net/interfaces: use IPv4 link local if nothing better

The only connectivity an AWS Lambda container has is an IPv4 link-local 169.254.x.x address using NAT: 12: vtarget_1@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 7e:1c:3f:00:00:00 brd ff:ff:ff:ff:ff:ff link-netnsid 1 inet 169.254.79.1/32 scope global vtarget_1 valid_lft forever preferred_lft forever If there are no other IPv4/v6 addresses available, and we are running in AWS Lambda, allow IPv4 169.254.x.x addresses to be used. ---- Similarly, a Google Cloud Run container's only connectivity is a Unique Local Address fddf:3978:feb1:d745::c001/128. If there are no other addresses available then allow IPv6 Unique Local Addresses to be used. We actually did this in an earlier release, but now refactor it to work the same way as the IPv4 link-local support is being done. Signed-off-by: Denton Gentry <dgentry@tailscale.com>
3 years ago · ad288baaea
parent 3687e5352b
commit ad288baaea
3 changed files with 60 additions and 10 deletions
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@ -22,6 +22,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck
        tailscale.com/derp/derpmap                                   from tailscale.com/cmd/tailscale/cli
        tailscale.com/disco                                          from tailscale.com/derp
+        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces
        tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli+
        tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
        tailscale.com/metrics                                        from tailscale.com/derp
@ -54,7 +55,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
-   L    tailscale.com/util/lineread                                  from tailscale.com/net/interfaces
+        tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@ -81,7 +81,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/derp/derpmap                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/disco                                          from tailscale.com/derp+
        tailscale.com/health                                         from tailscale.com/control/controlclient+
-   L    tailscale.com/hostinfo                                       from tailscale.com/control/controlclient
+        tailscale.com/hostinfo                                       from tailscale.com/control/controlclient+
        tailscale.com/internal/deephash                              from tailscale.com/ipn/ipnlocal+
        tailscale.com/ipn                                            from tailscale.com/ipn/ipnserver+
        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ipn/ipnserver+
@ -137,7 +137,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/dnsname                                   from tailscale.com/ipn/ipnstate+
  LW    tailscale.com/util/endian                                    from tailscale.com/net/netns+
        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
-   L    tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
+        tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
        tailscale.com/util/osshare                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
--- a/net/interfaces/interfaces.go
+++ b/net/interfaces/interfaces.go
@ -15,6 +15,7 @@ import (
 	"strings"

 	"inet.af/netaddr"
+	"tailscale.com/hostinfo"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tshttpproxy"
 )
@ -81,13 +82,16 @@ func isProblematicInterface(nif *net.Interface) bool {
 }

 // LocalAddresses returns the machine's IP addresses, separated by
-// whether they're loopback addresses.
+// whether they're loopback addresses. If there are no regular addresses
+// it will return any IPv4 linklocal or IPv6 unique local addresses because we
+// know of environments where these are used with NAT to provide connectivity.
 func LocalAddresses() (regular, loopback []netaddr.IP, err error) {
 	// TODO(crawshaw): don't serve interface addresses that we are routing
 	ifaces, err := net.Interfaces()
 	if err != nil {
 		return nil, nil, err
 	}
+	var regular4, regular6, linklocal4, ula6 []netaddr.IP
 	for i := range ifaces {
 		iface := &ifaces[i]
 		if !isUp(iface) || isProblematicInterface(iface) {
@ -117,17 +121,44 @@ func LocalAddresses() (regular, loopback []netaddr.IP, err error) {
 				if tsaddr.IsTailscaleIP(ip) {
 					continue
 				}
-				if ip.IsLinkLocalUnicast() {
-					continue
-				}
 				if ip.IsLoopback() || ifcIsLoopback {
 					loopback = append(loopback, ip)
+				} else if ip.IsLinkLocalUnicast() {
+					if ip.Is4() {
+						linklocal4 = append(linklocal4, ip)
+					}
+
+					// We know of no cases where the IPv6 fe80:: addresses
+					// are used to provide WAN connectivity. It is also very
+					// common for users to have no IPv6 WAN connectivity,
+					// but their OS supports IPv6 so they have an fe80::
+					// address. We don't want to report all of those
+					// IPv6 LL to Control.
+				} else if ip.Is6() && tsaddr.IsULA(ip) {
+					// Google Cloud Run uses NAT with IPv6 Unique
+					// Local Addresses to provide IPv6 connectivity.
+					ula6 = append(ula6, ip)
 				} else {
-					regular = append(regular, ip)
+					if ip.Is4() {
+						regular4 = append(regular4, ip)
+					} else {
+						regular6 = append(regular6, ip)
+					}
 				}
 			}
 		}
 	}
+	if len(regular4) == 0 && len(regular6) == 0 {
+		// if we have no usable IP addresses then be willing to accept
+		// addresses we otherwise wouldn't, like:
+		//   + 169.254.x.x (AWS Lambda uses NAT with these)
+		//   + IPv6 ULA (Google Cloud Run uses these with address translation)
+		if hostinfo.GetEnvType() == hostinfo.AWSLambda {
+			regular4 = linklocal4
+		}
+		regular6 = ula6
+	}
+	regular = append(regular4, regular6...)
 	sortIPs(regular)
 	sortIPs(loopback)
 	return regular, loopback, nil
@ -407,11 +438,11 @@ func GetState() (*State, error) {
 			return
 		}
 		for _, pfx := range pfxs {
-			if pfx.IP().IsLoopback() || pfx.IP().IsLinkLocalUnicast() {
+			if pfx.IP().IsLoopback() {
 				continue
 			}
 			s.HaveV6 = s.HaveV6 || isUsableV6(pfx.IP())
-			s.HaveV4 = s.HaveV4 || pfx.IP().Is4()
+			s.HaveV4 = s.HaveV4 || isUsableV4(pfx.IP())
 		}
 	}); err != nil {
 		return nil, err
@ -503,6 +534,24 @@ func isPrivateIP(ip netaddr.IP) bool {
 	return private1.Contains(ip) || private2.Contains(ip) || private3.Contains(ip)
 }

+// isUsableV4 reports whether ip is a usable IPv4 address which could
+// conceivably be used to get Internet connectivity. Globally routable and
+// private IPv4 addresses are always Usable, and link local 169.254.x.x
+// addresses are in some environments.
+func isUsableV4(ip netaddr.IP) bool {
+	if !ip.Is4() || ip.IsLoopback() {
+		return false
+	}
+	if ip.IsLinkLocalUnicast() {
+		return hostinfo.GetEnvType() == hostinfo.AWSLambda
+	}
+	return true
+}
+
+// isUsableV6 reports whether ip is a usable IPv6 address which could
+// conceivably be used to get Internet connectivity. Globally routable
+// IPv6 addresses are always Usable, and Unique Local Addresses
+// (fc00::/7) are in some environments used with address translation.
 func isUsableV6(ip netaddr.IP) bool {
 	return v6Global1.Contains(ip) ||
 		(tsaddr.IsULA(ip) && !tsaddr.TailscaleULARange().Contains(ip))