tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	c93fd0d22b	go.mod: bump wireguard-go to set CLOEXEC on tun/netlink fds To get: `c31a7b1ab4` Diff: `95b48cdb39..c31a7b1ab4` Fixes #4992 Change-Id: I077586fefcde923a2721712dd54548f97d010f72 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	6b71568eb7	util/cloudenv: add Azure support & DNS IPs And rewrite cloud detection to try to do only zero or one metadata discovery request for all clouds, only doing a first (or second) as confidence increases. Work remains for Windows, but a start. And add Cloud to tailcfg.Hostinfo, which helped with testing using "tailcfg debug hostinfo". Updates #4983 (Linux only) Updates #4984 Change-Id: Ib03337089122ce0cb38c34f724ba4b4812bc614e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	88c2afd1e3	ipn/ipnlocal, net/dns, util/cloudenv: specialize DNS config on Google Cloud This does three things: If you're on GCP, it adds a .internal DNS split route to the metadata server, so we never break GCP DNS names. This lets people have some Tailscale nodes on GCP and some not (e.g. laptops at home) without having to add a Tailnet-wide .internal DNS route. If you already have such a route, though, it won't overwrite it. * If the 100.100.100.100 DNS forwarder has nowhere to forward to, it forwards it to the GCP metadata IP, which forwards to 8.8.8.8. This means there are never errNoUpstreams ("upstream nameservers not set") errors on GCP due to e.g. mangled /etc/resolv.conf (GCP default VMs don't have systemd-resolved, so it's likely a DNS supremacy fight) * makes the DNS fallback mechanism use the GCP metadata IP as a fallback before our hosted HTTP-based fallbacks I created a default GCP VM from their web wizard. It has no systemd-resolved. I then made its /etc/resolv.conf be empty and deleted its GCP hostnames in /etc/hosts. I then logged in to a tailnet with no global DNS settings. With this, tailscaled writes /etc/resolv.conf (direct mode, as no systemd-resolved) and sets it to 100.100.100.100, which then has regular DNS via the metadata IP and .internal DNS via the metadata IP as well. If the tailnet configures explicit DNS servers, those are used instead, except for .internal. This also adds a new util/cloudenv package based on version/distro where the cloud type is only detected once. We'll likely expand it in the future for other clouds, doing variants of this change for other popular cloud environments. Fixes #4911 RELNOTES=Google Cloud DNS improvements Change-Id: I19f3c2075983669b2b2c0f29a548da8de373c7cf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	22c544bca7	go.mod: bump go4.org/unsafe/assume-no-moving-gc for Go 1.19beta1 Otherwise we crash at startup with Go 1.19beta1. Updates #4872 Change-Id: I371df4146735f7e066efd2edd48c1a305906c13d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	bf2fa7b184	go.mod: pin github.com/tailscale/mkctr (try #2 ) Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	81487169f0	build_docker.sh: pin github.com/tailscale/mkctr Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
James Tucker	87b44aa311	go.mod: bump golang.org/x/sys for CVE-2022-29526 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Joe Tsai	741ae9956e	tstest/integration/vms: use hujson.Standardize instead of hujson.Unmarshal (#4520 ) The hujson package transition to just being a pure AST parser and formatter for HuJSON and not an unmarshaler. Thus, parse HuJSON as such, convert it to JSON, and then use the standard JSON unmarshaler. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Brad Fitzpatrick	6f5b91c94c	go.mod: tidy Change-Id: If3b5fe42e7dd7858dcce02a3a24a5e59736815a2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	c88506caa6	ipn/ipnlocal: add Wake-on-LAN function to peerapi No CLI support yet. Just the curl'able version if you know the peerapi port. (like via a TSMP ping) Updates #306 Change-Id: I0662ba6530f7ab58d0ddb24e3664167fcd1c4bcf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	90b5f6286c	cmd/tailscale: use double quotes in the ssh subcommands Single-quote escaping is insufficient apparently. Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	53588f632d	Revert "wgengine/router,util/kmod: load & log xt_mark" This reverts commit `8d6793fd70`. Reason: breaks Android build (cgo/pthreads addition) We can try again next cycle. Change-Id: I5e7e1730a8bf399a8acfce546a6d22e11fb835d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	8d6793fd70	wgengine/router,util/kmod: load & log xt_mark Attempt to load the xt_mark kernel module when it is not present. If the load fails, log error information. It may be tempting to promote this failure to an error once it has been in use for some time, so as to avoid reaching an error with the iptables invocation, however, there are conditions under which the two stages may disagree - this change adds more useful breadcrumbs. Example new output from tailscaled running under my WSL2: ``` router: ensure module xt_mark: "/usr/sbin/modprobe xt_mark" failed: exit status 1; modprobe: FATAL: Module xt_mark not found in directory /lib/modules/5.10.43.3-microsoft-standard-WSL2 ``` Background: There are two places to lookup modules, one is `/proc/modules` "old", the other is `/sys/module/` "new". There was query_modules(2) in linux <2.6, alas, it is gone. In a docker container in the default configuration, you would get /proc/modules and /sys/module/ both populated. lsmod may work file, modprobe will fail with EPERM at `finit_module()` for an unpriviliged container. In a priviliged container the load may succeed, if some conditions are met. This condition should be avoided, but the code landing in this change does not attempt to avoid this scenario as it is both difficult to detect, and has a very uncertain impact. In an nspawn container `/proc/modules` is populated, but `/sys/module` does not exist. Modern `lsmod` versions will fail to gather most module information, without sysfs being populated with module information. In WSL2 modules are likely missing, as the in-use kernel typically is not provided by the distribution filesystem, and WSL does not mount in a module filesystem of its own. Notably the WSL2 kernel supports iptables marks without listing the xt_mark module in /sys/module, and /proc/modules is empty. On a recent kernel, we can ask the capabilities system about SYS_MODULE, that will help to disambiguate between the non-privileged container case and just being root. On older kernels these calls may fail. Update #4329 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Maisem Ali	2b8b887d55	ssh/tailssh: send banner messages during auth, move more to conn (VSCode Live Share between Brad & Maisem!) Updates #3802 Change-Id: Id8edca4481b0811debfdf56d4ccb1a46f71dd6d3 Co-Authored-By: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	14d077fc3a	ssh/tailssh: terminate ssh auth early if no policy can match Also bump github.com/tailscale/golang-x-crypto/ssh Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
James Tucker	67192a2323	go.mod: bump u-root We only use the termios subpackage, so we're unaffected by CVE-2020-7665, but the bump will let dependabot return to slumber. Fixes https://github.com/tailscale/tailscale/security/dependabot/2 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Xe Iaso	4f1d6c53cb	cmd/nginx-auth: create new Tailscale NGINX auth service (#4400 ) This conforms to the NGINX subrequest result authentication protocol[1] using the NGINX module `ngx_http_auth_request_module`. This is based on the example that @peterkeen provided on Twitter[2], but with several changes to make things more tightly locked down: * This listens over a UNIX socket instead of a TCP socket to prevent leakage to the network * This uses systemd socket activation so that systemd owns the socket and can then lock down the service to the bare minimum required to do its job without having to worry about dropping permissions * This provides additional information in HTTP response headers that can be useful for integrating with various services * This has a script to automagically create debian and redhat packages for easier distribution This will be written about on the Tailscale blog. There is more information in README.md. [1]: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/ [2]: https://github.com/peterkeen/tailscale/blob/main/cmd/nginx-auth-proxy/nginx-auth-proxy.go Signed-off-by: Xe Iaso <xe@tailscale.com>	2 years ago
