ipnext,ipnlocal: add ExtraWireGuardAllowedIPs hook
This hook addition is motivated by the Connectors 2025 work, in which NATed "Transit IPs" are used to route interesting traffic to the appropriate peer, without advertising the actual real IPs. It overlaps with #17858, and specifically with the WIP PR #17861. If that work completes, this hook may be replaced by other ones that fit the new WireGuard configuration paradigm. Fixes tailscale/corp#37146 Signed-off-by: Michael Ben-Ami <mzb@tailscale.com>
committed by
mzbenami
parent
8e3d176f1c
commit
40858a61fe
@@ -5129,6 +5129,16 @@ func (b *LocalBackend) authReconfigLocked() {
|
||||
oneCGNATRoute := shouldUseOneCGNATRoute(b.logf, b.sys.NetMon.Get(), b.sys.ControlKnobs(), version.OS())
|
||||
rcfg := b.routerConfigLocked(cfg, prefs, nm, oneCGNATRoute)
|
||||
|
||||
// Add these extra Allowed IPs after router configuration, because the expected
|
||||
// extension (features/conn25), does not want these routes installed on the OS.
|
||||
// See also [Hooks.ExtraWireGuardAllowedIPs].
|
||||
if extraAllowedIPsFn, ok := b.extHost.hooks.ExtraWireGuardAllowedIPs.GetOk(); ok {
|
||||
for i := range cfg.Peers {
|
||||
extras := extraAllowedIPsFn(cfg.Peers[i].PublicKey)
|
||||
cfg.Peers[i].AllowedIPs = extras.AppendTo(cfg.Peers[i].AllowedIPs)
|
||||
}
|
||||
}
|
||||
|
||||
err = b.e.Reconfig(cfg, rcfg, dcfg)
|
||||
if err == wgengine.ErrNoChanges {
|
||||
return
|
||||
|
||||
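Review bot: The loop at `for i := range cfg.Peers` appends whatever the hook returns for each peer without checking that a prefix is not already claimed by another peer's AllowedIPs (existing or extra); in WireGuard the allowed-IP table is a single cryptokey-routing map, so an overlapping prefix silently moves to whichever peer is configured last, which changes both where traffic is sent and which peer is accepted as a source for it. That makes the hook's output security-relevant, and the comment block above the `if` should say so, e.g. `// The hook's prefixes must be disjoint across peers and from existing AllowedIPs; WireGuard routes a prefix to the last peer that claims it.` — a debug-level log of what was appended per peer would also make misconfiguration visible at reconfig time. Whether `extras.AppendTo` dedupes against prefixes already present cannot be seen from this hunk; if it does not, a duplicate prefix for the same peer is harmless but worth noting in that comment. authReconfigLocked begins and ends outside the hunk.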