tailscale

Commit Graph

Author	SHA1	Message	Date
James Sanderson	717fa68f3a	tailcfg: read max key duration from node cap map [capver 114] This will be used by clients to make better decisions on when to warn users about impending key expiry. Updates tailscale/corp#16016 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	10 months ago
Brad Fitzpatrick	5a082fccec	tailcfg: remove ancient UserProfiles.Roles field And add omitempty to the ProfilePicURL too while here. Plenty of users (and tagged devices) don't have profile pics. Updates #14988 Change-Id: I6534bc14edb58fe1034d2d35ae2395f09fd7dd0d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Andrew Dunham	926a43fe51	tailcfg: make NetPortRange.Bits omitempty This is deprecated anyway, and we don't need to be sending `"Bits":null` on the wire for the majority of clients. Updates tailscale/corp#20965 Updates tailscale/corp#26353 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I95a3e3d72619389ae34a6547ebf47043445374e1	10 months ago
Brad Fitzpatrick	b865ceea20	tailcfg: update + clean up machine API docs, remove some dead code The machine API docs were still often referring to the nacl boxes which are no longer present in the client. Fix that up, fix the paths, add the HTTP methods. And then delete some unused code I found in the process. Updates #cleanup Change-Id: I1591274acbb00a08b7ca4879dfebd5e6b8a9fbcd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Adrian Dewhurst	600f25dac9	tailcfg: add JSON unmarshal helper for view of node/peer capabilities Many places that need to work with node/peer capabilities end up with a something-View and need to either reimplement the helper code or make an expensive copy. We have the machinery to easily handle this now. Updates #cleanup Change-Id: Ic3f55be329f0fc6c178de26b34359d0e8c6ca5fc Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	10 months ago
Brad Fitzpatrick	1a7274fccb	control/controlclient: skip SetControlClientStatus when queue has newer results later Updates #1909 Updates #12542 Updates tailscale/corp#26058 Change-Id: I3033d235ca49f9739fdf3deaf603eea4ec3e407e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Adrian Dewhurst	d69c70ee5b	tailcfg: adjust ServiceName.Validate to use vizerror Updates #cleanup Change-Id: I163b3f762b9d45c2155afe1c0a36860606833a22 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	10 months ago
Adrian Dewhurst	0fa7b4a236	tailcfg: add ServiceName Rather than using a string everywhere and needing to clarify that the string should have the svc: prefix, create a separate type for Service names. Updates tailscale/corp#24607 Change-Id: I720e022f61a7221644bb60955b72cacf42f59960 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	11 months ago
Brad Fitzpatrick	17022ad0e9	tailcfg: remove now-unused TailscaleFunnelEnabled method As of tailscale/corp#26003 Updates tailscale/tailscale#11572 Change-Id: I5de2a0951b7b8972744178abc1b0e7948087d412 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
KevinLiang10	e4779146b5	delete extra struct in tailcfg Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	11 months ago
KevinLiang10	8c8750f1b3	ipn/ipnlocal: Support TCP and Web VIP services This commit intend to provide support for TCP and Web VIP services and also allow user to use Tun for VIP services if they want to. The commit includes: 1.Setting TCP intercept function for VIP Services. 2.Update netstack to send packet written from WG to netStack handler for VIP service. 3.Return correct TCP hander for VIP services when netstack acceptTCP. This commit also includes unit tests for if the local backend setServeConfig would set correct TCP intercept function and test if a hander gets returned when getting TCPHandlerForDst. The shouldProcessInbound check is not unit tested since the test result just depends on mocked functions. There should be an integration test to cover shouldProcessInbound and if the returned TCP handler actually does what the serveConfig says. Updates tailscale/corp#24604 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	11 months ago
