Update config parser to allow setting a weight per gateway

Author: dioss-Machiel

examples/config.yml

@@ -234,7 +234,28 @@ tun:
 
   # Unsafe routes allows you to route traffic over nebula to non-nebula nodes
   # Unsafe routes should be avoided unless you have hosts/services that cannot run nebula
-  # NOTE: The nebula certificate of the "via" node *MUST* have the "route" defined as a subnet in its certificate
+  # Supports weighted ECMP if you define a list of gateways, this can be used for load balancing or redundancy to hosts outside of nebula
+  # NOTES:
+  # * You will only see a single gateway in the routing table if you are not on linux
+  # * If a gateway is not reachable through the overlay another gateway will be selected to send the traffic through, ignoring weights
+  #
+  # unsafe_routes:
+  # # Multiple gateways without defining a weight defaults to a weight of 1, this will balance traffic equally between the three gateways
+  # - route: 192.168.87.0/24
+  #   via:
+  #     - gateway: 10.0.0.1
+  #     - gateway: 10.0.0.2
+  #     - gateway: 10.0.0.3
+  # # Multiple gateways with a weight, this will balance traffic accordingly
+  # - route: 192.168.87.0/24
+  #   via:
+  #     - gateway: 10.0.0.1
+  #       weight: 10
+  #     - gateway: 10.0.0.2
+  #       weight: 5
+  #
+  # NOTE: The nebula certificate of the "via" node(s) *MUST* have the "route" defined as a subnet in its certificate
+  # `via`: single node or list of gateways to use for this route
   # `mtu`: will default to tun mtu if this option is not specified
   # `metric`: will default to 0 if this option is not specified
   # `install`: will default to true, controls whether this route is installed in the systems routing table.

overlay/route.go

@@ -18,7 +18,7 @@ type Route struct {
 	MTU     int
 	Metric  int
 	Cidr    netip.Prefix
-	Via     []netip.Addr
+	Via     []routing.Gateway
 	Install bool
 }
 
@@ -55,14 +55,7 @@ func makeRouteTree(l *logrus.Logger, routes []Route, allowMTU bool) (*bart.Table
 			l.WithField("route", r).Warnf("route MTU is not supported in %s", runtime.GOOS)
 		}
 
-		gateways := []routing.Gateway{}
-
-		for _, via := range r.Via {
-			if via.IsValid() {
-				gateways = append(gateways, routing.NewGateway(via, 1))
-			}
-		}
-
+		gateways := r.Via
 		if len(gateways) > 0 {
 			routing.RebalanceGateways(gateways)
 			routeTree.Insert(r.Cidr, gateways)
@@ -211,29 +204,63 @@ func parseUnsafeRoutes(c *config.C, networks []netip.Prefix) ([]Route, error) {
 			return nil, fmt.Errorf("entry %v.via in tun.unsafe_routes is not present", i+1)
 		}
 
-		var viasInConfig = []string{}
-		via, isSingleVia := rVia.(string)
+		var gateways []routing.Gateway
 
-		if !isSingleVia {
-			multiVia, isMultiVia := rVia.([]string)
-
-			if !isMultiVia {
-				return nil, fmt.Errorf("entry %v.via in tun.unsafe_routes is not a string or array of string: found %T", i+1, rVia)
+		switch via := rVia.(type) {
+		case string:
+			viaIp, err := netip.ParseAddr(via)
+			if err != nil {
+				return nil, fmt.Errorf("entry %v.via in tun.unsafe_routes failed to parse address: %v", i+1, err)
 			}
 
-			viasInConfig = append(viasInConfig, multiVia...)
-		} else {
-			viasInConfig = append(viasInConfig, via)
-		}
+			gateways = []routing.Gateway{routing.NewGateway(viaIp, 1)}
+
+		case []interface{}:
+			gateways = make([]routing.Gateway, len(via))
+			for ig, v := range via {
+				gatewayMap, ok := v.(map[interface{}]interface{})
+				if !ok {
+					return nil, fmt.Errorf("entry %v in tun.unsafe_routes[%v].via is invalid", i+1, ig+1)
+				}
+
+				rGateway, ok := gatewayMap["gateway"]
+				if !ok {
+					return nil, fmt.Errorf("entry .gateway in tun.unsafe_routes[%v].via[%v] is not present", i+1, ig+1)
+				}
+
+				parsedGateway, ok := rGateway.(string)
+				if !ok {
+					return nil, fmt.Errorf("entry .gateway in tun.unsafe_routes[%v].via[%v] is not a string", i+1, ig+1)
+				}
+
+				gatewayIp, err := netip.ParseAddr(parsedGateway)
+				if err != nil {
+					return nil, fmt.Errorf("entry .gateway in tun.unsafe_routes[%v].via[%v] failed to parse address: %v", i+1, ig+1, err)
+				}
+
+				rGatewayWeight, ok := gatewayMap["weight"]
+				if !ok {
+					rGatewayWeight = 1
+				}
+
+				gatewayWeight, ok := rGatewayWeight.(int)
+				if !ok {
+					_, err = strconv.ParseInt(rGatewayWeight.(string), 10, 32)
+					if err != nil {
+						return nil, fmt.Errorf("entry .weight in tun.unsafe_routes[%v].via[%v] is not an integer", i+1, ig+1)
+					}
+				}
+
+				if gatewayWeight < 1 || gatewayWeight > math.MaxInt32 {
+					return nil, fmt.Errorf("entry .weight in tun.unsafe_routes[%v].via[%v] is not in range (1-%d) : %v", i+1, ig+1, math.MaxInt32, metric)
+				}
+
+				gateways[ig] = routing.NewGateway(gatewayIp, gatewayWeight)
 
-		var parsedVias = []netip.Addr{}
-		for _, viaString := range viasInConfig {
-			viaVpnIp, err := netip.ParseAddr(viaString)
-			if err != nil {
-				return nil, fmt.Errorf("entry %v.via in tun.unsafe_routes failed to parse address: %v", i+1, err)
 			}
 
-			parsedVias = append(parsedVias, viaVpnIp)
+		default:
+			return nil, fmt.Errorf("entry %v.via in tun.unsafe_routes is not a string or list of gateways: found %T", i+1, rVia)
 		}
 
 		rRoute, ok := m["route"]
@@ -251,7 +278,7 @@ func parseUnsafeRoutes(c *config.C, networks []netip.Prefix) ([]Route, error) {
 		}
 
 		r := Route{
-			Via:     parsedVias,
+			Via:     gateways,
 			MTU:     mtu,
 			Metric:  metric,
 			Install: install,

overlay/route_test.go

@@ -3,7 +3,6 @@ package overlay
 import (
 	"fmt"
 	"net/netip"
-	"reflect"
 	"testing"
 
 	"github.com/slackhq/nebula/config"
@@ -155,26 +154,44 @@ func Test_parseUnsafeRoutes(t *testing.T) {
 
 	// invalid via
 	for _, invalidValue := range []interface{}{
-		127, false, nil, 1.0,
+		127, false, nil, 1.0, []string{"1", "2"},
 	} {
 		c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"via": invalidValue}}}
 		routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 		assert.Nil(t, routes)
-		require.EqualError(t, err, fmt.Sprintf("entry 1.via in tun.unsafe_routes is not a string or array of string: found %T", invalidValue))
+		require.EqualError(t, err, fmt.Sprintf("entry 1.via in tun.unsafe_routes is not a string or list of gateways: found %T", invalidValue))
 	}
 
 	// Unparsable list of via
 	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"via": []string{"1", "2"}}}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
-	assert.EqualError(t, err, fmt.Sprintf("entry 1.via in tun.unsafe_routes failed to parse address: ParseAddr(\"1\"): unable to parse IP"))
+	require.EqualError(t, err, "entry 1.via in tun.unsafe_routes is not a string or list of gateways: found []string")
 
 	// unparsable via
 	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"mtu": "500", "via": "nope"}}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
 	assert.Nil(t, routes)
 	require.EqualError(t, err, "entry 1.via in tun.unsafe_routes failed to parse address: ParseAddr(\"nope\"): unable to parse IP")
 
+	// unparsable gateway
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"mtu": "500", "via": []interface{}{map[interface{}]interface{}{"gateway": "1"}}}}}
+	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
+	assert.Nil(t, routes)
+	require.EqualError(t, err, "entry .gateway in tun.unsafe_routes[1].via[1] failed to parse address: ParseAddr(\"1\"): unable to parse IP")
+
+	// missing gateway element
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"mtu": "500", "via": []interface{}{map[interface{}]interface{}{"weight": "1"}}}}}
+	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
+	assert.Nil(t, routes)
+	require.EqualError(t, err, "entry .gateway in tun.unsafe_routes[1].via[1] is not present")
+
+	// unparsable weight element
+	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"mtu": "500", "via": []interface{}{map[interface{}]interface{}{"gateway": "10.0.0.1", "weight": "a"}}}}}
+	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
+	assert.Nil(t, routes)
+	require.EqualError(t, err, "entry .weight in tun.unsafe_routes[1].via[1] is not an integer")
+
 	// missing route
 	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{map[interface{}]interface{}{"via": "127.0.0.1", "mtu": "500"}}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
@@ -305,51 +322,83 @@ func Test_makeRouteTree(t *testing.T) {
 	assert.False(t, ok)
 }
 
-func sameElements[T comparable](arr1 []T, arr2 []T) bool {
-	if len(arr1) != len(arr2) {
-		return false
-	}
-
-	counts1 := make(map[T]int)
-	counts2 := make(map[T]int)
-
-	for _, v := range arr1 {
-		counts1[v]++
-	}
-	for _, v := range arr2 {
-		counts2[v]++
-	}
-
-	return reflect.DeepEqual(counts1, counts2)
-}
-
-func Test_multipath(t *testing.T) {
+func Test_makeMultipathUnsafeRouteTree(t *testing.T) {
 	l := test.NewLogger()
 	c := config.NewC(l)
 	n, err := netip.ParsePrefix("10.0.0.0/24")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 
-	c.Settings["tun"] = map[interface{}]interface{}{"unsafe_routes": []interface{}{
-		map[interface{}]interface{}{"via": []string{"192.168.0.1", "192.168.0.2", "192.168.0.3"}, "route": "1.0.0.0/16"},
-	}}
+	c.Settings["tun"] = map[interface{}]interface{}{
+		"unsafe_routes": []interface{}{
+			map[interface{}]interface{}{
+				"route": "192.168.86.0/24",
+				"via":   "192.168.100.10",
+			},
+			map[interface{}]interface{}{
+				"route": "192.168.87.0/24",
+				"via": []interface{}{
+					map[interface{}]interface{}{
+						"gateway": "10.0.0.1",
+					},
+					map[interface{}]interface{}{
+						"gateway": "10.0.0.2",
+					},
+					map[interface{}]interface{}{
+						"gateway": "10.0.0.3",
+					},
+				},
+			},
+			map[interface{}]interface{}{
+				"route": "192.168.89.0/24",
+				"via": []interface{}{
+					map[interface{}]interface{}{
+						"gateway": "10.0.0.1",
+						"weight":  10,
+					},
+					map[interface{}]interface{}{
+						"gateway": "10.0.0.2",
+						"weight":  5,
+					},
+				},
+			},
+		},
+	}
 
 	routes, err := parseUnsafeRoutes(c, []netip.Prefix{n})
-	assert.NoError(t, err)
-	assert.Len(t, routes, 1)
+	require.NoError(t, err)
+	assert.Len(t, routes, 3)
 	routeTree, err := makeRouteTree(l, routes, true)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 
-	ip, err := netip.ParseAddr("1.0.0.2")
-	assert.NoError(t, err)
+	ip, err := netip.ParseAddr("192.168.86.1")
+	require.NoError(t, err)
 	r, ok := routeTree.Lookup(ip)
 	assert.True(t, ok)
 
-	nips := []routing.Gateway{}
-	nips = append(nips, routing.NewGateway(netip.MustParseAddr("192.168.0.1"), 1))
-	nips = append(nips, routing.NewGateway(netip.MustParseAddr("192.168.0.2"), 1))
-	nips = append(nips, routing.NewGateway(netip.MustParseAddr("192.168.0.3"), 1))
+	nip, err := netip.ParseAddr("192.168.100.10")
+	require.NoError(t, err)
+	assert.Equal(t, nip, r[0].Ip())
+
+	ip, err = netip.ParseAddr("192.168.87.1")
+	require.NoError(t, err)
+	r, ok = routeTree.Lookup(ip)
+	assert.True(t, ok)
+
+	expectedGateways := []routing.Gateway{routing.NewGateway(netip.MustParseAddr("10.0.0.1"), 1),
+		routing.NewGateway(netip.MustParseAddr("10.0.0.2"), 1),
+		routing.NewGateway(netip.MustParseAddr("10.0.0.3"), 1)}
+
+	routing.RebalanceGateways(expectedGateways)
+	assert.ElementsMatch(t, expectedGateways, r)
+
+	ip, err = netip.ParseAddr("192.168.89.1")
+	require.NoError(t, err)
+	r, ok = routeTree.Lookup(ip)
+	assert.True(t, ok)
 
-	routing.RebalanceGateways(nips)
+	expectedGateways = []routing.Gateway{routing.NewGateway(netip.MustParseAddr("10.0.0.1"), 10),
+		routing.NewGateway(netip.MustParseAddr("10.0.0.2"), 5)}
 
-	assert.ElementsMatch(t, nips, r)
+	routing.RebalanceGateways(expectedGateways)
+	assert.ElementsMatch(t, expectedGateways, r)
 }

overlay/tun_windows.go

@@ -157,7 +157,7 @@ func (t *winTun) addRoutes(logErrors bool) error {
 		// Windows does not support multipath routes natively, so we install only a single route.
 		// This is not a problem as traffic will always be sent to Nebula which handles the multipath routing internally.
 		// In effect this provides multipath routing support to windows supporting loadbalancing and redundancy.
-		err := luid.AddRoute(r.Cidr, r.Via[0], uint32(r.Metric))
+		err := luid.AddRoute(r.Cidr, r.Via[0].Ip(), uint32(r.Metric))
 		if err != nil {
 			retErr := util.NewContextualError("Failed to add route", map[string]interface{}{"route": r}, err)
 			if logErrors {
@@ -203,7 +203,7 @@ func (t *winTun) removeRoutes(routes []Route) error {
 		}
 
 		// See comment on luid.AddRoute
-		err := luid.DeleteRoute(r.Cidr, r.Via[0])
+		err := luid.DeleteRoute(r.Cidr, r.Via[0].Ip())
 		if err != nil {
 			t.l.WithError(err).WithField("route", r).Error("Failed to remove route")
 		} else {