tailfs: disable TailFSForLocal via policy

Adds support for node attribute tailfs:access. If this attribute is not present, Tailscale will not accept connections to the local TailFS server at 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
2025-08-11 13:18:53 +00:00 · 2024-02-09 16:23:42 -06:00
parent abab0d4197
commit ddcffaef7a
4 changed files with 31 additions and 3 deletions
--- a/wgengine/netstack/netstack.go
+++ b/wgengine/netstack/netstack.go
@@ -932,6 +932,10 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) {
 		if hittingDNS {
 			go ns.dns.HandleTCPConn(c, addrPort)
 		} else if hittingTailFS {
+			if !ns.lb.TailFSAccessEnabled() {
+				c.Close()
+				return
+			}
 			err := ns.tailFSForLocal.HandleConn(c, net.TCPAddrFromAddrPort(addrPort))
 			if err != nil {
 				ns.logf("netstack: tailfs.HandleConn: %v", err)