tailscale

Commit Graph

Author	SHA1	Message	Date
Andrew Dunham	d05a572db4	net/portmapper: handle multiple UPnP discovery responses Instead of taking the first UPnP response we receive and using that to create port mappings, store all received UPnP responses, sort and deduplicate them, and then try all of them to obtain an external address. Updates #10602 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I783ccb1834834ee2a9ecbae2b16d801f2354302f	6 months ago
Sonia Appasamy	c2fe123232	cmd/tailscaled: update ConfigureWebClient's UseSocketOnly value Previously were always setting `UseSocketOnly` because we were comparing `args.socketpath != ""`, but `args.socketpath` flag always gets filled with `paths.DefaultTailscaledSocket()` when not provided. Rather than comparing to the empty string, compare to the default value to determine if `UseSocketOnly` should be set. Should fix issue with web client being unreachable for Mac App Store variant of the mac build. Updates #16054 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Aaron Klotz	0f646937e9	clientupdate: remove TS_NOLAUNCH and GUI restart hacks from autoupdate We've fixed the underlying issue in github.com/tailscale/corp/issues/13998. Fixes #10513 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	6 months ago
Claire Wang	8af503b0c5	syspolicy: add exit node related policies (#10172 ) Adds policy keys ExitNodeID and ExitNodeIP. Uses the policy keys to determine the exit node in preferences. Fixes tailscale/corp#15683 Signed-off-by: Claire Wang <claire@tailscale.com>	6 months ago
Maisem Ali	57129205e6	cmd/tailscaled: make tun mode default on gokrazy Now that we have nftable support this works fine and force it on gokrazy since `25a8daf405`. Updates gokrazy/gokrazy#209 Signed-off-by: Maisem Ali <maisem@tailscale.com>	7 months ago
Sonia Appasamy	6f7a1b51a8	ipn/ipnlocal: rename SetWebLocalClient to ConfigureWebClient For consistency with the "WebClient" naming of the other functions here. Also fixed a doc typo. A #cleanup Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Aaron Klotz	855f79fad7	cmd/tailscaled, util/winutil: changes to process and token APIs in winutil This PR changes the internal getTokenInfo function to use generics. I also removed our own implementations for obtaining a token's user and primary group in favour of calling the ones now available in x/sys/windows. Furthermore, I added two new functions for working with tokens, logon session IDs, and Terminal Services / RDP session IDs. I modified our privilege enabling code to allow enabling of multiple privileges via one single function call. Finally, I added the ProcessImageName function and updated the code in tailscaled_windows.go to use that instead of directly calling the underlying API. All of these changes will be utilized by subsequent PRs pertaining to this issue. Updates https://github.com/tailscale/corp/issues/13998 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	7 months ago
Andrew Lytvynov	c3f1bd4c0a	clientupdate: fix auto-update on Windows over RDP (#10242 ) `winutil.WTSGetActiveConsoleSessionId` only works for physical desktop logins and does not return the session ID for RDP logins. We need to `windows.WTSEnumerateSessions` and find the active session. Fixes https://github.com/tailscale/corp/issues/15772 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Naman Sood	e57fd9cda4	ipn/{ipnlocal,ipnstate,localapi}: add localapi endpoints for client self-update (#10188 ) * ipn/{ipnlocal,ipnstate,localapi}: add localapi endpoints for client self-update Updates #10187. Signed-off-by: Naman Sood <mail@nsood.in> * depaware Updates #10187. Signed-off-by: Naman Sood <mail@nsood.in> * address review feedback Signed-off-by: Naman Sood <mail@nsood.in> --------- Signed-off-by: Naman Sood <mail@nsood.in>	7 months ago
Andrew Lytvynov	55cd5c575b	ipn/localapi: only perform local-admin check in serveServeConfig (#10163 ) On unix systems, the check involves executing sudo, which is slow. Instead of doing it for every incoming request, move the logic into localapi serveServeConfig handler and do it as needed. Updates tailscale/corp#15405 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Jordan Whited	12d5c99b04	client/tailscale,ipn/{ipnlocal,localapi}: check UDP GRO config (#10071 ) Updates tailscale/corp#9990 Signed-off-by: Jordan Whited <jordan@tailscale.com>	7 months ago
Andrew Lytvynov	1fc1077052	ssh/tailssh,util: extract new osuser package from ssh code (#10170 ) This package is a wrapper for os/user that handles non-cgo builds, gokrazy and user shells. Updates tailscale/corp#15405 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
James Tucker	f27b2cf569	appc,cmd/sniproxy,ipn/ipnlocal: split sniproxy configuration code out of appc The design changed during integration and testing, resulting in the earlier implementation growing in the appc package to be intended now only for the sniproxy implementation. That code is moved to it's final location, and the current App Connector code is now renamed. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	7 months ago