Brad Fitzpatrick	09c5c9eb83	go.mod: bump x/tools for go/packages generics fix Updates #4194 Change-Id: Ia992ffb14210d5ad53f8f98d12b80d64080998e6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	8226f1482c	go.mod: bump rtnetlink for address label encoding (#4386 ) This will enable me to land tests for the upcoming monitor change in PR #4385. Update #4385 Update #4282 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	2550acfd9d	go.mod: bump netstack for clone reset fix (#4379 ) In tracking down issue #4144 and reading through the netstack code in detail, I discovered that the packet buf Clone path did not reset the packetbuf it was getting from the sync.Pool. The fix was sent upstream https://github.com/google/gvisor/pull/7385, and this bump pulls that in. At this time there is no known path that this fixes, however at the time of upstream submission this reset at least one field that could lead to incorrect packet routing if exercised, a situation that could therefore lead to an information leak. Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Xe Iaso	55161b3d92	cmd/mkpkg: use package flag (#4373 ) Also removes getopt Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Matt Layher	c79c72c4fc	go.mod: github.com/mdlayher/sdnotify@v1.0.0 Signed-off-by: Matt Layher <mdlayher@gmail.com>	2 years ago
Maisem Ali	ac2033d98c	go.mod: bump staticcheck (#4359 ) Updates #4194 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	3d180c0376	go.mod, ssh/tailssh, tempfork/gliderlabs: bump x/crypto/ssh fork for NoClientAuthCallback Prep for evaluating SSHPolicy earlier to decide whether certs are required, which requires knowing the target SSH user. Updates #3802 Change-Id: I2753ec8069e7f19c9121300d0fb0813c1c627c36 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	5a44f9f5b5	tempfork: temporarily fork gliderlabs/ssh and x/crypto/ssh While we rearrange/upstream things. gliderlabs/ssh is forked into tempfork from our prior fork at `be8b7add40` x/crypto/ssh OTOH is forked at https://github.com/tailscale/golang-x-crypto because it was gnarlier to vendor with various internal packages, etc. Its git history shows where it starts (2c7772ba30643b7a2026cbea938420dce7c6384d). Updates #3802 Change-Id: I546e5cdf831cfc030a6c42557c0ad2c58766c65f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	8294915780	cmd/tailscale/cli: add start of 'ssh' subcommand Updates #3802 Change-Id: Iabc07c00c7e4f43944cfe7daec8d2b66ac002289 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	4fc38888d2	go.mod: bump x/crypto for SSH change (for golang/go#51808) Updates #3802 Change-Id: Ifbd483c0144b4c86da69143b23b2a06da7672c92 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	73314009d0	go.mod: bump netstack (#4222 ) Primarily this is for f375784d83852b1e3ff20cc9de0648b3c0cf8525 and the related commits that provide buffer pooling for the endpoint code paths we use. Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Josh Bleecher Snyder	5f176f24db	go.mod: upgrade to the latest wireguard-go This pulls in a handful of fixes and an update to Go 1.18. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2 years ago
Josh Bleecher Snyder	8c2cb4b431	go.mod: update to latest certstore It includes a fix to allow us to use Go 1.18. We can now remove our Tailscale-only build tags. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2 years ago
Josh Bleecher Snyder	f695f0b178	go.mod: update golang.org/x/tools and honnef.co/go/tools This is required for staticcheck to process code using Go 1.18. This puts us on a random commit on the bleeding edge of staticcheck, which isn't great, but there don't appear to have been any releases yet that support 1.18. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2 years ago
Maisem Ali	da6ce27416	go.mod: move from github.com/gliderlabs/ssh to github.com/tailscale/ssh Updates #4146 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	ba1adf6c24	ssh/tailssh: make pty termios options match OpenSSH Still not sure the exact rules of how/when/who's supposed to set these, but this works for now on making them match. Baby steps. Will research more and adjust later. Updates #4146 (but not enough to fix it, something's still wrong) Updates #3802 Change-Id: I496d8cd7e31d45fe9ede88fc8894f35dc096de67 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Dmytro Shynkevych	d9a7205be5	net/tstun: set link speed to SPEED_UNKNOWN Fixes #3933. Signed-off-by: Dmytro Shynkevych <dm.shynk@gmail.com>	2 years ago
