wgengine/router{,/osrouter}: split OS router implementations into subpackage

So wgengine/router is just the docs + entrypoint + types, and then underscore importing wgengine/router/osrouter registers the constructors with the wgengine/router package. Then tsnet can not pull those in. Updates #17313 Change-Id: If313226f6987d709ea9193c8f16a909326ceefe7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-10-28 05:00:08 +00:00 · 2025-09-27 15:18:25 -07:00
parent 65d6c80695
commit 39e35379d4
29 changed files with 208 additions and 207 deletions
--- a/wgengine/router/consolidating_router_test.go
+++ b/wgengine/router/consolidating_router_test.go
@@ -4,7 +4,6 @@
 package router

 import (
-	"log"
 	"net/netip"
 	"testing"

@@ -56,7 +55,7 @@ func TestConsolidateRoutes(t *testing.T) {
 		},
 	}

-	cr := &consolidatingRouter{logf: log.Printf}
+	cr := &consolidatingRouter{logf: t.Logf}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			got := cr.consolidateRoutes(test.cfg)
--- a/wgengine/router/osrouter/ifconfig_windows.go
+++ b/wgengine/router/osrouter/ifconfig_windows.go
@@ -3,7 +3,7 @@
 * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
 */

-package router
+package osrouter

 import (
 	"errors"
@@ -19,6 +19,7 @@ import (
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tstun"
 	"tailscale.com/util/multierr"
+	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/winnet"

 	ole "github.com/go-ole/go-ole"
@@ -246,7 +247,7 @@ var networkCategoryWarnable = health.Register(&health.Warnable{
 	MapDebugFlag: "warn-network-category-unhealthy",
 })

-func configureInterface(cfg *Config, tun *tun.NativeTun, ht *health.Tracker) (retErr error) {
+func configureInterface(cfg *router.Config, tun *tun.NativeTun, ht *health.Tracker) (retErr error) {
 	var mtu = tstun.DefaultTUNMTU()
 	luid := winipcfg.LUID(tun.LUID())
 	iface, err := interfaceFromLUID(luid,
--- a/wgengine/router/osrouter/ifconfig_windows_test.go
+++ b/wgengine/router/osrouter/ifconfig_windows_test.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-package router
+package osrouter

 import (
 	"fmt"
--- a/wgengine/router/osrouter/osrouter.go
+++ b/wgengine/router/osrouter/osrouter.go
@@ -0,0 +1,15 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package osrouter contains OS-specific router implementations.
+// This package has no API; it exists purely to import
+// for the side effect of it registering itself with the wgengine/router
+// package.
+package osrouter
+
+import "tailscale.com/wgengine/router"
+
+// shutdownConfig is a routing configuration that removes all router
+// state from the OS. It's the config used when callers pass in a nil
+// Config.
+var shutdownConfig router.Config
--- a/wgengine/router/osrouter/osrouter_test.go
+++ b/wgengine/router/osrouter/osrouter_test.go
@@ -0,0 +1,15 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package osrouter
+
+import "net/netip"
+
+//lint:ignore U1000 used in Windows/Linux tests only
+func mustCIDRs(ss ...string) []netip.Prefix {
+	var ret []netip.Prefix
+	for _, s := range ss {
+		ret = append(ret, netip.MustParsePrefix(s))
+	}
+	return ret
+}
--- a/wgengine/router/osrouter/router_freebsd.go
+++ b/wgengine/router/osrouter/router_freebsd.go
@@ -1,23 +1,18 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-package router
+package osrouter

 import (
-	"github.com/tailscale/wireguard-go/tun"
-	"tailscale.com/health"
 	"tailscale.com/net/netmon"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/eventbus"
+	"tailscale.com/wgengine/router"
 )

-// For now this router only supports the userspace WireGuard implementations.
-//
-// Work is currently underway for an in-kernel FreeBSD implementation of wireguard
-// https://svnweb.freebsd.org/base?view=revision&revision=357986
-
-func newUserspaceRouter(logf logger.Logf, tundev tun.Device, netMon *netmon.Monitor, health *health.Tracker, bus *eventbus.Bus) (Router, error) {
-	return newUserspaceBSDRouter(logf, tundev, netMon, health)
+func init() {
+	router.HookCleanUp.Set(func(logf logger.Logf, netMon *netmon.Monitor, ifName string) {
+		cleanUp(logf, ifName)
+	})
 }

 func cleanUp(logf logger.Logf, interfaceName string) {
--- a/wgengine/router/osrouter/router_linux.go
+++ b/wgengine/router/osrouter/router_linux.go
@@ -3,7 +3,7 @@