Irbe Krumina	69a985fb1e	ipn/ipnlocal,tailcfg: communicate to control whether funnel is enabled (#14688 ) Adds a new Hostinfo.IngressEnabled bool field that holds whether funnel is currently enabled for the node. Triggers control update when this value changes. Bumps capver so that control can distinguish the new field being false vs non-existant in previous clients. This is part of a fix for an issue where nodes with any AllowFunnel block set in their serve config are being displayed as if actively routing funnel traffic in the admin panel. Updates tailscale/tailscale#11572 Updates tailscale/corp#25931 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Brad Fitzpatrick	7ecb69e32e	tailcfg,control/controlclient: treat nil AllowedIPs as Addresses [capver 112] Updates #14635 Change-Id: I21e2bd1ec4eb384eb7a3fc8379f0788a684893f3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	2fc4455e6d	all: add Node.HomeDERP int, phase out "127.3.3.40:$region" hack [capver 111] This deprecates the old "DERP string" packing a DERP region ID into an IP:port of 127.3.3.40:$REGION_ID and just uses an integer, like PeerChange.DERPRegion does. We still support servers sending the old form; they're converted to the new form internally right when they're read off the network. Updates #14636 Change-Id: I9427ec071f02a2c6d75ccb0fcbf0ecff9f19f26f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	b90707665e	tailcfg: remove unused User fields Fixes #14542 Change-Id: Ifeb0f90c570c1b555af761161f79df75f18ae3f9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	f13b2bce93	tailcfg: flesh out docs Updates #cleanup Updates #14542 Change-Id: I41f7ce69d43032e0ba3c866d9c89d2a7eccbf090 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	47bd0723a0	all: use iterators in more places instead of Range funcs And misc cleanup along the way. Updates #12912 Change-Id: I0cab148b49efc668c6f5cdf09c740b84a713e388 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	ff095606cc	all: add means to set device posture attributes from node Updates tailscale/corp#24690 Updates #4077 Change-Id: I05fe799beb1d2a71d1ec3ae08744cc68bcadae2a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Naman Sood	887472312d	tailcfg: rename and retype ServiceHost capability (#14380 ) * tailcfg: rename and retype ServiceHost capability, add value type Updates tailscale/corp#22743. In #14046, this was accidentally made a PeerCapability when it should have been NodeCapability. Also, renaming it to use the nomenclature that we decided on after #14046 went up, and adding the type of the value that will be passed down in the RawMessage for this capability. This shouldn't break anything, since no one was using this string or variable yet. Signed-off-by: Naman Sood <mail@nsood.in>	12 months ago
Brad Fitzpatrick	73128e2523	ssh/tailssh: remove unused public key support When we first made Tailscale SSH, we assumed people would want public key support soon after. Turns out that hasn't been the case; people love the Tailscale identity authentication and check mode. In light of CVE-2024-45337, just remove all our public key code to not distract people, and to make the code smaller. We can always get it back from git if needed. Updates tailscale/corp#25131 Updates golang/go#70779 Co-authored-by: Percy Wegmann <percy@tailscale.com> Change-Id: I87a6e79c2215158766a81942227a18b247333c22 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	12 months ago
Anton Tolchanov	9f33aeb649	wgengine/filter: actually use the passed CapTestFunc [capver 109] Initial support for SrcCaps was added in `5ec01bf` but it was not actually working without this. Updates #12542 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Naman Sood	aefbed323f	ipn,tailcfg: add VIPService struct and c2n to fetch them from client (#14046 ) * ipn,tailcfg: add VIPService struct and c2n to fetch them from client Updates tailscale/corp#22743, tailscale/corp#22955 Signed-off-by: Naman Sood <mail@nsood.in> * more review fixes Signed-off-by: Naman Sood <mail@nsood.in> * don't mention PeerCapabilityServicesDestination since it's currently unused Signed-off-by: Naman Sood <mail@nsood.in> --------- Signed-off-by: Naman Sood <mail@nsood.in>	1 year ago
Irbe Krumina	45354dab9b	ipn,tailcfg: add app connector config knob to conffile (#13942 ) Make it possible to advertise app connector via a new conffile field. Also bumps capver - conffile deserialization errors out if unknonw fields are set, so we need to know which clients understand the new field. Updates tailscale/tailscale#11113 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Naman Sood	22c89fcb19	cmd/tailscale,ipn,tailcfg: add `tailscale advertise` subcommand behind envknob (#13734 ) Signed-off-by: Naman Sood <mail@nsood.in>	1 year ago
Tom Proctor	5f22f72636	hostinfo,build_docker.sh,tailcfg: more reliably detect being in a container (#13826 ) Our existing container-detection tricks did not work on Kubernetes, where Docker is no longer used as a container runtime. Extends the existing go build tags for containers to the other container packages and uses that to reliably detect builds that were created by Tailscale for use in a container. Unfortunately this doesn't necessarily improve detection for users' custom builds, but that's a separate issue. Updates #13825 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 year ago
Naman Sood	09ec2f39b5	tailcfg: add func to check for known valid ServiceProtos (#13668 ) Updates tailscale/corp#23574. Signed-off-by: Naman Sood <mail@nsood.in>	1 year ago
Mario Minardi	8d508712c9	tailcfg: add AcceptEnv field to SSHRule (#13523 ) Add an `AcceptEnv` field to `SSHRule`. This will contain the collection of environment variable names / patterns that are specified in the `acceptEnv` block for the SSH rule within the policy file. This will be used in the tailscale client to filter out unacceptable environment variables. Updates: https://github.com/tailscale/corp/issues/22775 Signed-off-by: Mario Minardi <mario@tailscale.com>	1 year ago
Mario Minardi	93f61aa4cc	tailcfg: add node attr for SSH environment variables (#13450 ) Add a node attr for enabling SSH environment variable handling logic. Updates https://github.com/tailscale/corp/issues/22775 Signed-off-by: Mario Minardi <mario@tailscale.com>	1 year ago
Brad Fitzpatrick	eb2fa16fcc	tailcfg: bump capver for earlier cryptokey panic fix [capver 106] I should've bumped capver in `65fe0ba7b5` but forgot. This lets us turn off the cryptokey routing change from control for the affected panicky range of commits, based on capver. Updates #13332 Updates tailscale/corp#20732 Change-Id: I32c17cfcb45b2369b2b560032330551d47a0ce0b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Percy Wegmann	ecc451501c	ssh/tailssh: add ability to force V2 behavior using new feature flag Introduces ssh-behavior-v2 node attribute to override ssh-behavior-v1. Updates #11854 Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 year ago
Percy Wegmann	7d83056a1b	ssh/tailssh: fix SSH on busybox systems This involved the following: 1. Pass the su command path as first of args in call to unix.Exec to make sure that busybox sees the correct program name. Busybox is a single executable userspace that implements various core userspace commands in a single binary. You'll see it used via symlinking, so that for example /bin/su symlinks to /bin/busybox. Busybox knows that you're trying to execute /bin/su because argv[0] is '/bin/su'. When we called unix.Exec, we weren't including the program name for argv[0], which caused busybox to fail with 'applet not found', meaning that it didn't know which command it was supposed to run. 2. Tell su to whitelist the SSH_AUTH_SOCK environment variable in order to support ssh agent forwarding. 3. Run integration tests on alpine, which uses busybox. 4. Increment CurrentCapabilityVersion to allow turning on SSH V2 behavior from control. Fixes #12849 Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 year ago
Maisem Ali	f205efcf18	net/packet/checksum: fix v6 NAT We were copying 12 out of the 16 bytes which meant that the 1:1 NAT required would only work if the last 4 bytes happened to match between the new and old address, something that our tests accidentally had. Fix it by copying the full 16 bytes and make the tests also verify the addr and use rand addresses. Updates #9511 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrea Gottardo	90be06bd5b	health: introduce captive-portal-detected Warnable (#12707 ) Updates tailscale/tailscale#1634 This PR introduces a new `captive-portal-detected` Warnable which is set to an unhealthy state whenever a captive portal is detected on the local network, preventing Tailscale from connecting. ipn/ipnlocal: fix captive portal loop shutdown Change-Id: I7cafdbce68463a16260091bcec1741501a070c95 net/captivedetection: fix mutex misuse ipn/ipnlocal: ensure that we don't fail to start the timer Change-Id: I3e43fb19264d793e8707c5031c0898e48e3e7465 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	1 year ago
Brad Fitzpatrick	808b4139ee	wgengine/magicsock: use wireguard-go/conn.PeerAwareEndpoint If we get an non-disco presumably-wireguard-encrypted UDP packet from an IP:port we don't recognize, rather than drop the packet, give it to WireGuard anyway and let WireGuard try to figure out who it's from and tell us. This uses the new hook added in https://github.com/tailscale/wireguard-go/pull/27 Updates tailscale/corp#20732 Change-Id: I5c61a40143810592f9efac6c12808a87f924ecf2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	c6af5bbfe8	all: add test for package comments, fix, add comments as needed Updates #cleanup Change-Id: Ic4304e909d2131a95a38b26911f49e7b1729aaef Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	42dac7c5c2	wgengine/magicsock: add debug envknob for injecting an endpoint For testing. Lee wants to play with 'AWS Global Accelerator Custom Routing with Amazon Elastic Kubernetes Service'. If this works well enough, we can promote it. Updates #12578 Change-Id: I5018347ed46c15c9709910717d27305d0aedf8f4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	d2fef01206	control/controlknobs,tailcfg,wgengine/magicsock: remove DRPO shutoff switch The DERP Return Path Optimization (DRPO) is over four years old (and on by default for over two) and we haven't had problems, so time to remove the emergency shutoff code (controlknob) which we've never used. The controlknobs are only meant for new features, to mitigate risk. But we don't want to keep them forever, as they kinda pollute the code. Updates #150 Change-Id: If021bc8fd1b51006d8bddd1ffab639bb1abb0ad1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Percy Wegmann	489b990240	tailcfg: bump CurrentCapabilityVersion to capture SSH agent forwarding fix Updates #12467 Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 year ago
Brad Fitzpatrick	5ec01bf3ce	wgengine/filter: support FilterRules matching on srcIP node caps [capver 100] See #12542 for background. Updates #12542 Change-Id: Ida312f700affc00d17681dc7551ee9672eeb1789 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	21460a5b14	tailcfg, wgengine/filter: remove most FilterRule.SrcBits code The control plane hasn't sent it to clients in ages. Updates tailscale/corp#20965 Change-Id: I1d71a4b6dd3f75010a05c544ee39827837c30772 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Nick Khyl	c32efd9118	various: create a catch-all NRPT rule when "Override local DNS" is enabled on Windows Without this rule, Windows 8.1 and newer devices issue parallel DNS requests to DNS servers associated with all network adapters, even when "Override local DNS" is enabled and/or a Mullvad exit node is being used, resulting in DNS leaks. This also adds "disable-local-dns-override-via-nrpt" nodeAttr that can be used to disable the new behavior if needed. Fixes tailscale/corp#20718 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Andrea Gottardo	e8ca30a5c7	xcode/iOS: support serial number collection via MDM on iOS (#11429 ) Fixes tailscale/corp#18366. This PR provides serial number collection on iOS, by allowing system administrators to pass a `DeviceSerialNumber` MDM key which can be read by the `posture` package in Go. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	1 year ago
James Tucker	85ad0c276c	tailcfg: update PeerAPIDNS Port value documentation We do not intend to use this value for feature support communication in the future, and have applied changes elsewhere that now fix the expected value. Updates tailscale/corp#19391 Updates tailscale/corp#20398 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Nick Khyl	3672f66c74	tailcfg: bump capver for NodeAttrDisableSplitDNSWhenNoCustomResolvers Missed in `b65221999c`. Updates tailscale/corp#15802 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 years ago
Irbe Krumina	c3e2b7347b	tailcfg,cmd/k8s-operator,kube: move Kubernetes cap to a location that can be shared with control (#12236 ) This PR is in prep of adding logic to control to be able to parse tailscale.com/cap/kubernetes grants in control: - moves the type definition of PeerCapabilityKubernetes cap to a location shared with control. - update the Kubernetes cap rule definition with fields for granting kubectl exec session recording capabilities. - adds a convenience function to produce tailcfg.RawMessage from an arbitrary cap rule and a test for it. An example grant defined via ACLs: "grants": [{ "src": ["tag:eng"], "dst": ["tag:k8s-operator"], "app": { "tailscale.com/cap/kubernetes": [{ "recorder": ["tag:my-recorder"] “enforceRecorder”: true }], }, } ] This grant enforces `kubectl exec` sessions from tailnet clients, matching `tag:eng` via API server proxy matching `tag:k8s-operator` to be recorded and recording to be sent to a tsrecorder instance, matching `tag:my-recorder`. The type needs to be shared with control because we want control to parse this cap and resolve tags to peer IPs. Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
Andrea Gottardo	b65221999c	tailcfg,net/dns: add controlknob to disable battery split DNS on iOS (#12346 ) Updates corp#15802. Adds the ability for control to disable the recently added change that uses split DNS in more cases on iOS. This will allow us to disable the feature if it leads to regression in production. We plan to remove this knob once we've verified that the feature works properly. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 years ago
Irbe Krumina	82576190a7	tailcfg,cmd/k8s-operator: moves tailscale.com/cap/kubernetes peer cap to tailcfg (#12235 ) This is done in preparation for adding kubectl session recording rules to this capability grant that will need to be unmarshalled by control, so will also need to be in a shared location. Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
Andrew Dunham	36d0ac6f8e	tailcfg: use strings.CutPrefix for CheckTag; add test Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I42eddc7547a6dd50c4d5b2a9fc88a19aac9767aa	2 years ago
Percy Wegmann	08a9551a73	ssh/tailssh: fall back to using su when no TTY available on Linux This allows pam authentication to run for ssh sessions, triggering automation like pam_mkhomedir. Updates #11854 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 years ago
Brad Fitzpatrick	1384c24e41	control/controlclient: delete unused Client.Login Oauth2Token field Updates #12172 (then need to update other repos) Change-Id: I439f65e0119b09e00da2ef5c7a4f002f93558578 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	482890b9ed	tailcfg: bump capver for using NodeAttrUserDialUseRoutes for DNS Missed in `f62e678df8`. Updates tailscale/corp#18725 Updates #4529 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	af97e7a793	tailcfg,all: add/plumb Node.IsJailed This adds a new bool that can be sent down from control to do jailing on the client side. Previously this would only be done from control by modifying the packet filter we sent down to clients. This would result in a lot of additional work/CPU on control, we could instead just do this on the client. This has always been a TODO which we keep putting off, might as well do it now. Updates tailscale/corp#19623 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Nick Khyl	f62e678df8	net/dns/resolver, control/controlknobs, tailcfg: use UserDial instead of SystemDial to dial DNS servers Now that tsdial.Dialer.UserDial has been updated to honor the configured routes and dial external network addresses without going through Tailscale, while also being able to dial a node/subnet router on the tailnet, we can start using UserDial to forward DNS requests. This is primarily needed for DNS over TCP when forwarding requests to internal DNS servers, but we also update getKnownDoHClientForProvider to use it. Updates tailscale/corp#18725 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 years ago
Andrew Lytvynov	c28f5767bf	various: implement stateful firewalling on Linux (#12025 ) Updates https://github.com/tailscale/corp/issues/19623 Change-Id: I7980e1fb736e234e66fa000d488066466c96ec85 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Co-authored-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Nick Khyl	caa3d7594f	ipn/ipnlocal, net/tsdial: plumb routes into tsdial and use them in UserDial We'd like to use tsdial.Dialer.UserDial instead of SystemDial for DNS over TCP. This is primarily necessary to properly dial internal DNS servers accessible over Tailscale and subnet routes. However, to avoid issues when switching between Wi-Fi and cellular, we need to ensure that we don't retain connections to any external addresses on the old interface. Therefore, we need to determine which dialer to use internally based on the configured routes. This plumbs routes and localRoutes from router.Config to tsdial.Dialer, and updates UserDial to use either the peer dialer or the system dialer, depending on the network address and the configured routes. Updates tailscale/corp#18725 Fixes #4529 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 years ago
Claire Wang	5254f6de06	tailcfg: add suggest exit node UI node attribute (#11918 ) Add node attribute to determine whether or not to show suggested exit node in UI. Updates tailscale/corp#19515 Signed-off-by: Claire Wang <claire@tailscale.com>	2 years ago
Fran Bull	1bd1b387b2	appc: add flag shouldStoreRoutes and controlknob for it When an app connector is reconfigured and domains to route are removed, we would like to no longer advertise routes that were discovered for those domains. In order to do this we plan to store which routes were discovered for which domains. Add a controlknob so that we can enable/disable the new behavior. Updates #11008 Signed-off-by: Fran Bull <fran@tailscale.com>	2 years ago
Claire Wang	d5fc52a0f5	tailcfg: add auto exit node attribute (#11871 ) Updates tailscale/corp#19515 Signed-off-by: Claire Wang <claire@tailscale.com>	2 years ago
Percy Wegmann	955ad12489	ipn/ipnlocal: only show Taildrive peers to which ACLs grant us access This improves convenience and security. * Convenience - no need to see nodes that can't share anything with you. * Security - malicious nodes can't expose shares to peers that aren't allowed to access their shares. Updates tailscale/corp#19432 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 years ago
Brad Fitzpatrick	c39cde79d2	tailcfg: remove some unused fields from RegisterResponseAuth Fixes #19334 Change-Id: Id6463f28af23078a7bc25b9280c99d4491bd9651 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	05bfa022f2	tailcfg: pointerify RegisterRequest.Auth, omitemptify RegisterResponseAuth We were storing server-side lots of: "Auth":{"Provider":"","LoginName":"","Oauth2Token":null,"AuthKey":""}, That was about 7% of our total storage of pending RegisterRequest bodies. Updates tailscale/corp#19327 Change-Id: Ib73842759a2b303ff5fe4c052a76baea0d68ae7d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Claire Wang	c24f2eee34	tailcfg: rename exit node destination network flow log node attribute (#11779 ) Updates tailscale/corp#18625 Signed-off-by: Claire Wang <claire@tailscale.com>	2 years ago
Adrian Dewhurst	ca5cb41b43	tailcfg: document use of CapMap for peers Updates tailscale/corp#17516 Updates #11508 Change-Id: Iad2dafb38ffb9948bc2f3dfaf9c268f7d772cf56 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	2 years ago
Claire Wang	976d3c7b5f	tailcfg: add exit destination for network flow logs node attribute (#11698 ) Updates tailscale/corp#18625 Signed-off-by: Claire Wang <claire@tailscale.com>	2 years ago
Charlotte Brandhorst-Satzkorn	98cf71cd73	tailscale: switch tailfs to drive syntax for api and logs (#11625 ) This change switches the api to /drive, rather than the previous /tailfs as well as updates the log lines to reflect the new value. It also cleans up some existing tailfs references. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 years ago
Charlotte Brandhorst-Satzkorn	93618a3518	tailscale: update tailfs functions and vars to use drive naming (#11597 ) This change updates all tailfs functions and the majority of the tailfs variables to use the new drive naming. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 years ago
Brad Fitzpatrick	a36cfb4d3d	tailcfg, ipn/ipnlocal, wgengine/magicsock: add only-tcp-443 node attr Updates tailscale/corp#17879 Change-Id: I0dc305d147b76c409cf729b599a94fa723aef0e0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7b34154df2	all: deprecate Node.Capabilities (more), remove PeerChange.Capabilities [capver 89] First we had Capabilities []string. Then https://tailscale.com/blog/acl-grants (#4217) brought CapMap, a superset of Capabilities. Except we never really finished the transition inside the codebase to go all-in on CapMap. This does so. Notably, this coverts Capabilities on the wire early to CapMap internally so the code can only deal in CapMap, even against an old control server. In the process, this removes PeerChange.Capabilities support, which no known control plane sent anyway. They can and should use PeerChange.CapMap instead. Updates #11508 Updates #4217 Change-Id: I872074e226b873f9a578d9603897b831d50b25d9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	20e9f3369d	control/controlclient: send load balancing hint HTTP request header Updates tailscale/corp#1297 Change-Id: I0b102081e81dfc1261f4b05521ab248a2e4a1298 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Mario Minardi	e0886ad167	ipn/ipnlocal, tailcfg: add disable-web-client node attribute (#11418 ) Add a disable-web-client node attribute and add handling for disabling the web client when this node attribute is set. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	2 years ago
Claire Wang	74e33b9c50	tailcfg: bump CapabilityVersion (#11368 ) bump version for adding NodeAttrSuggestExitNode remove extra s from NodeAttrSuggestExitNode Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>	2 years ago
Claire Wang	d610f8eec0	tailcfg: add suggest exit node related node attribute (#11329 ) Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>	2 years ago
Claire Wang	352c1ac96c	tailcfg: add latitude, longitude for node location (#11162 ) Updates tailscale/corp#17590 Signed-off-by: Claire Wang <claire@tailscale.com>	2 years ago
Maisem Ali	370ecb4654	tailcfg: remove UserProfile.Groups Removing as per go/group-all-the-things. Updates tailscale/corp#17445 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Percy Wegmann	ddcffaef7a	tailfs: disable TailFSForLocal via policy Adds support for node attribute tailfs:access. If this attribute is not present, Tailscale will not accept connections to the local TailFS server at 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 years ago
Percy Wegmann	abab0d4197	tailfs: clean up naming and package structure - Restyles tailfs -> tailFS - Defines interfaces for main TailFS types - Moves implemenatation of TailFS into tailfsimpl package Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 years ago
Percy Wegmann	993acf4475	tailfs: initial implementation Add a WebDAV-based folder sharing mechanism that is exposed to local clients at 100.100.100.100:8080 and to remote peers via a new peerapi endpoint at /v0/tailfs. Add the ability to manage folder sharing via the new 'share' CLI sub-command. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 years ago
Brad Fitzpatrick	2bd3c1474b	util/cmpx: delete now that we're using Go 1.22 Updates #11058 Change-Id: I09dea8e86f03ec148b715efca339eab8b1f0f644 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Jordan Whited	8b47322acc	wgengine/magicsock: implement probing of UDP path lifetime (#10844 ) This commit implements probing of UDP path lifetime on the tail end of an active direct connection. Probing configuration has two parts - Cliffs, which are various timeout cliffs of interest, and CycleCanStartEvery, which limits how often a probing cycle can start, per-endpoint. Initially a statically defined default configuration will be used. The default configuration has cliffs of 10s, 30s, and 60s, with a CycleCanStartEvery of 24h. Probing results are communicated via clientmetric counters. Probing is off by default, and can be enabled via control knob. Probing is purely informational and does not yet drive any magicsock behaviors. Updates #540 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 years ago
Sonia Appasamy	331a6d105f	client/web: add initial types for using peer capabilities Sets up peer capability types for future use within the web client views and APIs. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	2 years ago
James 'zofrex' Sanderson	124dc10261	controlclient,tailcfg,types: expose MaxKeyDuration via localapi (#10401 ) Updates tailscale/corp#16016 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	2 years ago
James 'zofrex' Sanderson	10c595d962	ipn/ipnlocal: refresh node key without blocking if cap enabled (#10529 ) Updates tailscale/corp#16016 Signed-off-by: James Sanderson <jsanderson@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Andrew Lytvynov	945cf836ee	ipn: apply tailnet-wide default for auto-updates (#10508 ) When auto-update setting in local Prefs is unset, apply the tailnet default value from control. This only happens once, when we apply the default (or when the user manually overrides it), tailnet default no longer affects the node. Updates #16244 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 years ago
Naman Sood	650c67a0a1	tailcfg: bump CapabilityVersion for Linux netfilter NodeAttrs and c2n endpoint Updates tailscale/corp#14029. Signed-off-by: Naman Sood <mail@nsood.in>	2 years ago
Naman Sood	0a59754eda	linuxfw,wgengine/route,ipn: add c2n and nodeattrs to control linux netfilter Updates tailscale/corp#14029. Signed-off-by: Naman Sood <mail@nsood.in>	2 years ago
Brad Fitzpatrick	fb829ea7f1	control/controlclient: support incremental packet filter updates [capver 81] Updates #10299 Change-Id: I87e4235c668a1db7de7ef1abc743f0beecb86d3d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	cca27ef96a	ipn/ipnlocal: add c2n method to check on TLS cert fetch status So the control plane can delete TXT records more aggressively after client's done with ACME fetch. Updates tailscale/corp#15848 Change-Id: I4f1140305bee11ee3eee93d4fec3aef2bd6c5a7e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Will Norris	9b537f7c97	ipn: remove the preview-webclient node capability Now that 1.54 has released, and the new web client will be included in 1.56, we can remove the need for the node capability. This means that all 1.55 unstable builds, and then eventually the 1.56 build, will work without setting the node capability. The web client still requires the "webclient" user pref, so this does NOT mean that the web client will be on by default for all devices. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Jordan Whited	e848736927	control/controlknobs,wgengine/magicsock: implement SilentDisco toggle (#10195 ) This change exposes SilentDisco as a control knob, and plumbs it down to magicsock.endpoint. No changes are being made to magicsock.endpoint disco behavior, yet. Updates #540 Signed-off-by: Jordan Whited <jordan@tailscale.com> Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	c54d680682	ipn,tailconfig: clean up unreleased and removed app connector service This was never released, and is replaced by HostInfo.AppConnector. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	0b6636295e	tailcfg,ipn/ipnlocal: add hostinfo field to replace service entry Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	228a82f178	ipn/ipnlocal,tailcfg: add AppConnector service to HostInfo when configured Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Will Norris	66c7af3dd3	ipn: replace web client debug flag with node capability Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Sonia Appasamy	b4247fabec	tailcfg: add ID field to WebClientAuthResponse Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	2 years ago
Andrew Lytvynov	33bb2bbfe9	tailcfg,cmd/tailscale: add UrgentSecurityUpdate flag to ClientVersion (#9848 ) This flag is used in clients to surface urgent updates more prominently. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 years ago
Claire Wang	754fb9a8a8	tailcfg: add tailnet field to register request (#9675 ) Updates tailscale/corp#10967 Signed-off-by: Claire Wang <claire@tailscale.com>	2 years ago
Will Norris	7f08bddfe1	tailcfg: add type for web client auth response This will be returned from the upcoming control endpoints for doing web client session authentication. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Brad Fitzpatrick	b4816e19b6	hostinfo, ipnlocal: flesh out Wake-on-LAN support, send MACs, add c2n sender This optionally uploads MAC address(es) to control, then adds a c2n handler so control can ask a node to send a WoL packet. Updates #306 RELNOTE=now supports waking up peer nodes on your LAN via Wake-on-LAN packets Change-Id: Ibea1275fcd2048dc61d7059039abfbaf1ad4f465 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Tom DNetto	da1b917575	net/tstun: finish wiring IPv6 NAT support Updates https://github.com/tailscale/corp/issues/11202 Updates ENG-991 Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	93c6e1d53b	tstest/deptest: add check that x/exp/{maps,slices} imported as xfoo Updates #cleanup Change-Id: I4cbb5e477c739deddf7a46b66f286c9fdb106279 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago

1 2 3 4 5 ...

501 Commits (hwh33/add-unix-sockets-to-serve)