mirror of
https://github.com/tailscale/tailscale.git
synced 2025-01-07 08:07:42 +00:00
tailfs: disable TailFSForLocal via policy
Adds support for node attribute tailfs:access. If this attribute is not present, Tailscale will not accept connections to the local TailFS server at 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
This commit is contained in:
parent
abab0d4197
commit
ddcffaef7a
@ -3341,6 +3341,10 @@ func (b *LocalBackend) TCPHandlerForDst(src, dst netip.AddrPort) (handler func(c
|
||||
fs, ok := b.sys.TailFSForLocal.GetOK()
|
||||
if ok {
|
||||
return func(conn net.Conn) error {
|
||||
if !b.TailFSAccessEnabled() {
|
||||
conn.Close()
|
||||
return nil
|
||||
}
|
||||
return fs.HandleConn(conn, conn.RemoteAddr())
|
||||
}, opts
|
||||
}
|
||||
|
@ -46,7 +46,20 @@ func (b *LocalBackend) TailFSSharingEnabled() bool {
|
||||
}
|
||||
|
||||
func (b *LocalBackend) tailFSSharingEnabledLocked() bool {
|
||||
return b.netMap != nil && b.netMap.SelfNode.HasCap(tailcfg.NodeAttrsTailFSSharingEnabled)
|
||||
return b.netMap != nil && b.netMap.SelfNode.HasCap(tailcfg.NodeAttrsTailFSShare)
|
||||
}
|
||||
|
||||
// TailFSAccessEnabled reports whether accessing TailFS shares on remote nodes
|
||||
// is enabled. This is currently based on checking for the tailfs:access node
|
||||
// attribute.
|
||||
func (b *LocalBackend) TailFSAccessEnabled() bool {
|
||||
b.mu.Lock()
|
||||
defer b.mu.Unlock()
|
||||
return b.tailFSAccessEnabledLocked()
|
||||
}
|
||||
|
||||
func (b *LocalBackend) tailFSAccessEnabledLocked() bool {
|
||||
return b.netMap != nil && b.netMap.SelfNode.HasCap(tailcfg.NodeAttrsTailFSAccess)
|
||||
}
|
||||
|
||||
// TailFSSetFileServerAddr tells tailfs to use the given address for connecting
|
||||
@ -272,6 +285,10 @@ func (b *LocalBackend) newTailFSListener(ctx context.Context, fs tailfs.FileSyst
|
||||
logf: logf,
|
||||
|
||||
handler: func(conn net.Conn) error {
|
||||
if !b.TailFSAccessEnabled() {
|
||||
conn.Close()
|
||||
return nil
|
||||
}
|
||||
return fs.HandleConn(conn, conn.RemoteAddr())
|
||||
},
|
||||
bo: backoff.NewBackoff(fmt.Sprintf("tailfs-listener-%d", ap.Port()), logf, 30*time.Second),
|
||||
|
@ -2211,8 +2211,11 @@ type Oauth2Token struct {
|
||||
// tail end of an active direct connection in magicsock.
|
||||
NodeAttrProbeUDPLifetime NodeCapability = "probe-udp-lifetime"
|
||||
|
||||
// NodeAttrsTailFSSharingEnabled enables sharing via TailFS.
|
||||
NodeAttrsTailFSSharingEnabled NodeCapability = "tailfs:share"
|
||||
// NodeAttrsTailFSShare enables sharing via TailFS.
|
||||
NodeAttrsTailFSShare NodeCapability = "tailfs:share"
|
||||
|
||||
// NodeAttrsTailFSAccess enables accessing shares via TailFS.
|
||||
NodeAttrsTailFSAccess NodeCapability = "tailfs:access"
|
||||
)
|
||||
|
||||
// SetDNSRequest is a request to add a DNS record.
|
||||
|
@ -932,6 +932,10 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) {
|
||||
if hittingDNS {
|
||||
go ns.dns.HandleTCPConn(c, addrPort)
|
||||
} else if hittingTailFS {
|
||||
if !ns.lb.TailFSAccessEnabled() {
|
||||
c.Close()
|
||||
return
|
||||
}
|
||||
err := ns.tailFSForLocal.HandleConn(c, net.TCPAddrFromAddrPort(addrPort))
|
||||
if err != nil {
|
||||
ns.logf("netstack: tailfs.HandleConn: %v", err)
|
||||
|
Loading…
x
Reference in New Issue
Block a user