ipn

package v1.76.6
Published: Nov 4, 2024 License: BSD-3-Clause Imports: 37 Imported by: 93

Documentation

Overview

Package ipn implements the interactions between the Tailscale cloud control plane and the local network stack.

IPN is the abbreviated name for a Tailscale network. What's less clear is what it's an abbreviation for: Identified Private Network? IP Network? Internet Private Network? I Privately Network?

Index

Constants

const (
	// MachineKeyStateKey is the key under which we store the machine key,
	// in its key.NodePrivate.MarshalText representation.
	MachineKeyStateKey = StateKey("_machinekey")

	// LegacyGlobalDaemonStateKey is the ipn.StateKey that tailscaled
	// loads on startup.
	//
	// We have to support multiple state keys for other OSes (Windows in
	// particular), but right now Unix daemons run with a single
	// node-global state. To keep open the option of having per-user state
	// later, the global state key doesn't look like a username.
	//
	// As of 2022-10-21, it has been superseded by profiles and is no longer
	// written to disk. It is only read at startup when there are no profiles,
	// to migrate the state to the "default" profile.
	// The existing state is left on disk in case the user downgrades to an
	// older version of Tailscale that doesn't support profiles. We can
	// remove this in a future release.
	LegacyGlobalDaemonStateKey = StateKey("_daemon")

	// ServerModeStartKey's value, if non-empty, is the value of a
	// StateKey containing the prefs to start with which to start the
	// server.
	//
	// For example, the value might be "user-1234", meaning that
	// the server should start with the Prefs JSON loaded from
	// StateKey "user-1234".
	ServerModeStartKey = StateKey("server-mode-start-key")

	// KnownProfilesStateKey is the key under which we store the list of
	// known profiles. The value is a JSON-encoded []LoginProfile.
	KnownProfilesStateKey = StateKey("_profiles")

	// CurrentProfileStateKey is the key under which we store the current
	// profile.
	CurrentProfileStateKey = StateKey("_current-profile")

	// TaildropReceivedKey is the key to indicate whether any taildrop file
	// has ever been received (even if partially).
	// Any non-empty value indicates that at least one file has been received.
	TaildropReceivedKey = StateKey("_taildrop-received")
)
const DefaultControlURL = "https://controlplane.tailscale.com"

DefaultControlURL is the URL base of the control plane ("coordination server") for use when no explicit one is configured. The default control plane is the hosted version run by Tailscale.com.

const GoogleIDTokenType = "ts_android_google_login"

GoogleIDTokenType is the tailcfg.Oauth2Token.TokenType for the Google ID tokens used by the Android client.

Variables

var DebuggableComponents = []string{
	"magicsock",
	"sockstats",
	"syspolicy",
}

DebuggableComponents is a list of components whose debugging can be turned on and off individually using the tailscale debug command.

var (
	// ErrExitNodeIDAlreadySet is returned from (*Prefs).SetExitNodeIP when the
	// Prefs.ExitNodeID field is already set.
	ErrExitNodeIDAlreadySet = errors.New("cannot set ExitNodeIP when ExitNodeID is already set")
)
var ErrStateNotExist = errors.New("no state with given ID")

ErrStateNotExist is returned by StateStore.ReadState when the requested state ID doesn't exist.

Functions

func CheckFunnelAccess added in v1.38.0

func CheckFunnelAccess(port uint16, node *ipnstate.PeerStatus) error

CheckFunnelAccess checks whether Funnel access is allowed for the given node and port. It checks:

  1. HTTPS is enabled on the tailnet
  2. the node has the "funnel" nodeAttr
  3. the port is allowed for Funnel

The node arg should be the ipnstate.Status.Self node.

func CheckFunnelPort added in v1.48.0

func CheckFunnelPort(wantedPort uint16, node *ipnstate.PeerStatus) error

CheckFunnelPort checks whether the given port is allowed for Funnel. It uses the tailcfg.CapabilityFunnelPorts nodeAttr to determine the allowed ports.

func ExpandProxyTargetValue added in v1.62.0

func ExpandProxyTargetValue(target string, supportedSchemes []string, defaultScheme string) (string, error)

ExpandProxyTargetValue expands a proxy target value into a full URL, accepting as input a bare port number, a partial URL, or a full URL including a path.

examples:

func IsLoginServerSynonym added in v1.12.0

func IsLoginServerSynonym(val any) bool

IsLoginServerSynonym reports whether a URL is a drop-in replacement for the primary Tailscale login server.

func NodeCanFunnel added in v1.62.0

func NodeCanFunnel(node *ipnstate.PeerStatus) error

NodeCanFunnel returns an error if the given node is not configured to allow for Tailscale Funnel usage.

func PrefsFromBytes

func PrefsFromBytes(b []byte, base *Prefs) error

PrefsFromBytes deserializes Prefs from a JSON blob b into base. Values in base are preserved, unless they are populated in the JSON blob.

func PutStoreInt added in v1.32.0

func PutStoreInt(store StateStore, id StateKey, val int64) error

PutStoreInt puts an integer into a StateStore.

func ReadStoreInt added in v1.32.0

func ReadStoreInt(store StateStore, id StateKey) (int64, error)

ReadStoreInt reads an integer from a StateStore.

func SavePrefs

func SavePrefs(filename string, p *Prefs)

func WriteState added in v1.48.0

func WriteState(store StateStore, id StateKey, v []byte) error

WriteState is a wrapper around store.WriteState that only writes if the value is different from what's already in the store.
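To show the store semantics documented for ErrStateNotExist, PutStoreInt, ReadStoreInt and WriteState, here is an added, self-contained Go reimplementation (not the package's own code) run against an in-memory StateStore. The two-method interface shape, the decimal text encoding of integers and the MemStore type are assumptions of this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
	"sync"
)

// StateKey and StateStore mirror the ipn names; the two-method interface
// shape is an assumption made for this example.
type StateKey string

type StateStore interface {
	ReadState(id StateKey) ([]byte, error)
	WriteState(id StateKey, bs []byte) error
}

// ErrStateNotExist is returned by ReadState when the key is absent.
var ErrStateNotExist = errors.New("no state with given ID")

// MemStore is a constructed in-memory StateStore that counts raw writes so the
// effect of the compare-before-write wrapper is observable.
type MemStore struct {
	mu     sync.Mutex
	data   map[StateKey][]byte
	Writes int
}

func NewMemStore() *MemStore { return &MemStore{data: make(map[StateKey][]byte)} }

func (s *MemStore) ReadState(id StateKey) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	bs, ok := s.data[id]
	if !ok {
		return nil, ErrStateNotExist
	}
	return bytes.Clone(bs), nil
}

func (s *MemStore) WriteState(id StateKey, bs []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.Writes++
	s.data[id] = bytes.Clone(bs)
	return nil
}

// WriteState stores v under id only if it differs from the current value.
// A missing key (ErrStateNotExist) or any other read failure falls through
// to a real write, so the store never silently keeps stale state.
func WriteState(store StateStore, id StateKey, v []byte) error {
	if cur, err := store.ReadState(id); err == nil && bytes.Equal(cur, v) {
		return nil
	}
	return store.WriteState(id, v)
}

// PutStoreInt and ReadStoreInt store an int64 as its decimal text (assumed encoding).
func PutStoreInt(store StateStore, id StateKey, val int64) error {
	return WriteState(store, id, []byte(strconv.FormatInt(val, 10)))
}

func ReadStoreInt(store StateStore, id StateKey) (int64, error) {
	bs, err := store.ReadState(id)
	if err != nil {
		return 0, err
	}
	return strconv.ParseInt(string(bs), 10, 64)
}

func main() {
	s := NewMemStore()
	const key = StateKey("_example-counter") // constructed key, not one the package defines
	for _, v := range []int64{1, 1, 1, 2} {
		if err := PutStoreInt(s, key, v); err != nil {
			panic(err)
		}
	}
	n, _ := ReadStoreInt(s, key)
	fmt.Printf("value=%d rawWrites=%d\n", n, s.Writes) // only the two distinct values hit the store
	_, err := ReadStoreInt(s, "_missing")
	fmt.Println(errors.Is(err, ErrStateNotExist)) // a missing key surfaces as ErrStateNotExist
}
```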

Types

type AppConnectorPrefs added in v1.54.0

type AppConnectorPrefs struct {
	// Advertise specifies whether the app connector subsystem is advertising
	// this node as a connector.
	Advertise bool
}

AppConnectorPrefs are the app connector settings for the node agent.

func (AppConnectorPrefs) Pretty added in v1.54.0

func (ap AppConnectorPrefs) Pretty() string

type AutoUpdatePrefs added in v1.50.0

type AutoUpdatePrefs struct {
	// Check specifies whether background checks for updates are enabled. When
	// enabled, tailscaled will periodically check for available updates and
	// notify the user about them.
	Check bool
	// Apply specifies whether background auto-updates are enabled. When
	// enabled, tailscaled will apply available updates in the background.
	// Check must also be set when Apply is set.
	Apply opt.Bool
}

AutoUpdatePrefs are the auto update settings for the node agent.

func (AutoUpdatePrefs) Equals added in v1.58.0

func (au1 AutoUpdatePrefs) Equals(au2 AutoUpdatePrefs) bool

func (AutoUpdatePrefs) Pretty added in v1.50.0

func (au AutoUpdatePrefs) Pretty() string

type AutoUpdatePrefsMask added in v1.56.0

type AutoUpdatePrefsMask struct {
	CheckSet bool `json:",omitempty"`
	ApplySet bool `json:",omitempty"`
}

func (AutoUpdatePrefsMask) Pretty added in v1.56.0

type ConfigVAlpha added in v1.52.0

type ConfigVAlpha struct {
	Version string   // "alpha0" for now
	Locked  opt.Bool `json:",omitempty"` // whether the config is locked from being changed by 'tailscale set'; it defaults to true

	ServerURL *string  `json:",omitempty"` // defaults to https://controlplane.tailscale.com
	AuthKey   *string  `json:",omitempty"` // as needed if NeedsLogin. either key or path to a file (if prefixed with "file:")
	Enabled   opt.Bool `json:",omitempty"` // wantRunning; empty string defaults to true

	OperatorUser *string `json:",omitempty"` // local user name who is allowed to operate tailscaled without being root or using sudo
	Hostname     *string `json:",omitempty"`

	AcceptDNS    opt.Bool `json:"acceptDNS,omitempty"`    // --accept-dns
	AcceptRoutes opt.Bool `json:"acceptRoutes,omitempty"` // --accept-routes defaults to true

	ExitNode                   *string  `json:"exitNode,omitempty"` // IP, StableID, or MagicDNS base name
	AllowLANWhileUsingExitNode opt.Bool `json:"allowLANWhileUsingExitNode,omitempty"`

	AdvertiseRoutes []netip.Prefix `json:",omitempty"`
	DisableSNAT     opt.Bool       `json:",omitempty"`

	NetfilterMode       *string  `json:",omitempty"` // "on", "off", "nodivert"
	NoStatefulFiltering opt.Bool `json:",omitempty"`

	PostureChecking opt.Bool         `json:",omitempty"`
	RunSSHServer    opt.Bool         `json:",omitempty"` // Tailscale SSH
	RunWebClient    opt.Bool         `json:",omitempty"`
	ShieldsUp       opt.Bool         `json:",omitempty"`
	AutoUpdate      *AutoUpdatePrefs `json:",omitempty"`
	ServeConfigTemp *ServeConfig     `json:",omitempty"` // TODO(bradfitz,maisem): make separate stable type for this

	// StaticEndpoints are additional, user-defined endpoints that this node
	// should advertise amongst its wireguard endpoints.
	StaticEndpoints []netip.AddrPort `json:",omitempty"`
}

ConfigVAlpha is the config file format for the "alpha0" version.

func (*ConfigVAlpha) ToPrefs added in v1.52.0

func (c *ConfigVAlpha) ToPrefs() (MaskedPrefs, error)

type EngineStatus

type EngineStatus struct {
	RBytes, WBytes int64
	NumLive        int
	LiveDERPs      int // number of active DERP connections
	LivePeers      map[key.NodePublic]ipnstate.PeerStatusLite
}

EngineStatus contains WireGuard engine stats.

type ExitNodeLocalIPError added in v1.24.0

type ExitNodeLocalIPError struct {
	// contains filtered or unexported fields
}

ExitNodeLocalIPError is returned when the requested IP address for an exit node belongs to the local machine.

func (ExitNodeLocalIPError) Error added in v1.24.0

func (e ExitNodeLocalIPError) Error() string

type FunnelConn added in v1.38.0

type FunnelConn struct {
	// Conn is the underlying connection.
	net.Conn

	// Target is what was presented in the "Tailscale-Ingress-Target"
	// HTTP header.
	Target HostPort

	// Src is the source address of the connection.
	// This is the address of the client that initiated the
	// connection, not the address of the Tailscale Funnel
	// node which is relaying the connection. That address
	// can be found in Conn.RemoteAddr.
	Src netip.AddrPort
}

A FunnelConn wraps a net.Conn that is coming over a Funnel connection. It can be used to determine further information about the connection, like the source address and the target SNI name.

type HTTPHandler added in v1.34.0

type HTTPHandler struct {
	Path  string `json:",omitempty"` // absolute path to directory or file to serve
	Proxy string `json:",omitempty"` // http://localhost:3000/, localhost:3030, 3030

	Text string `json:",omitempty"` // plaintext to serve (primarily for testing)

}

HTTPHandler is either a path or a proxy to serve.

func (*HTTPHandler) Clone added in v1.34.0

func (src *HTTPHandler) Clone() *HTTPHandler

Clone makes a deep copy of HTTPHandler. The result aliases no memory with the original.

func (*HTTPHandler) View added in v1.34.0

func (p *HTTPHandler) View() HTTPHandlerView

View returns a readonly view of HTTPHandler.

type HTTPHandlerView added in v1.34.0

type HTTPHandlerView struct {
	// contains filtered or unexported fields
}

HTTPHandlerView provides a read-only view over HTTPHandler.

Its methods should only be called if `Valid()` returns true.

func (HTTPHandlerView) AsStruct added in v1.34.0

func (v HTTPHandlerView) AsStruct() *HTTPHandler

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (HTTPHandlerView) MarshalJSON added in v1.34.0

func (v HTTPHandlerView) MarshalJSON() ([]byte, error)

func (HTTPHandlerView) Path added in v1.34.0

func (v HTTPHandlerView) Path() string

func (HTTPHandlerView) Proxy added in v1.34.0

func (v HTTPHandlerView) Proxy() string

func (HTTPHandlerView) Text added in v1.34.0

func (v HTTPHandlerView) Text() string

func (*HTTPHandlerView) UnmarshalJSON added in v1.34.0

func (v *HTTPHandlerView) UnmarshalJSON(b []byte) error

func (HTTPHandlerView) Valid added in v1.34.0

func (v HTTPHandlerView) Valid() bool

Valid reports whether the underlying value is non-nil.

type HostPort added in v1.34.0

type HostPort string

HostPort is an SNI name and port number, joined by a colon. There is no implicit port 443. It must contain a colon.

func (HostPort) Port added in v1.50.0

func (hp HostPort) Port() (uint16, error)

Port extracts just the port number from hp. An error is returned if hp does not end in a valid numeric port.

type LoginProfile added in v1.34.0

type LoginProfile struct {
	// ID is a unique identifier for this profile.
	// It is assigned on creation and never changes.
	// It may seem redundant to have both ID and UserProfile.ID
	// but they are different things. UserProfile.ID may change
	// over time (e.g. if a device is tagged).
	ID ProfileID

	// Name is the user-visible name of this profile.
	// It is filled in from the UserProfile.LoginName field.
	Name string

	// NetworkProfile is a subset of netmap.NetworkMap that we
	// store to remember information about the tailnet that this
	// profile was logged in with.
	//
	// This field was added on 2023-11-17.
	NetworkProfile NetworkProfile

	// Key is the StateKey under which the profile is stored.
	// It is assigned once at profile creation time and never changes.
	Key StateKey

	// UserProfile is the server provided UserProfile for this profile.
	// This is updated whenever the server provides a new UserProfile.
	UserProfile tailcfg.UserProfile

	// NodeID is the NodeID of the node that this profile is logged into.
	// This should be stable across tagging and untagging nodes.
	// It may seem redundant to check against both the UserProfile.UserID
	// and the NodeID. However the NodeID can change if the node is deleted
	// from the admin panel.
	NodeID tailcfg.StableNodeID

	// LocalUserID is the user ID of the user who created this profile.
	// It is only relevant on Windows where we have a multi-user system.
	// It is assigned once at profile creation time and never changes.
	LocalUserID WindowsUserID

	// ControlURL is the URL of the control server that this profile is logged
	// into.
	ControlURL string
}

LoginProfile represents a single login profile as managed by the ProfileManager.

type MaskedPrefs added in v1.8.0

type MaskedPrefs struct {
	Prefs

	ControlURLSet             bool                `json:",omitempty"`
	RouteAllSet               bool                `json:",omitempty"`
	ExitNodeIDSet             bool                `json:",omitempty"`
	ExitNodeIPSet             bool                `json:",omitempty"`
	InternalExitNodePriorSet  bool                `json:",omitempty"` // Internal; can't be set by LocalAPI clients
	ExitNodeAllowLANAccessSet bool                `json:",omitempty"`
	CorpDNSSet                bool                `json:",omitempty"`
	RunSSHSet                 bool                `json:",omitempty"`
	RunWebClientSet           bool                `json:",omitempty"`
	WantRunningSet            bool                `json:",omitempty"`
	LoggedOutSet              bool                `json:",omitempty"`
	ShieldsUpSet              bool                `json:",omitempty"`
	AdvertiseTagsSet          bool                `json:",omitempty"`
	HostnameSet               bool                `json:",omitempty"`
	NotepadURLsSet            bool                `json:",omitempty"`
	ForceDaemonSet            bool                `json:",omitempty"`
	EggSet                    bool                `json:",omitempty"`
	AdvertiseRoutesSet        bool                `json:",omitempty"`
	NoSNATSet                 bool                `json:",omitempty"`
	NoStatefulFilteringSet    bool                `json:",omitempty"`
	NetfilterModeSet          bool                `json:",omitempty"`
	OperatorUserSet           bool                `json:",omitempty"`
	ProfileNameSet            bool                `json:",omitempty"`
	AutoUpdateSet             AutoUpdatePrefsMask `json:",omitempty"`
	AppConnectorSet           bool                `json:",omitempty"`
	PostureCheckingSet        bool                `json:",omitempty"`
	NetfilterKindSet          bool                `json:",omitempty"`
	DriveSharesSet            bool                `json:",omitempty"`
}

MaskedPrefs is a Prefs with an associated bitmask of which fields are set.

Each FooSet field maps to a corresponding Foo field in Prefs. FooSet can be a struct, in which case inner fields of FooSet map to inner fields of Foo in Prefs (see AutoUpdateSet for example).

func (*MaskedPrefs) IsEmpty added in v1.34.0

func (m *MaskedPrefs) IsEmpty() bool

IsEmpty reports whether there are no masks set or if m is nil.

func (*MaskedPrefs) Pretty added in v1.8.0

func (m *MaskedPrefs) Pretty() string

func (*MaskedPrefs) SetsInternal added in v1.64.0

func (mp *MaskedPrefs) SetsInternal() bool

SetsInternal reports whether mp has any of the Internal*Set field bools set to true.

type NetworkProfile added in v1.56.0

type NetworkProfile struct {
	MagicDNSName string
	DomainName   string
}

NetworkProfile is a subset of netmap.NetworkMap that should be saved with each user profile.

func (NetworkProfile) RequiresBackfill added in v1.56.0

func (n NetworkProfile) RequiresBackfill() bool

RequiresBackfill reports whether this object lacks some of the data expected of it. The struct was a later addition to LoginProfile, so this method can be used to check whether a stored profile has been backfilled to the current expectation. For now it only checks whether the struct is empty; if new optional fields are added in the future, this method can be extended with more explicit checks for whether a backfill is needed.

type Notify

type Notify struct {
	Version string // version number of IPN backend

	// SessionID identifies the unique WatchIPNBus session.
	// This field is only set in the first message when requesting
	// NotifyInitialState. Clients must store it on their side as
	// following notifications will not include this field.
	SessionID string `json:",omitempty"`

	// ErrMessage, if non-nil, contains a critical error message.
	// For State InUseOtherUser, ErrMessage is not critical and just contains the details.
	ErrMessage *string

	LoginFinished *empty.Message     // non-nil when/if the login process succeeded
	State         *State             // if non-nil, the new or current IPN state
	Prefs         *PrefsView         // if non-nil && Valid, the new or current preferences
	NetMap        *netmap.NetworkMap // if non-nil, the new or current netmap
	Engine        *EngineStatus      // if non-nil, the new or current wireguard stats
	BrowseToURL   *string            // if non-nil, UI should open a browser right now
	BackendLogID  *string            // if non-nil, the public logtail ID used by backend

	// FilesWaiting if non-nil means that files are buffered in
	// the Tailscale daemon and ready for local transfer to the
	// user's preferred storage location.
	//
	// Deprecated: use LocalClient.AwaitWaitingFiles instead.
	FilesWaiting *empty.Message `json:",omitempty"`

	// IncomingFiles, if non-nil, specifies which files are in the
	// process of being received. A nil IncomingFiles means this
	// Notify should not update the state of file transfers. A non-nil
	// but empty IncomingFiles means that no files are in the middle
	// of being transferred.
	//
	// Deprecated: use LocalClient.AwaitWaitingFiles instead.
	IncomingFiles []PartialFile `json:",omitempty"`

	// OutgoingFiles, if non-nil, tracks which files are in the process of
	// being sent via TailDrop, including files that finished, whether
	// successful or failed. This slice is sorted by Started time, then Name.
	OutgoingFiles []*OutgoingFile `json:",omitempty"`

	// LocalTCPPort, if non-nil, informs the UI frontend which
	// (non-zero) localhost TCP port it's listening on.
	// This is currently only used by Tailscale when run in the
	// macOS Network Extension.
	LocalTCPPort *uint16 `json:",omitempty"`

	// ClientVersion, if non-nil, describes whether a client version update
	// is available.
	ClientVersion *tailcfg.ClientVersion `json:",omitempty"`

	// DriveShares tracks the full set of current DriveShares that we're
	// publishing. Some client applications, like the MacOS and Windows clients,
	// will listen for updates to this and handle serving these shares under
	// the identity of the unprivileged user that is running the application. A
	// nil value here means that we're not broadcasting shares information, an
	// empty value means that there are no shares.
	DriveShares views.SliceView[*drive.Share, drive.ShareView]

	// Health is the last-known health state of the backend. When this field is
	// non-nil, a change in health has been verified, and the API client should
	// surface any changes to the user in the UI.
	Health *health.State `json:",omitempty"`
	// contains filtered or unexported fields
}

Notify is a communication from a backend (e.g. tailscaled) to a frontend (cmd/tailscale, iOS, macOS, Win Tasktray). In any given notification, any or all of these may be nil, meaning that they have not changed. They are JSON-encoded on the wire, despite the lack of struct tags.

func (Notify) String added in v1.8.0

func (n Notify) String() string

type NotifyWatchOpt added in v1.34.0

type NotifyWatchOpt uint64

NotifyWatchOpt is a bitmask of options about what type of Notify messages to subscribe to.

const (
	// NotifyWatchEngineUpdates, if set, causes Engine updates to be sent to the
	// client either regularly or when they change, without having to ask for
	// each one via Engine.RequestStatus.
	NotifyWatchEngineUpdates NotifyWatchOpt = 1 << iota

	NotifyInitialState  // if set, the first Notify message (sent immediately) will contain the current State + BrowseToURL + SessionID
	NotifyInitialPrefs  // if set, the first Notify message (sent immediately) will contain the current Prefs
	NotifyInitialNetMap // if set, the first Notify message (sent immediately) will contain the current NetMap

	NotifyNoPrivateKeys        // if set, private keys that would normally be sent in updates are zeroed out
	NotifyInitialDriveShares   // if set, the first Notify message (sent immediately) will contain the current Taildrive Shares
	NotifyInitialOutgoingFiles // if set, the first Notify message (sent immediately) will contain the current Taildrop OutgoingFiles

	NotifyInitialHealthState // if set, the first Notify message (sent immediately) will contain the current health.State of the client
)

type Options

type Options struct {
	// FrontendLogID is the public logtail id used by the frontend.
	FrontendLogID string
	// UpdatePrefs, if provided, overrides the Prefs already stored in the
	// backend state, *except* for the Persist member.
	//
	// TODO(apenwarr): Rename this to Prefs, and possibly move Prefs.Persist
	// elsewhere entirely (as it always should have been).
	UpdatePrefs *Prefs
	// AuthKey is an optional node auth key used to authorize a
	// new node key without user interaction.
	AuthKey string
}

type OutgoingFile added in v1.64.0

type OutgoingFile struct {
	ID           string               `json:",omitempty"` // unique identifier for this transfer (a type 4 UUID)
	PeerID       tailcfg.StableNodeID `json:",omitempty"` // identifier for the peer to which this is being transferred
	Name         string               `json:",omitempty"` // e.g. "foo.jpg"
	Started      time.Time            // time transfer started
	DeclaredSize int64                // or -1 if unknown
	Sent         int64                // bytes copied thus far
	Finished     bool                 // indicates whether or not the transfer finished
	Succeeded    bool                 // for a finished transfer, indicates whether or not it was successful
}

OutgoingFile represents an in-progress outgoing file transfer.

type PartialFile added in v1.8.0

type PartialFile struct {
	Name         string    // e.g. "foo.jpg"
	Started      time.Time // time transfer started
	DeclaredSize int64     // or -1 if unknown
	Received     int64     // bytes copied thus far

	// PartialPath is set non-empty in "direct" file mode to the
	// in-progress '*.partial' file's path when the peerapi isn't
	// being used; see LocalBackend.SetDirectFileRoot.
	PartialPath string `json:",omitempty"`
	FinalPath   string `json:",omitempty"`

	// Done is set in "direct" mode when the partial file has been
	// closed and is ready for the caller to rename away the
	// ".partial" suffix.
	Done bool `json:",omitempty"`
}

PartialFile represents an in-progress incoming file transfer.

type Prefs

type Prefs struct {
	// ControlURL is the URL of the control server to use.
	//
	// If empty, the default for new installs, DefaultControlURL
	// is used. It's set non-empty once the daemon has been started
	// for the first time.
	//
	// TODO(apenwarr): Make it safe to update this with EditPrefs().
	// Right now, you have to pass it in the initial prefs in Start(),
	// which is the only code that actually uses the ControlURL value.
	// It would be more consistent to restart controlclient
	// automatically whenever this variable changes.
	//
	// Meanwhile, you have to provide this as part of
	// Options.LegacyMigrationPrefs or Options.UpdatePrefs when
	// calling Backend.Start().
	ControlURL string

	// RouteAll specifies whether to accept subnets advertised by
	// other nodes on the Tailscale network. Note that this does not
	// include default routes (0.0.0.0/0 and ::/0), those are
	// controlled by ExitNodeID/IP below.
	RouteAll bool

	// ExitNodeID and ExitNodeIP specify the node that should be used
	// as an exit node for internet traffic. At most one of these
	// should be non-zero.
	//
	// The preferred way to express the chosen node is ExitNodeID, but
	// in some cases it's not possible to use that ID (e.g. in the
	// linux CLI, before tailscaled has a netmap). For those
	// situations, we allow specifying the exit node by IP, and
	// ipnlocal.LocalBackend will translate the IP into an ID when the
	// node is found in the netmap.
	//
	// If the selected exit node doesn't exist (e.g. it's not part of
	// the current tailnet), or it doesn't offer exit node services, a
	// blackhole route will be installed on the local system to
	// prevent any traffic escaping to the local network.
	ExitNodeID tailcfg.StableNodeID
	ExitNodeIP netip.Addr

	// InternalExitNodePrior is the most recently used ExitNodeID in string form. It is set by
	// the backend on transition from exit node on to off and used by the
	// backend.
	//
	// As an Internal field, it can't be set by LocalAPI clients, rather it is set indirectly
	// when the ExitNodeID value is zero'd and via the set-use-exit-node-enabled endpoint.
	InternalExitNodePrior tailcfg.StableNodeID

	// ExitNodeAllowLANAccess indicates whether locally accessible subnets should be
	// routed directly or via the exit node.
	ExitNodeAllowLANAccess bool

	// CorpDNS specifies whether to install the Tailscale network's
	// DNS configuration, if it exists.
	CorpDNS bool

	// RunSSH bool is whether this node should run an SSH
	// server, permitting access to peers according to the
	// policies as configured by the Tailnet's admin(s).
	RunSSH bool

	// RunWebClient bool is whether this node should expose
	// its web client over Tailscale at port 5252,
	// permitting access to peers according to the
	// policies as configured by the Tailnet's admin(s).
	RunWebClient bool

	// WantRunning indicates whether networking should be active on
	// this node.
	WantRunning bool

	// LoggedOut indicates whether the user intends to be logged out.
	// There are other reasons we may be logged out, including no valid
	// keys.
	// We need to remember this state so that, on next startup, we can
	// generate the "Login" vs "Connect" buttons correctly, without having
	// to contact the server to confirm our nodekey status first.
	LoggedOut bool

	// ShieldsUp indicates whether to block all incoming connections,
	// regardless of the control-provided packet filter. If false, we
	// use the packet filter as provided. If true, we block incoming
	// connections. This overrides tailcfg.Hostinfo's ShieldsUp.
	ShieldsUp bool

	// AdvertiseTags specifies groups that this node wants to join, for
	// purposes of ACL enforcement. These can be referenced from the ACL
	// security policy. Note that advertising a tag doesn't guarantee that
	// the control server will allow you to take on the rights for that
	// tag.
	AdvertiseTags []string

	// Hostname is the hostname to use for identifying the node. If
	// not set, os.Hostname is used.
	Hostname string

	// NotepadURLs is a debugging setting that opens OAuth URLs in
	// notepad.exe on Windows, rather than loading them in a browser.
	//
	// apenwarr 2020-04-29: Unfortunately this is still needed sometimes.
	// Windows' default browser setting is sometimes screwy and this helps
	// users narrow it down a bit.
	NotepadURLs bool

	// ForceDaemon specifies whether a platform that normally
	// operates in "client mode" (that is, requires an active user
	// logged in with the GUI app running) should keep running after the
	// GUI ends and/or the user logs out.
	//
	// The only current applicable platform is Windows. This
	// forces Windows to go into "server mode" where Tailscale is
	// running even with no users logged in. This might also be
	// used for macOS in the future. This setting has no effect
	// for Linux/etc, which always operate in daemon mode.
	ForceDaemon bool `json:"ForceDaemon,omitempty"`

	// Egg is an optional debug flag.
	Egg bool `json:",omitempty"`

	// AdvertiseRoutes specifies CIDR prefixes to advertise into the
	// Tailscale network as reachable through the current
	// node.
	AdvertiseRoutes []netip.Prefix

	// NoSNAT specifies whether to source NAT traffic going to
	// destinations in AdvertiseRoutes. The default is to apply source
	// NAT, which makes the traffic appear to come from the router
	// machine rather than the peer's Tailscale IP.
	//
	// Disabling SNAT requires additional manual configuration in your
	// network to route Tailscale traffic back to the subnet relay
	// machine.
	//
	// Linux-only.
	NoSNAT bool

	// NoStatefulFiltering specifies whether to apply stateful filtering when
	// advertising routes in AdvertiseRoutes. The default is to not apply
	// stateful filtering.
	//
	// To allow inbound connections from advertised routes, both NoSNAT and
	// NoStatefulFiltering must be true.
	//
	// This is an opt.Bool because it was first added after NoSNAT, with a
	// backfill based on the value of that parameter. The backfill has been
	// removed since then, but the field remains an opt.Bool.
	//
	// Linux-only.
	NoStatefulFiltering opt.Bool `json:",omitempty"`

	// NetfilterMode specifies how much to manage netfilter rules for
	// Tailscale, if at all.
	NetfilterMode preftype.NetfilterMode

	// OperatorUser is the local machine user name who is allowed to
	// operate tailscaled without being root or using sudo.
	OperatorUser string `json:",omitempty"`

	// ProfileName is the desired name of the profile. If empty, then the user's
	// LoginName is used. It is only used for display purposes in the client UI
	// and CLI.
	ProfileName string `json:",omitempty"`

	// AutoUpdate sets the auto-update preferences for the node agent. See
	// AutoUpdatePrefs docs for more details.
	AutoUpdate AutoUpdatePrefs

	// AppConnector sets the app connector preferences for the node agent. See
	// AppConnectorPrefs docs for more details.
	AppConnector AppConnectorPrefs

	// PostureChecking enables the collection of information used for device
	// posture checks.
	PostureChecking bool

	// NetfilterKind specifies what netfilter implementation to use.
	//
	// Linux-only.
	NetfilterKind string

	// DriveShares are the configured DriveShares, stored in increasing order
	// by name.
	DriveShares []*drive.Share

	// AllowSingleHosts was a legacy field that was always true
	// for the past 4.5 years. It controlled whether Tailscale
	// peers got /32 or /127 routes for each other.
	// As of 2024-05-17 we're starting to ignore it, but to let
	// people still downgrade Tailscale versions and not break
	// all peer-to-peer networking we still write it to disk (as JSON)
	// so it can be loaded back by old versions.
	// TODO(bradfitz): delete this in 2025 sometime. See #12058.
	AllowSingleHosts marshalAsTrueInJSON

	// The Persist field is named 'Config' in the file for backward
	// compatibility with earlier versions.
	// TODO(apenwarr): We should move this out of here, it's not a pref.
	//  We can maybe do that once we're sure which module should persist
	//  it (backend or frontend?)
	Persist *persist.Persist `json:"Config"`
}

Prefs are the user modifiable settings of the Tailscale node agent. When you add a Pref to this struct, remember to add a corresponding field in MaskedPrefs, and check your field for equality in Prefs.Equals().

func LoadPrefsWindows added in v1.66.0

func LoadPrefsWindows(filename string) (*Prefs, error)

LoadPrefsWindows loads a legacy relaynode config file into Prefs with sensible migration defaults set. Windows-only.

func NewPrefs

func NewPrefs() *Prefs

NewPrefs returns the default preferences to use.

func (*Prefs) AdminPageURL added in v1.12.0

func (p *Prefs) AdminPageURL() string

AdminPageURL returns the admin web site URL for the current ControlURL.

func (*Prefs) AdvertisesExitNode added in v1.20.0

func (p *Prefs) AdvertisesExitNode() bool

AdvertisesExitNode reports whether p is advertising both the v4 and v6 /0 exit node routes.

func (*Prefs) ApplyEdits added in v1.8.0

func (p *Prefs) ApplyEdits(m *MaskedPrefs)

ApplyEdits mutates p, assigning fields from m.Prefs for each MaskedPrefs Set field that's true.

func (*Prefs) ClearExitNode added in v1.24.0

func (p *Prefs) ClearExitNode()

ClearExitNode sets the ExitNodeID and ExitNodeIP to their zero values.

func (*Prefs) Clone

func (src *Prefs) Clone() *Prefs

Clone makes a deep copy of Prefs. The result aliases no memory with the original.

func (*Prefs) ControlURLOrDefault added in v1.8.0

func (p *Prefs) ControlURLOrDefault() string

ControlURLOrDefault returns the coordination server's URL base.

If not configured, or if the configured value is a legacy name equivalent to the default, then DefaultControlURL is returned instead.

func (*Prefs) Equals

func (p *Prefs) Equals(p2 *Prefs) bool

func (*Prefs) IsEmpty

func (p *Prefs) IsEmpty() bool

IsEmpty reports whether p is nil or pointing to a Prefs zero value.

func (*Prefs) Pretty

func (p *Prefs) Pretty() string

func (*Prefs) SetAdvertiseExitNode added in v1.20.0

func (p *Prefs) SetAdvertiseExitNode(runExit bool)

SetAdvertiseExitNode mutates p (if non-nil) to add or remove the two /0 exit node routes.

func (*Prefs) SetExitNodeIP added in v1.24.0

func (p *Prefs) SetExitNodeIP(s string, st *ipnstate.Status) error

SetExitNodeIP validates and sets the ExitNodeIP from a user-provided string specifying either an IP address or a MagicDNS base name ("foo", as opposed to "foo.bar.beta.tailscale.net"). This method does not mutate ExitNodeID and will fail if ExitNodeID is already set.

func (*Prefs) ShouldSSHBeRunning added in v1.26.0

func (p *Prefs) ShouldSSHBeRunning() bool

ShouldSSHBeRunning reports whether the SSH server should be running based on the prefs.

func (*Prefs) ShouldWebClientBeRunning added in v1.54.0

func (p *Prefs) ShouldWebClientBeRunning() bool

ShouldWebClientBeRunning reports whether the web client server should be running based on the prefs.

func (*Prefs) ToBytes

func (p *Prefs) ToBytes() []byte

func (*Prefs) View added in v1.32.3

func (p *Prefs) View() PrefsView

View returns a readonly view of Prefs.

type PrefsView added in v1.32.3

type PrefsView struct {
	// contains filtered or unexported fields
}

PrefsView provides a read-only view over Prefs.

Its methods should only be called if `Valid()` returns true.

func (PrefsView) AdminPageURL added in v1.34.0

func (p PrefsView) AdminPageURL() string

AdminPageURL returns the admin web site URL for the current ControlURL.

func (PrefsView) AdvertiseRoutes added in v1.32.3

func (v PrefsView) AdvertiseRoutes() views.Slice[netip.Prefix]

func (PrefsView) AdvertiseTags added in v1.32.3

func (v PrefsView) AdvertiseTags() views.Slice[string]

func (PrefsView) AdvertisesExitNode added in v1.34.0

func (p PrefsView) AdvertisesExitNode() bool

AdvertisesExitNode reports whether p is advertising both the v4 and v6 /0 exit node routes.

func (PrefsView) AllowSingleHosts added in v1.32.3

func (v PrefsView) AllowSingleHosts() marshalAsTrueInJSON

func (PrefsView) AppConnector added in v1.54.0

func (v PrefsView) AppConnector() AppConnectorPrefs

func (PrefsView) AsStruct added in v1.32.3

func (v PrefsView) AsStruct() *Prefs

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (PrefsView) AutoUpdate added in v1.50.0

func (v PrefsView) AutoUpdate() AutoUpdatePrefs

func (PrefsView) ControlURL added in v1.32.3

func (v PrefsView) ControlURL() string

func (PrefsView) ControlURLOrDefault added in v1.32.3

func (p PrefsView) ControlURLOrDefault() string

ControlURLOrDefault returns the coordination server's URL base.

If not configured, or if the configured value is a legacy name equivalent to the default, then DefaultControlURL is returned instead.

func (PrefsView) CorpDNS added in v1.32.3

func (v PrefsView) CorpDNS() bool

func (PrefsView) DriveShares added in v1.64.0

func (v PrefsView) DriveShares() views.SliceView[*drive.Share, drive.ShareView]

func (PrefsView) Egg added in v1.32.3

func (v PrefsView) Egg() bool

func (PrefsView) Equals added in v1.32.3

func (p PrefsView) Equals(p2 PrefsView) bool

func (PrefsView) ExitNodeAllowLANAccess added in v1.32.3

func (v PrefsView) ExitNodeAllowLANAccess() bool

func (PrefsView) ExitNodeID added in v1.32.3

func (v PrefsView) ExitNodeID() tailcfg.StableNodeID

func (PrefsView) ExitNodeIP added in v1.32.3

func (v PrefsView) ExitNodeIP() netip.Addr

func (PrefsView) ForceDaemon added in v1.32.3

func (v PrefsView) ForceDaemon() bool

func (PrefsView) Hostname added in v1.32.3

func (v PrefsView) Hostname() string

func (PrefsView) InternalExitNodePrior added in v1.64.0

func (v PrefsView) InternalExitNodePrior() tailcfg.StableNodeID

func (PrefsView) LoggedOut added in v1.32.3

func (v PrefsView) LoggedOut() bool

func (PrefsView) MarshalJSON added in v1.32.3

func (v PrefsView) MarshalJSON() ([]byte, error)

func (PrefsView) NetfilterKind added in v1.56.0

func (v PrefsView) NetfilterKind() string

func (PrefsView) NetfilterMode added in v1.32.3

func (v PrefsView) NetfilterMode() preftype.NetfilterMode

func (PrefsView) NoSNAT added in v1.32.3

func (v PrefsView) NoSNAT() bool

func (PrefsView) NoStatefulFiltering added in v1.66.0

func (v PrefsView) NoStatefulFiltering() opt.Bool

func (PrefsView) NotepadURLs added in v1.32.3

func (v PrefsView) NotepadURLs() bool

func (PrefsView) OperatorUser added in v1.32.3

func (v PrefsView) OperatorUser() string

func (PrefsView) Persist added in v1.32.3

func (v PrefsView) Persist() persist.PersistView

func (PrefsView) PostureChecking added in v1.52.0

func (v PrefsView) PostureChecking() bool

func (PrefsView) Pretty added in v1.32.3

func (p PrefsView) Pretty() string

func (PrefsView) ProfileName added in v1.34.0

func (v PrefsView) ProfileName() string

func (PrefsView) RouteAll added in v1.32.3

func (v PrefsView) RouteAll() bool

func (PrefsView) RunSSH added in v1.32.3

func (v PrefsView) RunSSH() bool

func (PrefsView) RunWebClient added in v1.54.0

func (v PrefsView) RunWebClient() bool

func (PrefsView) ShieldsUp added in v1.32.3

func (v PrefsView) ShieldsUp() bool

func (PrefsView) ShouldSSHBeRunning added in v1.32.3

func (p PrefsView) ShouldSSHBeRunning() bool

ShouldSSHBeRunning reports whether the SSH server should be running based on the prefs.

func (PrefsView) ShouldWebClientBeRunning added in v1.54.0

func (p PrefsView) ShouldWebClientBeRunning() bool

ShouldWebClientBeRunning reports whether the web client server should be running based on the prefs.

func (PrefsView) ToBytes added in v1.32.3

func (p PrefsView) ToBytes() []byte

func (*PrefsView) UnmarshalJSON added in v1.32.3

func (v *PrefsView) UnmarshalJSON(b []byte) error

func (PrefsView) Valid added in v1.32.3

func (v PrefsView) Valid() bool

Valid reports whether underlying value is non-nil.

func (PrefsView) WantRunning added in v1.32.3

func (v PrefsView) WantRunning() bool

type ProfileID added in v1.34.0

type ProfileID string

ProfileID is an auto-generated system-wide unique identifier for a login profile. It is a 4 character hex string like "1ab3".

type ServeConfig added in v1.34.0

type ServeConfig struct {
	// TCP are the list of TCP port numbers that tailscaled should handle for
	// the Tailscale IP addresses. (not subnet routers, etc)
	TCP map[uint16]*TCPPortHandler `json:",omitempty"`

	// Web maps from "$SNI_NAME:$PORT" to a set of HTTP handlers
	// keyed by mount point ("/", "/foo", etc)
	Web map[HostPort]*WebServerConfig `json:",omitempty"`

	// AllowFunnel is the set of SNI:port values for which funnel
	// traffic is allowed, from trusted ingress peers.
	AllowFunnel map[HostPort]bool `json:",omitempty"`

	// Foreground is a map of an IPN Bus session ID to an alternate foreground
	// serve config that's valid for the life of that WatchIPNBus session ID.
	// This allows the config to specify ephemeral configs that are
	// used in the CLI's foreground mode to ensure ungraceful shutdowns
	// of either the client or the LocalBackend do not expose ports
	// that users are not aware of.
	Foreground map[string]*ServeConfig `json:",omitempty"`

	// ETag is the checksum of the serve config that's populated
	// by the LocalClient through the HTTP ETag header during a
	// GetServeConfig request and is translated to an If-Match header
	// during a SetServeConfig request.
	ETag string `json:"-"`
}

ServeConfig is the JSON type stored in the StateStore for StateKey "_serve/$PROFILE_ID" as returned by ServeConfigKey.

func (*ServeConfig) Clone added in v1.34.0

func (src *ServeConfig) Clone() *ServeConfig

Clone makes a deep copy of ServeConfig. The result aliases no memory with the original.

func (*ServeConfig) FindConfig added in v1.62.0

func (sc *ServeConfig) FindConfig(port uint16) (*ServeConfig, bool)

FindConfig finds a config that contains the given port, which can be the top level background config or an inner foreground one. The second result is true if it's foreground.

func (*ServeConfig) GetTCPPortHandler added in v1.34.0

func (sc *ServeConfig) GetTCPPortHandler(port uint16) *TCPPortHandler

GetTCPPortHandler returns the TCPPortHandler for the given port. If the port is not configured, nil is returned.

func (*ServeConfig) GetWebHandler added in v1.34.0

func (sc *ServeConfig) GetWebHandler(hp HostPort, mount string) *HTTPHandler

GetWebHandler returns the HTTPHandler for the given host:port and mount point. Returns nil if the handler does not exist.

func (*ServeConfig) HasPathHandler added in v1.44.3

func (sc *ServeConfig) HasPathHandler() bool

HasPathHandler reports whether ServeConfig has at least one path handler, including foreground configs.

func (*ServeConfig) IsFunnelOn added in v1.34.0

func (sc *ServeConfig) IsFunnelOn() bool

IsFunnelOn reports whether ServeConfig is currently allowing funnel traffic for any host:port.

func (*ServeConfig) IsServingHTTP added in v1.44.0

func (sc *ServeConfig) IsServingHTTP(port uint16) bool

IsServingHTTP reports whether ServeConfig is currently serving HTTP on the given port. This is exclusive of HTTPS and TCPForwarding.

func (*ServeConfig) IsServingHTTPS added in v1.44.0

func (sc *ServeConfig) IsServingHTTPS(port uint16) bool

IsServingHTTPS reports whether ServeConfig is currently serving HTTPS on the given port. This is exclusive of HTTP and TCPForwarding.

func (*ServeConfig) IsServingWeb added in v1.34.0

func (sc *ServeConfig) IsServingWeb(port uint16) bool

IsServingWeb reports whether ServeConfig is currently serving Web (HTTP/HTTPS) on the given port. This is exclusive of TCPForwarding.

func (*ServeConfig) IsTCPForwardingAny added in v1.34.0

func (sc *ServeConfig) IsTCPForwardingAny() bool

IsTCPForwardingAny reports whether ServeConfig is currently forwarding in TCPForward mode on any port. This is exclusive of Web/HTTPS serving.

func (*ServeConfig) IsTCPForwardingOnPort added in v1.34.0

func (sc *ServeConfig) IsTCPForwardingOnPort(port uint16) bool

IsTCPForwardingOnPort reports whether ServeConfig is currently forwarding in TCPForward mode on the given port. This is exclusive of Web/HTTPS serving.

func (*ServeConfig) RemoveTCPForwarding added in v1.62.0

func (sc *ServeConfig) RemoveTCPForwarding(port uint16)

RemoveTCPForwarding deletes the TCP forwarding configuration for the given port from the serve config.

func (*ServeConfig) RemoveWebHandler added in v1.62.0

func (sc *ServeConfig) RemoveWebHandler(host string, port uint16, mounts []string, cleanupFunnel bool)

RemoveWebHandler deletes the web handlers at all of the given mount points for the provided host and port in the serve config. If cleanupFunnel is true, this also removes the funnel value for this port if no handlers remain.

func (*ServeConfig) SetFunnel added in v1.62.0

func (sc *ServeConfig) SetFunnel(host string, port uint16, setOn bool)

SetFunnel sets the sc.AllowFunnel value for the given host and port.

func (*ServeConfig) SetTCPForwarding added in v1.62.0

func (sc *ServeConfig) SetTCPForwarding(port uint16, fwdAddr string, terminateTLS bool, host string)

SetTCPForwarding sets the fwdAddr (IP:port form) to which to forward connections from the given port. If terminateTLS is true, TLS connections are terminated with only the given host name permitted before passing them to the fwdAddr.

func (*ServeConfig) SetWebHandler added in v1.62.0

func (sc *ServeConfig) SetWebHandler(handler *HTTPHandler, host string, port uint16, mount string, useTLS bool)

SetWebHandler sets the given HTTPHandler at the specified host, port, and mount in the serve config. sc.TCP is also updated to reflect web serving usage of the given port.

func (*ServeConfig) View added in v1.34.0

func (p *ServeConfig) View() ServeConfigView

View returns a readonly view of ServeConfig.

func (*ServeConfig) WebHandlerExists added in v1.34.0

func (sc *ServeConfig) WebHandlerExists(hp HostPort, mount string) bool

WebHandlerExists reports whether the ServeConfig Web handler exists for the given host:port and mount point.

type ServeConfigView added in v1.34.0

type ServeConfigView struct {
	// contains filtered or unexported fields
}

ServeConfigView provides a read-only view over ServeConfig.

Its methods should only be called if `Valid()` returns true.

func (ServeConfigView) AllowFunnel added in v1.34.0

func (v ServeConfigView) AllowFunnel() views.Map[HostPort, bool]

func (ServeConfigView) AsStruct added in v1.34.0

func (v ServeConfigView) AsStruct() *ServeConfig

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (ServeConfigView) ETag added in v1.50.0

func (v ServeConfigView) ETag() string

func (ServeConfigView) FindTCP added in v1.50.0

func (v ServeConfigView) FindTCP(port uint16) (res TCPPortHandlerView, ok bool)

FindTCP returns the first TCPPortHandler that matches the given port. It prefers a foreground match, falling back to a background search if none exists.

func (ServeConfigView) FindWeb added in v1.50.0

func (v ServeConfigView) FindWeb(hp HostPort) (res WebServerConfigView, ok bool)

FindWeb returns the first WebServerConfig that matches the given HostPort. It prefers a foreground match, falling back to a background search if none exists.

func (ServeConfigView) Foreground added in v1.50.0

func (ServeConfigView) HasAllowFunnel added in v1.50.0

func (v ServeConfigView) HasAllowFunnel() bool

HasAllowFunnel returns whether this config has at least one AllowFunnel set in the background or foreground configs.

func (ServeConfigView) HasFunnelForTarget added in v1.50.0

func (v ServeConfigView) HasFunnelForTarget(target HostPort) bool

HasFunnelForTarget reports whether target exists in either the background AllowFunnel or any of the foreground configs.

func (ServeConfigView) IsFunnelOn added in v1.38.4

func (v ServeConfigView) IsFunnelOn() bool

IsFunnelOn reports whether ServeConfig is currently allowing funnel traffic for any host:port.

View version of ServeConfig.IsFunnelOn.

func (ServeConfigView) MarshalJSON added in v1.34.0

func (v ServeConfigView) MarshalJSON() ([]byte, error)

func (ServeConfigView) RangeOverTCPs added in v1.50.0

func (v ServeConfigView) RangeOverTCPs(f func(port uint16, _ TCPPortHandlerView) bool)

RangeOverTCPs ranges over both background and foreground TCPs. If the returned bool from the given f is false, then this function stops iterating immediately and does not check other foreground configs.

func (ServeConfigView) RangeOverWebs added in v1.50.0

func (v ServeConfigView) RangeOverWebs(f func(_ HostPort, conf WebServerConfigView) bool)

RangeOverWebs ranges over both background and foreground Webs. If the returned bool from the given f is false, then this function stops iterating immediately and does not check other foreground configs.

func (ServeConfigView) TCP added in v1.34.0

func (*ServeConfigView) UnmarshalJSON added in v1.34.0

func (v *ServeConfigView) UnmarshalJSON(b []byte) error

func (ServeConfigView) Valid added in v1.34.0

func (v ServeConfigView) Valid() bool

Valid reports whether underlying value is non-nil.

func (ServeConfigView) Web added in v1.34.0

type State

type State int
const (
	NoState          State = 0
	InUseOtherUser   State = 1
	NeedsLogin       State = 2
	NeedsMachineAuth State = 3
	Stopped          State = 4
	Starting         State = 5
	Running          State = 6
)

func (State) String

func (s State) String() string

type StateKey

type StateKey string

StateKey is an opaque identifier for a set of LocalBackend state (preferences, private keys, etc.). It is also used as a key for the various LoginProfiles that the instance may be signed into.

Additionally, a StateKey can be a debug setting name:

  • "_debug_magicsock_until" with value being a unix timestamp stringified
  • "_debug_<component>_until" with value being a unix timestamp stringified

func CurrentProfileKey added in v1.34.0

func CurrentProfileKey(userID string) StateKey

CurrentProfileKey returns the StateKey that stores the current profile ID. The value is a JSON-encoded LoginProfile. If the userID is empty, the key returned is CurrentProfileStateKey, otherwise it is "_current/"+userID.

func ServeConfigKey added in v1.34.0

func ServeConfigKey(profileID ProfileID) StateKey

ServeConfigKey returns a StateKey that stores the JSON-encoded ServeConfig for a config profile.

type StateStore

type StateStore interface {
	// ReadState returns the bytes associated with ID. Returns (nil,
	// ErrStateNotExist) if the ID doesn't have associated state.
	ReadState(id StateKey) ([]byte, error)
	// WriteState saves bs as the state associated with ID.
	//
	// Callers should generally use the ipn.WriteState wrapper func
	// instead, which only writes if the value is different from what's
	// already in the store.
	WriteState(id StateKey, bs []byte) error
}

StateStore persists state, and produces it back on request. Implementations of StateStore are expected to be safe for concurrent use.
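The write-if-changed wrapper described above, as an added example that is not the package's own code: StateKey, StateStore and ErrStateNotExist are redeclared locally with the shapes given on this page, and MemStore is a hypothetical in-memory implementation.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"sync"
)

// StateKey, StateStore and ErrStateNotExist mirror the names on this page;
// they are redeclared locally so the example builds without tailscale.com.
type StateKey string

type StateStore interface {
	ReadState(id StateKey) ([]byte, error)
	WriteState(id StateKey, bs []byte) error
}

var ErrStateNotExist = errors.New("ipn: state does not exist")

// MemStore is a hypothetical in-memory StateStore. A mutex makes it safe for
// concurrent use, as the page requires of implementations, and Writes counts
// backing-store writes so the effect of the wrapper below is observable.
type MemStore struct {
	mu     sync.Mutex
	data   map[StateKey][]byte
	Writes int
}

func NewMemStore() *MemStore {
	return &MemStore{data: make(map[StateKey][]byte)}
}

// ReadState returns a copy so callers cannot mutate stored state in place.
func (s *MemStore) ReadState(id StateKey) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	bs, ok := s.data[id]
	if !ok {
		return nil, ErrStateNotExist
	}
	return append([]byte(nil), bs...), nil
}

// WriteState stores a copy of bs unconditionally; it is the raw primitive the
// page says callers should normally reach through the wrapper instead.
func (s *MemStore) WriteState(id StateKey, bs []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.data[id] = append([]byte(nil), bs...)
	s.Writes++
	return nil
}

// WriteState is the write-if-changed wrapper the page describes: it reads the
// current value and only touches the backing store when the bytes differ.
// Any read error other than "not exist" is surfaced rather than masked by a
// blind overwrite, which matters when the key holds a node's private key.
func WriteState(store StateStore, id StateKey, bs []byte) error {
	cur, err := store.ReadState(id)
	switch {
	case err == nil && bytes.Equal(cur, bs):
		return nil
	case err != nil && !errors.Is(err, ErrStateNotExist):
		return err
	}
	return store.WriteState(id, bs)
}

func main() {
	s := NewMemStore()
	key := StateKey("_machinekey") // MachineKeyStateKey on this page
	_ = WriteState(s, key, []byte("constructed-key-material"))
	_ = WriteState(s, key, []byte("constructed-key-material")) // no-op: unchanged
	fmt.Println("backing writes:", s.Writes) // 1
}
```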

type StateStoreDialerSetter added in v1.40.0

type StateStoreDialerSetter interface {
	SetDialer(d func(ctx context.Context, network, address string) (net.Conn, error))
}

StateStoreDialerSetter is an optional interface that StateStores can implement to allow the caller to set a custom dialer.

type TCPPortHandler added in v1.34.0

type TCPPortHandler struct {
	// HTTPS, if true, means that tailscaled should handle this connection as an
	// HTTPS request as configured by ServeConfig.Web.
	//
	// It is mutually exclusive with TCPForward.
	HTTPS bool `json:",omitempty"`

	// HTTP, if true, means that tailscaled should handle this connection as an
	// HTTP request as configured by ServeConfig.Web.
	//
	// It is mutually exclusive with TCPForward.
	HTTP bool `json:",omitempty"`

	// TCPForward is the IP:port to forward TCP connections to.
	// Whether or not TLS is terminated by tailscaled depends on
	// TerminateTLS.
	//
	// It is mutually exclusive with HTTPS.
	TCPForward string `json:",omitempty"`

	// TerminateTLS, if non-empty, means that tailscaled should terminate the
	// TLS connections before forwarding them to TCPForward, permitting only the
	// SNI name with this value. It is only used if TCPForward is non-empty.
	// (the HTTPS mode uses ServeConfig.Web)
	TerminateTLS string `json:",omitempty"`
}

TCPPortHandler describes what to do when handling a TCP connection.
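An added example, not the package's own code, covering both the ServeConfig layout above (background TCP map, AllowFunnel, per-session Foreground configs) and the TCPPortHandler exclusivity rules: it parses a serialized ServeConfig, rejects handlers that violate those rules, and lists every host:port that AllowFunnel exposes. The types are local mirrors of the ones on this page; HostPort as a plain "host:port" string, FunnelExposure and AuditServeConfig are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Local mirrors of the ServeConfig, TCPPortHandler and HostPort shapes on this
// page, so the example builds without tailscale.com. Assumption: HostPort is a "host:port" string.
type HostPort string

type TCPPortHandler struct {
	HTTPS        bool   `json:",omitempty"`
	HTTP         bool   `json:",omitempty"`
	TCPForward   string `json:",omitempty"`
	TerminateTLS string `json:",omitempty"`
}

type ServeConfig struct {
	TCP         map[uint16]*TCPPortHandler `json:",omitempty"`
	AllowFunnel map[HostPort]bool          `json:",omitempty"`
	Foreground  map[string]*ServeConfig    `json:",omitempty"`
}

// FunnelExposure (hypothetical) is one host:port AllowFunnel opens to ingress peers.
type FunnelExposure struct {
	Target  HostPort
	Session string // IPN Bus session ID for a foreground config, "" for background
}

// validateHandler enforces the rules in the TCPPortHandler doc comments: HTTP/HTTPS
// are mutually exclusive with TCPForward, and TerminateTLS is only used with TCPForward.
func validateHandler(port uint16, h *TCPPortHandler) error {
	switch {
	case h == nil:
		return fmt.Errorf("port %d: nil handler", port)
	case (h.HTTP || h.HTTPS) && h.TCPForward != "":
		return fmt.Errorf("port %d: HTTP/HTTPS and TCPForward are mutually exclusive", port)
	case h.TerminateTLS != "" && h.TCPForward == "":
		return fmt.Errorf("port %d: TerminateTLS requires TCPForward", port)
	case !h.HTTP && !h.HTTPS && h.TCPForward == "":
		return fmt.Errorf("port %d: handler selects no mode", port)
	}
	return nil
}

// AuditServeConfig (hypothetical) parses a serialized ServeConfig, validates
// every TCP handler in the background config and each foreground session,
// and returns the funnel exposures sorted by target so an operator can see
// exactly which host:ports are reachable from outside the tailnet.
func AuditServeConfig(raw []byte) ([]FunnelExposure, error) {
	var sc ServeConfig
	if err := json.Unmarshal(raw, &sc); err != nil {
		return nil, err
	}
	var out []FunnelExposure
	walk := func(session string, c *ServeConfig) error {
		if c == nil {
			return nil
		}
		for port, h := range c.TCP {
			if err := validateHandler(port, h); err != nil {
				return err
			}
		}
		for hp, on := range c.AllowFunnel {
			if on {
				out = append(out, FunnelExposure{Target: hp, Session: session})
			}
		}
		return nil
	}
	if err := walk("", &sc); err != nil {
		return nil, err
	}
	for id, fg := range sc.Foreground {
		if err := walk(id, fg); err != nil {
			return nil, fmt.Errorf("foreground session %q: %w", id, err)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Target < out[j].Target })
	return out, nil
}
```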

func (*TCPPortHandler) Clone added in v1.34.0

func (src *TCPPortHandler) Clone() *TCPPortHandler

Clone makes a deep copy of TCPPortHandler. The result aliases no memory with the original.

func (*TCPPortHandler) View added in v1.34.0

View returns a readonly view of TCPPortHandler.

type TCPPortHandlerView added in v1.34.0

type TCPPortHandlerView struct {
	// contains filtered or unexported fields
}

TCPPortHandlerView provides a read-only view over TCPPortHandler.

Its methods should only be called if `Valid()` returns true.

func (TCPPortHandlerView) AsStruct added in v1.34.0

func (v TCPPortHandlerView) AsStruct() *TCPPortHandler

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (TCPPortHandlerView) HTTP added in v1.44.0

func (v TCPPortHandlerView) HTTP() bool

func (TCPPortHandlerView) HTTPS added in v1.34.0

func (v TCPPortHandlerView) HTTPS() bool

func (TCPPortHandlerView) MarshalJSON added in v1.34.0

func (v TCPPortHandlerView) MarshalJSON() ([]byte, error)

func (TCPPortHandlerView) TCPForward added in v1.34.0

func (v TCPPortHandlerView) TCPForward() string

func (TCPPortHandlerView) TerminateTLS added in v1.34.0

func (v TCPPortHandlerView) TerminateTLS() string

func (*TCPPortHandlerView) UnmarshalJSON added in v1.34.0

func (v *TCPPortHandlerView) UnmarshalJSON(b []byte) error

func (TCPPortHandlerView) Valid added in v1.34.0

func (v TCPPortHandlerView) Valid() bool

Valid reports whether underlying value is non-nil.

type WebServerConfig added in v1.34.0

type WebServerConfig struct {
	Handlers map[string]*HTTPHandler // mountPoint => handler
}

WebServerConfig describes a web server's configuration.

func (*WebServerConfig) Clone added in v1.34.0

func (src *WebServerConfig) Clone() *WebServerConfig

Clone makes a deep copy of WebServerConfig. The result aliases no memory with the original.

func (*WebServerConfig) View added in v1.34.0

View returns a readonly view of WebServerConfig.

type WebServerConfigView added in v1.34.0

type WebServerConfigView struct {
	// contains filtered or unexported fields
}

WebServerConfigView provides a read-only view over WebServerConfig.

Its methods should only be called if `Valid()` returns true.

func (WebServerConfigView) AsStruct added in v1.34.0

func (v WebServerConfigView) AsStruct() *WebServerConfig

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (WebServerConfigView) Handlers added in v1.34.0

func (WebServerConfigView) MarshalJSON added in v1.34.0

func (v WebServerConfigView) MarshalJSON() ([]byte, error)

func (*WebServerConfigView) UnmarshalJSON added in v1.34.0

func (v *WebServerConfigView) UnmarshalJSON(b []byte) error

func (WebServerConfigView) Valid added in v1.34.0

func (v WebServerConfigView) Valid() bool

Valid reports whether underlying value is non-nil.

type WindowsUserID added in v1.34.0

type WindowsUserID string

WindowsUserID is a userid (suitable for passing to ipnauth.LookupUserFromID or os/user.LookupId) but only set on Windows. It's empty on all other platforms, unless envknob.GOOS is in use, making Linux act like Windows for tests.

Directories

Path Synopsis
conffile
Package conffile contains code to load, manipulate, and access config file settings.
ipnauth
Package ipnauth controls access to the LocalAPI.
ipnlocal
Package ipnlocal is the heart of the Tailscale node agent that controls all the other misc pieces of the Tailscale node.
ipnserver
Package ipnserver runs the LocalAPI HTTP server that communicates with the LocalBackend.
ipnstate
Package ipnstate captures the entire state of the Tailscale network.
localapi
Package localapi contains the HTTP server handlers for tailscaled's API server.
policy
Package policy contains various policy decisions that need to be shared between the node client & control server.
store
Package store provides various implementations of ipn.StateStore.
store/awsstore
Package awsstore contains an ipn.StateStore implementation using AWS SSM.
store/kubestore
Package kubestore contains an ipn.StateStore implementation using Kubernetes Secrets.
store/mem
Package mem provides an in-memory ipn.StateStore implementation.
