| author | Michael Ben-Ami <mzb@tailscale.com> | 2025-12-11 15:31:15 -0500 |
|---|---|---|
| committer | Michael Ben-Ami <mzb@tailscale.com> | 2026-02-04 15:53:58 -0500 |
| commit | c0422f977cdd7c292c37a7939b54ff4d226010a5 (patch) | |
| tree | c5f9f1b68fb05c98469fa09b1b1d8ee88457b201 /ipn | |
| parent | 40cd54daf73a154c3f8b60c020d70b11c1b5aa85 (diff) | |
[DRAFT] appc,wgengine: sketch how connectors 2025 hooks into themzb/dnat-exp
datapath
This commit outlines basic NAT datapath actions for next-gen
app connectors, and FlowTable structure for caching those actions.
It also demonstrates datapath integration via tstun wrapper hooks,
and presents examples of the methods to be implemented at the
state-management layer (Conn25). It probably should not be merged as
is and this commit message should be re-written. There should be
more detail in the PR description.
Diffstat (limited to 'ipn')
| -rw-r--r-- | ipn/ipnlocal/local.go | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index 300f7a4c3..5c7d1ebef 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -408,6 +408,8 @@ type LocalBackend struct {
 	// getCertForTest is used to retrieve TLS certificates in tests.
 	// See [LocalBackend.ConfigureCertsForTest].
 	getCertForTest func(hostname string) (*TLSCertKeyPair, error)
+
+	conn25 *appc.Conn25
 }
 
 // SetHardwareAttested enables hardware attestation key signatures in map
@@ -525,6 +527,7 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 		captiveCtx: captiveCtx,
 		captiveCancel: nil, // so that we start checkCaptivePortalLoop when Running
 		needsCaptiveDetection: make(chan bool),
+		conn25: &appc.Conn25{},
 	}
 
 	nb := newNodeBackend(ctx, b.logf, b.sys.Bus.Get())
@@ -2876,10 +2879,10 @@ func (b *LocalBackend) updateFilterLocked(prefs ipn.PrefsView) {
 	oldFilter := b.e.GetFilter()
 	if shieldsUp {
 		b.logf("[v1] netmap packet filter: (shields up)")
-		b.setFilter(filter.NewShieldsUpFilter(localNets, logNets, oldFilter, b.logf))
+		b.setFilter(filter.NewShieldsUpFilter(localNets, logNets, oldFilter, b.logf, filter.WithLinkLocalDestinationAllower(b.conn25)))
 	} else {
 		b.logf("[v1] netmap packet filter: %v filters", len(packetFilter))
-		b.setFilter(filter.New(packetFilter, b.srcIPHasCapForFilter, localNets, logNets, oldFilter, b.logf))
+		b.setFilter(filter.New(packetFilter, b.srcIPHasCapForFilter, localNets, logNets, oldFilter, b.logf, filter.WithLinkLocalDestinationAllower(b.conn25)))
 	}
 	// The filter for a jailed node is the exact same as a ShieldsUp filter.
 	oldJailedFilter := b.e.GetJailedFilter()
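Review bot: The new `conn25` field added to the LocalBackend struct in the first hunk has no doc comment, while the neighbouring `getCertForTest` field documents both its purpose and where it is used. Since the field is read from both the packet-filter path (updateFilterLocked) and the WireGuard config path (authReconfigLocked), a short comment would save the next reader a search; something like `// conn25 holds next-gen app connector state; it is consulted when building the packet filter and the WireGuard config.` Other LocalBackend fields appear to be annotated with which mutex guards them, so the comment should also state whether `conn25` is set only in NewLocalBackend and is otherwise immutable, or whether it is guarded by b.mu — I cannot tell from the hunk.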
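Review bot: In the updateFilterLocked hunk `b.conn25` is passed unconditionally into `filter.WithLinkLocalDestinationAllower` in both branches, whereas the authReconfigLocked hunk guards the very same field with `if b.conn25 != nil`. If the option's parameter is an interface type, a nil `*appc.Conn25` would be wrapped as a non-nil interface holding a typed nil, so a LocalBackend built outside NewLocalBackend (for example in tests) would dereference nil inside the filter rather than simply having no allower; the two call sites should agree on one contract, e.g. build the option list once with `var opts []filter.Option; if b.conn25 != nil { opts = append(opts, filter.WithLinkLocalDestinationAllower(b.conn25)) }` (hedged: the option type name is not visible in the hunk). Separately, wiring the allower into `filter.NewShieldsUpFilter` widens a policy whose purpose is to reject all inbound traffic, and the jailed filter constructed just below the hunk is described as "the exact same as a ShieldsUp filter" but is not shown receiving the option; a comment at the shields-up call explaining why connector-owned link-local destinations are exempt, and a decision on the jailed filter, would make the security intent reviewable. updateFilterLocked begins and ends outside the hunk.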
@@ -5140,7 +5143,12 @@ func (b *LocalBackend) authReconfigLocked() {
 		priv = key.NodePrivate{}
 	}
 
-	cfg, err := nmcfg.WGCfg(priv, nm, b.logf, flags, prefs.ExitNodeID())
+	var appConnectorTransitIPFn func(peer tailcfg.NodeView) []netip.Prefix
+	if b.conn25 != nil {
+		appConnectorTransitIPFn = b.conn25.AllTransitIPsForPeer
+	}
+
+	cfg, err := nmcfg.WGCfg(priv, nm, b.logf, flags, prefs.ExitNodeID(), appConnectorTransitIPFn)
 	if err != nil {
 		b.logf("wgcfg: %v", err)
 		return