Aaron Klotz	47019ce1f1	cmd/tailscaled: pre-load wintun.dll using a fully-qualified path In corp PR #14970 I updated the installer to set a security mitigation that always forces system32 to the front of the Windows dynamic linker's search path. Unfortunately there are other products out there that, partying like it's 1995, drop their own, older version of wintun.dll into system32. Since we look there first, we end up loading that old version. We can fix this by preloading wintun using a fully-qualified path. When wintun-go then loads wintun, the dynamic linker will hand it the module that was previously loaded by us. Fixes #10023, #10025, #10052 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	7 months ago
James Tucker	6ad54fed00	appc,ipn/ipnlocal: add App Connector domain configuration from mapcap The AppConnector is now configured by the mapcap from the control plane. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	7 months ago
James Tucker	b48b7d82d0	appc,ipn/ipnlocal,net/dns/resolver: add App Connector wiring when enabled in prefs An EmbeddedAppConnector is added that when configured observes DNS responses from the PeerAPI. If a response is found matching a configured domain, routes are advertised when necessary. The wiring from a configuration in the netmap capmap is not yet done, so while the connector can be enabled, no domains can yet be added. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	7 months ago
Will Norris	66c7af3dd3	ipn: replace web client debug flag with node capability Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Sonia Appasamy	89953b015b	ipn/ipnlocal,client/web: add web client to tailscaled Allows for serving the web interface from tailscaled, with the ability to start and stop the server via localapi endpoints (/web/start and /web/stop). This will be used to run the new full management web client, which will only be accessible over Tailscale (with an extra auth check step over noise) from the daemon. This switch also allows us to run the web interface as a long-lived service in environments where the CLI version is restricted to CGI, allowing us to manage certain auth state in memory. ipn/ipnlocal/web is stubbed out in ipn/ipnlocal/web_stub for ios builds to satisfy ios restriction from adding "text/template" and "html/template" dependencies. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Aaron Klotz	95671b71a6	ipn, safesocket: use Windows token in LocalAPI On Windows, the idiomatic way to check access on a named pipe is for the server to impersonate the client on its current OS thread, perform access checks using the client's access token, and then revert the OS thread's access token back to its true self. The access token is a better representation of the client's rights than just a username/userid check, as it represents the client's effective rights at connection time, which might differ from their normal rights. This patch updates safesocket to do the aforementioned impersonation, extract the token handle, and then revert the impersonation. We retain the token handle for the remaining duration of the connection (the token continues to be valid even after we have reverted back to self). Since the token is a property of the connection, I changed ipnauth to wrap the concrete net.Conn to include the token. I then plumbed that change through ipnlocal, ipnserver, and localapi as necessary. I also added a PermitLocalAdmin flag to the localapi Handler which I intend to use for controlling access to a few new localapi endpoints intended for configuring auto-update. Updates https://github.com/tailscale/tailscale/issues/755 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	7 months ago
Adrian Dewhurst	5347e6a292	control/controlclient: support certstore without cgo We no longer build Windows releases with cgo enabled, which automatically turned off certstore support. Rather than re-enabling cgo, we updated our fork of the certstore package to no longer require cgo. This updates the package, cleans up how the feature is configured, and removes the cgo build tag requirement. Fixes tailscale/corp#14797 Fixes tailscale/coral#118 Change-Id: Iaea34340761c0431d759370532c16a48c0913374 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	8 months ago
Brad Fitzpatrick	18bd98d35b	cmd/tailscaled,*: add start of configuration file support Updates #1412 Co-authored-by: Maisem Ali <maisem@tailscale.com> Change-Id: I38d559c1784d09fc804f521986c9b4b548718f7d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Rhea Ghosh	71271e41d6	ipn/{ipnlocal/peerapi, localapi} initial taildrop resume api plumbing (#9798 ) This change: * adds a partial files peerAPI endpoint to get a list of partial files * adds a helper function to extract the basename of a file * updates the peer put peerAPI endpoint * updates the file put localapi endpoint to allow resume functionality Updates #14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	8 months ago
Maisem Ali	5297bd2cff	cmd/tailscaled,net/tstun: fix data race on start-up in TUN mode Fixes #7894 Change-Id: Ice3f8019405714dd69d02bc07694f3872bb598b8 Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
