authorBrad Fitzpatrick <bradfitz@tailscale.com>2024-07-08 20:31:16 -0700
committerBrad Fitzpatrick <brad@danga.com>2024-07-12 08:24:06 -0700
commit808b4139eec4f9ffcf8fc7a39b0519395efcc165 (patch)
treeb6a12ab98b73477b0e2e9d20ab180665ea2499db /control/controlknobs/controlknobs.go
parent49bf63cdd0ffbc207f9b5e75890a977309714c11 (diff)
downloadtailscale-808b4139eec4f9ffcf8fc7a39b0519395efcc165.tar.xz
tailscale-808b4139eec4f9ffcf8fc7a39b0519395efcc165.zip
wgengine/magicsock: use wireguard-go/conn.PeerAwareEndpoint
If we get a non-disco presumably-wireguard-encrypted UDP packet from an IP:port we don't recognize, rather than drop the packet, give it to WireGuard anyway and let WireGuard try to figure out who it's from and tell us. This uses the new hook added in https://github.com/tailscale/wireguard-go/pull/27 Updates tailscale/corp#20732 Change-Id: I5c61a40143810592f9efac6c12808a87f924ecf2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Diffstat (limited to 'control/controlknobs/controlknobs.go')
-rw-r--r--control/controlknobs/controlknobs.go7
1 files changed, 7 insertions, 0 deletions
diff --git a/control/controlknobs/controlknobs.go b/control/controlknobs/controlknobs.go
index bdbe5bdd2..7315a10f7 100644
--- a/control/controlknobs/controlknobs.go
+++ b/control/controlknobs/controlknobs.go
@@ -95,6 +95,10 @@ type Knobs struct {
// We began creating this rule on 2024-06-14, and this knob
// allows us to disable the new behavior remotely if needed.
DisableLocalDNSOverrideViaNRPT atomic.Bool
+
+ // DisableCryptorouting indicates that the node should not use the
+ // magicsock crypto routing feature.
+ DisableCryptorouting atomic.Bool
}
// UpdateFromNodeAttributes updates k (if non-nil) based on the provided self
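Review bot: The doc comment on `DisableCryptorouting` says neither what crypto routing is nor what the zero value means. Since the field is an `atomic.Bool`, a node that never receives the attribute runs with the feature on. Going by the commit message, that presumably means non-disco UDP packets from an unrecognized IP:port are handed to WireGuard instead of being dropped, which makes this knob the remote off switch for that path. I would spell that out, e.g. `// DisableCryptorouting, if true, stops magicsock from passing packets from unknown endpoints to WireGuard for peer identification; the zero value leaves the feature enabled.` The Knobs struct starts outside this hunk, so I cannot see whether other knobs document their defaults the same way.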
@@ -122,6 +126,7 @@ func (k *Knobs) UpdateFromNodeAttributes(capMap tailcfg.NodeCapMap) {
userDialUseRoutes = has(tailcfg.NodeAttrUserDialUseRoutes)
disableSplitDNSWhenNoCustomResolvers = has(tailcfg.NodeAttrDisableSplitDNSWhenNoCustomResolvers)
disableLocalDNSOverrideViaNRPT = has(tailcfg.NodeAttrDisableLocalDNSOverrideViaNRPT)
+ disableCryptorouting = has(tailcfg.NodeAttrDisableMagicSockCryptoRouting)
)
if has(tailcfg.NodeAttrOneCGNATEnable) {
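Review bot: The local `disableCryptorouting` and the field it feeds break the naming pattern of the lines above, where each variable mirrors its attribute (`disableLocalDNSOverrideViaNRPT` from `NodeAttrDisableLocalDNSOverrideViaNRPT`). Here the attribute is `NodeAttrDisableMagicSockCryptoRouting`, so a search for the attribute's name will not find the knob, and the `CryptoRouting`/`Cryptorouting` casing differs as well. Consider `disableMagicSockCryptoRouting` for the local; the field in the first hunk, the `Store` call in the third hunk and the debug JSON key in the fourth hunk would follow the same rename. The function body continues outside this hunk.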
@@ -147,6 +152,7 @@ func (k *Knobs) UpdateFromNodeAttributes(capMap tailcfg.NodeCapMap) {
k.UserDialUseRoutes.Store(userDialUseRoutes)
k.DisableSplitDNSWhenNoCustomResolvers.Store(disableSplitDNSWhenNoCustomResolvers)
k.DisableLocalDNSOverrideViaNRPT.Store(disableLocalDNSOverrideViaNRPT)
+ k.DisableCryptorouting.Store(disableCryptorouting)
}
// AsDebugJSON returns k as something that can be marshalled with json.Marshal
@@ -173,5 +179,6 @@ func (k *Knobs) AsDebugJSON() map[string]any {
"UserDialUseRoutes": k.UserDialUseRoutes.Load(),
"DisableSplitDNSWhenNoCustomResolvers": k.DisableSplitDNSWhenNoCustomResolvers.Load(),
"DisableLocalDNSOverrideViaNRPT": k.DisableLocalDNSOverrideViaNRPT.Load(),
+ "DisableCryptorouting": k.DisableCryptorouting.Load(),
}
}