mirror of
				https://github.com/tailscale/tailscale.git
				synced 2025-10-24 17:48:57 +00:00 
			
		
		
		
	 8b9474b06a
			
		
	
	8b9474b06a
	
	
	
		
			
			That's already the default. Avoid the overhead of writing it on one side and reading it on the other to do nothing. Updates #cleanup (noticed while researching something else) Change-Id: I449c88a022271afb9be5da876bfaf438fe5d3f58 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
		
			
				
	
	
		
			155 lines
		
	
	
		
			4.3 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			155 lines
		
	
	
		
			4.3 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // Copyright (c) Tailscale Inc & AUTHORS
 | |
| // SPDX-License-Identifier: BSD-3-Clause
 | |
| 
 | |
| package wgcfg
 | |
| 
 | |
| import (
 | |
| 	"fmt"
 | |
| 	"io"
 | |
| 	"net/netip"
 | |
| 	"strconv"
 | |
| 
 | |
| 	"tailscale.com/types/key"
 | |
| 	"tailscale.com/types/logger"
 | |
| )
 | |
| 
 | |
| // ToUAPI writes cfg in UAPI format to w.
 | |
| // Prev is the previous device Config.
 | |
| //
 | |
| // Prev is required so that we can remove now-defunct peers without having to
 | |
| // remove and re-add all peers, and so that we can avoid writing information
 | |
| // about peers that have not changed since the previous time we wrote our
 | |
| // Config.
 | |
| func (cfg *Config) ToUAPI(logf logger.Logf, w io.Writer, prev *Config) error {
 | |
| 	var stickyErr error
 | |
| 	set := func(key, value string) {
 | |
| 		if stickyErr != nil {
 | |
| 			return
 | |
| 		}
 | |
| 		_, err := fmt.Fprintf(w, "%s=%s\n", key, value)
 | |
| 		if err != nil {
 | |
| 			stickyErr = err
 | |
| 		}
 | |
| 	}
 | |
| 	setUint16 := func(key string, value uint16) {
 | |
| 		set(key, strconv.FormatUint(uint64(value), 10))
 | |
| 	}
 | |
| 	setPeer := func(peer Peer) {
 | |
| 		set("public_key", peer.PublicKey.UntypedHexString())
 | |
| 	}
 | |
| 
 | |
| 	// Device config.
 | |
| 	if !prev.PrivateKey.Equal(cfg.PrivateKey) {
 | |
| 		set("private_key", cfg.PrivateKey.UntypedHexString())
 | |
| 	}
 | |
| 
 | |
| 	old := make(map[key.NodePublic]Peer)
 | |
| 	for _, p := range prev.Peers {
 | |
| 		old[p.PublicKey] = p
 | |
| 	}
 | |
| 
 | |
| 	// Add/configure all new peers.
 | |
| 	for _, p := range cfg.Peers {
 | |
| 		oldPeer, wasPresent := old[p.PublicKey]
 | |
| 
 | |
| 		// We only want to write the peer header/version if we're about
 | |
| 		// to change something about that peer, or if it's a new peer.
 | |
| 		// Figure out up-front whether we'll need to do anything for
 | |
| 		// this peer, and skip doing anything if not.
 | |
| 		//
 | |
| 		// If the peer was not present in the previous config, this
 | |
| 		// implies that this is a new peer; set all of these to 'true'
 | |
| 		// to ensure that we're writing the full peer configuration.
 | |
| 		willSetEndpoint := oldPeer.WGEndpoint != p.PublicKey || !wasPresent
 | |
| 		willChangeIPs := !cidrsEqual(oldPeer.AllowedIPs, p.AllowedIPs) || !wasPresent
 | |
| 		willChangeKeepalive := oldPeer.PersistentKeepalive != p.PersistentKeepalive // if not wasPresent, no need to redundantly set zero (default)
 | |
| 
 | |
| 		if !willSetEndpoint && !willChangeIPs && !willChangeKeepalive {
 | |
| 			// It's safe to skip doing anything here; wireguard-go
 | |
| 			// will not remove a peer if it's unspecified unless we
 | |
| 			// tell it to (which we do below if necessary).
 | |
| 			continue
 | |
| 		}
 | |
| 
 | |
| 		setPeer(p)
 | |
| 		set("protocol_version", "1")
 | |
| 
 | |
| 		// Avoid setting endpoints if the correct one is already known
 | |
| 		// to WireGuard, because doing so generates a bit more work in
 | |
| 		// calling magicsock's ParseEndpoint for effectively a no-op.
 | |
| 		if willSetEndpoint {
 | |
| 			if wasPresent {
 | |
| 				// We had an endpoint, and it was wrong.
 | |
| 				// By construction, this should not happen.
 | |
| 				// If it does, keep going so that we can recover from it,
 | |
| 				// but log so that we know about it,
 | |
| 				// because it is an indicator of other failed invariants.
 | |
| 				// See corp issue 3016.
 | |
| 				logf("[unexpected] endpoint changed from %s to %s", oldPeer.WGEndpoint, p.PublicKey)
 | |
| 			}
 | |
| 			set("endpoint", p.PublicKey.UntypedHexString())
 | |
| 		}
 | |
| 
 | |
| 		// TODO: replace_allowed_ips is expensive.
 | |
| 		// If p.AllowedIPs is a strict superset of oldPeer.AllowedIPs,
 | |
| 		// then skip replace_allowed_ips and instead add only
 | |
| 		// the new ipps with allowed_ip.
 | |
| 		if willChangeIPs {
 | |
| 			set("replace_allowed_ips", "true")
 | |
| 			for _, ipp := range p.AllowedIPs {
 | |
| 				set("allowed_ip", ipp.String())
 | |
| 			}
 | |
| 		}
 | |
| 
 | |
| 		// Set PersistentKeepalive after the peer is otherwise configured,
 | |
| 		// because it can trigger handshake packets.
 | |
| 		if willChangeKeepalive {
 | |
| 			setUint16("persistent_keepalive_interval", p.PersistentKeepalive)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Remove peers that were present but should no longer be.
 | |
| 	for _, p := range cfg.Peers {
 | |
| 		delete(old, p.PublicKey)
 | |
| 	}
 | |
| 	for _, p := range old {
 | |
| 		setPeer(p)
 | |
| 		set("remove", "true")
 | |
| 	}
 | |
| 
 | |
| 	if stickyErr != nil {
 | |
| 		stickyErr = fmt.Errorf("ToUAPI: %w", stickyErr)
 | |
| 	}
 | |
| 	return stickyErr
 | |
| }
 | |
| 
 | |
| func cidrsEqual(x, y []netip.Prefix) bool {
 | |
| 	// TODO: re-implement using netaddr.IPSet.Equal.
 | |
| 	if len(x) != len(y) {
 | |
| 		return false
 | |
| 	}
 | |
| 	// First see if they're equal in order, without allocating.
 | |
| 	exact := true
 | |
| 	for i := range x {
 | |
| 		if x[i] != y[i] {
 | |
| 			exact = false
 | |
| 			break
 | |
| 		}
 | |
| 	}
 | |
| 	if exact {
 | |
| 		return true
 | |
| 	}
 | |
| 
 | |
| 	// Otherwise, see if they're the same, but out of order.
 | |
| 	m := make(map[netip.Prefix]bool)
 | |
| 	for _, v := range x {
 | |
| 		m[v] = true
 | |
| 	}
 | |
| 	for _, v := range y {
 | |
| 		if !m[v] {
 | |
| 			return false
 | |
| 		}
 | |
| 	}
 | |
| 	return true
 | |
| }
 |