TestHandleLocalPackets tests the handleLocalPackets function, ensuring that we correctly decide to handle packets destined for "local" IPs — addresses that are either assigned to this node itself, or that this node is responsible for (e.g. advertised subnet routes and service IPs). See, e.g. #11304
(t *testing.T)
| 922 | // |
| 923 | // See, e.g. #11304 |
| 924 | func TestHandleLocalPackets(t *testing.T) { |
| 925 | var ( |
| 926 | selfIP4 = netip.MustParseAddr("100.64.1.2") |
| 927 | selfIP6 = netip.MustParseAddr("fd7a:115c:a1e0::123") |
| 928 | ) |
| 929 | |
| 930 | impl := makeNetstack(t, func(impl *Impl) { |
| 931 | impl.ProcessSubnets = false |
| 932 | impl.ProcessLocalIPs = false |
| 933 | impl.atomicIsLocalIPFunc.Store(func(addr netip.Addr) bool { |
| 934 | return addr == selfIP4 || addr == selfIP6 |
| 935 | }) |
| 936 | }) |
| 937 | |
| 938 | prefs := ipn.NewPrefs() |
| 939 | prefs.AdvertiseRoutes = []netip.Prefix{ |
| 940 | // $ tailscale debug via 7 10.1.1.0/24 |
| 941 | // fd7a:115c:a1e0:b1a:0:7:a01:100/120 |
| 942 | netip.MustParsePrefix("fd7a:115c:a1e0:b1a:0:7:a01:100/120"), |
| 943 | } |
| 944 | prefs.AdvertiseServices = []string{"svc:test-service"} |
| 945 | _, err := impl.lb.EditPrefs(&ipn.MaskedPrefs{ |
| 946 | Prefs: *prefs, |
| 947 | AdvertiseRoutesSet: true, |
| 948 | AdvertiseServicesSet: true, |
| 949 | }) |
| 950 | if err != nil { |
| 951 | t.Fatalf("EditPrefs: %v", err) |
| 952 | } |
| 953 | IPServiceMap := netmap.IPServiceMappings{ |
| 954 | netip.MustParseAddr("100.99.55.111"): "svc:test-service", |
| 955 | netip.MustParseAddr("fd7a:115c:a1e0::abcd"): "svc:test-service", |
| 956 | } |
| 957 | impl.lb.SetIPServiceMappingsForTest(IPServiceMap) |
| 958 | |
| 959 | t.Run("ShouldHandleServiceIP", func(t *testing.T) { |
| 960 | t.Parallel() |
| 961 | pkt := &packet.Parsed{ |
| 962 | IPVersion: 4, |
| 963 | IPProto: ipproto.TCP, |
| 964 | Src: netip.MustParseAddrPort("127.0.0.1:9999"), |
| 965 | Dst: netip.MustParseAddrPort("100.100.100.100:53"), |
| 966 | TCPFlags: packet.TCPSyn, |
| 967 | } |
| 968 | resp, _ := impl.handleLocalPackets(pkt, impl.tundev, nil) |
| 969 | if resp != filter.DropSilently { |
| 970 | t.Errorf("got filter outcome %v, want filter.DropSilently", resp) |
| 971 | } |
| 972 | }) |
| 973 | // Any port on the quad-100 service IP must be absorbed locally by |
| 974 | // netstack and never leak out to the WireGuard / peer-routing |
| 975 | // layers. Historically we only intercepted specific ports (UDP 53 |
| 976 | // and TCP 53/80/8080), causing stray traffic to other ports such |
| 977 | // as 100.100.100.100:853 (DoT) to time out in wireguard-go and |
| 978 | // produce "open-conn-track: timeout opening ...; no associated |
| 979 | // peer node" log spam. See the handleLocalPackets comment. |
| 980 | quad100LeakCases := []struct { |
| 981 | name string |