tailscale

Commit Graph

Author	SHA1	Message	Date
Maisem Ali	af97e7a793	tailcfg,all: add/plumb Node.IsJailed This adds a new bool that can be sent down from control to do jailing on the client side. Previously this would only be done from control by modifying the packet filter we sent down to clients. This would result in a lot of additional work/CPU on control, we could instead just do this on the client. This has always been a TODO which we keep putting off, might as well do it now. Updates tailscale/corp#19623 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 weeks ago
Brad Fitzpatrick	7c1d6e35a5	all: use Go 1.22 range-over-int Updates #11058 Change-Id: I35e7ef9b90e83cac04ca93fd964ad00ed5b48430 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	7b34154df2	all: deprecate Node.Capabilities (more), remove PeerChange.Capabilities [capver 89] First we had Capabilities []string. Then https://tailscale.com/blog/acl-grants (#4217) brought CapMap, a superset of Capabilities. Except we never really finished the transition inside the codebase to go all-in on CapMap. This does so. Notably, this coverts Capabilities on the wire early to CapMap internally so the code can only deal in CapMap, even against an old control server. In the process, this removes PeerChange.Capabilities support, which no known control plane sent anyway. They can and should use PeerChange.CapMap instead. Updates #11508 Updates #4217 Change-Id: I872074e226b873f9a578d9603897b831d50b25d9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	b104688e04	ipn/ipnlocal, types/netmap: replace hasCapability with set lookup on NetworkMap When node attributes were super rare, the O(n) slice scans looking for node attributes was more acceptable. But now more code and more users are using increasingly more node attributes. Time to make it a map. Noticed while working on tailscale/corp#17879 Updates #cleanup Change-Id: Ic17c80341f418421002fbceb47490729048756d2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	f45594d2c9	control/controlclient: free memory on iOS before full netmap work Updates tailscale/corp#18514 Change-Id: I8d0330334b030ed8692b25549a0ee887ac6d7188 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Adrian Dewhurst	2f7e7be2ea	control/controlclient: do not alias peer CapMap Updates #cleanup Change-Id: I10fd5e04310cdd7894a3caa3045b86eb0a06b6a0 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	2 months ago
Claire Wang	221de01745	control/controlclient: fix sending peer capmap changes (#11457 ) Instead of just checking if a peer capmap is nil, compare the previous state peer capmap with the new peer capmap. Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Brad Fitzpatrick	e1bd7488d0	all: remove LenIter, use Go 1.22 range-over-int instead Updates #11058 Updates golang/go#65685 Change-Id: Ibb216b346e511d486271ab3d84e4546c521e4e22 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Joe Tsai	94a4f701c2	all: use reflect.TypeFor now available in Go 1.22 (#11078 ) Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	3 months ago
Brad Fitzpatrick	2bd3c1474b	util/cmpx: delete now that we're using Go 1.22 Updates #11058 Change-Id: I09dea8e86f03ec148b715efca339eab8b1f0f644 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
James 'zofrex' Sanderson	124dc10261	controlclient,tailcfg,types: expose MaxKeyDuration via localapi (#10401 ) Updates tailscale/corp#16016 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	4 months ago
Andrew Lytvynov	2716250ee8	all: cleanup unused code, part 2 (#10670 ) And enable U1000 check in staticcheck. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Brad Fitzpatrick	fb829ea7f1	control/controlclient: support incremental packet filter updates [capver 81] Updates #10299 Change-Id: I87e4235c668a1db7de7ef1abc743f0beecb86d3d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Brad Fitzpatrick	44c6909c92	control/controlclient: move watchdog out of mapSession In prep for making mapSession's lifetime not be 1:1 with a single HTTP response's lifetime, this moves the inactivity timer watchdog out of mapSession and into the caller that owns the streaming HTTP response. (This is admittedly closer to how it was prior to the mapSession type existing, but that was before we connected some dots which were impossible to even see before the mapSession type broke the code up.) Updates #7175 Change-Id: Ia108dac84a4953db41cbd30e73b1de4a2a676c11 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Brad Fitzpatrick	c87d58063a	control/controlclient: move lastPrintMap field from Direct to mapSession It was a really a mutable field owned by mapSession that we didn't move in earlier commits. Once moved, it's then possible to de-func-ify the code and turn it into a regular method rather than an installed optional hook. Noticed while working to move map session lifetimes out of Direct.sendMapRequest's single-HTTP-connection scope. Updates #7175 Updates #cleanup Change-Id: I6446b15793953d88d1cabf94b5943bb3ccac3ad9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Tom DNetto	c08cf2a9c6	all: declare & plumb IPv6 masquerade address for peer This PR plumbs through awareness of an IPv6 SNAT/masquerade address from the wire protocol through to the low-level (tstun / wgengine). This PR is the first in two PRs for implementing IPv6 NAT support to/from peers. A subsequent PR will implement the data-plane changes to implement IPv6 NAT - this is just plumbing. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates ENG-991	8 months ago
Maisem Ali	19a9d9037f	tailcfg: add NodeCapMap Like PeerCapMap, add a field to `tailcfg.Node` which provides a map of Capability to raw JSON messages which are deferred to be parsed later by the application code which cares about the specific capabilities. This effectively allows us to prototype new behavior without having to commit to a schema in tailcfg, and it also opens up the possibilities to develop custom behavior in tsnet applications w/o having to plumb through application specific data in the MapResponse. Updates #4217 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Brad Fitzpatrick	0d991249e1	types/netmap: remove NetworkMap.{Addresses,MachineStatus} And convert all callers over to the methods that check SelfNode. Now we don't have multiple ways to express things in tests (setting fields on SelfNode vs NetworkMap, sometimes inconsistently) and don't have multiple ways to check those two fields (often only checking one or the other). Updates #9443 Change-Id: I2d7ba1cf6556142d219fae2be6f484f528756e3c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
James Tucker	e7727db553	tailcfg: add DNS address list for IsWireGuardOnly nodes Tailscale exit nodes provide DNS service over the peer API, however IsWireGuardOnly nodes do not have a peer API, and instead need client DNS parameters passed in their node description. For Mullvad nodes this will contain the in network 10.64.0.1 address. Updates #9377 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Brad Fitzpatrick	9203916a4a	control/controlknobs: move more controlknobs code from controlclient Updates #cleanup Change-Id: I2b8b6ac97589270f307bfb20e33674894ce873b5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	3af051ea27	control/controlclient, types/netmap: start plumbing delta netmap updates Currently only the top four most popular changes: endpoints, DERP home, online, and LastSeen. Updates #1909 Change-Id: I03152da176b2b95232b56acabfb55dcdfaa16b79 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	4e91cf20a8	control/controlknobs, all: add plumbed Knobs type, not global variables Previously two tsnet nodes in the same process couldn't have disjoint sets of controlknob settings from control as both would overwrite each other's global variables. This plumbs a new controlknobs.Knobs type around everywhere and hangs the knobs sent by control on that instead. Updates #9351 Change-Id: I75338646d36813ed971b4ffad6f9a8b41ec91560 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	a79b1d23b8	control/controlclient: convert PeersChanged nodes to patches internally So even if the server doesn't support sending patches (neither the Tailscale control server nor Headscale yet do), this makes the client convert a changed node to its diff so the diffs can be processed individually in a follow-up change. This lets us make progress on #1909 without adding a dependency on finishing the server-side part, and also means other control servers will get the same upcoming optimizations. And add some clientmetrics while here. Updates #1909 Change-Id: I9533bcb8bba5227e17389f0b10dff71f33ee54ec Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	947def7688	types/netmap: remove redundant Netmap.Hostinfo It was in SelfNode.Hostinfo anyway. The redundant copy was just costing us an allocation per netmap (a Hostinfo.Clone). Updates #1909 Change-Id: Ifac568aa5f8054d9419828489442a0f4559bc099 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	db017d3b12	control/controlclient: remove quadratic allocs in mapSession The mapSession code was previously quadratic: N clients in a netmap send updates proportional to N and then for each, we do N units of work. This removes most of that "N units of work" per update. There's still a netmap-sized slice allocation per update (that's #8963), but that's it. Bit more efficient now, especially with larger netmaps: │ before │ after │ │ sec/op │ sec/op vs base │ MapSessionDelta/size_10-8 47.935µ ± 3% 1.232µ ± 2% -97.43% (p=0.000 n=10) MapSessionDelta/size_100-8 79.950µ ± 3% 1.642µ ± 2% -97.95% (p=0.000 n=10) MapSessionDelta/size_1000-8 355.747µ ± 10% 4.400µ ± 1% -98.76% (p=0.000 n=10) MapSessionDelta/size_10000-8 