Skip to content

util/linuxfw, wgengine: allow ingress to magicsock UDP port on Linux #10370

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Dec 5, 2023
Merged

util/linuxfw, wgengine: allow ingress to magicsock UDP port on Linux #10370

merged 5 commits into from
Dec 5, 2023

Conversation

@tendstofortytwo
Copy link
Contributor

@tendstofortytwo tendstofortytwo commented Nov 23, 2023
edited
Loading

Updates #9084.

Currently, we have to tell users to manually open UDP ports on Linux when certain firewalls (like ufw) are enabled. This change automates the process of adding and updating those firewall rules as magicsock changes what port it listens on.

@tendstofortytwo
util/linuxfw, wgengine: allow ingress to magicsock UDP port on Linux
15d5e0d 
Updates #9084.

Currently, we have to tell users to manually open UDP ports on Linux when
certain firewalls (like ufw) are enabled. This change automates the process of
adding and updating those firewall rules as magicsock changes what port it
listens on.

Signed-off-by: Naman Sood <mail@nsood.in>
@tendstofortytwo tendstofortytwo force-pushed the naman/linuxfw-magicsock-port-rule branch from 8524910 to 15d5e0d Compare November 23, 2023 21:23
catzkorn
catzkorn reviewed Nov 24, 2023
View reviewed changes
@tendstofortytwo
address most review feedback
fa51c04 
Signed-off-by: Naman Sood <mail@nsood.in>
@tendstofortytwo
add error descriptions
062273f 
Signed-off-by: Naman Sood <mail@nsood.in>
@tendstofortytwo tendstofortytwo requested review from twitchyliquid64 and removed request for raggi November 27, 2023 20:00
twitchyliquid64
twitchyliquid64 approved these changes Nov 29, 2023
View reviewed changes
Copy link
Contributor

@twitchyliquid64 twitchyliquid64 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This all looks great! Have you had a chance to test this on a variety of linux distros? No better test coverage than tests that arent tests lol

And afaict youre mostly changing the wiring in userspace.go - that should apply to use in both tailscaled.go and tsnet.go, but maybe double check the way that tsnet initializes all the subsystems is compatible with your changes?

@tendstofortytwo
merge
c51490a 
Signed-off-by: Naman Sood <mail@nsood.in>
@tendstofortytwo
initialize nfr if nil
16ed725 
Signed-off-by: Naman Sood <mail@nsood.in>
@tendstofortytwo
Copy link
Contributor Author

tendstofortytwo commented Dec 5, 2023
edited
Loading

@twitchyliquid64 tested on arch+no firewall, fedora+firewalld, and ubuntu+ufw, seems to correctly create the iptables/nftables rules in all of those cases.

looking at tsnet/tsnet.go, it seems like tsnet uses a fake router, not the linux one, so this should not affect tsnet at all, I think?

@twitchyliquid64
Copy link
Contributor

Excellante!

@tendstofortytwo tendstofortytwo merged commit d46a4ec into main Dec 5, 2023
@tendstofortytwo tendstofortytwo deleted the naman/linuxfw-magicsock-port-rule branch December 5, 2023 23:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maisem maisem Awaiting requested review from maisem

2 more reviewers

@catzkorn catzkorn catzkorn left review comments

@twitchyliquid64 twitchyliquid64 twitchyliquid64 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tendstofortytwo @twitchyliquid64 @catzkorn