Documentation ¶
Overview ¶
Package ipn implements the interactions between the Tailscale cloud control plane and the local network stack.
IPN is the abbreviated name for a Tailscale network. What's less clear is what it's an abbreviation for: Identified Private Network? IP Network? Internet Private Network? I Privately Network?
Index ¶
- Constants
- Variables
- func CheckFunnelAccess(port uint16, node *ipnstate.PeerStatus) error
- func CheckFunnelPort(wantedPort uint16, node *ipnstate.PeerStatus) error
- func ExpandProxyTargetValue(target string, supportedSchemes []string, defaultScheme string) (string, error)
- func IsLoginServerSynonym(val any) bool
- func NodeCanFunnel(node *ipnstate.PeerStatus) error
- func PrefsFromBytes(b []byte, base *Prefs) error
- func PutStoreInt(store StateStore, id StateKey, val int64) error
- func ReadStoreInt(store StateStore, id StateKey) (int64, error)
- func SavePrefs(filename string, p *Prefs)
- func WriteState(store StateStore, id StateKey, v []byte) error
- type AppConnectorPrefs
- type AutoUpdatePrefs
- type AutoUpdatePrefsMask
- type ConfigVAlpha
- type EngineStatus
- type ExitNodeLocalIPError
- type FunnelConn
- type HTTPHandler
- type HTTPHandlerView
- func (v HTTPHandlerView) AsStruct() *HTTPHandler
- func (v HTTPHandlerView) MarshalJSON() ([]byte, error)
- func (v HTTPHandlerView) Path() string
- func (v HTTPHandlerView) Proxy() string
- func (v HTTPHandlerView) Text() string
- func (v *HTTPHandlerView) UnmarshalJSON(b []byte) error
- func (v HTTPHandlerView) Valid() bool
- type HostPort
- type LoginProfile
- type MaskedPrefs
- type NetworkProfile
- type Notify
- type NotifyWatchOpt
- type Options
- type OutgoingFile
- type PartialFile
- type Prefs
- func (p *Prefs) AdminPageURL() string
- func (p *Prefs) AdvertisesExitNode() bool
- func (p *Prefs) ApplyEdits(m *MaskedPrefs)
- func (p *Prefs) ClearExitNode()
- func (src *Prefs) Clone() *Prefs
- func (p *Prefs) ControlURLOrDefault() string
- func (p *Prefs) Equals(p2 *Prefs) bool
- func (p *Prefs) IsEmpty() bool
- func (p *Prefs) Pretty() string
- func (p *Prefs) SetAdvertiseExitNode(runExit bool)
- func (p *Prefs) SetExitNodeIP(s string, st *ipnstate.Status) error
- func (p *Prefs) ShouldSSHBeRunning() bool
- func (p *Prefs) ShouldWebClientBeRunning() bool
- func (p *Prefs) ToBytes() []byte
- func (p *Prefs) View() PrefsView
- type PrefsView
- func (p PrefsView) AdminPageURL() string
- func (v PrefsView) AdvertiseRoutes() views.Slice[netip.Prefix]
- func (v PrefsView) AdvertiseServices() views.Slice[string]
- func (v PrefsView) AdvertiseTags() views.Slice[string]
- func (p PrefsView) AdvertisesExitNode() bool
- func (v PrefsView) AllowSingleHosts() marshalAsTrueInJSON
- func (v PrefsView) AppConnector() AppConnectorPrefs
- func (v PrefsView) AsStruct() *Prefs
- func (v PrefsView) AutoUpdate() AutoUpdatePrefs
- func (v PrefsView) ControlURL() string
- func (p PrefsView) ControlURLOrDefault() string
- func (v PrefsView) CorpDNS() bool
- func (v PrefsView) DriveShares() views.SliceView[*drive.Share, drive.ShareView]
- func (v PrefsView) Egg() bool
- func (p PrefsView) Equals(p2 PrefsView) bool
- func (v PrefsView) ExitNodeAllowLANAccess() bool
- func (v PrefsView) ExitNodeID() tailcfg.StableNodeID
- func (v PrefsView) ExitNodeIP() netip.Addr
- func (v PrefsView) ForceDaemon() bool
- func (v PrefsView) Hostname() string
- func (v PrefsView) InternalExitNodePrior() tailcfg.StableNodeID
- func (v PrefsView) LoggedOut() bool
- func (v PrefsView) MarshalJSON() ([]byte, error)
- func (v PrefsView) NetfilterKind() string
- func (v PrefsView) NetfilterMode() preftype.NetfilterMode
- func (v PrefsView) NoSNAT() bool
- func (v PrefsView) NoStatefulFiltering() opt.Bool
- func (v PrefsView) NotepadURLs() bool
- func (v PrefsView) OperatorUser() string
- func (v PrefsView) Persist() persist.PersistView
- func (v PrefsView) PostureChecking() bool
- func (p PrefsView) Pretty() string
- func (v PrefsView) ProfileName() string
- func (v PrefsView) RouteAll() bool
- func (v PrefsView) RunSSH() bool
- func (v PrefsView) RunWebClient() bool
- func (v PrefsView) ShieldsUp() bool
- func (p PrefsView) ShouldSSHBeRunning() bool
- func (p PrefsView) ShouldWebClientBeRunning() bool
- func (p PrefsView) ToBytes() []byte
- func (v *PrefsView) UnmarshalJSON(b []byte) error
- func (v PrefsView) Valid() bool
- func (v PrefsView) WantRunning() bool
- type ProfileID
- type ServeConfig
- func (src *ServeConfig) Clone() *ServeConfig
- func (sc *ServeConfig) FindConfig(port uint16) (*ServeConfig, bool)
- func (sc *ServeConfig) GetTCPPortHandler(port uint16) *TCPPortHandler
- func (sc *ServeConfig) GetWebHandler(hp HostPort, mount string) *HTTPHandler
- func (sc *ServeConfig) HasPathHandler() bool
- func (sc *ServeConfig) IsFunnelOn() bool
- func (sc *ServeConfig) IsServingHTTP(port uint16) bool
- func (sc *ServeConfig) IsServingHTTPS(port uint16) bool
- func (sc *ServeConfig) IsServingWeb(port uint16) bool
- func (sc *ServeConfig) IsTCPForwardingAny() bool
- func (sc *ServeConfig) IsTCPForwardingOnPort(port uint16) bool
- func (sc *ServeConfig) RemoveTCPForwarding(port uint16)
- func (sc *ServeConfig) RemoveWebHandler(host string, port uint16, mounts []string, cleanupFunnel bool)
- func (sc *ServeConfig) SetFunnel(host string, port uint16, setOn bool)
- func (sc *ServeConfig) SetTCPForwarding(port uint16, fwdAddr string, terminateTLS bool, host string)
- func (sc *ServeConfig) SetWebHandler(handler *HTTPHandler, host string, port uint16, mount string, useTLS bool)
- func (p *ServeConfig) View() ServeConfigView
- func (sc *ServeConfig) WebHandlerExists(hp HostPort, mount string) bool
- type ServeConfigView
- func (v ServeConfigView) AllowFunnel() views.Map[HostPort, bool]
- func (v ServeConfigView) AsStruct() *ServeConfig
- func (v ServeConfigView) ETag() string
- func (v ServeConfigView) FindTCP(port uint16) (res TCPPortHandlerView, ok bool)
- func (v ServeConfigView) FindWeb(hp HostPort) (res WebServerConfigView, ok bool)
- func (v ServeConfigView) Foreground() views.MapFn[string, *ServeConfig, ServeConfigView]
- func (v ServeConfigView) HasAllowFunnel() bool
- func (v ServeConfigView) HasFunnelForTarget(target HostPort) bool
- func (v ServeConfigView) IsFunnelOn() bool
- func (v ServeConfigView) MarshalJSON() ([]byte, error)
- func (v ServeConfigView) RangeOverTCPs(f func(port uint16, _ TCPPortHandlerView) bool)
- func (v ServeConfigView) RangeOverWebs(f func(_ HostPort, conf WebServerConfigView) bool)
- func (v ServeConfigView) Services() views.MapFn[string, *ServiceConfig, ServiceConfigView]
