IPv6 support for outside (udp) (#369)

2021-03-18 20:37:24 -05:00
parent 9e94442ce7
commit 7073d204a8
34 changed files with 1726 additions and 732 deletions
--- a/lighthouse.go
+++ b/lighthouse.go
@ -9,6 +9,7 @@ import (

 	"github.com/golang/protobuf/proto"
 	"github.com/rcrowley/go-metrics"
+	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/cert"
 )

@ -21,7 +22,7 @@ type LightHouse struct {
 	punchConn    *udpConn

 	// Local cache of answers from light houses
-	addrMap map[uint32][]udpAddr
+	addrMap map[uint32][]*udpAddr

 	// filters remote addresses allowed for each host
 	// - When we are a lighthouse, this filters what addresses we store and
@ -41,7 +42,7 @@ type LightHouse struct {
 	staticList  map[uint32]struct{}
 	lighthouses map[uint32]struct{}
 	interval    int
-	nebulaPort  uint32
+	nebulaPort  uint32 // 32 bits because protobuf does not have a uint16
 	punchBack   bool
 	punchDelay  time.Duration

@ -58,7 +59,7 @@ func NewLightHouse(amLighthouse bool, myIp uint32, ips []uint32, interval int, n
 	h := LightHouse{
 		amLighthouse: amLighthouse,
 		myIp:         myIp,
-		addrMap:      make(map[uint32][]udpAddr),
+		addrMap:      make(map[uint32][]*udpAddr),
 		nebulaPort:   nebulaPort,
 		lighthouses:  make(map[uint32]struct{}),
 		staticList:   make(map[uint32]struct{}),
@ -106,7 +107,7 @@ func (lh *LightHouse) ValidateLHStaticEntries() error {
 	return nil
 }

-func (lh *LightHouse) Query(ip uint32, f EncWriter) ([]udpAddr, error) {
+func (lh *LightHouse) Query(ip uint32, f EncWriter) ([]*udpAddr, error) {
 	if !lh.IsLighthouseIP(ip) {
 		lh.QueryServer(ip, f)
 	}
@ -139,7 +140,7 @@ func (lh *LightHouse) QueryServer(ip uint32, f EncWriter) {
 }

 // Query our local lighthouse cached results
-func (lh *LightHouse) QueryCache(ip uint32) []udpAddr {
+func (lh *LightHouse) QueryCache(ip uint32) []*udpAddr {
 	lh.RLock()
 	if v, ok := lh.addrMap[ip]; ok {
 		lh.RUnlock()
@ -179,7 +180,7 @@ func (lh *LightHouse) AddRemote(vpnIP uint32, toIp *udpAddr, static bool) {
 		}
 	}

-	allow := lh.remoteAllowList.Allow(udp2ipInt(toIp))
+	allow := lh.remoteAllowList.Allow(toIp.IP)
 	l.WithField("remoteIp", toIp).WithField("allow", allow).Debug("remoteAllowList.Allow")
 	if !allow {
 		return
@ -189,7 +190,8 @@ func (lh *LightHouse) AddRemote(vpnIP uint32, toIp *udpAddr, static bool) {
 	if static {
 		lh.staticList[vpnIP] = struct{}{}
 	}
-	lh.addrMap[vpnIP] = append(lh.addrMap[vpnIP], *toIp)
+
+	lh.addrMap[vpnIP] = append(lh.addrMap[vpnIP], toIp.Copy())
 }

 func (lh *LightHouse) AddRemoteAndReset(vpnIP uint32, toIp *udpAddr) {
@ -216,12 +218,41 @@ func NewLhQueryByInt(VpnIp uint32) *NebulaMeta {
 	}
 }

-func NewIpAndPort(ip net.IP, port uint32) IpAndPort {
-	return IpAndPort{Ip: ip2int(ip), Port: port}
+type ip4Or6 struct {
+	v4 IpAndPort
+	v6 Ip6AndPort
 }

-func NewIpAndPortFromUDPAddr(addr udpAddr) IpAndPort {
-	return IpAndPort{Ip: udp2ipInt(&addr), Port: uint32(addr.Port)}
+func NewIpAndPort(ip net.IP, port uint32) ip4Or6 {
+	ipp := ip4Or6{}
+
+	if ipv4 := ip.To4(); ipv4 != nil {
+		ipp.v4 = IpAndPort{Port: port}
+		ipp.v4.Ip = ip2int(ip)
+
+	} else {
+		ipp.v6 = Ip6AndPort{Port: port}
+		ipp.v6.Ip = make([]byte, len(ip))
+		copy(ipp.v6.Ip, ip)
+	}
+
+	return ipp
+}
+
+func NewIpAndPortFromUDPAddr(addr *udpAddr) ip4Or6 {
+	return NewIpAndPort(addr.IP, uint32(addr.Port))
+}
+
+func NewUDPAddrFromLH4(ipp *IpAndPort) *udpAddr {
+	ip := ipp.Ip
+	return NewUDPAddr(
+		net.IPv4(byte(ip&0xff000000>>24), byte(ip&0x00ff0000>>16), byte(ip&0x0000ff00>>8), byte(ip&0x000000ff)),
+		uint16(ipp.Port),
+	)
+}
+
+func NewUDPAddrFromLH6(ipp *Ip6AndPort) *udpAddr {
+	return NewUDPAddr(ipp.Ip, uint16(ipp.Port))
 }

