net/netns: set the bypass socket mark on linux.

This allows tailscaled's own traffic to bypass Tailscale-managed routes,
so that things like tailscale-provided default routes don't break
tailscaled itself.

Progress on #144.

Signed-off-by: David Anderson <danderson@tailscale.com>
pull/427/head
David Anderson 5 years ago committed by Dave Anderson
parent 3fa58303d0
commit 5114df415e

@ -15,9 +15,14 @@ import (
"time" "time"
"tailscale.com/derp" "tailscale.com/derp"
"tailscale.com/net/netns"
"tailscale.com/types/key" "tailscale.com/types/key"
) )
func init() {
netns.TestOnlySkipPrivilegedOps()
}
func TestSendRecv(t *testing.T) { func TestSendRecv(t *testing.T) {
const numClients = 3 const numClients = 3
var serverPrivateKey key.Private var serverPrivateKey key.Private

@ -16,11 +16,16 @@ import (
"time" "time"
"tailscale.com/net/interfaces" "tailscale.com/net/interfaces"
"tailscale.com/net/netns"
"tailscale.com/net/stun" "tailscale.com/net/stun"
"tailscale.com/net/stun/stuntest" "tailscale.com/net/stun/stuntest"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
) )
func init() {
netns.TestOnlySkipPrivilegedOps()
}
func TestHairpinSTUN(t *testing.T) { func TestHairpinSTUN(t *testing.T) {
tx := stun.NewTxID() tx := stun.NewTxID()
c := &Client{ c := &Client{

@ -13,9 +13,12 @@ package netns
import ( import (
"net" "net"
"syscall"
"tailscale.com/syncs"
) )
var skipPrivileged syncs.AtomicBool
// Listener returns a new net.Listener with its Control hook func // Listener returns a new net.Listener with its Control hook func
// initialized as necessary to run in logical network namespace that // initialized as necessary to run in logical network namespace that
// doesn't route back into Tailscale. // doesn't route back into Tailscale.
@ -30,11 +33,9 @@ func Dialer() *net.Dialer {
return &net.Dialer{Control: control} return &net.Dialer{Control: control}
} }
// control marks c as necessary to dial in a separate network namespace. // TestOnlySkipPrivilegedOps disables any behavior in this package
// // that requires root or other elevated privileges. It's used only in
// It's intentionally the same signature as net.Dialer.Control // tests, and using it definitely breaks some Tailscale functionality.
// and net.ListenConfig.Control. func TestOnlySkipPrivilegedOps() {
func control(network, address string, c syscall.RawConn) error { skipPrivileged.Set(true)
// TODO: implement
return nil
} }

@ -0,0 +1,14 @@
// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// +build !linux
package netns
import "syscall"
// control does nothing to c.
func control(network, address string, c syscall.RawConn) error {
return nil
}

@ -0,0 +1,46 @@
// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// +build linux
package netns
import (
"fmt"
"syscall"
"golang.org/x/sys/unix"
)
// tailscaleBypassMark is the mark indicating that packets originating
// from a socket should bypass Tailscale-managed routes during routing
// table lookups.
//
// Keep this in sync with tailscaleBypassMark in
// wgengine/router/router_linux.go.
const tailscaleBypassMark = 0x20000
// control marks c as necessary to dial in a separate network namespace.
//
// It's intentionally the same signature as net.Dialer.Control
// and net.ListenConfig.Control.
func control(network, address string, c syscall.RawConn) error {
if skipPrivileged.Get() {
// We can't set socket marks without CAP_NET_ADMIN on linux,
// skip as requested.
return nil
}
var controlErr error
err := c.Control(func(fd uintptr) {
controlErr = unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_MARK, tailscaleBypassMark)
})
if err != nil {
return fmt.Errorf("setting socket mark: %w", err)
}
if controlErr != nil {
return fmt.Errorf("setting socket mark: %w", controlErr)
}
return nil
}

@ -26,6 +26,7 @@ import (
"tailscale.com/derp" "tailscale.com/derp"
"tailscale.com/derp/derphttp" "tailscale.com/derp/derphttp"
"tailscale.com/derp/derpmap" "tailscale.com/derp/derpmap"
"tailscale.com/net/netns"
"tailscale.com/net/stun/stuntest" "tailscale.com/net/stun/stuntest"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
"tailscale.com/tstest" "tailscale.com/tstest"
@ -35,6 +36,10 @@ import (
"tailscale.com/wgengine/tstun" "tailscale.com/wgengine/tstun"
) )
func init() {
netns.TestOnlySkipPrivilegedOps()
}
// WaitReady waits until the magicsock is entirely initialized and connected // WaitReady waits until the magicsock is entirely initialized and connected
// to its home DERP server. This is normally not necessary, since magicsock // to its home DERP server. This is normally not necessary, since magicsock
// is intended to be entirely asynchronous, but it helps eliminate race // is intended to be entirely asynchronous, but it helps eliminate race

@ -44,6 +44,9 @@ const (
tailscaleSubnetRouteMark = "0x10000" tailscaleSubnetRouteMark = "0x10000"
// Packet was originated by tailscaled itself, and must not be // Packet was originated by tailscaled itself, and must not be
// routed over the Tailscale network. // routed over the Tailscale network.
//
// Keep this in sync with tailscaleBypassMark in
// net/netns/netns_linux.go.
tailscaleBypassMark = "0x20000" tailscaleBypassMark = "0x20000"
) )

@ -11,10 +11,15 @@ import (
"testing" "testing"
"time" "time"
"tailscale.com/net/netns"
"tailscale.com/wgengine/router" "tailscale.com/wgengine/router"
"tailscale.com/wgengine/tstun" "tailscale.com/wgengine/tstun"
) )
func init() {
netns.TestOnlySkipPrivilegedOps()
}
func TestWatchdog(t *testing.T) { func TestWatchdog(t *testing.T) {
t.Parallel() t.Parallel()

Loading…
Cancel
Save