tailscale

Commit Graph

Author	SHA1	Message	Date
Andrea Gottardo	b65221999c	tailcfg,net/dns: add controlknob to disable battery split DNS on iOS (#12346 ) Updates corp#15802. Adds the ability for control to disable the recently added change that uses split DNS in more cases on iOS. This will allow us to disable the feature if it leads to regression in production. We plan to remove this knob once we've verified that the feature works properly. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	3 days ago
Irbe Krumina	82576190a7	tailcfg,cmd/k8s-operator: moves tailscale.com/cap/kubernetes peer cap to tailcfg (#12235 ) This is done in preparation for adding kubectl session recording rules to this capability grant that will need to be unmarshalled by control, so will also need to be in a shared location. Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 days ago
Andrew Dunham	36d0ac6f8e	tailcfg: use strings.CutPrefix for CheckTag; add test Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I42eddc7547a6dd50c4d5b2a9fc88a19aac9767aa	1 week ago
Percy Wegmann	08a9551a73	ssh/tailssh: fall back to using su when no TTY available on Linux This allows pam authentication to run for ssh sessions, triggering automation like pam_mkhomedir. Updates #11854 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 weeks ago
Maisem Ali	9a64c06a20	all: do not depend on the testing package Discovered while looking for something else. Updates tailscale/corp#18935 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 weeks ago
Brad Fitzpatrick	1384c24e41	control/controlclient: delete unused Client.Login Oauth2Token field Updates #12172 (then need to update other repos) Change-Id: I439f65e0119b09e00da2ef5c7a4f002f93558578 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Maisem Ali	482890b9ed	tailcfg: bump capver for using NodeAttrUserDialUseRoutes for DNS Missed in `f62e678df8`. Updates tailscale/corp#18725 Updates #4529 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 month ago
Maisem Ali	af97e7a793	tailcfg,all: add/plumb Node.IsJailed This adds a new bool that can be sent down from control to do jailing on the client side. Previously this would only be done from control by modifying the packet filter we sent down to clients. This would result in a lot of additional work/CPU on control, we could instead just do this on the client. This has always been a TODO which we keep putting off, might as well do it now. Updates tailscale/corp#19623 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 month ago
Nick Khyl	f62e678df8	net/dns/resolver, control/controlknobs, tailcfg: use UserDial instead of SystemDial to dial DNS servers Now that tsdial.Dialer.UserDial has been updated to honor the configured routes and dial external network addresses without going through Tailscale, while also being able to dial a node/subnet router on the tailnet, we can start using UserDial to forward DNS requests. This is primarily needed for DNS over TCP when forwarding requests to internal DNS servers, but we also update getKnownDoHClientForProvider to use it. Updates tailscale/corp#18725 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 month ago
Andrew Lytvynov	c28f5767bf	various: implement stateful firewalling on Linux (#12025 ) Updates https://github.com/tailscale/corp/issues/19623 Change-Id: I7980e1fb736e234e66fa000d488066466c96ec85 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Co-authored-by: Andrew Dunham <andrew@du.nham.ca>	1 month ago
Nick Khyl	caa3d7594f	ipn/ipnlocal, net/tsdial: plumb routes into tsdial and use them in UserDial We'd like to use tsdial.Dialer.UserDial instead of SystemDial for DNS over TCP. This is primarily necessary to properly dial internal DNS servers accessible over Tailscale and subnet routes. However, to avoid issues when switching between Wi-Fi and cellular, we need to ensure that we don't retain connections to any external addresses on the old interface. Therefore, we need to determine which dialer to use internally based on the configured routes. This plumbs routes and localRoutes from router.Config to tsdial.Dialer, and updates UserDial to use either the peer dialer or the system dialer, depending on the network address and the configured routes. Updates tailscale/corp#18725 Fixes #4529 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 month ago
Brad Fitzpatrick	c3c18027c6	all: make more tests pass/skip in airplane mode Updates tailscale/corp#19786 Change-Id: Iedc6730fe91c627b556bff5325bdbaf7bf79d8e6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Claire Wang	5254f6de06	tailcfg: add suggest exit node UI node attribute (#11918 ) Add node attribute to determine whether or not to show suggested exit node in UI. Updates tailscale/corp#19515 Signed-off-by: Claire Wang <claire@tailscale.com>	1 month ago
Fran Bull	1bd1b387b2	appc: add flag shouldStoreRoutes and controlknob for it When an app connector is reconfigured and domains to route are removed, we would like to no longer advertise routes that were discovered for those domains. In order to do this we plan to store which routes were discovered for which domains. Add a controlknob so that we can enable/disable the new behavior. Updates #11008 Signed-off-by: Fran Bull <fran@tailscale.com>	1 month ago
Claire Wang	d5fc52a0f5	tailcfg: add auto exit node attribute (#11871 ) Updates tailscale/corp#19515 Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Percy Wegmann	955ad12489	ipn/ipnlocal: only show Taildrive peers to which ACLs grant us access This improves convenience and security. * Convenience - no need to see nodes that can't share anything with you. * Security - malicious nodes can't expose shares to peers that aren't allowed to access their shares. Updates tailscale/corp#19432 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Brad Fitzpatrick	c39cde79d2	tailcfg: remove some unused fields from RegisterResponseAuth Fixes #19334 Change-Id: Id6463f28af23078a7bc25b9280c99d4491bd9651 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	05bfa022f2	tailcfg: pointerify RegisterRequest.Auth, omitemptify RegisterResponseAuth We were storing server-side lots of: "Auth":{"Provider":"","LoginName":"","Oauth2Token":null,"AuthKey":""}, That was about 7% of our total storage of pending RegisterRequest bodies. Updates tailscale/corp#19327 Change-Id: Ib73842759a2b303ff5fe4c052a76baea0d68ae7d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Claire Wang	c24f2eee34	tailcfg: rename exit node destination network flow log node attribute (#11779 ) Updates tailscale/corp#18625 Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Brad Fitzpatrick	7c1d6e35a5	all: use Go 1.22 range-over-int Updates #11058 Change-Id: I35e7ef9b90e83cac04ca93fd964ad00ed5b48430 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Adrian Dewhurst	ca5cb41b43	tailcfg: document use of CapMap for peers Updates tailscale/corp#17516 Updates #11508 Change-Id: Iad2dafb38ffb9948bc2f3dfaf9c268f7d772cf56 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	2 months ago
Claire Wang	976d3c7b5f	tailcfg: add exit destination for network flow logs node attribute (#11698 ) Updates tailscale/corp#18625 Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Charlotte Brandhorst-Satzkorn	98cf71cd73	tailscale: switch tailfs to drive syntax for api and logs (#11625 ) This change switches the api to /drive, rather than the previous /tailfs as well as updates the log lines to reflect the new value. It also cleans up some existing tailfs references. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Charlotte Brandhorst-Satzkorn	93618a3518	tailscale: update tailfs functions and vars to use drive naming (#11597 ) This change updates all tailfs functions and the majority of the tailfs variables to use the new drive naming. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Charlotte Brandhorst-Satzkorn	14683371ee	tailscale: update tailfs file and package names (#11590 ) This change updates the tailfs file and package names to their new naming convention. Updates #tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Brad Fitzpatrick	a36cfb4d3d	tailcfg, ipn/ipnlocal, wgengine/magicsock: add only-tcp-443 node attr Updates tailscale/corp#17879 Change-Id: I0dc305d147b76c409cf729b599a94fa723aef0e0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	7b34154df2	all: deprecate Node.Capabilities (more), remove PeerChange.Capabilities [capver 89] First we had Capabilities []string. Then https://tailscale.com/blog/acl-grants (#4217) brought CapMap, a superset of Capabilities. Except we never really finished the transition inside the codebase to go all-in on CapMap. This does so. Notably, this coverts Capabilities on the wire early to CapMap internally so the code can only deal in CapMap, even against an old control server. In the process, this removes PeerChange.Capabilities support, which no known control plane sent anyway. They can and should use PeerChange.CapMap instead. Updates #11508 Updates #4217 Change-Id: I872074e226b873f9a578d9603897b831d50b25d9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	20e9f3369d	control/controlclient: send load balancing hint HTTP request header Updates tailscale/corp#1297 Change-Id: I0b102081e81dfc1261f4b05521ab248a2e4a1298 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Mario Minardi	e0886ad167	ipn/ipnlocal, tailcfg: add disable-web-client node attribute (#11418 ) Add a disable-web-client node attribute and add handling for disabling the web client when this node attribute is set. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	3 months ago
Claire Wang	74e33b9c50	tailcfg: bump CapabilityVersion (#11368 ) bump version for adding NodeAttrSuggestExitNode remove extra s from NodeAttrSuggestExitNode Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>	3 months ago
Claire Wang	d610f8eec0	tailcfg: add suggest exit node related node attribute (#11329 ) Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>	3 months ago
Claire Wang	352c1ac96c	tailcfg: add latitude, longitude for node location (#11162 ) Updates tailscale/corp#17590 Signed-off-by: Claire Wang <claire@tailscale.com>	3 months ago
Percy Wegmann	50fb8b9123	tailfs: replace webdavfs with reverse proxies Instead of modeling remote WebDAV servers as actual webdav.FS instances, we now just proxy traffic to them. This not only simplifies the code, but it also allows WebDAV locking to work correctly by making sure locks are handled by the servers that need to (i.e. the ones actually serving the files). Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Brad Fitzpatrick	10d130b845	cmd/derper, derp, tailcfg: add admission controller URL option So derpers can check an external URL for whether to permit access to a certain public key. Updates tailscale/corp#17693 Change-Id: I8594de58f54a08be3e2dbef8bcd1ff9b728ab297 Co-authored-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Maisem Ali	370ecb4654	tailcfg: remove UserProfile.Groups Removing as per go/group-all-the-things. Updates tailscale/corp#17445 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 months ago
Percy Wegmann	ddcffaef7a	tailfs: disable TailFSForLocal via policy Adds support for node attribute tailfs:access. If this attribute is not present, Tailscale will not accept connections to the local TailFS server at 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Percy Wegmann	abab0d4197	tailfs: clean up naming and package structure - Restyles tailfs -> tailFS - Defines interfaces for main TailFS types - Moves implemenatation of TailFS into tailfsimpl package Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Percy Wegmann	993acf4475	tailfs: initial implementation Add a WebDAV-based folder sharing mechanism that is exposed to local clients at 100.100.100.100:8080 and to remote peers via a new peerapi endpoint at /v0/tailfs. Add the ability to manage folder sharing via the new 'share' CLI sub-command. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Joe Tsai	94a4f701c2	all: use reflect.TypeFor now available in Go 1.22 (#11078 ) Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	4 months ago
Brad Fitzpatrick	2bd3c1474b	util/cmpx: delete now that we're using Go 1.22 Updates #11058 Change-Id: I09dea8e86f03ec148b715efca339eab8b1f0f644 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Jordan Whited	8b47322acc	wgengine/magicsock: implement probing of UDP path lifetime (#10844 ) This commit implements probing of UDP path lifetime on the tail end of an active direct connection. Probing configuration has two parts - Cliffs, which are various timeout cliffs of interest, and CycleCanStartEvery, which limits how often a probing cycle can start, per-endpoint. Initially a statically defined default configuration will be used. The default configuration has cliffs of 10s, 30s, and 60s, with a CycleCanStartEvery of 24h. Probing results are communicated via clientmetric counters. Probing is off by default, and can be enabled via control knob. Probing is purely informational and does not yet drive any magicsock behaviors. Updates #540 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Sonia Appasamy	331a6d105f	client/web: add initial types for using peer capabilities Sets up peer capability types for future use within the web client views and APIs. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	5 months ago
James 'zofrex' Sanderson	124dc10261	controlclient,tailcfg,types: expose MaxKeyDuration via localapi (#10401 ) Updates tailscale/corp#16016 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	5 months ago
James 'zofrex' Sanderson	10c595d962	ipn/ipnlocal: refresh node key without blocking if cap enabled (#10529 ) Updates tailscale/corp#16016 Signed-off-by: James Sanderson <jsanderson@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com>	5 months ago
Andrew Lytvynov	1302bd1181	all: cleanup unused code, part 1 (#10661 ) Run `staticcheck` with `U1000` to find unused code. This cleans up about a half of it. I'll do the other half separately to keep PRs manageable. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	6 months ago
Andrew Lytvynov	945cf836ee	ipn: apply tailnet-wide default for auto-updates (#10508 ) When auto-update setting in local Prefs is unset, apply the tailnet default value from control. This only happens once, when we apply the default (or when the user manually overrides it), tailnet default no longer affects the node. Updates #16244 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	6 months ago
Naman Sood	650c67a0a1	tailcfg: bump CapabilityVersion for Linux netfilter NodeAttrs and c2n endpoint Updates tailscale/corp#14029. Signed-off-by: Naman Sood <mail@nsood.in>	6 months ago
Naman Sood	0a59754eda	linuxfw,wgengine/route,ipn: add c2n and nodeattrs to control linux netfilter Updates tailscale/corp#14029. Signed-off-by: Naman Sood <mail@nsood.in>	6 months ago
Brad Fitzpatrick	fb829ea7f1	control/controlclient: support incremental packet filter updates [capver 81] Updates #10299 Change-Id: I87e4235c668a1db7de7ef1abc743f0beecb86d3d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	cca27ef96a	ipn/ipnlocal: add c2n method to check on TLS cert fetch status So the control plane can delete TXT records more aggressively after client's done with ACME fetch. Updates tailscale/corp#15848 Change-Id: I4f1140305bee11ee3eee93d4fec3aef2bd6c5a7e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago

1 2 3 4 5 ...

458 Commits (main)