2023-01-27 21:37:20 +00:00
|
|
|
// Copyright (c) Tailscale Inc & AUTHORS
|
|
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
2021-03-25 22:38:40 +00:00
|
|
|
|
|
|
|
package ipnlocal
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2021-11-23 05:45:34 +00:00
|
|
|
"encoding/base64"
|
2021-11-03 18:17:56 +00:00
|
|
|
"encoding/json"
|
2021-03-25 22:38:40 +00:00
|
|
|
"errors"
|
|
|
|
"fmt"
|
|
|
|
"hash/crc32"
|
|
|
|
"html"
|
|
|
|
"io"
|
|
|
|
"net"
|
|
|
|
"net/http"
|
2022-07-26 04:55:44 +01:00
|
|
|
"net/netip"
|
2021-03-29 18:42:33 +01:00
|
|
|
"net/url"
|
|
|
|
"os"
|
2021-03-26 20:44:55 +00:00
|
|
|
"runtime"
|
2023-08-17 06:09:53 +01:00
|
|
|
"slices"
|
2021-04-26 17:48:34 +01:00
|
|
|
"sort"
|
2021-03-25 22:38:40 +00:00
|
|
|
"strconv"
|
2021-03-29 18:42:33 +01:00
|
|
|
"strings"
|
2021-04-08 22:54:25 +01:00
|
|
|
"sync"
|
|
|
|
"time"
|
2021-03-25 22:38:40 +00:00
|
|
|
|
2022-04-26 20:29:41 +01:00
|
|
|
"github.com/kortschak/wol"
|
2021-11-23 17:58:34 +00:00
|
|
|
"golang.org/x/net/dns/dnsmessage"
|
2022-11-19 23:29:15 +00:00
|
|
|
"golang.org/x/net/http/httpguts"
|
2022-11-07 15:46:42 +00:00
|
|
|
"tailscale.com/envknob"
|
2021-12-21 21:52:50 +00:00
|
|
|
"tailscale.com/health"
|
2021-11-03 18:17:56 +00:00
|
|
|
"tailscale.com/hostinfo"
|
2021-03-30 19:19:42 +01:00
|
|
|
"tailscale.com/ipn"
|
2021-11-23 05:45:34 +00:00
|
|
|
"tailscale.com/net/dns/resolver"
|
2021-03-26 04:41:37 +00:00
|
|
|
"tailscale.com/net/interfaces"
|
2022-07-25 04:08:42 +01:00
|
|
|
"tailscale.com/net/netaddr"
|
2022-02-13 22:45:50 +00:00
|
|
|
"tailscale.com/net/netutil"
|
2023-02-03 20:07:58 +00:00
|
|
|
"tailscale.com/net/sockstats"
|
2021-03-25 22:38:40 +00:00
|
|
|
"tailscale.com/tailcfg"
|
2023-10-06 00:05:45 +01:00
|
|
|
"tailscale.com/taildrop"
|
2023-10-06 00:26:06 +01:00
|
|
|
"tailscale.com/tstime"
|
2023-08-21 18:53:57 +01:00
|
|
|
"tailscale.com/types/views"
|
2021-11-18 15:54:24 +00:00
|
|
|
"tailscale.com/util/clientmetric"
|
2023-05-03 04:57:52 +01:00
|
|
|
"tailscale.com/version/distro"
|
2021-11-25 17:43:39 +00:00
|
|
|
"tailscale.com/wgengine/filter"
|
2021-03-25 22:38:40 +00:00
|
|
|
)
|
|
|
|
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-26 05:14:09 +01:00
|
|
|
var initListenConfig func(*net.ListenConfig, netip.Addr, *interfaces.State, string) error
|
2021-03-26 20:44:55 +00:00
|
|
|
|
2021-12-06 22:58:29 +00:00
|
|
|
// addH2C is non-nil on platforms where we want to add H2C
|
|
|
|
// ("cleartext" HTTP/2) support to the peerAPI.
|
|
|
|
var addH2C func(*http.Server)
|
|
|
|
|
2021-03-29 18:42:33 +01:00
|
|
|
type peerAPIServer struct {
|
2023-10-06 00:05:45 +01:00
|
|
|
b *LocalBackend
|
|
|
|
resolver *resolver.Resolver
|
2021-04-20 05:57:08 +01:00
|
|
|
|
2023-10-06 00:05:45 +01:00
|
|
|
taildrop *taildrop.Handler
|
2021-03-30 20:56:00 +01:00
|
|
|
}
|
|
|
|
|
2021-12-01 23:00:23 +00:00
|
|
|
var (
|
|
|
|
errNilPeerAPIServer = errors.New("peerapi unavailable; not listening")
|
|
|
|
)
|
|
|
|
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-26 05:14:09 +01:00
|
|
|
func (s *peerAPIServer) listen(ip netip.Addr, ifState *interfaces.State) (ln net.Listener, err error) {
|
2022-04-20 19:57:34 +01:00
|
|
|
// Android for whatever reason often has problems creating the peerapi listener.
|
|
|
|
// But since we started intercepting it with netstack, it's not even important that
|
|
|
|
// we have a real kernel-level listener. So just create a dummy listener on Android
|
|
|
|
// and let netstack intercept it.
|
|
|
|
if runtime.GOOS == "android" {
|
|
|
|
return newFakePeerAPIListener(ip), nil
|
|
|
|
}
|
|
|
|
|
2021-03-26 20:44:55 +00:00
|
|
|
ipStr := ip.String()
|
2021-03-25 22:38:40 +00:00
|
|
|
|
|
|
|
var lc net.ListenConfig
|
|
|
|
if initListenConfig != nil {
|
|
|
|
// On iOS/macOS, this sets the lc.Control hook to
|
|
|
|
// setsockopt the interface index to bind to, to get
|
|
|
|
// out of the network sandbox.
|
2021-12-01 17:18:17 +00:00
|
|
|
if err := initListenConfig(&lc, ip, ifState, s.b.dialer.TUNName()); err != nil {
|
2021-03-25 22:38:40 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2021-03-26 20:44:55 +00:00
|
|
|
if runtime.GOOS == "darwin" || runtime.GOOS == "ios" {
|
|
|
|
ipStr = ""
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-05-03 21:57:17 +01:00
|
|
|
if s.b.sys.IsNetstack() {
|
2021-03-30 17:54:52 +01:00
|
|
|
ipStr = ""
|
|
|
|
}
|
|
|
|
|
2021-03-26 20:44:55 +00:00
|
|
|
tcp4or6 := "tcp4"
|
|
|
|
if ip.Is6() {
|
|
|
|
tcp4or6 = "tcp6"
|
2021-03-25 22:38:40 +00:00
|
|
|
}
|
2021-03-26 20:44:55 +00:00
|
|
|
|
2021-03-25 22:38:40 +00:00
|
|
|
// Make a best effort to pick a deterministic port number for
|
2022-02-22 21:29:17 +00:00
|
|
|
// the ip. The lower three bytes are the same for IPv4 and IPv6
|
2021-03-25 22:38:40 +00:00
|
|
|
// Tailscale addresses (at least currently), so we'll usually
|
|
|
|
// get the same port number on both address families for
|
|
|
|
// dev/debugging purposes, which is nice. But it's not so
|
|
|
|
// deterministic that people will bake this into clients.
|
|
|
|
// We try a few times just in case something's already
|
|
|
|
// listening on that port (on all interfaces, probably).
|
|
|
|
for try := uint8(0); try < 5; try++ {
|
|
|
|
a16 := ip.As16()
|
|
|
|
hashData := a16[len(a16)-3:]
|
|
|
|
hashData[0] += try
|
|
|
|
tryPort := (32 << 10) | uint16(crc32.ChecksumIEEE(hashData))
|
2021-03-26 20:44:55 +00:00
|
|
|
ln, err = lc.Listen(context.Background(), tcp4or6, net.JoinHostPort(ipStr, strconv.Itoa(int(tryPort))))
|
2021-03-25 22:38:40 +00:00
|
|
|
if err == nil {
|
|
|
|
return ln, nil
|
|
|
|
}
|
|
|
|
}
|
2022-04-20 21:22:42 +01:00
|
|
|
// Fall back to some random ephemeral port.
|
|
|
|
ln, err = lc.Listen(context.Background(), tcp4or6, net.JoinHostPort(ipStr, "0"))
|
|
|
|
|
|
|
|
// And if we're on a platform with netstack (anything but iOS), then just fallback to netstack.
|
|
|
|
if err != nil && runtime.GOOS != "ios" {
|
|
|
|
s.b.logf("peerapi: failed to do peerAPI listen, harmless (netstack available) but error was: %v", err)
|
|
|
|
return newFakePeerAPIListener(ip), nil
|
|
|
|
}
|
|
|
|
return ln, err
|
2021-03-25 22:38:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
type peerAPIListener struct {
|
2021-04-02 06:04:46 +01:00
|
|
|
ps *peerAPIServer
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-26 05:14:09 +01:00
|
|
|
ip netip.Addr
|
2021-04-02 06:04:46 +01:00
|
|
|
lb *LocalBackend
|
|
|
|
|
|
|
|
// ln is the Listener. It can be nil in netstack mode if there are more than
|
|
|
|
// 1 local addresses (e.g. both an IPv4 and IPv6). When it's nil, port
|
|
|
|
// and urlStr are still populated.
