control/controlclient: support incremental packet filter updates [capver 81]

Updates #10299 Change-Id: I87e4235c668a1db7de7ef1abc743f0beecb86d3d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-08-11 13:18:53 +00:00 · 2023-11-17 09:20:08 -08:00
parent b8a2aedccd
commit fb829ea7f1
4 changed files with 156 additions and 4 deletions
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -16,6 +16,7 @@ import (
 	"sync"
 	"time"

+	xmaps "golang.org/x/exp/maps"
 	"tailscale.com/control/controlknobs"
 	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
@@ -27,6 +28,7 @@ import (
 	"tailscale.com/types/views"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/cmpx"
+	"tailscale.com/util/mak"
 	"tailscale.com/wgengine/filter"
 )

@@ -75,7 +77,8 @@ type mapSession struct {
 	lastDNSConfig          *tailcfg.DNSConfig
 	lastDERPMap            *tailcfg.DERPMap
 	lastUserProfile        map[tailcfg.UserID]tailcfg.UserProfile
-	lastPacketFilterRules  views.Slice[tailcfg.FilterRule]
+	lastPacketFilterRules  views.Slice[tailcfg.FilterRule] // concatenation of all namedPacketFilters
+	namedPacketFilters     map[string]views.Slice[tailcfg.FilterRule]
 	lastParsedPacketFilter []filter.Match
 	lastSSHPolicy          *tailcfg.SSHPolicy
 	collectServices        bool
@@ -259,10 +262,39 @@ func (ms *mapSession) updateStateFromResponse(resp *tailcfg.MapResponse) {
 		ms.lastDERPMap = dm
 	}

+	var packetFilterChanged bool
+	// Older way, one big blob:
 	if pf := resp.PacketFilter; pf != nil {
+		packetFilterChanged = true
+		mak.Set(&ms.namedPacketFilters, "base", views.SliceOf(pf))
+	}
+	// Newer way, named chunks:
+	if m := resp.PacketFilters; m != nil {
+		packetFilterChanged = true
+		if v, ok := m["*"]; ok && v == nil {
+			ms.namedPacketFilters = nil
+		}
+		for k, v := range m {
+			if k == "*" {
+				continue
+			}
+			if v != nil {
+				mak.Set(&ms.namedPacketFilters, k, views.SliceOf(v))
+			} else {
+				delete(ms.namedPacketFilters, k)
+			}
+		}
+	}
+	if packetFilterChanged {
+		keys := xmaps.Keys(ms.namedPacketFilters)
+		sort.Strings(keys)
+		var concat []tailcfg.FilterRule
+		for _, v := range keys {
+			concat = ms.namedPacketFilters[v].AppendTo(concat)
+		}
+		ms.lastPacketFilterRules = views.SliceOf(concat)
 		var err error
-		ms.lastPacketFilterRules = views.SliceOf(pf)
-		ms.lastParsedPacketFilter, err = filter.MatchesFromFilterRules(pf)
+		ms.lastParsedPacketFilter, err = filter.MatchesFromFilterRules(concat)
 		if err != nil {
 			ms.logf("parsePacketFilter: %v", err)
 		}
--- a/control/controlclient/map_test.go
+++ b/control/controlclient/map_test.go
@@ -547,6 +547,98 @@ func TestNetmapForResponse(t *testing.T) {
 			t.Errorf("Node mismatch in 2nd netmap; got: %s", j)
 		}
 	})
+	t.Run("named_packetfilter", func(t *testing.T) {
+		pfA := []tailcfg.FilterRule{
+			{
+				SrcIPs: []string{"10.0.0.1"},
+				DstPorts: []tailcfg.NetPortRange{
+					{IP: "10.2.3.4", Ports: tailcfg.PortRange{First: 22, Last: 22}},
+				},
+			},
+		}
+		pfB := []tailcfg.FilterRule{
+			{
+				SrcIPs: []string{"10.0.0.2"},
+				DstPorts: []tailcfg.NetPortRange{
+					{IP: "10.2.3.4", Ports: tailcfg.PortRange{First: 22, Last: 22}},
+				},
+			},
+		}
+		ms := newTestMapSession(t, nil)
+
+		// Mix of old & new style (PacketFilter and PacketFilters).
+		nm1 := ms.netmapForResponse(&tailcfg.MapResponse{
+			Node:         new(tailcfg.Node),
+			PacketFilter: pfA,
+			PacketFilters: map[string][]tailcfg.FilterRule{
+				"pf-b": pfB,
+			},
+		})
+		if got, want := len(nm1.PacketFilter), 2; got != want {
+			t.Fatalf("PacketFilter length = %v; want %v", got, want)
+		}
+		if got, want := first(nm1.PacketFilter[0].Srcs).String(), "10.0.0.1/32"; got != want {
+			t.Fatalf("PacketFilter[0].Srcs = %v; want %v", got, want)
+		}
+		if got, want := first(nm1.PacketFilter[1].Srcs).String(), "10.0.0.2/32"; got != want {
+			t.Fatalf("PacketFilter[0].Srcs = %v; want %v", got, want)
+		}
+
+		// No-op change. Remember the old stuff.
+		nm2 := ms.netmapForResponse(&tailcfg.MapResponse{
+			Node:          new(tailcfg.Node),
+			PacketFilter:  nil,
+			PacketFilters: nil,
+		})
+		if got, want := len(nm2.PacketFilter), 2; got != want {
+			t.Fatalf("PacketFilter length = %v; want %v", got, want)
+		}
+		if !reflect.DeepEqual(nm1.PacketFilter, nm2.PacketFilter) {
+			t.Error("packet filters differ")
+		}
+
+		// New style only, with clear.
+		nm3 := ms.netmapForResponse(&tailcfg.MapResponse{
+			Node:         new(tailcfg.Node),
+			PacketFilter: nil,
+			PacketFilters: map[string][]tailcfg.FilterRule{
+				"*":    nil,
+				"pf-b": pfB,
+			},
+		})
+		if got, want := len(nm3.PacketFilter), 1; got != want {
+			t.Fatalf("PacketFilter length = %v; want %v", got, want)
+		}
+		if got, want := first(nm3.PacketFilter[0].Srcs).String(), "10.0.0.2/32"; got != want {
+			t.Fatalf("PacketFilter[0].Srcs = %v; want %v", got, want)
+		}
+
+		// New style only, adding pfA back, not as the legacy "base" layer:.
+		nm4 := ms.netmapForResponse(&tailcfg.MapResponse{
+			Node:         new(tailcfg.Node),
+			PacketFilter: nil,
+			PacketFilters: map[string][]tailcfg.FilterRule{
+				"pf-a": pfA,
+			},
+		})
+		if got, want := len(nm4.PacketFilter), 2; got != want {
+			t.Fatalf("PacketFilter length = %v; want %v", got, want)
+		}
+		if got, want := first(nm4.PacketFilter[0].Srcs).String(), "10.0.0.1/32"; got != want {
+			t.Fatalf("PacketFilter[0].Srcs = %v; want %v", got, want)
+		}
+		if got, want := first(nm4.PacketFilter[1].Srcs).String(), "10.0.0.2/32"; got != want {
+			t.Fatalf("PacketFilter[0].Srcs = %v; want %v", got, want)
+		}
+	})
+}
+
+func first[T any](s []T) T {
+	if len(s) == 0 {
+		var zero T
+		return zero
+	}
+	return s[0]
 }

 func TestDeltaDERPMap(t *testing.T) {