webnet
/
tailscale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

net/packet: add IPv6 source and destination IPs to Parsed.

Browse Source 
Signed-off-by: David Anderson <danderson@tailscale.com>
main
David Anderson 6 years ago committed by Dave Anderson
parent d192bd0f86
commit 89894c6930
8 changed files with 66 additions and 40 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 24
      net/packet/ip6.go
  2. 18
      net/packet/packet.go
  3. 20
      net/packet/packet_test.go
  4. 16
      wgengine/filter/filter.go
  5. 12
      wgengine/filter/filter_test.go
  6. 8
      wgengine/filter/match4.go
  7. 2
      wgengine/tstun/tun.go
  8. 6
      wgengine/userspace.go

24
net/packet/ip6.go
Unescape View File

@ -0,0 +1,24 @@
package packet
import (
"fmt"
"inet.af/netaddr"
)
type IP6 [16]byte
func IP6FromNetaddr(ip netaddr.IP) IP6 {
if !ip.Is6() {
panic(fmt.Sprintf("IP6FromNetaddr called with non-v6 addr %q", ip))
}
return IP6(ip.As16())
}
func (ip IP6) Netaddr() netaddr.IP {
return netaddr.IPFrom16(ip)
}
func (ip IP6) String() string {
return ip.Netaddr().String()
}

18
net/packet/packet.go
Unescape View File

@ -45,8 +45,10 @@ type Parsed struct {
IPVersion uint8 // 4, 6, or 0
IPProto IP4Proto // IP subprotocol (UDP, TCP, etc); the NextHeader field for IPv6
SrcIP IP4 // IP source address (not used for IPv6)
DstIP IP4 // IP destination address (not used for IPv6)
SrcIP4 IP4 // IPv4 source address (not used for IPv6)
DstIP4 IP4 // IPv4 destination address (not used for IPv6)
SrcIP6 IP6 // IPv6 source address (not used for IPv4)
DstIP6 IP6 // IPv6 destination address (not used for IPv4)
SrcPort uint16 // TCP/UDP source port
DstPort uint16 // TCP/UDP destination port
TCPFlags uint8 // TCP flags (SYN, ACK, etc)
@ -66,9 +68,9 @@ func (p *Parsed) String() string {
sb := strbuilder.Get()
sb.WriteString(p.IPProto.String())
sb.WriteByte('{')
writeIPPort(sb, p.SrcIP, p.SrcPort)
writeIPPort(sb, p.SrcIP4, p.SrcPort)
sb.WriteString(" > ")
writeIPPort(sb, p.DstIP, p.DstPort)
writeIPPort(sb, p.DstIP4, p.DstPort)
sb.WriteByte('}')
return sb.String()
}
@ -140,8 +142,8 @@ func (q *Parsed) Decode(b []byte) {
}
// If it's valid IPv4, then the IP addresses are valid
q.SrcIP = IP4(get32(b[12:16]))
q.DstIP = IP4(get32(b[16:20]))
q.SrcIP4 = IP4(get32(b[12:16]))
q.DstIP4 = IP4(get32(b[16:20]))
q.subofs = int((b[0] & 0x0F) << 2)
sub := b[q.subofs:]
@ -229,8 +231,8 @@ func (q *Parsed) IPHeader() IP4Header {
return IP4Header{
IPID: ipid,
IPProto: q.IPProto,
SrcIP: q.SrcIP,
DstIP: q.DstIP,
SrcIP: q.SrcIP4,
DstIP: q.DstIP4,
}
}

20
net/packet/packet_test.go
Unescape View File

@ -49,8 +49,8 @@ var icmpRequestDecode = Parsed{
IPVersion: 4,
IPProto: ICMP,
SrcIP: NewIP4(net.ParseIP("1.2.3.4")),
DstIP: NewIP4(net.ParseIP("5.6.7.8")),
SrcIP4: NewIP4(net.ParseIP("1.2.3.4")),
DstIP4: NewIP4(net.ParseIP("5.6.7.8")),
SrcPort: 0,
DstPort: 0,
}
@ -75,8 +75,8 @@ var icmpReplyDecode = Parsed{
IPVersion: 4,
IPProto: ICMP,
SrcIP: NewIP4(net.ParseIP("1.2.3.4")),
DstIP: NewIP4(net.ParseIP("5.6.7.8")),
SrcIP4: NewIP4(net.ParseIP("1.2.3.4")),
DstIP4: NewIP4(net.ParseIP("5.6.7.8")),
SrcPort: 0,
DstPort: 0,
}
@ -131,8 +131,8 @@ var tcpPacketDecode = Parsed{
IPVersion: 4,
IPProto: TCP,
SrcIP: NewIP4(net.ParseIP("1.2.3.4")),
DstIP: NewIP4(net.ParseIP("5.6.7.8")),
SrcIP4: NewIP4(net.ParseIP("1.2.3.4")),
DstIP4: NewIP4(net.ParseIP("5.6.7.8")),
SrcPort: 123,
DstPort: 567,
TCPFlags: TCPSynAck,
@ -159,8 +159,8 @@ var udpRequestDecode = Parsed{
IPVersion: 4,
IPProto: UDP,
SrcIP: NewIP4(net.ParseIP("1.2.3.4")),
DstIP: NewIP4(net.ParseIP("5.6.7.8")),
SrcIP4: NewIP4(net.ParseIP("1.2.3.4")),
DstIP4: NewIP4(net.ParseIP("5.6.7.8")),
SrcPort: 123,
DstPort: 567,
}
@ -185,8 +185,8 @@ var udpReplyDecode = Parsed{
length: len(udpReplyBuffer),
IPProto: UDP,
SrcIP: NewIP4(net.ParseIP("1.2.3.4")),
DstIP: NewIP4(net.ParseIP("5.6.7.8")),
SrcIP4: NewIP4(net.ParseIP("1.2.3.4")),
DstIP4: NewIP4(net.ParseIP("5.6.7.8")),
SrcPort: 567,
DstPort: 123,
}

16
wgengine/filter/filter.go
Unescape View File

@ -191,8 +191,8 @@ func (f *Filter) CheckTCP(srcIP, dstIP netaddr.IP, dstPort uint16) Response {
pkt.IPVersion = 4
pkt.IPProto = packet.TCP
pkt.TCPFlags = packet.TCPSyn
pkt.SrcIP = packet.IP4FromNetaddr(srcIP) // TODO: IPv6
pkt.DstIP = packet.IP4FromNetaddr(dstIP)
pkt.SrcIP4 = packet.IP4FromNetaddr(srcIP) // TODO: IPv6
pkt.DstIP4 = packet.IP4FromNetaddr(dstIP)
pkt.SrcPort = 0
pkt.DstPort = dstPort
@ -233,7 +233,7 @@ func (f *Filter) runIn(q *packet.Parsed) (r Response, why string) {
// A compromised peer could try to send us packets for
// destinations we didn't explicitly advertise. This check is to
// prevent that.
if !ip4InList(q.DstIP, f.local4) {
if !ip4InList(q.DstIP4, f.local4) {
return Drop, "destination not allowed"
}
@ -271,7 +271,7 @@ func (f *Filter) runIn(q *packet.Parsed) (r Response, why string) {
return Accept, "tcp ok"
}
case packet.UDP:
t := tuple{q.SrcIP, q.DstIP, q.SrcPort, q.DstPort}
t := tuple{q.SrcIP4, q.DstIP4, q.SrcPort, q.DstPort}
f.state.mu.Lock()
_, ok := f.state.lru.Get(t)
@ -292,7 +292,7 @@ func (f *Filter) runIn(q *packet.Parsed) (r Response, why string) {
// runIn runs the output-specific part of the filter logic.
func (f *Filter) runOut(q *packet.Parsed) (r Response, why string) {
if q.IPProto == packet.UDP {
t := tuple{q.DstIP, q.SrcIP, q.DstPort, q.SrcPort}
t := tuple{q.DstIP4, q.SrcIP4, q.DstPort, q.SrcPort}
var ti interface{} = t // allocate once, rather than twice inside mutex
f.state.mu.Lock()
@ -338,11 +338,11 @@ func (f *Filter) pre(q *packet.Parsed, rf RunFlags, dir direction) Response {
f.logRateLimit(rf, q, dir, Drop, "ipv6")
return Drop
}
if q.DstIP.IsMulticast() {
if q.DstIP4.IsMulticast() {
f.logRateLimit(rf, q, dir, Drop, "multicast")
return Drop
}
if q.DstIP.IsLinkLocalUnicast() {
if q.DstIP4.IsLinkLocalUnicast() {
f.logRateLimit(rf, q, dir, Drop, "link-local-unicast")
return Drop
}
@ -389,7 +389,7 @@ func omitDropLogging(p *packet.Parsed, dir direction) bool {
if ipProto == packet.IGMP {
return true
}
if p.DstIP.IsMulticast() || p.DstIP.IsLinkLocalUnicast() {
if p.DstIP4.IsMulticast() || p.DstIP4.IsLinkLocalUnicast() {
return true
}
case 6:

12
wgengine/filter/filter_test.go
Unescape View File

@ -168,7 +168,7 @@ func TestFilter(t *testing.T) {
t.Errorf("#%d runIn got=%v want=%v packet:%v", i, got, test.want, test.p)
}
if test.p.IPProto == TCP {
if got := acl.CheckTCP(test.p.SrcIP.Netaddr(), test.p.DstIP.Netaddr(), test.p.DstPort); test.want != got {
if got := acl.CheckTCP(test.p.SrcIP4.Netaddr(), test.p.DstIP4.Netaddr(), test.p.DstPort); test.want != got {
t.Errorf("#%d CheckTCP got=%v want=%v packet:%v", i, got, test.want, test.p)
}
}
@ -315,8 +315,8 @@ func TestPreFilter(t *testing.T) {
func parsed(proto packet.IP4Proto, src, dst packet.IP4, sport, dport uint16) packet.Parsed {
return packet.Parsed{
IPProto: proto,
SrcIP: src,
DstIP: dst,
SrcIP4: src,
DstIP4: dst,
SrcPort: sport,
DstPort: dport,
TCPFlags: packet.TCPSyn,
@ -435,19 +435,19 @@ func TestOmitDropLogging(t *testing.T) {
},
{
name: "v4_multicast_out_low",
pkt: &packet.Parsed{IPVersion: 4, DstIP: packet.NewIP4(net.ParseIP("224.0.0.0"))},
pkt: &packet.Parsed{IPVersion: 4, DstIP4: packet.NewIP4(net.ParseIP("224.0.0.0"))},
dir: out,
want: true,
},
{
name: "v4_multicast_out_high",
pkt: &packet.Parsed{IPVersion: 4, DstIP: packet.NewIP4(net.ParseIP("239.255.255.255"))},
pkt: &packet.Parsed{IPVersion: 4, DstIP4: packet.NewIP4(net.ParseIP("239.255.255.255"))},
dir: out,
want: true,
},
{
name: "v4_link_local_unicast",
pkt: &packet.Parsed{IPVersion: 4, DstIP: packet.NewIP4(net.ParseIP("169.254.1.2"))},
pkt: &packet.Parsed{IPVersion: 4, DstIP4: packet.NewIP4(net.ParseIP("169.254.1.2"))},
dir: out,
want: true,
},

8
wgengine/filter/match4.go
Unescape View File

@ -104,11 +104,11 @@ func newMatches4(ms []Match) (ret matches4) {
// any of ms.
func (ms matches4) match(q *packet.Parsed) bool {
for _, m := range ms {
if !ip4InList(q.SrcIP, m.srcs) {
if !ip4InList(q.SrcIP4, m.srcs) {
continue
}
for _, dst := range m.dsts {
if !dst.net.Contains(q.DstIP) {
if !dst.net.Contains(q.DstIP4) {
continue
}
if !dst.ports.contains(q.DstPort) {
@ -124,11 +124,11 @@ func (ms matches4) match(q *packet.Parsed) bool {
// any of ms.
func (ms matches4) matchIPsOnly(q *packet.Parsed) bool {
for _, m := range ms {
if !ip4InList(q.SrcIP, m.srcs) {
if !ip4InList(q.SrcIP4, m.srcs) {
continue
}
for _, dst := range m.dsts {
if dst.net.Contains(q.DstIP) {
if dst.net.Contains(q.DstIP4) {
return true
}
}

2
wgengine/tstun/tun.go
Unescape View File

@ -283,7 +283,7 @@ func (t *TUN) Read(buf []byte, offset int) (int, error) {
p.Decode(buf[offset : offset+n])
if m, ok := t.destIPActivity.Load().(map[packet.IP4]func()); ok {
if fn := m[p.DstIP]; fn != nil {
if fn := m[p.DstIP4]; fn != nil {
fn()
}
}

6
wgengine/userspace.go
Unescape View File

@ -397,7 +397,7 @@ func (e *userspaceEngine) handleLocalPackets(p *packet.Parsed, t *tstun.TUN) fil
return filter.Drop
}
if runtime.GOOS == "darwin" && e.isLocalAddr(p.DstIP) {
if runtime.GOOS == "darwin" && e.isLocalAddr(p.DstIP4) {
// macOS NetworkExtension directs packets destined to the
// tunnel's local IP address into the tunnel, instead of
// looping back within the kernel network stack. We have to
@ -421,10 +421,10 @@ func (e *userspaceEngine) isLocalAddr(ip packet.IP4) bool {
// handleDNS is an outbound pre-filter resolving Tailscale domains.
func (e *userspaceEngine) handleDNS(p *packet.Parsed, t *tstun.TUN) filter.Response {
if p.DstIP == magicDNSIP && p.DstPort == magicDNSPort && p.IPProto == packet.UDP {
if p.DstIP4 == magicDNSIP && p.DstPort == magicDNSPort && p.IPProto == packet.UDP {
request := tsdns.Packet{
Payload: append([]byte(nil), p.Payload()...),
Addr: netaddr.IPPort{IP: p.SrcIP.Netaddr(), Port: p.SrcPort},
Addr: netaddr.IPPort{IP: p.SrcIP4.Netaddr(), Port: p.SrcPort},
}
err := e.resolver.EnqueueRequest(request)
if err != nil {

Write Preview
Loading…
Cancel
Save