225 lines
6.1 KiB
Go
225 lines
6.1 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
package netns
|
|
|
|
import (
|
|
"fmt"
|
|
"math/bits"
|
|
"net/netip"
|
|
"strings"
|
|
"syscall"
|
|
|
|
"golang.org/x/sys/cpu"
|
|
"golang.org/x/sys/windows"
|
|
"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
|
|
"tailscale.com/envknob"
|
|
"tailscale.com/net/netmon"
|
|
"tailscale.com/tsconst"
|
|
"tailscale.com/types/logger"
|
|
)
|
|
|
|
func interfaceIndex(iface *winipcfg.IPAdapterAddresses) uint32 {
|
|
if iface == nil {
|
|
// The zero ifidx means "unspecified". If we end up passing zero
|
|
// to bindSocket*(), it unsets the binding and lets the socket
|
|
// behave as normal again, which is what we want if there's no
|
|
// default route we can use.
|
|
return 0
|
|
}
|
|
return iface.IfIndex
|
|
}
|
|
|
|
func defaultInterfaceIndex(family winipcfg.AddressFamily) (uint32, error) {
|
|
iface, err := netmon.GetWindowsDefault(family)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
return interfaceIndex(iface), nil
|
|
}
|
|
|
|
func control(logf logger.Logf, _ *netmon.Monitor) func(network, address string, c syscall.RawConn) error {
|
|
return func(network, address string, c syscall.RawConn) error {
|
|
return controlC(logf, network, address, c)
|
|
}
|
|
}
|
|
|
|
var bindToInterfaceByRouteEnv = envknob.RegisterBool("TS_BIND_TO_INTERFACE_BY_ROUTE")
|
|
|
|
// controlC binds c to the Windows interface that holds a default
|
|
// route, and is not the Tailscale WinTun interface.
|
|
func controlC(logf logger.Logf, network, address string, c syscall.RawConn) (err error) {
|
|
if isLocalhost(address) {
|
|
// Don't bind to an interface for localhost connections,
|
|
// otherwise we get:
|
|
// connectex: The requested address is not valid in its context
|
|
// (The derphttp tests were failing)
|
|
return nil
|
|
}
|
|
|
|
canV4, canV6 := false, false
|
|
switch network {
|
|
case "tcp", "udp":
|
|
canV4, canV6 = true, true
|
|
case "tcp4", "udp4":
|
|
canV4 = true
|
|
case "tcp6", "udp6":
|
|
canV6 = true
|
|
}
|
|
|
|
var defIfaceIdxV4, defIfaceIdxV6 uint32
|
|
if canV4 {
|
|
defIfaceIdxV4, err = defaultInterfaceIndex(windows.AF_INET)
|
|
if err != nil {
|
|
return fmt.Errorf("defaultInterfaceIndex(AF_INET): %w", err)
|
|
}
|
|
}
|
|
|
|
if canV6 {
|
|
defIfaceIdxV6, err = defaultInterfaceIndex(windows.AF_INET6)
|
|
if err != nil {
|
|
return fmt.Errorf("defaultInterfaceIndex(AF_INET6): %w", err)
|
|
}
|
|
}
|
|
|
|
var ifaceIdxV4, ifaceIdxV6 uint32
|
|
if useRoute := bindToInterfaceByRoute.Load() || bindToInterfaceByRouteEnv(); useRoute {
|
|
addr, err := parseAddress(address)
|
|
if err == nil {
|
|
if canV4 && (addr.Is4() || addr.Is4In6()) {
|
|
addrV4 := addr.Unmap()
|
|
ifaceIdxV4, err = getInterfaceIndex(logf, addrV4, defIfaceIdxV4)
|
|
if err != nil {
|
|
return fmt.Errorf("getInterfaceIndex(%v): %w", addrV4, err)
|
|
}
|
|
}
|
|
|
|
if canV6 && addr.Is6() {
|
|
ifaceIdxV6, err = getInterfaceIndex(logf, addr, defIfaceIdxV6)
|
|
if err != nil {
|
|
return fmt.Errorf("getInterfaceIndex(%v): %w", addr, err)
|
|
}
|
|
}
|
|
} else {
|
|
if err != errUnspecifiedHost {
|
|
logf("[unexpected] netns: error parsing address %q: %v", address, err)
|
|
}
|
|
ifaceIdxV4, ifaceIdxV6 = defIfaceIdxV4, defIfaceIdxV6
|
|
}
|
|
} else {
|
|
ifaceIdxV4, ifaceIdxV6 = defIfaceIdxV4, defIfaceIdxV6
|
|
}
|
|
|
|
if canV4 {
|
|
if err := bindSocket4(c, ifaceIdxV4); err != nil {
|
|
