tstun, wgengine/magicsock: enable vectorized I/O on Linux.

This commit updates the wireguard-go dependency and implements the
necessary changes to the tun.Device and conn.Bind implementations to
support passing vectors of packets in tailscaled.

Signed-off-by: Jordan Whited <jordan@tailscale.com>
Signed-off-by: James Tucker <james@tailscale.com>
Co-authored-by: James Tucker <james@tailscale.com>

go.mod

@@ -2,6 +2,8 @@ module tailscale.com
 
 go 1.19
 
+replace golang.zx2c4.com/wireguard => github.com/tailscale/wireguard-go v0.0.0-20221207223341-6be4ed075788
+
 require (
 	filippo.io/mkcert v1.4.3
 	github.com/Microsoft/go-winio v0.6.0
@@ -64,12 +66,12 @@ require (
 	github.com/vishvananda/netlink v1.1.1-0.20211118161826-650dca95af54
 	go4.org/mem v0.0.0-20210711025021-927187094b94
 	go4.org/netipx v0.0.0-20220725152314-7e7bdc8411bf
-	golang.org/x/crypto v0.1.0
+	golang.org/x/crypto v0.3.0
 	golang.org/x/exp v0.0.0-20221205204356-47842c84f3db
-	golang.org/x/net v0.1.0
+	golang.org/x/net v0.2.0
 	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
-	golang.org/x/sys v0.1.0
-	golang.org/x/term v0.1.0
+	golang.org/x/sys v0.2.0
+	golang.org/x/term v0.2.0
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
 	golang.org/x/tools v0.2.0
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224

go.sum

@@ -1108,6 +1108,8 @@ github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89 h1:7xU7AFQE83h0wz/
 github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89/go.mod h1:OGMqrTzDqmJkGumUTtOv44Rp3/4xS+QFbE8Rn0AGlaU=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 h1:zrsUcqrG2uQSPhaUPjUQwozcRdDdSxxqhNgNZ3drZFk=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
+github.com/tailscale/wireguard-go v0.0.0-20221207223341-6be4ed075788 h1:HRBKNhAqG+3NGtudGB8QzpaKlvf4MoBCMEnjdF+D+nA=
+github.com/tailscale/wireguard-go v0.0.0-20221207223341-6be4ed075788/go.mod h1:wzWjYPfptTrgXwkAZmjd7sXHf7RYnz5PrPr6GN1eb2Y=
 github.com/tc-hib/winres v0.1.6 h1:qgsYHze+BxQPEYilxIz/KCQGaClvI2+yLBAZs+3+0B8=
 github.com/tc-hib/winres v0.1.6/go.mod h1:pe6dOR40VOrGz8PkzreVKNvEKnlE8t4yR8A8naL+t7A=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
@@ -1267,8 +1269,8 @@ golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A=
+golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1375,8 +1377,8 @@ golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
-golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1512,13 +1514,13 @@ golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw=
-golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM=
+golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1656,8 +1658,6 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20220920152132-bb719d3a6e2c h1:Okh6a1xpnJslG9Mn84pId1Mn+Q8cvpo4HCeeFWHo0cA=
-golang.zx2c4.com/wireguard v0.0.0-20220920152132-bb719d3a6e2c/go.mod h1:enML0deDxY1ux+B6ANGiwtg0yAJi1rctkTpcHNAVPyg=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=

net/tstun/fake.go

@@ -34,21 +34,22 @@ func (t *fakeTUN) Close() error {
 	return nil
 }
 
-func (t *fakeTUN) Read(out []byte, offset int) (int, error) {
+func (t *fakeTUN) Read(out [][]byte, sizes []int, offset int) (int, error) {
 	<-t.closechan
 	return 0, io.EOF
 }
 
-func (t *fakeTUN) Write(b []byte, n int) (int, error) {
+func (t *fakeTUN) Write(b [][]byte, n int) (int, error) {
 	select {
 	case <-t.closechan:
 		return 0, ErrClosed
 	default:
 	}
-	return len(b), nil
+	return 1, nil
 }
 
