From 71f5df3fbea77b1bb4fb692232b27dbbfac184b3 Mon Sep 17 00:00:00 2001
From: Andrew Dunham
Date: Sun, 19 Feb 2023 11:07:18 -0700
Subject: [PATCH] wgengine/router: drop non-Tailscale IPv6 traffic from ULA range

This replicates the same behaviour in our IPv4 rules by dropping traffic from the IPv6 ULA range that Tailscale uses that does not come from Tailscale itself (i.e. does not have the fwmark).

Signed-off-by: Andrew Dunham
Change-Id: I75bc09fab73b5171de09a6828549644637c8a495
---
 wgengine/router/router_linux.go | 11 ++++++++---
 wgengine/router/router_linux_test.go | 7 +++++++
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/wgengine/router/router_linux.go b/wgengine/router/router_linux.go
index 4afdaf7fb..4ffbf80cb 100644
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -1300,7 +1300,7 @@ func (r *linuxRouter) addNetfilterBase4() error {
 	return nil
 }
 
-// addNetfilterBase4 adds some basic IPv6 processing rules to be
+// addNetfilterBase6 adds some basic IPv6 processing rules to be
 // supplemented by later calls to other helpers.
 func (r *linuxRouter) addNetfilterBase6() error {
 	// TODO: only allow traffic from Tailscale's ULA range to come
@@ -1314,8 +1314,13 @@ func (r *linuxRouter) addNetfilterBase6() error {
 	if err := r.ipt6.Append("filter", "ts-forward", args...); err != nil {
 		return fmt.Errorf("adding %v in v6/filter/ts-forward: %w", args, err)
 	}
-	// TODO: drop forwarded traffic to tailscale0 from tailscale's ULA
-	// (see corresponding IPv4 CGNAT rule).
+
+	// Drop traffic from the Tailscale ULA range; by this rule, we know that
+	// it doesn't have our fwmark and is thus not from us and safe to drop.
+	args = []string{"-o", r.tunname, "-s", tsaddr.TailscaleULARange().String(), "-j", "DROP"}
+	if err := r.ipt6.Append("filter", "ts-forward", args...); err != nil {
+		return fmt.Errorf("adding %v in v6/filter/ts-forward: %w", args, err)
+	}
 	args = []string{"-o", r.tunname, "-j", "ACCEPT"}
 	if err := r.ipt6.Append("filter", "ts-forward", args...); err != nil {
 		return fmt.Errorf("adding %v in v6/filter/ts-forward: %w", args, err)
diff --git a/wgengine/router/router_linux_test.go b/wgengine/router/router_linux_test.go
index 1883e6b4b..92add6468 100644
--- a/wgengine/router/router_linux_test.go
+++ b/wgengine/router/router_linux_test.go
@@ -117,6 +117,7 @@ v6/filter/FORWARD -j ts-forward
 v6/filter/INPUT -j ts-input
 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000
 v6/filter/ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
+v6/filter/ts-forward -o tailscale0 -s fd7a:115c:a1e0::/48 -j DROP
 v6/filter/ts-forward -o tailscale0 -j ACCEPT
 v6/nat/POSTROUTING -j ts-postrouting
 v6/nat/ts-postrouting -m mark --mark 0x40000/0xff0000 -j MASQUERADE
@@ -148,6 +149,7 @@ v6/filter/FORWARD -j ts-forward
 v6/filter/INPUT -j ts-input
 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000
 v6/filter/ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
+v6/filter/ts-forward -o tailscale0 -s fd7a:115c:a1e0::/48 -j DROP
 v6/filter/ts-forward -o tailscale0 -j ACCEPT
 v6/nat/POSTROUTING -j ts-postrouting
 `,
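Review bot: The new DROP rule is only safe because it is appended after the `-m mark --mark … -j ACCEPT` rule earlier in addNetfilterBase6 (outside this hunk), and the added comment leaves that ordering dependency implicit; make it explicit so a later reorder cannot silently turn this into a drop of marked traffic, e.g. `// Must stay after the fwmark ACCEPT rule above: anything reaching this rule is unmarked, i.e. not from us, so dropping it is safe.` The commit message says this replicates the IPv4 behaviour, but the IPv4 expectations in the test file also drop unmarked CGNAT sources in ts-input and carve out `100.115.92.0/23` with a RETURN, whereas this change touches only ts-forward and leaves the `TODO: only allow traffic from Tailscale's ULA range to come …` at the top of addNetfilterBase6 in place; saying so in the description, and confirming whether any IPv6 source inside the /48 needs a comparable exception ahead of the DROP, would stop readers from assuming full parity. The enclosing function starts before this hunk and continues after it.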
@@ -181,6 +183,7 @@ v6/filter/FORWARD -j ts-forward
 v6/filter/INPUT -j ts-input
 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000
 v6/filter/ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
+v6/filter/ts-forward -o tailscale0 -s fd7a:115c:a1e0::/48 -j DROP
 v6/filter/ts-forward -o tailscale0 -j ACCEPT
 v6/nat/POSTROUTING -j ts-postrouting
 `,
@@ -211,6 +214,7 @@ v6/filter/FORWARD -j ts-forward
 v6/filter/INPUT -j ts-input
 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000
 v6/filter/ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
+v6/filter/ts-forward -o tailscale0 -s fd7a:115c:a1e0::/48 -j DROP
 v6/filter/ts-forward -o tailscale0 -j ACCEPT
 v6/nat/POSTROUTING -j ts-postrouting
 `,
@@ -237,6 +241,7 @@ v4/filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN
 v4/filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP
 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000
 v6/filter/ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
+v6/filter/ts-forward -o tailscale0 -s fd7a:115c:a1e0::/48 -j DROP
 v6/filter/ts-forward -o tailscale0 -j ACCEPT
 `,
 },
@@ -266,6 +271,7 @@ v6/filter/FORWARD -j ts-forward
 v6/filter/INPUT -j ts-input
 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000
 v6/filter/ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
+v6/filter/ts-forward -o tailscale0 -s fd7a:115c:a1e0::/48 -j DROP
 v6/filter/ts-forward -o tailscale0 -j ACCEPT
 v6/nat/POSTROUTING -j ts-postrouting
 `,
@@ -298,6 +304,7 @@ v6/filter/FORWARD -j ts-forward
 v6/filter/INPUT -j ts-input
 v6/filter/ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000
 v6/filter/ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
+v6/filter/ts-forward -o tailscale0 -s fd7a:115c:a1e0::/48 -j DROP
 v6/filter/ts-forward -o tailscale0 -j ACCEPT
 v6/nat/POSTROUTING -j ts-postrouting
 `,