nebula

package module
v1.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 22, 2020 License: MIT Imports: 45 Imported by: 5

README

What is Nebula?

Nebula is a scalable overlay networking tool with a focus on performance, simplicity and security. It lets you seamlessly connect computers anywhere in the world. Nebula is portable, and runs on Linux, OSX, and Windows. (Also: keep this quiet, but we have an early prototype running on iOS). It can be used to connect a small number of computers, but is also able to connect tens of thousands of computers.

Nebula incorporates a number of existing concepts like encryption, security groups, certificates, and tunneling, and each of those individual pieces existed before Nebula in various forms. What makes Nebula different to existing offerings is that it brings all of these ideas together, resulting in a sum that is greater than its individual parts.

You can read more about Nebula here.

You can also join the NebulaOSS Slack group here

Technical Overview

Nebula is a mutually authenticated peer-to-peer software defined network based on the Noise Protocol Framework. Nebula uses certificates to assert a node's IP address, name, and membership within user-defined groups. Nebula's user-defined groups allow for provider agnostic traffic filtering between nodes. Discovery nodes allow individual peers to find each other and optionally use UDP hole punching to establish connections from behind most firewalls or NATs. Users can move data between nodes in any number of cloud service providers, datacenters, and endpoints, without needing to maintain a particular addressing scheme.

Nebula uses elliptic curve Diffie-Hellman key exchange, and AES-256-GCM in its default configuration.

Nebula was created to provide a mechanism for groups hosts to communicate securely, even across the internet, while enabling expressive firewall definitions similar in style to cloud security groups.

Getting started (quickly)

To set up a Nebula network, you'll need:

1. The Nebula binaries for your specific platform. Specifically you'll need nebula-cert and the specific nebula binary for each platform you use.
2. (Optional, but you really should..) At least one discovery node with a routable IP address, which we call a lighthouse.

Nebula lighthouses allow nodes to find each other, anywhere in the world. A lighthouse is the only node in a Nebula network whose IP should not change. Running a lighthouse requires very few compute resources, and you can easily use the least expensive option from a cloud hosting provider. If you're not sure which provider to use, a number of us have used $5/mo DigitalOcean droplets as lighthouses.

Once you have launched an instance, ensure that Nebula udp traffic (default port udp/4242) can reach it over the internet.

3. A Nebula certificate authority, which will be the root of trust for a particular Nebula network.
./nebula-cert ca -name "Myorganization, Inc"

This will create files named ca.key and ca.cert in the current directory. The ca.key file is the most sensitive file you'll create, because it is the key used to sign the certificates for individual nebula nodes/hosts. Please store this file somewhere safe, preferably with strong encryption.

4. Nebula host keys and certificates generated from that certificate authority

This assumes you have four nodes, named lighthouse1, laptop, server1, host3. You can name the nodes any way you'd like, including FQDN. You'll also need to choose IP addresses and the associated subnet. In this example, we are creating a nebula network that will use 192.168.100.x/24 as its network range. This example also demonstrates nebula groups, which can later be used to define traffic rules in a nebula network.

./nebula-cert sign -name "lighthouse1" -ip "192.168.100.1/24"
./nebula-cert sign -name "laptop" -ip "192.168.100.2/24" -groups "laptop,home,ssh"
./nebula-cert sign -name "server1" -ip "192.168.100.9/24" -groups "servers"
./nebula-cert sign -name "host3" -ip "192.168.100.10/24"
5. Configuration files for each host

Download a copy of the nebula example configuration.

  • On the lighthouse node, you'll need to ensure am_lighthouse: true is set.

  • On the individual hosts, ensure the lighthouse is defined properly in the static_host_map section, and is added to the lighthouse hosts section.

6. Copy nebula credentials, configuration, and binaries to each host

For each host, copy the nebula binary to the host, along with config.yaml from step 5, and the files ca.crt, {host}.crt, and {host}.key from step 4.

DO NOT COPY ca.key TO INDIVIDUAL NODES.

7. Run nebula on each host
./nebula -config /path/to/config.yaml

Building Nebula from source

Download go and clone this repo. Change to the nebula directory.

To build nebula for all platforms: make all

To build nebula for a specific platform (ex, Windows): make bin-windows

See the Makefile for more details on build targets

Credits

Nebula was created at Slack Technologies, Inc by Nate Brown and Ryan Huber, with contributions from Oliver Fross, Alan Lam, Wade Simmons, and Lining Wang.

Documentation

Index

Constants

View Source 
const (
	// Total time to try a handshake = sequence of HandshakeTryInterval * HandshakeRetries
	// With 100ms interval and 20 retries is 23.5 seconds
	DefaultHandshakeTryInterval = time.Millisecond * 100
	DefaultHandshakeRetries     = 20
	// DefaultHandshakeWaitRotation is the number of handshake attempts to do before starting to use other ips addresses
	DefaultHandshakeWaitRotation  = 5
	DefaultHandshakeTriggerBuffer = 64
)
View Source 
const (
	Version   uint8 = 1
	HeaderLen       = 16
)
View Source 
const DEFAULT_MTU = 1300
View Source 
const MaxRemotes = 10
View Source 
const PromoteEvery = 1000

const ProbeLen = 100

View Source 
const ReplayWindow = 1024
View Source 
const RoamingSupressSeconds = 2

How long we should prevent roaming back to the previous IP. This helps prevent flapping due to packets already in flight

Variables

View Source 
var ErrInvalidLocalIP = errors.New("local IP is not in list of handled local IPs")
View Source 
var ErrInvalidRemoteIP = errors.New("remote IP is not in remote certificate subnets")
View Source 
var ErrNoMatchingRule = errors.New("no matching rule in firewall table")
View Source 
var NebulaMeta_MessageType_name = map[int32]string{
	0: "None",
	1: "HostQuery",
	2: "HostQueryReply",
	3: "HostUpdateNotification",
	4: "HostMovedNotification",
	5: "HostPunchNotification",
	6: "HostWhoami",
	7: "HostWhoamiReply",
	8: "PathCheck",
	9: "PathCheckReply",
}
View Source 
var NebulaMeta_MessageType_value = map[string]int32{
	"None":                   0,
	"HostQuery":              1,
	"HostQueryReply":         2,
	"HostUpdateNotification": 3,
	"HostMovedNotification":  4,
	"HostPunchNotification":  5,
	"HostWhoami":             6,
	"HostWhoamiReply":        7,
	"PathCheck":              8,
	"PathCheckReply":         9,
}
View Source 
var NebulaPing_MessageType_name = map[int32]string{
	0: "Ping",
	1: "Reply",
}
View Source 
var NebulaPing_MessageType_value = map[string]int32{
	"Ping":  0,
	"Reply": 1,
}

