ipn/ipnlocal: add VIP service IPs to localnets

Without adding this, the packet filter rejects traffic to VIP service addresses before checking the filters sent in the netmap. Fixes tailscale/corp#26241 Change-Id: Idd54448048e9b786cf4873fd33b3b21e03d3ad4c Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
2025-01-31 15:25:48 -05:00 · 2025-01-31 15:25:48 -05:00 · 97c4c0ecf0
commit 97c4c0ecf0
parent 600f25dac9
1 changed files with 27 additions and 0 deletions
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@ -2368,6 +2368,29 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	return nil
 }
 // addServiceIPs adds the IP addresses of any VIP Services sent from the
 // coordination server to the list of addresses that we expect to handle.
 func addServiceIPs(localNetsB *netipx.IPSetBuilder, selfNode tailcfg.NodeView) error {
 	if !selfNode.Valid() {
 		return nil
 	}
 	serviceMap, err := tailcfg.UnmarshalNodeCapViewJSON[tailcfg.ServiceIPMappings](selfNode.CapMap(), tailcfg.NodeAttrServiceHost)
 	if err != nil {
 		return err
 	}
 	for _, sm := range serviceMap { // typically there will be exactly one of these
 		for _, serviceAddrs := range sm {
 			for _, addr := range serviceAddrs { // typically there will be exactly two of these
 				localNetsB.Add(addr)
 			}
 		}
 	}
 	return nil
 }
 // invalidPacketFilterWarnable is a Warnable to warn the user that the control server sent an invalid packet filter.
 var invalidPacketFilterWarnable = health.Register(&health.Warnable{
 	Code:     "invalid-packet-filter",
@ -2411,6 +2434,10 @@ func (b *LocalBackend) updateFilterLocked(netMap *netmap.NetworkMap, prefs ipn.P
 		} else {
 			b.health.SetHealthy(invalidPacketFilterWarnable)
 		}
 		if err := addServiceIPs(&localNetsB, netMap.SelfNode); err != nil {
 			b.logf("addServiceIPs: %v", err)
 		}
 	}
 	if prefs.Valid() {
 		for _, r := range prefs.AdvertiseRoutes().All() {