tailscale

Commit Graph

Author	SHA1	Message	Date
Maisem Ali	1f51bb6891	net/tstun: do SNAT after filterPacketOutboundToWireGuard In a configuration where the local node (ip1) has a different IP (ip2) that it uses to communicate with a peer (ip3) we would do UDP flow tracking on the `ip2->ip3` tuple. When we receive the response from the peer `ip3->ip2` we would dnat it back to `ip3->ip1` which would then not match the flow track state and the packet would get dropped. To fix this, we should do flow tracking on the `ip1->ip3` tuple instead of `ip2->ip3` which requires doing SNAT after the running filterPacketOutboundToWireGuard. Updates tailscale/corp#19971, tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 weeks ago
Maisem Ali	af97e7a793	tailcfg,all: add/plumb Node.IsJailed This adds a new bool that can be sent down from control to do jailing on the client side. Previously this would only be done from control by modifying the packet filter we sent down to clients. This would result in a lot of additional work/CPU on control, we could instead just do this on the client. This has always been a TODO which we keep putting off, might as well do it now. Updates tailscale/corp#19623 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 weeks ago
Maisem Ali	e67069550b	ipn/ipnlocal,net/tstun,wgengine: create and plumb jailed packet filter This plumbs a packet filter for jailed nodes through to the tstun.Wrapper; the filter for a jailed node is equivalent to a "shields up" filter. Currently a no-op as there is no way for control to tell the client whether a peer is jailed. Updates tailscale/corp#19623 Co-authored-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Maisem Ali <maisem@tailscale.com> Change-Id: I5ccc5f00e197fde15dd567485b2a99d8254391ad	4 weeks ago
Maisem Ali	5ef178fdca	net/tstun: refactor peerConfig to allow storing more details This refactors the peerConfig struct to allow storing more details about a peer and not just the masq addresses. To be used in a follow up change. As a side effect, this also makes the DNAT logic on the inbound packet stricter. Previously it would only match against the packets dst IP, not it also takes the src IP into consideration. The beahvior is at parity with the SNAT case. Updates tailscale/corp#19623 Co-authored-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Maisem Ali <maisem@tailscale.com> Change-Id: I5f40802bebbf0f055436eb8824e4511d0052772d	4 weeks ago
Andrew Dunham	be663c84c1	net/tstun: rename natConfig to peerConfig So that we can use this for additional, non-NAT configuration without it being confusing. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I1658d59c9824217917a94ee76d2d08f0a682986f	1 month ago
Andrew Dunham	10497acc95	net/tstun: refactor natConfig to not be per-family This was a holdover from the older, pre-BART days and is no longer necessary. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I71b892bab1898077767b9ff51cef33d59c08faf8	1 month ago
Percy Wegmann	8b8b315258	net/tstun: use gaissmai/bart instead of tempfork/device This implementation uses less memory than tempfork/device, which helps avoid OOM conditions in the iOS VPN extension when switching to a Tailnet with ExitNode routing enabled. Updates tailscale/corp#18514 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Andrew Dunham	62cf83eb92	go.mod: bump gvisor The `stack.PacketBufferPtr` type no longer exists; replace it with `*stack.PacketBuffer` instead. Updates #8043 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib56ceff09166a042aa3d9b80f50b2aa2d34b3683	3 months ago
Andrew Dunham	3dd8ae2f26	net/tstun: fix spelling of "WireGuard" Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ida7e30f4689bc18f5f7502f53a0adb5ac3c7981a	3 months ago
Andrew Lytvynov	2716250ee8	all: cleanup unused code, part 2 (#10670 ) And enable U1000 check in staticcheck. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Maisem Ali	5297bd2cff	cmd/tailscaled,net/tstun: fix data race on start-up in TUN mode Fixes #7894 Change-Id: Ice3f8019405714dd69d02bc07694f3872bb598b8 Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Maisem Ali	9d96e05267	net/packet: split off checksum munging into different pkg The current structure meant that we were embedding netstack in the tailscale CLI and in the GUIs. This removes that by isolating the checksum munging to a different pkg which is only called from `net/tstun`. Fixes #9756 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Maisem Ali	78a083e144	types/ipproto: drop IPProto from IPProtoVersion Based on https://github.com/golang/go/wiki/CodeReviewComments#package-names. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Tom DNetto	da1b917575	net/tstun: finish wiring IPv6 NAT support Updates https://github.com/tailscale/corp/issues/11202 Updates ENG-991 Signed-off-by: Tom DNetto <tom@tailscale.com>	8 months ago