James Tucker	96f01a73b1	tailcfg: import ProtoPortRange for local use Imported type and parsing, with minor modifications. Updates tailscale/corp#15043 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
James Tucker	c1ef55249a	types/ipproto: import and test string parsing for ipproto IPProto has been being converted to and from string formats in multiple locations with variations in behavior. TextMarshaller and JSONMarshaller implementations are now added, along with defined accepted and preferred formats to centralize the logic into a single cross compatible implementation. Updates tailscale/corp#15043 Fixes tailscale/corp#15141 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Maisem Ali	9d96e05267	net/packet: split off checksum munging into different pkg The current structure meant that we were embedding netstack in the tailscale CLI and in the GUIs. This removes that by isolating the checksum munging to a different pkg which is only called from `net/tstun`. Fixes #9756 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Andrew Lytvynov	677d486830	clientupdate: abort if current version is newer than latest (#9733 ) This is only relevant for unstable releases and local builds. When local version is newer than upstream, abort release. Also, re-add missing newlines in output that were missed in https://github.com/tailscale/tailscale/pull/9694. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Brad Fitzpatrick	6b1ed732df	go.mod: bump x/net to 0.17 for CVE-2023-39325 https://go.googlesource.com/net/+/b225e7ca6dde1ef5a5ae5ce922861bda011cfabd Updates tailscale/corp#15165 Change-Id: Ia8b5e16b1acfe1b2400d321034b41370396f70e2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Kristoffer Dalby	7f540042d5	ipn/ipnlocal: use syspolicy to determine collection of posture data Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	8 months ago
Kristoffer Dalby	9eedf86563	posture: add get serial support for Windows/Linux This commit adds support for getting serial numbers from SMBIOS on Windows/Linux (and BSD) using go-smbios. Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	8 months ago
Kristoffer Dalby	9593cd3871	posture: add get serial stub for all platforms Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	8 months ago
Rhea Ghosh	dc1c7cbe3e	taildrop: initial commit of taildrop functionality refactoring (#9676 ) Over time all taildrop functionality will be contained in the taildrop package. This will include end to end unit tests. This is simply the first smallest piece to move over. There is no functionality change in this commit. Updates tailscale/corp#14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com> Co-authored-by: Joseph Tsai <joetsai@tailscale.com>	8 months ago
Andrew Dunham	286c6ce27c	net/dns/resolver: race UDP and TCP queries (#9544 ) Instead of just falling back to making a TCP query to an upstream DNS server when the UDP query returns a truncated query, also start a TCP query in parallel with the UDP query after a given race timeout. This ensures that if the upstream DNS server does not reply over UDP (or if the response packet is blocked, or there's an error), we can still make queries if the server replies to TCP queries. This also adds a new package, util/race, to contain the logic required for racing two different functions and returning the first non-error answer. Updates tailscale/corp#14809 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I4311702016c1093b1beaa31b135da1def6d86316	8 months ago
Tom DNetto	656a77ab4e	net/packet: implement methods for rewriting v6 addresses Implements the ability for the address-rewriting code to support rewriting IPv6 addresses. Specifically, UpdateSrcAddr & UpdateDstAddr. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates https://github.com/tailscale/corp/issues/11202	8 months ago
Claire Wang	a56e58c244	util/syspolicy: add read boolean setting (#9592 )	8 months ago
James Tucker	0c8c374a41	go.mod: bump all dependencies except go-billy go-billy is held back at v5.4.1 in order to avoid a newly introduced subdependency that is not compatible with plan9. Updates #8043 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Andrea Barisani	b5b4298325	go.mod,*: bump gvisor Updates #9253 Signed-off-by: Andrea Barisani <andrea@inversepath.com> Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Claire Wang	e3d6236606	winutil: refactor methods to get values from registry to also return (#9536 ) errors Updates tailscale/corp#14879 Signed-off-by: Claire Wang <claire@tailscale.com>	8 months ago