David Anderson	0fc1479633	go.mod: update github.com/mdlayher/netlink to 1.6.0 This unbreaks some downstream users of tailscale who end up with build errors from importing a v0 indirect dependency. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Brad Fitzpatrick	1af26222b6	go.mod: bump netstack, switch to upstream netstack Now that Go 1.17 has module graph pruning (https://go.dev/doc/go1.17#go-command), we should be able to use upstream netstack without breaking our private repo's build that then depends on the tailscale.com Go module. This is that experiment. Updates #1518 (the original bug to break out netstack to own module) Updates #2642 (this updates netstack, but doesn't remove workaround) Change-Id: I27a252c74a517053462e5250db09f379de8ac8ff Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	39ffa16853	net/dnscache, net/tsdial: add DNS caching to tsdial UserDial This is enough to handle the DNS queries as generated by Go's net package (which our HTTP/SOCKS client uses), and the responses generated by the ExitDNS DoH server. This isn't yet suitable for putting on 100.100.100.100 where a number of different DNS clients would hit it, as this doesn't yet do EDNS0. It might work, but it's untested and likely incomplete. Likewise, this doesn't handle anything about truncation, as the exchanges are entirely in memory between Go or DoH. That would also need to be handled later, if/when it's hooked up to 100.100.100.100. Updates #3507 Change-Id: I1736b0ad31eea85ea853b310c52c5e6bf65c6e2a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
David Anderson	190b7a4cca	go.mod: mass update with go get -u. Gets ahead of dependabot slightly, but the updates are minor. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
dependabot[bot]	0d8ef1ff35	go.mod: bump github.com/aws/aws-sdk-go-v2/service/ssm Bumps [github.com/aws/aws-sdk-go-v2/service/ssm](https://github.com/aws/aws-sdk-go-v2) from 1.17.0 to 1.17.1. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.17.0...service/ssm/v1.17.1) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ssm dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2 years ago
dependabot[bot]	329751c48e	go.mod: bump golang.org/x/tools from 0.1.7 to 0.1.8 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.1.7 to 0.1.8. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.1.7...v0.1.8) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2 years ago
dependabot[bot]	9ddef8cdbf	go.mod: bump github.com/mdlayher/netlink from 1.4.1 to 1.4.2 Bumps [github.com/mdlayher/netlink](https://github.com/mdlayher/netlink) from 1.4.1 to 1.4.2. - [Release notes](https://github.com/mdlayher/netlink/releases) - [Changelog](https://github.com/mdlayher/netlink/blob/main/CHANGELOG.md) - [Commits](https://github.com/mdlayher/netlink/compare/v1.4.1...v1.4.2) --- updated-dependencies: - dependency-name: github.com/mdlayher/netlink dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2 years ago
dependabot[bot]	9140f193bc	go.mod: bump github.com/aws/aws-sdk-go-v2/feature/s3/manager Bumps [github.com/aws/aws-sdk-go-v2/feature/s3/manager](https://github.com/aws/aws-sdk-go-v2) from 1.7.3 to 1.7.4. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/fsx/v1.7.3...feature/s3/manager/v1.7.4) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/feature/s3/manager dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2 years ago
Artyom Pervukhin	49a9e62d58	Replace AWS SDK v1 dependency with v2 This change drops AWS SDKv1 dependency, leaving only SDK v2 in use. Closes #3461 Signed-off-by: Artyom Pervukhin <github@artyom.dev>	2 years ago
dependabot[bot]	d89c61b812	go.mod: bump github.com/aws/aws-sdk-go-v2/service/ssm Bumps [github.com/aws/aws-sdk-go-v2/service/ssm](https://github.com/aws/aws-sdk-go-v2) from 1.16.0 to 1.17.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.16.0...service/s3/v1.17.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ssm dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2 years ago
dependabot[bot]	341e1af873	go.mod: bump github.com/aws/aws-sdk-go-v2/config from 1.10.2 to 1.10.3 Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.10.2 to 1.10.3. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.10.2...config/v1.10.3) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2 years ago
David Crawshaw	1e8b4e770a	update github.com/aws/aws-sdk-go-v2 Replaces #3464, #3365, #3366 with a PR that includes the depaware fix. Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	3 years ago
