From ba4e58f429029d1b8d51967aa71ccf3bf36de278 Mon Sep 17 00:00:00 2001
From: shayne
Date: Tue, 4 Apr 2023 22:20:27 -0400
Subject: [PATCH] cmd/tailscale/cli: do not allow turning Funnel on while shields-up (#7770)
---
 ipn/ipnlocal/local.go | 10 ++++++++++
 ipn/ipnlocal/serve.go | 5 +++++
 ipn/serve.go | 6 ++++++
 3 files changed, 21 insertions(+)
diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index 8114e098f..6e7b25550 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -2549,6 +2549,9 @@ func (b *LocalBackend) checkPrefsLocked(p *ipn.Prefs) error {
 if err := b.checkExitNodePrefsLocked(p); err != nil {
 errs = append(errs, err)
 }
+ if err := b.checkFunnelEnabledLocked(p); err != nil {
+ errs = append(errs, err)
+ }
 return multierr.New(errs...)
 }

@@ -2633,6 +2636,13 @@ func (b *LocalBackend) checkExitNodePrefsLocked(p *ipn.Prefs) error {
 return nil
 }

+func (b *LocalBackend) checkFunnelEnabledLocked(p *ipn.Prefs) error {
+ if p.ShieldsUp && b.serveConfig.IsFunnelOn() {
+ return errors.New("Cannot enable shields-up when Funnel is enabled.")
+ }
+ return nil
+}
+
 func (b *LocalBackend) EditPrefs(mp *ipn.MaskedPrefs) (ipn.PrefsView, error) {
 b.mu.Lock()
 if mp.EggSet {
diff --git a/ipn/ipnlocal/serve.go b/ipn/ipnlocal/serve.go
index 5b9f1e943..7b49db5ee 100644
--- a/ipn/ipnlocal/serve.go
+++ b/ipn/ipnlocal/serve.go
@@ -218,6 +218,11 @@ func (b *LocalBackend) SetServeConfig(config *ipn.ServeConfig) error {
 b.mu.Lock()
 defer b.mu.Unlock()

+ prefs := b.pm.CurrentPrefs()
+ if config.IsFunnelOn() && prefs.ShieldsUp() {
+ return errors.New("Unable to turn on Funnel while shields-up is enabled")
+ }
+
 nm := b.netMap
 if nm == nil {
 return errors.New("netMap is nil")
diff --git a/ipn/serve.go b/ipn/serve.go
index 701c32f57..0dda5e251 100644
--- a/ipn/serve.go
+++ b/ipn/serve.go
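Review bot: checkFunnelEnabledLocked in ipn/ipnlocal/local.go rejects any candidate prefs that have ShieldsUp set while Funnel is on, so it fires on every prefs edit for a node already in that state, not only on the edit that turns shields-up on. If such a state can exist (for example saved before this change, which is not visible here), unrelated edits would fail with a message about enabling shields-up, and nothing in the patch turns Funnel off for that node. A message that names the conflict is accurate in both cases and follows Go error-string style: `return errors.New("shields-up and Funnel cannot both be enabled")`. The function also has no doc comment; `// checkFunnelEnabledLocked returns an error if p has ShieldsUp set while b.serveConfig has Funnel on. b.mu must be held.` would state its contract (the lock requirement is inferred from the Locked suffix and should be confirmed).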
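Review bot: In the ipn/ipnlocal/serve.go hunk, `config.IsFunnelOn()` and `prefs.ShieldsUp()` are called before anything checks that config is non-nil or that the prefs view returned by b.pm.CurrentPrefs() holds a value. Whether that is safe depends on (*ServeConfig).IsFunnelOn tolerating a nil receiver, and its body lies outside this patch; the same applies to `b.serveConfig.IsFunnelOn()` in local.go and to the new view wrapper in ipn/serve.go, which forwards to `v.ж` unconditionally. If a nil config is how callers clear the serve config, guard it explicitly: `if config != nil && config.IsFunnelOn() && prefs.ShieldsUp() {`. SetServeConfig's body continues outside the hunk.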
@@ -163,6 +163,12 @@ func (sc *ServeConfig) IsServingWeb(port uint16) bool {
 return sc.TCP[port].HTTPS
 }

+// IsFunnelOn checks if ServeConfig is currently allowing
+// funnel traffic for any host:port.
+//
+// View version of ServeConfig.IsFunnelOn.
+func (v ServeConfigView) IsFunnelOn() bool { return v.ж.IsFunnelOn() }
+
 // IsFunnelOn checks if ServeConfig is currently allowing
 // funnel traffic for any host:port.
 func (sc *ServeConfig) IsFunnelOn() bool {