wgengine/wgcfg/nmcfg: split control/controlclient/netmap.go into own package

It couldn't move to ipnlocal due to test dependency cycles.

Updates #1278

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

wgengine/magicsock/magicsock.go

@@ -51,6 +51,7 @@ import (
 	"tailscale.com/types/nettype"
 	"tailscale.com/types/wgkey"
 	"tailscale.com/version"
+	"tailscale.com/wgengine/wgcfg"
 )
 
 // Various debugging and experimental tweakables, set by environment
@@ -2643,11 +2644,11 @@ func (c *Conn) CreateEndpoint(pubKey [32]byte, addrs string) (conn.Endpoint, err
 	pk := key.Public(pubKey)
 	c.logf("magicsock: CreateEndpoint: key=%s: %s", pk.ShortString(), derpStr(addrs))
 
-	if !strings.HasSuffix(addrs, controlclient.EndpointDiscoSuffix) {
+	if !strings.HasSuffix(addrs, wgcfg.EndpointDiscoSuffix) {
 		return c.createLegacyEndpointLocked(pk, addrs)
 	}
 
-	discoHex := strings.TrimSuffix(addrs, controlclient.EndpointDiscoSuffix)
+	discoHex := strings.TrimSuffix(addrs, wgcfg.EndpointDiscoSuffix)
 	discoKey, err := key.NewPublicFromHexMem(mem.S(discoHex))
 	if err != nil {
 		return nil, fmt.Errorf("magicsock: invalid discokey endpoint %q for %v: %w", addrs, pk.ShortString(), err)

wgengine/magicsock/magicsock_test.go

@@ -46,6 +46,7 @@ import (
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/tstun"
 	"tailscale.com/wgengine/wgcfg"
+	"tailscale.com/wgengine/wgcfg/nmcfg"
 	"tailscale.com/wgengine/wglog"
 )
 
@@ -293,7 +294,7 @@ func meshStacks(logf logger.Logf, ms []*magicStack) (cleanup func()) {
 				peerSet[key.Public(peer.Key)] = struct{}{}
 			}
 			m.conn.UpdatePeers(peerSet)
-			wg, err := netmap.WGCfg(logf, controlclient.AllowSingleHosts)
+			wg, err := nmcfg.WGCfg(netmap, logf, controlclient.AllowSingleHosts)
 			if err != nil {
 				// We're too far from the *testing.T to be graceful,
 				// blow up. Shouldn't happen anyway.

wgengine/wgcfg/config.go

@@ -9,6 +9,11 @@ import (
 	"inet.af/netaddr"
 )
 
+// EndpointDiscoSuffix is appended to the hex representation of a peer's discovery key
+// and is then the sole wireguard endpoint for peers with a non-zero discovery key.
+// This form is then recognize by magicsock's CreateEndpoint.
+const EndpointDiscoSuffix = ".disco.tailscale:12345"
+
 // Config is a WireGuard configuration.
 // It only supports the set of things Tailscale uses.
 type Config struct {

wgengine/wgcfg/nmcfg/nmcfg.go

@@ -0,0 +1,126 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package nmcfg converts a controlclient.NetMap into a wgcfg config.
+package nmcfg
+
+import (
+	"fmt"
+	"net"
+	"strconv"
+	"strings"
+
+	"inet.af/netaddr"
+	"tailscale.com/control/controlclient"
+	"tailscale.com/net/tsaddr"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/logger"
+	"tailscale.com/wgengine/wgcfg"
+)
+
+func nodeDebugName(n *tailcfg.Node) string {
+	name := n.Name
+	if name == "" {
+		name = n.Hostinfo.Hostname
+	}
+	if i := strings.Index(name, "."); i != -1 {
+		name = name[:i]
+	}
+	if name == "" && len(n.Addresses) != 0 {
+		return n.Addresses[0].String()
+	}
+	return name
+}
+
+// cidrIsSubnet reports whether cidr is a non-default-route subnet
+// exported by node that is not one of its own self addresses.
+func cidrIsSubnet(node *tailcfg.Node, cidr netaddr.IPPrefix) bool {
+	if cidr.Bits == 0 {
+		return false
+	}
+	if !cidr.IsSingleIP() {
+		return true
+	}
+	for _, selfCIDR := range node.Addresses {
+		if cidr == selfCIDR {
+			return false
+		}
+	}
+	return true
+}
+
+// WGCfg returns the NetworkMaps's Wireguard configuration.
+func WGCfg(nm *controlclient.NetworkMap, logf logger.Logf, flags controlclient.WGConfigFlags) (*wgcfg.Config, error) {
+	cfg := &wgcfg.Config{
+		Name:       "tailscale",
+		PrivateKey: wgcfg.PrivateKey(nm.PrivateKey),
+		Addresses:  nm.Addresses,
+		ListenPort: nm.LocalPort,
+		Peers:      make([]wgcfg.Peer, 0, len(nm.Peers)),
+	}
+
+	for _, peer := range nm.Peers {
+		if controlclient.Debug.OnlyDisco && peer.DiscoKey.IsZero() {
+			continue
+		}
+		cfg.Peers = append(cfg.Peers, wgcfg.Peer{
+			PublicKey: wgcfg.Key(peer.Key),
+		})
+		cpeer := &cfg.Peers[len(cfg.Peers)-1]
+		if peer.KeepAlive {
+			cpeer.PersistentKeepalive = 25 // seconds
+		}
+
+		if !peer.DiscoKey.IsZero() {
+			if err := appendEndpoint(cpeer, fmt.Sprintf("%x%s", peer.DiscoKey[:], wgcfg.EndpointDiscoSuffix)); err != nil {
+				return nil, err
+			}
+			cpeer.Endpoints = fmt.Sprintf("%x.disco.tailscale:12345", peer.DiscoKey[:])
+		} else {
+			if err := appendEndpoint(cpeer, peer.DERP); err != nil {
+				return nil, err
+			}
+			for _, ep := range peer.Endpoints {
+				if err := appendEndpoint(cpeer, ep); err != nil {
+					return nil, err
+				}
+			}
+		}
+		for _, allowedIP := range peer.AllowedIPs {
+			if allowedIP.IsSingleIP() && tsaddr.IsTailscaleIP(allowedIP.IP) && (flags&controlclient.AllowSingleHosts) == 0 {
+				logf("[v1] wgcfg: skipping node IP %v from %q (%v)",
+					allowedIP.IP, nodeDebugName(peer), peer.Key.ShortString())
+				continue
+			} else if cidrIsSubnet(peer, allowedIP) {
+				if (flags & controlclient.AllowSubnetRoutes) == 0 {
+					logf("[v1] wgcfg: not accepting subnet route %v from %q (%v)",
+						allowedIP, nodeDebugName(peer), peer.Key.ShortString())
+					continue
+				}
+			}
+			cpeer.AllowedIPs = append(cpeer.AllowedIPs, allowedIP)
+		}
+	}
+
+	return cfg, nil
+}
+
+func appendEndpoint(peer *wgcfg.Peer, epStr string) error {
+	if epStr == "" {
+		return nil
+	}
+	_, port, err := net.SplitHostPort(epStr)
+	if err != nil {
+		return fmt.Errorf("malformed endpoint %q for peer %v", epStr, peer.PublicKey.ShortString())
+	}
+	_, err = strconv.ParseUint(port, 10, 16)
+	if err != nil {
+		return fmt.Errorf("invalid port in endpoint %q for peer %v", epStr, peer.PublicKey.ShortString())
+	}
+	if peer.Endpoints != "" {
+		peer.Endpoints += ","
+	}
+	peer.Endpoints += epStr
+	return nil
+}