appc,feature/conn25,net: Add DNS response interception for conn25
The new version of app connector (conn25) needs to read DNS responses for domains it is interested in and store and swap out IP addresses. Add a hook to dns manager to enable this. Give the conn25 updated netmaps so that it knows when to assign connecting addresses and from what pool. Assign an address when we see a DNS response for a domain we are interested in, but don't do anything with the address yet. Updates tailscale/corp#34252 Signed-off-by: Fran Bull <fran@tailscale.com>
This commit is contained in:
Fran Bull
-101
@@ -5,9 +5,7 @@ package appc
|
||||
|
||||
import (
|
||||
"cmp"
|
||||
"net/netip"
|
||||
"slices"
|
||||
"sync"
|
||||
|
||||
"tailscale.com/tailcfg"
|
||||
"tailscale.com/types/appctype"
|
||||
@@ -15,105 +13,6 @@ import (
|
||||
"tailscale.com/util/set"
|
||||
)
|
||||
|
||||
// Conn25 holds the developing state for the as yet nascent next generation app connector.
|
||||
// There is currently (2025-12-08) no actual app connecting functionality.
|
||||
type Conn25 struct {
|
||||
mu sync.Mutex
|
||||
transitIPs map[tailcfg.NodeID]map[netip.Addr]netip.Addr
|
||||
}
|
||||
|
||||
const dupeTransitIPMessage = "Duplicate transit address in ConnectorTransitIPRequest"
|
||||
|
||||
// HandleConnectorTransitIPRequest creates a ConnectorTransitIPResponse in response to a ConnectorTransitIPRequest.
|
||||
// It updates the connectors mapping of TransitIP->DestinationIP per peer (tailcfg.NodeID).
|
||||
// If a peer has stored this mapping in the connector Conn25 will route traffic to TransitIPs to DestinationIPs for that peer.
|
||||
func (c *Conn25) HandleConnectorTransitIPRequest(nid tailcfg.NodeID, ctipr ConnectorTransitIPRequest) ConnectorTransitIPResponse {
|
||||
resp := ConnectorTransitIPResponse{}
|
||||
seen := map[netip.Addr]bool{}
|
||||
for _, each := range ctipr.TransitIPs {
|
||||
if seen[each.TransitIP] {
|
||||
resp.TransitIPs = append(resp.TransitIPs, TransitIPResponse{
|
||||
Code: OtherFailure,
|
||||
Message: dupeTransitIPMessage,
|
||||
})
|
||||
continue
|
||||
}
|
||||
tipresp := c.handleTransitIPRequest(nid, each)
|
||||
seen[each.TransitIP] = true
|
||||
resp.TransitIPs = append(resp.TransitIPs, tipresp)
|
||||
}
|
||||
return resp
|
||||
}
|
||||
|
||||
func (c *Conn25) handleTransitIPRequest(nid tailcfg.NodeID, tipr TransitIPRequest) TransitIPResponse {
|
||||
c.mu.Lock()
|
||||
defer c.mu.Unlock()
|
||||
if c.transitIPs == nil {
|
||||
c.transitIPs = make(map[tailcfg.NodeID]map[netip.Addr]netip.Addr)
|
||||
}
|
||||
peerMap, ok := c.transitIPs[nid]
|
||||
if !ok {
|
||||
peerMap = make(map[netip.Addr]netip.Addr)
|
||||
c.transitIPs[nid] = peerMap
|
||||
}
|
||||
peerMap[tipr.TransitIP] = tipr.DestinationIP
|
||||
return TransitIPResponse{}
|
||||
}
|
||||
|
||||
func (c *Conn25) transitIPTarget(nid tailcfg.NodeID, tip netip.Addr) netip.Addr {
|
||||
c.mu.Lock()
|
||||
defer c.mu.Unlock()
|
||||
return c.transitIPs[nid][tip]
|
||||
}
|
||||
|
||||
// TransitIPRequest details a single TransitIP allocation request from a client to a
|
||||
// connector.
|
||||
type TransitIPRequest struct {
|
||||
// TransitIP is the intermediate destination IP that will be received at this
|
||||
// connector and will be replaced by DestinationIP when performing DNAT.
|
||||
TransitIP netip.Addr `json:"transitIP,omitzero"`
|
||||
|
||||
// DestinationIP is the final destination IP that connections to the TransitIP
|
||||
// should be mapped to when performing DNAT.
