Documentation ¶
Overview ¶
Package ipn implements the interactions between the Tailscale cloud control plane and the local network stack.
IPN is the abbreviated name for a Tailscale network. What's less clear is what it's an abbreviation for: Identified Private Network? IP Network? Internet Private Network? I Privately Network?
Index ¶
- Constants
- Variables
- func CheckFunnelAccess(port uint16, nodeAttrs []string) error
- func IsLoginServerSynonym(val any) bool
- func PutStoreInt(store StateStore, id StateKey, val int64) error
- func ReadStoreInt(store StateStore, id StateKey) (int64, error)
- func SavePrefs(filename string, p *Prefs)
- type EngineStatus
- type ExitNodeLocalIPError
- type FunnelConn
- type HTTPHandler
- type HTTPHandlerView
- func (v HTTPHandlerView) AsStruct() *HTTPHandler
- func (v HTTPHandlerView) MarshalJSON() ([]byte, error)
- func (v HTTPHandlerView) Path() string
- func (v HTTPHandlerView) Proxy() string
- func (v HTTPHandlerView) Text() string
- func (v *HTTPHandlerView) UnmarshalJSON(b []byte) error
- func (v HTTPHandlerView) Valid() bool
- type HostPort
- type LoginProfile
- type MaskedPrefs
- type Notify
- type NotifyWatchOpt
- type Options
- type PartialFile
- type Prefs
- func (p *Prefs) AdminPageURL() string
- func (p *Prefs) AdvertisesExitNode() bool
- func (p *Prefs) ApplyEdits(m *MaskedPrefs)
- func (p *Prefs) ClearExitNode()
- func (src *Prefs) Clone() *Prefs
- func (p *Prefs) ControlURLOrDefault() string
- func (p *Prefs) Equals(p2 *Prefs) bool
- func (p *Prefs) IsEmpty() bool
- func (p *Prefs) Pretty() string
- func (p *Prefs) SetAdvertiseExitNode(runExit bool)
- func (p *Prefs) SetExitNodeIP(s string, st *ipnstate.Status) error
- func (p *Prefs) ShouldSSHBeRunning() bool
- func (p *Prefs) ToBytes() []byte
- func (p *Prefs) View() PrefsView
- type PrefsView
- func (p PrefsView) AdminPageURL() string
- func (v PrefsView) AdvertiseRoutes() views.IPPrefixSlice
- func (v PrefsView) AdvertiseTags() views.Slice[string]
- func (p PrefsView) AdvertisesExitNode() bool
- func (v PrefsView) AllowSingleHosts() bool
- func (v PrefsView) AsStruct() *Prefs
- func (v PrefsView) ControlURL() string
- func (p PrefsView) ControlURLOrDefault() string
- func (v PrefsView) CorpDNS() bool
- func (v PrefsView) Egg() bool
- func (p PrefsView) Equals(p2 PrefsView) bool
- func (v PrefsView) ExitNodeAllowLANAccess() bool
- func (v PrefsView) ExitNodeID() tailcfg.StableNodeID
- func (v PrefsView) ExitNodeIP() netip.Addr
- func (v PrefsView) ForceDaemon() bool
- func (v PrefsView) Hostname() string
- func (v PrefsView) LoggedOut() bool
- func (v PrefsView) MarshalJSON() ([]byte, error)
- func (v PrefsView) NetfilterMode() preftype.NetfilterMode
- func (v PrefsView) NoSNAT() bool
- func (v PrefsView) NotepadURLs() bool
- func (v PrefsView) OperatorUser() string
- func (v PrefsView) Persist() persist.PersistView
- func (p PrefsView) Pretty() string
- func (v PrefsView) ProfileName() string
- func (v PrefsView) RouteAll() bool
- func (v PrefsView) RunSSH() bool
- func (v PrefsView) ShieldsUp() bool
- func (p PrefsView) ShouldSSHBeRunning() bool
- func (p PrefsView) ToBytes() []byte
- func (v *PrefsView) UnmarshalJSON(b []byte) error
- func (v PrefsView) Valid() bool
- func (v PrefsView) WantRunning() bool
- type ProfileID
- type ServeConfig
- func (src *ServeConfig) Clone() *ServeConfig
- func (sc *ServeConfig) GetTCPPortHandler(port uint16) *TCPPortHandler
- func (sc *ServeConfig) GetWebHandler(hp HostPort, mount string) *HTTPHandler
- func (sc *ServeConfig) IsFunnelOn() bool
- func (sc *ServeConfig) IsServingHTTP(port uint16) bool
- func (sc *ServeConfig) IsServingHTTPS(port uint16) bool
- func (sc *ServeConfig) IsServingWeb(port uint16) bool
- func (sc *ServeConfig) IsTCPForwardingAny() bool
- func (sc *ServeConfig) IsTCPForwardingOnPort(port uint16) bool
- func (p *ServeConfig) View() ServeConfigView
- func (sc *ServeConfig) WebHandlerExists(hp HostPort, mount string) bool
- type ServeConfigView
- func (v ServeConfigView) AllowFunnel() views.Map[HostPort, bool]
- func (v ServeConfigView) AsStruct() *ServeConfig
- func (v ServeConfigView) IsFunnelOn() bool
- func (v ServeConfigView) MarshalJSON() ([]byte, error)
- func (v ServeConfigView) TCP() views.MapFn[uint16, *TCPPortHandler, TCPPortHandlerView]
- func (v *ServeConfigView) UnmarshalJSON(b []byte) error
- func (v ServeConfigView) Valid() bool
- func (v ServeConfigView) Web() views.MapFn[HostPort, *WebServerConfig, WebServerConfigView]
- type State
- type StateKey
- type StateStore
- type StateStoreDialerSetter
- type TCPPortHandler
- type TCPPortHandlerView
- func (v TCPPortHandlerView) AsStruct() *TCPPortHandler
- func (v TCPPortHandlerView) HTTP() bool
- func (v TCPPortHandlerView) HTTPS() bool
- func (v TCPPortHandlerView) MarshalJSON() ([]byte, error)
- func (v TCPPortHandlerView) TCPForward() string
- func (v TCPPortHandlerView) TerminateTLS() string
- func (v *TCPPortHandlerView) UnmarshalJSON(b []byte) error
- func (v TCPPortHandlerView) Valid() bool
- type WebServerConfig
- type WebServerConfigView
- func (v WebServerConfigView) AsStruct() *WebServerConfig
- func (v WebServerConfigView) Handlers() views.MapFn[string, *HTTPHandler, HTTPHandlerView]
- func (v WebServerConfigView) MarshalJSON() ([]byte, error)
- func (v *WebServerConfigView) UnmarshalJSON(b []byte) error
- func (v WebServerConfigView) Valid() bool
- type WindowsUserID
Constants ¶
const (
    // MachineKeyStateKey is the key under which we store the machine key,
    // in its key.NodePrivate.MarshalText representation.
    MachineKeyStateKey = StateKey("_machinekey")

    // LegacyGlobalDaemonStateKey is the ipn.StateKey that tailscaled
    // loads on startup.
    //
    // We have to support multiple state keys for other OSes (Windows in
    // particular), but right now Unix daemons run with a single
    // node-global state. To keep open the option of having per-user state
    // later, the global state key doesn't look like a username.
    //
    // As of 2022-10-21, it has been superseded by profiles and is no longer
    // written to disk. It is only read at startup when there are no profiles,
    // to migrate the state to the "default" profile.
    // The existing state is left on disk in case the user downgrades to an
    // older version of Tailscale that doesn't support profiles. We can
    // remove this in a future release.
    LegacyGlobalDaemonStateKey = StateKey("_daemon")

    // ServerModeStartKey's value, if non-empty, is the value of a
    // StateKey containing the prefs to start with which to start the
    // server.
    //
    // For example, the value might be "user-1234", meaning the
    // server should start with the Prefs JSON loaded from
    // StateKey "user-1234".
    ServerModeStartKey = StateKey("server-mode-start-key")

    // KnownProfilesStateKey is the key under which we store the list of
    // known profiles. The value is a JSON-encoded []LoginProfile.
    KnownProfilesStateKey = StateKey("_profiles")

    // CurrentProfileStateKey is the key under which we store the current
    // profile.
    CurrentProfileStateKey = StateKey("_current-profile")
)
const DefaultControlURL = "https://controlplane.tailscale.com"
DefaultControlURL is the URL base of the control plane ("coordination server") for use when no explicit one is configured. The default control plane is the hosted version run by Tailscale.com.
const GoogleIDTokenType = "ts_android_google_login"
GoogleIDTokenType is the tailcfg.Oauth2Token.TokenType for the Google ID tokens used by the Android client.
Variables ¶
var (
    // ErrExitNodeIDAlreadySet is returned from (*Prefs).SetExitNodeIP when the
    // Prefs.ExitNodeID field is already set.
    ErrExitNodeIDAlreadySet = errors.New("cannot set ExitNodeIP when ExitNodeID is already set")
)
var ErrStateNotExist = errors.New("no state with given ID")
ErrStateNotExist is returned by StateStore.ReadState when the requested state ID doesn't exist.
Functions ¶
func CheckFunnelAccess ¶ added in v1.38.0
CheckFunnelAccess checks whether Funnel access is allowed for the given node and port. It checks:
- Funnel is enabled on the Tailnet
- HTTPS is enabled on the Tailnet
- the node has the "funnel" nodeAttr
- the port is allowed for Funnel
The nodeAttrs arg should be the node's Self.Capabilities, which should contain the attribute we're checking for and possibly warning-capabilities for Funnel.
func IsLoginServerSynonym ¶ added in v1.12.0
IsLoginServerSynonym reports whether a URL is a drop-in replacement for the primary Tailscale login server.
func PutStoreInt ¶ added in v1.32.0
func PutStoreInt(store StateStore, id StateKey, val int64) error
PutStoreInt puts an integer into a StateStore.
func ReadStoreInt ¶ added in v1.32.0
func ReadStoreInt(store StateStore, id StateKey) (int64, error)
ReadStoreInt reads an integer from a StateStore.
Types ¶
type EngineStatus ¶
type EngineStatus struct {
RBytes, WBytes int64
NumLive int
LiveDERPs int // number of active DERP connections
LivePeers map[key.NodePublic]ipnstate.PeerStatusLite
}
EngineStatus contains WireGuard engine stats.
type ExitNodeLocalIPError ¶ added in v1.24.0
type ExitNodeLocalIPError struct {
// contains filtered or unexported fields
}
ExitNodeLocalIPError is returned when the requested IP address for an exit node belongs to the local machine.
func (ExitNodeLocalIPError) Error ¶ added in v1.24.0
func (e ExitNodeLocalIPError) Error() string
type FunnelConn ¶ added in v1.38.0
type FunnelConn struct {
    // Conn is the underlying connection.
    net.Conn

    // Target is what was presented in the "Tailscale-Ingress-Target"
    // HTTP header.
    Target HostPort

    // Src is the source address of the connection.
    // This is the address of the client that initiated the
    // connection, not the address of the Tailscale Funnel
    // node which is relaying the connection. That address
    // can be found in Conn.RemoteAddr.
    Src netip.AddrPort
}
A FunnelConn wraps a net.Conn that is coming over a Funnel connection. It can be used to determine further information about the connection, like the source address and the target SNI name.
type HTTPHandler ¶ added in v1.34.0
type HTTPHandler struct {
    Path  string `json:",omitempty"` // absolute path to directory or file to serve
    Proxy string `json:",omitempty"` // http://localhost:3000/, localhost:3030, 3030
    Text  string `json:",omitempty"` // plaintext to serve (primarily for testing)
}
HTTPHandler is either a path or a proxy to serve.
func (*HTTPHandler) Clone ¶ added in v1.34.0
func (src *HTTPHandler) Clone() *HTTPHandler
Clone makes a deep copy of HTTPHandler. The result aliases no memory with the original.
func (*HTTPHandler) View ¶ added in v1.34.0
func (p *HTTPHandler) View() HTTPHandlerView
View returns a readonly view of HTTPHandler.
type HTTPHandlerView ¶ added in v1.34.0
type HTTPHandlerView struct {
// contains filtered or unexported fields
}
HTTPHandlerView provides a read-only view over HTTPHandler.
Its methods should only be called if `Valid()` returns true.
func (HTTPHandlerView) AsStruct ¶ added in v1.34.0
func (v HTTPHandlerView) AsStruct() *HTTPHandler
AsStruct returns a clone of the underlying value which aliases no memory with the original.
func (HTTPHandlerView) MarshalJSON ¶ added in v1.34.0
func (v HTTPHandlerView) MarshalJSON() ([]byte, error)
func (HTTPHandlerView) Path ¶ added in v1.34.0
func (v HTTPHandlerView) Path() string
func (HTTPHandlerView) Proxy ¶ added in v1.34.0
func (v HTTPHandlerView) Proxy() string
func (HTTPHandlerView) Text ¶ added in v1.34.0
func (v HTTPHandlerView) Text() string
func (*HTTPHandlerView) UnmarshalJSON ¶ added in v1.34.0
func (v *HTTPHandlerView) UnmarshalJSON(b []byte) error
func (HTTPHandlerView) Valid ¶ added in v1.34.0
func (v HTTPHandlerView) Valid() bool
Valid reports whether underlying value is non-nil.
type HostPort ¶ added in v1.34.0
type HostPort string
HostPort is an SNI name and port number, joined by a colon. There is no implicit port 443. It must contain a colon.
type LoginProfile ¶ added in v1.34.0
type LoginProfile struct {
    // ID is a unique identifier for this profile.
    // It is assigned on creation and never changes.
    // It may seem redundant to have both ID and UserProfile.ID
    // but they are different things. UserProfile.ID may change
    // over time (e.g. if a device is tagged).
    ID ProfileID

    // Name is the user-visible name of this profile.
    // It is filled in from the UserProfile.LoginName field.
    Name string

    // Key is the StateKey under which the profile is stored.
    // It is assigned once at profile creation time and never changes.
    Key StateKey

    // UserProfile is the server provided UserProfile for this profile.
    // This is updated whenever the server provides a new UserProfile.
    UserProfile tailcfg.UserProfile

    // NodeID is the NodeID of the node that this profile is logged into.
    // This should be stable across tagging and untagging nodes.
    // It may seem redundant to check against both the UserProfile.UserID
    // and the NodeID. However the NodeID can change if the node is deleted
    // from the admin panel.
    NodeID tailcfg.StableNodeID

    // LocalUserID is the user ID of the user who created this profile.
    // It is only relevant on Windows where we have a multi-user system.
    // It is assigned once at profile creation time and never changes.
    LocalUserID WindowsUserID

    // ControlURL is the URL of the control server that this profile is logged
    // into.
    ControlURL string
}
LoginProfile represents a single login profile as managed by the ProfileManager.
type MaskedPrefs ¶ added in v1.8.0
type MaskedPrefs struct {
    Prefs

    ControlURLSet             bool `json:",omitempty"`
    RouteAllSet               bool `json:",omitempty"`
    AllowSingleHostsSet       bool `json:",omitempty"`
    ExitNodeIDSet             bool `json:",omitempty"`
    ExitNodeIPSet             bool `json:",omitempty"`
    ExitNodeAllowLANAccessSet bool `json:",omitempty"`
    CorpDNSSet                bool `json:",omitempty"`
    RunSSHSet                 bool `json:",omitempty"`
    WantRunningSet            bool `json:",omitempty"`
    LoggedOutSet              bool `json:",omitempty"`
    ShieldsUpSet              bool `json:",omitempty"`
    AdvertiseTagsSet          bool `json:",omitempty"`
    HostnameSet               bool `json:",omitempty"`
    NotepadURLsSet            bool `json:",omitempty"`
    ForceDaemonSet            bool `json:",omitempty"`
    EggSet                    bool `json:",omitempty"`
    AdvertiseRoutesSet        bool `json:",omitempty"`
    NoSNATSet                 bool `json:",omitempty"`
    NetfilterModeSet          bool `json:",omitempty"`
    OperatorUserSet           bool `json:",omitempty"`
    ProfileNameSet            bool `json:",omitempty"`
}
MaskedPrefs is a Prefs with an associated bitmask of which fields are set.
func (*MaskedPrefs) IsEmpty ¶ added in v1.34.0
func (m *MaskedPrefs) IsEmpty() bool
IsEmpty reports whether there are no masks set or if m is nil.
func (*MaskedPrefs) Pretty ¶ added in v1.8.0
func (m *MaskedPrefs) Pretty() string
type Notify ¶
type Notify struct {
    Version string // version number of IPN backend

    // ErrMessage, if non-nil, contains a critical error message.
    // For State InUseOtherUser, ErrMessage is not critical and just contains the details.
    ErrMessage *string

    LoginFinished *empty.Message     // non-nil when/if the login process succeeded
    State         *State             // if non-nil, the new or current IPN state
    Prefs         *PrefsView         // if non-nil && Valid, the new or current preferences
    NetMap        *netmap.NetworkMap // if non-nil, the new or current netmap
    Engine        *EngineStatus      // if non-nil, the new or current wireguard stats
    BrowseToURL   *string            // if non-nil, UI should open a browser right now
    BackendLogID  *string            // if non-nil, the public logtail ID used by backend

    // FilesWaiting if non-nil means that files are buffered in
    // the Tailscale daemon and ready for local transfer to the
    // user's preferred storage location.
    //
    // Deprecated: use LocalClient.AwaitWaitingFiles instead.
    FilesWaiting *empty.Message `json:",omitempty"`

    // IncomingFiles, if non-nil, specifies which files are in the
    // process of being received. A nil IncomingFiles means this
    // Notify should not update the state of file transfers. A non-nil
    // but empty IncomingFiles means that no files are in the middle
    // of being transferred.
    //
    // Deprecated: use LocalClient.AwaitWaitingFiles instead.
    IncomingFiles []PartialFile `json:",omitempty"`

    // LocalTCPPort, if non-nil, informs the UI frontend which
    // (non-zero) localhost TCP port it's listening on.
    // This is currently only used by Tailscale when run in the
    // macOS Network Extension.
    LocalTCPPort *uint16 `json:",omitempty"`

    // ClientVersion, if non-nil, describes whether a client version update
    // is available.
    ClientVersion *tailcfg.ClientVersion `json:",omitempty"`
    // contains filtered or unexported fields
}
Notify is a communication from a backend (e.g. tailscaled) to a frontend (cmd/tailscale, iOS, macOS, Win Tasktray). In any given notification, any or all of these may be nil, meaning that they have not changed. They are JSON-encoded on the wire, despite the lack of struct tags.
type NotifyWatchOpt ¶ added in v1.34.0
type NotifyWatchOpt uint64
NotifyWatchOpt is a bitmask of options about what type of Notify messages to subscribe to.
const (
    // NotifyWatchEngineUpdates, if set, causes Engine updates to be sent to the
    // client either regularly or when they change, without having to ask for
    // each one via RequestEngineStatus.
    NotifyWatchEngineUpdates NotifyWatchOpt = 1 << iota

    NotifyInitialState  // if set, the first Notify message (sent immediately) will contain the current State + BrowseToURL
    NotifyInitialPrefs  // if set, the first Notify message (sent immediately) will contain the current Prefs
    NotifyInitialNetMap // if set, the first Notify message (sent immediately) will contain the current NetMap
    NotifyNoPrivateKeys // if set, private keys that would normally be sent in updates are zeroed out
)
type Options ¶
type Options struct {
    // FrontendLogID is the public logtail id used by the frontend.
    FrontendLogID string

    // LegacyMigrationPrefs are used to migrate preferences from the
    // frontend to the backend.
    // If non-nil, they are imported as a new profile.
    LegacyMigrationPrefs *Prefs `json:"Prefs"`

    // UpdatePrefs, if provided, overrides Options.LegacyMigrationPrefs
    // *and* the Prefs already stored in the backend state, *except* for
    // the Persist member. If you just want to provide prefs, this is
    // probably what you want.
    //
    // TODO(apenwarr): Rename this to Prefs, and possibly move Prefs.Persist
    // elsewhere entirely (as it always should have been). Or, move the
    // fancy state migration stuff out of Start().
    UpdatePrefs *Prefs

    // AuthKey is an optional node auth key used to authorize a
    // new node key without user interaction.
    AuthKey string
}
type PartialFile ¶ added in v1.8.0
type PartialFile struct {
    Name         string    // e.g. "foo.jpg"
    Started      time.Time // time transfer started
    DeclaredSize int64     // or -1 if unknown
    Received     int64     // bytes copied thus far

    // PartialPath is set non-empty in "direct" file mode to the
    // in-progress '*.partial' file's path when the peerapi isn't
    // being used; see LocalBackend.SetDirectFileRoot.
    PartialPath string `json:",omitempty"`

    // Done is set in "direct" mode when the partial file has been
    // closed and is ready for the caller to rename away the
    // ".partial" suffix.
    Done bool `json:",omitempty"`
}
PartialFile represents an in-progress file transfer.
type Prefs ¶
type Prefs struct {
    // ControlURL is the URL of the control server to use.
    //
    // If empty, the default for new installs, DefaultControlURL
    // is used. It's set non-empty once the daemon has been started
    // for the first time.
    //
    // TODO(apenwarr): Make it safe to update this with SetPrefs().
    // Right now, you have to pass it in the initial prefs in Start(),
    // which is the only code that actually uses the ControlURL value.
    // It would be more consistent to restart controlclient
    // automatically whenever this variable changes.
    //
    // Meanwhile, you have to provide this as part of
    // Options.LegacyMigrationPrefs or Options.UpdatePrefs when
    // calling Backend.Start().
    ControlURL string

    // RouteAll specifies whether to accept subnets advertised by
    // other nodes on the Tailscale network. Note that this does not
    // include default routes (0.0.0.0/0 and ::/0), those are
    // controlled by ExitNodeID/IP below.
    RouteAll bool

    // AllowSingleHosts specifies whether to install routes for each
    // node IP on the tailscale network, in addition to a route for
    // the whole network.
    // This corresponds to the "tailscale up --host-routes" value,
    // which defaults to true.
    //
    // TODO(danderson): why do we have this? It dumps a lot of stuff
    // into the routing table, and a single network route _should_ be
    // all that we need. But when I turn this off in my tailscaled,
    // packets stop flowing. What's up with that?
    AllowSingleHosts bool

    // ExitNodeID and ExitNodeIP specify the node that should be used
    // as an exit node for internet traffic. At most one of these
    // should be non-zero.
    //
    // The preferred way to express the chosen node is ExitNodeID, but
    // in some cases it's not possible to use that ID (e.g. in the
    // linux CLI, before tailscaled has a netmap). For those
    // situations, we allow specifying the exit node by IP, and
    // ipnlocal.LocalBackend will translate the IP into an ID when the
    // node is found in the netmap.
    //
    // If the selected exit node doesn't exist (e.g. it's not part of
    // the current tailnet), or it doesn't offer exit node services, a
    // blackhole route will be installed on the local system to
    // prevent any traffic escaping to the local network.
    ExitNodeID tailcfg.StableNodeID
    ExitNodeIP netip.Addr

    // ExitNodeAllowLANAccess indicates whether locally accessible subnets should be
    // routed directly or via the exit node.
    ExitNodeAllowLANAccess bool

    // CorpDNS specifies whether to install the Tailscale network's
    // DNS configuration, if it exists.
    CorpDNS bool

    // RunSSH bool is whether this node should run an SSH
    // server, permitting access to peers according to the
    // policies as configured by the Tailnet's admin(s).
    RunSSH bool

    // WantRunning indicates whether networking should be active on
    // this node.
    WantRunning bool

    // LoggedOut indicates whether the user intends to be logged out.
    // There are other reasons we may be logged out, including no valid
    // keys.
    // We need to remember this state so that, on next startup, we can
    // generate the "Login" vs "Connect" buttons correctly, without having
    // to contact the server to confirm our nodekey status first.
    LoggedOut bool

    // ShieldsUp indicates whether to block all incoming connections,
    // regardless of the control-provided packet filter. If false, we
    // use the packet filter as provided. If true, we block incoming
    // connections. This overrides tailcfg.Hostinfo's ShieldsUp.
    ShieldsUp bool

    // AdvertiseTags specifies groups that this node wants to join, for
    // purposes of ACL enforcement. These can be referenced from the ACL
    // security policy. Note that advertising a tag doesn't guarantee that
    // the control server will allow you to take on the rights for that
    // tag.
    AdvertiseTags []string

    // Hostname is the hostname to use for identifying the node. If
    // not set, os.Hostname is used.
    Hostname string

    // NotepadURLs is a debugging setting that opens OAuth URLs in
    // notepad.exe on Windows, rather than loading them in a browser.
    //
    // apenwarr 2020-04-29: Unfortunately this is still needed sometimes.
    // Windows' default browser setting is sometimes screwy and this helps
    // users narrow it down a bit.
    NotepadURLs bool

    // ForceDaemon specifies whether a platform that normally
    // operates in "client mode" (that is, requires an active user
    // logged in with the GUI app running) should keep running after the
    // GUI ends and/or the user logs out.
    //
    // The only current applicable platform is Windows. This
    // forced Windows to go into "server mode" where Tailscale is
    // running even with no users logged in. This might also be
    // used for macOS in the future. This setting has no effect
    // for Linux/etc, which always operate in daemon mode.
    ForceDaemon bool `json:"ForceDaemon,omitempty"`

    // Egg is an optional debug flag.
    Egg bool `json:",omitempty"`

    // AdvertiseRoutes specifies CIDR prefixes to advertise into the
    // Tailscale network as reachable through the current
    // node.
    AdvertiseRoutes []netip.Prefix

    // NoSNAT specifies whether to source NAT traffic going to
    // destinations in AdvertiseRoutes. The default is to apply source
    // NAT, which makes the traffic appear to come from the router
    // machine rather than the peer's Tailscale IP.
    //
    // Disabling SNAT requires additional manual configuration in your
    // network to route Tailscale traffic back to the subnet relay
    // machine.
    //
    // Linux-only.
    NoSNAT bool

    // NetfilterMode specifies how much to manage netfilter rules for
    // Tailscale, if at all.
    NetfilterMode preftype.NetfilterMode

    // OperatorUser is the local machine user name who is allowed to
    // operate tailscaled without being root or using sudo.
    OperatorUser string `json:",omitempty"`

    // ProfileName is the desired name of the profile. If empty, then the user's
    // LoginName is used. It is only used for display purposes in the client UI
    // and CLI.
    ProfileName string `json:",omitempty"`

    // The Persist field is named 'Config' in the file for backward
    // compatibility with earlier versions.
    // TODO(apenwarr): We should move this out of here, it's not a pref.
    // We can maybe do that once we're sure which module should persist
    // it (backend or frontend?)
    Persist *persist.Persist `json:"Config"`
}
Prefs are the user modifiable settings of the Tailscale node agent.
func LoadPrefs ¶
LoadPrefs loads a legacy relaynode config file into Prefs with sensible migration defaults set.
func PrefsFromBytes ¶
PrefsFromBytes deserializes Prefs from a JSON blob.
func (*Prefs) AdminPageURL ¶ added in v1.12.0
AdminPageURL returns the admin web site URL for the current ControlURL.
func (*Prefs) AdvertisesExitNode ¶ added in v1.20.0
AdvertisesExitNode reports whether p is advertising both the v4 and v6 /0 exit node routes.
func (*Prefs) ApplyEdits ¶ added in v1.8.0
func (p *Prefs) ApplyEdits(m *MaskedPrefs)
ApplyEdits mutates p, assigning fields from m.Prefs for each MaskedPrefs Set field that's true.
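As an added illustration (not code from the ipn package), the stand-alone Go program below re-implements the documented ApplyEdits and IsEmpty semantics over a constructed subset of Prefs and MaskedPrefs, pairing each <Field>Set flag with its field by reflection; ExitNodeID is simplified to a string. It shows the consequence of the omitempty masks for anyone reviewing preference edits: a value sent without its Set flag is ignored, while a Set flag sent without a value resets the field to its zero value.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)

// Prefs is a constructed subset of ipn.Prefs, limited to the fields this
// example edits; the real struct carries many more.
type Prefs struct {
	ControlURL      string
	RouteAll        bool
	ExitNodeID      string // tailcfg.StableNodeID in the real package
	ShieldsUp       bool
	RunSSH          bool
	AdvertiseRoutes []string
}

// MaskedPrefs mirrors the documented shape of ipn.MaskedPrefs: the embedded
// Prefs carry candidate values and each <Field>Set flag marks which of them
// is an edit. The omitempty tags mean an unset flag is absent from the JSON.
type MaskedPrefs struct {
	Prefs
	ControlURLSet      bool `json:",omitempty"`
	RouteAllSet        bool `json:",omitempty"`
	ExitNodeIDSet      bool `json:",omitempty"`
	ShieldsUpSet       bool `json:",omitempty"`
	RunSSHSet          bool `json:",omitempty"`
	AdvertiseRoutesSet bool `json:",omitempty"`
}

// isEmpty reports whether m is nil or has no Set flag turned on,
// matching what the page documents for (*MaskedPrefs).IsEmpty.
func isEmpty(m *MaskedPrefs) bool {
	if m == nil {
		return true
	}
	mv := reflect.ValueOf(m).Elem()
	for i := 0; i < mv.NumField(); i++ {
		f := mv.Type().Field(i)
		if strings.HasSuffix(f.Name, "Set") && f.Type.Kind() == reflect.Bool && mv.Field(i).Bool() {
			return false
		}
	}
	return true
}

// applyEdits assigns p.<Field> = m.Prefs.<Field> for every <Field>Set flag
// that is true and leaves every other field of p untouched. A flag that is
// true while its value is absent from the JSON resets the field to its zero
// value, which is how an edit like {"RunSSHSet":true} turns SSH off.
func applyEdits(p *Prefs, m *MaskedPrefs) {
	if p == nil || isEmpty(m) {
		return
	}
	mv := reflect.ValueOf(m).Elem()
	src := mv.FieldByName("Prefs")
	dst := reflect.ValueOf(p).Elem()
	for i := 0; i < mv.NumField(); i++ {
		f := mv.Type().Field(i)
		if !strings.HasSuffix(f.Name, "Set") || f.Type.Kind() != reflect.Bool || !mv.Field(i).Bool() {
			continue
		}
		name := strings.TrimSuffix(f.Name, "Set")
		if target := dst.FieldByName(name); target.IsValid() {
			target.Set(src.FieldByName(name))
		}
	}
}

// parseEdits decodes a MaskedPrefs from JSON, the form in which a frontend
// would hand an edit to the backend.
func parseEdits(js string) (*MaskedPrefs, error) {
	var m MaskedPrefs
	if err := json.Unmarshal([]byte(js), &m); err != nil {
		return nil, err
	}
	return &m, nil
}

func main() {
	p := &Prefs{ControlURL: "https://controlplane.tailscale.com", RunSSH: true, ExitNodeID: "nABC"}
	// Constructed edit: ShieldsUp is flagged and applied; ExitNodeID is a value
	// without a flag (ignored); RunSSHSet is a flag without a value (resets RunSSH).
	m, err := parseEdits(`{"ShieldsUp":true,"ShieldsUpSet":true,"ExitNodeID":"nXYZ","RunSSHSet":true}`)
	if err != nil {
		panic(err)
	}
	applyEdits(p, m)
	fmt.Printf("%+v\n", *p)
}
```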
func (*Prefs) ClearExitNode ¶ added in v1.24.0
func (p *Prefs) ClearExitNode()
ClearExitNode sets the ExitNodeID and ExitNodeIP to their zero values.
func (*Prefs) Clone ¶
Clone makes a deep copy of Prefs. The result aliases no memory with the original.
func (*Prefs) ControlURLOrDefault ¶ added in v1.8.0
ControlURLOrDefault returns the coordination server's URL base.
If not configured, or if the configured value is a legacy name equivalent to the default, then DefaultControlURL is returned instead.
func (*Prefs) SetAdvertiseExitNode ¶ added in v1.20.0
SetAdvertiseExitNode mutates p (if non-nil) to add or remove the two /0 exit node routes.
func (*Prefs) SetExitNodeIP ¶ added in v1.24.0
SetExitNodeIP validates and sets the ExitNodeIP from a user-provided string specifying either an IP address or a MagicDNS base name ("foo", as opposed to "foo.bar.beta.tailscale.net"). This method does not mutate ExitNodeID and will fail if ExitNodeID is already set.
func (*Prefs) ShouldSSHBeRunning ¶ added in v1.26.0
ShouldSSHBeRunning reports whether the SSH server should be running based on the prefs.
type PrefsView ¶ added in v1.32.3
type PrefsView struct {
// contains filtered or unexported fields
}
PrefsView provides a read-only view over Prefs.
Its methods should only be called if `Valid()` returns true.
func (PrefsView) AdminPageURL ¶ added in v1.34.0
AdminPageURL returns the admin web site URL for the current ControlURL.
func (PrefsView) AdvertiseRoutes ¶ added in v1.32.3
func (v PrefsView) AdvertiseRoutes() views.IPPrefixSlice
func (PrefsView) AdvertiseTags ¶ added in v1.32.3
func (PrefsView) AdvertisesExitNode ¶ added in v1.34.0
AdvertisesExitNode reports whether p is advertising both the v4 and v6 /0 exit node routes.
func (PrefsView) AllowSingleHosts ¶ added in v1.32.3
func (PrefsView) AsStruct ¶ added in v1.32.3
AsStruct returns a clone of the underlying value which aliases no memory with the original.
func (PrefsView) ControlURL ¶ added in v1.32.3
func (PrefsView) ControlURLOrDefault ¶ added in v1.32.3
ControlURLOrDefault returns the coordination server's URL base.
If not configured, or if the configured value is a legacy name equivalent to the default, then DefaultControlURL is returned instead.
func (PrefsView) ExitNodeAllowLANAccess ¶ added in v1.32.3
func (PrefsView) ExitNodeID ¶ added in v1.32.3
func (v PrefsView) ExitNodeID() tailcfg.StableNodeID
func (PrefsView) ExitNodeIP ¶ added in v1.32.3
func (PrefsView) ForceDaemon ¶ added in v1.32.3
func (PrefsView) MarshalJSON ¶ added in v1.32.3
func (PrefsView) NetfilterMode ¶ added in v1.32.3
func (v PrefsView) NetfilterMode() preftype.NetfilterMode
func (PrefsView) NotepadURLs ¶ added in v1.32.3
func (PrefsView) OperatorUser ¶ added in v1.32.3
func (PrefsView) Persist ¶ added in v1.32.3
func (v PrefsView) Persist() persist.PersistView
func (PrefsView) ProfileName ¶ added in v1.34.0
func (PrefsView) ShouldSSHBeRunning ¶ added in v1.32.3
ShouldSSHBeRunning reports whether the SSH server should be running based on the prefs.
func (*PrefsView) UnmarshalJSON ¶ added in v1.32.3
func (PrefsView) WantRunning ¶ added in v1.32.3
type ProfileID ¶ added in v1.34.0
type ProfileID string
ProfileID is an auto-generated system-wide unique identifier for a login profile. It is a 4-character hex string like "1ab3".
type ServeConfig ¶ added in v1.34.0
type ServeConfig struct {
    // TCP are the list of TCP port numbers that tailscaled should handle for
    // the Tailscale IP addresses. (not subnet routers, etc)
    TCP map[uint16]*TCPPortHandler `json:",omitempty"`

    // Web maps from "$SNI_NAME:$PORT" to a set of HTTP handlers
    // keyed by mount point ("/", "/foo", etc)
    Web map[HostPort]*WebServerConfig `json:",omitempty"`

    // AllowFunnel is the set of SNI:port values for which funnel
    // traffic is allowed, from trusted ingress peers.
    AllowFunnel map[HostPort]bool `json:",omitempty"`
}
ServeConfig is the JSON type stored in the StateStore for StateKey "_serve/$PROFILE_ID" as returned by ServeConfigKey.
func (*ServeConfig) Clone ¶ added in v1.34.0
func (src *ServeConfig) Clone() *ServeConfig
Clone makes a deep copy of ServeConfig. The result aliases no memory with the original.
func (*ServeConfig) GetTCPPortHandler ¶ added in v1.34.0
func (sc *ServeConfig) GetTCPPortHandler(port uint16) *TCPPortHandler
GetTCPPortHandler returns the TCPPortHandler for the given port. If the port is not configured, nil is returned.
func (*ServeConfig) GetWebHandler ¶ added in v1.34.0
func (sc *ServeConfig) GetWebHandler(hp HostPort, mount string) *HTTPHandler
GetWebHandler returns the HTTPHandler for the given host:port and mount point. Returns nil if the handler does not exist.
func (*ServeConfig) IsFunnelOn ¶ added in v1.34.0
func (sc *ServeConfig) IsFunnelOn() bool
IsFunnelOn reports whether ServeConfig is currently allowing funnel traffic for any host:port.
func (*ServeConfig) IsServingHTTP ¶ added in v1.44.0
func (sc *ServeConfig) IsServingHTTP(port uint16) bool
IsServingHTTP reports whether ServeConfig is currently serving HTTP on the given port. This is exclusive of HTTPS and TCPForwarding.
func (*ServeConfig) IsServingHTTPS ¶ added in v1.44.0
func (sc *ServeConfig) IsServingHTTPS(port uint16) bool
IsServingHTTPS reports whether ServeConfig is currently serving HTTPS on the given port. This is exclusive of HTTP and TCPForwarding.
func (*ServeConfig) IsServingWeb ¶ added in v1.34.0
func (sc *ServeConfig) IsServingWeb(port uint16) bool
IsServingWeb reports whether ServeConfig is currently serving Web (HTTP/HTTPS) on the given port. This is exclusive of TCPForwarding.
func (*ServeConfig) IsTCPForwardingAny ¶ added in v1.34.0
func (sc *ServeConfig) IsTCPForwardingAny() bool
IsTCPForwardingAny reports whether ServeConfig is currently forwarding in TCPForward mode on any port. This is exclusive of Web/HTTPS serving.
func (*ServeConfig) IsTCPForwardingOnPort ¶ added in v1.34.0
func (sc *ServeConfig) IsTCPForwardingOnPort(port uint16) bool
IsTCPForwardingOnPort reports whether ServeConfig is currently forwarding in TCPForward mode on the given port. This is exclusive of Web/HTTPS serving.
func (*ServeConfig) View ¶ added in v1.34.0
func (p *ServeConfig) View() ServeConfigView
View returns a readonly view of ServeConfig.
func (*ServeConfig) WebHandlerExists ¶ added in v1.34.0
func (sc *ServeConfig) WebHandlerExists(hp HostPort, mount string) bool
WebHandlerExists reports whether the ServeConfig Web handler exists for the given host:port and mount point.
type ServeConfigView ¶ added in v1.34.0
type ServeConfigView struct {
// contains filtered or unexported fields
}
ServeConfigView provides a read-only view over ServeConfig.
Its methods should only be called if `Valid()` returns true.
func (ServeConfigView) AllowFunnel ¶ added in v1.34.0
func (v ServeConfigView) AllowFunnel() views.Map[HostPort, bool]
func (ServeConfigView) AsStruct ¶ added in v1.34.0
func (v ServeConfigView) AsStruct() *ServeConfig
AsStruct returns a clone of the underlying value which aliases no memory with the original.
func (ServeConfigView) IsFunnelOn ¶ added in v1.38.4
func (v ServeConfigView) IsFunnelOn() bool
IsFunnelOn reports whether ServeConfig is currently allowing funnel traffic for any host:port.
View version of ServeConfig.IsFunnelOn.
func (ServeConfigView) MarshalJSON ¶ added in v1.34.0
func (v ServeConfigView) MarshalJSON() ([]byte, error)
func (ServeConfigView) TCP ¶ added in v1.34.0
func (v ServeConfigView) TCP() views.MapFn[uint16, *TCPPortHandler, TCPPortHandlerView]
func (*ServeConfigView) UnmarshalJSON ¶ added in v1.34.0
func (v *ServeConfigView) UnmarshalJSON(b []byte) error
func (ServeConfigView) Valid ¶ added in v1.34.0
func (v ServeConfigView) Valid() bool
Valid reports whether underlying value is non-nil.
func (ServeConfigView) Web ¶ added in v1.34.0
func (v ServeConfigView) Web() views.MapFn[HostPort, *WebServerConfig, WebServerConfigView]
type StateKey ¶
type StateKey string
StateKey is an opaque identifier for a set of LocalBackend state (preferences, private keys, etc.). It is also used as a key for the various LoginProfiles that the instance may be signed into.
Additionally, the StateKey can be a debug setting name:
- "_debug_magicsock_until" with value being a unix timestamp stringified
- "_debug_<component>_until" with value being a unix timestamp stringified
func CurrentProfileKey ¶ added in v1.34.0
CurrentProfileKey returns the StateKey that stores the current profile ID. The value is a JSON-encoded LoginProfile. If the userID is empty, the key returned is CurrentProfileStateKey, otherwise it is "_current/"+userID.
func ServeConfigKey ¶ added in v1.34.0
ServeConfigKey returns a StateKey that stores the JSON-encoded ServeConfig for a config profile.
type StateStore ¶
type StateStore interface {
	// ReadState returns the bytes associated with ID. Returns (nil,
	// ErrStateNotExist) if the ID doesn't have associated state.
	ReadState(id StateKey) ([]byte, error)
	// WriteState saves bs as the state associated with ID.
	WriteState(id StateKey, bs []byte) error
}
StateStore persists state, and produces it back on request.
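An added example (not code from the ipn package) tying the StateStore contract to the debug StateKey names above: a minimal in-memory store honouring the documented ErrStateNotExist return, and a reader for "_debug_<component>_until" that treats a missing, malformed or expired key as "off". StateKey, ErrStateNotExist and StateStore are hypothetical re-declarations so the block runs stand-alone.

```go
package main

import (
	"errors"
	"strconv"
	"time"
)

// StateKey, ErrStateNotExist and StateStore re-declare the names documented
// above so the example runs stand-alone (hypothetical copies, not ipn's own).
type StateKey string
var ErrStateNotExist = errors.New("ipn: state key does not exist")
type StateStore interface {
	ReadState(id StateKey) ([]byte, error)
	WriteState(id StateKey, bs []byte) error
}

// MemStore is a single-goroutine StateStore that copies bytes on both paths.
type MemStore struct{ m map[StateKey][]byte }

func NewMemStore() *MemStore { return &MemStore{m: map[StateKey][]byte{}} }

func (s *MemStore) ReadState(id StateKey) ([]byte, error) {
	bs, ok := s.m[id]
	if !ok {
		return nil, ErrStateNotExist
	}
	return append([]byte(nil), bs...), nil
}

func (s *MemStore) WriteState(id StateKey, bs []byte) error {
	s.m[id] = append([]byte(nil), bs...)
	return nil
}

// DebugActive reports whether "_debug_<component>_until" is still in force at
// time now. A missing key, an unparsable value or a past timestamp all count
// as "off", so a stale or corrupt key can never leave debug mode on for good.
func DebugActive(store StateStore, component string, now time.Time) (bool, error) {
	bs, err := store.ReadState(StateKey("_debug_" + component + "_until"))
	if errors.Is(err, ErrStateNotExist) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	until, err := strconv.ParseInt(string(bs), 10, 64)
	if err != nil {
		return false, err
	}
	return now.Unix() < until, nil
}
```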
type StateStoreDialerSetter ¶ added in v1.40.0
type StateStoreDialerSetter interface {
SetDialer(d func(ctx context.Context, network, address string) (net.Conn, error))
}
StateStoreDialerSetter is an optional interface that StateStores can implement to allow the caller to set a custom dialer.
type TCPPortHandler ¶ added in v1.34.0
type TCPPortHandler struct {
	// HTTPS, if true, means that tailscaled should handle this connection as an
	// HTTPS request as configured by ServeConfig.Web.
	//
	// It is mutually exclusive with TCPForward.
	HTTPS bool `json:",omitempty"`
	// HTTP, if true, means that tailscaled should handle this connection as an
	// HTTP request as configured by ServeConfig.Web.
	//
	// It is mutually exclusive with TCPForward.
	HTTP bool `json:",omitempty"`
	// TCPForward is the IP:port to forward TCP connections to.
	// Whether or not TLS is terminated by tailscaled depends on
	// TerminateTLS.
	//
	// It is mutually exclusive with HTTPS.
	TCPForward string `json:",omitempty"`
	// TerminateTLS, if non-empty, means that tailscaled should terminate the
	// TLS connections before forwarding them to TCPForward, permitting only the
	// SNI name with this value. It is only used if TCPForward is non-empty.
	// (the HTTPS mode uses ServeConfig.Web)
	TerminateTLS string `json:",omitempty"`
}
TCPPortHandler describes what to do when handling a TCP connection.
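An added example (not code from the ipn package) that enforces the exclusivity rules the field comments state before a handler is served: exactly one of HTTPS, HTTP or TCPForward set, TerminateTLS only alongside TCPForward, and TCPForward a literal IP:port. The TCPPortHandler here is a hypothetical re-declaration of the documented struct; the IP-literal check is the example's own reading of "IP:port".

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// TCPPortHandler re-declares the struct documented above so the example
// runs stand-alone (a hypothetical copy, not ipn's own type).
type TCPPortHandler struct {
	HTTPS        bool   `json:",omitempty"`
	HTTP         bool   `json:",omitempty"`
	TCPForward   string `json:",omitempty"`
	TerminateTLS string `json:",omitempty"`
}

var errAmbiguous = errors.New("tcp handler: exactly one of HTTPS, HTTP or TCPForward must be set")

// Validate rejects a handler that could be read two ways instead of silently
// picking one interpretation: exactly one mode is set, TerminateTLS only
// accompanies TCPForward, and TCPForward parses as a literal IP:port so a
// hostname can never be resolved to an unexpected backend at serve time.
func (h *TCPPortHandler) Validate() error {
	modes := 0
	for _, on := range []bool{h.HTTPS, h.HTTP, h.TCPForward != ""} {
		if on {
			modes++
		}
	}
	if modes != 1 {
		return errAmbiguous
	}
	if h.TCPForward == "" {
		if h.TerminateTLS != "" {
			return errors.New("tcp handler: TerminateTLS requires TCPForward")
		}
		return nil
	}
	if _, err := netip.ParseAddrPort(h.TCPForward); err != nil {
		return fmt.Errorf("tcp handler: TCPForward %q is not IP:port: %w", h.TCPForward, err)
	}
	return nil
}
```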
func (*TCPPortHandler) Clone ¶ added in v1.34.0
func (src *TCPPortHandler) Clone() *TCPPortHandler
Clone makes a deep copy of TCPPortHandler. The result aliases no memory with the original.
func (*TCPPortHandler) View ¶ added in v1.34.0
func (p *TCPPortHandler) View() TCPPortHandlerView
View returns a readonly view of TCPPortHandler.
type TCPPortHandlerView ¶ added in v1.34.0
type TCPPortHandlerView struct {
// contains filtered or unexported fields
}
TCPPortHandlerView provides a read-only view over TCPPortHandler.
Its methods should only be called if `Valid()` returns true.
func (TCPPortHandlerView) AsStruct ¶ added in v1.34.0
func (v TCPPortHandlerView) AsStruct() *TCPPortHandler
AsStruct returns a clone of the underlying value which aliases no memory with the original.
func (TCPPortHandlerView) HTTP ¶ added in v1.44.0
func (v TCPPortHandlerView) HTTP() bool
func (TCPPortHandlerView) HTTPS ¶ added in v1.34.0
func (v TCPPortHandlerView) HTTPS() bool
func (TCPPortHandlerView) MarshalJSON ¶ added in v1.34.0
func (v TCPPortHandlerView) MarshalJSON() ([]byte, error)
func (TCPPortHandlerView) TCPForward ¶ added in v1.34.0
func (v TCPPortHandlerView) TCPForward() string
func (TCPPortHandlerView) TerminateTLS ¶ added in v1.34.0
func (v TCPPortHandlerView) TerminateTLS() string
func (*TCPPortHandlerView) UnmarshalJSON ¶ added in v1.34.0
func (v *TCPPortHandlerView) UnmarshalJSON(b []byte) error
func (TCPPortHandlerView) Valid ¶ added in v1.34.0
func (v TCPPortHandlerView) Valid() bool
Valid reports whether underlying value is non-nil.
type WebServerConfig ¶ added in v1.34.0
type WebServerConfig struct {
Handlers map[string]*HTTPHandler // mountPoint => handler
}
WebServerConfig describes a web server's configuration.
func (*WebServerConfig) Clone ¶ added in v1.34.0
func (src *WebServerConfig) Clone() *WebServerConfig
Clone makes a deep copy of WebServerConfig. The result aliases no memory with the original.
func (*WebServerConfig) View ¶ added in v1.34.0
func (p *WebServerConfig) View() WebServerConfigView
View returns a readonly view of WebServerConfig.
type WebServerConfigView ¶ added in v1.34.0
type WebServerConfigView struct {
// contains filtered or unexported fields
}
WebServerConfigView provides a read-only view over WebServerConfig.
Its methods should only be called if `Valid()` returns true.
func (WebServerConfigView) AsStruct ¶ added in v1.34.0
func (v WebServerConfigView) AsStruct() *WebServerConfig
AsStruct returns a clone of the underlying value which aliases no memory with the original.
func (WebServerConfigView) Handlers ¶ added in v1.34.0
func (v WebServerConfigView) Handlers() views.MapFn[string, *HTTPHandler, HTTPHandlerView]
func (WebServerConfigView) MarshalJSON ¶ added in v1.34.0
func (v WebServerConfigView) MarshalJSON() ([]byte, error)
func (*WebServerConfigView) UnmarshalJSON ¶ added in v1.34.0
func (v *WebServerConfigView) UnmarshalJSON(b []byte) error
func (WebServerConfigView) Valid ¶ added in v1.34.0
func (v WebServerConfigView) Valid() bool
Valid reports whether underlying value is non-nil.
type WindowsUserID ¶ added in v1.34.0
type WindowsUserID string
WindowsUserID is a userid (suitable for passing to ipnauth.LookupUserFromID or os/user.LookupId) but only set on Windows. It's empty on all other platforms, unless envknob.GOOS is in use, making Linux act like Windows for tests.
Source Files ¶
Directories ¶
Path | Synopsis
---|---
ipnauth | Package ipnauth controls access to the LocalAPI.
ipnstate | Package ipnstate captures the entire state of the Tailscale network.
localapi | Package localapi contains the HTTP server handlers for tailscaled's API server.
policy | Package policy contains various policy decisions that need to be shared between the node client & control server.
store | Package store provides various implementations of ipn.StateStore.
store/awsstore | Package awsstore contains an ipn.StateStore implementation using AWS SSM.
store/mem | Package mem provides an in-memory ipn.StateStore implementation.