3079.71µ ± 3% 27.89µ ± 3% -99.09% (p=0.000 n=10) geomean 254.6µ 3.969µ -98.44% │ before │ after │ │ B/op │ B/op vs base │ MapSessionDelta/size_10-8 9.651Ki ± 0% 2.395Ki ± 0% -75.19% (p=0.000 n=10) MapSessionDelta/size_100-8 83.097Ki ± 0% 3.192Ki ± 0% -96.16% (p=0.000 n=10) MapSessionDelta/size_1000-8 800.25Ki ± 0% 10.32Ki ± 0% -98.71% (p=0.000 n=10) MapSessionDelta/size_10000-8 7896.04Ki ± 0% 82.32Ki ± 0% -98.96% (p=0.000 n=10) geomean 266.8Ki 8.977Ki -96.64% │ before │ after │ │ allocs/op │ allocs/op vs base │ MapSessionDelta/size_10-8 72.00 ± 0% 20.00 ± 0% -72.22% (p=0.000 n=10) MapSessionDelta/size_100-8 523.00 ± 0% 20.00 ± 0% -96.18% (p=0.000 n=10) MapSessionDelta/size_1000-8 5024.00 ± 0% 20.00 ± 0% -99.60% (p=0.000 n=10) MapSessionDelta/size_10000-8 50024.00 ± 0% 20.00 ± 0% -99.96% (p=0.000 n=10) geomean 1.754k 20.00 -98.86% Updates #1909 Change-Id: I41ee29358a5521ed762216a76d4cc5b0d16e46ac Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	cb4a61f951	control/controlclient: don't clone self node on each NetworkMap Drop in the bucket, but have to start somewhere. Real wins will come once this is done for peers. │ before │ after │ │ B/op │ B/op vs base │ MapSessionDelta/size_10-8 10.213Ki ± ∞ ¹ 9.650Ki ± ∞ ¹ -5.51% (p=0.008 n=5) MapSessionDelta/size_100-8 83.64Ki ± ∞ ¹ 83.08Ki ± ∞ ¹ -0.67% (p=0.008 n=5) MapSessionDelta/size_1000-8 800.8Ki ± ∞ ¹ 800.3Ki ± ∞ ¹ -0.07% (p=0.008 n=5) MapSessionDelta/size_10000-8 7.712Mi ± ∞ ¹ 7.711Mi ± ∞ ¹ -0.01% (p=0.008 n=5) geomean 271.1Ki 266.8Ki -1.59% │ before │ after │ │ allocs/op │ allocs/op vs base │ MapSessionDelta/size_10-8 73.00 ± ∞ ¹ 72.00 ± ∞ ¹ -1.37% (p=0.008 n=5) MapSessionDelta/size_100-8 524.0 ± ∞ ¹ 523.0 ± ∞ ¹ -0.19% (p=0.008 n=5) MapSessionDelta/size_1000-8 5.025k ± ∞ ¹ 5.024k ± ∞ ¹ -0.02% (p=0.008 n=5) MapSessionDelta/size_10000-8 50.02k ± ∞ ¹ 50.02k ± ∞ ¹ -0.00% (p=0.040 n=5) geomean 1.761k 1.754k -0.40% Updates #1909 Change-Id: Ie19dea3371de251d64d4373dd00422f53c2675ea Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	84b94b3146	types/netmap, all: make NetworkMap.SelfNode a tailcfg.NodeView Updates #1909 Change-Id: I8c470cbc147129a652c1d58eac9b790691b87606 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	b5ff68a968	control/controlclient: flesh out mapSession to break up gigantic method Now mapSession has a bunch more fields and methods, rather than being just one massive func with a ton of local variables. So far there are no major new optimizations, though. It should behave the same as before. This has been done with an eye towards testability (so tests can set all the callback funcs as needed, or not, without a huge Direct client or long-running HTTP requests), but this change doesn't add new tests yet. That will follow in the changes which flesh out the NetmapUpdater interface. Updates #1909 Change-Id: Iad4e7442d5bbbe2614bd4b1dc4b02e27504898df Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	165f0116f1	types/netmap: move some mutations earlier, remove, document some fields And optimize the Persist setting a bit, allocating later and only mutating fields when there's been a Node change. Updates #1909 Change-Id: Iaddfd9e88ef76e1d18e8d0a41926eb44d0955312 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	4511e7d64e	ipn/ipnstate: add PeerStatus.AltSharerUserID, stop mangling Node.User In `b987b2ab18` (2021-01-12) when we introduced sharing we mapped the sharer to the userid at a low layer, mostly to fix the display of "tailscale status" and the client UIs, but also some tests. The commit earlier today, `7dec09d169`, removed the 2.5yo option to let clients disable that automatic mapping, as clearly we were never getting around to it. This plumbs the Sharer UserID all the way to ipnstatus so the CLI itself can choose to print out the Sharer's identity over the node's original owner. Then we stop mangling Node.User and let clients decide how they want to render things. To ease the migration for the Windows GUI (which currently operates on tailcfg.Node via the NetMap from WatchIPNBus, instead of PeerStatus), a new method Node.SharerOrUser is added to do the mapping of Sharer-else-User. Updates #1909 Updates tailscale/corp#1183 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	7dec09d169	control/controlclient: remove Opts.KeepSharerAndUserSplit It was added 2.5 years ago in `c1dabd9436` but was never used. Clearly that migration didn't matter. We can attempt this again later if/when this matters. Meanwhile this simplifies the code and thus makes working on other current efforts in these parts of the code easier. Updates #1909 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	58a4fd43d8	types/netmap, all: use read-only tailcfg.NodeView in NetworkMap Updates #8948 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	af2e4909b6	all: remove some Debug