|
|
|
|
@ -751,7 +751,7 @@ func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem
|
|
|
|
|
discoSendQueue: make(chan pkt, perClientSendQueueDepth),
|
|
|
|
|
sendPongCh: make(chan [8]byte, 1),
|
|
|
|
|
peerGone: make(chan peerGoneMsg),
|
|
|
|
|
canMesh: clientInfo.MeshKey != "" && clientInfo.MeshKey == s.meshKey,
|
|
|
|
|
canMesh: s.isMeshPeer(clientInfo),
|
|
|
|
|
peerGoneLim: rate.NewLimiter(rate.Every(time.Second), 3),
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -1153,9 +1153,22 @@ func (c *sclient) requestMeshUpdate() {
|
|
|
|
|
|
|
|
|
|
var localClient tailscale.LocalClient
|
|
|
|
|
|
|
|
|
|
// isMeshPeer reports whether the client is a trusted mesh peer
|
|
|
|
|
// node in the DERP region.
|
|
|
|
|
func (s *Server) isMeshPeer(info *clientInfo) bool {
|
|
|
|
|
return info != nil && info.MeshKey != "" && info.MeshKey == s.meshKey
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// verifyClient checks whether the client is allowed to connect to the derper,
|
|
|
|
|
// depending on how & whether the server's been configured to verify.
|
|
|
|
|
func (s *Server) verifyClient(ctx context.Context, clientKey key.NodePublic, info *clientInfo, clientIP netip.Addr) error {
|
|
|
|
|
if s.isMeshPeer(info) {
|
|
|
|
|
// Trusted mesh peer. No need to verify further. In fact, verifying
|
|
|
|
|
// further wouldn't work: it's not part of the tailnet so tailscaled and
|
|
|
|
|
// likely the admission control URL wouldn't know about it.
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// tailscaled-based verification:
|
|
|
|
|
if s.verifyClientsLocalTailscaled {
|
|
|
|
|
_, err := localClient.WhoIsNodeKey(ctx, clientKey)
|
|
|
|
|
|
Brad Fitzpatrick
1 week ago
committed by