wgengine/magicsock: make endpoint.bestAddr Geneve-aware (#16195)

This commit adds a new type to magicsock, epAddr, which largely ends up replacing netip.AddrPort in packet I/O paths throughout, enabling Geneve encapsulation over UDP awareness. The conn.ReceiveFunc for UDP has been revamped to fix and more clearly distinguish the different classes of packets we expect to receive: naked STUN binding messages, naked disco, naked WireGuard, Geneve-encapsulated disco, and Geneve-encapsulated WireGuard. Prior to this commit, STUN matching logic in the RX path could swallow a naked WireGuard packet if the keypair index, which is randomly generated, happened to overlap with a subset of the STUN magic cookie. Updates tailscale/corp#27502 Updates tailscale/corp#29326 Signed-off-by: Jordan Whited <jordan@tailscale.com>
2025-08-21 10:27:30 +00:00 · 2025-06-06 09:46:29 -07:00
parent 3f7a9f82e3
commit 66ae8737f4
14 changed files with 604 additions and 386 deletions
--- a/wgengine/magicsock/batching_conn_linux.go
+++ b/wgengine/magicsock/batching_conn_linux.go
@@ -22,6 +22,7 @@ import (
 	"golang.org/x/sys/unix"
 	"tailscale.com/hostinfo"
 	"tailscale.com/net/neterror"
+	"tailscale.com/net/packet"
 	"tailscale.com/types/nettype"
 )

@@ -92,9 +93,14 @@ const (
 	maxIPv6PayloadLen = 1<<16 - 1 - 8
 )

-// coalesceMessages iterates msgs, coalescing them where possible while
-// maintaining datagram order. All msgs have their Addr field set to addr.
-func (c *linuxBatchingConn) coalesceMessages(addr *net.UDPAddr, buffs [][]byte, msgs []ipv6.Message, offset int) int {
+// coalesceMessages iterates 'buffs', setting and coalescing them in 'msgs'
+// where possible while maintaining datagram order.
+//
+// All msgs have their Addr field set to addr.
+//
+// All msgs[i].Buffers[0] are preceded by a Geneve header with vni.get() if
+// vni.isSet().
+func (c *linuxBatchingConn) coalesceMessages(addr *net.UDPAddr, vni virtualNetworkID, buffs [][]byte, msgs []ipv6.Message, offset int) int {
 	var (
 		base     = -1 // index of msg we are currently coalescing into
 		gsoSize  int  // segmentation size of msgs[base]
@@ -105,8 +111,17 @@ func (c *linuxBatchingConn) coalesceMessages(addr *net.UDPAddr, buffs [][]byte,
 	if addr.IP.To4() == nil {
 		maxPayloadLen = maxIPv6PayloadLen
 	}
+	vniIsSet := vni.isSet()
+	var gh packet.GeneveHeader
+	if vniIsSet {
+		gh.VNI = vni.get()
+	}
 	for i, buff := range buffs {
-		buff = buff[offset:]
+		if vniIsSet {
+			gh.Encode(buffs[i])
+		} else {
+			buff = buff[offset:]
+		}
 		if i > 0 {
 			msgLen := len(buff)
 			baseLenBefore := len(msgs[base].Buffers[0])
@@ -163,28 +178,37 @@ func (c *linuxBatchingConn) putSendBatch(batch *sendBatch) {
 	c.sendBatchPool.Put(batch)
 }

-func (c *linuxBatchingConn) WriteBatchTo(buffs [][]byte, addr netip.AddrPort, offset int) error {
+func (c *linuxBatchingConn) WriteBatchTo(buffs [][]byte, addr epAddr, offset int) error {
 	batch := c.getSendBatch()
 	defer c.putSendBatch(batch)
-	if addr.Addr().Is6() {
-		as16 := addr.Addr().As16()
+	if addr.ap.Addr().Is6() {
+		as16 := addr.ap.Addr().As16()
 		copy(batch.ua.IP, as16[:])
 		batch.ua.IP = batch.ua.IP[:16]
 	} else {
-		as4 := addr.Addr().As4()
+		as4 := addr.ap.Addr().As4()
 		copy(batch.ua.IP, as4[:])
 		batch.ua.IP = batch.ua.IP[:4]
 	}
-	batch.ua.Port = int(addr.Port())
+	batch.ua.Port = int(addr.ap.Port())
 	var (
 		n       int
 		retried bool
 	)
 retry:
 	if c.txOffload.Load() {
-		n = c.coalesceMessages(batch.ua, buffs, batch.msgs, offset)
+		n = c.coalesceMessages(batch.ua, addr.vni, buffs, batch.msgs, offset)
 	} else {
+		vniIsSet := addr.vni.isSet()
+		var gh packet.GeneveHeader
+		if vniIsSet {
+			gh.VNI = addr.vni.get()
+			offset -= packet.GeneveFixedHeaderLength
+		}
 		for i := range buffs {
+			if vniIsSet {
+				gh.Encode(buffs[i])
+			}
 			batch.msgs[i].Buffers[0] = buffs[i][offset:]
 			batch.msgs[i].Addr = batch.ua
 			batch.msgs[i].OOB = batch.msgs[i].OOB[:0]