-
Notifications
You must be signed in to change notification settings - Fork 974
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
V2 certificate format #1216
base: master
Are you sure you want to change the base?
V2 certificate format #1216
Conversation
|
||
-- At least 1 ipv4 or ipv6 address must be present if isCA is false | ||
networks SEQUENCE OF Network, | ||
unsafeNetworks SEQUENCE OF Network OPTIONAL, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very happy to see this getting renamed from -ips
and -subnets
which were a bit confusing (many people believed subnets was essentially the CIDR part of -ips
.) That being said, calling them both "networks" might also be confusing. I think I'd lean towards simply calling this unsafeRoutes
to match the config option.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not opposed to calling these unsafeRoutes
, it doesn't quite feel right though since this field is describing a network that can be used to configure unsafe routes on another host.
@@ -62,6 +62,7 @@ message NebulaHandshakeDetails { | |||
uint32 ResponderIndex = 3; | |||
uint64 Cookie = 4; | |||
uint64 Time = 5; | |||
uint32 CertVersion = 8; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thoughts on making this an enum to match cert.go?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be a cyclical import for the cert
package or else we'd have to do silly type conversions between the two packages.
I will say using cert.Version*
for protocol level stuff gave me the ick.
default: | ||
return nil, r, ErrInvalidPEMCertificateBanner | ||
} | ||
|
||
if err != nil { | ||
return nil, r, err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
semantics changed a little bit here -- we used to not return the pem-remainder on err, now we do. It's probably fine? It's more consistent with the default/ErrInvalidPEMCertificateBanner
branch.
lighthouse.go
Outdated
func (lhh *LightHouseHandler) handleHostQueryReply(n *NebulaMeta, vpnIp netip.Addr) { | ||
if !lhh.lh.IsLighthouseIP(vpnIp) { | ||
func (lhh *LightHouseHandler) handleHostQueryReply(n *NebulaMeta, reqHostinfo *HostInfo) { | ||
//TODO: this is kind of dumb |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it is dumb, but it raises some good questions about multi-IP stuff. Are we going to require users to put each IP for a lighthouse in their config file? If we do, does it make sense to group them?
lighthouse:
hosts:
- 10.0.0.1 # the old way
- ["fc00::2", "10.0.0.2"] # a new way
similar ideas apply wrt the static host map
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From a user perspective I would say no. I think it would be better to layer in learned lighthouse vpn addrs but as a stop gap I have included a IsAnyLighthouseIP
(which the name is wrong ugh) that checks if any of the addrs are a lighthouse addr.
return err | ||
//set route MTU | ||
for i := range t.vpnNetworks { | ||
if err = t.setDefaultRoute(t.vpnNetworks[i]); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this still races and errors sometimes on my proxmox host. Not sure why. On hosts that use systemd-networkd I haven't observed any issues.
…o to the lighthouse request handler
* send in relays on protocol v2 * remove old comment
* combine icmp and icmpv6 handling in the firewall * correct ipv6 port number interpretation * add unit test, fix orientation of ports * gofmt
* fix nebula-cert json printing * fix test
* dns support for v4 and v6 addresses * fix comment
* lighthouse updates with v2 tunnels * tweak message object location
q, | ||
cache.Get(u.l), | ||
) | ||
r(netip.AddrPortFrom(netip.AddrFrom16(rua.Addr).Unmap(), (rua.Port>>8)|((rua.Port&0xff)<<8)), buffer[:n]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
use binary
to avoid endianness issues
} | ||
if *sf.networks != "" { | ||
for _, rs := range strings.Split(*sf.networks, ",") { | ||
//TODO: error on duplicates? Mainly only addr matters, having two of the same addr in the same or different prefix space is strange |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also no 4in6
if err != nil { | ||
return newHelpErrorf("invalid subnet definition: %s", rs) | ||
return newHelpErrorf("invalid -unsafe-networks definition: %s", rs) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And no 4in6
return fmt.Errorf("error while signing with PKCS#11: %w", err) | ||
|
||
if version == cert.Version1 { | ||
// If we are asked to mint a v1 certificate only then we cant just ignore any v6 addresses |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We arent ignoring them
* relay fixes for multi-IP hosts * more relay fixes * more relay fixes * tighter loop * Revert "relay fixes for multi-IP hosts" This reverts commit ee4495c.
WIP based on cert-interface branch