TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-02-27 02:37:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

tailcfg, ipn/ipnlocal, wgengine/magicsock: add only-tcp-443 node attr

Browse Source 
Updates tailscale/corp#17879

Change-Id: I0dc305d147b76c409cf729b599a94fa723aef0e0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick 2024-03-22 14:18:04 -07:00 committed by Brad Fitzpatrick
parent 7b34154df2
commit a36cfb4d3d
5 changed files with 42 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ipn/ipnlocal/local.go
View File

@ -1230,6 +1230,7 @@ func (b *LocalBackend) SetControlClientStatus(c controlclient.Client, st control
b.e.SetNetworkMap(st.NetMap) b.e.SetNetworkMap(st.NetMap)
b.MagicConn().SetDERPMap(st.NetMap.DERPMap) b.MagicConn().SetDERPMap(st.NetMap.DERPMap)
b.MagicConn().SetOnlyTCP443(st.NetMap.HasCap(tailcfg.NodeAttrOnlyTCP443))
// Update our cached DERP map // Update our cached DERP map
dnsfallback.UpdateCache(st.NetMap.DERPMap, b.logf) dnsfallback.UpdateCache(st.NetMap.DERPMap, b.logf)

18
net/portmapper/portmapper.go
View File

@ -49,6 +49,17 @@ type DebugKnobs struct {
DisableUPnP bool DisableUPnP bool
DisablePMP bool DisablePMP bool
DisablePCP bool DisablePCP bool
// DisableAll, if non-nil, is a func that reports whether all port
// mapping attempts should be disabled.
DisableAll func() bool
}
func (k *DebugKnobs) disableAll() bool {
if k.DisableAll != nil {
return k.DisableAll()
}
return false
} }
// References: // References:
@ -403,6 +414,7 @@ var (
ErrNoPortMappingServices = errors.New("no port mapping services were found") ErrNoPortMappingServices = errors.New("no port mapping services were found")
ErrGatewayRange = errors.New("skipping portmap; gateway range likely lacks support") ErrGatewayRange = errors.New("skipping portmap; gateway range likely lacks support")
ErrGatewayIPv6 = errors.New("skipping portmap; no IPv6 support for portmapping") ErrGatewayIPv6 = errors.New("skipping portmap; no IPv6 support for portmapping")
ErrPortMappingDisabled = errors.New("port mapping is disabled")
) )
// GetCachedMappingOrStartCreatingOne quickly returns with our current cached portmapping, if any. // GetCachedMappingOrStartCreatingOne quickly returns with our current cached portmapping, if any.
@ -464,6 +476,9 @@ var wildcardIP = netip.MustParseAddr("0.0.0.0")
// If no mapping is available, the error will be of type // If no mapping is available, the error will be of type
// NoMappingError; see IsNoMappingError. // NoMappingError; see IsNoMappingError.
func (c *Client) createOrGetMapping(ctx context.Context) (external netip.AddrPort, err error) { func (c *Client) createOrGetMapping(ctx context.Context) (external netip.AddrPort, err error) {
if c.debug.disableAll() {
return netip.AddrPort{}, NoMappingError{ErrPortMappingDisabled}
}
if c.debug.DisableUPnP && c.debug.DisablePCP && c.debug.DisablePMP { if c.debug.DisableUPnP && c.debug.DisablePCP && c.debug.DisablePMP {
return netip.AddrPort{}, NoMappingError{ErrNoPortMappingServices} return netip.AddrPort{}, NoMappingError{ErrNoPortMappingServices}
} }
@ -777,6 +792,9 @@ type ProbeResult struct {
// the returned result might be server from the Client's cache, without // the returned result might be server from the Client's cache, without
// sending any network traffic. // sending any network traffic.
func (c *Client) Probe(ctx context.Context) (res ProbeResult, err error) { func (c *Client) Probe(ctx context.Context) (res ProbeResult, err error) {
if c.debug.disableAll() {
return res, ErrPortMappingDisabled
}
gw, myIP, ok := c.gatewayAndSelfIP() gw, myIP, ok := c.gatewayAndSelfIP()
if !ok { if !ok {
return res, ErrGatewayRange return res, ErrGatewayRange

