Merge branch 'release/v2.22' into release/v2

Author: thallgren

CHANGELOG.yml

@@ -25,7 +25,7 @@
 # For older changes, see CHANGELOG.OLD.md
 items:
   - version: 2.23.0
-    date: (TBD)
+    date: 2025-03-29
     notes:
       - type: feature
         title: New telepresence wiretap command
@@ -36,6 +36,16 @@ items:
           Similar to an `ingest`, a `wiretap` will always enforce read-only status on all volume mounts, and since that
           makes the `wiretap` completely read-only, there's no limit to how many simultaneous wiretaps that can be
           served. In fact, a `wiretap` and an `intercept` on the same port can run simultaneously.
+  - version: 2.22.2
+    date: 2025-03-28
+    notes:
+      - type: bugfix
+        title: Panic when using telepresence replace in a IPv6-only cluster
+        body: |-
+          A "slice bounds out of range" would occur when the targeted Pod's Traffic Agent requested a local dialer to
+          be created on the client. This was due to a glitch in the VPN-tunnel implementation that got triggered when
+          a remote IPv6-address was combined with a local IPv4-address.
+        docs: https://github.com/telepresenceio/telepresence/issues/3828
   - version: 2.22.1
     date: 2025-03-27
     notes:

docs/release-notes.md

@@ -1,14 +1,23 @@
 
 [comment]: # (Code generated by relnotesgen. DO NOT EDIT.)
 # <img src="images/logo.png" height="64px"/> Telepresence Release Notes
-## Version 2.23.0
+## Version 2.23.0 <span style="font-size: 16px;">(March 29)</span>
 ## <div style="display:flex;"><img src="images/feature.png" alt="feature" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">New telepresence wiretap command</div></div>
 <div style="margin-left: 15px">
 
 The new `telepresence wiretap` command introduces a read-only form of an `intercept` where the original container will run unaffected while a copy of the wiretapped traffic is sent to the client.
 Similar to an `ingest`, a `wiretap` will always enforce read-only status on all volume mounts, and since that makes the `wiretap` completely read-only, there's no limit to how many simultaneous wiretaps that can be served. In fact, a `wiretap` and an `intercept` on the same port can run simultaneously.
 </div>
 
+## Version 2.22.2 <span style="font-size: 16px;">(March 28)</span>
+## <div style="display:flex;"><img src="images/bugfix.png" alt="bugfix" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">[Panic when using telepresence replace in a IPv6-only cluster](https://github.com/telepresenceio/telepresence/issues/3828)</div></div>
+<div style="margin-left: 15px">
+
+A "slice bounds out of range" would occur when the targeted Pod's Traffic Agent requested a local dialer to
+be created on the client. This was due to a glitch in the VPN-tunnel implementation that got triggered when
+a remote IPv6-address was combined with a local IPv4-address.
+</div>
+
 ## Version 2.22.1 <span style="font-size: 16px;">(March 27)</span>
 ## <div style="display:flex;"><img src="images/bugfix.png" alt="bugfix" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">Only restore inactive traffic-agent after a replace.</div></div>
 <div style="margin-left: 15px">

docs/release-notes.mdx

@@ -7,14 +7,23 @@ import { Note, Title, Body } from '@site/src/components/ReleaseNotes'
 [comment]: # (Code generated by relnotesgen. DO NOT EDIT.)
 
 # Telepresence Release Notes
-## Version 2.23.0
+## Version 2.23.0 <span style={{fontSize:'16px'}}>(March 29)</span>
 <Note>
 	<Title type="feature">New telepresence wiretap command</Title>
 	<Body>
 The new `telepresence wiretap` command introduces a read-only form of an `intercept` where the original container will run unaffected while a copy of the wiretapped traffic is sent to the client.
 Similar to an `ingest`, a `wiretap` will always enforce read-only status on all volume mounts, and since that makes the `wiretap` completely read-only, there's no limit to how many simultaneous wiretaps that can be served. In fact, a `wiretap` and an `intercept` on the same port can run simultaneously.
   </Body>
 </Note>
+## Version 2.22.2 <span style={{fontSize:'16px'}}>(March 28)</span>
+<Note>
+	<Title type="bugfix" docs="https://github.com/telepresenceio/telepresence/issues/3828">Panic when using telepresence replace in a IPv6-only cluster</Title>
+	<Body>
+A "slice bounds out of range" would occur when the targeted Pod's Traffic Agent requested a local dialer to
+be created on the client. This was due to a glitch in the VPN-tunnel implementation that got triggered when
+a remote IPv6-address was combined with a local IPv4-address.
+  </Body>
+</Note>
 ## Version 2.22.1 <span style={{fontSize:'16px'}}>(March 27)</span>
 <Note>
 	<Title type="bugfix">Only restore inactive traffic-agent after a replace.</Title>

go.mod

@@ -39,7 +39,7 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/telepresenceio/go-fuseftp v0.6.6
 	github.com/telepresenceio/go-fuseftp/rpc v0.6.6
-	github.com/telepresenceio/telepresence/rpc/v2 v2.22.1
+	github.com/telepresenceio/telepresence/rpc/v2 v2.22.2
 	github.com/vishvananda/netlink v1.3.0
 	golang.org/x/net v0.37.0
 	golang.org/x/sys v0.31.0

pkg/tunnel/connid.go

@@ -21,15 +21,24 @@ func ConnIDFromUDP(src, dst *net.UDPAddr) ConnID {
 func NewConnID(proto int, src, dst netip.AddrPort) ConnID {
 	srcAddr := src.Addr()
 	dstAddr := dst.Addr()
-	if srcAddr.Is4In6() {
+	switch {
+	case srcAddr.Is4():
+		if dstAddr.Is4In6() {
+			dstAddr = dstAddr.Unmap()
+		} else if dstAddr.Is6() {
+			srcAddr = netip.AddrFrom16(srcAddr.As16())
+		}
+	case srcAddr.Is4In6():
 		if dstAddr.Is4() {
 			srcAddr = srcAddr.Unmap()
 		} else if dstAddr.Is4In6() {
 			srcAddr = srcAddr.Unmap()
 			dstAddr = dstAddr.Unmap()
 		}
-	} else if srcAddr.Is4() && dstAddr.Is4In6() {
-		dstAddr = dstAddr.Unmap()
+	default:
+		if dstAddr.Is4() {
+			dstAddr = netip.AddrFrom16(dstAddr.As16())
+		}
 	}
 
 	ls := srcAddr.BitLen() / 8
@@ -63,12 +72,12 @@ func (id ConnID) areBothIPv4() bool {
 
 // IsSourceIPv4 returns true if the source of this ConnID is IPv4.
 func (id ConnID) IsSourceIPv4() bool {
-	return id.areBothIPv4() || net.IP(id[0:16]).To4() != nil
+	return id.areBothIPv4() || len(id) > 16 && net.IP(id[0:16]).To4() != nil
 }
 
 // IsDestinationIPv4 returns true if the destination of this ConnID is IPv4.
 func (id ConnID) IsDestinationIPv4() bool {
-	return id.areBothIPv4() || net.IP(id[18:34]).To4() != nil
+	return id.areBothIPv4() || len(id) == 37 && net.IP(id[18:34]).To4() != nil
 }
 
 // Source returns the source address and port.