wgengine/magicsock: disable Peer Relay if CryptoRouting is disabled
Updates tailscale/corp#31083 Signed-off-by: Jordan Whited <jordan@tailscale.com>
@@ -2982,6 +2982,10 @@ func (c *Conn) onNodeViewsUpdate(update NodeViewsUpdate) {
|
|||||||
peersChanged := c.updateNodes(update)
|
peersChanged := c.updateNodes(update)
|
||||||
|
|
||||||
relayClientEnabled := update.SelfNode.Valid() &&
|
relayClientEnabled := update.SelfNode.Valid() &&
|
||||||
|
// Peer Relay depends on CryptoRouting in [Conn.receiveIP]. If
|
||||||
|
// CryptoRouting is disabled, then Peer Relay MUST also be disabled to
|
||||||
|
// avoid traffic blackholes. See http://go/corp/31083.
|
||||||
|
!update.SelfNode.HasCap(tailcfg.NodeAttrDisableMagicSockCryptoRouting) &&
|
||||||
!update.SelfNode.HasCap(tailcfg.NodeAttrDisableRelayClient) &&
|
!update.SelfNode.HasCap(tailcfg.NodeAttrDisableRelayClient) &&
|
||||||
!update.SelfNode.HasCap(tailcfg.NodeAttrOnlyTCP443)
|
!update.SelfNode.HasCap(tailcfg.NodeAttrOnlyTCP443)
|
||||||
|
|
||||||
|
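Review bot: The added comment on the `NodeAttrDisableMagicSockCryptoRouting` condition cites `http://go/corp/31083`, an internal short link that readers of the public tree cannot resolve. It also says "MUST" without stating what [Conn.receiveIP] no longer does for relayed packets once CryptoRouting is off. This conjunction appears to be the only place the two features are kept consistent, so the reason should be in the comment itself, with the tracker reference in the form the commit trailer uses: `// avoid traffic blackholes (<one sentence: what receiveIP cannot do for relayed packets without CryptoRouting>). See tailscale/corp#31083.` The body of onNodeViewsUpdate continues outside this hunk, so how a change in relayClientEnabled is applied to existing paths is not visible here.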
@@ -3625,6 +3625,10 @@ func TestConn_onNodeViewsUpdate_updateRelayServersSet(t *testing.T) {
|
|||||||
selfNodeNodeAttrOnlyTCP443.CapMap = make(tailcfg.NodeCapMap)
|
selfNodeNodeAttrOnlyTCP443.CapMap = make(tailcfg.NodeCapMap)
|
||||||
selfNodeNodeAttrOnlyTCP443.CapMap[tailcfg.NodeAttrOnlyTCP443] = nil
|
selfNodeNodeAttrOnlyTCP443.CapMap[tailcfg.NodeAttrOnlyTCP443] = nil
|
||||||
|
|
||||||
|
selfNodeNodeAttrDisableMagicSockCryptoRouting := selfNode.Clone()
|
||||||
|
selfNodeNodeAttrDisableMagicSockCryptoRouting.CapMap = make(tailcfg.NodeCapMap)
|
||||||
|
selfNodeNodeAttrDisableMagicSockCryptoRouting.CapMap[tailcfg.NodeAttrDisableMagicSockCryptoRouting] = nil
|
||||||
|
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
filt *filter.Filter
|
filt *filter.Filter
|
||||||
@@ -3693,6 +3697,24 @@ func TestConn_onNodeViewsUpdate_updateRelayServersSet(t *testing.T) {
|
|||||||
wantRelayServers: make(set.Set[candidatePeerRelay]),
|
wantRelayServers: make(set.Set[candidatePeerRelay]),
|
||||||
wantRelayClientEnabled: false,
|
wantRelayClientEnabled: false,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "no candidate relay server because self has tailcfg.NodeAttrDisableMagicSockCryptoRouting",
|
||||||
|
filt: filter.New([]filtertype.Match{
|
||||||
|
{
|
||||||
|
Srcs: peerNodeCandidateRelay.Addresses,
|
||||||
|
Caps: []filtertype.CapMatch{
|
||||||
|
{
|
||||||
|
Dst: selfNodeNodeAttrDisableMagicSockCryptoRouting.Addresses[0],
|
||||||
|
Cap: tailcfg.PeerCapabilityRelayTarget,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}, nil, nil, nil, nil, nil),
|
||||||
|
self: selfNodeNodeAttrDisableMagicSockCryptoRouting.View(),
|
||||||
|
peers: []tailcfg.NodeView{peerNodeCandidateRelay.View()},
|
||||||
|
wantRelayServers: make(set.Set[candidatePeerRelay]),
|
||||||
|
wantRelayClientEnabled: false,
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name: "self candidate relay server",
|
name: "self candidate relay server",
|
||||||
filt: filter.New([]filtertype.Match{
|
filt: filter.New([]filtertype.Match{
|
||||||
|
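Review bot: The new table case only covers a self node that already has `NodeAttrDisableMagicSockCryptoRouting` set on its first update. It does not exercise the transition that matters in production: relay client enabled with a populated relay-server set, followed by an update in which the attribute appears. Judging by the visible case fields (`self`, `peers`, `wantRelayServers`, `wantRelayClientEnabled`), each case applies a single update, though the test body lies outside these hunks, so this is inferred. A case such as `name: "relay servers cleared after self gains tailcfg.NodeAttrDisableMagicSockCryptoRouting"`, which applies a permissive self node first and the restricted one second, would pin the behaviour that prevents blackholed traffic when the attribute flips at runtime.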