tailscale

Commit Graph

Author	SHA1	Message	Date
Tyler Smalley	16c59d2294	VERSION.txt: this is v1.52.1 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	7 months ago
Andrew Lytvynov	e5d93d37bf	clientupdate: do not recursively delete dirs in cleanupOldDownloads (#10093 ) In case there's a wild symlink in one of the target paths, we don't want to accidentally delete too much. Limit `cleanupOldDownloads` to deleting individual files only. Updates https://github.com/tailscale/tailscale/issues/10082 Signed-off-by: Andrew Lytvynov <awly@tailscale.com> (cherry picked from commit `7145016414`)	7 months ago
Andrew Lytvynov	741b63479e	clientupdate: cleanup SPK and MSI downloads (#10085 ) After we're done installing, clean up the temp files. This prevents temp volumes from filling up on hosts that don't reboot often. Fixes https://github.com/tailscale/tailscale/issues/10082 Signed-off-by: Andrew Lytvynov <awly@tailscale.com> (cherry picked from commit `6c0ac8bef3`)	7 months ago
Aaron Klotz	2855ad959c	cmd/tailscaled: pre-load wintun.dll using a fully-qualified path In corp PR #14970 I updated the installer to set a security mitigation that always forces system32 to the front of the Windows dynamic linker's search path. Unfortunately there are other products out there that, partying like it's 1995, drop their own, older version of wintun.dll into system32. Since we look there first, we end up loading that old version. We can fix this by preloading wintun using a fully-qualified path. When wintun-go then loads wintun, the dynamic linker will hand it the module that was previously loaded by us. Fixes #10023, #10025, #10052 Signed-off-by: Aaron Klotz <aaron@tailscale.com> (cherry picked from commit `47019ce1f1`)	7 months ago
Tyler Smalley	31e1690f38	VERSION.txt: this is v1.52.0 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	7 months ago
Maisem Ali	62d580f0e8	util/linuxfw: add missing error checks in tests This would surface as panics when run on Fly. Still fail, but at least don't panic. Updates #10003 Signed-off-by: Maisem Ali <maisem@tailscale.com>	7 months ago
Rhea Ghosh	387a98fe28	ipn/ipnlocal: exclude tvOS devices from taildrop file targets (#10002 )	7 months ago
Chris Palmer	f66dc8dc0a	clientupdate: check for privileges earlier (#9964 ) Fixes #9963 Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	7 months ago
Flakes Updater	f9fafe269a	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	7 months ago
Cole Helbling	087260734b	flake: drop unnecessary git input Signed-off-by: Cole Helbling <cole.helbling@determinate.systems>	7 months ago
Cole Helbling	561e7b61c3	flake: fix systemd service by hardcoding $PORT Another solution would be to copy the `.defaults` file alongside the service file, and set the `EnvironmentFile` to point to that, but it would still be hardcoded (as the `.defaults` file would be stored in the Nix store), so I figured that this is a good solution until there is a proper NixOS module. Fixes #9995. Signed-off-by: Cole Helbling <cole.helbling@determinate.systems>	7 months ago
Cole Helbling	9e71851a36	go.mod.sri: update Signed-off-by: Cole Helbling <cole.helbling@determinate.systems>	7 months ago
Cole Helbling	4f62a2ed99	flake: set a default package This allows `nix build` to run, without needing to use `nix build .#tailscale`. Signed-off-by: Cole Helbling <cole.helbling@determinate.systems>	7 months ago
Cole Helbling	f737496d7c	flake: drop unnecessary fileContents binding Since the tailscale derivation already has a `pkgs` binding, we can use `pkgs.lib`. Alternatively, we could have used `nixpkgs.lib`, as `fileContents` doesn't need a system to use (anymore?). Signed-off-by: Cole Helbling <cole.helbling@determinate.systems>	7 months ago
Maisem Ali	9107b5eadf	cmd/tailscale/cli: use status before doing interactive feature query We were inconsistent whether we checked if the feature was already enabled which we could do cheaply using the locally available status. We would do the checks fine if we were turning on funnel, but not serve. This moves the cap checks down into enableFeatureInteractive so that are always run. Updates #9984 Co-authored-by: Tyler Smalley <tyler@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	7 months ago
License Updater	e94d345e26	licenses: update android licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	7 months ago
