2023-01-27 21:37:20 +00:00
|
|
|
// Copyright (c) Tailscale Inc & AUTHORS
|
|
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
2021-06-22 23:29:01 +01:00
|
|
|
|
2022-06-09 01:14:37 +01:00
|
|
|
//go:build !js
|
2022-06-11 20:00:12 +01:00
|
|
|
|
2022-06-09 01:14:37 +01:00
|
|
|
// (no raw sockets in JS/WASM)
|
2021-07-22 21:22:58 +01:00
|
|
|
|
2021-06-22 23:29:01 +01:00
|
|
|
package portmapper
|
|
|
|
|
|
|
|
import (
|
2021-08-03 06:09:50 +01:00
|
|
|
"bufio"
|
|
|
|
"bytes"
|
2023-12-16 04:28:32 +00:00
|
|
|
"cmp"
|
2021-06-22 23:29:01 +01:00
|
|
|
"context"
|
2023-09-11 17:15:02 +01:00
|
|
|
"encoding/xml"
|
2021-06-22 23:29:01 +01:00
|
|
|
"fmt"
|
2023-08-21 21:53:47 +01:00
|
|
|
"io"
|
2021-07-20 23:32:34 +01:00
|
|
|
"math/rand"
|
2023-01-13 00:57:02 +00:00
|
|
|
"net"
|
2021-08-03 06:09:50 +01:00
|
|
|
"net/http"
|
2022-07-26 04:55:44 +01:00
|
|
|
"net/netip"
|
2021-06-22 23:29:01 +01:00
|
|
|
"net/url"
|
2023-12-16 04:28:32 +00:00
|
|
|
"slices"
|
2021-08-03 06:09:50 +01:00
|
|
|
"strings"
|
2023-08-21 21:53:47 +01:00
|
|
|
"sync/atomic"
|
2021-06-22 23:29:01 +01:00
|
|
|
"time"
|
|
|
|
|
2021-08-03 06:09:50 +01:00
|
|
|
"github.com/tailscale/goupnp"
|
2021-06-22 23:29:01 +01:00
|
|
|
"github.com/tailscale/goupnp/dcps/internetgateway2"
|
2023-09-11 17:15:02 +01:00
|
|
|
"github.com/tailscale/goupnp/soap"
|
2023-09-11 20:03:39 +01:00
|
|
|
"tailscale.com/envknob"
|
2021-08-03 06:09:50 +01:00
|
|
|
"tailscale.com/net/netns"
|
|
|
|
"tailscale.com/types/logger"
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
"tailscale.com/util/mak"
|
2021-06-22 23:29:01 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
// References:
|
|
|
|
//
|
|
|
|
// WANIP Connection v2: http://upnp.org/specs/gw/UPnP-gw-WANIPConnection-v2-Service.pdf
|
|
|
|
|
|
|
|
// upnpMapping is a port mapping over the upnp protocol. After being created it is immutable,
|
|
|
|
// but the client field may be shared across mapping instances.
|
|
|
|
type upnpMapping struct {
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-26 05:14:09 +01:00
|
|
|
gw netip.Addr
|
|
|
|
external netip.AddrPort
|
|
|
|
internal netip.AddrPort
|
2021-06-22 23:29:01 +01:00
|
|
|
goodUntil time.Time
|
|
|
|
renewAfter time.Time
|
|
|
|
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
// rootDev is the UPnP root device, and may be reused across different
|
|
|
|
// UPnP mappings.
|
|
|
|
rootDev *goupnp.RootDevice
|
|
|
|
// loc is the location used to fetch the rootDev
|
|
|
|
loc *url.URL
|
|
|
|
// client is the most recent UPnP client used, and should only be used
|
|
|
|
// to release an existing mapping; new mappings should be selected from
|
|
|
|
// the rootDev on each attempt.
|
2021-06-22 23:29:01 +01:00
|
|
|
client upnpClient
|
|
|
|
}
|
|
|
|
|
2023-03-04 19:40:59 +00:00
|
|
|
// upnpProtocolUDP represents the protocol name for UDP, to be used in the UPnP
|
|
|
|
// <AddPortMapping> message in the <NewProtocol> field.
|
|
|
|
//
|
|
|
|
// NOTE: this must be an upper-case string, or certain routers will reject the
|
|
|
|
// mapping request. Other implementations like miniupnp send an upper-case
|
|
|
|
// protocol as well. See:
|
|
|
|
//
|
|
|
|
// https://github.com/tailscale/tailscale/issues/7377
|
|
|
|
const upnpProtocolUDP = "UDP"
|
|
|
|
|
2023-12-19 20:47:34 +00:00
|
|
|
func (u *upnpMapping) MappingType() string { return "upnp" }
|
2021-06-22 23:29:01 +01:00
|
|
|
func (u *upnpMapping) GoodUntil() time.Time { return u.goodUntil }
|
|
|
|
func (u *upnpMapping) RenewAfter() time.Time { return u.renewAfter }
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-26 05:14:09 +01:00
|
|
|
func (u *upnpMapping) External() netip.AddrPort { return u.external }
|
2023-12-19 20:47:34 +00:00
|
|
|
func (u *upnpMapping) MappingDebug() string {
|
|
|
|
return fmt.Sprintf("upnpMapping{gw:%v, external:%v, internal:%v, renewAfter:%d, goodUntil:%d, loc:%q}",
|
|
|
|
u.gw, u.external, u.internal,
|
|
|
|
u.renewAfter.Unix(), u.goodUntil.Unix(),
|
|
|
|
u.loc)
|
|
|
|
}
|
2021-06-22 23:29:01 +01:00
|
|
|
func (u *upnpMapping) Release(ctx context.Context) {
|
2023-03-04 19:40:59 +00:00
|
|
|
u.client.DeletePortMapping(ctx, "", u.external.Port(), upnpProtocolUDP)
|
2021-06-22 23:29:01 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// upnpClient is an interface over the multiple different clients exported by goupnp,
|
2021-08-03 06:09:50 +01:00
|
|
|
// exposing the functions we need for portmapping. Those clients are auto-generated from XML-specs,
|
|
|
|
// which is why they're not very idiomatic.
