mirror of
				https://github.com/tailscale/tailscale.git
				synced 2025-10-26 22:01:09 +01:00 
			
		
		
		
	In prep for most of the package funcs in net/interfaces to become methods in a long-lived netmon.Monitor that can cache things. (Many of the funcs are very heavy to call regularly, whereas the long-lived netmon.Monitor can subscribe to things from the OS and remember answers to questions it's asked regularly later) Updates tailscale/corp#10910 Updates tailscale/corp#18960 Updates #7967 Updates #3299 Change-Id: Ie4e8dedb70136af2d611b990b865a822cd1797e5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
		
			
				
	
	
		
			292 lines
		
	
	
		
			7.9 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			292 lines
		
	
	
		
			7.9 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // Copyright (c) Tailscale Inc & AUTHORS
 | |
| // SPDX-License-Identifier: BSD-3-Clause
 | |
| 
 | |
| //go:build darwin
 | |
| 
 | |
| package netns
 | |
| 
 | |
| import (
 | |
| 	"errors"
 | |
| 	"fmt"
 | |
| 	"log"
 | |
| 	"net"
 | |
| 	"net/netip"
 | |
| 	"os"
 | |
| 	"strings"
 | |
| 	"syscall"
 | |
| 
 | |
| 	"golang.org/x/net/route"
 | |
| 	"golang.org/x/sys/unix"
 | |
| 	"tailscale.com/envknob"
 | |
| 	"tailscale.com/net/netmon"
 | |
| 	"tailscale.com/net/tsaddr"
 | |
| 	"tailscale.com/types/logger"
 | |
| )
 | |
| 
 | |
| func control(logf logger.Logf, netMon *netmon.Monitor) func(network, address string, c syscall.RawConn) error {
 | |
| 	return func(network, address string, c syscall.RawConn) error {
 | |
| 		return controlLogf(logf, netMon, network, address, c)
 | |
| 	}
 | |
| }
 | |
| 
 | |
| var bindToInterfaceByRouteEnv = envknob.RegisterBool("TS_BIND_TO_INTERFACE_BY_ROUTE")
 | |
| 
 | |
| var errInterfaceStateInvalid = errors.New("interface state invalid")
 | |
| 
 | |
| // controlLogf marks c as necessary to dial in a separate network namespace.
 | |
| //
 | |
| // It's intentionally the same signature as net.Dialer.Control
 | |
| // and net.ListenConfig.Control.
 | |
| func controlLogf(logf logger.Logf, netMon *netmon.Monitor, network, address string, c syscall.RawConn) error {
 | |
| 	if isLocalhost(address) {
 | |
| 		// Don't bind to an interface for localhost connections.
 | |
| 		return nil
 | |
| 	}
 | |
| 
 | |
| 	if disableBindConnToInterface.Load() {
 | |
| 		logf("netns_darwin: binding connection to interfaces disabled")
 | |
| 		return nil
 | |
| 	}
 | |
| 
 | |
| 	idx, err := getInterfaceIndex(logf, netMon, address)
 | |
| 	if err != nil {
 | |
| 		// callee logged
 | |
| 		return nil
 | |
| 	}
 | |
| 
 | |
| 	return bindConnToInterface(c, network, address, idx, logf)
 | |
| }
 | |
| 
 | |
| func getInterfaceIndex(logf logger.Logf, netMon *netmon.Monitor, address string) (int, error) {
 | |
| 	// Helper so we can log errors.
 | |
| 	defaultIdx := func() (int, error) {
 | |
| 		if netMon == nil {
 | |
| 			idx, err := netmon.DefaultRouteInterfaceIndex()
 | |
| 			if err != nil {
 | |
| 				// It's somewhat common for there to be no default gateway route
 | |
| 				// (e.g. on a phone with no connectivity), don't log those errors
 | |
| 				// since they are expected.
 | |
| 				if !errors.Is(err, netmon.ErrNoGatewayIndexFound) {
 | |
| 					logf("[unexpected] netns: DefaultRouteInterfaceIndex: %v", err)
 | |
| 				}
 | |
| 				return -1, err
 | |
| 			}
 | |
| 			return idx, nil
 | |
| 		}
 | |
| 		state := netMon.InterfaceState()
 | |
| 		if state == nil {
 | |
| 			return -1, errInterfaceStateInvalid
 | |
| 		}
 | |
| 
 | |
| 		if iface, ok := state.Interface[state.DefaultRouteInterface]; ok {
 | |
| 			return iface.Index, nil
 | |
| 		}
 | |
| 		return -1, errInterfaceStateInvalid
 | |
| 	}
 | |
| 
 | |
| 	useRoute := bindToInterfaceByRoute.Load() || bindToInterfaceByRouteEnv()
 | |
| 	if !useRoute {
 | |
| 		return defaultIdx()
 | |
| 	}
 | |
| 
 | |
| 	host, _, err := net.SplitHostPort(address)
 | |
| 	if err != nil {
 | |
| 		// No port number; use the string directly.
 | |
| 		host = address
 | |
| 	}
 | |
| 
 | |
| 	// If the address doesn't parse, use the default index.
 | |
| 	addr, err := netip.ParseAddr(host)
 | |
| 	if err != nil {
 | |
| 		logf("[unexpected] netns: error parsing address %q: %v", host, err)
 | |
| 		return defaultIdx()
 | |
| 	}
 | |
| 
 | |
| 	idx, err := interfaceIndexFor(addr, true /* canRecurse */)
 | |
| 	if err != nil {
 | |
| 		logf("netns: error in interfaceIndexFor: %v", err)
 | |
| 		return defaultIdx()
 | |
| 	}
 | |
| 
 | |
| 	// Verify that we didn't just choose the Tailscale interface;
 | |
| 	// if so, we fall back to binding from the default.
 | |
| 	tsif, err2 := tailscaleInterface()
 | |
| 	if err2 == nil && tsif != nil && tsif.Index == idx {
 | |
| 		logf("[unexpected] netns: interfaceIndexFor returned Tailscale interface")
 | |
| 		return defaultIdx()
 | |
| 	}
 | |
| 
 | |
| 	return idx, err
 | |
| }
 | |
| 
 | |
| // tailscaleInterface returns the current machine's Tailscale interface, if any.
 | |
| // If none is found, (nil, nil) is returned.
 | |
| // A non-nil error is only returned on a problem listing the system interfaces.
 | |
| func tailscaleInterface() (*net.Interface, error) {
 | |
| 	ifs, err := net.Interfaces()
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	for _, iface := range ifs {
 | |
| 		if !strings.HasPrefix(iface.Name, "utun") {
 | |
| 			continue
 | |
| 		}
 | |
| 		addrs, err := iface.Addrs()
 | |
| 		if err != nil {
 | |
| 			continue
 | |
| 		}
 | |
| 		for _, a := range addrs {
 | |
| 			if ipnet, ok := a.(*net.IPNet); ok {
 | |
| 				nip, ok := netip.AddrFromSlice(ipnet.IP)
 | |
| 				if ok && tsaddr.IsTailscaleIP(nip.Unmap()) {
 | |
| 					return &iface, nil
 | |
| 				}
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 	return nil, nil
 | |
| }
 | |
| 
 | |
| // interfaceIndexFor returns the interface index that we should bind to in
 | |
| // order to send traffic to the provided address.
 | |
| func interfaceIndexFor(addr netip.Addr, canRecurse bool) (int, error) {
 | |
| 	fd, err := unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW, unix.AF_UNSPEC)
 | |
| 	if err != nil {
 | |
| 		return 0, fmt.Errorf("creating AF_ROUTE socket: %w", err)
 | |
| 	}
 | |
| 	defer unix.Close(fd)
 | |
| 
 | |
| 	var routeAddr route.Addr
 | |
| 	if addr.Is4() {
 | |
| 		routeAddr = &route.Inet4Addr{IP: addr.As4()}
 | |
| 	} else {
 | |
| 		routeAddr = &route.Inet6Addr{IP: addr.As16()}
 | |
| 	}
 | |
| 
 | |
| 	rm := route.RouteMessage{
 | |
| 		// NOTE: This is unix.RTM_VERSION, but we want to pin this to a
 | |
| 		// particular constant so that it doesn't change under us if
 | |
| 		// the x/sys/unix package changes down the road. Currently this
 | |
| 		// is 0x5 on both Darwin x86 and ARM64.
 | |
| 		Version: 0x5,
 | |
| 		Type:    unix.RTM_GET,
 | |
| 		Flags:   unix.RTF_UP,
 | |
| 		ID:      uintptr(os.Getpid()),
 | |
| 		Seq:     1,
 | |
| 		Addrs: []route.Addr{
 | |
| 			unix.RTAX_DST: routeAddr,
 | |
| 		},
 | |
| 	}
 | |
| 	b, err := rm.Marshal()
 | |
| 	if err != nil {
 | |
| 		return 0, fmt.Errorf("marshaling RouteMessage: %w", err)
 | |
| 	}
 | |
| 	_, err = unix.Write(fd, b)
 | |
| 	if err != nil {
 | |
| 		return 0, fmt.Errorf("writing message: %w", err)
 | |
| 	}
 | |
| 
 | |
| 	// On macOS, the RTM_GET call should return exactly one route message.
 | |
| 	// Given the following sizes and constants:
 | |
| 	//    - sizeof(struct rt_msghdr) = 92
 | |
| 	//    - RTAX_MAX = 8
 | |
| 	//    - sizeof(struct sockaddr_in6) = 28
 | |
| 	//    - sizeof(struct sockaddr_in) = 16
 | |
| 	//    - sizeof(struct sockaddr_dl) = 20
 | |
| 	//
 | |
| 	// The maximum buffer size should be:
 | |
| 	//    sizeof(struct rt_msghdr) + RTAX_MAX*sizeof(struct sockaddr_in6)
 | |
| 	//    = 92 + 8*28
 | |
| 	//    = 316
 | |
| 	//
 | |
| 	// During my testing, responses are typically ~120 bytes.
 | |
| 	//
 | |
| 	// We provide a much larger buffer just in case we're off by a bit, or
 | |
| 	// the kernel decides to return more than one message; 2048 bytes
 | |
| 	// should be plenty here. This also means we can do a single Read.
 | |
| 	var buf [2048]byte
 | |
| 	n, err := unix.Read(fd, buf[:])
 | |
| 	if err != nil {
 | |
| 		return 0, fmt.Errorf("reading message: %w", err)
 | |
| 	}
 | |
| 	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf[:n])
 | |
| 	if err != nil {
 | |
| 		return 0, fmt.Errorf("route.ParseRIB: %w", err)
 | |
| 	}
 | |
| 	if len(msgs) == 0 {
 | |
| 		return 0, fmt.Errorf("no messages")
 | |
| 	}
 | |
| 
 | |
| 	for _, msg := range msgs {
 | |
| 		rm, ok := msg.(*route.RouteMessage)
 | |
| 		if !ok {
 | |
| 			continue
 | |
| 		}
 | |
| 		if rm.Version < 3 || rm.Version > 5 || rm.Type != unix.RTM_GET {
 | |
| 			continue
 | |
| 		}
 | |
| 		if len(rm.Addrs) < unix.RTAX_GATEWAY {
 | |
| 			continue
 | |
| 		}
 | |
| 
 | |
| 		switch addr := rm.Addrs[unix.RTAX_GATEWAY].(type) {
 | |
| 		case *route.LinkAddr:
 | |
| 			return addr.Index, nil
 | |
| 		case *route.Inet4Addr:
 | |
| 			// We can get a gateway IP; recursively call ourselves
 | |
| 			// (exactly once) to get the link (and thus index) for
 | |
| 			// the gateway IP.
 | |
| 			if canRecurse {
 | |
| 				return interfaceIndexFor(netip.AddrFrom4(addr.IP), false)
 | |
| 			}
 | |
| 		case *route.Inet6Addr:
 | |
| 			// As above.
 | |
| 			if canRecurse {
 | |
| 				return interfaceIndexFor(netip.AddrFrom16(addr.IP), false)
 | |
| 			}
 | |
| 		default:
 | |
| 			// Unknown type; skip it
 | |
| 			continue
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return 0, fmt.Errorf("no valid address found")
 | |
| }
 | |
| 
 | |
| // SetListenConfigInterfaceIndex sets lc.Control such that sockets are bound
 | |
| // to the provided interface index.
 | |
| func SetListenConfigInterfaceIndex(lc *net.ListenConfig, ifIndex int) error {
 | |
| 	if lc == nil {
 | |
| 		return errors.New("nil ListenConfig")
 | |
| 	}
 | |
| 	if lc.Control != nil {
 | |
| 		return errors.New("ListenConfig.Control already set")
 | |
| 	}
 | |
| 	lc.Control = func(network, address string, c syscall.RawConn) error {
 | |
| 		return bindConnToInterface(c, network, address, ifIndex, log.Printf)
 | |
| 	}
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| func bindConnToInterface(c syscall.RawConn, network, address string, ifIndex int, logf logger.Logf) error {
 | |
| 	v6 := strings.Contains(address, "]:") || strings.HasSuffix(network, "6") // hacky test for v6
 | |
| 	proto := unix.IPPROTO_IP
 | |
| 	opt := unix.IP_BOUND_IF
 | |
| 	if v6 {
 | |
| 		proto = unix.IPPROTO_IPV6
 | |
| 		opt = unix.IPV6_BOUND_IF
 | |
| 	}
 | |
| 
 | |
| 	var sockErr error
 | |
| 	err := c.Control(func(fd uintptr) {
 | |
| 		sockErr = unix.SetsockoptInt(int(fd), proto, opt, ifIndex)
 | |
| 	})
 | |
| 	if sockErr != nil {
 | |
| 		logf("[unexpected] netns: bindConnToInterface(%q, %q), v6=%v, index=%v: %v", network, address, v6, ifIndex, sockErr)
 | |
| 	}
 | |
| 	if err != nil {
 | |
| 		return fmt.Errorf("RawConn.Control on %T: %w", c, err)
 | |
| 	}
 | |
| 	return sockErr
 | |
| }
 |