webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

wgengine/netstack: don't register subnet/4via6 TCP flows with proxymap

Browse Source 
Fixes #18991

Change-Id: I29a609dcd401854026aef4a5ad8d5806c3249ea6
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick
2026-03-13 20:51:22 +00:00
committed by Brad Fitzpatrick
parent 4c91f90776
commit 54606a0a89
1 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
wgengine/netstack/netstack.go
+9 -6
View File
@@ -1481,6 +1481,7 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) {
dialIP := netaddrIPFromNetstackIP(reqDetails.LocalAddress)
isTailscaleIP := tsaddr.IsTailscaleIP(dialIP)
isLocal := ns.isLocalIP(dialIP) // i.e. not a subnet routed or 4via6 target
dstAddrPort := netip.AddrPortFrom(dialIP, reqDetails.LocalPort)
@@ -1600,7 +1601,7 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) {
}
dialAddr := netip.AddrPortFrom(dialIP, uint16(reqDetails.LocalPort))
if !ns.forwardTCP(getConnOrReset, clientRemoteIP, &wq, dialAddr) {
if !ns.forwardTCP(getConnOrReset, clientRemoteIP, &wq, dialAddr, isLocal) {
r.Complete(true) // sends a RST
}
}
@@ -1612,7 +1613,7 @@ type tcpCloser interface {
CloseWrite() error
}
func (ns *Impl) forwardTCP(getClient func(...tcpip.SettableSocketOption) *gonet.TCPConn, clientRemoteIP netip.Addr, wq *waiter.Queue, dialAddr netip.AddrPort) (handled bool) {
func (ns *Impl) forwardTCP(getClient func(...tcpip.SettableSocketOption) *gonet.TCPConn, clientRemoteIP netip.Addr, wq *waiter.Queue, dialAddr netip.AddrPort, isLocal bool) (handled bool) {
dialAddrStr := dialAddr.String()
if debugNetstack() {
ns.logf("[v2] netstack: forwarding incoming connection to %s", dialAddrStr)
@@ -1659,11 +1660,13 @@ func (ns *Impl) forwardTCP(getClient func(...tcpip.SettableSocketOption) *gonet.
backendLocalAddr := backend.LocalAddr().(*net.TCPAddr)
backendLocalIPPort := netaddr.Unmap(backendLocalAddr.AddrPort())
if err := ns.pm.RegisterIPPortIdentity("tcp", backendLocalIPPort, clientRemoteIP); err != nil {
ns.logf("netstack: could not register TCP mapping %s: %v", backendLocalIPPort, err)
return
if isLocal {
if err := ns.pm.RegisterIPPortIdentity("tcp", backendLocalIPPort, clientRemoteIP); err != nil {
ns.logf("netstack: could not register TCP mapping %s: %v", backendLocalIPPort, err)
return
}
defer ns.pm.UnregisterIPPortIdentity("tcp", backendLocalIPPort)
}
defer ns.pm.UnregisterIPPortIdentity("tcp", backendLocalIPPort)
// If we get here, either the getClient call below will succeed and
// return something we can Close, or it will fail and will properly