all: add arbitrary capability support

Updates #4217 RELNOTE=start of WhoIsResponse capability support Change-Id: I6522998a911fe49e2f003077dad6164c017eed9b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-12-01 09:32:08 +00:00 · 2022-03-18 11:48:40 -07:00
parent c591c91653
commit 16f3520089
9 changed files with 218 additions and 5 deletions
--- a/wgengine/filter/filter.go
+++ b/wgengine/filter/filter.go
@@ -27,10 +27,12 @@ type Filter struct {
 	// destination within local, regardless of the policy filter
 	// below.
 	local *netaddr.IPSet
+
 	// logIPs is the set of IPs that are allowed to appear in flow
 	// logs. If a packet is to or from an IP not in logIPs, it will
 	// never be logged.
 	logIPs *netaddr.IPSet
+
 	// matches4 and matches6 are lists of match->action rules
 	// applied to all packets arriving over tailscale
 	// tunnels. Matches are checked in order, and processing stops
@@ -38,6 +40,11 @@ type Filter struct {
 	// match is to drop the packet.
 	matches4 matches
 	matches6 matches
+
+	// cap4 and cap6 are the subsets of the matches that are about
+	// capability grants, partitioned by source IP address family.
+	cap4, cap6 matches
+
 	// state is the connection tracking state attached to this
 	// filter. It is used to allow incoming traffic that is a response
 	// to an outbound connection that this node made, even if those
@@ -174,6 +181,8 @@ func New(matches []Match, localNets *netaddr.IPSet, logIPs *netaddr.IPSet, share
 		logf:     logf,
 		matches4: matchesFamily(matches, netaddr.IP.Is4),
 		matches6: matchesFamily(matches, netaddr.IP.Is6),
+		cap4:     capMatchesFunc(matches, netaddr.IP.Is4),
+		cap6:     capMatchesFunc(matches, netaddr.IP.Is6),
 		local:    localNets,
 		logIPs:   logIPs,
 		state:    state,
@@ -205,6 +214,27 @@ func matchesFamily(ms matches, keep func(netaddr.IP) bool) matches {
 	return ret
 }

+// capMatchesFunc returns a copy of the subset of ms for which keep(srcNet.IP)
+// and the match is a capability grant.
+func capMatchesFunc(ms matches, keep func(netaddr.IP) bool) matches {
+	var ret matches
+	for _, m := range ms {
+		if len(m.Caps) == 0 {
+			continue
+		}
+		retm := Match{Caps: m.Caps}
+		for _, src := range m.Srcs {
+			if keep(src.IP()) {
+				retm.Srcs = append(retm.Srcs, src)
+			}
+		}
+		if len(retm.Srcs) > 0 {
+			ret = append(ret, retm)
+		}
+	}
+	return ret
+}
+
 func maybeHexdump(flag RunFlags, b []byte) string {
 	if flag == 0 {
 		return ""
@@ -291,6 +321,30 @@ func (f *Filter) CheckTCP(srcIP, dstIP netaddr.IP, dstPort uint16) Response {
 	return f.RunIn(pkt, 0)
 }

+// AppendCaps appends to base the capabilities that srcIP has talking
+// to dstIP.
+func (f *Filter) AppendCaps(base []string, srcIP, dstIP netaddr.IP) []string {
+	ret := base
+	var mm matches
+	switch {
+	case srcIP.Is4():
+		mm = f.cap4
+	case srcIP.Is6():
+		mm = f.cap6
+	}
+	for _, m := range mm {
+		if !ipInList(srcIP, m.Srcs) {
+			continue
+		}
+		for _, cm := range m.Caps {
+			if cm.Cap != "" && cm.Dst.Contains(dstIP) {
+				ret = append(ret, cm.Cap)
+			}
+		}
+	}
+	return ret
+}
+
 // ShieldsUp reports whether this is a "shields up" (block everything
 // incoming) filter.
 func (f *Filter) ShieldsUp() bool { return f.shieldsUp }
--- a/wgengine/filter/filter_test.go
+++ b/wgengine/filter/filter_test.go
@@ -872,3 +872,83 @@ func TestMatchesMatchProtoAndIPsOnlyIfAllPorts(t *testing.T) {
 		})
 	}
 }
+
+func TestCaps(t *testing.T) {
+	mm, err := MatchesFromFilterRules([]tailcfg.FilterRule{
+		{
+			SrcIPs: []string{"*"},
+			CapGrant: []tailcfg.CapGrant{{
+				Dsts: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+				},
+				Caps: []string{"is_ipv4"},
+			}},
+		},
+		{
+			SrcIPs: []string{"*"},
+			CapGrant: []tailcfg.CapGrant{{
+				Dsts: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("::/0"),
+				},
+				Caps: []string{"is_ipv6"},
+			}},
+		},
+		{
+			SrcIPs: []string{"100.199.0.0/16"},
+			CapGrant: []tailcfg.CapGrant{{
+				Dsts: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("100.200.0.0/16"),
+				},
+				Caps: []string{"some_super_admin"},
+			}},
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	filt := New(mm, nil, nil, nil, t.Logf)
+	tests := []struct {
+		name     string
+		src, dst string // IP
+		want     []string
+	}{
+		{
+			name: "v4",
+			src:  "1.2.3.4",
+			dst:  "2.4.5.5",
+			want: []string{"is_ipv4"},
+		},
+		{
+			name: "v6",
+			src:  "1::1",
+			dst:  "2::2",
+			want: []string{"is_ipv6"},
+		},
+		{
+			name: "admin",
+			src:  "100.199.1.2",
+			dst:  "100.200.3.4",
+			want: []string{"is_ipv4", "some_super_admin"},
+		},
+		{
+			name: "not_admin_bad_src",
+			src:  "100.198.1.2", // 198, not 199
+			dst:  "100.200.3.4",
+			want: []string{"is_ipv4"},
+		},
+		{
+			name: "not_admin_bad_dst",
+			src:  "100.199.1.2",
+			dst:  "100.201.3.4", // 201, not 200
+			want: []string{"is_ipv4"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := filt.AppendCaps(nil, netaddr.MustParseIP(tt.src), netaddr.MustParseIP(tt.dst))
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("got %q; want %q", got, tt.want)
+			}
+		})
+	}
+}
--- a/wgengine/filter/match.go
+++ b/wgengine/filter/match.go
@@ -47,12 +47,24 @@ func (npr NetPortRange) String() string {
 	return fmt.Sprintf("%v:%v", npr.Net, npr.Ports)
 }

+// CapMatch is a capability grant match predicate.
+type CapMatch struct {
+	// Dst is the IP prefix that the destination IP address matches against
+	// to get the capability.
+	Dst netaddr.IPPrefix
+
+	// Cap is the capability that's granted if the destination IP addresses
+	// matches Dst.
+	Cap string
+}
+
 // Match matches packets from any IP address in Srcs to any ip:port in
 // Dsts.
 type Match struct {
 	IPProto []ipproto.Proto // required set (no default value at this layer)
-	Dsts    []NetPortRange
 	Srcs    []netaddr.IPPrefix
+	Dsts    []NetPortRange // optional, if Srcs match
+	Caps    []CapMatch     // optional, if Srcs match
 }

 func (m Match) String() string {
--- a/wgengine/filter/match_clone.go
+++ b/wgengine/filter/match_clone.go
@@ -21,14 +21,16 @@ func (src *Match) Clone() *Match {
 	dst := new(Match)
 	*dst = *src
 	dst.IPProto = append(src.IPProto[:0:0], src.IPProto...)
-	dst.Dsts = append(src.Dsts[:0:0], src.Dsts...)
 	dst.Srcs = append(src.Srcs[:0:0], src.Srcs...)
+	dst.Dsts = append(src.Dsts[:0:0], src.Dsts...)
+	dst.Caps = append(src.Caps[:0:0], src.Caps...)
 	return dst
 }

 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _MatchCloneNeedsRegeneration = Match(struct {
 	IPProto []ipproto.Proto
-	Dsts    []NetPortRange
 	Srcs    []netaddr.IPPrefix
+	Dsts    []NetPortRange
+	Caps    []CapMatch
 }{})
--- a/wgengine/filter/tailcfg.go
+++ b/wgengine/filter/tailcfg.go
@@ -70,6 +70,16 @@ func MatchesFromFilterRules(pf []tailcfg.FilterRule) ([]Match, error) {
 				})
 			}
 		}
+		for _, cm := range r.CapGrant {
+			for _, dstNet := range cm.Dsts {
+				for _, cap := range cm.Caps {
+					m.Caps = append(m.Caps, CapMatch{
+						Dst: dstNet,
+						Cap: cap,
+					})
+				}
+			}
+		}

 		mm = append(mm, m)
 	}