package
1.79.0-mod
Repository: https://github.com/sagernet/tailscale.git
Documentation: pkg.go.dev

# Functions

CheckServiceName validates svc for use as a service name.
CheckTag validates tag for use as an ACL tag.
Clone duplicates src into dst and reports whether it succeeded.
IsKnownServiceProto checks whether sp represents a known-valid value of ServiceProto.
MarshalCapJSON returns a capability rule in RawMessage string format.
ParseProtoPortRanges parses a slice of IP port range fields.
UnmarshalCapJSON unmarshals each JSON value in cm[cap] as T.
UnmarshalNodeCapJSON unmarshals each JSON value in cm[cap] as T.

# Constants

No description provided by the author
CapabilityBindToInterfaceByRoute changes how Darwin nodes create sockets (in the net/netns package).
feature enabled.
exposes debug endpoints over the PeerAPI.
CapabilityDebugDisableAlternateDefaultRouteInterface changes how Darwin nodes get the default interface.
CapabilityDebugDisableBindConnToInterface disables the automatic binding of connections to the default network interface on Darwin nodes.
CapabilityDebugTSDNSResolution enables verbose debug logging for DNS resolution for Tailscale-controlled domains (the control server, log server, DERP servers, etc.).
No description provided by the author
CapabilityFunnelPorts specifies the ports that the Funnel is available on.
No description provided by the author
feature enabled/available.
some SSH rule reach this node.
CapabilityTailnetLock indicates the node may initialize tailnet lock.
CapabilityWarnFunnelNoHTTPS indicates HTTPS has not been enabled for the tailnet.
CapabilityWarnFunnelNoInvite indicates whether Funnel is enabled for the tailnet.
CurrentCapabilityVersion is the current capability version of the codebase.
DerpMagicIP is a fake WireGuard endpoint IP address that means to use DERP.
DotInvalid is a fake DNS TLD used in tests for an invalid hostname.
explicitly configured (routing to be done by client).
No description provided by the author
No description provided by the author
No description provided by the author
hard NAT: STUN'ed IPv4 address + local fixed port.
No description provided by the author
LBHeader is the HTTP request header used to provide a load balancer or internal reverse proxy with information about the request body without the reverse proxy needing to read the body to parse it out.
server has approved.
server has explicitly rejected this machine key.
server has yet to approve.
No description provided by the author
NodeAttrAutoExitNode permits the automatic exit nodes feature.
NodeAttrDebugDisableWGTrim disables the lazy WireGuard configuration, always giving WireGuard the full netmap, even for idle peers.
NodeAttrDebugForceBackgroundSTUN forces a node to always do background STUN queries regardless of inactivity.
NodeAttrDisableCaptivePortalDetection instructs the client to not perform captive portal detection automatically when the network state changes.
NodeAttrDisableDeltaUpdates makes the client not process updates via the delta update mechanism and instead treat all netmap changes as "full" ones, as tailscaled did in 1.48.x and earlier.
NodeAttrDisableLocalDNSOverrideViaNRPT indicates that the node's DNS manager should not create a default (catch-all) Windows NRPT rule when "Override local DNS" is enabled.
NodeAttrDisableMagicSockCryptoRouting disables the use of the magicsock cryptorouting hook.
NodeAttrDisableSplitDNSWhenNoCustomResolvers indicates that the node's DNS manager should not adopt a split DNS configuration even though the Config of the resolver only contains routes that do not specify custom resolver(s), hence all DNS queries can be safely sent to the upstream DNS resolver and the node's DNS forwarder doesn't need to handle all DNS traffic.
NodeAttrDisableSubnetsIfPAC controls whether subnet routers should be disabled if WPAD is present on the network.
NodeAttrDisableUPnP makes the client not perform a UPnP portmapping.
NodeAttrDisableWebClient disables using the web client.
NodeAttrDNSForwarderDisableTCPRetries disables retrying truncated DNS queries over TCP if the response is truncated.
NodeAttrFunnel grants the ability for a node to host ingress traffic.
NodeAttrLinuxMustUseIPTables forces Linux clients to use iptables for netfilter management.
NodeAttrLinuxMustUseNfTables forces Linux clients to use nftables for netfilter management.
NodeAttrLogExitFlows enables exit node destinations in network flow logs.
NodeAttrOneCGNATDisable makes the client prefer a /32 route per peer rather than one big /10 CGNAT route.
NodeAttrOneCGNATEnable makes the client prefer one big CGNAT /10 route rather than a /32 per peer.
NodeAttrOnlyTCP443 specifies that the client should not attempt to generate any outbound traffic that isn't TCP on port 443 (HTTPS).
NodeAttrPeerMTUEnable makes the client do path MTU discovery to its peers.
NodeAttrProbeUDPLifetime makes the client probe UDP path lifetime at the tail end of an active direct connection in magicsock.
NodeAttrRandomizeClientPort makes magicsock UDP bind to :0 to get a random local port, ignoring any configured fixed port.
NodeAttrSeamlessKeyRenewal makes clients enable beta functionality of renewing node keys without breaking connections.
NodeAttrSilentDisco makes the client suppress disco heartbeats to its peers.
NodeAttrSSHAggregator grants the ability for a node to collect SSH sessions.
NodeAttrSSHBehaviorV1 forces SSH to use the V1 behavior (no su, run SFTP in-process). Added 2024-05-29 in Tailscale version 1.68.
NodeAttrSSHBehaviorV2 forces SSH to use the V2 behavior (use su, run SFTP in child process).
NodeAttrSSHEnvironmentVariables enables logic for handling environment variables sent via SendEnv in the SSH server and applying them to the SSH session.
NodeAttrsTaildriveAccess enables accessing shares via Taildrive.
NodeAttrsTaildriveShare enables sharing via Taildrive.
NodeAttrStoreAppCRoutes configures the node to store app connector routes persistently.
NodeAttrSuggestExitNode is applied to each exit node which the control plane has determined is a recommended exit node.
NodeAttrSuggestExitNodeUI allows the currently suggested exit node to appear in the client GUI.
NodeAttrUserDialUseRoutes makes UserDial use either the peer dialer or the system dialer, depending on the destination address and the configured routes.
No description provided by the author
No description provided by the author
No description provided by the author
PeerCapabilityDebugPeer grants the ability for a peer to read this node's goroutines, metrics, magicsock internal state, etc.
PeerCapabilityFileSharingSend grants the ability to receive files from a node that's owned by a different user.
PeerCapabilityFileSharingTarget grants the current node the ability to send files to the peer which has this capability.
PeerCapabilityIngress grants the ability for a peer to send ingress traffic.
PeerCapabilityKubernetes grants a peer Kubernetes-specific capabilities, such as the ability to impersonate specific Tailscale user groups as Kubernetes user groups.
PeerCapabilityServicesDestination grants a peer the ability to serve as a destination for a set of given VIP services, which is provided as the value of this key in NodeCapMap.
PeerCapabilityTaildrive grants the ability for a peer to access Taildrive shares.
PeerCapabilityTaildriveSharer indicates that a peer has the ability to share folders with us.
PeerCapabilityWakeOnLAN grants the ability to send a Wake-On-LAN packet.
PeerCapabilityWebUI grants the ability for a peer to edit features from the device Web UI.
PingDisco performs a ping, without involving IP at either end.
PingICMP performs a ping between two tailscale nodes using ICMP that is received by the target system's IP stack.
PingPeerAPI performs a ping between two tailscale nodes using ICMP that is received by the target system's IP stack.
PingTSMP performs a ping, using the IP layer, but avoiding the OS IP stack.
SignatureNone indicates that there is no signature, no Timestamp is required (but may be specified if desired), and both DeviceCert and Signature should be empty.
SignatureUnknown represents an unknown signature scheme, which should be considered an error if seen.
SignatureV1 is computed as RSA-PSS-Sign(privateKeyForDeviceCert, SHA256(Timestamp || ServerIdentity || DeviceCert || ServerShortPubKey || MachineShortPubKey)).
SignatureV2 is computed as RSA-PSS-Sign(privateKeyForDeviceCert, SHA256(Timestamp || ServerIdentity || DeviceCert || ServerPubKey || MachinePubKey)).
SSHSessionRecordingFailed is the event that defines when session recording is unavailable and the SSHRecorderFailureAction RejectSessionWithMessage or TerminateSessionWithMessage is empty.
SSHSessionRecordingRejected is the event that defines when a SSH session cannot be started because no recorder is available for session recording, and the SSHRecorderFailureAction RejectSessionWithMessage is not empty.
SSHSessionRecordingTerminated is the event that defines when session recording has failed during the session and the SSHRecorderFailureAction TerminateSessionWithMessage is not empty.
No description provided by the author
No description provided by the author
No description provided by the author

# Variables

No description provided by the author
No description provided by the author
No description provided by the author

# Structs

C2NAppConnectorDomainRoutesResponse contains a map of domains to slices of addresses, indicating what IP addresses have been resolved for each domain.
C2NPostureIdentityResponse contains either a set of identifying serial numbers and hardware addresses from the client, or a boolean flag indicating that the machine has opted out of posture collection.
C2NSSHUsernamesRequest is the request for the /ssh/usernames.
C2NSSHUsernamesResponse is the response (from node to control) from the /ssh/usernames handler.
C2NTLSCertInfo describes the state of a cached TLS certificate.
C2NUpdateResponse is the response (from node to control) from the /update handler.
CapGrant grants capabilities in a FilterRule.
ClientVersion is information about the latest client version that's available for the client (and whether they're already running it).
ControlDialPlan is instructions from the control server to the client on how to connect to the control server; this is useful for maintaining connection if the client's network state changes after the initial connection, or due to the configuration that the control server pushes.
ControlDialPlanView provides a read-only view over ControlDialPlan.
ControlIPCandidate represents a single candidate address to use when connecting to the control server.
Debug used to be a miscellaneous set of declarative debug config changes and imperative debug commands.
DERPAdmitClientRequest is the JSON request body of a POST to derper's --verify-client-url admission controller URL.
DERPAdmitClientResponse is the response to a DERPAdmitClientRequest.
DERPHomeParams contains parameters from the server related to selecting a DERP home region (sometimes referred to as the "preferred DERP").
DERPHomeParamsView provides a read-only view over DERPHomeParams.
DERPMap describes the set of DERP packet relay servers that are available.
DERPMapView provides a read-only view over DERPMap.
DERPNode describes a DERP packet relay node running within a DERPRegion.
DERPNodeView provides a read-only view over DERPNode.
DERPRegion is a geographic region running DERP relay node(s).
DERPRegionView provides a read-only view over DERPRegion.
DNSConfig is the DNS configuration.
DNSConfigView provides a read-only view over DNSConfig.
DNSRecord is an extra DNS record to add to MagicDNS.
EarlyNoise is the early payload that's sent over Noise but before the HTTP/2 handshake when connecting to the coordination server.
Endpoint is an endpoint IPPort and an associated type.
FilterRule represents one rule in a packet filter.
HealthChangeRequest is the JSON request body type used to report node health changes to https://<control>/machine/<mkey hex>/update-health.
Hostinfo contains a summary of a Tailscale host.
HostinfoView provides a read-only view over Hostinfo.
Location represents geographical location data about a Tailscale host.
LocationView provides a read-only view over Location.
No description provided by the author
LoginView provides a read-only view over Login.
MapRequest is sent by a client to either update the control plane about its current state, or to start a long-poll of network map updates.
MapResponse is the response to a MapRequest.
NetInfo contains information about the host's network state.
NetInfoView provides a read-only view over NetInfo.
NetPortRange represents a range of ports that's allowed for one or more IPs.
No description provided by the author
NodeView provides a read-only view over Node.
Oauth2Token is a copy of golang.org/x/oauth2.Token, to avoid the go.mod dependency on App Engine and grpc, which was causing problems.
OverTLSPublicKeyResponse is the JSON response to /key?v=<n> over HTTPS (regular TLS) to the Tailscale control plane server, where the 'v' argument is the client's current capability version (previously known as the "MapRequest version").
PeerChange is an update to a node.
PingRequest with no IP and Types is a request to send an HTTP request to prove the long-polling client is still connected.
PingResponse provides result information for a TSMP or Disco PingRequest.
PortRange represents a range of UDP or TCP port numbers.
ProtoPortRange is used to encode "proto:port" format.
QueryFeatureRequest is a request sent to "/machine/feature/query" to get instructions on how to enable a feature, such as Funnel, for the node's tailnet.
QueryFeatureResponse is the response to a QueryFeatureRequest.
