mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-25 19:15:34 +00:00
ce4553b988
This change allows us to perform batch modification for new route advertisements and route removals. Additionally, we now handle the case where newly added routes are covered by existing ranges. This change also introduces a new appctest package that contains some shared functions used for testing. Updates tailscale/corp#16833 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
305 lines
8.1 KiB
Go
305 lines
8.1 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
// Package appc implements App Connectors.
|
|
// An AppConnector provides DNS domain oriented routing of traffic. An App
|
|
// Connector becomes a DNS server for a peer, authoritative for the set of
|
|
// configured domains. DNS resolution of the target domain triggers dynamic
|
|
// publication of routes to ensure that traffic to the domain is routed through
|
|
// the App Connector.
|
|
package appc
|
|
|
|
import (
|
|
"context"
|
|
"net/netip"
|
|
"slices"
|
|
"strings"
|
|
"sync"
|
|
|
|
xmaps "golang.org/x/exp/maps"
|
|
"golang.org/x/net/dns/dnsmessage"
|
|
"tailscale.com/types/logger"
|
|
"tailscale.com/types/views"
|
|
"tailscale.com/util/dnsname"
|
|
"tailscale.com/util/execqueue"
|
|
)
|
|
|
|
// RouteAdvertiser is an interface that allows the AppConnector to advertise
|
|
// newly discovered routes that need to be served through the AppConnector.
|
|
type RouteAdvertiser interface {
|
|
// AdvertiseRoute adds one or more route advertisements skipping any that
|
|
// are already advertised.
|
|
AdvertiseRoute(...netip.Prefix) error
|
|
|
|
// UnadvertiseRoute removes any matching route advertisements.
|
|
UnadvertiseRoute(...netip.Prefix) error
|
|
}
|
|
|
|
// AppConnector is an implementation of an AppConnector that performs
|
|
// its function as a subsystem inside of a tailscale node. At the control plane
|
|
// side App Connector routing is configured in terms of domains rather than IP
|
|
// addresses.
|
|
// The AppConnectors responsibility inside tailscaled is to apply the routing
|
|
// and domain configuration as supplied in the map response.
|
|
// DNS requests for configured domains are observed. If the domains resolve to
|
|
// routes not yet served by the AppConnector the local node configuration is
|
|
// updated to advertise the new route.
|
|
type AppConnector struct {
|
|
logf logger.Logf
|
|
routeAdvertiser RouteAdvertiser
|
|
|
|
// mu guards the fields that follow
|
|
mu sync.Mutex
|
|
|
|
// domains is a map of lower case domain names with no trailing dot, to a
|
|
// list of resolved IP addresses.
|
|
domains map[string][]netip.Addr
|
|
|
|
// controlRoutes is the list of routes that were last supplied by control.
|
|
controlRoutes []netip.Prefix
|
|
|
|
// wildcards is the list of domain strings that match subdomains.
|
|
wildcards []string
|
|
|
|
// queue provides ordering for update operations
|
|
queue execqueue.ExecQueue
|
|
}
|
|
|
|
// NewAppConnector creates a new AppConnector.
|
|
func NewAppConnector(logf logger.Logf, routeAdvertiser RouteAdvertiser) *AppConnector {
|
|
return &AppConnector{
|
|
logf: logger.WithPrefix(logf, "appc: "),
|
|
routeAdvertiser: routeAdvertiser,
|
|
}
|
|
}
|
|
|
|
// UpdateDomainsAndRoutes starts an asynchronous update of the configuration
|
|
// given the new domains and routes.
|
|
func (e *AppConnector) UpdateDomainsAndRoutes(domains []string, routes []netip.Prefix) {
|
|
e.queue.Add(func() {
|
|
// Add the new routes first.
|
|
e.updateRoutes(routes)
|
|
e.updateDomains(domains)
|
|
})
|
|
}
|
|
|
|
// UpdateDomains asynchronously replaces the current set of configured domains
|
|
// with the supplied set of domains. Domains must not contain a trailing dot,
|
|
// and should be lower case. If the domain contains a leading '*' label it
|
|
// matches all subdomains of a domain.
|
|
func (e *AppConnector) UpdateDomains(domains []string) {
|
|
e.queue.Add(func() {
|
|
e.updateDomains(domains)
|
|
})
|
|
}
|
|
|
|
// Wait waits for the currently scheduled asynchronous configuration changes to
|
|
// complete.
|
|
func (e *AppConnector) Wait(ctx context.Context) {
|
|
e.queue.Wait(ctx)
|
|
}
|
|
|
|
func (e *AppConnector) updateDomains(domains []string) {
|
|
e.mu.Lock()
|
|
defer e.mu.Unlock()
|
|
|
|
var oldDomains map[string][]netip.Addr
|
|
oldDomains, e.domains = e.domains, make(map[string][]netip.Addr, len(domains))
|
|
e.wildcards = e.wildcards[:0]
|
|
for _, d := range domains {
|
|
d = strings.ToLower(d)
|
|
if len(d) == 0 {
|
|
continue
|
|
}
|
|
if strings.HasPrefix(d, "*.") {
|
|
e.wildcards = append(e.wildcards, d[2:])
|
|
continue
|
|
}
|
|
e.domains[d] = oldDomains[d]
|
|
delete(oldDomains, d)
|
|
}
|
|
|
|
// Ensure that still-live wildcards addresses are preserved as well.
|
|
for d, addrs := range oldDomains {
|
|
for _, wc := range e.wildcards {
|
|
if dnsname.HasSuffix(d, wc) {
|
|
e.domains[d] = addrs
|
|
break
|
|
}
|
|
}
|
|
}
|
|
e.logf("handling domains: %v and wildcards: %v", xmaps.Keys(e.domains), e.wildcards)
|
|
}
|
|
|
|
// updateRoutes merges the supplied routes into the currently configured routes. The routes supplied
|
|
// by control for UpdateRoutes are supplemental to the routes discovered by DNS resolution, but are
|
|
// also more often whole ranges. UpdateRoutes will remove any single address routes that are now
|
|
// covered by new ranges.
|
|
func (e *AppConnector) updateRoutes(routes []netip.Prefix) {
|
|
e.mu.Lock()
|
|
defer e.mu.Unlock()
|
|
|
|
// If there was no change since the last update, no work to do.
|
|
if slices.Equal(e.controlRoutes, routes) {
|
|
return
|
|
}
|
|
|
|
if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
|
|
e.logf("failed to advertise routes: %v: %v", routes, err)
|
|
return
|
|
}
|
|
|
|
var toRemove []netip.Prefix
|
|
|
|
nextRoute:
|
|
for _, r := range routes {
|
|
for _, addr := range e.domains {
|
|
for _, a := range addr {
|
|
if r.Contains(a) {
|
|
pfx := netip.PrefixFrom(a, a.BitLen())
|
|
toRemove = append(toRemove, pfx)
|
|
continue nextRoute
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
|
|
e.logf("failed to unadvertise routes: %v: %v", toRemove, err)
|
|
}
|
|
|
|
e.controlRoutes = routes
|
|
}
|
|
|
|
// Domains returns the currently configured domain list.
|
|
func (e *AppConnector) Domains() views.Slice[string] {
|
|
e.mu.Lock()
|
|
defer e.mu.Unlock()
|
|
|
|
return views.SliceOf(xmaps.Keys(e.domains))
|
|
}
|
|
|
|
// DomainRoutes returns a map of domains to resolved IP
|
|
// addresses.
|
|
func (e *AppConnector) DomainRoutes() map[string][]netip.Addr {
|
|
e.mu.Lock()
|
|
defer e.mu.Unlock()
|
|
|
|
drCopy := make(map[string][]netip.Addr)
|
|
for k, v := range e.domains {
|
|
drCopy[k] = append(drCopy[k], v...)
|
|
}
|
|
|
|
return drCopy
|
|
}
|
|
|
|
// ObserveDNSResponse is a callback invoked by the DNS resolver when a DNS
|
|
// response is being returned over the PeerAPI. The response is parsed and
|
|
// matched against the configured domains, if matched the routeAdvertiser is
|
|
// advised to advertise the discovered route.
|
|
func (e *AppConnector) ObserveDNSResponse(res []byte) {
|
|
var p dnsmessage.Parser
|
|
if _, err := p.Start(res); err != nil {
|
|
return
|
|
}
|
|
if err := p.SkipAllQuestions(); err != nil {
|
|
return
|
|
}
|
|
|
|
nextAnswer:
|
|
for {
|
|
h, err := p.AnswerHeader()
|
|
if err == dnsmessage.ErrSectionDone {
|
|
break
|
|
}
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
if h.Class != dnsmessage.ClassINET {
|
|
if err := p.SkipAnswer(); err != nil {
|
|
return
|
|
}
|
|
continue
|
|
}
|
|
if h.Type != dnsmessage.TypeA && h.Type != dnsmessage.TypeAAAA {
|
|
if err := p.SkipAnswer(); err != nil {
|
|
return
|
|
}
|
|
continue
|
|
}
|
|
|
|
domain := h.Name.String()
|
|
if len(domain) == 0 {
|
|
return
|
|
}
|
|
domain = strings.TrimSuffix(domain, ".")
|
|
domain = strings.ToLower(domain)
|
|
e.logf("[v2] observed DNS response for %s", domain)
|
|
|
|
e.mu.Lock()
|
|
addrs, ok := e.domains[domain]
|
|
// match wildcard domains
|
|
if !ok {
|
|
for _, wc := range e.wildcards {
|
|
if dnsname.HasSuffix(domain, wc) {
|
|
e.domains[domain] = nil
|
|
ok = true
|
|
break
|
|
}
|
|
}
|
|
}
|
|
e.mu.Unlock()
|
|
|
|
if !ok {
|
|
if err := p.SkipAnswer(); err != nil {
|
|
return
|
|
}
|
|
continue
|
|
}
|
|
|
|
var addr netip.Addr
|
|
switch h.Type {
|
|
case dnsmessage.TypeA:
|
|
r, err := p.AResource()
|
|
if err != nil {
|
|
return
|
|
}
|
|
addr = netip.AddrFrom4(r.A)
|
|
case dnsmessage.TypeAAAA:
|
|
r, err := p.AAAAResource()
|
|
if err != nil {
|
|
return
|
|
}
|
|
addr = netip.AddrFrom16(r.AAAA)
|
|
default:
|
|
if err := p.SkipAnswer(); err != nil {
|
|
return
|
|
}
|
|
continue
|
|
}
|
|
if slices.Contains(addrs, addr) {
|
|
continue
|
|
}
|
|
for _, route := range e.controlRoutes {
|
|
if route.Contains(addr) {
|
|
// record the new address associated with the domain for faster matching in subsequent
|
|
// requests and for diagnostic records.
|
|
e.mu.Lock()
|
|
e.domains[domain] = append(addrs, addr)
|
|
e.mu.Unlock()
|
|
continue nextAnswer
|
|
}
|
|
}
|
|
if err := e.routeAdvertiser.AdvertiseRoute(netip.PrefixFrom(addr, addr.BitLen())); err != nil {
|
|
e.logf("failed to advertise route for %s: %v: %v", domain, addr, err)
|
|
continue
|
|
}
|
|
e.logf("[v2] advertised route for %v: %v", domain, addr)
|
|
|
|
e.mu.Lock()
|
|
e.domains[domain] = append(addrs, addr)
|
|
e.mu.Unlock()
|
|
}
|
|
}
|