fields, NetworkMap.Debug, Reconfig Debug arg Updates #8923 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	25663b1307	tailcfg: remove most Debug fields, move bulk to nodeAttrs [capver 70] Now a nodeAttr: ForceBackgroundSTUN, DERPRoute, TrimWGConfig, DisableSubnetsIfPAC, DisableUPnP. Kept support for, but also now a NodeAttr: RandomizeClientPort. Removed: SetForceBackgroundSTUN, SetRandomizeClientPort (both never used, sadly... never got around to them. But nodeAttrs are better anyway), EnableSilentDisco (will be a nodeAttr later when that effort resumes). Updates #8923 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Claire Wang	a17c45fd6e	control: use tstime instead of time (#8595 ) Updates #8587 Signed-off-by: Claire Wang <claire@tailscale.com>	10 months ago
Andrew Dunham	7aba0b0d78	net/netcheck, tailcfg: add DERPHomeParams and use it This allows providing additional information to the client about how to select a home DERP region, such as preferring a given DERP region over all others. Updates #8603 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I7c4a270f31d8585112fab5408799ffba5b75266f	10 months ago
Will Norris	71029cea2d	all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Brad Fitzpatrick	6edf357b96	all: start groundwork for using capver for localapi & peerapi Updates #7015 Change-Id: I3d4c11b42a727a62eaac3262a879f29bb4ce82dd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Andrew Dunham	3a018e51bb	ipn/ipnlocal: move handling of expired nodes to LocalBackend In order to be able to synthesize a new NetMap when a node expires, have LocalBackend start a timer when receiving a new NetMap that fires slightly after the next node expires. Additionally, move the logic that updates expired nodes into LocalBackend so it runs on every netmap (whether received from controlclient or self-triggered). Updates #6932 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I833390e16ad188983eac29eb34cc7574f555f2f3	1 year ago
Andrew Dunham	1e67947cfa	control/controlclient, tailcfg: add Node.Expired field, set for expired nodes Nodes that are expired, taking into account the time delta calculated from MapResponse.ControlTime have the newly-added Expired boolean set. For additional defense-in-depth, also replicate what control does and clear the Endpoints and DERP fields, and additionally set the node key to a bogus value. Updates #6932 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ia2bd6b56064416feee28aef5699ca7090940662a	1 year ago
Brad Fitzpatrick	eafbf8886d	ipn/localapi: add localapi debug endpoints for packet filter/matches For debugging #6423. This is easier than TS_DEBUG_MAP, as this means I can pipe things into jq, etc. Updates #6423 Change-Id: Ib3e7496b2eb3f47d4bed42e9b8045a441424b23c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Joe Tsai	82f5f438e0	wgengine/wgcfg: plumb down audit log IDs (#5855 ) The node and domain audit log IDs are provided in the map response, but are ultimately going to be used in wgengine since that's the layer that manages the tstun.Wrapper. Do the plumbing work to get this field passed down the stack. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Josh Soref	d4811f11a0	all: fix spelling mistakes Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2 years ago
Tom DNetto	e9b98dd2e1	control/controlclient,ipn/ipnlocal: wire tka enable/disable Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	74674b110d	envknob: support changing envknobs post-init Updates #5114 Change-Id: Ia423fc7486e1b3f3180a26308278be0086fae49b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Tom DNetto	18edd79421	control/controlclient,tailcfg: [capver 40] create KeySignature field in tailcfg.Node We calve out a space to put the node-key signature (used on tailnets where network lock is enabled). Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	4ee64681ad	tailcfg, control/controlclient: make Debug settings sticky in a map session [capver 37] Fixes #4843 Change-Id: I3accfd91be474ac745cb47f5d6e866c37d5c5d2d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7c7e23d87a	control/controlclient, tailcfg: add 6 more patchable Node fields [capver 36] Change-Id: Iae997a9a98a5dd841bc41fa91227d5a7dd476a25 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	a12aad6b47	all: convert more code to use net/netip directly perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.) perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. ) goimports -w . Then delete some stuff from the net/netaddr shim package which is no longer neeed. Updates #5162 Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7eaf5e509f	net/netaddr: start migrating to net/netip via new netaddr adapter package Updates #5162 Change-Id: Id7bdec303b25471f69d542f8ce43805328d56c12 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago

1 2

69 Commits (main)