device: add API for on-demand configuration of peers #47
Conversation
Depends on tailscale/wireguard-go#47 Updates #17858 Change-Id: I3e38484bfc3e73b29cbe9e53f28f140c2cf85ae1 Signed-off-by: Brad Fitzpatrick <[email protected]>
Updates tailscale/tailscale#17858 Signed-off-by: Brad Fitzpatrick <[email protected]>
| toRemove := peer.handshake.remoteStatic | ||
| go func() { | ||
| peer.device.RemovePeer(toRemove) | ||
| log.Printf("expiredZeroKeyMaterial: removed idle lazy peer %x", toRemove) |
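Review bot: the removal is fire-and-forget and keyed only by the public key captured in toRemove, so nothing here confirms that the peer is still the same idle lazy peer by the time RemovePeer runs; if the peer is re-created on demand between the timer firing and the goroutine being scheduled, the stale goroutine would remove the fresh peer. Consider re-checking under the device lock that the peer registered for toRemove is still the expired one before calling peer.device.RemovePeer(toRemove).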
peer.device.log.Verbosef, and we could match the overall signature to the above log message or close to it, i.e. use %s of peer
ah, right!
| peer.SendHandshakeInitiation(false) | ||
| } | ||
|
|
||
| func expiredZeroKeyMaterial(peer *Peer) { |
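Review bot: expiredZeroKeyMaterial has no doc comment, and since it now removes idle lazy peers (per the "removed idle lazy peer" log message above) rather than only zeroing key material as the upstream name suggests, a comment stating when it runs and that it may remove the peer entirely would save the next reader from assuming the upstream semantics.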
we should rename this "expirePeer" or similar
well, I was trying to keep it closer to upstream
| if slices.Equal(p.state.allowedIPs, allowedIPs) { | ||
| return | ||
| } | ||
| p.device.allowedips.SetPeerPrefixes(p, allowedIPs) |
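Review bot: slices.Equal is order-sensitive, so the same set of prefixes supplied in a different order is treated as a change and triggers a full SetPeerPrefixes rewrite; either sort allowedIPs before the comparison or document that callers must pass a canonical order. Also make sure p.state.allowedIPs is assigned the new value after the SetPeerPrefixes call (not visible in this hunk), otherwise the early-return comparison goes stale.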
the clone and comment below seem sensible, but if that implies a dependence or leads to a future dependence, SetPeerPrefixes doesn't document the same behavior that this method relies on - if we need to preserve the behavior we should document it so future changes are less likely to accidentally change the semantics.
| } | ||
| } | ||
|
|
||
| func (table *AllowedIPs) SetPeerPrefixes(peer *Peer, prefixes []netip.Prefix) { |
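Review bot: SetPeerPrefixes lacks a doc comment describing its replace-all semantics, in particular that a prefix already mapped to another peer is silently reassigned to this one (last write wins) and becomes unrouted when this peer is later removed; whether the method stays exported or is made internal, stating that contract in a comment is what lets the caller guard against it.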
We're going to need to hold this with care, and it's almost tempting to suggest fixing it wireguard-go side, though it's also sort of a pre-existing issue:
If Peer A and Peer B have the same routes, then the last write wins.
If Peer B is removed, the route becomes un-routed.
A typical user expectation would more likely be that Peer A becomes the destination instead.
I believe we do some guarding of this on our side at quite a distance away from here, but it feels risky.
oh, I think I can unexport this now. I think this was from when I was waffling on the API I wanted. But this can be an internal detail now.
Updates tailscale/tailscale#17858