From c42a4e407a9fcaccdf29a275dcb9bbbd3040bb59 Mon Sep 17 00:00:00 2001 From: Percy Wegmann Date: Sun, 11 Feb 2024 15:01:59 -0600 Subject: [PATCH] tailfs: listen for local clients only on 100.100.100.100 FileSystemForLocal was listening on the node's Tailscale address, which potentially exposes the user's view of TailFS shares to other Tailnet users. Remote nodes should connect to exported shares via the peerapi. This removes that code so that FileSystemForLocal is only avaialable on 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann --- ipn/ipnlocal/local.go | 6 ---- ipn/ipnlocal/tailfs.go | 60 ----------------------------------- wgengine/netstack/netstack.go | 4 +-- 3 files changed, 2 insertions(+), 68 deletions(-) diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go index 13d13718f..1f11fa1a1 100644 --- a/ipn/ipnlocal/local.go +++ b/ipn/ipnlocal/local.go @@ -287,8 +287,6 @@ type LocalBackend struct { serveListeners map[netip.AddrPort]*localListener // listeners for local serve traffic serveProxyHandlers sync.Map // string (HTTPHandler.Proxy) => *reverseProxy - tailFSListeners map[netip.AddrPort]*localListener // listeners for local tailfs traffic - // statusLock must be held before calling statusChanged.Wait() or // statusChanged.Broadcast(). statusLock sync.Mutex @@ -4770,10 +4768,6 @@ func (b *LocalBackend) setTCPPortsInterceptedFromNetmapAndPrefsLocked(prefs ipn. } } - if !b.sys.IsNetstack() { - b.updateTailFSListenersLocked() - } - b.reloadServeConfigLocked(prefs) if b.serveConfig.Valid() { servePorts := make([]uint16, 0, 3) diff --git a/ipn/ipnlocal/tailfs.go b/ipn/ipnlocal/tailfs.go index 4a3b83104..d06599661 100644 --- a/ipn/ipnlocal/tailfs.go +++ b/ipn/ipnlocal/tailfs.go @@ -4,22 +4,16 @@ package ipnlocal import ( - "context" "encoding/json" "errors" "fmt" - "net" - "net/netip" "os" "regexp" "strings" - "time" "tailscale.com/ipn" - "tailscale.com/logtail/backoff" "tailscale.com/tailcfg" "tailscale.com/tailfs" - "tailscale.com/types/logger" "tailscale.com/types/netmap" ) @@ -241,60 +235,6 @@ func (b *LocalBackend) tailFSGetSharesLocked() (map[string]*tailfs.Share, error) return shares, nil } -// updateTailFSListenersLocked creates listeners on the local TailFS port. -// This is needed to properly route local traffic when using kernel networking -// mode. -func (b *LocalBackend) updateTailFSListenersLocked() { - if b.netMap == nil { - return - } - - addrs := b.netMap.GetAddresses() - oldListeners := b.tailFSListeners - newListeners := make(map[netip.AddrPort]*localListener, addrs.Len()) - for i := range addrs.LenIter() { - if fs, ok := b.sys.TailFSForLocal.GetOK(); ok { - addrPort := netip.AddrPortFrom(addrs.At(i).Addr(), TailFSLocalPort) - if sl, ok := b.tailFSListeners[addrPort]; ok { - newListeners[addrPort] = sl - delete(oldListeners, addrPort) - continue // already listening - } - - sl := b.newTailFSListener(context.Background(), fs, addrPort, b.logf) - newListeners[addrPort] = sl - go sl.Run() - } - } - - // At this point, anything left in oldListeners can be stopped. - for _, sl := range oldListeners { - sl.cancel() - } -} - -// newTailFSListener returns a listener for local connections to a tailfs -// WebDAV FileSystem. -func (b *LocalBackend) newTailFSListener(ctx context.Context, fs tailfs.FileSystemForLocal, ap netip.AddrPort, logf logger.Logf) *localListener { - ctx, cancel := context.WithCancel(ctx) - return &localListener{ - b: b, - ap: ap, - ctx: ctx, - cancel: cancel, - logf: logf, - - handler: func(conn net.Conn) error { - if !b.TailFSAccessEnabled() { - conn.Close() - return nil - } - return fs.HandleConn(conn, conn.RemoteAddr()) - }, - bo: backoff.NewBackoff(fmt.Sprintf("tailfs-listener-%d", ap.Port()), logf, 30*time.Second), - } -} - // updateTailFSPeersLocked sets all applicable peers from the netmap as tailfs // remotes. func (b *LocalBackend) updateTailFSPeersLocked(nm *netmap.NetworkMap) { diff --git a/wgengine/netstack/netstack.go b/wgengine/netstack/netstack.go index 2df8e2bb9..c58f11023 100644 --- a/wgengine/netstack/netstack.go +++ b/wgengine/netstack/netstack.go @@ -919,10 +919,10 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) { return gonet.NewTCPConn(&wq, ep) } - // Local DNS Service (DNS and WebDAV) + // Local Services (DNS and WebDAV) hittingServiceIP := dialIP == serviceIP || dialIP == serviceIPv6 hittingDNS := hittingServiceIP && reqDetails.LocalPort == 53 - hittingTailFS := hittingServiceIP && ns.tailFSForLocal != nil && reqDetails.LocalPort == 8080 + hittingTailFS := hittingServiceIP && ns.tailFSForLocal != nil && reqDetails.LocalPort == ipnlocal.TailFSLocalPort if hittingDNS || hittingTailFS { c := getConnOrReset() if c == nil {