From c48cc08de2517a8faa273a9e0674c32f2e540ace Mon Sep 17 00:00:00 2001 From: Brad Fitzpatrick Date: Fri, 4 Oct 2024 18:20:06 -0700 Subject: [PATCH] wgengine: stop conntrack log spam about Canonical net probes Like we do for the ones on iOS. As a bonus, this removes a caller of tsaddr.IsTailscaleIP which we want to revamp/remove soonish. Updates #13687 Change-Id: Iab576a0c48e9005c7844ab52a0aba5ba343b750e Signed-off-by: Brad Fitzpatrick --- wgengine/pendopen.go | 69 +++++++++++++++++++++++++++++++++++++------- 1 file changed, 58 insertions(+), 11 deletions(-) diff --git a/wgengine/pendopen.go b/wgengine/pendopen.go index 59b1fccda..340c7e0f3 100644 --- a/wgengine/pendopen.go +++ b/wgengine/pendopen.go @@ -5,14 +5,17 @@ package wgengine import ( "fmt" + "net/netip" "runtime" + "strings" "time" + "github.com/gaissmai/bart" "tailscale.com/net/flowtrack" "tailscale.com/net/packet" - "tailscale.com/net/tsaddr" "tailscale.com/net/tstun" "tailscale.com/types/ipproto" + "tailscale.com/types/lazy" "tailscale.com/util/mak" "tailscale.com/wgengine/filter" ) @@ -86,6 +89,57 @@ func (e *userspaceEngine) trackOpenPreFilterIn(pp *packet.Parsed, t *tstun.Wrapp return } +var ( + appleIPRange = netip.MustParsePrefix("17.0.0.0/8") + canonicalIPs = lazy.SyncFunc(func() (checkIPFunc func(netip.Addr) bool) { + // https://bgp.he.net/AS41231#_prefixes + t := &bart.Table[bool]{} + for _, s := range strings.Fields(` + 91.189.89.0/24 + 91.189.91.0/24 + 91.189.92.0/24 + 91.189.93.0/24 + 91.189.94.0/24 + 91.189.95.0/24 + 162.213.32.0/24 + 162.213.34.0/24 + 162.213.35.0/24 + 185.125.188.0/23 + 185.125.190.0/24 + 194.169.254.0/24`) { + t.Insert(netip.MustParsePrefix(s), true) + } + return func(ip netip.Addr) bool { + v, _ := t.Lookup(ip) + return v + } + }) +) + +// isOSNetworkProbe reports whether the target is likely a network +// connectivity probe target from e.g. iOS or Ubuntu network-manager. +// +// iOS likes to probe Apple IPs on all interfaces to check for connectivity. +// Don't start timers tracking those. They won't succeed anyway. Avoids log +// spam like: +func (e *userspaceEngine) isOSNetworkProbe(dst netip.AddrPort) bool { + // iOS had log spam like: + // open-conn-track: timeout opening (100.115.73.60:52501 => 17.125.252.5:443); no associated peer node + if runtime.GOOS == "ios" && dst.Port() == 443 && appleIPRange.Contains(dst.Addr()) { + if _, ok := e.PeerForIP(dst.Addr()); !ok { + return true + } + } + // NetworkManager; https://github.com/tailscale/tailscale/issues/13687 + // open-conn-track: timeout opening (TCP 100.96.229.119:42798 => 185.125.190.49:80); no associated peer node + if runtime.GOOS == "linux" && dst.Port() == 80 && canonicalIPs()(dst.Addr()) { + if _, ok := e.PeerForIP(dst.Addr()); !ok { + return true + } + } + return false +} + func (e *userspaceEngine) trackOpenPostFilterOut(pp *packet.Parsed, t *tstun.Wrapper) (res filter.Response) { res = filter.Accept // always @@ -95,19 +149,12 @@ func (e *userspaceEngine) trackOpenPostFilterOut(pp *packet.Parsed, t *tstun.Wra pp.TCPFlags&packet.TCPSyn == 0 { return } + if e.isOSNetworkProbe(pp.Dst) { + return + } flow := flowtrack.MakeTuple(pp.IPProto, pp.Src, pp.Dst) - // iOS likes to probe Apple IPs on all interfaces to check for connectivity. - // Don't start timers tracking those. They won't succeed anyway. Avoids log spam - // like: - // open-conn-track: timeout opening (100.115.73.60:52501 => 17.125.252.5:443); no associated peer node - if runtime.GOOS == "ios" && flow.DstPort() == 443 && !tsaddr.IsTailscaleIP(flow.DstAddr()) { - if _, ok := e.PeerForIP(flow.DstAddr()); !ok { - return - } - } - e.mu.Lock() defer e.mu.Unlock() if _, dup := e.pendOpen[flow]; dup {