net/tsdial: move more weirdo dialing into new tsdial package, plumb

Not done yet, but this move more of the outbound dial special casing
from random packages into tsdial, which aspires to be the one unified
place for all outbound dialing shenanigans.

Then this plumbs it all around, so everybody is ultimately
holding on to the same dialer.

As of this commit, macOS/iOS using an exit node should be able to
reach to the exit node's DoH DNS proxy over peerapi, doing the sockopt
to stay within the Network Extension.

A number of steps remain, including but limited to:

* move a bunch more random dialing stuff

* make netstack-mode tailscaled be able to use exit node's DNS proxy,
  teaching tsdial's resolver to use it when an exit node is in use.

Updates #1713

Change-Id: I1e8ee378f125421c2b816f47bc2c6d913ddcd2f5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

net/dns/manager.go

@@ -13,6 +13,7 @@ import (
 	"tailscale.com/health"
 	"tailscale.com/net/dns/resolver"
 	"tailscale.com/net/tsaddr"
+	"tailscale.com/net/tsdial"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/dnsname"
@@ -39,11 +40,14 @@ type Manager struct {
 }
 
 // NewManagers created a new manager from the given config.
-func NewManager(logf logger.Logf, oscfg OSConfigurator, linkMon *monitor.Mon, linkSel resolver.ForwardLinkSelector) *Manager {
+func NewManager(logf logger.Logf, oscfg OSConfigurator, linkMon *monitor.Mon, dialer *tsdial.Dialer, linkSel resolver.ForwardLinkSelector) *Manager {
+	if dialer == nil {
+		panic("nil Dialer")
+	}
 	logf = logger.WithPrefix(logf, "dns: ")
 	m := &Manager{
 		logf:     logf,
-		resolver: resolver.New(logf, linkMon, linkSel),
+		resolver: resolver.New(logf, linkMon, linkSel, dialer),
 		os:       oscfg,
 	}
 	m.logf("using %T", m.os)
@@ -230,7 +234,7 @@ func Cleanup(logf logger.Logf, interfaceName string) {
 		logf("creating dns cleanup: %v", err)
 		return
 	}
-	dns := NewManager(logf, oscfg, nil, nil)
+	dns := NewManager(logf, oscfg, nil, new(tsdial.Dialer), nil)
 	if err := dns.Down(); err != nil {
 		logf("dns down: %v", err)
 	}

net/dns/manager_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"inet.af/netaddr"
 	"tailscale.com/net/dns/resolver"
+	"tailscale.com/net/tsdial"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/util/dnsname"
 )
@@ -398,7 +399,7 @@ func TestManager(t *testing.T) {
 				SplitDNS:   test.split,
 				BaseConfig: test.bs,
 			}
-			m := NewManager(t.Logf, &f, nil, nil)
+			m := NewManager(t.Logf, &f, nil, new(tsdial.Dialer), nil)
 			m.resolver.TestOnlySetHook(f.SetResolver)
 
 			if err := m.Set(test.in); err != nil {

net/dns/resolver/forwarder.go

@@ -26,6 +26,7 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/hostinfo"
 	"tailscale.com/net/netns"
+	"tailscale.com/net/tsdial"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/dnsname"
@@ -159,7 +160,8 @@ type resolverAndDelay struct {
 type forwarder struct {
 	logf    logger.Logf
 	linkMon *monitor.Mon
-	linkSel ForwardLinkSelector
+	linkSel ForwardLinkSelector // TODO(bradfitz): remove this when tsdial.Dialer absords it
+	dialer  *tsdial.Dialer
 	dohSem  chan struct{}
 
 	ctx       context.Context    // good until Close
@@ -205,11 +207,12 @@ func maxDoHInFlight(goos string) int {
 	return 1000
 }
 
-func newForwarder(logf logger.Logf, responses chan packet, linkMon *monitor.Mon, linkSel ForwardLinkSelector) *forwarder {
+func newForwarder(logf logger.Logf, responses chan packet, linkMon *monitor.Mon, linkSel ForwardLinkSelector, dialer *tsdial.Dialer) *forwarder {
 	f := &forwarder{
 		logf:      logger.WithPrefix(logf, "forward: "),
 		linkMon:   linkMon,
 		linkSel:   linkSel,
+		dialer:    dialer,
 		responses: responses,
 		dohSem:    make(chan struct{}, maxDoHInFlight(runtime.GOOS)),
 	}
@@ -423,10 +426,7 @@ func (f *forwarder) sendDoH(ctx context.Context, urlBase string, c *http.Client,
 // send expects the reply to have the same txid as txidOut.
 func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDelay) ([]byte, error) {
 	if strings.HasPrefix(rr.name.Addr, "http://") {
-		// TODO(bradfitz): this only work for TUN mode right now; plumb a universal dialer
-		// that can handle the dozen special cases for modes/platforms/routes.
-		TODOHTTPClient := http.DefaultClient
-		return f.sendDoH(ctx, rr.name.Addr, TODOHTTPClient, fq.packet)
+		return f.sendDoH(ctx, rr.name.Addr, f.dialer.PeerAPIHTTPClient(), fq.packet)
 	}
 	if strings.HasPrefix(rr.name.Addr, "https://") {
 		metricDNSFwdErrorType.Add(1)

net/dns/resolver/tsdns.go

@@ -27,6 +27,7 @@ import (
 	dns "golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
 	"tailscale.com/net/tsaddr"
+	"tailscale.com/net/tsdial"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
@@ -192,6 +193,7 @@ func WriteRoutes(w *bufio.Writer, routes map[dnsname.FQDN][]dnstype.Resolver) {
 type Resolver struct {
 	logf               logger.Logf
 	linkMon            *monitor.Mon     // or nil
+	dialer             *tsdial.Dialer   // non-nil
 	saveConfigForTests func(cfg Config) // used in tests to capture resolver config
 	// forwarder forwards requests to upstream nameservers.
 	forwarder *forwarder
@@ -223,7 +225,10 @@ type ForwardLinkSelector interface {
 
 // New returns a new resolver.
 // linkMon optionally specifies a link monitor to use for socket rebinding.
-func New(logf logger.Logf, linkMon *monitor.Mon, linkSel ForwardLinkSelector) *Resolver {
+func New(logf logger.Logf, linkMon *monitor.Mon, linkSel ForwardLinkSelector, dialer *tsdial.Dialer) *Resolver {
+	if dialer == nil {
+		panic("nil Dialer")
+	}
 	r := &Resolver{
 		logf:      logger.WithPrefix(logf, "resolver: "),
 		linkMon:   linkMon,
@@ -232,8 +237,9 @@ func New(logf logger.Logf, linkMon *monitor.Mon, linkSel ForwardLinkSelector) *R
 		closed:    make(chan struct{}),
 		hostToIP:  map[dnsname.FQDN][]netaddr.IP{},
 		ipToHost:  map[netaddr.IP]dnsname.FQDN{},
+		dialer:    dialer,
 	}
-	r.forwarder = newForwarder(r.logf, r.responses, linkMon, linkSel)
+	r.forwarder = newForwarder(r.logf, r.responses, linkMon, linkSel, dialer)
 	return r
 }
 

net/dns/resolver/tsdns_test.go

@@ -18,6 +18,7 @@ import (
 
 	dns "golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
+	"tailscale.com/net/tsdial"
 	"tailscale.com/tstest"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/util/dnsname"
@@ -308,7 +309,7 @@ func TestRDNSNameToIPv6(t *testing.T) {
 }
 
 func newResolver(t testing.TB) *Resolver {
-	return New(t.Logf, nil /* no link monitor */, nil /* no link selector */)
+	return New(t.Logf, nil /* no link monitor */, nil /* no link selector */, new(tsdial.Dialer))
 }
 
 func TestResolveLocal(t *testing.T) {
@@ -1062,7 +1063,7 @@ func TestForwardLinkSelection(t *testing.T) {
 			return "special"
 		}
 		return ""
-	}))
+	}), new(tsdial.Dialer))
 
 	// Test non-special IP.
 	if got, err := fwd.packetListener(netaddr.IP{}); err != nil {

net/tsdial/tsdial.go

@@ -9,9 +9,14 @@ import (
 	"context"
 	"errors"
 	"net"
+	"net/http"
 	"sync"
+	"sync/atomic"
+	"syscall"
+	"time"
 
 	"inet.af/netaddr"
+	"tailscale.com/net/netknob"
 )
 
 // Dialer dials out of tailscaled, while taking care of details while
@@ -27,11 +32,43 @@ type Dialer struct {
 	// If nil, it's not used.
 	NetstackDialTCP func(context.Context, netaddr.IPPort) (net.Conn, error)
 
+	peerDialControlFuncAtomic atomic.Value // of func() func(network, address string, c syscall.RawConn) error
+
+	peerClientOnce sync.Once
+	peerClient     *http.Client
+
 	mu  sync.Mutex
 	dns DNSMap
 }
 
+// PeerDialControlFunc returns a function
+// that can assigned to net.Dialer.Control to set sockopts or whatnot
+// to make a dial escape the current platform's network sandbox.
+//
+// On many platforms the returned func will be nil.
+//
+// Notably, this is non-nil on iOS and macOS when run as a Network or
+// System Extension (the GUI variants).
+func (d *Dialer) PeerDialControlFunc() func(network, address string, c syscall.RawConn) error {
+	gf, _ := d.peerDialControlFuncAtomic.Load().(func() func(network, address string, c syscall.RawConn) error)
+	if gf == nil {
+		return nil
+	}
+	return gf()
+}
+
+// SetPeerDialControlFuncGetter sets a function that returns, for the
+// current network configuration at the time it's called, a function
+// that can assigned to net.Dialer.Control to set sockopts or whatnot
+// to make a dial escape the current platform's network sandbox.
+func (d *Dialer) SetPeerDialControlFuncGetter(getFunc func() func(network, address string, c syscall.RawConn) error) {
+	d.peerDialControlFuncAtomic.Store(getFunc)
+}
+
+// SetDNSMap sets the current map of DNS names learned from the netmap.
 func (d *Dialer) SetDNSMap(m DNSMap) {
+	// TODO(bradfitz): update this to be aware of DNSConfig
+	// ExtraNames and CertDomains.
 	d.mu.Lock()
 	defer d.mu.Unlock()
 	d.dns = m
@@ -44,7 +81,9 @@ func (d *Dialer) resolve(ctx context.Context, addr string) (netaddr.IPPort, erro
 	return dns.Resolve(ctx, addr)
 }
 
-func (d *Dialer) DialContext(ctx context.Context, network, addr string) (net.Conn, error) {
+// UserDial connects to the provided network address as if a user were initiating the dial.
+// (e.g. from a SOCKS or HTTP outbound proxy)
+func (d *Dialer) UserDial(ctx context.Context, network, addr string) (net.Conn, error) {
 	ipp, err := d.resolve(ctx, addr)
 	if err != nil {
 		return nil, err
@@ -59,3 +98,31 @@ func (d *Dialer) DialContext(ctx context.Context, network, addr string) (net.Con
 	var stdDialer net.Dialer
 	return stdDialer.DialContext(ctx, network, ipp.String())
 }
+
+// PeerAPIHTTPClient returns an HTTP Client to call peers' peerapi
+// endpoints.                                                                                                                                                                                                                      //
+// The returned Client must not be mutated; it's owned by the Dialer
+// and shared by callers.
+func (d *Dialer) PeerAPIHTTPClient() *http.Client {
+	d.peerClientOnce.Do(func() {
+		t := http.DefaultTransport.(*http.Transport).Clone()
+		t.Dial = nil
+		dialer := net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: netknob.PlatformTCPKeepAlive(),
+			Control:   d.PeerDialControlFunc(),
+		}
+		t.DialContext = dialer.DialContext
+		d.peerClient = &http.Client{Transport: t}
+	})
+	return d.peerClient
+}
+
+// PeerAPITransport returns a Transport to call peers' peerapi
+// endpoints.
+//
+// The returned value must not be mutated; it's owned by the Dialer
+// and shared by callers.
+func (d *Dialer) PeerAPITransport() *http.Transport {
+	return d.PeerAPIHTTPClient().Transport.(*http.Transport)
+}