cmd/tailscale: add missing set flags for linux
We were missing `snat-subnet-routes`, `stateful-filtering` and `netfilter-mode`. Add those to set too. Fixes #12061 Signed-off-by: Maisem Ali <maisem@tailscale.com>
This commit is contained in:
Maisem Ali
Maisem Ali
parent
ac638f32c0
commit
21abb7f402
|
|
@ -58,6 +58,9 @@ type setArgsT struct {
|
||||||
updateCheck bool
|
updateCheck bool
|
||||||
updateApply bool
|
updateApply bool
|
||||||
postureChecking bool
|
postureChecking bool
|
||||||
|
snat bool
|
||||||
|
statefulFiltering bool
|
||||||
|
netfilterMode string
|
||||||
}
|
}
|
||||||
|
|
||||||
func newSetFlagSet(goos string, setArgs *setArgsT) *flag.FlagSet {
|
func newSetFlagSet(goos string, setArgs *setArgsT) *flag.FlagSet {
|
||||||
|
|
@ -98,6 +101,10 @@ func newSetFlagSet(goos string, setArgs *setArgsT) *flag.FlagSet {
|
||||||
setf.StringVar(&setArgs.opUser, "operator", "", "Unix username to allow to operate on tailscaled without sudo")
|
setf.StringVar(&setArgs.opUser, "operator", "", "Unix username to allow to operate on tailscaled without sudo")
|
||||||
}
|
}
|
||||||
switch goos {
|
switch goos {
|
||||||
|
case "linux":
|
||||||
|
setf.BoolVar(&setArgs.snat, "snat-subnet-routes", true, "source NAT traffic to local routes advertised with --advertise-routes")
|
||||||
|
setf.BoolVar(&setArgs.statefulFiltering, "stateful-filtering", true, "apply stateful filtering to forwarded packets (subnet routers, exit nodes, etc.)")
|
||||||
|
setf.StringVar(&setArgs.netfilterMode, "netfilter-mode", defaultNetfilterMode(), "netfilter mode (one of on, nodivert, off)")
|
||||||
case "windows":
|
case "windows":
|
||||||
setf.BoolVar(&setArgs.forceDaemon, "unattended", false, "run in \"Unattended Mode\" where Tailscale keeps running even after the current GUI user logs out (Windows-only)")
|
setf.BoolVar(&setArgs.forceDaemon, "unattended", false, "run in \"Unattended Mode\" where Tailscale keeps running even after the current GUI user logs out (Windows-only)")
|
||||||
}
|
}
|
||||||
|
|
@ -121,6 +128,9 @@ func runSet(ctx context.Context, args []string) (retErr error) {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Note that even though we set the values here regardless of whether the
|
||||||
|
// user passed the flag, the value is only used if the user passed the flag.
|
||||||
|
// See updateMaskedPrefsFromUpOrSetFlag.
|
||||||
maskedPrefs := &ipn.MaskedPrefs{
|
maskedPrefs := &ipn.MaskedPrefs{
|
||||||
Prefs: ipn.Prefs{
|
Prefs: ipn.Prefs{
|
||||||
ProfileName: setArgs.profileName,
|
ProfileName: setArgs.profileName,
|
||||||
|
|
@ -132,6 +142,7 @@ func runSet(ctx context.Context, args []string) (retErr error) {
|
||||||
RunWebClient: setArgs.runWebClient,
|
RunWebClient: setArgs.runWebClient,
|
||||||
Hostname: setArgs.hostname,
|
Hostname: setArgs.hostname,
|
||||||
OperatorUser: setArgs.opUser,
|
OperatorUser: setArgs.opUser,
|
||||||
|
NoSNAT: !setArgs.snat,
|
||||||
ForceDaemon: setArgs.forceDaemon,
|
ForceDaemon: setArgs.forceDaemon,
|
||||||
AutoUpdate: ipn.AutoUpdatePrefs{
|
AutoUpdate: ipn.AutoUpdatePrefs{
|
||||||
Check: setArgs.updateCheck,
|
Check: setArgs.updateCheck,
|
||||||
|
|
@ -140,10 +151,22 @@ func runSet(ctx context.Context, args []string) (retErr error) {
|
||||||
AppConnector: ipn.AppConnectorPrefs{
|
AppConnector: ipn.AppConnectorPrefs{
|
||||||
Advertise: setArgs.advertiseConnector,
|
Advertise: setArgs.advertiseConnector,
|
||||||
},
|
},
|
||||||
PostureChecking: setArgs.postureChecking,
|
