From 97c4c0ecf02c792b3fcc7a9d009c2204c00c6d18 Mon Sep 17 00:00:00 2001
From: Adrian Dewhurst
Date: Fri, 31 Jan 2025 15:25:48 -0500
Subject: [PATCH] ipn/ipnlocal: add VIP service IPs to localnets

Without adding this, the packet filter rejects traffic to VIP service addresses before checking the filters sent in the netmap.

Fixes tailscale/corp#26241

Change-Id: Idd54448048e9b786cf4873fd33b3b21e03d3ad4c
Signed-off-by: Adrian Dewhurst
---
 ipn/ipnlocal/local.go | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index faf5d13db..373da9881 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -2368,6 +2368,29 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 return nil
 }
 
+// addServiceIPs adds the IP addresses of any VIP Services sent from the
+// coordination server to the list of addresses that we expect to handle.
+func addServiceIPs(localNetsB *netipx.IPSetBuilder, selfNode tailcfg.NodeView) error {
+ if !selfNode.Valid() {
+ return nil
+ }
+
+ serviceMap, err := tailcfg.UnmarshalNodeCapViewJSON[tailcfg.ServiceIPMappings](selfNode.CapMap(), tailcfg.NodeAttrServiceHost)
+ if err != nil {
+ return err
+ }
+
+ for _, sm := range serviceMap { // typically there will be exactly one of these
+ for _, serviceAddrs := range sm {
+ for _, addr := range serviceAddrs { // typically there will be exactly two of these
+ localNetsB.Add(addr)
+ }
+ }
+ }
+
+ return nil
+}
+
 // invalidPacketFilterWarnable is a Warnable to warn the user that the control server sent an invalid packet filter.
 var invalidPacketFilterWarnable = health.Register(&health.Warnable{
 Code: "invalid-packet-filter",
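Review bot: addServiceIPs feeds every unmarshalled address straight into `localNetsB.Add(addr)` without validating it, so an empty or malformed entry in the service-host capability would hand a zero-value address to the IPSetBuilder, and how the builder treats an invalid address is not visible from this hunk; assuming the entries are netip.Addr, a guard `if !addr.IsValid() { continue }` before the Add keeps one bad entry from affecting the whole local set. The error from UnmarshalNodeCapViewJSON is returned bare, which leaves the caller's log line without the capability name; `return fmt.Errorf("unmarshaling %v: %w", tailcfg.NodeAttrServiceHost, err)` would name it. The doc comment should also state the security-relevant effect of this addition: addresses added here are treated as local destinations, so traffic to them is evaluated against the netmap packet filter instead of being rejected up front, and the control plane is the only source of that list.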
@@ -2411,6 +2434,10 @@ func (b *LocalBackend) updateFilterLocked(netMap *netmap.NetworkMap, prefs ipn.P
 } else {
 b.health.SetHealthy(invalidPacketFilterWarnable)
 }
+
+ if err := addServiceIPs(&localNetsB, netMap.SelfNode); err != nil {
+ b.logf("addServiceIPs: %v", err)
+ }
 }
 if prefs.Valid() {
 for _, r := range prefs.AdvertiseRoutes().All() {
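Review bot: A failure in addServiceIPs is only written to the log, so a malformed service-host capability silently leaves the VIP addresses out of localNets and traffic to those services is dropped with nothing visible to the user; the packet-filter branch directly above the insertion reports the comparable condition through a health Warnable and clears it on success, and mirroring that pattern here (a dedicated Warnable set on error, SetHealthy on success) would surface the problem the same way. A short comment at the call site would also help a reader of the filter logic: the addition is unconditional, so every address the control plane lists becomes a local destination, and the netmap filter rules are what then decide whether traffic to it is allowed. updateFilterLocked starts outside the hunk, and the block this call sits in is closed by the `}` that follows it, so its condition is not visible here.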