mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-25 19:15:34 +00:00
d837e0252f
When an Exit Node is used, we create a WFP rule to block all inbound and outbound traffic, along with several rules to permit specific types of traffic. Notably, we allow all inbound and outbound traffic to and from LocalRoutes specified in wgengine/router.Config. The list of allowed routes always includes routes for internal interfaces, such as loopback and virtual Hyper-V/WSL2 interfaces, and may also include LAN routes if the "Allow local network access" option is enabled. However, these permitting rules do not allow link-local multicast on the corresponding interfaces. This results in broken mDNS/LLMNR, and potentially other similar issues, whenever an exit node is used. In this PR, we update (*wf.Firewall).UpdatePermittedRoutes() to create rules allowing outbound and inbound link-local multicast traffic to and from the permitted IP ranges, partially resolving the mDNS/LLMNR and *.local name resolution issue. Since Windows does not attempt to send mDNS/LLMNR queries if a catch-all NRPT rule is present, it is still necessary to disable the creation of that rule using the disable-local-dns-override-via-nrpt nodeAttr. Updates #13571 Signed-off-by: Nick Khyl <nickk@tailscale.com> |
||
|---|---|---|
| .. | ||
| archtest | ||
| deptest | ||
| integration | ||
| iosdeps | ||
| jsdeps | ||
| natlab | ||
| nettest | ||
| tailmac | ||
| tools | ||
| allocs.go | ||
| clock_test.go | ||
| clock.go | ||
| log_test.go | ||
| log.go | ||
| reflect.go | ||
| resource.go | ||
| test-wishlist.md | ||
| tstest_test.go | ||
| tstest.go | ||