Switch to acknowledging lighthouse host updates

slackhq · May 5, 2023 · 812f674 · 812f674
1 parent 2d08a05
commit 812f674
Show file tree

Hide file tree

Showing 8 changed files with 101 additions and 104 deletions.
diff --git a/cert/cert.pb.go b/cert/cert.pb.go
diff --git a/connection_manager.go b/connection_manager.go
@@ -368,12 +368,6 @@ func (n *connectionManager) makeTrafficDecision(localIndex uint32, p, nb, out []
 			n.sendPunch(hostinfo)
 		}
 
-		if !n.punchy.GetTestLighthouses() && n.intf.lightHouse.IsLighthouseIP(hostinfo.vpnIp) {
-			// We are sending traffic to the lighthouse, let recv_error sort out any issues instead of testing the tunnel
-			n.trafficTimer.Add(hostinfo.localIndexId, n.checkInterval)
-			return doNothing, nil, nil
-		}
-
 		if n.l.Level >= logrus.DebugLevel {
 			hostinfo.logger(n.l).
 				WithField("tunnelCheck", m{"state": "testing", "method": "active"}).

diff --git a/examples/config.yml b/examples/config.yml
@@ -42,13 +42,6 @@ lighthouse:
   hosts:
     - "192.168.100.1"
 
-  # Toggle sending test packets to lighthouse hosts to assert the tunnels are still viable.
-  # Disabling sending test packets to lighthouses can reduce bookkeeping traffic
-  # and load on lighthouses with many tunnels.
-  # Setting to false may lead to connectivity issues if a lighthouse host is behind a NAT or firewall that
-  # tracks outbound packets from the lighthouse to the clients.
-  #send_test_packets: true
-
   # remote_allow_list allows you to control ip ranges that this node will
   # consider when handshaking to another node. By default, any remote IPs are
   # allowed. You can provide CIDRs here with `true` to allow and `false` to

diff --git a/lighthouse.go b/lighthouse.go
@@ -793,11 +793,14 @@ func (lhh *LightHouseHandler) HandleRequest(rAddr *udp.Addr, vpnIp iputil.VpnIp,
 		lhh.handleHostQueryReply(n, vpnIp)
 
 	case NebulaMeta_HostUpdateNotification:
-		lhh.handleHostUpdateNotification(n, vpnIp)
+		lhh.handleHostUpdateNotification(n, vpnIp, w)
 
 	case NebulaMeta_HostMovedNotification:
 	case NebulaMeta_HostPunchNotification:
 		lhh.handleHostPunchNotification(n, vpnIp, w)
+
+	case NebulaMeta_HostUpdateNotificationAck:
+		// noop
 	}
 }
 
@@ -906,7 +909,7 @@ func (lhh *LightHouseHandler) handleHostQueryReply(n *NebulaMeta, vpnIp iputil.V
 	}
 }
 
-func (lhh *LightHouseHandler) handleHostUpdateNotification(n *NebulaMeta, vpnIp iputil.VpnIp) {
+func (lhh *LightHouseHandler) handleHostUpdateNotification(n *NebulaMeta, vpnIp iputil.VpnIp, w EncWriter) {
 	if !lhh.lh.amLighthouse {
 		if lhh.l.Level >= logrus.DebugLevel {
 			lhh.l.Debugln("I am not a lighthouse, do not take host updates: ", vpnIp)
@@ -932,6 +935,19 @@ func (lhh *LightHouseHandler) handleHostUpdateNotification(n *NebulaMeta, vpnIp
 	am.unlockedSetV6(vpnIp, certVpnIp, n.Details.Ip6AndPorts, lhh.lh.unlockedShouldAddV6)
 	am.unlockedSetRelay(vpnIp, certVpnIp, n.Details.RelayVpnIp)
 	am.Unlock()
+
+	n = lhh.resetMeta()
+	n.Type = NebulaMeta_HostUpdateNotificationAck
+	n.Details.VpnIp = uint32(vpnIp)
+	ln, err := n.MarshalTo(lhh.pb)
+
+	if err != nil {
+		lhh.l.WithError(err).WithField("vpnIp", vpnIp).Error("Failed to marshal lighthouse host update ack")
+		return
+	}
+
+	lhh.lh.metricTx(NebulaMeta_HostUpdateNotificationAck, 1)
+	w.SendMessageToVpnIp(header.LightHouse, 0, vpnIp, lhh.pb[:ln], lhh.nb, lhh.out[:0])
 }
 
 func (lhh *LightHouseHandler) handleHostPunchNotification(n *NebulaMeta, vpnIp iputil.VpnIp, w EncWriter) {

diff --git a/message_metrics.go b/message_metrics.go
@@ -84,6 +84,7 @@ func newLighthouseMetrics() *MessageMetrics {
 			NebulaMeta_HostQueryReply,
 			NebulaMeta_HostUpdateNotification,
 			NebulaMeta_HostPunchNotification,
+			NebulaMeta_HostUpdateNotificationAck,
 		}
 		for _, i := range used {
 			h[i] = []metrics.Counter{metrics.GetOrRegisterCounter(fmt.Sprintf("lighthouse.%s.%s", t, i.String()), nil)}

diff --git a/nebula.pb.go b/nebula.pb.go
diff --git a/nebula.proto b/nebula.proto
@@ -15,6 +15,7 @@ message NebulaMeta {
     HostWhoamiReply = 7;
     PathCheck = 8;
     PathCheckReply = 9;
+    HostUpdateNotificationAck = 10;
   }
 
   MessageType Type = 1;

diff --git a/punchy.go b/punchy.go
@@ -14,7 +14,6 @@ type Punchy struct {
 	delay           atomic.Int64
 	respondDelay    atomic.Int64
 	punchEverything atomic.Bool
-	testLighthouses atomic.Bool
 	l               *logrus.Logger
 }
 
@@ -88,13 +87,6 @@ func (p *Punchy) reload(c *config.C, initial bool) {
 			p.l.Infof("punchy.respond_delay changed to %s", p.GetRespondDelay())
 		}
 	}
-
-	if initial || c.HasChanged("lighthouse.send_test_packets") {
-		p.testLighthouses.Store(c.GetBool("lighthouse.send_test_packets", true))
-		if !initial {
-			p.l.Infof("lighthouse.send_test_packets changed to %v", p.GetTestLighthouses())
-		}
-	}
 }
 
 func (p *Punchy) GetPunch() bool {
@@ -116,7 +108,3 @@ func (p *Punchy) GetRespondDelay() time.Duration {
 func (p *Punchy) GetTargetEverything() bool {
 	return p.punchEverything.Load()
 }
-
-func (p *Punchy) GetTestLighthouses() bool {
-	return p.testLighthouses.Load()
-}