|
|
|
|
ln net.Listener
|
|
|
|
|
2022-11-16 17:38:38 +00:00
|
|
|
// urlStr is the base URL to access the PeerAPI (http://ip:port/).
|
2021-03-29 18:42:33 +01:00
|
|
|
urlStr string
|
2021-04-02 06:04:46 +01:00
|
|
|
// port is just the port of urlStr.
|
|
|
|
port int
|
2021-03-26 20:44:55 +00:00
|
|
|
}
|
|
|
|
|
2021-03-30 17:54:52 +01:00
|
|
|
func (pln *peerAPIListener) Close() error {
|
|
|
|
if pln.ln != nil {
|
|
|
|
return pln.ln.Close()
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-03-25 22:38:40 +00:00
|
|
|
func (pln *peerAPIListener) serve() {
|
2021-03-30 17:54:52 +01:00
|
|
|
if pln.ln == nil {
|
|
|
|
return
|
|
|
|
}
|
2021-03-25 22:38:40 +00:00
|
|
|
defer pln.ln.Close()
|
|
|
|
logf := pln.lb.logf
|
|
|
|
for {
|
|
|
|
c, err := pln.ln.Accept()
|
|
|
|
if errors.Is(err, net.ErrClosed) {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
logf("peerapi.Accept: %v", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
ta, ok := c.RemoteAddr().(*net.TCPAddr)
|
|
|
|
if !ok {
|
|
|
|
c.Close()
|
|
|
|
logf("peerapi: unexpected RemoteAddr %#v", c.RemoteAddr())
|
|
|
|
continue
|
|
|
|
}
|
2022-08-03 05:48:56 +01:00
|
|
|
ipp := netaddr.Unmap(ta.AddrPort())
|
|
|
|
if !ipp.IsValid() {
|
2021-03-25 22:38:40 +00:00
|
|
|
logf("peerapi: bogus TCPAddr %#v", ta)
|
|
|
|
c.Close()
|
|
|
|
continue
|
|
|
|
}
|
2022-01-31 17:20:22 +00:00
|
|
|
pln.ServeConn(ipp, c)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-26 05:14:09 +01:00
|
|
|
func (pln *peerAPIListener) ServeConn(src netip.AddrPort, c net.Conn) {
|
2022-01-31 17:20:22 +00:00
|
|
|
logf := pln.lb.logf
|
|
|
|
peerNode, peerUser, ok := pln.lb.WhoIs(src)
|
|
|
|
if !ok {
|
|
|
|
logf("peerapi: unknown peer %v", src)
|
|
|
|
c.Close()
|
|
|
|
return
|
|
|
|
}
|
2022-11-16 19:07:21 +00:00
|
|
|
nm := pln.lb.NetMap()
|
2023-08-21 18:53:57 +01:00
|
|
|
if nm == nil || !nm.SelfNode.Valid() {
|
2022-11-16 19:07:21 +00:00
|
|
|
logf("peerapi: no netmap")
|
|
|
|
c.Close()
|
|
|
|
return
|
|
|
|
}
|
2022-01-31 17:20:22 +00:00
|
|
|
h := &peerAPIHandler{
|
|
|
|
ps: pln.ps,
|
2023-08-21 18:53:57 +01:00
|
|
|
isSelf: nm.SelfNode.User() == peerNode.User(),
|
2022-01-31 17:20:22 +00:00
|
|
|
remoteAddr: src,
|
2022-11-16 19:07:21 +00:00
|
|
|
selfNode: nm.SelfNode,
|
2022-01-31 17:20:22 +00:00
|
|
|
peerNode: peerNode,
|
|
|
|
peerUser: peerUser,
|
|
|
|
}
|
|
|
|
httpServer := &http.Server{
|
|
|
|
Handler: h,
|
|
|
|
}
|
|
|
|
if addH2C != nil {
|
|
|
|
addH2C(httpServer)
|
2021-03-25 22:38:40 +00:00
|
|
|
}
|
2022-12-01 00:21:56 +00:00
|
|
|
go httpServer.Serve(netutil.NewOneConnListener(c, nil))
|
2021-03-25 22:38:40 +00:00
|
|
|
}
|
|
|
|
|
2022-11-16 17:38:38 +00:00
|
|
|
// peerAPIHandler serves the PeerAPI for a source specific client.
|
2021-03-27 04:24:02 +00:00
|
|
|
type peerAPIHandler struct {
|
2021-03-29 18:42:33 +01:00
|
|
|
ps *peerAPIServer
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-26 05:14:09 +01:00
|
|
|
remoteAddr netip.AddrPort
|
2021-03-27 04:24:02 +00:00
|
|
|
isSelf bool // whether peerNode is owned by same user as this node
|
2023-08-21 18:53:57 +01:00
|
|
|
selfNode tailcfg.NodeView // this node; always non-nil
|
2023-08-18 15:57:44 +01:00
|
|
|
peerNode tailcfg.NodeView // peerNode is who's making the request
|
2021-03-27 04:24:02 +00:00
|
|
|
peerUser tailcfg.UserProfile // profile of peerNode
|
2021-03-25 22:38:40 +00:00
|
|
|
}
|
|
|
|
|
2022-03-16 23:27:57 +00:00
|
|
|
func (h *peerAPIHandler) logf(format string, a ...any) {
|
2021-03-29 18:42:33 +01:00
|
|
|
h.ps.b.logf("peerapi: "+format, a...)
|
|
|
|
}
|
|
|
|
|
2023-04-19 23:23:26 +01:00
|
|
|
// isAddressValid reports whether addr is a valid destination address for this
|
|
|
|
// node originating from the peer.
|
|
|
|
func (h *peerAPIHandler) isAddressValid(addr netip.Addr) bool {
|
2023-08-18 15:57:44 +01:00
|
|
|
if v := h.peerNode.SelfNodeV4MasqAddrForThisPeer(); v != nil {
|
2023-09-19 01:03:53 +01:00
|
|
|
return *v == addr
|
|
|
|
}
|
|
|
|
if v := h.peerNode.SelfNodeV6MasqAddrForThisPeer(); v != nil {
|
2023-08-18 15:57:44 +01:00
|
|
|
return *v == addr
|
2023-04-19 23:23:26 +01:00
|
|
|
}
|
|
|
|
pfx := netip.PrefixFrom(addr, addr.BitLen())
|
2023-08-21 18:53:57 +01:00
|
|
|
return views.SliceContains(h.selfNode.Addresses(), pfx)
|
2023-04-19 23:23:26 +01:00
|
|
|
}
|
|
|
|
|
2022-11-16 16:53:51 +00:00
|
|
|
func (h *peerAPIHandler) validateHost(r *http.Request) error {
|
|
|
|
if r.Host == "peer" {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
ap, err := netip.ParseAddrPort(r.Host)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2023-04-19 23:23:26 +01:00
|
|
|
if !h.isAddressValid(ap.Addr()) {
|
|
|
|
return fmt.Errorf("%v not found in self addresses", ap.Addr())
|
2022-11-16 16:53:51 +00:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *peerAPIHandler) validatePeerAPIRequest(r *http.Request) error {
|
|
|
|
if r.Referer() != "" {
|
|
|
|
return errors.New("unexpected Referer")
|
|
|
|
}
|
|
|
|
if r.Header.Get("Origin") != "" {
|
|
|
|
return errors.New("unexpected Origin")
|
|
|
|
}
|
|
|
|
return h.validateHost(r)
|
|
|
|
}
|
|
|
|
|
2022-11-19 23:29:15 +00:00
|
|
|
// peerAPIRequestShouldGetSecurityHeaders reports whether the PeerAPI request r
|
|
|
|
// should get security response headers. It aims to report true for any request
|
|
|
|
// from a browser and false for requests from tailscaled (Go) clients.
|
|
|
|
//
|
|
|
|
// PeerAPI is primarily an RPC mechanism between Tailscale instances. Some of
|
|
|
|
// the HTTP handlers are useful for debugging with curl or browsers, but in
|
|
|
|
// general the client is always tailscaled itself. Because PeerAPI only uses
|
|
|
|
// HTTP/1 without HTTP/2 and its HPACK helping with repetitive headers, we try
|
|
|
|
// to minimize header bytes sent in the common case when the client isn't a
|
|
|
|
// browser. Minimizing bytes is important in particular with the ExitDNS service
|
|
|
|
// provided by exit nodes, processing DNS clients from queries. We don't want to
|
|
|
|
// waste bytes with security headers to non-browser clients. But if there's any
|
|
|
|
// hint that the request is from a browser, then we do.
|
|
|
|
func peerAPIRequestShouldGetSecurityHeaders(r *http.Request) bool {
|
|
|
|
// Accept-Encoding is a forbidden header
|
|
|
|
// (https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name)
|
|
|
|
// that Chrome, Firefox, Safari, etc send, but Go does not. So if we see it,
|
|
|
|
// it's probably a browser and not a Tailscale PeerAPI (Go) client.
|
|
|
|
if httpguts.HeaderValuesContainsToken(r.Header["Accept-Encoding"], "deflate") {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
// Clients can mess with their User-Agent, but if they say Mozilla or have a bunch
|
|
|
|
// of components (spaces) they're likely a browser.