Functions

func AddFirewallRulesFromConfig 

func AddFirewallRulesFromConfig(inbound bool, config *Config, fw FirewallInterface) error

func HandleIncomingHandshake 

func HandleIncomingHandshake(f *Interface, addr *udpAddr, packet []byte, h *Header, hostinfo *HostInfo)

func HeaderEncode 

func HeaderEncode(b []byte, v uint8, t uint8, st uint8, ri uint32, c uint64) []byte

HeaderEncode uses the provided byte array to encode the provided header values into. Byte array must be capped higher than HeaderLen or this will panic

func NewIpAndPortsFromNetIps 

func NewIpAndPortsFromNetIps(ips []udpAddr) *[]*IpAndPort

func NewListenConfig 

func NewListenConfig(multi bool) net.ListenConfig

func NewListener 

func NewListener(ip string, port int, multi bool) (*udpConn, error)

func NewUDPAddr 

func NewUDPAddr(ip uint32, port uint16) *udpAddr

func NewUDPAddrFromString 

func NewUDPAddrFromString(s string) *udpAddr

func PrivateIP 

func PrivateIP(ip net.IP) bool

func RecombineCertAndValidate 

func RecombineCertAndValidate(h *noise.HandshakeState, rawCertBytes []byte) (*cert.NebulaCertificate, error)

func SubTypeName 

func SubTypeName(t NebulaMessageType, s NebulaMessageSubType) string

SubTypeName will transform a nebula message sub type into a human string

func TypeName 

func TypeName(t NebulaMessageType) string

TypeName will transform a nebula message type into a human string

Types

type AllowList added in v1.2.0 

type AllowList struct {
	// contains filtered or unexported fields
}

func (*AllowList) Allow added in v1.2.0 

func (al *AllowList) Allow(ip uint32) bool

func (*AllowList) AllowName added in v1.2.0 

func (al *AllowList) AllowName(name string) bool

type AllowListNameRule added in v1.2.0 

type AllowListNameRule struct {
	Name  *regexp.Regexp
	Allow bool
}

type Bits 

type Bits struct {
	// contains filtered or unexported fields
}

func NewBits 

func NewBits(bits uint64) *Bits

func (*Bits) Check 

func (b *Bits) Check(i uint64) bool

func (*Bits) Update 

func (b *Bits) Update(i uint64) bool

type CIDRNode 

type CIDRNode struct {
	// contains filtered or unexported fields
}

type CIDRTree 

type CIDRTree struct {
	// contains filtered or unexported fields
}

func NewCIDRTree 

func NewCIDRTree() *CIDRTree

func (*CIDRTree) AddCIDR 

func (tree *CIDRTree) AddCIDR(cidr *net.IPNet, val interface{})

func (*CIDRTree) Contains 

func (tree *CIDRTree) Contains(ip uint32) (value interface{})

Finds the first match, which way be the least specific

func (*CIDRTree) Match 

func (tree *CIDRTree) Match(ip uint32) (value interface{})

Finds the most specific match

func (*CIDRTree) MostSpecificContains added in v1.1.0 

func (tree *CIDRTree) MostSpecificContains(ip uint32) (value interface{})

Finds the most specific match

type CertState 

type CertState struct {
	// contains filtered or unexported fields
}

func NewCertState 

func NewCertState(certificate *cert.NebulaCertificate, privateKey []byte) (*CertState, error)

func NewCertStateFromConfig 

func NewCertStateFromConfig(c *Config) (*CertState, error)

type Config 

type Config struct {
	Settings map[interface{}]interface{}
	// contains filtered or unexported fields
}

func NewConfig 

func NewConfig() *Config

func (*Config) CatchHUP 

func (c *Config) CatchHUP()

CatchHUP will listen for the HUP signal in a go routine and reload all configs found in the original path provided to Load. The old settings are shallow copied for change detection after the reload.

func (*Config) Get 

func (c *Config) Get(k string) interface{}

func (*Config) GetAllowList added in v1.2.0 

func (c *Config) GetAllowList(k string, allowInterfaces bool) (*AllowList, error)

func (*Config) GetBool 

func (c *Config) GetBool(k string, d bool) bool

GetBool will get the bool for k or return the default d if not found or invalid

func (*Config) GetDuration 

func (c *Config) GetDuration(k string, d time.Duration) time.Duration

GetDuration will get the duration for k or return the default d if not found or invalid

func (*Config) GetInt 

func (c *Config) GetInt(k string, d int) int

GetInt will get the int for k or return the default d if not found or invalid

func (*Config) GetMap 

func (c *Config) GetMap(k string, d map[interface{}]interface{}) map[interface{}]interface{}

GetMap will get the map for k or return the default d if not found or invalid

func (*Config) GetString 

func (c *Config) GetString(k, d string) string

GetString will get the string for k or return the default d if not found or invalid

func (*Config) GetStringSlice 

func (c *Config) GetStringSlice(k string, d []string) []string

GetStringSlice will get the slice of strings for k or return the default d if not found or invalid

func (*Config) HasChanged 

func (c *Config) HasChanged(k string) bool

HasChanged checks if the underlying structure of the provided key has changed after a config reload. The value of k in both the old and new settings will be serialized, the result of the string comparison is returned. If k is an empty string the entire config is tested. It's important to note that this is very rudimentary and susceptible to configuration ordering issues indicating there is change when there actually wasn't any.

func (*Config) IsSet added in v1.2.0 

func (c *Config) IsSet(k string) bool

func (*Config) Load 

func (c *Config) Load(path string) error

Load will find all yaml files within path and load them in lexical order

func (*Config) LoadString added in v1.3.0 

func (c *Config) LoadString(raw string) error

func (*Config) RegisterReloadCallback 

func (c *Config) RegisterReloadCallback(f func(*Config))

RegisterReloadCallback stores a function to be called when a config reload is triggered. The functions registered here should decide if they need to make a change to the current process before making the change. HasChanged can be used to help decide if a change is necessary. These functions should return quickly or spawn their own go routine if they will take a while

func (*Config) ReloadConfig 

func (c *Config) ReloadConfig()

type ConnectionState 

type ConnectionState struct {
	H *noise.HandshakeState
	// contains filtered or unexported fields
}

func (*ConnectionState) MarshalJSON 

func (cs *ConnectionState) MarshalJSON() ([]byte, error)

type ContextualError added in v1.3.0 

type ContextualError struct {
	RealError error
	Fields    map[string]interface{}
	Context   string
}

func NewContextualError added in v1.3.0 

func NewContextualError(msg string, fields map[string]interface{}, realError error) ContextualError

func (ContextualError) Error added in v1.3.0 

func (ce ContextualError) Error() string

func (*ContextualError) Log added in v1.3.0 

func (ce *ContextualError) Log(lr *logrus.Logger)

func (ContextualError) Unwrap added in v1.3.0 

func (ce ContextualError) Unwrap() error

type Control added in v1.3.0 

type Control struct {
	// contains filtered or unexported fields
}

func Main 

func Main(config *Config, configTest bool, buildVersion string, logger *logrus.Logger, tunFd *int) (*Control, error)

func (*Control) CloseTunnel added in v1.3.0 

func (c *Control) CloseTunnel(vpnIP uint32, localOnly bool) bool

CloseTunnel closes a fully established tunnel. If localOnly is false it will notify the remote end as well.

func (*Control) GetHostInfoByVpnIP added in v1.3.0 

func (c *Control) GetHostInfoByVpnIP(vpnIP uint32, pending bool) *ControlHostInfo

GetHostInfoByVpnIP returns a single tunnels hostInfo, or nil if not found

func (*Control) ListHostmap added in v1.3.0 

func (c *Control) ListHostmap(pendingMap bool) []ControlHostInfo

ListHostmap returns details about the actual or pending (handshaking) hostmap

func (*Control) RebindUDPServer added in v1.3.0 

func (c *Control) RebindUDPServer()

RebindUDPServer asks the UDP listener to rebind it's listener. Mainly used on mobile clients when interfaces change

func (*Control) SetRemoteForTunnel added in v1.3.0 

func (c *Control) SetRemoteForTunnel(vpnIP uint32, addr udpAddr) *ControlHostInfo

SetRemoteForTunnel forces a tunnel to use a specific remote

func (*Control) ShutdownBlock added in v1.3.0 

func (c *Control) ShutdownBlock()

ShutdownBlock will listen for and block on term and interrupt signals, calling Control.Stop() once signalled

func (*Control) Start added in v1.3.0 

func (c *Control) Start()

Start actually runs nebula, this is a nonblocking call. To block use Control.ShutdownBlock()

func (*Control) Stop added in v1.3.0 

func (c *Control) Stop()

Stop signals nebula to shutdown, returns after the shutdown is complete

type ControlHostInfo added in v1.3.0 

type ControlHostInfo struct {
	VpnIP          net.IP                  `json:"vpnIp"`
	LocalIndex     uint32                  `json:"localIndex"`
	RemoteIndex    uint32                  `json:"remoteIndex"`
	RemoteAddrs    []udpAddr               `json:"remoteAddrs"`
	CachedPackets  int                     `json:"cachedPackets"`
	Cert           *cert.NebulaCertificate `json:"cert"`
	MessageCounter uint64                  `json:"messageCounter"`
	CurrentRemote  udpAddr                 `json:"currentRemote"`
}

type EncWriter 

type EncWriter interface {
	SendMessageToVpnIp(t NebulaMessageType, st NebulaMessageSubType, vpnIp uint32, p, nb, out []byte)
	SendMessageToAll(t NebulaMessageType, st NebulaMessageSubType, vpnIp uint32, p, nb, out []byte)
}

type Firewall 

type Firewall struct {
	Conntrack *FirewallConntrack

	InRules  *FirewallTable
	OutRules *FirewallTable

	//TODO: we should have many more options for TCP, an option for ICMP, and mimic the kernel a bit better
	// https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
	TCPTimeout     time.Duration //linux: 5 days max
	UDPTimeout     time.Duration //linux: 180s max
	DefaultTimeout time.Duration //linux: 600s
	// contains filtered or unexported fields
}

TODO: need conntrack max tracked connections handling

func NewFirewall 

func NewFirewall(tcpTimeout, UDPTimeout, defaultTimeout time.Duration, c *cert.NebulaCertificate) *Firewall

NewFirewall creates a new Firewall object. A TimerWheel is created for you from the provided timeouts.

func NewFirewallFromConfig 

func NewFirewallFromConfig(nc *cert.NebulaCertificate, c *Config) (*Firewall, error)

func (*Firewall) AddRule 

func (f *Firewall) AddRule(incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, ip *net.IPNet, caName string, caSha string) error

AddRule properly creates the in memory rule structure for a firewall table.

func (*Firewall) Destroy 

func (f *Firewall) Destroy()

Destroy cleans up any known cyclical references so the object can be free'd my GC. This should be called if a new firewall object is created

func (*Firewall) Drop 

func (f *Firewall) Drop(packet []byte, fp FirewallPacket, incoming bool, h *HostInfo, caPool *cert.NebulaCAPool) error

Drop returns an error if the packet should be dropped, explaining why. It returns nil if the packet should not be dropped.