Brad Fitzpatrick	3d37328af6	wgengine, proxymap: split out port mapping from Engine to new type (Continuing quest to remove rando stuff from the "Engine") Updates #cleanup Change-Id: I77f39902c2194410c10c054b545d70c9744250b0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	db2f37d7c6	ipn/ipnlocal: add some test accessors Updates tailscale/corp#12990 Change-Id: I82801ac4c003d2c7e1352c514adb908dbf01be87 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	343c0f1031	wgengine{,/netstack}: remove AddNetworkMapCallback from Engine interface It had exactly one user: netstack. Just have LocalBackend notify netstack when here's a new netmap instead, simplifying the bloated Engine interface that has grown a bunch of non-Engine-y things. (plenty of rando stuff remains after this, but it's a start) Updates #cleanup Change-Id: I45e10ab48119e962fc4967a95167656e35b141d8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	9203916a4a	control/controlknobs: move more controlknobs code from controlclient Updates #cleanup Change-Id: I2b8b6ac97589270f307bfb20e33674894ce873b5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	4e91cf20a8	control/controlknobs, all: add plumbed Knobs type, not global variables Previously two tsnet nodes in the same process couldn't have disjoint sets of controlknob settings from control as both would overwrite each other's global variables. This plumbs a new controlknobs.Knobs type around everywhere and hangs the knobs sent by control on that instead. Updates #9351 Change-Id: I75338646d36813ed971b4ffad6f9a8b41ec91560 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	9a86aa5732	all: depend on zstd unconditionally, remove plumbing to make it optional All platforms use it at this point, including iOS which was the original hold out for memory reasons. No more reason to make it optional. Updates #9332 Change-Id: I743fbc2f370921a852fbcebf4eb9821e2bdd3086 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Marwan Sulaiman	51d3220153	ipn, ipn/ipnlocal: remove log streaming for StreamServe This PR removes the per request logging to the CLI as the CLI will not be displaying those logs initially. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Marwan Sulaiman	a4aa6507fa	ipn, ipn/ipnlocal: add session identifier for WatchIPNBus This PR adds a SessionID field to the ipn.Notify struct so that ipn buses can identify a session and register deferred clean up code in the future. The first use case this is for is to be able to tie foreground serve configs to a specific watch session and ensure its clean up when a connection is closed. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Brad Fitzpatrick	7175f06e62	util/rands: add package with HexString func We use it a number of places in different repos. Might as well make one. Another use is coming. Updates #cleanup Change-Id: Ib7ce38de0db35af998171edee81ca875102349a4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	055fdb235f	cmd/tailscaled, tstest/integration: make tailscaled die when parent dies I noticed that failed tests were leaving aroudn stray tailscaled processes on macOS at least. To repro, add this to tstest/integration: func TestFailInFewSeconds(t testing.T) { t.Parallel() time.Sleep(3 time.Second) os.Exit(1) t.Fatal("boom") } Those three seconds let the other parallel tests (with all their tailscaled child processes) start up and start running their tests, but then we violently os.Exit(1) the test driver and all the children were kept alive (and were spinning away, using all available CPU in gvisor scheduler code, which is a separate scary issue) Updates #cleanup Change-Id: I9c891ed1a1ec639fb2afec2808c04dbb8a460e0e Co-authored-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Andrew Lytvynov	4e72992900	clientupdate: add linux tarball updates (#9144 ) As a fallback to package managers, allow updating tailscale that was self-installed in some way. There are some tricky bits around updating the systemd unit (should we stick to local binary paths or to the ones in tailscaled.service?), so leaving that out for now. Updates #6995 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Chris Palmer	ce1e02096a	ipn/ipnlocal: support most Linuxes in handleC2NUpdate (#9114 ) * ipn/ipnlocal: support most Linuxes in handleC2NUpdate Updates #6995 Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	9 months ago
Brad Fitzpatrick	7053e19562	control/controlclient: delete Status.Log{in,out}Finished They were entirely redundant and 1:1 with the status field so this turns them into methods instead. Updates #cleanup Updates #1909 Change-Id: I7d939750749edf7dae4c97566bbeb99f2f75adbc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	6dfa403e6b	cmd/tailscaled: default to userspace-networking on plan9 No tun support yet. Updates #5794 Change-Id: Ibd8db67594d4c65b47e352ae2af2ab3d2712dfad Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	98a5116434	all: adjust some build tags for plan9 I'm not saying it works, but it compiles. Updates #5794 Change-Id: I2f3c99732e67fe57a05edb25b758d083417f083e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Aaron Klotz	5fb1695bcb	util/osdiag, util/osdiag/internal/wsc: add code to probe the Windows Security Center for installed software The Windows Security Center is a component that manages the registration of security products on a Windows system. Only products that have obtained a special cert from Microsoft may register themselves using the WSC API. Practically speaking, most vendors do in fact sign up for the program as it enhances their legitimacy. From our perspective, this is useful because it gives us a high-signal source of information to query for the security products installed on the system. I've tied this query into the osdiag package and is run during bugreports. It uses COM bindings that were automatically generated by my prototype metadata processor, however that program still has a few bugs, so I had to make a few manual tweaks. I dropped those binding into an internal package because (for the moment, at least) they are effectively purpose-built for the osdiag use case. We also update the wingoes dependency to pick up BSTR. Fixes #10646 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	10 months ago
