tailfs: listen for local clients only on 100.100.100.100

FileSystemForLocal was listening on the node's Tailscale address,
which potentially exposes the user's view of TailFS shares to other
Tailnet users. Remote nodes should connect to exported shares via
the peerapi.

This removes that code so that FileSystemForLocal is only avaialable
on 100.100.100.100:8080.

Updates tailscale/corp#16827

Signed-off-by: Percy Wegmann <percy@tailscale.com>

Author: oxtoacart

ipn/ipnlocal/local.go

@@ -287,8 +287,6 @@ type LocalBackend struct {
 	serveListeners     map[netip.AddrPort]*localListener // listeners for local serve traffic
 	serveProxyHandlers sync.Map                          // string (HTTPHandler.Proxy) => *reverseProxy
 
-	tailFSListeners map[netip.AddrPort]*localListener // listeners for local tailfs traffic
-
 	// statusLock must be held before calling statusChanged.Wait() or
 	// statusChanged.Broadcast().
 	statusLock    sync.Mutex
@@ -4770,10 +4768,6 @@ func (b *LocalBackend) setTCPPortsInterceptedFromNetmapAndPrefsLocked(prefs ipn.
 		}
 	}
 
-	if !b.sys.IsNetstack() {
-		b.updateTailFSListenersLocked()
-	}
-
 	b.reloadServeConfigLocked(prefs)
 	if b.serveConfig.Valid() {
 		servePorts := make([]uint16, 0, 3)

ipn/ipnlocal/tailfs.go

@@ -4,22 +4,16 @@
 package ipnlocal
 
 import (
-	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"net"
-	"net/netip"
 	"os"
 	"regexp"
 	"strings"
-	"time"
 
 	"tailscale.com/ipn"
-	"tailscale.com/logtail/backoff"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tailfs"
-	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 )
 
@@ -241,60 +235,6 @@ func (b *LocalBackend) tailFSGetSharesLocked() (map[string]*tailfs.Share, error)
 	return shares, nil
 }
 
-// updateTailFSListenersLocked creates listeners on the local TailFS port.
-// This is needed to properly route local traffic when using kernel networking
-// mode.
-func (b *LocalBackend) updateTailFSListenersLocked() {
-	if b.netMap == nil {
-		return
-	}
-
-	addrs := b.netMap.GetAddresses()
-	oldListeners := b.tailFSListeners
-	newListeners := make(map[netip.AddrPort]*localListener, addrs.Len())
-	for i := range addrs.LenIter() {
-		if fs, ok := b.sys.TailFSForLocal.GetOK(); ok {
-			addrPort := netip.AddrPortFrom(addrs.At(i).Addr(), TailFSLocalPort)
-			if sl, ok := b.tailFSListeners[addrPort]; ok {
-				newListeners[addrPort] = sl
-				delete(oldListeners, addrPort)
-				continue // already listening
-			}
-
-			sl := b.newTailFSListener(context.Background(), fs, addrPort, b.logf)
-			newListeners[addrPort] = sl
-			go sl.Run()
-		}
-	}
-
-	// At this point, anything left in oldListeners can be stopped.
-	for _, sl := range oldListeners {
-		sl.cancel()
-	}
-}
-
-// newTailFSListener returns a listener for local connections to a tailfs
-// WebDAV FileSystem.
-func (b *LocalBackend) newTailFSListener(ctx context.Context, fs tailfs.FileSystemForLocal, ap netip.AddrPort, logf logger.Logf) *localListener {
-	ctx, cancel := context.WithCancel(ctx)
-	return &localListener{
-		b:      b,
-		ap:     ap,
-		ctx:    ctx,
-		cancel: cancel,
-		logf:   logf,
-
-		handler: func(conn net.Conn) error {
-			if !b.TailFSAccessEnabled() {
-				conn.Close()
-				return nil
-			}
-			return fs.HandleConn(conn, conn.RemoteAddr())
-		},
-		bo: backoff.NewBackoff(fmt.Sprintf("tailfs-listener-%d", ap.Port()), logf, 30*time.Second),
-	}
-}
-
 // updateTailFSPeersLocked sets all applicable peers from the netmap as tailfs
 // remotes.
 func (b *LocalBackend) updateTailFSPeersLocked(nm *netmap.NetworkMap) {

wgengine/netstack/netstack.go

@@ -919,10 +919,10 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) {
 		return gonet.NewTCPConn(&wq, ep)
 	}
 
-	// Local DNS Service (DNS and WebDAV)
+	// Local Services (DNS and WebDAV)
 	hittingServiceIP := dialIP == serviceIP || dialIP == serviceIPv6
 	hittingDNS := hittingServiceIP && reqDetails.LocalPort == 53
-	hittingTailFS := hittingServiceIP && ns.tailFSForLocal != nil && reqDetails.LocalPort == 8080
+	hittingTailFS := hittingServiceIP && ns.tailFSForLocal != nil && reqDetails.LocalPort == ipnlocal.TailFSLocalPort
 	if hittingDNS || hittingTailFS {
 		c := getConnOrReset()
 		if c == nil {