From 89af51b84db2a042b03f2443c740886b7ed1ed3b Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Thu, 7 May 2020 17:48:11 +0000
Subject: [PATCH] wgengine: plumb locally advertised subnet routes.

With this change, advertising subnet routes configures the firewall correctly.

Signed-off-by: David Anderson
---
 ipn/local.go | 8 +++++---
 wgengine/userspace.go | 18 +++++++++++-------
 wgengine/watchdog.go | 4 ++--
 wgengine/wgengine.go | 2 +-
 4 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/ipn/local.go b/ipn/local.go
index eb52f277b..277529782 100644
--- a/ipn/local.go
+++ b/ipn/local.go
@@ -658,6 +658,8 @@ func (b *LocalBackend) blockEngineUpdates(block bool) {
 b.mu.Unlock()
 }
 
+// authReconfig pushes a new configuration into wgengine, based on the
+// cached netmap and user prefs.
 func (b *LocalBackend) authReconfig() {
 b.mu.Lock()
 blocked := b.blocked
@@ -705,7 +707,7 @@ func (b *LocalBackend) authReconfig() {
 log.Fatalf("WGCfg: %v", err)
 }
 
- err = b.e.Reconfig(cfg, dom)
+ err = b.e.Reconfig(cfg, dom, uc.AdvertiseRoutes)
 if err == wgengine.ErrNoChanges {
 return
 }
@@ -734,7 +736,7 @@ func (b *LocalBackend) enterState(newState State) {
 b.blockEngineUpdates(true)
 fallthrough
 case Stopped:
- err := b.e.Reconfig(&wgcfg.Config{}, nil)
+ err := b.e.Reconfig(&wgcfg.Config{}, nil, nil)
 if err != nil {
 b.logf("Reconfig(down): %v", err)
 }
@@ -810,7 +812,7 @@ func (b *LocalBackend) stateMachine() {
 
 func (b *LocalBackend) stopEngineAndWait() {
 b.logf("stopEngineAndWait...")
- b.e.Reconfig(&wgcfg.Config{}, nil)
+ b.e.Reconfig(&wgcfg.Config{}, nil, nil)
 b.requestEngineStatusAndWait()
 b.logf("stopEngineAndWait: done.")
 }
diff --git a/wgengine/userspace.go b/wgengine/userspace.go
index f814da523..b9c0e911e 100644
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
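Review bot: In the `err = b.e.Reconfig(cfg, dom, uc.AdvertiseRoutes)` line of the -705 hunk, the routes taken from user prefs are passed straight through to the engine, and nothing in this hunk checks them before they become router and firewall configuration. If prefs are validated when they are set, a short comment on that line saying so would save the next reader the search; if they are not, rejecting entries that cover the node's own address or a default route before calling Reconfig is worth considering, since the engine treats the slice as authoritative. The `if err == wgengine.ErrNoChanges { return }` just below still short-circuits, and whether the engine's no-change detection accounts for the third argument is not visible here — if it does not, a prefs change that alters only AdvertiseRoutes may never reach the router. authReconfig begins and ends outside the hunk.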
@@ -328,7 +328,12 @@ func (e *userspaceEngine) pinger(peerKey wgcfg.Key, ips []wgcfg.IP) {
 // However, we don't actually ever provide it to wireguard and it's not in
 // the traditional wireguard config format. On the other hand, wireguard
 // itself doesn't use the traditional 'dns =' setting either.
-func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, dnsDomains []string) error {
+//
+// TODO(danderson): this function signature is starting to get out of
+// hand. Feels like we either need a wgengine.Config type, or make
+// router and wgengine siblings of each other that interact via glue
+// in ipn.
+func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, dnsDomains []string, localRoutes []wgcfg.CIDR) error {
 e.wgLock.Lock()
 defer e.wgLock.Unlock()
 
@@ -381,12 +386,11 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, dnsDomains []string) error
 }
 
 rs := router.RouteSettings{
- LocalAddr: cidr,
- Cfg: cfg,
- DNS: cfg.DNS,
- DNSDomains: dnsDomains,
- // HACK HACK HACK DO NOT SUBMIT just testing before further plumbing
- SubnetRoutes: []wgcfg.CIDR{{IP: wgcfg.IPv4(192, 168, 17, 0), Mask: 24}},
+ LocalAddr: cidr,
+ Cfg: cfg,
+ DNS: cfg.DNS,
+ DNSDomains: dnsDomains,
+ SubnetRoutes: localRoutes,
 }
 
 // TODO(apenwarr): all the parts of RouteSettings should be "relevant."
diff --git a/wgengine/watchdog.go b/wgengine/watchdog.go
index cba9eab7a..1eb210537 100644
--- a/wgengine/watchdog.go
+++ b/wgengine/watchdog.go
@@ -61,8 +61,8 @@ func (e *watchdogEngine) watchdog(name string, fn func()) {
 })
 }
 
-func (e *watchdogEngine) Reconfig(cfg *wgcfg.Config, dnsDomains []string) error {
- return e.watchdogErr("Reconfig", func() error { return e.wrap.Reconfig(cfg, dnsDomains) })
+func (e *watchdogEngine) Reconfig(cfg *wgcfg.Config, dnsDomains []string, localRoutes []wgcfg.CIDR) error {
+ return e.watchdogErr("Reconfig", func() error { return e.wrap.Reconfig(cfg, dnsDomains, localRoutes) })
 }
 
 func (e *watchdogEngine) GetFilter() *filter.Filter {
 var x *filter.Filter
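Review bot: The new `localRoutes` parameter on `Reconfig` in the -328 hunk is not described anywhere in the doc comment above it; the comment gains a TODO about the signature's size but not what the argument means or whether nil is allowed. Since the next hunk hands it to the router as `SubnetRoutes`, a line such as `// localRoutes lists the subnet routes this node advertises; they are handed to the router as SubnetRoutes, and nil means none.` placed before the TODO paragraph would close that gap. Reconfig's body runs past the hunk, so whether the ErrNoChanges comparison covers localRoutes cannot be confirmed here; if it compares only cfg and dnsDomains, a call that changes nothing but the advertised routes would return early without touching the router, which the "all the parts of RouteSettings should be relevant" TODO in the -381 hunk seems to anticipate.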
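Review bot: `SubnetRoutes: localRoutes,` in the -381 hunk stores the caller's slice in RouteSettings without copying, so the router's settings alias the prefs slice passed down from ipn/local.go, and an in-place edit of that slice by the caller would change the router's view without a Reconfig. If RouteSettings is kept beyond this call (not visible in the hunk), `SubnetRoutes: append([]wgcfg.CIDR(nil), localRoutes...),` detaches it while still yielding nil for the nil argument the Stopped-state callers pass. Cfg is stored as a pointer on the same struct, so if aliasing is accepted there a comment saying the caller must not mutate the arguments after the call is the cheaper alternative.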
diff --git a/wgengine/wgengine.go b/wgengine/wgengine.go
index 1d1554683..dc08ab751 100644
--- a/wgengine/wgengine.go
+++ b/wgengine/wgengine.go
@@ -59,7 +59,7 @@ type Engine interface {
 // sends an updated network map.
 //
 // The returned error is ErrNoChanges if no changes were made.
- Reconfig(cfg *wgcfg.Config, dnsDomains []string) error
+ Reconfig(cfg *wgcfg.Config, dnsDomains []string, localSubnets []wgcfg.CIDR) error
 
 // GetFilter returns the current packet filter, if any.
 GetFilter() *filter.Filter
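Review bot: The interface declares the new argument as `localSubnets` while both implementations in wgengine/userspace.go and wgengine/watchdog.go name it `localRoutes`; one name across the three declarations keeps godoc and the call sites in ipn/local.go consistent, e.g. `Reconfig(cfg *wgcfg.Config, dnsDomains []string, localRoutes []wgcfg.CIDR) error`. The doc comment on Reconfig, which starts above the hunk, says nothing about the argument, so implementers cannot tell whether a nil slice means "advertise nothing" or "leave routes unchanged"; a sentence like `// localRoutes are the subnet routes this node advertises and are installed alongside cfg; nil means no routes.` before the ErrNoChanges sentence would settle that. The ErrNoChanges sentence should also state whether a change only to the routes counts as a change, since that is what ipn/local.go's early return depends on.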