Add prefs.ShieldsUp and --shields-up option.
This sets a default packet filter that blocks all incoming requests, giving end users more control over who can get into their machine, even if the admin hasn't set any central ACLs.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
+7
-6
@@ -352,14 +352,13 @@ func (b *LocalBackend) Start(opts Options) error {
|
||||
}
|
||||
|
||||
func (b *LocalBackend) updateFilter(netMap *controlclient.NetworkMap) {
|
||||
if !b.Prefs().UsePacketFilter {
|
||||
b.e.SetFilter(filter.NewAllowAll())
|
||||
} else if netMap == nil {
|
||||
// Not configured yet, block everything
|
||||
// TODO(apenwarr): don't replace filter at all if unchanged.
|
||||
// TODO(apenwarr): print a diff instead of full filter.
|
||||
if netMap == nil || b.Prefs().ShieldsUp {
|
||||
// Not configured yet or shields up, block everything
|
||||
b.logf("netmap packet filter: (shields up)")
|
||||
b.e.SetFilter(filter.NewAllowNone())
|
||||
} else {
|
||||
// TODO(apenwarr): don't replace filter at all if unchanged.
|
||||
// TODO(apenwarr): print a diff instead of full filter.
|
||||
now := time.Now()
|
||||
if now.Sub(b.lastFilterPrint) > 1*time.Minute {
|
||||
b.logf("netmap packet filter: %v", b.netMapCache.PacketFilter)
|
||||
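Review bot: The new branch logs `netmap packet filter: (shields up)` for both `netMap == nil` and `b.Prefs().ShieldsUp`, so a node that simply has no netmap yet is reported as shields-up, and anyone reading logs to confirm that a user actually enabled the option cannot tell the two cases apart. Distinguishing the cause costs three lines: `reason := "shields up"`, `if netMap == nil { reason = "not configured yet" }`, `b.logf("netmap packet filter: (%s)", reason)`. A doc comment on updateFilter would also help, since the precedence is now the security contract: something like `// updateFilter installs the packet filter for netMap. ShieldsUp, or the absence of a netmap, takes precedence over the netmap's PacketFilter and installs an allow-none filter (fail closed).` Whether the allow-none filter also affects replies to this node's own outbound traffic depends on filter semantics not visible here; if it is not stateful, that is worth stating in the comment too. updateFilter's body continues past the end of the hunk.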
@@ -616,6 +615,8 @@ func (b *LocalBackend) SetPrefs(new *Prefs) {
|
||||
cli.SetHostinfo(newHi)
|
||||
}
|
||||
|
||||
b.updateFilter(b.netMapCache)
|
||||
|
||||
if old.WantRunning != new.WantRunning {
|
||||
b.stateMachine()
|
||||
} else {
|
||||
|
||||
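Review bot: The added `b.updateFilter(b.netMapCache)` relies on updateFilter reading `b.Prefs().ShieldsUp`, so it only takes effect if b.prefs has already been replaced with `new` earlier in SetPrefs, which is outside this hunk; if that assignment happens later, the filter would lag one SetPrefs call behind the setting. A short comment would make the dependency explicit: `// b.prefs must already be new here: updateFilter reads ShieldsUp through b.Prefs().` Re-applying the filter unconditionally rather than only when `old.ShieldsUp != new.ShieldsUp` is the safer choice, since it cannot miss a change, though it does replace the filter on every preference update, which the TODO in updateFilter already notes. SetPrefs starts and ends outside the hunk.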