|
||||
DestinationIP netip.Addr `json:"destinationIP,omitzero"`
|
||||
}
|
||||
|
||||
// ConnectorTransitIPRequest is the request body for a PeerAPI request to
|
||||
// /connector/transit-ip and can include zero or more TransitIP allocation requests.
|
||||
type ConnectorTransitIPRequest struct {
|
||||
// TransitIPs is the list of requested mappings.
|
||||
TransitIPs []TransitIPRequest `json:"transitIPs,omitempty"`
|
||||
}
|
||||
|
||||
// TransitIPResponseCode appears in TransitIPResponse and signifies success or failure status.
|
||||
type TransitIPResponseCode int
|
||||
|
||||
const (
|
||||
// OK indicates that the mapping was created as requested.
|
||||
OK TransitIPResponseCode = 0
|
||||
|
||||
// OtherFailure indicates that the mapping failed for a reason that does not have
|
||||
// another relevant [TransitIPResponsecode].
|
||||
OtherFailure TransitIPResponseCode = 1
|
||||
)
|
||||
|
||||
// TransitIPResponse is the response to a TransitIPRequest
|
||||
type TransitIPResponse struct {
|
||||
// Code is an error code indicating success or failure of the [TransitIPRequest].
|
||||
Code TransitIPResponseCode `json:"code,omitzero"`
|
||||
// Message is an error message explaining what happened, suitable for logging but
|
||||
// not necessarily suitable for displaying in a UI to non-technical users. It
|
||||
// should be empty when [Code] is [OK].
|
||||
Message string `json:"message,omitzero"`
|
||||
}
|
||||
|
||||
// ConnectorTransitIPResponse is the response to a ConnectorTransitIPRequest
|
||||
type ConnectorTransitIPResponse struct {
|
||||
// TransitIPs is the list of outcomes for each requested mapping. Elements
|
||||
// correspond to the order of [ConnectorTransitIPRequest.TransitIPs].
|
||||
TransitIPs []TransitIPResponse `json:"transitIPs,omitempty"`
|
||||
}
|
||||
|
||||
const AppConnectorsExperimentalAttrName = "tailscale.com/app-connectors-experimental"
|
||||
|
||||
// PickSplitDNSPeers looks at the netmap peers capabilities and finds which peers
|
||||
|
||||
@@ -5,7 +5,6 @@ package appc
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"net/netip"
|
||||
"reflect"
|
||||
"testing"
|
||||
|
||||
@@ -14,183 +13,6 @@ import (
|
||||
"tailscale.com/types/opt"
|
||||
)
|
||||
|
||||
// TestHandleConnectorTransitIPRequestZeroLength tests that if sent a
|
||||
// ConnectorTransitIPRequest with 0 TransitIPRequests, we respond with a
|
||||
// ConnectorTransitIPResponse with 0 TransitIPResponses.
|
||||
func TestHandleConnectorTransitIPRequestZeroLength(t *testing.T) {
|
||||
c := &Conn25{}
|
||||
req := ConnectorTransitIPRequest{}
|
||||
nid := tailcfg.NodeID(1)
|
||||
|
||||
resp := c.HandleConnectorTransitIPRequest(nid, req)
|
||||
if len(resp.TransitIPs) != 0 {
|
||||
t.Fatalf("n TransitIPs in response: %d, want 0", len(resp.TransitIPs))
|
||||
}
|
||||
}
|
||||
|
||||
// TestHandleConnectorTransitIPRequestStoresAddr tests that if sent a
|
||||
// request with a transit addr and a destination addr we store that mapping
|
||||
// and can retrieve it. If sent another req with a different dst for that transit addr
|
||||
// we store that instead.
