mirror of
https://github.com/tailscale/tailscale.git
synced 2025-08-11 13:18:53 +00:00
util/linuxfw, wgengine: allow ingress to magicsock UDP port on Linux (#10370)
* util/linuxfw, wgengine: allow ingress to magicsock UDP port on Linux Updates #9084. Currently, we have to tell users to manually open UDP ports on Linux when certain firewalls (like ufw) are enabled. This change automates the process of adding and updating those firewall rules as magicsock changes what port it listens on. Signed-off-by: Naman Sood <mail@nsood.in>
This commit is contained in:
Naman Sood
@@ -9,6 +9,7 @@ import (
|
||||
"fmt"
|
||||
"net/netip"
|
||||
"os/exec"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/coreos/go-iptables/iptables"
|
||||
@@ -236,7 +237,7 @@ func (i *iptablesRunner) AddBase(tunname string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// addBase4 adds some basic IPv6 processing rules to be
|
||||
// addBase4 adds some basic IPv4 processing rules to be
|
||||
// supplemented by later calls to other helpers.
|
||||
func (i *iptablesRunner) addBase4(tunname string) error {
|
||||
// Only allow CGNAT range traffic to come from tailscale0. There
|
||||
@@ -311,7 +312,7 @@ func (i *iptablesRunner) ClampMSSToPMTU(tun string, addr netip.Addr) error {
|
||||
return table.Append("mangle", "FORWARD", "-o", tun, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu")
|
||||
}
|
||||
|
||||
// addBase6 adds some basic IPv4 processing rules to be
|
||||
// addBase6 adds some basic IPv6 processing rules to be
|
||||
// supplemented by later calls to other helpers.
|
||||
func (i *iptablesRunner) addBase6(tunname string) error {
|
||||
// TODO: only allow traffic from Tailscale's ULA range to come
|
||||
@@ -437,6 +438,63 @@ func (i *iptablesRunner) DelSNATRule() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// buildMagicsockPortRule generates the string slice containing the arguments
|
||||
// to describe a rule accepting traffic on a particular port to iptables. It is
|
||||
// separated out here to avoid repetition in AddMagicsockPortRule and
|
||||
// RemoveMagicsockPortRule, since it is important that the same rule is passed
|
||||
// to Append() and Delete().
|
||||
func buildMagicsockPortRule(port uint16) []string {
|
||||
return []string{"-p", "udp", "--dport", strconv.FormatUint(uint64(port), 10), "-j", "ACCEPT"}
|
||||
}
|
||||
|
||||
// AddMagicsockPortRule adds a rule to iptables to allow incoming traffic on
|
||||
// the specified UDP port, so magicsock can accept incoming connections.
|
||||
// network must be either "udp4" or "udp6" - this determines whether the rule
|
||||
// is added for IPv4 or IPv6.
|
||||
func (i *iptablesRunner) AddMagicsockPortRule(port uint16, network string) error {
|
||||
var ipt iptablesInterface
|
||||
switch network {
|
||||
case "udp4":
|
||||
ipt = i.ipt4
|
||||
case "udp6":
|
||||
ipt = i.ipt6
|
||||
default:
|
||||
return fmt.Errorf("unsupported network %s", network)
|
||||
}
|
||||
|
||||
args := buildMagicsockPortRule(port)
|
||||
|
||||
if err := ipt.Append("filter", "ts-input", args...); err != nil {
|
||||
return fmt.Errorf("adding %v in filter/ts-input: %w", args, err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// DelMagicsockPortRule removes a rule added by AddMagicsockPortRule to accept
|
||||
// incoming traffic on a particular UDP port.
|
||||
// network must be either "udp4" or "udp6" - this determines whether the rule
|
||||
// is removed for IPv4 or IPv6.
|
||||
func (i *iptablesRunner) DelMagicsockPortRule(port uint16, network string) error {
|
||||
var ipt iptablesInterface
|
||||
switch network {
|
||||
case "udp4":
|
||||
ipt = i.ipt4
|
||||
case "udp6":
|
||||
ipt = i.ipt6
|
||||
default:
|
||||
return fmt.Errorf("unsupported network %s", network)
|
||||
}
|
||||
|
||||
args := buildMagicsockPortRule(port)
|
||||
|
||||
if err := ipt.Delete("filter", "ts-input", args...); err != nil {
|
||||
return fmt.Errorf("removing %v in filter/ts-input: %w", args, err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// IPTablesCleanup removes all Tailscale added iptables rules.
|
||||
// Any errors that occur are logged to the provided logf.
|
||||
func IPTablesCleanup(logf logger.Logf) {
|
||||
|
||||
@@ -509,6 +509,15 @@ type NetfilterRunner interface {
|
||||
// ClampMSSToPMTU adds a rule to the mangle/FORWARD chain to clamp MSS for
|
||||
// traffic destined for the provided tun interface.
|
||||
ClampMSSToPMTU(tun string, addr netip.Addr) error
|
||||
|
||||
// AddMagicsockPortRule adds a rule to the ts-input chain to accept
|
||||
// incoming traffic on the specified port, to allow magicsock to
|
||||
// communicate.
|
||||
AddMagicsockPortRule(port uint16, network string) error
|
||||
|
||||
// DelMagicsockPortRule removes the rule created by AddMagicsockPortRule,
|
||||
// if it exists.
|
||||
DelMagicsockPortRule(port uint16, network string) error
|
||||
}
|
||||
|
||||
// New creates a NetfilterRunner, auto-detecting whether to use
|
||||
@@ -584,6 +593,17 @@ func newLoadSaddrExpr(proto nftables.TableFamily, destReg uint32) (expr.Any, err
|
||||
}
|
||||
}
|
||||
|
||||
// newLoadDportExpr creates a new nftables express that loads the desination port
|
||||
// of a TCP/UDP packet into the given register.