 //go:build !android

-package router
+package osrouter

 import (
 	"errors"
@@ -34,8 +34,18 @@ import (
 	"tailscale.com/util/linuxfw"
 	"tailscale.com/util/multierr"
 	"tailscale.com/version/distro"
+	"tailscale.com/wgengine/router"
 )

+func init() {
+	router.HookNewUserspaceRouter.Set(func(opts router.NewOpts) (router.Router, error) {
+		return newUserspaceRouter(opts.Logf, opts.Tun, opts.NetMon, opts.Health, opts.Bus)
+	})
+	router.HookCleanUp.Set(func(logf logger.Logf, netMon *netmon.Monitor, ifName string) {
+		cleanUp(logf, ifName)
+	})
+}
+
 var getDistroFunc = distro.Get

 const (
@@ -81,7 +91,7 @@ type linuxRouter struct {
 	magicsockPortV6 uint16
 }

-func newUserspaceRouter(logf logger.Logf, tunDev tun.Device, netMon *netmon.Monitor, health *health.Tracker, bus *eventbus.Bus) (Router, error) {
+func newUserspaceRouter(logf logger.Logf, tunDev tun.Device, netMon *netmon.Monitor, health *health.Tracker, bus *eventbus.Bus) (router.Router, error) {
 	tunname, err := tunDev.Name()
 	if err != nil {
 		return nil, err
@@ -94,7 +104,7 @@ func newUserspaceRouter(logf logger.Logf, tunDev tun.Device, netMon *netmon.Moni
 	return newUserspaceRouterAdvanced(logf, tunname, netMon, cmd, health, bus)
 }

-func newUserspaceRouterAdvanced(logf logger.Logf, tunname string, netMon *netmon.Monitor, cmd commandRunner, health *health.Tracker, bus *eventbus.Bus) (Router, error) {
+func newUserspaceRouterAdvanced(logf logger.Logf, tunname string, netMon *netmon.Monitor, cmd commandRunner, health *health.Tracker, bus *eventbus.Bus) (router.Router, error) {
 	r := &linuxRouter{
 		logf:          logf,
 		tunname:       tunname,
@@ -401,7 +411,7 @@ func (r *linuxRouter) setupNetfilter(kind string) error {
 }

 // Set implements the Router interface.
-func (r *linuxRouter) Set(cfg *Config) error {
+func (r *linuxRouter) Set(cfg *router.Config) error {
 	var errs []error
 	if cfg == nil {
 		cfg = &shutdownConfig
@@ -488,7 +498,7 @@ var dockerStatefulFilteringWarnable = health.Register(&health.Warnable{
 	Text:     health.StaticMessage("Stateful filtering is enabled and Docker was detected; this may prevent Docker containers on this host from resolving DNS and connecting to Tailscale nodes. See https://tailscale.com/s/stateful-docker"),
 })

-func (r *linuxRouter) updateStatefulFilteringWithDockerWarning(cfg *Config) {
+func (r *linuxRouter) updateStatefulFilteringWithDockerWarning(cfg *router.Config) {
 	// If stateful filtering is disabled, clear the warning.
 	if !r.statefulFiltering {
 		r.health.SetHealthy(dockerStatefulFilteringWarnable)
--- a/wgengine/router/osrouter/router_linux_test.go
+++ b/wgengine/router/osrouter/router_linux_test.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-package router
+package osrouter

 import (
 	"errors"
@@ -32,8 +32,11 @@ import (
 	"tailscale.com/util/eventbus/eventbustest"
 	"tailscale.com/util/linuxfw"
 	"tailscale.com/version/distro"
+	"tailscale.com/wgengine/router"
 )

+type Config = router.Config
+
 func TestRouterStates(t *testing.T) {
 	basic := `
 ip rule add -4 pref 5210 fwmark 0x80000/0xff0000 table main
--- a/wgengine/router/osrouter/router_openbsd.go
+++ b/wgengine/router/osrouter/router_openbsd.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-package router
+package osrouter

 import (
 	"errors"
@@ -17,10 +17,18 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/util/eventbus"
 	"tailscale.com/util/set"
+	"tailscale.com/wgengine/router"
 )

-// For now this router only supports the WireGuard userspace implementation.
-// There is an experimental kernel version in the works for OpenBSD:
+func init() {
+	router.HookNewUserspaceRouter.Set(func(opts router.NewOpts) (router.Router, error) {
+		return newUserspaceRouter(opts.Logf, opts.Tun, opts.NetMon, opts.Health, opts.Bus)
+	})
+	router.HookCleanUp.Set(func(logf logger.Logf, netMon *netmon.Monitor, ifName string) {
+		cleanUp(logf, ifName)
+	})
+}
+
 // https://git.zx2c4.com/wireguard-openbsd.

