tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	a5e1f7d703	ipn/{ipnlocal,localapi}: add API to toggle use of exit node This is primarily for GUIs, so they don't need to remember the most recently used exit node themselves. This adds some CLI commands, but they're disabled and behind the WIP envknob, as we need to consider naming (on/off is ambiguous with running an exit node, etc) as well as automatic exit node selection in the future. For now the CLI commands are effectively developer debug things to test the LocalAPI. Updates tailscale/corp#18724 Change-Id: I9a32b00e3ffbf5b29bfdcad996a4296b5e37be7e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	aa084a29c6	ipn/ipnlocal: name the unlockOnce type, plumb more, add Unlock method This names the func() that Once-unlocked LocalBackend.mu. It does so both for docs and because it can then have a method: Unlock, for the few points that need to explicitly unlock early (the cause of all this mess). This makes those ugly points easy to find, and also can then make them stricter, panicking if the mutex is already unlocked. So a normal call to the func just once-releases the mutex, returning false if it's already done, but the Unlock method is the strict one. Then this uses it more, so most the b.mu.Unlock calls remaining are simple cases and usually defers. Updates #11649 Change-Id: Ia070db66c54a55e59d2f76fdc26316abf0dd4627 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	5e7c0b025c	ipn/ipnlocal: add some "lockedOnEntry" helpers + guardrails, fix bug A number of methods in LocalBackend (with suffixed "LockedOnEntry") require b.mu be held but unlock it on the way out. That's asymmetric and atypical and error prone. This adds a helper method to LocalBackend that locks the mutex and returns a sync.OnceFunc that unlocks the mutex. Then we pass around that unlocker func down the chain to make it explicit (and somewhat type check the passing of ownership) but also let the caller defer unlock it, in the case of errors/panics that happen before the callee gets around to calling the unlock. This revealed a latent bug in LocalBackend.DeleteProfile which double unlocked the mutex. Updates #11649 Change-Id: I002f77567973bd77b8906bfa4ec9a2049b89836a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	38377c37b5	ipn/localapi: sort localapi handler map keys Updates #cleanup Change-Id: I750ed8d033954f1f8786fb35dd16895bb1c5af8e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Charlotte Brandhorst-Satzkorn	8c75da27fc	drive: move normalizeShareName into pkg drive and make func public (#11638 ) This change makes the normalizeShareName function public, so it can be used for validation in control. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Charlotte Brandhorst-Satzkorn	98cf71cd73	tailscale: switch tailfs to drive syntax for api and logs (#11625 ) This change switches the api to /drive, rather than the previous /tailfs as well as updates the log lines to reflect the new value. It also cleans up some existing tailfs references. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Charlotte Brandhorst-Satzkorn	93618a3518	tailscale: update tailfs functions and vars to use drive naming (#11597 ) This change updates all tailfs functions and the majority of the tailfs variables to use the new drive naming. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Brad Fitzpatrick	b9611461e5	ipn/ipnlocal: q-encode (RFC 2047) Tailscale serve header values Updates #11603 RELNOTE=Tailscale serve headers are now RFC 2047 Q-encoded Change-Id: I1314b65ecf5d39a5a601676346ec2c334fdef042 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Claire Wang	262fa8a01e	ipn/ipnlocal: populate peers' capabilities (#11365 ) Populates capabilties field of peers in ipn status. Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Charlotte Brandhorst-Satzkorn	14683371ee	tailscale: update tailfs file and package names (#11590 ) This change updates the tailfs file and package names to their new naming convention. Updates #tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
James Tucker	7558a1d594	ipn/ipnlocal: disable sockstats on (unstable) mobile by default We're tracking down a new instance of memory usage, and excessive memory usage from sockstats is definitely not going to help with debugging, so disable it by default on mobile. Updates tailscale/corp#18514 Signed-off-by: James Tucker <james@tailscale.com>	2 months ago
