Commit Graph

798 Commits (2840afabba2b14b77c4cc28524f2a739c5916c82)

Author SHA1 Message Date
Brad Fitzpatrick e64383a80e wgengine/router: document some fields a bit more
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Denton Gentry 35ab4020c7 wgengine/monitor: Linux fall back to polling
Google Cloud Run does not implement NETLINK_ROUTE RTMGRP.
If initialization of the netlink socket or group membership
fails, fall back to a polling implementation.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
4 years ago
David Anderson 90f82b6946 net/dns/resolver: add live reconfig, plumb through to ipnlocal.
The resolver still only supports a single upstream config, and
ipn/wgengine still have to split up the DNS config, but this moves
closer to unifying the DNS configs.

As a handy side-effect of the refactor, IPv6 MagicDNS records exist
now.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson f185d62dc8 net/dns/resolver: unexport Packet, only use it internally.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson 5fb9e00ecf net/dns/resolver: remove Start method, fully spin up in New instead.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson 075fb93e69 net/dns/resolver: remove the Config struct.
In preparation for reintroducing a runtime reconfig Config struct.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson bc81dd4690 net/dns/resolver: rename ResolverConfig to just Config.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson d99f5b1596 net/dns/resolver: factor the resolver out into a sub-package.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Naman Sood 31c7745631
wgengine/netstack: stop re-adding IPs registered by active TCP connections (#1629)
Signed-off-by: Naman Sood <mail@nsood.in>
4 years ago
Brad Fitzpatrick 7f03c0f8fe wgengine/wgcfg/nmcfg: reduce some logging when a /0 route skipped
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Josh Bleecher Snyder 7b907615d5 wgengine/wgcfg/nmcfg: remove dead code
The call to appendEndpoint updates cpeer.Endpoints.
Then it is overwritten in the next line.
The only errors from appendEndpoint occur when
the host/port pair is malformed, but that cannot happen.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
4 years ago
Josh Bleecher Snyder 36a85e1760 wgengine/magicsock: don't call t.Fatal in magicStack.IP
It can end up executing an a new goroutine,
at which point instead of immediately stopping test execution, it hangs.
Since this is unexpected anyway, panic instead.
As a bonus, it makes call sites nicer and removes a kludge comment.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
4 years ago
Brad Fitzpatrick 4c83bbf850 wgengine: add IsNetstack func and test
So we have a documented & tested way to check whether we're in
netstack mode. To be used by future commits.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 91bc723817 wgengine: add temp workaround for netstack WhoIs registration race
Updates #1616

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 41e4e02e57 net/{packet,tstun}: send peerapi port in TSMP pongs
For discovery when an explicit hostname/IP is known. We'll still
also send it via control for finding peers by a list.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Naman Sood 662fbd4a09
wgengine/netstack: Allow userspace networking mode to expose subnets (#1588)
wgengine/netstack: Allow userspace networking mode to expose subnets

Updates #504

Updates #707

Signed-off-by: Naman Sood <mail@nsood.in>
4 years ago
Brad Fitzpatrick a4c679e646 wgengine/monitor: on wall time jump, synthesize network change event
... to force rebinds of TCP connections

Fixes #1555
Updates tailscale/felicity#4

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
David Anderson 07bf4eb685 wgengine: rename Fake to RespondToPing.
"Fake" doesn't mean a lot any more, given that many components
of the engine can be faked out, including in valid production
configurations like userspace-networking.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson 0fb738760f wgengine: make Tun optional again, default to fake.
This makes setup more explicit in prod codepaths, without
requiring a bunch of arguments or helpers for tests and
userspace mode.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Brad Fitzpatrick e18c3a7d84 wgengine: optimize isLocalAddr a bit
On macOS/iOS, this removes a map lookup per outgoing packet.

Noticed it while reading code, not from profiles, but can't hurt.

