You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix: fix netstack to forward TCP sessions to local addresses (#62)
relates to: coder/coder#14715
For CoderVPN, we need Agents to operate on a separate Unique Local Address (ULA) prefix than Tailscale, so that CoderVPN and Tailscale can both run on the same computer.
This PR fixes an issue in the Tailscale netstack, where it uses the hardcoded Tailscale ULA to decide whether to forward TCP connections to localhost (127.0.0.1), rather than just checking whether the destination is an address assigned to the node.
Pretty sure this is just a bug / another case of assumptions that are true for Tailscale but not for us. `acceptTCP()` makes a call to `removeSubnetAddress()` in a defer. This was originally conditional on `isTailscaleIP`, but the check for `addSubnetAddress()` on line 311 uses `isLocalIP()`. Stepping thru the code, if we accept a TCP connection for an address that is local, but not in the Tailscale service prefix (i.e. one in our new Coder service prefix), we call `removeSubnetAddress()` without ever having called `addSubnetAddress()`, and decrement the connection count on that address to -1, which is almost certainly incorrect. It worked fine for Tailscale because they could safely assume that all local addresses were also Tailscale IPs, but we can't anymore.
Note also that UDP forwarding already uses `isLocalIP()` to decide whether to forward.
This change passes the local `netstack` unit tests, but the real tests will be in `coder/coder` when we show that we can successfully make TCP connections.
0 commit comments