Percy Wegmann	66e4d843c1	ipn/localapi: add support for multipart POST to file-put This allows sending multiple files via Taildrop in one request. Progress is tracked via ipn.Notify. Updates tailscale/corp#18202 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	bed818a978	ipn/localapi: add support for multipart POST to file-put This allows sending multiple files via Taildrop in one request. Progress is tracked via ipn.Notify. Updates tailscale/corp#18202 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	eb42a16da9	ipn/ipnlocal: report Taildrive access message on failed responses For example, if we get a 404 when downloading a file, we'll report access. Also, to reduce verbosty of logs, this elides 0 length files. Updates tailscale/corp#17818 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Charlotte Brandhorst-Satzkorn	acb611f034	ipn/localipn: introduce logs for tailfs (#11496 ) This change introduces some basic logging into the access and share pathways for tailfs. Updates tailscale/corp#17818 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Brad Fitzpatrick	a36cfb4d3d	tailcfg, ipn/ipnlocal, wgengine/magicsock: add only-tcp-443 node attr Updates tailscale/corp#17879 Change-Id: I0dc305d147b76c409cf729b599a94fa723aef0e0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	7b34154df2	all: deprecate Node.Capabilities (more), remove PeerChange.Capabilities [capver 89] First we had Capabilities []string. Then https://tailscale.com/blog/acl-grants (#4217) brought CapMap, a superset of Capabilities. Except we never really finished the transition inside the codebase to go all-in on CapMap. This does so. Notably, this coverts Capabilities on the wire early to CapMap internally so the code can only deal in CapMap, even against an old control server. In the process, this removes PeerChange.Capabilities support, which no known control plane sent anyway. They can and should use PeerChange.CapMap instead. Updates #11508 Updates #4217 Change-Id: I872074e226b873f9a578d9603897b831d50b25d9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	b104688e04	ipn/ipnlocal, types/netmap: replace hasCapability with set lookup on NetworkMap When node attributes were super rare, the O(n) slice scans looking for node attributes was more acceptable. But now more code and more users are using increasingly more node attributes. Time to make it a map. Noticed while working on tailscale/corp#17879 Updates #cleanup Change-Id: Ic17c80341f418421002fbceb47490729048756d2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Percy Wegmann	8c88853db6	ipn/ipnlocal: add c2n /debug/pprof/allocs endpoint This behaves the same as typical debug/pprof/allocs. Updates tailscale/corp#18514 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
James Tucker	e0f97738ee	localapi: reduce garbage production in bus watcher Updates #optimization Signed-off-by: James Tucker <james@tailscale.com>	2 months ago
Brad Fitzpatrick	6a860cfb35	ipn/ipnlocal: add c2n pprof option to force a GC Like net/http/pprof has. Updates tailscale/corp#18514 Change-Id: I264adb6dcf5732d19707783b29b7273b4ca69cf4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Percy Wegmann	067ed0bf6f	ipnlocal: ensure TailFS share notifications are non-nil This allows the UI to distinguish between 'no shares' versus 'not being notified about shares'. Updates ENG-2843 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Irbe Krumina	b0c3e6f6c5	cmd/k8s-operator,ipn/conf.go: fix --accept-routes for proxies (#11453 ) Fix a bug where all proxies got configured with --accept-routes set to true. The bug was introduced in https://github.com/tailscale/tailscale/pull/11238. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Mario Minardi	d2ccfa4edd	cmd/tailscale,ipn/ipnlocal: enable web client over quad 100 by default (#11419 ) Enable the web client over 100.100.100.100 by default. Accepting traffic from [tailnet IP]:5252 still requires setting the `webclient` user pref. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	2 months ago
Mario Minardi	e0886ad167	ipn/ipnlocal, tailcfg: add disable-web-client node attribute (#11418 ) Add a disable-web-client node attribute and add handling for disabling the web client when this node attribute is set. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	2 months ago
Andrew Lytvynov	decd9893e4	ipn/ipnlocal: validate domain of PopBrowserURL on default control URL (#11394 ) If the client uses the default Tailscale control URL, validate that all PopBrowserURLs are under tailscale.com or *.tailscale.com. This reduces the risk of a compromised control plane opening phishing pages for example. The client trusts control for many other things, but this is one easy way to reduce that trust a bit. Fixes #11393 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	3 months ago