dependabot[bot]	6fd6fe11f2	go.mod: bump honnef.co/go/tools from 0.2.1 to 0.2.2 Bumps [honnef.co/go/tools](https://github.com/dominikh/go-tools) from 0.2.1 to 0.2.2. - [Release notes](https://github.com/dominikh/go-tools/releases) - [Commits](https://github.com/dominikh/go-tools/compare/v0.2.1...v0.2.2) --- updated-dependencies: - dependency-name: honnef.co/go/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	f76a8d93da	go.mod: bump github.com/godbus/dbus/v5 from 5.0.5 to 5.0.6 Bumps [github.com/godbus/dbus/v5](https://github.com/godbus/dbus) from 5.0.5 to 5.0.6. - [Release notes](https://github.com/godbus/dbus/releases) - [Commits](https://github.com/godbus/dbus/compare/v5.0.5...v5.0.6) --- updated-dependencies: - dependency-name: github.com/godbus/dbus/v5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
Brad Fitzpatrick	2ea765e5d8	go.mod: bump inet.af/netstack Updates #2642 (I'd hoped, but doesn't seem to fix it) Change-Id: Id54af7c90a1206bc7018215957e20e954782b911 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
David Anderson	41da7620af	go.mod: update wireguard-go to pick up roaming toggle wgengine/wgcfg: introduce wgcfg.NewDevice helper to disable roaming at all call sites (one real plus several tests). Fixes tailscale/corp#3016. Signed-off-by: David Anderson <danderson@tailscale.com> Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	0edd2d1cd5	safesocket: add js/wasm implementation with in-memory net.Conn Updates #3157 Change-Id: Ia35b1e259011fb86f8c4e01f62146f9fd4c9b7c6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
dependabot[bot]	12148dcf48	go.mod: bump github.com/frankban/quicktest from 1.13.1 to 1.14.0 Bumps [github.com/frankban/quicktest](https://github.com/frankban/quicktest) from 1.13.1 to 1.14.0. - [Release notes](https://github.com/frankban/quicktest/releases) - [Commits](https://github.com/frankban/quicktest/compare/v1.13.1...v1.14.0) --- updated-dependencies: - dependency-name: github.com/frankban/quicktest dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
Brad Fitzpatrick	ff1954cfd9	wgengine/router: use netlink for ip rules on Linux Using temporary netlink fork in github.com/tailscale/netlink until we get the necessary changes upstream in either vishvananda/netlink or jsimonetti/rtnetlink. Updates #391 Change-Id: I6e1de96cf0750ccba53dabff670aca0c56dffb7c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	0303ec44c3	go.mod: bump netstack for mipsle fix Fixes #3233 Change-Id: I18d1af886402774ce0ecc77dae3bc71eb8ba5c9d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	dc2fbf5877	wgengine/router: start using netlink instead of 'ip' on Linux Converts up, down, add/del addresses, add/del routes. Not yet done: rules. Updates #391 Change-Id: I02554ca07046d18f838e04a626ba99bbd35266fb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	e4d2ef2b67	go.sum: tidy Change-Id: I198755a3a94d89d838ff817573fbdd198412b2f3	3 years ago
Josh Bleecher Snyder	f27950e97f	go.mod: upgrade netaddr, netstack For Go 1.18 support. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	505f844a43	cmd/derper, derp/derphttp: add websocket support Updates #3157 Change-Id: I337a919a3b350bc7bd9af567b49c4d5d6616abdd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	c209278a9b	go.mod: bump wireguard-go to pick up upstreamed js/wasm build fixes Updates #3157 Change-Id: I727cb5f77110c87850061aa3b9f03c15dbda70d3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
dependabot[bot]	eaa0aef934	go.mod: bump github.com/creack/pty from 1.1.16 to 1.1.17 Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.16 to 1.1.17. - [Release notes](https://github.com/creack/pty/releases) - [Commits](https://github.com/creack/pty/compare/v1.1.16...v1.1.17) --- updated-dependencies: - dependency-name: github.com/creack/pty dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
Aaron Klotz	1991a1ac6a	net/tstun: update tun_windows for wintun 0.14 API revisions, update wireguard-go dependency to 82d2aa87aa623cb5143a41c3345da4fb875ad85d Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 years ago
Maxime VISONNEAU	4528f448d6	ipn/store/aws, cmd/tailscaled: add AWS SSM ipn.StateStore implementation From https://github.com/tailscale/tailscale/pull/1919 with edits by bradfitz@. This change introduces a new storage provider for the state file. It allows users to leverage AWS SSM parameter store natively within tailscaled, like: $ tailscaled --state=arn:aws:ssm:eu-west-1:123456789:parameter/foo Known limitations: - it is not currently possible to specific a custom KMS key ID RELNOTE=tailscaled on Linux supports using AWS SSM for state Edits-By: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Maxime VISONNEAU <maxime.visonneau@gmail.com>	3 years ago
