tailscale

Commit Graph

Author	SHA1	Message	Date
David Anderson	89af51b84d	wgengine: plumb locally advertised subnet routes. With this change, advertising subnet routes configures the firewall correctly. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	89198b1691	wgengine/router: rewrite netfilter and routing logic. New logic installs precise filters for subnet routes, plays nice with other users of netfilter, and lays the groundwork for fixing routing loops via policy routing. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	7618d7e677	wgengine/router: simplify some cmd invocations. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Zijie Lu	e3559d1c45	cmd/netcheck: better DERP latency checking output Fixes #206 Signed-off-by: Zijie Lu <zijie@tailscale.com>	4 years ago
Dmytro Shynkevych	46f4b18fe8	control/controlclient: revert extreneous synchronization. Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>	4 years ago
Dmytro Shynkevych	3b94eabee3	control/controlclient: synchronize hostinfo test. Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>	4 years ago
Brad Fitzpatrick	44b07aa708	netcheck: STUN less aggressively to known distant servers If Australia's far away and not going to be used, it's still going to be far away a minute later. No need to send backup just-in-case-UDP-gets-lost STUN packets to the known far away destinations. Those are the ones most likely to trigger retries due to delay anyway (in random 50-250ms, currently). But we'll keep sending 1 packet to them, just in case our airplane landed. Likewise, be less aggressive with IPv6. The main point is just to see whether IPv6 works. No need to send up to 10 packets every round. Max two is enough (except for the first round). This does mean our STUN traffic graphs for IPv4-vs-IPv6 will change shape. Oh well. It was a weird eyeball metric for IPv6 connectivity anyway and we have better metrics. We can tweak this policy over time. It's factored out and has tests now.	4 years ago
Brad Fitzpatrick	828aa6dcb0	stunner: add Stunner.MaxTries option	4 years ago
Brad Fitzpatrick	495796fff1	derp/derpmap: add World.ForeachServer, check STUN server validity earlier	4 years ago
Avery Pennarun	108237798d	controlclient and ipn tests: supply --advertise-tags and --advertise-routes. This helps validate the server's behaviour when these are present.	4 years ago
Dmytro Shynkevych	68a173bc24	cmd/mkpkg: support adding empty directories. Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>	4 years ago
Brad Fitzpatrick	3b546dc29a	portlist: make two error paths have unique messages For debugging #339	4 years ago
Brad Fitzpatrick	fefd7e10dc	types/structs: add structs.Incomparable annotation, use it where applicable Shotizam before and output queries: sqlite> select sum(size) from bin where func like 'type..%'; 129067 => 120216	4 years ago
Elias Naur	7b901fdbbc	logpolicy: report the correct error Signed-off-by: Elias Naur <mail@eliasnaur.com>	4 years ago
Elias Naur	0068e57407	go.mod,go.sum: bump golang.org/x/sys for the Android dup2 fix No tidy, because it doesn't work for me: $ go mod tidy go: finding module for package tailscale.io/control go: finding module for package tailscale.io/control/cfgdb tailscale.com/control/controlclient tested by tailscale.com/control/controlclient.test imports tailscale.io/control: cannot find module providing package tailscale.io/control: unrecognized import path "tailscale.io/control": parse https://tailscale.io/control?go-get=1: no go-import meta tags (meta tag tailscale.com did not match import path tailscale.io/control) tailscale.com/control/controlclient tested by tailscale.com/control/controlclient.test imports tailscale.io/control/cfgdb: cannot find module providing package tailscale.io/control/cfgdb: unrecognized import path "tailscale.io/control/cfgdb": parse https://tailscale.io/control/cfgdb?go-get=1: no go-import meta tags (meta tag tailscale.com did not match import path tailscale.io/control/cfgdb) Signed-off-by: Elias Naur <mail@eliasnaur.com>	4 years ago
Avery Pennarun	9d1f48032a	cmd/tailscale: add --advertise-tags option. These will be used for dynamically changing the identity of a node, so its ACL rights can be different from your own. Note: Not all implemented yet on the server side, but we need this so we can request the tagged rights in the first place. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
David Crawshaw	5650f1ecf9	controlclient, ipn: adjust tests for tailscale.com keepalive change	4 years ago
David Crawshaw	c10f90357e	ipn/e2e_test: fix flaky logout state drain	4 years ago
David Anderson	657f331e8b	net/dnscache: remove unnecessary lint warning.	4 years ago
David Anderson	9396024bd7	portlist: move code around to avoid unused function warnings.	4 years ago
David Anderson	755fd9253c	wgengine/router: fix up docstring. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	1ac570def7	wgengine/router: split out from wgengine. The router implementations are logically separate, with their own API. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Avery Pennarun	ee3395e63a	wgengine/filter: fix linter warning. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	5e5e5db75f	Appease the "missing copyright header" check. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	65fbb9c303	wgengine/filter: support subnet mask rules, not just /32 IPs. This depends on improved support from the control server, to send the new subnet width (Bits) fields. If these are missing, we fall back to assuming their value is /32. Conversely, if the server sends Bits fields to an older client, it will interpret them as /32 addresses. Since the only rules we allow are "accept" rules, this will be narrower or equal to the intended rule, so older clients will simply reject hosts on the wider subnet (fail closed). With this change, the internal filter.Matches format has diverged from the wire format used by controlclient, so move the wire format into tailcfg and convert it to filter.Matches in controlclient. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	d6c34368e8	ipn/local: differentiate Shields Up from Uninitialized in logs. We were printing "Shields Up" when the netmap wasn't initialized yet, which while technically effectively true, turned out to be confusing when trying to debug things. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	64db026c8b	backoff: add a LogLongerThan configuration. Some programs use frequent short-duration backoffs even under non-error conditions. They can set this to avoid logging short backoffs when things are operating normally, but still get messages when longer backoffs kick in. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	ced9b4008a	ipn: clear the hostinfo.Services list when prefs.ShieldsUp==true. When shields are up, no services are available to connect to, so hide them all. This will also help them disappear from the UI menu on other nodes. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	d7429b9a8d	Add prefs.ShieldsUp and --shields-up option. This sets a default packet filter that blocks all incoming requests, giving end users more control over who can get into their machine, even if the admin hasn't set any central ACLs. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	85e675940d	wgengine/filter: allow ICMP response packets. Longer term, we should probably update the packet filter to be fully stateful, for both TCP and ICMP. That is, only ICMP packets related to a session we initiated should be allowed back in. But this is reasonably secure for now, since wireguard is already trimming most traffic. The current code would not protect against eg. Ping-of-Death style attacks from VPN nodes. Fixes tailscale/tailscale#290. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	dbc1f71e5d	ipn/message: fix some message encoding problems. - Reset() was not including a Version field, so was getting rejected; the Logout operation no longer happened when the client got disconnected. - Don't crash if we can't decode 0-byte messages, which I suspect might sometimes come through on EOF. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
David Crawshaw	2372530964	logtail/backoff: only log backoffs > 2sec Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	4 years ago
David Anderson	0038223632	tstest: rename from testy. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Brad Fitzpatrick	e1526b796e	ipn: don't listen on the unspecified address in test To avoid the Mac firewall dialog of (test) death. See `4521a59f30` which I added to help debug this.	4 years ago
David Crawshaw	d2b7cb1e45	ipn, controlclient: add control.New parameter Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	4 years ago
Brad Fitzpatrick	f4c7eb8c44	ipn: revert part of `18017f7630` In retrospect I don't trust it and I'm afraid might've caused some Mac flakiness. I'd like more tests here before I work on this. Updates #288	4 years ago
Brad Fitzpatrick	18017f7630	ipn, wgengine/magicsock: be more idle when in Stopped state with no peers (Previously as #288, but with some more.) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
David Anderson	66c7875974	control/controlclient: wait for c1 to receive a netmap. This strictly sequences things such that c1 is fully registered in the control server before c2 creates its poll. Failure to do this can cause an inversion where c2's poll finishes establishing before c1's poll starts, which results in c2 getting disconnected rather than c1, and the test times out waiting for c1 to get kicked. Fixes #98. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	cbb1e2e853	control/controlclient: document test TestClientsReusingKeys. The test is straightforward, but it's a little perplexing if you're not overly familiar with controlclient. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
fgergo	8296c934ac	Update ifconfig_windows.go OLE calls sometimes unexpectedly fail, but retries can succeed. Change panic() to return errors. This way ConfigureInterface() retries can succeed.	4 years ago
David Anderson	9669b85b41	wgengine/magicsock: wait for endpoint updater goroutine when closing. Fixes #204. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Elias Naur	ad0795efc2	net/dnscache: don't use the Go resolver on Android The local resolver is not available for apps on Android. Signed-off-by: Elias Naur <mail@eliasnaur.com>	4 years ago
Brad Fitzpatrick	a464439658	control/controlclient: fix build break caused by overzealous gitting	4 years ago
Brad Fitzpatrick	2244cca5ff	net/tlsdial: update package doc to say it's now somewhat useless	4 years ago
Brad Fitzpatrick	58e83d8f66	tempfork/x509: moved to tailscale/go's crypto/x509 instead	4 years ago
Brad Fitzpatrick	172d72a060	Revert "net/tlsdial: add memory-optimized TLS cert verification path for iOS" This reverts commit `6fcbd4c4d4`. Decided to put it in tailscale/go's crypto/x509 instead.	4 years ago
Brad Fitzpatrick	5d67365cc9	logtail: add PrivateID.IsZero method	4 years ago
Brad Fitzpatrick	9497921f52	logpolicy: also set up TLS dialing (for iOS) for log uploads This was the last of the three places that do TLS from clients (logs, control, derp). With this, iOS should be able to use the memory-efficient x509 root CertPool.	4 years ago
Brad Fitzpatrick	c726c1eec9	logtail: add const DefaultHost with default server name	4 years ago
Brad Fitzpatrick	1a0f6fea58	go.mod, go.sum: bump wireguard-go, tidy	4 years ago

... 8 9 10 11 12 ...

1055 Commits (1d9ab6d484196255c8f828c05ea146f4afc12893) All Branches Search

1055 Commits (1d9ab6d484196255c8f828c05ea146f4afc12893)

All Branches