PostureChecking: setArgs.postureChecking,
|
||||||
|
NoStatefulFiltering: opt.NewBool(!setArgs.statefulFiltering),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if effectiveGOOS() == "linux" {
|
||||||
|
nfMode, warning, err := netfilterModeFromFlag(setArgs.netfilterMode)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if warning != "" {
|
||||||
|
warnf(warning)
|
||||||
|
}
|
||||||
|
maskedPrefs.Prefs.NetfilterMode = nfMode
|
||||||
|
}
|
||||||
|
|
||||||
if setArgs.exitNodeIP != "" {
|
if setArgs.exitNodeIP != "" {
|
||||||
if err := maskedPrefs.Prefs.SetExitNodeIP(setArgs.exitNodeIP, st); err != nil {
|
if err := maskedPrefs.Prefs.SetExitNodeIP(setArgs.exitNodeIP, st); err != nil {
|
||||||
var e ipn.ExitNodeLocalIPError
|
var e ipn.ExitNodeLocalIPError
|
||||||
|
|
|
||||||
|
|
@ -295,25 +295,42 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
|
||||||
|
|
||||||
// Backfills for NoStatefulFiltering occur when loading a profile; just set it explicitly here.
|
// Backfills for NoStatefulFiltering occur when loading a profile; just set it explicitly here.
|
||||||
prefs.NoStatefulFiltering.Set(!upArgs.statefulFiltering)
|
prefs.NoStatefulFiltering.Set(!upArgs.statefulFiltering)
|
||||||
|
v, warning, err := netfilterModeFromFlag(upArgs.netfilterMode)
|
||||||
switch upArgs.netfilterMode {
|
if err != nil {
|
||||||
case "on":
|
return nil, err
|
||||||
prefs.NetfilterMode = preftype.NetfilterOn
|
}
|
||||||
case "nodivert":
|
prefs.NetfilterMode = v
|
||||||
prefs.NetfilterMode = preftype.NetfilterNoDivert
|
if warning != "" {
|
||||||
warnf("netfilter=nodivert; add iptables calls to ts-* chains manually.")
|
warnf(warning)
|
||||||
case "off":
|
|
||||||
prefs.NetfilterMode = preftype.NetfilterOff
|
|
||||||
if defaultNetfilterMode() != "off" {
|
|
||||||
warnf("netfilter=off; configure iptables yourself.")
|
|
||||||
}
|
|
||||||
default:
|
|
||||||
return nil, fmt.Errorf("invalid value --netfilter-mode=%q", upArgs.netfilterMode)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return prefs, nil
|
return prefs, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// netfilterModeFromFlag returns the preftype.NetfilterMode for the provided
|
||||||
|
// flag value. It returns a warning if there is something the user should know
|
||||||
|
// about the value.
|
||||||
|
func netfilterModeFromFlag(v string) (_ preftype.NetfilterMode, warning string, _ error) {
|
||||||
|
switch v {
|
||||||
|
case "on", "nodivert", "off":
|
||||||
|
default:
|
||||||
|
return preftype.NetfilterOn, "", fmt.Errorf("invalid value --netfilter-mode=%q", v)
|
||||||
|
}
|
||||||
|
m, err := preftype.ParseNetfilterMode(v)
|
||||||
|
if err != nil {
|
||||||
|
return preftype.NetfilterOn, "", err
|
||||||
|
}
|
||||||
|
switch m {
|
||||||
|
case preftype.NetfilterNoDivert:
|
||||||
|
warning = "netfilter=nodivert; add iptables calls to ts-* chains manually."
|
||||||
|
case preftype.NetfilterOff:
|
||||||
|
if defaultNetfilterMode() != "off" {
|
||||||
|
warning = "netfilter=off; configure iptables yourself."
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return m, warning, nil
|
||||||
|
}
|
||||||
|
|
||||||
// updatePrefs returns how to edit preferences based on the
|
// updatePrefs returns how to edit preferences based on the
|
||||||
// flag-provided 'prefs' and the currently active 'curPrefs'.
|
// flag-provided 'prefs' and the currently active 'curPrefs'.
|
||||||
//
|
//
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue