nebula

package module
v0.24.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 17, 2024 License: MIT Imports: 60 Imported by: 0

README

What is Nebula?

Nebula is a scalable overlay networking tool with a focus on performance, simplicity and security. It lets you seamlessly connect computers anywhere in the world. Nebula is portable, and runs on Linux, OSX, Windows, iOS, and Android. It can be used to connect a small number of computers, but is also able to connect tens of thousands of computers.

Nebula incorporates a number of existing concepts like encryption, security groups, certificates, and tunneling, and each of those individual pieces existed before Nebula in various forms. What makes Nebula different to existing offerings is that it brings all of these ideas together, resulting in a sum that is greater than its individual parts.

Further documentation can be found here.

You can read more about Nebula here.

You can also join the NebulaOSS Slack group here.

Supported Platforms

Desktop and Server

Check the releases page for downloads or see the Distribution Packages section.

  • Linux - 64 and 32 bit, arm, and others
  • Windows
  • MacOS
  • Freebsd
Distribution Packages
Mobile

Technical Overview

Nebula is a mutually authenticated peer-to-peer software defined network based on the Noise Protocol Framework. Nebula uses certificates to assert a node's IP address, name, and membership within user-defined groups. Nebula's user-defined groups allow for provider agnostic traffic filtering between nodes. Discovery nodes allow individual peers to find each other and optionally use UDP hole punching to establish connections from behind most firewalls or NATs. Users can move data between nodes in any number of cloud service providers, datacenters, and endpoints, without needing to maintain a particular addressing scheme.

Nebula uses Elliptic-curve Diffie-Hellman (ECDH) key exchange and AES-256-GCM in its default configuration.

Nebula was created to provide a mechanism for groups of hosts to communicate securely, even across the internet, while enabling expressive firewall definitions similar in style to cloud security groups.

Getting started (quickly)

To set up a Nebula network, you'll need:

1. The Nebula binaries or Distribution Packages for your specific platform. Specifically you'll need nebula-cert and the specific nebula binary for each platform you use.
2. (Optional, but you really should..) At least one discovery node with a routable IP address, which we call a lighthouse.

Nebula lighthouses allow nodes to find each other, anywhere in the world. A lighthouse is the only node in a Nebula network whose IP should not change. Running a lighthouse requires very few compute resources, and you can easily use the least expensive option from a cloud hosting provider. If you're not sure which provider to use, a number of us have used $5/mo DigitalOcean droplets as lighthouses.

Once you have launched an instance, ensure that Nebula udp traffic (default port udp/4242) can reach it over the internet.

3. A Nebula certificate authority, which will be the root of trust for a particular Nebula network.
./nebula-cert ca -name "Myorganization, Inc"

This will create files named ca.key and ca.cert in the current directory. The ca.key file is the most sensitive file you'll create, because it is the key used to sign the certificates for individual nebula nodes/hosts. Please store this file somewhere safe, preferably with strong encryption.

4. Nebula host keys and certificates generated from that certificate authority

This assumes you have four nodes, named lighthouse1, laptop, server1, host3. You can name the nodes any way you'd like, including FQDN. You'll also need to choose IP addresses and the associated subnet. In this example, we are creating a nebula network that will use 192.168.100.x/24 as its network range. This example also demonstrates nebula groups, which can later be used to define traffic rules in a nebula network.

./nebula-cert sign -name "lighthouse1" -ip "192.168.100.1/24"
./nebula-cert sign -name "laptop" -ip "192.168.100.2/24" -groups "laptop,home,ssh"
./nebula-cert sign -name "server1" -ip "192.168.100.9/24" -groups "servers"
./nebula-cert sign -name "host3" -ip "192.168.100.10/24"
5. Configuration files for each host

Download a copy of the nebula example configuration.

  • On the lighthouse node, you'll need to ensure am_lighthouse: true is set.

  • On the individual hosts, ensure the lighthouse is defined properly in the static_host_map section, and is added to the lighthouse hosts section.

6. Copy nebula credentials, configuration, and binaries to each host

For each host, copy the nebula binary to the host, along with config.yml from step 5, and the files ca.crt, {host}.crt, and {host}.key from step 4.

DO NOT COPY ca.key TO INDIVIDUAL NODES.

7. Run nebula on each host
./nebula -config /path/to/config.yml

Building Nebula from source

Make sure you have go installed and clone this repo. Change to the nebula directory.

To build nebula for all platforms: make all

To build nebula for a specific platform (ex, Windows): make bin-windows

See the Makefile for more details on build targets

Curve P256 and BoringCrypto

The default curve used for cryptographic handshakes and signatures is Curve25519. This is the recommended setting for most users. If your deployment has certain compliance requirements, you have the option of creating your CA using nebula-cert ca -curve P256 to use NIST Curve P256. The CA will then sign certificates using ECDSA P256, and any hosts using these certificates will use P256 for ECDH handshakes.

In addition, Nebula can be built using the BoringCrypto GOEXPERIMENT by running either of the following make targets:

make bin-boringcrypto
make release-boringcrypto

This is not the recommended default deployment, but may be useful based on your compliance requirements.

Credits

Nebula was created at Slack Technologies, Inc by Nate Brown and Ryan Huber, with contributions from Oliver Fross, Alan Lam, Wade Simmons, and Lining Wang.

Documentation

Index

Constants

View Source 
const (
	DefaultHandshakeTryInterval   = time.Millisecond * 100
	DefaultHandshakeRetries       = 10
	DefaultHandshakeTriggerBuffer = 64
	DefaultUseRelays              = true
	DefaultForceRelays            = false
)
View Source 
const (
	Requested = iota
	PeerRequested
	Established
)
View Source 
const (
	Unknowntype = iota
	ForwardingType
	TerminalType
)
View Source 
const MaxHostInfosPerVpnIp = 5

MaxHostInfosPerVpnIp is the max number of hostinfos we will track for a given vpn ip 5 allows for an initial handshake and each host pair re-handshaking twice

View Source 
const MaxRemotes = 10
View Source 
const ReplayWindow = 1024
View Source 
const RoamingSuppressSeconds = 2

How long we should prevent roaming back to the previous IP. This helps prevent flapping due to packets already in flight

Variables

View Source 
var (
	ErrExistingHostInfo    = errors.New("existing hostinfo")
	ErrAlreadySeen         = errors.New("already seen")
	ErrLocalIndexCollision = errors.New("local index collision")
)
View Source 
var (
	ErrInvalidLengthNebula        = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowNebula          = fmt.Errorf("proto: integer overflow")
	ErrUnexpectedEndOfGroupNebula = fmt.Errorf("proto: unexpected end of group")
)
View Source 
var ErrHostNotKnown = errors.New("host not known")
View Source 
var ErrInvalidLocalIP = errors.New("local IP is not in list of handled local IPs")
View Source 
var ErrInvalidRemoteIP = errors.New("remote IP is not in remote certificate subnets")
View Source 
var ErrNoMatchingRule = errors.New("no matching rule in firewall table")
View Source 
var NebulaControl_MessageType_name = map[int32]string{
	0: "None",
	1: "CreateRelayRequest",
	2: "CreateRelayResponse",
}
View Source 
var NebulaControl_MessageType_value = map[string]int32{
	"None":                0,
	"CreateRelayRequest":  1,
	"CreateRelayResponse": 2,
}
View Source 
var NebulaMeta_MessageType_name = map[int32]string{
	0:  "None",
	1:  "HostQuery",
	2:  "HostQueryReply",
	3:  "HostUpdateNotification",
	4:  "HostMovedNotification",
	5:  "HostPunchNotification",
	6:  "HostWhoami",
	7:  "HostWhoamiReply",
	8:  "PathCheck",
	9:  "PathCheckReply",
	10: "HostUpdateNotificationAck",
}
View Source 
var NebulaMeta_MessageType_value = map[string]int32{
	"None":                      0,
	"HostQuery":                 1,
	"HostQueryReply":            2,
	"HostUpdateNotification":    3,
	"HostMovedNotification":     4,
	"HostPunchNotification":     5,
	"HostWhoami":                6,
	"HostWhoamiReply":           7,
	"PathCheck":                 8,
	"PathCheckReply":            9,
	"HostUpdateNotificationAck": 10,
}
View Source 
var NebulaPing_MessageType_name = map[int32]string{
	0: "Ping",
	1: "Reply",
}
View Source 
var NebulaPing_MessageType_value = map[string]int32{
	"Ping":  0,
	"Reply": 1,
}

Functions

func AddFirewallRulesFromConfig 

func AddFirewallRulesFromConfig(l *logrus.Logger, inbound bool, c *config.C, fw FirewallInterface) error

func AddRelay 

func AddRelay(l *logrus.Logger, relayHostInfo *HostInfo, hm *HostMap, vpnIp iputil.VpnIp, remoteIdx *uint32, relayType int, state int) (uint32, error)

AddRelay finds an available relay index on the hostmap, and associates the relay info with it. relayHostInfo is the Nebula peer which can be used as a relay to access the target vpnIp.

func MigrateRelayUsed 

func MigrateRelayUsed(dstHost, relayhost *HostInfo, log *logrus.Logger) error

func NewCalculatedRemotesFromConfig 

func NewCalculatedRemotesFromConfig(c *config.C, k string) (*cidr.Tree4[[]*calculatedRemote], error)

func NewHostnameResults 

func NewHostnameResults(ctx context.Context, l *logrus.Logger, d time.Duration, network string, timeout time.Duration, hostPorts []string, onUpdate func()) (*hostnamesResults, error)

func NewRelayManager 

func NewRelayManager(ctx context.Context, l *logrus.Logger, hostmap *HostMap, c *config.C) *relayManager

func NewUDPAddrFromLH4 

func NewUDPAddrFromLH4(ipp *Ip4AndPort) *udp.Addr

func NewUDPAddrFromLH6 

func NewUDPAddrFromLH6(ipp *Ip6AndPort) *udp.Addr

func RecombineCertAndValidate 

func RecombineCertAndValidate(h *noise.HandshakeState, rawCertBytes []byte, caPool *cert.NebulaCAPool) (*cert.NebulaCertificate, error)

Types

type AllowList 

type AllowList struct {
	// contains filtered or unexported fields
}

func (*AllowList) Allow 

func (al *AllowList) Allow(ip net.IP) bool

func (*AllowList) AllowIpV4 

func (al *AllowList) AllowIpV4(ip iputil.VpnIp) bool

func (*AllowList) AllowIpV6 

func (al *AllowList) AllowIpV6(hi, lo uint64) bool

type AllowListNameRule 

type AllowListNameRule struct {
	Name  *regexp.Regexp
	Allow bool
}

type AvoidClient 

type AvoidClient struct {
	avoid.UnimplementedAvoidClientServer
	// contains filtered or unexported fields
}

func NewAvoidClient 

func NewAvoidClient(token string, iface *Interface, hostmap *HostMap) *AvoidClient

func (*AvoidClient) Action 

func (s *AvoidClient) Action(ctx context.Context, req *avoid.ActionRequest) (*avoid.ConnectionInfo, error)

func (*AvoidClient) HealthCheck 

func (s *AvoidClient) HealthCheck(ctx context.Context, req *avoid.HealthRequest) (*avoid.HealthReply, error)

type Bits 

type Bits struct {
	// contains filtered or unexported fields
}

func NewBits 

func NewBits(bits uint64) *Bits

func (*Bits) Check 

func (b *Bits) Check(l logrus.FieldLogger, i uint64) bool

func (*Bits) Update 

func (b *Bits) Update(l *logrus.Logger, i uint64) bool

type Cache 

type Cache struct {
	Learned  []*udp.Addr `json:"learned,omitempty"`
	Reported []*udp.Addr `json:"reported,omitempty"`
	Relay    []*net.IP   `json:"relay"`
}

Cache is the other part of CacheMap to better represent the lighthouse cache for humans We don't reason about ipv4 vs ipv6 here

type CacheMap 

type CacheMap map[string]*Cache

CacheMap is a struct that better represents the lighthouse cache for humans The string key is the owners vpnIp

type CertState 

type CertState struct {
	Certificate         *cert.NebulaCertificate
	RawCertificate      []byte
	RawCertificateNoKey []byte
	PublicKey           []byte
	PrivateKey          []byte
}

type ConnectionState 

type ConnectionState struct {
	H *noise.HandshakeState
	// contains filtered or unexported fields
}

func NewConnectionState 

func NewConnectionState(l *logrus.Logger, cipher string, certState *CertState, initiator bool, pattern noise.HandshakePattern, psk []byte, pskStage int) *ConnectionState

func (*ConnectionState) MarshalJSON 

func (cs *ConnectionState) MarshalJSON() ([]byte, error)

type Control 

type Control struct {
	// contains filtered or unexported fields
}

func Main 

func Main(c *config.C, configTest bool, buildVersion string, logger *logrus.Logger, deviceFactory overlay.DeviceFactory) (retcon *Control, reterr error)

func (*Control) CloseAllTunnels 

func (c *Control) CloseAllTunnels(excludeLighthouses bool) (closed int)

CloseAllTunnels is just like CloseTunnel except it goes through and shuts them all down, optionally you can avoid shutting down lighthouse tunnels the int returned is a count of tunnels closed

func (*Control) CloseTunnel 

func (c *Control) CloseTunnel(vpnIp iputil.VpnIp, localOnly bool) bool

CloseTunnel closes a fully established tunnel. If localOnly is false it will notify the remote end as well.

func (*Control) Context 

func (c *Control) Context() context.Context

func (*Control) Device 

func (c *Control) Device() overlay.Device

func (*Control) GetHostInfoByVpnIp 

func (c *Control) GetHostInfoByVpnIp(vpnIp iputil.VpnIp, pending bool) *ControlHostInfo

GetHostInfoByVpnIp returns a single tunnels hostInfo, or nil if not found

func (*Control) ListHostmapHosts 

func (c *Control) ListHostmapHosts(pendingMap bool) []ControlHostInfo

ListHostmapHosts returns details about the actual or pending (handshaking) hostmap by vpn ip

func (*Control) ListHostmapIndexes 

func (c *Control) ListHostmapIndexes(pendingMap bool) []ControlHostInfo

ListHostmapIndexes returns details about the actual or pending (handshaking) hostmap by local index id

func (*Control) RebindUDPServer 

func (c *Control) RebindUDPServer()

RebindUDPServer asks the UDP listener to rebind it's listener. Mainly used on mobile clients when interfaces change

func (*Control) SetRemoteForTunnel 

func (c *Control) SetRemoteForTunnel(vpnIp iputil.VpnIp, addr udp.Addr) *ControlHostInfo

SetRemoteForTunnel forces a tunnel to use a specific remote

func (*Control) ShutdownBlock 

func (c *Control) ShutdownBlock()

ShutdownBlock will listen for and block on term and interrupt signals, calling Control.Stop() once signalled

func (*Control) Start 

func (c *Control) Start()

Start actually runs nebula, this is a nonblocking call. To block use Control.ShutdownBlock()

func (*Control) Stop 

func (c *Control) Stop()

Stop signals nebula to shutdown and close all tunnels, returns after the shutdown is complete

type ControlHostInfo 

type ControlHostInfo struct {
	VpnIp                  net.IP                  `json:"vpnIp"`
	LocalIndex             uint32                  `json:"localIndex"`
	RemoteIndex            uint32                  `json:"remoteIndex"`
	RemoteAddrs            []*udp.Addr             `json:"remoteAddrs"`
	Cert                   *cert.NebulaCertificate `json:"cert"`
	MessageCounter         uint64                  `json:"messageCounter"`
	CurrentRemote          *udp.Addr               `json:"currentRemote"`
	CurrentRelaysToMe      []iputil.VpnIp          `json:"currentRelaysToMe"`
	CurrentRelaysThroughMe []iputil.VpnIp          `json:"currentRelaysThroughMe"`
}

type EncWriter 

type EncWriter interface {
	SendVia(via *HostInfo,
		relay *Relay,
		ad,
		nb,
		out []byte,
		nocopy bool,
	)
	SendMessageToVpnIp(t header.MessageType, st header.MessageSubType, vpnIp iputil.VpnIp, p, nb, out []byte)
	SendMessageToHostInfo(t header.MessageType, st header.MessageSubType, hostinfo *HostInfo, p, nb, out []byte)
	Handshake(vpnIp iputil.VpnIp)
}

type Firewall 

type Firewall struct {
	Conntrack *FirewallConntrack

	InRules  *FirewallTable
	OutRules *FirewallTable

	InSendReject  bool
	OutSendReject bool

	//TODO: we should have many more options for TCP, an option for ICMP, and mimic the kernel a bit better
	// https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
	TCPTimeout     time.Duration //linux: 5 days max
	UDPTimeout     time.Duration //linux: 180s max
	DefaultTimeout time.Duration //linux: 600s
	// contains filtered or unexported fields
}

