cmd/tailscale,ipn,net/netutil: remove rp_filter strict mode warnings (#18863)
PR #18860 adds firewall rules in the mangle table to save outbound packet marks to conntrack and restore them on reply packets before the routing decision. When reply packets have their marks restored, the kernel uses the correct routing table (based on the mark) and the packets pass the rp_filter check. This makes the risk check and reverse path filtering warnings unnecessary. Updates #3310 Fixes tailscale/corp#37846 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>
This commit is contained in:
Mike O'Driscoll
GitHub
@@ -4,13 +4,10 @@
|
||||
package cli
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"flag"
|
||||
"runtime"
|
||||
"strings"
|
||||
|
||||
"tailscale.com/ipn"
|
||||
"tailscale.com/util/prompt"
|
||||
"tailscale.com/util/testenv"
|
||||
)
|
||||
@@ -19,7 +16,6 @@ var (
|
||||
riskTypes []string
|
||||
riskLoseSSH = registerRiskType("lose-ssh")
|
||||
riskMacAppConnector = registerRiskType("mac-app-connector")
|
||||
riskStrictRPFilter = registerRiskType("linux-strict-rp-filter")
|
||||
riskAll = registerRiskType("all")
|
||||
)
|
||||
|
||||
@@ -72,18 +68,3 @@ func presentRiskToUser(riskType, riskMessage, acceptedRisks string) error {
|
||||
|
||||
return errAborted
|
||||
}
|
||||
|
||||
// checkExitNodeRisk checks if the user is using an exit node on Linux and
|
||||
// whether reverse path filtering is enabled. If so, it presents a risk message.
|
||||
func checkExitNodeRisk(ctx context.Context, prefs *ipn.Prefs, acceptedRisks string) error {
|
||||
if runtime.GOOS != "linux" {
|
||||
return nil
|
||||
}
|
||||
if !prefs.ExitNodeIP.IsValid() && prefs.ExitNodeID == "" {
|
||||
return nil
|
||||
}
|
||||
if err := localClient.CheckReversePathFiltering(ctx); err != nil {
|
||||
return presentRiskToUser(riskStrictRPFilter, err.Error(), acceptedRisks)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -193,9 +193,7 @@ func runSet(ctx context.Context, args []string) (retErr error) {
|
||||
}
|
||||
|
||||
warnOnAdvertiseRoutes(ctx, &maskedPrefs.Prefs)
|
||||
if err := checkExitNodeRisk(ctx, &maskedPrefs.Prefs, setArgs.acceptedRisks); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var advertiseExitNodeSet, advertiseRoutesSet bool
|
||||
setFlagSet.Visit(func(f *flag.Flag) {
|
||||
updateMaskedPrefsFromUpOrSetFlag(maskedPrefs, f.Name)
|
||||
|
||||
@@ -543,9 +543,6 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
|
||||
}
|
||||
|
||||
warnOnAdvertiseRoutes(ctx, prefs)
|
||||
if err := checkExitNodeRisk(ctx, prefs, upArgs.acceptedRisks); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
curPrefs, err := localClient.GetPrefs(ctx)
|
||||
if err != nil {
|
||||
@@ -834,7 +831,6 @@ func upWorthyWarning(s string) bool {
|
||||
return strings.Contains(s, healthmsg.TailscaleSSHOnBut) ||
|
||||
strings.Contains(s, healthmsg.WarnAcceptRoutesOff) ||
|
||||
strings.Contains(s, healthmsg.LockedOut) ||
|
||||
strings.Contains(s, healthmsg.WarnExitNodeUsage) ||
|
||||
strings.Contains(s, healthmsg.InMemoryTailnetLockState) ||
|
||||
strings.Contains(strings.ToLower(s), "update available: ")
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user