ipn: split LocalBackend off into new ipn/ipnlocal package

And move a couple other types down into leafier packages. Now cmd/tailscale doesn't bring in netlink, magicsock, wgengine, etc. Fixes #1181 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-08-13 22:47:30 +00:00 · 2021-02-04 13:12:42 -08:00
parent 6254efb9ef
commit d76334d2f0
19 changed files with 229 additions and 240 deletions
--- a/wgengine/pendopen.go
+++ b/wgengine/pendopen.go
@@ -9,6 +9,7 @@ import (
 	"strconv"
 	"time"

+	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/flowtrack"
 	"tailscale.com/net/packet"
 	"tailscale.com/wgengine/filter"
@@ -158,7 +159,7 @@ func (e *userspaceEngine) onOpenTimeout(flow flowtrack.Tuple) {
 		lastSeen = *n.LastSeen
 	}

-	var ps *PeerStatus
+	var ps *ipnstate.PeerStatusLite
 	if st, err := e.getStatus(); err == nil {
 		for _, v := range st.Peers {
 			if v.NodeKey == n.Key {
--- a/wgengine/router/router.go
+++ b/wgengine/router/router.go
@@ -11,6 +11,7 @@ import (
 	"github.com/tailscale/wireguard-go/tun"
 	"inet.af/netaddr"
 	"tailscale.com/types/logger"
+	"tailscale.com/types/preftype"
 	"tailscale.com/wgengine/router/dns"
 )

@@ -53,29 +54,6 @@ func Cleanup(logf logger.Logf, interfaceName string) {
 	cleanup(logf, interfaceName)
 }

-// NetfilterMode is the firewall management mode to use when
-// programming the Linux network stack.
-type NetfilterMode int
-
-const (
-	NetfilterOff      NetfilterMode = iota // remove all tailscale netfilter state
-	NetfilterNoDivert                      // manage tailscale chains, but don't call them
-	NetfilterOn                            // manage tailscale chains and call them from main chains
-)
-
-func (m NetfilterMode) String() string {
-	switch m {
-	case NetfilterOff:
-		return "off"
-	case NetfilterNoDivert:
-		return "nodivert"
-	case NetfilterOn:
-		return "on"
-	default:
-		return "???"
-	}
-}
-
 // Config is the subset of Tailscale configuration that is relevant to
 // the OS's network stack.
 type Config struct {
@@ -86,9 +64,9 @@ type Config struct {

 	// Linux-only things below, ignored on other platforms.

-	SubnetRoutes     []netaddr.IPPrefix // subnets being advertised to other Tailscale nodes
-	SNATSubnetRoutes bool               // SNAT traffic to local subnets
-	NetfilterMode    NetfilterMode      // how much to manage netfilter rules
+	SubnetRoutes     []netaddr.IPPrefix     // subnets being advertised to other Tailscale nodes
+	SNATSubnetRoutes bool                   // SNAT traffic to local subnets
+	NetfilterMode    preftype.NetfilterMode // how much to manage netfilter rules
 }

 // shutdownConfig is a routing configuration that removes all router
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -21,10 +21,17 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/types/logger"
+	"tailscale.com/types/preftype"
 	"tailscale.com/version/distro"
 	"tailscale.com/wgengine/router/dns"
 )

+const (
+	netfilterOff      = preftype.NetfilterOff
+	netfilterNoDivert = preftype.NetfilterNoDivert
+	netfilterOn       = preftype.NetfilterOn
+)
+
 // The following bits are added to packet marks for Tailscale use.
 //
 // We tried to pick bits sufficiently out of the way that it's
@@ -89,7 +96,7 @@ type linuxRouter struct {
 	addrs            map[netaddr.IPPrefix]bool
 	routes           map[netaddr.IPPrefix]bool
 	snatSubnetRoutes bool
-	netfilterMode    NetfilterMode
+	netfilterMode    preftype.NetfilterMode