|
|
|
|
if ua := r.Header.Get("User-Agent"); strings.HasPrefix(ua, "Mozilla/") || strings.Count(ua, " ") > 2 {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
// Tailscale/PeerAPI/Go clients don't have an Accept-Language.
|
|
|
|
if r.Header.Get("Accept-Language") != "" {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2021-03-27 04:24:02 +00:00
|
|
|
func (h *peerAPIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
2022-11-16 16:53:51 +00:00
|
|
|
if err := h.validatePeerAPIRequest(r); err != nil {
|
2022-12-09 22:21:53 +00:00
|
|
|
metricInvalidRequests.Add(1)
|
2022-11-16 16:53:51 +00:00
|
|
|
h.logf("invalid request from %v: %v", h.remoteAddr, err)
|
|
|
|
http.Error(w, "invalid peerapi request", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
2022-11-19 23:29:15 +00:00
|
|
|
if peerAPIRequestShouldGetSecurityHeaders(r) {
|
2023-02-23 19:48:03 +00:00
|
|
|
w.Header().Set("Content-Security-Policy", `default-src 'none'; frame-ancestors 'none'; script-src 'none'; script-src-elem 'none'; script-src-attr 'none'; style-src 'unsafe-inline'`)
|
2022-11-19 23:29:15 +00:00
|
|
|
w.Header().Set("X-Frame-Options", "DENY")
|
|
|
|
w.Header().Set("X-Content-Type-Options", "nosniff")
|
|
|
|
}
|
2021-03-29 18:42:33 +01:00
|
|
|
if strings.HasPrefix(r.URL.Path, "/v0/put/") {
|
2022-12-09 22:21:53 +00:00
|
|
|
metricPutCalls.Add(1)
|
2021-04-20 04:21:48 +01:00
|
|
|
h.handlePeerPut(w, r)
|
2021-03-29 18:42:33 +01:00
|
|
|
return
|
|
|
|
}
|
2021-11-23 05:45:34 +00:00
|
|
|
if strings.HasPrefix(r.URL.Path, "/dns-query") {
|
2022-12-09 22:21:53 +00:00
|
|
|
metricDNSCalls.Add(1)
|
2021-11-23 05:45:34 +00:00
|
|
|
h.handleDNSQuery(w, r)
|
|
|
|
return
|
|
|
|
}
|
2021-11-18 15:54:24 +00:00
|
|
|
switch r.URL.Path {
|
|
|
|
case "/v0/goroutines":
|
2021-04-22 21:01:42 +01:00
|
|
|
h.handleServeGoroutines(w, r)
|
|
|
|
return
|
2021-11-18 15:54:24 +00:00
|
|
|
case "/v0/env":
|
2021-11-03 18:17:56 +00:00
|
|
|
h.handleServeEnv(w, r)
|
|
|
|
return
|
2021-11-18 15:54:24 +00:00
|
|
|
case "/v0/metrics":
|
|
|
|
h.handleServeMetrics(w, r)
|
|
|
|
return
|
2021-12-21 18:26:13 +00:00
|
|
|
case "/v0/magicsock":
|
|
|
|
h.handleServeMagicsock(w, r)
|
|
|
|
return
|
2021-12-21 21:52:50 +00:00
|
|
|
case "/v0/dnsfwd":
|
|
|
|
h.handleServeDNSFwd(w, r)
|
|
|
|
return
|
2022-04-26 20:29:41 +01:00
|
|
|
case "/v0/wol":
|
2022-12-09 22:21:53 +00:00
|
|
|
metricWakeOnLANCalls.Add(1)
|
2022-04-26 20:29:41 +01:00
|
|
|
h.handleWakeOnLAN(w, r)
|
|
|
|
return
|
2022-04-26 23:25:48 +01:00
|
|
|
case "/v0/interfaces":
|
|
|
|
h.handleServeInterfaces(w, r)
|
|
|
|
return
|
2023-02-09 22:58:20 +00:00
|
|
|
case "/v0/doctor":
|
|
|
|
h.handleServeDoctor(w, r)
|
2023-02-03 20:07:58 +00:00
|
|
|
case "/v0/sockstats":
|
|
|
|
h.handleServeSockStats(w, r)
|
2023-02-09 22:58:20 +00:00
|
|
|
return
|
2022-11-07 15:46:42 +00:00
|
|
|
case "/v0/ingress":
|
2022-12-09 22:21:53 +00:00
|
|
|
metricIngressCalls.Add(1)
|
2022-11-07 15:46:42 +00:00
|
|
|
h.handleServeIngress(w, r)
|
|
|
|
return
|
2021-11-03 18:17:56 +00:00
|
|
|
}
|
2021-03-27 04:24:02 +00:00
|
|
|
who := h.peerUser.DisplayName
|
2021-03-25 22:38:40 +00:00
|
|
|
fmt.Fprintf(w, `<html>
|
|
|
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
|
|
<body>
|
|
|
|
<h1>Hello, %s (%v)</h1>
|
|
|
|
This is my Tailscale device. Your device is %v.
|
2023-08-18 15:57:44 +01:00
|
|
|
`, html.EscapeString(who), h.remoteAddr.Addr(), html.EscapeString(h.peerNode.ComputedName()))
|
2021-03-25 22:38:40 +00:00
|
|
|
|
2021-03-27 04:24:02 +00:00
|
|
|
if h.isSelf {
|
|
|
|
fmt.Fprintf(w, "<p>You are the owner of this node.\n")
|
|
|
|
}
|
2021-03-25 22:38:40 +00:00
|
|
|
}
|
2021-03-29 18:42:33 +01:00
|
|
|
|
2022-11-07 15:46:42 +00:00
|
|
|
func (h *peerAPIHandler) handleServeIngress(w http.ResponseWriter, r *http.Request) {
|
|
|
|
// http.Errors only useful if hitting endpoint manually
|
|
|
|
// otherwise rely on log lines when debugging ingress connections
|
|
|
|
// as connection is hijacked for bidi and is encrypted tls
|
|
|
|
if !h.canIngress() {
|
|
|
|
h.logf("ingress: denied; no ingress cap from %v", h.remoteAddr)
|
|
|
|
http.Error(w, "denied; no ingress cap", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
logAndError := func(code int, publicMsg string) {
|
|
|
|
h.logf("ingress: bad request from %v: %s", h.remoteAddr, publicMsg)
|
|
|
|
http.Error(w, publicMsg, http.StatusMethodNotAllowed)
|
|
|
|
}
|
|
|
|
bad := func(publicMsg string) {
|
|
|
|
logAndError(http.StatusBadRequest, publicMsg)
|
|
|
|
}
|
|
|
|
if r.Method != "POST" {
|
|
|
|
logAndError(http.StatusMethodNotAllowed, "only POST allowed")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
srcAddrStr := r.Header.Get("Tailscale-Ingress-Src")
|
|
|
|
if srcAddrStr == "" {
|
|
|
|
bad("Tailscale-Ingress-Src header not set")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
srcAddr, err := netip.ParseAddrPort(srcAddrStr)
|
|
|
|
if err != nil {
|
|
|
|
bad("Tailscale-Ingress-Src header invalid; want ip:port")
|
|
|
|
return
|
|
|
|
}
|
2023-03-08 20:36:41 +00:00
|
|
|
target := ipn.HostPort(r.Header.Get("Tailscale-Ingress-Target"))
|
2022-11-07 15:46:42 +00:00
|
|
|
if target == "" {
|
2022-11-13 20:36:33 +00:00
|
|
|
bad("Tailscale-Ingress-Target header not set")
|
2022-11-07 15:46:42 +00:00
|
|
|
return
|
|
|
|
}
|
2023-03-08 20:36:41 +00:00
|
|
|
if _, _, err := net.SplitHostPort(string(target)); err != nil {
|
2022-11-13 20:36:33 +00:00
|
|
|
bad("Tailscale-Ingress-Target header invalid; want host:port")
|
2022-11-07 15:46:42 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-06-09 00:57:40 +01:00
|
|
|
getConnOrReset := func() (net.Conn, bool) {
|
2022-11-07 15:46:42 +00:00
|
|
|
conn, _, err := w.(http.Hijacker).Hijack()
|
|
|
|
if err != nil {
|
|
|
|
h.logf("ingress: failed hijacking conn")
|
|
|
|
http.Error(w, "failed hijacking conn", http.StatusInternalServerError)
|
|
|
|
return nil, false
|
|
|
|
}
|
|
|
|
io.WriteString(conn, "HTTP/1.1 101 Switching Protocols\r\n\r\n")
|
2023-03-08 20:36:41 +00:00
|
|
|
return &ipn.FunnelConn{
|
|
|
|
Conn: conn,
|
|
|
|
Src: srcAddr,
|
|
|
|
Target: target,
|
|
|
|
}, true
|
2022-11-07 15:46:42 +00:00
|
|
|
}
|
|
|
|
sendRST := func() {
|
|
|
|
http.Error(w, "denied", http.StatusForbidden)
|
|
|
|
}
|
|
|
|
|
2023-06-09 00:57:40 +01:00
|
|
|
h.ps.b.HandleIngressTCPConn(h.peerNode, target, srcAddr, getConnOrReset, sendRST)
|
2022-11-07 15:46:42 +00:00
|
|
|
}
|
|
|
|
|
2022-04-26 23:25:48 +01:00
|
|
|
func (h *peerAPIHandler) handleServeInterfaces(w http.ResponseWriter, r *http.Request) {
|
|
|
|
if !h.canDebug() {
|
|
|
|
http.Error(w, "denied; no debug access", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
2022-12-01 01:06:21 +00:00
|
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
|
|
fmt.Fprintln(w, "<h1>Interfaces</h1>")
|
|
|
|
|
|
|
|
if dr, err := interfaces.DefaultRoute(); err == nil {
|
|
|
|
fmt.Fprintf(w, "<h3>Default route is %q(%d)</h3>\n", html.EscapeString(dr.InterfaceName), dr.InterfaceIndex)
|
|
|
|
} else {
|
|
|
|
fmt.Fprintf(w, "<h3>Could not get the default route: %s</h3>\n", html.EscapeString(err.Error()))
|
2022-04-26 23:25:48 +01:00
|
|
|
}
|
|
|
|
|
2023-02-23 19:48:03 +00:00
|
|
|
if hasCGNATInterface, err := interfaces.HasCGNATInterface(); hasCGNATInterface {
|
|
|
|
fmt.Fprintln(w, "<p>There is another interface using the CGNAT range.</p>")
|
|
|
|
} else if err != nil {
|
|
|
|
fmt.Fprintf(w, "<p>Could not check for CGNAT interfaces: %s</p>\n", html.EscapeString(err.Error()))
|
|
|
|
}
|
|
|
|
|
2022-12-01 01:06:21 +00:00
|
|
|
i, err := interfaces.GetList()
|
2022-04-26 23:25:48 +01:00
|
|
|
if err != nil {
|
2022-12-01 01:06:21 +00:00
|
|
|
fmt.Fprintf(w, "Could not get interfaces: %s\n", html.EscapeString(err.Error()))
|
|
|
|
return
|
2022-04-26 23:25:48 +01:00
|
|
|
}
|
|
|
|
|
2023-02-23 19:48:03 +00:00
|
|
|
fmt.Fprintln(w, "<table style='border-collapse: collapse' border=1 cellspacing=0 cellpadding=2>")
|
2022-04-26 23:25:48 +01:00
|
|
|
fmt.Fprint(w, "<tr>")
|
2023-02-23 19:48:03 +00:00
|
|
|
for _, v := range []any{"Index", "Name", "MTU", "Flags", "Addrs", "Extra"} {
|
2022-04-26 23:25:48 +01:00
|
|
|
fmt.Fprintf(w, "<th>%v</th> ", v)
|
|
|
|
}
|
|
|
|
fmt.Fprint(w, "</tr>\n")
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-26 05:14:09 +01:00
|
|
|
i.ForeachInterface(func(iface interfaces.Interface, ipps []netip.Prefix) {
|
2022-04-26 23:25:48 +01:00
|
|
|
fmt.Fprint(w, "<tr>")
|
|
|
|
for _, v := range []any{iface.Index, iface.Name, iface.MTU, iface.Flags, ipps} {
|
2022-12-01 01:06:21 +00:00
|
|
|
fmt.Fprintf(w, "<td>%s</td> ", html.EscapeString(fmt.Sprintf("%v", v)))
|
2022-04-26 23:25:48 +01:00
|
|
|
}
|
2023-02-23 19:48:03 +00:00
|
|
|
if extras, err := interfaces.InterfaceDebugExtras(iface.Index); err == nil && extras != "" {
|
|
|
|
fmt.Fprintf(w, "<td>%s</td> ", html.EscapeString(extras))
|
|
|
|
} else if err != nil {
|
|
|
|
fmt.Fprintf(w, "<td>%s</td> ", html.EscapeString(err.Error()))
|
|
|
|
}
|
2022-04-26 23:25:48 +01:00
|
|
|
fmt.Fprint(w, "</tr>\n")
|
|
|
|
})
|
|
|
|
fmt.Fprintln(w, "</table>")
|
|
|
|
}
|
|
|
|
|
2023-02-09 22:58:20 +00:00
|
|
|
func (h *peerAPIHandler) handleServeDoctor(w http.ResponseWriter, r *http.Request) {
|
|
|
|
if !h.canDebug() {
|
|
|
|
http.Error(w, "denied; no debug access", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
|
|
fmt.Fprintln(w, "<h1>Doctor Output</h1>")
|
|
|
|
|
|
|
|
fmt.Fprintln(w, "<pre>")
|
|
|
|
|
|
|
|
h.ps.b.Doctor(r.Context(), func(format string, args ...any) {
|
2023-02-10 23:40:28 +00:00
|
|
|
line := fmt.Sprintf(format, args...)
|
2023-02-09 22:58:20 +00:00
|
|
|
fmt.Fprintln(w, html.EscapeString(line))
|
|
|
|
})
|
|
|
|
|
|
|
|
fmt.Fprintln(w, "</pre>")
|
|
|
|
}
|
|
|
|
|
2023-02-03 20:07:58 +00:00
|
|
|
func (h *peerAPIHandler) handleServeSockStats(w http.ResponseWriter, r *http.Request) {
|
|
|
|
if !h.canDebug() {
|
|
|
|
http.Error(w, "denied; no debug access", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
|
|
fmt.Fprintln(w, "<!DOCTYPE html><h1>Socket Stats</h1>")
|
|
|
|
|
2023-04-10 22:25:22 +01:00
|
|
|
if !sockstats.IsAvailable {
|
|
|
|
fmt.Fprintln(w, "Socket stats are not available for this client")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-03-14 20:34:04 +00:00
|
|
|
stats, interfaceStats, validation := sockstats.Get(), sockstats.GetInterfaces(), sockstats.GetValidation()
|
2023-02-03 20:07:58 +00:00
|
|
|
if stats == nil {
|
|
|
|
fmt.Fprintln(w, "No socket stats available")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
fmt.Fprintln(w, "<table border='1' cellspacing='0' style='border-collapse: collapse;'>")
|
|
|
|
fmt.Fprintln(w, "<thead>")
|
|
|
|
fmt.Fprintln(w, "<th>Label</th>")
|
|
|
|
fmt.Fprintln(w, "<th>Tx</th>")
|
|
|
|
fmt.Fprintln(w, "<th>Rx</th>")
|
2023-03-14 20:34:04 +00:00
|
|
|
for _, iface := range interfaceStats.Interfaces {
|
2023-02-03 20:07:58 +00:00
|
|
|
fmt.Fprintf(w, "<th>Tx (%s)</th>", html.EscapeString(iface))
|
|
|
|
fmt.Fprintf(w, "<th>Rx (%s)</th>", html.EscapeString(iface))
|
|
|
|
}
|
2023-03-08 00:29:41 +00:00
|
|
|
fmt.Fprintln(w, "<th>Validation</th>")
|
2023-02-03 20:07:58 +00:00
|
|
|
fmt.Fprintln(w, "</thead>")
|
|
|
|
|
|
|
|
fmt.Fprintln(w, "<tbody>")
|
2023-03-06 23:35:50 +00:00
|
|
|
labels := make([]sockstats.Label, 0, len(stats.Stats))
|
2023-02-03 20:07:58 +00:00
|
|
|
for label := range stats.Stats {
|
|
|
|
labels = append(labels, label)
|
|
|
|
}
|
2023-07-28 18:39:04 +01:00
|
|
|
slices.SortFunc(labels, func(a, b sockstats.Label) int {
|
|
|
|
return strings.Compare(a.String(), b.String())
|
2023-03-06 23:35:50 +00:00
|
|
|
})
|
2023-02-03 20:07:58 +00:00
|
|
|
|
2023-03-08 00:29:41 +00:00
|
|
|
txTotal := uint64(0)
|
|
|
|
rxTotal := uint64(0)
|
|
|
|
txTotalByInterface := map[string]uint64{}
|
|
|
|
rxTotalByInterface := map[string]uint64{}
|
2023-02-03 20:07:58 +00:00
|
|
|
|
|
|
|
for _, label := range labels {
|
|
|
|
stat := stats.Stats[label]
|
|
|
|
fmt.Fprintln(w, "<tr>")
|
2023-03-06 23:35:50 +00:00
|
|
|
fmt.Fprintf(w, "<td>%s</td>", html.EscapeString(label.String()))
|
2023-02-03 20:07:58 +00:00
|
|
|
fmt.Fprintf(w, "<td align=right>%d</td>", stat.TxBytes)
|
|
|
|
