mirror of
https://github.com/tailscale/tailscale.git
synced 2025-08-13 22:47:30 +00:00
.bencher
.github
appc
atomicfile
chirp
client
clientupdate
cmd
control
derp
disco
docs
doctor
drive
envknob
feature
gokrazy
health
hostinfo
internal
ipn
jsondb
k8s-operator
kube
licenses
log
logpolicy
logtail
metrics
net
omit
packages
paths
portlist
posture
prober
proxymap
release
safesocket
safeweb
scripts
sessionrecording
smallzstd
ssh
syncs
tailcfg
taildrop
tempfork
tka
tool
tsconst
tsd
tsnet
tstest
tstime
tsweb
types
util
cache
cibuild
clientmetric
cloudenv
cmpver
codegen
cstruct
ctxkey
deephash
dirwalk
dnsname
execqueue
expvarx
goroutines
groupmember
hashx
httphdr
httpm
jsonutil
limiter
lineiter
lineread
linuxfw
linuxfwtest
detector.go
fake.go
helpers.go
iptables.go
iptables_for_svcs.go
iptables_for_svcs_test.go
iptables_runner.go
iptables_runner_test.go
linuxfw.go
linuxfw_unsupported.go
nftables.go
nftables_for_svcs.go
nftables_for_svcs_test.go
nftables_runner.go
nftables_runner_test.go
nftables_types.go
lru
mak
multierr
must
nocasemaps
osdiag
osshare
osuser
pidowner
pool
precompress
progresstracking
quarantine
race
racebuild
rands
reload
ringbuffer
set
singleflight
slicesx
stringsx
syspolicy
sysresources
systemd
testenv
topk
truncate
usermetric
vizerror
winutil
zstdframe
version
wf
wgengine
words
.gitattributes
.gitignore
.golangci.yml
ALPINE.txt
AUTHORS
CODEOWNERS
CODE_OF_CONDUCT.md
Dockerfile
Dockerfile.base
LICENSE
Makefile
PATENTS
README.md
SECURITY.md
VERSION.txt
api.md
assert_ts_toolchain_match.go
build_dist.sh
build_docker.sh
flake.lock
flake.nix
go.mod
go.mod.sri
go.sum
go.toolchain.branch
go.toolchain.rev
gomod_test.go
header.txt
pkgdoc_test.go
pull-toolchain.sh
shell.nix
staticcheck.conf
update-flake.sh
version-embed.go
version_tailscale_test.go
version_test.go
096b090caf
* cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets
This commit is first part of the work to allow running multiple
replicas of the Kubernetes operator egress proxies per tailnet service +
to allow exposing multiple tailnet services via each proxy replica.
This expands the existing iptables/nftables-based proxy configuration
mechanism.
A proxy can now be configured to route to one or more tailnet targets
via a (mounted) config file that, for each tailnet target, specifies:
- the target's tailnet IP or FQDN
- mappings of container ports to which cluster workloads will send traffic to
tailnet target ports where the traffic should be forwarded.
Example configfile contents:
{
"some-svc": {"tailnetTarget":{"fqdn":"foo.tailnetxyz.ts.net","ports"{"tcp:4006:80":{"protocol":"tcp","matchPort":4006,"targetPort":80},"tcp:4007:443":{"protocol":"tcp","matchPort":4007,"targetPort":443}}}}
}
A proxy that is configured with this config file will configure firewall rules
to route cluster traffic to the tailnet targets. It will then watch the config file
for updates as well as monitor relevant netmap updates and reconfigure firewall
as needed.
This adds a bunch of new iptables/nftables functionality to make it easier to dynamically update
the firewall rules without needing to restart the proxy Pod as well as to make
it easier to debug/understand the rules:
- for iptables, each portmapping is a DNAT rule with a comment pointing
at the 'service',i.e:
-A PREROUTING ! -i tailscale0 -p tcp -m tcp --dport 4006 -m comment --comment "some-svc:tcp:4006 -> tcp:80" -j DNAT --to-destination 100.64.1.18:80
Additionally there is a SNAT rule for each tailnet target, to mask the source address.
