wgengine/netstack: always respond to 4via6 echo requests (#5712)

As the comment in the code says, netstack should always respond to ICMP
echo requests to a 4via6 address, even if the netstack instance isn't
normally processing subnet traffic.

Follow-up to #5709

Change-Id: I504d0776c5824071b2a2e0e687bc33e24f6c4746
Signed-off-by: Andrew Dunham <andrew@tailscale.com>
andrew/netns-macos-route
Andrew Dunham 2 years ago committed by GitHub
parent 565dbc599a
commit 0607832397
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -716,33 +716,49 @@ func (ns *Impl) shouldHandlePing(p *packet.Parsed) (_ netip.Addr, ok bool) {
if !p.IsEchoRequest() { if !p.IsEchoRequest() {
return netip.Addr{}, false return netip.Addr{}, false
} }
destIP := p.Dst.Addr()
// We need to handle pings for all 4via6 addresses, even if this
// netstack instance normally isn't responsible for processing subnets.
//
// For example, on Linux, subnet router traffic could be handled via
// tun+iptables rules for most packets, but we still need to handle
// ICMP echo requests over 4via6 since the host networking stack
// doesn't know what to do with a 4via6 address.
//
// shouldProcessInbound returns 'true' to say that we should process
// all IPv6 packets with a destination address in the 'via' range, so
// check before we check the "ProcessSubnets" boolean below.
if viaRange.Contains(destIP) {
// The input echo request was to a 4via6 address, which we cannot
// simply ping as-is from this process. Translate the destination to an
// IPv4 address, so that our relayed ping (in userPing) is pinging the
// underlying destination IP.
//
// ICMPv4 and ICMPv6 are different protocols with different on-the-wire
// representations, so normally you can't send an ICMPv6 message over
// IPv4 and expect to get a useful result. However, in this specific
// case things are safe because the 'userPing' function doesn't make
// use of the input packet.
return tsaddr.UnmapVia(destIP), true
}
// If we get here, we don't do anything unless this netstack instance
// is responsible for processing subnet traffic.
if !ns.ProcessSubnets { if !ns.ProcessSubnets {
return netip.Addr{}, false return netip.Addr{}, false
} }
destIP := p.Dst.Addr()
// For non-4via6 addresses, we don't handle pings if they're destined // For non-4via6 addresses, we don't handle pings if they're destined
// for a Tailscale IP. // for a Tailscale IP.
if !viaRange.Contains(destIP) { if tsaddr.IsTailscaleIP(destIP) {
if tsaddr.IsTailscaleIP(destIP) { return netip.Addr{}, false
return netip.Addr{}, false
}
return destIP, true
} }
// The input echo request was to a 4via6 address, which we cannot // This netstack instance is processing subnet traffic, so handle the
// simply ping as-is from this process. Translate the destination to an // ping ourselves.
// IPv4 address, so that our relayed ping (in userPing) is pinging the return destIP, true
// underlying destination IP.
//
// ICMPv4 and ICMPv6 are different protocols with different on-the-wire
// representations, so normally you can't send an ICMPv6 message over
// IPv4 and expect to get a useful result. However, in this specific
// case things are safe because the 'userPing' function doesn't make
// use of the input packet.
return tsaddr.UnmapVia(destIP), true
} }
func netaddrIPFromNetstackIP(s tcpip.Address) netip.Addr { func netaddrIPFromNetstackIP(s tcpip.Address) netip.Addr {
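Review bot: The new early return at `if viaRange.Contains(destIP)` hands `tsaddr.UnmapVia(destIP)` to the ping relay for every address in the 4via6 range, now also when `ns.ProcessSubnets` is false. Nothing in this function checks that the embedded site ID and IPv4 prefix belong to a route this node advertises, or that the unmapped address is not itself a Tailscale IP. Presumably the packet filter and `shouldProcessInbound` have already constrained the destination before this point, but that is not visible in the hunk. I would state that dependency in the comment, e.g. `// Callers must already have filtered p; no check is made here that this node advertises the 4via6 route.` The signature of shouldHandlePing lies above the hunk and is only visible in the hunk header.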

@ -5,6 +5,7 @@
package netstack package netstack
import ( import (
"fmt"
"net/netip" "net/netip"
"runtime" "runtime"
"testing" "testing"
@ -216,36 +217,38 @@ func TestShouldHandlePing(t *testing.T) {
} }
}) })
t.Run("ICMP6-4via6", func(t *testing.T) { // Handle pings for 4via6 addresses regardless of ProcessSubnets
// The 4via6 route 10.1.1.0/24 siteid 7, and then the IP for _, subnets := range []bool{true, false} {
// 10.1.1.9 within that route. t.Run("ICMP6-4via6-ProcessSubnets-"+fmt.Sprint(subnets), func(t *testing.T) {
dst := netip.MustParseAddr("fd7a:115c:a1e0:b1a:0:7:a01:109") // The 4via6 route 10.1.1.0/24 siteid 7, and then the IP
expectedPingDst := netip.MustParseAddr("10.1.1.9") // 10.1.1.9 within that route.
icmph := packet.ICMP6Header{ dst := netip.MustParseAddr("fd7a:115c:a1e0:b1a:0:7:a01:109")
IP6Header: packet.IP6Header{ expectedPingDst := netip.MustParseAddr("10.1.1.9")
IPProto: ipproto.ICMPv6, icmph := packet.ICMP6Header{
Src: srcIP, IP6Header: packet.IP6Header{
Dst: dst, IPProto: ipproto.ICMPv6,
}, Src: srcIP,
Type: packet.ICMP6EchoRequest, Dst: dst,
Code: packet.ICMP6NoCode, },
} Type: packet.ICMP6EchoRequest,
_, payload := packet.ICMPEchoPayload(nil) Code: packet.ICMP6NoCode,
icmpPing := packet.Generate(icmph, payload) }
pkt := &packet.Parsed{} _, payload := packet.ICMPEchoPayload(nil)
pkt.Decode(icmpPing) icmpPing := packet.Generate(icmph, payload)
pkt := &packet.Parsed{}
impl := makeNetstack(t, func(impl *Impl) { pkt.Decode(icmpPing)
impl.ProcessSubnets = true
impl := makeNetstack(t, func(impl *Impl) {
impl.ProcessSubnets = subnets
})
pingDst, ok := impl.shouldHandlePing(pkt)
// Handled due to being 4via6
if !ok {
t.Errorf("expected shouldHandlePing==true")
} else if pingDst != expectedPingDst {
t.Errorf("got dst %s; want %s", pingDst, expectedPingDst)
}
}) })
pingDst, ok := impl.shouldHandlePing(pkt) }
// Handled due to being 4via6
if !ok {
t.Errorf("expected shouldHandlePing==true")
}
if pingDst != expectedPingDst {
t.Errorf("got dst %s; want %s", pingDst, expectedPingDst)
}
})
} }
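Review bot: The closure passed to `t.Run` inside the new `for _, subnets := range []bool{true, false}` loop captures the loop variable `subnets`, as does the callback given to `makeNetstack`. As written this is safe because the subtest runs synchronously, but on toolchains before Go 1.22 a later `t.Parallel()` would make both subtests observe the last value. Adding `subnets := subnets` as the first line of the loop body guards against that. The subtest name would also read more directly as `fmt.Sprintf("ICMP6-4via6-ProcessSubnets-%v", subnets)`. TestShouldHandlePing begins above the hunk.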
