Commit Graph

841 Commits (275a20f8178cf9d028ab0c051c80ffd637c1fd02)
 

Author SHA1 Message Date
Dmytro Shynkevych 73c40c77b0
filter: prevent escape of QDecode to the heap (#417)
Performance impact:

name              old time/op  new time/op  delta
Filter/tcp_in-4   70.7ns ± 1%  30.9ns ± 1%  -56.30%  (p=0.008 n=5+5)
Filter/tcp_out-4  58.6ns ± 0%  19.4ns ± 0%  -66.87%  (p=0.000 n=5+4)
Filter/udp_in-4   96.8ns ± 2%  55.5ns ± 0%  -42.64%  (p=0.016 n=5+4)
Filter/udp_out-4   120ns ± 1%    79ns ± 1%  -33.87%  (p=0.008 n=5+5)

Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
5 years ago
David Anderson 83b6b06cc4 cmd/tailscale: fix broken build, result of borked stash pop. 5 years ago
David Anderson 3c7791f6bf cmd/tailscale: remove double negation arguments.
--no-snat becomes --snat-subnet-routes
--no-single-routes becomes --host-routes

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 5aae6b734d version: support major.minor.patch tags without breaking Apple builds.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Brad Fitzpatrick 984a699219 cmd/tailscale: warn to stderr that netcheck -format=json isn't stable 5 years ago
Brad Fitzpatrick 24009241bf net/netns: move SOCKS dialing to netns for now
This lets control & logs also use SOCKS dials.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick cf0d19f0ab net/tlsdial, derp/derphttp: finish DERPNode.CertName validation 5 years ago
Brad Fitzpatrick 722673f307 Update go4.org/mem, adjust to revised API. 5 years ago
Brad Fitzpatrick a5d6c9d616 net/netns: optimize defaultRouteInterface a bit
It'll be called a bunch, so worth a bit of effort. Could go further, but not yet.
(really, should hook into wgengine/monitor and only re-read on netlink changes?)

name                     old time/op    new time/op    delta
DefaultRouteInterface-8    60.8µs ±11%    44.6µs ± 5%  -26.65%  (p=0.000 n=20+19)

name                     old alloc/op   new alloc/op   delta
DefaultRouteInterface-8    3.29kB ± 0%    0.55kB ± 0%  -83.21%  (p=0.000 n=20+20)

name                     old allocs/op  new allocs/op  delta
DefaultRouteInterface-8      9.00 ± 0%      6.00 ± 0%  -33.33%  (p=0.000 n=20+20)
5 years ago
Brad Fitzpatrick 9e5d79e2f1 wgengine/magicsock: drop a bytes.Buffer sync.Pool, use logger.ArgWriter instead 5 years ago
Brad Fitzpatrick becce82246 net/netns, misc tests: remove TestOnlySkipPrivilegedOps, argv checks
The netns UID check is sufficient for now. We can do something else
later if/when needed.
5 years ago
Brad Fitzpatrick 7a410f9236 net/netns: unindent, refactor to remove some redunant code
Also:
* always error on Control failing. That's very unexpected.
* pull out sockopt funcs into their own funcs for easier future testing
5 years ago
Brad Fitzpatrick 45b139d338 net/netns: remove redundant build tag
Filename is sufficient.
5 years ago
Brad Fitzpatrick dcd7a118d3 net/netns: add a test that tailscaleBypassMark stays in sync between packages 5 years ago
Brad Fitzpatrick 1e837b8e81 net/netns: refactor the sync.Once usage a bit 5 years ago
Avery Pennarun e7ae6a2e06 net/netns, wgengine/router: support Linux machines that don't have 'ip rule'.
We'll use SO_BINDTODEVICE instead of fancy policy routing. This has
some limitations: for example, we will route all traffic through the
interface that has the main "default" (0.0.0.0/0) route, so machines
that have multiple physical interfaces might have to go through DERP to
get to some peers. But machines with multiple physical interfaces are
very likely to have policy routing (ip rule) support anyway.

So far, the only OS I know of that needs this feature is ChromeOS
(crostini). Fixes #245.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun 8575b21ca8 Merge branch 'master' of github.com:tailscale/tailscale
* 'master' of github.com:tailscale/tailscale:
  tailcfg: remove unused, unimplemented DERPNode.CertFingerprint for now
  net/netns: also don't err on tailscaled -fake as a regular user
  net/netcheck: fix HTTPS fallback bug from earlier today
  net/netns: don't return an error if we're not root and running the tailscale binary
5 years ago
Avery Pennarun e46238a2af wgengine: separately dedupe wireguard configs and router configs.
Otherwise iOS/macOS will reconfigure their routing every time anything
minor changes in the netmap (in particular, endpoints and DERP homes),
which is way too often.

Some users reported "network reconfigured" errors from Chrome when this
happens.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun f0b6ba78e8 wgengine: don't pass nil router.Config objects.
These are hard for swift to decode in the iOS app.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Brad Fitzpatrick 096d7a50ff tailcfg: remove unused, unimplemented DERPNode.CertFingerprint for now 5 years ago
Brad Fitzpatrick 765695eaa2 net/netns: also don't err on tailscaled -fake as a regular user
That's one of my dev workflows.
5 years ago
Brad Fitzpatrick 7f68e097dd net/netcheck: fix HTTPS fallback bug from earlier today
My earlier 3fa58303d0 tried to implement
the net/http.Tranhsport.DialTLSContext hook, but I didn't return a
*tls.Conn, so we ended up sending a plaintext HTTP request to an HTTPS
port. The response ended up being Go telling as such, not the
/derp/latency-check handler's response (which is currently still a
404). But we didn't even get the 404.

This happened to work well enough because Go's built-in error response
was still a valid HTTP response that we can measure for timing
purposes, but it's not a great answer. Notably, it means we wouldn't
be able to get a future handler to run server-side and count those
latency requests.
5 years ago
Brad Fitzpatrick 1407540b52 net/netns: don't return an error if we're not root and running the tailscale binary
tailscale netcheck was broken otherwise.

We can fix this a better way later; I'm just fixing a regression in
some way because I'm trying to work on netcheck at the moment.
5 years ago
David Anderson 5114df415e net/netns: set the bypass socket mark on linux.
This allows tailscaled's own traffic to bypass Tailscale-managed routes,
so that things like tailscale-provided default routes don't break
tailscaled itself.

Progress on #144.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Brad Fitzpatrick 3fa58303d0 netcheck: address some HTTP fallback measurement TODOs 5 years ago
Brad Fitzpatrick db2a216561 wgengine/magicsock: don't log on UDP send errors if address family known missing
Fixes #376
5 years ago
Brad Fitzpatrick d3134ad0c8 syncs: add AtomicBool 5 years ago
Brad Fitzpatrick 7247e896b5 net/netcheck: add Report.IPv4 and another TODO 5 years ago
Brad Fitzpatrick dd6b96ba68 types/logger: add TS_DEBUG_LOG_RATE knob to easily turn off rate limiting 5 years ago
David Crawshaw cf5d25e15b wgengine: ensure pingers are gone before returning from Close
We canceled the pingers in Close, but didn't wait around for their
goroutines to be cleaned up. This caused the ipn/e2e_test to catch
pingers in its resource leak check.

This commit introduces an object, but also simplifies the semantics
around the pinger's cancel functions. They no longer need to be called
while holding the mutex.

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
Brad Fitzpatrick 004780b312 ipn: restore LiveDERPs assignment in LocalBackend.parseWgStatus
Updates #421 (likely fixes it; need to do an iOS build to be sure)
5 years ago
David Anderson 03682cb271 control/controlclient: use netns package to dial connections.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 1617a232e1 logpolicy: remove deprecated DualStack directive.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson a6bd3a7e53 logpolicy: use netns for dialing log.tailscale.io. 5 years ago
David Anderson e9f7d01b91 derp/derphttp: make DERP client use netns for dial-outs. 5 years ago
Brad Fitzpatrick 9e3ad4f79f net/netns: add package for start of network namespace support
And plumb in netcheck STUN packets.

TODO: derphttp, logs, control.

Updates #144

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick a428656280 wgengine/magicsock: don't report v4 localhost addresses on IPv6-only systems
Updates #376
5 years ago
David Anderson fff062b461 wgengine/router: make runner.go linux-only for now.
Otherwise, staticcheck complains that these functions are unused
and unexported on macOS.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Brad Fitzpatrick f0204098d8 Revert "control/controlclient: use "getprop net.hostname" for Android hostname"
This reverts commit afb9c6a6ab.

