mirror of
https://github.com/tailscale/tailscale.git
synced 2025-10-10 09:45:08 +00:00
ipn: split LocalBackend off into new ipn/ipnlocal package
And move a couple other types down into leafier packages. Now cmd/tailscale doesn't bring in netlink, magicsock, wgengine, etc. Fixes #1181 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick
committed by
Dave Anderson
Dave Anderson
parent
6254efb9ef
commit
d76334d2f0
@@ -11,6 +11,7 @@ import (
|
||||
"github.com/tailscale/wireguard-go/tun"
|
||||
"inet.af/netaddr"
|
||||
"tailscale.com/types/logger"
|
||||
"tailscale.com/types/preftype"
|
||||
"tailscale.com/wgengine/router/dns"
|
||||
)
|
||||
|
||||
@@ -53,29 +54,6 @@ func Cleanup(logf logger.Logf, interfaceName string) {
|
||||
cleanup(logf, interfaceName)
|
||||
}
|
||||
|
||||
// NetfilterMode is the firewall management mode to use when
|
||||
// programming the Linux network stack.
|
||||
type NetfilterMode int
|
||||
|
||||
const (
|
||||
NetfilterOff NetfilterMode = iota // remove all tailscale netfilter state
|
||||
NetfilterNoDivert // manage tailscale chains, but don't call them
|
||||
NetfilterOn // manage tailscale chains and call them from main chains
|
||||
)
|
||||
|
||||
func (m NetfilterMode) String() string {
|
||||
switch m {
|
||||
case NetfilterOff:
|
||||
return "off"
|
||||
case NetfilterNoDivert:
|
||||
return "nodivert"
|
||||
case NetfilterOn:
|
||||
return "on"
|
||||
default:
|
||||
return "???"
|
||||
}
|
||||
}
|
||||
|
||||
// Config is the subset of Tailscale configuration that is relevant to
|
||||
// the OS's network stack.
|
||||
type Config struct {
|
||||
@@ -86,9 +64,9 @@ type Config struct {
|
||||
|
||||
// Linux-only things below, ignored on other platforms.
|
||||
|
||||
SubnetRoutes []netaddr.IPPrefix // subnets being advertised to other Tailscale nodes
|
||||
SNATSubnetRoutes bool // SNAT traffic to local subnets
|
||||
NetfilterMode NetfilterMode // how much to manage netfilter rules
|
||||
SubnetRoutes []netaddr.IPPrefix // subnets being advertised to other Tailscale nodes
|
||||
SNATSubnetRoutes bool // SNAT traffic to local subnets
|
||||
NetfilterMode preftype.NetfilterMode // how much to manage netfilter rules
|
||||
}
|
||||
|
||||
// shutdownConfig is a routing configuration that removes all router
|
||||
|
||||
@@ -21,10 +21,17 @@ import (
|
||||
"inet.af/netaddr"
|
||||
"tailscale.com/net/tsaddr"
|
||||
"tailscale.com/types/logger"
|
||||
"tailscale.com/types/preftype"
|
||||
"tailscale.com/version/distro"
|
||||
"tailscale.com/wgengine/router/dns"
|
||||
)
|
||||
|
||||
const (
|
||||
netfilterOff = preftype.NetfilterOff
|
||||
netfilterNoDivert = preftype.NetfilterNoDivert
|
||||
netfilterOn = preftype.NetfilterOn
|
||||
)
|
||||
|
||||
// The following bits are added to packet marks for Tailscale use.
|
||||
//
|
||||
// We tried to pick bits sufficiently out of the way that it's
|
||||
@@ -89,7 +96,7 @@ type linuxRouter struct {
|
||||
addrs map[netaddr.IPPrefix]bool
|
||||
routes map[netaddr.IPPrefix]bool
|
||||
snatSubnetRoutes bool
|
||||
netfilterMode NetfilterMode
|
||||
netfilterMode preftype.NetfilterMode
|
||||
|
||||
// Various feature checks for the network stack.
|
||||
ipRuleAvailable bool
|
||||
@@ -148,7 +155,7 @@ func newUserspaceRouterAdvanced(logf logger.Logf, tunname string, netfilter4, ne
|
||||
return &linuxRouter{
|
||||
logf: logf,
|
||||
tunname: tunname,
|
||||
netfilterMode: NetfilterOff,
|
||||
netfilterMode: netfilterOff,
|
||||
|
||||
ipRuleAvailable: ipRuleAvailable,
|
||||
v6Available: supportsV6,
|
||||
@@ -168,7 +175,7 @@ func (r *linuxRouter) Up() error {
|
||||
if err := r.addIPRules(); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := r.setNetfilterMode(NetfilterOff); err != nil {
|
||||
if err := r.setNetfilterMode(netfilterOff); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := r.upInterface(); err != nil {
|
||||
@@ -188,7 +195,7 @@ func (r *linuxRouter) Close() error {
|
||||
if err := r.delIPRules(); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := r.setNetfilterMode(NetfilterOff); err != nil {
|
||||
if err := r.setNetfilterMode(netfilterOff); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -246,9 +253,9 @@ func (r *linuxRouter) Set(cfg *Config) error {
|
||||
// mode. Netfilter state is created or deleted appropriately to
|
||||
// reflect the new mode, and r.snatSubnetRoutes is updated to reflect
|
||||
// the current state of subnet SNATing.