RegisterRequest is sent by a client to register the key for a node.
RegisterRequestView provides a read-only view over RegisterRequest.
RegisterResponse is returned by the server in response to a RegisterRequest.
RegisterResponseAuth is the authentication information returned by the server in response to a RegisterRequest.
RegisterResponseAuthView provides a read-only view over RegisterResponseAuth.
RegisterResponseView provides a read-only view over RegisterResponse.
Service represents a service running on a node.
SetDNSRequest is a request to add a DNS record.
SetDNSResponse is the response to a SetDNSRequest.
SSHAction is how to handle an incoming connection.
SSHActionView provides a read-only view over SSHAction.
SSHEventNotifyRequest is the JSON payload sent to the NotifyURL for an SSH event.
SSHPolicy is the policy for how to handle incoming SSH connections over Tailscale.
SSHPrincipal is either a particular node or a user on any node.
SSHPrincipalView provides a read-only view over SSHPrincipal.
SSHRecorderFailureAction is the action to take if recording fails.
SSHRecordingAttempt is a single attempt to start a recording.
An SSH rule is a match predicate and associated action for an incoming SSH connection.
SSHRuleView provides a read-only view over SSHRule.
TKABootstrapRequest is sent by a node to get information necessary for enabling or disabling the tailnet key authority.
TKABootstrapResponse encodes values necessary to enable or disable the tailnet key authority (TKA).
TKADisableRequest disables network-lock across the tailnet using the provided disablement secret.
TKADisableResponse is the JSON response from a /tka/disable RPC.
TKAInfo encodes the control plane's view of tailnet key authority (TKA) state.
TKAInitBeginRequest submits a genesis AUM to seed the creation of the tailnet's key authority.
TKAInitBeginResponse is the JSON response from a /tka/init/begin RPC.
TKAInitFinishRequest is the JSON request of a /tka/init/finish RPC.
TKAInitFinishResponse is the JSON response from a /tka/init/finish RPC.
TKASignaturesUsingKeyRequest asks the control plane for all signatures which are signed by the provided keyID.
TKASignaturesUsingKeyResponse is the JSON response to a /tka/affected-sigs RPC.
TKASignInfo describes information about an existing node that needs to be signed into a node-key signature.
TKASubmitSignatureRequest transmits a node-key signature to the control plane.
TKASubmitSignatureResponse is the JSON response from a /tka/sign RPC.
TKASyncOfferRequest encodes a request to synchronize tailnet key authority state (TKA).
TKASyncOfferResponse encodes a response in synchronizing a node's tailnet key authority state.
TKASyncSendRequest encodes AUMs that a node believes the control plane is missing, and notifies control of its local TKA state (specifically the head hash).
TKASyncSendResponse encodes the control plane's response to a node submitting AUMs during AUM synchronization.
TokenRequest is a request to get an OIDC ID token for an audience.
TokenResponse is the response to a TokenRequest.
User is an IPN user.
A UserProfile is display-friendly data for a user.
UserProfileView provides a read-only view over UserProfile.
UserView provides a read-only view over User.
VIPService represents a service created on a tailnet from the perspective of a node providing that service.
WebClientAuthResponse is the response to a web client authentication request sent to "/machine/webclient/action" or "/machine/webclient/wait".

# Type aliases

CapabilityVersion represents the client's capability level.
EndpointType distinguishes different sources of MapRequest.Endpoint values.
No description provided by the author
No description provided by the author
No description provided by the author
NodeCapability represents a capability granted to the self node as listed in MapResponse.Node.Capabilities.
NodeCapMap is a map of capabilities to their optional values.
No description provided by the author
PeerCapability represents a capability granted to a peer by a FilterRule when the peer communicates with the node that has this rule.
PeerCapMap is a map of capabilities to their optional values.
PingType is a string representing the kind of ping to perform.
RawMessage is a raw encoded JSON value.
ServiceProto is a service type.
SignatureType specifies a scheme for signing RegisterRequest messages.
SSHEventType defines the event type linked to a SSH action or state.
No description provided by the author
No description provided by the author
No description provided by the author