 	// Various feature checks for the network stack.
 	ipRuleAvailable bool
@@ -148,7 +155,7 @@ func newUserspaceRouterAdvanced(logf logger.Logf, tunname string, netfilter4, ne
 	return &linuxRouter{
 		logf:          logf,
 		tunname:       tunname,
-		netfilterMode: NetfilterOff,
+		netfilterMode: netfilterOff,

 		ipRuleAvailable: ipRuleAvailable,
 		v6Available:     supportsV6,
@@ -168,7 +175,7 @@ func (r *linuxRouter) Up() error {
 	if err := r.addIPRules(); err != nil {
 		return err
 	}
-	if err := r.setNetfilterMode(NetfilterOff); err != nil {
+	if err := r.setNetfilterMode(netfilterOff); err != nil {
 		return err
 	}
 	if err := r.upInterface(); err != nil {
@@ -188,7 +195,7 @@ func (r *linuxRouter) Close() error {
 	if err := r.delIPRules(); err != nil {
 		return err
 	}
-	if err := r.setNetfilterMode(NetfilterOff); err != nil {
+	if err := r.setNetfilterMode(netfilterOff); err != nil {
 		return err
 	}

@@ -246,9 +253,9 @@ func (r *linuxRouter) Set(cfg *Config) error {
 // mode. Netfilter state is created or deleted appropriately to
 // reflect the new mode, and r.snatSubnetRoutes is updated to reflect
 // the current state of subnet SNATing.
-func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
+func (r *linuxRouter) setNetfilterMode(mode preftype.NetfilterMode) error {
 	if distro.Get() == distro.Synology {
-		mode = NetfilterOff
+		mode = netfilterOff
 	}
 	if r.netfilterMode == mode {
 		return nil
@@ -264,9 +271,9 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
 	reprocess := false

 	switch mode {
-	case NetfilterOff:
+	case netfilterOff:
 		switch r.netfilterMode {
-		case NetfilterNoDivert:
+		case netfilterNoDivert:
 			if err := r.delNetfilterBase(); err != nil {
 				return err
 			}
@@ -276,7 +283,7 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
 				// This can happen if someone left a ref to
 				// this table somewhere else.
 			}
-		case NetfilterOn:
+		case netfilterOn:
 			if err := r.delNetfilterHooks(); err != nil {
 				return err
 			}
@@ -291,9 +298,9 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
 			}
 		}
 		r.snatSubnetRoutes = false
-	case NetfilterNoDivert:
+	case netfilterNoDivert:
 		switch r.netfilterMode {
-		case NetfilterOff:
+		case netfilterOff:
 			reprocess = true
 			if err := r.addNetfilterChains(); err != nil {
 				return err
@@ -302,12 +309,12 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
 				return err
 			}
 			r.snatSubnetRoutes = false
-		case NetfilterOn:
+		case netfilterOn:
 			if err := r.delNetfilterHooks(); err != nil {
 				return err
 			}
 		}
-	case NetfilterOn:
+	case netfilterOn:
 		// Because of bugs in old version of iptables-compat,
 		// we can't add a "-j ts-forward" rule to FORWARD
 		// while ts-forward contains an "-m mark" rule. But
@@ -315,7 +322,7 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
 		// So we have to delNetFilterBase, then add the hooks,
 		// then re-addNetFilterBase, just in case.
 		switch r.netfilterMode {
-		case NetfilterOff:
+		case netfilterOff:
 			reprocess = true
 			if err := r.addNetfilterChains(); err != nil {
 				return err
@@ -330,7 +337,7 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
 				return err
 			}
 			r.snatSubnetRoutes = false
-		case NetfilterNoDivert:
+		case netfilterNoDivert:
 			reprocess = true
 			if err := r.delNetfilterBase(); err != nil {
 				return err
@@ -397,7 +404,7 @@ func (r *linuxRouter) delAddress(addr netaddr.IPPrefix) error {
 // addLoopbackRule adds a firewall rule to permit loopback traffic to
 // a local Tailscale IP.
 func (r *linuxRouter) addLoopbackRule(addr netaddr.IP) error {
-	if r.netfilterMode == NetfilterOff {
+	if r.netfilterMode == netfilterOff {
 		return nil
 	}

@@ -419,7 +426,7 @@ func (r *linuxRouter) addLoopbackRule(addr netaddr.IP) error {
 // delLoopbackRule removes the firewall rule permitting loopback
 // traffic to a Tailscale IP.
 func (r *linuxRouter) delLoopbackRule(addr netaddr.IP) error {
-	if r.netfilterMode == NetfilterOff {
+	if r.netfilterMode == netfilterOff {
 		return nil
 	}

@@ -903,7 +910,7 @@ func (r *linuxRouter) delNetfilterHooks() error {
 // addSNATRule adds a netfilter rule to SNAT traffic destined for
 // local subnets.
 func (r *linuxRouter) addSNATRule() error {
-	if r.netfilterMode == NetfilterOff {
+	if r.netfilterMode == netfilterOff {
 		return nil
 	}

@@ -922,7 +929,7 @@ func (r *linuxRouter) addSNATRule() error {
 // delSNATRule removes the netfilter rule to SNAT traffic destined for
 // local subnets. Fails if the rule does not exist.
 func (r *linuxRouter) delSNATRule() error {
-	if r.netfilterMode == NetfilterOff {
+	if r.netfilterMode == netfilterOff {
 		return nil
 	}

--- a/wgengine/router/router_linux_test.go
+++ b/wgengine/router/router_linux_test.go
@@ -58,7 +58,7 @@ up` + basic,
 			name: "local addr only",
 			in: &Config{
 				LocalAddrs:    mustCIDRs("100.101.102.103/10"),
-				NetfilterMode: NetfilterOff,
+				NetfilterMode: netfilterOff,
 			},
 			want: `
 up
@@ -70,7 +70,7 @@ ip addr add 100.101.102.103/10 dev tailscale0` + basic,
 			in: &Config{
 				LocalAddrs:    mustCIDRs("100.101.102.103/10"),
 				Routes:        mustCIDRs("100.100.100.100/32", "192.168.16.0/24"),
-				NetfilterMode: NetfilterOff,
+				NetfilterMode: netfilterOff,
 			},
 			want: `
 up
@@ -85,7 +85,7 @@ ip route add 192.168.16.0/24 dev tailscale0 table 52` + basic,
 				LocalAddrs:    mustCIDRs("100.101.102.103/10"),
 				Routes:        mustCIDRs("100.100.100.100/32", "192.168.16.0/24"),
 				SubnetRoutes:  mustCIDRs("200.0.0.0/8"),
-				NetfilterMode: NetfilterOff,
+				NetfilterMode: netfilterOff,
 			},
 			want: `
 up
@@ -101,7 +101,7 @@ ip route add 192.168.16.0/24 dev tailscale0 table 52` + basic,
 				Routes:           mustCIDRs("100.100.100.100/32", "10.0.0.0/8"),
 				SubnetRoutes:     mustCIDRs("200.0.0.0/8"),
 				SNATSubnetRoutes: true,
-				NetfilterMode:    NetfilterOn,
+				NetfilterMode:    netfilterOn,
 			},
 			want: `
 up
@@ -133,7 +133,7 @@ v6/nat/ts-postrouting -m mark --mark 0x40000 -j MASQUERADE
 			in: &Config{
 				LocalAddrs:    mustCIDRs("100.101.102.104/10"),
 				Routes:        mustCIDRs("100.100.100.100/32", "10.0.0.0/8"),
-				NetfilterMode: NetfilterOn,
+				NetfilterMode: netfilterOn,
 			},
 			want: `
 up
@@ -166,7 +166,7 @@ v6/nat/POSTROUTING -j ts-postrouting
 				Routes:           mustCIDRs("100.100.100.100/32", "10.0.0.0/8"),
 				SubnetRoutes:     mustCIDRs("200.0.0.0/8"),
 				SNATSubnetRoutes: false,
-				NetfilterMode:    NetfilterOn,
+				NetfilterMode:    netfilterOn,
 			},
 			want: `
 up
@@ -196,7 +196,7 @@ v6/nat/POSTROUTING -j ts-postrouting
 			in: &Config{
 				LocalAddrs:    mustCIDRs("100.101.102.104/10"),
 				Routes:        mustCIDRs("100.100.100.100/32", "10.0.0.0/8"),
-				NetfilterMode: NetfilterOn,
+				NetfilterMode: netfilterOn,
 			},
 			want: `
 up
@@ -227,7 +227,7 @@ v6/nat/POSTROUTING -j ts-postrouting
 			in: &Config{
 				LocalAddrs:    mustCIDRs("100.101.102.104/10"),
 				Routes:        mustCIDRs("100.100.100.100/32", "10.0.0.0/8"),
-				NetfilterMode: NetfilterNoDivert,
+				NetfilterMode: netfilterNoDivert,
 			},
 			want: `
 up
@@ -251,7 +251,7 @@ v6/filter/ts-forward -o tailscale0 -j ACCEPT
 			in: &Config{
 				LocalAddrs:    mustCIDRs("100.101.102.104/10"),
 				Routes:        mustCIDRs("100.100.100.100/32", "10.0.0.0/8"),
-				NetfilterMode: NetfilterOn,
+				NetfilterMode: netfilterOn,
 			},
 			want: `
 up
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@@ -1082,8 +1082,8 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
 		errc <- err
 	}()

-	pp := make(map[wgkey.Key]*PeerStatus)
-	p := &PeerStatus{}
+	pp := make(map[wgkey.Key]*ipnstate.PeerStatusLite)
+	p := &ipnstate.PeerStatusLite{}

 	var hst1, hst2, n int64

@@ -1115,20 +1115,20 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
 			if err != nil {
 				return nil, fmt.Errorf("IpcGetOperation: invalid key in line %q", line)
 			}
-			p = &PeerStatus{}
+			p = &ipnstate.PeerStatusLite{}
 			pp[wgkey.Key(pk)] = p

 			key := tailcfg.NodeKey(pk)
 			p.NodeKey = key
 		case "rx_bytes":
 			n, err = mem.ParseInt(v, 10, 64)
-			p.RxBytes = ByteCount(n)
+			p.RxBytes = n
 			if err != nil {
 				return nil, fmt.Errorf("IpcGetOperation: rx_bytes invalid: %#v", line)
 			}
 		case "tx_bytes":
 			n, err = mem.ParseInt(v, 10, 64)
-			p.TxBytes = ByteCount(n)
+			p.TxBytes = n
 			if err != nil {
 				return nil, fmt.Errorf("IpcGetOperation: tx_bytes invalid: %#v", line)
 			}
@@ -1154,7 +1154,7 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
 	e.mu.Lock()
 	defer e.mu.Unlock()

-	var peers []PeerStatus
+	var peers []ipnstate.PeerStatusLite
 	for _, pk := range e.peerSequence {
 		if p, ok := pp[pk]; ok { // ignore idle ones not in wireguard-go's config
 			peers = append(peers, *p)
--- a/wgengine/wgengine.go
+++ b/wgengine/wgengine.go
@@ -6,7 +6,6 @@ package wgengine

 import (
 	"errors"
-	"time"

 	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
@@ -19,23 +18,11 @@ import (
 	"tailscale.com/wgengine/wgcfg"
 )

-// ByteCount is the number of bytes that have been sent or received.
-//
-// TODO: why is this a type? remove?
-// TODO: document whether it's payload bytes only or if it includes framing overhead.
-type ByteCount int64
-
-type PeerStatus struct {
-	TxBytes, RxBytes ByteCount
-	LastHandshake    time.Time
-	NodeKey          tailcfg.NodeKey
-}
-
 // Status is the Engine status.
 //
 // TODO(bradfitz): remove this, subset of ipnstate? Need to migrate users.
 type Status struct {
-	Peers      []PeerStatus
+	Peers      []ipnstate.PeerStatusLite
 	LocalAddrs []string // the set of possible endpoints for the magic conn
 	DERPs      int      // number of active DERP connections
 }