mirror of
https://github.com/tailscale/tailscale.git
synced 2025-01-09 09:33:42 +00:00
7330aa593e
On some platforms (notably macOS and iOS) we look up the default interface to bind outgoing connections to. This is both duplicated work and results in logspam when the default interface is not available (i.e. when a phone has no connectivity, we log an error and thus cause more things that we will try to upload and fail). Fixed by passing around a netmon.Monitor to more places, so that we can use its cached interface state. Fixes #7850 Updates #7621 Signed-off-by: Mihai Parparita <mihai@tailscale.com>
142 lines
3.4 KiB
Go
142 lines
3.4 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
//go:build linux && !android
|
|
|
|
package netns
|
|
|
|
import (
|
|
"fmt"
|
|
"net"
|
|
"os"
|
|
"sync"
|
|
"syscall"
|
|
|
|
"golang.org/x/sys/unix"
|
|
"tailscale.com/envknob"
|
|
"tailscale.com/net/interfaces"
|
|
"tailscale.com/net/netmon"
|
|
"tailscale.com/types/logger"
|
|
)
|
|
|
|
// tailscaleBypassMark is the mark indicating that packets originating
|
|
// from a socket should bypass Tailscale-managed routes during routing
|
|
// table lookups.
|
|
//
|
|
// Keep this in sync with tailscaleBypassMark in
|
|
// wgengine/router/router_linux.go.
|
|
const tailscaleBypassMark = 0x80000
|
|
|
|
// socketMarkWorksOnce is the sync.Once & cached value for useSocketMark.
|
|
var socketMarkWorksOnce struct {
|
|
sync.Once
|
|
v bool
|
|
}
|
|
|
|
// socketMarkWorks returns whether SO_MARK works.
|
|
func socketMarkWorks() bool {
|
|
addr, err := net.ResolveUDPAddr("udp", "127.0.0.1:1")
|
|
if err != nil {
|
|
return true // unsure, returning true does the least harm.
|
|
}
|
|
|
|
sConn, err := net.DialUDP("udp", nil, addr)
|
|
if err != nil {
|
|
return true // unsure, return true
|
|
}
|
|
defer sConn.Close()
|
|
|
|
rConn, err := sConn.SyscallConn()
|
|
if err != nil {
|
|
return true // unsure, return true
|
|
}
|
|
|
|
var sockErr error
|
|
err = rConn.Control(func(fd uintptr) {
|
|
sockErr = setBypassMark(fd)
|
|
})
|
|
if err != nil || sockErr != nil {
|
|
return false
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
var forceBindToDevice = envknob.RegisterBool("TS_FORCE_LINUX_BIND_TO_DEVICE")
|
|
|
|
// UseSocketMark reports whether SO_MARK is in use.
|
|
// If it doesn't, we have to use SO_BINDTODEVICE on our sockets instead.
|
|
func UseSocketMark() bool {
|
|
if forceBindToDevice() {
|
|
return false
|
|
}
|
|
socketMarkWorksOnce.Do(func() {
|
|
socketMarkWorksOnce.v = socketMarkWorks()
|
|
})
|
|
return socketMarkWorksOnce.v
|
|
}
|
|
|
|
// ignoreErrors returns true if we should ignore setsocketopt errors in
|
|
// this instance.
|
|
func ignoreErrors() bool {
|
|
if os.Getuid() != 0 {
|
|
// only root can manipulate these socket flags
|
|
return true
|
|
}
|
|
return false
|
|
}
|
|
|
|
func control(logger.Logf, *netmon.Monitor) func(network, address string, c syscall.RawConn) error {
|
|
return controlC
|
|
}
|
|
|
|
// controlC marks c as necessary to dial in a separate network namespace.
|
|
//
|
|
// It's intentionally the same signature as net.Dialer.Control
|
|
// and net.ListenConfig.Control.
|
|
func controlC(network, address string, c syscall.RawConn) error {
|
|
if isLocalhost(address) {
|
|
// Don't bind to an interface for localhost connections.
|
|
return nil
|
|
}
|
|
|
|
var sockErr error
|
|
err := c.Control(func(fd uintptr) {
|
|
if UseSocketMark() {
|
|
sockErr = setBypassMark(fd)
|
|
} else {
|
|
sockErr = bindToDevice(fd)
|
|
}
|
|
})
|
|
if err != nil {
|
|
return fmt.Errorf("RawConn.Control on %T: %w", c, err)
|
|
}
|
|
if sockErr != nil && ignoreErrors() {
|
|
// TODO(bradfitz): maybe log once? probably too spammy for e.g. CLI tools like tailscale netcheck.
|
|
return nil
|
|
}
|
|
return sockErr
|
|
}
|
|
|
|
func setBypassMark(fd uintptr) error {
|
|
if err := unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_MARK, tailscaleBypassMark); err != nil {
|
|
return fmt.Errorf("setting SO_MARK bypass: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func bindToDevice(fd uintptr) error {
|
|
ifc, err := interfaces.DefaultRouteInterface()
|
|
if err != nil {
|
|
// Make sure we bind to *some* interface,
|
|
// or we could get a routing loop.
|
|
// "lo" is always wrong, but if we don't have
|
|
// a default route anyway, it doesn't matter.
|
|
ifc = "lo"
|
|
}
|
|
if err := unix.SetsockoptString(int(fd), unix.SOL_SOCKET, unix.SO_BINDTODEVICE, ifc); err != nil {
|
|
return fmt.Errorf("setting SO_BINDTODEVICE: %w", err)
|
|
}
|
|
return nil
|
|
}
|