wgengine/magicsock: disable Peer Relay if CryptoRouting is disabled

Updates tailscale/corp#31083

Signed-off-by: Jordan Whited <jordan@tailscale.com>
Jordan Whited
2025-08-06 15:29:45 -07:00
parent 4666d4ca2a
commit 3624d72e75
2 changed files with 26 additions and 0 deletions


@@ -2982,6 +2982,10 @@ func (c *Conn) onNodeViewsUpdate(update NodeViewsUpdate) {
peersChanged := c.updateNodes(update)
relayClientEnabled := update.SelfNode.Valid() &&
// Peer Relay depends on CryptoRouting in [Conn.receiveIP]. If
// CryptoRouting is disabled, then Peer Relay MUST also be disabled to
// avoid traffic blackholes. See http://go/corp/31083.
!update.SelfNode.HasCap(tailcfg.NodeAttrDisableMagicSockCryptoRouting) &&
!update.SelfNode.HasCap(tailcfg.NodeAttrDisableRelayClient) &&
!update.SelfNode.HasCap(tailcfg.NodeAttrOnlyTCP443)
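Review bot: The new comment above the `NodeAttrDisableMagicSockCryptoRouting` check says Peer Relay as a whole MUST be disabled, but the expression it sits in only computes `relayClientEnabled`, so a reader cannot tell whether relay-server behaviour on this node has the same dependency or is gated elsewhere. If the dependency is client-side only, I would say so, e.g. `// The relay client depends on CryptoRouting in [Conn.receiveIP]; if CryptoRouting is disabled the relay client MUST be disabled too, or relayed traffic is blackholed.` The hunk also does not show what happens to relay paths already in use when this attribute arrives on a later update; onNodeViewsUpdate continues past the hunk, so the teardown may well exist, but it is worth confirming because that transition is presumably where a blackhole would show up. The `http://go/corp/31083` reference looks like an internal short link, so the `tailscale/corp#31083` form used in the commit message would be easier to trace from the source.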


@@ -3625,6 +3625,10 @@ func TestConn_onNodeViewsUpdate_updateRelayServersSet(t *testing.T) {
selfNodeNodeAttrOnlyTCP443.CapMap = make(tailcfg.NodeCapMap)
selfNodeNodeAttrOnlyTCP443.CapMap[tailcfg.NodeAttrOnlyTCP443] = nil
selfNodeNodeAttrDisableMagicSockCryptoRouting := selfNode.Clone()
selfNodeNodeAttrDisableMagicSockCryptoRouting.CapMap = make(tailcfg.NodeCapMap)
selfNodeNodeAttrDisableMagicSockCryptoRouting.CapMap[tailcfg.NodeAttrDisableMagicSockCryptoRouting] = nil
tests := []struct {
name string
filt *filter.Filter
@@ -3693,6 +3697,24 @@ func TestConn_onNodeViewsUpdate_updateRelayServersSet(t *testing.T) {
wantRelayServers: make(set.Set[candidatePeerRelay]),
wantRelayClientEnabled: false,
},
{
name: "no candidate relay server because self has tailcfg.NodeAttrDisableMagicSockCryptoRouting",
filt: filter.New([]filtertype.Match{
{
Srcs: peerNodeCandidateRelay.Addresses,
Caps: []filtertype.CapMatch{
{
Dst: selfNodeNodeAttrDisableMagicSockCryptoRouting.Addresses[0],
Cap: tailcfg.PeerCapabilityRelayTarget,
},
},
},
}, nil, nil, nil, nil, nil),
self: selfNodeNodeAttrDisableMagicSockCryptoRouting.View(),
peers: []tailcfg.NodeView{peerNodeCandidateRelay.View()},
wantRelayServers: make(set.Set[candidatePeerRelay]),
wantRelayClientEnabled: false,
},
{
name: "self candidate relay server",
filt: filter.New([]filtertype.Match{