honor remote_allow_ilst in hole punch response

When we receive a "hole punch notification" from a Lighthouse, we send a hole punch packet to every remote of that host, even if we don't include those remotes in our "remote_allow_list". Change the logic here to check if the remote IP is in our allow list before sending the hole punch packet.
slackhq · Jul 23, 2024 · 1170ff1 · 1170ff1
1 parent e6009b8
commit 1170ff1
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/lighthouse.go b/lighthouse.go
@@ -1125,12 +1125,18 @@ func (lhh *LightHouseHandler) handleHostPunchNotification(n *NebulaMeta, vpnIp i
 		}
 	}
 
+	remoteVpnIp := iputil.VpnIp(n.Details.VpnIp)
+	remoteAllowList := lhh.lh.GetRemoteAllowList()
 	for _, a := range n.Details.Ip4AndPorts {
-		punch(NewUDPAddrFromLH4(a))
+		if remoteAllowList.AllowIpV4(remoteVpnIp, iputil.VpnIp(a.Ip)) {
+			punch(NewUDPAddrFromLH4(a))
+		}
 	}
 
 	for _, a := range n.Details.Ip6AndPorts {
-		punch(NewUDPAddrFromLH6(a))
+		if remoteAllowList.AllowIpV6(remoteVpnIp, a.Hi, a.Lo) {
+			punch(NewUDPAddrFromLH6(a))
+		}
 	}
 
 	// This sends a nebula test packet to the host trying to contact us. In the case