License Updater	7c7f60be22	licenses: update tailscale{,d} licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	7 months ago
Tyler Smalley	baa1fd976e	ipn/localapi: require local Windows admin to set serve path (#9969 ) For a serve config with a path handler, ensure the caller is a local administrator on Windows. updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	7 months ago
Will Norris	42abf13843	.github: run tests on all PRs, regardless of branch name The branch name selector "*" doesn't match branches with a "/" in their name. The vast majority of our PRs are against the main (or previously, master) branch anyway, so this will have minimal impact. But in the rare cases that we want to open a PR against a branch with a "/" in the name, tests should still run. ``` gh pr list --limit 9999 --state all --json baseRefName \| \ jq -cs '.[] \| group_by(.baseRefName) \| map({ base: .[0].baseRefName, count: map(.baseRefName) \| length}) \| sort_by(-.count) \| .[]' {"base":"main","count":4593} {"base":"master","count":226} {"base":"release-branch/1.48","count":4} {"base":"josh-and-adrian-io_uring","count":3} {"base":"release-branch/1.30","count":3} {"base":"release-branch/1.32","count":3} {"base":"release-branch/1.20","count":2} {"base":"release-branch/1.26","count":2} {"base":"release-branch/1.34","count":2} {"base":"release-branch/1.38","count":2} {"base":"Aadi/speedtest-tailscaled","count":1} {"base":"josh/io_uring","count":1} {"base":"maisem/hi","count":1} {"base":"rel-144","count":1} {"base":"release-branch/1.18","count":1} {"base":"release-branch/1.2","count":1} {"base":"release-branch/1.22","count":1} {"base":"release-branch/1.24","count":1} {"base":"release-branch/1.4","count":1} {"base":"release-branch/1.46","count":1} {"base":"release-branch/1.8","count":1} {"base":"web-client-main","count":1} ``` Updates #cleanup Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Brad Fitzpatrick	b4be4f089f	safesocket: make clear which net.Conns are winio types Follow-up to earlier #9049. Updates #9049 Change-Id: I121fbd2468770233a23ab5ee3df42698ca1dabc2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Aaron Klotz	95671b71a6	ipn, safesocket: use Windows token in LocalAPI On Windows, the idiomatic way to check access on a named pipe is for the server to impersonate the client on its current OS thread, perform access checks using the client's access token, and then revert the OS thread's access token back to its true self. The access token is a better representation of the client's rights than just a username/userid check, as it represents the client's effective rights at connection time, which might differ from their normal rights. This patch updates safesocket to do the aforementioned impersonation, extract the token handle, and then revert the impersonation. We retain the token handle for the remaining duration of the connection (the token continues to be valid even after we have reverted back to self). Since the token is a property of the connection, I changed ipnauth to wrap the concrete net.Conn to include the token. I then plumbed that change through ipnlocal, ipnserver, and localapi as necessary. I also added a PermitLocalAdmin flag to the localapi Handler which I intend to use for controlling access to a few new localapi endpoints intended for configuring auto-update. Updates https://github.com/tailscale/tailscale/issues/755 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	7 months ago
Andrew Dunham	ef596aed9b	net/portmapper: avoid alloc in getUPnPErrorsMetric Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Iea558024c038face24cc46584421998d10f13a66	7 months ago
James Tucker	237b4b5a2a	.github/workflows: add checklocks Currently the checklocks step is not configured to fail, as we do not yet have the appropriate annotations. Updates tailscale/corp#14381 Signed-off-by: James Tucker <james@tailscale.com>	7 months ago
Tyler Smalley	131518eed1	cmd/tailscale/cli: improve error when bg serve config is present (#9961 ) We prevent shodow configs when starting a foreground when a background serve config already exists for the serve type and port. This PR improves the messaging to let the user know how to remove the previous config. Updates #8489 ENG-2314 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	7 months ago
Tyler Smalley	1873bc471b	cmd/tailscale/cli: remove http flag for funnel command (#9955 ) The `--http` flag can not be used with Funnel, so we should remove it to remove confusion. Updates #8489 ENG-2316 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	7 months ago
Val	19e5f242e0	net/portmapper: convert UPnP metrics to new syncs.Map.LoadOrInit method Simplify UPnP error metrics by using the new syncs.Map.LoadOrInit method. Updates #cleanup Signed-off-by: Val <valerie@tailscale.com>	7 months ago
Andrew Lytvynov	8326fdd60f	clientupdate: disable auto-updates on Synology for now (#9965 ) Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Flakes Updater	143bda87a3	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	7 months ago
Marwan Sulaiman	5f3cdaf283	cmd/tailscale/cli: chage port flags to uint for serve and funnel This PR changes the -https, -http, -tcp, and -tls-terminated-tcp flags from string to int and also updates the validation to ensure they fit the uint16 size as the flag library does not have a Uint16Var method. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	7 months ago
Andrea Gottardo	741d7bcefe	Revert "ipn/ipnlocal: add new DNS and subnet router policies" (#9962 ) This reverts commit `32194cdc70`. Signed-off-by: Nick O'Neill <nick@tailscale.com>	7 months ago
Marwan Sulaiman	a7e4cebb90	cmd/tailscale/cli: refactor TestServeDevConfigMutations The TestServeDevConfigMutations test has 63 steps that all run under the same scope. This tests breaks them out into isolated subtests that can be run independently. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	7 months ago
Sonia Appasamy	d79e0fde9c	client/web: split errTaggedSelf resp from getTailscaleBrowserSession Previously returned errTaggedSource in the case that of any tagged source. Now distinguishing whether the source was local or remote. We'll be presenting the two cases with varying copy on the frontend. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Sonia Appasamy	e0a4a02b35	client/web: pipe Server.timeNow() through session funcs Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Andrew Lytvynov	21b6d373b0	cmd/tailscale/cli: unhide auto-update flags and mark update as Beta (#9954 ) Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Adrian Dewhurst	32194cdc70	ipn/ipnlocal: add new DNS and subnet router policies In addition to the new policy keys for the new options, some already-in-use but missing policy keys are also being added to util/syspolicy. Updates ENG-2133 Change-Id: Iad08ca47f839ea6a65f81b76b4f9ef21183ebdc6 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	7 months ago
Marwan Sulaiman	f5a7551382	cmd/tailscale: fix help message for serve funnel We currently print out "run tailscale serve --help" when the subcmd might be funnel. This PR ensures the right subcmd is passed. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	7 months ago
Andrew Lytvynov	d3bc575f35	cmd/tailscale/cli: set Sparkle auto-update on macsys (#9952 ) On `tailscale set --auto-update`, set the Sparkle plist option for it. Also make macsys report not supporting auto-updates over c2n, since they will be triggered by Sparkle locally. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
James Tucker	6f69fe8ad7	wgnengine: remove unused field in userspaceEngine Updates #cleanup Signed-off-by: James Tucker <james@tailscale.com>	7 months ago
Tyler Smalley	269a498c1e	cmd/tailscale/cli: serve --set-path should not force background mode (#9905 ) A few people have run into issues with understanding why `--set-path` started in background mode, and/or why they couldn't use a path in foreground mode. This change allows `--set-path` to be used in either case (foreground or background). updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	7 months ago
Thomas Kosiewski	b2ae8fdf80	derp/derphttp: strip port numbers from URL hostname When trying to set up multiple derper instances meshing with each other, it turned out that while one can specify an alternative listening port using the -a flag, the TLS hostname gets incorrectly determined and includes the set alternative listening port as part of the hostname. Thus, the TLS hostname validation always fails when the -mesh-with values have ports. Updates #9949 Signed-off-by: Thomas Kosiewski <thomas.kosiewski@loft.sh>	7 months ago
Brad Fitzpatrick	514539b611	wgengine/magicsock: close disco listeners on Conn.Close, fix Linux root TestNewConn TestNewConn now passes as root on Linux. It wasn't closing the BPF listeners and their goroutines. The code is still a mess of two Close overlapping code paths, but that can be refactored later. For now, make the two close paths more similar. Updates #9945 Change-Id: I8a3cf5fb04d22ba29094243b8e645de293d9ed85 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Andrew Lytvynov	593c086866	clientupdate: distinguish when auto-updates are possible (#9896 ) clientupdate.Updater will have a non-nil Update func in a few cases where it doesn't actually perform an update: * on Arch-like distros, where it prints instructions on how to update * on macOS app store version, where it opens the app store page Add a new clientupdate.Arguments field to cause NewUpdater to fail when we hit one of these cases. This results in c2n updates being "not supported" and `tailscale set --auto-update` returning an error. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
James Tucker	7df6f8736a	wgengine/netstack: only add addresses to correct protocols Prior to an earlier netstack bump this code used a string conversion path to cover multiple cases of behavior seemingly checking for unspecified addresses, adding unspecified addresses to v6. The behavior is now crashy in netstack, as it is enforcing address length in various areas of the API, one in particular being address removal. As netstack is now protocol specific, we must not create invalid protocol addresses - an address is v4 or v6, and the address value contained inside must match. If a control path attempts to do something otherwise it is now logged and skipped rather than incorrect addressing being added. Fixes tailscale/corp#15377 Signed-off-by: James Tucker <james@tailscale.com>	7 months ago
Tyler Smalley	35d7b3aa27	cmd/tailscale/cli: updates help and background messaging (#9929 ) * Fixes issue with template string not being provided in help text * Updates background information to provide full URL, including path, to make it clear the source and destination * Restores some tests * Removes AllowFunnel in ServeConfig if no proxy exists for that port. updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	7 months ago
Marwan Sulaiman	c53ee37912	cmd/tailscale: add set-raw to the new serve funnel commands This PR adds the same set-raw from the old flow into the new one so that users can continue to use it when transitioning into the new flow. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	7 months ago
Marwan Sulaiman	f232d4554a	cmd/tailscale: translate old serve commands to new ones This PR fixes the isLegacyInvocation to better catch serve and funnel legacy commands. In addition, it now also returns a string that translates the old command into the new one so that users can have an easier transition story. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	7 months ago
Sonia Appasamy	62d08d26b6	client/web: set Server.cgiMode field Updates tailscale/corp#15373 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> Co-authored-by: Will Norris <will@tailscale.com>	7 months ago
Maisem Ali	17b2072b72	ipn/ipnlocal: set the push device token correctly It would end up resetting whatever hostinfo we had constructed and leave the backend statemachine in a broken state. This fixes that by storing the PushDeviceToken on the LocalBackend and populating it on Hostinfo before passing it to controlclient. Updates tailscale/corp#8940 Updates tailscale/corp#15367 Signed-off-by: Maisem Ali <maisem@tailscale.com>	7 months ago
Maisem Ali	0e89245c0f	ipn/ipnlocal: drop hostinfo param from doSetHostinfoFilterServices The value being passed was the same as whats on b.hostinfo, so just use that directly. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	7 months ago
Joe Tsai	152390e80a	ipn/localapi: avoid unkeyed literal (#9933 ) Go has no way to explicitly identify Go struct as effectively a tuple, so staticcheck assumes any external use of unkeyed literals is wrong. Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	7 months ago

1 2 3 4 5 ...

6619 Commits (16c59d2294cadfcfa84e6e9d035a93e535538b42) All Branches Search

6619 Commits (16c59d2294cadfcfa84e6e9d035a93e535538b42)

All Branches