archive
/
tailscale
mirror of https://github.com/tailscale/tailscale/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
7,574 Commits
623 Branches
134 Tags
92 MiB
knyar/key
main
10393-pinging-devices-using-subnet-routing-on-apple-tv-does-not-work
andrew/singleflight-context
ox/11854-3
clairew/store-suggested-exit-node-followup
bradfitz/debug_tstest
dependabot/github_actions/golangci/golangci-lint-action-5.3.0
andrew/4via6-same-host
irbekrm/ipv6nat
ox/deepcache2
clairew/revert-storing-last-suggested
irbekrm/nsimage
andrew/debug-integration-tests
fran/appc-ensmallen-gh-preset
irbekrm/dnsconfigdocs
flakes
ox/11854-3-sftp
percy/cherry-pick-2648d475d751b47755958f47a366e300b6b6de0a
irbekrm/docim
ox/corp-19592
dependabot/github_actions/peter-evans/create-pull-request-6.0.5
ox/11954-3
ox/11854
kevin/Split_Remove_advertised_routes_from_pref
jwhited/derp-stun-xdp
dsnet/logtail-buffer2
bradfitz/dataplane_logs_no_logs_no_support
nickkhyl/ipn-user-identity
irbekrm/extsvcnftableslb
andrew/dns-wrap-errors
release-branch/1.64
noncombatant/safeweb-cleanup
bradfitz/login_retry
patrickod/installer-yml-fixup
release-branch/1.64.0
fran/appc-store-routes-by-source
andrew/controlclient-use-last-addr
enable-exit-node-dst-logs
clairew/peer-node-capability-documentation
revert-11590-catzkorn/penguin
enable-exit-node-dst-logs-2
licenses/corp
dsnet/logpolicy-opts
licenses/android
jonathan/taildrop_path
licenses/cli
release-branch/1.62
clairew/log-dst-exit-node
fran/appc-domain-delte-prototype
irbekrm/maybe_fix_v6
oxtoacart/golden_memory
irbekrm/cherry_fix_panic
oxtoacart/no_indent_status
angott/corp-18441
18366-xcodeios-support-serial-number-collection-via-mdm-on-ios
soniaappasamy/serve-funnel-ui
brafitz/remote-config
andrew/control-key-store
maisem/proxy-1
kradalby/api-latency-histogram
release-branch/1.60
irbekrm/accept_routes
andrew/netstack-forwarder-debug
oxtoacart/immediately_access_shares
knyar/varz
knyar/install
irbekrm/splitkeys
oxtoacart/automount
angott/sleep-debug-apis
clairew/suggest-non-mullvad-exit-node
tom/tka4
clairew/add-latitude-longitude
irbekrm/operatorversion
oxtoacart/dsnet_codereview_fixes
clairew/client-suggest-node-poc
andrew/authurl-rename
andrew/workgraph
raggi/rand
flyingsquirrel_bak
will/containerboot-webui
irbekrm/clustermagicdns
noncombatant/add-hello-systemd
catzkorn/jira
release-branch/1.58
kradalby/view-only-type
clairew/add-disco-pong-padding
clairew/receive-icmp-errors
dgentry-b10911
irbekrm/proxyclass2
irbekrm/proxyclass
irbekrm/byocerts
knyar/worklifeposture
dsnet/httpio
will/webclient-mobile
will/webclient-csrf
irbekrm/static_crd
irbekrm/manifests_crd
maisem/exp-k8s
release-branch/1.44
irbekrm/containerbootdeclarativeconf
kube_exp
irbekrm/conf
raggi/stun-subprocess
andrew/nixos-vm-tests
irbekrm/set_args
andrew/peer-ipv6-addrs
irbekrm/external_services
irbekrm/os
irbekrm/pull_in_certs
dependabot/github_actions/github/codeql-action-3
dependabot/github_actions/actions/upload-artifact-4
irbekrm/kube_build_tags
release-branch/1.56
jwhited/derp-cmm-timestamp
naman/web-client-update-fixes
angott/ios-no-global-resolver
dependabot/github_actions/actions/setup-go-5
soniaappasamy/use-swr
marwan/displayname
release-branch/1.54
danderson/debug-garden
jwhited/unsafe-exp
clairew/test-wrapper-file
bradfitz/compontent_logs
kradalby-keys-db-interface
kradalby/keys-db-interface
andrew/upnp-unfork
bm/tsoidc
irbekrm/le
knyar/restartmap
kristoffer/editable-tailnet-displayname
raggi/document-deprecated-approach
dsnet/statestore
awly/version-override
bradfitz/silentdisco_knob
richard/15372
raggi/icmplistener
awly/linux-sudoers-local-admin-poc
release-branch/1.52
soniaappasamy/web-auth-restructure
maisem/art
bradfitz/ipx_set_contains
knyar/derpmesh
irbekrm/chartandcli
richard/15037-2
bradfitz/linuxfw_nil_table
richard/15037
bradfitz/tbug
bradfitz/derp_mesh
valscale/meshFix
will/sonia/web-tailscaled
tyler/serve-status
maisem/ni
maisem/hi
rhea/apple-test
dgentry-nix-flake
dgentry-coverage
c761d10
bradfitz/gocross_wantver
awly/ipnlocal-watchnotifications-clientversion
bradfitz/integration_more_tun
bradfitz/recursive_controlknob
dgentry-authkey
maisem/login-renew
irbekrm/maisem/nf-runner
maisem/fix-gocross
dependabot/npm_and_yarn/cmd/tsconnect/postcss-8.4.31
bm/4via6
bradfitz/sessionactivetimeout
release-branch/1.50
rhea/taildrop-resume
andrew/peercap-ipv6-aaaa
irbekrm/k8sipnftheuristics
irbekrm/kubeipnft
irbekrm/k8sipnft
maisem/no-auth-once
dgentry-istoreos
knyar/posturemac
dependabot/github_actions/tibdex/github-app-token-2.1.0
irbekrm/egress
raggi/restore-extra-records-dns
aaron/win_process_mitigations
danderson/lru-rollback
maisem/fix
clairew/mdm-interface
angott/userdefaults-reader
andrew/bump-esbuild
andrew/netns-more-logging
release-branch/1.48
irbekrm/k8s-autopilot
dsnet/viewer-jsonv2
marwan/altmem_stash
irbekrm/k8s-nftables
marwan/postmem
maisem/fix-deadlock
bradfitz/matrix
irbekrm/egress-dns
bradfitz/wait_unpause
bradfitz/calc_state
irbekrm/svc_conditions
soniaappasamy/fix-test-flake
marwan/servedev
soniaappasamy/fix-web-client-lock
raggi/netfilter-runtime
raggi/netfilter-add-modes
marwan/scmem
bradfitz/ignore_ula
clairew/tstime-net
clairew/tstime-wgengine
bradfitz/tkasig_type
shayne/k8s-serve
bradfitz/gui_netmap
macsys-update
catzkorn/netcheckuout
andrew/doctor-conntrack
tsweb/client-ui
maisem/onceval
valscale/ptb
maisem/remove-loginname
raggi/gotoolchain
irbekrm/improve_logout
maisem/doc
rhea/egress
maisem/tsnet-ssh
noncombatant/large-int-string
release-branch/1.46
andrew/captive-portal-package
s/pmtud
andrew/derp-bound-latency
andrew/health-state
maisem/caps
bradfitz/gokrazy_dns
clairew/use-tstime-etc
bradfitz/negdep
raggi/stunc
raggi/gvisor-hostarch-deptest
crawshaw/art-table
irbekrm/fix_logout_loop
clairew/refactor-new-timer
clairew/test-wrapper-write-file
maisem/m1
s/tsnetd
thisisparker/firstwords
bradfitz/countrycode
crawshaw/stunchild
tom/disco
maisem/ssh-incomplete-read
raggi/v6masq
dsnet/syncs-map-range-mutable
release-branch/1.42
maisem/alpine-bump
raggi/heartbeat-timebomb
raggi/derp-probe-stun-loss
raggi/tsdebugger
tom/derp
andrew/ipn-debug-1.42.0
maisem/blocked
marwan/portlistrefactor
marwan/noconstructor
angott/allow-thunderbolt-bridge
marwan/polleropts
marwan/noconstructor2
andrew/slicesx-deduplicate
unraid-web
release-branch/1.40
kristoffer/enable-mips-pkgs
s/eq
raggi/atomiccloseonce
raggi/bump-goreleaserv2
marwan/tmp
catzkorn/addrsend
raggi/gofuzz
shayne/funnel_cmd
release-branch/1.38
dgentry/atomicfile
andrew/derp-region-location
tom/tka6
maisem/k8s-cache
azure
maisem/tun-1
andrew/fastjson
crawshaw/lnclose
crawshaw/tsnet1
maisem/tsnet-funnel-2
crawshaw/httpconnect
Xe/tsnet-funnel
dgentry/sniproxy-dns
andrew/util-dnsconfig
andrew/cloudenv-location
release-branch/1.36
aaron/migrate_windows
crawshaw/pidlisten
maisem/waiter
andrew/router-drop-ula
will/vizerr
danderson/mkversion
crawshaw/activesum
andrew/doctor-scutil
danderson/version-private3
bradfitz/sassy
bradfitz/win_unattended_warning
andrew/hostinfo-HavePortMap
skriptble/ssh-recording-persist
maisem/funnel-k8s
maisem/clean2
crawshaw/ondemanddomains
maisem/c1
danderson/helm
andrew/peer-status-KeyExpiry
bradfitz/noise_debug_more
release-branch/1.34
cloner
danderson/backport
clairew/tsnet_get_own_ip
bradfitz/tidy
maisem/wakegroup
raggi/tsweb-compression
bradfitz/fix_ipn_cloner
danderson/bootstrap
will/enforce-hostname
mihaip/delete-all-profiles
release-branch/1.32
shayne/serve_empty_text_handler
bradfitz/hostinfo_ingress_bit
mihaip/logout-async-start
net-audit-log/1.32
bradfitz/set_prefs_locked
mihaip/fas
bradfitz/port_intercept
andrew/net-tsaddr-mapviaaddr
danderson/tsburrito
andrew/tstest-goroutine-ignore
andrew/monitor-link-change
danderson/k8s
andrew/debug-subnet-router
andrew/metrics-distribution
knyar/prober
crawshaw/accumulatorcfg
bradfitz/keyboard-interactive
maisem/unused-ssh-field
bradfitz/tailpipe
maisem/ssh-port-forward-no-session
vm
raggi/accept-routes-filter
nyghtowl/tailnet-name2
buildjet
buildjet-vs-github
andrew/netns-macos-route
maisem/exit-lan
walterp-api
andrew/linux-router-v4-disabled
bradfitz/distro_ubuntu
tom/iptables
release-branch/1.30
tom/tka2
andrew/dnscache-debugging-1.22.2
andrew/controlclient-dial
raggi/experiment-queues
bradfitz/u32
ip6tables
maisem/dns-5
catzkorn/derp-benchmark
maisem/dns-3
jwhited/wireguard-go-vectorized-bind
catzkorn/otel-init
bradfitz/appendf
mihaip/js-cli
dsnet/tsweb-499s
bradfitz/deephash_early_exit
crawshaw/xdp
dsnet/logtail-zstd-single-segment
Xe/gitops-pusher-three-version-problem
Xe/gitops-pusher-acl-test-error-output
Xe/gitops-pusher-ffcli
bradfitz/ssh_auth_none_demo
release-branch/1.28
catzkorn/otel-derp
bradfitz/shared_split_dns
nyghtowl/fix-resolved
release-branch/1.26
bradfitz/explicit_empty_test_3808
crawshaw/preservenetinfo
miriah-3808-reset-operator
dsnet/tsnet-logging
mihaip/wasm-taildrop
crawshaw/stunname
bradfitz/wasm_play
maisem/reg
bradfitz/dot
bradfitz/tcp_flows
release-branch/1.24
raggi/netstack_fwd_close
bradfitz/netstack_fwd_close
merge-tag
cross-android
bradfitz/kmod
bradfitz/ssh_banner
bradfitz/ping
tom/integration
bradfitz/ssh_policy_earlier
maisem/cu
bradfitz/derpy_cast
bradfitz/cli_admin
release-branch/1.22
maisem/ssh-policiy-2
maisem/ssh-policiy-1
aaron/go-ole-ref
bradfitz/key_rotation_prep
josh/tswebflags
release-branch/1.20
crawshaw/envtype
danderson/tsweb-server
bradfitz/autocert_force
bradfitz/use_netstack_upstream
Xe/winui-bugreport-without-tailscaled
bradfitz/hostinfo_basically_equal
release-branch/1.18
aaron/loglog
aaron/dnsapc
bradfitz/demo_client_hijack
bradfitz/windns
bradfitz/exit_node_forward_dns
bradfitz/1.18.1
Xe/tailtlsproxy
bradfitz/allsrc
josh/peermap
danderson/ebpf
bradfitz/1_16_stress_netmap
danderson/nodekey-move
danderson/nodekey-delete-old
danderson/nodekey-cleanup
danderson/magicsock-discokey
release-branch/1.16
danderson/magicsock-node-key
crawshaw/updatefallback
release-branch/1.14
bradfitz/1.14
bradfitz/updates
josh/immutable-views
bradfitz/portmap_gh_actions
danderson/kernel-tailscale
bradfitz/win_default_route
release-branch/1.12
jknodt/logging
simenghe/add-tsmpping-call
josh/opt-getstatus
Aadi/speedtest-tailscaled
dsnet/admin-cli
bradfitz/portmap_test
jknodt/portmap_test
upnpdebug
jknodt/upnp_reuse
crawshaw/peerdoh
josh/debug-flake
simenghe/pingresult-work
jknodt/derp_flow
tps/tailscaled
jknodt/vms_ref
jknodt/integ_test
josh/fast-time
josh/coarsetime
bradfitz/derp_flow
release-branch/1.10
josh/io_uring
josh/deflake-pipe-again
Xe/testcontrol-v6
jknodt/io-uring
simenghe/admin-ping-test
jknodt/periodic_probe
simenghe/isoping
Xe/private-logcatcher-in-process
simenghe/tcpnodeping
bradfitz/deephash_methods
crawshaw/deephash
josh/de-select-tstun-wrapper
Xe/debug-nixos-build
simenghe/isoping-experiment
crawshaw/dnswslhackery
jknodt/userderp
jknodt/bw_rep2
crawshaw/wslresolvconf
jknodt/upnp
crawshaw/magicdnsalways
simenghe/flakeresolve
rec_in_use_after_5_sec
bradfitz/acme
release-branch/1.8
simenghe/add-httphandlers-ping
simenghe/add-ping-route-testcontrol-mux
simeng-pingtest
Xe/test-install-script-libvirtd
apenwarr/check184
crawshaw/newbackendserver
adding-address-ips-totestcontrolnode
onebinary
Xe/synology-does-actually-work-with-subnet-routes-til
bradfitz/netstack_port_map
bradfitz/demo_pinger
apenwarr/fixes
apenwarr/relogin
josh/NewIPPort
josh/IPWithPort
bradfitz/integration_tests
josh/opt-dp-wip
bradfitz/ping_notes
bradfitz/dropped_by_filter_logspam
bradfitz/netstack_drop_silent
bradfitz/log_rate_test
bradfitz/issue_1840_rebased_tree
bradfitz/issue_1849_rebased_tree
crawshaw/syno
apenwarr/statefix
apenwarr/statetest
josh/wip/endpoint-serialize
apenwarr/ioslogin
rosszurowski/cli-fix-typo
bradfitz/cli_pretty
bradfitz/win_delete_retry
bradfitz/sleep
naman/netstack-request-logging
naman/ephem-expand-range
bradfitz/macos_progress
bradfitz/ip_of
crawshaw/localapi404
crawshaw/movefiles
crawshaw/socket
crawshaw/cgi
naman/netstack-subnet-routing
josh/wip/create-endpoint-no-public-key
Xe/log-target-registry-key
release-branch/1.6
bradfitz/ipv6_link_local_strip
bradfitz/darwin_gw
Xe/disallow-local-ip-for-exit-node
release-branch/1.4
crawshaw/upjson
bradfitz/proposed_1.4.6
bradfitz/derp_steer
crawshaw/tailscalestatus
Xe/reset-logid-on-logout-login
naman/netstack-incoming
mkramlich/macos-brew2
naman/netstack-outgoing-udp-test
mkramlich/macos-brew
bradfitz/proposed-1.4.5
peske/ifacewatcher
Xe/hello-vr
crawshaw/filchsync
Xe/derphttp-panic-fix
peske/elnotfound
Xe/rel-144-fix-ipv6-broken-in-tests
bradfitz/darwin_creds
josh/longblock
josh/udp-alloc-less
josh/simplify-filch
josh/remove-ipcgetfilter
Xe/envvar-name-TS
Xe/TS-envvar-name
Xe/do-windows-logserver-better
Xe/log-target-flag
crawshaw/ipuint
bradfitz/hello
bradfitz/linux_v6_off
bradfitz/call_me_maybe_eps
bradfitz/api_docs
alexbrainman/use_wg_dns_code
naman/netstack-use-tailscale-ip
josh/debug-TestLikelyHomeRouterIPSyscallExec
noerror-not-notimp
bradfitz/umaskless_permissions
naman/netstack-bump-version
bradfitz/lite_endpoint_update
c22wen/api-docs
bradfitz/grafana_auth_proxy
crawshaw/dnsguid
nix-shell
release-branch/1.2
bradfitz/acl_tags_in_tailscale_status
bradfitz/expiry_spin
josh/no-goroutine-per-udp-read-2
crawshaw/tailcfg
bradfitz/wgengine_monitor_windows_take2
netstat-unsafe
bradfitz/ipn_empty
bradfitz/win_firewall_async
bradfitz/machine_key
apenwarr/faketun
crawshaw/cloner
crawshaw/jsonhandler
c22wen/route-addr
c22wen/magicsock.go
bradfitz/gvisor_netstack
crawshaw/loadtest
dshynkev/dns-autoset
crawshaw/e2etest
bradfitz/win_wpad_pac
release-branch/1.0
bradfitz/linux_default_route_interface
bradfitz/release-branch-1.0
crawshaw/restartlimit
clone
dshynkev/dns-name
dshynkev/dns-refactor
bradfitz/go_vet
crawshaw/tswebextra
crawshaw/pinger2
lzjluzijie/all_proxy
rate-limiting
lzjluzijie/227_http_proxy
crawshaw/rebind
crawshaw/hostinfo
crawshaw/derp-nokeepalives
crawshaw/derptimeout
crawshaw/derpdial2
crawshaw/derpdial
crawshaw/ipn
crawshaw/e2e_test
crawshaw/ipn2
crawshaw/magicsock
crawshaw/magicsock-infping
crawshaw/spray
crawshaw/br1
v1.64.2
v1.64.1
v1.64.0
v1.62.1
v1.62.0
v1.60.1
v1.60.0
v1.58.2
v1.58.1
v1.58.0
v1.44.3
v1.56.1
v1.56.0
v1.54.1
v1.54.0
v1.52.1
v1.52.0
v1.50.1
v1.50.0
v1.48.2
v1.48.1
v1.48.0
v1.46.1
v1.46.0
v1.44.2
v1.44.0
v1.42.1
v1.42.0
v1.40.1
v1.40.0
v1.38.4
v1.38.3
v1.38.2
v1.38.1
v1.38.0
v1.36.2
v1.36.1
v1.36.0
v1.34.2
v1.34.1
v1.34.0
v1.32.3
v1.32.2
v1.32.1
v1.32.0
v1.30.2
v1.30.1
v1.30.0
v1.28.0
v1.26.2
v1.26.1
v1.26.0
v1.24.2
v1.24.1
v1.24.0
v1.22.2
v1.22.1
v1.22.0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.18.2
v1.18.1
v1.18.0
v1.16.2
v1.16.1
v1.16.0
v1.14.6
v1.14.5
v1.14.4
v1.14.3
v1.14.0
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.12.0
v1.10.2
v1.10.1
v1.10.0
v1.8.8
v1.8.7
v1.8.6
v1.8.5
v1.8.4
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.6.0
v1.4.6
v1.4.5
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.2.10
v1.2.9
v1.2.8
v1.2.7
v1.2.6
v1.2.5
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.1.0
v1.0.0
v0.100.0
v0.99.1
v0.99.0
v0.98.1
v0.98
v0.98.0
v0.97
v0.96.1
v0.96
coral-gitops
gitops-1.30.0
gitops-1.58.2
nginx-auth-0.1.2
v0.100.0-107
v0.100.0-153
v1.61.0-pre
v1.63.0-pre
v1.65.0-pre
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
Commit Graph

408 Commits (main)

Author SHA1 Message Date
James Tucker 8d6793fd70 wgengine/router,util/kmod: load & log xt_mark 
Attempt to load the xt_mark kernel module when it is not present. If the
load fails, log error information.

It may be tempting to promote this failure to an error once it has been
in use for some time, so as to avoid reaching an error with the iptables
invocation, however, there are conditions under which the two stages may
disagree - this change adds more useful breadcrumbs.

Example new output from tailscaled running under my WSL2:

```
router: ensure module xt_mark: "/usr/sbin/modprobe xt_mark" failed: exit status 1; modprobe: FATAL: Module xt_mark not found in directory /lib/modules/5.10.43.3-microsoft-standard-WSL2
```

Background:

There are two places to lookup modules, one is `/proc/modules` "old",
the other is `/sys/module/` "new".

There was query_modules(2) in linux <2.6, alas, it is gone.

In a docker container in the default configuration, you would get
/proc/modules and /sys/module/ both populated. lsmod may work file,
modprobe will fail with EPERM at `finit_module()` for an unpriviliged
container.

In a priviliged container the load may *succeed*, if some conditions are
met. This condition should be avoided, but the code landing in this
change does not attempt to avoid this scenario as it is both difficult
to detect, and has a very uncertain impact.

In an nspawn container `/proc/modules` is populated, but `/sys/module`
does not exist. Modern `lsmod` versions will fail to gather most module
information, without sysfs being populated with module information.

In WSL2 modules are likely missing, as the in-use kernel typically is
not provided by the distribution filesystem, and WSL does not mount in a
module filesystem of its own. Notably the WSL2 kernel supports iptables
marks without listing the xt_mark module in /sys/module, and
/proc/modules is empty.

On a recent kernel, we can ask the capabilities system about SYS_MODULE,
that will help to disambiguate between the non-privileged container case
and just being root. On older kernels these calls may fail.

Update #4329

Signed-off-by: James Tucker <james@tailscale.com>
 2 years ago
Maisem Ali 2b8b887d55 ssh/tailssh: send banner messages during auth, move more to conn 
(VSCode Live Share between Brad & Maisem!)

Updates #3802

Change-Id: Id8edca4481b0811debfdf56d4ccb1a46f71dd6d3
Co-Authored-By: Brad Fitzpatrick <bradfitz@tailscale.com>
Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2 years ago
Maisem Ali 14d077fc3a ssh/tailssh: terminate ssh auth early if no policy can match 
Also bump github.com/tailscale/golang-x-crypto/ssh

Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2 years ago
James Tucker 67192a2323 go.mod: bump u-root 
We only use the termios subpackage, so we're unaffected by
CVE-2020-7665, but the bump will let dependabot return to slumber.

Fixes https://github.com/tailscale/tailscale/security/dependabot/2

Signed-off-by: James Tucker <james@tailscale.com>
 2 years ago
Xe Iaso 4f1d6c53cb
cmd/nginx-auth: create new Tailscale NGINX auth service (#4400) 
This conforms to the NGINX subrequest result authentication protocol[1]
using the NGINX module `ngx_http_auth_request_module`. This is based on
the example that @peterkeen provided on Twitter[2], but with several
changes to make things more tightly locked down:

* This listens over a UNIX socket instead of a TCP socket to prevent
  leakage to the network
* This uses systemd socket activation so that systemd owns the socket
  and can then lock down the service to the bare minimum required to do
  its job without having to worry about dropping permissions
* This provides additional information in HTTP response headers that can
  be useful for integrating with various services
* This has a script to automagically create debian and redhat packages
  for easier distribution

This will be written about on the Tailscale blog. There is more
information in README.md.

[1]: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
[2]: https://github.com/peterkeen/tailscale/blob/main/cmd/nginx-auth-proxy/nginx-auth-proxy.go

Signed-off-by: Xe Iaso <xe@tailscale.com>
 2 years ago
Brad Fitzpatrick 09c5c9eb83 go.mod: bump x/tools for go/packages generics fix 
Updates #4194

Change-Id: Ia992ffb14210d5ad53f8f98d12b80d64080998e6
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2 years ago
James Tucker 8226f1482c
go.mod: bump rtnetlink for address label encoding (#4386) 
This will enable me to land tests for the upcoming monitor change in
PR #4385.

Update #4385
Update #4282

Signed-off-by: James Tucker <james@tailscale.com>
 2 years ago
James Tucker 2550acfd9d
go.mod: bump netstack for clone reset fix (#4379) 
In tracking down issue #4144 and reading through the netstack code in
detail, I discovered that the packet buf Clone path did not reset the
packetbuf it was getting from the sync.Pool. The fix was sent upstream
https://github.com/google/gvisor/pull/7385, and this bump pulls that in.
At this time there is no known path that this fixes, however at the time
of upstream submission this reset at least one field that could lead to
incorrect packet routing if exercised, a situation that could therefore
lead to an information leak.

Signed-off-by: James Tucker <james@tailscale.com>
 2 years ago
Xe Iaso 55161b3d92
cmd/mkpkg: use package flag (#4373) 
Also removes getopt

Signed-off-by: Xe <xe@tailscale.com>
 2 years ago
Matt Layher c79c72c4fc go.mod: github.com/mdlayher/sdnotify@v1.0.0 
Signed-off-by: Matt Layher <mdlayher@gmail.com>
 2 years ago
Maisem Ali ac2033d98c
go.mod: bump staticcheck (#4359) 
Updates #4194

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2 years ago
Brad Fitzpatrick 3d180c0376 go.mod, ssh/tailssh, tempfork/gliderlabs: bump x/crypto/ssh fork for NoClientAuthCallback 
Prep for evaluating SSHPolicy earlier to decide whether certs are
required, which requires knowing the target SSH user.

Updates #3802

Change-Id: I2753ec8069e7f19c9121300d0fb0813c1c627c36
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2 years ago
Brad Fitzpatrick 5a44f9f5b5 tempfork: temporarily fork gliderlabs/ssh and x/crypto/ssh 
While we rearrange/upstream things.

gliderlabs/ssh is forked into tempfork from our prior fork
at be8b7add40

x/crypto/ssh OTOH is forked at
https://github.com/tailscale/golang-x-crypto because it was gnarlier
to vendor with various internal packages, etc.
Its git history shows where it starts (2c7772ba30643b7a2026cbea938420dce7c6384d).

Updates #3802

Change-Id: I546e5cdf831cfc030a6c42557c0ad2c58766c65f
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2 years ago
Brad Fitzpatrick 8294915780 cmd/tailscale/cli: add start of 'ssh' subcommand 
Updates #3802

Change-Id: Iabc07c00c7e4f43944cfe7daec8d2b66ac002289
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2 years ago
Brad Fitzpatrick 4fc38888d2 go.mod: bump x/crypto for SSH change 
(for golang/go#51808)

Updates #3802

Change-Id: Ifbd483c0144b4c86da69143b23b2a06da7672c92
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2 years ago
James Tucker 73314009d0
go.mod: bump netstack (#4222) 
Primarily this is for f375784d83852b1e3ff20cc9de0648b3c0cf8525 and the
related commits that provide buffer pooling for the endpoint code paths
we use.

Signed-off-by: James Tucker <james@tailscale.com>
 2 years ago
Josh Bleecher Snyder 5f176f24db go.mod: upgrade to the latest wireguard-go 
This pulls in a handful of fixes and an update to Go 1.18.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 2 years ago
Josh Bleecher Snyder 8c2cb4b431 go.mod: update to latest certstore 
It includes a fix to allow us to use Go 1.18.
We can now remove our Tailscale-only build tags.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 2 years ago
Josh Bleecher Snyder f695f0b178 go.mod: update golang.org/x/tools and honnef.co/go/tools 
This is required for staticcheck to process code
using Go 1.18.

This puts us on a random commit on the bleeding edge
of staticcheck, which isn't great, but there don't
appear to have been any releases yet that support 1.18.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 2 years ago
Maisem Ali da6ce27416 go.mod: move from github.com/gliderlabs/ssh to github.com/tailscale/ssh 
Updates #4146

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2 years ago
Brad Fitzpatrick ba1adf6c24 ssh/tailssh: make pty termios options match OpenSSH 
Still not sure the exact rules of how/when/who's supposed to set
these, but this works for now on making them match. Baby steps.
Will research more and adjust later.

Updates #4146 (but not enough to fix it, something's still wrong)
Updates #3802

Change-Id: I496d8cd7e31d45fe9ede88fc8894f35dc096de67
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2 years ago
Dmytro Shynkevych d9a7205be5 net/tstun: set link speed to SPEED_UNKNOWN 
Fixes #3933.

Signed-off-by: Dmytro Shynkevych <dm.shynk@gmail.com>
 2 years ago
David Anderson 0fc1479633 go.mod: update github.com/mdlayher/netlink to 1.6.0 
This unbreaks some downstream users of tailscale who end up
with build errors from importing a v0 indirect dependency.

Signed-off-by: David Anderson <danderson@tailscale.com>
 2 years ago
Brad Fitzpatrick 1af26222b6 go.mod: bump netstack, switch to upstream netstack 
Now that Go 1.17 has module graph pruning
(https://go.dev/doc/go1.17#go-command), we should be able to use
upstream netstack without breaking our private repo's build
that then depends on the tailscale.com Go module.

This is that experiment.

Updates #1518 (the original bug to break out netstack to own module)
Updates #2642 (this updates netstack, but doesn't remove workaround)

Change-Id: I27a252c74a517053462e5250db09f379de8ac8ff
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2 years ago
Brad Fitzpatrick 39ffa16853 net/dnscache, net/tsdial: add DNS caching to tsdial UserDial 
This is enough to handle the DNS queries as generated by Go's
net package (which our HTTP/SOCKS client uses), and the responses
generated by the ExitDNS DoH server.

This isn't yet suitable for putting on 100.100.100.100 where a number
of different DNS clients would hit it, as this doesn't yet do
EDNS0. It might work, but it's untested and likely incomplete.

Likewise, this doesn't handle anything about truncation, as the
exchanges are entirely in memory between Go or DoH. That would also
need to be handled later, if/when it's hooked up to 100.100.100.100.

Updates #3507

Change-Id: I1736b0ad31eea85ea853b310c52c5e6bf65c6e2a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2 years ago
David Anderson 190b7a4cca go.mod: mass update with go get -u. 
Gets ahead of dependabot slightly, but the updates are minor.

Signed-off-by: David Anderson <danderson@tailscale.com>
 2 years ago
dependabot[bot] 0d8ef1ff35 go.mod: bump github.com/aws/aws-sdk-go-v2/service/ssm 
Bumps [github.com/aws/aws-sdk-go-v2/service/ssm](https://github.com/aws/aws-sdk-go-v2) from 1.17.0 to 1.17.1.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.17.0...service/ssm/v1.17.1)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ssm
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2 years ago
dependabot[bot] 329751c48e go.mod: bump golang.org/x/tools from 0.1.7 to 0.1.8 
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.1.7 to 0.1.8.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.1.7...v0.1.8)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2 years ago
dependabot[bot] 9ddef8cdbf go.mod: bump github.com/mdlayher/netlink from 1.4.1 to 1.4.2 
Bumps [github.com/mdlayher/netlink](https://github.com/mdlayher/netlink) from 1.4.1 to 1.4.2.
- [Release notes](https://github.com/mdlayher/netlink/releases)
- [Changelog](https://github.com/mdlayher/netlink/blob/main/CHANGELOG.md)
- [Commits](https://github.com/mdlayher/netlink/compare/v1.4.1...v1.4.2)

---
updated-dependencies:
- dependency-name: github.com/mdlayher/netlink
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2 years ago
dependabot[bot] 9140f193bc go.mod: bump github.com/aws/aws-sdk-go-v2/feature/s3/manager 
Bumps [github.com/aws/aws-sdk-go-v2/feature/s3/manager](https://github.com/aws/aws-sdk-go-v2) from 1.7.3 to 1.7.4.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/fsx/v1.7.3...feature/s3/manager/v1.7.4)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/feature/s3/manager
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2 years ago
Artyom Pervukhin 49a9e62d58 Replace AWS SDK v1 dependency with v2 
This change drops AWS SDKv1 dependency, leaving only SDK v2 in use.

Closes #3461

Signed-off-by: Artyom Pervukhin <github@artyom.dev>
 2 years ago
dependabot[bot] d89c61b812 go.mod: bump github.com/aws/aws-sdk-go-v2/service/ssm 
Bumps [github.com/aws/aws-sdk-go-v2/service/ssm](https://github.com/aws/aws-sdk-go-v2) from 1.16.0 to 1.17.0.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.16.0...service/s3/v1.17.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ssm
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2 years ago
dependabot[bot] 341e1af873 go.mod: bump github.com/aws/aws-sdk-go-v2/config from 1.10.2 to 1.10.3 
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.10.2 to 1.10.3.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.10.2...config/v1.10.3)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2 years ago
David Crawshaw 1e8b4e770a update github.com/aws/aws-sdk-go-v2 
Replaces #3464, #3365, #3366 with a PR that includes the depaware fix.

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
 2 years ago
dependabot[bot] 6fd6fe11f2 go.mod: bump honnef.co/go/tools from 0.2.1 to 0.2.2 
Bumps [honnef.co/go/tools](https://github.com/dominikh/go-tools) from 0.2.1 to 0.2.2.
- [Release notes](https://github.com/dominikh/go-tools/releases)
- [Commits](https://github.com/dominikh/go-tools/compare/v0.2.1...v0.2.2)

---
updated-dependencies:
- dependency-name: honnef.co/go/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2 years ago
dependabot[bot] f76a8d93da go.mod: bump github.com/godbus/dbus/v5 from 5.0.5 to 5.0.6 
Bumps [github.com/godbus/dbus/v5](https://github.com/godbus/dbus) from 5.0.5 to 5.0.6.
- [Release notes](https://github.com/godbus/dbus/releases)
- [Commits](https://github.com/godbus/dbus/compare/v5.0.5...v5.0.6)

---
updated-dependencies:
- dependency-name: github.com/godbus/dbus/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2 years ago
Brad Fitzpatrick 2ea765e5d8 go.mod: bump inet.af/netstack 
Updates #2642 (I'd hoped, but doesn't seem to fix it)

Change-Id: Id54af7c90a1206bc7018215957e20e954782b911
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2 years ago
David Anderson 41da7620af go.mod: update wireguard-go to pick up roaming toggle 
wgengine/wgcfg: introduce wgcfg.NewDevice helper to disable roaming
at all call sites (one real plus several tests).

Fixes tailscale/corp#3016.

Signed-off-by: David Anderson <danderson@tailscale.com>
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Brad Fitzpatrick 0edd2d1cd5 safesocket: add js/wasm implementation with in-memory net.Conn 
Updates #3157

Change-Id: Ia35b1e259011fb86f8c4e01f62146f9fd4c9b7c6
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
dependabot[bot] 12148dcf48 go.mod: bump github.com/frankban/quicktest from 1.13.1 to 1.14.0 
Bumps [github.com/frankban/quicktest](https://github.com/frankban/quicktest) from 1.13.1 to 1.14.0.
- [Release notes](https://github.com/frankban/quicktest/releases)
- [Commits](https://github.com/frankban/quicktest/compare/v1.13.1...v1.14.0)

---
updated-dependencies:
- dependency-name: github.com/frankban/quicktest
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 3 years ago
Brad Fitzpatrick ff1954cfd9 wgengine/router: use netlink for ip rules on Linux 
Using temporary netlink fork in github.com/tailscale/netlink until we
get the necessary changes upstream in either vishvananda/netlink
or jsimonetti/rtnetlink.

Updates #391

Change-Id: I6e1de96cf0750ccba53dabff670aca0c56dffb7c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Brad Fitzpatrick 0303ec44c3 go.mod: bump netstack for mipsle fix 
Fixes #3233

Change-Id: I18d1af886402774ce0ecc77dae3bc71eb8ba5c9d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Brad Fitzpatrick dc2fbf5877 wgengine/router: start using netlink instead of 'ip' on Linux 
Converts up, down, add/del addresses, add/del routes.

Not yet done: rules.

Updates #391

Change-Id: I02554ca07046d18f838e04a626ba99bbd35266fb
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Brad Fitzpatrick e4d2ef2b67 go.sum: tidy 
Change-Id: I198755a3a94d89d838ff817573fbdd198412b2f3
 3 years ago
Josh Bleecher Snyder f27950e97f go.mod: upgrade netaddr, netstack 
For Go 1.18 support.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Brad Fitzpatrick 505f844a43 cmd/derper, derp/derphttp: add websocket support 
Updates #3157

Change-Id: I337a919a3b350bc7bd9af567b49c4d5d6616abdd
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Brad Fitzpatrick c209278a9b go.mod: bump wireguard-go to pick up upstreamed js/wasm build fixes 
Updates #3157

Change-Id: I727cb5f77110c87850061aa3b9f03c15dbda70d3
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
dependabot[bot] eaa0aef934 go.mod: bump github.com/creack/pty from 1.1.16 to 1.1.17 
Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.16 to 1.1.17.
- [Release notes](https://github.com/creack/pty/releases)
- [Commits](https://github.com/creack/pty/compare/v1.1.16...v1.1.17)

---
updated-dependencies:
- dependency-name: github.com/creack/pty
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 3 years ago
Aaron Klotz 1991a1ac6a net/tstun: update tun_windows for wintun 0.14 API revisions, update wireguard-go dependency to 82d2aa87aa623cb5143a41c3345da4fb875ad85d 
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
 3 years ago
Maxime VISONNEAU 4528f448d6 ipn/store/aws, cmd/tailscaled: add AWS SSM ipn.StateStore implementation 
From https://github.com/tailscale/tailscale/pull/1919 with
edits by bradfitz@.

This change introduces a new storage provider for the state file. It
allows users to leverage AWS SSM parameter store natively within
tailscaled, like:

    $ tailscaled --state=arn:aws:ssm:eu-west-1:123456789:parameter/foo

Known limitations:
- it is not currently possible to specific a custom KMS key ID

RELNOTE=tailscaled on Linux supports using AWS SSM for state

Edits-By: Brad Fitzpatrick <bradfitz@tailscale.com>
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Signed-off-by: Maxime VISONNEAU <maxime.visonneau@gmail.com>
 3 years ago
Brad Fitzpatrick a2e1e5d909 go.mod: bump go-ole for windows/arm64 support 
Updates #2606

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Brad Fitzpatrick 2d11503cff cmd/tailscale: add up --qr to show QR code 
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Brad Fitzpatrick 7cf8ec8108 net/tlsdial: bake in LetsEncrypt's ISRG Root X1 root 
We still try the host's x509 roots first, but if that fails (like if
the host is old), we fall back to using LetsEncrypt's root and
retrying with that.

tlsdial was used in the three main places: logs, control, DERP. But it
was missing in dnsfallback. So added it there too, so we can run fine
now on a machine with no DNS config and no root CAs configured.

Also, move SSLKEYLOGFILE support out of DERP. tlsdial is the logical place
for that support.

Fixes #1609

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
dependabot[bot] 5809386525 go.mod: bump golang.zx2c4.com/wireguard/windows from 0.4.9 to 0.4.10 
Bumps golang.zx2c4.com/wireguard/windows from 0.4.9 to 0.4.10.

---
updated-dependencies:
- dependency-name: golang.zx2c4.com/wireguard/windows
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 3 years ago
dependabot[bot] 0fa1da2d1b go.mod: bump golang.org/x/tools from 0.1.6 to 0.1.7 
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.1.6 to 0.1.7.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.1.6...v0.1.7)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 3 years ago
dependabot[bot] 8949305820 go.mod: bump github.com/creack/pty from 1.1.15 to 1.1.16 
Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.15 to 1.1.16.
- [Release notes](https://github.com/creack/pty/releases)
- [Commits](https://github.com/creack/pty/compare/v1.1.15...v1.1.16)

---
updated-dependencies:
- dependency-name: github.com/creack/pty
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 3 years ago
dependabot[bot] 7f0fcf8571 go.mod: bump github.com/pkg/sftp from 1.13.3 to 1.13.4 
Bumps [github.com/pkg/sftp](https://github.com/pkg/sftp) from 1.13.3 to 1.13.4.
- [Release notes](https://github.com/pkg/sftp/releases)
- [Commits](https://github.com/pkg/sftp/compare/v1.13.3...v1.13.4)

---
updated-dependencies:
- dependency-name: github.com/pkg/sftp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 3 years ago
dependabot[bot] b7b7d21514 go.mod: bump github.com/frankban/quicktest from 1.13.0 to 1.13.1 
Bumps [github.com/frankban/quicktest](https://github.com/frankban/quicktest) from 1.13.0 to 1.13.1.
- [Release notes](https://github.com/frankban/quicktest/releases)
- [Commits](https://github.com/frankban/quicktest/compare/v1.13.0...v1.13.1)

---
updated-dependencies:
- dependency-name: github.com/frankban/quicktest
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 3 years ago
dependabot[bot] 46b59e8c48 go.mod: bump github.com/google/uuid from 1.1.2 to 1.3.0 
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.1.2 to 1.3.0.
- [Release notes](https://github.com/google/uuid/releases)
- [Commits](https://github.com/google/uuid/compare/v1.1.2...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/google/uuid
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 3 years ago
Brad Fitzpatrick b0481ba37a go.mod: bump x/tools 
Fixes #2912 (which had rebase issues)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
dependabot[bot] 9219ca49f5 go.mod: bump golang.zx2c4.com/wireguard/windows from 0.3.16 to 0.4.9 
Bumps golang.zx2c4.com/wireguard/windows from 0.3.16 to 0.4.9.

---
updated-dependencies:
- dependency-name: golang.zx2c4.com/wireguard/windows
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 3 years ago
dependabot[bot] c350321eec go.mod: bump github.com/gliderlabs/ssh from 0.3.2 to 0.3.3 
Bumps [github.com/gliderlabs/ssh](https://github.com/gliderlabs/ssh) from 0.3.2 to 0.3.3.
- [Release notes](https://github.com/gliderlabs/ssh/releases)
- [Commits](https://github.com/gliderlabs/ssh/compare/v0.3.2...v0.3.3)

---
updated-dependencies:
- dependency-name: github.com/gliderlabs/ssh
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 3 years ago
dependabot[bot] 2bb915dd0a go.mod: bump github.com/creack/pty from 1.1.9 to 1.1.15 
Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.9 to 1.1.15.
- [Release notes](https://github.com/creack/pty/releases)
- [Commits](https://github.com/creack/pty/compare/v1.1.9...v1.1.15)

---
updated-dependencies:
- dependency-name: github.com/creack/pty
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 3 years ago
dependabot[bot] aaea175dd0 go.mod: bump github.com/godbus/dbus/v5 from 5.0.4 to 5.0.5 
Bumps [github.com/godbus/dbus/v5](https://github.com/godbus/dbus) from 5.0.4 to 5.0.5.
- [Release notes](https://github.com/godbus/dbus/releases)
- [Commits](https://github.com/godbus/dbus/compare/v5.0.4...v5.0.5)

---
updated-dependencies:
- dependency-name: github.com/godbus/dbus/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 3 years ago
dependabot[bot] eeee713c69 go.mod: bump github.com/miekg/dns from 1.1.42 to 1.1.43 
Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.42 to 1.1.43.
- [Release notes](https://github.com/miekg/dns/releases)
- [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release)
- [Commits](https://github.com/miekg/dns/compare/v1.1.42...v1.1.43)

---
updated-dependencies:
- dependency-name: github.com/miekg/dns
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 3 years ago
dependabot[bot] dbce536316 go.mod: bump github.com/pkg/sftp from 1.13.0 to 1.13.3 
Bumps [github.com/pkg/sftp](https://github.com/pkg/sftp) from 1.13.0 to 1.13.3.
- [Release notes](https://github.com/pkg/sftp/releases)
- [Commits](https://github.com/pkg/sftp/compare/v1.13.0...v1.13.3)

---
updated-dependencies:
- dependency-name: github.com/pkg/sftp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 3 years ago
David Anderson 18086c4cb7 go.mod: bump github.com/klauspost/compress to 1.13.6 
Signed-off-by: David Anderson <danderson@tailscale.com>
 3 years ago
Josh Bleecher Snyder 865d8c0d23 cmd: upgrade to ffcli v3 
None of the breaking changes from v2 to v3 are relevant to us.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
David Crawshaw b2a3d1da13 tstest/integration/vms: use fork of goexpect to avoid proto/grpc dep 
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
 3 years ago
David Anderson b96159e820 go.mod: update github.com/ulikunitz/xz for https://github.com/advisories/GHSA-25xm-hr59-7c27 
Our code is not vulnerable to the issue in question: it only happens in the decompression
path for untrusted inputs, and we only use xz as part of mkpkg, which is write-only
and operates on trusted build system outputs to construct deb and rpm packages.

Still, it's nice to keep the dependabot dashboard clean.

Signed-off-by: David Anderson <danderson@tailscale.com>
 3 years ago
Brad Fitzpatrick db3586cd43 go.mod: upgrade staticcheck 
It was crashing on a PR of mine and this fixes it.
 3 years ago
Matt Layher 8ab44b339e net/tstun: use unix.Ifreq type for Linux TAP interface configuration 
Signed-off-by: Matt Layher <mdlayher@gmail.com>
 3 years ago
Brad Fitzpatrick a729070252 net/tstun: add start of Linux TAP support, with DHCP+ARP server 
Still very much a prototype (hard-coded IPs, etc) but should be
non-invasive enough to submit at this point and iterate from here.

Updates #2589

Co-Author: David Crawshaw <crawshaw@tailscale.com>
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Brad Fitzpatrick fdc081c291 net/portmapper: fix UPnP probing, work against all ports 
Prior to Tailscale 1.12 it detected UPnP on any port.
Starting with Tailscale 1.11.x, it stopped detecting UPnP on all ports.

Then start plumbing its discovered Location header port number to the
code that was assuming port 5000.

Fixes #2109

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Aaron Bieber c179b9b535 cmd/tsshd: switch from github.com/kr/pty to github.com/creack/pty 
The kr/pty module moved to creack/pty per the kr/pty README[1].

creack/pty brings in support for a number of OS/arch combos that
are lacking in kr/pty.

Run `go mod tidy` while here.

[1] https://github.com/kr/pty/blob/master/README.md

Signed-off-by: Aaron Bieber <aaron@bolddaemon.com>
 3 years ago
Brad Fitzpatrick aaf2df7ab1 net/{dnscache,interfaces}: use netaddr.IP.IsPrivate, delete copied code 
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Christine Dodrill 798b0da470
tstest/integration/vms: codegen for top level tests (#2441) 
This moves the distribution definitions into a maintainable hujson file
instead of just existing as constants in `distros.go`. Comments are
maintained from the inline definitions.

This uses jennifer[1] for hygenic source tree creation. This allows us
to generate a unique top-level test for each VM run. This should
hopefully help make the output of `go test` easier to read.

This also separates each test out into its own top-level test so that we
can better track the time that each distro takes. I really wish there
was a way to have the `test_codegen.go` file _always_ run as a part of
the compile process instead of having to rely on people remembering to
run `go generate`, but I am limited by my tools.

This will let us remove the `-distro-regex` flag and use `go test -run`
to pick which distros are run.

Signed-off-by: Christine Dodrill <xe@tailscale.com>
 3 years ago
julianknodt 1bb6abc604 net/portmapper: add upnp port mapping 
Add in UPnP portmapping, using goupnp library in order to get the UPnP client and run the
portmapping functions. This rips out anywhere where UPnP used to be in portmapping, and has a
flow separate from PMP and PCP.

RELNOTE=portmapper now supports UPnP mappings

Fixes #682
Updates #2109

Signed-off-by: julianknodt <julianknodt@gmail.com>
 3 years ago
Brad Fitzpatrick 1cedd944cf cmd/tailscale/cli: diagnose missing tailscaled on 'up' 
Fixes #2029

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Brad Fitzpatrick 1072397375 go.mod: bump wireguard/windows to a version that still exists 
Fixes #2381

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Brad Fitzpatrick 38be964c2b go.mod: update netstack 
Fixes a atomic alignment crash on 32-bit machines.

Fixes #2129
Fixes tailscale/tailscale-synology#66 (same)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Matt Layher 6956645ec8 go.mod: bump github.com/mdlayher/netlink to v1.4.1 
Signed-off-by: Matt Layher <mdlayher@gmail.com>
 3 years ago
Christine Dodrill 622dc7b093
tstest/integration/vms: download images from s3 (#2035) 
This makes integration tests pull pristine VM images from Amazon S3 if
they don't exist on disk. If the S3 fetch fails, it will fall back to
grabbing the image from the public internet. The VM images on the public
internet are known to be updated without warning and thusly change their
SHA256 checksum. This is not ideal for a test that we want to be able to
fire and forget, then run reliably for a very long time.

This requires an AWS profile to be configured at the default path. The
S3 bucket is rigged so that the requester pays. The VM images are
currently about 6.9 gigabytes. Please keep this in mind when running
these tests on your machine.

Documentation was added to the integration test folder to aid others in
running these tests on their machine.

Some wording in the logs of the tests was altered.

Updates #1988

Signed-off-by: Christine Dodrill <xe@tailscale.com>
 3 years ago
Brad Fitzpatrick a321c24667 go.mod: update netaddr 
Involves minor IPSetBuilder.Set API change.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Christine Dodrill 14c1113d2b
tstest/integration/vms: copy locally built binaries (#2006) 
Instead of pulling packages from pkgs.tailscale.com, we should use the
tailscale binaries that are local to this git commit. This exposes a bit
of the integration testing stack in order to copy the binaries
correctly.

This commit also bumps our version of github.com/pkg/sftp to the latest
commit.

If you run into trouble with yaml, be sure to check out the
commented-out alpine linux image complete with instructions on how to
use it.

Updates #1988

Signed-off-by: Christine Dodrill <xe@tailscale.com>
 3 years ago
Adrian Dewhurst 6d6cf88d82 control/controlclient: use our fork of certstore 
The cyolosecurity fork of certstore did not update its module name and
thus can only be used with a replace directive. This interferes with
installing using `go install` so I created a tailscale fork with an
updated module name.

Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
 3 years ago
Christine Dodrill ba59c0391b
tstest/integration: add experimental integration test (#1966) 
This will spin up a few vms and then try and make them connect to a
testcontrol server.

Updates #1988

Signed-off-by: Christine Dodrill <xe@tailscale.com>
 3 years ago
Josh Bleecher Snyder 1ece91cede go.mod: upgrade wireguard-windows, de-fork wireguard-go 
Pull in the latest version of wireguard-windows.

Switch to upstream wireguard-go.
This requires reverting all of our import paths.

Unfortunately, this has to happen at the same time.
The wireguard-go change is very low risk,
as that commit matches our fork almost exactly.
(The only changes are import paths, CI files, and a go.mod entry.)
So if there are issues as a result of this commit,
the first place to look is wireguard-windows changes.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Brad Fitzpatrick a86a0361a7 go.mod: upgrade all deps 
At the start of a dev cycle we'll upgrade all dependencies.

Done with:

$ for Dep in $(cat go.mod | perl -ne '/(\S+) v/ and print "$1\n"'); do go get $Dep@upgrade; done

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Josh Bleecher Snyder 8bf2a38f29 go.mod: update wireguard-go, taking control over iOS memory usage from our fork 
Our wireguard-go fork used different values from upstream for
package device's memory limits on iOS.

This was the last blocker to removing our fork.

These values are now vars rather than consts for iOS.

c27ff9b9f6

Adjust them on startup to our preferred values.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Josh Bleecher Snyder eb9757a290 go.mod: upgrade netaddr to get AppendTo methods 
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
David Anderson 85df1b0fa7 go.mod: bump wireguard-go. 
Signed-off-by: David Anderson <danderson@tailscale.com>
 3 years ago
Josh Bleecher Snyder 25df067dd0 all: adapt to opaque netaddr types 
This commit is a mishmash of automated edits using gofmt:

gofmt -r 'netaddr.IPPort{IP: a, Port: b} -> netaddr.IPPortFrom(a, b)' -w .
gofmt -r 'netaddr.IPPrefix{IP: a, Port: b} -> netaddr.IPPrefixFrom(a, b)' -w .

gofmt -r 'a.IP.Is4 -> a.IP().Is4' -w .
gofmt -r 'a.IP.As16 -> a.IP().As16' -w .
gofmt -r 'a.IP.Is6 -> a.IP().Is6' -w .
gofmt -r 'a.IP.As4 -> a.IP().As4' -w .
gofmt -r 'a.IP.String -> a.IP().String' -w .

And regexps:

\w*(.*)\.Port = (.*)  ->  $1 = $1.WithPort($2)
\w*(.*)\.IP = (.*)  ->  $1 = $1.WithIP($2)

And lots of manual fixups.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Josh Bleecher Snyder cb97062bac go.mod: bump inet.af/netaddr 
For IPPort.MarshalText optimizations.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Brad Fitzpatrick d82b28ba73 go.mod: bump wireguard-go 3 years ago
Josh Bleecher Snyder c0a70f3a06 go.mod: pull in wintun alignment fix from upstream wireguard-go 
6cd106ab13...030c638da3

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Maisem Ali 7027fa06c3 wf: implement windows firewall using inet.af/wf. 
Signed-off-by: Maisem Ali <maisem@tailscale.com>
 3 years ago
Brad Fitzpatrick 3173c5a65c net/interface: remove darwin fetchRoutingTable workaround 
Fixed upstream. Bump dep.

Updates #1345

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Josh Bleecher Snyder 96ef8d34ef ipn/ipnlocal: switch from testify to quicktest 
Per discussion, we want to have only one test assertion library,
and we want to start by exploring quicktest.

This was a mostly mechanical translation.
I think we could make this nicer by defining a few helper
closures at the beginning of the test. Later.

Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>
 3 years ago
David Anderson bf5fc8edda go.mod: update wireguard-go. 
Signed-off-by: David Anderson <danderson@tailscale.com>
 3 years ago
Josh Bleecher Snyder ae36b57b71 go.mod: upgrade wireguard-go 
This should be the last bump before 1.8.

Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>
 3 years ago
Brad Fitzpatrick 8efc7834f2 go.mod: bump wireguard-go 
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Brad Fitzpatrick 5ecc7c7200 cmd/tailscale: make the new 'up' errors prettier and more helpful 
Fixes #1746

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Josh Bleecher Snyder f72a120016 go.mod: upgrade to latest wireguard-go 
Pull in minor upstream changes.

Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>
 3 years ago
Josh Bleecher Snyder 7183e1f052 go.mod: update wireguard-go again 
To pick up https://go-review.googlesource.com/c/sys/+/307129.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Josh Bleecher Snyder 63c00764e1 go.mod: update to latest wireguard-go and x/sys 
To fix windows checkptr failures.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Josh Bleecher Snyder b3ceca1dd7 wgengine/...: split into multiple receive functions 
Upstream wireguard-go has changed its receive model.
NewDevice now accepts a conn.Bind interface.

The conn.Bind is stateless; magicsock.Conns are stateful.
To work around this, we add a connBind type that supports
cheap teardown and bring-up, backed by a Conn.

The new conn.Bind allows us to specify a set of receive functions,
rather than having to shoehorn everything into ReceiveIPv4 and ReceiveIPv6.
This lets us plumbing DERP messages directly into wireguard-go,
instead of having to mux them via ReceiveIPv4.

One consequence of the new conn.Bind layer is that
closing the wireguard-go device is now indistinguishable
from the routine bring-up and tear-down normally experienced
by a conn.Bind. We thus have to explicitly close the magicsock.Conn
when the close the wireguard-go device.

One downside of this change is that we are reliant on wireguard-go
to call receiveDERP to process DERP messages. This is fine for now,
but is perhaps something we should fix in the future.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Josh Bleecher Snyder 1df162b05b wgengine/magicsock: adapt CreateEndpoint signature to match wireguard-go 
Part of a temporary change to make merging wireguard-go easier.
See https://github.com/tailscale/wireguard-go/pull/45.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Brad Fitzpatrick 47363c95b0 go.mod: bump wireguard-go 3 years ago
Brad Fitzpatrick a7be780155 go.mod, go.sum: bump wireguard-go 3 years ago
David Anderson 95ca86c048 go.mod: update to new wireguard-go version. 
Signed-off-by: David Anderson <danderson@tailscale.com>
 3 years ago
Adrian Dewhurst 04dd6d1dae
control/controlclient: sign RegisterRequest (#1549) 
control/controlclient: sign RegisterRequest

Some customers wish to verify eligibility for devices to join their
tailnets using machine identity certificates. TLS client certs could
potentially fulfill this role but the initial customer for this feature
has technical requirements that prevent their use. Instead, the
certificate is loaded from the Windows local machine certificate store
and uses its RSA public key to sign the RegisterRequest message.

There is room to improve the flexibility of this feature in future and
it is currently only tested on Windows (although Darwin theoretically
works too), but this offers a reasonable starting place for now.

Updates tailscale/coral#6

Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
 3 years ago
Josh Bleecher Snyder 28af46fb3b wgengine: pass logger as a separate arg to device.NewDevice 
Adapt to minor API changes in wireguard-go.
And factor out device.DeviceOptions variables.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Josh Bleecher Snyder 79f02de55f go.sum: add entries for upstream wireguard-go 
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Brad Fitzpatrick 0a02aaf813 control, ipn, tailcfg: remove golang.org/x/oauth2 dep, add tailcfg.Oauth2Token 
golang.org/x/oauth2 pulls in App Engine and grpc module dependencies,
screwing up builds that depend on this module.

Some background on the problem:
https://go.googlesource.com/proposal/+/master/design/36460-lazy-module-loading.md

Fixes tailscale/corp#1471

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Brad Fitzpatrick aa79a57f63 wgengine/netstack: use inet.af/netstack, remove 64-bit only limitation 
This reverts the revert commit 84aba349d9.

And changes us to use inet.af/netstack.

Updates #1518

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Brad Fitzpatrick a217078f67 go.mod: update golang.org/x/oauth2 
go.sum gets a bit wild, but tolerable.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Brad Fitzpatrick ec1b31ea83 go.mod: update golang.org/x/{crypto,sync,sys,term,time} 
These ones don't have large dependency trees.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Brad Fitzpatrick a4fa2c5611 go.mod, go.sum: go mod tidy 
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
David Anderson 84aba349d9 Revert "wgengine/netstack: update gvisor to remove 64-bit only limitation" 
Breaks our corp repo due to gRPC dependency hell.

This reverts commit d42f8b7f9a.
 3 years ago
Brad Fitzpatrick d42f8b7f9a wgengine/netstack: update gvisor to remove 64-bit only limitation 
gVisor fixed their google/gvisor#1446 so we can include gVisor mode
on 32-bit machines.

A few minor upstream API changes, as normal.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Denton Gentry 6756f20632 go.mod: update peercred 
Adds FreeBSD support.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
 3 years ago
David Anderson b83c273737 wgengine/filter: use IPSet for localNets instead of prefixes. 
Part of #1177, preparing for doing fancier set operations on
the allowed local nets.

Signed-off-by: David Anderson <danderson@tailscale.com>
 3 years ago
Matt Layher 2c500cee23 go.mod: bump github.com/mdlayher/netlink, github.com/jsimonetti/rtnetlink 
Signed-off-by: Matt Layher <mdlayher@gmail.com>
 3 years ago
Filippo Valsorda 39f7a61e9c tstest/staticcheck: import the main package to fix "go mod tidy" 
Importing the non-main package was missing some dependencies that
"go mod tidy" would then cleanup. Also added a non-ignore build tag to
avoid other tools getting upset about importing a main package.

Signed-off-by: Filippo Valsorda <hi@filippo.io>
 3 years ago
Filippo Valsorda 87f2e4c12c go.mod: bump github.com/kr/pty to build on openbsd/arm64 
$ GOOS=openbsd GOARCH=arm64 go install tailscale.com/cmd/...@latest
pkg/mod/github.com/kr/pty@v1.1.4-0.20190131011033-7dc38fb350b1/pty_openbsd.go:24:10: undefined: ptmget
pkg/mod/github.com/kr/pty@v1.1.4-0.20190131011033-7dc38fb350b1/pty_openbsd.go:25:34: undefined: ioctl_PTMGET

"go mod tidy" did some unrelated work in go.sum, maybe because it was
not run with Go 1.16 before.

Signed-off-by: Filippo Valsorda <hi@filippo.io>
 3 years ago
Brad Fitzpatrick d3efe8caf6 safesocket, ipn/ipnserver: look up peer creds on Darwin 
And open up socket permissions like Linux, now that we know who
connections are from.

This uses the new inet.af/peercred that supports Linux and Darwin at
the moment.

Fixes #1347
Fixes #1348

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Josh Bleecher Snyder 11bbfbd8bb go.mod: update to latest wireguard-go 
All changes are trivial.
 3 years ago
Josh Bleecher Snyder 1f0fa8b814 go.mod: pull in upstream wireguard-go bug fixes 3 years ago
Josh Bleecher Snyder 4a82e36491 go.mod: bump to latest wireguard-go 
Stabilization and performance improvements.
 3 years ago
Josh Bleecher Snyder aa6856a9eb wgengine: adapt to wireguard-go changes 
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Josh Bleecher Snyder dd10babaed wgenginer/magicsock: remove Addrs methods 
They are now unused.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Josh Bleecher Snyder fe7c3e9c17 all: move wgcfg from wireguard-go 
This is mostly code movement from the wireguard-go repo.

Most of the new wgcfg package corresponds to the wireguard-go wgcfg package.

wgengine/wgcfg/device{_test}.go was device/config{_test}.go.
There were substantive but simple changes to device_test.go to remove
internal package device references.

The API of device.Config (now wgcfg.DeviceConfig) grew an error return;
we previously logged the error and threw it away.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Brad Fitzpatrick daf2c70a08 go.mod: bump wireguard-go 3 years ago
Brad Fitzpatrick c78ed5b399 go.sum: update (forgotten after earlier wireguard-go update again) 3 years ago
Brad Fitzpatrick 3ac952d4e9 go.sum: update 3 years ago
Brad Fitzpatrick b00c0e5f60 go.sum: update 3 years ago
Brad Fitzpatrick f85769b1ed wgengine/magicsock: drop netaddr.IPPort cache 
netaddr.IP no longer allocates, so don't need a cache or all its associated
code/complexity.

This totally removes groupcache/lru from the deps.

Also go mod tidy.
 3 years ago
Naman Sood f69e46175d
wengine/netstack: bump gvisor to latest version 
* wengine/netstack: bump gvisor to latest version

Signed-off-by: Naman Sood <naman@tailscale.com>

* update dependencies

Signed-off-by: Naman Sood <naman@tailscale.com>

* Don't change hardcoded IP

Signed-off-by: Naman Sood <naman@tailscale.com>
 3 years ago
Brad Fitzpatrick 5aa5db89d6 cmd/tailscaled, wgengine/netstack: add start of gvisor userspace netstack work 
Not usefully functional yet (mostly a proof of concept), but getting
it submitted for some work @namansood is going to do atop this.

Updates #707
Updates #634
Updates #48
Updates #835
 3 years ago
Brad Fitzpatrick a4cc31e7d8 go.sum: update 3 years ago
David Anderson 8fc11d582d go.sum: update to match wireguard-go version update. 
Signed-off-by: David Anderson <dave@natulte.net>
 3 years ago
David Anderson 86fe22a1b1 Update netaddr, and adjust wgengine/magicsock due to API change. 
Signed-off-by: David Anderson <danderson@tailscale.com>
 3 years ago
Josh Bleecher Snyder 56a7652dc9 wgkey: new package 
This is a replacement for the key-related parts
of the wireguard-go wgcfg package.

This is almost a straight copy/paste from the wgcfg package.
I have slightly changed some of the exported functions and types
to avoid stutter, added and tweaked some comments,
and removed some now-unused code.

To avoid having wireguard-go depend on this new package,
wgcfg will keep its key types.

We translate into and out of those types at the last minute.
These few remaining uses will be eliminated alongside
the rest of the wgcfg package.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Brad Fitzpatrick c2edb2865b go.sum: update 3 years ago
Josh Bleecher Snyder cf2ac2d123 go.mod: upgrade inet.af/netaddr 
To pick up IPPrefix.Contains fix.
 3 years ago
Josh Bleecher Snyder 2fe770ed72 all: replace wgcfg.IP and wgcfg.CIDR with netaddr types 
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Matt Layher bfbd6b9241 go.mod: bump github.com/mdlayher/netlink to v1.2.0 
Signed-off-by: Matt Layher <mdlayher@gmail.com>
 3 years ago
Brad Fitzpatrick d0baece5fa go.mod: bump inet.af/netaddr to non-allocating version 3 years ago
Brad Fitzpatrick 90c8519765 go.sum: update 3 years ago
David Anderson f5e33ad761 go.mod: update inet.af/netaddr, go mod tidy. 
Signed-off-by: David Anderson <danderson@tailscale.com>
 3 years ago
Brad Fitzpatrick fa412c8760 wgengine/filter, wgengine/magicsock: use new IP.BitLen to simplify some code 3 years ago
Brad Fitzpatrick afcf134812 wgengine/filter, tailcfg: support CIDRs+ranges in PacketFilter (mapver 7) 
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 years ago
Christine Dodrill 2485faf69a
Merge branch 'main' into report-status-systemd 3 years ago
Christine Dodrill 7ea809897d ipn/ipnserver: enable systemd-notify support 
Addresses #964

Still to be done:
- Figure out the correct logging lines in util/systemd
- Figure out if we need to slip the systemd.Status function anywhere
  else
- Log util/systemd errors? (most of the errors are of the "you cannot do
  anything about this, but it might be a bad idea to crash the program if
  it errors" kind)

Assistance in getting this over the finish line would help a lot.

Signed-off-by: Christine Dodrill <me@christine.website>

util/systemd: rename the nonlinux file to appease the magic

Signed-off-by: Christine Dodrill <me@christine.website>

util/systemd: fix package name

Signed-off-by: Christine Dodrill <me@christine.website>

util/systemd: fix review feedback from @mdlayher

Signed-off-by: Christine Dodrill <me@christine.website>

cmd/tailscale{,d}: update depaware manifests

Signed-off-by: Christine Dodrill <me@christine.website>

util/systemd: use sync.Once instead of func init

Signed-off-by: Christine Dodrill <me@christine.website>

control/controlclient: minor review feedback fixes

Signed-off-by: Christine Dodrill <me@christine.website>

{control,ipn,systemd}: fix review feedback

Signed-off-by: Christine Dodrill <me@christine.website>

review feedback fixes

Signed-off-by: Christine Dodrill <me@christine.website>

ipn: fix sprintf call

Signed-off-by: Christine Dodrill <me@christine.website>

ipn: make staticcheck less sad

Signed-off-by: Christine Dodrill <me@christine.website>

ipn: print IP address in connected status

Signed-off-by: Christine Dodrill <me@christine.website>

ipn: review feedback

Signed-off-by: Christine Dodrill <me@christine.website>

final fixups

Signed-off-by: Christine Dodrill <me@christine.website>
 3 years ago
Josh Bleecher Snyder ce4d68b416 go.mod: upgrade depaware version 
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Josh Bleecher Snyder a6cad71fb2 go.mod: upgrade staticcheck to 0.1.0 
Also run go.mod and fix some staticcheck warnings.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 3 years ago
Josh Bleecher Snyder 6db9c4a173 wgenginer/router/dns: use constant from golang.org/x/sys/windows 
Made available in https://golang.org/cl/277153
 3 years ago
Aleksandar Pesic 338fd44657 Replace registry-access code, update wireguard-go and x/sys/windows. 
Signed-off-by: Aleksandar Pesic <peske.nis@gmail.com>
 3 years ago
Brad Fitzpatrick bce865b61b logpolicy: migrate from x/crypto/ssh/terminal to x/term 3 years ago
Brad Fitzpatrick 9cb6ee3777 go.mod, go.sum: update 3 years ago
Brad Fitzpatrick 19c2c6403d Update go.sum 3 years ago
Josh Bleecher Snyder aa9d7f4665 tstime: add Parse3339B, for byte slices 
Use go4.org/mem for memory safety.
A slight performance hit, but a huge performance win
for clients who start with a []byte.
The perf hit is due largely to the MapHash call, which adds ~25ns.
That is necessary to keep the fast path allocation-free.

name                     old time/op    new time/op    delta
GoParse3339/Z-8             281ns ± 1%     283ns ± 2%     ~     (p=0.366 n=9+9)
GoParse3339/TZ-8            509ns ± 0%     510ns ± 1%     ~     (p=0.059 n=9+9)
GoParse3339InLocation-8     330ns ± 1%     330ns ± 0%     ~     (p=0.802 n=10+6)
Parse3339/Z-8              69.3ns ± 1%    74.4ns ± 1%   +7.45%  (p=0.000 n=9+10)
Parse3339/TZ-8              110ns ± 1%     140ns ± 3%  +27.42%  (p=0.000 n=9+10)
ParseInt-8                 8.20ns ± 1%    8.17ns ± 1%     ~     (p=0.452 n=9+9)

name                     old alloc/op   new alloc/op   delta
GoParse3339/Z-8             0.00B          0.00B          ~     (all equal)
GoParse3339/TZ-8             160B ± 0%      160B ± 0%     ~     (all equal)
GoParse3339InLocation-8     0.00B          0.00B          ~     (all equal)
Parse3339/Z-8               0.00B          0.00B          ~     (all equal)
Parse3339/TZ-8              0.00B          0.00B          ~     (all equal)

name                     old allocs/op  new allocs/op  delta
GoParse3339/Z-8              0.00           0.00          ~     (all equal)
GoParse3339/TZ-8             3.00 ± 0%      3.00 ± 0%     ~     (all equal)
GoParse3339InLocation-8      0.00           0.00          ~     (all equal)
Parse3339/Z-8                0.00           0.00          ~     (all equal)
Parse3339/TZ-8               0.00           0.00          ~     (all equal)


Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 4 years ago
Brad Fitzpatrick 7a01cd27ca net/netstat: remove some unsafe 
Just removing any unnecessary unsafe while auditing unsafe usage for #921.
 4 years ago
Brad Fitzpatrick cccdd81441 go.mod: update some deps to get past a wireguard-windows checkptr fix 4 years ago
David Anderson ce45f4f3ff wgengine/filter: inline ip6InList into match. 
matchIPsOnly gets 5% slower when inlining, despite significantly reduced
memory ops and slightly tighter code.

Part of #19.

Filter/tcp6_syn_in-8     45.5ns ± 1%    42.4ns ± 2%   -6.86%  (p=0.000 n=10+10)
Filter/udp6_in-8          107ns ± 2%      94ns ± 2%  -11.50%  (p=0.000 n=9+10)

Signed-off-by: David Anderson <danderson@tailscale.com>
 4 years ago
chungdaniel e7ac9a4b90
tsweb: refactor JSONHandler to take status code from error if it is present (#905) 
This change is to make JSONHandler error handling intuitive, as before there would be two sources of HTTP status code when HTTPErrors were generated: one as the first return value of the handler function, and one nested inside the HTTPError. Previously, it took the first return value as the status code, and ignored the code inside the HTTPError. Now, it should expect the first return value to be 0 if there is an error, and it takes the status code of the HTTPError to set as the response code.

Signed-off-by: Daniel Chung <daniel@tailscale.com>
 4 years ago
Brad Fitzpatrick f33da73a82 go.sum: update 4 years ago
Brad Fitzpatrick 371f1a9502 go.sum: add a missing entry that Go keeps adding 4 years ago
Alex Brainman f2ce64f0c6 wgengine/router: unfork winipcfg-go package, use upstream 
Use golang.zx2c4.com/wireguard/windows/tunnel/winipcfg
instead of github.com/tailscale/winipcfg-go package.

Updates #760

Signed-off-by: Alex Brainman <alex.brainman@gmail.com>
 4 years ago
Avery Pennarun 6332bc5e08 controlclient: print http errors if result code != 200. 
Turns out for the particular error I was chasing, it actually returns
200 and zero data. But this code mirrors the same check in the map
poll, and is the right thing to do in the name of future debugging.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
 4 years ago
Josh Bleecher Snyder a5103a4cae all: upgrade to latest version of depaware 4 years ago
Brad Fitzpatrick 94a68a113b go.sum: tidy 4 years ago
Brad Fitzpatrick ec95e901e6 go.sum: update 4 years ago
Brad Fitzpatrick 56a787fff8 go.mod, go.sum: bump wireguard-go 4 years ago
Christina Wen f0e9dcdc0a
wgengine/router: restore /etc/resolv.conf after tailscale down is called 
This change is to restore /etc/resolv.conf after tailscale down is called. This is done by setting the dns.Manager before errors occur. Error collection is also added.

Fixes #723
 4 years ago
Brad Fitzpatrick 3aeb2e204c go.mod: bump github.com/tailscale/winipcfg-go for some Windows fixes 4 years ago
Josh Bleecher Snyder 3f4d93feb2 go.mod: bump depaware to get diffs out of -check, again 
I had to use

go get -u github.com/tailscale/depaware@e09ee10c18249e4bf198e66bbd47babcd502637a

to force it to the correct version; it kept selecting head~1.

Maybe because the branch is called main instead of master?
Maybe because of some delay?
 4 years ago
Josh Bleecher Snyder 41f6c78c53 go.mod: bump depaware to get diffs out of -check 4 years ago
Brad Fitzpatrick 158202dbb1 go mod tidy 4 years ago
Brad Fitzpatrick 22ed3c503e
Add depaware.txt files and GitHub checks. (#745) 
See https://github.com/tailscale/depaware

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 4 years ago
Brad Fitzpatrick 82a3721661 go.sum: update 4 years ago
Brad Fitzpatrick f915ab6552 net/tshttpproxy: add start of Kerberos Negotiate auth to proxies on Windows 
For now only used by a new cmd/tailscale debug --get-url
subcommand. Not yet wired up to the places making HTTP requests.

Updates tailscale/corp#583
 4 years ago
Brad Fitzpatrick c5eb57f4d6 net/tshttpproxy: new package, support WPAD/PAC proxies on Windows 
Updates tailscale/corp#553

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 4 years ago
David Anderson 1b5b59231b derp: break down received packets by kind (disco vs. wireguard). 
Signed-off-by: David Anderson <danderson@tailscale.com>
 4 years ago
Brad Fitzpatrick 87cbc067c2 cmd/tailscale/cli: validate advertised routes' IP address-vs-network bits 
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 4 years ago
Brad Fitzpatrick b840e7dd5b go mod tidy 4 years ago
Josh Bleecher Snyder 1b27eb431a go.mod: update to newly rebased wireguard-go 4 years ago
Brad Fitzpatrick 84f2320972 go.sum: update 4 years ago
Brad Fitzpatrick 43e2efe441 go mod tidy 4 years ago
Brad Fitzpatrick 648268192b go.mod: bump wireguard-go 4 years ago
Brad Fitzpatrick 7cf50f6c84 go.sum: update 4 years ago
Dmytro Shynkevych 3efc29d39d
go.mod: bump netaddr. 
Closes #567.

Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
 4 years ago
Brad Fitzpatrick cdfea347d0 wgengine: update for tailscale/wireguard-go API changes 
* update to new HandshakeDone signature
* use new Device.IpcGetOperationFiltered call to avoid sending allowed_ips

See dd6c1c8fe1
 4 years ago
Dmytro Shynkevych 30bbbe9467
wgengine/router: dns: unify on *BSD, multimode on Linux, Magic DNS (#536) 
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
 4 years ago
Brad Fitzpatrick 6c74065053 wgengine/magicsock, tstest/natlab: start hooking up natlab to magicsock 
Also adds ephemeral port support to natlab.

Work in progress.

Pairing with @danderson.
 4 years ago
Brad Fitzpatrick edcbb5394e go.sum: update 4 years ago
Dmytro Shynkevych 21d1dbfce0 wgengine/tsdns: local DNS server for testing 
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
 4 years ago
Dmytro Shynkevych 67ebba90e1
tsdns: dual resolution mode, IPv6 support (#526) 
This change adds to tsdns the ability to delegate lookups to upstream nameservers.
This is crucial for setting Magic DNS as the system resolver.

Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
 4 years ago
Brad Fitzpatrick 32156330a8 net/interfaces: add func LikelyHomeRouterIP 
For discovering where we might direct NAT-PMP/PCP/UPnP queries at in
the future.
 4 years ago