209 Commits (hwh33/add-unix-sockets-to-serve)

Author	SHA1	Message	Date
Andrea Gottardo	e5f67f90a2	xcode: allow ICMP ping relay on macOS + iOS platforms (#12048) ... Fixes tailscale/tailscale#10393 Fixes tailscale/corp#15412 Fixes tailscale/corp#19808 On Apple platforms, exit nodes and subnet routers have been unable to relay pings from Tailscale devices to non-Tailscale devices due to sandbox restrictions imposed on our network extensions by Apple. The sandbox prevented the code in netstack.go from spawning the `ping` process which we were using. Replace that exec call with logic to send an ICMP echo request directly, which appears to work in userspace, and not trigger a sandbox violation in the syslog. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 years ago
Andrew Dunham	8f7f9ac17e	wgengine/netstack: handle 4via6 routes that are advertised by the same node ... Previously, a node that was advertising a 4via6 route wouldn't be able to make use of that same route; the packet would be delivered to Tailscale, but since we weren't accepting it in handleLocalPackets, the packet wouldn't be delivered to netstack and would never hit the 4via6 logic. Let's add that support so that usage of 4via6 is consistent regardless of where the connection is initiated from. Updates #11304 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ic28dc2e58080d76100d73b93360f4698605af7cb	2 years ago
Brad Fitzpatrick	21509db121	ipn/ipnlocal, all: plumb health trackers in tests ... I saw some panics in CI, like: 2024-05-08T04:30:25.9553518Z ## WARNING: (non-fatal) nil health.Tracker (being strict in CI): 2024-05-08T04:30:25.9554043Z goroutine 801 [running]: 2024-05-08T04:30:25.9554489Z tailscale.com/health.(*Tracker).nil(0x0) 2024-05-08T04:30:25.9555086Z tailscale.com/health/health.go:185 +0x70 2024-05-08T04:30:25.9555688Z tailscale.com/health.(*Tracker).SetUDP4Unbound(0x0, 0x0) 2024-05-08T04:30:25.9556373Z tailscale.com/health/health.go:532 +0x2f 2024-05-08T04:30:25.9557296Z tailscale.com/wgengine/magicsock.(*Conn).bindSocket(0xc0003b4808, 0xc0003b4878, {0x1fbca53, 0x4}, 0x0) 2024-05-08T04:30:25.9558301Z tailscale.com/wgengine/magicsock/magicsock.go:2481 +0x12c5 2024-05-08T04:30:25.9559026Z tailscale.com/wgengine/magicsock.(*Conn).rebind(0xc0003b4808, 0x0) 2024-05-08T04:30:25.9559874Z tailscale.com/wgengine/magicsock/magicsock.go:2510 +0x16f 2024-05-08T04:30:25.9561038Z tailscale.com/wgengine/magicsock.NewConn({0xc000063c80, 0x0, 0xc000197930, 0xc000197950, 0xc000197960, {0x0, 0x0}, 0xc000197970, 0xc000198ee0, 0x0, ...}) 2024-05-08T04:30:25.9562402Z tailscale.com/wgengine/magicsock/magicsock.go:476 +0xd5f 2024-05-08T04:30:25.9563779Z tailscale.com/wgengine.NewUserspaceEngine(0xc000063c80, {{0x22c8750, 0xc0001976b0}, 0x0, {0x22c3210, 0xc000063c80}, {0x22c31d8, 0x2d3c900}, 0x0, 0x0, ...}) 2024-05-08T04:30:25.9564982Z tailscale.com/wgengine/userspace.go:389 +0x159d 2024-05-08T04:30:25.9565529Z tailscale.com/ipn/ipnlocal.newTestBackend(0xc000358b60) 2024-05-08T04:30:25.9566086Z tailscale.com/ipn/ipnlocal/serve_test.go:675 +0x2a5 2024-05-08T04:30:25.9566612Z ta Updates #11874 Change-Id: I3432ed52d670743e532be4642f38dbd6e3763b1b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7c1d6e35a5	all: use Go 1.22 range-over-int ... Updates #11058 Change-Id: I35e7ef9b90e83cac04ca93fd964ad00ed5b48430 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	dd6c76ea24	ipn: remove unused Options.LegacyMigrationPrefs ... I'm on a mission to simplify LocalBackend.Start and its locking and deflake some tests. I noticed this hasn't been used since March 2023 when it was removed from the Windows client in corp 66be796d33c. So, delete. Updates #11649 Change-Id: I40f2cb75fb3f43baf23558007655f65a8ec5e1b2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	3f4c5daa15	wgengine/netstack: remove SubnetRouterWrapper ... It was used when we only supported subnet routers on linux and would nil out the SubnetRoutes slice as no other router worked with it, but now we support subnet routers on ~all platforms. The field it was setting to nil is now only used for network logging and nowhere else, so keep the field but drop the SubnetRouterWrapper as it's not useful. Updates #cleanup Change-Id: Id03f9b6ec33e47ad643e7b66e07911945f25db79 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Charlotte Brandhorst-Satzkorn	93618a3518	tailscale: update tailfs functions and vars to use drive naming (#11597) ... This change updates all tailfs functions and the majority of the tailfs variables to use the new drive naming. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 years ago
