Add prefs.ShieldsUp and --shields-up option.

This sets a default packet filter that blocks all incoming requests, giving end users more control over who can get into their machine, even if the admin hasn't set any central ACLs. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2025-01-05 14:57:49 +00:00 · 2020-04-29 02:37:35 -04:00 · 2020-04-29 02:37:35 -04:00 · d7429b9a8d
commit d7429b9a8d
parent 85e675940d
4 changed files with 27 additions and 24 deletions
--- a/cmd/tailscale/tailscale.go
+++ b/cmd/tailscale/tailscale.go
@ -49,7 +49,7 @@ func main() {
 	upf.StringVar(&upArgs.server, "login-server", "https://login.tailscale.com", "base URL of control server")
 	upf.BoolVar(&upArgs.acceptRoutes, "accept-routes", false, "accept routes advertised by other Tailscale nodes")
 	upf.BoolVar(&upArgs.noSingleRoutes, "no-single-routes", false, "don't install routes to single nodes")
-	upf.BoolVar(&upArgs.noPacketFilter, "no-packet-filter", false, "disable packet filter")
+	upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
 	upf.StringVar(&upArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. 10.0.0.0/8,192.168.0.0/24)")
 	upf.StringVar(&upArgs.authKey, "authkey", "", "node authorization key")
 	upCmd := &ffcli.Command{
@ -99,7 +99,7 @@ func main() {
 	server          string
 	acceptRoutes    bool
 	noSingleRoutes  bool
-	noPacketFilter  bool
+	shieldsUp       bool
 	advertiseRoutes string
 	authKey         string
 }
@ -128,7 +128,7 @@ func runUp(ctx context.Context, args []string) error {
 	prefs.WantRunning = true
 	prefs.RouteAll = upArgs.acceptRoutes
 	prefs.AllowSingleHosts = !upArgs.noSingleRoutes
-	prefs.UsePacketFilter = !upArgs.noPacketFilter
+	prefs.ShieldsUp = upArgs.shieldsUp
 	prefs.AdvertiseRoutes = adv

 	c, bc, ctx, cancel := connect(ctx)
@ -150,7 +150,7 @@ func runUp(ctx context.Context, args []string) error {
 					fmt.Fprintf(os.Stderr, "\nTo authorize your machine, visit (as admin):\n\n\t%s/admin/machines\n\n", upArgs.server)
 				case ipn.Starting, ipn.Running:
 					// Done full authentication process
-					fmt.Fprintf(os.Stderr, "\ntailscaled is authenticated, nothing more to do.\n\n")
+					fmt.Fprintf(os.Stderr, "tailscaled is authenticated, nothing more to do.\n")
 					cancel()
 				}
 			}
--- a/ipn/local.go
+++ b/ipn/local.go
@ -352,14 +352,13 @@ func (b *LocalBackend) Start(opts Options) error {
 }

 func (b *LocalBackend) updateFilter(netMap *controlclient.NetworkMap) {
-	if !b.Prefs().UsePacketFilter {
-		b.e.SetFilter(filter.NewAllowAll())
-	} else if netMap == nil {
-		// Not configured yet, block everything
+	// TODO(apenwarr): don't replace filter at all if unchanged.
+	// TODO(apenwarr): print a diff instead of full filter.
+	if netMap == nil || b.Prefs().ShieldsUp {
+		// Not configured yet or shields up, block everything
+		b.logf("netmap packet filter: (shields up)")
 		b.e.SetFilter(filter.NewAllowNone())
 	} else {
-		// TODO(apenwarr): don't replace filter at all if unchanged.
-		// TODO(apenwarr): print a diff instead of full filter.
 		now := time.Now()
 		if now.Sub(b.lastFilterPrint) > 1*time.Minute {
 			b.logf("netmap packet filter: %v", b.netMapCache.PacketFilter)
@ -616,6 +615,8 @@ func (b *LocalBackend) SetPrefs(new *Prefs) {
 		cli.SetHostinfo(newHi)
 	}

+	b.updateFilter(b.netMapCache)
+
 	if old.WantRunning != new.WantRunning {
 		b.stateMachine()
 	} else {
--- a/ipn/prefs.go
+++ b/ipn/prefs.go
@ -39,10 +39,11 @@ type Prefs struct {
 	// WantRunning indicates whether networking should be active on
 	// this node.
 	WantRunning bool
-	// UsePacketFilter indicates whether to enforce centralized ACLs
-	// on this node. If false, all traffic in and out of this node is
-	// allowed.
-	UsePacketFilter bool
+	// ShieldsUp indicates whether to block all incoming connections,
+	// regardless of the control-provided packet filter. If false, we
+	// use the packet filter as provided. If true, we block incoming
+	// connections.
+	ShieldsUp bool
 	// AdvertiseRoutes specifies CIDR prefixes to advertise into the
 	// Tailscale network as reachable through the current node.
 	AdvertiseRoutes []wgcfg.CIDR
@ -51,6 +52,9 @@ type Prefs struct {
 	// notepad.exe on Windows, rather than loading them in a browser.
 	//
 	// TODO(danderson): remove?
+	// apenwarr 2020-04-29: Unfortunately this is still needed sometimes.
+	// Windows' default browser setting is sometimes screwy and this helps
+	// narrow it down a bit.
 	NotepadURLs bool

 	// DisableDERP prevents DERP from being used.
@ -74,9 +78,9 @@ func (p *Prefs) Pretty() string {
 	} else {
 		pp = "Persist=nil"
 	}
-	return fmt.Sprintf("Prefs{ra=%v mesh=%v dns=%v want=%v notepad=%v derp=%v pf=%v routes=%v %v}",
+	return fmt.Sprintf("Prefs{ra=%v mesh=%v dns=%v want=%v notepad=%v derp=%v shields=%v routes=%v %v}",
 		p.RouteAll, p.AllowSingleHosts, p.CorpDNS, p.WantRunning,
-		p.NotepadURLs, !p.DisableDERP, p.UsePacketFilter, p.AdvertiseRoutes, pp)
+		p.NotepadURLs, !p.DisableDERP, p.ShieldsUp, p.AdvertiseRoutes, pp)
 }

 func (p *Prefs) ToBytes() []byte {
@ -103,7 +107,7 @@ func (p *Prefs) Equals(p2 *Prefs) bool {
 		p.WantRunning == p2.WantRunning &&
 		p.NotepadURLs == p2.NotepadURLs &&
 		p.DisableDERP == p2.DisableDERP &&
-		p.UsePacketFilter == p2.UsePacketFilter &&
+		p.ShieldsUp == p2.ShieldsUp &&
 		compareIPNets(p.AdvertiseRoutes, p2.AdvertiseRoutes) &&
 		p.Persist.Equals(p2.Persist)
 }
@ -130,7 +134,6 @@ func NewPrefs() *Prefs {
 		AllowSingleHosts: true,
 		CorpDNS:          true,
 		WantRunning:      true,
-		UsePacketFilter:  true,
 	}
 }

@ -156,7 +159,6 @@ func PrefsFromBytes(b []byte, enforceDefaults bool) (*Prefs, error) {
 	if enforceDefaults {
 		p.RouteAll = true
 		p.AllowSingleHosts = true
-		p.UsePacketFilter = true
 	}
 	return p, err
 }
--- a/ipn/prefs_test.go
+++ b/ipn/prefs_test.go
@ -20,7 +20,7 @@ func fieldsOf(t reflect.Type) (fields []string) {
 }

 func TestPrefsEqual(t *testing.T) {
-	prefsHandles := []string{"ControlURL", "RouteAll", "AllowSingleHosts", "CorpDNS", "WantRunning", "UsePacketFilter", "AdvertiseRoutes", "NotepadURLs", "DisableDERP", "Persist"}
+	prefsHandles := []string{"ControlURL", "RouteAll", "AllowSingleHosts", "CorpDNS", "WantRunning", "ShieldsUp", "AdvertiseRoutes", "NotepadURLs", "DisableDERP", "Persist"}
 	if have := fieldsOf(reflect.TypeOf(Prefs{})); !reflect.DeepEqual(have, prefsHandles) {
 		t.Errorf("Prefs.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, prefsHandles)
@ -123,13 +123,13 @@ func TestPrefsEqual(t *testing.T) {
 		},

 		{
-			&Prefs{UsePacketFilter: true},
-			&Prefs{UsePacketFilter: false},
+			&Prefs{ShieldsUp: true},
+			&Prefs{ShieldsUp: false},
 			false,
 		},
 		{
-			&Prefs{UsePacketFilter: true},
-			&Prefs{UsePacketFilter: true},
+			&Prefs{ShieldsUp: true},
+			&Prefs{ShieldsUp: true},
 			true,
 		},