2023-01-27 13:37:20 -08:00
|
|
|
// Copyright (c) Tailscale Inc & AUTHORS
|
|
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
2021-02-05 12:44:43 -08:00
|
|
|
|
|
|
|
// Package nmcfg converts a controlclient.NetMap into a wgcfg config.
|
|
|
|
package nmcfg
|
|
|
|
|
|
|
|
import (
|
2021-04-21 10:47:50 -07:00
|
|
|
"bytes"
|
2021-02-05 12:44:43 -08:00
|
|
|
"fmt"
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-25 21:14:09 -07:00
|
|
|
"net/netip"
|
2021-02-05 12:44:43 -08:00
|
|
|
"strings"
|
|
|
|
|
2022-10-06 16:19:38 -07:00
|
|
|
"golang.org/x/exp/slices"
|
2021-02-05 12:44:43 -08:00
|
|
|
"tailscale.com/net/tsaddr"
|
|
|
|
"tailscale.com/tailcfg"
|
|
|
|
"tailscale.com/types/logger"
|
2023-02-28 19:00:00 -08:00
|
|
|
"tailscale.com/types/logid"
|
2021-02-05 15:44:46 -08:00
|
|
|
"tailscale.com/types/netmap"
|
2021-02-05 12:44:43 -08:00
|
|
|
"tailscale.com/wgengine/wgcfg"
|
|
|
|
)
|
|
|
|
|
|
|
|
func nodeDebugName(n *tailcfg.Node) string {
|
|
|
|
name := n.Name
|
|
|
|
if name == "" {
|
2022-02-15 08:19:44 -08:00
|
|
|
name = n.Hostinfo.Hostname()
|
2021-02-05 12:44:43 -08:00
|
|
|
}
|
|
|
|
if i := strings.Index(name, "."); i != -1 {
|
|
|
|
name = name[:i]
|
|
|
|
}
|
|
|
|
if name == "" && len(n.Addresses) != 0 {
|
|
|
|
return n.Addresses[0].String()
|
|
|
|
}
|
|
|
|
return name
|
|
|
|
}
|
|
|
|
|
|
|
|
// cidrIsSubnet reports whether cidr is a non-default-route subnet
|
|
|
|
// exported by node that is not one of its own self addresses.
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-25 21:14:09 -07:00
|
|
|
func cidrIsSubnet(node *tailcfg.Node, cidr netip.Prefix) bool {
|
2021-05-14 18:07:28 -07:00
|
|
|
if cidr.Bits() == 0 {
|
2021-02-05 12:44:43 -08:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
if !cidr.IsSingleIP() {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
for _, selfCIDR := range node.Addresses {
|
|
|
|
if cidr == selfCIDR {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2022-05-04 12:10:17 -07:00
|
|
|
// WGCfg returns the NetworkMaps's WireGuard configuration.
|
2021-02-24 20:05:23 -08:00
|
|
|
func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags, exitNode tailcfg.StableNodeID) (*wgcfg.Config, error) {
|
2021-02-05 12:44:43 -08:00
|
|
|
cfg := &wgcfg.Config{
|
|
|
|
Name: "tailscale",
|
2021-10-28 10:44:34 -07:00
|
|
|
PrivateKey: nm.PrivateKey,
|
2021-02-05 12:44:43 -08:00
|
|
|
Addresses: nm.Addresses,
|
|
|
|
Peers: make([]wgcfg.Peer, 0, len(nm.Peers)),
|
|
|
|
}
|
|
|
|
|
2022-10-06 16:19:38 -07:00
|
|
|
// Setup log IDs for data plane audit logging.
|
|
|
|
if nm.SelfNode != nil {
|
2022-10-28 10:09:30 -07:00
|
|
|
cfg.NodeID = nm.SelfNode.StableID
|
2022-10-06 16:19:38 -07:00
|
|
|
canNetworkLog := slices.Contains(nm.SelfNode.Capabilities, tailcfg.CapabilityDataPlaneAuditLogs)
|
|
|
|
if canNetworkLog && nm.SelfNode.DataPlaneAuditLogID != "" && nm.DomainAuditLogID != "" {
|
2023-02-28 19:00:00 -08:00
|
|
|
nodeID, errNode := logid.ParsePrivateID(nm.SelfNode.DataPlaneAuditLogID)
|
2022-10-06 16:19:38 -07:00
|
|
|
if errNode != nil {
|
|
|
|
logf("[v1] wgcfg: unable to parse node audit log ID: %v", errNode)
|
|
|
|
}
|
2023-02-28 19:00:00 -08:00
|
|
|
domainID, errDomain := logid.ParsePrivateID(nm.DomainAuditLogID)
|
2022-10-06 16:19:38 -07:00
|
|
|
if errDomain != nil {
|
|
|
|
logf("[v1] wgcfg: unable to parse domain audit log ID: %v", errDomain)
|
|
|
|
}
|
|
|
|
if errNode == nil && errDomain == nil {
|
|
|
|
cfg.NetworkLogging.NodeID = nodeID
|
|
|
|
cfg.NetworkLogging.DomainID = domainID
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-04-21 10:47:50 -07:00
|
|
|
// Logging buffers
|
|
|
|
skippedUnselected := new(bytes.Buffer)
|
|
|
|
skippedIPs := new(bytes.Buffer)
|
|
|
|
skippedSubnets := new(bytes.Buffer)
|
|
|
|
|
2021-02-05 12:44:43 -08:00
|
|
|
for _, peer := range nm.Peers {
|
2023-04-05 17:28:28 -07:00
|
|
|
if peer.DiscoKey.IsZero() && peer.DERP == "" && !peer.IsWireGuardOnly {
|
2021-09-01 15:29:06 -07:00
|
|
|
// Peer predates both DERP and active discovery, we cannot
|
|
|
|
// communicate with it.
|
|
|
|
logf("[v1] wgcfg: skipped peer %s, doesn't offer DERP or disco", peer.Key.ShortString())
|
|
|
|
continue
|
|
|
|
}
|
2021-02-05 12:44:43 -08:00
|
|
|
cfg.Peers = append(cfg.Peers, wgcfg.Peer{
|
2021-11-01 20:55:52 -07:00
|
|
|
PublicKey: peer.Key,
|
2021-11-02 14:41:56 -07:00
|
|
|
DiscoKey: peer.DiscoKey,
|
2021-02-05 12:44:43 -08:00
|
|
|
})
|
|
|
|
cpeer := &cfg.Peers[len(cfg.Peers)-1]
|
|
|
|
if peer.KeepAlive {
|
|
|
|
cpeer.PersistentKeepalive = 25 // seconds
|
|
|
|
}
|
|
|
|
|
2021-03-31 09:51:55 -07:00
|
|
|
didExitNodeWarn := false
|
2023-03-29 09:51:18 -07:00
|
|
|
cpeer.V4MasqAddr = peer.SelfNodeV4MasqAddrForThisPeer
|
2021-02-05 12:44:43 -08:00
|
|
|
for _, allowedIP := range peer.AllowedIPs {
|
2021-05-14 18:07:28 -07:00
|
|
|
if allowedIP.Bits() == 0 && peer.StableID != exitNode {
|
2021-03-31 09:51:55 -07:00
|
|
|
if didExitNodeWarn {
|
|
|
|
// Don't log about both the IPv4 /0 and IPv6 /0.
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
didExitNodeWarn = true
|
2021-04-21 10:47:50 -07:00
|
|
|
if skippedUnselected.Len() > 0 {
|
|
|
|
skippedUnselected.WriteString(", ")
|
|
|
|
}
|
|
|
|
fmt.Fprintf(skippedUnselected, "%q (%v)", nodeDebugName(peer), peer.Key.ShortString())
|
2021-02-24 20:05:23 -08:00
|
|
|
continue
|
2022-07-24 20:08:42 -07:00
|
|
|
} else if allowedIP.IsSingleIP() && tsaddr.IsTailscaleIP(allowedIP.Addr()) && (flags&netmap.AllowSingleHosts) == 0 {
|
2021-04-21 10:47:50 -07:00
|
|
|
if skippedIPs.Len() > 0 {
|
|
|
|
skippedIPs.WriteString(", ")
|
|
|
|
}
|
2022-07-24 20:08:42 -07:00
|
|
|
fmt.Fprintf(skippedIPs, "%v from %q (%v)", allowedIP.Addr(), nodeDebugName(peer), peer.Key.ShortString())
|
2021-02-05 12:44:43 -08:00
|
|
|
continue
|
|
|
|
} else if cidrIsSubnet(peer, allowedIP) {
|
2021-02-05 15:44:46 -08:00
|
|
|
if (flags & netmap.AllowSubnetRoutes) == 0 {
|
2021-04-21 10:47:50 -07:00
|
|
|
if skippedSubnets.Len() > 0 {
|
|
|
|
skippedSubnets.WriteString(", ")
|
|
|
|
}
|
|
|
|
fmt.Fprintf(skippedSubnets, "%v from %q (%v)", allowedIP, nodeDebugName(peer), peer.Key.ShortString())
|
2021-02-05 12:44:43 -08:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
cpeer.AllowedIPs = append(cpeer.AllowedIPs, allowedIP)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-04-21 10:47:50 -07:00
|
|
|
if skippedUnselected.Len() > 0 {
|
|
|
|
logf("[v1] wgcfg: skipped unselected default routes from: %s", skippedUnselected.Bytes())
|
|
|
|
}
|
|
|
|
if skippedIPs.Len() > 0 {
|
|
|
|
logf("[v1] wgcfg: skipped node IPs: %s", skippedIPs)
|
|
|
|
}
|
|
|
|
if skippedSubnets.Len() > 0 {
|
|
|
|
logf("[v1] wgcfg: did not accept subnet routes: %s", skippedSubnets)
|
|
|
|
}
|
|
|
|
|
2021-02-05 12:44:43 -08:00
|
|
|
return cfg, nil
|
|
|
|
}
|