func (*Firewall) EmitStats 

func (f *Firewall) EmitStats()

func (*Firewall) GetRuleHash 

func (f *Firewall) GetRuleHash() string

GetRuleHash returns a hash representation of all inbound and outbound rules

type FirewallCA added in v1.1.0 

type FirewallCA struct {
	Any     *FirewallRule
	CANames map[string]*FirewallRule
	CAShas  map[string]*FirewallRule
}

type FirewallConntrack added in v1.3.0 

type FirewallConntrack struct {
	sync.Mutex

	Conns      map[FirewallPacket]*conn
	TimerWheel *TimerWheel
}

type FirewallInterface 

type FirewallInterface interface {
	AddRule(incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, ip *net.IPNet, caName string, caSha string) error
}

type FirewallPacket 

type FirewallPacket struct {
	LocalIP    uint32
	RemoteIP   uint32
	LocalPort  uint16
	RemotePort uint16
	Protocol   uint8
	Fragment   bool
}

func (*FirewallPacket) Copy 

func (fp *FirewallPacket) Copy() *FirewallPacket

func (FirewallPacket) MarshalJSON 

func (fp FirewallPacket) MarshalJSON() ([]byte, error)

type FirewallRule 

type FirewallRule struct {
	// Any makes Hosts, Groups, and CIDR irrelevant
	Any    bool
	Hosts  map[string]struct{}
	Groups [][]string
	CIDR   *CIDRTree
}

type FirewallTable 

type FirewallTable struct {
	TCP      firewallPort
	UDP      firewallPort
	ICMP     firewallPort
	AnyProto firewallPort
}

type HandshakeConfig added in v1.2.0 

type HandshakeConfig struct {
	// contains filtered or unexported fields
}

type HandshakeManager 

type HandshakeManager struct {
	OutboundHandshakeTimer *SystemTimerWheel
	InboundHandshakeTimer  *SystemTimerWheel
	// contains filtered or unexported fields
}

func NewHandshakeManager 

func NewHandshakeManager(tunCidr *net.IPNet, preferredRanges []*net.IPNet, mainHostMap *HostMap, lightHouse *LightHouse, outside *udpConn, config HandshakeConfig) *HandshakeManager

func (*HandshakeManager) AddIndex 

func (c *HandshakeManager) AddIndex(index uint32, ci *ConnectionState) (*HostInfo, error)

func (*HandshakeManager) AddIndexHostInfo 

func (c *HandshakeManager) AddIndexHostInfo(index uint32, h *HostInfo)

func (*HandshakeManager) AddVpnIP 

func (c *HandshakeManager) AddVpnIP(vpnIP uint32) *HostInfo

func (*HandshakeManager) DeleteIndex 

func (c *HandshakeManager) DeleteIndex(index uint32)

func (*HandshakeManager) DeleteVpnIP 

func (c *HandshakeManager) DeleteVpnIP(vpnIP uint32)

func (*HandshakeManager) EmitStats 

func (c *HandshakeManager) EmitStats()

func (*HandshakeManager) NextInboundHandshakeTimerTick 

func (c *HandshakeManager) NextInboundHandshakeTimerTick(now time.Time)

func (*HandshakeManager) NextOutboundHandshakeTimerTick 

func (c *HandshakeManager) NextOutboundHandshakeTimerTick(now time.Time, f EncWriter)

func (*HandshakeManager) QueryIndex 

func (c *HandshakeManager) QueryIndex(index uint32) (*HostInfo, error)

func (*HandshakeManager) Run 

func (c *HandshakeManager) Run(f EncWriter)
type Header struct {
	Version        uint8
	Type           NebulaMessageType
	Subtype        NebulaMessageSubType
	Reserved       uint16
	RemoteIndex    uint32
	MessageCounter uint64
}

func NewHeader 

func NewHeader(b []byte) (*Header, error)

NewHeader turns bytes into a header

func (*Header) Encode 

func (h *Header) Encode(b []byte) ([]byte, error)

Encode turns header into bytes

func (*Header) MarshalJSON 

func (h *Header) MarshalJSON() ([]byte, error)

MarshalJSON creates a json string representation of a header

func (*Header) Parse 

func (h *Header) Parse(b []byte) error

Parse is a helper function to parses given bytes into new Header struct

func (*Header) String 

func (h *Header) String() string

String creates a readable string representation of a header

func (*Header) SubTypeName 

func (h *Header) SubTypeName() string

SubTypeName will transform the headers message sub type into a human string

func (*Header) TypeName 

func (h *Header) TypeName() string

TypeName will transform the headers message type into a human string

type HostInfo 

type HostInfo struct {
	Remotes []*HostInfoDest

	ConnectionState *ConnectionState

	HandshakeReady    bool
	HandshakeCounter  int
	HandshakeComplete bool
	HandshakePacket   map[uint8][]byte
	// contains filtered or unexported fields
}

func (*HostInfo) AddRemote 

func (i *HostInfo) AddRemote(r udpAddr) *udpAddr

func (*HostInfo) BindConnectionState 

func (i *HostInfo) BindConnectionState(cs *ConnectionState)

func (*HostInfo) ClearConnectionState 

func (i *HostInfo) ClearConnectionState()

func (*HostInfo) ClearRemotes 

func (i *HostInfo) ClearRemotes()

func (*HostInfo) CreateRemoteCIDR added in v1.1.0 

func (i *HostInfo) CreateRemoteCIDR(c *cert.NebulaCertificate)

func (*HostInfo) ForcePromoteBest 

func (i *HostInfo) ForcePromoteBest(preferredRanges []*net.IPNet)

func (*HostInfo) GetCert 

func (i *HostInfo) GetCert() *cert.NebulaCertificate

func (*HostInfo) MarshalJSON 

func (i *HostInfo) MarshalJSON() ([]byte, error)

func (*HostInfo) RecvErrorExceeded 

func (i *HostInfo) RecvErrorExceeded() bool

func (*HostInfo) RemoteUDPAddrs 

func (i *HostInfo) RemoteUDPAddrs() []*udpAddr

func (*HostInfo) SetRemote 

func (i *HostInfo) SetRemote(remote udpAddr)

func (*HostInfo) TryPromoteBest 

func (i *HostInfo) TryPromoteBest(preferredRanges []*net.IPNet, ifce *Interface)

type HostInfoDest 

type HostInfoDest struct {
	// contains filtered or unexported fields
}

func NewHostInfoDest 

func NewHostInfoDest(addr *udpAddr) *HostInfoDest

func (*HostInfoDest) MarshalJSON 

func (hid *HostInfoDest) MarshalJSON() ([]byte, error)

type HostMap 

type HostMap struct {
	sync.RWMutex //Because we concurrently read and write to our maps

	Indexes map[uint32]*HostInfo
	Hosts   map[uint32]*HostInfo
	// contains filtered or unexported fields
}

func NewHostMap 

func NewHostMap(name string, vpnCIDR *net.IPNet, preferredRanges []*net.IPNet) *HostMap

func (*HostMap) Add 

func (hm *HostMap) Add(ip uint32, hostinfo *HostInfo)

func (*HostMap) AddIndex 

func (hm *HostMap) AddIndex(index uint32, ci *ConnectionState) (*HostInfo, error)

func (*HostMap) AddIndexHostInfo 

func (hm *HostMap) AddIndexHostInfo(index uint32, h *HostInfo)

func (*HostMap) AddRemote 

func (hm *HostMap) AddRemote(vpnIp uint32, remote *udpAddr) *HostInfo

func (*HostMap) AddVpnIP 

func (hm *HostMap) AddVpnIP(vpnIP uint32) *HostInfo

func (*HostMap) AddVpnIPHostInfo 

func (hm *HostMap) AddVpnIPHostInfo(vpnIP uint32, h *HostInfo)

func (*HostMap) CheckHandshakeCompleteIP 

func (hm *HostMap) CheckHandshakeCompleteIP(vpnIP uint32) bool

func (*HostMap) CheckHandshakeCompleteIndex 

func (hm *HostMap) CheckHandshakeCompleteIndex(index uint32) bool

func (*HostMap) ClearRemotes 

func (hm *HostMap) ClearRemotes(vpnIP uint32)

func (*HostMap) DeleteIndex 

func (hm *HostMap) DeleteIndex(index uint32)

func (*HostMap) DeleteVpnIP 

func (hm *HostMap) DeleteVpnIP(vpnIP uint32)

func (*HostMap) EmitStats 

func (hm *HostMap) EmitStats(name string)

UpdateStats takes a name and reports host and index counts to the stats collection system

func (*HostMap) GetIndexByVpnIP 

func (hm *HostMap) GetIndexByVpnIP(vpnIP uint32) (uint32, error)

func (*HostMap) GetVpnIPByIndex 

func (hm *HostMap) GetVpnIPByIndex(index uint32) (uint32, error)

func (*HostMap) PromoteBestQueryVpnIP 

func (hm *HostMap) PromoteBestQueryVpnIP(vpnIp uint32, ifce *Interface) (*HostInfo, error)

PromoteBestQueryVpnIP will attempt to lazily switch to the best remote every `PromoteEvery` calls to this function for a given host.

func (*HostMap) PunchList 

func (hm *HostMap) PunchList() []*udpAddr

func (*HostMap) Punchy 

func (hm *HostMap) Punchy(conn *udpConn)

func (*HostMap) QueryIndex 

func (hm *HostMap) QueryIndex(index uint32) (*HostInfo, error)

func (*HostMap) QueryReverseIndex 

func (hm *HostMap) QueryReverseIndex(index uint32) (*HostInfo, error)

This function needs to range because we don't keep a map of remote indexes.

func (*HostMap) QueryVpnIP 

func (hm *HostMap) QueryVpnIP(vpnIp uint32) (*HostInfo, error)

func (*HostMap) SetDefaultRoute 

func (hm *HostMap) SetDefaultRoute(ip uint32)

type Inside added in v1.3.0 

type Inside interface {
	io.ReadWriteCloser
	Activate() error
	CidrNet() *net.IPNet
	DeviceName() string
	WriteRaw([]byte) error
}

type IntIp 

type IntIp uint32

A helper type to avoid converting to IP when logging

func (IntIp) MarshalJSON 

func (ip IntIp) MarshalJSON() ([]byte, error)

func (IntIp) String 

func (ip IntIp) String() string

type Interface 

type Interface struct {
	// contains filtered or unexported fields
}

func NewInterface 

func NewInterface(c *InterfaceConfig) (*Interface, error)

func (*Interface) RegisterConfigChangeCallbacks 

func (f *Interface) RegisterConfigChangeCallbacks(c *Config)

func (*Interface) SendMessageToAll 

func (f *Interface) SendMessageToAll(t NebulaMessageType, st NebulaMessageSubType, vpnIp uint32, p, nb, out []byte)

SendMessageToAll handles real ip:port lookup and sends to all known addresses for vpnIp

func (*Interface) SendMessageToVpnIp 

func (f *Interface) SendMessageToVpnIp(t NebulaMessageType, st NebulaMessageSubType, vpnIp uint32, p, nb, out []byte)

SendMessageToVpnIp handles real ip:port lookup and sends to the current best known address for vpnIp

type InterfaceConfig 

type InterfaceConfig struct {
	HostMap *HostMap
	Outside *udpConn
	Inside  Inside

	Cipher           string
	Firewall         *Firewall
	ServeDns         bool
	HandshakeManager *HandshakeManager

	DropLocalBroadcast bool
	DropMulticast      bool
	UDPBatchSize       int

	MessageMetrics *MessageMetrics
	// contains filtered or unexported fields
}

type IpAndPort 

type IpAndPort struct {
	Ip                   uint32   `protobuf:"varint,1,opt,name=Ip,json=ip,proto3" json:"Ip,omitempty"`
	Port                 uint32   `protobuf:"varint,2,opt,name=Port,json=port,proto3" json:"Port,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func NewIpAndPortFromUDPAddr 

func NewIpAndPortFromUDPAddr(addr udpAddr) *IpAndPort

func (*IpAndPort) Descriptor 

func (*IpAndPort) Descriptor() ([]byte, []int)

func (*IpAndPort) GetIp 

func (m *IpAndPort) GetIp() uint32

func (*IpAndPort) GetPort 

func (m *IpAndPort) GetPort() uint32

func (*IpAndPort) ProtoMessage 

func (*IpAndPort) ProtoMessage()

func (*IpAndPort) Reset 

func (m *IpAndPort) Reset()

func (*IpAndPort) String 

func (m *IpAndPort) String() string

func (*IpAndPort) XXX_DiscardUnknown 

func (m *IpAndPort) XXX_DiscardUnknown()

func (*IpAndPort) XXX_Marshal 

func (m *IpAndPort) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*IpAndPort) XXX_Merge 

func (m *IpAndPort) XXX_Merge(src proto.Message)

func (*IpAndPort) XXX_Size 

func (m *IpAndPort) XXX_Size() int

func (*IpAndPort) XXX_Unmarshal 

func (m *IpAndPort) XXX_Unmarshal(b []byte) error

type LightHouse 

type LightHouse struct {
	sync.RWMutex //Because we concurrently read and write to our maps
	// contains filtered or unexported fields
}

func NewLightHouse 

func NewLightHouse(amLighthouse bool, myIp uint32, ips []uint32, interval int, nebulaPort int, pc *udpConn, punchBack bool, punchDelay time.Duration, metricsEnabled bool) *LightHouse

func (*LightHouse) AddRemote 

func (lh *LightHouse) AddRemote(vpnIP uint32, toIp *udpAddr, static bool)

func (*LightHouse) AddRemoteAndReset 

func (lh *LightHouse) AddRemoteAndReset(vpnIP uint32, toIp *udpAddr)

func (*LightHouse) DeleteVpnIP 

func (lh *LightHouse) DeleteVpnIP(vpnIP uint32)

func (*LightHouse) HandleRequest 

func (lh *LightHouse) HandleRequest(rAddr *udpAddr, vpnIp uint32, p []byte, c *cert.NebulaCertificate, f EncWriter)

func (*LightHouse) IsLighthouseIP 

func (lh *LightHouse) IsLighthouseIP(vpnIP uint32) bool

func (*LightHouse) LhUpdateWorker 

func (lh *LightHouse) LhUpdateWorker(f EncWriter)

func (*LightHouse) Query 

func (lh *LightHouse) Query(ip uint32, f EncWriter) ([]udpAddr, error)

func (*LightHouse) QueryCache 

func (lh *LightHouse) QueryCache(ip uint32) []udpAddr

Query our local lighthouse cached results

func (*LightHouse) QueryServer 

func (lh *LightHouse) QueryServer(ip uint32, f EncWriter)

This is asynchronous so no reply should be expected

func (*LightHouse) SetLocalAllowList added in v1.2.0 

func (lh *LightHouse) SetLocalAllowList(allowList *AllowList)

func (*LightHouse) SetRemoteAllowList added in v1.2.0 

func (lh *LightHouse) SetRemoteAllowList(allowList *AllowList)

func (*LightHouse) ValidateLHStaticEntries added in v1.1.0 

func (lh *LightHouse) ValidateLHStaticEntries() error

type MessageMetrics added in v1.3.0 

type MessageMetrics struct {
	// contains filtered or unexported fields
}

func (*MessageMetrics) Rx added in v1.3.0 

func (m *MessageMetrics) Rx(t NebulaMessageType, s NebulaMessageSubType, i int64)

func (*MessageMetrics) Tx added in v1.3.0 

func (m *MessageMetrics) Tx(t NebulaMessageType, s NebulaMessageSubType, i int64)

type NebulaCipherState 

type NebulaCipherState struct {
	// contains filtered or unexported fields
}

func NewNebulaCipherState 

func NewNebulaCipherState(s *noise.CipherState) *NebulaCipherState

func (*NebulaCipherState) DecryptDanger 

func (s *NebulaCipherState) DecryptDanger(out, ad, ciphertext []byte, n uint64, nb []byte) ([]byte, error)

func (*NebulaCipherState) EncryptDanger 

func (s *NebulaCipherState) EncryptDanger(out, ad, plaintext []byte, n uint64, nb []byte) ([]byte, error)

type NebulaHandshake 

type NebulaHandshake struct {
	Details              *NebulaHandshakeDetails `protobuf:"bytes,1,opt,name=Details,json=details,proto3" json:"Details,omitempty"`
	Hmac                 []byte                  `protobuf:"bytes,2,opt,name=Hmac,json=hmac,proto3" json:"Hmac,omitempty"`
	XXX_NoUnkeyedLiteral struct{}                `json:"-"`
	XXX_unrecognized     []byte                  `json:"-"`
	XXX_sizecache        int32                   `json:"-"`
}

func (*NebulaHandshake) Descriptor 

func (*NebulaHandshake) Descriptor() ([]byte, []int)

func (*NebulaHandshake) GetDetails 

func (m *NebulaHandshake) GetDetails() *NebulaHandshakeDetails

func (*NebulaHandshake) GetHmac 

func (m *NebulaHandshake) GetHmac() []byte

func (*NebulaHandshake) ProtoMessage 

func (*NebulaHandshake) ProtoMessage()

func (*NebulaHandshake) Reset 

func (m *NebulaHandshake) Reset()

func (*NebulaHandshake) String 

func (m *NebulaHandshake) String() string

func (*NebulaHandshake) XXX_DiscardUnknown 

func (m *NebulaHandshake) XXX_DiscardUnknown()

func (*NebulaHandshake) XXX_Marshal 

func (m *NebulaHandshake) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*NebulaHandshake) XXX_Merge 

func (m *NebulaHandshake) XXX_Merge(src proto.Message)

func (*NebulaHandshake) XXX_Size 

func (m *NebulaHandshake) XXX_Size() int

func (*NebulaHandshake) XXX_Unmarshal 

func (m *NebulaHandshake) XXX_Unmarshal(b []byte) error

type NebulaHandshakeDetails 

type NebulaHandshakeDetails struct {
	Cert                 []byte   `protobuf:"bytes,1,opt,name=Cert,json=cert,proto3" json:"Cert,omitempty"`
	InitiatorIndex       uint32   `protobuf:"varint,2,opt,name=InitiatorIndex,json=initiatorIndex,proto3" json:"InitiatorIndex,omitempty"`
	ResponderIndex       uint32   `protobuf:"varint,3,opt,name=ResponderIndex,json=responderIndex,proto3" json:"ResponderIndex,omitempty"`
	Cookie               uint64   `protobuf:"varint,4,opt,name=Cookie,json=cookie,proto3" json:"Cookie,omitempty"`
	Time                 uint64   `protobuf:"varint,5,opt,name=Time,json=time,proto3" json:"Time,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*NebulaHandshakeDetails) Descriptor 

