archive
/
tailscale
mirror of https://github.com/tailscale/tailscale/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge 37a946a6e1 into f8cd07fb8a

Browse Source
Tom Proctor 18 hours ago committed by GitHub
parent f8cd07fb8a 37a946a6e1
commit 07fcc4ec09
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 85 additions and 43 deletions
Show Stats Download Patch File Download Diff File

36
cmd/containerboot/egressservices.go
Unescape Escape View File

@ -27,7 +27,6 @@ import (
"tailscale.com/kube/egressservices" "tailscale.com/kube/egressservices"
"tailscale.com/kube/kubeclient" "tailscale.com/kube/kubeclient"
"tailscale.com/kube/kubetypes" "tailscale.com/kube/kubetypes"
"tailscale.com/tailcfg"
"tailscale.com/util/httpm" "tailscale.com/util/httpm"
"tailscale.com/util/linuxfw" "tailscale.com/util/linuxfw"
"tailscale.com/util/mak" "tailscale.com/util/mak"
@ -477,30 +476,23 @@ func (ep *egressProxy) tailnetTargetIPsForSvc(svc egressservices.Config, n ipn.N
log.Printf("netmap is not available, unable to determine backend addresses for %s", svc.TailnetTarget.FQDN) log.Printf("netmap is not available, unable to determine backend addresses for %s", svc.TailnetTarget.FQDN)
return addrs, nil return addrs, nil
} }
var ( egressAddrs, err := resolveTailnetFQDN(n.NetMap, svc.TailnetTarget.FQDN)
node tailcfg.NodeView if err != nil || len(egressAddrs) == 0 {
nodeFound bool log.Printf("tailnet target %q does not have any backend addresses, skipping", svc.TailnetTarget.FQDN)
) return addrs, nil
for _, nn := range n.NetMap.Peers {
if equalFQDNs(nn.Name(), svc.TailnetTarget.FQDN) {
node = nn
nodeFound = true
break
}
} }
if nodeFound {
for _, addr := range node.Addresses().AsSlice() { for _, addr := range egressAddrs {
if addr.Addr().Is6() && !ep.nfr.HasIPV6NAT() { if addr.Addr().Is6() && !ep.nfr.HasIPV6NAT() {
log.Printf("tailnet target %v is an IPv6 address, but this host does not support IPv6 in the chosen firewall mode, skipping.", addr.Addr().String()) log.Printf("tailnet target %v is an IPv6 address, but this host does not support IPv6 in the chosen firewall mode, skipping.", addr.Addr().String())
continue continue
}
addrs = append(addrs, addr.Addr())
} }
// Egress target endpoints configured via FQDN are stored, so addrs = append(addrs, addr.Addr())
// that we can determine if a netmap update should trigger a
// resync.
mak.Set(&ep.targetFQDNs, svc.TailnetTarget.FQDN, node.Addresses().AsSlice())
} }
// Egress target endpoints configured via FQDN are stored, so
// that we can determine if a netmap update should trigger a
// resync.
mak.Set(&ep.targetFQDNs, svc.TailnetTarget.FQDN, egressAddrs)
return addrs, nil return addrs, nil
} }

88
cmd/containerboot/main.go
Unescape Escape View File

@ -127,8 +127,10 @@ import (
"tailscale.com/kube/services" "tailscale.com/kube/services"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
"tailscale.com/types/logger" "tailscale.com/types/logger"
"tailscale.com/types/netmap"
"tailscale.com/types/ptr" "tailscale.com/types/ptr"
"tailscale.com/util/deephash" "tailscale.com/util/deephash"
"tailscale.com/util/dnsname"
"tailscale.com/util/linuxfw" "tailscale.com/util/linuxfw"
) )
@ -526,27 +528,14 @@ runLoop:
} }
} }
if cfg.TailnetTargetFQDN != "" { if cfg.TailnetTargetFQDN != "" {
var ( egressAddrs, err := resolveTailnetFQDN(n.NetMap, cfg.TailnetTargetFQDN)
egressAddrs []netip.Prefix if err != nil {
newCurentEgressIPs deephash.Sum log.Print(err.Error())
egressIPsHaveChanged bool
node tailcfg.NodeView
nodeFound bool
)
for _, n := range n.NetMap.Peers {
if strings.EqualFold(n.Name(), cfg.TailnetTargetFQDN) {
node = n
nodeFound = true
break
}
}
if !nodeFound {
log.Printf("Tailscale node %q not found; it either does not exist, or not reachable because of ACLs", cfg.TailnetTargetFQDN)
break break
} }
egressAddrs = node.Addresses().AsSlice()
newCurentEgressIPs = deephash.Hash(&egressAddrs) newCurentEgressIPs := deephash.Hash(&egressAddrs)
egressIPsHaveChanged = newCurentEgressIPs != currentEgressIPs egressIPsHaveChanged := newCurentEgressIPs != currentEgressIPs
// The firewall rules get (re-)installed: // The firewall rules get (re-)installed:
// - on startup // - on startup
// - when the tailnet IPs of the tailnet target have changed // - when the tailnet IPs of the tailnet target have changed
@ -892,3 +881,64 @@ func runHTTPServer(mux *http.ServeMux, addr string) (close func() error) {
return errors.Join(err, ln.Close()) return errors.Join(err, ln.Close())
} }
} }
// resolveTailnetFQDN resolves a tailnet FQDN to a list of IP prefixes, which
// can be either a peer device or a Tailscale Service.
func resolveTailnetFQDN(nm *netmap.NetworkMap, fqdn string) ([]netip.Prefix, error) {
// Check all peer devices first.
for _, p := range nm.Peers {
if strings.EqualFold(p.Name(), fqdn) {
return p.Addresses().AsSlice(), nil
}
}
// If not found yet, check for a matching Tailscale Service.
dnsFQDN, err := dnsname.ToFQDN(fqdn)
if err != nil {
return nil, fmt.Errorf("error parsing %q as FQDN: %w", fqdn, err)
}
if svcIPs := serviceIPsFromNetMap(nm, dnsFQDN); len(svcIPs) != 0 {
return svcIPs, nil
}
return nil, fmt.Errorf("could not find Tailscale node or service %q; it either does not exist, or not reachable because of ACLs", fqdn)
}
// serviceIPsFromNetMap returns all IPs of a Tailscale Service if its FQDN is
// found in the netmap. Note that Tailscale Services are not a first-class
// object in the netmap, so we guess based on DNS ExtraRecords and AllowedIPs.
func serviceIPsFromNetMap(nm *netmap.NetworkMap, fqdn dnsname.FQDN) []netip.Prefix {
var extraRecords []tailcfg.DNSRecord
for _, rec := range nm.DNS.ExtraRecords {
recFQDN, err := dnsname.ToFQDN(rec.Name)
if err != nil {
continue
}
if strings.EqualFold(fqdn.WithTrailingDot(), recFQDN.WithTrailingDot()) {
extraRecords = append(extraRecords, rec)
}
}
if len(extraRecords) == 0 {
return nil
}
// Validate we can see a peer advertising the Tailscale Service.
var prefixes []netip.Prefix
for _, extraRecord := range extraRecords {
ip, err := netip.ParseAddr(extraRecord.Value)
if err != nil {
continue
}
ipPrefix := netip.PrefixFrom(ip, ip.BitLen())
for _, ps := range nm.Peers {
for _, allowedIP := range ps.AllowedIPs().All() {
if allowedIP == ipPrefix {
prefixes = append(prefixes, ipPrefix)
}
}
}
}
return prefixes
}

4
cmd/tailscale/cli/configure-kube.go
Unescape Escape View File

@ -247,7 +247,7 @@ func nodeOrServiceDNSNameFromArg(st *ipnstate.Status, nm *netmap.NetworkMap, arg
} }
// If not found, check for a Tailscale Service DNS name. // If not found, check for a Tailscale Service DNS name.
rec, ok := serviceDNSRecordFromNetMap(nm, st.CurrentTailnet.MagicDNSSuffix, arg) rec, ok := serviceDNSRecordFromNetMap(nm, arg)
if !ok { if !ok {
return "", fmt.Errorf("no peer found for %q", arg) return "", fmt.Errorf("no peer found for %q", arg)
} }
@ -287,7 +287,7 @@ func getNetMap(ctx context.Context) (*netmap.NetworkMap, error) {
return n.NetMap, nil return n.NetMap, nil
} }
func serviceDNSRecordFromNetMap(nm *netmap.NetworkMap, tcd, arg string) (rec tailcfg.DNSRecord, ok bool) { func serviceDNSRecordFromNetMap(nm *netmap.NetworkMap, arg string) (rec tailcfg.DNSRecord, ok bool) {
argIP, _ := netip.ParseAddr(arg) argIP, _ := netip.ParseAddr(arg)
argFQDN, err := dnsname.ToFQDN(arg) argFQDN, err := dnsname.ToFQDN(arg)
argFQDNValid := err == nil argFQDNValid := err == nil

Write Preview
Loading…
Cancel
Save