ipn/ipnlocal: disallow unsigned peers from WoL

raggi · raggi · commit 2afa1672ac15 · 2023-01-10T15:54:48.000-08:00
Unsigned peers should not be allowed to generate Wake-on-Lan packets, only access Funnel. Updates tailscale#6934 Updates tailscale#7515 Updates tailscale#6475 Signed-off-by: James Tucker <james@tailscale.com>
diff --git a/ipn/ipnlocal/peerapi.go b/ipn/ipnlocal/peerapi.go
@@ -903,6 +903,9 @@ func (h *peerAPIHandler) canDebug() bool {
 
 // canWakeOnLAN reports whether h can send a Wake-on-LAN packet from this node.
 func (h *peerAPIHandler) canWakeOnLAN() bool {
+	if h.peerNode.UnsignedPeerAPIOnly {
+		return false
+	}
 	return h.isSelf || h.peerHasCap(tailcfg.CapabilityWakeOnLAN)
 }
 

Original file line number	Diff line number	Diff line change
`@@ -903,6 +903,9 @@ func (h *peerAPIHandler) canDebug() bool {`
`903`	`903`
`904`	`904`	`// canWakeOnLAN reports whether h can send a Wake-on-LAN packet from this node.`
`905`	`905`	`func (h *peerAPIHandler) canWakeOnLAN() bool {`
	`906`	`+ if h.peerNode.UnsignedPeerAPIOnly {`
	`907`	`+ return false`
	`908`	`+ }`
`906`	`909`	`return h.isSelf \|\| h.peerHasCap(tailcfg.CapabilityWakeOnLAN)`
`907`	`910`	`}`
`908`	`911`