TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-01-05 23:07:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

wgengine/netstack: fix shouldProcessInbound peerapi non-SYN handling

Browse Source 
It was eating TCP packets to peerapi ports to subnet routers.  Some of
the TCP flow's packets went onward, some got eaten.  So some TCP flows
to subnet routers, if they used an unfortunate TCP port number, got
broken.

Change-Id: Ifea036119ccfb081f4dfa18b892373416a5239f8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick 2022-11-08 07:47:22 -08:00 committed by Brad Fitzpatrick
parent 6d8320a6e9
commit abfdcd0f70
1 changed files with 15 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
wgengine/netstack/netstack.go
View File

@ -535,23 +535,30 @@ func (ns *Impl) peerAPIPortAtomic(ip netip.Addr) *uint32 {
// WireGuard peer) should be handled by netstack.
func (ns *Impl) shouldProcessInbound(p *packet.Parsed, t *tstun.Wrapper) bool {
// Handle incoming peerapi connections in netstack.
if ns.lb != nil && p.IPProto == ipproto.TCP {
dstIP := p.Dst.Addr()
isLocal := ns.isLocalIP(dstIP)
// Handle TCP connection to the Tailscale IP(s) in some cases:
if ns.lb != nil && p.IPProto == ipproto.TCP && isLocal {
var peerAPIPort uint16
dstIP := p.Dst.Addr()
if p.TCPFlags&packet.TCPSynAck == packet.TCPSyn && ns.isLocalIP(dstIP) {
if port, ok := ns.lb.GetPeerAPIPort(p.Dst.Addr()); ok {
if p.TCPFlags&packet.TCPSynAck == packet.TCPSyn {
if port, ok := ns.lb.GetPeerAPIPort(dstIP); ok {
peerAPIPort = port
atomic.StoreUint32(ns.peerAPIPortAtomic(dstIP), uint32(port))
}
} else {
peerAPIPort = uint16(atomic.LoadUint32(ns.peerAPIPortAtomic(dstIP)))
}
if p.IPProto == ipproto.TCP && p.Dst.Port() == peerAPIPort {
dport := p.Dst.Port()
if dport == peerAPIPort {
return true
}
// Also handle SSH connections, if enabled.
if dport == 22 && ns.lb.ShouldRunSSH() {
return true
}
}
if ns.isInboundTSSH(p) && ns.processSSH() {
return true
}
if p.IPVersion == 6 && viaRange.Contains(p.Dst.Addr()) {
return ns.lb != nil && ns.lb.ShouldHandleViaIP(p.Dst.Addr())
@ -561,7 +568,6 @@ func (ns *Impl) shouldProcessInbound(p *packet.Parsed, t *tstun.Wrapper) bool {
// netstack isn't used at all; don't even do an isLocalIP lookup.
return false
}
isLocal := ns.isLocalIP(p.Dst.Addr())
if ns.ProcessLocalIPs && isLocal {
return true
}
@ -647,12 +653,6 @@ func (ns *Impl) userPing(dstIP netip.Addr, pingResPkt []byte) {
}
}
func (ns *Impl) isInboundTSSH(p *packet.Parsed) bool {
return p.IPProto == ipproto.TCP &&
p.Dst.Port() == 22 &&
ns.isLocalIP(p.Dst.Addr())
}
// injectInbound is installed as a packet hook on the 'inbound' (from a
// WireGuard peer) path. Returning filter.Accept releases the packet to
// continue normally (typically being delivered to the host networking stack),