Documentation
Overview ¶
Package conn25 registers the conn25 feature and implements its associated ipnext.Extension. conn25 will be an app-connector-like feature that routes traffic for configured domains via connector devices and avoids the "too many routes" pitfall of app connector. As of 2026-02-04, it consists of some peer API routes that clients use to tell connectors about their desired routing.
Constants ¶
const (
	// OK indicates that the mapping was created as requested.
	OK TransitIPResponseCode = 0
	// OtherFailure indicates that the mapping failed for a reason that does not have
	// another relevant [TransitIPResponseCode].
	OtherFailure TransitIPResponseCode = 1
	// DuplicateTransitIP indicates that the same transit address appeared more than
	// once in a [ConnectorTransitIPRequest].
	DuplicateTransitIP TransitIPResponseCode = 2
	// NoMatchingPeerIPFamily indicates that the peer did not have an associated
	// IP with the same family as the transit IP being registered.
	NoMatchingPeerIPFamily = 3
	// AddrFamilyMismatch indicates that the transit IP and destination IP addresses
	// do not belong to the same IP family.
	AddrFamilyMismatch = 4
	// UnknownAppName indicates that the connector is not configured to handle requests
	// for the App name that was specified in the request.
	UnknownAppName = 5
)
const AppConnectorsExperimentalAttrName = "tailscale.com/app-connectors-experimental"
Variables ¶
var (
	ErrUnmappedMagicIP = errors.New("unmapped magic IP")
	ErrUnmappedSrcAndTransitIP = errors.New("unmapped src and transit IP")
)
Functions ¶
This section is empty.
Types ¶
type Conn25 ¶
type Conn25 struct {
	// contains filtered or unexported fields
}
Conn25 holds state for routing traffic for a domain via a connector.
func (*Conn25) ClientTransitIPForMagicIP ¶ added in v1.98.0
ClientTransitIPForMagicIP implements IPMapper.
type ConnectorTransitIPRequest ¶
type ConnectorTransitIPRequest struct {
	// TransitIPs is the list of requested mappings.
	TransitIPs []TransitIPRequest `json:"transitIPs,omitempty"`
}
ConnectorTransitIPRequest is the request body for a PeerAPI request to /connector/transit-ip and can include zero or more TransitIP allocation requests.
type ConnectorTransitIPResponse ¶
type ConnectorTransitIPResponse struct {
	// TransitIPs is the list of outcomes for each requested mapping. Elements
	// correspond to the order of [ConnectorTransitIPRequest.TransitIPs].
	TransitIPs []TransitIPResponse `json:"transitIPs,omitempty"`
}
ConnectorTransitIPResponse is the response to a ConnectorTransitIPRequest.
type FlowData ¶ added in v1.98.0
type FlowData struct {
	Tuple flowtrack.Tuple
	Action PacketAction
}
FlowData is an entry stored in the FlowTable.
type FlowTable ¶ added in v1.98.0
type FlowTable struct {
	// contains filtered or unexported fields
}
FlowTable stores and retrieves FlowData that can be looked up by 5-tuple. New entries specify the tuple to use for both directions of traffic flow. The underlying cache is LRU, and the maximum number of entries is specified in calls to NewFlowTable. FlowTable has its own mutex and is safe for concurrent use.
func NewFlowTable ¶ added in v1.98.0
NewFlowTable returns a FlowTable with a maximum of maxEntries entries. A maxEntries of 0 indicates no maximum. See also FlowTable.
func (*FlowTable) LookupFromTunDevice ¶ added in v1.98.0
LookupFromTunDevice looks up a FlowData entry that is valid to run for packets observed as coming from the tun device. The tuple must match the direction it was stored with.
func (*FlowTable) LookupFromWireGuard ¶ added in v1.98.0
LookupFromWireGuard looks up a FlowData entry that is valid to run for packets observed as coming from the WireGuard tunnel. The tuple must match the direction it was stored with.
func (*FlowTable) NewFlowFromTunDevice ¶ added in v1.98.0
NewFlowFromTunDevice installs (or overwrites) both the forward and return entries. The forward tuple is tagged as FromTun, and the return tuple is tagged as FromWireGuard. If overwriting, it removes the old paired tuple for the forward key to avoid stale reverse mappings.
func (*FlowTable) NewFlowFromWireGuard ¶ added in v1.98.0
NewFlowFromWireGuard installs (or overwrites) both the forward and return entries. The forward tuple is tagged as FromWireGuard, and the return tuple is tagged as FromTun. If overwriting, it removes the old paired tuple for the forward key to avoid stale reverse mappings.
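The paired-entry behavior described for FlowTable, as an added sketch that is not the package's implementation: the names tuple, origin, entry, sketchTable, install and lookup are hypothetical, actions are plain strings, and the LRU bound and mutex are left out. It shows why a lookup is bound to the side a packet was observed on and why overwriting a forward key must delete the old return entry.

```go
package main

import (
	"fmt"
	"net/netip"
)

type tuple struct{ src, dst netip.AddrPort } // simplified stand-in for flowtrack.Tuple

type origin int

const (
	fromTun origin = iota
	fromWireGuard
)

type entry struct {
	origin origin
	action string // stand-in for a PacketAction
	paired tuple  // key of the opposite-direction entry
}

// sketchTable is a hypothetical model of the documented behavior (no LRU, no mutex).
type sketchTable map[tuple]entry

// install writes the forward entry tagged fwdOrigin and the return entry tagged with the other side.
func (t sketchTable) install(fwd, ret tuple, fwdOrigin origin, fwdAct, retAct string) {
	if old, ok := t[fwd]; ok {
		delete(t, old.paired) // avoid a stale reverse mapping
	}
	t[fwd] = entry{fwdOrigin, fwdAct, ret}
	t[ret] = entry{fromTun + fromWireGuard - fwdOrigin, retAct, fwd}
}

// lookup matches only when the packet was observed on the side the entry is tagged for.
func (t sketchTable) lookup(k tuple, seenOn origin) (string, bool) {
	e, ok := t[k]
	if !ok || e.origin != seenOn {
		return "", false
	}
	return e.action, true
}

func main() {
	// Constructed addresses for illustration.
	fwd := tuple{netip.MustParseAddrPort("100.64.0.7:40000"), netip.MustParseAddrPort("169.254.0.1:443")}
	t := sketchTable{}
	t.install(fwd, tuple{fwd.dst, fwd.src}, fromTun, "dnat", "snat")
	fmt.Println(t.lookup(fwd, fromTun))
}
```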
type IPMapper ¶ added in v1.98.0
type IPMapper interface {
	// ClientTransitIPForMagicIP returns a Transit IP for the given magicIP on a client.
	// If the magicIP is within a configured Magic IP range for an app on the client,
	// but not mapped to an active Transit IP, implementations should return [ErrUnmappedMagicIP].
	// If magicIP is not within a configured Magic IP range, i.e. it is not actually a Magic IP,
	// implementations should return a nil error, and a zero-value [netip.Addr] to indicate
	// this is potentially valid, non-app-connector traffic.
	ClientTransitIPForMagicIP(magicIP netip.Addr) (netip.Addr, error)
	// ConnectorRealIPForTransitIPConnection returns a real destination IP for the given
	// srcIP and transitIP on a connector. If the transitIP is within a configured Transit IP
	// range for an app on the connector, but not mapped to the client at srcIP, implementations
	// should return [ErrUnmappedSrcAndTransitIP]. If the transitIP is not within a configured
	// Transit IP range, i.e. it is not actually a Transit IP, implementations should return
	// a nil error, and a zero-value [netip.Addr] to indicate this is potentially valid,
	// non-app-connector traffic.
	ConnectorRealIPForTransitIPConnection(srcIP netip.Addr, transitIP netip.Addr) (netip.Addr, error)
}
IPMapper provides methods for mapping special app connector IPs to each other in aid of performing DNAT and SNAT on app connector packets.
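The three outcomes of ClientTransitIPForMagicIP, as an added example that is not code from this package: toyMapper and decide are hypothetical, the range and addresses are constructed, and dropping on error is the example's own policy choice. It shows a caller telling apart a mapped Magic IP, an unmapped Magic IP, and ordinary non-app-connector traffic.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

var ErrUnmappedMagicIP = errors.New("unmapped magic IP") // local copy of the page's error

// toyMapper is hypothetical: one Magic IP range plus the active Magic-to-Transit map.
type toyMapper struct {
	magicRange netip.Prefix
	active     map[netip.Addr]netip.Addr
}

func (m toyMapper) ClientTransitIPForMagicIP(magicIP netip.Addr) (netip.Addr, error) {
	if !m.magicRange.Contains(magicIP) {
		return netip.Addr{}, nil // not a Magic IP: ordinary traffic
	}
	if transit, ok := m.active[magicIP]; ok {
		return transit, nil
	}
	return netip.Addr{}, ErrUnmappedMagicIP // Magic IP without an active mapping
}

// decide separates the three outcomes. Dropping on error is this example's
// policy choice, not behavior documented on the page.
func decide(m toyMapper, dst netip.Addr) string {
	transit, err := m.ClientTransitIPForMagicIP(dst)
	switch {
	case err != nil:
		return "drop: " + err.Error()
	case !transit.IsValid():
		return "pass through unchanged"
	default:
		return "rewrite dst to " + transit.String()
	}
}

func main() {
	m := toyMapper{ // constructed range and addresses
		magicRange: netip.MustParsePrefix("100.100.0.0/24"),
		active:     map[netip.Addr]netip.Addr{netip.MustParseAddr("100.100.0.5"): netip.MustParseAddr("169.254.0.1")},
	}
	for _, d := range []string{"100.100.0.5", "100.100.0.9", "192.0.2.10"} {
		fmt.Println(d, "->", decide(m, netip.MustParseAddr(d)))
	}
}
```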
type PacketAction ¶ added in v1.98.0
PacketAction may modify the packet.
type TransitIPRequest ¶
type TransitIPRequest struct {
	// TransitIP is the intermediate destination IP that will be received at this
	// connector and will be replaced by DestinationIP when performing DNAT.
	TransitIP netip.Addr `json:"transitIP,omitzero"`
	// DestinationIP is the final destination IP that connections to the TransitIP
	// should be mapped to when performing DNAT.
	DestinationIP netip.Addr `json:"destinationIP,omitzero"`
	// App is the name of the connector application from the tailnet
	// configuration.
	App string `json:"app,omitzero"`
}
TransitIPRequest details a single TransitIP allocation request from a client to a connector.
type TransitIPResponse ¶
type TransitIPResponse struct {
	// Code is an error code indicating success or failure of the [TransitIPRequest].
	Code TransitIPResponseCode `json:"code,omitzero"`
	// Message is an error message explaining what happened, suitable for logging but
	// not necessarily suitable for displaying in a UI to non-technical users. It
	// should be empty when [Code] is [OK].
	Message string `json:"message,omitzero"`
}
TransitIPResponse is the response to a TransitIPRequest.
type TransitIPResponseCode ¶
type TransitIPResponseCode int
TransitIPResponseCode appears in TransitIPResponse and signifies success or failure status.
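How a connector could turn a peer's ConnectorTransitIPRequest into per-entry response codes, as an added example that is not the package's handler: validate is hypothetical, the types are local mirrors of the declarations above, and the order of checks and flagging only the repeated transit IP are assumptions. NoMatchingPeerIPFamily is left unchecked because it needs the requesting peer's addresses.

```go
package main

import (
	"fmt"
	"net/netip"
)

type TransitIPResponseCode int // local mirror of the codes documented on this page

const (
	OK TransitIPResponseCode = iota
	OtherFailure
	DuplicateTransitIP
	NoMatchingPeerIPFamily // needs the peer's addresses; not checked in this example
	AddrFamilyMismatch
	UnknownAppName
)

type TransitIPRequest struct { // local mirror, JSON tags omitted
	TransitIP, DestinationIP netip.Addr
	App                      string
}

// validate is hypothetical connector-side code. Assumptions: the check order, and that
// only the repeat of a transit IP is flagged. apps is the set of configured app names.
func validate(reqs []TransitIPRequest, apps map[string]bool) []TransitIPResponseCode {
	seen := map[netip.Addr]bool{}
	out := make([]TransitIPResponseCode, len(reqs)) // positional; zero value is OK
	for i, r := range reqs {
		switch {
		case !r.TransitIP.IsValid() || !r.DestinationIP.IsValid():
			out[i] = OtherFailure
		case seen[r.TransitIP]:
			out[i] = DuplicateTransitIP
		case r.TransitIP.Is4() != r.DestinationIP.Is4():
			out[i] = AddrFamilyMismatch
		case !apps[r.App]:
			out[i] = UnknownAppName
		}
		seen[r.TransitIP] = true
	}
	return out
}

func main() {
	a := netip.MustParseAddr // constructed sample: second entry repeats a transit IP
	reqs := []TransitIPRequest{{a("169.254.0.1"), a("10.0.0.5"), "wiki"}, {a("169.254.0.1"), a("10.0.0.6"), "wiki"}}
	fmt.Println(validate(reqs, map[string]bool{"wiki": true}))
}
```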