Charlotte Brandhorst-Satzkorn	14683371ee	tailscale: update tailfs file and package names (#11590) ... This change updates the tailfs file and package names to their new naming convention. Updates #tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 years ago
Andrew Dunham	7429e8912a	wgengine/netstack: fix bug with duplicate SYN packets in client limit ... This fixes a bug that was introduced in #11258 where the handling of the per-client limit didn't properly account for the fact that the gVisor TCP forwarder will return 'true' to indicate that it's handled a duplicate SYN packet, but not launch the handler goroutine. In such a case, we neither decremented our per-client limit in the wrapper function, nor did we do so in the handler function, leading to our per-client limit table slowly filling up without bound. Fix this by doing the same duplicate-tracking logic that the TCP forwarder does so we can detect such cases and appropriately decrement our in-flight counter. Updates tailscale/corp#12184 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib6011a71d382a10d68c0802593f34b8153d06892	2 years ago
Andrew Dunham	62cf83eb92	go.mod: bump gvisor ... The `stack.PacketBufferPtr` type no longer exists; replace it with `*stack.PacketBuffer` instead. Updates #8043 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib56ceff09166a042aa3d9b80f50b2aa2d34b3683	2 years ago
Percy Wegmann	2d5d6f5403	ipn,wgengine: only intercept TailFS traffic on quad 100 ... This fixes a regression introduced with 993acf4 and released in v1.60.0. The regression caused us to intercept all userspace traffic to port 8080 which prevented users from exposing their own services to their tailnet at port 8080. Now, we only intercept traffic to port 8080 if it's bound for 100.100.100.100 or fd7a:115c:a1e0::53. Fixes #11283 Signed-off-by: Percy Wegmann <percy@tailscale.com> (cherry picked from commit 17cd0626f3)	2 years ago
Andrew Dunham	3dd8ae2f26	net/tstun: fix spelling of "WireGuard" ... Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ida7e30f4689bc18f5f7502f53a0adb5ac3c7981a	2 years ago
Andrew Dunham	c5abbcd4b4	wgengine/netstack: add a per-client limit for in-flight TCP forwards ... This is a fun one. Right now, when a client is connecting through a subnet router, here's roughly what happens: 1. The client initiates a connection to an IP address behind a subnet router, and sends a TCP SYN 2. The subnet router gets the SYN packet from netstack, and after running through acceptTCP, starts DialContext-ing the destination IP, without accepting the connection¹ 3. The client retransmits the SYN packet a few times while the dial is in progress, until either... 4. The subnet router successfully establishes a connection to the destination IP and sends the SYN-ACK back to the client, or... 5. The subnet router times out and sends a RST to the client. 6. If the connection was successful, the client ACKs the SYN-ACK it received, and traffic starts flowing As a result, the notification code in forwardTCP never notices when a new connection attempt is aborted, and it will wait until either the connection is established, or until the OS-level connection timeout is reached and it aborts. To mitigate this, add a per-client limit on how many in-flight TCP forwarding connections can be in-progress; after this, clients will see a similar behaviour to the global limit, where new connection attempts are aborted instead of waiting. This prevents a single misbehaving client from blocking all other clients of a subnet router by ensuring that it doesn't starve the global limiter. Also, bump the global limit again to a higher value. ¹ We can't accept the connection before establishing a connection to the remote server since otherwise we'd be opening the connection and then immediately closing it, which breaks a bunch of stuff; see #5503 for more details. Updates tailscale/corp#12184 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I76e7008ddd497303d75d473f534e32309c8a5144	2 years ago
