mirror of
https://github.com/tailscale/tailscale.git
synced 2025-12-05 04:11:59 +00:00
cmd/tta, vnet: add host firewall, env var support, more tests
In particular, tests showing that #3824 works. But that test doesn't actually work yet; it only gets a DERP connection. (why?) Updates #13038 Change-Id: Ie1fd1b6a38d4e90fae7e72a0b9a142a95f0b2e8f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick
committed by
Brad Fitzpatrick
Brad Fitzpatrick
parent
b692985aef
commit
a61825c7b8
@@ -102,6 +102,14 @@ func easy(c *vnet.Config) *vnet.Node {
|
||||
fmt.Sprintf("192.168.%d.1/24", n), vnet.EasyNAT))
|
||||
}
|
||||
|
||||
// easy + host firewall
|
||||
func easyFW(c *vnet.Config) *vnet.Node {
|
||||
n := c.NumNodes() + 1
|
||||
return c.AddNode(vnet.HostFirewall, c.AddNetwork(
|
||||
fmt.Sprintf("2.%d.%d.%d", n, n, n), // public IP
|
||||
fmt.Sprintf("192.168.%d.1/24", n), vnet.EasyNAT))
|
||||
}
|
||||
|
||||
func easyAF(c *vnet.Config) *vnet.Node {
|
||||
n := c.NumNodes() + 1
|
||||
return c.AddNode(c.AddNetwork(
|
||||
@@ -134,6 +142,29 @@ func easyPMP(c *vnet.Config) *vnet.Node {
|
||||
fmt.Sprintf("192.168.%d.1/24", n), vnet.EasyNAT, vnet.NATPMP))
|
||||
}
|
||||
|
||||
// easy + port mapping + host firewall
|
||||
func easyPMPFW(c *vnet.Config) *vnet.Node {
|
||||
n := c.NumNodes() + 1
|
||||
return c.AddNode(vnet.HostFirewall,
|
||||
c.AddNetwork(
|
||||
fmt.Sprintf("2.%d.%d.%d", n, n, n), // public IP
|
||||
fmt.Sprintf("192.168.%d.1/24", n), vnet.EasyNAT, vnet.NATPMP))
|
||||
}
|
||||
|
||||
// easy + port mapping + host firewall - BPF
|
||||
func easyPMPFWNoBPF(c *vnet.Config) *vnet.Node {
|
||||
n := c.NumNodes() + 1
|
||||
return c.AddNode(
|
||||
vnet.HostFirewall,
|
||||
vnet.TailscaledEnv{
|
||||
Key: "TS_DEBUG_DISABLE_RAW_DISCO",
|
||||
Value: "1",
|
||||
},
|
||||
c.AddNetwork(
|
||||
fmt.Sprintf("2.%d.%d.%d", n, n, n), // public IP
|
||||
fmt.Sprintf("192.168.%d.1/24", n), vnet.EasyNAT, vnet.NATPMP))
|
||||
}
|
||||
|
||||
func hard(c *vnet.Config) *vnet.Node {
|
||||
n := c.NumNodes() + 1
|
||||
return c.AddNode(c.AddNetwork(
|
||||
@@ -203,12 +234,18 @@ func (nt *natTest) runTest(node1, node2 addNodeFunc) pingRoute {
|
||||
t.Fatalf("qemu-img create: %v, %s", err, out)
|
||||
}
|
||||
|
||||
var envBuf bytes.Buffer
|
||||
for _, e := range node.Env() {
|
||||
fmt.Fprintf(&envBuf, " tailscaled.env=%s=%s", e.Key, e.Value)
|
||||
}
|
||||
envStr := envBuf.String()
|
||||
|
||||
cmd := exec.Command("qemu-system-x86_64",
|
||||
"-M", "microvm,isa-serial=off",
|
||||
"-m", "384M",
|
||||
"-nodefaults", "-no-user-config", "-nographic",
|
||||
"-kernel", nt.kernel,
|
||||
"-append", "console=hvc0 root=PARTUUID=60c24cc1-f3f9-427a-8199-dd02023b0001/PARTNROFF=1 ro init=/gokrazy/init panic=10 oops=panic pci=off nousb tsc=unstable clocksource=hpet tailscale-tta=1",
|
||||
"-append", "console=hvc0 root=PARTUUID=60c24cc1-f3f9-427a-8199-dd02023b0001/PARTNROFF=1 ro init=/gokrazy/init panic=10 oops=panic pci=off nousb tsc=unstable clocksource=hpet tailscale-tta=1"+envStr,
|
||||
"-drive", "id=blk0,file="+disk+",format=qcow2",
|
||||
"-device", "virtio-blk-device,drive=blk0",
|
||||
"-netdev", "stream,id=net0,addr.type=unix,addr.path="+sockAddr,
|
||||
@@ -254,10 +291,20 @@ func (nt *natTest) runTest(node1, node2 addNodeFunc) pingRoute {
|
||||
return fmt.Errorf("node%d status: %w", i, err)
|
||||
}
|
||||
t.Logf("node%d status: %v", i, st)
|
||||
|
||||
node := nodes[i]
|
||||
if node.HostFirewall() {
|
||||
if err := c.EnableHostFirewall(ctx); err != nil {
|
||||
return fmt.Errorf("node%d firewall: %w", i, err)
|
||||
}
|
||||
t.Logf("node%d firewalled", i)
|
||||
}
|
||||
|
||||
if err := up(ctx, c); err != nil {
|
||||
return fmt.Errorf("node%d up: %w", i, err)
|
||||
}
|
||||
t.Logf("node%d up!", i)
|
||||
|
||||
st, err = c.Status(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("node%d status: %w", i, err)
|
||||
@@ -408,6 +455,31 @@ func TestEasyEasy(t *testing.T) {
|
||||
nt.runTest(easy, easy)
|
||||
}
|
||||
|
||||
// Tests https://github.com/tailscale/tailscale/issues/3824 ...
|
||||
// * server behind a Hard NAT
|
||||
// * client behind a NAT with UPnP support
|
||||
// * client machine has a stateful host firewall (e.g. ufw)
|
||||
|
||||
func TestBPFDisco(t *testing.T) {
|
||||
nt := newNatTest(t)
|
||||
nt.runTest(easyPMPFW, hard)
|
||||
}
|
||||
|
||||
func TestHostFWNoBPF(t *testing.T) {
|
||||
nt := newNatTest(t)
|
||||
nt.runTest(easyPMPFWNoBPF, hard)
|
||||
}
|
||||
|
||||
func TestHostFWPair(t *testing.T) {
|
||||
nt := newNatTest(t)
|
||||
nt.runTest(easyFW, easyFW)
|
||||
}
|
||||
|
||||
func TestOneHostFW(t *testing.T) {
|
||||
nt := newNatTest(t)
|
||||
nt.runTest(easy, easyFW)
|
||||
}
|
||||
|
||||
var pair = flag.String("pair", "", "comma-separated pair of types to test (easy, easyAF, hard, easyPMP, hardPMP, one2one, sameLAN)")
|
||||
|
||||
func TestPair(t *testing.T) {
|
||||
|
||||
Reference in New Issue
Block a user