tailcfg, wgengine/magicsock: disable all UDP relay usage if disable-relay-client is set (#16492)

If the NodeAttrDisableRelayClient node attribute is set, ensures that a node cannot allocate endpoints on a UDP relay server itself, and cannot use newly-discovered paths (via disco/CallMeMaybeVia) that traverse a UDP relay server. Fixes tailscale/corp#30180 Signed-off-by: Dylan Bargatze <dylan@tailscale.com>
5 months ago · d40b25326c
parent ff1803158a
commit d40b25326c
2 changed files with 19 additions and 9 deletions
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@ -2607,14 +2607,16 @@ const (
 	// only needs to be present in [NodeCapMap] to take effect.
 	NodeAttrDisableRelayServer NodeCapability = "disable-relay-server"
-	// NodeAttrDisableRelayClient prevents the node from allocating UDP relay
+	// NodeAttrDisableRelayClient prevents the node from both allocating UDP
-	// server endpoints itself; the node may still bind into and relay traffic
+	// relay server endpoints itself, and from using endpoints allocated by
-	// using endpoints allocated by its peers. This attribute can be added to
+	// its peers. This attribute can be added to the node dynamically; if added
-	// the node dynamically; if added while the node is already running, the
+	// while the node is already running, the node will be unable to allocate
-	// node will be unable to allocate UDP relay server endpoints after it next
+	// endpoints after it next updates its network map, and will be immediately
-	// updates its network map. There are no expected values for this key in
+	// unable to use new paths via a UDP relay server. Setting this attribute
-	// [NodeCapMap]; the key only needs to be present in [NodeCapMap] to take
+	// dynamically does not remove any existing paths, including paths that
-	// effect.
+	// traverse a UDP relay server. There are no expected values for this key
 	// in [NodeCapMap]; the key only needs to be present in [NodeCapMap] to
 	// take effect.
 	NodeAttrDisableRelayClient NodeCapability = "disable-relay-client"
 	// NodeAttrMagicDNSPeerAAAA is a capability that tells the node's MagicDNS
--- a/wgengine/magicsock/magicsock.go
+++ b/wgengine/magicsock/magicsock.go
@ -355,7 +355,7 @@ type Conn struct {
 	self               tailcfg.NodeView              // from last onNodeViewsUpdate
 	peers              views.Slice[tailcfg.NodeView] // from last onNodeViewsUpdate, sorted by Node.ID; Note: [netmap.NodeMutation]'s rx'd in onNodeMutationsUpdate are never applied
 	filt               *filter.Filter                // from last onFilterUpdate
-	relayClientEnabled bool                          // whether we can allocate UDP relay endpoints on UDP relay servers
+	relayClientEnabled bool                          // whether we can allocate UDP relay endpoints on UDP relay servers or receive CallMeMaybeVia messages from peers
 	lastFlags          debugFlags                    // at time of last onNodeViewsUpdate
 	privateKey         key.NodePrivate               // WireGuard private key for this node
 	everHadKey         bool                          // whether we ever had a non-zero private key
@ -2149,6 +2149,14 @@ func (c *Conn) handleDiscoMessage(msg []byte, src epAddr, shouldBeRelayHandshake
 			c.logf("magicsock: disco: ignoring %s from %v; %v is unknown", msgType, sender.ShortString(), derpNodeSrc.ShortString())
 			return
 		}
 		// If the "disable-relay-client" node attr is set for this node, it
 		// can't be a UDP relay client, so drop any CallMeMaybeVia messages it
 		// receives.
 		if isVia && !c.relayClientEnabled {
 			c.logf("magicsock: disco: ignoring %s from %v; disable-relay-client node attr is set", msgType, sender.ShortString())
 			return
 		}
 		ep.mu.Lock()
 		relayCapable := ep.relayCapable
 		lastBest := ep.bestAddr