various: implement stateful firewalling on Linux (#12025)

Updates https://github.com/tailscale/corp/issues/19623 Change-Id: I7980e1fb736e234e66fa000d488066466c96ec85 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Co-authored-by: Andrew Dunham <andrew@du.nham.ca>
2025-10-16 03:14:44 +00:00 · 2024-05-06 15:22:17 -07:00
parent 5ef178fdca
commit c28f5767bf
17 changed files with 632 additions and 47 deletions
--- a/ipn/ipnlocal/profiles_test.go
+++ b/ipn/ipnlocal/profiles_test.go
@@ -4,6 +4,7 @@
 package ipnlocal

 import (
+	"encoding/json"
 	"fmt"
 	"os/user"
 	"strconv"
@@ -12,12 +13,14 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"tailscale.com/clientupdate"
+	"tailscale.com/envknob"
 	"tailscale.com/health"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
+	"tailscale.com/types/opt"
 	"tailscale.com/types/persist"
 	"tailscale.com/util/must"
 )
@@ -600,3 +603,86 @@ func TestProfileManagementWindows(t *testing.T) {
 		t.Fatalf("CurrentUserID = %q; want %q", pm.CurrentUserID(), uid)
 	}
 }
+
+func TestProfileBackfillStatefulFiltering(t *testing.T) {
+	envknob.Setenv("TS_DEBUG_PROFILES", "true")
+
+	tests := []struct {
+		noSNAT     bool
+		noStateful opt.Bool
+		want       bool
+	}{
+		// Default: NoSNAT is false, NoStatefulFiltering is false, so
+		// we want it to stay false.
+		{false, "false", false},
+
+		// NoSNAT being set to true and NoStatefulFiltering being false
+		// should result in NoStatefulFiltering still being false,
+		// since it was explicitly set.
+		{true, "false", false},
+
+		// If NoSNAT is false, and NoStatefulFiltering is unset, we
+		// backfill it to 'false'.
+		{false, "", false},
+
+		// If NoSNAT is true, and NoStatefulFiltering is unset, we
+		// backfill to 'true' to not break users of NoSNAT.
+		//
+		// In other words: if the user is not using SNAT, they almost
+		// certainly also don't want to use stateful filtering.
+		{true, "", true},
+
+		// However, if the user specifies both NoSNAT and stateful
+		// filtering, don't change that.
+		{true, "true", true},
+		{false, "true", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(fmt.Sprintf("noSNAT=%v,noStateful=%q", tt.noSNAT, tt.noStateful), func(t *testing.T) {
+			prefs := ipn.NewPrefs()
+			prefs.Persist = &persist.Persist{
+				NodeID: tailcfg.StableNodeID("node1"),
+				UserProfile: tailcfg.UserProfile{
+					ID:        tailcfg.UserID(1),
+					LoginName: "user1@example.com",
+				},
+			}
+
+			prefs.NoSNAT = tt.noSNAT
+			prefs.NoStatefulFiltering = tt.noStateful
+
+			// Make enough of a state store to load the prefs.
+			const profileName = "profile1"
+			bn := must.Get(json.Marshal(map[string]any{
+				string(ipn.CurrentProfileStateKey): []byte(profileName),
+				string(ipn.KnownProfilesStateKey): must.Get(json.Marshal(map[ipn.ProfileID]*ipn.LoginProfile{
+					profileName: {
+						ID:  "profile1-id",
+						Key: profileName,
+					},
+				})),
+				profileName: prefs.ToBytes(),
+			}))
+
+			store := new(mem.Store)
+			err := store.LoadFromJSON([]byte(bn))
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			ht := new(health.Tracker)
+			pm, err := newProfileManagerWithGOOS(store, t.Logf, ht, "linux")
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			// Get the current profile and verify that we backfilled our
+			// StatefulFiltering boolean.
+			pf := pm.CurrentPrefs()
+			if !pf.NoStatefulFiltering().EqualBool(tt.want) {
+				t.Fatalf("got NoStatefulFiltering=%v, want %v", pf.NoStatefulFiltering(), tt.want)
+			}
+		})
+	}
+}