Brad Fitzpatrick	ad33e47270	ipn/{ipnlocal,localapi}: add debug verb to force spam IPN bus NetMap To force the problem in its worst case scenario before fixing it. Updates tailscale/corp#17859 Change-Id: I2c8b8e5f15c7801e1ab093feeafac52ec175a763 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Percy Wegmann	e496451928	ipn,cmd/tailscale,client/tailscale: add support for renaming TailFS shares - Updates API to support renaming TailFS shares. - Adds a CLI rename subcommand for renaming a share. - Renames the CLI subcommand 'add' to 'set' to make it clear that this is an add or update. - Adds a unit test for TailFS in ipnlocal Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Percy Wegmann	6c160e6321	ipn,tailfs: tie TailFS share configuration to user profile Previously, the configuration of which folders to share persisted across profile changes. Now, it is tied to the user's profile. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Percy Wegmann	fd942b5384	ipn/ipnlocal: reduce allocations in TailFS share notifications This eliminates unnecessary map.Clone() calls and also eliminates repetitive notifications about the same set of shares. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Percy Wegmann	6f66f5a75a	ipn: add comment about thread-safety to StateStore Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Andrea Gottardo	0cb86468ca	ipn/localapi: add set-gui-visible endpoint Updates tailscale/corp#17859 Provides a local API endpoint to be called from the GUI to inform the backend when the client menu is opened or closed. cc @bradfitz Signed-off-by: Andrea Gottardo <andrea@gottardo.me> Signed-off-by: Andrea Gottardo <andrea@tailscale.com> Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	3 months ago
Percy Wegmann	00373f07ac	ipn/ipnlocal: exclude mullvad exit nodes from TailFS peers list This is a temporary solution to at least omit Mullvad exit nodes from the list of TailFS peers. Once we can identify peers that are actually sharing via TailFS, we can remove this, but for alpha it'll be sufficient to just omit Mullvad. Updates tailscale/corp#17766 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Sonia Appasamy	c58c59ee54	{ipn,cmd/tailscale/cli}: move ServeConfig mutation logic to ipn/serve Moving logic that manipulates a ServeConfig into recievers on the ServeConfig in the ipn package. This is setup work to allow the web client and cli to both utilize these shared functions to edit the serve config. Any logic specific to flag parsing or validation is left untouched in the cli command. The web client will similarly manage its validation of user's requested changes. If validation logic becomes similar-enough, we can make a serve util for shared functionality, which likely does not make sense in ipn. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	3 months ago
Sonia Appasamy	65c3c690cf	{ipn/serve,cmd/tailscale/cli}: move some shared funcs to ipn In preparation for changes to allow configuration of serve/funnel from the web client, this commit moves some functionality that will be shared between the CLI and web client to the ipn package's serve.go file, where some other util funcs are already defined. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	3 months ago
Percy Wegmann	e324a5660f	ipn: include full tailfs shares in ipn notifications This allows the Mac application to regain access to restricted folders after restarts. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Brad Fitzpatrick	b68a09cb34	ipn/ipnlocal: make active IPN sessions keyed by sessionID We used a HandleSet before when we didn't have a unique handle. But a sessionID is a unique handle, so use that instead. Then that replaces the other map we had. And now we'll have a way to look up an IPN session by sessionID for later. Updates tailscale/corp#17859 Change-Id: I5f647f367563ec8783c643e49f93817b341d9064 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Percy Wegmann	2d5d6f5403	ipn,wgengine: only intercept TailFS traffic on quad 100 This fixes a regression introduced with `993acf4` and released in v1.60.0. The regression caused us to intercept all userspace traffic to port 8080 which prevented users from exposing their own services to their tailnet at port 8080. Now, we only intercept traffic to port 8080 if it's bound for 100.100.100.100 or fd7a:115c:a1e0::53. Fixes #11283 Signed-off-by: Percy Wegmann <percy@tailscale.com> (cherry picked from commit `17cd0626f3`)	3 months ago
Brad Fitzpatrick	69f4b4595a	wgengine{,/wgint}: add wgint.Peer wrapper type, add to wgengine.Engine This adds a method to wgengine.Engine and plumbed down into magicsock to add a way to get a type-safe Tailscale-safe wrapper around a wireguard-go device.Peer that only exposes methods that are safe for Tailscale to use internally. It also removes HandshakeAttempts from PeerStatusLite that was just added as it wasn't needed yet and is now accessible ala cart as needed from the Peer type accessor. None of this is used yet. Updates #7617 Change-Id: I07be0c4e6679883e6eeddf8dbed7394c9e79c5f4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	74b8985e19	ipn/ipnstate, wgengine: make PeerStatusLite.LastHandshake zero Time means none ... rather than 1970. Code was using IsZero against the 1970 team (which isn't a zero value), but fortunately not anywhere that seems to have mattered. Updates #cleanup Change-Id: I708a3f2a9398aaaedc9503678b4a8a311e0e019e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	1cf85822d0	ipn/ipnstate, wgengine/wgint: add handshake attempts accessors Not yet used. This is being made available so magicsock/wgengine can use it to ignore certain sends (UDP + DERP) later on at least mobile, letting wireguard-go think it's doing its full attempt schedule, but we can cut it short conditionally based on what we know from the control plane. Updates #7617 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Change-Id: Ia367cf6bd87b2aeedd3c6f4989528acdb6773ca7	3 months ago
Anton Tolchanov	8cc5c51888	health: warn about reverse path filtering and exit nodes When reverse path filtering is in strict mode on Linux, using an exit node blocks all network connectivity. This change adds a warning about this to `tailscale status` and the logs. Example in `tailscale status`: ``` - not connected to home DERP region 22 - The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 ``` Example in the logs: ``` 2024/02/21 21:17:07 health("overall"): error: multiple errors: not in map poll The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 ``` Updates #3310 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	3 months ago
Nick Khyl	7ef1fb113d	cmd/tailscaled, ipn/ipnlocal, wgengine: shutdown tailscaled if wgdevice is closed Tailscaled becomes inoperative if the Tailscale Tunnel wintun adapter is abruptly removed. wireguard-go closes the device in case of a read error, but tailscaled keeps running. This adds detection of a closed WireGuard device, triggering a graceful shutdown of tailscaled. It is then restarted by the tailscaled watchdog service process. Fixes #11222 Signed-off-by: Nick Khyl <nickk@tailscale.com>	3 months ago
Brad Fitzpatrick	e1bd7488d0	all: remove LenIter, use Go 1.22 range-over-int instead Updates #11058 Updates golang/go#65685 Change-Id: Ibb216b346e511d486271ab3d84e4546c521e4e22 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	794af40f68	ipn/ipnlocal: remove ancient transition mechanism for https certs And confusing error message that duplicated the valid cert domains. Fixes tailscale/corp#15876 Change-Id: I098bc45d83c8d1e0a233dcdf3188869cce66e128 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
San	69f5664075	ipn/ipnlocal: fix doctor API endpoint (#11155 ) Small fix to make sure doctor API endpoint returns correctly - I spotted it when checking my tailscaled node and noticed it was handled slightly different compare to the rest Signed-off-by: San <santrancisco@users.noreply.github.com>	4 months ago
Andrew Dunham	52f16b5d10	doctor/ethtool, ipn/ipnlocal: add ethtool bugreport check Updates #11137 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Idbe862d80e428adb044249c47d9096b87f29d5d8	4 months ago
Brad Fitzpatrick	61a1644c2a	go.mod, all: move away from inet.af domain seized by Taliban Updates inetaf/tcpproxy#39 Change-Id: I7fee276b116bd08397347c6c949011d76a2842cf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Percy Wegmann	c42a4e407a	tailfs: listen for local clients only on 100.100.100.100 FileSystemForLocal was listening on the node's Tailscale address, which potentially exposes the user's view of TailFS shares to other Tailnet users. Remote nodes should connect to exported shares via the peerapi. This removes that code so that FileSystemForLocal is only avaialable on 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Maisem Ali	370ecb4654	tailcfg: remove UserProfile.Groups Removing as per go/group-all-the-things. Updates tailscale/corp#17445 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 months ago

1 2 3 4 5 ...

1359 Commits (09524b58f37ec6d1c5d75850a694ac791ef56128)