tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	e6983baa73	cmd/tailscale/cli: fix macOS crash reading envknob in init (#11667 ) And add a test. Regression from `a5e1f7d703` Fixes tailscale/corp#19036 Change-Id: If90984049af0a4820c96e1f77ddf2fce8cb3043f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Chloé Vulquin	0f3a292ebd	cli/configure: respect $KUBECONFIG (#11604 ) cmd/tailscale/cli: respect $KUBECONFIG * `$KUBECONFIG` is a `$PATH`-like: it defines a list. `tailscale config kubeconfig` works like the rest of the ecosystem so that if $KUBECONFIG is set it will write to the first existant file in the list, if none exist then the final entry in the list. * if `$KUBECONFIG` is an empty string, the old logic takes over. Notes: * The logic for file detection is inlined based on what `kind` does. Technically it's a race condition, since the file could be removed/added in between the processing steps, but the fallout shouldn't be too bad. https://github.com/kubernetes-sigs/kind/blob/v0.23.0-alpha/pkg/cluster/internal/kubeconfig/internal/kubeconfig/paths.go * The sandboxed (App Store) variant relies on a specific temporary entitlement to access the ~/.kube/config file. The entitlement is only granted to specific files, and so is not applicable to paths supplied by the user at runtime. While there may be other ways to achieve this access to arbitrary kubeconfig files, it's out of scope for now. Updates #11645 Signed-off-by: Chloé Vulquin <code@toast.bunkerlabs.net>	3 weeks ago
Brad Fitzpatrick	c71e8db058	cmd/tailscale/cli: stop spamming os.Stdout/os.Stderr in tests After: bradfitz@book1pro tailscale.com % ./tool/go test -c ./cmd/tailscale/cli bradfitz@book1pro tailscale.com % ./cli.test bradfitz@book1pro tailscale.com % Before: bradfitz@book1pro tailscale.com % ./tool/go test -c ./cmd/tailscale/cli bradfitz@book1pro tailscale.com % ./cli.test Warning: funnel=on for foo.test.ts.net:443, but no serve config run: `tailscale serve --help` to see how to configure handlers Warning: funnel=on for foo.test.ts.net:443, but no serve config run: `tailscale serve --help` to see how to configure handlers USAGE funnel <serve-port> {on\|off} funnel status [--json] Funnel allows you to publish a 'tailscale serve' server publicly, open to the entire internet. Turning off Funnel only turns off serving to the internet. It does not affect serving to your tailnet. SUBCOMMANDS status show current serve/funnel status error: path must be absolute error: invalid TCP source "localhost:5432": missing port in address error: invalid TCP source "tcp://somehost:5432" must be one of: localhost or 127.0.0.1 tcp://somehost:5432error: invalid TCP source "tcp://somehost:0" must be one of: localhost or 127.0.0.1 tcp://somehost:0error: invalid TCP source "tcp://somehost:65536" must be one of: localhost or 127.0.0.1 tcp://somehost:65536error: path must be absolute error: cannot serve web; already serving TCP You don't have permission to enable this feature. This also moves the color handling up to a generic spot so it's not just one subcommand doing it itself. See https://github.com/tailscale/tailscale/issues/11626#issuecomment-2041795129 Fixes #11643 Updates #11626 Change-Id: I3a49e659dcbce491f4a2cb784be20bab53f72303 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Anton Tolchanov	5336362e64	prober: export probe class and metrics from bandwidth prober - Wrap each prober function into a probe class that allows associating metric labels and custom metrics with a given probe; - Make sure all existing probe classes set a `class` metric label; - Move bandwidth probe size from being a metric label to a separate gauge metric; this will make it possible to use it to calculate average used bandwidth using a PromQL query; - Also export transfer time for the bandwidth prober (more accurate than the total probe time, since it excludes connection establishment time). Updates tailscale/corp#17912 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	3 weeks ago
Anton Tolchanov	21671ca374	prober: remove unused notification code Signed-off-by: Anton Tolchanov <anton@tailscale.com>	3 weeks ago
Brad Fitzpatrick	b0fbd85592	net/tsdial: partially fix "tailscale nc" (UserDial) on macOS At least in the case of dialing a Tailscale IP. Updates #4529 Change-Id: I9fd667d088a14aec4a56e23aabc2b1ffddafa3fe Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Brad Fitzpatrick	a5e1f7d703	ipn/{ipnlocal,localapi}: add API to toggle use of exit node This is primarily for GUIs, so they don't need to remember the most recently used exit node themselves. This adds some CLI commands, but they're disabled and behind the WIP envknob, as we need to consider naming (on/off is ambiguous with running an exit node, etc) as well as automatic exit node selection in the future. For now the CLI commands are effectively developer debug things to test the LocalAPI. Updates tailscale/corp#18724 Change-Id: I9a32b00e3ffbf5b29bfdcad996a4296b5e37be7e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Maisem Ali	3f4c5daa15	wgengine/netstack: remove SubnetRouterWrapper It was used when we only supported subnet routers on linux and would nil out the SubnetRoutes slice as no other router worked with it, but now we support subnet routers on ~all platforms. The field it was setting to nil is now only used for network logging and nowhere else, so keep the field but drop the SubnetRouterWrapper as it's not useful. Updates #cleanup Change-Id: Id03f9b6ec33e47ad643e7b66e07911945f25db79 Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 weeks ago