Doesn't work. See:

    https://github.com/tailscale/tailscale/issues/409#issuecomment-635241550

Looks pretty dire:

    https://medium.com/capital-one-tech/how-to-get-an-android-device-nickname-d5eab12f4ced

Updates #409
5 years ago
Brad Fitzpatrick 0245bbe97b Make netcheck handle v6-only interfaces better, faster.
Also:

* add -verbose flag to cmd/tailscale netcheck
* remove some API from the interfaces package
* convert some of the interfaces package to netaddr.IP
* don't even send IPv4 probes on machines with no IPv4 (or only v4
  loopback)
* and once three regions have replied, stop waiting for other probes
  at 2x the slowest duration.

Updates #376
5 years ago
Brad Fitzpatrick c5495288a6 Bump inet.af/netaddr dep for FromStdIP behavior change I want to depend on. 5 years ago
Brad Fitzpatrick 9bbcdba2b3 tempfork/internal/testenv: remove
It was for our x509 fork and no longer needed. (x509 changes
went into our Go fork instead)
5 years ago
Brad Fitzpatrick a96165679c cmd/tailscale: add netcheck flags for incremental reports, JSON output 5 years ago
Avery Pennarun f69003fd46 router_linux: work around terrible bugs in old iptables-compat versions.
Specifically, this sequence:
	iptables -N ts-forward
	iptables -A ts-forward -m mark --mark 0x10000 -j ACCEPT
	iptables -A FORWARD -j ts-forward
doesn't work on Debian-9-using-nftables, but this sequence:
	iptables -N ts-forward
	iptables -A FORWARD -j ts-forward
	iptables -A ts-forward -m mark --mark 0x10000 -j ACCEPT
does work.

I'm sure the reason why is totally fascinating, but it's an old version
of iptables and the bug doesn't seem to exist on modern nftables, so
let's refactor our code to add rules in the always-safe order and
pretend this never happened.

Fixes #401.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun 9ff51909a3 router_linux: fix behaviour when switching --netfilter-mode.
On startup, and when switching into =off and =nodivert, we were
deleting netfilter rules even if we weren't the ones that added them.

In order to avoid interfering with rules added by the sysadmin, we have
to be sure to delete rules only in the case that we added them in the
first place.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun a496cdc943 router_linux: remove need for iptables.ListChains().
Instead of retrieving the list of chains, or the list of rules in a
chain, just try deleting the ones we don't want and then adding the
ones we do want. An error in flushing/deleting still means the rule
doesn't exist anymore, so there was no need to check for it first.

This avoids the need to parse iptables output, which avoids the need to
ever call iptables -S, which fixes #403, among other things. It's also
much more future proof in case the iptables command line changes.

Unfortunately the iptables go module doesn't properly pass the iptables
command exit code back up when doing .Delete(), so we can't correctly
check the exit code there. (exit code 1 really means the rule didn't
exist, rather than some other weird problem).

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun 8a6bd21baf router_linux: extract process runner routines into runner.go.
These will probably be useful across platforms. They're not really
Linux-specific at all.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun 34c30eaea0 router_linux: use only baseline 'ip rule' features that exist in old kernels.
This removes the use of suppress_ifgroup and fwmark "x/y" notation,
which are, among other things, not available in busybox and centos6.

We also use the return codes from the 'ip' program instead of trying to
parse its output.

I also had to remove the previous hack that routed all of 100.64.0.0/10
by default, because that would add the /10 route into the 'main' route
table instead of the new table 88, which is no good. It was a terrible
hack anyway; if we wanted to capture that route, we should have
captured it explicitly as a subnet route, not as part of the addr. Note
however that this change affects all platforms, so hopefully there
won't be any surprises elsewhere.

Fixes #405
Updates #320, #144

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun 85d93fc4e3 cmd/tailscale: make ip_forward warnings more actionable.
Let's actually list the file we checked
(/proc/sys/net/ipv4/ip_forward). That gives the admin something
specific to look for when they get this message.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun 99aa33469e cmd/tailscale: be quiet when no interaction or errors are needed.
We would print a message about "nothing more to do", which some people
thought was an error or warning. Let's only print a message after
authenticating if we previously asked for interaction, and let's
shorten that message to just "Success," which is what it means.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago