mirror of
				https://github.com/tailscale/tailscale.git
				synced 2025-10-25 10:09:17 +00:00 
			
		
		
		
	various: implement stateful firewalling on Linux (#12025)
Updates https://github.com/tailscale/corp/issues/19623 Change-Id: I7980e1fb736e234e66fa000d488066466c96ec85 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Co-authored-by: Andrew Dunham <andrew@du.nham.ca>
This commit is contained in:
		| @@ -4153,13 +4153,33 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs ipn.PrefsView, oneC | ||||
| 		netfilterKind = prefs.NetfilterKind() | ||||
| 	} | ||||
| 
 | ||||
| 	var doStatefulFiltering bool | ||||
| 	if v, ok := prefs.NoStatefulFiltering().Get(); !ok { | ||||
| 		// The stateful filtering preference isn't explicitly set; this is | ||||
| 		// unexpected since we expect it to be set during the profile | ||||
| 		// backfill, but to be safe let's enable stateful filtering | ||||
| 		// absent further information. | ||||
| 		doStatefulFiltering = true | ||||
| 		b.logf("[unexpected] NoStatefulFiltering preference not set; enabling stateful filtering") | ||||
| 	} else if v { | ||||
| 		// The preferences explicitly say "no stateful filtering", so | ||||
| 		// we don't do it. | ||||
| 		doStatefulFiltering = false | ||||
| 	} else { | ||||
| 		// The preferences explicitly "do stateful filtering" is turned | ||||
| 		// off, or to expand the double negative, to do stateful | ||||
| 		// filtering. Do so. | ||||
| 		doStatefulFiltering = true | ||||
| 	} | ||||
| 
 | ||||
| 	rs := &router.Config{ | ||||
| 		LocalAddrs:       unmapIPPrefixes(cfg.Addresses), | ||||
| 		SubnetRoutes:     unmapIPPrefixes(prefs.AdvertiseRoutes().AsSlice()), | ||||
| 		SNATSubnetRoutes: !prefs.NoSNAT(), | ||||
| 		NetfilterMode:    prefs.NetfilterMode(), | ||||
| 		Routes:           peerRoutes(b.logf, cfg.Peers, singleRouteThreshold), | ||||
| 		NetfilterKind:    netfilterKind, | ||||
| 		LocalAddrs:        unmapIPPrefixes(cfg.Addresses), | ||||
| 		SubnetRoutes:      unmapIPPrefixes(prefs.AdvertiseRoutes().AsSlice()), | ||||
| 		SNATSubnetRoutes:  !prefs.NoSNAT(), | ||||
| 		StatefulFiltering: doStatefulFiltering, | ||||
| 		NetfilterMode:     prefs.NetfilterMode(), | ||||
| 		Routes:            peerRoutes(b.logf, cfg.Peers, singleRouteThreshold), | ||||
| 		NetfilterKind:     netfilterKind, | ||||
| 	} | ||||
| 
 | ||||
| 	if distro.Get() == distro.Synology { | ||||
|   | ||||
| @@ -371,12 +371,39 @@ func (pm *profileManager) loadSavedPrefs(key ipn.StateKey) (ipn.PrefsView, error | ||||
| 	// https://github.com/tailscale/tailscale/pull/11814/commits/1613b18f8280c2bce786980532d012c9f0454fa2#diff-314ba0d799f70c8998940903efb541e511f352b39a9eeeae8d475c921d66c2ac | ||||
| 	// prefs could set AutoUpdate.Apply=true via EditPrefs or tailnet | ||||
| 	// auto-update defaults. After that change, such value is "invalid" and | ||||
| 	// cause any EditPrefs calls to fail (other than disabling autp-updates). | ||||
| 	// cause any EditPrefs calls to fail (other than disabling auto-updates). | ||||
| 	// | ||||
| 	// Reset AutoUpdate.Apply if we detect such invalid prefs. | ||||
| 	if savedPrefs.AutoUpdate.Apply.EqualBool(true) && !clientupdate.CanAutoUpdate() { | ||||
| 		savedPrefs.AutoUpdate.Apply.Clear() | ||||
| 	} | ||||
| 
 | ||||
| 	// Backfill a missing NoStatefulFiltering field based on the value of | ||||
| 	// the NoSNAT field; we want to apply stateful filtering in all cases | ||||
| 	// *except* where the user has disabled SNAT. | ||||
| 	// | ||||
| 	// Only backfill if the user hasn't set a value for | ||||
| 	// NoStatefulFiltering, however. | ||||
| 	_, haveNoStateful := savedPrefs.NoStatefulFiltering.Get() | ||||
| 	if !haveNoStateful { | ||||
| 		if savedPrefs.NoSNAT { | ||||
| 			pm.logf("backfilling NoStatefulFiltering field to true because NoSNAT is set") | ||||
| 
 | ||||
| 			// No SNAT: no stateful filtering | ||||
| 			savedPrefs.NoStatefulFiltering.Set(true) | ||||
| 		} else { | ||||
| 			pm.logf("backfilling NoStatefulFiltering field to false because NoSNAT is not set") | ||||
| 
 | ||||
| 			// SNAT (default): apply stateful filtering | ||||
| 			savedPrefs.NoStatefulFiltering.Set(false) | ||||
| 		} | ||||
| 
 | ||||
| 		// Write back to the preferences store now that we've updated it. | ||||
| 		if err := pm.writePrefsToStore(key, savedPrefs.View()); err != nil { | ||||
| 			return ipn.PrefsView{}, err | ||||
| 		} | ||||
| 	} | ||||
| 
 | ||||
| 	return savedPrefs.View(), nil | ||||
| } | ||||
| 
 | ||||
| @@ -468,6 +495,7 @@ var defaultPrefs = func() ipn.PrefsView { | ||||
| 	prefs := ipn.NewPrefs() | ||||
| 	prefs.LoggedOut = true | ||||
| 	prefs.WantRunning = false | ||||
| 	prefs.NoStatefulFiltering = "false" | ||||
| 
 | ||||
| 	return prefs.View() | ||||
| }() | ||||
|   | ||||
| @@ -4,6 +4,7 @@ | ||||
| package ipnlocal | ||||
| 
 | ||||
| import ( | ||||
| 	"encoding/json" | ||||
| 	"fmt" | ||||
| 	"os/user" | ||||
| 	"strconv" | ||||
| @@ -12,12 +13,14 @@ import ( | ||||
| 	"github.com/google/go-cmp/cmp" | ||||
| 	"github.com/google/go-cmp/cmp/cmpopts" | ||||
| 	"tailscale.com/clientupdate" | ||||
| 	"tailscale.com/envknob" | ||||
| 	"tailscale.com/health" | ||||
| 	"tailscale.com/ipn" | ||||
| 	"tailscale.com/ipn/store/mem" | ||||
| 	"tailscale.com/tailcfg" | ||||
| 	"tailscale.com/types/key" | ||||
| 	"tailscale.com/types/logger" | ||||
| 	"tailscale.com/types/opt" | ||||
| 	"tailscale.com/types/persist" | ||||
| 	"tailscale.com/util/must" | ||||
| ) | ||||
| @@ -600,3 +603,86 @@ func TestProfileManagementWindows(t *testing.T) { | ||||
| 		t.Fatalf("CurrentUserID = %q; want %q", pm.CurrentUserID(), uid) | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| func TestProfileBackfillStatefulFiltering(t *testing.T) { | ||||
| 	envknob.Setenv("TS_DEBUG_PROFILES", "true") | ||||
| 
 | ||||
| 	tests := []struct { | ||||
| 		noSNAT     bool | ||||
| 		noStateful opt.Bool | ||||
| 		want       bool | ||||
| 	}{ | ||||
| 		// Default: NoSNAT is false, NoStatefulFiltering is false, so | ||||
| 		// we want it to stay false. | ||||
| 		{false, "false", false}, | ||||
| 
 | ||||
| 		// NoSNAT being set to true and NoStatefulFiltering being false | ||||
| 		// should result in NoStatefulFiltering still being false, | ||||
| 		// since it was explicitly set. | ||||
| 		{true, "false", false}, | ||||
| 
 | ||||
| 		// If NoSNAT is false, and NoStatefulFiltering is unset, we | ||||
| 		// backfill it to 'false'. | ||||
| 		{false, "", false}, | ||||
| 
 | ||||
| 		// If NoSNAT is true, and NoStatefulFiltering is unset, we | ||||
| 		// backfill to 'true' to not break users of NoSNAT. | ||||
| 		// | ||||
| 		// In other words: if the user is not using SNAT, they almost | ||||
| 		// certainly also don't want to use stateful filtering. | ||||
| 		{true, "", true}, | ||||
| 
 | ||||
| 		// However, if the user specifies both NoSNAT and stateful | ||||
| 		// filtering, don't change that. | ||||
| 		{true, "true", true}, | ||||
| 		{false, "true", true}, | ||||
| 	} | ||||
| 
 | ||||
| 	for _, tt := range tests { | ||||
| 		t.Run(fmt.Sprintf("noSNAT=%v,noStateful=%q", tt.noSNAT, tt.noStateful), func(t *testing.T) { | ||||
| 			prefs := ipn.NewPrefs() | ||||
| 			prefs.Persist = &persist.Persist{ | ||||
| 				NodeID: tailcfg.StableNodeID("node1"), | ||||
| 				UserProfile: tailcfg.UserProfile{ | ||||
| 					ID:        tailcfg.UserID(1), | ||||
| 					LoginName: "user1@example.com", | ||||
| 				}, | ||||
| 			} | ||||
| 
 | ||||
| 			prefs.NoSNAT = tt.noSNAT | ||||
| 			prefs.NoStatefulFiltering = tt.noStateful | ||||
| 
 | ||||
| 			// Make enough of a state store to load the prefs. | ||||
| 			const profileName = "profile1" | ||||
| 			bn := must.Get(json.Marshal(map[string]any{ | ||||
| 				string(ipn.CurrentProfileStateKey): []byte(profileName), | ||||
| 				string(ipn.KnownProfilesStateKey): must.Get(json.Marshal(map[ipn.ProfileID]*ipn.LoginProfile{ | ||||
| 					profileName: { | ||||
| 						ID:  "profile1-id", | ||||
| 						Key: profileName, | ||||
| 					}, | ||||
| 				})), | ||||
| 				profileName: prefs.ToBytes(), | ||||
| 			})) | ||||
| 
 | ||||
| 			store := new(mem.Store) | ||||
| 			err := store.LoadFromJSON([]byte(bn)) | ||||
| 			if err != nil { | ||||
| 				t.Fatal(err) | ||||
| 			} | ||||
| 
 | ||||
| 			ht := new(health.Tracker) | ||||
| 			pm, err := newProfileManagerWithGOOS(store, t.Logf, ht, "linux") | ||||
| 			if err != nil { | ||||
| 				t.Fatal(err) | ||||
| 			} | ||||
| 
 | ||||
| 			// Get the current profile and verify that we backfilled our | ||||
| 			// StatefulFiltering boolean. | ||||
| 			pf := pm.CurrentPrefs() | ||||
| 			if !pf.NoStatefulFiltering().EqualBool(tt.want) { | ||||
| 				t.Fatalf("got NoStatefulFiltering=%v, want %v", pf.NoStatefulFiltering(), tt.want) | ||||
| 			} | ||||
| 		}) | ||||
| 	} | ||||
| } | ||||
|   | ||||
		Reference in New Issue
	
	Block a user
	 Andrew Lytvynov
					Andrew Lytvynov