TODO: need conntrack max tracked connections handling

func NewFirewall 

func NewFirewall(l *logrus.Logger, tcpTimeout, UDPTimeout, defaultTimeout time.Duration, c *cert.NebulaCertificate) *Firewall

NewFirewall creates a new Firewall object. A TimerWheel is created for you from the provided timeouts.

func NewFirewallFromConfig 

func NewFirewallFromConfig(l *logrus.Logger, nc *cert.NebulaCertificate, c *config.C) (*Firewall, error)

func (*Firewall) AddRule 

func (f *Firewall) AddRule(incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, ip *net.IPNet, localIp *net.IPNet, caName string, caSha string) error

AddRule properly creates the in memory rule structure for a firewall table.

func (*Firewall) Destroy 

func (f *Firewall) Destroy()

Destroy cleans up any known cyclical references so the object can be free'd my GC. This should be called if a new firewall object is created

func (*Firewall) Drop 

func (f *Firewall) Drop(fp firewall.Packet, incoming bool, h *HostInfo, caPool *cert.NebulaCAPool, localCache firewall.ConntrackCache) error

Drop returns an error if the packet should be dropped, explaining why. It returns nil if the packet should not be dropped.

func (*Firewall) EmitStats 

func (f *Firewall) EmitStats()

func (*Firewall) GetRuleHash 

func (f *Firewall) GetRuleHash() string

GetRuleHash returns a hash representation of all inbound and outbound rules

func (*Firewall) GetRuleHashFNV 

func (f *Firewall) GetRuleHashFNV() uint32

GetRuleHashFNV returns a uint32 FNV-1 hash representation the rules, for use as a metric value

func (*Firewall) GetRuleHashes 

func (f *Firewall) GetRuleHashes() string

GetRuleHashes returns both the sha256 and FNV-1 hashes, suitable for logging

type FirewallCA 

type FirewallCA struct {
	Any     *FirewallRule
	CANames map[string]*FirewallRule
	CAShas  map[string]*FirewallRule
}

type FirewallConntrack 

type FirewallConntrack struct {
	sync.Mutex

	Conns      map[firewall.Packet]*conn
	TimerWheel *TimerWheel[firewall.Packet]
}

type FirewallInterface 

type FirewallInterface interface {
	AddRule(incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, ip *net.IPNet, localIp *net.IPNet, caName string, caSha string) error
}

type FirewallRule 

type FirewallRule struct {
	// Any makes Hosts, Groups, and CIDR irrelevant
	Any    *firewallLocalCIDR
	Hosts  map[string]*firewallLocalCIDR
	Groups []*firewallGroups
	CIDR   *cidr.Tree4[*firewallLocalCIDR]
}

type FirewallTable 

type FirewallTable struct {
	TCP      firewallPort
	UDP      firewallPort
	ICMP     firewallPort
	AnyProto firewallPort
}

FirewallTable is the entry point for a rule, the evaluation order is: Proto AND port AND (CA SHA or CA name) AND local CIDR AND (group OR groups OR name OR remote CIDR)

type HandshakeConfig 

type HandshakeConfig struct {
	// contains filtered or unexported fields
}

type HandshakeHostInfo 

type HandshakeHostInfo struct {
	sync.Mutex
	// contains filtered or unexported fields
}

type HandshakeManager 

type HandshakeManager struct {
	// Mutex for interacting with the vpnIps and indexes maps
	sync.RWMutex

	OutboundHandshakeTimer *LockingTimerWheel[iputil.VpnIp]
	// contains filtered or unexported fields
}

func NewHandshakeManager 

func NewHandshakeManager(l *logrus.Logger, mainHostMap *HostMap, lightHouse *LightHouse, outside udp.Conn, config HandshakeConfig) *HandshakeManager

func (*HandshakeManager) CheckAndComplete 

func (c *HandshakeManager) CheckAndComplete(hostinfo *HostInfo, handshakePacket uint8, f *Interface) (*HostInfo, error)

CheckAndComplete checks for any conflicts in the main and pending hostmap before adding hostinfo to main. If err is nil, it was added. Otherwise err will be:

ErrAlreadySeen if we already have an entry in the hostmap that has seen the exact same handshake packet

ErrExistingHostInfo if we already have an entry in the hostmap for this VpnIp and the new handshake was older than the one we currently have

ErrLocalIndexCollision if we already have an entry in the main or pending hostmap for the hostinfo.localIndexId.

func (*HandshakeManager) Complete 

func (hm *HandshakeManager) Complete(hostinfo *HostInfo, f *Interface)

Complete is a simpler version of CheckAndComplete when we already know we won't have a localIndexId collision because we already have an entry in the pendingHostMap. An existing hostinfo is returned if there was one.

func (*HandshakeManager) DeleteHostInfo 

func (c *HandshakeManager) DeleteHostInfo(hostinfo *HostInfo)

func (*HandshakeManager) EmitStats 

func (c *HandshakeManager) EmitStats()

func (*HandshakeManager) ForEachIndex 

func (c *HandshakeManager) ForEachIndex(f controlEach)

func (*HandshakeManager) ForEachVpnIp 

func (c *HandshakeManager) ForEachVpnIp(f controlEach)

func (*HandshakeManager) GetOrHandshake 

func (hm *HandshakeManager) GetOrHandshake(vpnIp iputil.VpnIp, cacheCb func(*HandshakeHostInfo)) (*HostInfo, bool)

GetOrHandshake will try to find a hostinfo with a fully formed tunnel or start a new handshake if one is not present The 2nd argument will be true if the hostinfo is ready to transmit traffic

func (*HandshakeManager) GetPreferredRanges 

func (c *HandshakeManager) GetPreferredRanges() []*net.IPNet

func (*HandshakeManager) HandleIncoming 

func (hm *HandshakeManager) HandleIncoming(addr *udp.Addr, via *ViaSender, packet []byte, h *header.H)

func (*HandshakeManager) NextOutboundHandshakeTimerTick 

func (c *HandshakeManager) NextOutboundHandshakeTimerTick(now time.Time)

func (*HandshakeManager) QueryIndex 

func (hm *HandshakeManager) QueryIndex(index uint32) *HostInfo

func (*HandshakeManager) QueryVpnIp 

func (hm *HandshakeManager) QueryVpnIp(vpnIp iputil.VpnIp) *HostInfo

func (*HandshakeManager) Run 

func (c *HandshakeManager) Run(ctx context.Context)

func (*HandshakeManager) StartHandshake 

func (hm *HandshakeManager) StartHandshake(vpnIp iputil.VpnIp, cacheCb func(*HandshakeHostInfo)) *HostInfo

StartHandshake will ensure a handshake is currently being attempted for the provided vpn ip

type HostInfo 

type HostInfo struct {
	ConnectionState *ConnectionState

	// HandshakePacket records the packets used to create this hostinfo
	// We need these to avoid replayed handshake packets creating new hostinfos which causes churn
	HandshakePacket map[uint8][]byte
	// contains filtered or unexported fields
}

func (*HostInfo) CreateRemoteCIDR 

func (i *HostInfo) CreateRemoteCIDR(c *cert.NebulaCertificate)

func (*HostInfo) GetCert 

func (i *HostInfo) GetCert() *cert.NebulaCertificate

func (*HostInfo) RecvErrorExceeded 

func (i *HostInfo) RecvErrorExceeded() bool

func (*HostInfo) SetRemote 

func (i *HostInfo) SetRemote(remote *udp.Addr)

func (*HostInfo) SetRemoteIfPreferred 

func (i *HostInfo) SetRemoteIfPreferred(hm *HostMap, newRemote *udp.Addr) bool

SetRemoteIfPreferred returns true if the remote was changed. The lastRoam time on the HostInfo will also be updated.

func (*HostInfo) TryPromoteBest 

func (i *HostInfo) TryPromoteBest(preferredRanges []*net.IPNet, ifce *Interface)