return fmt.Errorf("bindSocket4(%d): %w", ifaceIdxV4, err)
|
|
}
|
|
}
|
|
|
|
if canV6 {
|
|
if err := bindSocket6(c, ifaceIdxV6); err != nil {
|
|
return fmt.Errorf("bindSocket6(%d): %w", ifaceIdxV6, err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func getInterfaceIndex(logf logger.Logf, addr netip.Addr, defaultIdx uint32) (idx uint32, err error) {
|
|
idx, err = interfaceIndexFor(addr)
|
|
if err != nil {
|
|
return defaultIdx, fmt.Errorf("interfaceIndexFor: %w", err)
|
|
}
|
|
|
|
isTS, err := isTailscaleInterface(idx)
|
|
if err != nil {
|
|
return defaultIdx, fmt.Errorf("isTailscaleInterface: %w", err)
|
|
}
|
|
if isTS {
|
|
return defaultIdx, nil
|
|
}
|
|
return idx, nil
|
|
}
|
|
|
|
func isTailscaleInterface(ifaceIdx uint32) (bool, error) {
|
|
ifaceLUID, err := winipcfg.LUIDFromIndex(ifaceIdx)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
iface, err := ifaceLUID.Interface()
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
result := iface.Type == winipcfg.IfTypePropVirtual &&
|
|
strings.Contains(iface.Description(), tsconst.WintunInterfaceDesc)
|
|
return result, nil
|
|
}
|
|
|
|
func interfaceIndexFor(addr netip.Addr) (uint32, error) {
|
|
var sockaddr winipcfg.RawSockaddrInet
|
|
if err := sockaddr.SetAddr(addr); err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
var idx uint32
|
|
if err := getBestInterfaceEx(&sockaddr, &idx); err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
return idx, nil
|
|
}
|
|
|
|
// sockoptBoundInterface is the value of IP_UNICAST_IF and IPV6_UNICAST_IF.
|
|
//
|
|
// See https://docs.microsoft.com/en-us/windows/win32/winsock/ipproto-ip-socket-options
|
|
// and https://docs.microsoft.com/en-us/windows/win32/winsock/ipproto-ipv6-socket-options
|
|
const sockoptBoundInterface = 31
|
|
|
|
// bindSocket4 binds the given RawConn to the network interface with
|
|
// index ifidx, for IPv4 traffic only.
|
|
func bindSocket4(c syscall.RawConn, ifidx uint32) error {
|
|
// For IPv4 (but NOT IPv6) the interface index must be passed
|
|
// as a big-endian integer (regardless of platform endianness)
|
|
// because the underlying sockopt takes either an IPv4 address
|
|
// or an index shoved into IPv4 address representation (an IP
|
|
// in 0.0.0.0/8 means it's actually an index).
|
|
//
|
|
// See https://docs.microsoft.com/en-us/windows/win32/winsock/ipproto-ip-socket-options
|
|
// and IP_UNICAST_IF.
|
|
indexAsAddr := nativeToBigEndian(ifidx)
|
|
var controlErr error
|
|
err := c.Control(func(fd uintptr) {
|
|
controlErr = windows.SetsockoptInt(windows.Handle(fd), windows.IPPROTO_IP, sockoptBoundInterface, int(indexAsAddr))
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return controlErr
|
|
}
|
|
|
|
// bindSocket6 binds the given RawConn to the network interface with
|
|
// index ifidx, for IPv6 traffic only.
|
|
func bindSocket6(c syscall.RawConn, ifidx uint32) error {
|
|
var controlErr error
|
|
err := c.Control(func(fd uintptr) {
|
|
controlErr = windows.SetsockoptInt(windows.Handle(fd), windows.IPPROTO_IPV6, sockoptBoundInterface, int(ifidx))
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return controlErr
|
|
}
|
|
|
|
// nativeToBigEndian returns i converted into big-endian
|
|
// representation, suitable for passing to Windows APIs that require a
|
|
// mangled uint32.
|
|
func nativeToBigEndian(i uint32) uint32 {
|
|
if cpu.IsBigEndian {
|
|
return i
|
|
}
|
|
return bits.ReverseBytes32(i)
|
|
}
|