2023-01-27 21:37:20 +00:00
|
|
|
// Copyright (c) Tailscale Inc & AUTHORS
|
|
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
2021-02-05 20:44:43 +00:00
|
|
|
|
|
|
|
// Package nmcfg converts a controlclient.NetMap into a wgcfg config.
|
|
|
|
package nmcfg
|
|
|
|
|
|
|
|
import (
|
2021-04-21 17:47:50 +00:00
|
|
|
"bytes"
|
2021-02-05 20:44:43 +00:00
|
|
|
"fmt"
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-26 04:14:09 +00:00
|
|
|
"net/netip"
|
2021-02-05 20:44:43 +00:00
|
|
|
"strings"
|
|
|
|
|
|
|
|
"tailscale.com/net/tsaddr"
|
|
|
|
"tailscale.com/tailcfg"
|
|
|
|
"tailscale.com/types/logger"
|
2023-03-01 03:00:00 +00:00
|
|
|
"tailscale.com/types/logid"
|
2021-02-05 23:44:46 +00:00
|
|
|
"tailscale.com/types/netmap"
|
2021-02-05 20:44:43 +00:00
|
|
|
"tailscale.com/wgengine/wgcfg"
|
|
|
|
)
|
|
|
|
|
2023-08-18 14:57:44 +00:00
|
|
|
func nodeDebugName(n tailcfg.NodeView) string {
|
|
|
|
name := n.Name()
|
2021-02-05 20:44:43 +00:00
|
|
|
if name == "" {
|
2023-08-18 14:57:44 +00:00
|
|
|
name = n.Hostinfo().Hostname()
|
2021-02-05 20:44:43 +00:00
|
|
|
}
|
|
|
|
if i := strings.Index(name, "."); i != -1 {
|
|
|
|
name = name[:i]
|
|
|
|
}
|
2023-08-18 14:57:44 +00:00
|
|
|
if name == "" && n.Addresses().Len() != 0 {
|
|
|
|
return n.Addresses().At(0).String()
|
2021-02-05 20:44:43 +00:00
|
|
|
}
|
|
|
|
return name
|
|
|
|
}
|
|
|
|
|
|
|
|
// cidrIsSubnet reports whether cidr is a non-default-route subnet
|
|
|
|
// exported by node that is not one of its own self addresses.
|
2023-08-18 14:57:44 +00:00
|
|
|
func cidrIsSubnet(node tailcfg.NodeView, cidr netip.Prefix) bool {
|
2021-05-15 01:07:28 +00:00
|
|
|
if cidr.Bits() == 0 {
|
2021-02-05 20:44:43 +00:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
if !cidr.IsSingleIP() {
|
|
|
|
return true
|
|
|
|
}
|
2024-02-25 15:57:11 +00:00
|
|
|
for i := range node.Addresses().Len() {
|
2023-08-18 14:57:44 +00:00
|
|
|
selfCIDR := node.Addresses().At(i)
|
2021-02-05 20:44:43 +00:00
|
|
|
if cidr == selfCIDR {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2022-05-04 19:10:17 +00:00
|
|
|
// WGCfg returns the NetworkMaps's WireGuard configuration.
|
2021-02-25 04:05:23 +00:00
|
|
|
func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags, exitNode tailcfg.StableNodeID) (*wgcfg.Config, error) {
|
2021-02-05 20:44:43 +00:00
|
|
|
cfg := &wgcfg.Config{
|
|
|
|
Name: "tailscale",
|
2021-10-28 17:44:34 +00:00
|
|
|
PrivateKey: nm.PrivateKey,
|
2023-09-18 06:31:34 +00:00
|
|
|
Addresses: nm.GetAddresses().AsSlice(),
|
2021-02-05 20:44:43 +00:00
|
|
|
Peers: make([]wgcfg.Peer, 0, len(nm.Peers)),
|
|
|
|
}
|
|
|
|
|
2022-10-06 23:19:38 +00:00
|
|
|
// Setup log IDs for data plane audit logging.
|
2023-08-21 17:53:57 +00:00
|
|
|
if nm.SelfNode.Valid() {
|
|
|
|
cfg.NodeID = nm.SelfNode.StableID()
|
2023-09-18 16:36:26 +00:00
|
|
|
canNetworkLog := nm.SelfNode.HasCap(tailcfg.CapabilityDataPlaneAuditLogs)
|
2023-08-21 17:53:57 +00:00
|
|
|
if canNetworkLog && nm.SelfNode.DataPlaneAuditLogID() != "" && nm.DomainAuditLogID != "" {
|
|
|
|
nodeID, errNode := logid.ParsePrivateID(nm.SelfNode.DataPlaneAuditLogID())
|
2022-10-06 23:19:38 +00:00
|
|
|
if errNode != nil {
|
|
|
|
logf("[v1] wgcfg: unable to parse node audit log ID: %v", errNode)
|
|
|
|
}
|
2023-03-01 03:00:00 +00:00
|
|
|
domainID, errDomain := logid.ParsePrivateID(nm.DomainAuditLogID)
|
2022-10-06 23:19:38 +00:00
|
|
|
if errDomain != nil {
|
|
|
|
logf("[v1] wgcfg: unable to parse domain audit log ID: %v", errDomain)
|
|
|
|
}
|
|
|
|
if errNode == nil && errDomain == nil {
|
|
|
|
cfg.NetworkLogging.NodeID = nodeID
|
|
|
|
cfg.NetworkLogging.DomainID = domainID
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-04-21 17:47:50 +00:00
|
|
|
// Logging buffers
|
|
|
|
skippedUnselected := new(bytes.Buffer)
|
|
|
|
skippedIPs := new(bytes.Buffer)
|
|
|
|
skippedSubnets := new(bytes.Buffer)
|
|
|
|
|
2021-02-05 20:44:43 +00:00
|
|
|
for _, peer := range nm.Peers {
|
2023-08-18 14:57:44 +00:00
|
|
|
if peer.DiscoKey().IsZero() && peer.DERP() == "" && !peer.IsWireGuardOnly() {
|
2021-09-01 22:29:06 +00:00
|
|
|
// Peer predates both DERP and active discovery, we cannot
|
|
|
|
// communicate with it.
|
2023-08-18 14:57:44 +00:00
|
|
|
logf("[v1] wgcfg: skipped peer %s, doesn't offer DERP or disco", peer.Key().ShortString())
|
2021-09-01 22:29:06 +00:00
|
|
|
continue
|
|
|
|
}
|
2024-04-19 19:35:34 +00:00
|
|
|
// Skip expired peers; we'll end up failing to connect to them
|
|
|
|
// anyway, since control intentionally breaks node keys for
|
|
|
|
// expired peers so that we can't discover endpoints via DERP.
|
|
|
|
if peer.Expired() {
|
|
|
|
logf("[v1] wgcfg: skipped expired peer %s", peer.Key().ShortString())
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2021-02-05 20:44:43 +00:00
|
|
|
cfg.Peers = append(cfg.Peers, wgcfg.Peer{
|
2023-08-18 14:57:44 +00:00
|
|
|
PublicKey: peer.Key(),
|
|
|
|
DiscoKey: peer.DiscoKey(),
|
2021-02-05 20:44:43 +00:00
|
|
|
})
|
|
|
|
cpeer := &cfg.Peers[len(cfg.Peers)-1]
|
|
|
|
|
2021-03-31 16:51:55 +00:00
|
|
|
didExitNodeWarn := false
|
2023-08-18 14:57:44 +00:00
|
|
|
cpeer.V4MasqAddr = peer.SelfNodeV4MasqAddrForThisPeer()
|
2023-09-19 00:03:53 +00:00
|
|
|
cpeer.V6MasqAddr = peer.SelfNodeV6MasqAddrForThisPeer()
|
2024-02-25 15:57:11 +00:00
|
|
|
for i := range peer.AllowedIPs().Len() {
|
2023-08-18 14:57:44 +00:00
|
|
|
allowedIP := peer.AllowedIPs().At(i)
|
|
|
|
if allowedIP.Bits() == 0 && peer.StableID() != exitNode {
|
2021-03-31 16:51:55 +00:00
|
|
|
if didExitNodeWarn {
|
|
|
|
// Don't log about both the IPv4 /0 and IPv6 /0.
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
didExitNodeWarn = true
|
2021-04-21 17:47:50 +00:00
|
|
|
if skippedUnselected.Len() > 0 {
|
|
|
|
skippedUnselected.WriteString(", ")
|
|
|
|
}
|
2023-08-18 14:57:44 +00:00
|
|
|
fmt.Fprintf(skippedUnselected, "%q (%v)", nodeDebugName(peer), peer.Key().ShortString())
|
2021-02-25 04:05:23 +00:00
|
|
|
continue
|
2022-07-25 03:08:42 +00:00
|
|
|
} else if allowedIP.IsSingleIP() && tsaddr.IsTailscaleIP(allowedIP.Addr()) && (flags&netmap.AllowSingleHosts) == 0 {
|
2021-04-21 17:47:50 +00:00
|
|
|
if skippedIPs.Len() > 0 {
|
|
|
|
skippedIPs.WriteString(", ")
|
|
|
|
}
|
2023-08-18 14:57:44 +00:00
|
|
|
fmt.Fprintf(skippedIPs, "%v from %q (%v)", allowedIP.Addr(), nodeDebugName(peer), peer.Key().ShortString())
|
2021-02-05 20:44:43 +00:00
|
|
|
continue
|
|
|
|
} else if cidrIsSubnet(peer, allowedIP) {
|
2021-02-05 23:44:46 +00:00
|
|
|
if (flags & netmap.AllowSubnetRoutes) == 0 {
|
2021-04-21 17:47:50 +00:00
|
|
|
if skippedSubnets.Len() > 0 {
|
|
|
|
skippedSubnets.WriteString(", ")
|
|
|
|
}
|
2023-08-18 14:57:44 +00:00
|
|
|
fmt.Fprintf(skippedSubnets, "%v from %q (%v)", allowedIP, nodeDebugName(peer), peer.Key().ShortString())
|
2021-02-05 20:44:43 +00:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
cpeer.AllowedIPs = append(cpeer.AllowedIPs, allowedIP)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-04-21 17:47:50 +00:00
|
|
|
if skippedUnselected.Len() > 0 {
|
|
|
|
logf("[v1] wgcfg: skipped unselected default routes from: %s", skippedUnselected.Bytes())
|
|
|
|
}
|
|
|
|
if skippedIPs.Len() > 0 {
|
|
|
|
logf("[v1] wgcfg: skipped node IPs: %s", skippedIPs)
|
|
|
|
}
|
|
|
|
if skippedSubnets.Len() > 0 {
|
|
|
|
logf("[v1] wgcfg: did not accept subnet routes: %s", skippedSubnets)
|
|
|
|
}
|
|
|
|
|
2021-02-05 20:44:43 +00:00
|
|
|
return cfg, nil
|
|
|
|
}
|