Hook send should use a code path that actually firewalls

This change enforces that outbound hook traffic will actually be checked by the firewall and added to the conntrack if allowed.
2025-04-14 17:38:30 +00:00 · 2020-10-02 23:42:20 +10:00 · 2020-10-02 23:42:20 +10:00 · 2ee428b067
commit 2ee428b067
parent e9657d571e
3 changed files with 8 additions and 10 deletions
--- a/control.go
+++ b/control.go
@ -192,10 +192,7 @@ func (c *Control) Hook(t NebulaMessageSubType, w func([]byte) error) error {
 // The provided payload will be encapsulated in a Nebula Firewall packet
 // (IPv4 plus ports) from the node IP to the provided destination nebula IP.
 // Any protocol handling above layer 3 (IP) must be managed by the caller.
-func (c *Control) Send(ip uint32, port uint16, t NebulaMessageSubType, payload []byte) {
-	hostinfo := c.f.getOrHandshake(ip)
-	ci := hostinfo.ConnectionState
-
+func (c *Control) Send(ip uint32, port uint16, st NebulaMessageSubType, payload []byte) {
 	headerLen := ipv4.HeaderLen + minFwPacketLen
 	length := headerLen + len(payload)
 	packet := make([]byte, length)
@ -206,13 +203,14 @@ func (c *Control) Send(ip uint32, port uint16, t NebulaMessageSubType, payload [
 	binary.BigEndian.PutUint32(packet[16:20], ip)

 	// Set identical values for src and dst port as they're only
-	// used for nebula firewall rule mataching.
+	// used for nebula firewall rule/conntrack matching.
 	binary.BigEndian.PutUint16(packet[20:22], port)
 	binary.BigEndian.PutUint16(packet[22:24], port)

 	copy(packet[headerLen:], payload)

+	fp := &FirewallPacket{}
 	nb := make([]byte, 12)
 	out := make([]byte, mtu)
-	c.f.sendNoMetrics(message, t, ci, hostinfo, hostinfo.remote, packet, nb, out)
+	c.f.consumeInsidePacket(st, packet, fp, nb, out)
 }
--- a/inside.go
+++ b/inside.go
@ -7,7 +7,7 @@ import (
 	"github.com/sirupsen/logrus"
 )

-func (f *Interface) consumeInsidePacket(packet []byte, fwPacket *FirewallPacket, nb, out []byte) {
+func (f *Interface) consumeInsidePacket(st NebulaMessageSubType, packet []byte, fwPacket *FirewallPacket, nb, out []byte) {
 	err := newPacket(packet, false, fwPacket)
 	if err != nil {
 		l.WithField("packet", packet).Debugf("Error while validating outbound packet: %s", err)
@ -45,7 +45,7 @@ func (f *Interface) consumeInsidePacket(packet []byte, fwPacket *FirewallPacket,
 		// the packet queue.
 		ci.queueLock.Lock()
 		if !ci.ready {
-			hostinfo.cachePacket(message, 0, packet, f.sendMessageNow)
+			hostinfo.cachePacket(message, st, packet, f.sendMessageNow)
 			ci.queueLock.Unlock()
 			return
 		}
@ -54,7 +54,7 @@ func (f *Interface) consumeInsidePacket(packet []byte, fwPacket *FirewallPacket,

 	dropReason := f.firewall.Drop(packet, *fwPacket, false, hostinfo, trustedCAs)
 	if dropReason == nil {
-		mc := f.sendNoMetrics(message, 0, ci, hostinfo, hostinfo.remote, packet, nb, out)
+		mc := f.sendNoMetrics(message, st, ci, hostinfo, hostinfo.remote, packet, nb, out)
 		if f.lightHouse != nil && mc%5000 == 0 {
 			f.lightHouse.Query(fwPacket.RemoteIP, f)
 		}
--- a/interface.go
+++ b/interface.go
@ -196,7 +196,7 @@ func (f *Interface) listenIn(i int) {
 			os.Exit(2)
 		}

-		f.consumeInsidePacket(packet[:n], fwPacket, nb, out)
+		f.consumeInsidePacket(subTypeNone, packet[:n], fwPacket, nb, out)
 	}
 }