-func (t *fakeTUN) Flush() error           { return nil }
-func (t *fakeTUN) MTU() (int, error)      { return 1500, nil }
-func (t *fakeTUN) Name() (string, error)  { return "FakeTUN", nil }
-func (t *fakeTUN) Events() chan tun.Event { return t.evchan }
+func (t *fakeTUN) Flush() error             { return nil }
+func (t *fakeTUN) MTU() (int, error)        { return 1500, nil }
+func (t *fakeTUN) Name() (string, error)    { return "FakeTUN", nil }
+func (t *fakeTUN) Events() <-chan tun.Event { return t.evchan }
+func (t *fakeTUN) BatchSize() int           { return 1 }

net/tstun/tap_linux.go

@@ -12,6 +12,7 @@ import (
 	"net/netip"
 	"os"
 	"os/exec"
+	"sync"
 
 	"github.com/insomniacslk/dhcp/dhcpv4"
 	"golang.org/x/sys/unix"
@@ -23,6 +24,7 @@ import (
 	"tailscale.com/net/netaddr"
 	"tailscale.com/net/packet"
 	"tailscale.com/types/ipproto"
+	"tailscale.com/util/multierr"
 )
 
 // TODO: this was randomly generated once. Maybe do it per process start? But
@@ -69,13 +71,7 @@ func openDevice(fd int, tapName, bridgeName string) (tun.Device, error) {
 		}
 	}
 
-	// Also sets non-blocking I/O on fd when creating tun.Device.
-	dev, _, err := tun.CreateUnmonitoredTUNFromFD(fd) // TODO: MTU
-	if err != nil {
-		return nil, err
-	}
-
-	return dev, nil
+	return newTAPDevice(fd, tapName)
 }
 
 type etherType [2]byte
@@ -168,7 +164,8 @@ func (t *Wrapper) handleTAPFrame(ethBuf []byte) bool {
 			copy(res.HardwareAddressTarget(), req.HardwareAddressSender())
 			copy(res.ProtocolAddressTarget(), req.ProtocolAddressSender())
 
-			n, err := t.tdev.Write(buf, 0)
+			// TODO(raggi): reduce allocs!
+			n, err := t.tdev.Write([][]byte{buf}, 0)
 			if tapDebug {
 				t.logf("tap: wrote ARP reply %v, %v", n, err)
 			}
@@ -252,7 +249,9 @@ func (t *Wrapper) handleDHCPRequest(ethBuf []byte) bool {
 			netip.AddrPortFrom(netaddr.IPv4(100, 100, 100, 100), 67), // src
 			netip.AddrPortFrom(netaddr.IPv4(255, 255, 255, 255), 68), // dst
 		)
-		n, err := t.tdev.Write(pkt, 0)
+
+		// TODO(raggi): reduce allocs!
+		n, err := t.tdev.Write([][]byte{pkt}, 0)
 		if tapDebug {
 			t.logf("tap: wrote DHCP OFFER %v, %v", n, err)
 		}
@@ -279,7 +278,8 @@ func (t *Wrapper) handleDHCPRequest(ethBuf []byte) bool {
 			netip.AddrPortFrom(netaddr.IPv4(100, 100, 100, 100), 67), // src
 			netip.AddrPortFrom(netaddr.IPv4(255, 255, 255, 255), 68), // dst
 		)
-		n, err := t.tdev.Write(pkt, 0)
+		// TODO(raggi): reduce allocs!
+		n, err := t.tdev.Write([][]byte{pkt}, 0)
 		if tapDebug {
 			t.logf("tap: wrote DHCP ACK %v, %v", n, err)
 		}
@@ -346,21 +346,108 @@ func (t *Wrapper) destMAC() [6]byte {
 	return t.destMACAtomic.Load()
 }
 
