tailscale

Commit Graph

Author	SHA1	Message	Date
Andrew Dunham	35dc1fea72	wgengine/netstack: add debug page for TCP forwarder To help in debugging issues with subnet routers in userspace mode–for example, hitting the max inflight limit. Updates tailscale/corp#12184 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Idd922f4ae37695f6598a914c2d050574755ef309	3 months ago
Percy Wegmann	50fb8b9123	tailfs: replace webdavfs with reverse proxies Instead of modeling remote WebDAV servers as actual webdav.FS instances, we now just proxy traffic to them. This not only simplifies the code, but it also allows WebDAV locking to work correctly by making sure locks are handled by the servers that need to (i.e. the ones actually serving the files). Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Brad Fitzpatrick	e1bd7488d0	all: remove LenIter, use Go 1.22 range-over-int instead Updates #11058 Updates golang/go#65685 Change-Id: Ibb216b346e511d486271ab3d84e4546c521e4e22 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
mrrfv	ff1391a97e	net/dns/publicdns: add Mullvad family DNS to the list of known DoH servers Adds the new Mullvad family DNS server to the known DNS over HTTPS server list. Signed-off-by: mrrfv <rm-rfv-no-preserve-root@protonmail.com>	3 months ago
Brad Fitzpatrick	6ad6d6b252	wgengine/wglog: add TS_DEBUG_RAW_WGLOG envknob for raw wg logs Updates #7617 (part of debugging it) Change-Id: I1bcbdcf0f929e3bcf83f244b1033fd438aa6dac1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	8b9474b06a	wgengine/wgcfg: don't send UAPI to disable keep-alives on new peers That's already the default. Avoid the overhead of writing it on one side and reading it on the other to do nothing. Updates #cleanup (noticed while researching something else) Change-Id: I449c88a022271afb9be5da876bfaf438fe5d3f58 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
James Tucker	8d0d46462b	net/dns: timeout DOH requests after 10s without response headers If a client socket is remotely lost but the client is not sent an RST in response to the next request, the socket might sit in RTO for extended lengths of time, resulting in "no internet" for users. Instead, timeout after 10s, which will close the underlying socket, recovering from the situation more promptly. Updates #10967 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
James Tucker	0c5e65eb3f	cmd/derper: apply TCP keepalive and timeout to TLS as well I missed a case in the earlier patch, and so we're still sending 15s TCP keepalive for TLS connections, now adjusted there too. Updates tailscale/corp#17587 Updates #3363 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
James Tucker	c9b6d19fc9	.github/workflows: fix typo in XDG_CACHE_HOME This appears to be one of the contributors to this CI target regularly entering a bad state with a partially written toolchain. Updates #self Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
James Tucker	651c4899ac	net/interfaces: reduce & cleanup logs on iOS We don't need a log line every time defaultRoute is read in the good case, and we now only log default interface updates that are actually changes. Updates #3363 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Andrea Gottardo	c8c999d7a9	cli/debug: rename DERP debug mode (#11220 ) Renames a debug flag in the CLI. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	3 months ago
Mario Minardi	ac281dd493	client/web: update vite and vitest to latest versions (#11200 ) Update vite to 5.1.4, and vitest to 1.3.1 (their latest versions). Also remove vite-plugin-rewrite-all as this is no longer necessary with vite 5.x and has a dependency on vite 4.x. Updates https://github.com/tailscale/corp/issues/17715 Signed-off-by: Mario Minardi <mario@tailscale.com>	3 months ago
Percy Wegmann	15b2c674bf	cmd/tailscale: add node attribute instructions to share command help This adds details on how to configure node attributes to allow sharing and accessing shares. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
James Tucker	131f9094fd	wgengine/wglog: quieten WireGuard logs for allowedips An increasing number of users have very large subnet route configurations, which can produce very large amounts of log data when WireGuard is reconfigured. The logs don't contain the actual routes, so they're largely useless for diagnostics, so we'll just suppress them. Fixes tailscale/corp#17532 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Andrew Dunham	e8d2fc7f7f	net/tshttpproxy: log when we're using a proxy Updates #11196 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id6334c10f52f4cfbda9f03dc8096ab7a6c54a088	3 months ago
Mario Minardi	713d2928b1	client/web: update plugin-react-swc to latest version (#11199 ) Update plugin-react-swc to the latest version (3.6.0) ahead of updating vite to 5.x. Updates https://github.com/tailscale/corp/issues/17715 Signed-off-by: Mario Minardi <mario@tailscale.com>	3 months ago
Mario Minardi	72140da000	client/web: update vite-plugin-svgr to latest version (#11197 ) Update vite-plugin-svgr to the latest version (4.2.0) ahead of updating vite to 5.x. This is a major version bump from our previous 3.x, and requires changing the import paths used for SVGs. Updates https://github.com/tailscale/corp/issues/17715 Signed-off-by: Mario Minardi <mario@tailscale.com>	3 months ago
James Tucker	edbad6d274	cmd/derper: add user timeout and reduce TCP keepalive The derper sends an in-protocol keepalive every 60-65s, so frequent TCP keepalives are unnecessary. In this tuning TCP keepalives should never occur for a DERP client connection, as they will send an L7 keepalive often enough to always reset the TCP keepalive timer. If however a connection does not receive an ACK promptly it will now be shutdown, which happens sooner than it would with a normal TCP keepalive tuning. This re-tuning reduces the frequency of network traffic from derp to client, reducing battery cost. Updates tailscale/corp#17587 Updates #3363 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Andrea Gottardo	0359c2f94e	util/syspolicy: add 'ResetToDefaults' (#11194 ) Updates ENG-2133. Adds the ResetToDefaults visibility policy currently only available on macOS, so that the Windows client can read its value. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	3 months ago
Brad Fitzpatrick	10d130b845	cmd/derper, derp, tailcfg: add admission controller URL option So derpers can check an external URL for whether to permit access to a certain public key. Updates tailscale/corp#17693 Change-Id: I8594de58f54a08be3e2dbef8bcd1ff9b728ab297 Co-authored-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	2988c1ec52	derp: plumb context to Server.verifyClient Updates tailscale/corp#17693 Change-Id: If17e02c77d5ad86b820e639176da2d3e61296bae Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Paul Scott	7708ab68c0	cmd/tailscale/cli: pass "-o 'CanonicalizeHostname no'" to ssh Fixes #10348 Signed-off-by: Paul Scott <paul@tailscale.com>	3 months ago
Percy Wegmann	91a1019ee2	cmd/testwrapper: apply results of all unit tests to coverage for all packages This allows coverage from tests that hit multiple packages at once to be reflected in all those packages' coverage. Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Andrea Gottardo	d756622432	util/syspolicy: add ManagedBy keys for Windows (#11183 )	3 months ago
James Tucker	8fe504241d	net/ktimeout: add a package to set TCP user timeout Setting a user timeout will be a more practical tuning knob for a number of endpoints, this provides a way to set it. Updates tailscale/corp#17587 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Brad Fitzpatrick	a4a909a20b	prober: add TLS probe constructor to split dial addr from cert name So we can probe load balancers by their unique DNS name but without asking for that cert name. Updates tailscale/corp#13050 Change-Id: Ie4c0a2f951328df64281ed1602b4e624e3c8cf2e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	794af40f68	ipn/ipnlocal: remove ancient transition mechanism for https certs And confusing error message that duplicated the valid cert domains. Fixes tailscale/corp#15876 Change-Id: I098bc45d83c8d1e0a233dcdf3188869cce66e128 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
James Tucker	6c3899e6ee	logpolicy: allow longer idle log upload connections From a packet trace we have seen log connections being closed prematurely by the client, resulting in unnecessary extra TLS setup traffic. Updates #3363 Updates tailscale/corp#9230 Updates tailscale/corp#8564 Signed-off-by: James Tucker <james@tailscale.com>	4 months ago
Andrew Dunham	70b7201744	net/dns: fix infinite loop when run on Amazon Linux 2023 This fixes an infinite loop caused by the configuration of systemd-resolved on Amazon Linux 2023 and how that interacts with Tailscale's "direct" mode. We now drop the Tailscale service IP from the OS's "base configuration" when we detect this configuration. Updates #7816 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I73a4ea8e65571eb368c7e179f36af2c049a588ee	4 months ago
Andrea Gottardo	44e337cc0e	tool/gocross: pass flags for visionOS and visionOS Simulator (#11127 ) Adds logic in gocross to detect environment variables and pass the right flags so that the backend can be built with the visionOS SDK. Signed-off-by: Andrea Gottardo <andrea@tailscale.com> Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	4 months ago
Will Norris	6b582cb8b6	cmd/tailscale: support clickable IPv6 web client addresses Instead of constructing the `ip:port` string ourselves, use netip.AddrPortFrom which handles IPv6 correctly. Updates #11164 Signed-off-by: Will Norris <will@tailscale.com>	4 months ago
Will Norris	24487815e1	cmd/tailscale: make web client URL clickable Updates #11151 Signed-off-by: Will Norris <will@tailscale.com>	4 months ago
San	69f5664075	ipn/ipnlocal: fix doctor API endpoint (#11155 ) Small fix to make sure doctor API endpoint returns correctly - I spotted it when checking my tailscaled node and noticed it was handled slightly different compare to the rest Signed-off-by: San <santrancisco@users.noreply.github.com>	4 months ago
Percy Wegmann	3aca29e00e	VERSION.txt: this is v1.61.0 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Jason Barnett	4d668416b8	wgengine/router: fix ip rule restoration Fixes #10857 Signed-off-by: Jason Barnett <J@sonBarnett.com>	4 months ago
Andrew Dunham	52f16b5d10	doctor/ethtool, ipn/ipnlocal: add ethtool bugreport check Updates #11137 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Idbe862d80e428adb044249c47d9096b87f29d5d8	4 months ago
Patrick O'Doherty	38bba2d23a	clientupdate: disable auto update on NixOS (#11136 ) Updates #cleanup NixOS packages are immutable and attempts to update via our tarball mechanism will always fail as a result. Instead we now direct users to update their nix channel or nixpkgs flake input to receive the latest Tailscale release. Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	4 months ago
Andrew Dunham	b7104cde4a	util/topk: add package containing a probabilistic top-K tracker This package uses a count-min sketch and a heap to track the top K items in a stream of data. Tracking a new item and adding a count to an existing item both require no memory allocations and is at worst O(log(k)) complexity. Change-Id: I0553381be3fef2470897e2bd806d43396f2dbb36 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	4 months ago
Flakes Updater	7ad2bb87a6	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	4 months ago
Brad Fitzpatrick	61a1644c2a	go.mod, all: move away from inet.af domain seized by Taliban Updates inetaf/tcpproxy#39 Change-Id: I7fee276b116bd08397347c6c949011d76a2842cf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Andrew Dunham	b0e96a6c39	net/dns: log more info when openresolv commands fail Updates #11129 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ic594868ba3bc31f6d3b0721ecba4090749a81f7f	4 months ago
Nathan Woodburn	7c0651aea6	scripts/installer.sh: add tuxedoOS to the Ubuntu copies Signed-off-by: Nathan Woodburn <github@nathan.woodburn.au>	4 months ago
Patrick O'Doherty	256ecd0e8f	Revert "tsweb: update ServeMux matching to 1.22.0 syntax (#11090 )" (#11125 ) This reverts commit `30c9189ed3`. Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	4 months ago
Aaron Klotz	f7acbefbbb	wgengine/router: make the Windows ifconfig implementation reuse existing MibIPforwardRow2 when possible Looking at profiles, we spend a lot of time in winipcfg.LUID.DeleteRoute looking up the routing table entry for the provided RouteData. But we already have the row! We previously obtained that data via the full table dump we did in getInterfaceRoutes. We can make this a lot faster by hanging onto a reference to the wipipcfg.MibIPforwardRow2 and executing the delete operation directly on that. Fixes #11123 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	4 months ago
Patrick O'Doherty	30c9189ed3	tsweb: update ServeMux matching to 1.22.0 syntax (#11090 ) * tsweb: update ServeMux matching to 1.22.0 syntax Updates #cleanup Go 1.22.0 introduced the ability to use more expressive routing patterns that include HTTP method when constructing ServeMux entries. Applications that attempted to use these patterns in combination with the old `tsweb.Debugger` would experience a panic as Go would not permit the use of matching rules with mixed level of specificity. We now specify the method for each `/debug` handler to prevent incompatibilities. Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	4 months ago
Irbe Krumina	5bd19fd3e3	cmd/k8s-operator,k8s-operator: proxy configuration mechanism via a new ProxyClass custom resource (#11074 ) * cmd/k8s-operator,k8s-operator: introduce proxy configuration mechanism via ProxyClass custom resource. ProxyClass custom resource can be used to specify customizations for the proxy resources created by the operator. Add a reconciler that validates ProxyClass resources and sets a Ready condition to True or False with a corresponding reason and message. This is required because some fields (labels and annotations) require complex validations that cannot be performed at custom resource apply time. Reconcilers that use the ProxyClass to configure proxy resources are expected to verify that the ProxyClass is Ready and not proceed with resource creation if configuration from a ProxyClass that is not yet Ready is required. If a tailscale ingress/egress Service is annotated with a tailscale.com/proxy-class annotation, look up the corresponding ProxyClass and, if it is Ready, apply the configuration from the ProxyClass to the proxy's StatefulSet. If a tailscale Ingress has a tailscale.com/proxy-class annotation and the referenced ProxyClass custom resource is available and Ready, apply configuration from the ProxyClass to the proxy resources that will be created for the Ingress. Add a new .proxyClass field to the Connector spec. If connector.spec.proxyClass is set to a ProxyClass that is available and Ready, apply configuration from the ProxyClass to the proxy resources created for the Connector. Ensure that when Helm chart is packaged, the ProxyClass yaml is added to chart templates. Ensure that static manifest generator adds ProxyClass yaml to operator.yaml. Regenerate operator.yaml Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 months ago
Brad Fitzpatrick	f7f496025a	types/views: add test that LenIter doesn't allocate For a second we thought this was allocating but we were looking at a CPU profile (which showed calls to mallocgc view makeslice) instead of the alloc profile. Updates golang/go#65685 (which if fixed wouldn't have confused us) Change-Id: Ic0132310d52d8a65758a516142525339aa23b1ed Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Percy Wegmann	c42a4e407a	tailfs: listen for local clients only on 100.100.100.100 FileSystemForLocal was listening on the node's Tailscale address, which potentially exposes the user's view of TailFS shares to other Tailnet users. Remote nodes should connect to exported shares via the peerapi. This removes that code so that FileSystemForLocal is only avaialable on 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Percy Wegmann	d0ef3a25df	cmd/tailscale: hide share subcommand Fixes #1115 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
David Anderson	58b8f78e7e	flake.nix: build tailscale with go 1.22 Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>	4 months ago

1 2 3 4 5 ...

7182 Commits (andrew/netstack-forwarder-debug) All Branches Search

7182 Commits (andrew/netstack-forwarder-debug)

All Branches