|
||||
func newLoadDportExpr(destReg uint32) expr.Any {
|
||||
return &expr.Payload{
|
||||
DestRegister: destReg,
|
||||
Base: expr.PayloadBaseTransportHeader,
|
||||
Offset: 2,
|
||||
Len: 2,
|
||||
}
|
||||
}
|
||||
|
||||
// HasIPV6 reports true if the system supports IPv6.
|
||||
func (n *nftablesRunner) HasIPV6() bool {
|
||||
return n.v6Available
|
||||
@@ -1267,6 +1287,125 @@ func addAcceptOutgoingPacketRule(conn *nftables.Conn, table *nftables.Table, cha
|
||||
return nil
|
||||
}
|
||||
|
||||
// createAcceptOnPortRule creates a rule to accept incoming packets to
|
||||
// a given destination UDP port.
|
||||
func createAcceptOnPortRule(table *nftables.Table, chain *nftables.Chain, port uint16) *nftables.Rule {
|
||||
portBytes := make([]byte, 2)
|
||||
binary.BigEndian.PutUint16(portBytes, port)
|
||||
return &nftables.Rule{
|
||||
Table: table,
|
||||
Chain: chain,
|
||||
Exprs: []expr.Any{
|
||||
&expr.Meta{
|
||||
Key: expr.MetaKeyL4PROTO,
|
||||
Register: 1,
|
||||
},
|
||||
&expr.Cmp{
|
||||
Op: expr.CmpOpEq,
|
||||
Register: 1,
|
||||
Data: []byte{unix.IPPROTO_UDP},
|
||||
},
|
||||
newLoadDportExpr(1),
|
||||
&expr.Cmp{
|
||||
Op: expr.CmpOpEq,
|
||||
Register: 1,
|
||||
Data: portBytes,
|
||||
},
|
||||
&expr.Counter{},
|
||||
&expr.Verdict{
|
||||
Kind: expr.VerdictAccept,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// addAcceptOnPortRule adds a rule to accept incoming packets to
|
||||
// a given destination UDP port.
|
||||
func addAcceptOnPortRule(conn *nftables.Conn, table *nftables.Table, chain *nftables.Chain, port uint16) error {
|
||||
rule := createAcceptOnPortRule(table, chain, port)
|
||||
_ = conn.AddRule(rule)
|
||||
|
||||
if err := conn.Flush(); err != nil {
|
||||
return fmt.Errorf("flush add rule: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// addAcceptOnPortRule removes a rule to accept incoming packets to
|
||||
// a given destination UDP port.
|
||||
func removeAcceptOnPortRule(conn *nftables.Conn, table *nftables.Table, chain *nftables.Chain, port uint16) error {
|
||||
rule := createAcceptOnPortRule(table, chain, port)
|
||||
rule, err := findRule(conn, rule)
|
||||
if err != nil {
|
||||
return fmt.Errorf("find rule: %v", err)
|
||||
}
|
||||
|
||||
_ = conn.DelRule(rule)
|
||||
|
||||
if err := conn.Flush(); err != nil {
|
||||
return fmt.Errorf("flush del rule: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// AddMagicsockPortRule adds a rule to nftables to allow incoming traffic on
|
||||
// the specified UDP port, so magicsock can accept incoming connections.
|
||||
// network must be either "udp4" or "udp6" - this determines whether the rule
|
||||
// is added for IPv4 or IPv6.
|
||||
func (n *nftablesRunner) AddMagicsockPortRule(port uint16, network string) error {
|
||||
var filterTable *nftables.Table
|
||||
switch network {
|
||||
case "udp4":
|
||||
filterTable = n.nft4.Filter
|
||||
case "udp6":
|
||||
filterTable = n.nft6.Filter
|
||||
default:
|
||||
return fmt.Errorf("unsupported network %s", network)
|
||||
}
|
||||
|
||||
inputChain, err := getChainFromTable(n.conn, filterTable, chainNameInput)
|
||||
if err != nil {
|
||||
return fmt.Errorf("get input chain: %v", err)
|
||||
}
|
||||
|
||||
err = addAcceptOnPortRule(n.conn, filterTable, inputChain, port)
|
||||
if err != nil {
|
||||
return fmt.Errorf("add accept on port rule: %v", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// DelMagicsockPortRule removes a rule added by AddMagicsockPortRule to accept
|
||||
// incoming traffic on a particular UDP port.
|
||||
// network must be either "udp4" or "udp6" - this determines whether the rule
|
||||
// is removed for IPv4 or IPv6.
|
||||
func (n *nftablesRunner) DelMagicsockPortRule(port uint16, network string) error {
|
||||
var filterTable *nftables.Table
|
||||
switch network {
|
||||
case "udp4":
|
||||
filterTable = n.nft4.Filter
|
||||
case "udp6":
|
||||
filterTable = n.nft6.Filter
|
||||
default:
|
||||
return fmt.Errorf("unsupported network %s", network)
|
||||
}
|
||||
|
||||
inputChain, err := getChainFromTable(n.conn, filterTable, chainNameInput)
|
||||
if err != nil {
|
||||
return fmt.Errorf("get input chain: %v", err)
|
||||
}
|
||||
|
||||
err = removeAcceptOnPortRule(n.conn, filterTable, inputChain, port)
|
||||
if err != nil {
|
||||
return fmt.Errorf("add accept on port rule: %v", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// createAcceptIncomingPacketRule creates a rule to accept incoming packets to
|
||||
// the given interface.
|
||||
func createAcceptIncomingPacketRule(table *nftables.Table, chain *nftables.Chain, tunname string) *nftables.Rule {
|
||||
|
||||
Reference in New Issue
Block a user