 type openbsdRouter struct {
@@ -32,7 +40,7 @@ type openbsdRouter struct {
 	routes  set.Set[netip.Prefix]
 }

-func newUserspaceRouter(logf logger.Logf, tundev tun.Device, netMon *netmon.Monitor, health *health.Tracker, bus *eventbus.Bus) (Router, error) {
+func newUserspaceRouter(logf logger.Logf, tundev tun.Device, netMon *netmon.Monitor, health *health.Tracker, bus *eventbus.Bus) (router.Router, error) {
 	tunname, err := tundev.Name()
 	if err != nil {
 		return nil, err
@@ -68,7 +76,7 @@ func inet(p netip.Prefix) string {
 	return "inet"
 }

-func (r *openbsdRouter) Set(cfg *Config) error {
+func (r *openbsdRouter) Set(cfg *router.Config) error {
 	if cfg == nil {
 		cfg = &shutdownConfig
 	}
--- a/wgengine/router/osrouter/router_plan9.go
+++ b/wgengine/router/osrouter/router_plan9.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-package router
+package osrouter

 import (
 	"bufio"
@@ -15,10 +15,19 @@ import (
 	"tailscale.com/health"
 	"tailscale.com/net/netmon"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/eventbus"
+	"tailscale.com/wgengine/router"
 )

-func newUserspaceRouter(logf logger.Logf, tundev tun.Device, netMon *netmon.Monitor, health *health.Tracker, bus *eventbus.Bus) (Router, error) {
+func init() {
+	router.HookCleanUp.Set(func(logf logger.Logf, netMon *netmon.Monitor, ifName string) {
+		cleanAllTailscaleRoutes(logf)
+	})
+	router.HookNewUserspaceRouter.Set(func(opts router.NewOpts) (router.Router, error) {
+		return newUserspaceRouter(opts.Logf, opts.Tun, opts.NetMon)
+	})
+}
+
+func newUserspaceRouter(logf logger.Logf, tundev tun.Device, netMon *netmon.Monitor) (router.Router, error) {
 	r := &plan9Router{
 		logf:   logf,
 		tundev: tundev,
@@ -39,7 +48,7 @@ func (r *plan9Router) Up() error {
 	return nil
 }

-func (r *plan9Router) Set(cfg *Config) error {
+func (r *plan9Router) Set(cfg *router.Config) error {
 	if cfg == nil {
 		cleanAllTailscaleRoutes(r.logf)
 		return nil
@@ -118,10 +127,6 @@ func (r *plan9Router) Close() error {
 	return nil
 }

-func cleanUp(logf logger.Logf, _ string) {
-	cleanAllTailscaleRoutes(logf)
-}
-
 func cleanAllTailscaleRoutes(logf logger.Logf) {
 	routes, err := os.OpenFile("/net/iproute", os.O_RDWR, 0)
 	if err != nil {
--- a/wgengine/router/osrouter/router_userspace_bsd.go
+++ b/wgengine/router/osrouter/router_userspace_bsd.go
@@ -3,7 +3,7 @@

 //go:build darwin || freebsd

-package router
+package osrouter

 import (
 	"fmt"
@@ -19,8 +19,15 @@ import (
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
+	"tailscale.com/wgengine/router"
 )

+func init() {
+	router.HookNewUserspaceRouter.Set(func(opts router.NewOpts) (router.Router, error) {
+		return newUserspaceBSDRouter(opts.Logf, opts.Tun, opts.NetMon, opts.Health)
+	})
+}
+
 type userspaceBSDRouter struct {
 	logf    logger.Logf
 	netMon  *netmon.Monitor
@@ -30,7 +37,7 @@ type userspaceBSDRouter struct {
 	routes  map[netip.Prefix]bool
 }

-func newUserspaceBSDRouter(logf logger.Logf, tundev tun.Device, netMon *netmon.Monitor, health *health.Tracker) (Router, error) {
+func newUserspaceBSDRouter(logf logger.Logf, tundev tun.Device, netMon *netmon.Monitor, health *health.Tracker) (router.Router, error) {
 	tunname, err := tundev.Name()
 	if err != nil {
 		return nil, err
@@ -99,7 +106,7 @@ func inet(p netip.Prefix) string {
 	return "inet"
 }

