tailfs: listen for local clients only on 100.100.100.100

FileSystemForLocal was listening on the node's Tailscale address, which potentially exposes the user's view of TailFS shares to other Tailnet users. Remote nodes should connect to exported shares via the peerapi. This removes that code so that FileSystemForLocal is only avaialable on 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
3 months ago · c42a4e407a
parent d0ef3a25df
commit c42a4e407a
3 changed files with 2 additions and 68 deletions
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@ -287,8 +287,6 @@ type LocalBackend struct {
 	serveListeners     map[netip.AddrPort]*localListener // listeners for local serve traffic
 	serveProxyHandlers sync.Map                          // string (HTTPHandler.Proxy) => *reverseProxy

-	tailFSListeners map[netip.AddrPort]*localListener // listeners for local tailfs traffic
-
 	// statusLock must be held before calling statusChanged.Wait() or
 	// statusChanged.Broadcast().
 	statusLock    sync.Mutex
@ -4770,10 +4768,6 @@ func (b *LocalBackend) setTCPPortsInterceptedFromNetmapAndPrefsLocked(prefs ipn.
 		}
 	}

-	if !b.sys.IsNetstack() {
-		b.updateTailFSListenersLocked()
-	}
-
 	b.reloadServeConfigLocked(prefs)
 	if b.serveConfig.Valid() {
 		servePorts := make([]uint16, 0, 3)
--- a/ipn/ipnlocal/tailfs.go
+++ b/ipn/ipnlocal/tailfs.go
@ -4,22 +4,16 @@
 package ipnlocal

 import (
-	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"net"
-	"net/netip"
 	"os"
 	"regexp"
 	"strings"
-	"time"

 	"tailscale.com/ipn"
-	"tailscale.com/logtail/backoff"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tailfs"
-	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 )

@ -241,60 +235,6 @@ func (b *LocalBackend) tailFSGetSharesLocked() (map[string]*tailfs.Share, error)
 	return shares, nil
 }

-// updateTailFSListenersLocked creates listeners on the local TailFS port.
-// This is needed to properly route local traffic when using kernel networking
-// mode.
-func (b *LocalBackend) updateTailFSListenersLocked() {
-	if b.netMap == nil {
-		return
-	}
-
-	addrs := b.netMap.GetAddresses()
-	oldListeners := b.tailFSListeners
-	newListeners := make(map[netip.AddrPort]*localListener, addrs.Len())
-	for i := range addrs.LenIter() {
-		if fs, ok := b.sys.TailFSForLocal.GetOK(); ok {
-			addrPort := netip.AddrPortFrom(addrs.At(i).Addr(), TailFSLocalPort)
-			if sl, ok := b.tailFSListeners[addrPort]; ok {
-				newListeners[addrPort] = sl
-				delete(oldListeners, addrPort)
-				continue // already listening
-			}
-
-			sl := b.newTailFSListener(context.Background(), fs, addrPort, b.logf)
-			newListeners[addrPort] = sl
-			go sl.Run()
-		}
-	}
-
-	// At this point, anything left in oldListeners can be stopped.
-	for _, sl := range oldListeners {
-		sl.cancel()
-	}
-}
-
-// newTailFSListener returns a listener for local connections to a tailfs
-// WebDAV FileSystem.
-func (b *LocalBackend) newTailFSListener(ctx context.Context, fs tailfs.FileSystemForLocal, ap netip.AddrPort, logf logger.Logf) *localListener {
-	ctx, cancel := context.WithCancel(ctx)
-	return &localListener{
-		b:      b,
-		ap:     ap,
-		ctx:    ctx,
-		cancel: cancel,
-		logf:   logf,
-
-		handler: func(conn net.Conn) error {
-			if !b.TailFSAccessEnabled() {
-				conn.Close()
-				return nil
-			}
-			return fs.HandleConn(conn, conn.RemoteAddr())
-		},
-		bo: backoff.NewBackoff(fmt.Sprintf("tailfs-listener-%d", ap.Port()), logf, 30*time.Second),
-	}
-}
-
 // updateTailFSPeersLocked sets all applicable peers from the netmap as tailfs
 // remotes.
 func (b *LocalBackend) updateTailFSPeersLocked(nm *netmap.NetworkMap) {
--- a/wgengine/netstack/netstack.go
+++ b/wgengine/netstack/netstack.go
@ -919,10 +919,10 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) {
 		return gonet.NewTCPConn(&wq, ep)
 	}

-	// Local DNS Service (DNS and WebDAV)
+	// Local Services (DNS and WebDAV)
 	hittingServiceIP := dialIP == serviceIP || dialIP == serviceIPv6
 	hittingDNS := hittingServiceIP && reqDetails.LocalPort == 53
-	hittingTailFS := hittingServiceIP && ns.tailFSForLocal != nil && reqDetails.LocalPort == 8080
+	hittingTailFS := hittingServiceIP && ns.tailFSForLocal != nil && reqDetails.LocalPort == ipnlocal.TailFSLocalPort
 	if hittingDNS || hittingTailFS {
 		c := getConnOrReset()
 		if c == nil {