Commit Graph

5214 Commits (01e736e1d5d9ed20b2df763dac0f99461c551c99)
 

Author SHA1 Message Date
Brad Fitzpatrick d5100e0910 net/connstats: mark TestConcurrent as flaky
Updates #7030

Change-Id: Ic46da5e5690b90b95028a68a3cf967ad86881e28
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick ba5aa2c486 version, cmd/tailscale: add version.Meta, tailscale version --json
Add `tailscale version --json` JSON output mode. This will be used
later for a double-opt-in (per node consent like Tailscale SSH +
control config) to let admins do remote upgrades via `tailscale
update` via a c2n call, which would then need to verify the
cmd/tailscale found on disk for running tailscale update corresponds
to the running tailscaled, refusing if anything looks amiss.

Plus JSON output modes are just nice to have, rather than parsing
unstable/fragile/obscure text formats.

Updates #6995
Updates #6907

Change-Id: I7821ab7fbea4612f4b9b7bdc1be1ad1095aca71b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick 5ca22a0068 cmd/tailscale/cli: make 'tailscale update' support Debian/Ubuntu apt
Updates #6995

Change-Id: I3355435db583755e0fc73d76347f6423b8939dfb
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
shayne 4471e403aa
ipn/ipnlocal: [serve] listen on all-interfaces for macOS sandboxed (#6771)
On macOS (AppStore and macsys), we need to bind to ""/all-interfaces
due to the network sandbox. Ideally we would only bind to the
Tailscale interface, but macOS errors out if we try to
to listen on privileged ports binding only to a specific
interface.

We also implement the lc.Control hook, same as we do for
peerapi. It doesn't solve our problem but it's better that
we do and would likely be required when Apple gets around to
fixing per-interface priviliged port binding.

Fixes: #6364

Signed-off-by: Shayne Sweeney <shayne@tailscale.com>
2 years ago
Brad Fitzpatrick 6793685bba go.mod: bump AWS SDK past a breaking API change of theirs
They changed a type in their SDK which meant others using the AWS APIs
in their Go programs (with newer AWS modules in their caller go.mod)
and then depending on Tailscale (for e.g. tsnet) then couldn't compile
ipn/store/awsstore.

Thanks to @thisisaaronland for bringing this up.

Fixes #7019

Change-Id: I8d2919183dabd6045a96120bb52940a9bb27193b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
shayne 73399f784b
cmd/tailscale/cli: use mock impl of LocalClient for serve cmd (#6422)
Create an interface and mock implementation of tailscale.LocalClient for
serve command tests.

Updates #6304
Closes #6372

Signed-off-by: Shayne Sweeney <shayne@tailscale.com>
2 years ago
Jordan Whited fec888581a
wgengine/magicsock: retry failed single packet ops across rebinds (#6990)
The single packet WriteTo() through RebindingUDPConn.WriteBatch() was
not checking for a rebind between loading the PacketConn and writing to
it. Same with ReadFrom()/ReadBatch().

Fixes #6989

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2 years ago
Brad Fitzpatrick 6edf357b96 all: start groundwork for using capver for localapi & peerapi
Updates #7015

Change-Id: I3d4c11b42a727a62eaac3262a879f29bb4ce82dd
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick c129bf1da1 cmd/tailscale/cli: un-alpha login+switch in ShortUsage docs
Change-Id: I580d4417cf03833dfa8f6a295fb416faa667c477
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick 71a7b8581d cmd/tailscale/cli: make "update" work on Windows
Updates #6995

Co-authored-by: Aaron Klotz <aaron@tailscale.com>
Change-Id: I16622f43156a70b6fbc8205239fd489d7378d57b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Andrew Dunham 4fb663fbd2 various: mark more tests as flaky
Updates #2855
Updates #3598
Updates #7008

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I2b849e04646456b9f0c8a01563f2add752f4b2a4
2 years ago
Andrew Dunham 58ad21b252 wgengine/netstack: fix data race in tests
This uses the helper function added in #6173 to avoid flakes like:
    https://github.com/tailscale/tailscale/actions/runs/3826912237/jobs/6511078024

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: If3f1d3b9c0f64ffcb4ba9a30d3522ec49484f993
2 years ago
Andrew Dunham dd7057682c tailcfg: bump capver for Node.Expired
Updates #6932

Change-Id: I96c2467fa49201eb3d8df5cb36486370f598928c
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
2 years ago
Andrew Dunham aea251d42a cmd/testwrapper: move from corp; mark magicsock test as flaky
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Ibab5860f5797b3db151d3c27855333e43a9088a4
2 years ago
Brad Fitzpatrick 2df38b1feb wgengine/magicsock: quiet log flood at tailscaled shutdown
When you hit control-C on a tailscaled (notably in dev mode, but
also on any systemctl stop/restart), there is a flood of messages like:

magicsock: doing cleanup for discovery key d:aa9c92321db0807f
magicsock: doing cleanup for discovery key d:bb0f16aacadbfd46
magicsock: doing cleanup for discovery key d:b5b2d386296536f2
magicsock: doing cleanup for discovery key d:3b640649f6796c91
magicsock: doing cleanup for discovery key d:71d7b1afbcce52cd
magicsock: doing cleanup for discovery key d:315b61d7e0111377
magicsock: doing cleanup for discovery key d:9301f63dce69bf45
magicsock: doing cleanup for discovery key d:376141884d6fe072
....

It can be hundreds or even tens of thousands.

So don't do that. Not a useful log message during shutdown.

Change-Id: I029a8510741023f740877df28adff778246c18e5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick 3addcacfe9 net/dns: fix recently added URL scheme from http to https
I typoed/brainoed in the earlier 3582628691

Change-Id: Ic198a6f9911f195d9da9fc5259b5784a4b15e5e3
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
salman eec734a578 ipn/{ipnlocal,localapi}: ensure watcher is installed before /watch-ipn-bus/ responds with 200
This change delays the first flush in the /watch-ipn-bus/ handler
until after the watcher has been successfully installed on the IPN
bus. It does this by adding a new onWatchAdded callback to
LocalBackend.WatchNotifications().

Without this, the endpoint returns a 200 almost immediatly, and
only then installs a watcher for IPN events.  This means there's a
small window where events could be missed by clients after calling
WatchIPNBus().

Fixes tailscale/corp#8594.

Signed-off-by: salman <salman@tailscale.com>
2 years ago
Brad Fitzpatrick 3eb986fe05 control/controlhttp: add TS_FORCE_NOISE_443, TS_DEBUG_NOISE_DIAL envknobs
Updates tailscale/docker-extension#49

Change-Id: I99a154c16c92228bfdf4d2cf6c58cda00e22d72f
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Tom DNetto ee6d18e35f cmd/tailscale/cli: implement --json for lock status and lock log cmds
Signed-off-by: Tom DNetto <tom@tailscale.com>
2 years ago
License Updater 287fe83f91 licenses: update android licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2 years ago
License Updater ef1c902c21 licenses: update win/apple licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2 years ago
Brad Fitzpatrick b657187a69 cmd/tailscale, logtail: add 'tailscale debug daemon-logs' logtail mechanism
Fixes #6836

Change-Id: Ia6eb39ff8972e1aa149aeeb63844a97497c2cf04
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
andig 5f96d6211a Remove redundant type declaration
Signed-off-by: andig <cpuidle@gmx.de>
2 years ago
David Anderson 72cc70ebfc flake.nix: update vendor hash.
Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
Brad Fitzpatrick 3582628691 net/dns/resolvconffile: link to FAQ about resolv.conf being overwritten
Add link to new http://tailscale.com/s/resolvconf-overwrite page,
added in tailscale/tailscale-www#2243

Change-Id: I9718399487f2ed18bf1a112581fd168aea30f232
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Andrew Dunham 3a018e51bb ipn/ipnlocal: move handling of expired nodes to LocalBackend
In order to be able to synthesize a new NetMap when a node expires, have
LocalBackend start a timer when receiving a new NetMap that fires
slightly after the next node expires. Additionally, move the logic that
updates expired nodes into LocalBackend so it runs on every netmap
(whether received from controlclient or self-triggered).

Updates #6932

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I833390e16ad188983eac29eb34cc7574f555f2f3
2 years ago
Brad Fitzpatrick 6d85a94767 net/{packet,tstun}: fix typo in test helper docs
Change-Id: Ifc1684fe77c7d2585e049e0dfd7340910c47a67a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick c1a2e2c380 net/{packet,tstun},wgengine/filter: fix unknown IP protocol handling
01b90df2fa added SCTP support before
(with explicit parsing for ports) and
69de3bf7bf tried to add support for
arbitrary IP protocols (as long as the ACL permited a port of "*",
since we might not know how to find ports from an arbitrary IP
protocol, if it even has such a concept). But apparently that latter
commit wasn't tested end-to-end enough. It had a lot of tests, but the
tests made assumptions about layering that either weren't true, or
regressed since 1.20. Notably, it didn't remove the (*Filter).pre
bidirectional filter that dropped all "unknown" protocol packets both
leaving and entering, even if there were explicit protocol matches
allowing them in.

Also, don't map all unknown protocols to 0. Keep their IP protocol
number parsed so it's matchable by later layers. Only reject illegal
things.

Fixes #6423
Updates #2162
Updates #2163

Change-Id: I9659b3ece86f4db51d644f9b34df78821758842c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick 3386a59cf1 wgengine/filter: include IP proto number in unknown protocol errors
Updates #6423

Change-Id: I9e363922e2c24fdc42687707c069af5bba68b93e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick 006ec659e6 wgengine/filter: reorder RunOut disjunctive cases to match RunIn above
Change-Id: Ia422121cde1687044b18be7bea9e7bf51a4183b9
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick d9144c73a8 cmd/tailscale: add start of "tailscale update" command
Goal: one way for users to update Tailscale, downgrade, switch tracks,
regardless of platform (Windows, most Linux distros, macOS, Synology).

This is a start.

Updates #755, etc

Change-Id: I23466da1ba41b45f0029ca79a17f5796c2eedd92
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Mihai Parparita 67f82e62a1 ipn/ipnlocal: add Expired to PeerStatus
Needed for clients that get information via the /v0/status LocalAPI
endpoint (e.g. to not offer expired exit nodes as options).

Updates tailscale/corp#8702

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2 years ago
phirework f011a0923a
cmd/tailscale/cli: style synology outgoing access info (#6959)
Follow-up to #6957.

Updates #4015

Signed-off-by: Jenny Zhang <jz@tailscale.com>
2 years ago
Andrew Dunham 11ce5b7e57 ipn/ipnlocal, wgengine/magicsock: check Expired bool on Node; print error in Ping
Change-Id: Ic5f533f175a6e1bb73d4957d8c3f970add42e82e
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
2 years ago
Brad Fitzpatrick 5eded58924 cmd/tailscale/cli: make web show/link Synology outgoing connection mode/docs
Fixes #4015

Change-Id: I8230bb0cc3d621b6fa02ab2462cea104fa1e9cf9
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Matthias Gabriel 355c3b2be7 control/controlhttp: fix header case-sensitivity
Change-Id: I49269bc969a80382997ec5c9de33c4f56d9dc787
Signed-off-by: Matthias Gabriel <matthias.gabriel@etit.tu-chemnitz.de>
2 years ago
Brad Fitzpatrick 61dfbc0a6e cmd/tailscale/cli: plumb TUN mode into tailscale web template
UI works remains, but data is there now.

Updates #4015

Change-Id: Ib91e94718b655ad60a63596e59468f3b3b102306
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
salman 8a1201ac42 cmd/tailscale: correct order for -terminate-tls flag in serve tcp usage
The -terminate-tls flag is for the tcp subsubcommand, not the serve
subcommand like the usage example suggests.

Signed-off-by: salman <salman@tailscale.com>
2 years ago
Brad Fitzpatrick faf2d30439 version: advertise unstable track in CLI, daemon start-up
Fixes #865

Change-Id: I166e56c3744b0a113973682b9a5327d7aec189f1
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Jordan Whited 25a0091f69
net/portmapper: relax handling of UPnP resp (#6946)
Gateway devices operating as an HA pair w/VRRP or CARP may send UPnP
replies from static addresses rather than the floating gateway address.
This commit relaxes our source address verification such that we parse
responses from non-gateway IPs, and re-point the UPnP root desc
URL to the gateway IP. This ensures we are still interfacing with the
gateway device (assuming L2 security intact), even though we got a
root desc from a non-gateway address.

This relaxed handling is required for ANY port mapping to work on certain
OPNsense/pfsense distributions using CARP at the time of writing, as
miniupnpd may only listen on the static, non-gateway interface address
for PCP and PMP.

Fixes #5502

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2 years ago
License Updater b76dffa594 licenses: update win/apple licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2 years ago
Andrew Dunham 6f18fbce8d tailcfg: document zero value for KeyExpiry
Change-Id: I50889f0205ecf66c415f50f9019c190448c991fc
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
2 years ago
Tom DNetto 2ac5474be1 net/flowtrack,wgengine/filter: refactor Cache to use generics
Signed-off-by: Tom DNetto <tom@tailscale.com>
2 years ago
Will Norris 3becf82dd3 types/views: add SliceEqualAnyOrder func
This is based on the tagsEqual func from corp/control/control.go, moved
here so that it can be reused in other places.

Signed-off-by: Will Norris <will@tailscale.com>
2 years ago
Andrew Dunham 1e67947cfa control/controlclient, tailcfg: add Node.Expired field, set for expired nodes
Nodes that are expired, taking into account the time delta calculated
from MapResponse.ControlTime have the newly-added Expired boolean set.
For additional defense-in-depth, also replicate what control does and
clear the Endpoints and DERP fields, and additionally set the node key
to a bogus value.

Updates #6932

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Ia2bd6b56064416feee28aef5699ca7090940662a
2 years ago
Denton Gentry 22ebb25e83 cmd/tailscale: disable HTTPS verification for QNAP auth.
QNAP's "Force HTTPS" mode redirects even localhost HTTP to
HTTPS, but uses a self-signed certificate which fails
verification. We accommodate this by disabling checking
of the cert.

Fixes https://github.com/tailscale/tailscale/issues/6903

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2 years ago
James Tucker 2afa1672ac ipn/ipnlocal: disallow unsigned peers from WoL
Unsigned peers should not be allowed to generate Wake-on-Lan packets,
only access Funnel.

Updates #6934
Updates #7515
Updates #6475

Signed-off-by: James Tucker <james@tailscale.com>
2 years ago
License Updater 237b1108b3 licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2 years ago
Will Norris fff617c988 go.mod: bump golang.org/x/net and dependencies
I don't think CVE-2022-41717 necessarily impacts us (maybe as part of
funnel?), but it came up in a recent security scan so worth updating
anyway.

Signed-off-by: Will Norris <will@tailscale.com>
2 years ago
License Updater c684ca7a0c licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2 years ago