Anton Tolchanov	cd9cf93de6	wgengine/netstack: expose TCP forwarder drops via clientmetrics ... - add a clientmetric with a counter of TCP forwarder drops due to the max attempts; - fix varz metric types, as they are all counters. Updates #8210 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 years ago
Brad Fitzpatrick	e1bd7488d0	all: remove LenIter, use Go 1.22 range-over-int instead ... Updates #11058 Updates golang/go#65685 Change-Id: Ibb216b346e511d486271ab3d84e4546c521e4e22 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Percy Wegmann	c42a4e407a	tailfs: listen for local clients only on 100.100.100.100 ... FileSystemForLocal was listening on the node's Tailscale address, which potentially exposes the user's view of TailFS shares to other Tailnet users. Remote nodes should connect to exported shares via the peerapi. This removes that code so that FileSystemForLocal is only avaialable on 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 years ago
Percy Wegmann	ddcffaef7a	tailfs: disable TailFSForLocal via policy ... Adds support for node attribute tailfs:access. If this attribute is not present, Tailscale will not accept connections to the local TailFS server at 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 years ago
Percy Wegmann	abab0d4197	tailfs: clean up naming and package structure ... - Restyles tailfs -> tailFS - Defines interfaces for main TailFS types - Moves implemenatation of TailFS into tailfsimpl package Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 years ago
Percy Wegmann	993acf4475	tailfs: initial implementation ... Add a WebDAV-based folder sharing mechanism that is exposed to local clients at 100.100.100.100:8080 and to remote peers via a new peerapi endpoint at /v0/tailfs. Add the ability to manage folder sharing via the new 'share' CLI sub-command. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 years ago
James Tucker	7e3bcd297e	go.mod,wgengine/netstack: bump gvisor ... Updates #8043 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Andrew Dunham	7a0392a8a3	wgengine/netstack: expose gVisor metrics through expvar ... When tailscaled is run with "-debug 127.0.0.1:12345", these metrics are available at: http://localhost:12345/debug/metrics Updates #8210 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I19db6c445ac1f8344df2bc1066a3d9c9030606f8	2 years ago
Jordan Whited	5e861c3871	wgengine/netstack: disable RACK on Windows (#10402) ... Updates #9707 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 years ago
Maisem Ali	d0f2c0664b	wgengine/netstack: standardize var names in UpdateNetstackIPs ... Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	eaf8aa63fc	wgengine/netstack: remove unnecessary map in UpdateNetstackIPs ... Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	d601c81c51	wgengine/netstack: use netip.Prefix as map keys ... Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
James Tucker	7df6f8736a	wgengine/netstack: only add addresses to correct protocols ... Prior to an earlier netstack bump this code used a string conversion path to cover multiple cases of behavior seemingly checking for unspecified addresses, adding unspecified addresses to v6. The behavior is now crashy in netstack, as it is enforcing address length in various areas of the API, one in particular being address removal. As netstack is now protocol specific, we must not create invalid protocol addresses - an address is v4 or v6, and the address value contained inside must match. If a control path attempts to do something otherwise it is now logged and skipped rather than incorrect addressing being added. Fixes tailscale/corp#15377 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Andrea Barisani	f50b2a87ec	wgengine/netstack: refactor address construction and conversion ... Updates #9252 Updates #9253 Signed-off-by: Andrea Barisani <andrea@inversepath.com> Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Andrea Barisani	b5b4298325	go.mod,*: bump gvisor ... Updates #9253 Signed-off-by: Andrea Barisani <andrea@inversepath.com> Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Val	c608660d12	wgengine,net,ipn,disco: split up and define different types of MTU ... Prepare for path MTU discovery by splitting up the concept of DefaultMTU() into the concepts of the Tailscale TUN MTU, MTUs of underlying network interfaces, minimum "safe" TUN MTU, user configured TUN MTU, probed path MTU to a peer, and maximum probed MTU. Add a set of likely MTUs to probe. Updates #311 Signed-off-by: Val <valerie@tailscale.com>	2 years ago
