wgengine/router: allow disco packets through iptables on Linux

Fixes #3824

Change-Id: I9d0a86bae7f6ca3b4588a0b621dc434b1611f414
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick 2022-08-28 14:31:34 -07:00
parent 66d7d2549f
commit ad91d1aa20
2 changed files with 48 additions and 1 deletions

View File

@ -1112,6 +1112,30 @@ func (r *linuxRouter) addNetfilterBase() error {
return nil return nil
} }
// allowDiscoRule is the iptables rule to allow all UDP discovery packets in.
// See https://github.com/tailscale/tailscale/issues/3824.
var allowDiscoRule = []string{
"-p", "udp", // UDP
"!", "-f", // not fragmented parts of UDP packets
"-m", "u32", "--u32",
"0>>22&0x3C@8=0x5453f09f && 0>>22&0x3C@10&0xffff=0x92ac", // check first 6 bytes of UDP payload is disco packet magic
"-m", "comment", "--comment", "Allow Tailscale NAT traversal",
"-j", "ACCEPT",
}
// allowDiscoRule6 is allowDiscoRule without the fragment check that doesn't
// apply to IPv6, and with the right offsets for the IPv6 UDP payload.
//
// Note: this doesn't work if IPv6 extension headers are present. Oh well.
// It'll help most users.
var allowDiscoRule6 = []string{
"-p", "udp", // UDP
"-m", "u32", "--u32",
"0x30=0x5453f09f && 0x32&0xffff=0x92ac", // check first 6 bytes of UDP payload is disco packet magic
"-m", "comment", "--comment", "Allow Tailscale NAT traversal",
"-j", "ACCEPT",
}
// addNetfilterBase4 adds some basic IPv4 processing rules to be // addNetfilterBase4 adds some basic IPv4 processing rules to be
// supplemented by later calls to other helpers. // supplemented by later calls to other helpers.
func (r *linuxRouter) addNetfilterBase4() error { func (r *linuxRouter) addNetfilterBase4() error {
@ -1129,6 +1153,10 @@ func (r *linuxRouter) addNetfilterBase4() error {
if err := r.ipt4.Append("filter", "ts-input", args...); err != nil { if err := r.ipt4.Append("filter", "ts-input", args...); err != nil {
return fmt.Errorf("adding %v in v4/filter/ts-input: %w", args, err) return fmt.Errorf("adding %v in v4/filter/ts-input: %w", args, err)
} }
if err := r.ipt4.Append("filter", "ts-input", allowDiscoRule...); err != nil {
// Not worth returning an error about. (Maybe they lack u32 kernel match support.)
r.logf("ignoring error adding allow-disco in v4/filter/ts-input: %v", err)
}
// Forward all traffic from the Tailscale interface, and drop // Forward all traffic from the Tailscale interface, and drop
// traffic to the tailscale interface by default. We use packet // traffic to the tailscale interface by default. We use packet
@ -1167,6 +1195,11 @@ func (r *linuxRouter) addNetfilterBase6() error {
// TODO: only allow traffic from Tailscale's ULA range to come // TODO: only allow traffic from Tailscale's ULA range to come
// from tailscale0. // from tailscale0.
if err := r.ipt6.Append("filter", "ts-input", allowDiscoRule6...); err != nil {
// Not worth returning an error about. (Maybe they lack u32 kernel match support.)
r.logf("ignoring error adding allow-disco in v6/filter/ts-input: %v", err)
}
args := []string{"-i", r.tunname, "-j", "MARK", "--set-mark", tailscaleSubnetRouteMark} args := []string{"-i", r.tunname, "-j", "MARK", "--set-mark", tailscaleSubnetRouteMark}
if err := r.ipt6.Append("filter", "ts-forward", args...); err != nil { if err := r.ipt6.Append("filter", "ts-forward", args...); err != nil {
return fmt.Errorf("adding %v in v6/filter/ts-forward: %w", args, err) return fmt.Errorf("adding %v in v6/filter/ts-forward: %w", args, err)

View File

@ -108,6 +108,7 @@ func TestRouterStates(t *testing.T) {
v4/filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT v4/filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT
v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN
v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP
v4/filter/ts-input -p udp ! -f -m u32 --u32 0>>22&0x3C@8=0x5453f09f && 0>>22&0x3C@10&0xffff=0x92ac -m comment --comment Allow Tailscale NAT traversal -j ACCEPT
v4/nat/POSTROUTING -j ts-postrouting v4/nat/POSTROUTING -j ts-postrouting
v4/nat/ts-postrouting -m mark --mark 0x40000 -j MASQUERADE v4/nat/ts-postrouting -m mark --mark 0x40000 -j MASQUERADE
v6/filter/FORWARD -j ts-forward v6/filter/FORWARD -j ts-forward
@ -115,6 +116,7 @@ func TestRouterStates(t *testing.T) {
v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000
v6/filter/ts-forward -m mark --mark 0x40000 -j ACCEPT v6/filter/ts-forward -m mark --mark 0x40000 -j ACCEPT
v6/filter/ts-forward -o tailscale0 -j ACCEPT v6/filter/ts-forward -o tailscale0 -j ACCEPT
v6/filter/ts-input -p udp -m u32 --u32 0x30=0x5453f09f && 0x32&0xffff=0x92ac -m comment --comment Allow Tailscale NAT traversal -j ACCEPT
v6/nat/POSTROUTING -j ts-postrouting v6/nat/POSTROUTING -j ts-postrouting
v6/nat/ts-postrouting -m mark --mark 0x40000 -j MASQUERADE v6/nat/ts-postrouting -m mark --mark 0x40000 -j MASQUERADE
`, `,
@ -140,12 +142,14 @@ func TestRouterStates(t *testing.T) {
v4/filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT v4/filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT
v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN
v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP
v4/filter/ts-input -p udp ! -f -m u32 --u32 0>>22&0x3C@8=0x5453f09f && 0>>22&0x3C@10&0xffff=0x92ac -m comment --comment Allow Tailscale NAT traversal -j ACCEPT
v4/nat/POSTROUTING -j ts-postrouting v4/nat/POSTROUTING -j ts-postrouting
v6/filter/FORWARD -j ts-forward v6/filter/FORWARD -j ts-forward
v6/filter/INPUT -j ts-input v6/filter/INPUT -j ts-input
v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000
v6/filter/ts-forward -m mark --mark 0x40000 -j ACCEPT v6/filter/ts-forward -m mark --mark 0x40000 -j ACCEPT
v6/filter/ts-forward -o tailscale0 -j ACCEPT v6/filter/ts-forward -o tailscale0 -j ACCEPT
v6/filter/ts-input -p udp -m u32 --u32 0x30=0x5453f09f && 0x32&0xffff=0x92ac -m comment --comment Allow Tailscale NAT traversal -j ACCEPT
v6/nat/POSTROUTING -j ts-postrouting v6/nat/POSTROUTING -j ts-postrouting
`, `,
}, },
@ -173,17 +177,19 @@ func TestRouterStates(t *testing.T) {
v4/filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT v4/filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT
v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN
v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP
v4/filter/ts-input -p udp ! -f -m u32 --u32 0>>22&0x3C@8=0x5453f09f && 0>>22&0x3C@10&0xffff=0x92ac -m comment --comment Allow Tailscale NAT traversal -j ACCEPT
v4/nat/POSTROUTING -j ts-postrouting v4/nat/POSTROUTING -j ts-postrouting
v6/filter/FORWARD -j ts-forward v6/filter/FORWARD -j ts-forward
v6/filter/INPUT -j ts-input v6/filter/INPUT -j ts-input
v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000
v6/filter/ts-forward -m mark --mark 0x40000 -j ACCEPT v6/filter/ts-forward -m mark --mark 0x40000 -j ACCEPT
v6/filter/ts-forward -o tailscale0 -j ACCEPT v6/filter/ts-forward -o tailscale0 -j ACCEPT
v6/filter/ts-input -p udp -m u32 --u32 0x30=0x5453f09f && 0x32&0xffff=0x92ac -m comment --comment Allow Tailscale NAT traversal -j ACCEPT
v6/nat/POSTROUTING -j ts-postrouting v6/nat/POSTROUTING -j ts-postrouting
`, `,
}, },
{ {
name: "addr and routes with netfilter", name: "addr and routes with netfilter v2",
in: &Config{ in: &Config{
LocalAddrs: mustCIDRs("100.101.102.104/10"), LocalAddrs: mustCIDRs("100.101.102.104/10"),
Routes: mustCIDRs("100.100.100.100/32", "10.0.0.0/8"), Routes: mustCIDRs("100.100.100.100/32", "10.0.0.0/8"),
@ -203,12 +209,14 @@ func TestRouterStates(t *testing.T) {
v4/filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT v4/filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT
v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN
v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP
v4/filter/ts-input -p udp ! -f -m u32 --u32 0>>22&0x3C@8=0x5453f09f && 0>>22&0x3C@10&0xffff=0x92ac -m comment --comment Allow Tailscale NAT traversal -j ACCEPT
v4/nat/POSTROUTING -j ts-postrouting v4/nat/POSTROUTING -j ts-postrouting
v6/filter/FORWARD -j ts-forward v6/filter/FORWARD -j ts-forward
v6/filter/INPUT -j ts-input v6/filter/INPUT -j ts-input
v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000
v6/filter/ts-forward -m mark --mark 0x40000 -j ACCEPT v6/filter/ts-forward -m mark --mark 0x40000 -j ACCEPT
v6/filter/ts-forward -o tailscale0 -j ACCEPT v6/filter/ts-forward -o tailscale0 -j ACCEPT
v6/filter/ts-input -p udp -m u32 --u32 0x30=0x5453f09f && 0x32&0xffff=0x92ac -m comment --comment Allow Tailscale NAT traversal -j ACCEPT
v6/nat/POSTROUTING -j ts-postrouting v6/nat/POSTROUTING -j ts-postrouting
`, `,
}, },
@ -232,9 +240,11 @@ func TestRouterStates(t *testing.T) {
v4/filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT v4/filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT
v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN
v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP
v4/filter/ts-input -p udp ! -f -m u32 --u32 0>>22&0x3C@8=0x5453f09f && 0>>22&0x3C@10&0xffff=0x92ac -m comment --comment Allow Tailscale NAT traversal -j ACCEPT
v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000
v6/filter/ts-forward -m mark --mark 0x40000 -j ACCEPT v6/filter/ts-forward -m mark --mark 0x40000 -j ACCEPT
v6/filter/ts-forward -o tailscale0 -j ACCEPT v6/filter/ts-forward -o tailscale0 -j ACCEPT
v6/filter/ts-input -p udp -m u32 --u32 0x30=0x5453f09f && 0x32&0xffff=0x92ac -m comment --comment Allow Tailscale NAT traversal -j ACCEPT
`, `,
}, },
{ {
@ -258,12 +268,14 @@ func TestRouterStates(t *testing.T) {
v4/filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT v4/filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT
v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN
v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP
v4/filter/ts-input -p udp ! -f -m u32 --u32 0>>22&0x3C@8=0x5453f09f && 0>>22&0x3C@10&0xffff=0x92ac -m comment --comment Allow Tailscale NAT traversal -j ACCEPT
v4/nat/POSTROUTING -j ts-postrouting v4/nat/POSTROUTING -j ts-postrouting
v6/filter/FORWARD -j ts-forward v6/filter/FORWARD -j ts-forward
v6/filter/INPUT -j ts-input v6/filter/INPUT -j ts-input
v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000
v6/filter/ts-forward -m mark --mark 0x40000 -j ACCEPT v6/filter/ts-forward -m mark --mark 0x40000 -j ACCEPT
v6/filter/ts-forward -o tailscale0 -j ACCEPT v6/filter/ts-forward -o tailscale0 -j ACCEPT
v6/filter/ts-input -p udp -m u32 --u32 0x30=0x5453f09f && 0x32&0xffff=0x92ac -m comment --comment Allow Tailscale NAT traversal -j ACCEPT
v6/nat/POSTROUTING -j ts-postrouting v6/nat/POSTROUTING -j ts-postrouting
`, `,
}, },
@ -290,12 +302,14 @@ func TestRouterStates(t *testing.T) {
v4/filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT v4/filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT
v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN
v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP
v4/filter/ts-input -p udp ! -f -m u32 --u32 0>>22&0x3C@8=0x5453f09f && 0>>22&0x3C@10&0xffff=0x92ac -m comment --comment Allow Tailscale NAT traversal -j ACCEPT
v4/nat/POSTROUTING -j ts-postrouting v4/nat/POSTROUTING -j ts-postrouting
v6/filter/FORWARD -j ts-forward v6/filter/FORWARD -j ts-forward
v6/filter/INPUT -j ts-input v6/filter/INPUT -j ts-input
v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000
v6/filter/ts-forward -m mark --mark 0x40000 -j ACCEPT v6/filter/ts-forward -m mark --mark 0x40000 -j ACCEPT
v6/filter/ts-forward -o tailscale0 -j ACCEPT v6/filter/ts-forward -o tailscale0 -j ACCEPT
v6/filter/ts-input -p udp -m u32 --u32 0x30=0x5453f09f && 0x32&0xffff=0x92ac -m comment --comment Allow Tailscale NAT traversal -j ACCEPT
v6/nat/POSTROUTING -j ts-postrouting v6/nat/POSTROUTING -j ts-postrouting
`, `,
}, },