7
tailcfg/tailcfg.go
View File

@ -2133,6 +2133,13 @@ const (
// e.g. https://tailscale.com/cap/funnel-ports?ports=80,443,8080-8090 // e.g. https://tailscale.com/cap/funnel-ports?ports=80,443,8080-8090
CapabilityFunnelPorts NodeCapability = "https://tailscale.com/cap/funnel-ports" CapabilityFunnelPorts NodeCapability = "https://tailscale.com/cap/funnel-ports"
// NodeAttrOnlyTCP443 specifies that the client should not attempt to generate
// any outbound traffic that isn't TCP on port 443 (HTTPS). This is used for
// clients in restricted environments where only HTTPS traffic is allowed
// other types of traffic trips outbound firewall alarms. This thus implies
// all traffic is over DERP.
NodeAttrOnlyTCP443 NodeCapability = "only-tcp-443"
// NodeAttrFunnel grants the ability for a node to host ingress traffic. // NodeAttrFunnel grants the ability for a node to host ingress traffic.
NodeAttrFunnel NodeCapability = "funnel" NodeAttrFunnel NodeCapability = "funnel"
// NodeAttrSSHAggregator grants the ability for a node to collect SSH sessions. // NodeAttrSSHAggregator grants the ability for a node to collect SSH sessions.

7
wgengine/magicsock/derp.go
View File

@ -729,6 +729,13 @@ func (c *Conn) processDERPReadResult(dm derpReadResult, b []byte) (n int, ep *en
return n, ep return n, ep
} }
// SetOnlyTCP443 set whether the magicsock connection is restricted
// to only using TCP port 443 outbound. If true, no UDP is allowed,
// no STUN checks are performend, etc.
func (c *Conn) SetOnlyTCP443(v bool) {
c.onlyTCP443.Store(v)
}
// SetDERPMap controls which (if any) DERP servers are used. // SetDERPMap controls which (if any) DERP servers are used.
// A nil value means to disable DERP; it's disabled by default. // A nil value means to disable DERP; it's disabled by default.
func (c *Conn) SetDERPMap(dm *tailcfg.DERPMap) { func (c *Conn) SetDERPMap(dm *tailcfg.DERPMap) {

10
wgengine/magicsock/magicsock.go
View File

@ -198,6 +198,8 @@ type Conn struct {
mu sync.Mutex mu sync.Mutex
muCond *sync.Cond muCond *sync.Cond
onlyTCP443 atomic.Bool
closed bool // Close was called closed bool // Close was called
closing atomic.Bool // Close is in progress (or done) closing atomic.Bool // Close is in progress (or done)
@ -444,7 +446,10 @@ func NewConn(opts Options) (*Conn, error) {
c.idleFunc = opts.IdleFunc c.idleFunc = opts.IdleFunc
c.testOnlyPacketListener = opts.TestOnlyPacketListener c.testOnlyPacketListener = opts.TestOnlyPacketListener
c.noteRecvActivity = opts.NoteRecvActivity c.noteRecvActivity = opts.NoteRecvActivity
c.portMapper = portmapper.NewClient(logger.WithPrefix(c.logf, "portmapper: "), opts.NetMon, nil, opts.ControlKnobs, c.onPortMapChanged) portMapOpts := &portmapper.DebugKnobs{
DisableAll: func() bool { return c.onlyTCP443.Load() },
}
c.portMapper = portmapper.NewClient(logger.WithPrefix(c.logf, "portmapper: "), opts.NetMon, portMapOpts, opts.ControlKnobs, c.onPortMapChanged)
if opts.NetMon != nil { if opts.NetMon != nil {
c.portMapper.SetGatewayLookupFunc(opts.NetMon.GatewayAndSelfIP) c.portMapper.SetGatewayLookupFunc(opts.NetMon.GatewayAndSelfIP)
} }
@ -1067,6 +1072,9 @@ func (c *Conn) sendUDP(ipp netip.AddrPort, b []byte) (sent bool, err error) {
// sendUDP sends UDP packet b to addr. // sendUDP sends UDP packet b to addr.
// See sendAddr's docs on the return value meanings. // See sendAddr's docs on the return value meanings.
func (c *Conn) sendUDPStd(addr netip.AddrPort, b []byte) (sent bool, err error) { func (c *Conn) sendUDPStd(addr netip.AddrPort, b []byte) (sent bool, err error) {
if c.onlyTCP443.Load() {
return false, nil
}
switch { switch {
case addr.Addr().Is4(): case addr.Addr().Is4():
_, err = c.pconn4.WriteToUDPAddrPort(b, addr) _, err = c.pconn4.WriteToUDPAddrPort(b, addr)