split out exit nodes from primary manager

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-08-24 13:46:53 +02:00 · 2025-03-19 08:34:28 +01:00 · 2025-03-19 08:34:28 +01:00 · c047278109
commit c047278109
parent 8e3201b78d
7 changed files with 78 additions and 33 deletions
--- a/hscontrol/mapper/mapper_test.go
+++ b/hscontrol/mapper/mapper_test.go
@ -165,9 +165,10 @@ func Test_fullMapResponse(t *testing.T) {
 		),
 		Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
 		AllowedIPs: []netip.Prefix{
-			netip.MustParsePrefix("100.64.0.1/32"),
 			tsaddr.AllIPv4(),
 			netip.MustParsePrefix("192.168.0.0/24"),
+			netip.MustParsePrefix("100.64.0.1/32"),
+			tsaddr.AllIPv6(),
 		},
 		PrimaryRoutes: []netip.Prefix{
 			netip.MustParsePrefix("192.168.0.0/24"),
--- a/hscontrol/mapper/tail.go
+++ b/hscontrol/mapper/tail.go
@ -8,6 +8,7 @@ import (
 	"github.com/juanfont/headscale/hscontrol/routes"
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/samber/lo"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 )

@ -80,6 +81,10 @@ func tailNode(
 	}
 	tags = lo.Uniq(append(tags, node.ForcedTags...))

+	allowed := append(node.Prefixes(), primary.PrimaryRoutes(node.ID)...)
+	allowed = append(allowed, node.ExitRoutes()...)
+	tsaddr.SortPrefixes(allowed)
+
 	tNode := tailcfg.Node{
 		ID:       tailcfg.NodeID(node.ID), // this is the actual ID
 		StableID: node.ID.StableID(),
--- a/hscontrol/mapper/tail_test.go
+++ b/hscontrol/mapper/tail_test.go
@ -137,9 +137,10 @@ func TestTailNode(t *testing.T) {
 				),
 				Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
 				AllowedIPs: []netip.Prefix{
-					netip.MustParsePrefix("100.64.0.1/32"),
 					tsaddr.AllIPv4(),
 					netip.MustParsePrefix("192.168.0.0/24"),
+					netip.MustParsePrefix("100.64.0.1/32"),
+					tsaddr.AllIPv6(),
 				},
 				PrimaryRoutes: []netip.Prefix{
 					netip.MustParsePrefix("192.168.0.0/24"),
--- a/hscontrol/routes/primary.go
+++ b/hscontrol/routes/primary.go
@ -102,12 +102,16 @@ func (pr *PrimaryRoutes) updatePrimaryLocked() bool {
 	return changed
 }

-func (pr *PrimaryRoutes) SetRoutes(node types.NodeID, prefix ...netip.Prefix) bool {
+// SetRoutes sets the routes for a given Node ID and recalculates the primary routes
+// of the headscale.
+// It returns true if there was a change in primary routes.
+// All exit routes are ignored as they are not used in primary route context.
+func (pr *PrimaryRoutes) SetRoutes(node types.NodeID, prefixes ...netip.Prefix) bool {
 	pr.mu.Lock()
 	defer pr.mu.Unlock()

 	// If no routes are being set, remove the node from the routes map.
-	if len(prefix) == 0 {
+	if len(prefixes) == 0 {
 		if _, ok := pr.routes[node]; ok {
 			delete(pr.routes, node)
 			return pr.updatePrimaryLocked()
--- a/hscontrol/routes/primary_test.go
+++ b/hscontrol/routes/primary_test.go
@ -366,7 +366,6 @@ func TestPrimaryRoutes(t *testing.T) {
 			},
 			expectedPrimaries: map[netip.Prefix]types.NodeID{
 				mp("192.168.1.0/24"): 1,
-				mp("0.0.0.0/0"):      1,
 			},
 			expectedIsPrimary: map[types.NodeID]bool{
 				1: true,
@ -389,6 +388,26 @@ func TestPrimaryRoutes(t *testing.T) {
 			expectedRoutes: nil,
 			expectedChange: false,
 		},
+		{
+			name: "exit-nodes",
+			operations: func(pr *PrimaryRoutes) bool {
+				pr.SetRoutes(1, mp("10.0.0.0/16"), mp("0.0.0.0/0"), mp("::/0"))
+				pr.SetRoutes(3, mp("0.0.0.0/0"), mp("::/0"))
+				return pr.SetRoutes(2, mp("0.0.0.0/0"), mp("::/0"))
+			},
+			expectedRoutes: map[types.NodeID]set.Set[netip.Prefix]{
+				1: {
+					mp("10.0.0.0/16"): {},
+				},
+			},
+			expectedPrimaries: map[netip.Prefix]types.NodeID{
+				mp("10.0.0.0/16"): 1,
+			},
+			expectedIsPrimary: map[types.NodeID]bool{
+				1: true,
+			},
+			expectedChange: false,
+		},
 		{
 			name: "concurrent-access",
 			operations: func(pr *PrimaryRoutes) bool {
--- a/hscontrol/types/node.go
+++ b/hscontrol/types/node.go
@ -14,6 +14,7 @@ import (
 	"github.com/juanfont/headscale/hscontrol/util"
 	"go4.org/netipx"
 	"google.golang.org/protobuf/types/known/timestamppb"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 )
@ -222,6 +223,19 @@ func (node *Node) Prefixes() []netip.Prefix {
 	return addrs
 }

+// ExitRoutes returns a list of both exit routes if the
+// node has any exit routes enabled.
+// If none are enabled, it will return nil.
+func (node *Node) ExitRoutes() []netip.Prefix {
+	for _, route := range node.SubnetRoutes() {
+		if tsaddr.IsExitRoute(route) {
+			return tsaddr.ExitRoutes()
+		}
+	}
+
+	return nil
+}
+
 func (node *Node) IPsAsString() []string {
 	var ret []string

--- a/integration/route_test.go
+++ b/integration/route_test.go
@ -8,6 +8,7 @@ import (
 	"time"

 	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1"
 	"github.com/juanfont/headscale/hscontrol/util"
@ -19,6 +20,7 @@ import (
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/types/ipproto"
 	"tailscale.com/types/views"
+	"tailscale.com/util/slicesx"
 	"tailscale.com/wgengine/filter"
 )

@ -125,7 +127,7 @@ func TestEnablingRoutes(t *testing.T) {
 		for _, peerKey := range status.Peers() {
 			peerStatus := status.Peer[peerKey]

-			assert.Nil(t, peerStatus.PrimaryRoutes)
+			assert.NotNil(t, peerStatus.PrimaryRoutes)

 			assert.Len(t, peerStatus.AllowedIPs.AsSlice(), 3)

@ -189,7 +191,6 @@ func TestEnablingRoutes(t *testing.T) {
 		for _, peerKey := range status.Peers() {
 			peerStatus := status.Peer[peerKey]

-			assert.Nil(t, peerStatus.PrimaryRoutes)
 			if peerStatus.ID == "1" {
 				requirePeerSubnetRoutes(t, peerStatus, nil)
 			} else if peerStatus.ID == "2" {
@ -1378,6 +1379,32 @@ func TestSubnetRouterMultiNetwork(t *testing.T) {
 		peerStatus := status.Peer[peerKey]

 		assert.Contains(t, peerStatus.PrimaryRoutes.AsSlice(), *pref)
+		requirePeerSubnetRoutes(t, peerStatus, []netip.Prefix{*pref})
+	}
+
+	usernet1, err := scenario.Network("usernet1")
+	require.NoError(t, err)
+
+	services, err := scenario.Services("usernet1")
+	require.NoError(t, err)
+	require.Len(t, services, 1)
+
+	web := services[0]
+	webip := netip.MustParseAddr(web.GetIPInNetwork(usernet1))
+
+	url := fmt.Sprintf("http://%s/etc/hostname", webip)
+	t.Logf("url from %s to %s", user2c.Hostname(), url)
+
+	result, err := user2c.Curl(url)
+	require.NoError(t, err)
+	assert.Len(t, result, 13)
+
+	tr, err := user2c.Traceroute(webip)
+	require.NoError(t, err)
+	assertTracerouteViaIP(t, tr, user1c.MustIPv4())
+}
+
+// TestSubnetRouterMultiNetworkExitNode
 func TestSubnetRouterMultiNetworkExitNode(t *testing.T) {
 	IntegrationSkip(t)
 	t.Parallel()
@ -1510,32 +1537,6 @@ func TestSubnetRouterMultiNetworkExitNode(t *testing.T) {
 	require.NoError(t, err)
 }

-		assert.Nil(t, peerStatus.PrimaryRoutes)
-		requirePeerSubnetRoutes(t, peerStatus, []netip.Prefix{*pref})
-	}
-
-	usernet1, err := scenario.Network("usernet1")
-	require.NoError(t, err)
-
-	services, err := scenario.Services("usernet1")
-	require.NoError(t, err)
-	require.Len(t, services, 1)
-
-	web := services[0]
-	webip := netip.MustParseAddr(web.GetIPInNetwork(usernet1))
-
-	url := fmt.Sprintf("http://%s/etc/hostname", webip)
-	t.Logf("url from %s to %s", user2c.Hostname(), url)
-
-	result, err := user2c.Curl(url)
-	require.NoError(t, err)
-	assert.Len(t, result, 13)
-
-	tr, err := user2c.Traceroute(webip)
-	require.NoError(t, err)
-	assertTracerouteViaIP(t, tr, user1c.MustIPv4())
-}
-
 func assertTracerouteViaIP(t *testing.T, tr util.Traceroute, ip netip.Addr) {
 	t.Helper()