nixos/nebula: default to port 0 for hosts other than lighthouse/relay #280836
Conversation
Tests pass even without #279826 merged, but that will probably remove edge cases that this change may hit.
c65f881 to 80f0dec
@magneticflux- thanks for the patch, applied it and pushed.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review/3032/3351
@Br1ght0ne @Jaculabilis does this look good to merge?
80f0dec to 32f56d7
Any chance of getting this merged soon?
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-already-reviewed/2617/1479
@@ -229,7 +253,7 @@ in | |||
|
|||
# Open the chosen ports for UDP. | |||
networking.firewall.allowedUDPPorts = | |||
unique (mapAttrsToList (netName: netCfg: netCfg.listen.port) enabledNetworks); | |||
unique (filter (port: port > 0) (mapAttrsToList (netName: netCfg: resolveFinalPort netCfg) enabledNetworks)); |
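Review bot: the `port > 0` filter keys the firewall opening on the resolved port value rather than on the network's role, so a non-lighthouse, non-relay network whose `listen.port` is explicitly set to a non-zero value still gets an inbound UDP rule it does not need. Consider selecting only lighthouse/relay networks from `enabledNetworks` before mapping them through `resolveFinalPort`, which also makes the `port > 0` guard unnecessary; and confirm `filter` is brought into scope in this module the same way `unique` and `mapAttrsToList` are.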
Q: how does this know which port to open on the firewall? Seems the resolveFinalPort function just returns 4242 or 0, and in the case of 0, how will the firewall know which port nebula chose?
Non-lighthouse Nebula nodes do not need an inbound firewall rule.
AFAIK, the P2P connection is established with normal NAT- and firewall-punching techniques, where both nodes use outbound connections to coordinate through the lighthouse, which then eventually hands off each connection to the other node.
That had been my impression as well, but locally trying to change the port to 0 resulted in not being able to connect to the computer over nebula (although maybe it was something else in my setup). In the least, if that is the case, we should remove the line opening that port
> how does this know which port to open on the firewall?

It doesn't; we don't open any ports when port 0 is chosen (the default for non-lighthouse and non-relay nodes) because it's not needed and because we can't (it's chosen at runtime, after the NixOS configuration is built).

> In the least, if that is the case, we should remove the line opening that port

That line exists to filter out port 0, since it's not a real port (it's reserved by the TCP/IP spec itself). We only want to add a firewall opening if the node is a lighthouse (or relay), which implies (but is not implied by) a non-zero port. In this case, we would unnecessarily open a non-lighthouse node's port if it is explicitly set, but I don't think it's a problem.

> That had been my impression as well, but locally trying to change the port to 0 resulted in not being able to connect to the computer over nebula (although maybe it was something else in my setup).

There might be another problem with your setup; I have a lighthouse node exposed to the internet on port 4242 and 4 other nodes with port 0 (i.e. randomly chosen at Nebula startup), and they can all see and connect directly to each other, even through NAT.

For reference, Nebula needs at least one "lighthouse" node that is accessible at a fixed location and port (this may involve opening firewall ports, port-forwarding on a router, and possibly setting up a DNS name). The other nodes connect to the lighthouse(s) and perform that NAT-punching handoff with whatever random port they chose when starting up.
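As an added illustration (not code from the nixpkgs module or from this PR), the following stand-alone Nix expression models the port-resolution and firewall-filter logic discussed in this thread. It assumes a hypothetical `resolveFinalPort` that returns an explicit `listen.port` when set and otherwise 4242 for lighthouse/relay networks and 0 for everything else, and it uses the option names `isLighthouse` and `isRelay` as assumptions; the networks are constructed sample data. It evaluates with `nix eval --file nebula-ports.nix` and contrasts the PR's value-based filter (`port > 0`) with a role-based filter that opens ports only for lighthouse/relay networks.

```nix
# Added example, not the nixpkgs nebula module: a self-contained model of
# how allowedUDPPorts is derived from per-network Nebula settings.
# Evaluate with: nix eval --file nebula-ports.nix
let
  # Assumed default for nodes that must be reachable at a fixed port.
  defaultPort = 4242;

  # Constructed sample networks. Option names isLighthouse/isRelay and
  # listen.port are assumptions; null means "not explicitly set".
  enabledNetworks = {
    mesh-lighthouse = { isLighthouse = true;  isRelay = false; listen.port = null; };
    mesh-relay      = { isLighthouse = false; isRelay = true;  listen.port = null; };
    laptop          = { isLighthouse = false; isRelay = false; listen.port = null; };
    pinned          = { isLighthouse = false; isRelay = false; listen.port = 5000; };
  };

  # Hypothetical resolveFinalPort: an explicit port wins; otherwise
  # lighthouse/relay nodes get the fixed default and all others get 0,
  # meaning the kernel picks a free UDP port when Nebula starts.
  resolveFinalPort = netCfg:
    if netCfg.listen.port != null then netCfg.listen.port
    else if netCfg.isLighthouse || netCfg.isRelay then defaultPort
    else 0;

  # Minimal stand-ins for lib.unique and lib.mapAttrsToList so the file
  # evaluates without importing nixpkgs.
  unique = builtins.foldl'
    (acc: x: if builtins.elem x acc then acc else acc ++ [ x ]) [ ];
  mapAttrsToList = f: set:
    map (name: f name set.${name}) (builtins.attrNames set);

  # Variant 1: the PR's approach. Drop port 0 (not a real port) and open
  # whatever is left. An explicitly set port on a plain host is opened too.
  portsByValue = unique
    (builtins.filter (port: port > 0)
      (mapAttrsToList (_: netCfg: resolveFinalPort netCfg) enabledNetworks));

  # Variant 2: select on role first. Only lighthouse/relay networks ever
  # need an inbound rule, so the port-0 guard becomes unnecessary.
  listeningNets = builtins.filter
    (name: let c = enabledNetworks.${name}; in c.isLighthouse || c.isRelay)
    (builtins.attrNames enabledNetworks);
  portsByRole = unique
    (map (name: resolveFinalPort enabledNetworks.${name}) listeningNets);
in
{
  inherit portsByValue portsByRole;
}
```

With the sample data, the `pinned` host's explicit non-zero port survives the value-based filter even though it is neither a lighthouse nor a relay, which is exactly the case the author describes as harmless; the role-based variant leaves that port closed and opens only the port the lighthouse and relay listen on.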
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-already-reviewed/2617/1499
Any chance of merge in time for 24.05?
@ofborg test nebula
Description of changes
Fixes #277066.