fmt.Fprintf(w, "<td align=right>%d</td>", stat.RxBytes)
|
|
|
|
|
|
|
|
txTotal += stat.TxBytes
|
|
|
|
rxTotal += stat.RxBytes
|
|
|
|
|
2023-03-14 20:34:04 +00:00
|
|
|
if interfaceStat, ok := interfaceStats.Stats[label]; ok {
|
|
|
|
for _, iface := range interfaceStats.Interfaces {
|
|
|
|
fmt.Fprintf(w, "<td align=right>%d</td>", interfaceStat.TxBytesByInterface[iface])
|
|
|
|
fmt.Fprintf(w, "<td align=right>%d</td>", interfaceStat.RxBytesByInterface[iface])
|
|
|
|
txTotalByInterface[iface] += interfaceStat.TxBytesByInterface[iface]
|
|
|
|
rxTotalByInterface[iface] += interfaceStat.RxBytesByInterface[iface]
|
|
|
|
}
|
2023-02-03 20:07:58 +00:00
|
|
|
}
|
2023-03-08 00:29:41 +00:00
|
|
|
|
2023-03-09 19:40:07 +00:00
|
|
|
if validationStat, ok := validation.Stats[label]; ok && (validationStat.RxBytes > 0 || validationStat.TxBytes > 0) {
|
2023-03-08 00:29:41 +00:00
|
|
|
fmt.Fprintf(w, "<td>Tx=%d (%+d) Rx=%d (%+d)</td>",
|
2023-03-09 19:40:07 +00:00
|
|
|
validationStat.TxBytes,
|
|
|
|
int64(validationStat.TxBytes)-int64(stat.TxBytes),
|
|
|
|
validationStat.RxBytes,
|
|
|
|
int64(validationStat.RxBytes)-int64(stat.RxBytes))
|
2023-03-08 00:29:41 +00:00
|
|
|
} else {
|
|
|
|
fmt.Fprintln(w, "<td></td>")
|
|
|
|
}
|
|
|
|
|
2023-02-03 20:07:58 +00:00
|
|
|
fmt.Fprintln(w, "</tr>")
|
|
|
|
}
|
|
|
|
fmt.Fprintln(w, "</tbody>")
|
|
|
|
|
|
|
|
fmt.Fprintln(w, "<tfoot>")
|
|
|
|
fmt.Fprintln(w, "<th>Total</th>")
|
|
|
|
fmt.Fprintf(w, "<th>%d</th>", txTotal)
|
|
|
|
fmt.Fprintf(w, "<th>%d</th>", rxTotal)
|
2023-03-14 20:34:04 +00:00
|
|
|
for _, iface := range interfaceStats.Interfaces {
|
2023-02-03 20:07:58 +00:00
|
|
|
fmt.Fprintf(w, "<th>%d</th>", txTotalByInterface[iface])
|
|
|
|
fmt.Fprintf(w, "<th>%d</th>", rxTotalByInterface[iface])
|
|
|
|
}
|
2023-03-08 00:29:41 +00:00
|
|
|
fmt.Fprintln(w, "<th></th>")
|
2023-02-03 20:07:58 +00:00
|
|
|
fmt.Fprintln(w, "</tfoot>")
|
|
|
|
|
|
|
|
fmt.Fprintln(w, "</table>")
|
2023-04-19 21:45:02 +01:00
|
|
|
|
|
|
|
fmt.Fprintln(w, "<h2>Debug Info</h2>")
|
|
|
|
|
|
|
|
fmt.Fprintln(w, "<pre>")
|
|
|
|
fmt.Fprintln(w, html.EscapeString(sockstats.DebugInfo()))
|
|
|
|
fmt.Fprintln(w, "</pre>")
|
2023-02-03 20:07:58 +00:00
|
|
|
}
|
|
|
|
|
2021-04-08 22:54:25 +01:00
|
|
|
type incomingFile struct {
|
2023-10-06 00:26:06 +01:00
|
|
|
clock tstime.Clock
|
|
|
|
|
|
|
|
name string // "foo.jpg"
|
|
|
|
started time.Time
|
|
|
|
size int64 // or -1 if unknown; never 0
|
|
|
|
w io.Writer // underlying writer
|
|
|
|
sendFileNotify func() // called when done
|
|
|
|
partialPath string // non-empty in direct mode
|
2021-04-08 22:54:25 +01:00
|
|
|
|
|
|
|
mu sync.Mutex
|
|
|
|
copied int64
|
2021-04-16 20:33:04 +01:00
|
|
|
done bool
|
2021-04-08 22:54:25 +01:00
|
|
|
lastNotify time.Time
|
2021-04-12 22:05:44 +01:00
|
|
|
}
|
|
|
|
|
2021-04-16 20:33:04 +01:00
|
|
|
func (f *incomingFile) markAndNotifyDone() {
|
2021-04-12 22:05:44 +01:00
|
|
|
f.mu.Lock()
|
2021-04-16 20:33:04 +01:00
|
|
|
f.done = true
|
2021-04-12 22:05:44 +01:00
|
|
|
f.mu.Unlock()
|
2023-10-06 00:26:06 +01:00
|
|
|
f.sendFileNotify()
|
2021-04-08 22:54:25 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
func (f *incomingFile) Write(p []byte) (n int, err error) {
|
|
|
|
n, err = f.w.Write(p)
|
|
|
|
|
|
|
|
var needNotify bool
|
|
|
|
defer func() {
|
|
|
|
if needNotify {
|
2023-10-06 00:26:06 +01:00
|
|
|
f.sendFileNotify()
|
2021-04-08 22:54:25 +01:00
|
|
|
}
|
|
|
|
}()
|
|
|
|
if n > 0 {
|
|
|
|
f.mu.Lock()
|
|
|
|
defer f.mu.Unlock()
|
|
|
|
f.copied += int64(n)
|
2023-10-06 00:26:06 +01:00
|
|
|
now := f.clock.Now()
|
2021-04-08 22:54:25 +01:00
|
|
|
if f.lastNotify.IsZero() || now.Sub(f.lastNotify) > time.Second {
|
|
|
|
f.lastNotify = now
|
|
|
|
needNotify = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return n, err
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *incomingFile) PartialFile() ipn.PartialFile {
|
|
|
|
f.mu.Lock()
|
|
|
|
defer f.mu.Unlock()
|
|
|
|
return ipn.PartialFile{
|
|
|
|
Name: f.name,
|
|
|
|
Started: f.started,
|
|
|
|
DeclaredSize: f.size,
|
|
|
|
Received: f.copied,
|
2021-04-16 20:33:04 +01:00
|
|
|
PartialPath: f.partialPath,
|
|
|
|
Done: f.done,
|
2021-04-08 22:54:25 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-04-17 16:45:49 +01:00
|
|
|
// canPutFile reports whether h can put a file ("Taildrop") to this node.
|
|
|
|
func (h *peerAPIHandler) canPutFile() bool {
|
2023-08-18 15:57:44 +01:00
|
|
|
if h.peerNode.UnsignedPeerAPIOnly() {
|
2022-11-23 23:14:25 +00:00
|
|
|
// Unsigned peers can't send files.
|
|
|
|
return false
|
|
|
|
}
|
2023-07-25 05:07:00 +01:00
|
|
|
return h.isSelf || h.peerHasCap(tailcfg.PeerCapabilityFileSharingSend)
|
2022-04-18 18:06:41 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// canDebug reports whether h can debug this node (goroutines, metrics,
|
|
|
|
// magicsock internal state, etc).
|
|
|
|
func (h *peerAPIHandler) canDebug() bool {
|
2023-09-18 17:36:26 +01:00
|
|
|
if !h.selfNode.HasCap(tailcfg.CapabilityDebug) {
|
2022-11-16 18:36:01 +00:00
|
|
|
// This node does not expose debug info.
|
|
|
|
return false
|
|
|
|
}
|
2023-08-18 15:57:44 +01:00
|
|
|
if h.peerNode.UnsignedPeerAPIOnly() {
|
2022-11-23 23:14:25 +00:00
|
|
|
// Unsigned peers can't debug.
|
|
|
|
return false
|
|
|
|
}
|
2023-07-25 05:07:00 +01:00
|
|
|
return h.isSelf || h.peerHasCap(tailcfg.PeerCapabilityDebugPeer)
|
2022-04-18 18:06:41 +01:00
|
|
|
}
|
|
|
|
|
2022-04-26 20:29:41 +01:00
|
|
|
// canWakeOnLAN reports whether h can send a Wake-on-LAN packet from this node.
|
|
|
|
func (h *peerAPIHandler) canWakeOnLAN() bool {
|
2023-08-18 15:57:44 +01:00
|
|
|
if h.peerNode.UnsignedPeerAPIOnly() {
|
2023-01-10 23:40:07 +00:00
|
|
|
return false
|
|
|
|
}
|
2023-07-25 05:07:00 +01:00
|
|
|
return h.isSelf || h.peerHasCap(tailcfg.PeerCapabilityWakeOnLAN)
|
2022-04-26 20:29:41 +01:00
|
|
|
}
|
|
|
|
|
2022-11-07 15:46:42 +00:00
|
|
|
var allowSelfIngress = envknob.RegisterBool("TS_ALLOW_SELF_INGRESS")
|
|
|
|
|
|
|
|
// canIngress reports whether h can send ingress requests to this node.
|
|
|
|
func (h *peerAPIHandler) canIngress() bool {
|
2023-07-25 05:07:00 +01:00
|
|
|
return h.peerHasCap(tailcfg.PeerCapabilityIngress) || (allowSelfIngress() && h.isSelf)
|
2022-11-07 15:46:42 +00:00
|
|
|
}
|
|
|
|
|
2023-07-25 05:07:00 +01:00
|
|
|
func (h *peerAPIHandler) peerHasCap(wantCap tailcfg.PeerCapability) bool {
|
|
|
|
return h.ps.b.PeerCaps(h.remoteAddr.Addr()).HasCapability(wantCap)
|
2022-04-17 16:45:49 +01:00
|
|
|
}
|
|
|
|
|
2021-04-20 04:21:48 +01:00
|
|
|
func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
|
2022-11-24 04:16:31 +00:00
|
|
|
if !envknob.CanTaildrop() {
|
|
|
|
http.Error(w, "Taildrop disabled on device", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
2022-04-17 16:45:49 +01:00
|
|
|
if !h.canPutFile() {
|
|
|
|
http.Error(w, "Taildrop access denied", http.StatusForbidden)
|
2021-03-29 18:42:33 +01:00
|
|
|
return
|
|
|
|
}
|
2021-04-16 18:57:46 +01:00
|
|
|
if !h.ps.b.hasCapFileSharing() {
|
|
|
|
http.Error(w, "file sharing not enabled by Tailscale admin", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
2021-03-29 18:42:33 +01:00
|
|
|
if r.Method != "PUT" {
|
2021-04-20 05:00:25 +01:00
|
|
|
http.Error(w, "expected method PUT", http.StatusMethodNotAllowed)
|
2021-03-29 18:42:33 +01:00
|
|
|
return
|
|
|
|
}
|
2023-10-06 00:05:45 +01:00
|
|
|
if mayDeref(h.ps.taildrop).RootDir == "" {
|
|
|
|
http.Error(w, taildrop.ErrNoTaildrop.Error(), http.StatusInternalServerError)
|
2021-03-29 18:42:33 +01:00
|
|
|
return
|
|
|
|
}
|
2023-10-06 00:05:45 +01:00
|
|
|
if distro.Get() == distro.Unraid && !h.ps.taildrop.DirectFileMode {
|
2023-05-03 04:57:52 +01:00
|
|
|
http.Error(w, "Taildrop folder not configured or accessible", http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
2021-04-20 05:57:08 +01:00
|
|
|
rawPath := r.URL.EscapedPath()
|
2023-02-01 21:43:06 +00:00
|
|
|
suffix, ok := strings.CutPrefix(rawPath, "/v0/put/")
|
2022-09-16 06:08:45 +01:00
|
|
|
if !ok {
|
2021-04-20 05:57:08 +01:00
|
|
|
http.Error(w, "misconfigured internals", 500)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if suffix == "" {
|
|
|
|
http.Error(w, "empty filename", 400)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if strings.Contains(suffix, "/") {
|
|
|
|
http.Error(w, "directories not supported", 400)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
baseName, err := url.PathUnescape(suffix)
|
|
|
|
if err != nil {
|
|
|
|
http.Error(w, "bad path encoding", 400)
|
|
|
|
return
|
|
|
|
}
|
2023-10-06 00:05:45 +01:00
|
|
|
dstFile, ok := h.ps.taildrop.DiskPath(baseName)
|
2021-03-30 20:56:00 +01:00
|
|
|
if !ok {
|
|
|
|
http.Error(w, "bad filename", 400)
|
2021-03-29 18:42:33 +01:00
|
|
|
return
|
|
|
|
}
|
2023-07-27 20:41:31 +01:00
|
|
|
t0 := h.ps.b.clock.Now()
|
2021-04-26 19:28:27 +01:00
|
|
|
// TODO(bradfitz): prevent same filename being sent by two peers at once
|
2023-09-26 18:22:13 +01:00
|
|
|
|
|
|
|
// prevent same filename being sent twice
|
|
|
|
if _, err := os.Stat(dstFile); err == nil {
|
|
|
|
http.Error(w, "file exists", http.StatusConflict)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-10-06 00:05:45 +01:00
|
|
|
partialFile := dstFile + taildrop.PartialSuffix
|
2021-04-26 19:28:27 +01:00
|
|
|
f, err := os.Create(partialFile)
|
2021-03-29 18:42:33 +01:00
|
|
|
if err != nil {
|
2023-10-06 00:05:45 +01:00
|
|
|
h.logf("put Create error: %v", taildrop.RedactErr(err))
|
2021-03-29 18:42:33 +01:00
|
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
var success bool
|
|
|
|
defer func() {
|
|
|
|
if !success {
|
2021-04-26 19:28:27 +01:00
|
|
|
os.Remove(partialFile)
|
2021-03-29 18:42:33 +01:00
|
|
|
}
|
|
|
|
}()
|
2021-04-08 22:54:25 +01:00
|
|
|
var finalSize int64
|
2021-04-12 22:05:44 +01:00
|
|
|
var inFile *incomingFile
|
2021-04-08 22:54:25 +01:00
|
|
|
if r.ContentLength != 0 {
|
2021-04-12 22:05:44 +01:00
|
|
|
inFile = &incomingFile{
|
2023-10-06 00:26:06 +01:00
|
|
|
clock: h.ps.b.clock,
|
|
|
|
name: baseName,
|
|
|
|
started: h.ps.b.clock.Now(),
|
|
|
|
size: r.ContentLength,
|
|
|
|
w: f,
|
|
|
|
sendFileNotify: h.ps.b.sendFileNotify,
|
2021-04-08 22:54:25 +01:00
|
|
|
}
|
2023-10-06 00:05:45 +01:00
|
|
|
if h.ps.taildrop.DirectFileMode {
|
2021-04-26 19:28:27 +01:00
|
|
|
inFile.partialPath = partialFile
|
2021-04-16 20:33:04 +01:00
|
|
|
}
|
2021-04-08 22:54:25 +01:00
|
|
|
h.ps.b.registerIncomingFile(inFile, true)
|
|
|
|
defer h.ps.b.registerIncomingFile(inFile, false)
|
|
|
|
n, err := io.Copy(inFile, r.Body)
|
|
|
|
if err != nil {
|
2023-10-06 00:05:45 +01:00
|
|
|
err = taildrop.RedactErr(err)
|
2021-04-08 22:54:25 +01:00
|
|
|
f.Close()
|
|
|
|
h.logf("put Copy error: %v", err)
|
|
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
finalSize = n
|
2021-03-29 18:42:33 +01:00
|
|
|
}
|
2023-10-06 00:05:45 +01:00
|
|
|
if err := taildrop.RedactErr(f.Close()); err != nil {
|
2021-03-29 18:42:33 +01:00
|
|
|
h.logf("put Close error: %v", err)
|
|
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
2023-10-06 00:05:45 +01:00
|
|
|
if h.ps.taildrop.DirectFileMode && !h.ps.taildrop.DirectFileDoFinalRename {
|
2021-04-12 22:05:44 +01:00
|
|
|
if inFile != nil { // non-zero length; TODO: notify even for zero length
|
2021-04-16 20:33:04 +01:00
|
|
|
inFile.markAndNotifyDone()
|
2021-04-12 22:05:44 +01:00
|
|
|
}
|
2021-04-26 19:28:27 +01:00
|
|
|
} else {
|
|
|
|
if err := os.Rename(partialFile, dstFile); err != nil {
|
2023-10-06 00:05:45 +01:00
|
|
|
err = taildrop.RedactErr(err)
|
2021-04-26 19:28:27 +01:00
|
|
|
h.logf("put final rename: %v", err)
|
|
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
2021-04-12 22:05:44 +01:00
|
|
|
}
|
2021-03-29 18:42:33 +01:00
|
|
|
|
2023-07-27 20:41:31 +01:00
|
|
|
d := h.ps.b.clock.Since(t0).Round(time.Second / 10)
|
2022-07-25 04:08:42 +01:00
|
|
|
h.logf("got put of %s in %v from %v/%v", approxSize(finalSize), d, h.remoteAddr.Addr(), h.peerNode.ComputedName)
|
2021-03-29 18:42:33 +01:00
|
|
|
|
|
|
|
// TODO: set modtime
|
|
|
|
// TODO: some real response
|
|
|
|
success = true
|
|
|
|
io.WriteString(w, "{}\n")
|
2023-10-06 00:05:45 +01:00
|
|
|
h.ps.taildrop.KnownEmpty.Store(false)
|
2021-04-08 22:54:25 +01:00
|
|
|
h.ps.b.sendFileNotify()
|
2021-03-29 18:42:33 +01:00
|
|
|
}
|
2021-03-30 20:56:00 +01:00
|
|
|
|
|
|
|
func approxSize(n int64) string {
|
|
|
|
if n <= 1<<10 {
|
|
|
|
return "<=1KB"
|
|
|
|
}
|
|
|
|
if n <= 1<<20 {
|
|
|
|
return "<=1MB"
|
|
|
|
}
|
2021-04-22 16:43:52 +01:00
|
|
|
return fmt.Sprintf("~%dMB", n>>20)
|
2021-03-30 20:56:00 +01:00
|
|
|
}
|
2021-04-22 21:01:42 +01:00
|
|
|
|
|
|
|
func (h *peerAPIHandler) handleServeGoroutines(w http.ResponseWriter, r *http.Request) {
|
2022-04-18 18:06:41 +01:00
|
|
|
if !h.canDebug() {
|
|
|
|
http.Error(w, "denied; no debug access", http.StatusForbidden)
|
2021-04-22 21:01:42 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
var buf []byte
|
|
|
|
for size := 4 << 10; size <= 2<<20; size *= 2 {
|
|
|
|
buf = make([]byte, size)
|
|
|
|
buf = buf[:runtime.Stack(buf, true)]
|
|
|
|
if len(buf) < size {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
w.Write(buf)
|
|
|
|
}
|
2021-11-03 18:17:56 +00:00
|
|
|
|
|
|
|
func (h *peerAPIHandler) handleServeEnv(w http.ResponseWriter, r *http.Request) {
|
2022-04-18 18:06:41 +01:00
|
|
|
if !h.canDebug() {
|
|
|
|
http.Error(w, "denied; no debug access", http.StatusForbidden)
|
2021-11-03 18:17:56 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
var data struct {
|
|
|
|
Hostinfo *tailcfg.Hostinfo
|
|
|
|
Uid int
|
|
|
|
Args []string
|
|
|
|
Env []string
|
|
|
|
}
|
|
|
|
data.Hostinfo = hostinfo.New()
|
|
|
|
data.Uid = os.Getuid()
|
|
|
|
data.Args = os.Args
|
|
|
|
data.Env = os.Environ()
|
|
|
|
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
json.NewEncoder(w).Encode(data)
|
|
|
|
}
|
2021-11-18 15:54:24 +00:00
|
|
|
|
2021-12-21 18:26:13 +00:00
|
|
|
func (h *peerAPIHandler) handleServeMagicsock(w http.ResponseWriter, r *http.Request) {
|
2022-04-18 18:06:41 +01:00
|
|
|
if !h.canDebug() {
|
|
|
|
http.Error(w, "denied; no debug access", http.StatusForbidden)
|
2021-12-21 18:26:13 +00:00
|
|
|
return
|
|
|
|
}
|
2023-09-13 04:29:26 +01:00
|
|
|
h.ps.b.magicConn().ServeHTTPDebug(w, r)
|
2021-12-21 18:26:13 +00:00
|
|
|
}
|
|
|
|
|
2021-11-18 15:54:24 +00:00
|
|
|
func (h *peerAPIHandler) handleServeMetrics(w http.ResponseWriter, r *http.Request) {
|
2022-04-18 18:06:41 +01:00
|
|
|
if !h.canDebug() {
|
|
|
|
http.Error(w, "denied; no debug access", http.StatusForbidden)
|
2021-11-18 15:54:24 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "text/plain")
|
|
|
|
clientmetric.WritePrometheusExpositionFormat(w)
|
|
|
|
}
|
2021-11-23 05:45:34 +00:00
|
|
|
|
2021-12-21 21:52:50 +00:00
|
|
|
func (h *peerAPIHandler) handleServeDNSFwd(w http.ResponseWriter, r *http.Request) {
|
2022-04-26 20:29:41 +01:00
|
|
|
if !h.canDebug() {
|
|
|
|
http.Error(w, "denied; no debug access", http.StatusForbidden)
|
2021-12-21 21:52:50 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
dh := health.DebugHandler("dnsfwd")
|
|
|
|
if dh == nil {
|
|
|
|
http.Error(w, "not wired up", 500)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
dh.ServeHTTP(w, r)
|
|
|
|
}
|
|
|
|
|
2022-04-26 20:29:41 +01:00
|
|
|
func (h *peerAPIHandler) handleWakeOnLAN(w http.ResponseWriter, r *http.Request) {
|
|
|
|
if !h.canWakeOnLAN() {
|
|
|
|
http.Error(w, "no WoL access", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if r.Method != "POST" {
|
|
|
|
http.Error(w, "bad method", http.StatusMethodNotAllowed)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
macStr := r.FormValue("mac")
|
|
|
|
if macStr == "" {
|
|
|
|
http.Error(w, "missing 'mac' param", http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
mac, err := net.ParseMAC(macStr)
|
|
|
|
if err != nil {
|
|
|
|
http.Error(w, "bad 'mac' param", http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
2023-10-05 17:49:30 +01:00
|
|
|
var password []byte // TODO(bradfitz): support? does anything use WoL passwords?
|
2023-08-01 23:47:54 +01:00
|
|
|
st := h.ps.b.sys.NetMon.Get().InterfaceState()
|
|
|
|
if st == nil {
|
2022-04-26 20:29:41 +01:00
|
|
|
http.Error(w, "failed to get interfaces state", http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
var res struct {
|
|
|
|
SentTo []string
|
|
|
|
Errors []string
|
|
|
|
}
|
|
|
|
for ifName, ips := range st.InterfaceIPs {
|
|
|
|
for _, ip := range ips {
|
2022-07-25 04:08:42 +01:00
|
|
|
if ip.Addr().IsLoopback() || ip.Addr().Is6() {
|
2022-04-26 20:29:41 +01:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
local := &net.UDPAddr{
|
2022-07-25 04:08:42 +01:00
|
|
|
IP: ip.Addr().AsSlice(),
|
2022-04-26 20:29:41 +01:00
|
|
|
Port: 0,
|
|
|
|
}
|
|
|
|
remote := &net.UDPAddr{
|
|
|
|
IP: net.IPv4bcast,
|
|
|
|
Port: 0,
|
|
|
|
}
|
|
|
|
if err := wol.Wake(mac, password, local, remote); err != nil {
|
|
|
|
res.Errors = append(res.Errors, err.Error())
|
|
|
|
} else {
|
|
|
|
res.SentTo = append(res.SentTo, ifName)
|
|
|
|
}
|
|
|
|
break // one per interface is enough
|
|
|
|
}
|
|
|
|
}
|
|
|
|
sort.Strings(res.SentTo)
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
json.NewEncoder(w).Encode(res)
|
|
|
|
}
|
|
|
|
|
2021-11-23 05:45:34 +00:00
|
|
|
func (h *peerAPIHandler) replyToDNSQueries() bool {
|
2021-11-25 17:43:39 +00:00
|
|
|
if h.isSelf {
|
|
|
|
// If the peer is owned by the same user, just allow it
|
|
|
|
// without further checks.
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
b := h.ps.b
|
|
|
|
if !b.OfferingExitNode() {
|
|
|
|
// If we're not an exit node, there's no point to
|
|
|
|
// being a DNS server for somebody.
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
if !h.remoteAddr.IsValid() {
|
|
|
|
// This should never be the case if the peerAPIHandler
|
|
|
|
// was wired up correctly, but just in case.
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
// Otherwise, we're an exit node but the peer is not us, so
|
|
|
|
// we need to check if they're allowed access to the internet.
|
|
|
|
// As peerapi bypasses wgengine/filter checks, we need to check
|
|
|
|
// ourselves. As a proxy for autogroup:internet access, we see
|
|
|
|
// if we would've accepted a packet to 0.0.0.0:53. We treat
|
|
|
|
// the IP 0.0.0.0 as being "the internet".
|
2022-08-04 05:31:40 +01:00
|
|
|
f := b.filterAtomic.Load()
|
|
|
|
if f == nil {
|
2021-11-25 17:43:39 +00:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
// Note: we check TCP here because the Filter type already had
|
|
|
|
// a CheckTCP method (for unit tests), but it's pretty
|
|
|
|
// arbitrary. DNS runs over TCP and UDP, so sure... we check
|
|
|
|
// TCP.
|
|
|
|
dstIP := netaddr.IPv4(0, 0, 0, 0)
|
2022-07-25 04:08:42 +01:00
|
|
|
remoteIP := h.remoteAddr.Addr()
|
2021-11-25 17:43:39 +00:00
|
|
|
if remoteIP.Is6() {
|
|
|
|
// autogroup:internet for IPv6 is defined to start with 2000::/3,
|
|
|
|
// so use 2000::0 as the probe "the internet" address.
|
2022-07-26 04:55:44 +01:00
|
|
|
dstIP = netip.MustParseAddr("2000::")
|
2021-11-25 17:43:39 +00:00
|
|
|
}
|
|
|
|
verdict := f.CheckTCP(remoteIP, dstIP, 53)
|
|
|
|
return verdict == filter.Accept
|
2021-11-23 05:45:34 +00:00
|
|
|
}
|
|
|
|
|
2021-11-23 17:58:34 +00:00
|
|
|
// handleDNSQuery implements a DoH server (RFC 8484) over the peerapi.
|
|
|
|
// It's not over HTTPS as the spec dictates, but rather HTTP-over-WireGuard.
|
2021-11-23 05:45:34 +00:00
|
|
|
func (h *peerAPIHandler) handleDNSQuery(w http.ResponseWriter, r *http.Request) {
|
|
|
|
if h.ps.resolver == nil {
|
|
|
|
http.Error(w, "DNS not wired up", http.StatusNotImplemented)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if !h.replyToDNSQueries() {
|
|
|
|
http.Error(w, "DNS access denied", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
2021-11-23 17:58:34 +00:00
|
|
|
pretty := false // non-DoH debug mode for humans
|
2021-11-23 05:45:34 +00:00
|
|
|
q, publicError := dohQuery(r)
|
2021-11-23 17:58:34 +00:00
|
|
|
if publicError != "" && r.Method == "GET" {
|
|
|
|
if name := r.FormValue("q"); name != "" {
|
|
|
|
pretty = true
|
|
|
|
publicError = ""
|
|
|
|
q = dnsQueryForName(name, r.FormValue("t"))
|
|
|
|
}
|
|
|
|
}
|
2021-11-23 05:45:34 +00:00
|
|
|
if publicError != "" {
|
|
|
|
http.Error(w, publicError, http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
2021-11-23 17:58:34 +00:00
|
|
|
|
|
|
|
// Some timeout that's short enough to be noticed by humans
|
|
|
|
// but long enough that it's longer than real DNS timeouts.
|
|
|
|
const arbitraryTimeout = 5 * time.Second
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(r.Context(), arbitraryTimeout)
|
|
|
|
defer cancel()
|
2021-11-29 22:18:09 +00:00
|
|
|
res, err := h.ps.resolver.HandleExitNodeDNSQuery(ctx, q, h.remoteAddr, h.ps.b.allowExitNodeDNSProxyToServeName)
|
2021-11-23 17:58:34 +00:00
|
|
|
if err != nil {
|
|
|
|
h.logf("handleDNS fwd error: %v", err)
|
|
|
|
if err := ctx.Err(); err != nil {
|
|
|
|
http.Error(w, err.Error(), 500)
|
|
|
|
} else {
|
|
|
|
http.Error(w, "DNS forwarding error", 500)
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if pretty {
|
|
|
|
// Non-standard response for interactive debugging.
