From 8a63c023f073b246b6409e3eaeee8bb6a876c0ed Mon Sep 17 00:00:00 2001 From: "M. J. Fromberger" Date: Mon, 1 Jun 2026 15:16:45 -0700 Subject: [PATCH] tailcfg: add a node attribute to explicitly disable netmap caching (#19947) Add a new tailcfg.NodeCapability (NodeAttrDisableCacheNetworkMaps) to allow the policy document to override whether a node will receive the cache-network-maps attribute by default. The client does not interpret this attribute directly, it is used to influence decisions by the control plane. As of 2026-06-01, cache-network-maps is only sent when explicitly requested by the policy. In a future version, we will send it by default for clients with a sufficient capability version (to be added in a future commit), except to ephemeral nodes, unless the policy sets disable-cached-network-maps. Updates #12639 Updates tailscale/projects#28 Change-Id: I6376376d7898f7da8db977e457dcd45df9deef41 Signed-off-by: M. J. Fromberger --- tailcfg/tailcfg.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go index 96ae15f5c..3434e3f5f 100644 --- a/tailcfg/tailcfg.go +++ b/tailcfg/tailcfg.go @@ -2786,6 +2786,12 @@ func (p NodeCapabilityPrefix) ToAttribute(value string) NodeCapability { // discard existing cached maps, and will not store any. NodeAttrCacheNetworkMaps NodeCapability = "cache-network-maps" + // NodeAttrDisableCacheNetworkMaps indicates that the node should not cache + // network maps (as per [NodeAttrCacheNetworkMaps]) when it normally would. + // This attribute exists to allow the policy document to override the default. + // When set, it takes precedence over [NodeAttrCacheNetworkMaps]. + NodeAttrDisableCacheNetworkMaps NodeCapability = "disable-cache-network-maps" + // NodeAttrDisableLinuxCGNATDropRule tells Linux clients to not insert a // blanket firewall DROP rule for inbound traffic from the CGNAT IP range // that does not originate from the Tailscale network interface.
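Review bot: The doc comment on NodeAttrDisableCacheNetworkMaps says "When set, it takes precedence over [NodeAttrCacheNetworkMaps]" but does not say which side applies that precedence, while the commit message states that the client does not interpret this attribute directly and that it only influences decisions by the control plane. Consider adding a sentence to the comment saying that clients do not act on this attribute and that the control plane consumes it when deciding whether to send [NodeAttrCacheNetworkMaps], so a reader of tailcfg.go does not assume a node holding both attributes will stop caching on its own. Separately, the commit message names the policy setting disable-cached-network-maps, whereas the constant's value here is "disable-cache-network-maps"; the two spellings should be reconciled so policy authors do not copy the wrong string.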