TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-04-03 14:55:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

net/tstun: fix TUN log spam when ACLs drop a packet

Browse Source 
Whenever we dropped a packet due to ACLs, wireguard-go was logging:

Failed to write packet to TUN device: packet dropped by filter

Instead, just lie to wireguard-go and pretend everything is okay.

Fixes #1229

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick 2021-05-05 21:00:49 -07:00 committed by David Crawshaw
parent 2585edfaeb
commit 7f2eb1d87a
2 changed files with 21 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
net/tstun/wrap.go
View File

@ -457,13 +457,22 @@ func (t *Wrapper) filterIn(buf []byte) filter.Response {
// like wireguard-go/tun.Device.Write. // like wireguard-go/tun.Device.Write.
func (t *Wrapper) Write(buf []byte, offset int) (int, error) { func (t *Wrapper) Write(buf []byte, offset int) (int, error) {
if !t.disableFilter { if !t.disableFilter {
res := t.filterIn(buf[offset:]) if t.filterIn(buf[offset:]) != filter.Accept {
if res == filter.DropSilently { // If we're not accepting the packet, lie to wireguard-go and pretend
// that everything is okay with a nil error, so wireguard-go
// doesn't log about this Write "failure".
//
// We return len(buf), but the ill-defined wireguard-go/tun.Device.Write
// method doesn't specify how the offset affects the return value.
// In fact, the Linux implementation does one of two different things depending
// on how the /dev/net/tun was created. But fortunately the wireguard-go
// code ignores the int return and only looks at the error:
//
// device/receive.go: _, err = device.tun.device.Write(....)
//
// TODO(bradfitz): fix upstream interface docs, implementation.
return len(buf), nil return len(buf), nil
} }
if res != filter.Accept {
return 0, ErrFiltered
}
} }
t.noteActivity() t.noteActivity()

11
net/tstun/wrap_test.go
View File

@ -329,11 +329,14 @@ func TestFilter(t *testing.T) {
var filtered bool var filtered bool
if tt.dir == in { if tt.dir == in {
// Use the side effect of updating the last
// activity atomic to determine whether the
// data was actually filtered.
// If it stays zero, nothing made it through
// to the wrapped TUN.
atomic.StoreInt64(&tun.lastActivityAtomic, 0)
_, err = tun.Write(tt.data, 0) _, err = tun.Write(tt.data, 0)
if err == ErrFiltered { filtered = atomic.LoadInt64(&tun.lastActivityAtomic) == 0
filtered = true
err = nil
}
} else { } else {
chtun.Outbound <- tt.data chtun.Outbound <- tt.data
n, err = tun.Read(buf[:], 0) n, err = tun.Read(buf[:], 0)