weird line breaks

CHANGELOG.md

@@ -7,30 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-### Added
-
-- Experimental Linux UDP offload support: enable `listen.enable_gso` and
-  `listen.enable_gro` to activate UDP_SEGMENT batching and GRO receive
-  splitting. Includes automatic capability probing, per-packet fallbacks, and
-  runtime metrics/logs for visibility.
-- Optional Linux TUN `virtio_net_hdr` support: set `tun.enable_vnet_hdr` to
-  have Nebula negotiate VNET headers and offload flags so future batches can
-  be delivered to the kernel with metadata instead of per-packet writes.
-- Linux UDP send sharding can now be tuned with `listen.send_shards`; defaults
-  to `GOMAXPROCS` but can be increased to stripe heavy peers across more
-  goroutines.
-
 ### Changed
 
 - `default_local_cidr_any` now defaults to false, meaning that any firewall rule
   intended to target an `unsafe_routes` entry must explicitly declare it via the
   `local_cidr` field. This is almost always the intended behavior. This flag is
   deprecated and will be removed in a future release.
-- UDP receive path now enqueues into per-worker lock-free rings, restoring the
-  `listen.decrypt_workers`/`listen.decrypt_queue_depth` tuning knobs while
-  eliminating the mutex contention from the old shared channel.
-- Increased replay protection window to 32k packets so high-throughput links
-  tolerate larger bursts of reordering without tripping the anti-replay logic.
 
 ## [1.9.4] - 2024-09-09
 

connection_state.go

@@ -13,10 +13,7 @@ import (
 	"github.com/slackhq/nebula/noiseutil"
 )
 
-// ReplayWindow controls the size of the sliding window used to detect replays.
+const ReplayWindow = 1024
-// High-bandwidth links with GRO/GSO can reorder more than a thousand packets in
-// flight, so keep this comfortably above the largest expected burst.
-const ReplayWindow = 32768
 
 type ConnectionState struct {
 	eKey           *NebulaCipherState

e2e/helpers_test.go

@@ -29,8 +29,6 @@ type m = map[string]any
 
 // newSimpleServer creates a nebula instance with many assumptions
 func newSimpleServer(v cert.Version, caCrt cert.Certificate, caKey []byte, name string, sVpnNetworks string, overrides m) (*nebula.Control, []netip.Prefix, netip.AddrPort, *config.C) {
-	l := NewTestLogger()
-
 	var vpnNetworks []netip.Prefix
 	for _, sn := range strings.Split(sVpnNetworks, ",") {
 		vpnIpNet, err := netip.ParsePrefix(strings.TrimSpace(sn))
@@ -56,6 +54,25 @@ func newSimpleServer(v cert.Version, caCrt cert.Certificate, caKey []byte, name
 		budpIp[3] = 239
 		udpAddr = netip.AddrPortFrom(netip.AddrFrom16(budpIp), 4242)
 	}
+	return newSimpleServerWithUdp(v, caCrt, caKey, name, sVpnNetworks, udpAddr, overrides)
+}
+
+func newSimpleServerWithUdp(v cert.Version, caCrt cert.Certificate, caKey []byte, name string, sVpnNetworks string, udpAddr netip.AddrPort, overrides m) (*nebula.Control, []netip.Prefix, netip.AddrPort, *config.C) {
+	l := NewTestLogger()
+
+	var vpnNetworks []netip.Prefix
+	for _, sn := range strings.Split(sVpnNetworks, ",") {
+		vpnIpNet, err := netip.ParsePrefix(strings.TrimSpace(sn))
+		if err != nil {
+			panic(err)
+		}
+		vpnNetworks = append(vpnNetworks, vpnIpNet)
+	}
+
+	if len(vpnNetworks) == 0 {
+		panic("no vpn networks")
+	}
+
 	_, _, myPrivKey, myPEM := cert_test.NewTestCert(v, cert.Curve_CURVE25519, caCrt, caKey, name, time.Now(), time.Now().Add(5*time.Minute), vpnNetworks, nil, []string{})
 
 	caB, err := caCrt.MarshalPEM()

e2e/tunnels_test.go

@@ -4,6 +4,7 @@
 package e2e
 
 import (
+	"net/netip"
 	"testing"
 	"time"
 
@@ -55,3 +56,50 @@ func TestDropInactiveTunnels(t *testing.T) {
 	myControl.Stop()
 	theirControl.Stop()
 }
+
+func TestCrossStackRelaysWork(t *testing.T) {
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version2, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	myControl, myVpnIpNet, _, _ := newSimpleServer(cert.Version2, ca, caKey, "me     ", "10.128.0.1/24,fc00::1/64", m{"relay": m{"use_relays": true}})
+	relayControl, relayVpnIpNet, relayUdpAddr, _ := newSimpleServer(cert.Version2, ca, caKey, "relay  ", "10.128.0.128/24,fc00::128/64", m{"relay": m{"am_relay": true}})
+	theirUdp := netip.MustParseAddrPort("10.0.0.2:4242")
+	theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServerWithUdp(cert.Version2, ca, caKey, "them   ", "fc00::2/64", theirUdp, m{"relay": m{"use_relays": true}})
+
+	//myVpnV4 := myVpnIpNet[0]
+	myVpnV6 := myVpnIpNet[1]
+	relayVpnV4 := relayVpnIpNet[0]
+	relayVpnV6 := relayVpnIpNet[1]
+	theirVpnV6 := theirVpnIpNet[0]
+
+	// Teach my how to get to the relay and that their can be reached via the relay
+	myControl.InjectLightHouseAddr(relayVpnV4.Addr(), relayUdpAddr)
+	myControl.InjectLightHouseAddr(relayVpnV6.Addr(), relayUdpAddr)
+	myControl.InjectRelays(theirVpnV6.Addr(), []netip.Addr{relayVpnV6.Addr()})
+	relayControl.InjectLightHouseAddr(theirVpnV6.Addr(), theirUdpAddr)
+
+	// Build a router so we don't have to reason who gets which packet
+	r := router.NewR(t, myControl, relayControl, theirControl)
+	defer r.RenderFlow()
+
+	// Start the servers
+	myControl.Start()
+	relayControl.Start()
+	theirControl.Start()
+
+	t.Log("Trigger a handshake from me to them via the relay")
+	myControl.InjectTunUDPPacket(theirVpnV6.Addr(), 80, myVpnV6.Addr(), 80, []byte("Hi from me"))
+
+	p := r.RouteForAllUntilTxTun(theirControl)
+	r.Log("Assert the tunnel works")
+	assertUdpPacket(t, []byte("Hi from me"), p, myVpnV6.Addr(), theirVpnV6.Addr(), 80, 80)
+
+	t.Log("reply?")
+	theirControl.InjectTunUDPPacket(myVpnV6.Addr(), 80, theirVpnV6.Addr(), 80, []byte("Hi from them"))
+	p = r.RouteForAllUntilTxTun(myControl)
+	assertUdpPacket(t, []byte("Hi from them"), p, theirVpnV6.Addr(), myVpnV6.Addr(), 80, 80)
+
+	r.RenderHostmaps("Final hostmaps", myControl, relayControl, theirControl)
+	//t.Log("finish up")
+	//myControl.Stop()
+	//theirControl.Stop()
+	//relayControl.Stop()
+}

firewall_test.go

@@ -392,7 +392,7 @@ func BenchmarkFirewallTable_match(b *testing.B) {
 		c := &cert.CachedCertificate{
 			Certificate: &dummyCert{
 				name:     "nope",
-				networks: []netip.Prefix{netip.MustParsePrefix("fd99::99/128")},
+				networks: []netip.Prefix{netip.MustParsePrefix("fd99:99/128")},
 			},
 			InvertedGroups: map[string]struct{}{"nope": {}},
 		}

