all: convert more code to use net/netip directly

perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
    perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
    perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
    perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
    perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
    perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
    goimports -w .

Then delete some stuff from the net/netaddr shim package which is no
longer needed.

Updates #5162

Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Brad Fitzpatrick
2022-07-25 21:14:09 -07:00
committed by Brad Fitzpatrick
parent 6a396731eb
commit a12aad6b47
148 changed files with 1117 additions and 1200 deletions


@@ -7,6 +7,7 @@ package filter
import (
"fmt"
"net/netip"
"sync"
"time"
@@ -107,12 +108,12 @@ const (
// everything. Use in tests only, as it permits some kinds of spoofing
// attacks to reach the OS network stack.
func NewAllowAllForTest(logf logger.Logf) *Filter {
any4 := netaddr.IPPrefixFrom(netaddr.IPv4(0, 0, 0, 0), 0)
any6 := netaddr.IPPrefixFrom(netaddr.IPFrom16([16]byte{}), 0)
any4 := netip.PrefixFrom(netaddr.IPv4(0, 0, 0, 0), 0)
any6 := netip.PrefixFrom(netaddr.IPFrom16([16]byte{}), 0)
ms := []Match{
{
IPProto: []ipproto.Proto{ipproto.TCP, ipproto.UDP, ipproto.ICMPv4},
Srcs: []netaddr.IPPrefix{any4},
Srcs: []netip.Prefix{any4},
Dsts: []NetPortRange{
{
Net: any4,
@@ -125,7 +126,7 @@ func NewAllowAllForTest(logf logger.Logf) *Filter {
},
{
IPProto: []ipproto.Proto{ipproto.TCP, ipproto.UDP, ipproto.ICMPv6},
Srcs: []netaddr.IPPrefix{any6},
Srcs: []netip.Prefix{any6},
Dsts: []NetPortRange{
{
Net: any6,
@@ -180,10 +181,10 @@ func New(matches []Match, localNets *netipx.IPSet, logIPs *netipx.IPSet, shareSt
}
f := &Filter{
logf: logf,
matches4: matchesFamily(matches, netaddr.IP.Is4),
matches6: matchesFamily(matches, netaddr.IP.Is6),
cap4: capMatchesFunc(matches, netaddr.IP.Is4),
cap6: capMatchesFunc(matches, netaddr.IP.Is6),
matches4: matchesFamily(matches, netip.Addr.Is4),
matches6: matchesFamily(matches, netip.Addr.Is6),
cap4: capMatchesFunc(matches, netip.Addr.Is4),
cap6: capMatchesFunc(matches, netip.Addr.Is6),
local: localNets,
logIPs: logIPs,
state: state,
@@ -193,7 +194,7 @@ func New(matches []Match, localNets *netipx.IPSet, logIPs *netipx.IPSet, shareSt
// matchesFamily returns the subset of ms for which keep(srcNet.IP)
// and keep(dstNet.IP) are both true.
func matchesFamily(ms matches, keep func(netaddr.IP) bool) matches {
func matchesFamily(ms matches, keep func(netip.Addr) bool) matches {
var ret matches
for _, m := range ms {
var retm Match
@@ -217,7 +218,7 @@ func matchesFamily(ms matches, keep func(netaddr.IP) bool) matches {
// capMatchesFunc returns a copy of the subset of ms for which keep(srcNet.IP)
// and the match is a capability grant.
func capMatchesFunc(ms matches, keep func(netaddr.IP) bool) matches {
func capMatchesFunc(ms matches, keep func(netip.Addr) bool) matches {
var ret matches
for _, m := range ms {
if len(m.Caps) == 0 {
@@ -299,7 +300,7 @@ var dummyPacket = []byte{
// CheckTCP determines whether TCP traffic from srcIP to dstIP:dstPort
// is allowed.
func (f *Filter) CheckTCP(srcIP, dstIP netaddr.IP, dstPort uint16) Response {
func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response {
pkt := &packet.Parsed{}
pkt.Decode(dummyPacket) // initialize private fields
switch {
@@ -314,8 +315,8 @@ func (f *Filter) CheckTCP(srcIP, dstIP netaddr.IP, dstPort uint16) Response {
default:
panic("unreachable")
}
pkt.Src = netaddr.IPPortFrom(srcIP, 0)
pkt.Dst = netaddr.IPPortFrom(dstIP, dstPort)
pkt.Src = netip.AddrPortFrom(srcIP, 0)
pkt.Dst = netip.AddrPortFrom(dstIP, dstPort)
pkt.IPProto = ipproto.TCP
pkt.TCPFlags = packet.TCPSyn
@@ -324,7 +325,7 @@ func (f *Filter) CheckTCP(srcIP, dstIP netaddr.IP, dstPort uint16) Response {
// AppendCaps appends to base the capabilities that srcIP has talking
// to dstIP.
func (f *Filter) AppendCaps(base []string, srcIP, dstIP netaddr.IP) []string {
func (f *Filter) AppendCaps(base []string, srcIP, dstIP netip.Addr) []string {
ret := base
var mm matches
switch {
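Review bot: CheckTCP ends its address-family switch in `default: panic("unreachable")`, and with the parameters now typed `netip.Addr` a zero or otherwise invalid address answers false to both `Is4()` and `Is6()`. The switch cases lie outside the hunk, so this is inferred, but if they test only those two predicates, a caller passing an unset address brings the process down instead of getting a deny verdict. A guard ahead of the switch, `if !srcIP.IsValid() || !dstIP.IsValid()`, returning the package's drop Response, would keep the check fail-closed. Failing that, the doc comment should state that both addresses must be valid.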


@@ -15,7 +15,6 @@ import (
"github.com/google/go-cmp/cmp"
"go4.org/netipx"
"tailscale.com/net/netaddr"
"tailscale.com/net/packet"
"tailscale.com/net/tsaddr"
"tailscale.com/tailcfg"
@@ -32,7 +31,7 @@ const (
testDeniedProto ipproto.Proto = 127 // CRUDP, appropriately cruddy
)
func m(srcs []netaddr.IPPrefix, dsts []NetPortRange, protos ...ipproto.Proto) Match {
func m(srcs []netip.Prefix, dsts []NetPortRange, protos ...ipproto.Proto) Match {
if protos == nil {
protos = defaultProtos
}
@@ -243,7 +242,7 @@ func TestParseIPSet(t *testing.T) {
tests := []struct {
host string
bits int
want []netaddr.IPPrefix
want []netip.Prefix
wantErr string
}{
{"8.8.8.8", 24, pfx("8.8.8.8/24"), ""},
@@ -273,8 +272,8 @@ func TestParseIPSet(t *testing.T) {
}
t.Errorf("parseIPSet(%q, %v) error: %v; want error %q", tt.host, tt.bits, err, tt.wantErr)
}
compareIP := cmp.Comparer(func(a, b netaddr.IP) bool { return a == b })
compareIPPrefix := cmp.Comparer(func(a, b netaddr.IPPrefix) bool { return a == b })
compareIP := cmp.Comparer(func(a, b netip.Addr) bool { return a == b })
compareIPPrefix := cmp.Comparer(func(a, b netip.Prefix) bool { return a == b })
if diff := cmp.Diff(got, tt.want, compareIP, compareIPPrefix); diff != "" {
t.Errorf("parseIPSet(%q, %v) = %s; want %s", tt.host, tt.bits, got, tt.want)
continue
@@ -446,10 +445,10 @@ func TestLoggingPrivacy(t *testing.T) {
f.logIPs, _ = logB.IPSet()
var (
ts4 = netaddr.IPPortFrom(tsaddr.CGNATRange().Addr().Next(), 1234)
internet4 = netaddr.IPPortFrom(netip.MustParseAddr("8.8.8.8"), 1234)
ts6 = netaddr.IPPortFrom(tsaddr.TailscaleULARange().Addr().Next(), 1234)
internet6 = netaddr.IPPortFrom(netip.MustParseAddr("2001::1"), 1234)
ts4 = netip.AddrPortFrom(tsaddr.CGNATRange().Addr().Next(), 1234)
internet4 = netip.AddrPortFrom(netip.MustParseAddr("8.8.8.8"), 1234)
ts6 = netip.AddrPortFrom(tsaddr.TailscaleULARange().Addr().Next(), 1234)
internet6 = netip.AddrPortFrom(netip.MustParseAddr("2001::1"), 1234)
)
tests := []struct {
@@ -560,8 +559,8 @@ func parsed(proto ipproto.Proto, src, dst string, sport, dport uint16) packet.Pa
var ret packet.Parsed
ret.Decode(dummyPacket)
ret.IPProto = proto
ret.Src = netaddr.IPPortFrom(sip, sport)
ret.Dst = netaddr.IPPortFrom(dip, dport)
ret.Src = netip.AddrPortFrom(sip, sport)
ret.Dst = netip.AddrPortFrom(dip, dport)
ret.TCPFlags = packet.TCPSyn
if sip.Is4() {
@@ -657,7 +656,7 @@ func parseHexPkt(t *testing.T, h string) *packet.Parsed {
return p
}
func mustIPPort(s string) netaddr.IPPort {
func mustIPPort(s string) netip.AddrPort {
ipp, err := netip.ParseAddrPort(s)
if err != nil {
panic(err)
@@ -665,7 +664,7 @@ func mustIPPort(s string) netaddr.IPPort {
return ipp
}
func pfx(strs ...string) (ret []netaddr.IPPrefix) {
func pfx(strs ...string) (ret []netip.Prefix) {
for _, s := range strs {
pfx, err := netip.ParsePrefix(s)
if err != nil {
@@ -676,7 +675,7 @@ func pfx(strs ...string) (ret []netaddr.IPPrefix) {
return ret
}
func nets(nets ...string) (ret []netaddr.IPPrefix) {
func nets(nets ...string) (ret []netip.Prefix) {
for _, s := range nets {
if !strings.Contains(s, "/") {
ip, err := netip.ParseAddr(s)
@@ -687,7 +686,7 @@ func nets(nets ...string) (ret []netaddr.IPPrefix) {
if ip.Is6() {
bits = 128
}
ret = append(ret, netaddr.IPPrefixFrom(ip, bits))
ret = append(ret, netip.PrefixFrom(ip, int(bits)))
} else {
pfx, err := netip.ParsePrefix(s)
if err != nil {
@@ -779,7 +778,7 @@ func TestMatchesFromFilterRules(t *testing.T) {
Ports: PortRange{22, 22},
},
},
Srcs: []netaddr.IPPrefix{
Srcs: []netip.Prefix{
netip.MustParsePrefix("100.64.1.1/32"),
},
Caps: []CapMatch{},
@@ -809,7 +808,7 @@ func TestMatchesFromFilterRules(t *testing.T) {
Ports: PortRange{22, 22},
},
},
Srcs: []netaddr.IPPrefix{
Srcs: []netip.Prefix{
netip.MustParsePrefix("100.64.1.1/32"),
},
Caps: []CapMatch{},
@@ -824,8 +823,8 @@ func TestMatchesFromFilterRules(t *testing.T) {
t.Fatal(err)
}
compareIP := cmp.Comparer(func(a, b netaddr.IP) bool { return a == b })
compareIPPrefix := cmp.Comparer(func(a, b netaddr.IPPrefix) bool { return a == b })
compareIP := cmp.Comparer(func(a, b netip.Addr) bool { return a == b })
compareIPPrefix := cmp.Comparer(func(a, b netip.Prefix) bool { return a == b })
if diff := cmp.Diff(got, tt.want, compareIP, compareIPPrefix); diff != "" {
t.Errorf("wrong (-got+want)\n%s", diff)
}
@@ -885,7 +884,7 @@ func TestCaps(t *testing.T) {
{
SrcIPs: []string{"*"},
CapGrant: []tailcfg.CapGrant{{
Dsts: []netaddr.IPPrefix{
Dsts: []netip.Prefix{
netip.MustParsePrefix("0.0.0.0/0"),
},
Caps: []string{"is_ipv4"},
@@ -894,7 +893,7 @@ func TestCaps(t *testing.T) {
{
SrcIPs: []string{"*"},
CapGrant: []tailcfg.CapGrant{{
Dsts: []netaddr.IPPrefix{
Dsts: []netip.Prefix{
netip.MustParsePrefix("::/0"),
},
Caps: []string{"is_ipv6"},
@@ -903,7 +902,7 @@ func TestCaps(t *testing.T) {
{
SrcIPs: []string{"100.199.0.0/16"},
CapGrant: []tailcfg.CapGrant{{
Dsts: []netaddr.IPPrefix{
Dsts: []netip.Prefix{
netip.MustParsePrefix("100.200.0.0/16"),
},
Caps: []string{"some_super_admin"},


@@ -6,9 +6,9 @@ package filter
import (
"fmt"
"net/netip"
"strings"
"tailscale.com/net/netaddr"
"tailscale.com/net/packet"
"tailscale.com/types/ipproto"
)
@@ -39,7 +39,7 @@ func (pr PortRange) contains(port uint16) bool {
// NetPortRange combines an IP address prefix and PortRange.
type NetPortRange struct {
Net netaddr.IPPrefix
Net netip.Prefix
Ports PortRange
}
@@ -51,7 +51,7 @@ func (npr NetPortRange) String() string {
type CapMatch struct {
// Dst is the IP prefix that the destination IP address matches against
// to get the capability.
Dst netaddr.IPPrefix
Dst netip.Prefix
// Cap is the capability that's granted if the destination IP addresses
// matches Dst.
@@ -62,7 +62,7 @@ type CapMatch struct {
// Dsts.
type Match struct {
IPProto []ipproto.Proto // required set (no default value at this layer)
Srcs []netaddr.IPPrefix
Srcs []netip.Prefix
Dsts []NetPortRange // optional, if Srcs match
Caps []CapMatch // optional, if Srcs match
}
@@ -152,7 +152,7 @@ func (ms matches) matchProtoAndIPsOnlyIfAllPorts(q *packet.Parsed) bool {
return false
}
func ipInList(ip netaddr.IP, netlist []netaddr.IPPrefix) bool {
func ipInList(ip netip.Addr, netlist []netip.Prefix) bool {
for _, net := range netlist {
if net.Contains(ip) {
return true
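Review bot: ipInList has no doc comment, and `net.Contains(ip)` on a `netip.Prefix` has matching rules that a filter author should see at the call site: an IPv4-mapped IPv6 address does not match an IPv4 prefix, and a zoned or zero address never matches. For an allow-list these cases presumably fail closed, but a rule can then silently not apply to traffic it was written for unless callers unmap first. I would add `// ipInList reports whether ip is contained in any prefix of netlist. IPv4-mapped IPv6, zoned and zero addresses never match (see netip.Prefix.Contains); unmap before calling.` The function body continues past the end of the hunk.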


@@ -34,7 +34,7 @@ func MatchesFromFilterRules(pf []tailcfg.FilterRule) ([]Match, error) {
// of time in runtime.growslice. As such, we attempt to
// pre-allocate some slices. Multipliers were chosen arbitrarily.
m := Match{
Srcs: make([]netaddr.IPPrefix, 0, len(r.SrcIPs)),
Srcs: make([]netip.Prefix, 0, len(r.SrcIPs)),
Dsts: make([]NetPortRange, 0, 2*len(r.DstPorts)),
Caps: make([]CapMatch, 0, 3*len(r.CapGrant)),
}
@@ -114,12 +114,12 @@ var (
// around, and ultimately use a new version of IPSet.ContainsFunc like
// Contains16Func that works in [16]byte address, so we we can match
// at runtime without allocating?
func parseIPSet(arg string, bits *int) ([]netaddr.IPPrefix, error) {
func parseIPSet(arg string, bits *int) ([]netip.Prefix, error) {
if arg == "*" {
// User explicitly requested wildcard.
return []netaddr.IPPrefix{
netaddr.IPPrefixFrom(zeroIP4, 0),
netaddr.IPPrefixFrom(zeroIP6, 0),
return []netip.Prefix{
netip.PrefixFrom(zeroIP4, 0),
netip.PrefixFrom(zeroIP6, 0),
}, nil
}
if strings.Contains(arg, "/") {
@@ -130,7 +130,7 @@ func parseIPSet(arg string, bits *int) ([]netaddr.IPPrefix, error) {
if pfx != pfx.Masked() {
return nil, fmt.Errorf("%v contains non-network bits set", pfx)
}
return []netaddr.IPPrefix{pfx}, nil
return []netip.Prefix{pfx}, nil
}
if strings.Count(arg, "-") == 1 {
ip1s, ip2s, _ := strings.Cut(arg, "-")
@@ -159,5 +159,5 @@ func parseIPSet(arg string, bits *int) ([]netaddr.IPPrefix, error) {
}
bits8 = uint8(*bits)
}
return []netaddr.IPPrefix{netaddr.IPPrefixFrom(ip, bits8)}, nil
return []netip.Prefix{netip.PrefixFrom(ip, int(bits8))}, nil
}
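Review bot: The final return narrows and then widens the prefix length, `bits8 = uint8(*bits)` followed by `int(bits8)`, which is a leftover of the netaddr signature and leaves a truncating conversion on the path that builds filter prefixes. `netip.PrefixFrom` does not return an error for an out-of-range length; it yields an invalid Prefix, so correctness rests on a range check on `*bits` that is not visible in this hunk. Keeping the length as an `int` (call it n) and ending with `p := netip.PrefixFrom(ip, n)` and `if !p.IsValid() { return nil, fmt.Errorf("invalid prefix length %d for %v", n, ip) }` removes the truncation and makes the check local. The declaration of bits8 is outside the hunk.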