[tunnel] Send 0.0.0.0/0 ::/0 routes if NAT GW is enabled

Author: dilyevsky

cmd/tunnelproxy/main.go

@@ -5,6 +5,9 @@ package main
 import (
 "flag"
 "fmt"
+"net"
+"net/netip"
+"os"
 "strings"
 "time"
 
@@ -44,6 +47,8 @@ var (
 
 apiServerAddr = flag.String("apiserver_addr", "host.docker.internal:8443", "APIServer address.")
 jwksURLs = flag.String("jwks_urls", "", "Comma-separated URLs of the JWKS endpoints.")
+
+extIPv6SubnetSize = flag.Int("ext_ipv6_subnet_size", 64, "IPv6 subnet size.")
 )
 
 func main() {
@@ -97,7 +102,20 @@ func main() {
 log.Fatalf("Failed to create JWT validator: %v", err)
 }
 
-r, err := router.NewNetlinkRouter()
+// Resolve external IPv6 address from hostname
+extAddr, err := net.ResolveIPAddr("ip6", os.Getenv("HOSTNAME"))
+if err != nil {
+log.Fatalf("Failed to resolve external IPv6 address: %v", err)
+}
+extIPv6, ok := netip.AddrFromSlice(extAddr.IP)
+if !ok {
+log.Fatalf("Invalid IPv6 address resolved: %s", extAddr.IP.String())
+}
+extIPv6Prefix := netip.PrefixFrom(extIPv6, *extIPv6SubnetSize)
+
+r, err := router.NewNetlinkRouter(
+router.WithExternalIPv6Prefix(extIPv6Prefix),
+)
 if err != nil {
 log.Fatalf("Failed to create netlink router: %v", err)
 }
@@ -106,6 +124,7 @@ func main() {
 mgr.GetClient(),
 jwtValidator,
 r,
+tunnel.WithExternalIPv6Prefix(extIPv6Prefix),
 )
 g.Go(func() error {
 log.Infof("Starting Tunnel Proxy server")

pkg/tunnel/router/options.go

@@ -10,6 +10,7 @@ import (
 type Option func(*routerOptions)
 
 type routerOptions struct {
+extIPv6Prefix netip.Prefix
 localAddresses []netip.Prefix
 resolveConf *network.ResolveConfig // If not set system default resolver is used
 pcapPath string
@@ -20,6 +21,7 @@ type routerOptions struct {
 
 func defaultOptions() *routerOptions {
 return &routerOptions{
+extIPv6Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 64),
 extIfaceName: "eth0",
 tunIfaceName: "tun0",
 socksListenAddr: "localhost:1080",
@@ -33,6 +35,13 @@ func WithLocalAddresses(localAddresses []netip.Prefix) Option {
 }
 }
 
+// WithExternalIPv6Prefix sets the external IPv6 prefix for the router.
+func WithExternalIPv6Prefix(prefix netip.Prefix) Option {
+return func(o *routerOptions) {
+o.extIPv6Prefix = prefix
+}
+}
+
 // WithPcapPath sets the optional path to a packet capture file for the netstack router.
 func WithPcapPath(path string) Option {
 return func(o *routerOptions) {

pkg/tunnel/router/server_netlink_linux.go

@@ -10,8 +10,6 @@ import (
 "net"
 "net/netip"
 "os"
-"slices"
-"strings"
 "sync"
 
 "github.com/vishvananda/netlink"
@@ -32,59 +30,19 @@ var (
 
 // NetlinkRouter implements Router using Linux's netlink subsystem.
 type NetlinkRouter struct {
-extLink netlink.Link
+extLink netlink.Link
+extIPv6Prefix netip.Prefix
+
 tunDev tun.Device
 tunLink netlink.Link
 
-extAddr netip.Addr
-extPrefixes []netip.Prefix
-ipt utiliptables.Interface
+ipt utiliptables.Interface
 
 mux *connection.MuxedConn
 
 closeOnce sync.Once
 }
 
-func extPrefixes(link netlink.Link) (netip.Addr, []netip.Prefix, error) {
-slog.Info("Checking link", slog.String("name", link.Attrs().Name))
-
-addrs, err := netlink.AddrList(link, netlink.FAMILY_V6)
-if err != nil {
-return netip.Addr{}, nil, fmt.Errorf("failed to get addresses for link: %w", err)
-}
-
-var extAddr netip.Addr
-var prefixes []netip.Prefix
-for _, addr := range addrs {
-slog.Debug("Checking address", slog.String("addr", addr.String()))
-// Skip loopback addresses
-ip, ok := netip.AddrFromSlice(addr.IP)
-if !ok {
-slog.Warn("Failed to convert IP address", slog.String("ip", addr.IP.String()))
-continue
-}
-if !ip.Is6() {
-slog.Warn("Skipping non-IPv6 address", slog.String("ip", addr.IP.String()))
-continue
-}
-if !ip.IsGlobalUnicast() { // Skip non-global unicast addresses.
-slog.Debug("Skipping non-global unicast address", slog.String("ip", addr.IP.String()))
-continue
-}
-
-slog.Info("Found IPv6 address", slog.String("ip", addr.IP.String()), slog.String("mask", addr.Mask.String()))
-
-if !extAddr.IsValid() {
-extAddr = ip
-}
-
-bits, _ := addr.Mask.Size()
-prefixes = append(prefixes, netip.PrefixFrom(ip, bits))
-}
-
-return extAddr, prefixes, nil
-}
-
 // NewNetlinkRouter creates a new netlink-based tunnel router.
 func NewNetlinkRouter(opts ...Option) (*NetlinkRouter, error) {
 options := defaultOptions()
@@ -96,10 +54,6 @@ func NewNetlinkRouter(opts ...Option) (*NetlinkRouter, error) {
 if err != nil {
 return nil, fmt.Errorf("failed to get external interface: %w", err)
 }
-extAddr, lrs, err := extPrefixes(extLink)
-if err != nil {
-return nil, fmt.Errorf("failed to get local routes: %w", err)
-}
 
 tunDev, err := tun.CreateTUN(options.tunIfaceName, netstack.IPv6MinMTU)
 if err != nil {
@@ -157,9 +111,7 @@ func NewNetlinkRouter(opts ...Option) (*NetlinkRouter, error) {
 tunDev: tunDev,
 tunLink: tunLink,
 
-extAddr: extAddr,
-extPrefixes: lrs,
-ipt: utiliptables.New(utilexec.New(), utiliptables.ProtocolIPv6),
+ipt: utiliptables.New(utilexec.New(), utiliptables.ProtocolIPv6),
 
 mux: connection.NewMuxedConn(),
 }, nil
@@ -181,14 +133,12 @@ func (r *NetlinkRouter) setupDNAT() error {
 extName := r.extLink.Attrs().Name
 tunName := r.tunLink.Attrs().Name
 
-// Setup jump rule to our custom chain.
-var dsts []string
-for _, prefix := range r.extPrefixes {
-dsts = append(dsts, prefix.Addr().String())
-}
-slices.Sort(dsts)
-slog.Info("Setting up jump rule", slog.String("ext_iface", extName), slog.String("tun_iface", tunName), slog.String("dsts", strings.Join(dsts, ",")))
-jRuleSpec := []string{"-d", strings.Join(dsts, ","), "-i", extName, "-j", string(ChainA3yTunRules)}
+slog.Info("Setting up jump rule",
+slog.String("ext_iface", extName),
+slog.String("ext_addr", r.extIPv6Prefix.Addr().String()))
+
+// Traffic arriving at the designated external interface will be processed by the A3Y-TUN-RULES chain.
+jRuleSpec := []string{"-d", r.extIPv6Prefix.Addr().String(), "-i", extName, "-j", string(ChainA3yTunRules)}
 if _, err := r.ipt.EnsureRule(utiliptables.Append, utiliptables.TableNAT, utiliptables.ChainPrerouting, jRuleSpec...); err != nil {
 return fmt.Errorf("failed to ensure jump rule: %w", err)
 }

pkg/tunnel/server.go

@@ -44,20 +44,22 @@ var (
 type TunnelServerOption func(*tunnelServerOptions)
 
 type tunnelServerOptions struct {
-proxyAddr string
-ulaPrefix netip.Prefix
-certPath string
-keyPath string
-ipam tunnet.IPAM
+proxyAddr string
+ulaPrefix netip.Prefix
+certPath string
+keyPath string
+ipam tunnet.IPAM
+extIPv6Prefix netip.Prefix
 }
 
 func defaultServerOptions() *tunnelServerOptions {
 return &tunnelServerOptions{
-proxyAddr: "0.0.0.0:9443",
-ulaPrefix: netip.MustParsePrefix("fd00::/64"),
-certPath: "/etc/apoxy/certs/tunnelproxy.crt",
-keyPath: "/etc/apoxy/certs/tunnelproxy.key",
-ipam: tunnet.NewRandomULA(),
+proxyAddr: "0.0.0.0:9443",
+ulaPrefix: netip.MustParsePrefix("fd00::/64"),
+certPath: "/etc/apoxy/certs/tunnelproxy.crt",
+keyPath: "/etc/apoxy/certs/tunnelproxy.key",
+ipam: tunnet.NewRandomULA(),
+extIPv6Prefix: netip.MustParsePrefix("fd00::/64"),
 }
 }
 
@@ -96,6 +98,14 @@ func WithIPAM(ipam tunnet.IPAM) TunnelServerOption {
 }
 }
 
+// WithExternalIPv6Prefix sets the external IPv6 prefix. This is the IPv6 prefix used to
+// send traffic through the tunnel.
+func WithExternalIPv6Prefix(prefix netip.Prefix) TunnelServerOption {
+return func(o *tunnelServerOptions) {
+o.extIPv6Prefix = prefix
+}
+}
+
 type TunnelServer struct {
 http3.Server
 client.Client
@@ -318,7 +328,17 @@ func (t *TunnelServer) handleConnect(w http.ResponseWriter, r *http.Request) {
 return
 }
 
-advRoutes := []netip.Prefix{} // TODO: Implement route advertisement logic from TunnelNode and config.
+advRoutes := []netip.Prefix{
+t.options.extIPv6Prefix,
+}
+// If egress gateway is enabled, route 0.0.0.0/0 via the tunnel.
+if tn.Spec.EgressGateway != nil && tn.Spec.EgressGateway.Enabled {
+advRoutes = append(advRoutes,
+netip.PrefixFrom(netip.IPv4Unspecified(), 0),
+netip.PrefixFrom(netip.IPv6Unspecified(), 0),
+)
+}
+
 logger.Info("Advertising routes", slog.Any("routes", advRoutes))
 
 if err := conn.AdvertiseRoute(r.Context(), iproutesFromPrefixes(advRoutes)); err != nil {