wgengine: plumb locally advertised subnet routes.

With this change, advertising subnet routes configures the
firewall correctly.

Signed-off-by: David Anderson <danderson@tailscale.com>

ipn/local.go

@@ -658,6 +658,8 @@ func (b *LocalBackend) blockEngineUpdates(block bool) {
 	b.mu.Unlock()
 }
 
+// authReconfig pushes a new configuration into wgengine, based on the
+// cached netmap and user prefs.
 func (b *LocalBackend) authReconfig() {
 	b.mu.Lock()
 	blocked := b.blocked
@@ -705,7 +707,7 @@ func (b *LocalBackend) authReconfig() {
 		log.Fatalf("WGCfg: %v", err)
 	}
 
-	err = b.e.Reconfig(cfg, dom)
+	err = b.e.Reconfig(cfg, dom, uc.AdvertiseRoutes)
 	if err == wgengine.ErrNoChanges {
 		return
 	}
@@ -734,7 +736,7 @@ func (b *LocalBackend) enterState(newState State) {
 		b.blockEngineUpdates(true)
 		fallthrough
 	case Stopped:
-		err := b.e.Reconfig(&wgcfg.Config{}, nil)
+		err := b.e.Reconfig(&wgcfg.Config{}, nil, nil)
 		if err != nil {
 			b.logf("Reconfig(down): %v", err)
 		}
@@ -810,7 +812,7 @@ func (b *LocalBackend) stateMachine() {
 
 func (b *LocalBackend) stopEngineAndWait() {
 	b.logf("stopEngineAndWait...")
-	b.e.Reconfig(&wgcfg.Config{}, nil)
+	b.e.Reconfig(&wgcfg.Config{}, nil, nil)
 	b.requestEngineStatusAndWait()
 	b.logf("stopEngineAndWait: done.")
 }

wgengine/userspace.go

@@ -328,7 +328,12 @@ func (e *userspaceEngine) pinger(peerKey wgcfg.Key, ips []wgcfg.IP) {
 // However, we don't actually ever provide it to wireguard and it's not in
 // the traditional wireguard config format. On the other hand, wireguard
 // itself doesn't use the traditional 'dns =' setting either.
-func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, dnsDomains []string) error {
+//
+// TODO(danderson): this function signature is starting to get out of
+// hand. Feels like we either need a wgengine.Config type, or make
+// router and wgengine siblings of each other that interact via glue
+// in ipn.
+func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, dnsDomains []string, localRoutes []wgcfg.CIDR) error {
 	e.wgLock.Lock()
 	defer e.wgLock.Unlock()
 
@@ -381,12 +386,11 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, dnsDomains []string) error
 	}
 
 	rs := router.RouteSettings{
-		LocalAddr:  cidr,
+		LocalAddr:    cidr,
-		Cfg:        cfg,
+		Cfg:          cfg,
-		DNS:        cfg.DNS,
+		DNS:          cfg.DNS,
-		DNSDomains: dnsDomains,
+		DNSDomains:   dnsDomains,
-		// HACK HACK HACK DO NOT SUBMIT just testing before further plumbing
+		SubnetRoutes: localRoutes,
-		SubnetRoutes: []wgcfg.CIDR{{IP: wgcfg.IPv4(192, 168, 17, 0), Mask: 24}},
 	}
 
 	// TODO(apenwarr): all the parts of RouteSettings should be "relevant."

wgengine/watchdog.go

@@ -61,8 +61,8 @@ func (e *watchdogEngine) watchdog(name string, fn func()) {
 	})
 }
 
-func (e *watchdogEngine) Reconfig(cfg *wgcfg.Config, dnsDomains []string) error {
+func (e *watchdogEngine) Reconfig(cfg *wgcfg.Config, dnsDomains []string, localRoutes []wgcfg.CIDR) error {
-	return e.watchdogErr("Reconfig", func() error { return e.wrap.Reconfig(cfg, dnsDomains) })
+	return e.watchdogErr("Reconfig", func() error { return e.wrap.Reconfig(cfg, dnsDomains, localRoutes) })
 }
 func (e *watchdogEngine) GetFilter() *filter.Filter {
 	var x *filter.Filter

wgengine/wgengine.go

@@ -59,7 +59,7 @@ type Engine interface {
 	// sends an updated network map.
 	//
 	// The returned error is ErrNoChanges if no changes were made.
-	Reconfig(cfg *wgcfg.Config, dnsDomains []string) error
+	Reconfig(cfg *wgcfg.Config, dnsDomains []string, localSubnets []wgcfg.CIDR) error
 
 	// GetFilter returns the current packet filter, if any.
 	GetFilter() *filter.Filter