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
writePrettyDNSReply(w, res)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/dns-message")
|
2021-11-30 22:18:48 +00:00
|
|
|
w.Header().Set("Content-Length", strconv.Itoa(len(res)))
|
2021-11-23 17:58:34 +00:00
|
|
|
w.Write(res)
|
2021-11-23 05:45:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func dohQuery(r *http.Request) (dnsQuery []byte, publicErr string) {
|
|
|
|
const maxQueryLen = 256 << 10
|
|
|
|
switch r.Method {
|
|
|
|
default:
|
|
|
|
return nil, "bad HTTP method"
|
|
|
|
case "GET":
|
|
|
|
q64 := r.FormValue("dns")
|
|
|
|
if q64 == "" {
|
|
|
|
return nil, "missing 'dns' parameter"
|
|
|
|
}
|
|
|
|
if base64.RawURLEncoding.DecodedLen(len(q64)) > maxQueryLen {
|
|
|
|
return nil, "query too large"
|
|
|
|
}
|
|
|
|
q, err := base64.RawURLEncoding.DecodeString(q64)
|
|
|
|
if err != nil {
|
|
|
|
return nil, "invalid 'dns' base64 encoding"
|
|
|
|
}
|
|
|
|
return q, ""
|
|
|
|
case "POST":
|
|
|
|
if r.Header.Get("Content-Type") != "application/dns-message" {
|
|
|
|
return nil, "unexpected Content-Type"
|
|
|
|
}
|
|
|
|
q, err := io.ReadAll(io.LimitReader(r.Body, maxQueryLen+1))
|
|
|
|
if err != nil {
|
|
|
|
return nil, "error reading post body with DNS query"
|
|
|
|
}
|
|
|
|
if len(q) > maxQueryLen {
|
|
|
|
return nil, "query too large"
|
|
|
|
}
|
|
|
|
return q, ""
|
|
|
|
}
|
|
|
|
}
|
2021-11-23 17:58:34 +00:00
|
|
|
|
|
|
|
func dnsQueryForName(name, typStr string) []byte {
|
|
|
|
typ := dnsmessage.TypeA
|
|
|
|
switch strings.ToLower(typStr) {
|
|
|
|
case "aaaa":
|
|
|
|
typ = dnsmessage.TypeAAAA
|
|
|
|
case "txt":
|
|
|
|
typ = dnsmessage.TypeTXT
|
|
|
|
}
|
|
|
|
b := dnsmessage.NewBuilder(nil, dnsmessage.Header{
|
|
|
|
OpCode: 0, // query
|
|
|
|
RecursionDesired: true,
|
|
|
|
ID: 0,
|
|
|
|
})
|
|
|
|
if !strings.HasSuffix(name, ".") {
|
|
|
|
name += "."
|
|
|
|
}
|
|
|
|
b.StartQuestions()
|
|
|
|
b.Question(dnsmessage.Question{
|
|
|
|
Name: dnsmessage.MustNewName(name),
|
|
|
|
Type: typ,
|
|
|
|
Class: dnsmessage.ClassINET,
|
|
|
|
})
|
|
|
|
msg, _ := b.Finish()
|
|
|
|
return msg
|
|
|
|
}
|
|
|
|
|
|
|
|
func writePrettyDNSReply(w io.Writer, res []byte) (err error) {
|
|
|
|
defer func() {
|
|
|
|
if err != nil {
|
|
|
|
j, _ := json.Marshal(struct {
|
|
|
|
Error string
|
|
|
|
}{err.Error()})
|
2021-11-29 22:18:09 +00:00
|
|
|
j = append(j, '\n')
|
2021-11-23 17:58:34 +00:00
|
|
|
w.Write(j)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
var p dnsmessage.Parser
|
2021-11-29 22:18:09 +00:00
|
|
|
hdr, err := p.Start(res)
|
|
|
|
if err != nil {
|
2021-11-23 17:58:34 +00:00
|
|
|
return err
|
|
|
|
}
|
2021-11-29 22:18:09 +00:00
|
|
|
if hdr.RCode != dnsmessage.RCodeSuccess {
|
|
|
|
return fmt.Errorf("DNS RCode = %v", hdr.RCode)
|
|
|
|
}
|
2021-11-23 17:58:34 +00:00
|
|
|
if err := p.SkipAllQuestions(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
var gotIPs []string
|
|
|
|
for {
|
|
|
|
h, err := p.AnswerHeader()
|
|
|
|
if err == dnsmessage.ErrSectionDone {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if h.Class != dnsmessage.ClassINET {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
switch h.Type {
|
|
|
|
case dnsmessage.TypeA:
|
|
|
|
r, err := p.AResource()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
gotIPs = append(gotIPs, net.IP(r.A[:]).String())
|
|
|
|
case dnsmessage.TypeAAAA:
|
|
|
|
r, err := p.AAAAResource()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
gotIPs = append(gotIPs, net.IP(r.AAAA[:]).String())
|
|
|
|
case dnsmessage.TypeTXT:
|
|
|
|
r, err := p.TXTResource()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
gotIPs = append(gotIPs, r.TXT...)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
j, _ := json.Marshal(gotIPs)
|
|
|
|
j = append(j, '\n')
|
|
|
|
w.Write(j)
|
|
|
|
return nil
|
|
|
|
}
|
2022-04-20 19:57:34 +01:00
|
|
|
|
|
|
|
// newFakePeerAPIListener creates a new net.Listener that acts like
|
|
|
|
// it's listening on the provided IP address and on TCP port 1.
|
|
|
|
//
|
|
|
|
// See docs on fakePeerAPIListener.
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-26 05:14:09 +01:00
|
|
|
func newFakePeerAPIListener(ip netip.Addr) net.Listener {
|
2022-04-20 19:57:34 +01:00
|
|
|
return &fakePeerAPIListener{
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-26 05:14:09 +01:00
|
|
|
addr: net.TCPAddrFromAddrPort(netip.AddrPortFrom(ip, 1)),
|
2022-04-20 19:57:34 +01:00
|
|
|
closed: make(chan struct{}),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// fakePeerAPIListener is a net.Listener that has an Addr method returning a TCPAddr
|
|
|
|
// for a given IP on port 1 (arbitrary) and can be Closed, but otherwise Accept
|
|
|
|
// just blocks forever until closed. The purpose of this is to let the rest
|
|
|
|
// of the LocalBackend/PeerAPI code run and think it's talking to the kernel,
|
|
|
|
// even if the kernel isn't cooperating (like on Android: Issue 4449, 4293, etc)
|
|
|
|
// or we lack permission to listen on a port. It's okay to not actually listen via
|
|
|
|
// the kernel because on almost all platforms (except iOS as of 2022-04-20) we
|
2022-09-25 19:29:55 +01:00
|
|
|
// also intercept incoming netstack TCP requests to our peerapi port and hand them over
|
2022-04-20 19:57:34 +01:00
|
|
|
// directly to peerapi, without involving the kernel. So this doesn't need to be
|
|
|
|
// real. But the port number we return (1, in this case) is the port number we advertise
|
|
|
|
// to peers and they connect to. 1 seems pretty safe to use. Even if the kernel's
|
|
|
|
// using it, it doesn't matter, as we intercept it first in netstack and the kernel
|
|
|
|
// never notices.
|
|
|
|
//
|
|
|
|
// Eventually we'll remove this code and do this on all platforms, when iOS also uses
|
|
|
|
// netstack.
|
|
|
|
type fakePeerAPIListener struct {
|
|
|
|
addr net.Addr
|
|
|
|
|
|
|
|
closeOnce sync.Once
|
|
|
|
closed chan struct{}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (fl *fakePeerAPIListener) Close() error {
|
|
|
|
fl.closeOnce.Do(func() { close(fl.closed) })
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (fl *fakePeerAPIListener) Accept() (net.Conn, error) {
|
|
|
|
<-fl.closed
|
2022-04-25 19:02:59 +01:00
|
|
|
return nil, net.ErrClosed
|
2022-04-20 19:57:34 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
func (fl *fakePeerAPIListener) Addr() net.Addr { return fl.addr }
|
2022-12-09 22:21:53 +00:00
|
|
|
|
|
|
|
var (
|
|
|
|
metricInvalidRequests = clientmetric.NewCounter("peerapi_invalid_requests")
|
|
|
|
|
|
|
|
// Non-debug PeerAPI endpoints.
|
|
|
|
metricPutCalls = clientmetric.NewCounter("peerapi_put")
|
|
|
|
metricDNSCalls = clientmetric.NewCounter("peerapi_dns")
|
|
|
|
metricWakeOnLANCalls = clientmetric.NewCounter("peerapi_wol")
|
|
|
|
metricIngressCalls = clientmetric.NewCounter("peerapi_ingress")
|
|
|
|
)
|