|
2021-06-22 23:29:01 +01:00
|
|
|
type upnpClient interface {
|
|
|
|
AddPortMapping(
|
|
|
|
ctx context.Context,
|
|
|
|
|
|
|
|
// remoteHost is the remote device sending packets to this device, in the format of x.x.x.x.
|
|
|
|
// The empty string, "", means any host out on the internet can send packets in.
|
|
|
|
remoteHost string,
|
|
|
|
|
|
|
|
// externalPort is the exposed port of this port mapping. Visible during NAT operations.
|
|
|
|
// 0 will let the router select the port, but there is an additional call,
|
|
|
|
// `AddAnyPortMapping`, which is available on 1 of the 3 possible protocols,
|
|
|
|
// which should be used if available. See `addAnyPortMapping` below, which calls this if
|
|
|
|
// `AddAnyPortMapping` is not supported.
|
|
|
|
externalPort uint16,
|
|
|
|
|
2023-03-04 19:40:59 +00:00
|
|
|
// protocol is whether this is over TCP or UDP. Either "TCP" or "UDP".
|
2021-06-22 23:29:01 +01:00
|
|
|
protocol string,
|
|
|
|
|
|
|
|
// internalPort is the port that the gateway device forwards the traffic to.
|
|
|
|
internalPort uint16,
|
|
|
|
// internalClient is the IP address that packets will be forwarded to for this mapping.
|
|
|
|
// Internal client is of the form "x.x.x.x".
|
|
|
|
internalClient string,
|
|
|
|
|
|
|
|
// enabled is whether this portmapping should be enabled or disabled.
|
|
|
|
enabled bool,
|
|
|
|
// portMappingDescription is a user-readable description of this portmapping.
|
|
|
|
portMappingDescription string,
|
|
|
|
// leaseDurationSec is the duration of this portmapping. The value of this argument must be
|
|
|
|
// greater than 0. From the spec, it appears if it is set to 0, it will switch to using
|
|
|
|
// 604800 seconds, but not sure why this is desired. The recommended time is 3600 seconds.
|
|
|
|
leaseDurationSec uint32,
|
2021-08-03 06:09:50 +01:00
|
|
|
) error
|
2021-06-22 23:29:01 +01:00
|
|
|
|
|
|
|
DeletePortMapping(ctx context.Context, remoteHost string, externalPort uint16, protocol string) error
|
|
|
|
GetExternalIPAddress(ctx context.Context) (externalIPAddress string, err error)
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
GetStatusInfo(ctx context.Context) (status string, lastConnError string, uptime uint32, err error)
|
2021-06-22 23:29:01 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// tsPortMappingDesc gets sent to UPnP clients as a human-readable label for the portmapping.
|
|
|
|
// It is not used for anything other than labelling.
|
|
|
|
const tsPortMappingDesc = "tailscale-portmap"
|
|
|
|
|
2023-08-21 18:54:24 +01:00
|
|
|
// addAnyPortMapping abstracts over different UPnP client connections, calling
|
|
|
|
// the available AddAnyPortMapping call if available for WAN IP connection v2,
|
|
|
|
// otherwise picking either the previous port (if one is present) or a random
|
|
|
|
// port and trying to obtain a mapping using AddPortMapping.
|
|
|
|
//
|
|
|
|
// It returns the new external port (which may not be identical to the external
|
|
|
|
// port specified), or an error.
|
2021-08-03 06:09:50 +01:00
|
|
|
//
|
|
|
|
// TODO(bradfitz): also returned the actual lease duration obtained. and check it regularly.
|
2021-06-22 23:29:01 +01:00
|
|
|
func addAnyPortMapping(
|
|
|
|
ctx context.Context,
|
|
|
|
upnp upnpClient,
|
|
|
|
externalPort uint16,
|
|
|
|
internalPort uint16,
|
|
|
|
internalClient string,
|
|
|
|
leaseDuration time.Duration,
|
|
|
|
) (newPort uint16, err error) {
|
2023-08-21 18:54:24 +01:00
|
|
|
// Some devices don't let clients add a port mapping for privileged
|
|
|
|
// ports (ports below 1024). Additionally, per section 2.3.18 of the
|
|
|
|
// UPnP spec, regarding the ExternalPort field:
|
|
|
|
//
|
|
|
|
// If this value is specified as a wildcard (i.e. 0), connection
|
|
|
|
// request on all external ports (that are not otherwise mapped)
|
|
|
|
// will be forwarded to InternalClient. In the wildcard case, the
|
|
|
|
// value(s) of InternalPort on InternalClient are ignored by the IGD
|
|
|
|
// for those connections that are forwarded to InternalClient.
|
|
|
|
// Obviously only one such entry can exist in the NAT at any time
|
|
|
|
// and conflicts are handled with a “first write wins” behavior.
|
|
|
|
//
|
|
|
|
// We obviously do not want to open all ports on the user's device to
|
|
|
|
// the internet, so we want to do this prior to calling either
|
|
|
|
// AddAnyPortMapping or AddPortMapping.
|
|
|
|
//
|
|
|
|
// Pick an external port that's greater than 1024 by getting a random
|
|
|
|
// number in [0, 65535 - 1024] and then adding 1024 to it, shifting the
|
|
|
|
// range to [1024, 65535].
|
|
|
|
if externalPort < 1024 {
|
|
|
|
externalPort = uint16(rand.Intn(65535-1024) + 1024)
|
|
|
|
}
|
|
|
|
|
|
|
|
// First off, try using AddAnyPortMapping; if there's a conflict, the
|
|
|
|
// router will pick another port and return it.
|
2021-06-22 23:29:01 +01:00
|
|
|
if upnp, ok := upnp.(*internetgateway2.WANIPConnection2); ok {
|
|
|
|
return upnp.AddAnyPortMapping(
|
|
|
|
ctx,
|
|
|
|
"",
|
|
|
|
externalPort,
|
2023-03-04 19:40:59 +00:00
|
|
|
upnpProtocolUDP,
|
2021-06-22 23:29:01 +01:00
|
|
|
internalPort,
|
|
|
|
internalClient,
|
|
|
|
true,
|
|
|
|
tsPortMappingDesc,
|
|
|
|
uint32(leaseDuration.Seconds()),
|
|
|
|
)
|
|
|
|
}
|
2023-03-04 18:38:29 +00:00
|
|
|
|
2023-08-21 18:54:24 +01:00
|
|
|
// Fall back to using AddPortMapping, which requests a mapping to/from
|
|
|
|
// a specific external port.
|
2021-06-22 23:29:01 +01:00
|
|
|
err = upnp.AddPortMapping(
|
|
|
|
ctx,
|
|
|
|
"",
|
|
|
|
externalPort,
|
2023-03-04 19:40:59 +00:00
|
|
|
upnpProtocolUDP,
|
2021-06-22 23:29:01 +01:00
|
|
|
internalPort,
|
|
|
|
internalClient,
|
|
|
|
true,
|
|
|
|
tsPortMappingDesc,
|
|
|
|
uint32(leaseDuration.Seconds()),
|
|
|
|
)
|
2021-07-20 23:32:34 +01:00
|
|
|
return externalPort, err
|
2021-06-22 23:29:01 +01:00
|
|
|
}
|
|
|
|
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
// getUPnPRootDevice fetches the UPnP root device given the discovery response,
|
|
|
|
// ignoring the underlying protocol for now.
|
2021-06-22 23:29:01 +01:00
|
|
|
// Adapted from https://github.com/huin/goupnp/blob/master/GUIDE.md.
|
2021-08-03 06:09:50 +01:00
|
|
|
//
|
|
|
|
// The gw is the detected gateway.
|
|
|
|
//
|
|
|
|
// The meta is the most recently parsed UDP discovery packet response
|
|
|
|
// from the Internet Gateway Device.
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
func getUPnPRootDevice(ctx context.Context, logf logger.Logf, debug DebugKnobs, gw netip.Addr, meta uPnPDiscoResponse) (rootDev *goupnp.RootDevice, loc *url.URL, err error) {
|
2023-09-11 20:03:39 +01:00
|
|
|
if debug.DisableUPnP {
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
return nil, nil, nil
|
2021-06-22 23:29:01 +01:00
|
|
|
}
|
2021-08-03 06:09:50 +01:00
|
|
|
|
|
|
|
if meta.Location == "" {
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
return nil, nil, nil
|
2021-08-03 06:09:50 +01:00
|
|
|
}
|
|
|
|
|
2023-03-02 23:05:30 +00:00
|
|
|
if debug.VerboseLogs {
|
2021-08-03 06:09:50 +01:00
|
|
|
logf("fetching %v", meta.Location)
|
|
|
|
}
|
|
|
|
u, err := url.Parse(meta.Location)
|
|
|
|
if err != nil {
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
return nil, nil, err
|
2021-08-03 06:09:50 +01:00
|
|
|
}
|
|
|
|
|
2022-07-26 04:55:44 +01:00
|
|
|
ipp, err := netip.ParseAddrPort(u.Host)
|
2021-08-03 06:09:50 +01:00
|
|
|
if err != nil {
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
return nil, nil, fmt.Errorf("unexpected host %q in %q", u.Host, meta.Location)
|
2021-08-03 06:09:50 +01:00
|
|
|
}
|
2022-07-25 04:08:42 +01:00
|
|
|
if ipp.Addr() != gw {
|
2023-01-13 00:57:02 +00:00
|
|
|
// https://github.com/tailscale/tailscale/issues/5502
|
|
|
|
logf("UPnP discovered root %q does not match gateway IP %v; repointing at gateway which is assumed to be floating",
|
2021-08-03 06:09:50 +01:00
|
|
|
meta.Location, gw)
|
2023-01-13 00:57:02 +00:00
|
|
|
u.Host = net.JoinHostPort(gw.String(), u.Port())
|
2021-08-03 06:09:50 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// We're fetching a smallish XML document over plain HTTP
|
|
|
|
// across the local LAN, without using DNS. There should be
|
|
|
|
// very few round trips and low latency, so one second is a
|
|
|
|
// long time.
|
|
|
|
ctx, cancel := context.WithTimeout(ctx, time.Second)
|
2021-06-22 23:29:01 +01:00
|
|
|
defer cancel()
|
|
|
|
|
2021-08-03 06:09:50 +01:00
|
|
|
// This part does a network fetch.
|
|
|
|
root, err := goupnp.DeviceByURL(ctx, u)
|
2021-06-22 23:29:01 +01:00
|
|
|
if err != nil {
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
return nil, nil, err
|
2021-06-22 23:29:01 +01:00
|
|
|
}
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
return root, u, nil
|
|
|
|
}
|
2021-06-22 23:29:01 +01:00
|
|
|
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
// selectBestService picks the "best" service from the given UPnP root device
|
|
|
|
// to use to create a port mapping.
|
|
|
|
//
|
|
|
|
// loc is the parsed location that was used to fetch the given RootDevice.
|
|
|
|
//
|
|
|
|
// The provided ctx is not retained in the returned upnpClient, but
|
|
|
|
// its associated HTTP client is (if set via goupnp.WithHTTPClient).
|
|
|
|
func selectBestService(ctx context.Context, logf logger.Logf, root *goupnp.RootDevice, loc *url.URL) (client upnpClient, err error) {
|
|
|
|
method := "none"
|
2021-08-03 06:09:50 +01:00
|
|
|
defer func() {
|
|
|
|
if client == nil {
|
|
|
|
return
|
2021-06-22 23:29:01 +01:00
|
|
|
}
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
logf("saw UPnP type %v at %v; %v (%v), method=%s",
|
2021-08-03 06:09:50 +01:00
|
|
|
strings.TrimPrefix(fmt.Sprintf("%T", client), "*internetgateway2."),
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
loc, root.Device.FriendlyName, root.Device.Manufacturer,
|
|
|
|
method)
|
2021-06-22 23:29:01 +01:00
|
|
|
}()
|
|
|
|
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
// First, get all available clients from the device, and append to our
|
|
|
|
// list of possible clients. Order matters here; we want to prefer
|
|
|
|
// WANIPConnection2 over WANIPConnection1 or WANPPPConnection.
|
|
|
|
wanIP2, _ := internetgateway2.NewWANIPConnection2ClientsFromRootDevice(ctx, root, loc)
|
|
|
|
wanIP1, _ := internetgateway2.NewWANIPConnection1ClientsFromRootDevice(ctx, root, loc)
|
|
|
|
wanPPP, _ := internetgateway2.NewWANPPPConnection1ClientsFromRootDevice(ctx, root, loc)
|
|
|
|
|
|
|
|
var clients []upnpClient
|
|
|
|
for _, v := range wanIP2 {
|
|
|
|
clients = append(clients, v)
|
|
|
|
}
|
|
|
|
for _, v := range wanIP1 {
|
|
|
|
clients = append(clients, v)
|
|
|
|
}
|
|
|
|
for _, v := range wanPPP {
|
|
|
|
clients = append(clients, v)
|
|
|
|
}
|
|
|
|
|
|
|
|
// If we have no clients, then return right now; if we only have one,
|
|
|
|
// just select and return it.
|
|
|
|
if len(clients) == 0 {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
if len(clients) == 1 {
|
|
|
|
method = "single"
|
|
|
|
metricUPnPSelectSingle.Add(1)
|
|
|
|
return clients[0], nil
|
|
|
|
}
|
|
|
|
|
|
|
|
metricUPnPSelectMultiple.Add(1)
|
|
|
|
|
|
|
|
// In order to maximize the chances that we find a valid UPnP device
|
|
|
|
// that can give us a port mapping, we check a few properties:
|
|
|
|
// 1. Whether the device is "online", as defined by GetStatusInfo
|
|
|
|
// 2. Whether the device has an external IP address, as defined by
|
|
|
|
// GetExternalIPAddress
|
|
|
|
// 3. Whether the device's external IP address is a public address
|
|
|
|
// or a private one.
|
|
|
|
//
|
|
|
|
// We prefer a device where all of the above is true, and fall back if
|
|
|
|
// none are found.
|
|
|
|
//
|
|
|
|
// In order to save on network requests, iterate through all devices
|
|
|
|
// and determine how many "points" they have based on the above
|
|
|
|
// criteria, but return immediately if we find one that meets all
|
|
|
|
// three.
|
|
|
|
var (
|
|
|
|
connected = make(map[upnpClient]bool)
|
|
|
|
externalIPs map[upnpClient]netip.Addr
|
|
|
|
)
|
|
|
|
for _, svc := range clients {
|
|
|
|
isConnected := serviceIsConnected(ctx, logf, svc)
|
|
|
|
connected[svc] = isConnected
|
|
|
|
|
|
|
|
// Don't bother checking for an external IP if the device isn't
|
|
|
|
// connected; technically this could happen with a misbehaving
|
|
|
|
// device, but that seems unlikely.
|
|
|
|
if !isConnected {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if the device has an external IP address.
|
|
|
|
extIP, err := svc.GetExternalIPAddress(ctx)
|
|
|
|
if err != nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
externalIP, err := netip.ParseAddr(extIP)
|
|
|
|
if err != nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
mak.Set(&externalIPs, svc, externalIP)
|
|
|
|
|
|
|
|
// If we get here, this device has a non-private external IP
|
|
|
|
// and is up, so we can just return it.
|
|
|
|
if !externalIP.IsPrivate() {
|
|
|
|
method = "ext-public"
|
|
|
|
metricUPnPSelectExternalPublic.Add(1)
|
|
|
|
return svc, nil
|
|
|
|
}
|
2021-08-03 06:09:50 +01:00
|
|
|
}
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
|
|
|
|
// Okay, we have no devices that meet all the available options. Fall
|
|
|
|
// back to first checking for devices that are up and have a private
|
|
|
|
// external IP (order matters), and then devices that are up, and then
|
|
|
|
// just anything at all.
|
|
|
|
//
|
|
|
|
// try=0 Up + private external IP
|
|
|
|
// try=1 Up
|
|
|
|
for try := 0; try <= 1; try++ {
|
|
|
|
for _, svc := range clients {
|
|
|
|
if !connected[svc] {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
_, hasExtIP := externalIPs[svc]
|
|
|
|
if hasExtIP {
|
|
|
|
method = "ext-private"
|
|
|
|
metricUPnPSelectExternalPrivate.Add(1)
|
|
|
|
return svc, nil
|
|
|
|
} else if try == 1 {
|
|
|
|
method = "up"
|
|
|
|
metricUPnPSelectUp.Add(1)
|
|
|
|
return svc, nil
|
|
|
|
}
|
|
|
|
}
|
2021-08-03 06:09:50 +01:00
|
|
|
}
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
|
|
|
|
// Nothing is up, but we have something (length of clients checked
|
|
|
|
// above); just return the first one.
|
|
|
|
metricUPnPSelectNone.Add(1)
|
|
|
|
return clients[0], nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// serviceIsConnected returns whether a given UPnP service is connected, based
|
|
|
|
// on the NewConnectionStatus field returned from GetStatusInfo.
|
|
|
|
func serviceIsConnected(ctx context.Context, logf logger.Logf, svc upnpClient) bool {
|
|
|
|
status, _ /* NewLastConnectionError */, _ /* NewUptime */, err := svc.GetStatusInfo(ctx)
|
|
|
|
if err != nil {
|
|
|
|
return false
|
2021-08-03 06:09:50 +01:00
|
|
|
}
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
return status == "Connected" || status == "Up"
|
2021-08-03 06:09:50 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Client) upnpHTTPClientLocked() *http.Client {
|
|
|
|
if c.uPnPHTTPClient == nil {
|
|
|
|
c.uPnPHTTPClient = &http.Client{
|
|
|
|
Transport: &http.Transport{
|
2023-04-18 00:01:41 +01:00
|
|
|
DialContext: netns.NewDialer(c.logf, c.netMon).DialContext,
|
2021-08-03 06:09:50 +01:00
|
|
|
IdleConnTimeout: 2 * time.Second, // LAN is cheap
|
|
|
|
},
|
|
|
|
}
|
2023-08-21 21:53:47 +01:00
|
|
|
if c.debug.LogHTTP {
|
|
|
|
c.uPnPHTTPClient = requestLogger(c.logf, c.uPnPHTTPClient)
|
|
|
|
}
|
2021-06-22 23:29:01 +01:00
|
|
|
}
|
2021-08-03 06:09:50 +01:00
|
|
|
return c.uPnPHTTPClient
|
2021-06-22 23:29:01 +01:00
|
|
|
}
|
|
|
|
|
2023-09-11 20:03:39 +01:00
|
|
|
var (
|
|
|
|
disableUPnpEnv = envknob.RegisterBool("TS_DISABLE_UPNP")
|
|
|
|
)
|
|
|
|
|
2021-06-22 23:29:01 +01:00
|
|
|
// getUPnPPortMapping attempts to create a port-mapping over the UPnP protocol. On success,
|
|
|
|
// it will return the externally exposed IP and port. Otherwise, it will return a zeroed IP and
|
|
|
|
// port and an error.
|
|
|
|
func (c *Client) getUPnPPortMapping(
|
|
|
|
ctx context.Context,
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-26 05:14:09 +01:00
|
|
|
gw netip.Addr,
|
|
|
|
internal netip.AddrPort,
|
2021-06-22 23:29:01 +01:00
|
|
|
prevPort uint16,
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-26 05:14:09 +01:00
|
|
|
) (external netip.AddrPort, ok bool) {
|
2023-09-11 20:03:39 +01:00
|
|
|
if disableUPnpEnv() || c.debug.DisableUPnP || (c.controlKnobs != nil && c.controlKnobs.DisableUPnP.Load()) {
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-26 05:14:09 +01:00
|
|
|
return netip.AddrPort{}, false
|
2021-06-22 23:29:01 +01:00
|
|
|
}
|
2023-03-02 23:05:30 +00:00
|
|
|
|
2021-06-22 23:29:01 +01:00
|
|
|
now := time.Now()
|
|
|
|
upnp := &upnpMapping{
|
|
|
|
gw: gw,
|
|
|
|
internal: internal,
|
|
|
|
}
|
|
|
|
|
2023-12-16 04:28:32 +00:00
|
|
|
// We can have multiple UPnP "meta" values (which correspond to the
|
|
|
|
// UPnP discovery responses received). We want to try all of them when
|
|
|
|
// obtaining a mapping, but also prefer any existing mapping's root
|
|
|
|
// device (if present), since that will allow us to renew an existing
|
|
|
|
// mapping instead of creating a new one.
|
|
|
|
// Start by grabbing the list of metas, any existing mapping, and
|
|
|
|
// creating a HTTP client for use.
|
2021-06-22 23:29:01 +01:00
|
|
|
c.mu.Lock()
|
|
|
|
oldMapping, ok := c.mapping.(*upnpMapping)
|
2023-12-16 04:28:32 +00:00
|
|
|
metas := c.uPnPMetas
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
ctx = goupnp.WithHTTPClient(ctx, c.upnpHTTPClientLocked())
|
2021-06-22 23:29:01 +01:00
|
|
|
c.mu.Unlock()
|
2023-12-16 04:28:32 +00:00
|
|
|
|
|
|
|
// Wrapper for a uPnPDiscoResponse with an optional existing root
|
|
|
|
// device + URL (if we've got a previous cached mapping).
|
|
|
|
type step struct {
|
|
|
|
rootDev *goupnp.RootDevice // if nil, use 'meta'
|
|
|
|
loc *url.URL // non-nil if rootDev is non-nil
|
|
|
|
meta uPnPDiscoResponse
|
|
|
|
}
|
|
|
|
var steps []step
|
|
|
|
|
|
|
|
// Now, if we have an existing mapping, swap that mapping's entry to
|
|
|
|
// the first entry in our "metas" list so we try it first.
|
|
|
|
haveOldMapping := ok && oldMapping != nil
|
|
|
|
if haveOldMapping && oldMapping.rootDev != nil {
|
|
|
|
steps = append(steps, step{rootDev: oldMapping.rootDev, loc: oldMapping.loc})
|
|
|
|
}
|
|
|
|
// Note: this includes the meta for a previously-cached mapping, in
|
|
|
|
// case the rootDev changes.
|
|
|
|
for _, meta := range metas {
|
|
|
|
steps = append(steps, step{meta: meta})
|
|
|
|
}
|
|
|
|
|
|
|
|
// Now, iterate through every meta that we have trying to get an
|
|
|
|
// external IP address. If we succeed, we'll return; if we fail, we
|
|
|
|
// continue this loop.
|
|
|
|
var errs []error
|
|
|
|
for _, step := range steps {
|
|
|
|
var (
|
|
|
|
rootDev *goupnp.RootDevice
|
|
|
|
loc *url.URL
|
|
|
|
err error
|
|
|
|
)
|
|
|
|
if step.rootDev != nil {
|
|
|
|
rootDev = step.rootDev
|
|
|
|
loc = step.loc
|
|
|
|
} else {
|
|
|
|
rootDev, loc, err = getUPnPRootDevice(ctx, c.logf, c.debug, gw, step.meta)
|
|
|
|
c.vlogf("getUPnPRootDevice: loc=%q err=%v", loc, err)
|
|
|
|
if err != nil {
|
|
|
|
errs = append(errs, err)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if rootDev == nil {
|
|
|
|
continue
|
2021-08-03 06:09:50 +01:00
|
|
|
}
|
2023-12-16 04:28:32 +00:00
|
|
|
|
|
|
|
// This actually performs the port mapping operation using this
|
|
|
|
// root device.
|
|
|
|
//
|
|
|
|
// TODO(andrew-d): this can successfully perform a portmap and
|
|
|
|
// return an externalAddrPort that refers to a non-public IP
|
|
|
|
// address if the first selected RootDevice is a device that is
|
|
|
|
// connected to another internal network. This is still better
|
|
|
|
// than randomly flapping between multiple devices, but we
|
|
|
|
// should probably split this up further to try the best
|
|
|
|
// service (one with an external IP) first, instead of
|
|
|
|
// iterating by device.
|
|
|
|
//
|
|
|
|
// This is probably sufficiently unlikely that I'm leaving that
|
|
|
|
// as a follow-up task if it's necessary.
|
|
|
|
externalAddrPort, client, err := c.tryUPnPPortmapWithDevice(ctx, internal, prevPort, rootDev, loc)
|
2021-06-22 23:29:01 +01:00
|
|
|
if err != nil {
|
2023-12-16 04:28:32 +00:00
|
|
|
errs = append(errs, err)
|
|
|
|
continue
|
2021-06-22 23:29:01 +01:00
|
|
|
}
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
|
2023-12-16 04:28:32 +00:00
|
|
|
// If we get here, we're successful; we can cache this mapping,
|
|
|
|
// update our local port, and then return.
|
|
|
|
//
|
|
|
|
// NOTE: this time might not technically be accurate if we created a
|
|
|
|
// permanent lease above, but we should still re-check the presence of
|
|
|
|
// the lease on a regular basis so we use it anyway.
|
|
|
|
d := time.Duration(pmpMapLifetimeSec) * time.Second
|
|
|
|
upnp.goodUntil = now.Add(d)
|
|
|
|
upnp.renewAfter = now.Add(d / 2)
|
|
|
|
upnp.external = externalAddrPort
|
|
|
|
upnp.rootDev = rootDev
|
|
|
|
upnp.loc = loc
|
|
|
|
upnp.client = client
|
|
|
|
|
|
|
|
c.mu.Lock()
|
|
|
|
defer c.mu.Unlock()
|
|
|
|
c.mapping = upnp
|
|
|
|
c.localPort = externalAddrPort.Port()
|
|
|
|
return upnp.external, true
|
|
|
|
}
|
|
|
|
|
|
|
|
// If we get here, we didn't get anything.
|
|
|
|
// TODO(andrew-d): use or log errs?
|
|
|
|
_ = errs
|
|
|
|
return netip.AddrPort{}, false
|
|
|
|
}
|
|
|
|
|
|
|
|
// tryUPnPPortmapWithDevice attempts to perform a port forward from the given
|
|
|
|
// UPnP device to the 'internal' address. It tries to re-use the previous port,
|
|
|
|
// if a non-zero value is provided, and handles retries and errors about
|
|
|
|
// unsupported features.
|
|
|
|
//
|
|
|
|
// It returns the external address and port that was mapped (i.e. the
|
|
|
|
// address+port that another Tailscale node can use to make a connection to
|
|
|
|
// this one) and the UPnP client that was used to obtain that mapping.
|
|
|
|
func (c *Client) tryUPnPPortmapWithDevice(
|
|
|
|
ctx context.Context,
|
|
|
|
internal netip.AddrPort,
|
|
|
|
prevPort uint16,
|
|
|
|
rootDev *goupnp.RootDevice,
|
|
|
|
loc *url.URL,
|
|
|
|
) (netip.AddrPort, upnpClient, error) {
|
|
|
|
// Select the best mapping service from the given root device. This
|
|
|
|
// makes network requests, and can vary from mapping to mapping if the
|
|
|
|
// upstream device's connection status changes.
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
client, err := selectBestService(ctx, c.logf, rootDev, loc)
|
|
|
|
if err != nil {
|
2023-12-16 04:28:32 +00:00
|
|
|
return netip.AddrPort{}, nil, err
|
2021-06-22 23:29:01 +01:00
|
|
|
}
|
|
|
|
|
2023-09-11 17:15:02 +01:00
|
|
|
// Start by trying to make a temporary lease with a duration.
|
2021-06-22 23:29:01 +01:00
|
|
|
var newPort uint16
|
|
|
|
newPort, err = addAnyPortMapping(
|
|
|
|
ctx,
|
|
|
|
client,
|
|
|
|
prevPort,
|
|
|
|
internal.Port(),
|
2022-07-25 04:08:42 +01:00
|
|
|
internal.Addr().String(),
|
2023-09-11 17:15:02 +01:00
|
|
|
pmpMapLifetimeSec*time.Second,
|
2021-06-22 23:29:01 +01:00
|
|
|
)
|
2023-12-16 04:28:32 +00:00
|
|
|
c.vlogf("addAnyPortMapping: %v, err=%q", newPort, err)
|
2023-09-11 17:15:02 +01:00
|
|
|
|
|
|
|
// If this is an error and the code is
|
|
|
|
// "OnlyPermanentLeasesSupported", then we retry with no lease
|
|
|
|
// duration; see the following issue for details:
|
|
|
|
// https://github.com/tailscale/tailscale/issues/9343
|
|
|
|
if err != nil {
|
2023-09-13 00:16:51 +01:00
|
|
|
code, ok := getUPnPErrorCode(err)
|
|
|
|
if ok {
|
|
|
|
getUPnPErrorsMetric(code).Add(1)
|
|
|
|
}
|
|
|
|
|
2023-09-11 17:15:02 +01:00
|
|
|
// From the UPnP spec: http://upnp.org/specs/gw/UPnP-gw-WANIPConnection-v2-Service.pdf
|
|
|
|
// 725: OnlyPermanentLeasesSupported
|
2023-09-13 00:16:51 +01:00
|
|
|
if ok && code == 725 {
|
2023-09-11 17:15:02 +01:00
|
|
|
newPort, err = addAnyPortMapping(
|
|
|
|
ctx,
|
|
|
|
client,
|
|
|
|
prevPort,
|
|
|
|
internal.Port(),
|
|
|
|
internal.Addr().String(),
|
|
|
|
0, // permanent
|
|
|
|
)
|
2023-12-16 04:28:32 +00:00
|
|
|
c.vlogf("addAnyPortMapping: 725 retry %v, err=%q", newPort, err)
|
2023-09-11 17:15:02 +01:00
|
|
|
}
|
|
|
|
}
|
2021-06-22 23:29:01 +01:00
|
|
|
if err != nil {
|
2023-12-16 04:28:32 +00:00
|
|
|
return netip.AddrPort{}, nil, err
|
2021-06-22 23:29:01 +01:00
|
|
|
}
|
2023-09-11 17:15:02 +01:00
|
|
|
|
2021-06-22 23:29:01 +01:00
|
|
|
// TODO cache this ip somewhere?
|
|
|
|
extIP, err := client.GetExternalIPAddress(ctx)
|
2023-12-16 04:28:32 +00:00
|
|
|
c.vlogf("client.GetExternalIPAddress: %v, %v", extIP, err)
|
2021-06-22 23:29:01 +01:00
|
|
|
if err != nil {
|
2023-12-16 04:28:32 +00:00
|
|
|
return netip.AddrPort{}, nil, err
|
2021-06-22 23:29:01 +01:00
|
|
|
}
|
2022-07-26 04:55:44 +01:00
|
|
|
externalIP, err := netip.ParseAddr(extIP)
|
2021-06-22 23:29:01 +01:00
|
|
|
if err != nil {
|
2023-12-16 04:28:32 +00:00
|
|
|
return netip.AddrPort{}, nil, err
|
2021-06-22 23:29:01 +01:00
|
|
|
}
|
|
|
|
|
2023-12-16 04:28:32 +00:00
|
|
|
return netip.AddrPortFrom(externalIP, newPort), client, nil
|
|
|
|
}
|
2023-09-11 17:15:02 +01:00
|
|
|
|
2023-12-16 04:28:32 +00:00
|
|
|
// processUPnPResponses sorts and deduplicates a list of UPnP discovery
|
|
|
|
// responses, returning the possibly-reduced list.
|
|
|
|
//
|
|
|
|
// It will perform a consistent sort of the provided responses, so if we have
|
|
|
|
// multiple valid UPnP destinations a consistent option will be picked every
|
|
|
|
// time.
|
|
|
|
func processUPnPResponses(metas []uPnPDiscoResponse) []uPnPDiscoResponse {
|
|
|
|
// Sort and compact all responses to remove duplicates; since
|
|
|
|
// we send multiple probes, we often get duplicate responses.
|
|
|
|
slices.SortFunc(metas, func(a, b uPnPDiscoResponse) int {
|
|
|
|
// Sort the USN in reverse, so that
|
|
|
|
// "InternetGatewayDevice:2" sorts before
|
|
|
|
// "InternetGatewayDevice:1".
|
|
|
|
if ii := cmp.Compare(a.USN, b.USN); ii != 0 {
|
|
|
|
return -ii
|
|
|
|
}
|
|
|
|
if ii := cmp.Compare(a.Location, b.Location); ii != 0 {
|
|
|
|
return ii
|
|
|
|
}
|
|
|
|
return cmp.Compare(a.Server, b.Server)
|
|
|
|
})
|
|
|
|
|
|
|
|
// We can get multiple responses that point to a single Location, since
|
|
|
|
// we probe for both ssdp:all and InternetGatewayDevice:1 as
|
|
|
|
// independent packets. Compact by comparing the Location and Server,
|
|
|
|
// but not the USN (which contains the device being offered).
|
|
|
|
//
|
|
|
|
// Since the slices are sorted in reverse above, this means that if we
|
|
|
|
// get a discovery response for both InternetGatewayDevice:1 and
|
|
|
|
// InternetGatewayDevice:2, we'll keep the first
|
|
|
|
// (InternetGatewayDevice:2) response, which is what we want.