alexelisenko	fe22032fb3	net/dns/{publicdns,resolver}: add start of Control D support Updates #7946 [@bradfitz fixed up version of #8417] Change-Id: I1dbf6fa8d525b25c0d7ad5c559a7f937c3cd142a Signed-off-by: alexelisenko <39712468+alexelisenko@users.noreply.github.com> Signed-off-by: Alex Paguis <alex@windscribe.com>	3 weeks ago
Brad Fitzpatrick	aa084a29c6	ipn/ipnlocal: name the unlockOnce type, plumb more, add Unlock method This names the func() that Once-unlocked LocalBackend.mu. It does so both for docs and because it can then have a method: Unlock, for the few points that need to explicitly unlock early (the cause of all this mess). This makes those ugly points easy to find, and also can then make them stricter, panicking if the mutex is already unlocked. So a normal call to the func just once-releases the mutex, returning false if it's already done, but the Unlock method is the strict one. Then this uses it more, so most the b.mu.Unlock calls remaining are simple cases and usually defers. Updates #11649 Change-Id: Ia070db66c54a55e59d2f76fdc26316abf0dd4627 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	5e7c0b025c	ipn/ipnlocal: add some "lockedOnEntry" helpers + guardrails, fix bug A number of methods in LocalBackend (with suffixed "LockedOnEntry") require b.mu be held but unlock it on the way out. That's asymmetric and atypical and error prone. This adds a helper method to LocalBackend that locks the mutex and returns a sync.OnceFunc that unlocks the mutex. Then we pass around that unlocker func down the chain to make it explicit (and somewhat type check the passing of ownership) but also let the caller defer unlock it, in the case of errors/panics that happen before the callee gets around to calling the unlock. This revealed a latent bug in LocalBackend.DeleteProfile which double unlocked the mutex. Updates #11649 Change-Id: I002f77567973bd77b8906bfa4ec9a2049b89836a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Flakes Updater	efb710d0e5	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	4 weeks ago
Brad Fitzpatrick	38377c37b5	ipn/localapi: sort localapi handler map keys Updates #cleanup Change-Id: I750ed8d033954f1f8786fb35dd16895bb1c5af8e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Maisem Ali	21b32b467e	tsweb: handle panics in retHandler We would have incomplete stats and missing logs in cases of panics. Updates tailscale/corp#18687 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 weeks ago
Brad Fitzpatrick	ac2522092d	cmd/tailscale/cli: make exit-node list not random The output was changing randomly per run, due to range over a map. Then some misc style tweaks I noticed while debugging. Fixes #11629 Change-Id: I67aef0e68566994e5744d4828002f6eb70810ee1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
James Tucker	6e334e64a1	net/netcheck,wgengine/magicsock: align DERP frame receive time heuristics The netcheck package and the magicksock package coordinate via the health package, but both sides have time based heuristics through indirect dependencies. These were misaligned, so the implemented heuristic aimed at reducing DERP moves while there is active traffic were non-operational about 3/5ths of the time. It is problematic to setup a good test for this integration presently, so instead I added comment breadcrumbs along with the initial fix. Updates #8603 Signed-off-by: James Tucker <james@tailscale.com>	4 weeks ago
Irbe Krumina	1fbaf26106	util/linuxfw: fix chain comparison (#11639 ) Don't compare pointer fields by pointer value, but by the actual value Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 weeks ago
Charlotte Brandhorst-Satzkorn	8c75da27fc	drive: move normalizeShareName into pkg drive and make func public (#11638 ) This change makes the normalizeShareName function public, so it can be used for validation in control. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	4 weeks ago
Will Morrison	306bacc669	cmd/tailscale/cli: Add CLI command to update certs on Synology devices. Fixes #4674 Signed-off-by: Will Morrison <william.barr.morrison@gmail.com>	4 weeks ago
Brad Fitzpatrick	9699bb0a20	metrics: fix outdated docs on MultiLabelMap And make NewMultiLabelMap panic earlier (at construction time) if the comparable struct type T violates the documented rules, rather than panicking at Add time. Updates #cleanup Change-Id: Ib1a03babdd501b8d699c4f18b1097a56c916c6d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Joonas Kuorilehto	fe0cfec4ad	wgengine/router: enable ip forwarding on gokrazy Only on Gokrazy, set sysctls to enable IP forwarding so subnet routing and advertised exit node works. Fixes #11405 Signed-off-by: Joonas Kuorilehto <joneskoo@derbian.fi>	4 weeks ago
Joe Tsai	4bbac72868	util/truncate: support []byte as well (#11614 ) There are no mutations to the input, so we can support both ~string and ~[]byte just fine. Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	4 weeks ago
Charlotte Brandhorst-Satzkorn	98cf71cd73	tailscale: switch tailfs to drive syntax for api and logs (#11625 ) This change switches the api to /drive, rather than the previous /tailfs as well as updates the log lines to reflect the new value. It also cleans up some existing tailfs references. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	4 weeks ago
Percy Wegmann	853e3e29a0	wgengine/router: provide explicit hook to signal Android when VPN needs to be reconfigured This allows clients to avoid establishing their VPN multiple times when both routes and DNS are changing in rapid succession. Updates tailscale/corp#18928 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 weeks ago
Joe Tsai	1a38d2a3b4	util/zstdframe: support specifying a MaxWindowSize (#11595 ) Specifying a smaller window size during compression provides a knob to tweak the tradeoff between memory usage and the compression ratio. Updates tailscale/corp#18514 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	4 weeks ago
Andrew Dunham	7d7d159824	prober: support creating multiple probes in ForEachAddr So that we can e.g. check TLS on multiple ports for a given IP. Updates tailscale/corp#16367 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I81d840a4c88138de1cbb2032b917741c009470e6	4 weeks ago
Andrew Dunham	ac574d875c	prober: add helper function to check all IPs for a DNS hostname This allows us to check all IP addresses (and address families) for a given DNS hostname while dynamically discovering new IPs and removing old ones as they're no longer valid. Also add a testable example that demonstrates how to use it. Alternative to #11610 Updates tailscale/corp#16367 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I6d6f39bafc30e6dfcf6708185d09faee2a374599	4 weeks ago
Brad Fitzpatrick	8d7894c68e	clientupdate, net/dns: fix some "tailsacle" typos Updates #cleanup Change-Id: I982175e74b0c8c5b3e01a573e5785e6596b7ac39 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	92d3f64e95	go.toolchain.rev: bump to Go 1.22.2 Update tailscale/corp#18893 Change-Id: I4c04f5153ad43429d7f510c9ac2194c3b2fbc6c1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Charlotte Brandhorst-Satzkorn	93618a3518	tailscale: update tailfs functions and vars to use drive naming (#11597 ) This change updates all tailfs functions and the majority of the tailfs variables to use the new drive naming. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	4 weeks ago
Brad Fitzpatrick	2409661a0d	control/controlclient: delete old naclbox code, require ts2021 Noise Updates #11585 Updates tailscale/corp#18882 Change-Id: I90e2e4a211c58d429e2b128604614dde18986442 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	b9611461e5	ipn/ipnlocal: q-encode (RFC 2047) Tailscale serve header values Updates #11603 RELNOTE=Tailscale serve headers are now RFC 2047 Q-encoded Change-Id: I1314b65ecf5d39a5a601676346ec2c334fdef042 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Claire Wang	262fa8a01e	ipn/ipnlocal: populate peers' capabilities (#11365 ) Populates capabilties field of peers in ipn status. Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>	4 weeks ago
James Tucker	9eaa56df93	tsweb: update doc on BucketedStatsOptions.Finish to match behavior I originally came to update this to match the documented behavior, but the code is deliberately avoiding this behavior currently, making it hard to decide how to update this. For now just align the documentation to the behavior. Updates #cleanup Signed-off-by: James Tucker <james@tailscale.com>	4 weeks ago
Charlotte Brandhorst-Satzkorn	14683371ee	tailscale: update tailfs file and package names (#11590 ) This change updates the tailfs file and package names to their new naming convention. Updates #tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	4 weeks ago
Brad Fitzpatrick	1c259100b0	cmd/{derper,derpprobe}: add --version flag Fixes #11582 Change-Id: If99fc1ab6b89d624fbb07bd104dd882d2c7b50b4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Patrick O'Doherty	1535d0feca	safeweb: move http.Serve for HTTP redirects into lib (#11592 ) Refactor the interaction between caller/library when establishing the HTTP to HTTPS redirects by moving the call to http.Serve into safeweb. This makes linting for other uses of http.Serve easier without having to account for false positives created by the old interface. Updates https://github.com/tailscale/corp/issues/8027 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	4 weeks ago
