cmd/tailscale/cli: [up] ignore allow-lan-access revert when no --exit-node

When we aren't using an exit node, the `ExitNodeAllowLANAccess` value is
ignored. Make the CLI have the same behavior and not complain of
accidental reverts of --exit-node-allow-lan-access if there is no
exit-node configured.

Fixes #3752

Signed-off-by: Maisem Ali <maisem@tailscale.com>

cmd/tailscale/cli/cli_test.go

@@ -424,6 +424,57 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 			},
 			want: accidentalUpPrefix + " --hostname=foo --exit-node-allow-lan-access --exit-node=100.2.3.4",
 		},
+		{
+			name:          "exit_node_revert",
+			flags:         []string{"--hostname=foo"},
+			curExitNodeIP: netip.MustParseAddr("100.2.3.4"),
+			curPrefs: &ipn.Prefs{
+				ControlURL:       ipn.DefaultControlURL,
+				AllowSingleHosts: true,
+				CorpDNS:          true,
+				NetfilterMode:    preftype.NetfilterOn,
+				ExitNodeIP:       netip.MustParseAddr("100.2.3.4"),
+			},
+			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.2.3.4",
+		},
+		{
+			name:  "no_revert_lan_access",
+			flags: []string{"--hostname=foo"},
+			curPrefs: &ipn.Prefs{
+				ControlURL:             ipn.DefaultControlURL,
+				AllowSingleHosts:       true,
+				CorpDNS:                true,
+				NetfilterMode:          preftype.NetfilterOn,
+				ExitNodeAllowLANAccess: true,
+			},
+		},
+		{
+			name:          "exit_node_revert_lan_access",
+			flags:         []string{"--hostname=foo", "--exit-node=100.2.3.4"},
+			curExitNodeIP: netip.MustParseAddr("100.2.3.4"),
+			curPrefs: &ipn.Prefs{
+				ControlURL:             ipn.DefaultControlURL,
+				AllowSingleHosts:       true,
+				CorpDNS:                true,
+				NetfilterMode:          preftype.NetfilterOn,
+				ExitNodeIP:             netip.MustParseAddr("100.2.3.4"),
+				ExitNodeAllowLANAccess: true,
+			},
+			want: accidentalUpPrefix + " --exit-node=100.2.3.4 --hostname=foo --exit-node-allow-lan-access",
+		},
+		{
+			name:          "exit_node_no_revert_lan_access",
+			flags:         []string{"--exit-node="},
+			curExitNodeIP: netip.MustParseAddr("100.2.3.4"),
+			curPrefs: &ipn.Prefs{
+				ControlURL:             ipn.DefaultControlURL,
+				AllowSingleHosts:       true,
+				CorpDNS:                true,
+				NetfilterMode:          preftype.NetfilterOn,
+				ExitNodeIP:             netip.MustParseAddr("100.2.3.4"),
+				ExitNodeAllowLANAccess: true,
+			},
+		},
 		{
 			name:  "ignore_login_server_synonym",
 			flags: []string{"--login-server=https://controlplane.tailscale.com"},

cmd/tailscale/cli/up.go

@@ -285,10 +285,6 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 		return nil, err
 	}
 
-	if upArgs.exitNodeIP == "" && upArgs.exitNodeAllowLANAccess {
-		return nil, fmt.Errorf("--exit-node-allow-lan-access can only be used with --exit-node")
-	}
-
 	var tags []string
 	if upArgs.advertiseTags != "" {
 		tags = strings.Split(upArgs.advertiseTags, ",")
@@ -377,6 +373,12 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 		return false, nil, fmt.Errorf("can't change --login-server without --force-reauth")
 	}
 
+	if curPrefs.ExitNodeAllowLANAccess != env.upArgs.exitNodeAllowLANAccess {
+		if env.upArgs.exitNodeIP == "" && env.upArgs.exitNodeAllowLANAccess {
+			return false, nil, fmt.Errorf("--exit-node-allow-lan-access can only be used with --exit-node")
+		}
+	}
+
 	// Do this after validations to avoid the 5s delay if we're going to error
 	// out anyway.
 	wantSSH, haveSSH := env.upArgs.runSSH, curPrefs.RunSSH
@@ -824,9 +826,14 @@ func checkForAccidentalSettingReverts(newPrefs, curPrefs *ipn.Prefs, env upCheck
 		return nil
 	}
 
+	usingExitNode := false
 	flagIsSet := map[string]bool{}
 	env.flagSet.Visit(func(f *flag.Flag) {
 		flagIsSet[f.Name] = true
+
+		if f.Name == "exit-node" && f.Value.String() != "" {
+			usingExitNode = true
+		}
 	})
 
 	if len(flagIsSet) == 0 {
@@ -861,6 +868,9 @@ func checkForAccidentalSettingReverts(newPrefs, curPrefs *ipn.Prefs, env upCheck
 	if len(missing) == 0 {
 		return nil
 	}
+	if len(missing) == 1 && missing[0] == "--exit-node-allow-lan-access" && !usingExitNode {
+		return nil
+	}
 	sort.Strings(missing)
 
 	// Compute the stringification of the explicitly provided args in flagSet