summaryrefslogtreecommitdiffhomepage
path: root/wf
AgeCommit message (Collapse)AuthorFilesLines
2024-10-02wf/firewall: allow link-local multicast for permitted local routes when the ↵Nick Khyl1-1/+56
killswitch is on on Windows When an Exit Node is used, we create a WFP rule to block all inbound and outbound traffic, along with several rules to permit specific types of traffic. Notably, we allow all inbound and outbound traffic to and from LocalRoutes specified in wgengine/router.Config. The list of allowed routes always includes routes for internal interfaces, such as loopback and virtual Hyper-V/WSL2 interfaces, and may also include LAN routes if the "Allow local network access" option is enabled. However, these permitting rules do not allow link-local multicast on the corresponding interfaces. This results in broken mDNS/LLMNR, and potentially other similar issues, whenever an exit node is used. In this PR, we update (*wf.Firewall).UpdatePermittedRoutes() to create rules allowing outbound and inbound link-local multicast traffic to and from the permitted IP ranges, partially resolving the mDNS/LLMNR and *.local name resolution issue. Since Windows does not attempt to send mDNS/LLMNR queries if a catch-all NRPT rule is present, it is still necessary to disable the creation of that rule using the disable-local-dns-override-via-nrpt nodeAttr. Updates #13571 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-07-10all: add test for package comments, fix, add comments as neededBrad Fitzpatrick1-0/+1
Updates #cleanup Change-Id: Ic4304e909d2131a95a38b26911f49e7b1729aaef Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-02-13go.mod, all: move away from inet.af domain seized by TalibanBrad Fitzpatrick1-1/+1
Updates inetaf/tcpproxy#39 Change-Id: I7fee276b116bd08397347c6c949011d76a2842cf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-01-27all: update copyright and license headersWill Norris1-3/+2
This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>
2022-11-04all: remove old +build tagsBrad Fitzpatrick1-1/+0
The //go:build syntax was introduced in Go 1.17: https://go.dev/doc/go1.17#build-lines gofmt has kept the +build and go:build lines in sync since then, but enough time has passed. Time to remove them. Done with: perl -i -npe 's,^// \+build.*\n,,' $(git grep -l -F '+build') Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-09-29all: fix spelling mistakesJosh Soref1-1/+1
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-07-25all: convert more code to use net/netip directlyBrad Fitzpatrick1-6/+6
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.) perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. ) goimports -w . Then delete some stuff from the net/netaddr shim package which is no longer neeed. Updates #5162 Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-25all: use various net/netip parse funcs directlyBrad Fitzpatrick1-4/+5
Mechanical change with perl+goimports. Changed {Must,}Parse{IP,IPPrefix,IPPort} to their netip variants, then goimports -d . Finally, removed the net/netaddr wrappers, to prevent future use. Updates #5162 Change-Id: I59c0e38b5fbca5a935d701645789cddf3d7863ad Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-25net/netaddr: start migrating to net/netip via new netaddr adapter packageBrad Fitzpatrick1-2/+2
Updates #5162 Change-Id: Id7bdec303b25471f69d542f8ce43805328d56c12 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-03-17all: use any instead of interface{}Josh Bleecher Snyder1-3/+3
My favorite part of generics. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-12-15all: gofmt -w -s (simplify) testsBrad Fitzpatrick1-0/+1
And it updates the build tag style on a couple files. Change-Id: I84478d822c8de3f84b56fa1176c99d2ea5083237 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-06-16wf: loopback condition should use MatchTypeFlagsAllSet.Maisem Ali1-2/+2
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-05-16all: adapt to opaque netaddr typesJosh Bleecher Snyder1-1/+1
This commit is a mishmash of automated edits using gofmt: gofmt -r 'netaddr.IPPort{IP: a, Port: b} -> netaddr.IPPortFrom(a, b)' -w . gofmt -r 'netaddr.IPPrefix{IP: a, Port: b} -> netaddr.IPPrefixFrom(a, b)' -w . gofmt -r 'a.IP.Is4 -> a.IP().Is4' -w . gofmt -r 'a.IP.As16 -> a.IP().As16' -w . gofmt -r 'a.IP.Is6 -> a.IP().Is6' -w . gofmt -r 'a.IP.As4 -> a.IP().As4' -w . gofmt -r 'a.IP.String -> a.IP().String' -w . And regexps: \w*(.*)\.Port = (.*) -> $1 = $1.WithPort($2) \w*(.*)\.IP = (.*) -> $1 = $1.WithIP($2) And lots of manual fixups. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-05-10wf: implement windows firewall using inet.af/wf.Maisem Ali1-0/+510
Signed-off-by: Maisem Ali <maisem@tailscale.com>
Copyright © 2025 - 2026 Wayne Cole. WTFPL. Attribution appreciated. No warranty. Not liable for bodily damages.