net/tsaddr, wgengine/netstack: add IPv6 range that forwards to site-relative IPv4

This defines a new magic IPv6 prefix, fd7a:115c:a1e0:b1a::/64, a
subset of our existing /48, where the final 32 bits are an IPv4
address, and the middle 32 bits are a user-chosen "site ID". (which
must currently be 0000:00xx; the top 3 bytes must be zero for now)

e.g., I can say my home LAN's "site ID" is "0000:00bb" and then
advertise its 10.2.0.0/16 IPv4 range via IPv6, like:

    tailscale up --advertise-routes=fd7a:115c:a1e0:b1a::bb:10.2.0.0/112

(112 being /128 minus the /96 v6 prefix length)

Then people in my tailnet can:

     $ curl '[fd7a:115c:a1e0:b1a::bb:10.2.0.230]'
     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" ....

Updates #3616, etc

RELNOTE=initial support for TS IPv6 addresses to route v4 "via" specific nodes

Change-Id: I9b49b6ad10410a24b5866b9fbc69d3cae1f600ef
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Brad Fitzpatrick
2022-03-30 08:47:16 -07:00
committed by Brad Fitzpatrick
parent f992749b98
commit 3ae701f0eb
6 changed files with 156 additions and 4 deletions


@@ -106,7 +106,8 @@ type LocalBackend struct {
filterHash deephash.Sum
filterAtomic atomic.Value // of *filter.Filter
filterAtomic atomic.Value // of *filter.Filter
containsViaIPFuncAtomic atomic.Value // of func(netaddr.IP) bool
// The mutex protects the following elements.
mu sync.Mutex
@@ -1573,11 +1574,23 @@ func (b *LocalBackend) loadStateLocked(key ipn.StateKey, prefs *ipn.Prefs) (err
b.logf("using backend prefs for %q: %s", key, b.prefs.Pretty())
b.sshAtomicBool.Set(b.prefs != nil && b.prefs.RunSSH && canSSH)
b.setAtomicValuesFromPrefs(b.prefs)
return nil
}
// setAtomicValuesFromPrefs populates sshAtomicBool and containsViaIPFuncAtomic
// from the prefs p, which may be nil.
func (b *LocalBackend) setAtomicValuesFromPrefs(p *ipn.Prefs) {
b.sshAtomicBool.Set(p != nil && p.RunSSH && canSSH)
if p == nil {
b.containsViaIPFuncAtomic.Store(tsaddr.NewContainsIPFunc(nil))
} else {
b.containsViaIPFuncAtomic.Store(tsaddr.NewContainsIPFunc(tsaddr.FilterPrefixesCopy(p.AdvertiseRoutes, tsaddr.IsViaPrefix)))
}
}
// State returns the backend state machine's current state.
func (b *LocalBackend) State() ipn.State {
b.mu.Lock()
@@ -1746,7 +1759,7 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {
netMap := b.netMap
stateKey := b.stateKey
b.sshAtomicBool.Set(newp.RunSSH && canSSH)
b.setAtomicValuesFromPrefs(newp)
oldp := b.prefs
newp.Persist = oldp.Persist // caller isn't allowed to override this
@@ -2690,11 +2703,21 @@ func (b *LocalBackend) ResetForClientDisconnect() {
b.authURL = ""
b.authURLSticky = ""
b.activeLogin = ""
b.sshAtomicBool.Set(false)
b.setAtomicValuesFromPrefs(nil)
}
func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Get() && canSSH }
// ShouldHandleViaIP reports whether whether ip is an IPv6 address in the
// Tailscale ULA's v6 "via" range embedding an IPv4 address to be forwarded to
// by Tailscale.
func (b *LocalBackend) ShouldHandleViaIP(ip netaddr.IP) bool {
if f, ok := b.containsViaIPFuncAtomic.Load().(func(netaddr.IP) bool); ok {
return f(ip)
}
return false
}
// Logout tells the controlclient that we want to log out, and
// transitions the local engine to the logged-out state without
// waiting for controlclient to be in that state.
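Review bot: ShouldHandleViaIP decides purely from the locally configured prefs.AdvertiseRoutes (setAtomicValuesFromPrefs stores NewContainsIPFunc over FilterPrefixesCopy(p.AdvertiseRoutes, IsViaPrefix)); the netMap that setPrefsLockedOnEntry already has in scope is not consulted, so a via prefix the user advertised but the control plane has not accepted is still reported as "handle this". If netstack uses this predicate to intercept and forward traffic to the embedded IPv4 address, route approval and the packet filter must be enforced somewhere else before forwarding — I cannot see that from this file, so it is worth confirming and worth stating in the doc comment, e.g. `// ShouldHandleViaIP reports whether ip falls in a via-range prefix this node has locally advertised; it does not check control-plane route approval or the packet filter, which callers must apply before forwarding.` The fail-closed paths look right, assuming tsaddr.NewContainsIPFunc(nil) yields a predicate that always returns false (used by ResetForClientDisconnect) and given the type-assertion miss returns false before any prefs are loaded. Minor: the comment reads "reports whether whether ip is" — drop the duplicated word.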