
Fix UDP listener on IPv4-only Linux #787

Merged (6 commits, Jan 30, 2024)

Conversation

perfecto25 (Contributor) commented Nov 30, 2022

Fixes #467 - allows nebula to run on IPv4-only hosts.

Rebased to latest nebula master.

Based on work from https://github.com/jilyaluk in #506.

  • tested on Linux CentOS 7 x64, working on both IPv6 and IPv4 hosts

CLAassistant commented Nov 30, 2022

CLA assistant check
All committers have signed the CLA.

@wadey wadey added this to the v1.7.0 milestone Feb 20, 2023
@nbrownus nbrownus modified the milestones: v1.7.0, v1.8.0 Apr 12, 2023
@nbrownus nbrownus modified the milestones: v1.8.0, v1.9.0 Oct 30, 2023

Thanks for the contribution! Before we can merge this, we need @perfecto25 to sign the Salesforce Inc. Contributor License Agreement.

@johnmaguire johnmaguire changed the title Ipv4 allowed Fix UDP listener on IPv4-only Linux Jan 22, 2024
johnmaguire (Collaborator) commented Jan 24, 2024

I tested this on an IPv4-only Arch Linux VM (disabled via kernel command line in GRUB) and it seems to be working.

# ipv6 is disabled
[root@archlinux ~]# cat /sys/module/ipv6/parameters/disable
1

# nebula v1.8.2
[root@archlinux ~]# ./nebula -config config.yml
INFO[0000] Firewall rule added                           firewallRule="map[caName: caSha: direction:outgoing endPort:0 groups:[] host:any ip: localIp: proto:0 startPort:0]"
INFO[0000] Firewall rule added                           firewallRule="map[caName: caSha: direction:incoming endPort:0 groups:[] host:any ip: localIp: proto:1 startPort:0]"
INFO[0000] Firewall rule added                           firewallRule="map[caName: caSha: direction:incoming endPort:443 groups:[laptop home] host: ip: localIp: proto:6 startPort:443]"
INFO[0000] Firewall started                              firewallHashes="SHA:58e2e90dab9bc5d50b9e164e6b1b0cb09c5168fc46847e3b1b3a5026d4d3de63,FNV:322409501"
INFO[0000] listening "0.0.0.0" 4242
ERRO[0000] Failed to open udp listener                   error="unable to open socket: address family not supported by protocol" queue=0

# nebula ipv4-allowed
[root@archlinux ~]# ./nebula -config config.yml
INFO[0000] Firewall rule added                           firewallRule="map[caName: caSha: direction:outgoing endPort:0 groups:[] host:any ip: localIp: proto:0 startPort:0]"
INFO[0000] Firewall rule added                           firewallRule="map[caName: caSha: direction:incoming endPort:0 groups:[] host:any ip: localIp: proto:1 startPort:0]"
INFO[0000] Firewall rule added                           firewallRule="map[caName: caSha: direction:incoming endPort:443 groups:[laptop home] host: ip: localIp: proto:6 startPort:443]"
INFO[0000] Firewall started                              firewallHashes="SHA:58e2e90dab9bc5d50b9e164e6b1b0cb09c5168fc46847e3b1b3a5026d4d3de63,FNV:322409501"
INFO[0000] listening "0.0.0.0" 4242
INFO[0000] Main HostMap created                          network=192.168.100.1/24 preferredRanges="[]"
INFO[0000] punchy enabled
INFO[0000] Loaded send_recv_error config                 sendRecvError=always
INFO[0000] Nebula interface is active                    boringcrypto=false build=1.8.2-ipv4-allowed-6-geca9f7a interface=nebula1 network=192.168.100.1/24 udpAddr="0.0.0.0:4242"
INFO[0000] Handshake message sent                        handshake="map[stage:1 style:ix_psk0]" initiatorIndex=821382157 localIndex=821382157 remoteIndex=0 udpAddrs="[100.64.22.11:4242]" vpnIp=192.168.100.1
^CINFO[0002] Caught signal, shutting down                  signal=interrupt
INFO[0002] Goodbye

I also built a development build of dnclient with it which I'm running on the VM without issue. The only thing to note is that you need to make sure listen.host is set to 0.0.0.0 and not [::].

johnmaguire (Collaborator) commented

Just as a note, I experimented with whether we can disable IPv6 using sysctl to invoke the error, as this would allow us to add a container to our smoke test to verify this. Unfortunately, it looks like setting sysctls is not enough - IPv6 needs to be disabled via the kernel command line.

# ipv6 is disabled via sysctl
root@nebula-ipv4-container:~# cat /etc/sysctl.conf
... snip ...

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1

# no ipv6 addresses
root@nebula-ipv4-container:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:69:ca:5d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.56.193/24 metric 100 brd 192.168.56.255 scope global dynamic eth0
       valid_lft 3407sec preferred_lft 3407sec

# nebula v1.8.2 does not produce the expected error
root@nebula-ipv4-container:~# ./nebula -config config.yml
INFO[0000] Firewall rule added                           firewallRule="map[caName: caSha: direction:outgoing endPort:0 groups:[] host:any ip: localIp: proto:0 startPort:0]"
INFO[0000] Firewall rule added                           firewallRule="map[caName: caSha: direction:incoming endPort:0 groups:[] host:any ip: localIp: proto:1 startPort:0]"
INFO[0000] Firewall rule added                           firewallRule="map[caName: caSha: direction:incoming endPort:443 groups:[laptop home] host: ip: localIp: proto:6 startPort:443]"
INFO[0000] Firewall started                              firewallHashes="SHA:58e2e90dab9bc5d50b9e164e6b1b0cb09c5168fc46847e3b1b3a5026d4d3de63,FNV:322409501"
INFO[0000] listening "0.0.0.0" 4242
INFO[0000] Main HostMap created                          network=192.168.100.1/24 preferredRanges="[]"
INFO[0000] punchy enabled
INFO[0000] Loaded send_recv_error config                 sendRecvError=always
INFO[0000] Nebula interface is active                    boringcrypto=false build=1.8.2 interface=nebula1 network=192.168.100.1/24 udpAddr="0.0.0.0:4242"
ERRO[0000] Failed to set tun tx queue length             error="operation not permitted"
INFO[0000] Handshake message sent                        handshake="map[stage:1 style:ix_psk0]" initiatorIndex=4277378970 localIndex=4277378970 remoteIndex=0 udpAddrs="[100.64.22.11:4242]" vpnIp=192.168.100.1
^CINFO[0001] Caught signal, shutting down                  signal=interrupt
INFO[0001] Goodbye
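
The two comments above describe the same failure mode from both sides: on a kernel booted with `ipv6.disable=1`, opening an `AF_INET6` socket fails with "address family not supported by protocol", so an IPv4 bind address has to get an `AF_INET` socket; on a host where IPv6 is only switched off via sysctl, the `AF_INET6` socket call still succeeds and the error never appears. The following is an added example written for this page, not nebula's own listener code. The `socketFunc` injection point, the `parseListenHost` helper and its stripping of the brackets in `[::]` are assumptions of the example; the family-selection rule and the `IPV6_V6ONLY` dual-stack setting are standard socket-API behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"os"
	"strings"
	"syscall"
)

// socketFunc has the shape of syscall.Socket so the open path can be driven by a
// fake "kernel" that refuses AF_INET6, the way a host booted with ipv6.disable=1
// does. In real use, pass syscall.Socket. (Assumption of this example.)
type socketFunc func(domain, typ, proto int) (int, error)

// parseListenHost accepts the listen.host forms mentioned in the thread
// ("0.0.0.0", "::" and the bracketed "[::]"). Bracket stripping is an
// assumption of this example, not nebula's config parser.
func parseListenHost(host string) (netip.Addr, error) {
	return netip.ParseAddr(strings.Trim(strings.TrimSpace(host), "[]"))
}

// familyFor picks the socket family from the bind address. Always opening
// AF_INET6 and binding a v4-mapped address is exactly what fails with
// "address family not supported by protocol" on an IPv4-only kernel, so an
// IPv4 (or v4-mapped) address gets a plain AF_INET socket instead.
func familyFor(addr netip.Addr) int {
	if addr.Unmap().Is4() {
		return syscall.AF_INET
	}
	return syscall.AF_INET6
}

// sockaddrFor builds the bind target matching familyFor's choice.
func sockaddrFor(addr netip.Addr, port int) syscall.Sockaddr {
	if a4 := addr.Unmap(); a4.Is4() {
		return &syscall.SockaddrInet4{Port: port, Addr: a4.As4()}
	}
	return &syscall.SockaddrInet6{Port: port, Addr: addr.As16()}
}

// socketFor opens the UDP socket for addr. When the kernel lacks the IPv6
// family entirely (EAFNOSUPPORT) the error names the configuration change
// instead of surfacing the bare syscall text. Disabling IPv6 via sysctl does
// not reach this branch: the family still exists, only addresses are gone.
func socketFor(addr netip.Addr, socket socketFunc) (int, error) {
	fam := familyFor(addr)
	fd, err := socket(fam, syscall.SOCK_DGRAM, syscall.IPPROTO_UDP)
	if err != nil {
		if fam == syscall.AF_INET6 && errors.Is(err, syscall.EAFNOSUPPORT) {
			return -1, fmt.Errorf("ipv6 is not available on this host; set listen.host to 0.0.0.0 instead of %s: %w", addr, err)
		}
		return -1, fmt.Errorf("unable to open socket: %w", err)
	}
	return fd, nil
}

// bindUDP completes the listener: dual-stack on an IPv6 socket, then bind.
func bindUDP(fd int, addr netip.Addr, port int) error {
	if familyFor(addr) == syscall.AF_INET6 {
		// Accept IPv4 peers as v4-mapped addresses on the IPv6 socket.
		if err := syscall.SetsockoptInt(fd, syscall.IPPROTO_IPV6, syscall.IPV6_V6ONLY, 0); err != nil {
			return fmt.Errorf("clear IPV6_V6ONLY: %w", err)
		}
	}
	if err := syscall.Bind(fd, sockaddrFor(addr, port)); err != nil {
		return fmt.Errorf("bind %s:%d: %w", addr, port, err)
	}
	return nil
}

func main() {
	// Demo: open a real listener on the IPv4 loopback with an ephemeral port.
	addr, err := parseListenHost("127.0.0.1")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fd, err := socketFor(addr, syscall.Socket)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer syscall.Close(fd)
	if err := bindUDP(fd, addr, 0); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("udp listener open on %s using address family %d\n", addr, familyFor(addr))
}
```

The injectable `socketFunc` is what makes the IPv4-only case testable on a normal dual-stack machine: a fake that returns `EAFNOSUPPORT` for `AF_INET6` reproduces the error from the first log excerpt, which, as the second comment notes, a sysctl-only setup cannot trigger.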

  • Make this a lot simpler, we don't need to copy/paste so much from the stdlib
  • Instead of keeping the unsafe.Pointers in a variable, do them all in one line.
@wadey wadey merged commit 0f0534d into slackhq:master Jan 30, 2024
7 checks passed
@wadey wadey mentioned this pull request May 6, 2024
Development

Successfully merging this pull request may close these issues.

Nebula will not start on ipv4-only host
5 participants