|
||||
func TestHandleConnectorTransitIPRequestStoresAddr(t *testing.T) {
|
||||
c := &Conn25{}
|
||||
nid := tailcfg.NodeID(1)
|
||||
tip := netip.MustParseAddr("0.0.0.1")
|
||||
dip := netip.MustParseAddr("1.2.3.4")
|
||||
dip2 := netip.MustParseAddr("1.2.3.5")
|
||||
mr := func(t, d netip.Addr) ConnectorTransitIPRequest {
|
||||
return ConnectorTransitIPRequest{
|
||||
TransitIPs: []TransitIPRequest{
|
||||
{TransitIP: t, DestinationIP: d},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
resp := c.HandleConnectorTransitIPRequest(nid, mr(tip, dip))
|
||||
if len(resp.TransitIPs) != 1 {
|
||||
t.Fatalf("n TransitIPs in response: %d, want 1", len(resp.TransitIPs))
|
||||
}
|
||||
got := resp.TransitIPs[0].Code
|
||||
if got != TransitIPResponseCode(0) {
|
||||
t.Fatalf("TransitIP Code: %d, want 0", got)
|
||||
}
|
||||
gotAddr := c.transitIPTarget(nid, tip)
|
||||
if gotAddr != dip {
|
||||
t.Fatalf("Connector stored destination for tip: %v, want %v", gotAddr, dip)
|
||||
}
|
||||
|
||||
// mapping can be overwritten
|
||||
resp2 := c.HandleConnectorTransitIPRequest(nid, mr(tip, dip2))
|
||||
if len(resp2.TransitIPs) != 1 {
|
||||
t.Fatalf("n TransitIPs in response: %d, want 1", len(resp2.TransitIPs))
|
||||
}
|
||||
got2 := resp.TransitIPs[0].Code
|
||||
if got2 != TransitIPResponseCode(0) {
|
||||
t.Fatalf("TransitIP Code: %d, want 0", got2)
|
||||
}
|
||||
gotAddr2 := c.transitIPTarget(nid, tip)
|
||||
if gotAddr2 != dip2 {
|
||||
t.Fatalf("Connector stored destination for tip: %v, want %v", gotAddr, dip2)
|
||||
}
|
||||
}
|
||||
|
||||
// TestHandleConnectorTransitIPRequestMultipleTIP tests that we can
|
||||
// get a req with multiple mappings and we store them all. Including
|
||||
// multiple transit addrs for the same destination.
|
||||
func TestHandleConnectorTransitIPRequestMultipleTIP(t *testing.T) {
|
||||
c := &Conn25{}
|
||||
nid := tailcfg.NodeID(1)
|
||||
tip := netip.MustParseAddr("0.0.0.1")
|
||||
tip2 := netip.MustParseAddr("0.0.0.2")
|
||||
tip3 := netip.MustParseAddr("0.0.0.3")
|
||||
dip := netip.MustParseAddr("1.2.3.4")
|
||||
dip2 := netip.MustParseAddr("1.2.3.5")
|
||||
req := ConnectorTransitIPRequest{
|
||||
TransitIPs: []TransitIPRequest{
|
||||
{TransitIP: tip, DestinationIP: dip},
|
||||
{TransitIP: tip2, DestinationIP: dip2},
|
||||
// can store same dst addr for multiple transit addrs
|
||||
{TransitIP: tip3, DestinationIP: dip},
|
||||
},
|
||||
}
|
||||
resp := c.HandleConnectorTransitIPRequest(nid, req)
|
||||
if len(resp.TransitIPs) != 3 {
|
||||
t.Fatalf("n TransitIPs in response: %d, want 3", len(resp.TransitIPs))
|
||||
}
|
||||
|
||||
for i := 0; i < 3; i++ {
|
||||
got := resp.TransitIPs[i].Code
|
||||
if got != TransitIPResponseCode(0) {
|
||||
t.Fatalf("i=%d TransitIP Code: %d, want 0", i, got)
|
||||
}
|
||||
}
|
||||
gotAddr1 := c.transitIPTarget(nid, tip)
|
||||
if gotAddr1 != dip {
|
||||
t.Fatalf("Connector stored destination for tip(%v): %v, want %v", tip, gotAddr1, dip)
|
||||
}
|
||||
gotAddr2 := c.transitIPTarget(nid, tip2)
|
||||
if gotAddr2 != dip2 {
|
||||
t.Fatalf("Connector stored destination for tip(%v): %v, want %v", tip2, gotAddr2, dip2)
|
||||
}
|
||||
gotAddr3 := c.transitIPTarget(nid, tip3)
|
||||
if gotAddr3 != dip {
|
||||
t.Fatalf("Connector stored destination for tip(%v): %v, want %v", tip3, gotAddr3, dip)
|
||||
}
|
||||
}
|
||||
|
||||
// TestHandleConnectorTransitIPRequestSameTIP tests that if we get
|
||||
// a req that has more than one TransitIPRequest for the same transit addr
|
||||
// only the first is stored, and the subsequent ones get an error code and
|
||||
// message in the response.
|
||||
func TestHandleConnectorTransitIPRequestSameTIP(t *testing.T) {
|
||||
c := &Conn25{}
|
||||
nid := tailcfg.NodeID(1)
|
||||
tip := netip.MustParseAddr("0.0.0.1")
|
||||
tip2 := netip.MustParseAddr("0.0.0.2")
|
||||
dip := netip.MustParseAddr("1.2.3.4")
|
||||
dip2 := netip.MustParseAddr("1.2.3.5")
|
||||
dip3 := netip.MustParseAddr("1.2.3.6")
|
||||
req := ConnectorTransitIPRequest{
|
||||
TransitIPs: []TransitIPRequest{
|
||||
{TransitIP: tip, DestinationIP: dip},
|
||||
// cannot have dupe TransitIPs in one ConnectorTransitIPRequest
|
||||
{TransitIP: tip, DestinationIP: dip2},
|
||||
{TransitIP: tip2, DestinationIP: dip3},
|
||||
},
|
||||
}
|
||||
|
||||
resp := c.HandleConnectorTransitIPRequest(nid, req)
|
||||
if len(resp.TransitIPs) != 3 {
|
||||
t.Fatalf("n TransitIPs in response: %d, want 3", len(resp.TransitIPs))
|
||||
}
|
||||
|
||||
got := resp.TransitIPs[0].Code
|
||||
if got != TransitIPResponseCode(0) {
|
||||
t.Fatalf("i=0 TransitIP Code: %d, want 0", got)
|
||||
}
|
||||
msg := resp.TransitIPs[0].Message
|
||||
if msg != "" {
|
||||
t.Fatalf("i=0 TransitIP Message: \"%s\", want \"%s\"", msg, "")
|
||||
}
|
||||
got1 := resp.TransitIPs[1].Code
|
||||
if got1 != TransitIPResponseCode(1) {
|
||||
t.Fatalf("i=1 TransitIP Code: %d, want 1", got1)
|
||||
}
|
||||
msg1 := resp.TransitIPs[1].Message
|
||||
if msg1 != dupeTransitIPMessage {
|
||||
t.Fatalf("i=1 TransitIP Message: \"%s\", want \"%s\"", msg1, dupeTransitIPMessage)
|
||||
}
|
||||
got2 := resp.TransitIPs[2].Code
|
||||
if got2 != TransitIPResponseCode(0) {
|
||||
t.Fatalf("i=2 TransitIP Code: %d, want 0", got2)
|
||||
}
|
||||
msg2 := resp.TransitIPs[2].Message
|
||||
if msg2 != "" {
|
||||
t.Fatalf("i=2 TransitIP Message: \"%s\", want \"%s\"", msg, "")
|
||||
}
|
||||
|
||||
gotAddr1 := c.transitIPTarget(nid, tip)
|
||||
if gotAddr1 != dip {
|
||||
t.Fatalf("Connector stored destination for tip(%v): %v, want %v", tip, gotAddr1, dip)
|
||||
}
|
||||
gotAddr2 := c.transitIPTarget(nid, tip2)
|
||||
if gotAddr2 != dip3 {
|
||||
t.Fatalf("Connector stored destination for tip(%v): %v, want %v", tip2, gotAddr2, dip3)
|
||||
}
|
||||
}
|
||||
|
||||
// TestGetDstIPUnknownTIP tests that unknown transit addresses can be looked up without problem.
|
||||
func TestTransitIPTargetUnknownTIP(t *testing.T) {
|
||||
c := &Conn25{}
|
||||
nid := tailcfg.NodeID(1)
|
||||
tip := netip.MustParseAddr("0.0.0.1")
|
||||
got := c.transitIPTarget(nid, tip)
|
||||
want := netip.Addr{}
|
||||
if got != want {
|
||||
t.Fatalf("Unknown transit addr, want: %v, got %v", want, got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestPickSplitDNSPeers(t *testing.T) {
|
||||
getBytesForAttr := func(name string, domains []string, tags []string) []byte {
|
||||
attr := appctype.AppConnectorAttr{
|
||||
|
||||
@@ -1,61 +0,0 @@
|
||||
// Copyright (c) Tailscale Inc & contributors
|
||||
// SPDX-License-Identifier: BSD-3-Clause
|
||||
|
||||
package appc
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"net/netip"
|
||||
|
||||
"go4.org/netipx"
|
||||
)
|
||||
|
||||
// errPoolExhausted is returned when there are no more addresses to iterate over.
|
||||
var errPoolExhausted = errors.New("ip pool exhausted")
|
||||
|
||||
// ippool allows for iteration over all the addresses within a netipx.IPSet.
|
||||
// netipx.IPSet has a Ranges call that returns the "minimum and sorted set of IP ranges that covers [the set]".
|
||||
// netipx.IPRange is "an inclusive range of IP addresses from the same address family.". So we can iterate over
|
||||
// all the addresses in the set by keeping a track of the last address we returned, calling Next on the last address
|
||||
// to get the new one, and if we run off the edge of the current range, starting on the next one.