- func (v ServeConfigView) TCP() views.MapFn[uint16, *TCPPortHandler, TCPPortHandlerView]
- func (v *ServeConfigView) UnmarshalJSON(b []byte) error
- func (v ServeConfigView) Valid() bool
- func (v ServeConfigView) Web() views.MapFn[HostPort, *WebServerConfig, WebServerConfigView]
- type ServiceConfig
- type ServiceConfigView
- func (v ServiceConfigView) AsStruct() *ServiceConfig
- func (v ServiceConfigView) MarshalJSON() ([]byte, error)
- func (v ServiceConfigView) TCP() views.MapFn[uint16, *TCPPortHandler, TCPPortHandlerView]
- func (v ServiceConfigView) Tun() bool
- func (v *ServiceConfigView) UnmarshalJSON(b []byte) error
- func (v ServiceConfigView) Valid() bool
- func (v ServiceConfigView) Web() views.MapFn[HostPort, *WebServerConfig, WebServerConfigView]
- type State
- type StateKey
- type StateStore
- type StateStoreDialerSetter
- type TCPPortHandler
- type TCPPortHandlerView
- func (v TCPPortHandlerView) AsStruct() *TCPPortHandler
- func (v TCPPortHandlerView) HTTP() bool
- func (v TCPPortHandlerView) HTTPS() bool
- func (v TCPPortHandlerView) MarshalJSON() ([]byte, error)
- func (v TCPPortHandlerView) TCPForward() string
- func (v TCPPortHandlerView) TerminateTLS() string
- func (v *TCPPortHandlerView) UnmarshalJSON(b []byte) error
- func (v TCPPortHandlerView) Valid() bool
- type WebServerConfig
- type WebServerConfigView
- func (v WebServerConfigView) AsStruct() *WebServerConfig
- func (v WebServerConfigView) Handlers() views.MapFn[string, *HTTPHandler, HTTPHandlerView]
- func (v WebServerConfigView) MarshalJSON() ([]byte, error)
- func (v *WebServerConfigView) UnmarshalJSON(b []byte) error
- func (v WebServerConfigView) Valid() bool
- type WindowsUserID
Constants ¶
const ( // MachineKeyStateKey is the key under which we store the machine key, // in its key.NodePrivate.MarshalText representation. MachineKeyStateKey = StateKey("_machinekey") // LegacyGlobalDaemonStateKey is the ipn.StateKey that tailscaled // loads on startup. // // We have to support multiple state keys for other OSes (Windows in // particular), but right now Unix daemons run with a single // node-global state. To keep open the option of having per-user state // later, the global state key doesn't look like a username. // // As of 2022-10-21, it has been superseded by profiles and is no longer // written to disk. It is only read at startup when there are no profiles, // to migrate the state to the "default" profile. // The existing state is left on disk in case the user downgrades to an // older version of Tailscale that doesn't support profiles. We can // remove this in a future release. LegacyGlobalDaemonStateKey = StateKey("_daemon") // ServerModeStartKey's value, if non-empty, is the value of a // StateKey containing the prefs to start with which to start the // server. // // For example, the value might be "user-1234", meaning the // the server should start with the Prefs JSON loaded from // StateKey "user-1234". ServerModeStartKey = StateKey("server-mode-start-key") // KnownProfilesStateKey is the key under which we store the list of // known profiles. The value is a JSON-encoded []LoginProfile. KnownProfilesStateKey = StateKey("_profiles") // CurrentProfileStateKey is the key under which we store the current // profile. CurrentProfileStateKey = StateKey("_current-profile") // TaildropReceivedKey is the key to indicate whether any taildrop file // has ever been received (even if partially). // Any non-empty value indicates that at least one file has been received. TaildropReceivedKey = StateKey("_taildrop-received") )
const DefaultControlURL = "https://controlplane.tailscale.com"
DefaultControlURL is the URL base of the control plane ("coordination server") for use when no explicit one is configured. The default control plane is the hosted version run by Tailscale.com.
const GoogleIDTokenType = "ts_android_google_login"
GoogleIDToken Type is the tailcfg.Oauth2Token.TokenType for the Google ID tokens used by the Android client.
Variables ¶
var DebuggableComponents = []string{
"magicsock",
"sockstats",
"syspolicy",
}
DebuggableComponents is a list of components whose debugging can be turned on and off individually using the tailscale debug command.
var ( // ErrExitNodeIDAlreadySet is returned from (*Prefs).SetExitNodeIP when the // Prefs.ExitNodeID field is already set. ErrExitNodeIDAlreadySet = errors.New("cannot set ExitNodeIP when ExitNodeID is already set") )
var ErrStateNotExist = errors.New("no state with given ID")
ErrStateNotExist is returned by StateStore.ReadState when the requested state ID doesn't exist.
Functions ¶
func CheckFunnelAccess ¶
func CheckFunnelAccess(port uint16, node *ipnstate.PeerStatus) error
CheckFunnelAccess checks whether Funnel access is allowed for the given node and port. It checks:
- HTTPS is enabled on the tailnet
- the node has the "funnel" nodeAttr
- the port is allowed for Funnel
The node arg should be the ipnstate.Status.Self node.
func CheckFunnelPort ¶
func CheckFunnelPort(wantedPort uint16, node *ipnstate.PeerStatus) error
CheckFunnelPort checks whether the given port is allowed for Funnel. It uses the tailcfg.CapabilityFunnelPorts nodeAttr to determine the allowed ports.
func ExpandProxyTargetValue ¶
func ExpandProxyTargetValue(target string, supportedSchemes []string, defaultScheme string) (string, error)
ExpandProxyTargetValue expands the supported target values to be proxied allowing for input values to be a port number, a partial URL, or a full URL including a path.
examples:
- 3000
- localhost:3000
- tcp://localhost:3000
- http://localhost:3000
- https://localhost:3000
- https-insecure://localhost:3000
- https-insecure://localhost:3000/foo
func IsLoginServerSynonym ¶
IsLoginServerSynonym reports whether a URL is a drop-in replacement for the primary Tailscale login server.
func NodeCanFunnel ¶
func NodeCanFunnel(node *ipnstate.PeerStatus) error
NodeCanFunnel returns an error if the given node is not configured to allow for Tailscale Funnel usage.
func PrefsFromBytes ¶
PrefsFromBytes deserializes Prefs from a JSON blob b into base. Values in base are preserved, unless they are populated in the JSON blob.
func PutStoreInt ¶
func PutStoreInt(store StateStore, id StateKey, val int64) error
PutStoreInt puts an integer into a StateStore.
func ReadStoreInt ¶
func ReadStoreInt(store StateStore, id StateKey) (int64, error)
ReadStoreInt reads an integer from a StateStore.
func WriteState ¶
func WriteState(store StateStore, id StateKey, v []byte) error
WriteState is a wrapper around store.WriteState that only writes if the value is different from what's already in the store.