Brad Fitzpatrick	9089efea06	net/netmon: make ChangeFunc's signature take new ChangeDelta, not bool Updates #9040 Change-Id: Ia43752064a1a6ecefc8802b58d6eaa0b71cf1f84 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Marwan Sulaiman	35ff5bf5a6	cmd/tailscale/cli, ipn/ipnlocal: [funnel] add stream mode Adds ability to start Funnel in the foreground and stream incoming connections. When foreground process is stopped, Funnel is turned back off for the port. Exampe usage: ``` TAILSCALE_FUNNEL_V2=on tailscale funnel 8080 ``` Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	10 months ago
Maisem Ali	8a5ec72c85	cmd/cloner: use maps.Clone and ptr.To Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Brad Fitzpatrick	e8551d6b40	all: use Go 1.21 slices, maps instead of x/exp/{slices,maps} Updates #8419 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	239ad57446	tailcfg: move LogHeapPprof from Debug to c2n [capver 69] And delete Debug.GoroutineDumpURL, which was already in c2n. Updates #8923 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Andrew Dunham	95d776bd8c	wgengine/magicsock: only cache N most recent endpoints per-Addr If a node is flapping or otherwise generating lots of STUN endpoints, we can end up caching a ton of useless values and sending them to peers. Instead, let's apply a fixed per-Addr limit of endpoints that we cache, so that we're only sending peers up to the N most recent. Updates tailscale/corp#13890 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8079a05b44220c46da55016c0e5fc96dd2135ef8	10 months ago
Brad Fitzpatrick	a1b8d703d6	tstime/mono: remove unsafe This removes the unsafe/linkname and only uses the standard library. It's a bit slower, for now, but https://go.dev/cl/518336 should get us back. On darwin/arm64, without https://go.dev/cl/518336 pkg: tailscale.com/tstime/mono │ before │ after │ │ sec/op │ sec/op vs base │ MonoNow-8 16.20n ± 0% 19.75n ± 0% +21.92% (p=0.000 n=10) TimeNow-8 39.46n ± 0% 39.40n ± 0% -0.16% (p=0.002 n=10) geomean 25.28n 27.89n +10.33% And with it, MonoNow-8 16.34n ± 1% 16.93n ± 0% +3.67% (p=0.001 n=10) TimeNow-8 39.55n ± 15% 38.46n ± 1% -2.76% (p=0.000 n=10) geomean 25.42n 25.52n +0.41% Updates #8839 Updates tailscale/go#70 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	66f27c4beb	all: require Go 1.21 Updates #8419 Change-Id: I809b6a4d59d92a2ab6ec587ccbb9053376bf02c2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Maisem Ali	682fd72f7b	util/testenv: add new package to hold InTest Removes duplicated code. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Aaron Klotz	37925b3e7a	go.mod, cmd/tailscaled, ipn/localapi, util/osdiag, util/winutil, util/winutil/authenticode: add Windows module list to OS-specific logs that are written upon bugreport * We update wingoes to pick up new version information functionality (See pe/version.go in the https://github.com/dblohm7/wingoes repo); * We move the existing LogSupportInfo code (including necessary syscall stubs) out of util/winutil into a new package, util/osdiag, and implement the public LogSupportInfo function may be implemented for other platforms as needed; * We add a new reason argument to LogSupportInfo and wire that into localapi's bugreport implementation; * We add module information to the Windows implementation of LogSupportInfo when reason indicates a bugreport. We enumerate all loaded modules in our process, and for each one we gather debug, authenticode signature, and version information. Fixes #7802 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	10 months ago
Brad Fitzpatrick	88cc0ad9f7	util/linuxfw: remove yet-unused code to fix linux/arm64 crash The util/linuxfw/iptables.go had a bunch of code that wasn't yet used (in prep for future work) but because of its imports, ended up initializing code deep within gvisor that panicked on init on arm64 systems not using 4KB pages. This deletes the unused code to delete the imports and remove the panic. We can then cherry-pick this back to the branch and restore it later in a different way. A new test makes sure we don't regress in the future by depending on the panicking package in question. Fixes #8658 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	7560435eb5	tstest/deptest: add test-only package to unify negative dep tests Updates #8658 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Andrew Lytvynov	7a82fd8dbe	ipn/ipnlocal: add optional support for ACME Renewal Info (ARI) (#8599 )	11 months ago
Andrew Dunham	60ab8089ff	logpolicy, various: allow overriding log function This allows sending logs from the "logpolicy" package (and associated callees) to something other than the log package. The behaviour for tailscaled remains the same, passing in log.Printf Updates #8249 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie1d43b75fa7281933d9225bffd388462c08a5f31	11 months ago
Andrew Dunham	a7648a6723	net/dnsfallback: run recursive resolver and compare results When performing a fallback DNS query, run the recursive resolver in a separate goroutine and compare the results returned by the recursive resolver with the results we get from "regular" bootstrap DNS. This will allow us to gather data about whether the recursive DNS resolver works better, worse, or about the same as "regular" bootstrap DNS. Updates #5853 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ifa0b0cc9eeb0dccd6f7a3d91675fe44b3b34bd48	11 months ago
Maisem Ali	2e19790f61	types/views: add JSON marshal/unmarshal and AsMap to Map This allows cloning a Map as well as marshaling the Map as JSON. Updates tailscale/corp#12754 Signed-off-by: Maisem Ali <maisem@tailscale.com>	11 months ago
Andrew Dunham	ab310a7f60	derp: use new net/tcpinfo package Updates #8413 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8bf8046517195a6d42cabb32d6ec7f1f79cef860	11 months ago
KevinLiang10	243ce6ccc1	util/linuxfw: decoupling IPTables logic from linux router This change is introducing new netfilterRunner interface and moving iptables manipulation to a lower leveled iptables runner. For #391 Signed-off-by: KevinLiang10 <kevinliang@tailscale.com>	12 months ago
phirework	fbacc0bd39	go.toolchain: switch to tailscale.go1.21 (#8415 ) Updates #8419 Signed-off-by: Jenny Zhang <jz@tailscale.com>	12 months ago
Brad Fitzpatrick	67e912824a	all: adjust some build tags for wasi A start. Updates #8320 Change-Id: I64057f977be51ba63ce635c56d67de7ecec415d1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	eefee6f149	all: use cmpx.Or where it made sense I left a few out where writing it explicitly was better for various reasons. Updates #8296 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Aaron Klotz	2aa8299c37	cmd/tailscaled, util/winutil: log our registry keys during tailscaled startup In order to improve our ability to understand the state of policies and registry settings when troubleshooting, we enumerate all values in all subkeys. x/sys/windows does not already offer this, so we need to call RegEnumValue directly. For now we're just logging this during startup, however in a future PR I plan to also trigger this code during a bugreport. I also want to log more than just registry. Fixes #8141 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Joe Tsai	84c99fe0d9	logtail: be less aggressive about re-uploads (#8117 ) The retry logic was pathological in the following ways: * If we restarted the logging service, any pending uploads would be placed in a retry-loop where it depended on backoff.Backoff, which was too aggresive. It would retry failures within milliseconds, taking at least 10 retries to hit a delay of 1 second. * In the event where a logstream was rate limited, the aggressive retry logic would severely exacerbate the problem since each retry would also log an error message. It is by chance that the rate of log error spam does not happen to exceed the rate limit itself. We modify the retry logic in the following ways: * We now respect the "Retry-After" header sent by the logging service. * Lacking a "Retry-After" header, we retry after a hard-coded period of 30 to 60 seconds. This avoids the thundering-herd effect when all nodes try reconnecting to the logging service at the same time after a restart. * We do not treat a status 400 as having been uploaded. This is simply not the behavior of the logging service. Updates #tailscale/corp#11213 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 year ago
Chenyang Gao	b9fb8ac702	fix sys.Set(router) issue will crash the daemon in some OSs Signed-off-by: Chenyang Gao <gps949@outlook.com> in commit `6e96744`, the tsd system type has been added. Which will cause the daemon will crash on some OSs (Windows, darwin and so on). The root cause is that on those OSs, handleSubnetsInNetstack() will return true and set the conf.Router with a wrapper. Later in NewUserspaceEngine() it will do subsystem set and found that early set router mismatch to current value, then panic.	1 year ago
Brad Fitzpatrick	6e967446e4	tsd: add package with System type to unify subsystem init, discovery This is part of an effort to clean up tailscaled initialization between tailscaled, tailscaled Windows service, tsnet, and the mac GUI. Updates #8036 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Derek Kaser	0d7303b798	various: add detection and Taildrop for Unraid Updates tailscale/tailscale#8025 Signed-off-by: Derek Kaser <derek.kaser@gmail.com>	1 year ago
Brad Fitzpatrick	9e9ea6e974	go.mod: bump all deps possible that don't break the build This holds back gvisor, kubernetes, goreleaser, and esbuild, which all had breaking API changes. Updates #8043 Updates #7381 Updates #8042 (updates u-root which adds deps) Change-Id: I889759bea057cd3963037d41f608c99eb7466a5b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Charlotte Brandhorst-Satzkorn	ddb4040aa0	wgengine/magicsock: add address selection for wireguard only endpoints (#7979 ) This change introduces address selection for wireguard only endpoints. If a endpoint has not been used before, an address is randomly selected to be used based on information we know about, such as if they are able to use IPv4 or IPv6. When an address is initially selected, we also initiate a new ICMP ping to the endpoints addresses to determine which endpoint offers the best latency. This information is then used to update which endpoint we should be using based on the best possible route. If the latency is the same for a IPv4 and an IPv6 address, IPv6 will be used. Updates #7826 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	1 year ago
Mihai Parparita	7330aa593e	all: avoid repeated default interface lookups On some platforms (notably macOS and iOS) we look up the default interface to bind outgoing connections to. This is both duplicated work and results in logspam when the default interface is not available (i.e. when a phone has no connectivity, we log an error and thus cause more things that we will try to upload and fail). Fixed by passing around a netmon.Monitor to more places, so that we can use its cached interface state. Fixes #7850 Updates #7621 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Mihai Parparita	4722f7e322	all: move network monitoring from wgengine/monitor to net/netmon We're using it in more and more places, and it's not really specific to our use of Wireguard (and does more just link/interface monitoring). Also removes the separate interface we had for it in sockstats -- it's a small enough package (we already pull in all of its dependencies via other paths) that it's not worth the extra complexity. Updates #7621 Updates #7850 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Mihai Parparita	9a655a1d58	net/dnsfallback: more explicitly pass through logf function Redoes the approach from #5550 and #7539 to explicitly pass in the logf function, instead of having global state that can be overridden. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Anton Tolchanov	8546ff98fb	tsweb: move varz handler(s) into separate modules This splits Prometheus metric handlers exposed by tsweb into two modules: - `varz.Handler` exposes Prometheus metrics generated by our expvar converter; - `promvarz.Handler` combines our expvar-converted metrics and native Prometheus metrics. By default, tsweb will use the promvarz handler, however users can keep using only the expvar converter. Specifically, `tailscaled` now uses `varz.Handler` explicitly, which avoids a dependency on the (heavyweight) Prometheus client. Updates https://github.com/tailscale/corp/issues/10205 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Anton Tolchanov	11e6247d2a	tsweb: expose native Prometheus metrics in /debug/varz The handler will expose built-in process and Go metrics by default, which currently duplicate some of the expvar-proxied metrics (`goroutines` vs `go_goroutines`, `memstats` vs `go_memstats`), but as long as their names are different, Prometheus server will just scrape both. This will change /debug/varz behaviour for most tsweb binaries, but notably not for control, which configures a `tsweb.VarzHandler` [explicitly](`a5b5d5167f/cmd/tailcontrol/tailcontrol.go (L779)`) Updates https://github.com/tailscale/corp/issues/10205 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Aaron Klotz	90fd04cbde	ipn/ipnlocal, util/winutil/policy: modify Windows profile migration to load legacy prefs from within tailscaled I realized that a lot of the problems that we're seeing around migration and LocalBackend state can be avoided if we drive Windows pref migration entirely from within tailscaled. By doing it this way, tailscaled can automatically perform the migration as soon as the connection with the client frontend is established. Since tailscaled is already running as LocalSystem, it already has access to the user's local AppData directory. The profile manager already knows which user is connected, so we simply need to resolve the user's prefs file and read it from there. Of course, to properly migrate this information we need to also check system policies. I moved a bunch of policy resolution code out of the GUI and into a new package in util/winutil/policy. Updates #7626 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Andrew Dunham	8d3acc9235	util/sysresources, magicsock: scale DERP buffer based on system memory This adds the util/sysresources package, which currently only contains a function to return the total memory size of the current system. Then, we modify magicsock to scale the number of buffered DERP messages based on the system's available memory, ensuring that we never use a value lower than the previous constant of 32. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib763c877de4d0d4ee88869078e7d512f6a3a148d	1 year ago
