wgengine: stop conntrack log spam about Canonical net probes

Like we do for the ones on iOS. As a bonus, this removes a caller of tsaddr.IsTailscaleIP which we want to revamp/remove soonish. Updates #13687 Change-Id: Iab576a0c48e9005c7844ab52a0aba5ba343b750e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-11-29 04:55:31 +00:00 · 2024-10-04 18:20:06 -07:00 · 2024-10-04 18:20:06 -07:00 · c48cc08de2
commit c48cc08de2
parent 12f1bc7c77
1 changed files with 58 additions and 11 deletions
--- a/wgengine/pendopen.go
+++ b/wgengine/pendopen.go
@ -5,14 +5,17 @@
 import (
 	"fmt"
 	"net/netip"
 	"runtime"
 	"strings"
 	"time"
 	"github.com/gaissmai/bart"
 	"tailscale.com/net/flowtrack"
 	"tailscale.com/net/packet"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tstun"
 	"tailscale.com/types/ipproto"
 	"tailscale.com/types/lazy"
 	"tailscale.com/util/mak"
 	"tailscale.com/wgengine/filter"
 )
@ -86,6 +89,57 @@ func (e *userspaceEngine) trackOpenPreFilterIn(pp *packet.Parsed, t *tstun.Wrapp
 	return
 }
 var (
 	appleIPRange = netip.MustParsePrefix("17.0.0.0/8")
 	canonicalIPs = lazy.SyncFunc(func() (checkIPFunc func(netip.Addr) bool) {
 		// https://bgp.he.net/AS41231#_prefixes
 		t := &bart.Table[bool]{}
 		for _, s := range strings.Fields(`
 			91.189.89.0/24
 			91.189.91.0/24
 			91.189.92.0/24
 			91.189.93.0/24
 			91.189.94.0/24
 			91.189.95.0/24
 			162.213.32.0/24
 			162.213.34.0/24
 			162.213.35.0/24
 			185.125.188.0/23
 			185.125.190.0/24
 			194.169.254.0/24`) {
 			t.Insert(netip.MustParsePrefix(s), true)
 		}
 		return func(ip netip.Addr) bool {
 			v, _ := t.Lookup(ip)
 			return v
 		}
 	})
 )
 // isOSNetworkProbe reports whether the target is likely a network
 // connectivity probe target from e.g. iOS or Ubuntu network-manager.
 //
 // iOS likes to probe Apple IPs on all interfaces to check for connectivity.
 // Don't start timers tracking those. They won't succeed anyway. Avoids log
 // spam like:
 func (e *userspaceEngine) isOSNetworkProbe(dst netip.AddrPort) bool {
 	// iOS had log spam like:
 	// open-conn-track: timeout opening (100.115.73.60:52501 => 17.125.252.5:443); no associated peer node
 	if runtime.GOOS == "ios" && dst.Port() == 443 && appleIPRange.Contains(dst.Addr()) {
 		if _, ok := e.PeerForIP(dst.Addr()); !ok {
 			return true
 		}
 	}
 	// NetworkManager; https://github.com/tailscale/tailscale/issues/13687
 	// open-conn-track: timeout opening (TCP 100.96.229.119:42798 => 185.125.190.49:80); no associated peer node
 	if runtime.GOOS == "linux" && dst.Port() == 80 && canonicalIPs()(dst.Addr()) {
 		if _, ok := e.PeerForIP(dst.Addr()); !ok {
 			return true
 		}
 	}
 	return false
 }
 func (e *userspaceEngine) trackOpenPostFilterOut(pp *packet.Parsed, t *tstun.Wrapper) (res filter.Response) {
 	res = filter.Accept // always
@ -95,18 +149,11 @@ func (e *userspaceEngine) trackOpenPostFilterOut(pp *packet.Parsed, t *tstun.Wra
 		pp.TCPFlags&packet.TCPSyn == 0 {
 		return
 	}
-
+	if e.isOSNetworkProbe(pp.Dst) {
 	flow := flowtrack.MakeTuple(pp.IPProto, pp.Src, pp.Dst)
 	// iOS likes to probe Apple IPs on all interfaces to check for connectivity.
 	// Don't start timers tracking those. They won't succeed anyway. Avoids log spam
 	// like:
 	//    open-conn-track: timeout opening (100.115.73.60:52501 => 17.125.252.5:443); no associated peer node
 	if runtime.GOOS == "ios" && flow.DstPort() == 443 && !tsaddr.IsTailscaleIP(flow.DstAddr()) {
 		if _, ok := e.PeerForIP(flow.DstAddr()); !ok {
 		return
 	}
-	}
+
 	flow := flowtrack.MakeTuple(pp.IPProto, pp.Src, pp.Dst)
 	e.mu.Lock()
 	defer e.mu.Unlock()