Types ¶
type AppConnectorPrefs ¶
type AppConnectorPrefs struct { // Advertise specifies whether the app connector subsystem is advertising // this node as a connector. Advertise bool }
AppConnectorPrefs are the app connector settings for the node agent.
func (AppConnectorPrefs) Pretty ¶
func (ap AppConnectorPrefs) Pretty() string
type AutoUpdatePrefs ¶
type AutoUpdatePrefs struct { // Check specifies whether background checks for updates are enabled. When // enabled, tailscaled will periodically check for available updates and // notify the user about them. Check bool // Apply specifies whether background auto-updates are enabled. When // enabled, tailscaled will apply available updates in the background. // Check must also be set when Apply is set. Apply opt.Bool }
AutoUpdatePrefs are the auto update settings for the node agent.
func (AutoUpdatePrefs) Equals ¶
func (au1 AutoUpdatePrefs) Equals(au2 AutoUpdatePrefs) bool
func (AutoUpdatePrefs) Pretty ¶
func (au AutoUpdatePrefs) Pretty() string
type AutoUpdatePrefsMask ¶
type AutoUpdatePrefsMask struct { CheckSet bool `json:",omitempty"` ApplySet bool `json:",omitempty"` }
func (AutoUpdatePrefsMask) Pretty ¶
func (m AutoUpdatePrefsMask) Pretty(au AutoUpdatePrefs) string
type ConfigVAlpha ¶
type ConfigVAlpha struct { Version string // "alpha0" for now Locked opt.Bool `json:",omitempty"` // whether the config is locked from being changed by 'tailscale set'; it defaults to true ServerURL *string `json:",omitempty"` // defaults to https://controlplane.tailscale.com AuthKey *string `json:",omitempty"` // as needed if NeedsLogin. either key or path to a file (if prefixed with "file:") Enabled opt.Bool `json:",omitempty"` // wantRunning; empty string defaults to true OperatorUser *string `json:",omitempty"` // local user name who is allowed to operate tailscaled without being root or using sudo Hostname *string `json:",omitempty"` AcceptDNS opt.Bool `json:"acceptDNS,omitempty"` // --accept-dns AcceptRoutes opt.Bool `json:"acceptRoutes,omitempty"` // --accept-routes defaults to true ExitNode *string `json:"exitNode,omitempty"` // IP, StableID, or MagicDNS base name AllowLANWhileUsingExitNode opt.Bool `json:"allowLANWhileUsingExitNode,omitempty"` AdvertiseRoutes []netip.Prefix `json:",omitempty"` DisableSNAT opt.Bool `json:",omitempty"` AppConnector *AppConnectorPrefs `json:",omitempty"` // advertise app connector; defaults to false (if nil or explicitly set to false) NetfilterMode *string `json:",omitempty"` // "on", "off", "nodivert" NoStatefulFiltering opt.Bool `json:",omitempty"` PostureChecking opt.Bool `json:",omitempty"` RunSSHServer opt.Bool `json:",omitempty"` // Tailscale SSH RunWebClient opt.Bool `json:",omitempty"` ShieldsUp opt.Bool `json:",omitempty"` AutoUpdate *AutoUpdatePrefs `json:",omitempty"` ServeConfigTemp *ServeConfig `json:",omitempty"` // TODO(bradfitz,maisem): make separate stable type for this // StaticEndpoints are additional, user-defined endpoints that this node // should advertise amongst its wireguard endpoints. StaticEndpoints []netip.AddrPort `json:",omitempty"` }
ConfigVAlpha is the config file format for the "alpha0" version.
func (*ConfigVAlpha) ToPrefs ¶
func (c *ConfigVAlpha) ToPrefs() (MaskedPrefs, error)
type EngineStatus ¶
type EngineStatus struct {
RBytes, WBytes int64
NumLive int
LiveDERPs int // number of active DERP connections
LivePeers map[key.NodePublic]ipnstate.PeerStatusLite
}
EngineStatus contains WireGuard engine stats.
type ExitNodeLocalIPError ¶
type ExitNodeLocalIPError struct {
// contains filtered or unexported fields
}
ExitNodeLocalIPError is returned when the requested IP address for an exit node belongs to the local machine.
func (ExitNodeLocalIPError) Error ¶
func (e ExitNodeLocalIPError) Error() string
type FunnelConn ¶
type FunnelConn struct { // Conn is the underlying connection. net.Conn // Target is what was presented in the "Tailscale-Ingress-Target" // HTTP header. Target HostPort // Src is the source address of the connection. // This is the address of the client that initiated the // connection, not the address of the Tailscale Funnel // node which is relaying the connection. That address // can be found in Conn.RemoteAddr. Src netip.AddrPort }
A FunnelConn wraps a net.Conn that is coming over a Funnel connection. It can be used to determine further information about the connection, like the source address and the target SNI name.
type HTTPHandler ¶
type HTTPHandler struct { Path string `json:",omitempty"` // absolute path to directory or file to serve Proxy string `json:",omitempty"` // http://localhost:3000/, localhost:3030, 3030 Text string `json:",omitempty"` // plaintext to serve (primarily for testing) }
HTTPHandler is either a path or a proxy to serve.
func (*HTTPHandler) Clone ¶
func (src *HTTPHandler) Clone() *HTTPHandler
Clone makes a deep copy of HTTPHandler. The result aliases no memory with the original.
func (*HTTPHandler) View ¶
func (p *HTTPHandler) View() HTTPHandlerView
View returns a readonly view of HTTPHandler.
type HTTPHandlerView ¶
type HTTPHandlerView struct {
// contains filtered or unexported fields
}
HTTPHandlerView provides a read-only view over HTTPHandler.
Its methods should only be called if `Valid()` returns true.
func (HTTPHandlerView) AsStruct ¶
func (v HTTPHandlerView) AsStruct() *HTTPHandler
AsStruct returns a clone of the underlying value which aliases no memory with the original.
func (HTTPHandlerView) MarshalJSON ¶
func (v HTTPHandlerView) MarshalJSON() ([]byte, error)
func (HTTPHandlerView) Path ¶
func (v HTTPHandlerView) Path() string
func (HTTPHandlerView) Proxy ¶
func (v HTTPHandlerView) Proxy() string
func (HTTPHandlerView) Text ¶
func (v HTTPHandlerView) Text() string
func (*HTTPHandlerView) UnmarshalJSON ¶
func (v *HTTPHandlerView) UnmarshalJSON(b []byte) error
func (HTTPHandlerView) Valid ¶
func (v HTTPHandlerView) Valid() bool
Valid reports whether underlying value is non-nil.
type HostPort ¶
type HostPort string
HostPort is an SNI name and port number, joined by a colon. There is no implicit port 443. It must contain a colon.
type LoginProfile ¶
type LoginProfile struct { // ID is a unique identifier for this profile. // It is assigned on creation and never changes. // It may seem redundant to have both ID and UserProfile.ID // but they are different things. UserProfile.ID may change // over time (e.g. if a device is tagged). ID ProfileID // Name is the user-visible name of this profile. // It is filled in from the UserProfile.LoginName field. Name string // NetworkProfile is a subset of netmap.NetworkMap that we // store to remember information about the tailnet that this // profile was logged in with. // // This field was added on 2023-11-17. NetworkProfile NetworkProfile // Key is the StateKey under which the profile is stored. // It is assigned once at profile creation time and never changes. Key StateKey // UserProfile is the server provided UserProfile for this profile. // This is updated whenever the server provides a new UserProfile. UserProfile tailcfg.UserProfile // NodeID is the NodeID of the node that this profile is logged into. // This should be stable across tagging and untagging nodes. // It may seem redundant to check against both the UserProfile.UserID // and the NodeID. However the NodeID can change if the node is deleted // from the admin panel. NodeID tailcfg.StableNodeID // LocalUserID is the user ID of the user who created this profile. // It is only relevant on Windows where we have a multi-user system. // It is assigned once at profile creation time and never changes. LocalUserID WindowsUserID // ControlURL is the URL of the control server that this profile is logged // into. ControlURL string }
LoginProfile represents a single login profile as managed by the ProfileManager.
type MaskedPrefs ¶
type MaskedPrefs struct { Prefs ControlURLSet bool `json:",omitempty"` RouteAllSet bool `json:",omitempty"` ExitNodeIDSet bool `json:",omitempty"` ExitNodeIPSet bool `json:",omitempty"` InternalExitNodePriorSet bool `json:",omitempty"` // Internal; can't be set by LocalAPI clients ExitNodeAllowLANAccessSet bool `json:",omitempty"` CorpDNSSet bool `json:",omitempty"` RunSSHSet bool `json:",omitempty"` RunWebClientSet bool `json:",omitempty"` WantRunningSet bool `json:",omitempty"` LoggedOutSet bool `json:",omitempty"` ShieldsUpSet bool `json:",omitempty"` AdvertiseTagsSet bool `json:",omitempty"` HostnameSet bool `json:",omitempty"` NotepadURLsSet bool `json:",omitempty"` ForceDaemonSet bool `json:",omitempty"` EggSet bool `json:",omitempty"` AdvertiseRoutesSet bool `json:",omitempty"` AdvertiseServicesSet bool `json:",omitempty"` NoSNATSet bool `json:",omitempty"` NoStatefulFilteringSet bool `json:",omitempty"` NetfilterModeSet bool `json:",omitempty"` OperatorUserSet bool `json:",omitempty"` ProfileNameSet bool `json:",omitempty"` AutoUpdateSet AutoUpdatePrefsMask `json:",omitempty"` AppConnectorSet bool `json:",omitempty"` PostureCheckingSet bool `json:",omitempty"` NetfilterKindSet bool `json:",omitempty"` }
MaskedPrefs is a Prefs with an associated bitmask of which fields are set.
Each FooSet field maps to a corresponding Foo field in Prefs. FooSet can be a struct, in which case inner fields of FooSet map to inner fields of Foo in Prefs (see AutoUpdateSet for example).
func (*MaskedPrefs) IsEmpty ¶
func (m *MaskedPrefs) IsEmpty() bool
IsEmpty reports whether there are no masks set or if m is nil.
func (*MaskedPrefs) Pretty ¶
func (m *MaskedPrefs) Pretty() string
func (*MaskedPrefs) SetsInternal ¶
func (mp *MaskedPrefs) SetsInternal() bool
SetsInternal reports whether mp has any of the Internal*Set field bools set to true.
type NetworkProfile ¶
NetworkProfile is a subset of netmap.NetworkMap that should be saved with each user profile.
func (NetworkProfile) RequiresBackfill ¶
func (n NetworkProfile) RequiresBackfill() bool
RequiresBackfill returns whether this object does not have all the data expected. This is because this struct is a later addition to LoginProfile and this method can be checked to see if it's been backfilled to the current expectation or not. Note that for now, it just checks if the struct is empty. In the future, if we have new optional fields, this method can be changed to do more explicit checks to return whether it's apt for a backfill or not.
type Notify ¶
type Notify struct { Version string // version number of IPN backend // SessionID identifies the unique WatchIPNBus session. // This field is only set in the first message when requesting // NotifyInitialState. Clients must store it on their side as // following notifications will not include this field. SessionID string `json:",omitempty"` // ErrMessage, if non-nil, contains a critical error message. // For State InUseOtherUser, ErrMessage is not critical and just contains the details. ErrMessage *string LoginFinished *empty.Message // non-nil when/if the login process succeeded State *State // if non-nil, the new or current IPN state Prefs *PrefsView // if non-nil && Valid, the new or current preferences NetMap *netmap.NetworkMap // if non-nil, the new or current netmap Engine *EngineStatus // if non-nil, the new or current wireguard stats BrowseToURL *string // if non-nil, UI should open a browser right now // FilesWaiting if non-nil means that files are buffered in // the Tailscale daemon and ready for local transfer to the // user's preferred storage location. // // Deprecated: use LocalClient.AwaitWaitingFiles instead. FilesWaiting *empty.Message `json:",omitempty"` // IncomingFiles, if non-nil, specifies which files are in the // process of being received. A nil IncomingFiles means this // Notify should not update the state of file transfers. A non-nil // but empty IncomingFiles means that no files are in the middle // of being transferred. // // Deprecated: use LocalClient.AwaitWaitingFiles instead. IncomingFiles []PartialFile `json:",omitempty"` // OutgoingFiles, if non-nil, tracks which files are in the process of // being sent via TailDrop, including files that finished, whether // successful or failed. This slice is sorted by Started time, then Name. OutgoingFiles []*OutgoingFile `json:",omitempty"` // LocalTCPPort, if non-nil, informs the UI frontend which // (non-zero) localhost TCP port it's listening on. // This is currently only used by Tailscale when run in the // macOS Network Extension. LocalTCPPort *uint16 `json:",omitempty"` // ClientVersion, if non-nil, describes whether a client version update // is available. ClientVersion *tailcfg.ClientVersion `json:",omitempty"` // publishing. Some client applications, like the MacOS and Windows clients, // will listen for updates to this and handle serving these shares under // the identity of the unprivileged user that is running the application. A // nil value here means that we're not broadcasting shares information, an // empty value means that there are no shares. DriveShares views.SliceView[*drive.Share, drive.ShareView] // Health is the last-known health state of the backend. When this field is // non-nil, a change in health verified, and the API client should surface // any changes to the user in the UI. Health *health.State `json:",omitempty"` // contains filtered or unexported fields }
Notify is a communication from a backend (e.g. tailscaled) to a frontend (cmd/tailscale, iOS, macOS, Win Tasktray). In any given notification, any or all of these may be nil, meaning that they have not changed. They are JSON-encoded on the wire, despite the lack of struct tags.
type NotifyWatchOpt ¶
type NotifyWatchOpt uint64
NotifyWatchOpt is a bitmask of options about what type of Notify messages to subscribe to.
const ( // NotifyWatchEngineUpdates, if set, causes Engine updates to be sent to the // client either regularly or when they change, without having to ask for // each one via Engine.RequestStatus. NotifyWatchEngineUpdates NotifyWatchOpt = 1 << iota NotifyInitialState // if set, the first Notify message (sent immediately) will contain the current State + BrowseToURL + SessionID NotifyInitialPrefs // if set, the first Notify message (sent immediately) will contain the current Prefs NotifyInitialNetMap // if set, the first Notify message (sent immediately) will contain the current NetMap NotifyNoPrivateKeys // if set, private keys that would normally be sent in updates are zeroed out NotifyInitialOutgoingFiles // if set, the first Notify message (sent immediately) will contain the current Taildrop OutgoingFiles NotifyInitialHealthState // if set, the first Notify message (sent immediately) will contain the current health.State of the client NotifyRateLimit // if set, rate limit spammy netmap updates to every few seconds )
type Options ¶
type Options struct { // FrontendLogID is the public logtail id used by the frontend. FrontendLogID string // UpdatePrefs, if provided, overrides the Prefs already stored in the // backend state, *except* for the Persist member. // // TODO(apenwarr): Rename this to Prefs, and possibly move Prefs.Persist // elsewhere entirely (as it always should have been). UpdatePrefs *Prefs // AuthKey is an optional node auth key used to authorize a // new node key without user interaction. AuthKey string }
type OutgoingFile ¶
type OutgoingFile struct { ID string `json:",omitempty"` // unique identifier for this transfer (a type 4 UUID) PeerID tailcfg.StableNodeID `json:",omitempty"` // identifier for the peer to which this is being transferred Name string `json:",omitempty"` // e.g. "foo.jpg" Started time.Time // time transfer started DeclaredSize int64 // or -1 if unknown Sent int64 // bytes copied thus far Finished bool // indicates whether or not the transfer finished Succeeded bool // for a finished transfer, indicates whether or not it was successful }
OutgoingFile represents an in-progress outgoing file transfer.
type PartialFile ¶
type PartialFile struct { Name string // e.g. "foo.jpg" Started time.Time // time transfer started DeclaredSize int64 // or -1 if unknown Received int64 // bytes copied thus far // PartialPath is set non-empty in "direct" file mode to the // in-progress '*.partial' file's path when the peerapi isn't // being used; see LocalBackend.SetDirectFileRoot. PartialPath string `json:",omitempty"` FinalPath string `json:",omitempty"` // Done is set in "direct" mode when the partial file has been // closed and is ready for the caller to rename away the // ".partial" suffix. Done bool `json:",omitempty"` }
PartialFile represents an in-progress incoming file transfer.
