)
 		if ok {
 			cmds = append(cmds, cmd)

sshd/server.go

@@ -23,6 +23,7 @@ type SSHServer struct {
 	trustedCAs  []ssh.PublicKey
 
 	// List of available commands
+	helpCommand *Command
 	commands    *radix.Tree
 	listener    net.Listener
 
@@ -42,7 +43,7 @@ func NewSSHServer(l *logrus.Entry) (*SSHServer, error) {
 		conns:       make(map[int]*session),
 	}
 
-	cc := &ssh.CertChecker{
+	cc := ssh.CertChecker{
 		IsUserAuthority: func(auth ssh.PublicKey) bool {
 			for _, ca := range s.trustedCAs {
 				if bytes.Equal(ca.Marshal(), auth.Marshal()) {
@@ -76,17 +77,16 @@ func NewSSHServer(l *logrus.Entry) (*SSHServer, error) {
 
 		},
 	}
-	s.certChecker = cc
 
 	s.config = &ssh.ServerConfig{
 		PublicKeyCallback: cc.Authenticate,
-		ServerVersion:     "SSH-2.0-Nebula???",
+		ServerVersion:     fmt.Sprintf("SSH-2.0-Nebula???"),
 	}
 
 	s.RegisterCommand(&Command{
 		Name:             "help",
 		ShortDescription: "prints available commands or help <command> for specific usage info",
-		Callback: func(a any, args []string, w StringWriter) error {
+		Callback: func(a interface{}, args []string, w StringWriter) error {
 			return helpCallback(s.commands, args, w)
 		},
 	})

sshd/session.go

@@ -9,13 +9,13 @@ import (
 	"github.com/armon/go-radix"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/crypto/ssh"
-	"golang.org/x/term"
+	"golang.org/x/crypto/ssh/terminal"
 )
 
 type session struct {
 	l        *logrus.Entry
 	c        *ssh.ServerConn
-	term     *term.Terminal
+	term     *terminal.Terminal
 	commands *radix.Tree
 	exitChan chan bool
 }
@@ -31,7 +31,7 @@ func NewSession(commands *radix.Tree, conn *ssh.ServerConn, chans <-chan ssh.New
 	s.commands.Insert("logout", &Command{
 		Name:             "logout",
 		ShortDescription: "Ends the current session",
-		Callback: func(a any, args []string, w StringWriter) error {
+		Callback: func(a interface{}, args []string, w StringWriter) error {
 			s.Close()
 			return nil
 		},
@@ -106,8 +106,8 @@ func (s *session) handleRequests(in <-chan *ssh.Request, channel ssh.Channel) {
 	}
 }
 
-func (s *session) createTerm(channel ssh.Channel) *term.Terminal {
+func (s *session) createTerm(channel ssh.Channel) *terminal.Terminal {
-	term := term.NewTerminal(channel, s.c.User()+"@nebula > ")
+	term := terminal.NewTerminal(channel, s.c.User()+"@nebula > ")
 	term.AutoCompleteCallback = func(line string, pos int, key rune) (newLine string, newPos int, ok bool) {
 		// key 9 is tab
 		if key == 9 {
@@ -170,6 +170,7 @@ func (s *session) dispatchCommand(line string, w StringWriter) {
 	}
 
 	_ = execCommand(c, args[1:], w)
+	return
 }
 
 func (s *session) Close() {

test/assert.go

@@ -13,7 +13,7 @@ import (
 
 // AssertDeepCopyEqual checks to see if two variables have the same values but DO NOT share any memory
 // There is currently a special case for `time.loc` (as this code traverses into unexported fields)
-func AssertDeepCopyEqual(t *testing.T, a any, b any) {
+func AssertDeepCopyEqual(t *testing.T, a interface{}, b interface{}) {
 	v1 := reflect.ValueOf(a)
 	v2 := reflect.ValueOf(b)
 

test/tun.go

@@ -4,14 +4,12 @@ import (
 	"errors"
 	"io"
 	"net/netip"
-
-	"github.com/slackhq/nebula/routing"
 )
 
 type NoopTun struct{}
 
-func (NoopTun) RoutesFor(addr netip.Addr) routing.Gateways {
+func (NoopTun) RouteFor(addr netip.Addr) netip.Addr {
-	return routing.Gateways{}
+	return netip.Addr{}
 }
 
 func (NoopTun) Activate() error {

udp/conn.go

@@ -30,11 +30,15 @@ func (NoopConn) Rebind() error {
 func (NoopConn) LocalAddr() (netip.AddrPort, error) {
 	return netip.AddrPort{}, nil
 }
-func (NoopConn) ListenOut(_ EncReader) {}
+func (NoopConn) ListenOut(_ EncReader) {
+	return
+}
 func (NoopConn) WriteTo(_ []byte, _ netip.AddrPort) error {
 	return nil
 }
-func (NoopConn) ReloadConfig(_ *config.C) {}
+func (NoopConn) ReloadConfig(_ *config.C) {
+	return
+}
 func (NoopConn) Close() error {
 	return nil
 }

udp/udp_generic.go

@@ -33,7 +33,7 @@ func NewGenericListener(l *logrus.Logger, ip netip.Addr, port int, multi bool, b
 	if uc, ok := pc.(*net.UDPConn); ok {
 		return &GenericConn{UDPConn: uc, l: l}, nil
 	}
-	return nil, fmt.Errorf("unexpected PacketConn: %T %#v", pc, pc)
+	return nil, fmt.Errorf("Unexpected PacketConn: %T %#v", pc, pc)
 }
 
 func (u *GenericConn) WriteTo(b []byte, addr netip.AddrPort) error {
@@ -66,6 +66,10 @@ func NewUDPStatsEmitter(udpConns []Conn) func() {
 	return func() {}
 }
 
+type rawMessage struct {
+	Len uint32
+}
+
 func (u *GenericConn) ListenOut(r EncReader) {
 	buffer := make([]byte, MTU)
 

util/error.go

@@ -9,11 +9,11 @@ import (
 
 type ContextualError struct {
 	RealError error
-	Fields    map[string]any
+	Fields    map[string]interface{}
 	Context   string
 }
 
-func NewContextualError(msg string, fields map[string]any, realError error) *ContextualError {
+func NewContextualError(msg string, fields map[string]interface{}, realError error) *ContextualError {
 	return &ContextualError{Context: msg, Fields: fields, RealError: realError}
 }
 

util/error_test.go

@@ -9,7 +9,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-type m = map[string]any
+type m map[string]interface{}
 
 type TestLogWriter struct {
 	Logs []string