Val	578b357849	wgengine/netstack: use buffer pools for UDP packet forwarding ... Use buffer pools for UDP packet forwarding to prepare for increasing the forwarded UDP packet size for peer path MTU discovery. Updates #311 Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Val <valerie@tailscale.com>	2 years ago
Andrew Dunham	530aaa52f1	net/dns: retry forwarder requests over TCP ... We weren't correctly retrying truncated requests to an upstream DNS server with TCP. Instead, we'd return a truncated request to the user, even if the user was querying us over TCP and thus able to handle a large response. Also, add an envknob and controlknob to allow users/us to disable this behaviour if it turns out to be buggy (✨ DNS ✨). Updates #9264 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ifb04b563839a9614c0ba03e9c564e8924c1a2bfd	2 years ago
Val	08302c0731	Revert "wgengine/netstack: use buffer pools for UDP packet forwarding" ... This reverts commit fb2f3e4741. Signed-off-by: Val <valerie@tailscale.com>	2 years ago
Val	6cc5b272d8	Revert "wgengine,net,ipn,disco: split up and define different types of MTU" ... This reverts commit 059051c58a. Signed-off-by: Val <valerie@tailscale.com>	2 years ago
Val	059051c58a	wgengine,net,ipn,disco: split up and define different types of MTU ... Prepare for path MTU discovery by splitting up the concept of DefaultMTU() into the concepts of the Tailscale TUN MTU, MTUs of underlying network interfaces, minimum "safe" TUN MTU, user configured TUN MTU, probed path MTU to a peer, and maximum probed MTU. Add a set of likely MTUs to probe. Updates #311 Signed-off-by: Val <valerie@tailscale.com>	2 years ago
Val	fb2f3e4741	wgengine/netstack: use buffer pools for UDP packet forwarding ... Use buffer pools for UDP packet forwarding to prepare for increasing the forwarded UDP packet size for peer path MTU discovery. Updates #311 Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Val <valerie@tailscale.com>	2 years ago
Brad Fitzpatrick	0d991249e1	types/netmap: remove NetworkMap.{Addresses,MachineStatus} ... And convert all callers over to the methods that check SelfNode. Now we don't have multiple ways to express things in tests (setting fields on SelfNode vs NetworkMap, sometimes inconsistently) and don't have multiple ways to check those two fields (often only checking one or the other). Updates #9443 Change-Id: I2d7ba1cf6556142d219fae2be6f484f528756e3c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	3d37328af6	wgengine, proxymap: split out port mapping from Engine to new type ... (Continuing quest to remove rando stuff from the "Engine") Updates #cleanup Change-Id: I77f39902c2194410c10c054b545d70c9744250b0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	343c0f1031	wgengine{,/netstack}: remove AddNetworkMapCallback from Engine interface ... It had exactly one user: netstack. Just have LocalBackend notify netstack when here's a new netmap instead, simplifying the bloated Engine interface that has grown a bunch of non-Engine-y things. (plenty of rando stuff remains after this, but it's a start) Updates #cleanup Change-Id: I45e10ab48119e962fc4967a95167656e35b141d8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	84b94b3146	types/netmap, all: make NetworkMap.SelfNode a tailcfg.NodeView ... Updates #1909 Change-Id: I8c470cbc147129a652c1d58eac9b790691b87606 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	fe95d81b43	ipn/ipnlocal,wgengine/netstack: move LocalBackend specifc serving logic to LocalBackend ... The netstack code had a bunch of logic to figure out if the LocalBackend should handle an incoming connection and then would call the function directly on LocalBackend. Move that logic to LocalBackend and refactor the methods to return conn handlers. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Denton Gentry	5b110685fb	wgengine/netstack: increase maxInFlightConnectionAttempts ... Address reports of subnet router instability when running in `--tun=userspace-networking` mode. Fixes https://github.com/tailscale/corp/issues/12184 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	3 years ago