James Tucker	f384742375	net/packet: allow more ICMP errors We now allow some more ICMP errors to flow, specifically: - ICMP parameter problem in both IPv4 and IPv6 (corrupt headers) - ICMP Packet Too Big (for IPv6 PMTU) Updates #311 Updates #8102 Updates #11002 Signed-off-by: James Tucker <james@tailscale.com>	4 weeks ago
Irbe Krumina	92ca770b8d	util/linuxfw: fix MSS clamping in nftables mode (#11588 ) MSS clamping for nftables was mostly not ran due to to an earlier rule in the FORWARD chain issuing accept verdict. This commit places the clamping rule into a chain of its own to ensure that it gets ran. Updates tailscale/tailscale#11002 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 weeks ago
Kyle Carberry	27038ee3c2	hostinfo: cache device model to speed up init This was causing a relatively consistent ~10ms of delay on Linux. Signed-off-by: Kyle Carberry <kyle@carberry.com>	4 weeks ago
Brad Fitzpatrick	ec87e219ae	logtail: delete unused code from old way to configure zstd Updates #cleanup Change-Id: I666ecf08ea67e461adf2a3f4daa9d1753b2dc1e4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Joe Tsai	e2586bc674	logtail: always zstd compress with FastestCompression and LowMemory (#11583 ) This is based on empirical testing using actual logs data. FastestCompression only incurs a marginal <1% compression ratio hit for a 2.25x reduction in memory use for small payloads (which are common if log uploads happen at a decently high frequency). The memory savings for large payloads is much lower (less than 1.1x reduction). LowMemory only incurs a marginal <5% hit on performance for a 1.6-2.0x reduction in memory use for small or large payloads. The memory gains for both settings justifies the loss of benefits, which are arguably minimal. tailscale/corp#18514 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 month ago
James Tucker	7558a1d594	ipn/ipnlocal: disable sockstats on (unstable) mobile by default We're tracking down a new instance of memory usage, and excessive memory usage from sockstats is definitely not going to help with debugging, so disable it by default on mobile. Updates tailscale/corp#18514 Signed-off-by: James Tucker <james@tailscale.com>	1 month ago
Asutorufa	e20ce7bf0c	net/dns: close ctx when close dns directManager Signed-off-by: Asutorufa <16442314+Asutorufa@users.noreply.github.com>	1 month ago
Will Norris	1d2af801fa	.github/workflows: remove go-licenses action This is now handled by an action running in corp. Updates tailscale/corp#18803 Signed-off-by: Will Norris <will@tailscale.com>	1 month ago
License Updater	e80b99cdd1	licenses: update license notices Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	1 month ago
Andrew Lytvynov	5aa4cfad06	safeweb: detect mux handler conflicts (#11562 ) When both muxes match, and one of them is a wildcard "/" pattern (which is common in browser muxes), choose the more specific pattern. If both are non-wildcard matches, there is a pattern overlap, so return an error. Updates https://github.com/tailscale/corp/issues/8027 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 month ago
Brad Fitzpatrick	e7599c1f7e	logtail: prevent js/wasm clients from picking TLS client cert Corp details: https://github.com/tailscale/corp/issues/18177#issuecomment-2026598715 https://github.com/tailscale/corp/pull/18775#issuecomment-2027505036 Updates tailscale/corp#18177 Change-Id: I7c03a4884540b8519e0996088d085af77991f477 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Irbe Krumina	5fb721d4ad	util/linuxfw,wgengine/router: skip IPv6 firewall configuration in partial iptables mode (#11546 ) We have hosts that support IPv6, but not IPv6 firewall configuration in iptables mode. We also have hosts that have some support for IPv6 firewall configuration in iptables mode, but do not have iptables filter table. We should: - configure ip rules for all hosts that support IPv6 - only configure firewall rules in iptables mode if the host has iptables filter table. Updates tailscale/tailscale#11540 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 month ago
Patrick O'Doherty	af61179c2f	safeweb: add opt-in inline style CSP toggle (#11551 ) Allow the use of inline styles with safeweb via an opt-in configuration item. This will append `style-src "self" "unsafe-inline"` to the default CSP. The `style-src` directive will be used in lieu of the fallback `default-src "self"` directive. Updates tailscale/corp#8027 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	1 month ago

... 2 3 4 5 6 ...

7517 Commits (main) All Branches Search

7517 Commits (main)

All Branches