Program routes and policy rules using netlink, not iptables binary #391
Comments
danderson
added
L2 Few
Can you expand on this? Which APIs do you need, and in which way are they unsafe? I was about to open an issue suggesting to use https://github.com/google/nftables/ where available to avoid the iptables dependency. This would help make tailscale work on https://gokrazy.org/, where only Go is available (no C userland, i.e. no iptables). |
|
For one, we can't depend on nftables, because we need to support OSes that haven't switched to nftables under the hood (e.g. pre-Buster debian), and we have to be cross-compatible with other software that doesn't support nftables (e.g. Docker, Kubernetes). The main way we can do that safely is to continue using the And the legacy iptables is unsafe to use over netlink, because the API does replacement of the entire firewall at once, and doesn't have a way of preventing concurrent writes from squashing each other. The userspace tools work around this (poorly) with file-based locks, which already goes wrong in situations like containers. If we can (a) positively detect that nftables, and only nftables is in use on the system; (b) we can manipulate the "legacy iptables converted to nftables" rules in nftables without conflicting with |
|
Thanks for the additional details, I agree with your view point. I expect that using nftables directly might become more attractive in a few years as more and more installations run on the legacy-converted-to-nftables model. Would an nftables fallback code path be something that you would accept if people contributed it, or is there a lot of churn and hence maintenance burden in that part of the tailscale code base? |
|
I would love to not depend on If we can figure out how to make that part work reliably, I'd be very happy to have logic that uses nftables directly where possible, and falls back to shelling out to iptables otherwise. There is definitely a maintenance burden, and given that we support distros like RHEL that take nearly a decade to drop support, I don't think iptables is going anywhere any time soon, sadly. I still think it's worth doing, if you want to open that particular can of worms :). Otherwise, I think we'll get to it "someday", but once we get the iptables logic stable it's going to be low priority. |
|
Before I lose this, adding @stapelberg's pointers from https://twitter.com/zekjur/status/1427356540072255501: Which uses https://pkg.go.dev/github.com/vishvananda/netlink |
Converts up, down, add/del addresses, add/del non-throw routes. Not yet done: throw routes, rules. Updates #391 Change-Id: I02554ca07046d18f838e04a626ba99bbd35266fb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Converts up, down, add/del addresses, add/del non-throw routes. Not yet done: throw routes, rules. Updates #391 Change-Id: I02554ca07046d18f838e04a626ba99bbd35266fb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Converts up, down, add/del addresses, add/del non-throw routes. Not yet done: throw routes, rules. Updates #391 Change-Id: I02554ca07046d18f838e04a626ba99bbd35266fb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Converts up, down, add/del addresses, add/del routes. Not yet done: rules. Updates #391 Change-Id: I02554ca07046d18f838e04a626ba99bbd35266fb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Converts up, down, add/del addresses, add/del routes. Not yet done: rules. Updates #391 Change-Id: I02554ca07046d18f838e04a626ba99bbd35266fb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
No non-test changes. Updates #391 Change-Id: Ia88610c08e07a119d002e58250463cb4659b9f54 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Pull out the list of policy routing rules to a data structure now shared between the add & delete paths, but to also be shared by the netlink paths in a future change. Updates #391 Change-Id: I119ab1c246f141d639006c808b61c585c3d67924 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Pull out the list of policy routing rules to a data structure now shared between the add & delete paths, but to also be shared by the netlink paths in a future change. Updates #391 Change-Id: I119ab1c246f141d639006c808b61c585c3d67924 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
I sent vishvananda/netlink#711 to add the support for the unreachable rule we use. After that we're down to "just" iptables/nftables. 🥲 |
Updates #391 Change-Id: I6e1de96cf0750ccba53dabff670aca0c56dffb7c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates #391 Change-Id: I6e1de96cf0750ccba53dabff670aca0c56dffb7c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates #391 Change-Id: Ifef196b31dd145f424fb0c0d0bb04565cc22c717 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Due to the conflict between our nftables implementation and ufw, which is a common utility used on linux. We now want to take a step back to prevent regression. This will give us more chance to let users to test our nftables support and heuristic. Updates: #391 Signed-off-by: KevinLiang10 <kevinliang@tailscale.com> (cherry picked from commit 93cab56)
This commit tries to mimic the way iptables-nft work with the filewall rules. We follow the convention of using tables like filter, nat and the conventional chains, to make our nftables implementation work with ufw. Updates: #391 Signed-off-by: KevinLiang10 <kevinliang@tailscale.com> (cherry picked from commit b040094)
* wgengine/router: fall back and set iptables as default again Due to the conflict between our nftables implementation and ufw, which is a common utility used on linux. We now want to take a step back to prevent regression. This will give us more chance to let users to test our nftables support and heuristic. Updates: #391 Signed-off-by: KevinLiang10 <kevinliang@tailscale.com> (cherry picked from commit 93cab56) * util/linuxfw: reorganize nftables rules to allow it to work with ufw This commit tries to mimic the way iptables-nft work with the filewall rules. We follow the convention of using tables like filter, nat and the conventional chains, to make our nftables implementation work with ufw. Updates: #391 Signed-off-by: KevinLiang10 <kevinliang@tailscale.com> (cherry picked from commit b040094) * tailcfg: update docs on NetInfo.FirewallMode Updates #391 Change-Id: Ifef196b31dd145f424fb0c0d0bb04565cc22c717 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> (cherry picked from commit 282dad1) --------- Co-authored-by: KevinLiang10 <kevinliang@tailscale.com> Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
An update on status: v1.48.1 has been released and will default to iptables again. You can test out the detection logic which will pick between nftables and iptables based on usage, by setting: There is additionally a fix in 1.48.1 that resolves the conflict with ufw that lead to forwarding traffic (subnet routers and exit nodes) from functioning properly under nftables mode. We would appreciate wider testing of the nftables mode to ensure broad coverage, as the integration requires coordination with conventions that are not standards in the platform. As of 1.48.1, in ntables mode Tailscale inserts rules into the tables used by iptables-nft and ufw in order to coordinate with those ecosystems. We hope to re-enable firewall mode auto-detection in a future release. |
Not able to reproduce with 1.48.1. I'll report back if I face this issue again. |
|
It is working for me on version |
Signed-off-by: Zephyr Lykos <git@mochaa.ws>
Add an explicit accept rule for input to the tun interface, as a mirror to the explicit rule to accept output from the tun interface. The rule matches any packet in to our tun interface and accepts it, and the rule is positioned and prioritized such that it should be evaluated prior to conventional ufw/iptables/nft rules. Updates #391 Fixes #7332 Updates #9084 Signed-off-by: James Tucker <james@tailscale.com>
|
In https://tailscale.com/kb/1294/firewall-mode/ guide
|
|
I ran a quick test.
|
Add an explicit accept rule for input to the tun interface, as a mirror to the explicit rule to accept output from the tun interface. The rule matches any packet in to our tun interface and accepts it, and the rule is positioned and prioritized such that it should be evaluated prior to conventional ufw/iptables/nft rules. Updates #391 Fixes #7332 Updates #9084 Signed-off-by: James Tucker <james@tailscale.com>
This change is introducing new netfilterRunner interface and moving iptables manipulation to a lower leveled iptables runner. For tailscale#391 Signed-off-by: KevinLiang10 <kevinliang@tailscale.com> Signed-off-by: Alex Paguis <alex@windscribe.com>
Exclide GOARCHs including: mips, mips64, mips64le, mipsle, riscv64. These archs are not supported by gvisor.dev/gvisor/pkg/hostarch. Fixes: tailscale#391 Signed-off-by: KevinLiang10 <kevinliang@tailscale.com> Signed-off-by: Alex Paguis <alex@windscribe.com>
This commit adds nftable rule injection for tailscaled. If tailscaled is started with envknob TS_DEBUG_USE_NETLINK_NFTABLES = true, the router will use nftables to manage firewall rules. Updates: tailscale#391 Signed-off-by: KevinLiang10 <kevinliang@tailscale.com> Signed-off-by: Alex Paguis <alex@windscribe.com>
Due to the conflict between our nftables implementation and ufw, which is a common utility used on linux. We now want to take a step back to prevent regression. This will give us more chance to let users to test our nftables support and heuristic. Updates: tailscale#391 Signed-off-by: KevinLiang10 <kevinliang@tailscale.com> Signed-off-by: Alex Paguis <alex@windscribe.com>
This commit tries to mimic the way iptables-nft work with the filewall rules. We follow the convention of using tables like filter, nat and the conventional chains, to make our nftables implementation work with ufw. Updates: tailscale#391 Signed-off-by: KevinLiang10 <kevinliang@tailscale.com> Signed-off-by: Alex Paguis <alex@windscribe.com>
Updates tailscale#391 Change-Id: Ifef196b31dd145f424fb0c0d0bb04565cc22c717 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Alex Paguis <alex@windscribe.com>
Add an explicit accept rule for input to the tun interface, as a mirror to the explicit rule to accept output from the tun interface. The rule matches any packet in to our tun interface and accepts it, and the rule is positioned and prioritized such that it should be evaluated prior to conventional ufw/iptables/nft rules. Updates tailscale#391 Fixes tailscale#7332 Updates tailscale#9084 Signed-off-by: James Tucker <james@tailscale.com> Signed-off-by: Alex Paguis <alex@windscribe.com>
and others
The linux router currently programs the linux network stack with
ipandiptables.iptablesis unavoidable because the corresponding netlink APIs are not safe for direct use. However, everything we do withipwe could just do directly over a netlink socket.This would in particular help embedded systems that ship with the Busybox version of
ip, which is stripped down and doesn't understand advanced commands like policy routing rules, which Tailscale requires.The text was updated successfully, but these errors were encountered: