various: disable stateful filtering by default (#12197)

After some analysis, stateful filtering is only necessary in tailnets that use `autogroup:danger-all` in `src` in ACLs. And in those cases users explicitly specify that hosts outside of the tailnet should be able to reach their nodes. To fix local DNS breakage in containers, we disable stateful filtering by default. Updates #12108 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-08-11 13:18:53 +00:00 · 2024-05-20 11:44:29 -07:00
parent 6db1219185
commit c9179bc261
8 changed files with 159 additions and 246 deletions
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -4186,18 +4186,7 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs ipn.PrefsView, oneC
 	}

 	var doStatefulFiltering bool
-	if v, ok := prefs.NoStatefulFiltering().Get(); !ok {
-		// The stateful filtering preference isn't explicitly set; this is
-		// unexpected since we expect it to be set during the profile
-		// backfill, but to be safe let's enable stateful filtering
-		// absent further information.
-		doStatefulFiltering = true
-		b.logf("[unexpected] NoStatefulFiltering preference not set; enabling stateful filtering")
-	} else if v {
-		// The preferences explicitly say "no stateful filtering", so
-		// we don't do it.
-		doStatefulFiltering = false
-	} else {
+	if v, ok := prefs.NoStatefulFiltering().Get(); ok && !v {
 		// The preferences explicitly "do stateful filtering" is turned
 		// off, or to expand the double negative, to do stateful
 		// filtering. Do so.
--- a/ipn/ipnlocal/profiles.go
+++ b/ipn/ipnlocal/profiles.go
@@ -354,10 +354,6 @@ func (pm *profileManager) loadSavedPrefs(key ipn.StateKey) (ipn.PrefsView, error
 		return ipn.PrefsView{}, err
 	}
 	savedPrefs := ipn.NewPrefs()
-	// NewPrefs sets a default NoStatefulFiltering, but we want to actually see
-	// if the saved state had an empty value. The empty value gets migrated
-	// based on NoSNAT, while a default "false" does not.
-	savedPrefs.NoStatefulFiltering = ""
 	if err := ipn.PrefsFromBytes(bs, savedPrefs); err != nil {
 		return ipn.PrefsView{}, fmt.Errorf("parsing saved prefs: %v", err)
 	}
@@ -382,32 +378,6 @@ func (pm *profileManager) loadSavedPrefs(key ipn.StateKey) (ipn.PrefsView, error
 		savedPrefs.AutoUpdate.Apply.Clear()
 	}

-	// Backfill a missing NoStatefulFiltering field based on the value of
-	// the NoSNAT field; we want to apply stateful filtering in all cases
-	// *except* where the user has disabled SNAT.
-	//
-	// Only backfill if the user hasn't set a value for
-	// NoStatefulFiltering, however.
-	_, haveNoStateful := savedPrefs.NoStatefulFiltering.Get()
-	if !haveNoStateful {
-		if savedPrefs.NoSNAT {
-			pm.logf("backfilling NoStatefulFiltering field to true because NoSNAT is set")
-
-			// No SNAT: no stateful filtering
-			savedPrefs.NoStatefulFiltering.Set(true)
-		} else {
-			pm.logf("backfilling NoStatefulFiltering field to false because NoSNAT is not set")
-
-			// SNAT (default): apply stateful filtering
-			savedPrefs.NoStatefulFiltering.Set(false)
-		}
-
-		// Write back to the preferences store now that we've updated it.
-		if err := pm.writePrefsToStore(key, savedPrefs.View()); err != nil {
-			return ipn.PrefsView{}, err
-		}
-	}
-
 	return savedPrefs.View(), nil
 }

--- a/ipn/ipnlocal/profiles_test.go
+++ b/ipn/ipnlocal/profiles_test.go
@@ -4,7 +4,6 @@
 package ipnlocal

 import (
-	"encoding/json"
 	"fmt"
 	"os/user"
 	"strconv"
@@ -13,14 +12,12 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"tailscale.com/clientupdate"
-	"tailscale.com/envknob"
 	"tailscale.com/health"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
-	"tailscale.com/types/opt"
 	"tailscale.com/types/persist"
 	"tailscale.com/util/must"
 )
@@ -604,89 +601,6 @@ func TestProfileManagementWindows(t *testing.T) {
 	}
 }

-func TestProfileBackfillStatefulFiltering(t *testing.T) {
-	envknob.Setenv("TS_DEBUG_PROFILES", "true")
-
-	tests := []struct {
-		noSNAT     bool
-		noStateful opt.Bool
-		want       bool
-	}{
-		// Default: NoSNAT is false, NoStatefulFiltering is false, so
-		// we want it to stay false.
-		{false, "false", false},
-
-		// NoSNAT being set to true and NoStatefulFiltering being false
-		// should result in NoStatefulFiltering still being false,
-		// since it was explicitly set.
-		{true, "false", false},
-
-		// If NoSNAT is false, and NoStatefulFiltering is unset, we
-		// backfill it to 'false'.
-		{false, "", false},
-
-		// If NoSNAT is true, and NoStatefulFiltering is unset, we
-		// backfill to 'true' to not break users of NoSNAT.
-		//
-		// In other words: if the user is not using SNAT, they almost
-		// certainly also don't want to use stateful filtering.
-		{true, "", true},
-
-		// However, if the user specifies both NoSNAT and stateful
-		// filtering, don't change that.
-		{true, "true", true},
-		{false, "true", true},
-	}
-
-	for _, tt := range tests {
-		t.Run(fmt.Sprintf("noSNAT=%v,noStateful=%q", tt.noSNAT, tt.noStateful), func(t *testing.T) {
-			prefs := ipn.NewPrefs()
-			prefs.Persist = &persist.Persist{
-				NodeID: tailcfg.StableNodeID("node1"),
-				UserProfile: tailcfg.UserProfile{
-					ID:        tailcfg.UserID(1),
-					LoginName: "user1@example.com",
-				},
-			}
-
-			prefs.NoSNAT = tt.noSNAT
-			prefs.NoStatefulFiltering = tt.noStateful
-
-			// Make enough of a state store to load the prefs.
-			const profileName = "profile1"
-			bn := must.Get(json.Marshal(map[string]any{
-				string(ipn.CurrentProfileStateKey): []byte(profileName),
-				string(ipn.KnownProfilesStateKey): must.Get(json.Marshal(map[ipn.ProfileID]*ipn.LoginProfile{
-					profileName: {
-						ID:  "profile1-id",
-						Key: profileName,
-					},
-				})),
-				profileName: prefs.ToBytes(),
-			}))
-
-			store := new(mem.Store)
-			err := store.LoadFromJSON([]byte(bn))
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			ht := new(health.Tracker)
-			pm, err := newProfileManagerWithGOOS(store, t.Logf, ht, "linux")
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			// Get the current profile and verify that we backfilled our
-			// StatefulFiltering boolean.
-			pf := pm.CurrentPrefs()
-			if !pf.NoStatefulFiltering().EqualBool(tt.want) {
-				t.Fatalf("got NoStatefulFiltering=%q, want %v", pf.NoStatefulFiltering(), tt.want)
-			}
-		})
-	}
-}
-
 // TestDefaultPrefs tests that defaultPrefs is just NewPrefs with
 // LoggedOut=true (the Prefs we use before connecting to control). We shouldn't
 // be putting any defaulting there, and instead put all defaults in NewPrefs.