cmd/tailscale/cli: flesh out serve CLI and tests (#6304)

Signed-off-by: Shayne Sweeney <shayne@tailscale.com>

ipn/ipn_clone.go

@@ -76,10 +76,10 @@ func (src *ServeConfig) Clone() *ServeConfig {
 			dst.Web[k] = v.Clone()
 		}
 	}
-	if dst.AllowIngress != nil {
-		dst.AllowIngress = map[HostPort]bool{}
-		for k, v := range src.AllowIngress {
-			dst.AllowIngress[k] = v
+	if dst.AllowFunnel != nil {
+		dst.AllowFunnel = map[HostPort]bool{}
+		for k, v := range src.AllowFunnel {
+			dst.AllowFunnel[k] = v
 		}
 	}
 	return dst
@@ -87,9 +87,9 @@ func (src *ServeConfig) Clone() *ServeConfig {
 
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _ServeConfigCloneNeedsRegeneration = ServeConfig(struct {
-	TCP          map[uint16]*TCPPortHandler
-	Web          map[HostPort]*WebServerConfig
-	AllowIngress map[HostPort]bool
+	TCP         map[uint16]*TCPPortHandler
+	Web         map[HostPort]*WebServerConfig
+	AllowFunnel map[HostPort]bool
 }{})
 
 // Clone makes a deep copy of TCPPortHandler.

ipn/ipn_view.go

@@ -176,15 +176,15 @@ func (v ServeConfigView) Web() views.MapFn[HostPort, *WebServerConfig, WebServer
 	})
 }
 
-func (v ServeConfigView) AllowIngress() views.Map[HostPort, bool] {
-	return views.MapOf(v.ж.AllowIngress)
+func (v ServeConfigView) AllowFunnel() views.Map[HostPort, bool] {
+	return views.MapOf(v.ж.AllowFunnel)
 }
 
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _ServeConfigViewNeedsRegeneration = ServeConfig(struct {
-	TCP          map[uint16]*TCPPortHandler
-	Web          map[HostPort]*WebServerConfig
-	AllowIngress map[HostPort]bool
+	TCP         map[uint16]*TCPPortHandler
+	Web         map[HostPort]*WebServerConfig
+	AllowFunnel map[HostPort]bool
 }{})
 
 // View returns a readonly view of TCPPortHandler.

ipn/ipnlocal/local.go

@@ -2236,13 +2236,13 @@ func (b *LocalBackend) SetPrefs(newp *ipn.Prefs) {
 // optimization hint to know primarily which nodes are NOT using ingress, to
 // avoid doing work for regular nodes.
 //
-// Even if the user's ServeConfig.AllowIngress map was manually edited in raw
+// Even if the user's ServeConfig.AllowFunnel map was manually edited in raw
 // mode and contains map entries with false values, sending true (from Len > 0)
 // is still fine. This is only an optimization hint for the control plane and
 // doesn't affect security or correctness. And we also don't expect people to
 // modify their ServeConfig in raw mode.
 func (b *LocalBackend) wantIngressLocked() bool {
-	return b.serveConfig.Valid() && b.serveConfig.AllowIngress().Len() > 0
+	return b.serveConfig.Valid() && b.serveConfig.AllowFunnel().Len() > 0
 }
 
 // setPrefsLockedOnEntry requires b.mu be held to call it, but it

ipn/ipnlocal/serve.go

@@ -234,7 +234,7 @@ func (b *LocalBackend) HandleIngressTCPConn(ingressPeer *tailcfg.Node, target ip
 		return
 	}
 
-	if !sc.AllowIngress().Get(target) {
+	if !sc.AllowFunnel().Get(target) {
 		b.logf("localbackend: got ingress conn for unconfigured %q; rejecting", target)
 		sendRST()
 		return

ipn/store.go

@@ -108,9 +108,9 @@ type ServeConfig struct {
 	// keyed by mount point ("/", "/foo", etc)
 	Web map[HostPort]*WebServerConfig `json:",omitempty"`
 
-	// AllowIngress is the set of SNI:port values for which ingress
+	// AllowFunnel is the set of SNI:port values for which funnel
 	// traffic is allowed, from trusted ingress peers.
-	AllowIngress map[HostPort]bool `json:",omitempty"`
+	AllowFunnel map[HostPort]bool `json:",omitempty"`
 }
 
 // HostPort is an SNI name and port number, joined by a colon.
@@ -119,7 +119,7 @@ type HostPort string
 
 // WebServerConfig describes a web server's configuration.
 type WebServerConfig struct {
-	Handlers map[string]*HTTPHandler
+	Handlers map[string]*HTTPHandler // mountPoint => handler
 }
 
 // TCPPortHandler describes what to do when handling a TCP