Denton Gentry	399a80785e	wgengine/netstack: use ping6 on BSD platforms ... Various BSD-derived operating systems including macOS and FreeBSD require that ping6 be used for IPv6 destinations. The "ping" command does not understand an IPv6 destination. FreeBSD 13.x and later do handle IPv6 in the regular ping command, but also retain a ping6 command. We use ping6 on all versions of FreeBSD. Fixes https://github.com/tailscale/tailscale/issues/8225 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	3 years ago
Brad Fitzpatrick	6e967446e4	tsd: add package with System type to unify subsystem init, discovery ... This is part of an effort to clean up tailscaled initialization between tailscaled, tailscaled Windows service, tsnet, and the mac GUI. Updates #8036 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
James Tucker	fb18af5564	wgengine/netstack: fix data-race on startup ... Running tailscaled with the race detector enabled immediately fires on this field, as it is updated after first read. Updates #cleanup Signed-off-by: James Tucker <james@tailscale.com>	3 years ago
James Tucker	40fa2a420c	envknob,net/tstun,wgengine: use TS_DEBUG_MTU consistently ... Noted on #5915 TS_DEBUG_MTU was not used consistently everywhere. Extract the default into a function that can apply this centrally and use it everywhere. Added envknob.Lookup{Int,Uint}Sized to make it easier to keep CodeQL happy when using converted values. Updates #5915 Signed-off-by: James Tucker <james@tailscale.com>	3 years ago
James Tucker	c628132b34	wgengine/netstack: do not send packets to netstack after close ... Use the local context on Impl to check for shut down state in order to drop rather than inject packets after close has begun. Netstack sets endpoint.dispatcher to nil during shutdown. After the recent adjustment in 920ec69241 we now wait for netstack to fully shutdown before we release tests. This means that we may continue to accept packets and attempt to inject them, which we must prevent in order to avoid nil pointer panic. References google/gvisor#8765 Fixes #7715 Signed-off-by: James Tucker <james@tailscale.com>	3 years ago
Maisem Ali	920ec69241	tsnet,wgenegine/netstack: add test and fix resource leaks ... We were not closing the http.Server and were also not waiting for netstack to fully close. Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Maisem Ali	535fad16f8	net/tstun: rename filterIn/filterOut methods to be more descriptive ... Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Will Norris	57a008a1e1	all: pass log IDs as the proper type rather than strings ... This change focuses on the backend log ID, which is the mostly commonly used in the client. Tests which don't seem to make use of the log ID just use the zero value. Signed-off-by: Will Norris <will@tailscale.com>	3 years ago
Maisem Ali	b0cb39cda1	tsnet: only intercept TCP flows that have listeners ... Previously, it would accept all TCP connections and then close the ones it did not care about. Make it only ever accept the connections that it cares about. Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Brad Fitzpatrick	9ff51ca17f	wgengine/netstack: add support for custom UDP flow handlers ... To be used by tsnet and sniproxy later. Updates #5871 Updates #1748 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	cf8dd7aa09	all: use Go 1.20's bytes.Clone ... Updates #7123 Updates #6257 (more to do in other repos) Change-Id: I073e2a6d81a5d7fbecc29caddb7e057ff65239d0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Maisem Ali	04b57a371e	ipn/ipnlocal: drop not required StateKey parameter ... This is #cleanup now that #7121 is merged. Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Will Norris	71029cea2d	all: update copyright and license headers ... This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>	3 years ago
Andrew Dunham	58ad21b252	wgengine/netstack: fix data race in tests ... This uses the helper function added in #6173 to avoid flakes like: https://github.com/tailscale/tailscale/actions/runs/3826912237/jobs/6511078024 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: If3f1d3b9c0f64ffcb4ba9a30d3522ec49484f993	3 years ago
