ipn/ipnlocal: add empty address to the app-connector localNets set

App connectors handle DNS requests for app domains over PeerAPI, but a safety check verifies the requesting peer has at least permission to send traffic to 0.0.0.0:53 (or 2000:: for IPv6) before handling the DNS request. The correct filter rules are synthesized by the coordination server and sent down, but the address needs to be part of the 'local net' for the filter package to even bother checking the filter rules, so we set them here. See: https://github.com/tailscale/corp/issues/11961 for more information. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates: ENG-2405
2025-08-12 05:37:32 +00:00 · 2023-11-07 15:45:46 -08:00
parent fdbe511c41
commit 3496d62ed3
2 changed files with 19 additions and 0 deletions
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -1776,6 +1776,18 @@ func (b *LocalBackend) updateFilterLocked(netMap *netmap.NetworkMap, prefs ipn.P
 				logNetsB.AddPrefix(r)
 			}
 		}
+
+		// App connectors handle DNS requests for app domains over PeerAPI (corp#11961),
+		// but a safety check verifies the requesting peer has at least permission
+		// to send traffic to 0.0.0.0:53 (or 2000:: for IPv6) before handling the DNS
+		// request (see peerAPIHandler.replyToDNSQueries in peerapi.go).
+		// The correct filter rules are synthesized by the coordination server
+		// and sent down, but the address needs to be part of the 'local net' for the
+		// filter package to even bother checking the filter rules, so we set them here.
+		if prefs.AppConnector().Advertise {
+			localNetsB.Add(netip.MustParseAddr("0.0.0.0"))
+			localNetsB.Add(netip.MustParseAddr("::0"))
+		}
 	}
 	localNets, _ := localNetsB.IPSet()
 	logNets, _ := logNetsB.IPSet()