go.mod

@@ -8,30 +8,30 @@ require (
 	github.com/armon/go-radix v1.0.0
 	github.com/cyberdelia/go-metrics-graphite v0.0.0-20161219230853-39f87cc3b432
 	github.com/flynn/noise v1.1.0
-	github.com/gaissmai/bart v0.25.0
+	github.com/gaissmai/bart v0.20.4
 	github.com/gogo/protobuf v1.3.2
 	github.com/google/gopacket v1.1.19
-	github.com/kardianos/service v1.2.4
+	github.com/kardianos/service v1.2.2
-	github.com/miekg/dns v1.1.68
+	github.com/miekg/dns v1.1.65
 	github.com/miekg/pkcs11 v1.1.2-0.20231115102856-9078ad6b9d4b
 	github.com/nbrownus/go-metrics-prometheus v0.0.0-20210712211119-974a6260965f
-	github.com/prometheus/client_golang v1.23.2
+	github.com/prometheus/client_golang v1.22.0
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475
 	github.com/sirupsen/logrus v1.9.3
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6
-	github.com/stretchr/testify v1.11.1
+	github.com/stretchr/testify v1.10.0
 	github.com/vishvananda/netlink v1.3.1
-	golang.org/x/crypto v0.43.0
+	golang.org/x/crypto v0.37.0
 	golang.org/x/exp v0.0.0-20230725093048-515e97ebf090
-	golang.org/x/net v0.45.0
+	golang.org/x/net v0.39.0
-	golang.org/x/sync v0.17.0
+	golang.org/x/sync v0.13.0
-	golang.org/x/sys v0.37.0
+	golang.org/x/sys v0.32.0
-	golang.org/x/term v0.36.0
+	golang.org/x/term v0.31.0
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
 	golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b
 	golang.zx2c4.com/wireguard/windows v0.5.3
-	google.golang.org/protobuf v1.36.8
+	google.golang.org/protobuf v1.36.6
 	gopkg.in/yaml.v3 v3.0.1
 	gvisor.dev/gvisor v0.0.0-20240423190808-9d7a357edefe
 )
@@ -43,12 +43,11 @@ require (
 	github.com/google/btree v1.1.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	golang.org/x/mod v0.23.0 // indirect
-	golang.org/x/mod v0.24.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.33.0 // indirect
+	golang.org/x/tools v0.30.0 // indirect
 )

go.sum

@@ -24,8 +24,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/flynn/noise v1.1.0 h1:KjPQoQCEFdZDiP03phOvGi11+SVVhBG2wOWAorLsstg=
 github.com/flynn/noise v1.1.0/go.mod h1:xbMo+0i6+IGbYdJhF31t2eR1BIU0CYc12+BNAKwUTag=
-github.com/gaissmai/bart v0.25.0 h1:eqiokVPqM3F94vJ0bTHXHtH91S8zkKL+bKh+BsGOsJM=
+github.com/gaissmai/bart v0.20.4 h1:Ik47r1fy3jRVU+1eYzKSW3ho2UgBVTVnUS8O993584U=
-github.com/gaissmai/bart v0.25.0/go.mod h1:GREWQfTLRWz/c5FTOsIw+KkscuFkIV5t8Rp7Nd1Td5c=
+github.com/gaissmai/bart v0.20.4/go.mod h1:cEed+ge8dalcbpi8wtS9x9m2hn/fNJH5suhdGQOHnYk=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@@ -64,8 +64,8 @@ github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/kardianos/service v1.2.4 h1:XNlGtZOYNx2u91urOdg/Kfmc+gfmuIo1Dd3rEi2OgBk=
+github.com/kardianos/service v1.2.2 h1:ZvePhAHfvo0A7Mftk/tEzqEZ7Q4lgnR8sGz4xu1YX60=
-github.com/kardianos/service v1.2.4/go.mod h1:E4V9ufUuY82F7Ztlu1eN9VXWIQxg8NoLQlmFe0MtrXc=
+github.com/kardianos/service v1.2.2/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
@@ -83,8 +83,8 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/miekg/dns v1.1.68 h1:jsSRkNozw7G/mnmXULynzMNIsgY2dHC8LO6U6Ij2JEA=
+github.com/miekg/dns v1.1.65 h1:0+tIPHzUW0GCge7IiK3guGP57VAw7hoPDfApjkMD1Fc=
-github.com/miekg/dns v1.1.68/go.mod h1:fujopn7TB3Pu3JM69XaawiU0wqjpL9/8xGop5UrTPps=
+github.com/miekg/dns v1.1.65/go.mod h1:Dzw9769uoKVaLuODMDZz9M6ynFU6Em65csPuoi8G0ck=
 github.com/miekg/pkcs11 v1.1.2-0.20231115102856-9078ad6b9d4b h1:J/AzCvg5z0Hn1rqZUJjpbzALUmkKX0Zwbc/i4fw7Sfk=
 github.com/miekg/pkcs11 v1.1.2-0.20231115102856-9078ad6b9d4b/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -106,24 +106,24 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
-github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
-github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
@@ -143,33 +143,29 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
 github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
 github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
 github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
-go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
-golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
+golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
-golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
+golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
 golang.org/x/exp v0.0.0-20230725093048-515e97ebf090 h1:Di6/M8l0O2lCLc6VVRWhgCiApHV8MnQurBnFSHsQtNY=
 golang.org/x/exp v0.0.0-20230725093048-515e97ebf090/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM=
-golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -180,8 +176,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
+golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
-golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
+golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -189,8 +185,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -201,17 +197,18 @@ golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
-golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
+golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
-golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
+golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -222,8 +219,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.30.0 h1:BgcpHewrV5AUp2G9MebG4XPFI1E2W41zU1SaqVA9vJY=
-golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
+golang.org/x/tools v0.30.0/go.mod h1:c347cR/OJfw5TI+GfX7RUPNMdDRRbjvYTS0jPyvsVtY=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -242,8 +239,8 @@ google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miE
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

handshake_manager.go

@@ -292,6 +292,7 @@ func (hm *HandshakeManager) handleOutbound(vpnIp netip.Addr, lighthouseTriggered
 					idx, err := AddRelay(hm.l, relayHostInfo, hm.mainHostMap, vpnIp, nil, TerminalType, Requested)
 					if err != nil {
 						hostinfo.logger(hm.l).WithField("relay", relay.String()).WithError(err).Info("Failed to add relay to hostmap")
+						continue
 					}
 
 					m := NebulaControl{
@@ -301,37 +302,25 @@ func (hm *HandshakeManager) handleOutbound(vpnIp netip.Addr, lighthouseTriggered
 
 					switch relayHostInfo.GetCert().Certificate.Version() {
 					case cert.Version1:
-						if !hm.f.myVpnAddrs[0].Is4() {
+						err = buildRelayInfoCertV1(&m, hm.f.myVpnNetworks, vpnIp)
-							hostinfo.logger(hm.l).Error("can not establish v1 relay with a v6 network because the relay is not running a current nebula version")
-							continue
-						}
-
-						if !vpnIp.Is4() {
-							hostinfo.logger(hm.l).Error("can not establish v1 relay with a v6 remote network because the relay is not running a current nebula version")
-							continue
-						}
-
-						b := hm.f.myVpnAddrs[0].As4()
-						m.OldRelayFromAddr = binary.BigEndian.Uint32(b[:])
-						b = vpnIp.As4()
-						m.OldRelayToAddr = binary.BigEndian.Uint32(b[:])
 					case cert.Version2:
-						m.RelayFromAddr = netAddrToProtoAddr(hm.f.myVpnAddrs[0])
+						err = buildRelayInfoCertV2(&m, hm.f.myVpnNetworks, vpnIp)
-						m.RelayToAddr = netAddrToProtoAddr(vpnIp)
 					default:
-						hostinfo.logger(hm.l).Error("Unknown certificate version found while creating relay")
+						err = errors.New("unknown certificate version found while creating relay")
+					}
+					if err != nil {
+						hostinfo.logger(hm.l).WithError(err).Error("Refusing to relay")
 						continue
 					}
 
 					msg, err := m.Marshal()
 					if err != nil {
-						hostinfo.logger(hm.l).
+						hostinfo.logger(hm.l).WithError(err).
-							WithError(err).
 							Error("Failed to marshal Control message to create relay")
 					} else {
 						hm.f.SendMessageToHostInfo(header.Control, 0, relayHostInfo, msg, make([]byte, 12), make([]byte, mtu))
 						hm.l.WithFields(logrus.Fields{
-							"relayFrom":           hm.f.myVpnAddrs[0],
+							"relayFrom":           m.GetRelayFrom(),
 							"relayTo":             vpnIp,
 							"initiatorRelayIndex": idx,
 							"relay":               relay}).
@@ -357,39 +346,27 @@ func (hm *HandshakeManager) handleOutbound(vpnIp netip.Addr, lighthouseTriggered
 					InitiatorRelayIndex: existingRelay.LocalIndex,
 				}
 
+				var err error
 				switch relayHostInfo.GetCert().Certificate.Version() {
 				case cert.Version1:
-					if !hm.f.myVpnAddrs[0].Is4() {
+					err = buildRelayInfoCertV1(&m, hm.f.myVpnNetworks, vpnIp)
-						hostinfo.logger(hm.l).Error("can not establish v1 relay with a v6 network because the relay is not running a current nebula version")
-						continue
-					}
-
-					if !vpnIp.Is4() {
-						hostinfo.logger(hm.l).Error("can not establish v1 relay with a v6 remote network because the relay is not running a current nebula version")
-						continue
-					}
-
-					b := hm.f.myVpnAddrs[0].As4()
-					m.OldRelayFromAddr = binary.BigEndian.Uint32(b[:])
-					b = vpnIp.As4()
-					m.OldRelayToAddr = binary.BigEndian.Uint32(b[:])
 				case cert.Version2:
-					m.RelayFromAddr = netAddrToProtoAddr(hm.f.myVpnAddrs[0])
+					err = buildRelayInfoCertV2(&m, hm.f.myVpnNetworks, vpnIp)
-					m.RelayToAddr = netAddrToProtoAddr(vpnIp)
 				default:
-					hostinfo.logger(hm.l).Error("Unknown certificate version found while creating relay")
+					err = errors.New("unknown certificate version found while creating relay")
+				}
+				if err != nil {
+					hostinfo.logger(hm.l).WithError(err).Error("Refusing to relay")
 					continue
 				}
 				msg, err := m.Marshal()
 				if err != nil {
-					hostinfo.logger(hm.l).
+					hostinfo.logger(hm.l).WithError(err).Error("Failed to marshal Control message to create relay")
-						WithError(err).
-						Error("Failed to marshal Control message to create relay")
 				} else {
 					// This must send over the hostinfo, not over hm.Hosts[ip]
 					hm.f.SendMessageToHostInfo(header.Control, 0, relayHostInfo, msg, make([]byte, 12), make([]byte, mtu))
 					hm.l.WithFields(logrus.Fields{
-						"relayFrom":           hm.f.myVpnAddrs[0],
+						"relayFrom":           m.GetRelayFrom(),
 						"relayTo":             vpnIp,
 						"initiatorRelayIndex": existingRelay.LocalIndex,
 						"relay":               relay}).
@@ -724,3 +701,32 @@ func generateIndex(l *logrus.Logger) (uint32, error) {
 func hsTimeout(tries int64, interval time.Duration) time.Duration {
 	return time.Duration(tries / 2 * ((2 * int64(interval)) + (tries-1)*int64(interval)))
 }
+
+var errNoRelayTooOld = errors.New("can not establish v1 relay with a v6 network because the relay is not running a current nebula version")
+
+func buildRelayInfoCertV1(m *NebulaControl, myVpnNetworks []netip.Prefix, peerVpnIp netip.Addr) error {
+	relayFrom := myVpnNetworks[0].Addr()
+	if !relayFrom.Is4() {
+		return errNoRelayTooOld
+	}
+	if !peerVpnIp.Is4() {
+		return errNoRelayTooOld
+	}
+
+	b := relayFrom.As4()
+	m.OldRelayFromAddr = binary.BigEndian.Uint32(b[:])
+	b = peerVpnIp.As4()
+	m.OldRelayToAddr = binary.BigEndian.Uint32(b[:])
+	return nil
+}
+
+func buildRelayInfoCertV2(m *NebulaControl, myVpnNetworks []netip.Prefix, peerVpnIp netip.Addr) error {
+	for i := range myVpnNetworks {
+		if myVpnNetworks[i].Contains(peerVpnIp) {
+			m.RelayFromAddr = netAddrToProtoAddr(myVpnNetworks[i].Addr())
+			m.RelayToAddr = netAddrToProtoAddr(peerVpnIp)
+			return nil
+		}
+	}
+	return errors.New("cannot establish relay, no networks in common")
+}

hostmap.go

@@ -512,13 +512,16 @@ func (hm *HostMap) QueryVpnAddr(vpnIp netip.Addr) *HostInfo {
 	return hm.queryVpnAddr(vpnIp, nil)
 }
 
+var errUnableToFindHost = errors.New("unable to find host")
+var errUnableToFindHostWithRelay = errors.New("unable to find host with relay")
+
 func (hm *HostMap) QueryVpnAddrsRelayFor(targetIps []netip.Addr, relayHostIp netip.Addr) (*HostInfo, *Relay, error) {
 	hm.RLock()
 	defer hm.RUnlock()
 
 	h, ok := hm.Hosts[relayHostIp]
 	if !ok {
-		return nil, nil, errors.New("unable to find host")
+		return nil, nil, errUnableToFindHost
 	}
 
 	for h != nil {
@@ -531,7 +534,7 @@ func (hm *HostMap) QueryVpnAddrsRelayFor(targetIps []netip.Addr, relayHostIp net
 		h = h.next
 	}
 
-	return nil, nil, errors.New("unable to find host with relay")
+	return nil, nil, errUnableToFindHostWithRelay
 }
 
 func (hm *HostMap) unlockedDisestablishVpnAddrRelayFor(hi *HostInfo) {

interface.go

@@ -5,11 +5,9 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"math/bits"
 	"net/netip"
 	"os"
 	"runtime"
-	"sync"
 	"sync/atomic"
 	"time"
 
@@ -23,12 +21,7 @@ import (
 	"github.com/slackhq/nebula/udp"
 )
 
-const (
+const mtu = 9001
-	mtu                        = 9001
-	tunReadBufferSize          = mtu * 8
-	defaultDecryptWorkerFactor = 2
-	defaultInboundQueueDepth   = 1024
-)
 
 type InterfaceConfig struct {
 	HostMap            *HostMap
@@ -55,8 +48,6 @@ type InterfaceConfig struct {
 
 	ConntrackCacheTimeout time.Duration
 	l                     *logrus.Logger
-	DecryptWorkers        int
-	DecryptQueueDepth     int
 }
 
 type Interface struct {
@@ -102,166 +93,6 @@ type Interface struct {
 	cachedPacketMetrics *cachedPacketMetrics
 
 	l *logrus.Logger
-	ctx            context.Context
-	udpListenWG    sync.WaitGroup
-	inboundPool    sync.Pool
-	decryptWG      sync.WaitGroup
-	decryptQueues  []*inboundRing
-	decryptWorkers int
-	decryptStates  []decryptWorkerState
-	decryptCounter atomic.Uint32
-}
-
-type inboundPacket struct {
-	addr    netip.AddrPort
-	payload []byte
-	release func()
-	queue   int
-}
-
-type decryptWorkerState struct {
-	queue  *inboundRing
-	notify chan struct{}
-}
-
-type decryptContext struct {
-	ctTicker *firewall.ConntrackCacheTicker
-	plain    []byte
-	head     header.H
-	fwPacket firewall.Packet
-	light    *LightHouseHandler
-	nebula   []byte
-}
-
-type inboundCell struct {
-	seq atomic.Uint64
-	pkt *inboundPacket
-}
-
-type inboundRing struct {
-	mask       uint64
-	cells      []inboundCell
-	enqueuePos atomic.Uint64
-	dequeuePos atomic.Uint64
-}
-
-func newInboundRing(capacity int) *inboundRing {
-	if capacity < 2 {
-		capacity = 2
-	}
-	size := nextPowerOfTwo(uint32(capacity))
-	if size < 2 {
-		size = 2
-	}
-	ring := &inboundRing{
-		mask:  uint64(size - 1),
-		cells: make([]inboundCell, size),
-	}
-	for i := range ring.cells {
-		ring.cells[i].seq.Store(uint64(i))
-	}
-	return ring
-}
-
-func nextPowerOfTwo(v uint32) uint32 {
-	if v == 0 {
-		return 1
-	}
-	return 1 << (32 - bits.LeadingZeros32(v-1))
-}
-
-func (r *inboundRing) Enqueue(pkt *inboundPacket) bool {
-	var cell *inboundCell
-	pos := r.enqueuePos.Load()
-	for {
-		cell = &r.cells[pos&r.mask]
-		seq := cell.seq.Load()
-		diff := int64(seq) - int64(pos)
-		if diff == 0 {
-			if r.enqueuePos.CompareAndSwap(pos, pos+1) {
-				break
-			}
-		} else if diff < 0 {
-			return false
-		} else {
-			pos = r.enqueuePos.Load()
-		}
-	}
-	cell.pkt = pkt
-	cell.seq.Store(pos + 1)
-	return true
-}
-
-func (r *inboundRing) Dequeue() (*inboundPacket, bool) {
-	var cell *inboundCell
-	pos := r.dequeuePos.Load()
-	for {
-		cell = &r.cells[pos&r.mask]
-		seq := cell.seq.Load()
-		diff := int64(seq) - int64(pos+1)
-		if diff == 0 {
-			if r.dequeuePos.CompareAndSwap(pos, pos+1) {
-				break
-			}
-		} else if diff < 0 {
-			return nil, false
-		} else {
-			pos = r.dequeuePos.Load()
-		}
-	}
-	pkt := cell.pkt
-	cell.pkt = nil
-	cell.seq.Store(pos + r.mask + 1)
-	return pkt, true
-}
-
-func (f *Interface) getInboundPacket() *inboundPacket {
-	if pkt, ok := f.inboundPool.Get().(*inboundPacket); ok && pkt != nil {
-		return pkt
-	}
-	return &inboundPacket{}
-}
-
-func (f *Interface) putInboundPacket(pkt *inboundPacket) {
-	if pkt == nil {
-		return
-	}
-	pkt.addr = netip.AddrPort{}
-	pkt.payload = nil
-	pkt.release = nil
-	pkt.queue = 0
-	f.inboundPool.Put(pkt)
-}
-
-func newDecryptContext(f *Interface) *decryptContext {
-	return &decryptContext{
-		ctTicker: firewall.NewConntrackCacheTicker(f.conntrackCacheTimeout),
-		plain:    make([]byte, udp.MTU),
-		head:     header.H{},
-		fwPacket: firewall.Packet{},
-		light:    f.lightHouse.NewRequestHandler(),
-		nebula:   make([]byte, 12, 12),
-	}
-}
-
-func (f *Interface) processInboundPacket(pkt *inboundPacket, ctx *decryptContext) {
-	if pkt == nil {
-		return
-	}
-	defer func() {
-		if pkt.release != nil {
-			pkt.release()
-		}
-		f.putInboundPacket(pkt)
-	}()
-
-	ctx.head = header.H{}
-	ctx.fwPacket = firewall.Packet{}
-	var cache firewall.ConntrackCache
-	if ctx.ctTicker != nil {
-		cache = ctx.ctTicker.Get(f.l)
-	}
-	f.readOutsidePackets(pkt.addr, nil, ctx.plain[:0], pkt.payload, &ctx.head, &ctx.fwPacket, ctx.light, ctx.nebula, pkt.queue, cache)
 }
 
 type EncWriter interface {
@@ -331,35 +162,6 @@ func NewInterface(ctx context.Context, c *InterfaceConfig) (*Interface, error) {
 	}
 
 	cs := c.pki.getCertState()
-	decryptWorkers := c.DecryptWorkers
-	if decryptWorkers < 0 {
-		decryptWorkers = 0
-	}
-	if decryptWorkers == 0 {
-		decryptWorkers = c.routines * defaultDecryptWorkerFactor
-		if decryptWorkers < c.routines {
-			decryptWorkers = c.routines
-		}
-	}
-	if decryptWorkers < 0 {
-		decryptWorkers = 0
-	}
-	if runtime.GOOS != "linux" {
-		decryptWorkers = 0
-	}
-
-	queueDepth := c.DecryptQueueDepth
-	if queueDepth <= 0 {
-		queueDepth = defaultInboundQueueDepth
-	}
-	minDepth := c.routines * 64
-	if minDepth <= 0 {
-		minDepth = 64
-	}
-	if queueDepth < minDepth {
-		queueDepth = minDepth
-	}
-
 	ifce := &Interface{
 		pki:                   c.pki,
 		hostMap:               c.HostMap,
@@ -393,9 +195,6 @@ func NewInterface(ctx context.Context, c *InterfaceConfig) (*Interface, error) {
 		},
 
 		l: c.l,
-		ctx:            ctx,
-		inboundPool:    sync.Pool{New: func() any { return &inboundPacket{} }},
-		decryptWorkers: decryptWorkers,
 	}
 
 	ifce.tryPromoteEvery.Store(c.tryPromoteEvery)
@@ -404,19 +203,6 @@ func NewInterface(ctx context.Context, c *InterfaceConfig) (*Interface, error) {
 
 	ifce.connectionManager.intf = ifce
 
-	if decryptWorkers > 0 {
-		ifce.decryptQueues = make([]*inboundRing, decryptWorkers)
-		ifce.decryptStates = make([]decryptWorkerState, decryptWorkers)
-		for i := 0; i < decryptWorkers; i++ {
-			queue := newInboundRing(queueDepth)
-			ifce.decryptQueues[i] = queue
-			ifce.decryptStates[i] = decryptWorkerState{
-				queue:  queue,
-				notify: make(chan struct{}, 1),
-			}
-		}
-	}
-
 	return ifce, nil
 }
 
@@ -456,68 +242,8 @@ func (f *Interface) activate() {
 	}
 }
 
-func (f *Interface) startDecryptWorkers() {
-	if f.decryptWorkers <= 0 || len(f.decryptQueues) == 0 {
-		return
-	}
-	f.decryptWG.Add(f.decryptWorkers)
-	for i := 0; i < f.decryptWorkers; i++ {
-		go f.decryptWorker(i)
-	}
-}
-
-func (f *Interface) decryptWorker(id int) {
-	defer f.decryptWG.Done()
-	if id < 0 || id >= len(f.decryptStates) {
-		return
-	}
-	state := f.decryptStates[id]
-	if state.queue == nil {
-		return
-	}
-	ctx := newDecryptContext(f)
-	for {
-		for {
-			pkt, ok := state.queue.Dequeue()
-			if !ok {
-				break
-			}
-			f.processInboundPacket(pkt, ctx)
-		}
-		if f.closed.Load() || f.ctx.Err() != nil {
-			for {
-				pkt, ok := state.queue.Dequeue()
-				if !ok {
-					return
-				}
-				f.processInboundPacket(pkt, ctx)
-			}
-		}
-		select {
-		case <-f.ctx.Done():
-		case <-state.notify:
-		}
-	}
-}
-
-func (f *Interface) notifyDecryptWorker(idx int) {
-	if idx < 0 || idx >= len(f.decryptStates) {
-		return
-	}
-	state := f.decryptStates[idx]
-	if state.notify == nil {
-		return
-	}
-	select {
-	case state.notify <- struct{}{}:
-	default:
-	}
-}
-
 func (f *Interface) run() {
-	f.startDecryptWorkers()
 	// Launch n queues to read packets from udp
-	f.udpListenWG.Add(f.routines)
 	for i := 0; i < f.routines; i++ {
 		go f.listenOut(i)
 	}
@@ -530,7 +256,6 @@ func (f *Interface) run() {
 
 func (f *Interface) listenOut(i int) {
 	runtime.LockOSThread()
-	defer f.udpListenWG.Done()
 
 	var li udp.Conn
 	if i > 0 {
@@ -539,78 +264,23 @@ func (f *Interface) listenOut(i int) {
 		li = f.outside
 	}
 
-	useWorkers := f.decryptWorkers > 0 && len(f.decryptQueues) > 0
+	ctCache := firewall.NewConntrackCacheTicker(f.conntrackCacheTimeout)
-	var (
+	lhh := f.lightHouse.NewRequestHandler()
-		inlineTicker  *firewall.ConntrackCacheTicker
+	plaintext := make([]byte, udp.MTU)
-		inlineHandler *LightHouseHandler
+	h := &header.H{}
-		inlinePlain   []byte
+	fwPacket := &firewall.Packet{}
-		inlineHeader  header.H
+	nb := make([]byte, 12, 12)
-		inlinePacket  firewall.Packet
-		inlineNB      []byte
-		inlineCtx     *decryptContext
-	)
 
-	if useWorkers {
+	li.ListenOut(func(fromUdpAddr netip.AddrPort, payload []byte) {
-		inlineCtx = newDecryptContext(f)
+		f.readOutsidePackets(fromUdpAddr, nil, plaintext[:0], payload, h, fwPacket, lhh, nb, i, ctCache.Get(f.l))
-	} else {
-		inlineTicker = firewall.NewConntrackCacheTicker(f.conntrackCacheTimeout)
-		inlineHandler = f.lightHouse.NewRequestHandler()
-		inlinePlain = make([]byte, udp.MTU)
-		inlineNB = make([]byte, 12, 12)
-	}
-
-	li.ListenOut(func(fromUdpAddr netip.AddrPort, payload []byte, release func()) {
-		if !useWorkers {
-			if release != nil {
-				defer release()
-			}
-			select {
-			case <-f.ctx.Done():
-				return
-			default:
-			}
-			inlineHeader = header.H{}
-			inlinePacket = firewall.Packet{}
-			var cache firewall.ConntrackCache
-			if inlineTicker != nil {
-				cache = inlineTicker.Get(f.l)
-			}
-			f.readOutsidePackets(fromUdpAddr, nil, inlinePlain[:0], payload, &inlineHeader, &inlinePacket, inlineHandler, inlineNB, i, cache)
-			return
-		}
-
-		if f.ctx.Err() != nil {
-			if release != nil {
-				release()
-			}
-			return
-		}
-
-		pkt := f.getInboundPacket()
-		pkt.addr = fromUdpAddr
-		pkt.payload = payload
-		pkt.release = release
-		pkt.queue = i
-
-		queueCount := len(f.decryptQueues)
-		if queueCount == 0 {
-			f.processInboundPacket(pkt, inlineCtx)
-			return
-		}
-		w := int(f.decryptCounter.Add(1)-1) % queueCount
-		if w < 0 || w >= queueCount || !f.decryptQueues[w].Enqueue(pkt) {
-			f.processInboundPacket(pkt, inlineCtx)
-			return
-		}
-		f.notifyDecryptWorker(w)
 	})
 }
 
 func (f *Interface) listenIn(reader io.ReadWriteCloser, i int) {
 	runtime.LockOSThread()
 
-	packet := make([]byte, tunReadBufferSize)
+	packet := make([]byte, mtu)
-	out := make([]byte, tunReadBufferSize)
+	out := make([]byte, mtu)
 	fwPacket := &firewall.Packet{}
 	nb := make([]byte, 12, 12)
 
@@ -788,19 +458,6 @@ func (f *Interface) Close() error {
 		}
 	}
 
-	f.udpListenWG.Wait()
-	if f.decryptWorkers > 0 {
-		for _, state := range f.decryptStates {
-			if state.notify != nil {
-				select {
-				case state.notify <- struct{}{}:
-				default:
-				}
-			}
-		}
-		f.decryptWG.Wait()
-	}
-
 	// Release the tun device
 	return f.inside.Close()
 }

lighthouse.go

@@ -1425,7 +1425,7 @@ func (d *NebulaMetaDetails) GetRelays() []netip.Addr {
 	return relays
 }
 
-// FindNetworkUnion returns the first netip.Addr contained in the list of provided netip.Prefix, if able
+// findNetworkUnion returns the first netip.Addr of addrs contained in the list of provided netip.Prefix, if able
 func findNetworkUnion(prefixes []netip.Prefix, addrs []netip.Addr) (netip.Addr, bool) {
 	for i := range prefixes {
 		for j := range addrs {
@@ -1450,3 +1450,13 @@ func (d *NebulaMetaDetails) GetVpnAddrAndVersion() (netip.Addr, cert.Version, er
 		return netip.Addr{}, cert.Version1, ErrBadDetailsVpnAddr
 	}
 }
+
+func (d *NebulaControl) GetRelayFrom() netip.Addr {
+	if d.OldRelayFromAddr != 0 {
+		b := [4]byte{}
+		binary.BigEndian.PutUint32(b[:], d.OldRelayFromAddr)
+		return netip.AddrFrom4(b)
+	} else {
+		return protoAddrToNetAddr(d.RelayFromAddr)
+	}
+}

main.go

@@ -120,8 +120,6 @@ func Main(c *config.C, configTest bool, buildVersion string, logger *logrus.Logg
 		l.WithField("duration", conntrackCacheTimeout).Info("Using routine-local conntrack cache")
 	}
 
-	udp.SetDisableUDPCsum(c.GetBool("listen.disable_udp_checksum", false))
-
 	var tun overlay.Device
 	if !configTest {
 		c.CatchHUP(ctx)
@@ -223,9 +221,6 @@ func Main(c *config.C, configTest bool, buildVersion string, logger *logrus.Logg
 		}
 	}
 
-	decryptWorkers := c.GetInt("listen.decrypt_workers", 0)
-	decryptQueueDepth := c.GetInt("listen.decrypt_queue_depth", 0)
-
 	ifConfig := &InterfaceConfig{
 		HostMap:               hostMap,
 		Inside:                tun,
@@ -248,8 +243,6 @@ func Main(c *config.C, configTest bool, buildVersion string, logger *logrus.Logg
 		punchy:                punchy,
 		ConntrackCacheTimeout: conntrackCacheTimeout,
 		l:                     l,
-		DecryptWorkers:        decryptWorkers,
-		DecryptQueueDepth:     decryptQueueDepth,
 	}
 
 	var ifce *Interface

outside.go

@@ -470,13 +470,7 @@ func (f *Interface) decryptToTun(hostinfo *HostInfo, messageCounter uint64, out
 
 	out, err = hostinfo.ConnectionState.dKey.DecryptDanger(out, packet[:header.Len], packet[header.Len:], messageCounter, nb)
 	if err != nil {
-		hostinfo.logger(f.l).
+		hostinfo.logger(f.l).WithError(err).Error("Failed to decrypt packet")
-			WithError(err).
-			WithField("tag", "decrypt-debug").
-			WithField("remoteIndexLocal", hostinfo.localIndexId).
-			WithField("messageCounter", messageCounter).
-			WithField("packet_len", len(packet)).
-			Error("Failed to decrypt packet")
 		return false
 	}
 

overlay/tun_linux.go

@@ -33,9 +33,6 @@ type tun struct {
 	TXQueueLen  int
 	deviceIndex int
 	ioctlFd     uintptr
-	enableVnetHdr bool
-	vnetHdrLen    int
-	queues        []*tunQueue
 
 	Routes                    atomic.Pointer[[]Route]
 	routeTree                 atomic.Pointer[bart.Table[routing.Gateways]]
@@ -68,90 +65,10 @@ type ifreqQLEN struct {
 	pad   [8]byte
 }
 
-const (
-	virtioNetHdrLen     = 12
-	tunDefaultMaxPacket = 65536
-)
-
-type tunQueue struct {
-	file          *os.File
-	fd            int
-	enableVnetHdr bool
-	vnetHdrLen    int
-	maxPacket     int
-	writeScratch  []byte
-	readScratch   []byte
-	l             *logrus.Logger
-}
-
-func newTunQueue(file *os.File, enableVnetHdr bool, vnetHdrLen, maxPacket int, l *logrus.Logger) *tunQueue {
-	if maxPacket <= 0 {
-		maxPacket = tunDefaultMaxPacket
-	}
-	q := &tunQueue{
-		file:          file,
-		fd:            int(file.Fd()),
-		enableVnetHdr: enableVnetHdr,
-		vnetHdrLen:    vnetHdrLen,
-		maxPacket:     maxPacket,
-		l:             l,
-	}
-	if enableVnetHdr {
-		q.growReadScratch(maxPacket)
-	}
-	return q
-}
-
-func (q *tunQueue) growReadScratch(packetSize int) {
-	needed := q.vnetHdrLen + packetSize
-	if needed < q.vnetHdrLen+DefaultMTU {
-		needed = q.vnetHdrLen + DefaultMTU
-	}
-	if q.readScratch == nil || cap(q.readScratch) < needed {
-		q.readScratch = make([]byte, needed)
-	} else {
-		q.readScratch = q.readScratch[:needed]
-	}
-}
-
-func (q *tunQueue) setMaxPacket(packet int) {
-	if packet <= 0 {
-		packet = DefaultMTU
-	}
-	q.maxPacket = packet
-	if q.enableVnetHdr {
-		q.growReadScratch(packet)
-	}
-}
-
-func configureVnetHdr(fd int, hdrLen int, l *logrus.Logger) error {
-	features, err := unix.IoctlGetInt(fd, unix.TUNGETFEATURES)
-	if err == nil && features&unix.IFF_VNET_HDR == 0 {
-		return fmt.Errorf("kernel does not support IFF_VNET_HDR")
-	}
-	if err := unix.IoctlSetInt(fd, unix.TUNSETVNETHDRSZ, hdrLen); err != nil {
-		return err
-	}
-	offload := unix.TUN_F_CSUM | unix.TUN_F_UFO
-	if err := unix.IoctlSetInt(fd, unix.TUNSETOFFLOAD, offload); err != nil {
-		if l != nil {
-			l.WithError(err).Warn("Failed to enable TUN offload features")
-		}
-	}
-	return nil
-}
-
 func newTunFromFd(c *config.C, l *logrus.Logger, deviceFd int, vpnNetworks []netip.Prefix) (*tun, error) {
 	file := os.NewFile(uintptr(deviceFd), "/dev/net/tun")
-	enableVnetHdr := c.GetBool("tun.enable_vnet_hdr", false)
-	if enableVnetHdr {
-		if err := configureVnetHdr(deviceFd, virtioNetHdrLen, l); err != nil {
-			l.WithError(err).Warn("Failed to configure VNET header support on provided tun fd; disabling")
-			enableVnetHdr = false
-		}
-	}
 
-	t, err := newTunGeneric(c, l, file, vpnNetworks, enableVnetHdr)
+	t, err := newTunGeneric(c, l, file, vpnNetworks)
 	if err != nil {
 		return nil, err
 	}
@@ -189,25 +106,14 @@ func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, multiqueu
 	if multiqueue {
 		req.Flags |= unix.IFF_MULTI_QUEUE
 	}
-	enableVnetHdr := c.GetBool("tun.enable_vnet_hdr", false)
-	if enableVnetHdr {
-		req.Flags |= unix.IFF_VNET_HDR
-	}
 	copy(req.Name[:], c.GetString("tun.dev", ""))
 	if err = ioctl(uintptr(fd), uintptr(unix.TUNSETIFF), uintptr(unsafe.Pointer(&req))); err != nil {
 		return nil, err
 	}
 	name := strings.Trim(string(req.Name[:]), "\x00")
 
-	if enableVnetHdr {
-		if err := configureVnetHdr(fd, virtioNetHdrLen, l); err != nil {
-			l.WithError(err).Warn("Failed to configure VNET header support on tun device; disabling")
-			enableVnetHdr = false
-		}
-	}
-
 	file := os.NewFile(uintptr(fd), "/dev/net/tun")
-	t, err := newTunGeneric(c, l, file, vpnNetworks, enableVnetHdr)
+	t, err := newTunGeneric(c, l, file, vpnNetworks)
 	if err != nil {
 		return nil, err
 	}
@@ -217,30 +123,21 @@ func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, multiqueu
 	return t, nil
 }
 
-func newTunGeneric(c *config.C, l *logrus.Logger, file *os.File, vpnNetworks []netip.Prefix, enableVnetHdr bool) (*tun, error) {
+func newTunGeneric(c *config.C, l *logrus.Logger, file *os.File, vpnNetworks []netip.Prefix) (*tun, error) {
-	queue := newTunQueue(file, enableVnetHdr, virtioNetHdrLen, tunDefaultMaxPacket, l)
 	t := &tun{
-		ReadWriteCloser:           queue,
+		ReadWriteCloser:           file,
 		fd:                        int(file.Fd()),
 		vpnNetworks:               vpnNetworks,
 		TXQueueLen:                c.GetInt("tun.tx_queue", 500),
 		useSystemRoutes:           c.GetBool("tun.use_system_route_table", false),
 		useSystemRoutesBufferSize: c.GetInt("tun.use_system_route_table_buffer_size", 0),
 		l:                         l,
-		enableVnetHdr:             enableVnetHdr,
-		vnetHdrLen:                virtioNetHdrLen,
-		queues:                    []*tunQueue{queue},
 	}
 
 	err := t.reload(c, true)
 	if err != nil {
 		return nil, err
 	}
-	if enableVnetHdr {
-		for _, q := range t.queues {
-			q.setMaxPacket(t.MaxMTU)
-		}
-	}
 
 	c.RegisterReloadCallback(func(c *config.C) {
 		err := t.reload(c, false)
@@ -283,11 +180,6 @@ func (t *tun) reload(c *config.C, initial bool) error {
 
 	t.MaxMTU = newMaxMTU
 	t.DefaultMTU = newDefaultMTU
-	if t.enableVnetHdr {
-		for _, q := range t.queues {
-			q.setMaxPacket(t.MaxMTU)
-		}
-	}
 
 	// Teach nebula how to handle the routes before establishing them in the system table
 	oldRoutes := t.Routes.Swap(&routes)
@@ -332,87 +224,14 @@ func (t *tun) NewMultiQueueReader() (io.ReadWriteCloser, error) {
 
 	var req ifReq
 	req.Flags = uint16(unix.IFF_TUN | unix.IFF_NO_PI | unix.IFF_MULTI_QUEUE)
-	if t.enableVnetHdr {
-		req.Flags |= unix.IFF_VNET_HDR
-	}
 	copy(req.Name[:], t.Device)
 	if err = ioctl(uintptr(fd), uintptr(unix.TUNSETIFF), uintptr(unsafe.Pointer(&req))); err != nil {
 		return nil, err
 	}
 
 	file := os.NewFile(uintptr(fd), "/dev/net/tun")
-	queue := newTunQueue(file, t.enableVnetHdr, t.vnetHdrLen, t.MaxMTU, t.l)
-	if t.enableVnetHdr {
-		if err := configureVnetHdr(fd, t.vnetHdrLen, t.l); err != nil {
-			queue.enableVnetHdr = false
-		}
-	}
-	t.queues = append(t.queues, queue)
 
-	return queue, nil
+	return file, nil
-}
-
-func (q *tunQueue) Read(p []byte) (int, error) {
-	if !q.enableVnetHdr {
-		return q.file.Read(p)
-	}
-
-	if len(p)+q.vnetHdrLen > cap(q.readScratch) {
-		q.growReadScratch(len(p))
-	}
-
-	buf := q.readScratch[:cap(q.readScratch)]
-	n, err := q.file.Read(buf)
-	if n <= 0 {
-		return n, err
-	}
-	if n < q.vnetHdrLen {
-		if err == nil {
-			err = io.ErrUnexpectedEOF
-		}
-		return 0, err
-	}
-
-	payload := buf[q.vnetHdrLen:n]
-	if len(payload) > len(p) {
-		copy(p, payload[:len(p)])
-		if err == nil {
-			err = io.ErrShortBuffer
-		}
-		return len(p), err
-	}
-	copy(p, payload)
-	return len(payload), err
-}
-
-func (q *tunQueue) Write(b []byte) (int, error) {
-	if !q.enableVnetHdr {
-		return unix.Write(q.fd, b)
-	}
-
-	total := q.vnetHdrLen + len(b)
-	if cap(q.writeScratch) < total {
-		q.writeScratch = make([]byte, total)
-	} else {
-		q.writeScratch = q.writeScratch[:total]
-	}
-
-	for i := 0; i < q.vnetHdrLen; i++ {
-		q.writeScratch[i] = 0
-	}
-	copy(q.writeScratch[q.vnetHdrLen:], b)
-
-	n, err := unix.Write(q.fd, q.writeScratch)
-	if n >= q.vnetHdrLen {
-		n -= q.vnetHdrLen
-	} else {
-		n = 0
-	}
-	return n, err
-}
-
-func (q *tunQueue) Close() error {
-	return q.file.Close()
 }
 
 func (t *tun) RoutesFor(ip netip.Addr) routing.Gateways {

relay_manager.go

@@ -155,6 +155,8 @@ func (rm *relayManager) handleCreateRelayResponse(v cert.Version, h *HostInfo, f
 		"vpnAddrs":            h.vpnAddrs}).
 		Info("handleCreateRelayResponse")
 
+	//peer == relayFrom
+	//target == relayTo
 	target := m.RelayToAddr
 	targetAddr := protoAddrToNetAddr(target)
 
@@ -190,11 +192,12 @@ func (rm *relayManager) handleCreateRelayResponse(v cert.Version, h *HostInfo, f
 			InitiatorRelayIndex: peerRelay.RemoteIndex,
 		}
 