 func (lh *LightHouse) LhUpdateWorker(f EncWriter) {
@ -236,20 +267,27 @@ func (lh *LightHouse) LhUpdateWorker(f EncWriter) {
 }

 func (lh *LightHouse) SendUpdate(f EncWriter) {
-	var ipps []*IpAndPort
+	var v4 []*IpAndPort
+	var v6 []*Ip6AndPort

 	for _, e := range *localIps(lh.localAllowList) {
 		// Only add IPs that aren't my VPN/tun IP
 		if ip2int(e) != lh.myIp {
 			ipp := NewIpAndPort(e, lh.nebulaPort)
-			ipps = append(ipps, &ipp)
+			if len(ipp.v6.Ip) > 0 {
+				v6 = append(v6, &ipp.v6)
+			} else {
+				v4 = append(v4, &ipp.v4)
+			}
+
 		}
 	}
 	m := &NebulaMeta{
 		Type: NebulaMeta_HostUpdateNotification,
 		Details: &NebulaMetaDetails{
-			VpnIp:      lh.myIp,
-			IpAndPorts: ipps,
+			VpnIp:       lh.myIp,
+			IpAndPorts:  v4,
+			Ip6AndPorts: v6,
 		},
 	}

@ -272,8 +310,8 @@ type LightHouseHandler struct {
 	nb   []byte
 	out  []byte
 	meta *NebulaMeta
-	iap  []IpAndPort
-	iapp []*IpAndPort
+	iap  []ip4Or6
+	iapp []*ip4Or6
 }

 func (lh *LightHouse) NewRequestHandler() *LightHouseHandler {
@ -306,8 +344,8 @@ func (lhh *LightHouseHandler) resetMeta() *NebulaMeta {

 func (lhh *LightHouseHandler) resizeIpAndPorts(n int) {
 	if cap(lhh.iap) < n {
-		lhh.iap = make([]IpAndPort, n)
-		lhh.iapp = make([]*IpAndPort, n)
+		lhh.iap = make([]ip4Or6, n)
+		lhh.iapp = make([]*ip4Or6, n)

 		for i := range lhh.iap {
 			lhh.iapp[i] = &lhh.iap[i]
@ -317,7 +355,7 @@ func (lhh *LightHouseHandler) resizeIpAndPorts(n int) {
 	lhh.iapp = lhh.iapp[:n]
 }

-func (lhh *LightHouseHandler) setIpAndPortsFromNetIps(ips []udpAddr) []*IpAndPort {
+func (lhh *LightHouseHandler) setIpAndPortsFromNetIps(ips []*udpAddr) []*ip4Or6 {
 	lhh.resizeIpAndPorts(len(ips))
 	for i, e := range ips {
 		lhh.iap[i] = NewIpAndPortFromUDPAddr(e)
@ -363,7 +401,25 @@ func (lhh *LightHouseHandler) HandleRequest(rAddr *udpAddr, vpnIp uint32, p []by
 			n = lhh.resetMeta()
 			n.Type = NebulaMeta_HostQueryReply
 			n.Details.VpnIp = reqVpnIP
-			n.Details.IpAndPorts = lhh.setIpAndPortsFromNetIps(ips)
+
+			v4s := make([]*IpAndPort, 0)
+			v6s := make([]*Ip6AndPort, 0)
+			for _, v := range lhh.setIpAndPortsFromNetIps(ips) {
+				if len(v.v6.Ip) > 0 {
+					v6s = append(v6s, &v.v6)
+				} else {
+					v4s = append(v4s, &v.v4)
+				}
+			}
+
+			if len(v4s) > 0 {
+				n.Details.IpAndPorts = v4s
+			}
+
+			if len(v6s) > 0 {
+				n.Details.Ip6AndPorts = v6s
+			}
+
 			reply, err := proto.Marshal(n)
 			if err != nil {
 				l.WithError(err).WithField("vpnIp", IntIp(vpnIp)).Error("Failed to marshal lighthouse host query reply")
@ -382,7 +438,25 @@ func (lhh *LightHouseHandler) HandleRequest(rAddr *udpAddr, vpnIp uint32, p []by
 				n = lhh.resetMeta()
 				n.Type = NebulaMeta_HostPunchNotification
 				n.Details.VpnIp = vpnIp
-				n.Details.IpAndPorts = lhh.setIpAndPortsFromNetIps(ips)
+
+				v4s := make([]*IpAndPort, 0)
+				v6s := make([]*Ip6AndPort, 0)
+				for _, v := range lhh.setIpAndPortsFromNetIps(ips) {
+					if len(v.v6.Ip) > 0 {
+						v6s = append(v6s, &v.v6)
+					} else {
+						v4s = append(v4s, &v.v4)
+					}
+				}
+
+				if len(v4s) > 0 {
+					n.Details.IpAndPorts = v4s
+				}
+
+				if len(v6s) > 0 {
+					n.Details.Ip6AndPorts = v6s
+				}
+
 				reply, _ := proto.Marshal(n)
 				lh.metricTx(NebulaMeta_HostPunchNotification, 1)
 				f.SendMessageToVpnIp(lightHouse, 0, reqVpnIP, reply, lhh.nb, lhh.out[:0])
@ -394,11 +468,21 @@ func (lhh *LightHouseHandler) HandleRequest(rAddr *udpAddr, vpnIp uint32, p []by
 		if !lh.IsLighthouseIP(vpnIp) {
 			return
 		}
+
 		for _, a := range n.Details.IpAndPorts {
-			//first := n.Details.IpAndPorts[0]
-			ans := NewUDPAddr(a.Ip, uint16(a.Port))
-			lh.AddRemote(n.Details.VpnIp, ans, false)
+			ans := NewUDPAddrFromLH4(a)
+			if ans != nil {
+				lh.AddRemote(n.Details.VpnIp, ans, false)
+			}
 		}
+
+		for _, a := range n.Details.Ip6AndPorts {
+			ans := NewUDPAddrFromLH6(a)
+			if ans != nil {
+				lh.AddRemote(n.Details.VpnIp, ans, false)
+			}
+		}
+
 		// Non-blocking attempt to trigger, skip if it would block
 		select {
 		case lh.handshakeTrigger <- n.Details.VpnIp:
@ -411,10 +495,21 @@ func (lhh *LightHouseHandler) HandleRequest(rAddr *udpAddr, vpnIp uint32, p []by
 			l.WithField("vpnIp", IntIp(vpnIp)).WithField("answer", IntIp(n.Details.VpnIp)).Debugln("Host sent invalid update")
 			return
 		}
+
 		for _, a := range n.Details.IpAndPorts {
-			ans := NewUDPAddr(a.Ip, uint16(a.Port))
-			lh.AddRemote(n.Details.VpnIp, ans, false)
+			ans := NewUDPAddrFromLH4(a)
+			if ans != nil {
+				lh.AddRemote(n.Details.VpnIp, ans, false)
+			}
 		}
+
+		for _, a := range n.Details.Ip6AndPorts {
+			ans := NewUDPAddrFromLH6(a)
+			if ans != nil {
+				lh.AddRemote(n.Details.VpnIp, ans, false)
+			}
+		}
+
 	case NebulaMeta_HostMovedNotification:
 	case NebulaMeta_HostPunchNotification:
 		if !lh.IsLighthouseIP(vpnIp) {
@ -423,15 +518,43 @@ func (lhh *LightHouseHandler) HandleRequest(rAddr *udpAddr, vpnIp uint32, p []by

 		empty := []byte{0}
 		for _, a := range n.Details.IpAndPorts {
-			vpnPeer := NewUDPAddr(a.Ip, uint16(a.Port))
+			vpnPeer := NewUDPAddrFromLH4(a)
+			if vpnPeer == nil {
+				continue
+			}
+
 			go func() {
 				time.Sleep(lh.punchDelay)
 				lh.metricHolepunchTx.Inc(1)
 				lh.punchConn.WriteTo(empty, vpnPeer)

 			}()
-			l.Debugf("Punching %s on %d for %s", IntIp(a.Ip), a.Port, IntIp(n.Details.VpnIp))
+
+			if l.Level >= logrus.DebugLevel {
+				//TODO: lacking the ip we are actually punching on, old: l.Debugf("Punching %s on %d for %s", IntIp(a.Ip), a.Port, IntIp(n.Details.VpnIp))
+				l.Debugf("Punching on %d for %s", a.Port, IntIp(n.Details.VpnIp))
+			}
 		}
+
+		for _, a := range n.Details.Ip6AndPorts {
+			vpnPeer := NewUDPAddrFromLH6(a)
+			if vpnPeer == nil {
+				continue
+			}
+
+			go func() {
+				time.Sleep(lh.punchDelay)
+				lh.metricHolepunchTx.Inc(1)
+				lh.punchConn.WriteTo(empty, vpnPeer)
+
+			}()
+
+			if l.Level >= logrus.DebugLevel {
+				//TODO: lacking the ip we are actually punching on, old: l.Debugf("Punching %s on %d for %s", IntIp(a.Ip), a.Port, IntIp(n.Details.VpnIp))
+				l.Debugf("Punching on %d for %s", a.Port, IntIp(n.Details.VpnIp))
+			}
+		}
+
 		// This sends a nebula test packet to the host trying to contact us. In the case
 		// of a double nat or other difficult scenario, this may help establish
 		// a tunnel.