// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. // +build !ios // (https://github.com/tailscale/tailscale/issues/2495) package portmapper import ( "context" "fmt" "math/rand" "net/url" "time" "github.com/tailscale/goupnp/dcps/internetgateway2" "inet.af/netaddr" "tailscale.com/control/controlknobs" ) // References: // // WANIP Connection v2: http://upnp.org/specs/gw/UPnP-gw-WANIPConnection-v2-Service.pdf // upnpMapping is a port mapping over the upnp protocol. After being created it is immutable, // but the client field may be shared across mapping instances. type upnpMapping struct { gw netaddr.IP external netaddr.IPPort internal netaddr.IPPort goodUntil time.Time renewAfter time.Time // client is a connection to a upnp device, and may be reused across different UPnP mappings. client upnpClient } func (u *upnpMapping) GoodUntil() time.Time { return u.goodUntil } func (u *upnpMapping) RenewAfter() time.Time { return u.renewAfter } func (u *upnpMapping) External() netaddr.IPPort { return u.external } func (u *upnpMapping) Release(ctx context.Context) { u.client.DeletePortMapping(ctx, "", u.external.Port(), "udp") } // upnpClient is an interface over the multiple different clients exported by goupnp, // exposing the functions we need for portmapping. They are auto-generated from XML-specs. type upnpClient interface { AddPortMapping( ctx context.Context, // remoteHost is the remote device sending packets to this device, in the format of x.x.x.x. // The empty string, "", means any host out on the internet can send packets in. remoteHost string, // externalPort is the exposed port of this port mapping. Visible during NAT operations. // 0 will let the router select the port, but there is an additional call, // `AddAnyPortMapping`, which is available on 1 of the 3 possible protocols, // which should be used if available. See `addAnyPortMapping` below, which calls this if // `AddAnyPortMapping` is not supported. externalPort uint16, // protocol is whether this is over TCP or UDP. Either "tcp" or "udp". protocol string, // internalPort is the port that the gateway device forwards the traffic to. internalPort uint16, // internalClient is the IP address that packets will be forwarded to for this mapping. // Internal client is of the form "x.x.x.x". internalClient string, // enabled is whether this portmapping should be enabled or disabled. enabled bool, // portMappingDescription is a user-readable description of this portmapping. portMappingDescription string, // leaseDurationSec is the duration of this portmapping. The value of this argument must be // greater than 0. From the spec, it appears if it is set to 0, it will switch to using // 604800 seconds, but not sure why this is desired. The recommended time is 3600 seconds. leaseDurationSec uint32, ) (err error) DeletePortMapping(ctx context.Context, remoteHost string, externalPort uint16, protocol string) error GetExternalIPAddress(ctx context.Context) (externalIPAddress string, err error) } // tsPortMappingDesc gets sent to UPnP clients as a human-readable label for the portmapping. // It is not used for anything other than labelling. const tsPortMappingDesc = "tailscale-portmap" // addAnyPortMapping abstracts over different UPnP client connections, calling the available // AddAnyPortMapping call if available for WAN IP connection v2, otherwise defaulting to the old // behavior of calling AddPortMapping with port = 0 to specify a wildcard port. // It returns the new external port (which may not be identical to the external port specified), // or an error. func addAnyPortMapping( ctx context.Context, upnp upnpClient, externalPort uint16, internalPort uint16, internalClient string, leaseDuration time.Duration, ) (newPort uint16, err error) { if upnp, ok := upnp.(*internetgateway2.WANIPConnection2); ok { return upnp.AddAnyPortMapping( ctx, "", externalPort, "udp", internalPort, internalClient, true, tsPortMappingDesc, uint32(leaseDuration.Seconds()), ) } for externalPort == 0 { externalPort = uint16(rand.Intn(65535)) } err = upnp.AddPortMapping( ctx, "", externalPort, "udp", internalPort, internalClient, true, tsPortMappingDesc, uint32(leaseDuration.Seconds()), ) return externalPort, err } // getUPnPClients gets a client for interfacing with UPnP, ignoring the underlying protocol for // now. // Adapted from https://github.com/huin/goupnp/blob/master/GUIDE.md. func getUPnPClient(ctx context.Context, gw netaddr.IP) (upnpClient, error) { if controlknobs.DisableUPnP() { return nil, nil } ctx, cancel := context.WithTimeout(ctx, 250*time.Millisecond) defer cancel() // Attempt to connect over the multiple available connection types concurrently, // returning the fastest. // TODO(jknodt): this url seems super brittle? maybe discovery is better but this is faster u, err := url.Parse(fmt.Sprintf("http://%s:5000/rootDesc.xml", gw)) if err != nil { return nil, err } clients := make(chan upnpClient, 3) go func() { var err error ip1Clients, err := internetgateway2.NewWANIPConnection1ClientsByURL(ctx, u) if err == nil && len(ip1Clients) > 0 { clients <- ip1Clients[0] } }() go func() { ip2Clients, err := internetgateway2.NewWANIPConnection2ClientsByURL(ctx, u) if err == nil && len(ip2Clients) > 0 { clients <- ip2Clients[0] } }() go func() { ppp1Clients, err := internetgateway2.NewWANPPPConnection1ClientsByURL(ctx, u) if err == nil && len(ppp1Clients) > 0 { clients <- ppp1Clients[0] } }() select { case client := <-clients: return client, nil case <-ctx.Done(): return nil, ctx.Err() } } // getUPnPPortMapping attempts to create a port-mapping over the UPnP protocol. On success, // it will return the externally exposed IP and port. Otherwise, it will return a zeroed IP and // port and an error. func (c *Client) getUPnPPortMapping( ctx context.Context, gw netaddr.IP, internal netaddr.IPPort, prevPort uint16, ) (external netaddr.IPPort, ok bool) { if controlknobs.DisableUPnP() { return netaddr.IPPort{}, false } now := time.Now() upnp := &upnpMapping{ gw: gw, internal: internal, } var client upnpClient var err error c.mu.Lock() oldMapping, ok := c.mapping.(*upnpMapping) c.mu.Unlock() if ok && oldMapping != nil { client = oldMapping.client } else { client, err = getUPnPClient(ctx, gw) if err != nil { return netaddr.IPPort{}, false } } if client == nil { return netaddr.IPPort{}, false } var newPort uint16 newPort, err = addAnyPortMapping( ctx, client, prevPort, internal.Port(), internal.IP().String(), time.Second*pmpMapLifetimeSec, ) if err != nil { return netaddr.IPPort{}, false } // TODO cache this ip somewhere? extIP, err := client.GetExternalIPAddress(ctx) if err != nil { // TODO this doesn't seem right return netaddr.IPPort{}, false } externalIP, err := netaddr.ParseIP(extIP) if err != nil { return netaddr.IPPort{}, false } upnp.external = netaddr.IPPortFrom(externalIP, newPort) d := time.Duration(pmpMapLifetimeSec) * time.Second upnp.goodUntil = now.Add(d) upnp.renewAfter = now.Add(d / 2) upnp.client = client c.mu.Lock() defer c.mu.Unlock() c.mapping = upnp c.localPort = newPort return upnp.external, true }