func (*NebulaHandshakeDetails) Descriptor() ([]byte, []int)

func (*NebulaHandshakeDetails) GetCert 

func (m *NebulaHandshakeDetails) GetCert() []byte

func (*NebulaHandshakeDetails) GetCookie 

func (m *NebulaHandshakeDetails) GetCookie() uint64

func (*NebulaHandshakeDetails) GetInitiatorIndex 

func (m *NebulaHandshakeDetails) GetInitiatorIndex() uint32

func (*NebulaHandshakeDetails) GetResponderIndex 

func (m *NebulaHandshakeDetails) GetResponderIndex() uint32

func (*NebulaHandshakeDetails) GetTime 

func (m *NebulaHandshakeDetails) GetTime() uint64

func (*NebulaHandshakeDetails) ProtoMessage 

func (*NebulaHandshakeDetails) ProtoMessage()

func (*NebulaHandshakeDetails) Reset 

func (m *NebulaHandshakeDetails) Reset()

func (*NebulaHandshakeDetails) String 

func (m *NebulaHandshakeDetails) String() string

func (*NebulaHandshakeDetails) XXX_DiscardUnknown 

func (m *NebulaHandshakeDetails) XXX_DiscardUnknown()

func (*NebulaHandshakeDetails) XXX_Marshal 

func (m *NebulaHandshakeDetails) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*NebulaHandshakeDetails) XXX_Merge 

func (m *NebulaHandshakeDetails) XXX_Merge(src proto.Message)

func (*NebulaHandshakeDetails) XXX_Size 

func (m *NebulaHandshakeDetails) XXX_Size() int

func (*NebulaHandshakeDetails) XXX_Unmarshal 

func (m *NebulaHandshakeDetails) XXX_Unmarshal(b []byte) error

type NebulaMessageSubType 

type NebulaMessageSubType uint8

type NebulaMessageType 

type NebulaMessageType uint8

type NebulaMeta 

type NebulaMeta struct {
	Type                 NebulaMeta_MessageType `protobuf:"varint,1,opt,name=Type,json=type,proto3,enum=nebula.NebulaMeta_MessageType" json:"Type,omitempty"`
	Details              *NebulaMetaDetails     `protobuf:"bytes,2,opt,name=Details,json=details,proto3" json:"Details,omitempty"`
	XXX_NoUnkeyedLiteral struct{}               `json:"-"`
	XXX_unrecognized     []byte                 `json:"-"`
	XXX_sizecache        int32                  `json:"-"`
}

func NewLhQueryByInt 

func NewLhQueryByInt(VpnIp uint32) *NebulaMeta

func NewLhQueryByIpString 

func NewLhQueryByIpString(VpnIp string) *NebulaMeta

func NewLhWhoami 

func NewLhWhoami() *NebulaMeta

func (*NebulaMeta) Descriptor 

func (*NebulaMeta) Descriptor() ([]byte, []int)

func (*NebulaMeta) GetDetails 

func (m *NebulaMeta) GetDetails() *NebulaMetaDetails

func (*NebulaMeta) GetType 

func (m *NebulaMeta) GetType() NebulaMeta_MessageType

func (*NebulaMeta) ProtoMessage 

func (*NebulaMeta) ProtoMessage()

func (*NebulaMeta) Reset 

func (m *NebulaMeta) Reset()

func (*NebulaMeta) String 

func (m *NebulaMeta) String() string

func (*NebulaMeta) XXX_DiscardUnknown 

func (m *NebulaMeta) XXX_DiscardUnknown()

func (*NebulaMeta) XXX_Marshal 

func (m *NebulaMeta) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*NebulaMeta) XXX_Merge 

func (m *NebulaMeta) XXX_Merge(src proto.Message)

func (*NebulaMeta) XXX_Size 

func (m *NebulaMeta) XXX_Size() int

func (*NebulaMeta) XXX_Unmarshal 

func (m *NebulaMeta) XXX_Unmarshal(b []byte) error

type NebulaMetaDetails 

type NebulaMetaDetails struct {
	VpnIp                uint32       `protobuf:"varint,1,opt,name=VpnIp,json=vpnIp,proto3" json:"VpnIp,omitempty"`
	IpAndPorts           []*IpAndPort `protobuf:"bytes,2,rep,name=IpAndPorts,json=ipAndPorts,proto3" json:"IpAndPorts,omitempty"`
	Counter              uint32       `protobuf:"varint,3,opt,name=counter,proto3" json:"counter,omitempty"`
	XXX_NoUnkeyedLiteral struct{}     `json:"-"`
	XXX_unrecognized     []byte       `json:"-"`
	XXX_sizecache        int32        `json:"-"`
}

func (*NebulaMetaDetails) Descriptor 

func (*NebulaMetaDetails) Descriptor() ([]byte, []int)

func (*NebulaMetaDetails) GetCounter 

func (m *NebulaMetaDetails) GetCounter() uint32

func (*NebulaMetaDetails) GetIpAndPorts 

func (m *NebulaMetaDetails) GetIpAndPorts() []*IpAndPort

func (*NebulaMetaDetails) GetVpnIp 

func (m *NebulaMetaDetails) GetVpnIp() uint32

func (*NebulaMetaDetails) ProtoMessage 

func (*NebulaMetaDetails) ProtoMessage()

func (*NebulaMetaDetails) Reset 

func (m *NebulaMetaDetails) Reset()

func (*NebulaMetaDetails) String 

func (m *NebulaMetaDetails) String() string

func (*NebulaMetaDetails) XXX_DiscardUnknown 

func (m *NebulaMetaDetails) XXX_DiscardUnknown()

func (*NebulaMetaDetails) XXX_Marshal 

func (m *NebulaMetaDetails) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*NebulaMetaDetails) XXX_Merge 

func (m *NebulaMetaDetails) XXX_Merge(src proto.Message)