type Prefs ¶
type Prefs struct { // ControlURL is the URL of the control server to use. // // If empty, the default for new installs, DefaultControlURL // is used. It's set non-empty once the daemon has been started // for the first time. // // TODO(apenwarr): Make it safe to update this with EditPrefs(). // Right now, you have to pass it in the initial prefs in Start(), // which is the only code that actually uses the ControlURL value. // It would be more consistent to restart controlclient // automatically whenever this variable changes. // // Meanwhile, you have to provide this as part of // Options.LegacyMigrationPrefs or Options.UpdatePrefs when // calling Backend.Start(). ControlURL string // RouteAll specifies whether to accept subnets advertised by // other nodes on the Tailscale network. Note that this does not // include default routes (0.0.0.0/0 and ::/0), those are // controlled by ExitNodeID/IP below. RouteAll bool // ExitNodeID and ExitNodeIP specify the node that should be used // as an exit node for internet traffic. At most one of these // should be non-zero. // // The preferred way to express the chosen node is ExitNodeID, but // in some cases it's not possible to use that ID (e.g. in the // linux CLI, before tailscaled has a netmap). For those // situations, we allow specifying the exit node by IP, and // ipnlocal.LocalBackend will translate the IP into an ID when the // node is found in the netmap. // // If the selected exit node doesn't exist (e.g. it's not part of // the current tailnet), or it doesn't offer exit node services, a // blackhole route will be installed on the local system to // prevent any traffic escaping to the local network. ExitNodeID tailcfg.StableNodeID ExitNodeIP netip.Addr // InternalExitNodePrior is the most recently used ExitNodeID in string form. It is set by // the backend on transition from exit node on to off and used by the // backend. // // As an Internal field, it can't be set by LocalAPI clients, rather it is set indirectly // when the ExitNodeID value is zero'd and via the set-use-exit-node-enabled endpoint. InternalExitNodePrior tailcfg.StableNodeID // ExitNodeAllowLANAccess indicates whether locally accessible subnets should be // routed directly or via the exit node. ExitNodeAllowLANAccess bool // CorpDNS specifies whether to install the Tailscale network's // DNS configuration, if it exists. CorpDNS bool // RunSSH bool is whether this node should run an SSH // server, permitting access to peers according to the // policies as configured by the Tailnet's admin(s). RunSSH bool // RunWebClient bool is whether this node should expose // its web client over Tailscale at port 5252, // permitting access to peers according to the // policies as configured by the Tailnet's admin(s). RunWebClient bool // WantRunning indicates whether networking should be active on // this node. WantRunning bool // LoggedOut indicates whether the user intends to be logged out. // There are other reasons we may be logged out, including no valid // keys. // We need to remember this state so that, on next startup, we can // generate the "Login" vs "Connect" buttons correctly, without having // to contact the server to confirm our nodekey status first. LoggedOut bool // ShieldsUp indicates whether to block all incoming connections, // regardless of the control-provided packet filter. If false, we // use the packet filter as provided. If true, we block incoming // connections. This overrides tailcfg.Hostinfo's ShieldsUp. ShieldsUp bool // AdvertiseTags specifies groups that this node wants to join, for // purposes of ACL enforcement. These can be referenced from the ACL // security policy. Note that advertising a tag doesn't guarantee that // the control server will allow you to take on the rights for that // tag. AdvertiseTags []string // Hostname is the hostname to use for identifying the node. If // not set, os.Hostname is used. Hostname string // NotepadURLs is a debugging setting that opens OAuth URLs in // notepad.exe on Windows, rather than loading them in a browser. // // apenwarr 2020-04-29: Unfortunately this is still needed sometimes. // Windows' default browser setting is sometimes screwy and this helps // users narrow it down a bit. NotepadURLs bool // ForceDaemon specifies whether a platform that normally // operates in "client mode" (that is, requires an active user // logged in with the GUI app running) should keep running after the // GUI ends and/or the user logs out. // // The only current applicable platform is Windows. This // forced Windows to go into "server mode" where Tailscale is // running even with no users logged in. This might also be // used for macOS in the future. This setting has no effect // for Linux/etc, which always operate in daemon mode. ForceDaemon bool `json:"ForceDaemon,omitempty"` // Egg is a optional debug flag. Egg bool `json:",omitempty"` // AdvertiseRoutes specifies CIDR prefixes to advertise into the // Tailscale network as reachable through the current // node. AdvertiseRoutes []netip.Prefix // AdvertiseServices specifies the list of services that this // node can serve as a destination for. Note that an advertised // service must still go through the approval process from the // control server. AdvertiseServices []string // NoSNAT specifies whether to source NAT traffic going to // destinations in AdvertiseRoutes. The default is to apply source // NAT, which makes the traffic appear to come from the router // machine rather than the peer's Tailscale IP. // // Disabling SNAT requires additional manual configuration in your // network to route Tailscale traffic back to the subnet relay // machine. // // Linux-only. NoSNAT bool // NoStatefulFiltering specifies whether to apply stateful filtering when // advertising routes in AdvertiseRoutes. The default is to not apply // stateful filtering. // // To allow inbound connections from advertised routes, both NoSNAT and // NoStatefulFiltering must be true. // // This is an opt.Bool because it was first added after NoSNAT, with a // backfill based on the value of that parameter. The backfill has been // removed since then, but the field remains an opt.Bool. // // Linux-only. NoStatefulFiltering opt.Bool `json:",omitempty"` // NetfilterMode specifies how much to manage netfilter rules for // Tailscale, if at all. NetfilterMode preftype.NetfilterMode // OperatorUser is the local machine user name who is allowed to // operate tailscaled without being root or using sudo. OperatorUser string `json:",omitempty"` // ProfileName is the desired name of the profile. If empty, then the user's // LoginName is used. It is only used for display purposes in the client UI // and CLI. ProfileName string `json:",omitempty"` // AutoUpdate sets the auto-update preferences for the node agent. See // AutoUpdatePrefs docs for more details. AutoUpdate AutoUpdatePrefs // AppConnector sets the app connector preferences for the node agent. See // AppConnectorPrefs docs for more details. AppConnector AppConnectorPrefs // PostureChecking enables the collection of information used for device // posture checks. PostureChecking bool // NetfilterKind specifies what netfilter implementation to use. // // Linux-only. NetfilterKind string // by name. DriveShares []*drive.Share // AllowSingleHosts was a legacy field that was always true // for the past 4.5 years. It controlled whether Tailscale // peers got /32 or /127 routes for each other. // As of 2024-05-17 we're starting to ignore it, but to let // people still downgrade Tailscale versions and not break // all peer-to-peer networking we still write it to disk (as JSON) // so it can be loaded back by old versions. // TODO(bradfitz): delete this in 2025 sometime. See #12058. AllowSingleHosts marshalAsTrueInJSON // The Persist field is named 'Config' in the file for backward // compatibility with earlier versions. // TODO(apenwarr): We should move this out of here, it's not a pref. // We can maybe do that once we're sure which module should persist // it (backend or frontend?) Persist *persist.Persist `json:"Config"` }
Prefs are the user modifiable settings of the Tailscale node agent. When you add a Pref to this struct, remember to add a corresponding field in MaskedPrefs, and check your field for equality in Prefs.Equals().
func LoadPrefsWindows ¶
LoadPrefsWindows loads a legacy relaynode config file into Prefs with sensible migration defaults set. Windows-only.
func (*Prefs) AdminPageURL ¶
AdminPageURL returns the admin web site URL for the current ControlURL.
func (*Prefs) AdvertisesExitNode ¶
AdvertisesExitNode reports whether p is advertising both the v4 and v6 /0 exit node routes.
func (*Prefs) ApplyEdits ¶
func (p *Prefs) ApplyEdits(m *MaskedPrefs)
ApplyEdits mutates p, assigning fields from m.Prefs for each MaskedPrefs Set field that's true.
func (*Prefs) ClearExitNode ¶
func (p *Prefs) ClearExitNode()
ClearExitNode sets the ExitNodeID and ExitNodeIP to their zero values.
func (*Prefs) Clone ¶
Clone makes a deep copy of Prefs. The result aliases no memory with the original.
func (*Prefs) ControlURLOrDefault ¶
ControlURLOrDefault returns the coordination server's URL base.
If not configured, or if the configured value is a legacy name equivalent to the default, then DefaultControlURL is returned instead.
func (*Prefs) SetAdvertiseExitNode ¶
SetAdvertiseExitNode mutates p (if non-nil) to add or remove the two /0 exit node routes.
func (*Prefs) SetExitNodeIP ¶
SetExitNodeIP validates and sets the ExitNodeIP from a user-provided string specifying either an IP address or a MagicDNS base name ("foo", as opposed to "foo.bar.beta.tailscale.net"). This method does not mutate ExitNodeID and will fail if ExitNodeID is already set.
func (*Prefs) ShouldSSHBeRunning ¶
ShouldSSHBeRunning reports whether the SSH server should be running based on the prefs.
func (*Prefs) ShouldWebClientBeRunning ¶
ShouldWebClientBeRunning reports whether the web client server should be running based on the prefs.
type PrefsView ¶
type PrefsView struct {
// contains filtered or unexported fields
}
PrefsView provides a read-only view over Prefs.
Its methods should only be called if `Valid()` returns true.
func (PrefsView) AdminPageURL ¶
AdminPageURL returns the admin web site URL for the current ControlURL.
func (PrefsView) AdvertisesExitNode ¶
AdvertisesExitNode reports whether p is advertising both the v4 and v6 /0 exit node routes.
func (PrefsView) AllowSingleHosts ¶
func (v PrefsView) AllowSingleHosts() marshalAsTrueInJSON
func (PrefsView) AppConnector ¶
func (v PrefsView) AppConnector() AppConnectorPrefs
func (PrefsView) AsStruct ¶
AsStruct returns a clone of the underlying value which aliases no memory with the original.
func (PrefsView) AutoUpdate ¶
func (v PrefsView) AutoUpdate() AutoUpdatePrefs
func (PrefsView) ControlURL ¶
func (PrefsView) ControlURLOrDefault ¶
ControlURLOrDefault returns the coordination server's URL base.
If not configured, or if the configured value is a legacy name equivalent to the default, then DefaultControlURL is returned instead.
func (PrefsView) DriveShares ¶
func (PrefsView) ExitNodeAllowLANAccess ¶
func (PrefsView) ExitNodeID ¶
func (v PrefsView) ExitNodeID() tailcfg.StableNodeID
func (PrefsView) ExitNodeIP ¶
func (PrefsView) ForceDaemon ¶
func (PrefsView) InternalExitNodePrior ¶
func (v PrefsView) InternalExitNodePrior() tailcfg.StableNodeID
func (PrefsView) MarshalJSON ¶
func (PrefsView) NetfilterKind ¶
func (PrefsView) NetfilterMode ¶
func (v PrefsView) NetfilterMode() preftype.NetfilterMode
func (PrefsView) NoStatefulFiltering ¶
func (PrefsView) NotepadURLs ¶
func (PrefsView) OperatorUser ¶
func (PrefsView) Persist ¶
func (v PrefsView) Persist() persist.PersistView
func (PrefsView) PostureChecking ¶
func (PrefsView) ProfileName ¶
func (PrefsView) RunWebClient ¶
func (PrefsView) ShouldSSHBeRunning ¶
ShouldSSHBeRunning reports whether the SSH server should be running based on the prefs.
func (PrefsView) ShouldWebClientBeRunning ¶
ShouldWebClientBeRunning reports whether the web client server should be running based on the prefs.
func (*PrefsView) UnmarshalJSON ¶
func (PrefsView) WantRunning ¶
type ProfileID ¶
type ProfileID string
ProfileID is an auto-generated system-wide unique identifier for a login profile. It is a 4 character hex string like "1ab3".
type ServeConfig ¶
type ServeConfig struct { // TCP are the list of TCP port numbers that tailscaled should handle for // the Tailscale IP addresses. (not subnet routers, etc) TCP map[uint16]*TCPPortHandler `json:",omitempty"` // Web maps from "$SNI_NAME:$PORT" to a set of HTTP handlers // keyed by mount point ("/", "/foo", etc) Web map[HostPort]*WebServerConfig `json:",omitempty"` // Services maps from service name to a ServiceConfig. Which describes the // L3, L4, and L7 forwarding information for the service. Services map[string]*ServiceConfig `json:",omitempty"` // AllowFunnel is the set of SNI:port values for which funnel // traffic is allowed, from trusted ingress peers. AllowFunnel map[HostPort]bool `json:",omitempty"` // Foreground is a map of an IPN Bus session ID to an alternate foreground // serve config that's valid for the life of that WatchIPNBus session ID. // This. This allows the config to specify ephemeral configs that are // used in the CLI's foreground mode to ensure ungraceful shutdowns // of either the client or the LocalBackend does not expose ports // that users are not aware of. Foreground map[string]*ServeConfig `json:",omitempty"` // ETag is the checksum of the serve config that's populated // by the LocalClient through the HTTP ETag header during a // GetServeConfig request and is translated to an If-Match header // during a SetServeConfig request. ETag string `json:"-"` }
ServeConfig is the JSON type stored in the StateStore for StateKey "_serve/$PROFILE_ID" as returned by ServeConfigKey.
func (*ServeConfig) Clone ¶
func (src *ServeConfig) Clone() *ServeConfig
Clone makes a deep copy of ServeConfig. The result aliases no memory with the original.
func (*ServeConfig) FindConfig ¶
func (sc *ServeConfig) FindConfig(port uint16) (*ServeConfig, bool)
FindConfig finds a config that contains the given port, which can be the top level background config or an inner foreground one. The second result is true if it's foreground.
func (*ServeConfig) GetTCPPortHandler ¶
func (sc *ServeConfig) GetTCPPortHandler(port uint16) *TCPPortHandler
GetTCPPortHandler returns the TCPPortHandler for the given port. If the port is not configured, nil is returned.
func (*ServeConfig) GetWebHandler ¶
func (sc *ServeConfig) GetWebHandler(hp HostPort, mount string) *HTTPHandler
GetWebHandler returns the HTTPHandler for the given host:port and mount point. Returns nil if the handler does not exist.
func (*ServeConfig) HasPathHandler ¶
func (sc *ServeConfig) HasPathHandler() bool
HasPathHandler reports whether if ServeConfig has at least one path handler, including foreground configs.
func (*ServeConfig) IsFunnelOn ¶
func (sc *ServeConfig) IsFunnelOn() bool
IsFunnelOn reports whether if ServeConfig is currently allowing funnel traffic for any host:port.
func (*ServeConfig) IsServingHTTP ¶
func (sc *ServeConfig) IsServingHTTP(port uint16) bool
IsServingHTTP reports whether if ServeConfig is currently serving HTTP on the given port. This is exclusive of HTTPS and TCPForwarding.
func (*ServeConfig) IsServingHTTPS ¶
func (sc *ServeConfig) IsServingHTTPS(port uint16) bool
IsServingHTTPS reports whether if ServeConfig is currently serving HTTPS on the given port. This is exclusive of HTTP and TCPForwarding.
func (*ServeConfig) IsServingWeb ¶
func (sc *ServeConfig) IsServingWeb(port uint16) bool
IsServingWeb reports whether if ServeConfig is currently serving Web (HTTP/HTTPS) on the given port. This is exclusive of TCPForwarding.
func (*ServeConfig) IsTCPForwardingAny ¶
func (sc *ServeConfig) IsTCPForwardingAny() bool
IsTCPForwardingAny reports whether ServeConfig is currently forwarding in TCPForward mode on any port. This is exclusive of Web/HTTPS serving.
func (*ServeConfig) IsTCPForwardingOnPort ¶
func (sc *ServeConfig) IsTCPForwardingOnPort(port uint16) bool
IsTCPForwardingOnPort reports whether if ServeConfig is currently forwarding in TCPForward mode on the given port. This is exclusive of Web/HTTPS serving.
func (*ServeConfig) RemoveTCPForwarding ¶
func (sc *ServeConfig) RemoveTCPForwarding(port uint16)
RemoveTCPForwarding deletes the TCP forwarding configuration for the given port from the serve config.
func (*ServeConfig) RemoveWebHandler ¶
func (sc *ServeConfig) RemoveWebHandler(host string, port uint16, mounts []string, cleanupFunnel bool)
RemoveWebHandler deletes the web handlers at all of the given mount points for the provided host and port in the serve config. If cleanupFunnel is true, this also removes the funnel value for this port if no handlers remain.
func (*ServeConfig) SetFunnel ¶
func (sc *ServeConfig) SetFunnel(host string, port uint16, setOn bool)
SetFunnel sets the sc.AllowFunnel value for the given host and port.
func (*ServeConfig) SetTCPForwarding ¶
func (sc *ServeConfig) SetTCPForwarding(port uint16, fwdAddr string, terminateTLS bool, host string)
SetTCPForwarding sets the fwdAddr (IP:port form) to which to forward connections from the given port. If terminateTLS is true, TLS connections are terminated with only the given host name permitted before passing them to the fwdAddr.
func (*ServeConfig) SetWebHandler ¶
func (sc *ServeConfig) SetWebHandler(handler *HTTPHandler, host string, port uint16, mount string, useTLS bool)
SetWebHandler sets the given HTTPHandler at the specified host, port, and mount in the serve config. sc.TCP is also updated to reflect web serving usage of the given port.
func (*ServeConfig) View ¶
func (p *ServeConfig) View() ServeConfigView
View returns a readonly view of ServeConfig.
func (*ServeConfig) WebHandlerExists ¶
func (sc *ServeConfig) WebHandlerExists(hp HostPort, mount string) bool
WebHandlerExists reports whether if the ServeConfig Web handler exists for the given host:port and mount point.
type ServeConfigView ¶
type ServeConfigView struct {
// contains filtered or unexported fields
}
ServeConfigView provides a read-only view over ServeConfig.
Its methods should only be called if `Valid()` returns true.
func (ServeConfigView) AllowFunnel ¶
func (v ServeConfigView) AllowFunnel() views.Map[HostPort, bool]
func (ServeConfigView) AsStruct ¶
func (v ServeConfigView) AsStruct() *ServeConfig
AsStruct returns a clone of the underlying value which aliases no memory with the original.
func (ServeConfigView) ETag ¶
func (v ServeConfigView) ETag() string
func (ServeConfigView) FindTCP ¶
func (v ServeConfigView) FindTCP(port uint16) (res TCPPortHandlerView, ok bool)
FindTCP returns the first TCP that matches with the given port. It prefers a foreground match first followed by a background search if none existed.
func (ServeConfigView) FindWeb ¶
func (v ServeConfigView) FindWeb(hp HostPort) (res WebServerConfigView, ok bool)
FindWeb returns the first Web that matches with the given HostPort. It prefers a foreground match first followed by a background search if none existed.
func (ServeConfigView) Foreground ¶
func (v ServeConfigView) Foreground() views.MapFn[string, *ServeConfig, ServeConfigView]
func (ServeConfigView) HasAllowFunnel ¶
func (v ServeConfigView) HasAllowFunnel() bool
HasAllowFunnel returns whether this config has at least one AllowFunnel set in the background or foreground configs.
func (ServeConfigView) HasFunnelForTarget ¶
func (v ServeConfigView) HasFunnelForTarget(target HostPort) bool
FindFunnel reports whether target exists in either the background AllowFunnel or any of the foreground configs.
func (ServeConfigView) IsFunnelOn ¶
func (v ServeConfigView) IsFunnelOn() bool
IsFunnelOn reports whether if ServeConfig is currently allowing funnel traffic for any host:port.
View version of ServeConfig.IsFunnelOn.
func (ServeConfigView) MarshalJSON ¶
func (v ServeConfigView) MarshalJSON() ([]byte, error)
func (ServeConfigView) RangeOverTCPs ¶
func (v ServeConfigView) RangeOverTCPs(f func(port uint16, _ TCPPortHandlerView) bool)
RangeOverTCPs ranges over both background and foreground TCPs. If the returned bool from the given f is false, then this function stops iterating immediately and does not check other foreground configs.
func (ServeConfigView) RangeOverWebs ¶
func (v ServeConfigView) RangeOverWebs(f func(_ HostPort, conf WebServerConfigView) bool)
RangeOverWebs ranges over both background and foreground Webs. If the returned bool from the given f is false, then this function stops iterating immediately and does not check other foreground configs.
func (ServeConfigView) Services ¶
func (v ServeConfigView) Services() views.MapFn[string, *ServiceConfig, ServiceConfigView]
func (ServeConfigView) TCP ¶
func (v ServeConfigView) TCP() views.MapFn[uint16, *TCPPortHandler, TCPPortHandlerView]
func (*ServeConfigView) UnmarshalJSON ¶
func (v *ServeConfigView) UnmarshalJSON(b []byte) error
func (ServeConfigView) Valid ¶
func (v ServeConfigView) Valid() bool
Valid reports whether underlying value is non-nil.
func (ServeConfigView) Web ¶
func (v ServeConfigView) Web() views.MapFn[HostPort, *WebServerConfig, WebServerConfigView]
type ServiceConfig ¶
type ServiceConfig struct { // TCP are the list of TCP port numbers that tailscaled should handle for // the Tailscale IP addresses. (not subnet routers, etc) TCP map[uint16]*TCPPortHandler `json:",omitempty"` // Web maps from "$SNI_NAME:$PORT" to a set of HTTP handlers // keyed by mount point ("/", "/foo", etc) Web map[HostPort]*WebServerConfig `json:",omitempty"` // Tun determines if the service should be using L3 forwarding (Tun mode). Tun bool `json:",omitempty"` }
ServiceConfig contains the config information for a single service. it contains a bool to indicate if the service is in Tun mode (L3 forwarding). If the service is not in Tun mode, the service is configured by the L4 forwarding (TCP ports) and/or the L7 forwarding (http handlers) information.
func (*ServiceConfig) Clone ¶
func (src *ServiceConfig) Clone() *ServiceConfig
Clone makes a deep copy of ServiceConfig. The result aliases no memory with the original.
func (*ServiceConfig) View ¶
func (p *ServiceConfig) View() ServiceConfigView
View returns a readonly view of ServiceConfig.
type ServiceConfigView ¶
type ServiceConfigView struct {
// contains filtered or unexported fields
}
ServiceConfigView provides a read-only view over ServiceConfig.
Its methods should only be called if `Valid()` returns true.
func (ServiceConfigView) AsStruct ¶
func (v ServiceConfigView) AsStruct() *ServiceConfig
AsStruct returns a clone of the underlying value which aliases no memory with the original.
func (ServiceConfigView) MarshalJSON ¶
func (v ServiceConfigView) MarshalJSON() ([]byte, error)
func (ServiceConfigView) TCP ¶
func (v ServiceConfigView) TCP() views.MapFn[uint16, *TCPPortHandler, TCPPortHandlerView]
func (ServiceConfigView) Tun ¶
func (v ServiceConfigView) Tun() bool
func (*ServiceConfigView) UnmarshalJSON ¶
func (v *ServiceConfigView) UnmarshalJSON(b []byte) error
func (ServiceConfigView) Valid ¶
func (v ServiceConfigView) Valid() bool
Valid reports whether underlying value is non-nil.
func (ServiceConfigView) Web ¶
func (v ServiceConfigView) Web() views.MapFn[HostPort, *WebServerConfig, WebServerConfigView]
type StateKey ¶
type StateKey string
StateKey is an opaque identifier for a set of LocalBackend state (preferences, private keys, etc.). It is also used as a key for the various LoginProfiles that the instance may be signed into.