TryPromoteBest handles re-querying lighthouses and probing for better paths NOTE: It is an error to call this if you are a lighthouse since they should not roam clients!

type HostMap 

type HostMap struct {
	sync.RWMutex  //Because we concurrently read and write to our maps
	Indexes       map[uint32]*HostInfo
	Relays        map[uint32]*HostInfo // Maps a Relay IDX to a Relay HostInfo object
	RemoteIndexes map[uint32]*HostInfo
	Hosts         map[iputil.VpnIp]*HostInfo
	// contains filtered or unexported fields
}

func NewHostMapFromConfig 

func NewHostMapFromConfig(l *logrus.Logger, vpnCIDR *net.IPNet, c *config.C) *HostMap

func (*HostMap) DeleteHostInfo 

func (hm *HostMap) DeleteHostInfo(hostinfo *HostInfo) bool

DeleteHostInfo will fully unlink the hostinfo and return true if it was the final hostinfo for this vpn ip

func (*HostMap) EmitStats 

func (hm *HostMap) EmitStats()

EmitStats reports host, index, and relay counts to the stats collection system

func (*HostMap) ForEachIndex 

func (hm *HostMap) ForEachIndex(f controlEach)

func (*HostMap) ForEachVpnIp 

func (hm *HostMap) ForEachVpnIp(f controlEach)

func (*HostMap) GetPreferredRanges 

func (hm *HostMap) GetPreferredRanges() []*net.IPNet

func (*HostMap) MakePrimary 

func (hm *HostMap) MakePrimary(hostinfo *HostInfo)

func (*HostMap) QueryIndex 

func (hm *HostMap) QueryIndex(index uint32) *HostInfo

func (*HostMap) QueryRelayIndex 

func (hm *HostMap) QueryRelayIndex(index uint32) *HostInfo

func (*HostMap) QueryReverseIndex 

func (hm *HostMap) QueryReverseIndex(index uint32) *HostInfo

func (*HostMap) QueryVpnIp 

func (hm *HostMap) QueryVpnIp(vpnIp iputil.VpnIp) *HostInfo

func (*HostMap) QueryVpnIpRelayFor 

func (hm *HostMap) QueryVpnIpRelayFor(targetIp, relayHostIp iputil.VpnIp) (*HostInfo, *Relay, error)

func (*HostMap) RemoveRelay 

func (hm *HostMap) RemoveRelay(localIdx uint32)

type Interface 

type Interface struct {
	// contains filtered or unexported fields
}

func NewInterface 

func NewInterface(ctx context.Context, c *InterfaceConfig) (*Interface, error)

func (*Interface) Close 

func (f *Interface) Close() error

func (*Interface) Handshake 

func (f *Interface) Handshake(vpnIp iputil.VpnIp)

func (*Interface) RegisterConfigChangeCallbacks 

func (f *Interface) RegisterConfigChangeCallbacks(c *config.C)

func (*Interface) SendMessageToHostInfo 

func (f *Interface) SendMessageToHostInfo(t header.MessageType, st header.MessageSubType, hi *HostInfo, p, nb, out []byte)

func (*Interface) SendMessageToVpnIp 

func (f *Interface) SendMessageToVpnIp(t header.MessageType, st header.MessageSubType, vpnIp iputil.VpnIp, p, nb, out []byte)

SendMessageToVpnIp handles real ip:port lookup and sends to the current best known address for vpnIp

func (*Interface) SendVia 

func (f *Interface) SendVia(via *HostInfo,
	relay *Relay,
	ad,
	nb,
	out []byte,
	nocopy bool,
)

SendVia sends a payload through a Relay tunnel. No authentication or encryption is done to the payload for the ultimate target host, making this a useful method for sending handshake messages to peers through relay tunnels. via is the HostInfo through which the message is relayed. ad is the plaintext data to authenticate, but not encrypt nb is a buffer used to store the nonce value, re-used for performance reasons. out is a buffer used to store the result of the Encrypt operation q indicates which writer to use to send the packet.

type InterfaceConfig 

type InterfaceConfig struct {
	HostMap *HostMap
	Outside udp.Conn
	Inside  overlay.Device

	Cipher           string
	Firewall         *Firewall
	ServeDns         bool
	HandshakeManager *HandshakeManager

	DropLocalBroadcast bool
	DropMulticast      bool

	MessageMetrics *MessageMetrics

	ConntrackCacheTimeout time.Duration
	// contains filtered or unexported fields
}

type Ip4AndPort 

type Ip4AndPort struct {
	Ip   uint32 `protobuf:"varint,1,opt,name=Ip,proto3" json:"Ip,omitempty"`
	Port uint32 `protobuf:"varint,2,opt,name=Port,proto3" json:"Port,omitempty"`
}

func NewIp4AndPort 

func NewIp4AndPort(ip net.IP, port uint32) *Ip4AndPort

func NewIp4AndPortFromNetIP 

func NewIp4AndPortFromNetIP(ip netip.Addr, port uint16) *Ip4AndPort

func (*Ip4AndPort) Descriptor 

func (*Ip4AndPort) Descriptor() ([]byte, []int)

func (*Ip4AndPort) GetIp 

func (m *Ip4AndPort) GetIp() uint32

func (*Ip4AndPort) GetPort 

func (m *Ip4AndPort) GetPort() uint32

func (*Ip4AndPort) Marshal 

func (m *Ip4AndPort) Marshal() (dAtA []byte, err error)

func (*Ip4AndPort) MarshalTo 

func (m *Ip4AndPort) MarshalTo(dAtA []byte) (int, error)

func (*Ip4AndPort) MarshalToSizedBuffer 

func (m *Ip4AndPort) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*Ip4AndPort) ProtoMessage 

func (*Ip4AndPort) ProtoMessage()

func (*Ip4AndPort) Reset 

func (m *Ip4AndPort) Reset()

func (*Ip4AndPort) Size 

func (m *Ip4AndPort) Size() (n int)

func (*Ip4AndPort) String 

func (m *Ip4AndPort) String() string

func (*Ip4AndPort) Unmarshal 

func (m *Ip4AndPort) Unmarshal(dAtA []byte) error

func (*Ip4AndPort) XXX_DiscardUnknown 

func (m *Ip4AndPort) XXX_DiscardUnknown()

func (*Ip4AndPort) XXX_Marshal 

func (m *Ip4AndPort) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Ip4AndPort) XXX_Merge 

func (m *Ip4AndPort) XXX_Merge(src proto.Message)

func (*Ip4AndPort) XXX_Size 

func (m *Ip4AndPort) XXX_Size() int

func (*Ip4AndPort) XXX_Unmarshal 

func (m *Ip4AndPort) XXX_Unmarshal(b []byte) error

type Ip6AndPort 

type Ip6AndPort struct {
	Hi   uint64 `protobuf:"varint,1,opt,name=Hi,proto3" json:"Hi,omitempty"`
	Lo   uint64 `protobuf:"varint,2,opt,name=Lo,proto3" json:"Lo,omitempty"`
	Port uint32 `protobuf:"varint,3,opt,name=Port,proto3" json:"Port,omitempty"`
}

func NewIp6AndPort 

func NewIp6AndPort(ip net.IP, port uint32) *Ip6AndPort

func NewIp6AndPortFromNetIP 

func NewIp6AndPortFromNetIP(ip netip.Addr, port uint16) *Ip6AndPort

func (*Ip6AndPort) Descriptor 

func (*Ip6AndPort) Descriptor() ([]byte, []int)

func (*Ip6AndPort) GetHi 

func (m *Ip6AndPort) GetHi() uint64

func (*Ip6AndPort) GetLo 

func (m *Ip6AndPort) GetLo() uint64

func (*Ip6AndPort) GetPort 

func (m *Ip6AndPort) GetPort() uint32

func (*Ip6AndPort) Marshal 

func (m *Ip6AndPort) Marshal() (dAtA []byte, err error)

func (*Ip6AndPort) MarshalTo 

func (m *Ip6AndPort) MarshalTo(dAtA []byte) (int, error)

func (*Ip6AndPort) MarshalToSizedBuffer 

func (m *Ip6AndPort) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*Ip6AndPort) ProtoMessage 

func (*Ip6AndPort) ProtoMessage()

func (*Ip6AndPort) Reset 

func (m *Ip6AndPort) Reset()

func (*Ip6AndPort) Size 

func (m *Ip6AndPort) Size() (n int)

func (*Ip6AndPort) String 

func (m *Ip6AndPort) String() string

func (*Ip6AndPort) Unmarshal 

func (m *Ip6AndPort) Unmarshal(dAtA []byte) error

func (*Ip6AndPort) XXX_DiscardUnknown 

func (m *Ip6AndPort) XXX_DiscardUnknown()

func (*Ip6AndPort) XXX_Marshal 

func (m *Ip6AndPort) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Ip6AndPort) XXX_Merge 

func (m *Ip6AndPort) XXX_Merge(src proto.Message)

func (*Ip6AndPort) XXX_Size 

func (m *Ip6AndPort) XXX_Size() int

func (*Ip6AndPort) XXX_Unmarshal 

func (m *Ip6AndPort) XXX_Unmarshal(b []byte) error

type LightHouse 

type LightHouse struct {
	//TODO: We need a timer wheel to kick out vpnIps that haven't reported in a long time
	sync.RWMutex //Because we concurrently read and write to our maps
	// contains filtered or unexported fields
}

func NewLightHouseFromConfig 

func NewLightHouseFromConfig(ctx context.Context, l *logrus.Logger, c *config.C, myVpnNet *net.IPNet, pc udp.Conn, p *Punchy) (*LightHouse, error)

NewLightHouseFromConfig will build a Lighthouse struct from the values provided in the config object addrMap should be nil unless this is during a config reload

func (*LightHouse) DeleteVpnIp 

func (lh *LightHouse) DeleteVpnIp(vpnIp iputil.VpnIp)

func (*LightHouse) GetAdvertiseAddrs 

func (lh *LightHouse) GetAdvertiseAddrs() []netIpAndPort

func (*LightHouse) GetLighthouses 

func (lh *LightHouse) GetLighthouses() map[iputil.VpnIp]struct{}

func (*LightHouse) GetLocalAllowList 

func (lh *LightHouse) GetLocalAllowList() *LocalAllowList

func (*LightHouse) GetRelaysForMe 

func (lh *LightHouse) GetRelaysForMe() []iputil.VpnIp

func (*LightHouse) GetRemoteAllowList 

func (lh *LightHouse) GetRemoteAllowList() *RemoteAllowList

func (*LightHouse) GetStaticHostList 

func (lh *LightHouse) GetStaticHostList() map[iputil.VpnIp]struct{}

func (*LightHouse) GetUpdateInterval 

func (lh *LightHouse) GetUpdateInterval() int64

func (*LightHouse) IsLighthouseIP 

func (lh *LightHouse) IsLighthouseIP(vpnIp iputil.VpnIp) bool

func (*LightHouse) NewRequestHandler 

func (lh *LightHouse) NewRequestHandler() *LightHouseHandler

func (*LightHouse) Query 

func (lh *LightHouse) Query(ip iputil.VpnIp) *RemoteList

func (*LightHouse) QueryCache 

func (lh *LightHouse) QueryCache(ip iputil.VpnIp) *RemoteList

func (*LightHouse) QueryServer 

func (lh *LightHouse) QueryServer(ip iputil.VpnIp)

QueryServer is asynchronous so no reply should be expected

func (*LightHouse) SendUpdate 

func (lh *LightHouse) SendUpdate()

func (*LightHouse) StartUpdateWorker 

func (lh *LightHouse) StartUpdateWorker()

type LightHouseHandler 

type LightHouseHandler struct {
	// contains filtered or unexported fields
}

func (*LightHouseHandler) HandleRequest 

func (lhh *LightHouseHandler) HandleRequest(rAddr *udp.Addr, vpnIp iputil.VpnIp, p []byte, w EncWriter)

type LocalAllowList 

type LocalAllowList struct {
	AllowList *AllowList
	// contains filtered or unexported fields
}

func NewLocalAllowListFromConfig 

func NewLocalAllowListFromConfig(c *config.C, k string) (*LocalAllowList, error)

func (*LocalAllowList) Allow 

func (al *LocalAllowList) Allow(ip net.IP) bool

func (*LocalAllowList) AllowName 

func (al *LocalAllowList) AllowName(name string) bool

type LockingTimerWheel 

type LockingTimerWheel[T any] struct {
	// contains filtered or unexported fields
}

func NewLockingTimerWheel 

func NewLockingTimerWheel[T any](min, max time.Duration) *LockingTimerWheel[T]

NewLockingTimerWheel is version of TimerWheel that is safe for concurrent use with a small performance penalty

func (*LockingTimerWheel[T]) Add 

func (lw *LockingTimerWheel[T]) Add(v T, timeout time.Duration) *TimeoutItem[T]

func (*LockingTimerWheel[T]) Advance 

func (lw *LockingTimerWheel[T]) Advance(now time.Time)

func (*LockingTimerWheel[T]) Purge 

func (lw *LockingTimerWheel[T]) Purge() (T, bool)

type MessageMetrics 

type MessageMetrics struct {
	// contains filtered or unexported fields
}

func (*MessageMetrics) Rx 

func (m *MessageMetrics) Rx(t header.MessageType, s header.MessageSubType, i int64)

func (*MessageMetrics) Tx 

func (m *MessageMetrics) Tx(t header.MessageType, s header.MessageSubType, i int64)

type NebulaCipherState 

type NebulaCipherState struct {
	// contains filtered or unexported fields
}

func NewNebulaCipherState 

func NewNebulaCipherState(s *noise.CipherState) *NebulaCipherState

func (*NebulaCipherState) DecryptDanger 

func (s *NebulaCipherState) DecryptDanger(out, ad, ciphertext []byte, n uint64, nb []byte) ([]byte, error)

func (*NebulaCipherState) EncryptDanger 

func (s *NebulaCipherState) EncryptDanger(out, ad, plaintext []byte, n uint64, nb []byte) ([]byte, error)

EncryptDanger encrypts and authenticates a given payload.

out is a destination slice to hold the output of the EncryptDanger operation. - ad is additional data, which will be authenticated and appended to out, but not encrypted. - plaintext is encrypted, authenticated and appended to out. - n is a nonce value which must never be re-used with this key. - nb is a buffer used for temporary storage in the implementation of this call, which should be re-used by callers to minimize garbage collection.

func (*NebulaCipherState) Overhead 

func (s *NebulaCipherState) Overhead() int

type NebulaControl 

type NebulaControl struct {
	Type                NebulaControl_MessageType `protobuf:"varint,1,opt,name=Type,proto3,enum=nebula.NebulaControl_MessageType" json:"Type,omitempty"`
	InitiatorRelayIndex uint32                    `protobuf:"varint,2,opt,name=InitiatorRelayIndex,proto3" json:"InitiatorRelayIndex,omitempty"`
	ResponderRelayIndex uint32                    `protobuf:"varint,3,opt,name=ResponderRelayIndex,proto3" json:"ResponderRelayIndex,omitempty"`
	RelayToIp           uint32                    `protobuf:"varint,4,opt,name=RelayToIp,proto3" json:"RelayToIp,omitempty"`
	RelayFromIp         uint32                    `protobuf:"varint,5,opt,name=RelayFromIp,proto3" json:"RelayFromIp,omitempty"`
}

func (*NebulaControl) Descriptor 

func (*NebulaControl) Descriptor() ([]byte, []int)

func (*NebulaControl) GetInitiatorRelayIndex 

func (m *NebulaControl) GetInitiatorRelayIndex() uint32

func (*NebulaControl) GetRelayFromIp 

func (m *NebulaControl) GetRelayFromIp() uint32

func (*NebulaControl) GetRelayToIp 

func (m *NebulaControl) GetRelayToIp() uint32

func (*NebulaControl) GetResponderRelayIndex 

func (m *NebulaControl) GetResponderRelayIndex() uint32

func (*NebulaControl) GetType 

func (m *NebulaControl) GetType() NebulaControl_MessageType

func (*NebulaControl) Marshal 

func (m *NebulaControl) Marshal() (dAtA []byte, err error)

func (*NebulaControl) MarshalTo 

func (m *NebulaControl) MarshalTo(dAtA []byte) (int, error)

func (*NebulaControl) MarshalToSizedBuffer 

func (m *NebulaControl) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*NebulaControl) ProtoMessage 

func (*NebulaControl) ProtoMessage()