func (*NebulaMetaDetails) XXX_Size 

func (m *NebulaMetaDetails) XXX_Size() int

func (*NebulaMetaDetails) XXX_Unmarshal 

func (m *NebulaMetaDetails) XXX_Unmarshal(b []byte) error

type NebulaMeta_MessageType 

type NebulaMeta_MessageType int32
const (
	NebulaMeta_None                   NebulaMeta_MessageType = 0
	NebulaMeta_HostQuery              NebulaMeta_MessageType = 1
	NebulaMeta_HostQueryReply         NebulaMeta_MessageType = 2
	NebulaMeta_HostUpdateNotification NebulaMeta_MessageType = 3
	NebulaMeta_HostMovedNotification  NebulaMeta_MessageType = 4
	NebulaMeta_HostPunchNotification  NebulaMeta_MessageType = 5
	NebulaMeta_HostWhoami             NebulaMeta_MessageType = 6
	NebulaMeta_HostWhoamiReply        NebulaMeta_MessageType = 7
	NebulaMeta_PathCheck              NebulaMeta_MessageType = 8
	NebulaMeta_PathCheckReply         NebulaMeta_MessageType = 9
)

func (NebulaMeta_MessageType) EnumDescriptor 

func (NebulaMeta_MessageType) EnumDescriptor() ([]byte, []int)

func (NebulaMeta_MessageType) String 

func (x NebulaMeta_MessageType) String() string

type NebulaPing 

type NebulaPing struct {
	Type                 NebulaPing_MessageType `protobuf:"varint,1,opt,name=Type,json=type,proto3,enum=nebula.NebulaPing_MessageType" json:"Type,omitempty"`
	Time                 uint64                 `protobuf:"varint,2,opt,name=Time,json=time,proto3" json:"Time,omitempty"`
	XXX_NoUnkeyedLiteral struct{}               `json:"-"`
	XXX_unrecognized     []byte                 `json:"-"`
	XXX_sizecache        int32                  `json:"-"`
}

func (*NebulaPing) Descriptor 

func (*NebulaPing) Descriptor() ([]byte, []int)

func (*NebulaPing) GetTime 

func (m *NebulaPing) GetTime() uint64

func (*NebulaPing) GetType 

func (m *NebulaPing) GetType() NebulaPing_MessageType

func (*NebulaPing) ProtoMessage 

func (*NebulaPing) ProtoMessage()

func (*NebulaPing) Reset 

func (m *NebulaPing) Reset()

func (*NebulaPing) String 

func (m *NebulaPing) String() string

func (*NebulaPing) XXX_DiscardUnknown 

func (m *NebulaPing) XXX_DiscardUnknown()

func (*NebulaPing) XXX_Marshal 

func (m *NebulaPing) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*NebulaPing) XXX_Merge 

func (m *NebulaPing) XXX_Merge(src proto.Message)

func (*NebulaPing) XXX_Size 

func (m *NebulaPing) XXX_Size() int

func (*NebulaPing) XXX_Unmarshal 

func (m *NebulaPing) XXX_Unmarshal(b []byte) error

type NebulaPing_MessageType 

type NebulaPing_MessageType int32
const (
	NebulaPing_Ping  NebulaPing_MessageType = 0
	NebulaPing_Reply NebulaPing_MessageType = 1
)

func (NebulaPing_MessageType) EnumDescriptor 

func (NebulaPing_MessageType) EnumDescriptor() ([]byte, []int)

func (NebulaPing_MessageType) String 

func (x NebulaPing_MessageType) String() string

type Probe 

type Probe struct {
	Addr    *net.UDPAddr
	Counter int
}

type Punchy added in v1.2.0 

type Punchy struct {
	Punch   bool
	Respond bool
	Delay   time.Duration
}

func NewPunchyFromConfig added in v1.2.0 

func NewPunchyFromConfig(c *Config) *Punchy

type SystemTimeoutItem 

type SystemTimeoutItem struct {
	Item uint32
	Next *SystemTimeoutItem
}

Represents an item within a tick

type SystemTimeoutList 

type SystemTimeoutList struct {
	Head *SystemTimeoutItem
	Tail *SystemTimeoutItem
}

Represents a tick in the wheel

type SystemTimerWheel 

type SystemTimerWheel struct {
	// contains filtered or unexported fields
}

func NewSystemTimerWheel 

func NewSystemTimerWheel(min, max time.Duration) *SystemTimerWheel

Builds a timer wheel and identifies the tick duration and wheel duration from the provided values Purge must be called once per entry to actually remove anything

func (*SystemTimerWheel) Add 

func (tw *SystemTimerWheel) Add(v uint32, timeout time.Duration) *SystemTimeoutItem

func (*SystemTimerWheel) Purge 

func (tw *SystemTimerWheel) Purge() interface{}

type TimeoutItem 

type TimeoutItem struct {
	Packet FirewallPacket
	Next   *TimeoutItem
}

Represents an item within a tick

type TimeoutList 

type TimeoutList struct {
	Head *TimeoutItem
	Tail *TimeoutItem
}

Represents a tick in the wheel

type TimerWheel 

type TimerWheel struct {
	// contains filtered or unexported fields
}

func NewTimerWheel 

func NewTimerWheel(min, max time.Duration) *TimerWheel

Builds a timer wheel and identifies the tick duration and wheel duration from the provided values Purge must be called once per entry to actually remove anything

func (*TimerWheel) Add 

func (tw *TimerWheel) Add(v FirewallPacket, timeout time.Duration) *TimeoutItem

Add will add a FirewallPacket to the wheel in it's proper timeout

func (*TimerWheel) Purge 

func (tw *TimerWheel) Purge() (FirewallPacket, bool)

type Tun 

type Tun struct {
	Device       string
	Cidr         *net.IPNet
	MTU          int
	UnsafeRoutes []route

	*water.Interface
}

func (*Tun) Activate 

func (c *Tun) Activate() error

func (*Tun) CidrNet added in v1.3.0 

func (c *Tun) CidrNet() *net.IPNet

func (*Tun) DeviceName added in v1.3.0 

func (c *Tun) DeviceName() string

func (*Tun) WriteRaw 

func (c *Tun) WriteRaw(b []byte) error

Source Files

View all Source files

Directories

Path Synopsis
cmd
nebula
nebula-cert
nebula-service

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.