ipn/ipnlocal: allow client access to exit node's public IPs.

"public IP" is defined as an IP address configured on the exit node itself that isn't in the list of forbidden ranges (RFC1918, CGNAT, Tailscale). Fixes #1522. Signed-off-by: David Anderson <danderson@tailscale.com>
2025-08-12 05:37:32 +00:00 · 2021-03-17 17:04:32 -07:00
parent 0a02aaf813
commit 8c0a0450d9
2 changed files with 50 additions and 3 deletions
--- a/ipn/ipnlocal/local_test.go
+++ b/ipn/ipnlocal/local_test.go
@@ -9,6 +9,7 @@ import (
 	"testing"

 	"inet.af/netaddr"
+	"tailscale.com/net/interfaces"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/netmap"
@@ -122,11 +123,21 @@ func TestNetworkMapCompare(t *testing.T) {
 	}
 }

+func inRemove(ip netaddr.IP) bool {
+	for _, pfx := range removeFromDefaultRoute {
+		if pfx.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}
+
 func TestShrinkDefaultRoute(t *testing.T) {
 	tests := []struct {
-		route string
-		in    []string
-		out   []string
+		route     string
+		in        []string
+		out       []string
+		localIPFn func(netaddr.IP) bool // true if this machine's local IP address should be "in" after shrinking.
 	}{
 		{
 			route: "0.0.0.0/0",
@@ -139,19 +150,24 @@ func TestShrinkDefaultRoute(t *testing.T) {
 				"172.16.0.1",
 				"172.31.255.255",
 				"100.101.102.103",
+				"224.0.0.1",
+				"169.254.169.254",
 				// Some random IPv6 stuff that shouldn't be in a v4
 				// default route.
 				"fe80::",
 				"2601::1",
 			},
+			localIPFn: func(ip netaddr.IP) bool { return !inRemove(ip) && ip.Is4() },
 		},
 		{
 			route: "::/0",
 			in:    []string{"::1", "2601::1"},
 			out: []string{
 				"fe80::1",
+				"ff00::1",
 				tsaddr.TailscaleULARange().IP.String(),
 			},
+			localIPFn: func(ip netaddr.IP) bool { return !inRemove(ip) && ip.Is6() },
 		},
 	}

@@ -171,6 +187,16 @@ func TestShrinkDefaultRoute(t *testing.T) {
 				t.Errorf("shrink(%q).Contains(%v) = true, want false", test.route, ip)
 			}
 		}
+		ips, _, err := interfaces.LocalAddresses()
+		if err != nil {
+			t.Fatal(err)
+		}
+		for _, ip := range ips {
+			want := test.localIPFn(ip)
+			if gotContains := got.Contains(ip); gotContains != want {
+				t.Errorf("shrink(%q).Contains(%v) = %v, want %v", test.route, ip, gotContains, want)
+			}
+		}
 	}
 }