This commit is contained in:
+43
@@ -57,6 +57,49 @@ WORKDIR /src/tailscale
|
|||||||
# disables the filter at runtime for debugging — no rebuild needed.
|
# disables the filter at runtime for debugging — no rebuild needed.
|
||||||
COPY patches/stderr_verbosity_filter.go cmd/tailscaled/
|
COPY patches/stderr_verbosity_filter.go cmd/tailscaled/
|
||||||
|
|
||||||
|
# Patch net/tstun/wrap.go: fix panic("unreachable") in invertGSOChecksum for
|
||||||
|
# ts_omit_netstack builds.
|
||||||
|
#
|
||||||
|
# invertGSOChecksum is a gVisor/GSO helper that inverts a transport-layer
|
||||||
|
# checksum before/after SNAT when gVisor hands us a segment with a partial
|
||||||
|
# checksum (NeedsCsum=true). It is only meaningful when netstack (gVisor) is
|
||||||
|
# compiled in (HasNetstack=true).
|
||||||
|
#
|
||||||
|
# The function correctly guards its body with:
|
||||||
|
# if !buildfeatures.HasNetstack { panic("unreachable") }
|
||||||
|
#
|
||||||
|
# When built with ts_omit_netstack, HasNetstack is a const false, so that guard
|
||||||
|
# evaluates to `if true { panic(...) }` — the function always panics.
|
||||||
|
#
|
||||||
|
# The problem: invertGSOChecksum is called unconditionally from injectedRead()
|
||||||
|
# (twice, around pc.snat()), even for the res.data path where res.packet==nil
|
||||||
|
# and gso is a zero-value netstack_GSO (NeedsCsum=false). The HasNetstack
|
||||||
|
# guard in the res.packet branch does NOT protect these calls.
|
||||||
|
#
|
||||||
|
# As a result, any code path that injects an outbound packet via InjectOutbound()
|
||||||
|
# — which happens when enabling exit-node use (Tailscale sends TSMP messages
|
||||||
|
# and synthesizes packets through the TUN injection path) — hits injectedRead
|
||||||
|
# with res.data!=nil, calls invertGSOChecksum, and crashes with:
|
||||||
|
# panic: unreachable
|
||||||
|
# tailscale.com/net/tstun.invertGSOChecksum(...)
|
||||||
|
# tailscale.com/net/tstun.(*Wrapper).injectedRead(...) wrap.go:1077
|
||||||
|
#
|
||||||
|
# Fix: replace the `panic("unreachable")` with a `return` in invertGSOChecksum.
|
||||||
|
# When HasNetstack=false (ts_omit_netstack), a zero-value netstack_GSO always
|
||||||
|
# has NeedsCsum=false, so the function is correctly a no-op anyway. This matches
|
||||||
|
# what the function would do if the rest of its body ran: NeedsCsum=false → return.
|
||||||
|
#
|
||||||
|
# The sed expression targets the function precisely: it matches the three-line
|
||||||
|
# sequence that opens invertGSOChecksum's HasNetstack guard, and replaces only
|
||||||
|
# the panic line with return. The pattern is stable across minor reformats
|
||||||
|
# because it anchors on the literal function comment and the specific panic string.
|
||||||
|
#
|
||||||
|
# See tailscale/tailscale issue for context (no upstream fix as of v1.98.5):
|
||||||
|
# panic happens when using exit-node via a ts_omit_netstack build.
|
||||||
|
RUN sed -i \
|
||||||
|
-e '/func invertGSOChecksum/,/^}/ s/\t\tpanic("unreachable")/\t\treturn/' \
|
||||||
|
net/tstun/wrap.go
|
||||||
|
|
||||||
# Build a minimal combined binary (tailscale CLI + tailscaled daemon in one file).
|
# Build a minimal combined binary (tailscale CLI + tailscaled daemon in one file).
|
||||||
#
|
#
|
||||||
# Tag strategy — ALLOWLIST, not blocklist:
|
# Tag strategy — ALLOWLIST, not blocklist:
|
||||||
|
|||||||
Reference in New Issue
Block a user