-func (r *userspaceBSDRouter) Set(cfg *Config) (reterr error) {
+func (r *userspaceBSDRouter) Set(cfg *router.Config) (reterr error) {
 	if cfg == nil {
 		cfg = &shutdownConfig
 	}
--- a/wgengine/router/osrouter/router_windows.go
+++ b/wgengine/router/osrouter/router_windows.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-package router
+package osrouter

 import (
 	"bufio"
@@ -28,8 +28,15 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/util/backoff"
 	"tailscale.com/util/eventbus"
+	"tailscale.com/wgengine/router"
 )

+func init() {
+	router.HookNewUserspaceRouter.Set(func(opts router.NewOpts) (router.Router, error) {
+		return newUserspaceRouter(opts.Logf, opts.Tun, opts.NetMon, opts.Health, opts.Bus)
+	})
+}
+
 type winRouter struct {
 	logf                func(fmt string, args ...any)
 	netMon              *netmon.Monitor // may be nil
@@ -39,7 +46,7 @@ type winRouter struct {
 	firewall            *firewallTweaker
 }

-func newUserspaceRouter(logf logger.Logf, tundev tun.Device, netMon *netmon.Monitor, health *health.Tracker, bus *eventbus.Bus) (Router, error) {
+func newUserspaceRouter(logf logger.Logf, tundev tun.Device, netMon *netmon.Monitor, health *health.Tracker, bus *eventbus.Bus) (router.Router, error) {
 	nativeTun := tundev.(*tun.NativeTun)
 	luid := winipcfg.LUID(nativeTun.LUID())
 	guid, err := luid.GUID()
@@ -73,7 +80,7 @@ func (r *winRouter) Up() error {
 	return nil
 }

-func (r *winRouter) Set(cfg *Config) error {
+func (r *winRouter) Set(cfg *router.Config) error {
 	if cfg == nil {
 		cfg = &shutdownConfig
 	}
@@ -124,10 +131,6 @@ func (r *winRouter) Close() error {
 	return nil
 }

-func cleanUp(logf logger.Logf, interfaceName string) {
-	// Nothing to do here.
-}
-
 // firewallTweaker changes the Windows firewall. Normally this wouldn't be so complicated,
 // but it can be REALLY SLOW to change the Windows firewall for reasons not understood.
 // Like 4 minutes slow. But usually it's tens of milliseconds.
--- a/wgengine/router/osrouter/router_windows_test.go
+++ b/wgengine/router/osrouter/router_windows_test.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-package router
+package osrouter

 import (
 	"path/filepath"
--- a/wgengine/router/osrouter/runner.go
+++ b/wgengine/router/osrouter/runner.go
@@ -3,7 +3,7 @@

 //go:build linux

-package router
+package osrouter

 import (
 	"errors"
--- a/wgengine/router/router.go
+++ b/wgengine/router/router.go
@@ -6,10 +6,15 @@
 package router

 import (
+	"errors"
+	"fmt"
 	"net/netip"
 	"reflect"
+	"runtime"

 	"github.com/tailscale/wireguard-go/tun"
+	"tailscale.com/feature"
+	"tailscale.com/feature/buildfeatures"
 	"tailscale.com/health"
 	"tailscale.com/net/netmon"
 	"tailscale.com/types/logger"
@@ -41,6 +46,22 @@ type Router interface {
 	Close() error
 }

+// NewOpts are the options passed to the NewUserspaceRouter hook.
+type NewOpts struct {
+	Logf   logger.Logf     // required
+	Tun    tun.Device      // required
+	NetMon *netmon.Monitor // optional
+	Health *health.Tracker // required (but TODO: support optional later)
+	Bus    *eventbus.Bus   // required
+}
+
+// HookNewUserspaceRouter is the registration point for router implementations
+// to register a constructor for userspace routers. It's meant for implementations
+// in wgengine/router/osrouter.
+//
+// If no implementation is registered, [New] will return an error.
+var HookNewUserspaceRouter feature.Hook[func(NewOpts) (Router, error)]
+
 // New returns a new Router for the current platform, using the
 // provided tun device.
 //
@@ -50,14 +71,33 @@ func New(logf logger.Logf, tundev tun.Device, netMon *netmon.Monitor,
 	health *health.Tracker, bus *eventbus.Bus,
 ) (Router, error) {
 	logf = logger.WithPrefix(logf, "router: ")
-	return newUserspaceRouter(logf, tundev, netMon, health, bus)
+	if f, ok := HookNewUserspaceRouter.GetOk(); ok {
+		return f(NewOpts{
+			Logf:   logf,
+			Tun:    tundev,
+			NetMon: netMon,
+			Health: health,
+			Bus:    bus,
+		})
+	}
+	if !buildfeatures.HasOSRouter {
+		return nil, errors.New("router: tailscaled was built without OSRouter support")
+	}
+	return nil, fmt.Errorf("unsupported OS %q", runtime.GOOS)
 }

