tailcfg, ipn/ipnlocal, wgengine/magicsock: add only-tcp-443 node attr

Updates tailscale/corp#17879 Change-Id: I0dc305d147b76c409cf729b599a94fa723aef0e0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-08-11 13:18:53 +00:00 · 2024-03-22 14:18:04 -07:00
parent 7b34154df2
commit a36cfb4d3d
5 changed files with 42 additions and 1 deletions
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -2133,6 +2133,13 @@ const (
 	// e.g. https://tailscale.com/cap/funnel-ports?ports=80,443,8080-8090
 	CapabilityFunnelPorts NodeCapability = "https://tailscale.com/cap/funnel-ports"

+	// NodeAttrOnlyTCP443 specifies that the client should not attempt to generate
+	// any outbound traffic that isn't TCP on port 443 (HTTPS). This is used for
+	// clients in restricted environments where only HTTPS traffic is allowed
+	// other types of traffic trips outbound firewall alarms. This thus implies
+	// all traffic is over DERP.
+	NodeAttrOnlyTCP443 NodeCapability = "only-tcp-443"
+
 	// NodeAttrFunnel grants the ability for a node to host ingress traffic.
 	NodeAttrFunnel NodeCapability = "funnel"
 	// NodeAttrSSHAggregator grants the ability for a node to collect SSH sessions.