Additionally, the StateKey can be debug setting name:
- "_debug_magicsock_until" with value being a unix timestamp stringified
- "_debug_<component>_until" with value being a unix timestamp stringified
func CurrentProfileKey ¶
CurrentProfileID returns the StateKey that stores the current profile ID. The value is a JSON-encoded LoginProfile. If the userID is empty, the key returned is CurrentProfileStateKey, otherwise it is "_current/"+userID.
func ServeConfigKey ¶
ServeConfigKey returns a StateKey that stores the JSON-encoded ServeConfig for a config profile.
type StateStore ¶
type StateStore interface { // ReadState returns the bytes associated with ID. Returns (nil, // ErrStateNotExist) if the ID doesn't have associated state. ReadState(id StateKey) ([]byte, error) // WriteState saves bs as the state associated with ID. // // Callers should generally use the ipn.WriteState wrapper func // instead, which only writes if the value is different from what's // already in the store. WriteState(id StateKey, bs []byte) error }
StateStore persists state, and produces it back on request. Implementations of StateStore are expected to be safe for concurrent use.
type StateStoreDialerSetter ¶
type StateStoreDialerSetter interface {
SetDialer(d func(ctx context.Context, network, address string) (net.Conn, error))
}
StateStoreDialerSetter is an optional interface that StateStores can implement to allow the caller to set a custom dialer.
type TCPPortHandler ¶
type TCPPortHandler struct { // HTTPS, if true, means that tailscaled should handle this connection as an // HTTPS request as configured by ServeConfig.Web. // // It is mutually exclusive with TCPForward. HTTPS bool `json:",omitempty"` // HTTP, if true, means that tailscaled should handle this connection as an // HTTP request as configured by ServeConfig.Web. // // It is mutually exclusive with TCPForward. HTTP bool `json:",omitempty"` // TCPForward is the IP:port to forward TCP connections to. // Whether or not TLS is terminated by tailscaled depends on // TerminateTLS. // // It is mutually exclusive with HTTPS. TCPForward string `json:",omitempty"` // TerminateTLS, if non-empty, means that tailscaled should terminate the // TLS connections before forwarding them to TCPForward, permitting only the // SNI name with this value. It is only used if TCPForward is non-empty. // (the HTTPS mode uses ServeConfig.Web) TerminateTLS string `json:",omitempty"` }
TCPPortHandler describes what to do when handling a TCP connection.
func (*TCPPortHandler) Clone ¶
func (src *TCPPortHandler) Clone() *TCPPortHandler
Clone makes a deep copy of TCPPortHandler. The result aliases no memory with the original.
func (*TCPPortHandler) View ¶
func (p *TCPPortHandler) View() TCPPortHandlerView
View returns a readonly view of TCPPortHandler.
type TCPPortHandlerView ¶
type TCPPortHandlerView struct {
// contains filtered or unexported fields
}
TCPPortHandlerView provides a read-only view over TCPPortHandler.
Its methods should only be called if `Valid()` returns true.
func (TCPPortHandlerView) AsStruct ¶
func (v TCPPortHandlerView) AsStruct() *TCPPortHandler
AsStruct returns a clone of the underlying value which aliases no memory with the original.
func (TCPPortHandlerView) HTTP ¶
func (v TCPPortHandlerView) HTTP() bool
func (TCPPortHandlerView) HTTPS ¶
func (v TCPPortHandlerView) HTTPS() bool
func (TCPPortHandlerView) MarshalJSON ¶
func (v TCPPortHandlerView) MarshalJSON() ([]byte, error)
func (TCPPortHandlerView) TCPForward ¶
func (v TCPPortHandlerView) TCPForward() string
func (TCPPortHandlerView) TerminateTLS ¶
func (v TCPPortHandlerView) TerminateTLS() string
func (*TCPPortHandlerView) UnmarshalJSON ¶
func (v *TCPPortHandlerView) UnmarshalJSON(b []byte) error
func (TCPPortHandlerView) Valid ¶
func (v TCPPortHandlerView) Valid() bool
Valid reports whether underlying value is non-nil.
type WebServerConfig ¶
type WebServerConfig struct {
Handlers map[string]*HTTPHandler // mountPoint => handler
}
WebServerConfig describes a web server's configuration.
func (*WebServerConfig) Clone ¶
func (src *WebServerConfig) Clone() *WebServerConfig
Clone makes a deep copy of WebServerConfig. The result aliases no memory with the original.
func (*WebServerConfig) View ¶
func (p *WebServerConfig) View() WebServerConfigView
View returns a readonly view of WebServerConfig.
type WebServerConfigView ¶
type WebServerConfigView struct {
// contains filtered or unexported fields
}
WebServerConfigView provides a read-only view over WebServerConfig.
Its methods should only be called if `Valid()` returns true.
func (WebServerConfigView) AsStruct ¶
func (v WebServerConfigView) AsStruct() *WebServerConfig
AsStruct returns a clone of the underlying value which aliases no memory with the original.
func (WebServerConfigView) Handlers ¶
func (v WebServerConfigView) Handlers() views.MapFn[string, *HTTPHandler, HTTPHandlerView]
func (WebServerConfigView) MarshalJSON ¶
func (v WebServerConfigView) MarshalJSON() ([]byte, error)
func (*WebServerConfigView) UnmarshalJSON ¶
func (v *WebServerConfigView) UnmarshalJSON(b []byte) error
func (WebServerConfigView) Valid ¶
func (v WebServerConfigView) Valid() bool
Valid reports whether underlying value is non-nil.
type WindowsUserID ¶
type WindowsUserID string
WindowsUserID is a userid (suitable for passing to ipnauth.LookupUserFromID or os/user.LookupId) but only set on Windows. It's empty on all other platforms, unless envknob.GOOS is in used, making Linux act like Windows for tests.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package conffile contains code to load, manipulate, and access config file settings.
|
Package conffile contains code to load, manipulate, and access config file settings. |
Package ipnauth controls access to the LocalAPI.
|
Package ipnauth controls access to the LocalAPI. |
Package ipnlocal is the heart of the Tailscale node agent that controls all the other misc pieces of the Tailscale node.
|
Package ipnlocal is the heart of the Tailscale node agent that controls all the other misc pieces of the Tailscale node. |
Package ipnserver runs the LocalAPI HTTP server that communicates with the LocalBackend.
|
Package ipnserver runs the LocalAPI HTTP server that communicates with the LocalBackend. |
Package ipnstate captures the entire state of the Tailscale network.
|
Package ipnstate captures the entire state of the Tailscale network. |
Package localapi contains the HTTP server handlers for tailscaled's API server.
|
Package localapi contains the HTTP server handlers for tailscaled's API server. |
Package policy contains various policy decisions that need to be shared between the node client & control server.
|
Package policy contains various policy decisions that need to be shared between the node client & control server. |
Package store provides various implementation of ipn.StateStore.
|
Package store provides various implementation of ipn.StateStore. |
kubestore
Package kubestore contains an ipn.StateStore implementation using Kubernetes Secrets.
|
Package kubestore contains an ipn.StateStore implementation using Kubernetes Secrets. |
mem
Package mem provides an in-memory ipn.StateStore implementation.
|
Package mem provides an in-memory ipn.StateStore implementation. |