|
||||
type ippool struct {
|
||||
// ranges defines the addresses in the pool
|
||||
ranges []netipx.IPRange
|
||||
// last is internal tracking of which the last address provided was.
|
||||
last netip.Addr
|
||||
// rangeIdx is internal tracking of which netipx.IPRange from the IPSet we are currently on.
|
||||
rangeIdx int
|
||||
}
|
||||
|
||||
func newIPPool(ipset *netipx.IPSet) *ippool {
|
||||
if ipset == nil {
|
||||
return &ippool{}
|
||||
}
|
||||
return &ippool{ranges: ipset.Ranges()}
|
||||
}
|
||||
|
||||
// next returns the next address from the set, or errPoolExhausted if we have
|
||||
// iterated over the whole set.
|
||||
func (ipp *ippool) next() (netip.Addr, error) {
|
||||
if ipp.rangeIdx >= len(ipp.ranges) {
|
||||
// ipset is empty or we have iterated off the end
|
||||
return netip.Addr{}, errPoolExhausted
|
||||
}
|
||||
if !ipp.last.IsValid() {
|
||||
// not initialized yet
|
||||
ipp.last = ipp.ranges[0].From()
|
||||
return ipp.last, nil
|
||||
}
|
||||
currRange := ipp.ranges[ipp.rangeIdx]
|
||||
if ipp.last == currRange.To() {
|
||||
// then we need to move to the next range
|
||||
ipp.rangeIdx++
|
||||
if ipp.rangeIdx >= len(ipp.ranges) {
|
||||
return netip.Addr{}, errPoolExhausted
|
||||
}
|
||||
ipp.last = ipp.ranges[ipp.rangeIdx].From()
|
||||
return ipp.last, nil
|
||||
}
|
||||
ipp.last = ipp.last.Next()
|
||||
return ipp.last, nil
|
||||
}
|
||||
@@ -1,60 +0,0 @@
|
||||
// Copyright (c) Tailscale Inc & contributors
|
||||
// SPDX-License-Identifier: BSD-3-Clause
|
||||
|
||||
package appc
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"net/netip"
|
||||
"testing"
|
||||
|
||||
"go4.org/netipx"
|
||||
"tailscale.com/util/must"
|
||||
)
|
||||
|
||||
func TestNext(t *testing.T) {
|
||||
a := ippool{}
|
||||
_, err := a.next()
|
||||
if !errors.Is(err, errPoolExhausted) {
|
||||
t.Fatalf("expected errPoolExhausted, got %v", err)
|
||||
}
|
||||
|
||||
var isb netipx.IPSetBuilder
|
||||
ipset := must.Get(isb.IPSet())
|
||||
b := newIPPool(ipset)
|
||||
_, err = b.next()
|
||||
if !errors.Is(err, errPoolExhausted) {
|
||||
t.Fatalf("expected errPoolExhausted, got %v", err)
|
||||
}
|
||||
|
||||
isb.AddRange(netipx.IPRangeFrom(netip.MustParseAddr("192.168.0.0"), netip.MustParseAddr("192.168.0.2")))
|
||||
isb.AddRange(netipx.IPRangeFrom(netip.MustParseAddr("200.0.0.0"), netip.MustParseAddr("200.0.0.0")))
|
||||
isb.AddRange(netipx.IPRangeFrom(netip.MustParseAddr("201.0.0.0"), netip.MustParseAddr("201.0.0.1")))
|
||||
ipset = must.Get(isb.IPSet())
|
||||
c := newIPPool(ipset)
|
||||
expected := []string{
|
||||
"192.168.0.0",
|
||||
"192.168.0.1",
|
||||
"192.168.0.2",
|
||||
"200.0.0.0",
|
||||
"201.0.0.0",
|
||||
"201.0.0.1",
|
||||
}
|
||||
for i, want := range expected {
|
||||
addr, err := c.next()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if addr != netip.MustParseAddr(want) {
|
||||
t.Fatalf("next call %d want: %s, got: %v", i, want, addr)
|
||||
}
|
||||
}
|
||||
_, err = c.next()
|
||||
if !errors.Is(err, errPoolExhausted) {
|
||||
t.Fatalf("expected errPoolExhausted, got %v", err)
|
||||
}
|
||||
_, err = c.next()
|
||||
if !errors.Is(err, errPoolExhausted) {
|
||||
t.Fatalf("expected errPoolExhausted, got %v", err)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user