- for nftables, a separate prerouting chain is created for each tailnet target
and all the portmapping rules are placed in that chain. This makes it easier
to look up rules and delete services when no longer needed.
(nftables allows hooking a custom chain to a prerouting hook, so no extra work
is needed to ensure that the rules in the service chains are evaluated).
The next steps will be to get the Kubernetes Operator to generate
the configfile and ensure it is mounted to the relevant proxy nodes.
Updates tailscale/tailscale#13406
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
80 lines
2.7 KiB
Go
80 lines
2.7 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
//go:build linux
|
|
|
|
package linuxfw
|
|
|
|
import (
|
|
"fmt"
|
|
"net/netip"
|
|
)
|
|
|
|
// This file contains functionality to insert portmapping rules for a 'service'.
|
|
// These are currently only used by the Kubernetes operator proxies.
|
|
// An iptables rule for such a service contains a comment with the service name.
|
|
|
|
// EnsurePortMapRuleForSvc adds a prerouting rule that forwards traffic received
|
|
// on match port and NOT on the provided interface to target IP and target port.
|
|
// Rule will only be added if it does not already exists.
|
|
func (i *iptablesRunner) EnsurePortMapRuleForSvc(svc, tun string, targetIP netip.Addr, pm PortMap) error {
|
|
table := i.getIPTByAddr(targetIP)
|
|
args := argsForPortMapRule(svc, tun, targetIP, pm)
|
|
exists, err := table.Exists("nat", "PREROUTING", args...)
|
|
if err != nil {
|
|
return fmt.Errorf("error checking if rule exists: %w", err)
|
|
}
|
|
if !exists {
|
|
return table.Append("nat", "PREROUTING", args...)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// DeleteMapRuleForSvc constructs a prerouting rule as would be created by
|
|
// EnsurePortMapRuleForSvc with the provided args and, if such a rule exists,
|
|
// deletes it.
|
|
func (i *iptablesRunner) DeletePortMapRuleForSvc(svc, excludeI string, targetIP netip.Addr, pm PortMap) error {
|
|
table := i.getIPTByAddr(targetIP)
|
|
args := argsForPortMapRule(svc, excludeI, targetIP, pm)
|
|
exists, err := table.Exists("nat", "PREROUTING", args...)
|
|
if err != nil {
|
|
return fmt.Errorf("error checking if rule exists: %w", err)
|
|
}
|
|
if exists {
|
|
return table.Delete("nat", "PREROUTING", args...)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// DeleteSvc constructs all possible rules that would have been created by
|
|
// EnsurePortMapRuleForSvc from the provided args and ensures that each one that
|
|
// exists is deleted.
|
|
func (i *iptablesRunner) DeleteSvc(svc, tun string, targetIPs []netip.Addr, pms []PortMap) error {
|
|
for _, tip := range targetIPs {
|
|
for _, pm := range pms {
|
|
if err := i.DeletePortMapRuleForSvc(svc, tun, tip, pm); err != nil {
|
|
return fmt.Errorf("error deleting rule: %w", err)
|
|
}
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func argsForPortMapRule(svc, excludeI string, targetIP netip.Addr, pm PortMap) []string {
|
|
c := commentForSvc(svc, pm)
|
|
return []string{
|
|
"!", "-i", excludeI,
|
|
"-p", pm.Protocol,
|
|
"--dport", fmt.Sprintf("%d", pm.MatchPort),
|
|
"-m", "comment", "--comment", c,
|
|
"-j", "DNAT",
|
|
"--to-destination", fmt.Sprintf("%v:%v", targetIP, pm.TargetPort),
|
|
}
|
|
}
|
|
|
|
// commentForSvc generates a comment to be added to an iptables DNAT rule for a
|
|
// service. This is for iptables debugging/readability purposes only.
|
|
func commentForSvc(svc string, pm PortMap) string {
|
|
return fmt.Sprintf("%s:%s:%d -> %s:%d", svc, pm.Protocol, pm.MatchPort, pm.Protocol, pm.TargetPort)
|
|
}
|