Maisem Ali	3056a98bbd	net/tstun: add better logging of natV4Config It might as well have been spewing out gibberish. This adds a nicer output format for us to be able to read and identify whats going on. Sample output ``` natV4Config{nativeAddr: 100.83.114.95, listenAddrs: [10.32.80.33], dstMasqAddrs: [10.32.80.33: 407 peers]} ``` Fixes tailscale/corp#14650 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Tom DNetto	c08cf2a9c6	all: declare & plumb IPv6 masquerade address for peer This PR plumbs through awareness of an IPv6 SNAT/masquerade address from the wire protocol through to the low-level (tstun / wgengine). This PR is the first in two PRs for implementing IPv6 NAT support to/from peers. A subsequent PR will implement the data-plane changes to implement IPv6 NAT - this is just plumbing. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates ENG-991	9 months ago
Brad Fitzpatrick	dc7aa98b76	all: use set.Set consistently instead of map[T]struct{} I didn't clean up the more idiomatic map[T]bool with true values, at least yet. I just converted the relatively awkward struct{}-valued maps. Updates #cleanup Change-Id: I758abebd2bb1f64bc7a9d0f25c32298f4679c14f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	e8551d6b40	all: use Go 1.21 slices, maps instead of x/exp/{slices,maps} Updates #8419 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Maisem Ali	3ae7140690	net/tstun: handle exit nodes in NAT configs In the case where the exit node requires SNAT, we would SNAT all traffic not just the traffic meant to go through the exit node. This was a result of the default route being added to the routing table which would match basically everything. In this case, we need to account for all peers in the routing table not just the ones that require NAT. Fix and add a test. Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Dunham	04a3118d45	net/tstun: add tests for captureHook Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I630f852d9f16c951c721b34f2bc4128e68fe9475	1 year ago
Maisem Ali	64bbf1738e	tailcfg: make SelfNodeV4MasqAddrForThisPeer a pointer This makes `omitempty` actually work, and saves bytes in each map response. Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Tom DNetto	6a627e5a33	net, wgengine/capture: encode NAT addresses in pcap stream Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Maisem Ali	985535aebc	net/tstun,wgengine/*: add support for NAT to routes This adds support to make exit nodes and subnet routers work when in scenarios where NAT is required. It also updates the NATConfig to be generated from a `wgcfg.Config` as that handles merging prefs with the netmap, so it has the required information about whether an exit node is already configured and whether routes are accepted. Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	d2fd101eb4	net/tstun: only log natConfig on changes Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	0bf8c8e710	net/tstun: use p.Buffer() in more places Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	bb31fd7d1c	net/tstun: add inital support for NAT v4 This adds support in tstun to utitilize the SelfNodeV4MasqAddrForThisPeer and perform the necessary modifications to the packet as it passes through tstun. Currently this only handles ICMP, UDP and TCP traffic. Subnet routers and Exit Nodes are also unsupported. Updates tailscale/corp#8020 Co-authored-by: Melanie Warrick <warrick@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	535fad16f8	net/tstun: rename filterIn/filterOut methods to be more descriptive Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Tom DNetto	2ca6dd1f1d	wgengine: start logging DISCO frames to pcap stream Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Tom DNetto	99b9d7a621	all: implement pcap streaming for datapath debugging Updates: tailscale/corp#8470 Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Will Norris	71029cea2d	all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
andig	14e8afe444	go.mod, etc: bump gvisor Fixes #6554 Change-Id: Ia04ae37a47b67fa57091c9bfe1d45a1842589aa8 Signed-off-by: andig <cpuidle@gmx.de>	1 year ago
Jordan Whited	55b24009f7	net/tstun: don't return early from a partial tun.Read() (#6745 ) Fixes #6730 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 year ago
Jordan Whited	ea5ee6f87c	all: update golang.zx2c4.com/wireguard to github.com/tailscale/wireguard-go (#6692 ) This is temporary while we work to upstream performance work in https://github.com/WireGuard/wireguard-go/pull/64. A replace directive is less ideal as it breaks dependent code without duplication of the directive. Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 years ago
Maisem Ali	eb1adf629f	net/tstun: reuse buffered packet from pool We would call parsedPacketPool.Get() for all packets received in Read/Write. This was wasteful and not necessary, fetch a single *packet.Parsed for all packets. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Jordan Whited	76389d8baf	net/tstun, wgengine/magicsock: enable vectorized I/O on Linux (#6663 ) This commit updates the wireguard-go dependency and implements the necessary changes to the tun.Device and conn.Bind implementations to support passing vectors of packets in tailscaled. This significantly improves throughput performance on Linux. Updates #414 Signed-off-by: Jordan Whited <jordan@tailscale.com> Signed-off-by: James Tucker <james@tailscale.com> Co-authored-by: James Tucker <james@tailscale.com>	2 years ago
Joe Tsai	2e5d08ec4f	net/connstats: invert network logging data flow (#6272 ) Previously, tstun.Wrapper and magicsock.Conn managed their own statistics data structure and relied on an external call to Extract to extract (and reset) the statistics. This makes it difficult to ensure a maximum size on the statistics as the caller has no introspection into whether the number of unique connections is getting too large. Invert the control flow such that a connstats.Statistics is registered with tstun.Wrapper and magicsock.Conn. Methods on non-nil connstats.Statistics are called for every packet. This allows the implementation of connstats.Statistics (in the future) to better control when it needs to flush to ensure bounds on maximum sizes. The value registered into tstun.Wrapper and magicsock.Conn could be an interface, but that has two performance detriments: 1. Method calls on interface values are more expensive since they must go through a virtual method dispatch. 2. The implementation would need a sync.Mutex to protect the statistics value instead of using an atomic.Pointer. Given that methods on constats.Statistics are called for every packet, we want reduce the CPU cost on this hot path. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Brad Fitzpatrick	f4ff26f577	types/pad32: delete package Use Go 1.19's new 64-bit alignment ~hidden feature instead. Fixes #5356 Change-Id: Ifcbcb115875a7da01df3bc29e9e7feadce5bc956 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Joe Tsai	c21a3c4733	types/netlogtype: new package for network logging types (#6092 ) The netlog.Message type is useful to depend on from other packages, but doing so would transitively cause gvisor and other large packages to be linked in. Avoid this problem by moving all network logging types to a single package. We also update staticcheck to take in: `003d277bcf` Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	1b4e4cc1e8	wgengine/netlog: new package for traffic flow logging (#5864 ) The Logger type managers a logtail.Logger for extracting statistics from a tstun.Wrapper. So long as Shutdown is called, it ensures that logtail and statistic gathering resources are properly cleared up. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	84e8f25c21	net/tstun: rename statististics method (#5852 ) Rename StatisticsEnable as SetStatisticsEnabled to be consistent with other similarly named methods. Rename StatisticsExtract as ExtractStatistics to follow the convention where methods start with a verb. It was originally named with Statistics as a prefix so that statistics related methods would sort well in godoc, but that property no longer holds. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	24ebf161e8	net/tstun: instrument Wrapper with statistics gathering (#5847 ) If Wrapper.StatisticsEnable is enabled, then per-connection counters are maintained. If enabled, Wrapper.StatisticsExtract must be periodically called otherwise there is unbounded memory growth. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Josh Soref	d4811f11a0	all: fix spelling mistakes Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2 years ago
Maisem Ali	a9f6cd41fd	all: use syncs.AtomicValue Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	9bb5a038e5	all: use atomic.Pointer Also add some missing docs. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	a12aad6b47	all: convert more code to use net/netip directly perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.) perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. ) goimports -w . Then delete some stuff from the net/netaddr shim package which is no longer neeed. Updates #5162 Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7eaf5e509f	net/netaddr: start migrating to net/netip via new netaddr adapter package Updates #5162 Change-Id: Id7bdec303b25471f69d542f8ce43805328d56c12 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	9514ed33d2	go.mod: bump gvisor.dev/gvisor Pick up https://github.com/google/gvisor/pull/7787 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Mihai Parparita	86069874c9	net/tstun, wgengine: use correct type for counter metrics We were marking them as gauges, but they are only ever incremented, thus counter is more appropriate. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
James Tucker	f9e86e64b7	*: use WireGuard where logged, printed or named Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	ae483d3446	wgengine, net/packet, cmd/tailscale: add ICMP echo Updates tailscale/corp#754 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago

1 2

79 Commits (main)