mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-26 03:25:35 +00:00
e5f67f90a2
Fixes tailscale/tailscale#10393 Fixes tailscale/corp#15412 Fixes tailscale/corp#19808 On Apple platforms, exit nodes and subnet routers have been unable to relay pings from Tailscale devices to non-Tailscale devices due to sandbox restrictions imposed on our network extensions by Apple. The sandbox prevented the code in netstack.go from spawning the `ping` process which we were using. Replace that exec call with logic to send an ICMP echo request directly, which appears to work in userspace, and not trigger a sandbox violation in the syslog. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
39 lines
1006 B
Go
39 lines
1006 B
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
//go:build darwin || ios
|
|
|
|
package netstack
|
|
|
|
import (
|
|
"net/netip"
|
|
"time"
|
|
|
|
"github.com/prometheus-community/pro-bing"
|
|
)
|
|
|
|
// sendOutboundUserPing sends a non-privileged ICMP (or ICMPv6) ping to dstIP with the given timeout.
|
|
func (ns *Impl) sendOutboundUserPing(dstIP netip.Addr, timeout time.Duration) error {
|
|
p, err := probing.NewPinger(dstIP.String())
|
|
if err != nil {
|
|
ns.logf("sendICMPPingToIP failed to create pinger: %v", err)
|
|
return err
|
|
}
|
|
|
|
p.Timeout = timeout
|
|
p.Count = 1
|
|
p.SetPrivileged(false)
|
|
|
|
p.OnSend = func(pkt *probing.Packet) {
|
|
ns.logf("sendICMPPingToIP: forwarding ping to %s:", p.Addr())
|
|
}
|
|
p.OnRecv = func(pkt *probing.Packet) {
|
|
ns.logf("sendICMPPingToIP: %d bytes pong from %s: icmp_seq=%d time=%v", pkt.Nbytes, pkt.IPAddr, pkt.Seq, pkt.Rtt)
|
|
}
|
|
p.OnFinish = func(stats *probing.Statistics) {
|
|
ns.logf("sendICMPPingToIP: done, %d replies received", stats.PacketsRecv)
|
|
}
|
|
|
|
return p.Run()
|
|
}
|