Claire Wang	a45c9f982a	wgengine/netstack: change netstack API to require LocalBackend ... The macOS client was forgetting to call netstack.Impl.SetLocalBackend. Change the API so that it can't be started without one, eliminating this class of bug. Then update all the callers. Updates #6764 Change-Id: I2b3a4f31fdfd9fdbbbbfe25a42db0c505373562f Signed-off-by: Claire Wang <claire@tailscale.com> Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	caa2fe394f	wgengine/netstack: delete some dead code, old comment, use atomic int types ... Noticed while looking at something else; #cleanup. Change-Id: Icde7749363014eab9bebe1dd80708f5491f933d1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
andig	14e8afe444	go.mod, etc: bump gvisor ... Fixes #6554 Change-Id: Ia04ae37a47b67fa57091c9bfe1d45a1842589aa8 Signed-off-by: andig <cpuidle@gmx.de>	3 years ago
Maisem Ali	18c7c3981a	ipn/ipnlocal: call checkPrefs in Start too ... We were not calling checkPrefs on `opts.*Prefs` in (*LocalBackend).Start(). Updates #713 Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Maisem Ali	4d330bac14	ipn/ipnlocal: add support for multiple user profiles ... Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Brad Fitzpatrick	b683921b87	ipn/ipnlocal: add start of handling TCP proxying ... Updates tailscale/corp#7515 Change-Id: I82d19b5864674b2169f25ec8e429f60a543e0c57 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	79472a4a6e	wgengine/netstack: optimize shouldProcessInbound, avoiding 4via6 lookups ... All IPv6 packets for the self address were doing netip.Prefix.Contains lookups. If if we know they're for a self address (which we already previously computed and have sitting in a bool), then they can't be for a 4via6 range. Change-Id: Iaaaf1248cb3fecec229935a80548ead0eb4cb892 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	2daf0f146c	ipn/ipnlocal, wgengine/netstack: start handling ports for future serving ... Updates tailscale/corp#7515 Change-Id: I966e936e72a2ee99be8d0f5f16872b48cc150258 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Andrew Dunham	acf5839dd2	wgengine/netstack: add tests for shouldProcessInbound ... Inspired by #6235, let's explicitly test the behaviour of this function to ensure that we're not processing things we don't expect to. Change-Id: I158050a63be7410fb99452089ea607aaf89fe91a Signed-off-by: Andrew Dunham <andrew@tailscale.com>	3 years ago
Brad Fitzpatrick	abfdcd0f70	wgengine/netstack: fix shouldProcessInbound peerapi non-SYN handling ... It was eating TCP packets to peerapi ports to subnet routers. Some of the TCP flow's packets went onward, some got eaten. So some TCP flows to subnet routers, if they used an unfortunate TCP port number, got broken. Change-Id: Ifea036119ccfb081f4dfa18b892373416a5239f8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	3367136d9e	wgengine/netstack: remove old unused handleSSH hook ... It's leftover from an earlier Tailscale SSH wiring and I forgot to delete it apparently. Change-Id: I14f071f450e272b98d90080a71ce68ba459168d1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Maisem Ali	42f7ef631e	wgengine/netstack: use 72h as the KeepAlive Idle time for Tailscale SSH ... Setting TCP KeepAlives for Tailscale SSH connections results in them unnecessarily disconnecting. However, we can't turn them off completely as that would mean we start leaking sessions waiting for a peer to come back which may have gone away forever (e.g. if the node was deleted from the tailnet during a session). Updates #5021 Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Jordan Whited	a471681e28	wgengine/netstack: enable TCP SACK (#6066) ... TCP selective acknowledgement can improve throughput by an order of magnitude in the presence of loss. Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 years ago
Emmanuel T Odeke	f981b1d9da	all: fix resource leaks with missing .Close() calls ... Fixes #5706 Signed-off-by: Emmanuel T Odeke <emmanuel@orijtech.com>	3 years ago
Andrew Dunham	0607832397	wgengine/netstack: always respond to 4via6 echo requests (#5712) ... As the comment in the code says, netstack should always respond to ICMP echo requests to a 4via6 address, even if the netstack instance isn't normally processing subnet traffic. Follow-up to #5709 Change-Id: I504d0776c5824071b2a2e0e687bc33e24f6c4746 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	3 years ago
Andrew Dunham	b9b0bf65a0	wgengine/netstack: handle 4via6 packets when pinging (#5709) ... Change-Id: Ib6ebbaa11219fb91b550ed7fc6ede61f83262e89 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	3 years ago
Brad Fitzpatrick	74674b110d	envknob: support changing envknobs post-init ... Updates #5114 Change-Id: Ia423fc7486e1b3f3180a26308278be0086fae49b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Andrew Dunham	9240f5c1e2	wgengine/netstack: only accept connection after dialing (#5503) ... If we accept a forwarded TCP connection before dialing, we can erroneously signal to a client that we support IPv6 (or IPv4) without that actually being possible. Instead, we only complete the client's TCP handshake after we've dialed the outbound connection; if that fails, we respond with a RST. Updates #5425 (maybe fixes!) Signed-off-by: Andrew Dunham <andrew@tailscale.com>	3 years ago
Maisem Ali	a9f6cd41fd	all: use syncs.AtomicValue ... Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Brad Fitzpatrick	5f6abcfa6f	all: migrate code from netaddr.FromStdAddr to Go 1.18 ... With caveat https://github.com/golang/go/issues/53607#issuecomment-1203466984 that then requires a new wrapper. But a simpler one at least. Updates #5162 Change-Id: I0a5265065bfcd7f21e8dd65b2bd74cae90d76090 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	8725b14056	all: migrate more code code to net/netip directly ... Instead of going through the tailscale.com/net/netaddr transitional wrappers. Updates #5162 Change-Id: I3dafd1c2effa1a6caa9b7151ecf6edd1a3fda3dd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	a12aad6b47	all: convert more code to use net/netip directly ... perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.) perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. ) goimports -w . Then delete some stuff from the net/netaddr shim package which is no longer neeed. Updates #5162 Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	7eaf5e509f	net/netaddr: start migrating to net/netip via new netaddr adapter package ... Updates #5162 Change-Id: Id7bdec303b25471f69d542f8ce43805328d56c12 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Maisem Ali	9514ed33d2	go.mod: bump gvisor.dev/gvisor ... Pick up https://github.com/google/gvisor/pull/7787 Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
kylecarbs	9280d39678	wgengine/netstack: close ipstack when netstack.Impl is closed ... Fixes netstack.Impl leaking goroutines after shutdown. Signed-off-by: kylecarbs <kyle@carberry.com>	3 years ago
Brad Fitzpatrick	69b535c01f	wgengine/netstack: replace a 1500 with a const + doc ... Per post-submit code review feedback of 1336fb740b from @maisem. Change-Id: Ic5c16306cbdee1029518448642304981f77ea1fd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	1336fb740b	wgengine/netstack: make netstack MTU be 1280 also ... Updates #3878 Change-Id: I1850085b32c8a40d85607b4ad433622c97d96a8d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Tom	fc5839864b	wgengine/netstack: handle multiple magicDNS queries per UDP socket (#4708) ... Fixes: #4686 Signed-off-by: Tom DNetto <tom@tailscale.com>	4 years ago
Brad Fitzpatrick	35111061e9	wgengine/netstack, ipn/ipnlocal: serve http://100.100.100.100/ ... For future stuff. Change-Id: I64615b8b2ab50b57e4eef1ca66fa72e3458cb4a9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Tom	d1d6ab068e	net/dns, wgengine: implement DNS over TCP (#4598) ... * net/dns, wgengine: implement DNS over TCP Signed-off-by: Tom DNetto <tom@tailscale.com> * wgengine/netstack: intercept only relevant port/protocols to quad-100 Signed-off-by: Tom DNetto <tom@tailscale.com>	4 years ago
James Tucker	f9e86e64b7	*: use WireGuard where logged, printed or named ... Signed-off-by: James Tucker <james@tailscale.com>	4 years ago
Tom DNetto	7f45734663	assorted: documentation and readability fixes ... This were intended to be pushed to #4408, but in my excitement I forgot to git push :/ better late than never. Signed-off-by: Tom DNetto <tom@tailscale.com>	4 years ago
Tom DNetto	9e77660931	net/tstun,wgengine/{.,netstack}: handle UDP magicDNS traffic in netstack ... This change wires netstack with a hook for traffic coming from the host into the tun, allowing interception and handling of traffic to quad-100. With this hook wired, magicDNS queries over UDP are now handled within netstack. The existing logic in wgengine to handle magicDNS remains for now, but its hook operates after the netstack hook so the netstack implementation takes precedence. This is done in case we need to support platforms with netstack longer than expected. Signed-off-by: Tom DNetto <tom@tailscale.com>	4 years ago
Tom DNetto	9dee6adfab	cmd/tailscaled,ipn/ipnlocal,wgengine/...: pass dns.Manager into netstack ... Needed for a following commit which moves magicDNS handling into netstack. Signed-off-by: Tom DNetto <tom@tailscale.com>	4 years ago
James Tucker	1aa75b1c9e	wgengine/netstack: always set TCP keepalive ... Setting keepalive ensures that idle connections will eventually be closed. In userspace mode, any application configured TCP keepalive is effectively swallowed by the host kernel, and is not easy to detect. Failure to close connections when a peer tailscaled goes offline or restarts may result in an otherwise indefinite connection for any protocol endpoint that does not initiate new traffic. This patch does not take any new opinion on a sensible default for the keepalive timers, though as noted in the TODO, doing so likely deserves further consideration. Update #4522 Signed-off-by: James Tucker <james@tailscale.com>	4 years ago
Brad Fitzpatrick	8ee044ea4a	ssh/tailssh: make the SSH server a singleton, register with LocalBackend ... Remove the weird netstack -> tailssh dependency and instead have tailssh register itself with ipnlocal when linked. This makes tailssh.server a singleton, so we can have a global map of all sessions. Updates #3802 Change-Id: Iad5caec3a26a33011796878ab66b8e7b49339f29 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	da14e024a8	tailcfg, ssh/tailssh: optionally support SSH public keys in wire policy ... And clean up logging. Updates #3802 Change-Id: I756dc2d579a16757537142283d791f1d0319f4f0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	3ae701f0eb	net/tsaddr, wgengine/netstack: add IPv6 range that forwards to site-relative IPv4 ... This defines a new magic IPv6 prefix, fd7a:115c:a1e0:b1a::/64, a subset of our existing /48, where the final 32 bits are an IPv4 address, and the middle 32 bits are a user-chosen "site ID". (which must currently be 0000:00xx; the top 3 bytes must be zero for now) e.g., I can say my home LAN's "site ID" is "0000:00bb" and then advertise its 10.2.0.0/16 IPv4 range via IPv6, like: tailscale up --advertise-routes=fd7a:115c:a1e0:b1a::bb:10.2.0.0/112 (112 being /128 minuse the /96 v6 prefix length) Then people in my tailnet can: $ curl '[fd7a:115c:a1e0:b1a::bb:10.2.0.230]' <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" .... Updates #3616, etc RELNOTE=initial support for TS IPv6 addresses to route v4 "via" specific nodes Change-Id: I9b49b6ad10410a24b5866b9fbc69d3cae1f600ef Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
James Tucker	c6ac29bcc4	wgengine/netstack: disable refsvfs2 leak tracking (#4378) ... In addition an envknob (TS_DEBUG_NETSTACK_LEAK_MODE) now provides access to set leak tracking to more useful values. Fixes #4309 Signed-off-by: James Tucker <james@tailscale.com>	4 years ago
Brad Fitzpatrick	e4d8d5e78b	net/packet, wgengine/netstack: remove workaround for old gvisor ECN bug ... Fixes #2642 Change-Id: Ic02251d24a4109679645d1c8336e0f961d0cce13 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
James Tucker	445c04c938	wgengine: inject packetbuffers rather than bytes (#4220) ... Plumb the outbound injection path to allow passing netstack PacketBuffers down to the tun Read, where they are decref'd to enable buffer re-use. This removes one packet alloc & copy, and reduces GC pressure by pooling outbound injected packets. Fixes #2741 Signed-off-by: James Tucker <james@tailscale.com>	4 years ago
Josh Bleecher Snyder	0868329936	all: use any instead of interface{} ... My favorite part of generics. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	4 years ago
Brad Fitzpatrick	c9eca9451a	ssh: make it build on darwin ... For local dev testing initially. Product-wise, it'll probably only be workable on the two unsandboxed builds. Updates #3802 Change-Id: Ic352f966e7fb29aff897217d79b383131bf3f92b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	1b87e025e9	ssh/tailssh: move SSH code from wgengine/netstack to this new package ... Still largely incomplete, but in a better home now. Updates #3802 Change-Id: I46c5ffdeb12e306879af801b06266839157bc624 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	6eed2811b2	wgengine/netstack: start supporting different SSH users ... Updates #3802 Change-Id: I44de6897e36b1362cd74c9b10c9cbfeb9abc3dbc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago