From d7429b9a8d15248e26525a79e895c34c3ed67005 Mon Sep 17 00:00:00 2001 From: Avery Pennarun Date: Wed, 29 Apr 2020 02:37:35 -0400 Subject: [PATCH] Add prefs.ShieldsUp and --shields-up option. This sets a default packet filter that blocks all incoming requests, giving end users more control over who can get into their machine, even if the admin hasn't set any central ACLs. Signed-off-by: Avery Pennarun --- cmd/tailscale/tailscale.go | 8 ++++---- ipn/local.go | 13 +++++++------ ipn/prefs.go | 20 +++++++++++--------- ipn/prefs_test.go | 10 +++++----- 4 files changed, 27 insertions(+), 24 deletions(-) diff --git a/cmd/tailscale/tailscale.go b/cmd/tailscale/tailscale.go index f17798bd0..77389bc47 100644 --- a/cmd/tailscale/tailscale.go +++ b/cmd/tailscale/tailscale.go @@ -49,7 +49,7 @@ func main() { upf.StringVar(&upArgs.server, "login-server", "https://login.tailscale.com", "base URL of control server") upf.BoolVar(&upArgs.acceptRoutes, "accept-routes", false, "accept routes advertised by other Tailscale nodes") upf.BoolVar(&upArgs.noSingleRoutes, "no-single-routes", false, "don't install routes to single nodes") - upf.BoolVar(&upArgs.noPacketFilter, "no-packet-filter", false, "disable packet filter") + upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections") upf.StringVar(&upArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. 10.0.0.0/8,192.168.0.0/24)") upf.StringVar(&upArgs.authKey, "authkey", "", "node authorization key") upCmd := &ffcli.Command{ @@ -99,7 +99,7 @@ func main() { server string acceptRoutes bool noSingleRoutes bool - noPacketFilter bool + shieldsUp bool advertiseRoutes string authKey string } @@ -128,7 +128,7 @@ func runUp(ctx context.Context, args []string) error { prefs.WantRunning = true prefs.RouteAll = upArgs.acceptRoutes prefs.AllowSingleHosts = !upArgs.noSingleRoutes - prefs.UsePacketFilter = !upArgs.noPacketFilter + prefs.ShieldsUp = upArgs.shieldsUp prefs.AdvertiseRoutes = adv c, bc, ctx, cancel := connect(ctx) @@ -150,7 +150,7 @@ func runUp(ctx context.Context, args []string) error { fmt.Fprintf(os.Stderr, "\nTo authorize your machine, visit (as admin):\n\n\t%s/admin/machines\n\n", upArgs.server) case ipn.Starting, ipn.Running: // Done full authentication process - fmt.Fprintf(os.Stderr, "\ntailscaled is authenticated, nothing more to do.\n\n") + fmt.Fprintf(os.Stderr, "tailscaled is authenticated, nothing more to do.\n") cancel() } } diff --git a/ipn/local.go b/ipn/local.go index 3de2b87c7..f82a1f2d7 100644 --- a/ipn/local.go +++ b/ipn/local.go @@ -352,14 +352,13 @@ func (b *LocalBackend) Start(opts Options) error { } func (b *LocalBackend) updateFilter(netMap *controlclient.NetworkMap) { - if !b.Prefs().UsePacketFilter { - b.e.SetFilter(filter.NewAllowAll()) - } else if netMap == nil { - // Not configured yet, block everything + // TODO(apenwarr): don't replace filter at all if unchanged. + // TODO(apenwarr): print a diff instead of full filter. + if netMap == nil || b.Prefs().ShieldsUp { + // Not configured yet or shields up, block everything + b.logf("netmap packet filter: (shields up)") b.e.SetFilter(filter.NewAllowNone()) } else { - // TODO(apenwarr): don't replace filter at all if unchanged. - // TODO(apenwarr): print a diff instead of full filter. now := time.Now() if now.Sub(b.lastFilterPrint) > 1*time.Minute { b.logf("netmap packet filter: %v", b.netMapCache.PacketFilter) @@ -616,6 +615,8 @@ func (b *LocalBackend) SetPrefs(new *Prefs) { cli.SetHostinfo(newHi) } + b.updateFilter(b.netMapCache) + if old.WantRunning != new.WantRunning { b.stateMachine() } else { diff --git a/ipn/prefs.go b/ipn/prefs.go index 5d977b224..cfad1ab17 100644 --- a/ipn/prefs.go +++ b/ipn/prefs.go @@ -39,10 +39,11 @@ type Prefs struct { // WantRunning indicates whether networking should be active on // this node. WantRunning bool - // UsePacketFilter indicates whether to enforce centralized ACLs - // on this node. If false, all traffic in and out of this node is - // allowed. - UsePacketFilter bool + // ShieldsUp indicates whether to block all incoming connections, + // regardless of the control-provided packet filter. If false, we + // use the packet filter as provided. If true, we block incoming + // connections. + ShieldsUp bool // AdvertiseRoutes specifies CIDR prefixes to advertise into the // Tailscale network as reachable through the current node. AdvertiseRoutes []wgcfg.CIDR @@ -51,6 +52,9 @@ type Prefs struct { // notepad.exe on Windows, rather than loading them in a browser. // // TODO(danderson): remove? + // apenwarr 2020-04-29: Unfortunately this is still needed sometimes. + // Windows' default browser setting is sometimes screwy and this helps + // narrow it down a bit. NotepadURLs bool // DisableDERP prevents DERP from being used. @@ -74,9 +78,9 @@ func (p *Prefs) Pretty() string { } else { pp = "Persist=nil" } - return fmt.Sprintf("Prefs{ra=%v mesh=%v dns=%v want=%v notepad=%v derp=%v pf=%v routes=%v %v}", + return fmt.Sprintf("Prefs{ra=%v mesh=%v dns=%v want=%v notepad=%v derp=%v shields=%v routes=%v %v}", p.RouteAll, p.AllowSingleHosts, p.CorpDNS, p.WantRunning, - p.NotepadURLs, !p.DisableDERP, p.UsePacketFilter, p.AdvertiseRoutes, pp) + p.NotepadURLs, !p.DisableDERP, p.ShieldsUp, p.AdvertiseRoutes, pp) } func (p *Prefs) ToBytes() []byte { @@ -103,7 +107,7 @@ func (p *Prefs) Equals(p2 *Prefs) bool { p.WantRunning == p2.WantRunning && p.NotepadURLs == p2.NotepadURLs && p.DisableDERP == p2.DisableDERP && - p.UsePacketFilter == p2.UsePacketFilter && + p.ShieldsUp == p2.ShieldsUp && compareIPNets(p.AdvertiseRoutes, p2.AdvertiseRoutes) && p.Persist.Equals(p2.Persist) } @@ -130,7 +134,6 @@ func NewPrefs() *Prefs { AllowSingleHosts: true, CorpDNS: true, WantRunning: true, - UsePacketFilter: true, } } @@ -156,7 +159,6 @@ func PrefsFromBytes(b []byte, enforceDefaults bool) (*Prefs, error) { if enforceDefaults { p.RouteAll = true p.AllowSingleHosts = true - p.UsePacketFilter = true } return p, err } diff --git a/ipn/prefs_test.go b/ipn/prefs_test.go index 4f9c0fdb2..a1e666179 100644 --- a/ipn/prefs_test.go +++ b/ipn/prefs_test.go @@ -20,7 +20,7 @@ func fieldsOf(t reflect.Type) (fields []string) { } func TestPrefsEqual(t *testing.T) { - prefsHandles := []string{"ControlURL", "RouteAll", "AllowSingleHosts", "CorpDNS", "WantRunning", "UsePacketFilter", "AdvertiseRoutes", "NotepadURLs", "DisableDERP", "Persist"} + prefsHandles := []string{"ControlURL", "RouteAll", "AllowSingleHosts", "CorpDNS", "WantRunning", "ShieldsUp", "AdvertiseRoutes", "NotepadURLs", "DisableDERP", "Persist"} if have := fieldsOf(reflect.TypeOf(Prefs{})); !reflect.DeepEqual(have, prefsHandles) { t.Errorf("Prefs.Equal check might be out of sync\nfields: %q\nhandled: %q\n", have, prefsHandles) @@ -123,13 +123,13 @@ func TestPrefsEqual(t *testing.T) { }, { - &Prefs{UsePacketFilter: true}, - &Prefs{UsePacketFilter: false}, + &Prefs{ShieldsUp: true}, + &Prefs{ShieldsUp: false}, false, }, { - &Prefs{UsePacketFilter: true}, - &Prefs{UsePacketFilter: true}, + &Prefs{ShieldsUp: true}, + &Prefs{ShieldsUp: true}, true, },