mirror of
https://github.com/slackhq/nebula.git
synced 2025-11-08 22:23:59 +01:00
ea2c186a77
This allows you to configure remote allow lists specific to different
subnets of the inside CIDR. Example:
remote_allow_ranges:
10.42.42.0/24:
192.168.0.0/16: true
This would only allow hosts with a VPN IP in the 10.42.42.0/24 range to
have private IPs (and thus don't connect over public IPs).
The PR also refactors AllowList into RemoteAllowList and LocalAllowList to make it clearer which methods are allowed on which allow list.
30 lines
776 B
Go
30 lines
776 B
Go
package nebula
|
|
|
|
const (
|
|
handshakeIXPSK0 = 0
|
|
handshakeXXPSK0 = 1
|
|
)
|
|
|
|
func HandleIncomingHandshake(f *Interface, addr *udpAddr, packet []byte, h *Header, hostinfo *HostInfo) {
|
|
// First remote allow list check before we know the vpnIp
|
|
if !f.lightHouse.remoteAllowList.AllowUnknownVpnIp(addr.IP) {
|
|
f.l.WithField("udpAddr", addr).Debug("lighthouse.remote_allow_list denied incoming handshake")
|
|
return
|
|
}
|
|
|
|
switch h.Subtype {
|
|
case handshakeIXPSK0:
|
|
switch h.MessageCounter {
|
|
case 1:
|
|
ixHandshakeStage1(f, addr, packet, h)
|
|
case 2:
|
|
newHostinfo, _ := f.handshakeManager.QueryIndex(h.RemoteIndex)
|
|
tearDown := ixHandshakeStage2(f, addr, newHostinfo, packet, h)
|
|
if tearDown && newHostinfo != nil {
|
|
f.handshakeManager.DeleteHostInfo(newHostinfo)
|
|
}
|
|
}
|
|
}
|
|
|
|
}
|