-func (t *Wrapper) tapWrite(buf []byte, offset int) (int, error) {
-	if offset < ethernetFrameSize {
-		return 0, fmt.Errorf("[unexpected] weird offset %d for TAP write", offset)
+func newTAPDevice(fd int, tapName string) (tun.Device, error) {
+	err := unix.SetNonblock(fd, true)
+	if err != nil {
+		return nil, err
 	}
-	eth := buf[offset-ethernetFrameSize:]
-	dst := t.destMAC()
-	copy(eth[:6], dst[:])
-	copy(eth[6:12], ourMAC[:])
-	et := etherTypeIPv4
-	if buf[offset]>>4 == 6 {
-		et = etherTypeIPv6
+	file := os.NewFile(uintptr(fd), "/dev/tap")
+	d := &tapDevice{
+		file:   file,
+		events: make(chan tun.Event),
+		name:   tapName,
 	}
-	eth[12], eth[13] = et[0], et[1]
-	if tapDebug {
-		t.logf("tap: tapWrite off=%v % x", offset, buf)
+	return d, nil
+}
+
+var (
+	_ setWrapperer = &tapDevice{}
+)
+
+type tapDevice struct {
+	file      *os.File
+	events    chan tun.Event
+	name      string
+	wrapper   *Wrapper
+	closeOnce sync.Once
+}
+
+func (t *tapDevice) setWrapper(wrapper *Wrapper) {
+	t.wrapper = wrapper
+}
+
+func (t *tapDevice) File() *os.File {
+	return t.file
+}
+
+func (t *tapDevice) Name() (string, error) {
+	return t.name, nil
+}
+
+func (t *tapDevice) Read(buffs [][]byte, sizes []int, offset int) (int, error) {
+	n, err := t.file.Read(buffs[0][offset:])
+	if err != nil {
+		return 0, err
 	}
-	return t.tdev.Write(buf, offset-ethernetFrameSize)
+	sizes[0] = n
+	return 1, nil
+}
+
+func (t *tapDevice) Write(buffs [][]byte, offset int) (int, error) {
+	errs := make([]error, 0)
+	wrote := 0
+	for _, buff := range buffs {
+		if offset < ethernetFrameSize {
+			errs = append(errs, fmt.Errorf("[unexpected] weird offset %d for TAP write", offset))
+			return 0, multierr.New(errs...)
+		}
+		eth := buff[offset-ethernetFrameSize:]
+		dst := t.wrapper.destMAC()
+		copy(eth[:6], dst[:])
+		copy(eth[6:12], ourMAC[:])
+		et := etherTypeIPv4
+		if buff[offset]>>4 == 6 {
+			et = etherTypeIPv6
+		}
+		eth[12], eth[13] = et[0], et[1]
+		if tapDebug {
+			t.wrapper.logf("tap: tapWrite off=%v % x", offset, buff)
+		}
+		_, err := t.file.Write(buff[offset-ethernetFrameSize:])
+		if err != nil {
+			errs = append(errs, err)
+		} else {
+			wrote++
+		}
+	}
+	return wrote, multierr.New(errs...)
+}
+
+func (t *tapDevice) MTU() (int, error) {
+	ifr, err := unix.NewIfreq(t.name)
+	if err != nil {
+		return 0, err
+	}
+	err = unix.IoctlIfreq(int(t.file.Fd()), unix.SIOCGIFMTU, ifr)
+	if err != nil {
+		return 0, err
+	}
+	return int(ifr.Uint32()), nil
+}
+
+func (t *tapDevice) Events() <-chan tun.Event {
+	return t.events
+}
+
+func (t *tapDevice) Close() error {
+	var err error
+	t.closeOnce.Do(func() {
+		close(t.events)
+		err = t.file.Close()
+	})
+	return err
+}
+
+func (t *tapDevice) BatchSize() int {
+	return 1
 }

net/tstun/tap_unsupported.go

@@ -6,5 +6,4 @@
 
 package tstun
 
-func (*Wrapper) handleTAPFrame([]byte) bool        { panic("unreachable") }
-func (*Wrapper) tapWrite([]byte, int) (int, error) { panic("unreachable") }
+func (*Wrapper) handleTAPFrame([]byte) bool { panic("unreachable") }

net/tstun/tun.go

@@ -25,6 +25,7 @@ var createTAP func(tapName, bridgeName string) (tun.Device, error)
 // New returns a tun.Device for the requested device name, along with
 // the OS-dependent name that was allocated to the device.
 func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
+	var disableTUNOffload = envknob.Bool("TS_DISABLE_TUN_OFFLOAD")
 	var dev tun.Device
 	var err error
 	if strings.HasPrefix(tunName, "tap:") {
@@ -51,6 +52,11 @@ func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
 			tunMTU = mtu
 		}
 		dev, err = tun.CreateTUN(tunName, tunMTU)
+		if err == nil && disableTUNOffload {
+			if do, ok := dev.(tun.DisableOffloader); ok {
+				do.DisableOffload()
+			}
+		}
 	}
 	if err != nil {
 		return nil, "", err