+// HookCleanUp is the optional registration point for router implementations
+// to register a cleanup function for [CleanUp] to use. It's meant for
+// implementations in wgengine/router/osrouter.
+var HookCleanUp feature.Hook[func(_ logger.Logf, _ *netmon.Monitor, ifName string)]
+
 // CleanUp restores the system network configuration to its original state
 // in case the Tailscale daemon terminated without closing the router.
 // No other state needs to be instantiated before this runs.
 func CleanUp(logf logger.Logf, netMon *netmon.Monitor, interfaceName string) {
-	cleanUp(logf, interfaceName)
+	if f, ok := HookCleanUp.GetOk(); ok {
+		f(logf, netMon, interfaceName)
+	}
 }

 // Config is the subset of Tailscale configuration that is relevant to
@@ -106,8 +146,3 @@ func (a *Config) Equal(b *Config) bool {
 	}
 	return reflect.DeepEqual(a, b)
 }
-
-// shutdownConfig is a routing configuration that removes all router
-// state from the OS. It's the config used when callers pass in a nil
-// Config.
-var shutdownConfig = Config{}
--- a/wgengine/router/router_android.go
+++ b/wgengine/router/router_android.go
@@ -1,30 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build android
-
-package router
-
-import (
-	"github.com/tailscale/wireguard-go/tun"
-	"tailscale.com/health"
-	"tailscale.com/net/netmon"
-	"tailscale.com/types/logger"
-	"tailscale.com/util/eventbus"
-)
-
-func newUserspaceRouter(logf logger.Logf, tunDev tun.Device, netMon *netmon.Monitor, health *health.Tracker, _ *eventbus.Bus) (Router, error) {
-	// Note, this codepath is _not_ used when building the android app
-	// from github.com/tailscale/tailscale-android. The android app
-	// constructs its own wgengine with a custom router implementation
-	// that plugs into Android networking APIs.
-	//
-	// In practice, the only place this fake router gets used is when
-	// you build a tsnet app for android, in which case we don't want
-	// to touch the OS network stack and a no-op router is correct.
-	return NewFake(logf), nil
-}
-
-func cleanUp(logf logger.Logf, interfaceName string) {
-	// Nothing to do here.
-}
--- a/wgengine/router/router_darwin.go
+++ b/wgengine/router/router_darwin.go
@@ -1,20 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package router
-
-import (
-	"github.com/tailscale/wireguard-go/tun"
-	"tailscale.com/health"
-	"tailscale.com/net/netmon"
-	"tailscale.com/types/logger"
-	"tailscale.com/util/eventbus"
-)
-
-func newUserspaceRouter(logf logger.Logf, tundev tun.Device, netMon *netmon.Monitor, health *health.Tracker, bus *eventbus.Bus) (Router, error) {
-	return newUserspaceBSDRouter(logf, tundev, netMon, health)
-}
-
-func cleanUp(logger.Logf, string) {
-	// Nothing to do.
-}
--- a/wgengine/router/router_default.go
+++ b/wgengine/router/router_default.go
@@ -1,25 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !windows && !linux && !darwin && !openbsd && !freebsd && !plan9
-
-package router
-
-import (
-	"fmt"
-	"runtime"
-
-	"github.com/tailscale/wireguard-go/tun"
-	"tailscale.com/health"
-	"tailscale.com/net/netmon"
-	"tailscale.com/types/logger"
-	"tailscale.com/util/eventbus"
-)
-
-func newUserspaceRouter(logf logger.Logf, tunDev tun.Device, netMon *netmon.Monitor, health *health.Tracker, _ *eventbus.Bus) (Router, error) {
-	return nil, fmt.Errorf("unsupported OS %q", runtime.GOOS)
-}
-
-func cleanUp(logf logger.Logf, interfaceName string) {
-	// Nothing to do here.
-}
--- a/wgengine/router/router_test.go
+++ b/wgengine/router/router_test.go
@@ -11,15 +11,6 @@ import (
 	"tailscale.com/types/preftype"
 )

-//lint:ignore U1000 used in Windows/Linux tests only
-func mustCIDRs(ss ...string) []netip.Prefix {
-	var ret []netip.Prefix
-	for _, s := range ss {
-		ret = append(ret, netip.MustParsePrefix(s))
-	}
-	return ret
-}
-
 func TestConfigEqual(t *testing.T) {
 	testedFields := []string{
 		"LocalAddrs", "Routes", "LocalRoutes", "NewMTU",