Merge tag 'v1.38.4' into sunos-1.38

Release 1.38.4
nshalman · Apr 18, 2023 · 1ef27eb · 1ef27eb
2 parents d02885d + 043a345
commit 1ef27eb
Show file tree

Hide file tree

Showing 14 changed files with 543 additions and 75 deletions.
diff --git a/VERSION.txt b/VERSION.txt
@@ -1 +1 @@
-1.38.3
+1.38.4
diff --git a/cmd/tailscale/cli/cli.go b/cmd/tailscale/cli/cli.go
@@ -120,6 +120,8 @@ change in the future.
  pingCmd,
  ncCmd,
  sshCmd,
+ funnelCmd,
+ serveCmd,
  versionCmd,
  webCmd,
  fileCmd,
@@ -147,10 +149,6 @@ change in the future.
  switch {
  case slices.Contains(args, "debug"):
  rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
- case slices.Contains(args, "funnel"):
- rootCmd.Subcommands = append(rootCmd.Subcommands, funnelCmd)
- case slices.Contains(args, "serve"):
- rootCmd.Subcommands = append(rootCmd.Subcommands, serveCmd)
  case slices.Contains(args, "update"):
  rootCmd.Subcommands = append(rootCmd.Subcommands, updateCmd)
  }

diff --git a/cmd/tailscale/cli/funnel.go b/cmd/tailscale/cli/funnel.go
@@ -29,7 +29,7 @@ var funnelCmd = newFunnelCommand(&serveEnv{lc: &localClient})
 func newFunnelCommand(e *serveEnv) *ffcli.Command {
  return &ffcli.Command{
  Name: "funnel",
- ShortHelp: "[BETA] turn Tailscale Funnel on or off",
+ ShortHelp: "Turn on/off Funnel service",
  ShortUsage: strings.TrimSpace(`
 funnel <serve-port> {on|off}
  funnel status [--json]

diff --git a/cmd/tailscale/cli/serve.go b/cmd/tailscale/cli/serve.go
@@ -33,7 +33,7 @@ var serveCmd = newServeCommand(&serveEnv{lc: &localClient})
 func newServeCommand(e *serveEnv) *ffcli.Command {
  return &ffcli.Command{
  Name: "serve",
- ShortHelp: "[BETA] Serve from your Tailscale node",
+ ShortHelp: "Serve content and local servers",
  ShortUsage: strings.TrimSpace(`
 serve https:<port> <mount-point> <source> [off]
  serve tcp:<port> tcp://localhost:<local-port> [off]
@@ -45,7 +45,7 @@ serve https:<port> <mount-point> <source> [off]
 
 The 'tailscale serve' set of commands allows you to serve
 content and local servers from your Tailscale node to
-your tailnet. 
+your tailnet.
 
 You can also choose to enable the Tailscale Funnel with:
 'tailscale funnel on'. Funnel allows you to publish
@@ -66,10 +66,12 @@ EXAMPLES
  - To serve simple static text:
  $ tailscale serve https:8080 / text:"Hello, world!"
 
- - To forward raw TCP packets to a local TCP server on port 5432:
+ - To forward incoming TCP connections on port 2222 to a local TCP server on
+ port 22 (e.g. to run OpenSSH in parallel with Tailscale SSH):
  $ tailscale serve tcp:2222 tcp://localhost:22
 
- - To forward raw, TLS-terminated TCP packets to a local TCP server on port 80:
+ - To accept TCP TLS connections (terminated within tailscaled) proxied to a
+ local plaintext server on port 80:
  $ tailscale serve tls-terminated-tcp:443 tcp://localhost:80
 `),
  Exec: e.runServe,
@@ -451,6 +453,7 @@ func expandProxyTarget(source string) (string, error) {
  if u.Port() != "" {
  url += ":" + u.Port()
  }
+ url += u.Path
  return url, nil
 }
 

diff --git a/cmd/tailscale/cli/serve_test.go b/cmd/tailscale/cli/serve_test.go
@@ -262,6 +262,18 @@ func TestServeConfigMutations(t *testing.T) {
  },
  },
  })
+ add(step{reset: true})
+ add(step{ // support path in proxy
+ command: cmd("https / http://127.0.0.1:3000/foo/bar"),
+ want: &ipn.ServeConfig{
+ TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
+ Web: map[ipn.HostPort]*ipn.WebServerConfig{
+ "foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
+ "/": {Proxy: "http://127.0.0.1:3000/foo/bar"},
+ }},
+ },
+ },
+ })
 
  // tcp
  add(step{reset: true})

diff --git a/go.toolchain.rev b/go.toolchain.rev
@@ -1 +1 @@
-db4dc9046c93dde2c0e534ca7d529bd690ad09c9
+ddff070c02790cb571006e820e58cce9627569cf
diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
@@ -2530,6 +2530,9 @@ func (b *LocalBackend) checkPrefsLocked(p *ipn.Prefs) error {
  if err := b.checkExitNodePrefsLocked(p); err != nil {
  errs = append(errs, err)
  }
+ if err := b.checkFunnelEnabledLocked(p); err != nil {
+ errs = append(errs, err)
+ }
  return multierr.New(errs...)
 }
 
@@ -2614,6 +2617,13 @@ func (b *LocalBackend) checkExitNodePrefsLocked(p *ipn.Prefs) error {
  return nil
 }
 
+func (b *LocalBackend) checkFunnelEnabledLocked(p *ipn.Prefs) error {
+ if p.ShieldsUp && b.serveConfig.IsFunnelOn() {
+ return errors.New("Cannot enable shields-up when Funnel is enabled.")
+ }
+ return nil
+}
+
 func (b *LocalBackend) EditPrefs(mp *ipn.MaskedPrefs) (ipn.PrefsView, error) {
  b.mu.Lock()
  if mp.EggSet {

diff --git a/ipn/ipnlocal/serve.go b/ipn/ipnlocal/serve.go
@@ -218,6 +218,11 @@ func (b *LocalBackend) SetServeConfig(config *ipn.ServeConfig) error {
  b.mu.Lock()
  defer b.mu.Unlock()
 
+ prefs := b.pm.CurrentPrefs()
+ if config.IsFunnelOn() && prefs.ShieldsUp() {
+ return errors.New("Unable to turn on Funnel while shields-up is enabled")
+ }
+
  nm := b.netMap
  if nm == nil {
  return errors.New("netMap is nil")

diff --git a/ipn/serve.go b/ipn/serve.go
@@ -163,6 +163,12 @@ func (sc *ServeConfig) IsServingWeb(port uint16) bool {
  return sc.TCP[port].HTTPS
 }
 
+// IsFunnelOn checks if ServeConfig is currently allowing
+// funnel traffic for any host:port.
+//
+// View version of ServeConfig.IsFunnelOn.
+func (v ServeConfigView) IsFunnelOn() bool { return v.ж.IsFunnelOn() }
+
 // IsFunnelOn checks if ServeConfig is currently allowing
 // funnel traffic for any host:port.
 func (sc *ServeConfig) IsFunnelOn() bool {