tsnet: enable use-cases with non-native IPs by setting ns.ProcessSubnets

Terminating traffic to IPs which are not the native IPs of the node requires the netstack subsystem to intercept trafic to an IP it does not consider local. This PR switches on such interception. In addition to supporting such termination, this change will also enable exit nodes and subnet routers when running in userspace mode. DO NOT MERGE until 1.52 is cut. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates: https://github.com/tailscale/corp/issues/15038
2025-08-11 13:18:53 +00:00 · 2023-10-24 14:08:54 -07:00
parent 452f900589
commit 3df305b764
3 changed files with 90 additions and 27 deletions
--- a/tstest/integration/testcontrol/testcontrol.go
+++ b/tstest/integration/testcontrol/testcontrol.go
@@ -33,6 +33,7 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/ptr"
+	"tailscale.com/util/mak"
 	"tailscale.com/util/must"
 	"tailscale.com/util/rands"
 	"tailscale.com/util/set"
@@ -64,6 +65,10 @@ type Server struct {
 	pubKey     key.MachinePublic
 	privKey    key.ControlPrivate // not strictly needed vs. MachinePrivate, but handy to test type interactions.

+	// nodeSubnetRoutes is a list of subnet routes that are served
+	// by the specified node.
+	nodeSubnetRoutes map[key.NodePublic][]netip.Prefix
+
 	// masquerades is the set of masquerades that should be applied to
 	// MapResponses sent to clients. It is keyed by the requesting nodes
 	// public key, and then the peer node's public key. The value is the
@@ -328,6 +333,13 @@ func (s *Server) serveMachine(w http.ResponseWriter, r *http.Request) {
 	}
 }

+// SetSubnetRoutes sets the list of subnet routes which a node is routing.
+func (s *Server) SetSubnetRoutes(nodeKey key.NodePublic, routes []netip.Prefix) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	mak.Set(&s.nodeSubnetRoutes, nodeKey, routes)
+}
+
 // MasqueradePair is a pair of nodes and the IP address that the
 // Node masquerades as for the Peer.
 //
@@ -908,6 +920,7 @@ func (s *Server) MapResponse(req *tailcfg.MapRequest) (res *tailcfg.MapResponse,

 		s.mu.Lock()
 		peerAddress := s.masquerades[p.Key][node.Key]
+		routes := s.nodeSubnetRoutes[p.Key]
 		s.mu.Unlock()
 		if peerAddress.IsValid() {
 			if peerAddress.Is6() {
@@ -918,6 +931,10 @@ func (s *Server) MapResponse(req *tailcfg.MapRequest) (res *tailcfg.MapResponse,
 				p.AllowedIPs[0] = netip.PrefixFrom(peerAddress, peerAddress.BitLen())
 			}
 		}
+		if len(routes) > 0 {
+			p.PrimaryRoutes = routes
+			p.AllowedIPs = append(p.AllowedIPs, routes...)
+		}
 		res.Peers = append(res.Peers, p)
 	}

@@ -939,11 +956,12 @@ func (s *Server) MapResponse(req *tailcfg.MapRequest) (res *tailcfg.MapResponse,
 		v4Prefix,
 		v6Prefix,
 	}
-	res.Node.AllowedIPs = res.Node.Addresses

-	// Consume a PingRequest while protected by mutex if it exists
 	s.mu.Lock()
 	defer s.mu.Unlock()
+	res.Node.AllowedIPs = append(res.Node.Addresses, s.nodeSubnetRoutes[nk]...)
+
+	// Consume a PingRequest while protected by mutex if it exists
 	switch m := s.msgToSend[nk].(type) {
 	case *tailcfg.PingRequest:
 		res.PingRequest = m