tsconst, util/linuxfw, wgengine/router: move Linux fw consts to tsconst
Now cmd/derper doesn't depend on iptables, nftables, and netlink code :) But this is really just a cleanup step I noticed on the way to letting tsnet applications avoid linking all the OS router code they don't use. Updates #17313 Change-Id: Ic7b4e04e3a9639fd198e9dbeb0f7bae22a4a47a9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
committed by
Brad Fitzpatrick
parent
f19409482d
commit
475b520aa2
@@ -11,7 +11,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
|
|||||||
github.com/coder/websocket/internal/errd from github.com/coder/websocket
|
github.com/coder/websocket/internal/errd from github.com/coder/websocket
|
||||||
github.com/coder/websocket/internal/util from github.com/coder/websocket
|
github.com/coder/websocket/internal/util from github.com/coder/websocket
|
||||||
github.com/coder/websocket/internal/xsync from github.com/coder/websocket
|
github.com/coder/websocket/internal/xsync from github.com/coder/websocket
|
||||||
L github.com/coreos/go-iptables/iptables from tailscale.com/util/linuxfw
|
|
||||||
W 💣 github.com/dblohm7/wingoes from tailscale.com/util/winutil+
|
W 💣 github.com/dblohm7/wingoes from tailscale.com/util/winutil+
|
||||||
github.com/fxamacker/cbor/v2 from tailscale.com/tka
|
github.com/fxamacker/cbor/v2 from tailscale.com/tka
|
||||||
github.com/go-json-experiment/json from tailscale.com/types/opt+
|
github.com/go-json-experiment/json from tailscale.com/types/opt+
|
||||||
@@ -21,18 +20,11 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
|
|||||||
github.com/go-json-experiment/json/internal/jsonwire from github.com/go-json-experiment/json+
|
github.com/go-json-experiment/json/internal/jsonwire from github.com/go-json-experiment/json+
|
||||||
github.com/go-json-experiment/json/jsontext from github.com/go-json-experiment/json+
|
github.com/go-json-experiment/json/jsontext from github.com/go-json-experiment/json+
|
||||||
github.com/golang/groupcache/lru from tailscale.com/net/dnscache
|
github.com/golang/groupcache/lru from tailscale.com/net/dnscache
|
||||||
L github.com/google/nftables from tailscale.com/util/linuxfw
|
|
||||||
L 💣 github.com/google/nftables/alignedbuff from github.com/google/nftables/xt
|
|
||||||
L 💣 github.com/google/nftables/binaryutil from github.com/google/nftables+
|
|
||||||
L github.com/google/nftables/expr from github.com/google/nftables+
|
|
||||||
L github.com/google/nftables/internal/parseexprfunc from github.com/google/nftables+
|
|
||||||
L github.com/google/nftables/xt from github.com/google/nftables/expr+
|
|
||||||
github.com/hdevalence/ed25519consensus from tailscale.com/tka
|
github.com/hdevalence/ed25519consensus from tailscale.com/tka
|
||||||
L 💣 github.com/jsimonetti/rtnetlink from tailscale.com/net/netmon
|
L 💣 github.com/jsimonetti/rtnetlink from tailscale.com/net/netmon
|
||||||
L github.com/jsimonetti/rtnetlink/internal/unix from github.com/jsimonetti/rtnetlink
|
L github.com/jsimonetti/rtnetlink/internal/unix from github.com/jsimonetti/rtnetlink
|
||||||
L 💣 github.com/mdlayher/netlink from github.com/google/nftables+
|
L 💣 github.com/mdlayher/netlink from github.com/jsimonetti/rtnetlink+
|
||||||
L 💣 github.com/mdlayher/netlink/nlenc from github.com/jsimonetti/rtnetlink+
|
L 💣 github.com/mdlayher/netlink/nlenc from github.com/jsimonetti/rtnetlink+
|
||||||
L github.com/mdlayher/netlink/nltest from github.com/google/nftables
|
|
||||||
L 💣 github.com/mdlayher/socket from github.com/mdlayher/netlink
|
L 💣 github.com/mdlayher/socket from github.com/mdlayher/netlink
|
||||||
💣 github.com/mitchellh/go-ps from tailscale.com/safesocket
|
💣 github.com/mitchellh/go-ps from tailscale.com/safesocket
|
||||||
github.com/munnerz/goautoneg from github.com/prometheus/common/expfmt
|
github.com/munnerz/goautoneg from github.com/prometheus/common/expfmt
|
||||||
@@ -49,11 +41,8 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
|
|||||||
W 💣 github.com/tailscale/go-winio/internal/socket from github.com/tailscale/go-winio
|
W 💣 github.com/tailscale/go-winio/internal/socket from github.com/tailscale/go-winio
|
||||||
W github.com/tailscale/go-winio/internal/stringbuffer from github.com/tailscale/go-winio/internal/fs
|
W github.com/tailscale/go-winio/internal/stringbuffer from github.com/tailscale/go-winio/internal/fs
|
||||||
W github.com/tailscale/go-winio/pkg/guid from github.com/tailscale/go-winio+
|
W github.com/tailscale/go-winio/pkg/guid from github.com/tailscale/go-winio+
|
||||||
L 💣 github.com/tailscale/netlink from tailscale.com/util/linuxfw
|
|
||||||
L 💣 github.com/tailscale/netlink/nl from github.com/tailscale/netlink
|
|
||||||
github.com/tailscale/setec/client/setec from tailscale.com/cmd/derper
|
github.com/tailscale/setec/client/setec from tailscale.com/cmd/derper
|
||||||
github.com/tailscale/setec/types/api from github.com/tailscale/setec/client/setec
|
github.com/tailscale/setec/types/api from github.com/tailscale/setec/client/setec
|
||||||
L github.com/vishvananda/netns from github.com/tailscale/netlink+
|
|
||||||
github.com/x448/float16 from github.com/fxamacker/cbor/v2
|
github.com/x448/float16 from github.com/fxamacker/cbor/v2
|
||||||
💣 go4.org/mem from tailscale.com/client/local+
|
💣 go4.org/mem from tailscale.com/client/local+
|
||||||
go4.org/netipx from tailscale.com/net/tsaddr
|
go4.org/netipx from tailscale.com/net/tsaddr
|
||||||
@@ -98,8 +87,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
|
|||||||
tailscale.com/disco from tailscale.com/derp/derpserver
|
tailscale.com/disco from tailscale.com/derp/derpserver
|
||||||
tailscale.com/drive from tailscale.com/client/local+
|
tailscale.com/drive from tailscale.com/client/local+
|
||||||
tailscale.com/envknob from tailscale.com/client/local+
|
tailscale.com/envknob from tailscale.com/client/local+
|
||||||
tailscale.com/feature from tailscale.com/tsweb+
|
tailscale.com/feature from tailscale.com/tsweb
|
||||||
L tailscale.com/feature/buildfeatures from tailscale.com/util/linuxfw
|
|
||||||
tailscale.com/health from tailscale.com/net/tlsdial+
|
tailscale.com/health from tailscale.com/net/tlsdial+
|
||||||
tailscale.com/hostinfo from tailscale.com/net/netmon+
|
tailscale.com/hostinfo from tailscale.com/net/netmon+
|
||||||
tailscale.com/ipn from tailscale.com/client/local
|
tailscale.com/ipn from tailscale.com/client/local
|
||||||
@@ -131,7 +119,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
|
|||||||
tailscale.com/syncs from tailscale.com/cmd/derper+
|
tailscale.com/syncs from tailscale.com/cmd/derper+
|
||||||
tailscale.com/tailcfg from tailscale.com/client/local+
|
tailscale.com/tailcfg from tailscale.com/client/local+
|
||||||
tailscale.com/tka from tailscale.com/client/local+
|
tailscale.com/tka from tailscale.com/client/local+
|
||||||
W tailscale.com/tsconst from tailscale.com/net/netmon+
|
LW tailscale.com/tsconst from tailscale.com/net/netmon+
|
||||||
tailscale.com/tstime from tailscale.com/derp+
|
tailscale.com/tstime from tailscale.com/derp+
|
||||||
tailscale.com/tstime/mono from tailscale.com/tstime/rate
|
tailscale.com/tstime/mono from tailscale.com/tstime/rate
|
||||||
tailscale.com/tstime/rate from tailscale.com/derp/derpserver
|
tailscale.com/tstime/rate from tailscale.com/derp/derpserver
|
||||||
@@ -164,7 +152,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
|
|||||||
tailscale.com/util/eventbus from tailscale.com/net/netmon+
|
tailscale.com/util/eventbus from tailscale.com/net/netmon+
|
||||||
💣 tailscale.com/util/hashx from tailscale.com/util/deephash
|
💣 tailscale.com/util/hashx from tailscale.com/util/deephash
|
||||||
tailscale.com/util/lineiter from tailscale.com/hostinfo+
|
tailscale.com/util/lineiter from tailscale.com/hostinfo+
|
||||||
L tailscale.com/util/linuxfw from tailscale.com/net/netns
|
|
||||||
tailscale.com/util/mak from tailscale.com/health+
|
tailscale.com/util/mak from tailscale.com/health+
|
||||||
tailscale.com/util/multierr from tailscale.com/health+
|
tailscale.com/util/multierr from tailscale.com/health+
|
||||||
tailscale.com/util/nocasemaps from tailscale.com/types/ipproto
|
tailscale.com/util/nocasemaps from tailscale.com/types/ipproto
|
||||||
@@ -214,7 +201,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
|
|||||||
golang.org/x/sync/errgroup from github.com/mdlayher/socket+
|
golang.org/x/sync/errgroup from github.com/mdlayher/socket+
|
||||||
golang.org/x/sync/singleflight from github.com/tailscale/setec/client/setec
|
golang.org/x/sync/singleflight from github.com/tailscale/setec/client/setec
|
||||||
golang.org/x/sys/cpu from golang.org/x/crypto/argon2+
|
golang.org/x/sys/cpu from golang.org/x/crypto/argon2+
|
||||||
LD golang.org/x/sys/unix from github.com/google/nftables+
|
LD golang.org/x/sys/unix from github.com/jsimonetti/rtnetlink/internal/unix+
|
||||||
W golang.org/x/sys/windows from github.com/dblohm7/wingoes+
|
W golang.org/x/sys/windows from github.com/dblohm7/wingoes+
|
||||||
W golang.org/x/sys/windows/registry from github.com/dblohm7/wingoes+
|
W golang.org/x/sys/windows/registry from github.com/dblohm7/wingoes+
|
||||||
W golang.org/x/sys/windows/svc from golang.org/x/sys/windows/svc/mgr+
|
W golang.org/x/sys/windows/svc from golang.org/x/sys/windows/svc/mgr+
|
||||||
@@ -363,7 +350,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
|
|||||||
internal/unsafeheader from internal/reflectlite+
|
internal/unsafeheader from internal/reflectlite+
|
||||||
io from bufio+
|
io from bufio+
|
||||||
io/fs from crypto/x509+
|
io/fs from crypto/x509+
|
||||||
L io/ioutil from github.com/mitchellh/go-ps+
|
L io/ioutil from github.com/mitchellh/go-ps
|
||||||
iter from maps+
|
iter from maps+
|
||||||
log from expvar+
|
log from expvar+
|
||||||
log/internal from log
|
log/internal from log
|
||||||
@@ -387,13 +374,13 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
|
|||||||
net/textproto from golang.org/x/net/http/httpguts+
|
net/textproto from golang.org/x/net/http/httpguts+
|
||||||
net/url from crypto/x509+
|
net/url from crypto/x509+
|
||||||
os from crypto/internal/sysrand+
|
os from crypto/internal/sysrand+
|
||||||
os/exec from github.com/coreos/go-iptables/iptables+
|
os/exec from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
|
||||||
os/signal from tailscale.com/cmd/derper
|
os/signal from tailscale.com/cmd/derper
|
||||||
W os/user from tailscale.com/util/winutil
|
W os/user from tailscale.com/util/winutil
|
||||||
path from github.com/prometheus/client_golang/prometheus/internal+
|
path from github.com/prometheus/client_golang/prometheus/internal+
|
||||||
path/filepath from crypto/x509+
|
path/filepath from crypto/x509+
|
||||||
reflect from crypto/x509+
|
reflect from crypto/x509+
|
||||||
regexp from github.com/coreos/go-iptables/iptables+
|
regexp from github.com/prometheus/client_golang/prometheus/internal+
|
||||||
regexp/syntax from regexp
|
regexp/syntax from regexp
|
||||||
runtime from crypto/internal/fips140+
|
runtime from crypto/internal/fips140+
|
||||||
runtime/debug from github.com/prometheus/client_golang/prometheus+
|
runtime/debug from github.com/prometheus/client_golang/prometheus+
|
||||||
|
|||||||
@@ -932,7 +932,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
|
|||||||
💣 tailscale.com/util/hashx from tailscale.com/util/deephash
|
💣 tailscale.com/util/hashx from tailscale.com/util/deephash
|
||||||
tailscale.com/util/httpm from tailscale.com/client/tailscale+
|
tailscale.com/util/httpm from tailscale.com/client/tailscale+
|
||||||
tailscale.com/util/lineiter from tailscale.com/hostinfo+
|
tailscale.com/util/lineiter from tailscale.com/hostinfo+
|
||||||
L tailscale.com/util/linuxfw from tailscale.com/net/netns+
|
L tailscale.com/util/linuxfw from tailscale.com/wgengine/router
|
||||||
tailscale.com/util/mak from tailscale.com/appc+
|
tailscale.com/util/mak from tailscale.com/appc+
|
||||||
tailscale.com/util/multierr from tailscale.com/control/controlclient+
|
tailscale.com/util/multierr from tailscale.com/control/controlclient+
|
||||||
tailscale.com/util/must from tailscale.com/clientupdate/distsign+
|
tailscale.com/util/must from tailscale.com/clientupdate/distsign+
|
||||||
|
|||||||
@@ -14,7 +14,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
|
|||||||
github.com/coder/websocket/internal/errd from github.com/coder/websocket
|
github.com/coder/websocket/internal/errd from github.com/coder/websocket
|
||||||
github.com/coder/websocket/internal/util from github.com/coder/websocket
|
github.com/coder/websocket/internal/util from github.com/coder/websocket
|
||||||
github.com/coder/websocket/internal/xsync from github.com/coder/websocket
|
github.com/coder/websocket/internal/xsync from github.com/coder/websocket
|
||||||
L github.com/coreos/go-iptables/iptables from tailscale.com/util/linuxfw
|
|
||||||
W 💣 github.com/dblohm7/wingoes from github.com/dblohm7/wingoes/pe+
|
W 💣 github.com/dblohm7/wingoes from github.com/dblohm7/wingoes/pe+
|
||||||
W 💣 github.com/dblohm7/wingoes/pe from tailscale.com/util/winutil/authenticode
|
W 💣 github.com/dblohm7/wingoes/pe from tailscale.com/util/winutil/authenticode
|
||||||
L github.com/fogleman/gg from tailscale.com/client/systray
|
L github.com/fogleman/gg from tailscale.com/client/systray
|
||||||
@@ -31,12 +30,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
|
|||||||
L github.com/golang/freetype/raster from github.com/fogleman/gg+
|
L github.com/golang/freetype/raster from github.com/fogleman/gg+
|
||||||
L github.com/golang/freetype/truetype from github.com/fogleman/gg
|
L github.com/golang/freetype/truetype from github.com/fogleman/gg
|
||||||
github.com/golang/groupcache/lru from tailscale.com/net/dnscache
|
github.com/golang/groupcache/lru from tailscale.com/net/dnscache
|
||||||
L github.com/google/nftables from tailscale.com/util/linuxfw
|
|
||||||
L 💣 github.com/google/nftables/alignedbuff from github.com/google/nftables/xt
|
|
||||||
L 💣 github.com/google/nftables/binaryutil from github.com/google/nftables+
|
|
||||||
L github.com/google/nftables/expr from github.com/google/nftables+
|
|
||||||
L github.com/google/nftables/internal/parseexprfunc from github.com/google/nftables+
|
|
||||||
L github.com/google/nftables/xt from github.com/google/nftables/expr+
|
|
||||||
DW github.com/google/uuid from tailscale.com/clientupdate+
|
DW github.com/google/uuid from tailscale.com/clientupdate+
|
||||||
github.com/hdevalence/ed25519consensus from tailscale.com/clientupdate/distsign+
|
github.com/hdevalence/ed25519consensus from tailscale.com/clientupdate/distsign+
|
||||||
L 💣 github.com/jsimonetti/rtnetlink from tailscale.com/net/netmon
|
L 💣 github.com/jsimonetti/rtnetlink from tailscale.com/net/netmon
|
||||||
@@ -44,9 +37,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
|
|||||||
github.com/kballard/go-shellquote from tailscale.com/cmd/tailscale/cli
|
github.com/kballard/go-shellquote from tailscale.com/cmd/tailscale/cli
|
||||||
💣 github.com/mattn/go-colorable from tailscale.com/cmd/tailscale/cli
|
💣 github.com/mattn/go-colorable from tailscale.com/cmd/tailscale/cli
|
||||||
💣 github.com/mattn/go-isatty from tailscale.com/cmd/tailscale/cli+
|
💣 github.com/mattn/go-isatty from tailscale.com/cmd/tailscale/cli+
|
||||||
L 💣 github.com/mdlayher/netlink from github.com/google/nftables+
|
L 💣 github.com/mdlayher/netlink from github.com/jsimonetti/rtnetlink+
|
||||||
L 💣 github.com/mdlayher/netlink/nlenc from github.com/jsimonetti/rtnetlink+
|
L 💣 github.com/mdlayher/netlink/nlenc from github.com/jsimonetti/rtnetlink+
|
||||||
L github.com/mdlayher/netlink/nltest from github.com/google/nftables
|
|
||||||
L 💣 github.com/mdlayher/socket from github.com/mdlayher/netlink
|
L 💣 github.com/mdlayher/socket from github.com/mdlayher/netlink
|
||||||
💣 github.com/mitchellh/go-ps from tailscale.com/cmd/tailscale/cli+
|
💣 github.com/mitchellh/go-ps from tailscale.com/cmd/tailscale/cli+
|
||||||
github.com/peterbourgon/ff/v3 from github.com/peterbourgon/ff/v3/ffcli+
|
github.com/peterbourgon/ff/v3 from github.com/peterbourgon/ff/v3/ffcli+
|
||||||
@@ -66,11 +58,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
|
|||||||
github.com/tailscale/goupnp/scpd from github.com/tailscale/goupnp
|
github.com/tailscale/goupnp/scpd from github.com/tailscale/goupnp
|
||||||
github.com/tailscale/goupnp/soap from github.com/tailscale/goupnp+
|
github.com/tailscale/goupnp/soap from github.com/tailscale/goupnp+
|
||||||
github.com/tailscale/goupnp/ssdp from github.com/tailscale/goupnp
|
github.com/tailscale/goupnp/ssdp from github.com/tailscale/goupnp
|
||||||
L 💣 github.com/tailscale/netlink from tailscale.com/util/linuxfw
|
|
||||||
L 💣 github.com/tailscale/netlink/nl from github.com/tailscale/netlink
|
|
||||||
github.com/tailscale/web-client-prebuilt from tailscale.com/client/web
|
github.com/tailscale/web-client-prebuilt from tailscale.com/client/web
|
||||||
github.com/toqueteos/webbrowser from tailscale.com/cmd/tailscale/cli+
|
github.com/toqueteos/webbrowser from tailscale.com/cmd/tailscale/cli+
|
||||||
L github.com/vishvananda/netns from github.com/tailscale/netlink+
|
|
||||||
github.com/x448/float16 from github.com/fxamacker/cbor/v2
|
github.com/x448/float16 from github.com/fxamacker/cbor/v2
|
||||||
💣 go4.org/mem from tailscale.com/client/local+
|
💣 go4.org/mem from tailscale.com/client/local+
|
||||||
go4.org/netipx from tailscale.com/net/tsaddr
|
go4.org/netipx from tailscale.com/net/tsaddr
|
||||||
@@ -183,7 +172,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
|
|||||||
💣 tailscale.com/util/hashx from tailscale.com/util/deephash
|
💣 tailscale.com/util/hashx from tailscale.com/util/deephash
|
||||||
tailscale.com/util/httpm from tailscale.com/client/tailscale+
|
tailscale.com/util/httpm from tailscale.com/client/tailscale+
|
||||||
tailscale.com/util/lineiter from tailscale.com/hostinfo+
|
tailscale.com/util/lineiter from tailscale.com/hostinfo+
|
||||||
L tailscale.com/util/linuxfw from tailscale.com/net/netns
|
|
||||||
tailscale.com/util/mak from tailscale.com/cmd/tailscale/cli+
|
tailscale.com/util/mak from tailscale.com/cmd/tailscale/cli+
|
||||||
tailscale.com/util/multierr from tailscale.com/health+
|
tailscale.com/util/multierr from tailscale.com/health+
|
||||||
tailscale.com/util/must from tailscale.com/clientupdate/distsign+
|
tailscale.com/util/must from tailscale.com/clientupdate/distsign+
|
||||||
@@ -259,7 +247,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
|
|||||||
golang.org/x/oauth2/internal from golang.org/x/oauth2+
|
golang.org/x/oauth2/internal from golang.org/x/oauth2+
|
||||||
golang.org/x/sync/errgroup from github.com/mdlayher/socket+
|
golang.org/x/sync/errgroup from github.com/mdlayher/socket+
|
||||||
golang.org/x/sys/cpu from golang.org/x/crypto/argon2+
|
golang.org/x/sys/cpu from golang.org/x/crypto/argon2+
|
||||||
LD golang.org/x/sys/unix from github.com/google/nftables+
|
LD golang.org/x/sys/unix from github.com/jsimonetti/rtnetlink/internal/unix+
|
||||||
W golang.org/x/sys/windows from github.com/dblohm7/wingoes+
|
W golang.org/x/sys/windows from github.com/dblohm7/wingoes+
|
||||||
W golang.org/x/sys/windows/registry from github.com/dblohm7/wingoes+
|
W golang.org/x/sys/windows/registry from github.com/dblohm7/wingoes+
|
||||||
W golang.org/x/sys/windows/svc from golang.org/x/sys/windows/svc/mgr+
|
W golang.org/x/sys/windows/svc from golang.org/x/sys/windows/svc/mgr+
|
||||||
@@ -446,13 +434,13 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
|
|||||||
net/textproto from golang.org/x/net/http/httpguts+
|
net/textproto from golang.org/x/net/http/httpguts+
|
||||||
net/url from crypto/x509+
|
net/url from crypto/x509+
|
||||||
os from crypto/internal/sysrand+
|
os from crypto/internal/sysrand+
|
||||||
os/exec from github.com/coreos/go-iptables/iptables+
|
os/exec from github.com/atotto/clipboard+
|
||||||
os/signal from tailscale.com/cmd/tailscale/cli+
|
os/signal from tailscale.com/cmd/tailscale/cli+
|
||||||
os/user from archive/tar+
|
os/user from archive/tar+
|
||||||
path from archive/tar+
|
path from archive/tar+
|
||||||
path/filepath from archive/tar+
|
path/filepath from archive/tar+
|
||||||
reflect from archive/tar+
|
reflect from archive/tar+
|
||||||
regexp from github.com/coreos/go-iptables/iptables+
|
regexp from github.com/tailscale/goupnp/httpu+
|
||||||
regexp/syntax from regexp
|
regexp/syntax from regexp
|
||||||
runtime from archive/tar+
|
runtime from archive/tar+
|
||||||
runtime/debug from tailscale.com+
|
runtime/debug from tailscale.com+
|
||||||
|
|||||||
@@ -142,6 +142,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
|
|||||||
tailscale.com/tempfork/heap from tailscale.com/wgengine/magicsock
|
tailscale.com/tempfork/heap from tailscale.com/wgengine/magicsock
|
||||||
tailscale.com/tempfork/httprec from tailscale.com/control/controlclient
|
tailscale.com/tempfork/httprec from tailscale.com/control/controlclient
|
||||||
tailscale.com/tka from tailscale.com/control/controlclient+
|
tailscale.com/tka from tailscale.com/control/controlclient+
|
||||||
|
tailscale.com/tsconst from tailscale.com/net/netns+
|
||||||
tailscale.com/tsd from tailscale.com/cmd/tailscaled+
|
tailscale.com/tsd from tailscale.com/cmd/tailscaled+
|
||||||
tailscale.com/tstime from tailscale.com/control/controlclient+
|
tailscale.com/tstime from tailscale.com/control/controlclient+
|
||||||
tailscale.com/tstime/mono from tailscale.com/net/tstun+
|
tailscale.com/tstime/mono from tailscale.com/net/tstun+
|
||||||
@@ -184,7 +185,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
|
|||||||
💣 tailscale.com/util/hashx from tailscale.com/util/deephash
|
💣 tailscale.com/util/hashx from tailscale.com/util/deephash
|
||||||
tailscale.com/util/httpm from tailscale.com/clientupdate/distsign+
|
tailscale.com/util/httpm from tailscale.com/clientupdate/distsign+
|
||||||
tailscale.com/util/lineiter from tailscale.com/hostinfo+
|
tailscale.com/util/lineiter from tailscale.com/hostinfo+
|
||||||
tailscale.com/util/linuxfw from tailscale.com/net/netns+
|
tailscale.com/util/linuxfw from tailscale.com/wgengine/router
|
||||||
tailscale.com/util/mak from tailscale.com/appc+
|
tailscale.com/util/mak from tailscale.com/appc+
|
||||||
tailscale.com/util/multierr from tailscale.com/cmd/tailscaled+
|
tailscale.com/util/multierr from tailscale.com/cmd/tailscaled+
|
||||||
tailscale.com/util/must from tailscale.com/clientupdate/distsign+
|
tailscale.com/util/must from tailscale.com/clientupdate/distsign+
|
||||||
|
|||||||
@@ -419,7 +419,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
|
|||||||
tailscale.com/util/httphdr from tailscale.com/feature/taildrop
|
tailscale.com/util/httphdr from tailscale.com/feature/taildrop
|
||||||
tailscale.com/util/httpm from tailscale.com/client/web+
|
tailscale.com/util/httpm from tailscale.com/client/web+
|
||||||
tailscale.com/util/lineiter from tailscale.com/hostinfo+
|
tailscale.com/util/lineiter from tailscale.com/hostinfo+
|
||||||
L tailscale.com/util/linuxfw from tailscale.com/net/netns+
|
L tailscale.com/util/linuxfw from tailscale.com/wgengine/router
|
||||||
tailscale.com/util/mak from tailscale.com/control/controlclient+
|
tailscale.com/util/mak from tailscale.com/control/controlclient+
|
||||||
tailscale.com/util/multierr from tailscale.com/cmd/tailscaled+
|
tailscale.com/util/multierr from tailscale.com/cmd/tailscaled+
|
||||||
tailscale.com/util/must from tailscale.com/clientupdate/distsign+
|
tailscale.com/util/must from tailscale.com/clientupdate/distsign+
|
||||||
|
|||||||
@@ -362,7 +362,7 @@ tailscale.com/cmd/tsidp dependencies: (generated by github.com/tailscale/depawar
|
|||||||
💣 tailscale.com/util/hashx from tailscale.com/util/deephash
|
💣 tailscale.com/util/hashx from tailscale.com/util/deephash
|
||||||
tailscale.com/util/httpm from tailscale.com/client/web+
|
tailscale.com/util/httpm from tailscale.com/client/web+
|
||||||
tailscale.com/util/lineiter from tailscale.com/hostinfo+
|
tailscale.com/util/lineiter from tailscale.com/hostinfo+
|
||||||
L tailscale.com/util/linuxfw from tailscale.com/net/netns+
|
L tailscale.com/util/linuxfw from tailscale.com/wgengine/router
|
||||||
tailscale.com/util/mak from tailscale.com/appc+
|
tailscale.com/util/mak from tailscale.com/appc+
|
||||||
tailscale.com/util/multierr from tailscale.com/control/controlclient+
|
tailscale.com/util/multierr from tailscale.com/control/controlclient+
|
||||||
tailscale.com/util/must from tailscale.com/clientupdate/distsign+
|
tailscale.com/util/must from tailscale.com/clientupdate/distsign+
|
||||||
|
|||||||
@@ -15,8 +15,8 @@ import (
|
|||||||
"golang.org/x/sys/unix"
|
"golang.org/x/sys/unix"
|
||||||
"tailscale.com/envknob"
|
"tailscale.com/envknob"
|
||||||
"tailscale.com/net/netmon"
|
"tailscale.com/net/netmon"
|
||||||
|
"tailscale.com/tsconst"
|
||||||
"tailscale.com/types/logger"
|
"tailscale.com/types/logger"
|
||||||
"tailscale.com/util/linuxfw"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// socketMarkWorksOnce is the sync.Once & cached value for useSocketMark.
|
// socketMarkWorksOnce is the sync.Once & cached value for useSocketMark.
|
||||||
@@ -111,7 +111,7 @@ func controlC(network, address string, c syscall.RawConn) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func setBypassMark(fd uintptr) error {
|
func setBypassMark(fd uintptr) error {
|
||||||
if err := unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_MARK, linuxfw.TailscaleBypassMarkNum); err != nil {
|
if err := unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_MARK, tsconst.LinuxBypassMarkNum); err != nil {
|
||||||
return fmt.Errorf("setting SO_MARK bypass: %w", err)
|
return fmt.Errorf("setting SO_MARK bypass: %w", err)
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
|
|||||||
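Review bot: setBypassMark in the second hunk still has no doc comment, and after the switch to tsconst.LinuxBypassMarkNum this call is the only place in the file that says what the mark is for; suggest `// setBypassMark sets SO_MARK on fd to tsconst.LinuxBypassMarkNum so that traffic from this socket is not routed over the Tailscale network.` The intent is documented on the constant in tsconst, so the function comment should point at the constant rather than restate the number. setBypassMark's closing brace is outside the hunk.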
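--- /dev/null
+++ b/tsconst/linuxfw.go
@@ -0,0 +1,43 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package tsconst
+
+// Linux firewall constants used by Tailscale.
+
+// The following bits are added to packet marks for Tailscale use.
+//
+// We tried to pick bits sufficiently out of the way that it's
+// unlikely to collide with existing uses. We have 4 bytes of mark
+// bits to play with. We leave the lower byte alone on the assumption
+// that sysadmins would use those. Kubernetes uses a few bits in the
+// second byte, so we steer clear of that too.
+//
+// Empirically, most of the documentation on packet marks on the
+// internet gives the impression that the marks are 16 bits
+// wide. Based on this, we theorize that the upper two bytes are
+// relatively unused in the wild, and so we consume bits 16:23 (the
+// third byte).
+//
+// The constants are in the iptables/iproute2 string format for
+// matching and setting the bits, so they can be directly embedded in
+// commands.
+const (
+	// The mask for reading/writing the 'firewall mask' bits on a packet.
+	// See the comment on the const block on why we only use the third byte.
+	//
+	// We claim bits 16:23 entirely. For now we only use the lower four
+	// bits, leaving the higher 4 bits for future use.
+	LinuxFwmarkMask = "0xff0000"
+	LinuxFwmarkMaskNum = 0xff0000
+
+	// Packet is from Tailscale and to a subnet route destination, so
+	// is allowed to be routed through this machine.
+	LinuxSubnetRouteMark = "0x40000"
+	LinuxSubnetRouteMarkNum = 0x40000
+
+	// Packet was originated by tailscaled itself, and must not be
+	// routed over the Tailscale network.
+	LinuxBypassMark = "0x80000"
+	LinuxBypassMarkNum = 0x80000
+)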
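Review bot: The string and numeric forms of each mark (LinuxBypassMark / LinuxBypassMarkNum, and likewise the subnet-route mark and the mask) are declared as independent literals in the const block, so nothing ties them together, and a drift between them would make the SO_MARK that net/netns sets from the numeric form disagree with the rules linuxfw builds from the string form. A package test would pin each pair, e.g. `if v, err := strconv.ParseUint(LinuxBypassMark, 0, 32); err != nil || v != LinuxBypassMarkNum { t.Fatalf("LinuxBypassMark %q != %#x", LinuxBypassMark, LinuxBypassMarkNum) }` repeated for the other two pairs. Separately, the exported `*Num` constants carry no doc comment of their own and the comments that do exist do not start with the identifier as Go doc conventions expect; a one-liner such as `// LinuxBypassMarkNum is the numeric form of LinuxBypassMark.` on each would fix that.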
@@ -357,7 +357,7 @@ tailscale.com/tsnet dependencies: (generated by github.com/tailscale/depaware)
|
|||||||
💣 tailscale.com/util/hashx from tailscale.com/util/deephash
|
💣 tailscale.com/util/hashx from tailscale.com/util/deephash
|
||||||
tailscale.com/util/httpm from tailscale.com/client/web+
|
tailscale.com/util/httpm from tailscale.com/client/web+
|
||||||
tailscale.com/util/lineiter from tailscale.com/hostinfo+
|
tailscale.com/util/lineiter from tailscale.com/hostinfo+
|
||||||
L tailscale.com/util/linuxfw from tailscale.com/net/netns+
|
L tailscale.com/util/linuxfw from tailscale.com/wgengine/router
|
||||||
tailscale.com/util/mak from tailscale.com/appc+
|
tailscale.com/util/mak from tailscale.com/appc+
|
||||||
tailscale.com/util/multierr from tailscale.com/control/controlclient+
|
tailscale.com/util/multierr from tailscale.com/control/controlclient+
|
||||||
tailscale.com/util/must from tailscale.com/clientupdate/distsign+
|
tailscale.com/util/must from tailscale.com/clientupdate/distsign+
|
||||||
|
|||||||
@@ -246,11 +246,11 @@ func (i *iptablesRunner) addBase4(tunname string) error {
|
|||||||
// POSTROUTING. So instead, we match on the inbound interface in
|
// POSTROUTING. So instead, we match on the inbound interface in
|
||||||
// filter/FORWARD, and set a packet mark that nat/POSTROUTING can
|
// filter/FORWARD, and set a packet mark that nat/POSTROUTING can
|
||||||
// use to effectively run that same test again.
|
// use to effectively run that same test again.
|
||||||
args = []string{"-i", tunname, "-j", "MARK", "--set-mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask}
|
args = []string{"-i", tunname, "-j", "MARK", "--set-mark", subnetRouteMark + "/" + fwmarkMask}
|
||||||
if err := i.ipt4.Append("filter", "ts-forward", args...); err != nil {
|
if err := i.ipt4.Append("filter", "ts-forward", args...); err != nil {
|
||||||
return fmt.Errorf("adding %v in v4/filter/ts-forward: %w", args, err)
|
return fmt.Errorf("adding %v in v4/filter/ts-forward: %w", args, err)
|
||||||
}
|
}
|
||||||
args = []string{"-m", "mark", "--mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask, "-j", "ACCEPT"}
|
args = []string{"-m", "mark", "--mark", subnetRouteMark + "/" + fwmarkMask, "-j", "ACCEPT"}
|
||||||
if err := i.ipt4.Append("filter", "ts-forward", args...); err != nil {
|
if err := i.ipt4.Append("filter", "ts-forward", args...); err != nil {
|
||||||
return fmt.Errorf("adding %v in v4/filter/ts-forward: %w", args, err)
|
return fmt.Errorf("adding %v in v4/filter/ts-forward: %w", args, err)
|
||||||
}
|
}
|
||||||
@@ -352,11 +352,11 @@ func (i *iptablesRunner) addBase6(tunname string) error {
|
|||||||
return fmt.Errorf("adding %v in v6/filter/ts-input: %w", args, err)
|
return fmt.Errorf("adding %v in v6/filter/ts-input: %w", args, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
args = []string{"-i", tunname, "-j", "MARK", "--set-mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask}
|
args = []string{"-i", tunname, "-j", "MARK", "--set-mark", subnetRouteMark + "/" + fwmarkMask}
|
||||||
if err := i.ipt6.Append("filter", "ts-forward", args...); err != nil {
|
if err := i.ipt6.Append("filter", "ts-forward", args...); err != nil {
|
||||||
return fmt.Errorf("adding %v in v6/filter/ts-forward: %w", args, err)
|
return fmt.Errorf("adding %v in v6/filter/ts-forward: %w", args, err)
|
||||||
}
|
}
|
||||||
args = []string{"-m", "mark", "--mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask, "-j", "ACCEPT"}
|
args = []string{"-m", "mark", "--mark", subnetRouteMark + "/" + fwmarkMask, "-j", "ACCEPT"}
|
||||||
if err := i.ipt6.Append("filter", "ts-forward", args...); err != nil {
|
if err := i.ipt6.Append("filter", "ts-forward", args...); err != nil {
|
||||||
return fmt.Errorf("adding %v in v6/filter/ts-forward: %w", args, err)
|
return fmt.Errorf("adding %v in v6/filter/ts-forward: %w", args, err)
|
||||||
}
|
}
|
||||||
@@ -445,7 +445,7 @@ func (i *iptablesRunner) DelHooks(logf logger.Logf) error {
|
|||||||
// AddSNATRule adds a netfilter rule to SNAT traffic destined for
|
// AddSNATRule adds a netfilter rule to SNAT traffic destined for
|
||||||
// local subnets.
|
// local subnets.
|
||||||
func (i *iptablesRunner) AddSNATRule() error {
|
func (i *iptablesRunner) AddSNATRule() error {
|
||||||
args := []string{"-m", "mark", "--mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask, "-j", "MASQUERADE"}
|
args := []string{"-m", "mark", "--mark", subnetRouteMark + "/" + fwmarkMask, "-j", "MASQUERADE"}
|
||||||
for _, ipt := range i.getNATTables() {
|
for _, ipt := range i.getNATTables() {
|
||||||
if err := ipt.Append("nat", "ts-postrouting", args...); err != nil {
|
if err := ipt.Append("nat", "ts-postrouting", args...); err != nil {
|
||||||
return fmt.Errorf("adding %v in nat/ts-postrouting: %w", args, err)
|
return fmt.Errorf("adding %v in nat/ts-postrouting: %w", args, err)
|
||||||
@@ -457,7 +457,7 @@ func (i *iptablesRunner) AddSNATRule() error {
|
|||||||
// DelSNATRule removes the netfilter rule to SNAT traffic destined for
|
// DelSNATRule removes the netfilter rule to SNAT traffic destined for
|
||||||
// local subnets. An error is returned if the rule does not exist.
|
// local subnets. An error is returned if the rule does not exist.
|
||||||
func (i *iptablesRunner) DelSNATRule() error {
|
func (i *iptablesRunner) DelSNATRule() error {
|
||||||
args := []string{"-m", "mark", "--mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask, "-j", "MASQUERADE"}
|
args := []string{"-m", "mark", "--mark", subnetRouteMark + "/" + fwmarkMask, "-j", "MASQUERADE"}
|
||||||
for _, ipt := range i.getNATTables() {
|
for _, ipt := range i.getNATTables() {
|
||||||
if err := ipt.Delete("nat", "ts-postrouting", args...); err != nil {
|
if err := ipt.Delete("nat", "ts-postrouting", args...); err != nil {
|
||||||
return fmt.Errorf("deleting %v in nat/ts-postrouting: %w", args, err)
|
return fmt.Errorf("deleting %v in nat/ts-postrouting: %w", args, err)
|
||||||
|
|||||||
@@ -11,6 +11,7 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"tailscale.com/net/tsaddr"
|
"tailscale.com/net/tsaddr"
|
||||||
|
"tailscale.com/tsconst"
|
||||||
)
|
)
|
||||||
|
|
||||||
var testIsNotExistErr = "exitcode:1"
|
var testIsNotExistErr = "exitcode:1"
|
||||||
@@ -132,8 +133,8 @@ func TestAddAndDeleteBase(t *testing.T) {
|
|||||||
|
|
||||||
tsRulesCommon := []fakeRule{ // table/chain/rule
|
tsRulesCommon := []fakeRule{ // table/chain/rule
|
||||||
{"filter", "ts-input", []string{"-i", tunname, "-j", "ACCEPT"}},
|
{"filter", "ts-input", []string{"-i", tunname, "-j", "ACCEPT"}},
|
||||||
{"filter", "ts-forward", []string{"-i", tunname, "-j", "MARK", "--set-mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask}},
|
{"filter", "ts-forward", []string{"-i", tunname, "-j", "MARK", "--set-mark", tsconst.LinuxSubnetRouteMark + "/" + tsconst.LinuxFwmarkMask}},
|
||||||
{"filter", "ts-forward", []string{"-m", "mark", "--mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask, "-j", "ACCEPT"}},
|
{"filter", "ts-forward", []string{"-m", "mark", "--mark", tsconst.LinuxSubnetRouteMark + "/" + tsconst.LinuxFwmarkMask, "-j", "ACCEPT"}},
|
||||||
{"filter", "ts-forward", []string{"-o", tunname, "-j", "ACCEPT"}},
|
{"filter", "ts-forward", []string{"-o", tunname, "-j", "ACCEPT"}},
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -254,7 +255,7 @@ func TestAddAndDelSNATRule(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
rule := fakeRule{ // table/chain/rule
|
rule := fakeRule{ // table/chain/rule
|
||||||
"nat", "ts-postrouting", []string{"-m", "mark", "--mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask, "-j", "MASQUERADE"},
|
"nat", "ts-postrouting", []string{"-m", "mark", "--mark", tsconst.LinuxSubnetRouteMark + "/" + tsconst.LinuxFwmarkMask, "-j", "MASQUERADE"},
|
||||||
}
|
}
|
||||||
|
|
||||||
// Add SNAT rule
|
// Add SNAT rule
|
||||||
|
|||||||
@@ -15,6 +15,7 @@ import (
|
|||||||
|
|
||||||
"github.com/tailscale/netlink"
|
"github.com/tailscale/netlink"
|
||||||
"tailscale.com/feature"
|
"tailscale.com/feature"
|
||||||
|
"tailscale.com/tsconst"
|
||||||
"tailscale.com/types/logger"
|
"tailscale.com/types/logger"
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -70,23 +71,12 @@ const (
|
|||||||
// matching and setting the bits, so they can be directly embedded in
|
// matching and setting the bits, so they can be directly embedded in
|
||||||
// commands.
|
// commands.
|
||||||
const (
|
const (
|
||||||
// The mask for reading/writing the 'firewall mask' bits on a packet.
|
fwmarkMask = tsconst.LinuxFwmarkMask
|
||||||
// See the comment on the const block on why we only use the third byte.
|
fwmarkMaskNum = tsconst.LinuxFwmarkMaskNum
|
||||||
//
|
subnetRouteMark = tsconst.LinuxSubnetRouteMark
|
||||||
// We claim bits 16:23 entirely. For now we only use the lower four
|
subnetRouteMarkNum = tsconst.LinuxSubnetRouteMarkNum
|
||||||
// bits, leaving the higher 4 bits for future use.
|
bypassMark = tsconst.LinuxBypassMark
|
||||||
TailscaleFwmarkMask = "0xff0000"
|
bypassMarkNum = tsconst.LinuxBypassMarkNum
|
||||||
TailscaleFwmarkMaskNum = 0xff0000
|
|
||||||
|
|
||||||
// Packet is from Tailscale and to a subnet route destination, so
|
|
||||||
// is allowed to be routed through this machine.
|
|
||||||
TailscaleSubnetRouteMark = "0x40000"
|
|
||||||
TailscaleSubnetRouteMarkNum = 0x40000
|
|
||||||
|
|
||||||
// Packet was originated by tailscaled itself, and must not be
|
|
||||||
// routed over the Tailscale network.
|
|
||||||
TailscaleBypassMark = "0x80000"
|
|
||||||
TailscaleBypassMarkNum = 0x80000
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// getTailscaleFwmarkMaskNeg returns the negation of TailscaleFwmarkMask in bytes.
|
// getTailscaleFwmarkMaskNeg returns the negation of TailscaleFwmarkMask in bytes.
|
||||||
@@ -170,7 +160,7 @@ func CheckIPRuleSupportsV6(logf logger.Logf) error {
|
|||||||
// Try to actually create & delete one as a test.
|
// Try to actually create & delete one as a test.
|
||||||
rule := netlink.NewRule()
|
rule := netlink.NewRule()
|
||||||
rule.Priority = 1234
|
rule.Priority = 1234
|
||||||
rule.Mark = TailscaleBypassMarkNum
|
rule.Mark = bypassMarkNum
|
||||||
rule.Table = 52
|
rule.Table = 52
|
||||||
rule.Family = netlink.FAMILY_V6
|
rule.Family = netlink.FAMILY_V6
|
||||||
// First delete the rule unconditionally, and don't check for
|
// First delete the rule unconditionally, and don't check for
|
||||||
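Review bot: The doc comment on getTailscaleFwmarkMaskNeg, the context line directly below the rewritten const block, still names `TailscaleFwmarkMask`, which this hunk appears to remove from the package in favour of the unexported alias `fwmarkMask`, so it now refers to a symbol that no longer exists here; it should read `// getTailscaleFwmarkMaskNeg returns the negation of fwmarkMask (tsconst.LinuxFwmarkMask) in bytes.`. The per-constant explanations attached to the old definitions (the mask claims bits 16:23 and uses only the lower four; the subnet-route mark means "from Tailscale to a subnet route destination, allowed to be forwarded"; the bypass mark means "originated by tailscaled, must not be routed over the Tailscale network") are dropped from this block, and whether they were carried over to tsconst is not visible in this diff; a one-line pointer such as `// Semantics of each mark are documented on the tsconst.Linux* constants.` above the block would keep the rationale discoverable from the code that embeds the marks into firewall rules. Also worth noting that the previously exported `Tailscale*Mark*` names become unexported, so any importer of util/linuxfw outside this repository that referenced them will stop building; keeping deprecated exported aliases for a release would soften that.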
|
|||||||
@@ -26,6 +26,7 @@ import (
|
|||||||
"tailscale.com/envknob"
|
"tailscale.com/envknob"
|
||||||
"tailscale.com/health"
|
"tailscale.com/health"
|
||||||
"tailscale.com/net/netmon"
|
"tailscale.com/net/netmon"
|
||||||
|
"tailscale.com/tsconst"
|
||||||
"tailscale.com/types/logger"
|
"tailscale.com/types/logger"
|
||||||
"tailscale.com/types/opt"
|
"tailscale.com/types/opt"
|
||||||
"tailscale.com/types/preftype"
|
"tailscale.com/types/preftype"
|
||||||
@@ -1238,14 +1239,14 @@ var baseIPRules = []netlink.Rule{
|
|||||||
// main routing table.
|
// main routing table.
|
||||||
{
|
{
|
||||||
Priority: 10,
|
Priority: 10,
|
||||||
Mark: linuxfw.TailscaleBypassMarkNum,
|
Mark: tsconst.LinuxBypassMarkNum,
|
||||||
Table: mainRouteTable.Num,
|
Table: mainRouteTable.Num,
|
||||||
},
|
},
|
||||||
// ...and then we try the 'default' table, for correctness,
|
// ...and then we try the 'default' table, for correctness,
|
||||||
// even though it's been empty on every Linux system I've ever seen.
|
// even though it's been empty on every Linux system I've ever seen.
|
||||||
{
|
{
|
||||||
Priority: 30,
|
Priority: 30,
|
||||||
Mark: linuxfw.TailscaleBypassMarkNum,
|
Mark: tsconst.LinuxBypassMarkNum,
|
||||||
Table: defaultRouteTable.Num,
|
Table: defaultRouteTable.Num,
|
||||||
},
|
},
|
||||||
// If neither of those matched (no default route on this system?)
|
// If neither of those matched (no default route on this system?)
|
||||||
@@ -1253,7 +1254,7 @@ var baseIPRules = []netlink.Rule{
|
|||||||
// to the tailscale routes, because that would create routing loops.
|
// to the tailscale routes, because that would create routing loops.
|
||||||
{
|
{
|
||||||
Priority: 50,
|
Priority: 50,
|
||||||
Mark: linuxfw.TailscaleBypassMarkNum,
|
Mark: tsconst.LinuxBypassMarkNum,
|
||||||
Type: unix.RTN_UNREACHABLE,
|
Type: unix.RTN_UNREACHABLE,
|
||||||
},
|
},
|
||||||
// If we get to this point, capture all packets and send them
|
// If we get to this point, capture all packets and send them
|
||||||
@@ -1283,7 +1284,7 @@ var ubntIPRules = []netlink.Rule{
|
|||||||
{
|
{
|
||||||
Priority: 70,
|
Priority: 70,
|
||||||
Invert: true,
|
Invert: true,
|
||||||
Mark: linuxfw.TailscaleBypassMarkNum,
|
Mark: tsconst.LinuxBypassMarkNum,
|
||||||
Table: tailscaleRouteTable.Num,
|
Table: tailscaleRouteTable.Num,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@@ -1311,7 +1312,7 @@ func (r *linuxRouter) justAddIPRules() error {
|
|||||||
// Note: r is a value type here; safe to mutate it.
|
// Note: r is a value type here; safe to mutate it.
|
||||||
ru.Family = family.netlinkInt()
|
ru.Family = family.netlinkInt()
|
||||||
if ru.Mark != 0 {
|
if ru.Mark != 0 {
|
||||||
ru.Mask = linuxfw.TailscaleFwmarkMaskNum
|
ru.Mask = tsconst.LinuxFwmarkMaskNum
|
||||||
}
|
}
|
||||||
ru.Goto = -1
|
ru.Goto = -1
|
||||||
ru.SuppressIfgroup = -1
|
ru.SuppressIfgroup = -1
|
||||||
@@ -1344,7 +1345,7 @@ func (r *linuxRouter) addIPRulesWithIPCommand() error {
|
|||||||
}
|
}
|
||||||
if rule.Mark != 0 {
|
if rule.Mark != 0 {
|
||||||
if r.fwmaskWorks() {
|
if r.fwmaskWorks() {
|
||||||
args = append(args, "fwmark", fmt.Sprintf("0x%x/%s", rule.Mark, linuxfw.TailscaleFwmarkMask))
|
args = append(args, "fwmark", fmt.Sprintf("0x%x/%s", rule.Mark, tsconst.LinuxFwmarkMask))
|
||||||
} else {
|
} else {
|
||||||
args = append(args, "fwmark", fmt.Sprintf("0x%x", rule.Mark))
|
args = append(args, "fwmark", fmt.Sprintf("0x%x", rule.Mark))
|
||||||
}
|
}
|
||||||
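Review bot: The netlink path at `ru.Mask = tsconst.LinuxFwmarkMaskNum` and the `ip rule` fallback at `fmt.Sprintf("0x%x/%s", rule.Mark, tsconst.LinuxFwmarkMask)` now take the same mask from two independent constants, one numeric and one a pre-formatted string, with nothing in this package tying them together. If the two ever drift, the bypass-mark rules that keep tailscaled's own traffic out of the tailscale route table (the routing-loop guard described in the comments above baseIPRules) would match differently depending on which code path a host takes, which is easy to miss in testing. Unless tsconst already has one, a test such as `if got := fmt.Sprintf("0x%x", tsconst.LinuxFwmarkMaskNum); got != tsconst.LinuxFwmarkMask { t.Fatalf("mask string %q != numeric form %q", tsconst.LinuxFwmarkMask, got) }`, repeated for the subnet-route and bypass pairs, would pin them together. justAddIPRules and addIPRulesWithIPCommand both begin outside their hunks.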
|
|||||||
@@ -25,6 +25,7 @@ import (
|
|||||||
"tailscale.com/health"
|
"tailscale.com/health"
|
||||||
"tailscale.com/net/netmon"
|
"tailscale.com/net/netmon"
|
||||||
"tailscale.com/net/tsaddr"
|
"tailscale.com/net/tsaddr"
|
||||||
|
"tailscale.com/tsconst"
|
||||||
"tailscale.com/tstest"
|
"tailscale.com/tstest"
|
||||||
"tailscale.com/types/logger"
|
"tailscale.com/types/logger"
|
||||||
"tailscale.com/util/eventbus"
|
"tailscale.com/util/eventbus"
|
||||||
@@ -572,8 +573,8 @@ func (n *fakeIPTablesRunner) addBase4(tunname string) error {
|
|||||||
newRules := []struct{ chain, rule string }{
|
newRules := []struct{ chain, rule string }{
|
||||||
{"filter/ts-input", fmt.Sprintf("! -i %s -s %s -j RETURN", tunname, tsaddr.ChromeOSVMRange().String())},
|
{"filter/ts-input", fmt.Sprintf("! -i %s -s %s -j RETURN", tunname, tsaddr.ChromeOSVMRange().String())},
|
||||||
{"filter/ts-input", fmt.Sprintf("! -i %s -s %s -j DROP", tunname, tsaddr.CGNATRange().String())},
|
{"filter/ts-input", fmt.Sprintf("! -i %s -s %s -j DROP", tunname, tsaddr.CGNATRange().String())},
|
||||||
{"filter/ts-forward", fmt.Sprintf("-i %s -j MARK --set-mark %s/%s", tunname, linuxfw.TailscaleSubnetRouteMark, linuxfw.TailscaleFwmarkMask)},
|
{"filter/ts-forward", fmt.Sprintf("-i %s -j MARK --set-mark %s/%s", tunname, tsconst.LinuxSubnetRouteMark, tsconst.LinuxFwmarkMask)},
|
||||||
{"filter/ts-forward", fmt.Sprintf("-m mark --mark %s/%s -j ACCEPT", linuxfw.TailscaleSubnetRouteMark, linuxfw.TailscaleFwmarkMask)},
|
{"filter/ts-forward", fmt.Sprintf("-m mark --mark %s/%s -j ACCEPT", tsconst.LinuxSubnetRouteMark, tsconst.LinuxFwmarkMask)},
|
||||||
{"filter/ts-forward", fmt.Sprintf("-o %s -s %s -j DROP", tunname, tsaddr.CGNATRange().String())},
|
{"filter/ts-forward", fmt.Sprintf("-o %s -s %s -j DROP", tunname, tsaddr.CGNATRange().String())},
|
||||||
{"filter/ts-forward", fmt.Sprintf("-o %s -j ACCEPT", tunname)},
|
{"filter/ts-forward", fmt.Sprintf("-o %s -j ACCEPT", tunname)},
|
||||||
}
|
}
|
||||||
@@ -588,8 +589,8 @@ func (n *fakeIPTablesRunner) addBase4(tunname string) error {
|
|||||||
func (n *fakeIPTablesRunner) addBase6(tunname string) error {
|
func (n *fakeIPTablesRunner) addBase6(tunname string) error {
|
||||||
curIPT := n.ipt6
|
curIPT := n.ipt6
|
||||||
newRules := []struct{ chain, rule string }{
|
newRules := []struct{ chain, rule string }{
|
||||||
{"filter/ts-forward", fmt.Sprintf("-i %s -j MARK --set-mark %s/%s", tunname, linuxfw.TailscaleSubnetRouteMark, linuxfw.TailscaleFwmarkMask)},
|
{"filter/ts-forward", fmt.Sprintf("-i %s -j MARK --set-mark %s/%s", tunname, tsconst.LinuxSubnetRouteMark, tsconst.LinuxFwmarkMask)},
|
||||||
{"filter/ts-forward", fmt.Sprintf("-m mark --mark %s/%s -j ACCEPT", linuxfw.TailscaleSubnetRouteMark, linuxfw.TailscaleFwmarkMask)},
|
{"filter/ts-forward", fmt.Sprintf("-m mark --mark %s/%s -j ACCEPT", tsconst.LinuxSubnetRouteMark, tsconst.LinuxFwmarkMask)},
|
||||||
{"filter/ts-forward", fmt.Sprintf("-o %s -j ACCEPT", tunname)},
|
{"filter/ts-forward", fmt.Sprintf("-o %s -j ACCEPT", tunname)},
|
||||||
}
|
}
|
||||||
for _, rule := range newRules {
|
for _, rule := range newRules {
|
||||||
@@ -673,7 +674,7 @@ func (n *fakeIPTablesRunner) DelBase() error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (n *fakeIPTablesRunner) AddSNATRule() error {
|
func (n *fakeIPTablesRunner) AddSNATRule() error {
|
||||||
newRule := fmt.Sprintf("-m mark --mark %s/%s -j MASQUERADE", linuxfw.TailscaleSubnetRouteMark, linuxfw.TailscaleFwmarkMask)
|
newRule := fmt.Sprintf("-m mark --mark %s/%s -j MASQUERADE", tsconst.LinuxSubnetRouteMark, tsconst.LinuxFwmarkMask)
|
||||||
for _, ipt := range []map[string][]string{n.ipt4, n.ipt6} {
|
for _, ipt := range []map[string][]string{n.ipt4, n.ipt6} {
|
||||||
if err := appendRule(n, ipt, "nat/ts-postrouting", newRule); err != nil {
|
if err := appendRule(n, ipt, "nat/ts-postrouting", newRule); err != nil {
|
||||||
return err
|
return err
|
||||||
@@ -683,7 +684,7 @@ func (n *fakeIPTablesRunner) AddSNATRule() error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (n *fakeIPTablesRunner) DelSNATRule() error {
|
func (n *fakeIPTablesRunner) DelSNATRule() error {
|
||||||
delRule := fmt.Sprintf("-m mark --mark %s/%s -j MASQUERADE", linuxfw.TailscaleSubnetRouteMark, linuxfw.TailscaleFwmarkMask)
|
delRule := fmt.Sprintf("-m mark --mark %s/%s -j MASQUERADE", tsconst.LinuxSubnetRouteMark, tsconst.LinuxFwmarkMask)
|
||||||
for _, ipt := range []map[string][]string{n.ipt4, n.ipt6} {
|
for _, ipt := range []map[string][]string{n.ipt4, n.ipt6} {
|
||||||
if err := deleteRule(n, ipt, "nat/ts-postrouting", delRule); err != nil {
|
if err := deleteRule(n, ipt, "nat/ts-postrouting", delRule); err != nil {
|
||||||
return err
|
return err
|
||||||
|
|||||||