mirror of
				https://github.com/tailscale/tailscale.git
				synced 2025-10-26 13:51:10 +01:00 
			
		
		
		
	Now cmd/derper doesn't depend on iptables, nftables, and netlink code :) But this is really just a cleanup step I noticed on the way to making tsnet applications able to not link all the OS router code which they don't use. Updates #17313 Change-Id: Ic7b4e04e3a9639fd198e9dbeb0f7bae22a4a47a9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
		
			
				
	
	
		
			44 lines
		
	
	
		
			1.6 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			44 lines
		
	
	
		
			1.6 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // Copyright (c) Tailscale Inc & AUTHORS
 | |
| // SPDX-License-Identifier: BSD-3-Clause
 | |
| 
 | |
| package tsconst
 | |
| 
 | |
| // Linux firewall constants used by Tailscale.
 | |
| 
 | |
| // The following bits are added to packet marks for Tailscale use.
 | |
| //
 | |
| // We tried to pick bits sufficiently out of the way that it's
 | |
| // unlikely to collide with existing uses. We have 4 bytes of mark
 | |
| // bits to play with. We leave the lower byte alone on the assumption
 | |
| // that sysadmins would use those. Kubernetes uses a few bits in the
 | |
| // second byte, so we steer clear of that too.
 | |
| //
 | |
| // Empirically, most of the documentation on packet marks on the
 | |
| // internet gives the impression that the marks are 16 bits
 | |
| // wide. Based on this, we theorize that the upper two bytes are
 | |
| // relatively unused in the wild, and so we consume bits 16:23 (the
 | |
| // third byte).
 | |
| //
 | |
| // The constants are in the iptables/iproute2 string format for
 | |
| // matching and setting the bits, so they can be directly embedded in
 | |
| // commands.
 | |
| const (
 | |
| 	// The mask for reading/writing the 'firewall mask' bits on a packet.
 | |
| 	// See the comment on the const block on why we only use the third byte.
 | |
| 	//
 | |
| 	// We claim bits 16:23 entirely. For now we only use the lower four
 | |
| 	// bits, leaving the higher 4 bits for future use.
 | |
| 	LinuxFwmarkMask    = "0xff0000"
 | |
| 	LinuxFwmarkMaskNum = 0xff0000
 | |
| 
 | |
| 	// Packet is from Tailscale and to a subnet route destination, so
 | |
| 	// is allowed to be routed through this machine.
 | |
| 	LinuxSubnetRouteMark    = "0x40000"
 | |
| 	LinuxSubnetRouteMarkNum = 0x40000
 | |
| 
 | |
| 	// Packet was originated by tailscaled itself, and must not be
 | |
| 	// routed over the Tailscale network.
 | |
| 	LinuxBypassMark    = "0x80000"
 | |
| 	LinuxBypassMarkNum = 0x80000
 | |
| )
 |