net/tstun: rename filterIn/filterOut methods to be more descriptive
Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>
parent
f61b306133
commit
535fad16f8
@ -136,23 +136,23 @@ type Wrapper struct {
|
|||||||
// filterFlags control the verbosity of logging packet drops/accepts.
|
// filterFlags control the verbosity of logging packet drops/accepts.
|
||||||
filterFlags filter.RunFlags
|
filterFlags filter.RunFlags
|
||||||
|
|
||||||
// PreFilterIn is the inbound filter function that runs before the main filter
|
// PreFilterPacketInboundFromWireGuard is the inbound filter function that runs before the main filter
|
||||||
// and therefore sees the packets that may be later dropped by it.
|
// and therefore sees the packets that may be later dropped by it.
|
||||||
PreFilterIn FilterFunc
|
PreFilterPacketInboundFromWireGuard FilterFunc
|
||||||
// PostFilterIn is the inbound filter function that runs after the main filter.
|
// PostFilterPacketInboundFromWireGaurd is the inbound filter function that runs after the main filter.
|
||||||
PostFilterIn FilterFunc
|
PostFilterPacketInboundFromWireGaurd FilterFunc
|
||||||
// PreFilterFromTunToNetstack is a filter function that runs before the main filter
|
// PreFilterPacketOutboundToWireGuardNetstackIntercept is a filter function that runs before the main filter
|
||||||
// for packets from the local system. This filter is populated by netstack to hook
|
// for packets from the local system. This filter is populated by netstack to hook
|
||||||
// packets that should be handled by netstack. If set, this filter runs before
|
// packets that should be handled by netstack. If set, this filter runs before
|
||||||
// PreFilterFromTunToEngine.
|
// PreFilterFromTunToEngine.
|
||||||
PreFilterFromTunToNetstack FilterFunc
|
PreFilterPacketOutboundToWireGuardNetstackIntercept FilterFunc
|
||||||
// PreFilterFromTunToEngine is a filter function that runs before the main filter
|
// PreFilterPacketOutboundToWireGuardEngineIntercept is a filter function that runs before the main filter
|
||||||
// for packets from the local system. This filter is populated by wgengine to hook
|
// for packets from the local system. This filter is populated by wgengine to hook
|
||||||
// packets which it handles internally. If both this and PreFilterFromTunToNetstack
|
// packets which it handles internally. If both this and PreFilterFromTunToNetstack
|
||||||
// filter functions are non-nil, this filter runs second.
|
// filter functions are non-nil, this filter runs second.
|
||||||
PreFilterFromTunToEngine FilterFunc
|
PreFilterPacketOutboundToWireGuardEngineIntercept FilterFunc
|
||||||
// PostFilterOut is the outbound filter function that runs after the main filter.
|
// PostFilterPacketOutboundToWireGuard is the outbound filter function that runs after the main filter.
|
||||||
PostFilterOut FilterFunc
|
PostFilterPacketOutboundToWireGuard FilterFunc
|
||||||
|
|
||||||
// OnTSMPPongReceived, if non-nil, is called whenever a TSMP pong arrives.
|
// OnTSMPPongReceived, if non-nil, is called whenever a TSMP pong arrives.
|
||||||
OnTSMPPongReceived func(packet.TSMPPongReply)
|
OnTSMPPongReceived func(packet.TSMPPongReply)
|
||||||
@ -464,7 +464,7 @@ func (t *Wrapper) sendVectorOutbound(r tunVectorReadResult) {
|
|||||||
magicDNSIPPortv6 = netip.AddrPortFrom(tsaddr.TailscaleServiceIPv6(), 0)
|
magicDNSIPPortv6 = netip.AddrPortFrom(tsaddr.TailscaleServiceIPv6(), 0)
|
||||||
)
|
)
|
||||||
|
|
||||||
func (t *Wrapper) filterOut(p *packet.Parsed) filter.Response {
|
func (t *Wrapper) filterPacketOutboundToWireGuard(p *packet.Parsed) filter.Response {
|
||||||
// Fake ICMP echo responses to MagicDNS (100.100.100.100).
|
// Fake ICMP echo responses to MagicDNS (100.100.100.100).
|
||||||
if p.IsEchoRequest() {
|
if p.IsEchoRequest() {
|
||||||
switch p.Dst {
|
switch p.Dst {
|
||||||
@ -494,14 +494,14 @@ func (t *Wrapper) filterOut(p *packet.Parsed) filter.Response {
|
|||||||
return filter.DropSilently
|
return filter.DropSilently
|
||||||
}
|
}
|
||||||
|
|
||||||
if t.PreFilterFromTunToNetstack != nil {
|
if t.PreFilterPacketOutboundToWireGuardNetstackIntercept != nil {
|
||||||
if res := t.PreFilterFromTunToNetstack(p, t); res.IsDrop() {
|
if res := t.PreFilterPacketOutboundToWireGuardNetstackIntercept(p, t); res.IsDrop() {
|
||||||
// Handled by netstack.Impl.handleLocalPackets (quad-100 DNS primarily)
|
// Handled by netstack.Impl.handleLocalPackets (quad-100 DNS primarily)
|
||||||
return res
|
return res
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if t.PreFilterFromTunToEngine != nil {
|
if t.PreFilterPacketOutboundToWireGuardEngineIntercept != nil {
|
||||||
if res := t.PreFilterFromTunToEngine(p, t); res.IsDrop() {
|
if res := t.PreFilterPacketOutboundToWireGuardEngineIntercept(p, t); res.IsDrop() {
|
||||||
// Handled by userspaceEngine.handleLocalPackets (primarily handles
|
// Handled by userspaceEngine.handleLocalPackets (primarily handles
|
||||||
// quad-100 if netstack is not installed).
|
// quad-100 if netstack is not installed).
|
||||||
return res
|
return res
|
||||||
@ -518,8 +518,8 @@ func (t *Wrapper) filterOut(p *packet.Parsed) filter.Response {
|
|||||||
return filter.Drop
|
return filter.Drop
|
||||||
}
|
}
|
||||||
|
|
||||||
if t.PostFilterOut != nil {
|
if t.PostFilterPacketOutboundToWireGuard != nil {
|
||||||
if res := t.PostFilterOut(p, t); res.IsDrop() {
|
if res := t.PostFilterPacketOutboundToWireGuard(p, t); res.IsDrop() {
|
||||||
return res
|
return res
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -575,7 +575,7 @@ func (t *Wrapper) Read(buffs [][]byte, sizes []int, offset int) (int, error) {
|
|||||||
capt(capture.FromLocal, time.Now(), data[res.dataOffset:])
|
capt(capture.FromLocal, time.Now(), data[res.dataOffset:])
|
||||||
}
|
}
|
||||||
if !t.disableFilter {
|
if !t.disableFilter {
|
||||||
response := t.filterOut(p)
|
response := t.filterPacketOutboundToWireGuard(p)
|
||||||
if response != filter.Accept {
|
if response != filter.Accept {
|
||||||
metricPacketOutDrop.Add(1)
|
metricPacketOutDrop.Add(1)
|
||||||
continue
|
continue
|
||||||
@ -636,7 +636,7 @@ func (t *Wrapper) injectedRead(res tunInjectedRead, buf []byte, offset int) (int
|
|||||||
return n, nil
|
return n, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *Wrapper) filterIn(p *packet.Parsed) filter.Response {
|
func (t *Wrapper) filterPacketInboundFromWireGuard(p *packet.Parsed) filter.Response {
|
||||||
if capt := t.captureHook.Load(); capt != nil {
|
if capt := t.captureHook.Load(); capt != nil {
|
||||||
capt(capture.FromPeer, time.Now(), p.Buffer())
|
capt(capture.FromPeer, time.Now(), p.Buffer())
|
||||||
}
|
}
|
||||||
@ -672,8 +672,8 @@ func (t *Wrapper) filterIn(p *packet.Parsed) filter.Response {
|
|||||||
return filter.DropSilently
|
return filter.DropSilently
|
||||||
}
|
}
|
||||||
|
|
||||||
if t.PreFilterIn != nil {
|
if t.PreFilterPacketInboundFromWireGuard != nil {
|
||||||
if res := t.PreFilterIn(p, t); res.IsDrop() {
|
if res := t.PreFilterPacketInboundFromWireGuard(p, t); res.IsDrop() {
|
||||||
return res
|
return res
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -724,8 +724,8 @@ func (t *Wrapper) filterIn(p *packet.Parsed) filter.Response {
|
|||||||
return filter.Drop
|
return filter.Drop
|
||||||
}
|
}
|
||||||
|
|
||||||
if t.PostFilterIn != nil {
|
if t.PostFilterPacketInboundFromWireGaurd != nil {
|
||||||
if res := t.PostFilterIn(p, t); res.IsDrop() {
|
if res := t.PostFilterPacketInboundFromWireGaurd(p, t); res.IsDrop() {
|
||||||
return res
|
return res
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -743,7 +743,7 @@ func (t *Wrapper) Write(buffs [][]byte, offset int) (int, error) {
|
|||||||
defer parsedPacketPool.Put(p)
|
defer parsedPacketPool.Put(p)
|
||||||
for _, buff := range buffs {
|
for _, buff := range buffs {
|
||||||
p.Decode(buff[offset:])
|
p.Decode(buff[offset:])
|
||||||
if t.filterIn(p) != filter.Accept {
|
if t.filterPacketInboundFromWireGuard(p) != filter.Accept {
|
||||||
metricPacketInDrop.Add(1)
|
metricPacketInDrop.Add(1)
|
||||||
} else {
|
} else {
|
||||||
buffs[i] = buff
|
buffs[i] = buff
|
||||||
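Review bot: In the Wrapper struct the new exported field `PostFilterPacketInboundFromWireGaurd` misspells WireGuard, while its sibling `PreFilterPacketInboundFromWireGuard` is spelled correctly; the same spelling is carried into filterPacketInboundFromWireGuard and into the netstack and userspace engine assignments later in this commit. These hooks sit on the inbound packet-filter path, so a search for `WireGuard` when auditing which code installs a filter hook will skip this one; I would rename it to `PostFilterPacketInboundFromWireGuard` before other packages depend on the name. The doc comments on the two outbound intercept fields also still refer to `PreFilterFromTunToEngine` and `PreFilterFromTunToNetstack`, which no longer exist after this change, and should name `PreFilterPacketOutboundToWireGuardEngineIntercept` and `PreFilterPacketOutboundToWireGuardNetstackIntercept` instead.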
|
@ -544,7 +544,7 @@ func TestPeerAPIBypass(t *testing.T) {
|
|||||||
tt.w.SetFilter(tt.filter)
|
tt.w.SetFilter(tt.filter)
|
||||||
tt.w.disableTSMPRejected = true
|
tt.w.disableTSMPRejected = true
|
||||||
tt.w.logf = t.Logf
|
tt.w.logf = t.Logf
|
||||||
if got := tt.w.filterIn(p); got != tt.want {
|
if got := tt.w.filterPacketInboundFromWireGuard(p); got != tt.want {
|
||||||
t.Errorf("got = %v; want %v", got, tt.want)
|
t.Errorf("got = %v; want %v", got, tt.want)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
@ -574,7 +574,7 @@ func TestFilterDiscoLoop(t *testing.T) {
|
|||||||
|
|
||||||
p := new(packet.Parsed)
|
p := new(packet.Parsed)
|
||||||
p.Decode(pkt)
|
p.Decode(pkt)
|
||||||
got := tw.filterIn(p)
|
got := tw.filterPacketInboundFromWireGuard(p)
|
||||||
if got != filter.DropSilently {
|
if got != filter.DropSilently {
|
||||||
t.Errorf("got %v; want DropSilently", got)
|
t.Errorf("got %v; want DropSilently", got)
|
||||||
}
|
}
|
||||||
@ -585,7 +585,7 @@ func TestFilterDiscoLoop(t *testing.T) {
|
|||||||
memLog.Reset()
|
memLog.Reset()
|
||||||
pp := new(packet.Parsed)
|
pp := new(packet.Parsed)
|
||||||
pp.Decode(pkt)
|
pp.Decode(pkt)
|
||||||
got = tw.filterOut(pp)
|
got = tw.filterPacketOutboundToWireGuard(pp)
|
||||||
if got != filter.DropSilently {
|
if got != filter.DropSilently {
|
||||||
t.Errorf("got %v; want DropSilently", got)
|
t.Errorf("got %v; want DropSilently", got)
|
||||||
}
|
}
|
||||||
|
@ -260,8 +260,8 @@ func (ns *Impl) Start(lb *ipnlocal.LocalBackend) error {
|
|||||||
ns.ipstack.SetTransportProtocolHandler(tcp.ProtocolNumber, ns.wrapProtoHandler(tcpFwd.HandlePacket))
|
ns.ipstack.SetTransportProtocolHandler(tcp.ProtocolNumber, ns.wrapProtoHandler(tcpFwd.HandlePacket))
|
||||||
ns.ipstack.SetTransportProtocolHandler(udp.ProtocolNumber, ns.wrapProtoHandler(udpFwd.HandlePacket))
|
ns.ipstack.SetTransportProtocolHandler(udp.ProtocolNumber, ns.wrapProtoHandler(udpFwd.HandlePacket))
|
||||||
go ns.inject()
|
go ns.inject()
|
||||||
ns.tundev.PostFilterIn = ns.injectInbound
|
ns.tundev.PostFilterPacketInboundFromWireGaurd = ns.injectInbound
|
||||||
ns.tundev.PreFilterFromTunToNetstack = ns.handleLocalPackets
|
ns.tundev.PreFilterPacketOutboundToWireGuardNetstackIntercept = ns.handleLocalPackets
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -373,19 +373,19 @@ func NewUserspaceEngine(logf logger.Logf, conf Config) (_ Engine, reterr error)
|
|||||||
tsTUNDev.SetDiscoKey(e.magicConn.DiscoPublicKey())
|
tsTUNDev.SetDiscoKey(e.magicConn.DiscoPublicKey())
|
||||||
|
|
||||||
if conf.RespondToPing {
|
if conf.RespondToPing {
|
||||||
e.tundev.PostFilterIn = echoRespondToAll
|
e.tundev.PostFilterPacketInboundFromWireGaurd = echoRespondToAll
|
||||||
}
|
}
|
||||||
e.tundev.PreFilterFromTunToEngine = e.handleLocalPackets
|
e.tundev.PreFilterPacketOutboundToWireGuardEngineIntercept = e.handleLocalPackets
|
||||||
|
|
||||||
if envknob.BoolDefaultTrue("TS_DEBUG_CONNECT_FAILURES") {
|
if envknob.BoolDefaultTrue("TS_DEBUG_CONNECT_FAILURES") {
|
||||||
if e.tundev.PreFilterIn != nil {
|
if e.tundev.PreFilterPacketInboundFromWireGuard != nil {
|
||||||
return nil, errors.New("unexpected PreFilterIn already set")
|
return nil, errors.New("unexpected PreFilterIn already set")
|
||||||
}
|
}
|
||||||
e.tundev.PreFilterIn = e.trackOpenPreFilterIn
|
e.tundev.PreFilterPacketInboundFromWireGuard = e.trackOpenPreFilterIn
|
||||||
if e.tundev.PostFilterOut != nil {
|
if e.tundev.PostFilterPacketOutboundToWireGuard != nil {
|
||||||
return nil, errors.New("unexpected PostFilterOut already set")
|
return nil, errors.New("unexpected PostFilterOut already set")
|
||||||
}
|
}
|
||||||
e.tundev.PostFilterOut = e.trackOpenPostFilterOut
|
e.tundev.PostFilterPacketOutboundToWireGuard = e.trackOpenPostFilterOut
|
||||||
}
|
}
|
||||||
|
|
||||||
e.wgLogger = wglog.NewLogger(logf)
|
e.wgLogger = wglog.NewLogger(logf)
|
||||||
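Review bot: The two guard errors in the `TS_DEBUG_CONNECT_FAILURES` block still read `unexpected PreFilterIn already set` and `unexpected PostFilterOut already set`, although the fields they check are now `PreFilterPacketInboundFromWireGuard` and `PostFilterPacketOutboundToWireGuard`. Someone who hits one of these at engine startup will not find the old name anywhere in the source, so I would update the messages to match, e.g. `errors.New("unexpected PreFilterPacketInboundFromWireGuard already set")`. NewUserspaceEngine starts and ends outside this hunk.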
|