make boringcrypto: add checklinkname flag for go1.23

Starting with go1.23, we need to set -checklinkname=0 when building for
boringcrypto because we need to use go:linkname to access `newGCMTLS`.

Note that this does break builds when using a go version less than
go1.23.0. We can probably assume that someone using this Makefile and
manually building is using the latest release of Go though.

See:

- https://go.dev/doc/go1.23#linker

CHANGELOG.md

@@ -7,26 +7,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-## [1.9.4] - 2024-09-09
-
-### Added
-
-- Support UDP dialing with gVisor. (#1181)
-
-### Changed
-
-- Make some Nebula state programmatically available via control object. (#1188)
-- Switch internal representation of IPs to netip, to prepare for IPv6 support
-  in the overlay. (#1173)
-- Minor build and cleanup changes. (#1171, #1164, #1162)
-- Various dependency updates. (#1195, #1190, #1174, #1168, #1167, #1161, #1147, #1146)
-
-### Fixed
-
-- Fix a bug on big endian hosts, like mips. (#1194)
-- Fix a rare panic if a local index collision happens. (#1191)
-- Fix integer wraparound in the calculation of handshake timeouts on 32-bit targets. (#1185)
-
 ## [1.9.3] - 2024-06-06
 
 ### Fixed
@@ -664,8 +644,7 @@ created.)
 
 - Initial public release.
 
-[Unreleased]: https://github.com/slackhq/nebula/compare/v1.9.4...HEAD
+[Unreleased]: https://github.com/slackhq/nebula/compare/v1.9.3...HEAD
-[1.9.4]: https://github.com/slackhq/nebula/releases/tag/v1.9.4
 [1.9.3]: https://github.com/slackhq/nebula/releases/tag/v1.9.3
 [1.9.2]: https://github.com/slackhq/nebula/releases/tag/v1.9.2
 [1.9.1]: https://github.com/slackhq/nebula/releases/tag/v1.9.1

Makefile

@@ -133,6 +133,8 @@ build/linux-mips-softfloat/%: LDFLAGS += -s -w
 # boringcrypto
 build/linux-amd64-boringcrypto/%: GOENV += GOEXPERIMENT=boringcrypto CGO_ENABLED=1
 build/linux-arm64-boringcrypto/%: GOENV += GOEXPERIMENT=boringcrypto CGO_ENABLED=1
+build/linux-amd64-boringcrypto/%: LDFLAGS += -checklinkname=0
+build/linux-arm64-boringcrypto/%: LDFLAGS += -checklinkname=0
 
 build/%/nebula: .FORCE
 	GOOS=$(firstword $(subst -, , $*)) \

examples/go_service/main.go

@@ -4,7 +4,6 @@ import (
 	"bufio"
 	"fmt"
 	"log"
-	"net"
 
 	"github.com/slackhq/nebula/config"
 	"github.com/slackhq/nebula/service"
@@ -55,16 +54,16 @@ pki:
   cert: /home/rice/Developer/nebula-config/app.crt
   key: /home/rice/Developer/nebula-config/app.key
 `
-	var cfg config.C
+	var config config.C
-	if err := cfg.LoadString(configStr); err != nil {
+	if err := config.LoadString(configStr); err != nil {
 		return err
 	}
-	svc, err := service.New(&cfg)
+	service, err := service.New(&config)
 	if err != nil {
 		return err
 	}
 
-	ln, err := svc.Listen("tcp", ":1234")
+	ln, err := service.Listen("tcp", ":1234")
 	if err != nil {
 		return err
 	}
@@ -74,24 +73,16 @@ pki:
 			log.Printf("accept error: %s", err)
 			break
 		}
-		defer func(conn net.Conn) {
+		defer conn.Close()
-			_ = conn.Close()
-		}(conn)
 
 		log.Printf("got connection")
 
-		_, err = conn.Write([]byte("hello world\n"))
+		conn.Write([]byte("hello world\n"))
-		if err != nil {
-			log.Printf("write error: %s", err)
-		}
 
 		scanner := bufio.NewScanner(conn)
 		for scanner.Scan() {
 			message := scanner.Text()
-			_, err = fmt.Fprintf(conn, "echo: %q\n", message)
+			fmt.Fprintf(conn, "echo: %q\n", message)
-			if err != nil {
-				log.Printf("write error: %s", err)
-			}
 			log.Printf("got message %q", message)
 		}
 
@@ -101,8 +92,8 @@ pki:
 		}
 	}
 
-	_ = svc.Close()
+	service.Close()
-	if err := svc.Wait(); err != nil {
+	if err := service.Wait(); err != nil {
 		return err
 	}
 	return nil

go.mod

@@ -23,12 +23,12 @@ require (
 	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
 	github.com/stretchr/testify v1.9.0
 	github.com/vishvananda/netlink v1.2.1-beta.2
-	golang.org/x/crypto v0.26.0
+	golang.org/x/crypto v0.25.0
 	golang.org/x/exp v0.0.0-20230725093048-515e97ebf090
-	golang.org/x/net v0.28.0
+	golang.org/x/net v0.27.0
 	golang.org/x/sync v0.8.0
-	golang.org/x/sys v0.24.0
+	golang.org/x/sys v0.23.0
-	golang.org/x/term v0.23.0
+	golang.org/x/term v0.22.0
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
 	golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b
 	golang.zx2c4.com/wireguard/windows v0.5.3

go.sum

@@ -151,8 +151,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
-golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
-golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/exp v0.0.0-20230725093048-515e97ebf090 h1:Di6/M8l0O2lCLc6VVRWhgCiApHV8MnQurBnFSHsQtNY=
 golang.org/x/exp v0.0.0-20230725093048-515e97ebf090/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
@@ -171,8 +171,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
+golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
-golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -199,11 +199,11 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
-golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU=
+golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
-golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk=
+golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=

service/service.go

@@ -8,7 +8,6 @@ import (
 	"log"
 	"math"
 	"net"
-	"net/netip"
 	"os"
 	"strings"
 	"sync"
@@ -154,48 +153,24 @@ func New(config *config.C) (*Service, error) {
 	return &s, nil
 }
 
-func getProtocolNumber(addr netip.Addr) tcpip.NetworkProtocolNumber {
+// DialContext dials the provided address. Currently only TCP is supported.
-	if addr.Is6() {
-		return ipv6.ProtocolNumber
-	}
-	return ipv4.ProtocolNumber
-}
-
-// DialContext dials the provided address.
 func (s *Service) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
-	switch network {
+	if network != "tcp" && network != "tcp4" {
-	case "udp", "udp4", "udp6":
+		return nil, errors.New("only tcp is supported")
-		addr, err := net.ResolveUDPAddr(network, address)
-		if err != nil {
-			return nil, err
-		}
-		fullAddr := tcpip.FullAddress{
-			NIC:  nicID,
-			Addr: tcpip.AddrFromSlice(addr.IP),
-			Port: uint16(addr.Port),
-		}
-		num := getProtocolNumber(addr.AddrPort().Addr())
-		return gonet.DialUDP(s.ipstack, nil, &fullAddr, num)
-	case "tcp", "tcp4", "tcp6":
-		addr, err := net.ResolveTCPAddr(network, address)
-		if err != nil {
-			return nil, err
-		}
-		fullAddr := tcpip.FullAddress{
-			NIC:  nicID,
-			Addr: tcpip.AddrFromSlice(addr.IP),
-			Port: uint16(addr.Port),
-		}
-		num := getProtocolNumber(addr.AddrPort().Addr())
-		return gonet.DialContextTCP(ctx, s.ipstack, fullAddr, num)
-	default:
-		return nil, fmt.Errorf("unknown network type: %s", network)
 	}
-}
 
-// Dial dials the provided address
+	addr, err := net.ResolveTCPAddr(network, address)
-func (s *Service) Dial(network, address string) (net.Conn, error) {
+	if err != nil {
-	return s.DialContext(context.Background(), network, address)
+		return nil, err
+	}
+
+	fullAddr := tcpip.FullAddress{
+		NIC:  nicID,
+		Addr: tcpip.AddrFromSlice(addr.IP),
+		Port: uint16(addr.Port),
+	}
+
+	return gonet.DialContextTCP(ctx, s.ipstack, fullAddr, ipv4.ProtocolNumber)
 }
 
 // Listen listens on the provided address. Currently only TCP with wildcard

udp/udp_linux.go

@@ -218,7 +218,9 @@ func (u *StdConn) writeTo6(b []byte, ip netip.AddrPort) error {
 	var rsa unix.RawSockaddrInet6
 	rsa.Family = unix.AF_INET6
 	rsa.Addr = ip.Addr().As16()
-	binary.BigEndian.PutUint16((*[2]byte)(unsafe.Pointer(&rsa.Port))[:], ip.Port())
+	port := ip.Port()
+	// Little Endian -> Network Endian
+	rsa.Port = (port >> 8) | ((port & 0xff) << 8)
 
 	for {
 		_, _, err := unix.Syscall6(
@@ -249,7 +251,9 @@ func (u *StdConn) writeTo4(b []byte, ip netip.AddrPort) error {
 	var rsa unix.RawSockaddrInet4
 	rsa.Family = unix.AF_INET
 	rsa.Addr = ip.Addr().As4()
-	binary.BigEndian.PutUint16((*[2]byte)(unsafe.Pointer(&rsa.Port))[:], ip.Port())
+	port := ip.Port()
+	// Little Endian -> Network Endian
+	rsa.Port = (port >> 8) | ((port & 0xff) << 8)
 
 	for {
 		_, _, err := unix.Syscall6(