From 2afa1672ac15f1634fbd1fc1301db93fac3d3d9e Mon Sep 17 00:00:00 2001
From: James Tucker <james@tailscale.com>
Date: Tue, 10 Jan 2023 15:40:07 -0800
Subject: [PATCH] ipn/ipnlocal: disallow unsigned peers from WoL

Unsigned peers should not be allowed to generate Wake-on-Lan packets,
only access Funnel.

Updates #6934
Updates #7515
Updates #6475

Signed-off-by: James Tucker <james@tailscale.com>
---
 ipn/ipnlocal/peerapi.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipn/ipnlocal/peerapi.go b/ipn/ipnlocal/peerapi.go
index 2b9cac4aa..f6a4167e3 100644
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -903,6 +903,9 @@ func (h *peerAPIHandler) canDebug() bool {
 
 // canWakeOnLAN reports whether h can send a Wake-on-LAN packet from this node.
 func (h *peerAPIHandler) canWakeOnLAN() bool {
+	if h.peerNode.UnsignedPeerAPIOnly {
+		return false
+	}
 	return h.isSelf || h.peerHasCap(tailcfg.CapabilityWakeOnLAN)
 }