Commit Graph

135 Commits

Author SHA1 Message Date
ff64d1f952 unsafe_routes mtu (#209) 2020-04-06 11:33:30 -07:00
9e2ff7df57 Correct typos in noise.go (#205) 2020-03-30 11:23:55 -07:00
1297090af3 add configurable punching delay because of race-condition-y conntracks (#210)
* add configurable punching delay because of race-condition-y conntracks

* add changelog

* fix tests

* only do one punch per query

* Coalesce punchy config

* It is not is not set

* Add tests

Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2020-03-27 11:26:39 -07:00
add1b21777 only create a CIDRTree for each host if necessary (#198)
A CIDRTree can be expensive to create, so only do it if we need
it. If the remote host only has one IP address and no subnets, just do
an exact IP match instead.

Fixes: #171
2020-03-02 16:21:33 -05:00
1cb3201b5e Github Actions: cache modules and only run when necessary (#197)
This PR does two things:

- Only run the tests when relevant files change.
- Cache the Go Modules directory between runs, so they don't have to redownload everything everytime (go.sum is the cache key). Pretty much straight from the examples: https://github.com/actions/cache/blob/master/examples.md#go---modules
2020-03-02 16:21:19 -05:00
41968551f9 clarify that lighthouse IP should be nebula range (#196) 2020-02-28 11:35:55 -08:00
8548ac3c31 build and test with go1.14 (#195)
- https://golang.org/doc/go1.14

I did a performance sanity check in Docker, and performance seems about
the same (perhaps slightly higher).
2020-02-27 15:48:39 -05:00
fb9b36f677 allow any config file name if specified directly (#189)
Currently, we require that config file names end with `.yml` or `.yaml`.
This is because if the user points `-config` at a directory of files, we
only want to use the YAML files in that directory.

But this makes it more difficult to use the `-test -config` option
because config management tools might not have an extension on the file
when preparing a new config file. This change makes it so that if you
point `-config file` directly at a file, it uses it no matter what the
extension is.
2020-02-26 15:38:56 -05:00
4d1928f1e3 Support unsafe_routes on Windows (#184)
* Support unsafe_routes on Windows

* Full path to route executable

* Escape string properly
2020-02-26 15:23:16 -05:00
a91a40212d check that packet isn't bound for my vpn ip (#192) 2020-02-21 16:49:54 -08:00
179a369130 add configuration options for HandshakeManager (#179)
This change exposes the current constants we have defined for the handshake
manager as configuration options. This will allow us to test and tweak
with different intervals and wait rotations.

    # Handshake Manger Settings
    handshakes:
      # Total time to try a handshake = sequence of `try_interval * retries`
      # With 100ms interval and 20 retries it is 23.5 seconds
      try_interval: 100ms
      retries: 20

      # wait_rotation is the number of handshake attempts to do before starting to try non-local IP addresses
      wait_rotation: 5
2020-02-21 16:25:11 -05:00
df69371620 use absolute paths on darwin and windows (#191)
We want to make sure to use the system binaries, and not whatever is in
the PATH.
2020-02-21 15:25:33 -05:00
eda344d88f add logging.timestamp_format config option (#187)
This change introduces logging.timestamp_format, which allows
configuration of the Logrus TimestampFormat setting. The primary purpose
of this change was to allow logging with millisecond precision. The
default for `text` and `json` formats remains the same for backwards
compatibility.

timestamp format is specified in Go time format, see:

 - https://golang.org/pkg/time/#pkg-constants

Default when `format: json`: "2006-01-02T15:04:05Z07:00" (RFC3339)
Default when `format: text`:
  when TTY attached: seconds since beginning of execution
  otherwise: "2006-01-02T15:04:05Z07:00" (RFC3339)

As an example, to log as RFC3339 with millisecond precision, set to:

    logging:
        timestamp_format: "2006-01-02T15:04:05.000Z07:00"
2020-02-21 15:25:00 -05:00
065e2ff88a update golang.org/x/crypto (#188)
This version contains a fix for CVE-2020-9283, a remote crash bug:

- https://groups.google.com/forum/#!msg/golang-announce/3L45YRc91SY/ywEPcKLnGQAJ
2020-02-20 14:49:55 -05:00
45a5de2719 Print the udp listen address on startup (#181) 2020-02-06 21:17:43 -08:00
2d24ef7166 validate lighthouses and static hosts are in our subnet (#170)
Validate all lighthouse.hosts and static_host_map VPN IPs are in the
subnet defined in our cert. Exit with a fatal error if they are not in
our subnet, as this is an invalid configuration (we will not have the
proper routes set up to communicate with these hosts).

This error case could occur for the following invalid example:

    nebula-cert sign -name "lighthouse" -ip "10.0.1.1/24"
    nebula-cert sign -name "host" -ip "10.0.2.1/24"

    config.yaml:

        static_host_map:
            "10.0.1.1": ["lighthouse.local:4242"]
        lighthouse:
          hosts:
            - "10.0.1.1"

We will now return a fatal error for this config, since `10.0.1.1` is
not in the host cert's subnet of `10.0.2.1/24`
2020-01-20 15:52:55 -05:00
13941aa723 Prepare for 1.1.0 release. (#167)
Update the changelog to mark today as the release day for 1.1.0.
2020-01-17 12:29:42 -05:00
672edcaf73 add CHANGELOG.md (#166)
This is the initial creation of a CHANGELOG. When we are ready to cut
a release we can change the version at the top and update the links at
the bottom.
2020-01-17 09:23:54 -05:00
25bf80d8d3 add new invite link without expiration date (#165)
merging because link doesn't work rn and this is not a code change.
2020-01-16 10:09:45 -06:00
5c126cd42b conform to new build format for vagrant (#153)
* conform to new build format for vagrant
2020-01-08 11:32:28 -08:00
91f7b9c049 Update README.md
fix readme
2020-01-07 12:40:25 -06:00
1592da921d fix(nebula-cert): flag duration is optional, so reflect this is the cli help (#117)
* fix: nebula-cert duration is optional, so reflect this is the cli help

nebula-cert sign defaults the duration flag to 1 second before the CA expires, so it is not required to be provided.

* tests: Fix test for duration flag help message

* nebula-cert: add duration default value hint
2020-01-06 10:51:29 -08:00
4e0da13180 Support unsafe_routes on Darwin (#139)
* Support unsafe_routes on darwin

* fix formatting in tun_darwin.go (spaces to tabs)
2020-01-06 10:09:56 -08:00
e9b0498b21 Correct typo (#150) 2020-01-06 09:14:11 -08:00
efe741ad66 Allow ValidateLHStaticEntries to check all static host map entries (#141)
* Allow ValidateLHStaticEntries to check all static host map entries

* Cleaner fix for ValidateLHStaticEntries
2020-01-02 21:04:18 -05:00
fd8ad5d0d7 Merge pull request #133 from slackhq/interval_zero_check
if interval is 0 don't even update lh (mobile use case)
2019-12-26 15:57:01 -06:00
df8e45c13b if interval is 0 don't even update lh (mobile use case) 2019-12-26 21:12:31 +00:00
0eb5ce6b41 better windows targets in Makefile (#125)
This restores `make bin-windows` and also adds `make
build/nebula-windows-amd64.zip` to build the zip file.

Co-authored-by: Ryan Huber <rhuber@gmail.com>
2019-12-21 09:31:48 -05:00
8ed8419584 GitHub Action: add release script (#124)
This script will be triggered by any tag starting with `v[0-9]+.[0-9]+.[0-9]+` (i.e.
v1.1.0). It will create all of the .tar.gz files (or .zip for windows). The amd64 binaries will be
compiled on their target systems, the rest of the Linux architecures
will be cross compiled from the Linux amd64 host.

A SHASUM256.txt will also be generated and attached to the release.
2019-12-21 01:15:41 -05:00
e728b81573 Merge pull request #122 from slackhq/better-makefile
Makefile improvements
2019-12-20 14:15:58 -05:00
4c1725772b make arm builds specific 2019-12-20 14:08:18 -05:00
f6aabf14a6 fix whitespace 2019-12-20 13:55:15 -05:00
bc7b3895f9 Makefile improvements
Simplify the makefile by using implicit rules. The new structure for the
build directory when using `make all` or `make release` is:

    build/$GOOS-$GOARCH-$GOARM/nebula

(The GOARM part is optional, and only used for linux-arm-6)

So, releases end up like `nebula-linux-amd64.tar.gz` or
`nebula-linux-arm-6.tar.gz`

This change also adds `-trimpath` to the build, to make the pathnames
more generic in our releases.
2019-12-20 13:48:41 -05:00
fe8a71ed59 Merge pull request #121 from slackhq/txq-err
Make linux tx queue length an error log instead of a fatal on error
2019-12-20 09:21:46 -08:00
9db16d226c Make linux tx queue length an error log instead of a fatal on error 2019-12-20 09:10:26 -08:00
fe58cedd2e Merge pull request #120 from slackhq/add_slack_link
add invitation link to readme
2019-12-20 08:33:38 -08:00
7ee692663d add invitation link to readme 2019-12-20 16:28:17 +00:00
e465b13045 Merge pull request #113 from slackhq/fw-ca
Fixes the issues with caSha and caName
2019-12-19 09:06:50 -08:00
2d8a8143de Actual fix for the real issue with tests 2019-12-18 21:23:59 -08:00
b39fab3043 Merge pull request #114 from slackhq/mtu-optional
Move tun mtu failing to an error log instead of fatal
2019-12-18 16:57:40 -08:00
55525654a8 Move tun mtu failing to an error log instead of fatal 2019-12-18 16:51:59 -08:00
4e378fdb5b Add test for current bug in master, reduce log output in test 2019-12-18 11:06:51 -08:00
99cac0da55 Remove println 2019-12-17 23:48:33 -08:00
c359a5cf71 Correct example config doc 2019-12-17 23:43:10 -08:00
56657065e0 Fix ca* checks 2019-12-17 23:36:12 -08:00
8e6b72516b Merge pull request #107 from slackhq/ca-ip
Support extra root assertions in `cert.Verify`
2019-12-17 19:09:52 -08:00
328db6bb82 Root constraint usage and support in nebula-cert 2019-12-17 17:59:21 -08:00
0dc9aafa14 Support root subnet asserts 2019-12-17 17:10:46 -08:00
98d92ee4cf Support root IP assertions in cert.Verify 2019-12-17 17:06:13 -08:00
8b2ee5cf34 Merge pull request #99 from slackhq/update-deps-2019-12
Update dependencies, December 2019
2019-12-17 13:29:21 -05:00