ipn/ipnlocal: disallow unsigned peers from WoL

Unsigned peers should not be allowed to generate Wake-on-Lan packets, only access Funnel. Updates tailscale#6934 Updates tailscale#7515 Updates tailscale#6475 Signed-off-by: James Tucker <james@tailscale.com>
appbricks · Jan 10, 2023 · 2afa167 · 2afa167
1 parent 237b110
commit 2afa167
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/ipn/ipnlocal/peerapi.go b/ipn/ipnlocal/peerapi.go
@@ -903,6 +903,9 @@ func (h *peerAPIHandler) canDebug() bool {
 
 // canWakeOnLAN reports whether h can send a Wake-on-LAN packet from this node.
 func (h *peerAPIHandler) canWakeOnLAN() bool {
+	if h.peerNode.UnsignedPeerAPIOnly {
+		return false
+	}
 	return h.isSelf || h.peerHasCap(tailcfg.CapabilityWakeOnLAN)
 }