authorClaire Wang <claire@tailscale.com>2024-03-27 15:45:02 -0400
committerClaire Wang <claire@tailscale.com>2024-04-03 15:24:58 -0400
commit78c36f53fee9f03eff7ef09ada79662424db8a15 (patch)
tree8dba65a6f67d4d8ef1b29d6845ed70ac02def2e3 /ipn
parent92d3f64e95dc7b33fb19f03223d5ba4aa3331d8c (diff)
exit node dst wip (enable-exit-node-dst-logs)
Diffstat (limited to 'ipn')
-rw-r--r--ipn/ipnlocal/local.go15
-rw-r--r--ipn/prefs.go62
2 files changed, 50 insertions, 27 deletions
diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index 2ae020df7..010462a56 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -1150,6 +1150,9 @@ func (b *LocalBackend) SetControlClientStatus(c controlclient.Client, st control
if setExitNodeID(prefs, st.NetMap) {
prefsChanged = true
}
+ if setExitDstFlowLogs(prefs) {
+ prefsChanged = true
+ }
if applySysPolicy(prefs) {
prefsChanged = true
}
@@ -1335,6 +1338,15 @@ func applySysPolicy(prefs *ipn.Prefs) (anyChange bool) {
return anyChange
}
+func setExitDstFlowLogs(prefs *ipn.Prefs) (anyChange bool) {
+ fmt.Printf("set exit dst flow pref")
+ if enable, err := syspolicy.GetBoolean(syspolicy.ExitDestinationFlowLogs, prefs.ExitDestinationFlowLogs); err == nil && prefs.ExitDestinationFlowLogs != enable {
+ prefs.ExitDestinationFlowLogs = enable
+ anyChange = true
+ }
+ return anyChange
+}
+
var _ controlclient.NetmapDeltaUpdater = (*LocalBackend)(nil)
// UpdateNetmapDelta implements controlclient.NetmapDeltaUpdater.
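Review bot: `fmt.Printf("set exit dst flow pref")` in the new setExitDstFlowLogs writes a newline-less debug string to the daemon's stdout each time SetControlClientStatus or setPrefsLockedOnEntry reaches it (both call sites are in this commit); it should be dropped, and if a trace is still wanted it belongs on the backend's logf like the rest of this file. The helper also has no doc comment and silently treats any error from syspolicy.GetBoolean as "keep the existing pref", so an unreadable policy store leaves the user-chosen value in place; that is presumably the intended fallback, but since this pref decides whether exit-node destinations are recorded in flow logs, it is worth stating, e.g. `// setExitDstFlowLogs applies the ExitDestinationFlowLogs system policy to prefs, keeping the existing value when the policy is unset or cannot be read. It reports whether prefs changed.` A one-line comment on why this is a separate helper rather than part of applySysPolicy, which it sits next to and mirrors, would also help the next reader.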
@@ -3247,6 +3259,7 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) ipn
// everything in this function treats b.prefs as completely new
// anyway. No-op if no exit node resolution is needed.
setExitNodeID(newp, netMap)
+ setExitDstFlowLogs(newp)
// applySysPolicy does likewise so we can also ignore its return value.
applySysPolicy(newp)
// We do this to avoid holding the lock while doing everything else.
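Review bot: the new `setExitDstFlowLogs(newp)` call is placed between the comment explaining why setExitNodeID's result is ignored and the one saying "applySysPolicy does likewise", so the second comment now reads as if it referred to the wrong call. Either move the new line after `applySysPolicy(newp)` or give it its own comment: `// setExitDstFlowLogs also mutates newp in place; its result is not needed here.` setPrefsLockedOnEntry starts and ends outside this hunk.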
@@ -3628,6 +3641,8 @@ func (b *LocalBackend) authReconfig() {
return
}
+ cfg.NetworkLogging.ExitDestinationFlowLogs = prefs.ExitDestinationFlowLogs()
+
oneCGNATRoute := shouldUseOneCGNATRoute(b.logf, b.sys.ControlKnobs(), version.OS())
rcfg := b.routerConfig(cfg, prefs, oneCGNATRoute)
diff --git a/ipn/prefs.go b/ipn/prefs.go
index ef81cd08b..4d0947a47 100644
--- a/ipn/prefs.go
+++ b/ipn/prefs.go
@@ -109,6 +109,9 @@ type Prefs struct {
// routed directly or via the exit node.
ExitNodeAllowLANAccess bool
+ // ExitDestinationFlowLogs indicates whether exit node destination is recorded in network flow logs.
+ ExitDestinationFlowLogs bool
+
// CorpDNS specifies whether to install the Tailscale network's
// DNS configuration, if it exists.
CorpDNS bool
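Review bot: the doc comment on the new ExitDestinationFlowLogs field does not say that the value can be forced: the ipnlocal hunk in this same commit lets the ExitDestinationFlowLogs system policy overwrite whatever the user set, and because the field controls whether the destinations of traffic routed through an exit node are recorded in network flow logs, UI and CLI code reading this pref should know it may not be user-editable. Suggested wording: `// ExitDestinationFlowLogs indicates whether the destination of traffic routed through an exit node is recorded in network flow logs. It may be overridden by the ExitDestinationFlowLogs system policy.` The diffstat shows only local.go and prefs.go changed; if ipn/prefs_test.go keeps a list of Prefs fields to check Equals coverage, it presumably needs the new field added as well.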
@@ -274,33 +277,34 @@ type AppConnectorPrefs struct {
type MaskedPrefs struct {
Prefs
- ControlURLSet bool `json:",omitempty"`
- RouteAllSet bool `json:",omitempty"`
- AllowSingleHostsSet bool `json:",omitempty"`
- ExitNodeIDSet bool `json:",omitempty"`
- ExitNodeIPSet bool `json:",omitempty"`
- ExitNodeAllowLANAccessSet bool `json:",omitempty"`
- CorpDNSSet bool `json:",omitempty"`
- RunSSHSet bool `json:",omitempty"`
- RunWebClientSet bool `json:",omitempty"`
- WantRunningSet bool `json:",omitempty"`
- LoggedOutSet bool `json:",omitempty"`
- ShieldsUpSet bool `json:",omitempty"`
- AdvertiseTagsSet bool `json:",omitempty"`
- HostnameSet bool `json:",omitempty"`
- NotepadURLsSet bool `json:",omitempty"`
- ForceDaemonSet bool `json:",omitempty"`
- EggSet bool `json:",omitempty"`
- AdvertiseRoutesSet bool `json:",omitempty"`
- NoSNATSet bool `json:",omitempty"`
- NetfilterModeSet bool `json:",omitempty"`
- OperatorUserSet bool `json:",omitempty"`
- ProfileNameSet bool `json:",omitempty"`
- AutoUpdateSet AutoUpdatePrefsMask `json:",omitempty"`
- AppConnectorSet bool `json:",omitempty"`
- PostureCheckingSet bool `json:",omitempty"`
- NetfilterKindSet bool `json:",omitempty"`
- DriveSharesSet bool `json:",omitempty"`
+ ControlURLSet bool `json:",omitempty"`
+ RouteAllSet bool `json:",omitempty"`
+ AllowSingleHostsSet bool `json:",omitempty"`
+ ExitDestinationFlowLogsSet bool `json:",omitempty"`
+ ExitNodeIDSet bool `json:",omitempty"`
+ ExitNodeIPSet bool `json:",omitempty"`
+ ExitNodeAllowLANAccessSet bool `json:",omitempty"`
+ CorpDNSSet bool `json:",omitempty"`
+ RunSSHSet bool `json:",omitempty"`
+ RunWebClientSet bool `json:",omitempty"`
+ WantRunningSet bool `json:",omitempty"`
+ LoggedOutSet bool `json:",omitempty"`
+ ShieldsUpSet bool `json:",omitempty"`
+ AdvertiseTagsSet bool `json:",omitempty"`
+ HostnameSet bool `json:",omitempty"`
+ NotepadURLsSet bool `json:",omitempty"`
+ ForceDaemonSet bool `json:",omitempty"`
+ EggSet bool `json:",omitempty"`
+ AdvertiseRoutesSet bool `json:",omitempty"`
+ NoSNATSet bool `json:",omitempty"`
+ NetfilterModeSet bool `json:",omitempty"`
+ OperatorUserSet bool `json:",omitempty"`
+ ProfileNameSet bool `json:",omitempty"`
+ AutoUpdateSet AutoUpdatePrefsMask `json:",omitempty"`
+ AppConnectorSet bool `json:",omitempty"`
+ PostureCheckingSet bool `json:",omitempty"`
+ NetfilterKindSet bool `json:",omitempty"`
+ DriveSharesSet bool `json:",omitempty"`
}
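Review bot: `ExitDestinationFlowLogsSet` is inserted between AllowSingleHostsSet and ExitNodeIDSet, whereas the Prefs field it masks sits after ExitNodeAllowLANAccess; keeping MaskedPrefs in the same order as Prefs makes the two lists easy to check against each other, so placing it directly after `ExitNodeAllowLANAccessSet bool `json:",omitempty"`` would be more consistent. The rest of this hunk is gofmt realignment caused by the longer name, which is fine but hides the single functional line.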
type AutoUpdatePrefsMask struct {
@@ -475,6 +479,9 @@ func (p *Prefs) pretty(goos string) string {
if p.ShieldsUp {
sb.WriteString("shields=true ")
}
+ if p.ExitDestinationFlowLogs {
+ sb.WriteString("exitdestinationflowlogs=true ")
+ }
if p.ExitNodeIP.IsValid() {
fmt.Fprintf(&sb, "exit=%v lan=%t ", p.ExitNodeIP, p.ExitNodeAllowLANAccess)
} else if !p.ExitNodeID.IsZero() {
@@ -545,6 +552,7 @@ func (p *Prefs) Equals(p2 *Prefs) bool {
p.ExitNodeID == p2.ExitNodeID &&
p.ExitNodeIP == p2.ExitNodeIP &&
p.ExitNodeAllowLANAccess == p2.ExitNodeAllowLANAccess &&
+ p.ExitDestinationFlowLogs == p2.ExitDestinationFlowLogs &&
p.CorpDNS == p2.CorpDNS &&
p.RunSSH == p2.RunSSH &&
p.RunWebClient == p2.RunWebClient &&