mirror of
https://github.com/tailscale/tailscale.git
synced 2025-01-08 09:07:44 +00:00
util/linuxfw,wgengine/router: enable IPv6 configuration when netfilter is disabled (#11517)
Updates #11434 Signed-off-by: James Tucker <james@tailscale.com> (cherry picked from commit 3f7313dbdbb86b166b115c59bff444b1dc301e64) Co-authored-by: James Tucker <james@tailscale.com>
parent
7074c49db8
commit
0ad803a3db
@ -59,7 +59,7 @@ func newIPTablesRunner(logf logger.Logf) (*iptablesRunner, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
supportsV6, supportsV6NAT := false, false
|
supportsV6, supportsV6NAT := false, false
|
||||||
v6err := checkIPv6(logf)
|
v6err := CheckIPv6(logf)
|
||||||
ip6terr := checkIP6TablesExists()
|
ip6terr := checkIP6TablesExists()
|
||||||
var ipt6 *iptables.IPTables
|
var ipt6 *iptables.IPTables
|
||||||
switch {
|
switch {
|
||||||
|
@ -130,7 +130,7 @@ func errCode(err error) int {
|
|||||||
// missing. It does not check that IPv6 is currently functional or
|
// missing. It does not check that IPv6 is currently functional or
|
||||||
// that there's a global address, just that the system would support
|
// that there's a global address, just that the system would support
|
||||||
// IPv6 if it were on an IPv6 network.
|
// IPv6 if it were on an IPv6 network.
|
||||||
func checkIPv6(logf logger.Logf) error {
|
func CheckIPv6(logf logger.Logf) error {
|
||||||
_, err := os.Stat("/proc/sys/net/ipv6")
|
_, err := os.Stat("/proc/sys/net/ipv6")
|
||||||
if os.IsNotExist(err) {
|
if os.IsNotExist(err) {
|
||||||
return err
|
return err
|
||||||
|
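Review bot: Exporting `CheckIPv6` in this hunk leaves the opening line of its doc comment outside the hunk and apparently unchanged, so it likely still begins with the old unexported name. Go doc comments on exported identifiers should start with the identifier, for example `// CheckIPv6 checks whether the system appears to support IPv6.`, with the wording matched to the existing first sentence, which is not visible here. The function is now called from another package to decide whether IPv6 gets configured, so the visible caveat that it does not verify IPv6 is currently functional is part of its public contract and should stay prominent. The function body continues past the end of the hunk.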
@ -546,7 +546,7 @@ func newNfTablesRunner(logf logger.Logf) (*nftablesRunner, error) {
|
|||||||
}
|
}
|
||||||
nft4 := &nftable{Proto: nftables.TableFamilyIPv4}
|
nft4 := &nftable{Proto: nftables.TableFamilyIPv4}
|
||||||
|
|
||||||
v6err := checkIPv6(logf)
|
v6err := CheckIPv6(logf)
|
||||||
if v6err != nil {
|
if v6err != nil {
|
||||||
logf("disabling tunneled IPv6 due to system IPv6 config: %v", v6err)
|
logf("disabling tunneled IPv6 due to system IPv6 config: %v", v6err)
|
||||||
}
|
}
|
||||||
|
@ -56,6 +56,7 @@ type linuxRouter struct {
|
|||||||
|
|
||||||
// Various feature checks for the network stack.
|
// Various feature checks for the network stack.
|
||||||
ipRuleAvailable bool // whether kernel was built with IP_MULTIPLE_TABLES
|
ipRuleAvailable bool // whether kernel was built with IP_MULTIPLE_TABLES
|
||||||
|
v6Available bool // whether the kernel supports IPv6
|
||||||
fwmaskWorks bool // whether we can use 'ip rule...fwmark <mark>/<mask>'
|
fwmaskWorks bool // whether we can use 'ip rule...fwmark <mark>/<mask>'
|
||||||
|
|
||||||
// ipPolicyPrefBase is the base priority at which ip rules are installed.
|
// ipPolicyPrefBase is the base priority at which ip rules are installed.
|
||||||
@ -142,6 +143,8 @@ func newUserspaceRouterAdvanced(logf logger.Logf, tunname string, netMon *netmon
|
|||||||
r.logf("mwan3 on openWRT detected, switching policy base priority to 1300")
|
r.logf("mwan3 on openWRT detected, switching policy base priority to 1300")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
r.v6Available = linuxfw.CheckIPv6(r.logf) == nil
|
||||||
|
|
||||||
r.fixupWSLMTU()
|
r.fixupWSLMTU()
|
||||||
|
|
||||||
return r, nil
|
return r, nil
|
||||||
@ -416,7 +419,7 @@ func (r *linuxRouter) UpdateMagicsockPort(port uint16, network string) error {
|
|||||||
case "udp4":
|
case "udp4":
|
||||||
magicsockPort = &r.magicsockPortV4
|
magicsockPort = &r.magicsockPortV4
|
||||||
case "udp6":
|
case "udp6":
|
||||||
if !r.nfr.HasIPV6() {
|
if !r.getV6Available() {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
magicsockPort = &r.magicsockPortV6
|
magicsockPort = &r.magicsockPortV6
|
||||||
@ -523,7 +526,7 @@ func (r *linuxRouter) setNetfilterMode(mode preftype.NetfilterMode) error {
|
|||||||
return fmt.Errorf("could not add magicsock port rule v4: %w", err)
|
return fmt.Errorf("could not add magicsock port rule v4: %w", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if r.magicsockPortV6 != 0 && r.nfr.HasIPV6() {
|
if r.magicsockPortV6 != 0 && r.getV6Available() {
|
||||||
if err := r.nfr.AddMagicsockPortRule(r.magicsockPortV6, "udp6"); err != nil {
|
if err := r.nfr.AddMagicsockPortRule(r.magicsockPortV6, "udp6"); err != nil {
|
||||||
return fmt.Errorf("could not add magicsock port rule v6: %w", err)
|
return fmt.Errorf("could not add magicsock port rule v6: %w", err)
|
||||||
}
|
}
|
||||||
@ -563,7 +566,7 @@ func (r *linuxRouter) setNetfilterMode(mode preftype.NetfilterMode) error {
|
|||||||
return fmt.Errorf("could not add magicsock port rule v4: %w", err)
|
return fmt.Errorf("could not add magicsock port rule v4: %w", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if r.magicsockPortV6 != 0 && r.nfr.HasIPV6() {
|
if r.magicsockPortV6 != 0 && r.getV6Available() {
|
||||||
if err := r.nfr.AddMagicsockPortRule(r.magicsockPortV6, "udp6"); err != nil {
|
if err := r.nfr.AddMagicsockPortRule(r.magicsockPortV6, "udp6"); err != nil {
|
||||||
return fmt.Errorf("could not add magicsock port rule v6: %w", err)
|
return fmt.Errorf("could not add magicsock port rule v6: %w", err)
|
||||||
}
|
}
|
||||||
@ -602,6 +605,9 @@ func (r *linuxRouter) setNetfilterMode(mode preftype.NetfilterMode) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (r *linuxRouter) getV6Available() bool {
|
func (r *linuxRouter) getV6Available() bool {
|
||||||
|
if r.netfilterMode == netfilterOff {
|
||||||
|
return r.v6Available
|
||||||
|
}
|
||||||
return r.nfr.HasIPV6()
|
return r.nfr.HasIPV6()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
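Review bot: `getV6Available`, in the last hunk of this section, now answers from two different sources with no comment explaining why: under `netfilterOff` it returns `r.v6Available`, computed once in newUserspaceRouterAdvanced, and otherwise it asks `r.nfr.HasIPV6()`. I would add `// getV6Available reports whether IPv6 should be configured: with netfilter off it uses the kernel check cached at startup, otherwise the firewall runner's answer.` above it. The assignment `r.v6Available = linuxfw.CheckIPv6(r.logf) == nil` also discards the error, whereas newNfTablesRunner logs it with "disabling tunneled IPv6 due to system IPv6 config: %v". Unless CheckIPv6 already reports the reason through logf (not visible here), keeping the error in a local and logging it the same way would tell an operator running with netfilter off why IPv6 stayed disabled. Both enclosing functions extend beyond the hunks shown.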