mirror of
https://github.com/tailscale/tailscale.git
synced 2025-10-24 09:39:39 +00:00
net/netcheck,wgengine/magicsock: add potential workaround for Palo Alto DIPP misbehavior
Palo Alto firewalls have a typically hard NAT, but also have a mode called Persistent DIPP that is supposed to provide consistent port mapping suitable for STUN resolution of public ports. Persistent DIPP works initially on most Palo Alto firewalls, but some models/software versions have a bug which this works around. The bug symptom presents as follows: - STUN sessions resolve a consistent public IP:port to start with - Much later netchecks report the same IP:Port for a subset of sessions, most often the users active DERP, and/or the port related to sustained traffic. - The broader set of DERPs in a full netcheck will now consistently observe a new IP:Port. - After this point of observation, new inbound connections will only succeed to the new IP:Port observed, and existing/old sessions will only work to the old binding. In this patch we now advertise the lowest latency global endpoint discovered as we always have, but in addition any global endpoints that are observed more than once in a single netcheck report. This should provide viable endpoints for potential connection establishment across a NAT with this behavior. Updates tailscale/corp#19106 Signed-off-by: James Tucker <james@tailscale.com>
This commit is contained in:

committed by
James Tucker

parent
6831a29f8b
commit
8d1249550a
@@ -11,6 +11,7 @@ import (
|
||||
"net/http"
|
||||
"net/netip"
|
||||
"reflect"
|
||||
"slices"
|
||||
"sort"
|
||||
"strconv"
|
||||
"strings"
|
||||
@@ -189,12 +190,50 @@ func TestBasic(t *testing.T) {
|
||||
if _, ok := r.RegionLatency[1]; !ok {
|
||||
t.Errorf("expected key 1 in DERPLatency; got %+v", r.RegionLatency)
|
||||
}
|
||||
if r.GlobalV4 == "" {
|
||||
if !r.GlobalV4.IsValid() {
|
||||
t.Error("expected GlobalV4 set")
|
||||
}
|
||||
if r.PreferredDERP != 1 {
|
||||
t.Errorf("PreferredDERP = %v; want 1", r.PreferredDERP)
|
||||
}
|
||||
v4Addrs, _ := r.GetGlobalAddrs()
|
||||
if len(v4Addrs) != 1 {
|
||||
t.Error("expected one global IPv4 address")
|
||||
}
|
||||
if got, want := v4Addrs[0], r.GlobalV4; got != want {
|
||||
t.Errorf("got %v; want %v", got, want)
|
||||
}
|
||||
}
|
||||
|
||||
func TestMultiGlobalAddressMapping(t *testing.T) {
|
||||
c := &Client{
|
||||
Logf: t.Logf,
|
||||
}
|
||||
|
||||
rs := &reportState{
|
||||
c: c,
|
||||
start: time.Now(),
|
||||
report: newReport(),
|
||||
sentHairCheck: true, // prevent hair check start, not relevant here
|
||||
}
|
||||
derpNode := &tailcfg.DERPNode{}
|
||||
port1 := netip.MustParseAddrPort("127.0.0.1:1234")
|
||||
port2 := netip.MustParseAddrPort("127.0.0.1:2345")
|
||||
port3 := netip.MustParseAddrPort("127.0.0.1:3456")
|
||||
// First report for port1
|
||||
rs.addNodeLatency(derpNode, port1, 10*time.Millisecond)
|
||||
// Singular report for port2
|
||||
rs.addNodeLatency(derpNode, port2, 11*time.Millisecond)
|
||||
// Duplicate reports for port3
|
||||
rs.addNodeLatency(derpNode, port3, 12*time.Millisecond)
|
||||
rs.addNodeLatency(derpNode, port3, 13*time.Millisecond)
|
||||
|
||||
r := rs.report
|
||||
v4Addrs, _ := r.GetGlobalAddrs()
|
||||
wantV4Addrs := []netip.AddrPort{port1, port3}
|
||||
if !slices.Equal(v4Addrs, wantV4Addrs) {
|
||||
t.Errorf("got global addresses: %v, want %v", v4Addrs, wantV4Addrs)
|
||||
}
|
||||
}
|
||||
|
||||
func TestWorksWhenUDPBlocked(t *testing.T) {
|
||||
|
Reference in New Issue
Block a user