ipn, ipn/policy: filter portlist to a short list of "interesting" ports
Adds new package ipn/policy to be shared between node client & control server.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
pull/241/head
parent
c6aa5b639f
commit
8ca796d144
20
ipn/local.go
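--- a/ipn/local.go
+++ b/ipn/local.go
@@ -16,6 +16,7 @@ import (
 "github.com/tailscale/wireguard-go/wgcfg"
 "tailscale.com/control/controlclient"
 "tailscale.com/ipn/ipnstate"
+"tailscale.com/ipn/policy"
 "tailscale.com/portlist"
 "tailscale.com/tailcfg"
 "tailscale.com/types/empty"
@@ -377,28 +378,15 @@ func (b *LocalBackend) runPoller() {
 }
 sl := []tailcfg.Service{}
 for _, p := range ports {
-var proto tailcfg.ServiceProto
-if p.Proto == "tcp" {
-proto = tailcfg.TCP
-} else if p.Proto == "udp" {
-proto = tailcfg.UDP
-}
-if p.Port == 53 || p.Port == 68 ||
-p.Port == 5353 || p.Port == 5355 {
-// uninteresting system services
-continue
-}
-if p.Proto == "udp" && strings.EqualFold(p.Process, "tailscaled") {
-// Skip our own.
-continue
-}
 s := tailcfg.Service{
-Proto: proto,
+Proto: tailcfg.ServiceProto(p.Proto),
 Port: p.Port,
 Description: p.Process,
 }
+if policy.IsInterestingService(s, version.OS()) {
 sl = append(sl, s)
 }
+}
 
 b.mu.Lock()
 if b.hiCache == nil {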
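Review bot: `Proto: tailcfg.ServiceProto(p.Proto)` replaces the explicit tcp/udp mapping with a raw string conversion, so the `s.Proto != tailcfg.TCP` check inside policy.IsInterestingService only works if portlist's proto strings are byte-identical to the tailcfg constants (the removed code compared against the lowercase "tcp"/"udp", so that presumably holds, but any other value now passes through unmapped instead of collapsing to the zero ServiceProto). A one-line comment such as `// portlist reports "tcp"/"udp", which are tailcfg.ServiceProto's values.` would pin that assumption where the conversion happens. Relocating the filter also drops the old exclusion of ports 53, 68, 5353 and 5355: on non-Windows the new policy accepts every TCP listener, so a local TCP resolver on 53 is now advertised to peers where it was previously hidden, and if that is intended it belongs in the policy doc comment (the new policy file below has the same gap). runPoller begins and ends outside this hunk, and `version` is not imported in the hunk shown, so it is presumably already in scope.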
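--- /dev/null
+++ b/NEW_FILE_PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,42 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package policy contains various policy decisions that need to be
+// shared between the node client & control server.
+package policy
+
+import "tailscale.com/tailcfg"
+
+// IsInterestingService reports whether service s on the given operating
+// system (a version.OS value) is an interesting enough port to report
+// to our peer nodes for discovery purposes.
+func IsInterestingService(s tailcfg.Service, os string) bool {
+if s.Proto != tailcfg.TCP {
+return false
+}
+if os != "windows" {
+// For non-Windows machines, assume all TCP listeners
+// are interesting enough. We don't see listener spam
+// there.
+return true
+}
+// Windows has tons of TCP listeners. We need to move to a blacklist
+// model later, but for now we just whitelist some common ones:
+switch s.Port {
+case 22, // ssh
+80, // http
+443, // https (but no hostname, so little useless)
+3389, // rdp
+5900, // vnc
+32400, // plex
+
+// And now some arbitary HTTP dev server ports:
+// Eventually we'll remove this and make all ports
+// work, once we nicely filter away noisy system
+// ports.
+8000, 8080, 8443, 8888:
+return true
+}
+return false
+}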