Andrew Dunham	38e4d303a2	net/tshttpproxy: don't proxy through ourselves When running a SOCKS or HTTP proxy, configure the tshttpproxy package to drop those addresses from any HTTP_PROXY or HTTPS_PROXY environment variables. Fixes #7407 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I6cd7cad7a609c639780484bad521c7514841764b	1 year ago
Maisem Ali	985535aebc	net/tstun,wgengine/*: add support for NAT to routes This adds support to make exit nodes and subnet routers work when in scenarios where NAT is required. It also updates the NATConfig to be generated from a `wgcfg.Config` as that handles merging prefs with the netmap, so it has the required information about whether an exit node is already configured and whether routes are accepted. Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Dunham	c98652c333	doctor/permissions: add new check to print process permissions Since users can run tailscaled in a variety of ways (root, non-root, non-root with process capabilities on Linux), this check will print the current process permissions to the log to aid in debugging. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ida93a206123f98271a0c664775d0baba98b330c7	1 year ago
James Tucker	a31e43f760	go.mod: bump gvisor to 20230320 for dispatcher locking Upstream improved code around an issue showing up in CI, where sometimes shutdown will race on endpoint.dispatcher being nil'd, causing a panic down stack of injectInbound. The upstream patch makes some usage more safe, but it does not itself fix the local issue. See panic in https://github.com/tailscale/tailscale/actions/runs/4548299564/jobs/8019187385#step:7:843 See fix in google/gvisor@13d7bf69d8 Updates #7715 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
valscale	74eb99aed1	derp, derphttp, magicsock: send new unknown peer frame when destination is unknown (#7552 ) * wgengine/magicsock: add envknob to send CallMeMaybe to non-existent peer For testing older client version responses to the PeerGone packet format change. Updates #4326 Signed-off-by: Val <valerie@tailscale.com> * derp: remove dead sclient struct member replaceLimiter Leftover from an previous solution to the duplicate client problem. Updates #2751 Signed-off-by: Val <valerie@tailscale.com> * derp, derp/derphttp, wgengine/magicsock: add new PeerGone message type Not Here Extend the PeerGone message type by adding a reason byte. Send a PeerGone "Not Here" message when an endpoint sends a disco message to a peer that this server has no record of. Fixes #4326 Signed-off-by: Val <valerie@tailscale.com> --------- Signed-off-by: Val <valerie@tailscale.com>	1 year ago
Maisem Ali	8a11f76a0d	ipn/ipnlocal: fix cert storage in Kubernetes We were checking against the wrong directory, instead if we have a custom store configured just use that. Fixes #7588 Fixes #7665 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Will Norris	57a008a1e1	all: pass log IDs as the proper type rather than strings This change focuses on the backend log ID, which is the mostly commonly used in the client. Tests which don't seem to make use of the log ID just use the zero value. Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Will Norris	a1d9f65354	ipn,log: add logger for sockstat deltas Signed-off-by: Will Norris <will@tailscale.com> Co-authored-by: Melanie Warrick <warrick@tailscale.com>	1 year ago
Maisem Ali	be027a9899	control/controlclient: improve handling of concurrent lite map requests This reverts commit `6eca47b16c` and fixes forward. Previously the first ever streaming MapRequest that a client sent would also set ReadOnly to true as it didn't have any endpoints and expected/relied on the map poll to restart as soon as it got endpoints. However with `48f6c1eba4`, we would no longer restart MapRequests as frequently as we used to, so control would only ever get the first streaming MapRequest which had ReadOnly=true. Control would treat this as an uninteresting request and would not send it any further netmaps, while the client would happily stay in the map poll forever while litemap updates happened in parallel. This makes it so that we never set `ReadOnly=true` when we are doing a streaming MapRequest. This is no longer necessary either as most endpoint discovery happens over disco anyway. Co-authored-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Dunham	be107f92d3	wgengine/magicsock: track per-endpoint changes in ringbuffer This change adds a ringbuffer to each magicsock endpoint that keeps a fixed set of "changes"–debug information about what updates have been made to that endpoint. Additionally, this adds a LocalAPI endpoint and associated "debug peer-status" CLI subcommand to fetch the set of changes for a given IP or hostname. Updates tailscale/corp#9364 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I34f726a71bddd0dfa36ec05ebafffb24f6e0516a	1 year ago
Andrew Dunham	73fa7dd7af	util/slicesx: add package for generic slice functions, use Now that we're using rand.Shuffle in a few locations, create a generic shuffle function and use it instead. While we're at it, move the interleaveSlices function to the same package for use. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I0b00920e5b3eea846b6cedc30bd34d978a049fd3	1 year ago

1 2 3 4 5 ...

604 Commits (main)