|
||||
func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
|
||||
func (r *linuxRouter) setNetfilterMode(mode preftype.NetfilterMode) error {
|
||||
if distro.Get() == distro.Synology {
|
||||
mode = NetfilterOff
|
||||
mode = netfilterOff
|
||||
}
|
||||
if r.netfilterMode == mode {
|
||||
return nil
|
||||
@@ -264,9 +271,9 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
|
||||
reprocess := false
|
||||
|
||||
switch mode {
|
||||
case NetfilterOff:
|
||||
case netfilterOff:
|
||||
switch r.netfilterMode {
|
||||
case NetfilterNoDivert:
|
||||
case netfilterNoDivert:
|
||||
if err := r.delNetfilterBase(); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -276,7 +283,7 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
|
||||
// This can happen if someone left a ref to
|
||||
// this table somewhere else.
|
||||
}
|
||||
case NetfilterOn:
|
||||
case netfilterOn:
|
||||
if err := r.delNetfilterHooks(); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -291,9 +298,9 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
|
||||
}
|
||||
}
|
||||
r.snatSubnetRoutes = false
|
||||
case NetfilterNoDivert:
|
||||
case netfilterNoDivert:
|
||||
switch r.netfilterMode {
|
||||
case NetfilterOff:
|
||||
case netfilterOff:
|
||||
reprocess = true
|
||||
if err := r.addNetfilterChains(); err != nil {
|
||||
return err
|
||||
@@ -302,12 +309,12 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
|
||||
return err
|
||||
}
|
||||
r.snatSubnetRoutes = false
|
||||
case NetfilterOn:
|
||||
case netfilterOn:
|
||||
if err := r.delNetfilterHooks(); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
case NetfilterOn:
|
||||
case netfilterOn:
|
||||
// Because of bugs in old version of iptables-compat,
|
||||
// we can't add a "-j ts-forward" rule to FORWARD
|
||||
// while ts-forward contains an "-m mark" rule. But
|
||||
@@ -315,7 +322,7 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
|
||||
// So we have to delNetFilterBase, then add the hooks,
|
||||
// then re-addNetFilterBase, just in case.
|
||||
switch r.netfilterMode {
|
||||
case NetfilterOff:
|
||||
case netfilterOff:
|
||||
reprocess = true
|
||||
if err := r.addNetfilterChains(); err != nil {
|
||||
return err
|
||||
@@ -330,7 +337,7 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
|
||||
return err
|
||||
}
|
||||
r.snatSubnetRoutes = false
|
||||
case NetfilterNoDivert:
|
||||
case netfilterNoDivert:
|
||||
reprocess = true
|
||||
if err := r.delNetfilterBase(); err != nil {
|
||||
return err
|
||||
@@ -397,7 +404,7 @@ func (r *linuxRouter) delAddress(addr netaddr.IPPrefix) error {
|
||||
// addLoopbackRule adds a firewall rule to permit loopback traffic to
|
||||
// a local Tailscale IP.
|
||||
func (r *linuxRouter) addLoopbackRule(addr netaddr.IP) error {
|
||||
if r.netfilterMode == NetfilterOff {
|
||||
if r.netfilterMode == netfilterOff {
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -419,7 +426,7 @@ func (r *linuxRouter) addLoopbackRule(addr netaddr.IP) error {
|
||||
// delLoopbackRule removes the firewall rule permitting loopback
|
||||
// traffic to a Tailscale IP.
|
||||
func (r *linuxRouter) delLoopbackRule(addr netaddr.IP) error {
|
||||
if r.netfilterMode == NetfilterOff {
|
||||
if r.netfilterMode == netfilterOff {
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -903,7 +910,7 @@ func (r *linuxRouter) delNetfilterHooks() error {
|
||||
// addSNATRule adds a netfilter rule to SNAT traffic destined for
|
||||
// local subnets.
|
||||
func (r *linuxRouter) addSNATRule() error {
|
||||
if r.netfilterMode == NetfilterOff {
|
||||
if r.netfilterMode == netfilterOff {
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -922,7 +929,7 @@ func (r *linuxRouter) addSNATRule() error {
|
||||
// delSNATRule removes the netfilter rule to SNAT traffic destined for
|
||||
// local subnets. Fails if the rule does not exist.
|
||||
func (r *linuxRouter) delSNATRule() error {
|
||||
if r.netfilterMode == NetfilterOff {
|
||||
if r.netfilterMode == netfilterOff {
|
||||
return nil
|
||||
}
|
||||
|
||||
|
||||
@@ -58,7 +58,7 @@ up` + basic,
|
||||
name: "local addr only",
|
||||
in: &Config{
|
||||
LocalAddrs: mustCIDRs("100.101.102.103/10"),
|
||||
NetfilterMode: NetfilterOff,
|
||||
NetfilterMode: netfilterOff,
|
||||
},
|
||||
want: `
|
||||
up
|
||||
@@ -70,7 +70,7 @@ ip addr add 100.101.102.103/10 dev tailscale0` + basic,
|
||||
in: &Config{
|
||||
LocalAddrs: mustCIDRs("100.101.102.103/10"),
|
||||
Routes: mustCIDRs("100.100.100.100/32", "192.168.16.0/24"),
|
||||
NetfilterMode: NetfilterOff,
|
||||
NetfilterMode: netfilterOff,
|
||||
},
|
||||
want: `
|
||||
up
|
||||
@@ -85,7 +85,7 @@ ip route add 192.168.16.0/24 dev tailscale0 table 52` + basic,
|
||||
LocalAddrs: mustCIDRs("100.101.102.103/10"),
|
||||
Routes: mustCIDRs("100.100.100.100/32", "192.168.16.0/24"),
|
||||
SubnetRoutes: mustCIDRs("200.0.0.0/8"),
|
||||
NetfilterMode: NetfilterOff,
|
||||
NetfilterMode: netfilterOff,
|
||||
},
|
||||
want: `
|
||||
up
|
||||
@@ -101,7 +101,7 @@ ip route add 192.168.16.0/24 dev tailscale0 table 52` + basic,
|
||||
Routes: mustCIDRs("100.100.100.100/32", "10.0.0.0/8"),
|
||||
SubnetRoutes: mustCIDRs("200.0.0.0/8"),
|
||||
SNATSubnetRoutes: true,
|
||||
NetfilterMode: NetfilterOn,
|
||||
NetfilterMode: netfilterOn,
|
||||
},
|
||||
want: `
|
||||
up
|
||||
@@ -133,7 +133,7 @@ v6/nat/ts-postrouting -m mark --mark 0x40000 -j MASQUERADE
|
||||
in: &Config{
|
||||
LocalAddrs: mustCIDRs("100.101.102.104/10"),
|
||||
Routes: mustCIDRs("100.100.100.100/32", "10.0.0.0/8"),
|
||||
NetfilterMode: NetfilterOn,
|
||||
NetfilterMode: netfilterOn,
|
||||
},
|
||||
want: `
|
||||
up
|
||||
@@ -166,7 +166,7 @@ v6/nat/POSTROUTING -j ts-postrouting
|
||||
Routes: mustCIDRs("100.100.100.100/32", "10.0.0.0/8"),
|
||||
SubnetRoutes: mustCIDRs("200.0.0.0/8"),
|
||||
SNATSubnetRoutes: false,
|
||||
NetfilterMode: NetfilterOn,
|
||||
NetfilterMode: netfilterOn,
|
||||
},
|
||||
want: `
|
||||
up
|
||||
@@ -196,7 +196,7 @@ v6/nat/POSTROUTING -j ts-postrouting
|
||||
in: &Config{
|
||||
LocalAddrs: mustCIDRs("100.101.102.104/10"),
|
||||
Routes: mustCIDRs("100.100.100.100/32", "10.0.0.0/8"),
|
||||
NetfilterMode: NetfilterOn,
|
||||
NetfilterMode: netfilterOn,
|
||||
},
|
||||
want: `
|
||||
up
|
||||
@@ -227,7 +227,7 @@ v6/nat/POSTROUTING -j ts-postrouting
|
||||
in: &Config{
|
||||
LocalAddrs: mustCIDRs("100.101.102.104/10"),
|
||||
Routes: mustCIDRs("100.100.100.100/32", "10.0.0.0/8"),
|
||||
NetfilterMode: NetfilterNoDivert,
|
||||
NetfilterMode: netfilterNoDivert,
|
||||
},
|
||||
want: `
|
||||
up
|
||||
@@ -251,7 +251,7 @@ v6/filter/ts-forward -o tailscale0 -j ACCEPT
|
||||
in: &Config{
|
||||
LocalAddrs: mustCIDRs("100.101.102.104/10"),
|
||||
Routes: mustCIDRs("100.100.100.100/32", "10.0.0.0/8"),
|
||||
NetfilterMode: NetfilterOn,
|
||||
NetfilterMode: netfilterOn,
|
||||
},
|
||||
want: `
|
||||
up
|
||||
|
||||
Reference in New Issue
Block a user