Brad Fitzpatrick	a2e1e5d909	go.mod: bump go-ole for windows/arm64 support Updates #2606 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	2d11503cff	cmd/tailscale: add up --qr to show QR code Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	7cf8ec8108	net/tlsdial: bake in LetsEncrypt's ISRG Root X1 root We still try the host's x509 roots first, but if that fails (like if the host is old), we fall back to using LetsEncrypt's root and retrying with that. tlsdial was used in the three main places: logs, control, DERP. But it was missing in dnsfallback. So added it there too, so we can run fine now on a machine with no DNS config and no root CAs configured. Also, move SSLKEYLOGFILE support out of DERP. tlsdial is the logical place for that support. Fixes #1609 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
dependabot[bot]	5809386525	go.mod: bump golang.zx2c4.com/wireguard/windows from 0.4.9 to 0.4.10 Bumps golang.zx2c4.com/wireguard/windows from 0.4.9 to 0.4.10. --- updated-dependencies: - dependency-name: golang.zx2c4.com/wireguard/windows dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	0fa1da2d1b	go.mod: bump golang.org/x/tools from 0.1.6 to 0.1.7 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.1.6 to 0.1.7. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.1.6...v0.1.7) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	8949305820	go.mod: bump github.com/creack/pty from 1.1.15 to 1.1.16 Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.15 to 1.1.16. - [Release notes](https://github.com/creack/pty/releases) - [Commits](https://github.com/creack/pty/compare/v1.1.15...v1.1.16) --- updated-dependencies: - dependency-name: github.com/creack/pty dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	7f0fcf8571	go.mod: bump github.com/pkg/sftp from 1.13.3 to 1.13.4 Bumps [github.com/pkg/sftp](https://github.com/pkg/sftp) from 1.13.3 to 1.13.4. - [Release notes](https://github.com/pkg/sftp/releases) - [Commits](https://github.com/pkg/sftp/compare/v1.13.3...v1.13.4) --- updated-dependencies: - dependency-name: github.com/pkg/sftp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	b7b7d21514	go.mod: bump github.com/frankban/quicktest from 1.13.0 to 1.13.1 Bumps [github.com/frankban/quicktest](https://github.com/frankban/quicktest) from 1.13.0 to 1.13.1. - [Release notes](https://github.com/frankban/quicktest/releases) - [Commits](https://github.com/frankban/quicktest/compare/v1.13.0...v1.13.1) --- updated-dependencies: - dependency-name: github.com/frankban/quicktest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	46b59e8c48	go.mod: bump github.com/google/uuid from 1.1.2 to 1.3.0 Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.1.2 to 1.3.0. - [Release notes](https://github.com/google/uuid/releases) - [Commits](https://github.com/google/uuid/compare/v1.1.2...v1.3.0) --- updated-dependencies: - dependency-name: github.com/google/uuid dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
Brad Fitzpatrick	b0481ba37a	go.mod: bump x/tools Fixes #2912 (which had rebase issues) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
dependabot[bot]	9219ca49f5	go.mod: bump golang.zx2c4.com/wireguard/windows from 0.3.16 to 0.4.9 Bumps golang.zx2c4.com/wireguard/windows from 0.3.16 to 0.4.9. --- updated-dependencies: - dependency-name: golang.zx2c4.com/wireguard/windows dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	c350321eec	go.mod: bump github.com/gliderlabs/ssh from 0.3.2 to 0.3.3 Bumps [github.com/gliderlabs/ssh](https://github.com/gliderlabs/ssh) from 0.3.2 to 0.3.3. - [Release notes](https://github.com/gliderlabs/ssh/releases) - [Commits](https://github.com/gliderlabs/ssh/compare/v0.3.2...v0.3.3) --- updated-dependencies: - dependency-name: github.com/gliderlabs/ssh dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	2bb915dd0a	go.mod: bump github.com/creack/pty from 1.1.9 to 1.1.15 Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.9 to 1.1.15. - [Release notes](https://github.com/creack/pty/releases) - [Commits](https://github.com/creack/pty/compare/v1.1.9...v1.1.15) --- updated-dependencies: - dependency-name: github.com/creack/pty dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	aaea175dd0	go.mod: bump github.com/godbus/dbus/v5 from 5.0.4 to 5.0.5 Bumps [github.com/godbus/dbus/v5](https://github.com/godbus/dbus) from 5.0.4 to 5.0.5. - [Release notes](https://github.com/godbus/dbus/releases) - [Commits](https://github.com/godbus/dbus/compare/v5.0.4...v5.0.5) --- updated-dependencies: - dependency-name: github.com/godbus/dbus/v5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	eeee713c69	go.mod: bump github.com/miekg/dns from 1.1.42 to 1.1.43 Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.42 to 1.1.43. - [Release notes](https://github.com/miekg/dns/releases) - [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release) - [Commits](https://github.com/miekg/dns/compare/v1.1.42...v1.1.43) --- updated-dependencies: - dependency-name: github.com/miekg/dns dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	dbce536316	go.mod: bump github.com/pkg/sftp from 1.13.0 to 1.13.3 Bumps [github.com/pkg/sftp](https://github.com/pkg/sftp) from 1.13.0 to 1.13.3. - [Release notes](https://github.com/pkg/sftp/releases) - [Commits](https://github.com/pkg/sftp/compare/v1.13.0...v1.13.3) --- updated-dependencies: - dependency-name: github.com/pkg/sftp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
David Anderson	18086c4cb7	go.mod: bump github.com/klauspost/compress to 1.13.6 Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
Josh Bleecher Snyder	865d8c0d23	cmd: upgrade to ffcli v3 None of the breaking changes from v2 to v3 are relevant to us. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
David Crawshaw	b2a3d1da13	tstest/integration/vms: use fork of goexpect to avoid proto/grpc dep Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	3 years ago
David Anderson	b96159e820	go.mod: update github.com/ulikunitz/xz for https://github.com/advisories/GHSA-25xm-hr59-7c27 Our code is not vulnerable to the issue in question: it only happens in the decompression path for untrusted inputs, and we only use xz as part of mkpkg, which is write-only and operates on trusted build system outputs to construct deb and rpm packages. Still, it's nice to keep the dependabot dashboard clean. Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
Brad Fitzpatrick	db3586cd43	go.mod: upgrade staticcheck It was crashing on a PR of mine and this fixes it.	3 years ago
Matt Layher	8ab44b339e	net/tstun: use unix.Ifreq type for Linux TAP interface configuration Signed-off-by: Matt Layher <mdlayher@gmail.com>	3 years ago
Brad Fitzpatrick	a729070252	net/tstun: add start of Linux TAP support, with DHCP+ARP server Still very much a prototype (hard-coded IPs, etc) but should be non-invasive enough to submit at this point and iterate from here. Updates #2589 Co-Author: David Crawshaw <crawshaw@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	fdc081c291	net/portmapper: fix UPnP probing, work against all ports Prior to Tailscale 1.12 it detected UPnP on any port. Starting with Tailscale 1.11.x, it stopped detecting UPnP on all ports. Then start plumbing its discovered Location header port number to the code that was assuming port 5000. Fixes #2109 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Aaron Bieber	c179b9b535	cmd/tsshd: switch from github.com/kr/pty to github.com/creack/pty The kr/pty module moved to creack/pty per the kr/pty README[1]. creack/pty brings in support for a number of OS/arch combos that are lacking in kr/pty. Run `go mod tidy` while here. [1] https://github.com/kr/pty/blob/master/README.md Signed-off-by: Aaron Bieber <aaron@bolddaemon.com>	3 years ago
Brad Fitzpatrick	aaf2df7ab1	net/{dnscache,interfaces}: use netaddr.IP.IsPrivate, delete copied code Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Christine Dodrill	798b0da470	tstest/integration/vms: codegen for top level tests (#2441 ) This moves the distribution definitions into a maintainable hujson file instead of just existing as constants in `distros.go`. Comments are maintained from the inline definitions. This uses jennifer[1] for hygenic source tree creation. This allows us to generate a unique top-level test for each VM run. This should hopefully help make the output of `go test` easier to read. This also separates each test out into its own top-level test so that we can better track the time that each distro takes. I really wish there was a way to have the `test_codegen.go` file _always_ run as a part of the compile process instead of having to rely on people remembering to run `go generate`, but I am limited by my tools. This will let us remove the `-distro-regex` flag and use `go test -run` to pick which distros are run. Signed-off-by: Christine Dodrill <xe@tailscale.com>	3 years ago
julianknodt	1bb6abc604	net/portmapper: add upnp port mapping Add in UPnP portmapping, using goupnp library in order to get the UPnP client and run the portmapping functions. This rips out anywhere where UPnP used to be in portmapping, and has a flow separate from PMP and PCP. RELNOTE=portmapper now supports UPnP mappings Fixes #682 Updates #2109 Signed-off-by: julianknodt <julianknodt@gmail.com>	3 years ago
Brad Fitzpatrick	1cedd944cf	cmd/tailscale/cli: diagnose missing tailscaled on 'up' Fixes #2029 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	1072397375	go.mod: bump wireguard/windows to a version that still exists Fixes #2381 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	38be964c2b	go.mod: update netstack Fixes a atomic alignment crash on 32-bit machines. Fixes #2129 Fixes tailscale/tailscale-synology#66 (same) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Matt Layher	6956645ec8	go.mod: bump github.com/mdlayher/netlink to v1.4.1 Signed-off-by: Matt Layher <mdlayher@gmail.com>	3 years ago
Christine Dodrill	622dc7b093	tstest/integration/vms: download images from s3 (#2035 ) This makes integration tests pull pristine VM images from Amazon S3 if they don't exist on disk. If the S3 fetch fails, it will fall back to grabbing the image from the public internet. The VM images on the public internet are known to be updated without warning and thusly change their SHA256 checksum. This is not ideal for a test that we want to be able to fire and forget, then run reliably for a very long time. This requires an AWS profile to be configured at the default path. The S3 bucket is rigged so that the requester pays. The VM images are currently about 6.9 gigabytes. Please keep this in mind when running these tests on your machine. Documentation was added to the integration test folder to aid others in running these tests on their machine. Some wording in the logs of the tests was altered. Updates #1988 Signed-off-by: Christine Dodrill <xe@tailscale.com>	3 years ago
Brad Fitzpatrick	a321c24667	go.mod: update netaddr Involves minor IPSetBuilder.Set API change. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Christine Dodrill	14c1113d2b	tstest/integration/vms: copy locally built binaries (#2006 ) Instead of pulling packages from pkgs.tailscale.com, we should use the tailscale binaries that are local to this git commit. This exposes a bit of the integration testing stack in order to copy the binaries correctly. This commit also bumps our version of github.com/pkg/sftp to the latest commit. If you run into trouble with yaml, be sure to check out the commented-out alpine linux image complete with instructions on how to use it. Updates #1988 Signed-off-by: Christine Dodrill <xe@tailscale.com>	3 years ago
Adrian Dewhurst	6d6cf88d82	control/controlclient: use our fork of certstore The cyolosecurity fork of certstore did not update its module name and thus can only be used with a replace directive. This interferes with installing using `go install` so I created a tailscale fork with an updated module name. Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	3 years ago
Christine Dodrill	ba59c0391b	tstest/integration: add experimental integration test (#1966 ) This will spin up a few vms and then try and make them connect to a testcontrol server. Updates #1988 Signed-off-by: Christine Dodrill <xe@tailscale.com>	3 years ago
Josh Bleecher Snyder	1ece91cede	go.mod: upgrade wireguard-windows, de-fork wireguard-go Pull in the latest version of wireguard-windows. Switch to upstream wireguard-go. This requires reverting all of our import paths. Unfortunately, this has to happen at the same time. The wireguard-go change is very low risk, as that commit matches our fork almost exactly. (The only changes are import paths, CI files, and a go.mod entry.) So if there are issues as a result of this commit, the first place to look is wireguard-windows changes. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago

1 2 3 4 5 ...

320 Commits (1410682fb68e650786940811784c835ddb786e5a)