client/web: indicate if ACLs prevent access
Use the packet filter rules to determine if any device is allowed to connect on port 5252. This does not check whether a specific device can connect (since we typically don't know the source device when this is used). Nor does it specifically check for wide-open ACLs, which is something we may provide a warning about in the future. Update the login popover content to display information when the src device is unable to connect to the dst device over its Tailscale IP. If we know it's an ACL issue, mention that, otherwise list a couple of things to check. In both cases, link to a placeholder URL to get more information about web client connection issues. Updates #10261 Signed-off-by: Will Norris <will@tailscale.com>
This commit is contained in:
Will Norris
Will Norris
@@ -562,6 +562,9 @@ type nodeData struct {
|
||||
|
||||
ClientVersion *tailcfg.ClientVersion
|
||||
|
||||
// whether tailnet ACLs allow access to port 5252 on this device
|
||||
ACLAllowsAnyIncomingTraffic bool
|
||||
|
||||
ControlAdminURL string
|
||||
LicensesURL string
|
||||
|
||||
@@ -591,6 +594,11 @@ func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request) {
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
filterRules, err := s.lc.DebugPacketFilterRules(r.Context())
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
data := &nodeData{
|
||||
ID: st.Self.ID,
|
||||
Status: st.BackendState,
|
||||
@@ -610,6 +618,8 @@ func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request) {
|
||||
ControlAdminURL: prefs.AdminPageURL(),
|
||||
LicensesURL: licenses.LicensesURL(),
|
||||
Features: availableFeatures(),
|
||||
|
||||
ACLAllowsAnyIncomingTraffic: s.aclsAllowAccess(filterRules),
|
||||
}
|
||||
|
||||
cv, err := s.lc.CheckUpdate(r.Context())
|
||||
@@ -692,6 +702,20 @@ func availableFeatures() map[string]bool {
|
||||
}
|
||||
}
|
||||
|
||||
// aclsAllowAccess returns whether tailnet ACLs (as expressed in the provided filter rules)
|
||||
// permit any devices to access the local web client.
|
||||
// This does not currently check whether a specific device can connect, just any device.
|
||||
func (s *Server) aclsAllowAccess(rules []tailcfg.FilterRule) bool {
|
||||
for _, rule := range rules {
|
||||
for _, dp := range rule.DstPorts {
|
||||
if dp.Ports.Contains(ListenPort) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
type exitNode struct {
|
||||
ID tailcfg.StableNodeID
|
||||
Name string
|
||||
|
||||
Reference in New Issue
Block a user