| author | Andrew Dunham <andrew@du.nham.ca> | 2023-02-19 11:07:18 -0700 |
|---|---|---|
| committer | Andrew Dunham <andrew@du.nham.ca> | 2023-02-19 11:07:18 -0700 |
| commit | 71f5df3fbea77b1bb4fb692232b27dbbfac184b3 (patch) | |
| tree | c7a55e96b01570a262a83b99af36a65fc49b0a2f | |
| parent | d38abe90be0738f097ba79abed0a50af226b16f7 (diff) | |
wgengine/router: drop non-Tailscale IPv6 traffic from ULA rangeandrew/router-drop-ula
This replicates the behaviour of our IPv4 rules by dropping traffic
from the IPv6 ULA range that Tailscale uses when that traffic does not
come from Tailscale itself (i.e. does not carry the fwmark).
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I75bc09fab73b5171de09a6828549644637c8a495
| -rw-r--r-- | wgengine/router/router_linux.go | 11 | ||||
| -rw-r--r-- | wgengine/router/router_linux_test.go | 7 |
2 files changed, 15 insertions, 3 deletions
diff --git a/wgengine/router/router_linux.go b/wgengine/router/router_linux.go
index 4afdaf7fb..4ffbf80cb 100644
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -1300,7 +1300,7 @@ func (r *linuxRouter) addNetfilterBase4() error {
 return nil
 }
 
-// addNetfilterBase4 adds some basic IPv6 processing rules to be
+// addNetfilterBase6 adds some basic IPv6 processing rules to be
 // supplemented by later calls to other helpers.
 func (r *linuxRouter) addNetfilterBase6() error {
 // TODO: only allow traffic from Tailscale's ULA range to come
@@ -1314,8 +1314,13 @@ func (r *linuxRouter) addNetfilterBase6() error {
 if err := r.ipt6.Append("filter", "ts-forward", args...); err != nil {
 return fmt.Errorf("adding %v in v6/filter/ts-forward: %w", args, err)
 }
- // TODO: drop forwarded traffic to tailscale0 from tailscale's ULA
- // (see corresponding IPv4 CGNAT rule).
+
+ // Drop traffic from the Tailscale ULA range; by this rule, we know that
+ // it doesn't have our fwmark and is thus not from us and safe to drop.
+ args = []string{"-o", r.tunname, "-s", tsaddr.TailscaleULARange().String(), "-j", "DROP"}
+ if err := r.ipt6.Append("filter", "ts-forward", args...); err != nil {
+ return fmt.Errorf("adding %v in v6/filter/ts-forward: %w", args, err)
+ }
 args = []string{"-o", r.tunname, "-j", "ACCEPT"}
 if err := r.ipt6.Append("filter", "ts-forward", args...); err != nil {
 return fmt.Errorf("adding %v in v6/filter/ts-forward: %w", args, err)
diff --git a/wgengine/router/router_linux_test.go b/wgengine/router/router_linux_test.go
index 1883e6b4b..92add6468 100644
--- a/wgengine/router/router_linux_test.go
+++ b/wgengine/router/router_linux_test.go
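Review bot: The comment on the new `-s tsaddr.TailscaleULARange()` DROP rule gives the fwmark reasoning but neither the threat it addresses nor its scope: because of `-o r.tunname` it only drops ULA-sourced packets being forwarded into the tunnel, so ULA-sourced packets forwarded toward any other interface are untouched by ts-forward and fall through to whatever the FORWARD chain does next, which is narrower than "drop non-Tailscale IPv6 traffic from ULA range" in the title. The rule is also only correct because it is appended after the `-m mark --mark … -j ACCEPT` rule, which is what keeps genuine tunnel traffic (marked by the `-i r.tunname` MARK rule) from being dropped, and that ordering dependency should be stated so a later reordering does not silently break it. I would replace the two comment lines with `// Drop forwarded packets bound for the tunnel that claim a Tailscale ULA source: anything reaching this rule` / `// was not accepted by the fwmark rule above, so it neither arrived on r.tunname nor otherwise carries our mark,` / `// and the source address cannot be trusted. Must stay after the mark ACCEPT; mirrors the IPv4 CGNAT drop.` addNetfilterBase6's body continues past the end of the hunk, and the `TODO: only allow traffic from Tailscale's ULA range to come …` comment at its top (cut off in the first hunk) appears to remain open.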
@@ -117,6 +117,7 @@ v6/filter/FORWARD -j ts-forward
 v6/filter/INPUT -j ts-input
 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000
 v6/filter/ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
+v6/filter/ts-forward -o tailscale0 -s fd7a:115c:a1e0::/48 -j DROP
 v6/filter/ts-forward -o tailscale0 -j ACCEPT
 v6/nat/POSTROUTING -j ts-postrouting
 v6/nat/ts-postrouting -m mark --mark 0x40000/0xff0000 -j MASQUERADE
@@ -148,6 +149,7 @@ v6/filter/FORWARD -j ts-forward
 v6/filter/INPUT -j ts-input
 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000
 v6/filter/ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
+v6/filter/ts-forward -o tailscale0 -s fd7a:115c:a1e0::/48 -j DROP
 v6/filter/ts-forward -o tailscale0 -j ACCEPT
 v6/nat/POSTROUTING -j ts-postrouting
 `,
@@ -181,6 +183,7 @@ v6/filter/FORWARD -j ts-forward
 v6/filter/INPUT -j ts-input
 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000
 v6/filter/ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
+v6/filter/ts-forward -o tailscale0 -s fd7a:115c:a1e0::/48 -j DROP
 v6/filter/ts-forward -o tailscale0 -j ACCEPT
 v6/nat/POSTROUTING -j ts-postrouting
 `,
@@ -211,6 +214,7 @@ v6/filter/FORWARD -j ts-forward
 v6/filter/INPUT -j ts-input
 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000
 v6/filter/ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
+v6/filter/ts-forward -o tailscale0 -s fd7a:115c:a1e0::/48 -j DROP
 v6/filter/ts-forward -o tailscale0 -j ACCEPT
 v6/nat/POSTROUTING -j ts-postrouting
 `,
@@ -237,6 +241,7 @@ v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN
 v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP
 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000
 v6/filter/ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
+v6/filter/ts-forward -o tailscale0 -s fd7a:115c:a1e0::/48 -j DROP
 v6/filter/ts-forward -o tailscale0 -j ACCEPT
 `,
 },
@@ -266,6 +271,7 @@ v6/filter/FORWARD -j ts-forward
 v6/filter/INPUT -j ts-input
 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000
 v6/filter/ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
+v6/filter/ts-forward -o tailscale0 -s fd7a:115c:a1e0::/48 -j DROP
 v6/filter/ts-forward -o tailscale0 -j ACCEPT
 v6/nat/POSTROUTING -j ts-postrouting
 `,
@@ -298,6 +304,7 @@ v6/filter/FORWARD -j ts-forward
 v6/filter/INPUT -j ts-input
 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000
 v6/filter/ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
+v6/filter/ts-forward -o tailscale0 -s fd7a:115c:a1e0::/48 -j DROP
 v6/filter/ts-forward -o tailscale0 -j ACCEPT
 v6/nat/POSTROUTING -j ts-postrouting
 `, |