+		relayFrom := h.vpnAddrs[0]
 		if v == cert.Version1 {
 			peer := peerHostInfo.vpnAddrs[0]
 			if !peer.Is4() {
 				rm.l.WithField("relayFrom", peer).
-					WithField("relayTo", target).
+					WithField("relayTo", targetAddr).
 					WithField("initiatorRelayIndex", resp.InitiatorRelayIndex).
 					WithField("responderRelayIndex", resp.ResponderRelayIndex).
 					WithField("vpnAddrs", peerHostInfo.vpnAddrs).
@@ -207,7 +210,22 @@ func (rm *relayManager) handleCreateRelayResponse(v cert.Version, h *HostInfo, f
 			b = targetAddr.As4()
 			resp.OldRelayToAddr = binary.BigEndian.Uint32(b[:])
 		} else {
-			resp.RelayFromAddr = netAddrToProtoAddr(peerHostInfo.vpnAddrs[0])
+			ok = false
+			peerNetworks := h.GetCert().Certificate.Networks()
+			for i := range peerNetworks {
+				if peerNetworks[i].Contains(targetAddr) {
+					relayFrom = peerNetworks[i].Addr()
+					ok = true
+					break
+				}
+			}
+			if !ok {
+				rm.l.WithFields(logrus.Fields{"from": f.myVpnNetworks, "to": targetAddr}).
+					Error("cannot establish relay, no networks in common")
+				return
+			}
+
+			resp.RelayFromAddr = netAddrToProtoAddr(relayFrom)
 			resp.RelayToAddr = target
 		}
 
@@ -218,8 +236,8 @@ func (rm *relayManager) handleCreateRelayResponse(v cert.Version, h *HostInfo, f
 		} else {
 			f.SendMessageToHostInfo(header.Control, 0, peerHostInfo, msg, make([]byte, 12), make([]byte, mtu))
 			rm.l.WithFields(logrus.Fields{
-				"relayFrom":           resp.RelayFromAddr,
+				"relayFrom":           relayFrom,
-				"relayTo":             resp.RelayToAddr,
+				"relayTo":             targetAddr,
 				"initiatorRelayIndex": resp.InitiatorRelayIndex,
 				"responderRelayIndex": resp.ResponderRelayIndex,
 				"vpnAddrs":            peerHostInfo.vpnAddrs}).
@@ -313,8 +331,7 @@ func (rm *relayManager) handleCreateRelayRequest(v cert.Version, h *HostInfo, f
 
 		msg, err := resp.Marshal()
 		if err != nil {
-			logMsg.
+			logMsg.WithError(err).Error("relayManager Failed to marshal Control CreateRelayResponse message to create relay")
-				WithError(err).Error("relayManager Failed to marshal Control CreateRelayResponse message to create relay")
 		} else {
 			f.SendMessageToHostInfo(header.Control, 0, h, msg, make([]byte, 12), make([]byte, mtu))
 			rm.l.WithFields(logrus.Fields{
@@ -360,10 +377,10 @@ func (rm *relayManager) handleCreateRelayRequest(v cert.Version, h *HostInfo, f
 			Type:                NebulaControl_CreateRelayRequest,
 			InitiatorRelayIndex: index,
 		}
-
+		relayFrom := h.vpnAddrs[0]
 		if v == cert.Version1 {
-			if !h.vpnAddrs[0].Is4() {
+			if !relayFrom.Is4() {
-				rm.l.WithField("relayFrom", h.vpnAddrs[0]).
+				rm.l.WithField("relayFrom", relayFrom).
 					WithField("relayTo", target).
 					WithField("initiatorRelayIndex", req.InitiatorRelayIndex).
 					WithField("responderRelayIndex", req.ResponderRelayIndex).
@@ -372,23 +389,37 @@ func (rm *relayManager) handleCreateRelayRequest(v cert.Version, h *HostInfo, f
 				return
 			}
 
-			b := h.vpnAddrs[0].As4()
+			b := relayFrom.As4()
 			req.OldRelayFromAddr = binary.BigEndian.Uint32(b[:])
 			b = target.As4()
 			req.OldRelayToAddr = binary.BigEndian.Uint32(b[:])
 		} else {
-			req.RelayFromAddr = netAddrToProtoAddr(h.vpnAddrs[0])
+			ok = false
+			peerNetworks := h.GetCert().Certificate.Networks()
+			for i := range peerNetworks {
+				if peerNetworks[i].Contains(target) {
+					relayFrom = peerNetworks[i].Addr()
+					ok = true
+					break
+				}
+			}
+			if !ok {
+				rm.l.WithFields(logrus.Fields{"from": f.myVpnNetworks, "to": target}).
+					Error("cannot establish relay, no networks in common")
+				return
+			}
+
+			req.RelayFromAddr = netAddrToProtoAddr(relayFrom)
 			req.RelayToAddr = netAddrToProtoAddr(target)
 		}
 
 		msg, err := req.Marshal()
 		if err != nil {
-			logMsg.
+			logMsg.WithError(err).Error("relayManager Failed to marshal Control message to create relay")
-				WithError(err).Error("relayManager Failed to marshal Control message to create relay")
 		} else {
 			f.SendMessageToHostInfo(header.Control, 0, peer, msg, make([]byte, 12), make([]byte, mtu))
 			rm.l.WithFields(logrus.Fields{
-				"relayFrom":           h.vpnAddrs[0],
+				"relayFrom":           relayFrom,
 				"relayTo":             target,
 				"initiatorRelayIndex": req.InitiatorRelayIndex,
 				"responderRelayIndex": req.ResponderRelayIndex,
@@ -401,8 +432,7 @@ func (rm *relayManager) handleCreateRelayRequest(v cert.Version, h *HostInfo, f
 		if !ok {
 			_, err := AddRelay(rm.l, h, f.hostMap, target, &m.InitiatorRelayIndex, ForwardingType, PeerRequested)
 			if err != nil {
-				logMsg.
+				logMsg.WithError(err).Error("relayManager Failed to allocate a local index for relay")
-					WithError(err).Error("relayManager Failed to allocate a local index for relay")
 				return
 			}
 		}

udp/config.go

@@ -1,16 +0,0 @@
-package udp
-
-import "sync/atomic"
-
-var disableUDPCsum atomic.Bool
-
-// SetDisableUDPCsum controls whether IPv4 UDP sockets opt out of kernel
-// checksum calculation via SO_NO_CHECK. Only applicable on platforms that
-// support the option (Linux). IPv6 always keeps the checksum enabled.
-func SetDisableUDPCsum(disable bool) {
-	disableUDPCsum.Store(disable)
-}
-
-func udpChecksumDisabled() bool {
-	return disableUDPCsum.Load()
-}

udp/conn.go

@@ -11,7 +11,6 @@ const MTU = 9001
 type EncReader func(
 	addr netip.AddrPort,
 	payload []byte,
-	release func(),
 )
 
 type Conn interface {

udp/msghdr_helper_linux_32.go

@@ -1,25 +0,0 @@
-//go:build linux && (386 || amd64p32 || arm || mips || mipsle) && !android && !e2e_testing
-// +build linux
-// +build 386 amd64p32 arm mips mipsle
-// +build !android
-// +build !e2e_testing
-
-package udp
-
-import "golang.org/x/sys/unix"
-
-func controllen(n int) uint32 {
-	return uint32(n)
-}
-
-func setCmsgLen(h *unix.Cmsghdr, n int) {
-	h.Len = uint32(unix.CmsgLen(n))
-}
-
-func setIovecLen(v *unix.Iovec, n int) {
-	v.Len = uint32(n)
-}
-
-func setMsghdrIovlen(m *unix.Msghdr, n int) {
-	m.Iovlen = uint32(n)
-}

udp/msghdr_helper_linux_64.go

@@ -1,25 +0,0 @@
-//go:build linux && (amd64 || arm64 || ppc64 || ppc64le || mips64 || mips64le || s390x || riscv64 || loong64) && !android && !e2e_testing
-// +build linux
-// +build amd64 arm64 ppc64 ppc64le mips64 mips64le s390x riscv64 loong64
-// +build !android
-// +build !e2e_testing
-
-package udp
-
-import "golang.org/x/sys/unix"
-
-func controllen(n int) uint64 {
-	return uint64(n)
-}
-
-func setCmsgLen(h *unix.Cmsghdr, n int) {
-	h.Len = uint64(unix.CmsgLen(n))
-}
-
-func setIovecLen(v *unix.Iovec, n int) {
-	v.Len = uint64(n)
-}
-
-func setMsghdrIovlen(m *unix.Msghdr, n int) {
-	m.Iovlen = uint64(n)
-}

udp/sendmmsg_linux_32.go

@@ -1,25 +0,0 @@
-//go:build linux && (386 || amd64p32 || arm || mips || mipsle) && !android && !e2e_testing
-
-package udp
-
-import (
-	"unsafe"
-
-	"golang.org/x/sys/unix"
-)
-
-type linuxMmsgHdr struct {
-	Hdr unix.Msghdr
-	Len uint32
-}
-
-func sendmmsg(fd int, hdrs []linuxMmsgHdr, flags int) (int, error) {
-	if len(hdrs) == 0 {
-		return 0, nil
-	}
-	n, _, errno := unix.Syscall6(unix.SYS_SENDMMSG, uintptr(fd), uintptr(unsafe.Pointer(&hdrs[0])), uintptr(len(hdrs)), uintptr(flags), 0, 0)
-	if errno != 0 {
-		return int(n), errno
-	}
-	return int(n), nil
-}

udp/sendmmsg_linux_64.go

@@ -1,26 +0,0 @@
-//go:build linux && (amd64 || arm64 || ppc64 || ppc64le || mips64 || mips64le || s390x || riscv64 || loong64) && !android && !e2e_testing
-
-package udp
-
-import (
-	"unsafe"
-
-	"golang.org/x/sys/unix"
-)
-
-type linuxMmsgHdr struct {
-	Hdr unix.Msghdr
-	Len uint32
-	_   uint32
-}
-
-func sendmmsg(fd int, hdrs []linuxMmsgHdr, flags int) (int, error) {
-	if len(hdrs) == 0 {
-		return 0, nil
-	}
-	n, _, errno := unix.Syscall6(unix.SYS_SENDMMSG, uintptr(fd), uintptr(unsafe.Pointer(&hdrs[0])), uintptr(len(hdrs)), uintptr(flags), 0, 0)
-	if errno != 0 {
-		return int(n), errno
-	}
-	return int(n), nil
-}

udp/udp_darwin.go

@@ -180,7 +180,7 @@ func (u *StdConn) ListenOut(r EncReader) {
 			u.l.WithError(err).Error("unexpected udp socket receive error")
 		}
 
-		r(netip.AddrPortFrom(rua.Addr().Unmap(), rua.Port()), buffer[:n], nil)
+		r(netip.AddrPortFrom(rua.Addr().Unmap(), rua.Port()), buffer[:n])
 	}
 }
 

udp/udp_generic.go

@@ -82,6 +82,6 @@ func (u *GenericConn) ListenOut(r EncReader) {
 			return
 		}
 
-		r(netip.AddrPortFrom(rua.Addr().Unmap(), rua.Port()), buffer[:n], nil)
+		r(netip.AddrPortFrom(rua.Addr().Unmap(), rua.Port()), buffer[:n])
 	}
 }

udp/udp_linux_32.go

@@ -30,29 +30,17 @@ type rawMessage struct {
 	Len uint32
 }
 
-func (u *StdConn) PrepareRawMessages(n int) ([]rawMessage, [][]byte, [][]byte, [][]byte) {
+func (u *StdConn) PrepareRawMessages(n int) ([]rawMessage, [][]byte, [][]byte) {
-	controlLen := int(u.controlLen.Load())
-
 	msgs := make([]rawMessage, n)
 	buffers := make([][]byte, n)
 	names := make([][]byte, n)
 
-	var controls [][]byte
-	if controlLen > 0 {
-		controls = make([][]byte, n)
-	}
-
 	for i := range msgs {
-		size := int(u.groBufSize.Load())
+		buffers[i] = make([]byte, MTU)
-		if size < MTU {
-			size = MTU
-		}
-		buf := u.borrowRxBuffer(size)
-		buffers[i] = buf
 		names[i] = make([]byte, unix.SizeofSockaddrInet6)
 
 		vs := []iovec{
-			{Base: &buf[0], Len: uint32(len(buf))},
+			{Base: &buffers[i][0], Len: uint32(len(buffers[i]))},
 		}
 
 		msgs[i].Hdr.Iov = &vs[0]
@@ -60,22 +48,7 @@ func (u *StdConn) PrepareRawMessages(n int) ([]rawMessage, [][]byte, [][]byte, [
 
 		msgs[i].Hdr.Name = &names[i][0]
 		msgs[i].Hdr.Namelen = uint32(len(names[i]))
-
-		if controlLen > 0 {
-			controls[i] = make([]byte, controlLen)
-			msgs[i].Hdr.Control = &controls[i][0]
-			msgs[i].Hdr.Controllen = controllen(len(controls[i]))
-		} else {
-			msgs[i].Hdr.Control = nil
-			msgs[i].Hdr.Controllen = controllen(0)
-		}
 	}
 
-	return msgs, buffers, names, controls
+	return msgs, buffers, names
-}
-
-func setIovecBase(msg *rawMessage, buf []byte) {
-	iov := (*iovec)(msg.Hdr.Iov)
-	iov.Base = &buf[0]
-	iov.Len = uint32(len(buf))
 }

udp/udp_linux_64.go

@@ -33,50 +33,25 @@ type rawMessage struct {
 	Pad0 [4]byte
 }
 
-func (u *StdConn) PrepareRawMessages(n int) ([]rawMessage, [][]byte, [][]byte, [][]byte) {
+func (u *StdConn) PrepareRawMessages(n int) ([]rawMessage, [][]byte, [][]byte) {
-	controlLen := int(u.controlLen.Load())
-
 	msgs := make([]rawMessage, n)
 	buffers := make([][]byte, n)
 	names := make([][]byte, n)
 
-	var controls [][]byte
-	if controlLen > 0 {
-		controls = make([][]byte, n)
-	}
-
 	for i := range msgs {
-		size := int(u.groBufSize.Load())
+		buffers[i] = make([]byte, MTU)
-		if size < MTU {
-			size = MTU
-		}
-		buf := u.borrowRxBuffer(size)
-		buffers[i] = buf
 		names[i] = make([]byte, unix.SizeofSockaddrInet6)
 
-		vs := []iovec{{Base: &buf[0], Len: uint64(len(buf))}}
+		vs := []iovec{
+			{Base: &buffers[i][0], Len: uint64(len(buffers[i]))},
+		}
 
 		msgs[i].Hdr.Iov = &vs[0]
 		msgs[i].Hdr.Iovlen = uint64(len(vs))
 
 		msgs[i].Hdr.Name = &names[i][0]
 		msgs[i].Hdr.Namelen = uint32(len(names[i]))
-
-		if controlLen > 0 {
-			controls[i] = make([]byte, controlLen)
-			msgs[i].Hdr.Control = &controls[i][0]
-			msgs[i].Hdr.Controllen = controllen(len(controls[i]))
-		} else {
-			msgs[i].Hdr.Control = nil
-			msgs[i].Hdr.Controllen = controllen(0)
-		}
 	}
 
-	return msgs, buffers, names, controls
+	return msgs, buffers, names
-}
-
-func setIovecBase(msg *rawMessage, buf []byte) {
-	iov := (*iovec)(msg.Hdr.Iov)
-	iov.Base = &buf[0]
-	iov.Len = uint64(len(buf))
 }

udp/udp_rio_windows.go

@@ -149,7 +149,7 @@ func (u *RIOConn) ListenOut(r EncReader) {
 			continue
 		}
 
-		r(netip.AddrPortFrom(netip.AddrFrom16(rua.Addr).Unmap(), (rua.Port>>8)|((rua.Port&0xff)<<8)), buffer[:n], nil)
+		r(netip.AddrPortFrom(netip.AddrFrom16(rua.Addr).Unmap(), (rua.Port>>8)|((rua.Port&0xff)<<8)), buffer[:n])
 	}
 }
 

udp/udp_tester.go

@@ -112,7 +112,7 @@ func (u *TesterConn) ListenOut(r EncReader) {
 		if !ok {
 			return
 		}
-		r(p.From, p.Data, func() {})
+		r(p.From, p.Data)
 	}
 }