func (*NebulaControl) Reset 

func (m *NebulaControl) Reset()

func (*NebulaControl) Size 

func (m *NebulaControl) Size() (n int)

func (*NebulaControl) String 

func (m *NebulaControl) String() string

func (*NebulaControl) Unmarshal 

func (m *NebulaControl) Unmarshal(dAtA []byte) error

func (*NebulaControl) XXX_DiscardUnknown 

func (m *NebulaControl) XXX_DiscardUnknown()

func (*NebulaControl) XXX_Marshal 

func (m *NebulaControl) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*NebulaControl) XXX_Merge 

func (m *NebulaControl) XXX_Merge(src proto.Message)

func (*NebulaControl) XXX_Size 

func (m *NebulaControl) XXX_Size() int

func (*NebulaControl) XXX_Unmarshal 

func (m *NebulaControl) XXX_Unmarshal(b []byte) error

type NebulaControl_MessageType 

type NebulaControl_MessageType int32
const (
	NebulaControl_None                NebulaControl_MessageType = 0
	NebulaControl_CreateRelayRequest  NebulaControl_MessageType = 1
	NebulaControl_CreateRelayResponse NebulaControl_MessageType = 2
)

func (NebulaControl_MessageType) EnumDescriptor 

func (NebulaControl_MessageType) EnumDescriptor() ([]byte, []int)

func (NebulaControl_MessageType) String 

func (x NebulaControl_MessageType) String() string

type NebulaHandshake 

type NebulaHandshake struct {
	Details *NebulaHandshakeDetails `protobuf:"bytes,1,opt,name=Details,proto3" json:"Details,omitempty"`
	Hmac    []byte                  `protobuf:"bytes,2,opt,name=Hmac,proto3" json:"Hmac,omitempty"`
}

func (*NebulaHandshake) Descriptor 

func (*NebulaHandshake) Descriptor() ([]byte, []int)

func (*NebulaHandshake) GetDetails 

func (m *NebulaHandshake) GetDetails() *NebulaHandshakeDetails

func (*NebulaHandshake) GetHmac 

func (m *NebulaHandshake) GetHmac() []byte

func (*NebulaHandshake) Marshal 

func (m *NebulaHandshake) Marshal() (dAtA []byte, err error)

func (*NebulaHandshake) MarshalTo 

func (m *NebulaHandshake) MarshalTo(dAtA []byte) (int, error)

func (*NebulaHandshake) MarshalToSizedBuffer 

func (m *NebulaHandshake) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*NebulaHandshake) ProtoMessage 

func (*NebulaHandshake) ProtoMessage()

func (*NebulaHandshake) Reset 

func (m *NebulaHandshake) Reset()

func (*NebulaHandshake) Size 

func (m *NebulaHandshake) Size() (n int)

func (*NebulaHandshake) String 

func (m *NebulaHandshake) String() string

func (*NebulaHandshake) Unmarshal 

func (m *NebulaHandshake) Unmarshal(dAtA []byte) error

func (*NebulaHandshake) XXX_DiscardUnknown 

func (m *NebulaHandshake) XXX_DiscardUnknown()

func (*NebulaHandshake) XXX_Marshal 

func (m *NebulaHandshake) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*NebulaHandshake) XXX_Merge 

func (m *NebulaHandshake) XXX_Merge(src proto.Message)

func (*NebulaHandshake) XXX_Size 

func (m *NebulaHandshake) XXX_Size() int

func (*NebulaHandshake) XXX_Unmarshal 

func (m *NebulaHandshake) XXX_Unmarshal(b []byte) error

type NebulaHandshakeDetails 

type NebulaHandshakeDetails struct {
	Cert           []byte `protobuf:"bytes,1,opt,name=Cert,proto3" json:"Cert,omitempty"`
	InitiatorIndex uint32 `protobuf:"varint,2,opt,name=InitiatorIndex,proto3" json:"InitiatorIndex,omitempty"`
	ResponderIndex uint32 `protobuf:"varint,3,opt,name=ResponderIndex,proto3" json:"ResponderIndex,omitempty"`
	Cookie         uint64 `protobuf:"varint,4,opt,name=Cookie,proto3" json:"Cookie,omitempty"`
	Time           uint64 `protobuf:"varint,5,opt,name=Time,proto3" json:"Time,omitempty"`
}

func (*NebulaHandshakeDetails) Descriptor 

func (*NebulaHandshakeDetails) Descriptor() ([]byte, []int)

func (*NebulaHandshakeDetails) GetCert 

func (m *NebulaHandshakeDetails) GetCert() []byte

func (*NebulaHandshakeDetails) GetCookie 

func (m *NebulaHandshakeDetails) GetCookie() uint64

func (*NebulaHandshakeDetails) GetInitiatorIndex 

func (m *NebulaHandshakeDetails) GetInitiatorIndex() uint32

func (*NebulaHandshakeDetails) GetResponderIndex 

func (m *NebulaHandshakeDetails) GetResponderIndex() uint32

func (*NebulaHandshakeDetails) GetTime 

func (m *NebulaHandshakeDetails) GetTime() uint64

func (*NebulaHandshakeDetails) Marshal 

func (m *NebulaHandshakeDetails) Marshal() (dAtA []byte, err error)

func (*NebulaHandshakeDetails) MarshalTo 

func (m *NebulaHandshakeDetails) MarshalTo(dAtA []byte) (int, error)

func (*NebulaHandshakeDetails) MarshalToSizedBuffer 

func (m *NebulaHandshakeDetails) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*NebulaHandshakeDetails) ProtoMessage 

func (*NebulaHandshakeDetails) ProtoMessage()

func (*NebulaHandshakeDetails) Reset 

func (m *NebulaHandshakeDetails) Reset()

func (*NebulaHandshakeDetails) Size 

func (m *NebulaHandshakeDetails) Size() (n int)

func (*NebulaHandshakeDetails) String 

func (m *NebulaHandshakeDetails) String() string

func (*NebulaHandshakeDetails) Unmarshal 

func (m *NebulaHandshakeDetails) Unmarshal(dAtA []byte) error

func (*NebulaHandshakeDetails) XXX_DiscardUnknown 

func (m *NebulaHandshakeDetails) XXX_DiscardUnknown()

func (*NebulaHandshakeDetails) XXX_Marshal 

func (m *NebulaHandshakeDetails) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*NebulaHandshakeDetails) XXX_Merge 

func (m *NebulaHandshakeDetails) XXX_Merge(src proto.Message)

func (*NebulaHandshakeDetails) XXX_Size 

func (m *NebulaHandshakeDetails) XXX_Size() int

func (*NebulaHandshakeDetails) XXX_Unmarshal 

func (m *NebulaHandshakeDetails) XXX_Unmarshal(b []byte) error

type NebulaMeta 

type NebulaMeta struct {
	Type    NebulaMeta_MessageType `protobuf:"varint,1,opt,name=Type,proto3,enum=nebula.NebulaMeta_MessageType" json:"Type,omitempty"`
	Details *NebulaMetaDetails     `protobuf:"bytes,2,opt,name=Details,proto3" json:"Details,omitempty"`
}

func NewLhQueryByInt 

func NewLhQueryByInt(VpnIp iputil.VpnIp) *NebulaMeta

func (*NebulaMeta) Descriptor 

func (*NebulaMeta) Descriptor() ([]byte, []int)

func (*NebulaMeta) GetDetails 

func (m *NebulaMeta) GetDetails() *NebulaMetaDetails

func (*NebulaMeta) GetType 

func (m *NebulaMeta) GetType() NebulaMeta_MessageType

func (*NebulaMeta) Marshal 

func (m *NebulaMeta) Marshal() (dAtA []byte, err error)

func (*NebulaMeta) MarshalTo 

func (m *NebulaMeta) MarshalTo(dAtA []byte) (int, error)

func (*NebulaMeta) MarshalToSizedBuffer 

func (m *NebulaMeta) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*NebulaMeta) ProtoMessage 

func (*NebulaMeta) ProtoMessage()

func (*NebulaMeta) Reset 

func (m *NebulaMeta) Reset()

func (*NebulaMeta) Size 

func (m *NebulaMeta) Size() (n int)

func (*NebulaMeta) String 

func (m *NebulaMeta) String() string

func (*NebulaMeta) Unmarshal 

func (m *NebulaMeta) Unmarshal(dAtA []byte) error

func (*NebulaMeta) XXX_DiscardUnknown 

func (m *NebulaMeta) XXX_DiscardUnknown()

func (*NebulaMeta) XXX_Marshal 

func (m *NebulaMeta) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*NebulaMeta) XXX_Merge 

func (m *NebulaMeta) XXX_Merge(src proto.Message)

func (*NebulaMeta) XXX_Size 

func (m *NebulaMeta) XXX_Size() int

func (*NebulaMeta) XXX_Unmarshal 

func (m *NebulaMeta) XXX_Unmarshal(b []byte) error

type NebulaMetaDetails 

type NebulaMetaDetails struct {
	VpnIp       uint32        `protobuf:"varint,1,opt,name=VpnIp,proto3" json:"VpnIp,omitempty"`
	Ip4AndPorts []*Ip4AndPort `protobuf:"bytes,2,rep,name=Ip4AndPorts,proto3" json:"Ip4AndPorts,omitempty"`
	Ip6AndPorts []*Ip6AndPort `protobuf:"bytes,4,rep,name=Ip6AndPorts,proto3" json:"Ip6AndPorts,omitempty"`
	RelayVpnIp  []uint32      `protobuf:"varint,5,rep,packed,name=RelayVpnIp,proto3" json:"RelayVpnIp,omitempty"`
	Counter     uint32        `protobuf:"varint,3,opt,name=counter,proto3" json:"counter,omitempty"`
}

func (*NebulaMetaDetails) Descriptor 

func (*NebulaMetaDetails) Descriptor() ([]byte, []int)

func (*NebulaMetaDetails) GetCounter 

func (m *NebulaMetaDetails) GetCounter() uint32

func (*NebulaMetaDetails) GetIp4AndPorts 

func (m *NebulaMetaDetails) GetIp4AndPorts() []*Ip4AndPort

func (*NebulaMetaDetails) GetIp6AndPorts 

func (m *NebulaMetaDetails) GetIp6AndPorts() []*Ip6AndPort

func (*NebulaMetaDetails) GetRelayVpnIp 

func (m *NebulaMetaDetails) GetRelayVpnIp() []uint32

func (*NebulaMetaDetails) GetVpnIp 

func (m *NebulaMetaDetails) GetVpnIp() uint32

func (*NebulaMetaDetails) Marshal 

func (m *NebulaMetaDetails) Marshal() (dAtA []byte, err error)

func (*NebulaMetaDetails) MarshalTo 

func (m *NebulaMetaDetails) MarshalTo(dAtA []byte) (int, error)

func (*NebulaMetaDetails) MarshalToSizedBuffer 

func (m *NebulaMetaDetails) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*NebulaMetaDetails) ProtoMessage 

func (*NebulaMetaDetails) ProtoMessage()

func (*NebulaMetaDetails) Reset 

func (m *NebulaMetaDetails) Reset()

func (*NebulaMetaDetails) Size 

func (m *NebulaMetaDetails) Size() (n int)

func (*NebulaMetaDetails) String 

func (m *NebulaMetaDetails) String() string

func (*NebulaMetaDetails) Unmarshal 

func (m *NebulaMetaDetails) Unmarshal(dAtA []byte) error

func (*NebulaMetaDetails) XXX_DiscardUnknown 

func (m *NebulaMetaDetails) XXX_DiscardUnknown()

func (*NebulaMetaDetails) XXX_Marshal 

func (m *NebulaMetaDetails) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*NebulaMetaDetails) XXX_Merge 

func (m *NebulaMetaDetails) XXX_Merge(src proto.Message)

func (*NebulaMetaDetails) XXX_Size 

func (m *NebulaMetaDetails) XXX_Size() int

func (*NebulaMetaDetails) XXX_Unmarshal 

func (m *NebulaMetaDetails) XXX_Unmarshal(b []byte) error

type NebulaMeta_MessageType 

type NebulaMeta_MessageType int32
const (
	NebulaMeta_None                      NebulaMeta_MessageType = 0
	NebulaMeta_HostQuery                 NebulaMeta_MessageType = 1
	NebulaMeta_HostQueryReply            NebulaMeta_MessageType = 2
	NebulaMeta_HostUpdateNotification    NebulaMeta_MessageType = 3
	NebulaMeta_HostMovedNotification     NebulaMeta_MessageType = 4
	NebulaMeta_HostPunchNotification     NebulaMeta_MessageType = 5
	NebulaMeta_HostWhoami                NebulaMeta_MessageType = 6
	NebulaMeta_HostWhoamiReply           NebulaMeta_MessageType = 7
	NebulaMeta_PathCheck                 NebulaMeta_MessageType = 8
	NebulaMeta_PathCheckReply            NebulaMeta_MessageType = 9
	NebulaMeta_HostUpdateNotificationAck NebulaMeta_MessageType = 10
)

func (NebulaMeta_MessageType) EnumDescriptor 

func (NebulaMeta_MessageType) EnumDescriptor() ([]byte, []int)

func (NebulaMeta_MessageType) String 

func (x NebulaMeta_MessageType) String() string

type NebulaPing 

type NebulaPing struct {
	Type NebulaPing_MessageType `protobuf:"varint,1,opt,name=Type,proto3,enum=nebula.NebulaPing_MessageType" json:"Type,omitempty"`
	Time uint64                 `protobuf:"varint,2,opt,name=Time,proto3" json:"Time,omitempty"`
}

func (*NebulaPing) Descriptor 

func (*NebulaPing) Descriptor() ([]byte, []int)

func (*NebulaPing) GetTime 

func (m *NebulaPing) GetTime() uint64

func (*NebulaPing) GetType 

func (m *NebulaPing) GetType() NebulaPing_MessageType

func (*NebulaPing) Marshal 

func (m *NebulaPing) Marshal() (dAtA []byte, err error)

func (*NebulaPing) MarshalTo 

func (m *NebulaPing) MarshalTo(dAtA []byte) (int, error)

func (*NebulaPing) MarshalToSizedBuffer 

func (m *NebulaPing) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*NebulaPing) ProtoMessage 

func (*NebulaPing) ProtoMessage()

func (*NebulaPing) Reset 

func (m *NebulaPing) Reset()

func (*NebulaPing) Size 

func (m *NebulaPing) Size() (n int)

func (*NebulaPing) String 

func (m *NebulaPing) String() string

func (*NebulaPing) Unmarshal 

func (m *NebulaPing) Unmarshal(dAtA []byte) error

func (*NebulaPing) XXX_DiscardUnknown 

func (m *NebulaPing) XXX_DiscardUnknown()

func (*NebulaPing) XXX_Marshal 

func (m *NebulaPing) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*NebulaPing) XXX_Merge 

func (m *NebulaPing) XXX_Merge(src proto.Message)

func (*NebulaPing) XXX_Size 

func (m *NebulaPing) XXX_Size() int

func (*NebulaPing) XXX_Unmarshal 

func (m *NebulaPing) XXX_Unmarshal(b []byte) error

type NebulaPing_MessageType 

type NebulaPing_MessageType int32
const (
	NebulaPing_Ping  NebulaPing_MessageType = 0
	NebulaPing_Reply NebulaPing_MessageType = 1
)

func (NebulaPing_MessageType) EnumDescriptor 

func (NebulaPing_MessageType) EnumDescriptor() ([]byte, []int)

func (NebulaPing_MessageType) String 

func (x NebulaPing_MessageType) String() string

type PKI 

type PKI struct {
	// contains filtered or unexported fields
}

func NewPKIFromConfig 

func NewPKIFromConfig(l *logrus.Logger, c *config.C) (*PKI, error)

func (*PKI) GetCAPool 

func (p *PKI) GetCAPool() *cert.NebulaCAPool

func (*PKI) GetCertState 

func (p *PKI) GetCertState() *CertState

type Punchy 

type Punchy struct {
	// contains filtered or unexported fields
}

func NewPunchyFromConfig 

func NewPunchyFromConfig(l *logrus.Logger, c *config.C) *Punchy

func (*Punchy) GetDelay 

func (p *Punchy) GetDelay() time.Duration

func (*Punchy) GetPunch 

func (p *Punchy) GetPunch() bool

func (*Punchy) GetRespond 

func (p *Punchy) GetRespond() bool

func (*Punchy) GetRespondDelay 

func (p *Punchy) GetRespondDelay() time.Duration

func (*Punchy) GetTargetEverything 

func (p *Punchy) GetTargetEverything() bool

type Relay 

type Relay struct {
	Type        int
	State       int
	LocalIndex  uint32
	RemoteIndex uint32
	PeerIp      iputil.VpnIp
}

type RelayState 

type RelayState struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

For synchronization, treat the pointed-to Relay struct as immutable. To edit the Relay struct, make a copy of an existing value, edit the fileds in the copy, and then store a pointer to the new copy in both realyForBy* maps.

func (*RelayState) CompleteRelayByIP 

func (rs *RelayState) CompleteRelayByIP(vpnIp iputil.VpnIp, remoteIdx uint32) bool

func (*RelayState) CompleteRelayByIdx 

func (rs *RelayState) CompleteRelayByIdx(localIdx uint32, remoteIdx uint32) (*Relay, bool)

func (*RelayState) CopyAllRelayFor 

func (rs *RelayState) CopyAllRelayFor() []*Relay

func (*RelayState) CopyRelayForIdxs 

func (rs *RelayState) CopyRelayForIdxs() []uint32

func (*RelayState) CopyRelayForIps 

func (rs *RelayState) CopyRelayForIps() []iputil.VpnIp

func (*RelayState) CopyRelayIps 

func (rs *RelayState) CopyRelayIps() []iputil.VpnIp

func (*RelayState) DeleteRelay 

func (rs *RelayState) DeleteRelay(ip iputil.VpnIp)

func (*RelayState) GetRelayForByIp 

func (rs *RelayState) GetRelayForByIp(ip iputil.VpnIp) (*Relay, bool)

func (*RelayState) InsertRelay 

func (rs *RelayState) InsertRelay(ip iputil.VpnIp, idx uint32, r *Relay)

func (*RelayState) InsertRelayTo 

func (rs *RelayState) InsertRelayTo(ip iputil.VpnIp)

func (*RelayState) QueryRelayForByIdx 

func (rs *RelayState) QueryRelayForByIdx(idx uint32) (*Relay, bool)

func (*RelayState) QueryRelayForByIp 

func (rs *RelayState) QueryRelayForByIp(vpnIp iputil.VpnIp) (*Relay, bool)

func (*RelayState) RemoveRelay 

func (rs *RelayState) RemoveRelay(localIdx uint32) (iputil.VpnIp, bool)

type RemoteAllowList 

type RemoteAllowList struct {
	AllowList *AllowList
	// contains filtered or unexported fields
}

func NewRemoteAllowListFromConfig 

func NewRemoteAllowListFromConfig(c *config.C, k, rangesKey string) (*RemoteAllowList, error)

func (*RemoteAllowList) Allow 

func (al *RemoteAllowList) Allow(vpnIp iputil.VpnIp, ip net.IP) bool

func (*RemoteAllowList) AllowIpV4 

func (al *RemoteAllowList) AllowIpV4(vpnIp iputil.VpnIp, ip iputil.VpnIp) bool

func (*RemoteAllowList) AllowIpV6 

func (al *RemoteAllowList) AllowIpV6(vpnIp iputil.VpnIp, hi, lo uint64) bool

func (*RemoteAllowList) AllowUnknownVpnIp 

func (al *RemoteAllowList) AllowUnknownVpnIp(ip net.IP) bool

type RemoteList 

type RemoteList struct {
	// Every interaction with internals requires a lock!
	sync.RWMutex
	// contains filtered or unexported fields
}

RemoteList is a unifying concept for lighthouse servers and clients as well as hostinfos. It serves as a local cache of query replies, host update notifications, and locally learned addresses

func NewRemoteList 

func NewRemoteList(shouldAdd func(netip.Addr) bool) *RemoteList

NewRemoteList creates a new empty RemoteList

func (*RemoteList) BlockRemote 

func (r *RemoteList) BlockRemote(bad *udp.Addr)

BlockRemote locks and records the address as bad, it will be excluded from the deduplicated address list

func (*RemoteList) CopyAddrs 

func (r *RemoteList) CopyAddrs(preferredRanges []*net.IPNet) []*udp.Addr

CopyAddrs locks and makes a deep copy of the deduplicated address list The deduplication work may need to occur here, so you must pass preferredRanges

func (*RemoteList) CopyBlockedRemotes 

func (r *RemoteList) CopyBlockedRemotes() []*udp.Addr

CopyBlockedRemotes locks and makes a deep copy of the blocked remotes list

func (*RemoteList) CopyCache 

func (r *RemoteList) CopyCache() *CacheMap

CopyCache locks and creates a more human friendly form of the internal address cache. This may contain duplicates and blocked addresses

func (*RemoteList) ForEach 

func (r *RemoteList) ForEach(preferredRanges []*net.IPNet, forEach forEachFunc)

ForEach locks and will call the forEachFunc for every deduplicated address in the list The deduplication work may need to occur here, so you must pass preferredRanges

func (*RemoteList) LearnRemote 

func (r *RemoteList) LearnRemote(ownerVpnIp iputil.VpnIp, addr *udp.Addr)

LearnRemote locks and sets the learned slot for the owner vpn ip to the provided addr Currently this is only needed when HostInfo.SetRemote is called as that should cover both handshaking and roaming. It will mark the deduplicated address list as dirty, so do not call it unless new information is available TODO: this needs to support the allow list list

func (*RemoteList) Len 

func (r *RemoteList) Len(preferredRanges []*net.IPNet) int

Len locks and reports the size of the deduplicated address list The deduplication work may need to occur here, so you must pass preferredRanges

func (*RemoteList) Rebuild 

func (r *RemoteList) Rebuild(preferredRanges []*net.IPNet)

Rebuild locks and generates the deduplicated address list only if there is work to be done There is generally no reason to call this directly but it is safe to do so

func (*RemoteList) ResetBlockedRemotes 

func (r *RemoteList) ResetBlockedRemotes()

ResetBlockedRemotes locks and clears the blocked remotes list

type TimeoutItem 

type TimeoutItem[T any] struct {
	Item T
	Next *TimeoutItem[T]
}

TimeoutItem Represents an item within a tick

type TimeoutList 

type TimeoutList[T any] struct {
	Head *TimeoutItem[T]
	Tail *TimeoutItem[T]
}

TimeoutList Represents a tick in the wheel

type TimerWheel 

type TimerWheel[T any] struct {
	// contains filtered or unexported fields
}

func NewTimerWheel 

func NewTimerWheel[T any](min, max time.Duration) *TimerWheel[T]

NewTimerWheel Builds a timer wheel and identifies the tick duration and wheel duration from the provided values Purge must be called once per entry to actually remove anything The TimerWheel does not handle concurrency on its own. Locks around access to it must be used if multiple routines are manipulating it.

func (*TimerWheel[T]) Add 

func (tw *TimerWheel[T]) Add(v T, timeout time.Duration) *TimeoutItem[T]

Add will add an item to the wheel in its proper timeout. Caller should Advance the wheel prior to ensure the proper slot is used.

func (*TimerWheel[T]) Advance 

func (tw *TimerWheel[T]) Advance(now time.Time)

Advance will move the wheel forward by the appropriate number of ticks for the provided time and all items passed over will be moved to the expired list. Calling Purge is necessary to remove them entirely.

func (*TimerWheel[T]) Purge 

func (tw *TimerWheel[T]) Purge() (T, bool)

Purge removes and returns the first available expired item from the wheel and the 2nd argument is true. If no item is available then an empty T is returned and the 2nd argument is false.

type UEClient 

type UEClient struct {
	avoid.UnimplementedAvoidClientServer
	// contains filtered or unexported fields
}

func (*UEClient) Action 

func (s *UEClient) Action(ctx context.Context, req *avoid.ActionRequest) (*avoid.ConnectionInfo, error)

func (*UEClient) HealthCheck 

func (s *UEClient) HealthCheck(ctx context.Context, req *avoid.HealthRequest) (*avoid.HealthReply, error)

type ViaSender 

type ViaSender struct {
	// contains filtered or unexported fields
}

Source Files

View all Source files

Directories

Path Synopsis
cli/manager
services/actioneer
services/client
services/manager
services/relay
tunnel
cert
v2
cmd
nebula
nebula-cert
nebula-service
e2e
router
examples
go_service

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.