|
|
|
|
metas = slices.CompactFunc(metas, func(a, b uPnPDiscoResponse) bool {
|
|
|
|
return a.Location == b.Location && a.Server == b.Server
|
|
|
|
})
|
|
|
|
|
|
|
|
return metas
|
2021-06-22 23:29:01 +01:00
|
|
|
}
|
2021-08-03 06:09:50 +01:00
|
|
|
|
2023-09-13 00:16:51 +01:00
|
|
|
// getUPnPErrorCode returns the UPnP error code from the given response, if the
|
|
|
|
// error is a SOAP error in the proper format, and a boolean indicating whether
|
|
|
|
// the provided error was actually a UPnP error.
|
|
|
|
func getUPnPErrorCode(err error) (int, bool) {
|
2023-09-11 17:15:02 +01:00
|
|
|
soapErr, ok := err.(*soap.SOAPFaultError)
|
|
|
|
if !ok {
|
2023-09-13 00:16:51 +01:00
|
|
|
return 0, false
|
2023-09-11 17:15:02 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
var upnpErr struct {
|
|
|
|
XMLName xml.Name
|
|
|
|
Code int `xml:"errorCode"`
|
|
|
|
Description string `xml:"errorDescription"`
|
|
|
|
}
|
|
|
|
if err := xml.Unmarshal([]byte(soapErr.Detail.Raw), &upnpErr); err != nil {
|
2023-09-13 00:16:51 +01:00
|
|
|
return 0, false
|
2023-09-11 17:15:02 +01:00
|
|
|
}
|
|
|
|
if upnpErr.XMLName.Local != "UPnPError" {
|
2023-09-13 00:16:51 +01:00
|
|
|
return 0, false
|
2023-09-11 17:15:02 +01:00
|
|
|
}
|
2023-09-13 00:16:51 +01:00
|
|
|
return upnpErr.Code, true
|
2023-09-11 17:15:02 +01:00
|
|
|
}
|
|
|
|
|
2021-08-03 06:09:50 +01:00
|
|
|
type uPnPDiscoResponse struct {
|
|
|
|
Location string
|
2021-08-10 22:50:33 +01:00
|
|
|
// Server describes what version the UPnP is, such as MiniUPnPd/2.x.x
|
|
|
|
Server string
|
|
|
|
// USN is the serial number of the device, which also contains
|
|
|
|
// what kind of UPnP service is being offered, i.e. InternetGatewayDevice:2
|
|
|
|
USN string
|
2021-08-03 06:09:50 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// parseUPnPDiscoResponse parses a UPnP HTTP-over-UDP discovery response.
|
|
|
|
func parseUPnPDiscoResponse(body []byte) (uPnPDiscoResponse, error) {
|
|
|
|
var r uPnPDiscoResponse
|
|
|
|
res, err := http.ReadResponse(bufio.NewReaderSize(bytes.NewReader(body), 128), nil)
|
|
|
|
if err != nil {
|
|
|
|
return r, err
|
|
|
|
}
|
|
|
|
r.Location = res.Header.Get("Location")
|
2021-08-10 22:50:33 +01:00
|
|
|
r.Server = res.Header.Get("Server")
|
|
|
|
r.USN = res.Header.Get("Usn")
|
2021-08-03 06:09:50 +01:00
|
|
|
return r, nil
|
|
|
|
}
|
2023-08-21 21:53:47 +01:00
|
|
|
|
|
|
|
type roundTripperFunc func(*http.Request) (*http.Response, error)
|
|
|
|
|
|
|
|
func (r roundTripperFunc) RoundTrip(req *http.Request) (*http.Response, error) {
|
|
|
|
return r(req)
|
|
|
|
}
|
|
|
|
|
|
|
|
func requestLogger(logf logger.Logf, client *http.Client) *http.Client {
|
|
|
|
// Clone the HTTP client, and override the Transport to log to the
|
|
|
|
// provided logger.
|
|
|
|
ret := *client
|
|
|
|
oldTransport := ret.Transport
|
|
|
|
|
|
|
|
var requestCounter atomic.Uint64
|
|
|
|
loggingTransport := roundTripperFunc(func(req *http.Request) (*http.Response, error) {
|
|
|
|
ctr := requestCounter.Add(1)
|
|
|
|
|
|
|
|
// Read the body and re-set it.
|
|
|
|
var (
|
|
|
|
body []byte
|
|
|
|
err error
|
|
|
|
)
|
|
|
|
if req.Body != nil {
|
|
|
|
body, err = io.ReadAll(req.Body)
|
|
|
|
req.Body.Close()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
req.Body = io.NopCloser(bytes.NewReader(body))
|
|
|
|
}
|
|
|
|
|
|
|
|
logf("request[%d]: %s %q body=%q", ctr, req.Method, req.URL, body)
|
|
|
|
|
|
|
|
resp, err := oldTransport.RoundTrip(req)
|
|
|
|
if err != nil {
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
logf("response[%d]: err=%v", ctr, err)
|
2023-08-21 21:53:47 +01:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Read the response body
|
|
|
|
if resp.Body != nil {
|
|
|
|
body, err = io.ReadAll(resp.Body)
|
|
|
|
resp.Body.Close()
|
|
|
|
if err != nil {
|
net/portmapper: be smarter about selecting a UPnP device
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
2023-12-06 16:55:49 +00:00
|
|
|
logf("response[%d]: %d bodyErr=%v", ctr, resp.StatusCode, err)
|
2023-08-21 21:53:47 +01:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
resp.Body = io.NopCloser(bytes.NewReader(body))
|
|
|
|
}
|
|
|
|
|
|
|
|
logf("response[%d]: %d body=%q", ctr, resp.StatusCode, body)
|
|
|
|
return resp, nil
|
|
|
|
})
|
|
|
|
ret.Transport = loggingTransport
|
|
|
|
|
|
|
|
return &ret
|
|
|
|
}
|