2023-01-27 13:37:20 -08:00
|
|
|
// Copyright (c) Tailscale Inc & AUTHORS
|
|
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
2020-02-05 14:16:58 -08:00
|
|
|
|
|
|
|
package ipn
|
|
|
|
|
|
|
|
import (
|
2020-11-22 11:34:26 +11:00
|
|
|
"bytes"
|
2020-02-05 14:16:58 -08:00
|
|
|
"encoding/json"
|
2022-02-25 16:36:05 -07:00
|
|
|
"errors"
|
2020-02-05 14:16:58 -08:00
|
|
|
"fmt"
|
|
|
|
"log"
|
2022-07-24 20:08:42 -07:00
|
|
|
"net/netip"
|
2020-02-05 14:16:58 -08:00
|
|
|
"os"
|
|
|
|
"path/filepath"
|
2021-03-31 21:35:21 -07:00
|
|
|
"reflect"
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
"runtime"
|
2024-03-07 10:56:11 -06:00
|
|
|
"slices"
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
"strings"
|
2020-02-05 14:16:58 -08:00
|
|
|
|
|
|
|
"tailscale.com/atomicfile"
|
2024-04-02 13:32:30 -07:00
|
|
|
"tailscale.com/drive"
|
2022-02-25 16:36:05 -07:00
|
|
|
"tailscale.com/ipn/ipnstate"
|
2022-07-24 20:08:42 -07:00
|
|
|
"tailscale.com/net/netaddr"
|
2022-03-04 08:00:53 -08:00
|
|
|
"tailscale.com/net/tsaddr"
|
2021-01-20 17:24:16 -08:00
|
|
|
"tailscale.com/tailcfg"
|
2023-12-18 16:57:03 -06:00
|
|
|
"tailscale.com/types/opt"
|
2021-02-05 15:23:01 -08:00
|
|
|
"tailscale.com/types/persist"
|
2021-02-04 13:12:42 -08:00
|
|
|
"tailscale.com/types/preftype"
|
2023-08-18 10:57:04 -07:00
|
|
|
"tailscale.com/types/views"
|
2022-02-25 16:36:05 -07:00
|
|
|
"tailscale.com/util/dnsname"
|
2024-01-05 18:30:15 -05:00
|
|
|
"tailscale.com/util/syspolicy"
|
2020-02-05 14:16:58 -08:00
|
|
|
)
|
|
|
|
|
2021-07-11 21:46:50 -07:00
|
|
|
// DefaultControlURL is the URL base of the control plane
|
2021-04-18 07:48:53 -07:00
|
|
|
// ("coordination server") for use when no explicit one is configured.
|
|
|
|
// The default control plane is the hosted version run by Tailscale.com.
|
2021-06-25 07:05:46 -07:00
|
|
|
const DefaultControlURL = "https://controlplane.tailscale.com"
|
2021-04-18 07:48:53 -07:00
|
|
|
|
2022-02-25 16:36:05 -07:00
|
|
|
var (
|
|
|
|
// ErrExitNodeIDAlreadySet is returned from (*Prefs).SetExitNodeIP when the
|
|
|
|
// Prefs.ExitNodeID field is already set.
|
|
|
|
ErrExitNodeIDAlreadySet = errors.New("cannot set ExitNodeIP when ExitNodeID is already set")
|
|
|
|
)
|
|
|
|
|
2021-07-11 21:46:50 -07:00
|
|
|
// IsLoginServerSynonym reports whether a URL is a drop-in replacement
|
|
|
|
// for the primary Tailscale login server.
|
2022-03-16 16:27:57 -07:00
|
|
|
func IsLoginServerSynonym(val any) bool {
|
2021-07-11 21:46:50 -07:00
|
|
|
return val == "https://login.tailscale.com" || val == "https://controlplane.tailscale.com"
|
|
|
|
}
|
|
|
|
|
2020-02-17 15:45:30 -08:00
|
|
|
// Prefs are the user modifiable settings of the Tailscale node agent.
|
2023-12-04 12:08:56 -05:00
|
|
|
// When you add a Pref to this struct, remember to add a corresponding
|
|
|
|
// field in MaskedPrefs, and check your field for equality in Prefs.Equals().
|
2020-02-05 14:16:58 -08:00
|
|
|
type Prefs struct {
|
2020-02-18 21:03:22 -08:00
|
|
|
// ControlURL is the URL of the control server to use.
|
ipn{,/ipnlocal}, cmd/tailscale/cli: don't check pref reverts on initial up
The ipn.NewPrefs func returns a populated ipn.Prefs for historical
reasons. It's not used or as important as it once was, but it hasn't
yet been removed. Meanwhile, it contains some default values that are
used on some platforms. Notably, for this bug (#1725), Windows/Mac use
its Prefs.RouteAll true value (to accept subnets), but Linux users
have always gotten a "false" value for that, because that's what
cmd/tailscale's CLI default flag is _for all operating systems_. That
meant that "tailscale up" was rightfully reporting that the user was
changing an implicit setting: RouteAll was changing from true with
false with the user explicitly saying so.
An obvious fix might be to change ipn.NewPrefs to return
Prefs.RouteAll == false on some platforms, but the logic is
complicated by darwin: we want RouteAll true on windows, android, ios,
and the GUI mac app, but not the CLI tailscaled-on-macOS mode. But
even if we used build tags (e.g. the "redo" build tag) to determine
what the default is, that then means we have duplicated and differing
"defaults" between both the CLI up flags and ipn.NewPrefs. Furthering
that complication didn't seem like a good idea.
So, changing the NewPrefs defaults is too invasive at this stage of
the release, as is removing the NewPrefs func entirely.
Instead, tweak slightly the semantics of the ipn.Prefs.ControlURL
field. This now defines that a ControlURL of the empty string means
both "we're uninitialized" and also "just use the default".
Then, once we have the "empty-string-means-unintialized" semantics,
use that to suppress "tailscale up"'s recent implicit-setting-revert
checking safety net, if we've never initialized Tailscale yet.
And update/add tests.
Fixes #1725
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-04-17 22:50:58 -07:00
|
|
|
//
|
|
|
|
// If empty, the default for new installs, DefaultControlURL
|
|
|
|
// is used. It's set non-empty once the daemon has been started
|
|
|
|
// for the first time.
|
ipnlocal: accept a new opts.UpdatePrefs field.
This is needed because the original opts.Prefs field was at some point
subverted for use in frontend->backend state migration for backward
compatibility on some platforms. We still need that feature, but we
also need the feature of providing the full set of prefs from
`tailscale up`, *not* including overwriting the prefs.Persist keys, so
we can't use the original field from `tailscale up`.
`tailscale up` had attempted to compensate for that by doing SetPrefs()
before Start(), but that violates the ipn.Backend contract, which says
you should call Start() before anything else (that's why it's called
Start()). As a result, doing SetPrefs({ControlURL=...,
WantRunning=true}) would cause a connection to the *previous* control
server (because WantRunning=true), and then connect to the *new*
control server only after running Start().
This problem may have been avoided before, but only by pure luck.
It turned out to be relatively harmless since the connection to the old
control server was immediately closed and replaced anyway, but it
created a race condition that could have caused spurious notifications
or rejected keys if the server responded quickly.
As already covered by existing TODOs, a better fix would be to have
Start() get out of the business of state migration altogether. But
we're approaching a release so I want to make the minimum possible fix.
Fixes #1840.
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2021-05-04 04:26:07 -04:00
|
|
|
//
|
2024-04-14 19:47:32 -07:00
|
|
|
// TODO(apenwarr): Make it safe to update this with EditPrefs().
|
ipnlocal: accept a new opts.UpdatePrefs field.
This is needed because the original opts.Prefs field was at some point
subverted for use in frontend->backend state migration for backward
compatibility on some platforms. We still need that feature, but we
also need the feature of providing the full set of prefs from
`tailscale up`, *not* including overwriting the prefs.Persist keys, so
we can't use the original field from `tailscale up`.
`tailscale up` had attempted to compensate for that by doing SetPrefs()
before Start(), but that violates the ipn.Backend contract, which says
you should call Start() before anything else (that's why it's called
Start()). As a result, doing SetPrefs({ControlURL=...,
WantRunning=true}) would cause a connection to the *previous* control
server (because WantRunning=true), and then connect to the *new*
control server only after running Start().
This problem may have been avoided before, but only by pure luck.
It turned out to be relatively harmless since the connection to the old
control server was immediately closed and replaced anyway, but it
created a race condition that could have caused spurious notifications
or rejected keys if the server responded quickly.
As already covered by existing TODOs, a better fix would be to have
Start() get out of the business of state migration altogether. But
we're approaching a release so I want to make the minimum possible fix.
Fixes #1840.
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2021-05-04 04:26:07 -04:00
|
|
|
// Right now, you have to pass it in the initial prefs in Start(),
|
|
|
|
// which is the only code that actually uses the ControlURL value.
|
|
|
|
// It would be more consistent to restart controlclient
|
|
|
|
// automatically whenever this variable changes.
|
|
|
|
//
|
2022-12-02 11:32:26 -08:00
|
|
|
// Meanwhile, you have to provide this as part of
|
|
|
|
// Options.LegacyMigrationPrefs or Options.UpdatePrefs when
|
|
|
|
// calling Backend.Start().
|
2020-02-18 21:03:22 -08:00
|
|
|
ControlURL string
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
|
2021-01-20 17:24:16 -08:00
|
|
|
// RouteAll specifies whether to accept subnets advertised by
|
|
|
|
// other nodes on the Tailscale network. Note that this does not
|
|
|
|
// include default routes (0.0.0.0/0 and ::/0), those are
|
|
|
|
// controlled by ExitNodeID/IP below.
|
2020-02-17 15:45:30 -08:00
|
|
|
RouteAll bool
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
|
2021-01-20 17:24:16 -08:00
|
|
|
// ExitNodeID and ExitNodeIP specify the node that should be used
|
|
|
|
// as an exit node for internet traffic. At most one of these
|
|
|
|
// should be non-zero.
|
|
|
|
//
|
|
|
|
// The preferred way to express the chosen node is ExitNodeID, but
|
|
|
|
// in some cases it's not possible to use that ID (e.g. in the
|
|
|
|
// linux CLI, before tailscaled has a netmap). For those
|
|
|
|
// situations, we allow specifying the exit node by IP, and
|
|
|
|
// ipnlocal.LocalBackend will translate the IP into an ID when the
|
|
|
|
// node is found in the netmap.
|
|
|
|
//
|
|
|
|
// If the selected exit node doesn't exist (e.g. it's not part of
|
|
|
|
// the current tailnet), or it doesn't offer exit node services, a
|
|
|
|
// blackhole route will be installed on the local system to
|
|
|
|
// prevent any traffic escaping to the local network.
|
|
|
|
ExitNodeID tailcfg.StableNodeID
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-25 21:14:09 -07:00
|
|
|
ExitNodeIP netip.Addr
|
2021-01-20 17:24:16 -08:00
|
|
|
|
2024-04-03 10:51:51 -07:00
|
|
|
// InternalExitNodePrior is the most recently used ExitNodeID in string form. It is set by
|
|
|
|
// the backend on transition from exit node on to off and used by the
|
2024-04-16 14:53:56 -04:00
|
|
|
// backend.
|
2024-04-03 10:51:51 -07:00
|
|
|
//
|
2024-04-16 14:53:56 -04:00
|
|
|
// As an Internal field, it can't be set by LocalAPI clients, rather it is set indirectly
|
|
|
|
// when the ExitNodeID value is zero'd and via the set-use-exit-node-enabled endpoint.
|
|
|
|
InternalExitNodePrior tailcfg.StableNodeID
|
2024-04-03 10:51:51 -07:00
|
|
|
|
2021-04-08 15:56:51 -07:00
|
|
|
// ExitNodeAllowLANAccess indicates whether locally accessible subnets should be
|
|
|
|
// routed directly or via the exit node.
|
|
|
|
ExitNodeAllowLANAccess bool
|
|
|
|
|
2020-02-17 15:45:30 -08:00
|
|
|
// CorpDNS specifies whether to install the Tailscale network's
|
|
|
|
// DNS configuration, if it exists.
|
|
|
|
CorpDNS bool
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
|
2021-08-26 14:50:55 -07:00
|
|
|
// RunSSH bool is whether this node should run an SSH
|
|
|
|
// server, permitting access to peers according to the
|
|
|
|
// policies as configured by the Tailnet's admin(s).
|
|
|
|
RunSSH bool
|
|
|
|
|
2024-03-18 15:47:21 -06:00
|
|
|
// RunWebClient bool is whether this node should expose
|
|
|
|
// its web client over Tailscale at port 5252,
|
2023-10-26 11:35:41 -07:00
|
|
|
// permitting access to peers according to the
|
|
|
|
// policies as configured by the Tailnet's admin(s).
|
|
|
|
RunWebClient bool
|
|
|
|
|
2020-02-17 15:45:30 -08:00
|
|
|
// WantRunning indicates whether networking should be active on
|
|
|
|
// this node.
|
|
|
|
WantRunning bool
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
|
2021-04-30 03:56:11 -04:00
|
|
|
// LoggedOut indicates whether the user intends to be logged out.
|
|
|
|
// There are other reasons we may be logged out, including no valid
|
|
|
|
// keys.
|
|
|
|
// We need to remember this state so that, on next startup, we can
|
|
|
|
// generate the "Login" vs "Connect" buttons correctly, without having
|
|
|
|
// to contact the server to confirm our nodekey status first.
|
|
|
|
LoggedOut bool
|
|
|
|
|
2020-04-29 02:37:35 -04:00
|
|
|
// ShieldsUp indicates whether to block all incoming connections,
|
|
|
|
// regardless of the control-provided packet filter. If false, we
|
|
|
|
// use the packet filter as provided. If true, we block incoming
|
2020-11-24 10:51:13 -05:00
|
|
|
// connections. This overrides tailcfg.Hostinfo's ShieldsUp.
|
2020-04-29 02:37:35 -04:00
|
|
|
ShieldsUp bool
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
|
2020-05-01 01:01:27 -04:00
|
|
|
// AdvertiseTags specifies groups that this node wants to join, for
|
|
|
|
// purposes of ACL enforcement. These can be referenced from the ACL
|
|
|
|
// security policy. Note that advertising a tag doesn't guarantee that
|
|
|
|
// the control server will allow you to take on the rights for that
|
|
|
|
// tag.
|
|
|
|
AdvertiseTags []string
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
|
2020-06-02 18:12:05 +02:00
|
|
|
// Hostname is the hostname to use for identifying the node. If
|
|
|
|
// not set, os.Hostname is used.
|
|
|
|
Hostname string
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
|
2020-02-17 15:45:30 -08:00
|
|
|
// NotepadURLs is a debugging setting that opens OAuth URLs in
|
|
|
|
// notepad.exe on Windows, rather than loading them in a browser.
|
|
|
|
//
|
2020-04-29 02:37:35 -04:00
|
|
|
// apenwarr 2020-04-29: Unfortunately this is still needed sometimes.
|
|
|
|
// Windows' default browser setting is sometimes screwy and this helps
|
2020-05-01 01:01:27 -04:00
|
|
|
// users narrow it down a bit.
|
2020-02-17 15:45:30 -08:00
|
|
|
NotepadURLs bool
|
2020-02-05 14:16:58 -08:00
|
|
|
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
// ForceDaemon specifies whether a platform that normally
|
|
|
|
// operates in "client mode" (that is, requires an active user
|
|
|
|
// logged in with the GUI app running) should keep running after the
|
|
|
|
// GUI ends and/or the user logs out.
|
|
|
|
//
|
|
|
|
// The only current applicable platform is Windows. This
|
|
|
|
// forced Windows to go into "server mode" where Tailscale is
|
|
|
|
// running even with no users logged in. This might also be
|
|
|
|
// used for macOS in the future. This setting has no effect
|
|
|
|
// for Linux/etc, which always operate in daemon mode.
|
|
|
|
ForceDaemon bool `json:"ForceDaemon,omitempty"`
|
|
|
|
|
2022-09-01 09:27:06 -07:00
|
|
|
// Egg is a optional debug flag.
|
2022-11-29 21:09:38 -08:00
|
|
|
Egg bool `json:",omitempty"`
|
2022-09-01 09:27:06 -07:00
|
|
|
|
2020-05-13 22:35:22 +00:00
|
|
|
// The following block of options only have an effect on Linux.
|
|
|
|
|
|
|
|
// AdvertiseRoutes specifies CIDR prefixes to advertise into the
|
|
|
|
// Tailscale network as reachable through the current
|
|
|
|
// node.
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-25 21:14:09 -07:00
|
|
|
AdvertiseRoutes []netip.Prefix
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
|
2024-10-16 19:08:06 -04:00
|
|
|
// AdvertiseServices specifies the list of services that this
|
|
|
|
// node can serve as a destination for. Note that an advertised
|
|
|
|
// service must still go through the approval process from the
|
|
|
|
// control server.
|
|
|
|
AdvertiseServices []string
|
|
|
|
|
2020-05-13 22:35:22 +00:00
|
|
|
// NoSNAT specifies whether to source NAT traffic going to
|
|
|
|
// destinations in AdvertiseRoutes. The default is to apply source
|
|
|
|
// NAT, which makes the traffic appear to come from the router
|
|
|
|
// machine rather than the peer's Tailscale IP.
|
|
|
|
//
|
|
|
|
// Disabling SNAT requires additional manual configuration in your
|
|
|
|
// network to route Tailscale traffic back to the subnet relay
|
|
|
|
// machine.
|
|
|
|
//
|
|
|
|
// Linux-only.
|
|
|
|
NoSNAT bool
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
|
2024-05-20 11:44:29 -07:00
|
|
|
// NoStatefulFiltering specifies whether to apply stateful filtering when
|
|
|
|
// advertising routes in AdvertiseRoutes. The default is to not apply
|
2024-05-06 15:22:17 -07:00
|
|
|
// stateful filtering.
|
|
|
|
//
|
|
|
|
// To allow inbound connections from advertised routes, both NoSNAT and
|
|
|
|
// NoStatefulFiltering must be true.
|
|
|
|
//
|
2024-05-20 11:44:29 -07:00
|
|
|
// This is an opt.Bool because it was first added after NoSNAT, with a
|
|
|
|
// backfill based on the value of that parameter. The backfill has been
|
|
|
|
// removed since then, but the field remains an opt.Bool.
|
2024-05-06 15:22:17 -07:00
|
|
|
//
|
|
|
|
// Linux-only.
|
|
|
|
NoStatefulFiltering opt.Bool `json:",omitempty"`
|
|
|
|
|
2020-05-15 02:07:06 +00:00
|
|
|
// NetfilterMode specifies how much to manage netfilter rules for
|
|
|
|
// Tailscale, if at all.
|
2021-02-04 13:12:42 -08:00
|
|
|
NetfilterMode preftype.NetfilterMode
|
2020-05-13 22:35:22 +00:00
|
|
|
|
2021-04-16 21:01:29 -07:00
|
|
|
// OperatorUser is the local machine user name who is allowed to
|
|
|
|
// operate tailscaled without being root or using sudo.
|
|
|
|
OperatorUser string `json:",omitempty"`
|
|
|
|
|
2022-11-18 14:36:45 +05:00
|
|
|
// ProfileName is the desired name of the profile. If empty, then the user's
|
2022-11-18 14:42:32 +05:00
|
|
|
// LoginName is used. It is only used for display purposes in the client UI
|
|
|
|
// and CLI.
|
|
|
|
ProfileName string `json:",omitempty"`
|
|
|
|
|
2023-09-01 14:45:12 -06:00
|
|
|
// AutoUpdate sets the auto-update preferences for the node agent. See
|
|
|
|
// AutoUpdatePrefs docs for more details.
|
|
|
|
AutoUpdate AutoUpdatePrefs
|
|
|
|
|
2023-10-26 15:55:32 -07:00
|
|
|
// AppConnector sets the app connector preferences for the node agent. See
|
|
|
|
// AppConnectorPrefs docs for more details.
|
|
|
|
AppConnector AppConnectorPrefs
|
|
|
|
|
2023-10-03 11:46:24 +02:00
|
|
|
// PostureChecking enables the collection of information used for device
|
|
|
|
// posture checks.
|
|
|
|
PostureChecking bool
|
|
|
|
|
2023-12-04 12:08:56 -05:00
|
|
|
// NetfilterKind specifies what netfilter implementation to use.
|
|
|
|
//
|
|
|
|
// Linux-only.
|
|
|
|
NetfilterKind string
|
|
|
|
|
2024-04-03 10:09:58 -07:00
|
|
|
// DriveShares are the configured DriveShares, stored in increasing order
|
2024-03-07 10:56:11 -06:00
|
|
|
// by name.
|
2024-04-03 10:09:58 -07:00
|
|
|
DriveShares []*drive.Share
|
2024-03-07 10:56:11 -06:00
|
|
|
|
2024-05-17 13:47:57 -07:00
|
|
|
// AllowSingleHosts was a legacy field that was always true
|
|
|
|
// for the past 4.5 years. It controlled whether Tailscale
|
|
|
|
// peers got /32 or /127 routes for each other.
|
|
|
|
// As of 2024-05-17 we're starting to ignore it, but to let
|
|
|
|
// people still downgrade Tailscale versions and not break
|
|
|
|
// all peer-to-peer networking we still write it to disk (as JSON)
|
|
|
|
// so it can be loaded back by old versions.
|
|
|
|
// TODO(bradfitz): delete this in 2025 sometime. See #12058.
|
|
|
|
AllowSingleHosts marshalAsTrueInJSON
|
|
|
|
|
2020-02-05 14:16:58 -08:00
|
|
|
// The Persist field is named 'Config' in the file for backward
|
|
|
|
// compatibility with earlier versions.
|
|
|
|
// TODO(apenwarr): We should move this out of here, it's not a pref.
|
|
|
|
// We can maybe do that once we're sure which module should persist
|
|
|
|
// it (backend or frontend?)
|
2021-02-05 15:23:01 -08:00
|
|
|
Persist *persist.Persist `json:"Config"`
|
2020-02-05 14:16:58 -08:00
|
|
|
}
|
|
|
|
|
2023-09-01 14:45:12 -06:00
|
|
|
// AutoUpdatePrefs are the auto update settings for the node agent.
|
|
|
|
type AutoUpdatePrefs struct {
|
|
|
|
// Check specifies whether background checks for updates are enabled. When
|
|
|
|
// enabled, tailscaled will periodically check for available updates and
|
|
|
|
// notify the user about them.
|
|
|
|
Check bool
|
|
|
|
// Apply specifies whether background auto-updates are enabled. When
|
|
|
|
// enabled, tailscaled will apply available updates in the background.
|
|
|
|
// Check must also be set when Apply is set.
|
2023-12-18 16:57:03 -06:00
|
|
|
Apply opt.Bool
|
|
|
|
}
|
|
|
|
|
|
|
|
func (au1 AutoUpdatePrefs) Equals(au2 AutoUpdatePrefs) bool {
|
|
|
|
// This could almost be as easy as `au1.Apply == au2.Apply`, except that
|
|
|
|
// opt.Bool("") and opt.Bool("unset") should be treated as equal.
|
|
|
|
apply1, ok1 := au1.Apply.Get()
|
|
|
|
apply2, ok2 := au2.Apply.Get()
|
|
|
|
return au1.Check == au2.Check &&
|
|
|
|
apply1 == apply2 &&
|
|
|
|
ok1 == ok2
|
2023-09-01 14:45:12 -06:00
|
|
|
}
|
|
|
|
|
2024-05-17 13:47:57 -07:00
|
|
|
type marshalAsTrueInJSON struct{}
|
|
|
|
|
|
|
|
var trueJSON = []byte("true")
|
|
|
|
|
|
|
|
func (marshalAsTrueInJSON) MarshalJSON() ([]byte, error) { return trueJSON, nil }
|
|
|
|
func (*marshalAsTrueInJSON) UnmarshalJSON([]byte) error { return nil }
|
|
|
|
|
2023-10-26 15:55:32 -07:00
|
|
|
// AppConnectorPrefs are the app connector settings for the node agent.
|
|
|
|
type AppConnectorPrefs struct {
|
|
|
|
// Advertise specifies whether the app connector subsystem is advertising
|
|
|
|
// this node as a connector.
|
|
|
|
Advertise bool
|
|
|
|
}
|
|
|
|
|
2021-03-31 21:35:21 -07:00
|
|
|
// MaskedPrefs is a Prefs with an associated bitmask of which fields are set.
|
2023-12-08 12:19:25 -06:00
|
|
|
//
|
|
|
|
// Each FooSet field maps to a corresponding Foo field in Prefs. FooSet can be
|
|
|
|
// a struct, in which case inner fields of FooSet map to inner fields of Foo in
|
|
|
|
// Prefs (see AutoUpdateSet for example).
|
2021-03-31 21:35:21 -07:00
|
|
|
type MaskedPrefs struct {
|
|
|
|
Prefs
|
|
|
|
|
2023-12-08 12:19:25 -06:00
|
|
|
ControlURLSet bool `json:",omitempty"`
|
|
|
|
RouteAllSet bool `json:",omitempty"`
|
|
|
|
ExitNodeIDSet bool `json:",omitempty"`
|
|
|
|
ExitNodeIPSet bool `json:",omitempty"`
|
2024-04-03 10:51:51 -07:00
|
|
|
InternalExitNodePriorSet bool `json:",omitempty"` // Internal; can't be set by LocalAPI clients
|
2023-12-08 12:19:25 -06:00
|
|
|
ExitNodeAllowLANAccessSet bool `json:",omitempty"`
|
|
|
|
CorpDNSSet bool `json:",omitempty"`
|
|
|
|
RunSSHSet bool `json:",omitempty"`
|
|
|
|
RunWebClientSet bool `json:",omitempty"`
|
|
|
|
WantRunningSet bool `json:",omitempty"`
|
|
|
|
LoggedOutSet bool `json:",omitempty"`
|
|
|
|
ShieldsUpSet bool `json:",omitempty"`
|
|
|
|
AdvertiseTagsSet bool `json:",omitempty"`
|
|
|
|
HostnameSet bool `json:",omitempty"`
|
|
|
|
NotepadURLsSet bool `json:",omitempty"`
|
|
|
|
ForceDaemonSet bool `json:",omitempty"`
|
|
|
|
EggSet bool `json:",omitempty"`
|
|
|
|
AdvertiseRoutesSet bool `json:",omitempty"`
|
2024-10-16 19:08:06 -04:00
|
|
|
AdvertiseServicesSet bool `json:",omitempty"`
|
2023-12-08 12:19:25 -06:00
|
|
|
NoSNATSet bool `json:",omitempty"`
|
2024-05-06 15:22:17 -07:00
|
|
|
NoStatefulFilteringSet bool `json:",omitempty"`
|
2023-12-08 12:19:25 -06:00
|
|
|
NetfilterModeSet bool `json:",omitempty"`
|
|
|
|
OperatorUserSet bool `json:",omitempty"`
|
|
|
|
ProfileNameSet bool `json:",omitempty"`
|
|
|
|
AutoUpdateSet AutoUpdatePrefsMask `json:",omitempty"`
|
|
|
|
AppConnectorSet bool `json:",omitempty"`
|
|
|
|
PostureCheckingSet bool `json:",omitempty"`
|
|
|
|
NetfilterKindSet bool `json:",omitempty"`
|
2024-04-03 10:09:58 -07:00
|
|
|
DriveSharesSet bool `json:",omitempty"`
|
2023-12-08 12:19:25 -06:00
|
|
|
}
|
|
|
|
|
2024-04-03 10:51:51 -07:00
|
|
|
// SetsInternal reports whether mp has any of the Internal*Set field bools set
|
|
|
|
// to true.
|
|
|
|
func (mp *MaskedPrefs) SetsInternal() bool {
|
|
|
|
return mp.InternalExitNodePriorSet
|
|
|
|
}
|
|
|
|
|
2023-12-08 12:19:25 -06:00
|
|
|
type AutoUpdatePrefsMask struct {
|
|
|
|
CheckSet bool `json:",omitempty"`
|
|
|
|
ApplySet bool `json:",omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
func (m AutoUpdatePrefsMask) Pretty(au AutoUpdatePrefs) string {
|
|
|
|
var fields []string
|
|
|
|
if m.CheckSet {
|
|
|
|
fields = append(fields, fmt.Sprintf("Check=%v", au.Check))
|
|
|
|
}
|
|
|
|
if m.ApplySet {
|
|
|
|
fields = append(fields, fmt.Sprintf("Apply=%v", au.Apply))
|
|
|
|
}
|
|
|
|
return strings.Join(fields, " ")
|
2021-03-31 21:35:21 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
// ApplyEdits mutates p, assigning fields from m.Prefs for each MaskedPrefs
|
|
|
|
// Set field that's true.
|
|
|
|
func (p *Prefs) ApplyEdits(m *MaskedPrefs) {
|
|
|
|
if p == nil {
|
|
|
|
panic("can't edit nil Prefs")
|
|
|
|
}
|
|
|
|
pv := reflect.ValueOf(p).Elem()
|
|
|
|
mv := reflect.ValueOf(m).Elem()
|
|
|
|
mpv := reflect.ValueOf(&m.Prefs).Elem()
|
2023-12-08 12:19:25 -06:00
|
|
|
applyPrefsEdits(mpv, pv, maskFields(mv))
|
|
|
|
}
|
|
|
|
|
|
|
|
func applyPrefsEdits(src, dst reflect.Value, mask map[string]reflect.Value) {
|
|
|
|
for n, m := range mask {
|
|
|
|
switch m.Kind() {
|
|
|
|
case reflect.Bool:
|
|
|
|
if m.Bool() {
|
|
|
|
dst.FieldByName(n).Set(src.FieldByName(n))
|
|
|
|
}
|
|
|
|
case reflect.Struct:
|
|
|
|
applyPrefsEdits(src.FieldByName(n), dst.FieldByName(n), maskFields(m))
|
|
|
|
default:
|
|
|
|
panic(fmt.Sprintf("unsupported mask field kind %v", m.Kind()))
|
2021-03-31 21:35:21 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-12-08 12:19:25 -06:00
|
|
|
func maskFields(v reflect.Value) map[string]reflect.Value {
|
|
|
|
mask := make(map[string]reflect.Value)
|
2024-04-16 13:15:13 -07:00
|
|
|
for i := range v.NumField() {
|
2023-12-08 12:19:25 -06:00
|
|
|
f := v.Type().Field(i).Name
|
|
|
|
if !strings.HasSuffix(f, "Set") {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
mask[strings.TrimSuffix(f, "Set")] = v.Field(i)
|
|
|
|
}
|
|
|
|
return mask
|
|
|
|
}
|
|
|
|
|
2022-10-25 18:02:58 -07:00
|
|
|
// IsEmpty reports whether there are no masks set or if m is nil.
|
|
|
|
func (m *MaskedPrefs) IsEmpty() bool {
|
|
|
|
if m == nil {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
mv := reflect.ValueOf(m).Elem()
|
|
|
|
fields := mv.NumField()
|
|
|
|
for i := 1; i < fields; i++ {
|
2023-12-08 12:19:25 -06:00
|
|
|
if !mv.Field(i).IsZero() {
|
2022-10-25 18:02:58 -07:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2021-03-31 21:35:21 -07:00
|
|
|
func (m *MaskedPrefs) Pretty() string {
|
|
|
|
if m == nil {
|
|
|
|
return "MaskedPrefs{<nil>}"
|
|
|
|
}
|
|
|
|
var sb strings.Builder
|
|
|
|
sb.WriteString("MaskedPrefs{")
|
|
|
|
mv := reflect.ValueOf(m).Elem()
|
|
|
|
mt := mv.Type()
|
|
|
|
mpv := reflect.ValueOf(&m.Prefs).Elem()
|
|
|
|
first := true
|
2021-10-13 14:48:47 -07:00
|
|
|
|
|
|
|
format := func(v reflect.Value) string {
|
|
|
|
switch v.Type().Kind() {
|
|
|
|
case reflect.String:
|
|
|
|
return "%s=%q"
|
|
|
|
case reflect.Slice:
|
|
|
|
// []string
|
|
|
|
if v.Type().Elem().Kind() == reflect.String {
|
|
|
|
return "%s=%q"
|
|
|
|
}
|
2023-09-01 14:45:12 -06:00
|
|
|
case reflect.Struct:
|
|
|
|
return "%s=%+v"
|
|
|
|
case reflect.Pointer:
|
|
|
|
if v.Type().Elem().Kind() == reflect.Struct {
|
|
|
|
return "%s=%+v"
|
|
|
|
}
|
2021-10-13 14:48:47 -07:00
|
|
|
}
|
|
|
|
return "%s=%v"
|
|
|
|
}
|
|
|
|
|
2021-03-31 21:35:21 -07:00
|
|
|
for i := 1; i < mt.NumField(); i++ {
|
|
|
|
name := mt.Field(i).Name
|
2023-12-08 12:19:25 -06:00
|
|
|
mf := mv.Field(i)
|
|
|
|
switch mf.Kind() {
|
|
|
|
case reflect.Bool:
|
|
|
|
if mf.Bool() {
|
|
|
|
if !first {
|
|
|
|
sb.WriteString(" ")
|
|
|
|
}
|
|
|
|
first = false
|
|
|
|
f := mpv.Field(i - 1)
|
|
|
|
fmt.Fprintf(&sb, format(f),
|
|
|
|
strings.TrimSuffix(name, "Set"),
|
|
|
|
f.Interface())
|
|
|
|
}
|
|
|
|
case reflect.Struct:
|
|
|
|
if mf.IsZero() {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
mpf := mpv.Field(i - 1)
|
2023-12-20 09:12:26 -06:00
|
|
|
// This would be much simpler with reflect.MethodByName("Pretty"),
|
|
|
|
// but using MethodByName disables some linker optimizations and
|
|
|
|
// makes our binaries much larger. See
|
|
|
|
// https://github.com/tailscale/tailscale/issues/10627#issuecomment-1861211945
|
|
|
|
//
|
|
|
|
// Instead, have this explicit switch by field name to do type
|
|
|
|
// assertions.
|
|
|
|
switch name {
|
|
|
|
case "AutoUpdateSet":
|
|
|
|
p := mf.Interface().(AutoUpdatePrefsMask).Pretty(mpf.Interface().(AutoUpdatePrefs))
|
|
|
|
fmt.Fprintf(&sb, "%s={%s}", strings.TrimSuffix(name, "Set"), p)
|
|
|
|
default:
|
|
|
|
panic(fmt.Sprintf("unexpected MaskedPrefs field %q", name))
|
2021-03-31 21:35:21 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
sb.WriteString("}")
|
|
|
|
return sb.String()
|
|
|
|
}
|
|
|
|
|
2020-02-03 10:35:52 -08:00
|
|
|
// IsEmpty reports whether p is nil or pointing to a Prefs zero value.
|
2020-02-17 15:01:23 -08:00
|
|
|
func (p *Prefs) IsEmpty() bool { return p == nil || p.Equals(&Prefs{}) }
|
2020-02-03 10:35:52 -08:00
|
|
|
|
2022-10-21 23:05:43 +00:00
|
|
|
func (p PrefsView) Pretty() string { return p.ж.Pretty() }
|
|
|
|
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
func (p *Prefs) Pretty() string { return p.pretty(runtime.GOOS) }
|
|
|
|
func (p *Prefs) pretty(goos string) string {
|
|
|
|
var sb strings.Builder
|
|
|
|
sb.WriteString("Prefs{")
|
|
|
|
fmt.Fprintf(&sb, "ra=%v ", p.RouteAll)
|
|
|
|
fmt.Fprintf(&sb, "dns=%v want=%v ", p.CorpDNS, p.WantRunning)
|
2021-08-26 14:50:55 -07:00
|
|
|
if p.RunSSH {
|
|
|
|
sb.WriteString("ssh=true ")
|
|
|
|
}
|
2023-10-26 11:35:41 -07:00
|
|
|
if p.RunWebClient {
|
|
|
|
sb.WriteString("webclient=true ")
|
|
|
|
}
|
2021-04-30 03:56:11 -04:00
|
|
|
if p.LoggedOut {
|
|
|
|
sb.WriteString("loggedout=true ")
|
|
|
|
}
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
if p.ForceDaemon {
|
|
|
|
sb.WriteString("server=true ")
|
|
|
|
}
|
|
|
|
if p.NotepadURLs {
|
|
|
|
sb.WriteString("notepad=true ")
|
|
|
|
}
|
|
|
|
if p.ShieldsUp {
|
|
|
|
sb.WriteString("shields=true ")
|
|
|
|
}
|
2022-07-24 20:08:42 -07:00
|
|
|
if p.ExitNodeIP.IsValid() {
|
2021-04-08 15:56:51 -07:00
|
|
|
fmt.Fprintf(&sb, "exit=%v lan=%t ", p.ExitNodeIP, p.ExitNodeAllowLANAccess)
|
2021-02-24 20:06:15 -08:00
|
|
|
} else if !p.ExitNodeID.IsZero() {
|
2021-04-08 15:56:51 -07:00
|
|
|
fmt.Fprintf(&sb, "exit=%v lan=%t ", p.ExitNodeID, p.ExitNodeAllowLANAccess)
|
2021-02-24 20:06:15 -08:00
|
|
|
}
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
if len(p.AdvertiseRoutes) > 0 || goos == "linux" {
|
|
|
|
fmt.Fprintf(&sb, "routes=%v ", p.AdvertiseRoutes)
|
|
|
|
}
|
|
|
|
if len(p.AdvertiseRoutes) > 0 || p.NoSNAT {
|
|
|
|
fmt.Fprintf(&sb, "snat=%v ", !p.NoSNAT)
|
|
|
|
}
|
2024-05-06 15:22:17 -07:00
|
|
|
if len(p.AdvertiseRoutes) > 0 || p.NoStatefulFiltering.EqualBool(true) {
|
|
|
|
// Only print if we're advertising any routes, or the user has
|
|
|
|
// turned off stateful filtering (NoStatefulFiltering=true ⇒
|
|
|
|
// StatefulFiltering=false).
|
|
|
|
bb, _ := p.NoStatefulFiltering.Get()
|
|
|
|
fmt.Fprintf(&sb, "statefulFiltering=%v ", !bb)
|
|
|
|
}
|
2020-11-04 10:24:33 -08:00
|
|
|
if len(p.AdvertiseTags) > 0 {
|
|
|
|
fmt.Fprintf(&sb, "tags=%s ", strings.Join(p.AdvertiseTags, ","))
|
|
|
|
}
|
2024-10-16 19:08:06 -04:00
|
|
|
if len(p.AdvertiseServices) > 0 {
|
|
|
|
fmt.Fprintf(&sb, "services=%s ", strings.Join(p.AdvertiseServices, ","))
|
|
|
|
}
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
if goos == "linux" {
|
|
|
|
fmt.Fprintf(&sb, "nf=%v ", p.NetfilterMode)
|
|
|
|
}
|
2021-04-18 07:48:53 -07:00
|
|
|
if p.ControlURL != "" && p.ControlURL != DefaultControlURL {
|
2020-11-04 10:24:33 -08:00
|
|
|
fmt.Fprintf(&sb, "url=%q ", p.ControlURL)
|
|
|
|
}
|
2021-04-12 10:45:33 -07:00
|
|
|
if p.Hostname != "" {
|
|
|
|
fmt.Fprintf(&sb, "host=%q ", p.Hostname)
|
|
|
|
}
|
2021-04-16 21:01:29 -07:00
|
|
|
if p.OperatorUser != "" {
|
|
|
|
fmt.Fprintf(&sb, "op=%q ", p.OperatorUser)
|
|
|
|
}
|
2023-12-04 12:08:56 -05:00
|
|
|
if p.NetfilterKind != "" {
|
|
|
|
fmt.Fprintf(&sb, "netfilterKind=%s ", p.NetfilterKind)
|
|
|
|
}
|
2023-09-01 14:45:12 -06:00
|
|
|
sb.WriteString(p.AutoUpdate.Pretty())
|
2023-10-26 15:55:32 -07:00
|
|
|
sb.WriteString(p.AppConnector.Pretty())
|
2020-02-17 15:01:23 -08:00
|
|
|
if p.Persist != nil {
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
sb.WriteString(p.Persist.Pretty())
|
2020-02-05 14:16:58 -08:00
|
|
|
} else {
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
sb.WriteString("Persist=nil")
|
2020-02-05 14:16:58 -08:00
|
|
|
}
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
sb.WriteString("}")
|
|
|
|
return sb.String()
|
2020-02-05 14:16:58 -08:00
|
|
|
}
|
|
|
|
|
2022-10-21 23:05:43 +00:00
|
|
|
func (p PrefsView) ToBytes() []byte {
|
|
|
|
return p.ж.ToBytes()
|
|
|
|
}
|
|
|
|
|
2020-02-17 15:01:23 -08:00
|
|
|
func (p *Prefs) ToBytes() []byte {
|
|
|
|
data, err := json.MarshalIndent(p, "", "\t")
|
2020-02-05 14:16:58 -08:00
|
|
|
if err != nil {
|
|
|
|
log.Fatalf("Prefs marshal: %v\n", err)
|
|
|
|
}
|
|
|
|
return data
|
|
|
|
}
|
|
|
|
|
2022-10-21 23:05:43 +00:00
|
|
|
func (p PrefsView) Equals(p2 PrefsView) bool {
|
|
|
|
return p.ж.Equals(p2.ж)
|
|
|
|
}
|
|
|
|
|
2020-02-17 15:01:23 -08:00
|
|
|
func (p *Prefs) Equals(p2 *Prefs) bool {
|
|
|
|
if p == nil && p2 == nil {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
if p == nil || p2 == nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2023-12-05 10:32:35 -05:00
|
|
|
return p.ControlURL == p2.ControlURL &&
|
2020-02-17 15:01:23 -08:00
|
|
|
p.RouteAll == p2.RouteAll &&
|
2021-01-20 17:24:16 -08:00
|
|
|
p.ExitNodeID == p2.ExitNodeID &&
|
|
|
|
p.ExitNodeIP == p2.ExitNodeIP &&
|
2024-04-03 10:51:51 -07:00
|
|
|
p.InternalExitNodePrior == p2.InternalExitNodePrior &&
|
2021-04-08 15:56:51 -07:00
|
|
|
p.ExitNodeAllowLANAccess == p2.ExitNodeAllowLANAccess &&
|
2020-02-17 15:01:23 -08:00
|
|
|
p.CorpDNS == p2.CorpDNS &&
|
2021-08-26 14:50:55 -07:00
|
|
|
p.RunSSH == p2.RunSSH &&
|
2023-10-26 11:35:41 -07:00
|
|
|
p.RunWebClient == p2.RunWebClient &&
|
2020-02-17 15:01:23 -08:00
|
|
|
p.WantRunning == p2.WantRunning &&
|
2021-04-30 03:56:11 -04:00
|
|
|
p.LoggedOut == p2.LoggedOut &&
|
2020-02-17 15:01:23 -08:00
|
|
|
p.NotepadURLs == p2.NotepadURLs &&
|
2020-04-29 02:37:35 -04:00
|
|
|
p.ShieldsUp == p2.ShieldsUp &&
|
2020-05-11 20:16:52 +00:00
|
|
|
p.NoSNAT == p2.NoSNAT &&
|
2024-05-06 15:22:17 -07:00
|
|
|
p.NoStatefulFiltering == p2.NoStatefulFiltering &&
|
2020-05-15 02:07:06 +00:00
|
|
|
p.NetfilterMode == p2.NetfilterMode &&
|
2021-04-16 21:01:29 -07:00
|
|
|
p.OperatorUser == p2.OperatorUser &&
|
2020-06-02 18:12:05 +02:00
|
|
|
p.Hostname == p2.Hostname &&
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 14:28:21 -07:00
|
|
|
p.ForceDaemon == p2.ForceDaemon &&
|
2020-02-17 15:01:23 -08:00
|
|
|
compareIPNets(p.AdvertiseRoutes, p2.AdvertiseRoutes) &&
|
2020-05-01 01:01:27 -04:00
|
|
|
compareStrings(p.AdvertiseTags, p2.AdvertiseTags) &&
|
2024-10-16 19:08:06 -04:00
|
|
|
compareStrings(p.AdvertiseServices, p2.AdvertiseServices) &&
|
2022-11-18 14:42:32 +05:00
|
|
|
p.Persist.Equals(p2.Persist) &&
|
2023-09-01 14:45:12 -06:00
|
|
|
p.ProfileName == p2.ProfileName &&
|
2023-12-18 16:57:03 -06:00
|
|
|
p.AutoUpdate.Equals(p2.AutoUpdate) &&
|
2023-10-26 15:55:32 -07:00
|
|
|
p.AppConnector == p2.AppConnector &&
|
2023-12-04 12:08:56 -05:00
|
|
|
p.PostureChecking == p2.PostureChecking &&
|
2024-04-03 10:09:58 -07:00
|
|
|
slices.EqualFunc(p.DriveShares, p2.DriveShares, drive.SharesEqual) &&
|
2023-12-04 12:08:56 -05:00
|
|
|
p.NetfilterKind == p2.NetfilterKind
|
2023-09-01 14:45:12 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
func (au AutoUpdatePrefs) Pretty() string {
|
2023-12-18 16:57:03 -06:00
|
|
|
if au.Apply.EqualBool(true) {
|
2023-09-01 14:45:12 -06:00
|
|
|
return "update=on "
|
|
|
|
}
|
|
|
|
if au.Check {
|
|
|
|
return "update=check "
|
|
|
|
}
|
|
|
|
return "update=off "
|
2020-02-17 15:01:23 -08:00
|
|
|
}
|
|
|
|
|
2023-10-26 15:55:32 -07:00
|
|
|
func (ap AppConnectorPrefs) Pretty() string {
|
|
|
|
if ap.Advertise {
|
|
|
|
return "appconnector=advertise "
|
|
|
|
}
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-25 21:14:09 -07:00
|
|
|
func compareIPNets(a, b []netip.Prefix) bool {
|
2020-02-17 15:01:23 -08:00
|
|
|
if len(a) != len(b) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
for i := range a {
|
2020-12-24 12:33:55 -08:00
|
|
|
if a[i] != b[i] {
|
2020-02-17 15:01:23 -08:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true
|
2020-02-05 14:16:58 -08:00
|
|
|
}
|
|
|
|
|
2020-05-01 01:01:27 -04:00
|
|
|
func compareStrings(a, b []string) bool {
|
|
|
|
if len(a) != len(b) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
for i := range a {
|
|
|
|
if a[i] != b[i] {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
ipn{,/ipnlocal}, cmd/tailscale/cli: don't check pref reverts on initial up
The ipn.NewPrefs func returns a populated ipn.Prefs for historical
reasons. It's not used or as important as it once was, but it hasn't
yet been removed. Meanwhile, it contains some default values that are
used on some platforms. Notably, for this bug (#1725), Windows/Mac use
its Prefs.RouteAll true value (to accept subnets), but Linux users
have always gotten a "false" value for that, because that's what
cmd/tailscale's CLI default flag is _for all operating systems_. That
meant that "tailscale up" was rightfully reporting that the user was
changing an implicit setting: RouteAll was changing from true with
false with the user explicitly saying so.
An obvious fix might be to change ipn.NewPrefs to return
Prefs.RouteAll == false on some platforms, but the logic is
complicated by darwin: we want RouteAll true on windows, android, ios,
and the GUI mac app, but not the CLI tailscaled-on-macOS mode. But
even if we used build tags (e.g. the "redo" build tag) to determine
what the default is, that then means we have duplicated and differing
"defaults" between both the CLI up flags and ipn.NewPrefs. Furthering
that complication didn't seem like a good idea.
So, changing the NewPrefs defaults is too invasive at this stage of
the release, as is removing the NewPrefs func entirely.
Instead, tweak slightly the semantics of the ipn.Prefs.ControlURL
field. This now defines that a ControlURL of the empty string means
both "we're uninitialized" and also "just use the default".
Then, once we have the "empty-string-means-unintialized" semantics,
use that to suppress "tailscale up"'s recent implicit-setting-revert
checking safety net, if we've never initialized Tailscale yet.
And update/add tests.
Fixes #1725
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-04-17 22:50:58 -07:00
|
|
|
// NewPrefs returns the default preferences to use.
|
2020-02-20 11:07:00 -08:00
|
|
|
func NewPrefs() *Prefs {
|
ipn{,/ipnlocal}, cmd/tailscale/cli: don't check pref reverts on initial up
The ipn.NewPrefs func returns a populated ipn.Prefs for historical
reasons. It's not used or as important as it once was, but it hasn't
yet been removed. Meanwhile, it contains some default values that are
used on some platforms. Notably, for this bug (#1725), Windows/Mac use
its Prefs.RouteAll true value (to accept subnets), but Linux users
have always gotten a "false" value for that, because that's what
cmd/tailscale's CLI default flag is _for all operating systems_. That
meant that "tailscale up" was rightfully reporting that the user was
changing an implicit setting: RouteAll was changing from true with
false with the user explicitly saying so.
An obvious fix might be to change ipn.NewPrefs to return
Prefs.RouteAll == false on some platforms, but the logic is
complicated by darwin: we want RouteAll true on windows, android, ios,
and the GUI mac app, but not the CLI tailscaled-on-macOS mode. But
even if we used build tags (e.g. the "redo" build tag) to determine
what the default is, that then means we have duplicated and differing
"defaults" between both the CLI up flags and ipn.NewPrefs. Furthering
that complication didn't seem like a good idea.
So, changing the NewPrefs defaults is too invasive at this stage of
the release, as is removing the NewPrefs func entirely.
Instead, tweak slightly the semantics of the ipn.Prefs.ControlURL
field. This now defines that a ControlURL of the empty string means
both "we're uninitialized" and also "just use the default".
Then, once we have the "empty-string-means-unintialized" semantics,
use that to suppress "tailscale up"'s recent implicit-setting-revert
checking safety net, if we've never initialized Tailscale yet.
And update/add tests.
Fixes #1725
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-04-17 22:50:58 -07:00
|
|
|
// Provide default values for options which might be missing
|
|
|
|
// from the json data for any reason. The json can still
|
|
|
|
// override them to false.
|
2020-02-20 11:07:00 -08:00
|
|
|
return &Prefs{
|
ipn{,/ipnlocal}, cmd/tailscale/cli: don't check pref reverts on initial up
The ipn.NewPrefs func returns a populated ipn.Prefs for historical
reasons. It's not used or as important as it once was, but it hasn't
yet been removed. Meanwhile, it contains some default values that are
used on some platforms. Notably, for this bug (#1725), Windows/Mac use
its Prefs.RouteAll true value (to accept subnets), but Linux users
have always gotten a "false" value for that, because that's what
cmd/tailscale's CLI default flag is _for all operating systems_. That
meant that "tailscale up" was rightfully reporting that the user was
changing an implicit setting: RouteAll was changing from true with
false with the user explicitly saying so.
An obvious fix might be to change ipn.NewPrefs to return
Prefs.RouteAll == false on some platforms, but the logic is
complicated by darwin: we want RouteAll true on windows, android, ios,
and the GUI mac app, but not the CLI tailscaled-on-macOS mode. But
even if we used build tags (e.g. the "redo" build tag) to determine
what the default is, that then means we have duplicated and differing
"defaults" between both the CLI up flags and ipn.NewPrefs. Furthering
that complication didn't seem like a good idea.
So, changing the NewPrefs defaults is too invasive at this stage of
the release, as is removing the NewPrefs func entirely.
Instead, tweak slightly the semantics of the ipn.Prefs.ControlURL
field. This now defines that a ControlURL of the empty string means
both "we're uninitialized" and also "just use the default".
Then, once we have the "empty-string-means-unintialized" semantics,
use that to suppress "tailscale up"'s recent implicit-setting-revert
checking safety net, if we've never initialized Tailscale yet.
And update/add tests.
Fixes #1725
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-04-17 22:50:58 -07:00
|
|
|
// ControlURL is explicitly not set to signal that
|
|
|
|
// it's not yet configured, which relaxes the CLI "up"
|
|
|
|
// safety net features. It will get set to DefaultControlURL
|
|
|
|
// on first up. Or, if not, DefaultControlURL will be used
|
|
|
|
// later anyway.
|
|
|
|
ControlURL: "",
|
|
|
|
|
2024-05-07 10:28:22 -07:00
|
|
|
RouteAll: true,
|
|
|
|
CorpDNS: true,
|
|
|
|
WantRunning: false,
|
|
|
|
NetfilterMode: preftype.NetfilterOn,
|
2024-05-20 11:44:29 -07:00
|
|
|
NoStatefulFiltering: opt.NewBool(true),
|
2023-09-01 14:45:12 -06:00
|
|
|
AutoUpdate: AutoUpdatePrefs{
|
|
|
|
Check: true,
|
2023-12-18 16:57:03 -06:00
|
|
|
Apply: opt.Bool("unset"),
|
2023-09-01 14:45:12 -06:00
|
|
|
},
|
2020-02-05 14:16:58 -08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-10-21 23:05:43 +00:00
|
|
|
// ControlURLOrDefault returns the coordination server's URL base.
|
|
|
|
//
|
|
|
|
// If not configured, or if the configured value is a legacy name equivalent to
|
|
|
|
// the default, then DefaultControlURL is returned instead.
|
|
|
|
func (p PrefsView) ControlURLOrDefault() string {
|
|
|
|
return p.ж.ControlURLOrDefault()
|
|
|
|
}
|
|
|
|
|
ipn{,/ipnlocal}, cmd/tailscale/cli: don't check pref reverts on initial up
The ipn.NewPrefs func returns a populated ipn.Prefs for historical
reasons. It's not used or as important as it once was, but it hasn't
yet been removed. Meanwhile, it contains some default values that are
used on some platforms. Notably, for this bug (#1725), Windows/Mac use
its Prefs.RouteAll true value (to accept subnets), but Linux users
have always gotten a "false" value for that, because that's what
cmd/tailscale's CLI default flag is _for all operating systems_. That
meant that "tailscale up" was rightfully reporting that the user was
changing an implicit setting: RouteAll was changing from true with
false with the user explicitly saying so.
An obvious fix might be to change ipn.NewPrefs to return
Prefs.RouteAll == false on some platforms, but the logic is
complicated by darwin: we want RouteAll true on windows, android, ios,
and the GUI mac app, but not the CLI tailscaled-on-macOS mode. But
even if we used build tags (e.g. the "redo" build tag) to determine
what the default is, that then means we have duplicated and differing
"defaults" between both the CLI up flags and ipn.NewPrefs. Furthering
that complication didn't seem like a good idea.
So, changing the NewPrefs defaults is too invasive at this stage of
the release, as is removing the NewPrefs func entirely.
Instead, tweak slightly the semantics of the ipn.Prefs.ControlURL
field. This now defines that a ControlURL of the empty string means
both "we're uninitialized" and also "just use the default".
Then, once we have the "empty-string-means-unintialized" semantics,
use that to suppress "tailscale up"'s recent implicit-setting-revert
checking safety net, if we've never initialized Tailscale yet.
And update/add tests.
Fixes #1725
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-04-17 22:50:58 -07:00
|
|
|
// ControlURLOrDefault returns the coordination server's URL base.
|
2022-04-26 14:57:55 -07:00
|
|
|
//
|
|
|
|
// If not configured, or if the configured value is a legacy name equivalent to
|
|
|
|
// the default, then DefaultControlURL is returned instead.
|
ipn{,/ipnlocal}, cmd/tailscale/cli: don't check pref reverts on initial up
The ipn.NewPrefs func returns a populated ipn.Prefs for historical
reasons. It's not used or as important as it once was, but it hasn't
yet been removed. Meanwhile, it contains some default values that are
used on some platforms. Notably, for this bug (#1725), Windows/Mac use
its Prefs.RouteAll true value (to accept subnets), but Linux users
have always gotten a "false" value for that, because that's what
cmd/tailscale's CLI default flag is _for all operating systems_. That
meant that "tailscale up" was rightfully reporting that the user was
changing an implicit setting: RouteAll was changing from true with
false with the user explicitly saying so.
An obvious fix might be to change ipn.NewPrefs to return
Prefs.RouteAll == false on some platforms, but the logic is
complicated by darwin: we want RouteAll true on windows, android, ios,
and the GUI mac app, but not the CLI tailscaled-on-macOS mode. But
even if we used build tags (e.g. the "redo" build tag) to determine
what the default is, that then means we have duplicated and differing
"defaults" between both the CLI up flags and ipn.NewPrefs. Furthering
that complication didn't seem like a good idea.
So, changing the NewPrefs defaults is too invasive at this stage of
the release, as is removing the NewPrefs func entirely.
Instead, tweak slightly the semantics of the ipn.Prefs.ControlURL
field. This now defines that a ControlURL of the empty string means
both "we're uninitialized" and also "just use the default".
Then, once we have the "empty-string-means-unintialized" semantics,
use that to suppress "tailscale up"'s recent implicit-setting-revert
checking safety net, if we've never initialized Tailscale yet.
And update/add tests.
Fixes #1725
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-04-17 22:50:58 -07:00
|
|
|
func (p *Prefs) ControlURLOrDefault() string {
|
2024-01-05 18:30:15 -05:00
|
|
|
controlURL, err := syspolicy.GetString(syspolicy.ControlURL, p.ControlURL)
|
|
|
|
if err != nil {
|
|
|
|
controlURL = p.ControlURL
|
|
|
|
}
|
|
|
|
|
|
|
|
if controlURL != "" {
|
|
|
|
if controlURL != DefaultControlURL && IsLoginServerSynonym(controlURL) {
|
2022-04-26 14:57:55 -07:00
|
|
|
return DefaultControlURL
|
|
|
|
}
|
2024-01-05 18:30:15 -05:00
|
|
|
return controlURL
|
ipn{,/ipnlocal}, cmd/tailscale/cli: don't check pref reverts on initial up
The ipn.NewPrefs func returns a populated ipn.Prefs for historical
reasons. It's not used or as important as it once was, but it hasn't
yet been removed. Meanwhile, it contains some default values that are
used on some platforms. Notably, for this bug (#1725), Windows/Mac use
its Prefs.RouteAll true value (to accept subnets), but Linux users
have always gotten a "false" value for that, because that's what
cmd/tailscale's CLI default flag is _for all operating systems_. That
meant that "tailscale up" was rightfully reporting that the user was
changing an implicit setting: RouteAll was changing from true with
false with the user explicitly saying so.
An obvious fix might be to change ipn.NewPrefs to return
Prefs.RouteAll == false on some platforms, but the logic is
complicated by darwin: we want RouteAll true on windows, android, ios,
and the GUI mac app, but not the CLI tailscaled-on-macOS mode. But
even if we used build tags (e.g. the "redo" build tag) to determine
what the default is, that then means we have duplicated and differing
"defaults" between both the CLI up flags and ipn.NewPrefs. Furthering
that complication didn't seem like a good idea.
So, changing the NewPrefs defaults is too invasive at this stage of
the release, as is removing the NewPrefs func entirely.
Instead, tweak slightly the semantics of the ipn.Prefs.ControlURL
field. This now defines that a ControlURL of the empty string means
both "we're uninitialized" and also "just use the default".
Then, once we have the "empty-string-means-unintialized" semantics,
use that to suppress "tailscale up"'s recent implicit-setting-revert
checking safety net, if we've never initialized Tailscale yet.
And update/add tests.
Fixes #1725
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-04-17 22:50:58 -07:00
|
|
|
}
|
|
|
|
return DefaultControlURL
|
|
|
|
}
|
|
|
|
|
2022-11-11 12:12:03 +05:00
|
|
|
// AdminPageURL returns the admin web site URL for the current ControlURL.
|
|
|
|
func (p PrefsView) AdminPageURL() string { return p.ж.AdminPageURL() }
|
|
|
|
|
2021-07-11 21:46:50 -07:00
|
|
|
// AdminPageURL returns the admin web site URL for the current ControlURL.
|
|
|
|
func (p *Prefs) AdminPageURL() string {
|
|
|
|
url := p.ControlURLOrDefault()
|
|
|
|
if IsLoginServerSynonym(url) {
|
|
|
|
// TODO(crawshaw): In future release, make this https://console.tailscale.com
|
|
|
|
url = "https://login.tailscale.com"
|
|
|
|
}
|
2023-11-29 15:58:56 -05:00
|
|
|
return url + "/admin"
|
2021-07-11 21:46:50 -07:00
|
|
|
}
|
|
|
|
|
2022-11-11 12:12:03 +05:00
|
|
|
// AdvertisesExitNode reports whether p is advertising both the v4 and
|
|
|
|
// v6 /0 exit node routes.
|
|
|
|
func (p PrefsView) AdvertisesExitNode() bool { return p.ж.AdvertisesExitNode() }
|
|
|
|
|
2022-01-06 14:56:38 -08:00
|
|
|
// AdvertisesExitNode reports whether p is advertising both the v4 and
|
|
|
|
// v6 /0 exit node routes.
|
|
|
|
func (p *Prefs) AdvertisesExitNode() bool {
|
|
|
|
if p == nil {
|
|
|
|
return false
|
|
|
|
}
|
2023-08-18 10:57:04 -07:00
|
|
|
return tsaddr.ContainsExitRoutes(views.SliceOf(p.AdvertiseRoutes))
|
2022-01-06 14:56:38 -08:00
|
|
|
}
|
|
|
|
|
2022-01-06 16:17:00 -08:00
|
|
|
// SetAdvertiseExitNode mutates p (if non-nil) to add or remove the two
|
2022-01-06 14:56:38 -08:00
|
|
|
// /0 exit node routes.
|
2022-01-06 16:17:00 -08:00
|
|
|
func (p *Prefs) SetAdvertiseExitNode(runExit bool) {
|
2022-01-06 14:56:38 -08:00
|
|
|
if p == nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
all := p.AdvertiseRoutes
|
|
|
|
p.AdvertiseRoutes = p.AdvertiseRoutes[:0]
|
|
|
|
for _, r := range all {
|
|
|
|
if r.Bits() != 0 {
|
|
|
|
p.AdvertiseRoutes = append(p.AdvertiseRoutes, r)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !runExit {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
p.AdvertiseRoutes = append(p.AdvertiseRoutes,
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-25 21:14:09 -07:00
|
|
|
netip.PrefixFrom(netaddr.IPv4(0, 0, 0, 0), 0),
|
|
|
|
netip.PrefixFrom(netip.IPv6Unspecified(), 0))
|
2022-01-06 14:56:38 -08:00
|
|
|
}
|
|
|
|
|
2022-02-25 16:36:05 -07:00
|
|
|
// peerWithTailscaleIP returns the peer in st with the provided
|
|
|
|
// Tailscale IP.
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-25 21:14:09 -07:00
|
|
|
func peerWithTailscaleIP(st *ipnstate.Status, ip netip.Addr) (ps *ipnstate.PeerStatus, ok bool) {
|
2022-02-25 16:36:05 -07:00
|
|
|
for _, ps := range st.Peer {
|
|
|
|
for _, ip2 := range ps.TailscaleIPs {
|
|
|
|
if ip == ip2 {
|
|
|
|
return ps, true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil, false
|
|
|
|
}
|
|
|
|
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-25 21:14:09 -07:00
|
|
|
func isRemoteIP(st *ipnstate.Status, ip netip.Addr) bool {
|
2022-02-25 16:36:05 -07:00
|
|
|
for _, selfIP := range st.TailscaleIPs {
|
|
|
|
if ip == selfIP {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// ClearExitNode sets the ExitNodeID and ExitNodeIP to their zero values.
|
|
|
|
func (p *Prefs) ClearExitNode() {
|
|
|
|
p.ExitNodeID = ""
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-25 21:14:09 -07:00
|
|
|
p.ExitNodeIP = netip.Addr{}
|
2022-02-25 16:36:05 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
// ExitNodeLocalIPError is returned when the requested IP address for an exit
|
|
|
|
// node belongs to the local machine.
|
|
|
|
type ExitNodeLocalIPError struct {
|
|
|
|
hostOrIP string
|
|
|
|
}
|
|
|
|
|
|
|
|
func (e ExitNodeLocalIPError) Error() string {
|
|
|
|
return fmt.Sprintf("cannot use %s as an exit node as it is a local IP address to this machine", e.hostOrIP)
|
|
|
|
}
|
|
|
|
|
all: convert more code to use net/netip directly
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-25 21:14:09 -07:00
|
|
|
func exitNodeIPOfArg(s string, st *ipnstate.Status) (ip netip.Addr, err error) {
|
2022-02-25 16:36:05 -07:00
|
|
|
if s == "" {
|
|
|
|
return ip, os.ErrInvalid
|
|
|
|
}
|
2022-07-25 20:55:44 -07:00
|
|
|
ip, err = netip.ParseAddr(s)
|
2022-02-25 16:36:05 -07:00
|
|
|
if err == nil {
|
|
|
|
// If we're online already and have a netmap, double check that the IP
|
|
|
|
// address specified is valid.
|
|
|
|
if st.BackendState == "Running" {
|
|
|
|
ps, ok := peerWithTailscaleIP(st, ip)
|
|
|
|
if !ok {
|
|
|
|
return ip, fmt.Errorf("no node found in netmap with IP %v", ip)
|
|
|
|
}
|
|
|
|
if !ps.ExitNodeOption {
|
|
|
|
return ip, fmt.Errorf("node %v is not advertising an exit node", ip)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !isRemoteIP(st, ip) {
|
|
|
|
return ip, ExitNodeLocalIPError{s}
|
|
|
|
}
|
|
|
|
return ip, nil
|
|
|
|
}
|
|
|
|
match := 0
|
|
|
|
for _, ps := range st.Peer {
|
|
|
|
baseName := dnsname.TrimSuffix(ps.DNSName, st.MagicDNSSuffix)
|
2024-07-15 11:13:11 -04:00
|
|
|
if !strings.EqualFold(s, baseName) && !strings.EqualFold(s, ps.DNSName) {
|
2022-02-25 16:36:05 -07:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
match++
|
|
|
|
if len(ps.TailscaleIPs) == 0 {
|
|
|
|
return ip, fmt.Errorf("node %q has no Tailscale IP?", s)
|
|
|
|
}
|
|
|
|
if !ps.ExitNodeOption {
|
|
|
|
return ip, fmt.Errorf("node %q is not advertising an exit node", s)
|
|
|
|
}
|
|
|
|
ip = ps.TailscaleIPs[0]
|
|
|
|
}
|
|
|
|
switch match {
|
|
|
|
case 0:
|
|
|
|
return ip, fmt.Errorf("invalid value %q for --exit-node; must be IP or unique node name", s)
|
|
|
|
case 1:
|
|
|
|
if !isRemoteIP(st, ip) {
|
|
|
|
return ip, ExitNodeLocalIPError{s}
|
|
|
|
}
|
|
|
|
return ip, nil
|
|
|
|
default:
|
|
|
|
return ip, fmt.Errorf("ambiguous exit node name %q", s)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// SetExitNodeIP validates and sets the ExitNodeIP from a user-provided string
|
|
|
|
// specifying either an IP address or a MagicDNS base name ("foo", as opposed to
|
|
|
|
// "foo.bar.beta.tailscale.net"). This method does not mutate ExitNodeID and
|
|
|
|
// will fail if ExitNodeID is already set.
|
|
|
|
func (p *Prefs) SetExitNodeIP(s string, st *ipnstate.Status) error {
|
|
|
|
if !p.ExitNodeID.IsZero() {
|
|
|
|
return ErrExitNodeIDAlreadySet
|
|
|
|
}
|
|
|
|
ip, err := exitNodeIPOfArg(s, st)
|
|
|
|
if err == nil {
|
|
|
|
p.ExitNodeIP = ip
|
|
|
|
}
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-10-21 23:05:43 +00:00
|
|
|
// ShouldSSHBeRunning reports whether the SSH server should be running based on
|
|
|
|
// the prefs.
|
|
|
|
func (p PrefsView) ShouldSSHBeRunning() bool {
|
|
|
|
return p.Valid() && p.ж.ShouldSSHBeRunning()
|
|
|
|
}
|
|
|
|
|
2022-05-30 02:06:46 -07:00
|
|
|
// ShouldSSHBeRunning reports whether the SSH server should be running based on
|
|
|
|
// the prefs.
|
|
|
|
func (p *Prefs) ShouldSSHBeRunning() bool {
|
|
|
|
return p.WantRunning && p.RunSSH
|
|
|
|
}
|
|
|
|
|
2023-10-26 11:35:41 -07:00
|
|
|
// ShouldWebClientBeRunning reports whether the web client server should be running based on
|
|
|
|
// the prefs.
|
|
|
|
func (p PrefsView) ShouldWebClientBeRunning() bool {
|
|
|
|
return p.Valid() && p.ж.ShouldWebClientBeRunning()
|
|
|
|
}
|
|
|
|
|
|
|
|
// ShouldWebClientBeRunning reports whether the web client server should be running based on
|
|
|
|
// the prefs.
|
|
|
|
func (p *Prefs) ShouldWebClientBeRunning() bool {
|
|
|
|
return p.WantRunning && p.RunWebClient
|
|
|
|
}
|
|
|
|
|
2024-05-07 10:28:22 -07:00
|
|
|
// PrefsFromBytes deserializes Prefs from a JSON blob b into base. Values in
|
|
|
|
// base are preserved, unless they are populated in the JSON blob.
|
|
|
|
func PrefsFromBytes(b []byte, base *Prefs) error {
|
2020-02-05 14:16:58 -08:00
|
|
|
if len(b) == 0 {
|
2024-05-07 10:28:22 -07:00
|
|
|
return nil
|
2020-02-05 14:16:58 -08:00
|
|
|
}
|
2023-08-03 18:38:28 -06:00
|
|
|
|
2024-05-07 10:28:22 -07:00
|
|
|
return json.Unmarshal(b, base)
|
2020-02-05 14:16:58 -08:00
|
|
|
}
|
|
|
|
|
2022-11-25 07:54:57 -08:00
|
|
|
var jsonEscapedZero = []byte(`\u0000`)
|
|
|
|
|
2024-05-07 10:28:22 -07:00
|
|
|
// LoadPrefsWindows loads a legacy relaynode config file into Prefs with
|
|
|
|
// sensible migration defaults set. Windows-only.
|
|
|
|
func LoadPrefsWindows(filename string) (*Prefs, error) {
|
2022-09-15 20:06:59 +08:00
|
|
|
data, err := os.ReadFile(filename)
|
2020-02-05 14:16:58 -08:00
|
|
|
if err != nil {
|
2020-09-17 07:59:55 -07:00
|
|
|
return nil, fmt.Errorf("LoadPrefs open: %w", err) // err includes path
|
2020-02-05 14:16:58 -08:00
|
|
|
}
|
2020-11-22 11:34:26 +11:00
|
|
|
if bytes.Contains(data, jsonEscapedZero) {
|
2020-11-24 11:07:49 -08:00
|
|
|
// Tailscale 1.2.0 - 1.2.8 on Windows had a memory corruption bug
|
|
|
|
// in the backend process that ended up sending NULL bytes over JSON
|
|
|
|
// to the frontend which wrote them out to JSON files on disk.
|
|
|
|
// So if we see one, treat is as corrupt and the user will need
|
|
|
|
// to log in again. (better than crashing)
|
2020-11-22 11:34:26 +11:00
|
|
|
return nil, os.ErrNotExist
|
|
|
|
}
|
2024-05-07 10:28:22 -07:00
|
|
|
p := NewPrefs()
|
|
|
|
if err := PrefsFromBytes(data, p); err != nil {
|
2020-09-17 07:59:55 -07:00
|
|
|
return nil, fmt.Errorf("LoadPrefs(%q) decode: %w", filename, err)
|
2020-02-05 14:16:58 -08:00
|
|
|
}
|
2020-02-20 11:07:00 -08:00
|
|
|
return p, nil
|
2020-02-05 14:16:58 -08:00
|
|
|
}
|
|
|
|
|
2020-02-17 15:01:23 -08:00
|
|
|
func SavePrefs(filename string, p *Prefs) {
|
|
|
|
log.Printf("Saving prefs %v %v\n", filename, p.Pretty())
|
|
|
|
data := p.ToBytes()
|
2020-02-05 14:16:58 -08:00
|
|
|
os.MkdirAll(filepath.Dir(filename), 0700)
|
2021-01-11 19:16:14 -08:00
|
|
|
if err := atomicfile.WriteFile(filename, data, 0600); err != nil {
|
2020-02-05 14:16:58 -08:00
|
|
|
log.Printf("SavePrefs: %v\n", err)
|
|
|
|
}
|
|
|
|
}
|
2022-11-09 10:58:10 +05:00
|
|
|
|
|
|
|
// ProfileID is an auto-generated system-wide unique identifier for a login
|
|
|
|
// profile. It is a 4 character hex string like "1ab3".
|
|
|
|
type ProfileID string
|
|
|
|
|
2022-11-27 09:04:00 -08:00
|
|
|
// WindowsUserID is a userid (suitable for passing to ipnauth.LookupUserFromID
|
|
|
|
// or os/user.LookupId) but only set on Windows. It's empty on all other
|
|
|
|
// platforms, unless envknob.GOOS is in used, making Linux act like Windows for
|
|
|
|
// tests.
|
|
|
|
type WindowsUserID string
|
|
|
|
|
2023-11-16 21:40:23 -05:00
|
|
|
// NetworkProfile is a subset of netmap.NetworkMap
|
|
|
|
// that should be saved with each user profile.
|
|
|
|
type NetworkProfile struct {
|
|
|
|
MagicDNSName string
|
|
|
|
DomainName string
|
|
|
|
}
|
|
|
|
|
|
|
|
// RequiresBackfill returns whether this object does not have all the data
|
|
|
|
// expected. This is because this struct is a later addition to LoginProfile and
|
|
|
|
// this method can be checked to see if it's been backfilled to the current
|
|
|
|
// expectation or not. Note that for now, it just checks if the struct is empty.
|
|
|
|
// In the future, if we have new optional fields, this method can be changed to
|
|
|
|
// do more explicit checks to return whether it's apt for a backfill or not.
|
|
|
|
func (n NetworkProfile) RequiresBackfill() bool {
|
|
|
|
return n == NetworkProfile{}
|
|
|
|
}
|
|
|
|
|
2022-11-09 10:58:10 +05:00
|
|
|
// LoginProfile represents a single login profile as managed
|
|
|
|
// by the ProfileManager.
|
|
|
|
type LoginProfile struct {
|
2022-11-16 16:17:36 +05:00
|
|
|
// ID is a unique identifier for this profile.
|
|
|
|
// It is assigned on creation and never changes.
|
|
|
|
// It may seem redundant to have both ID and UserProfile.ID
|
|
|
|
// but they are different things. UserProfile.ID may change
|
|
|
|
// over time (e.g. if a device is tagged).
|
|
|
|
ID ProfileID
|
|
|
|
|
|
|
|
// Name is the user-visible name of this profile.
|
|
|
|
// It is filled in from the UserProfile.LoginName field.
|
2022-11-09 10:58:10 +05:00
|
|
|
Name string
|
|
|
|
|
2023-11-16 21:40:23 -05:00
|
|
|
// NetworkProfile is a subset of netmap.NetworkMap that we
|
|
|
|
// store to remember information about the tailnet that this
|
|
|
|
// profile was logged in with.
|
2023-09-08 12:04:54 -04:00
|
|
|
//
|
2023-11-16 21:40:23 -05:00
|
|
|
// This field was added on 2023-11-17.
|
|
|
|
NetworkProfile NetworkProfile
|
2023-09-08 12:04:54 -04:00
|
|
|
|
2022-11-16 16:17:36 +05:00
|
|
|
// Key is the StateKey under which the profile is stored.
|
|
|
|
// It is assigned once at profile creation time and never changes.
|
|
|
|
Key StateKey
|
|
|
|
|
|
|
|
// UserProfile is the server provided UserProfile for this profile.
|
|
|
|
// This is updated whenever the server provides a new UserProfile.
|
2022-11-09 10:58:10 +05:00
|
|
|
UserProfile tailcfg.UserProfile
|
|
|
|
|
2022-11-17 19:05:02 +05:00
|
|
|
// NodeID is the NodeID of the node that this profile is logged into.
|
|
|
|
// This should be stable across tagging and untagging nodes.
|
|
|
|
// It may seem redundant to check against both the UserProfile.UserID
|
|
|
|
// and the NodeID. However the NodeID can change if the node is deleted
|
|
|
|
// from the admin panel.
|
|
|
|
NodeID tailcfg.StableNodeID
|
|
|
|
|
2022-11-09 10:58:10 +05:00
|
|
|
// LocalUserID is the user ID of the user who created this profile.
|
|
|
|
// It is only relevant on Windows where we have a multi-user system.
|
2022-11-16 16:17:36 +05:00
|
|
|
// It is assigned once at profile creation time and never changes.
|
2022-11-27 09:04:00 -08:00
|
|
|
LocalUserID WindowsUserID
|
2022-11-30 04:16:01 +05:00
|
|
|
|
|
|
|
// ControlURL is the URL of the control server that this profile is logged
|
|
|
|
// into.
|
|
|
|
ControlURL string
|
2022-11-09 10:58:10 +05:00
|
|
|
}
|