BenchmarkGenLocalAddrFunc
BenchmarkGenLocalAddrFunc/map1
BenchmarkGenLocalAddrFunc/map1-4                16184868                69.78 ns/op
BenchmarkGenLocalAddrFunc/map2
BenchmarkGenLocalAddrFunc/map2-4                16878140                70.73 ns/op
BenchmarkGenLocalAddrFunc/or1
BenchmarkGenLocalAddrFunc/or1-4                 623055721                1.950 ns/op
BenchmarkGenLocalAddrFunc/or2
BenchmarkGenLocalAddrFunc/or2-4                 472493098                2.589 ns/op

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
David Anderson 93a4aa697c wgengine: default Router to a no-op router.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson 440effb21a wgengine: remove Config.TUN argument. 4 years ago
Josh Bleecher Snyder 4954fbfda6 wgengine: extend TestWatchdog timeout on macOS
This works around the close syscall being slow.
We can revert this if we find a fix or if Apple makes close fast again.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
4 years ago
David Anderson 2df8adef9d wgengine: make the tun.Device required at construction.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson 016de16b2e net/tstun: rename TUN to Wrapper.
The tstun packagen contains both constructors for generic tun
Devices, and a wrapper that provides additional functionality.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson 82ab7972f4 net/tstun: rename NewFakeTUN to NewFake.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson 588b70f468 net/tstun: merge in wgengine/tstun.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson 2b4bfeda1a wgengine: pass in an explicit router.Router, rather than a generator.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson 44d9929208 wgengine: remove Config.TUNName, require caller to create device.
Also factors out device creation and associated OS workarounds to
net/tun.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson 0a84aaca0a wgengine/router: remove unused wireguard *Device argument.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Brad Fitzpatrick bcf571ec97 wgengine/monitor: fix OpenBSD build
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 7f174e84e6 net/interfaces: remove mutating methods, add EqualFiltered instead
Now callers (wgengine/monitor) don't need to mutate the state to remove
boring interfaces before calling State.Equal. Instead, the methods
to remove boring interfaces from the State are removed, as is
the reflect-using Equal method itself, and in their place is
a new EqualFiltered method that takes a func predicate to match
interfaces to compare.

And then the FilterInteresting predicate is added for use
with EqualFiltered to do the job that that wgengine/monitor
previously wanted.

Now wgengine/monitor can keep the full interface state around,
including the "boring" interfaces, which we'll need for peerapi on
macOS/iOS to bind to the interface index of the utunN device.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
David Anderson 672731ac6f many: gofmt.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson 6521f02ff6 Move DNS flush logic to net/dns.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson 9f7f2af008 wgengine/router/dns: move to net/dns.
Preparation for merging the APIs and whatnot.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson 8432999835 Move wgengine/tsdns to net/dns.
Straight move+fixup, no other changes. In prep for merging with
wgengine/router/dns.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Brad Fitzpatrick 81143b6d9a ipn/ipnlocal: start of peerapi between nodes
Also some necessary refactoring of the ipn/ipnstate too.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Josh Bleecher Snyder 28af46fb3b wgengine: pass logger as a separate arg to device.NewDevice
Adapt to minor API changes in wireguard-go.
And factor out device.DeviceOptions variables.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
4 years ago
Brad Fitzpatrick 2384c112c9 net/packet, wgengine/{filter,tstun}: add TSMP ping
Fixes #1467

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Josh Bleecher Snyder 4b77eca2de wgengine/magicsock: check returned error in addTestEndpoint
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
4 years ago
Brad Fitzpatrick c99f260e40 wgengine/magicsock: prefer IPv6 transport if roughly equivalent latency
Fixes #1566

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick e2b3d9aa5f all: s/Magic DNS/MagicDNS/ for consistency
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 9643d8b34d wgengine/magicsock: add an addrLatency type to combine an IPPort+time.Duration
Updates #1566 (but no behavior changes as of this change)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 96dfeb2d7f wgengine: log tailscale pings
Fixes #1561

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 85138d3183 health: track whether any network interface is up
Fixes #1562

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 0994a9f7c4 wgengine{,/magicsock}: fix, improve "tailscale ping" to default routes and subnets
e.g.

$ tailscale ping 1.1.1.1
exit node found but not enabled

$ tailscale ping 10.2.200.2
node "tsbfvlan2" found, but not using its 10.2.200.0/24 route

$ sudo tailscale  up --accept-routes
$ tailscale ping 10.2.200.2
pong from tsbfvlan2 (100.124.196.94) via 10.2.200.34:41641 in 1ms

$ tailscale ping mon.ts.tailscale.com
pong from monitoring (100.88.178.64) via DERP(sfo) in 83ms
pong from monitoring (100.88.178.64) via DERP(sfo) in 21ms
pong from monitoring (100.88.178.64) via [2604:a880:4:d1::37:d001]:41641 in 22ms

This necessarily moves code up from magicsock to wgengine, so we can
look at the actual wireguard config.

Fixes #1564

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 7e0d12e7cc wgengine/magicsock: don't update control if only endpoint order changes
Updates #1559

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 1eb95c7e32 net/packet, wgengine{,/filter}: remove net/packet IPProto forwarding consts
Only use the ones in types/ipproto now.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 01b90df2fa net/packet, wgengine/filter: support SCTP
Add proto to flowtrack.Tuple.

Add types/ipproto leaf package to break a cycle.

Server-side ACL work remains.

Updates #1516

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 90a6fb7ffe tailcfg: add FilterRule.IPProto
Updates #1516

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 32562a82a9 wgengine/magicsock: annotate a few more disco logs as verbose
Fixes #1540

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick c19ed37b0f wgengine/magicsock: mark some legacy debug log output as verbose
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick aa79a57f63 wgengine/netstack: use inet.af/netstack, remove 64-bit only limitation
This reverts the revert commit 84aba349d9.

And changes us to use inet.af/netstack.

Updates #1518

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
David Anderson 84aba349d9 Revert "wgengine/netstack: update gvisor to remove 64-bit only limitation"
Breaks our corp repo due to gRPC dependency hell.

This reverts commit d42f8b7f9a.
4 years ago
Brad Fitzpatrick e0f2796b43 wgengine: don't diagnose iOS NWPathMonitor connection probe timeouts
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 0f90586da8 wgengine/monitor: skip more route messages on darwin
Should help iOS battery life on NEProvider.wake/skip events
with useless route updates that shouldn't cause re-STUNs.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick d42f8b7f9a wgengine/netstack: update gvisor to remove 64-bit only limitation
gVisor fixed their google/gvisor#1446 so we can include gVisor mode
on 32-bit machines.

A few minor upstream API changes, as normal.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 232cfda280 wgengine/router: report to control when setPrivateNetwork fails
Fixes #1503

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick ba8c6d0775 health, controlclient, ipn, magicsock: tell health package state of things
Not yet checking anything. Just plumbing states into the health package.

Updates #1505

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Naman Sood 770aa71ffb client, cmd/hello, ipn, wgengine: fix whois for netstack-forwarded connections
Updates #504

Updates #707

Signed-off-by: Naman Sood <mail@nsood.in>
4 years ago
Brad Fitzpatrick 44ab0acbdb net/portmapper, wgengine/monitor: cache gateway IP info until link changes
Cuts down allocs & CPU in steady state (on regular STUN probes) when network
is unchanging.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick d580b3f09e wgengine/router: fix go vet failure on BSDs
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Aleksandar Pesic 25d2dd868b wgengine/router: flushdns in windows when router config changes
Fixes: https://github.com/tailscale/tailscale/issues/1430

Signed-off-by: Aleksandar Pesic <peske.nis@gmail.com>
4 years ago
Brad Fitzpatrick c81814e4f8 derp{,/derphttp},magicsock: tell DERP server when ping acks can be expected
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick f9f3b67f3a wgengine{,tsdns}: rebind MagicDNS forwarders on link change
Fixes #1480

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
David Anderson fa6110e47b wgengine/router: don't touch interface routes
Developed by a cast of dozens.

Fixes #1448

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Brad Fitzpatrick c576fea60e wgengine/magicsock: delete unused WhoIs method that was moved elsewhere
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 0430c2dd12 wgengine/tsdns: truncate Map.PrettyDiffFrom string at 1KB
Hello's were painful.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
David Anderson d79a2f3809 wgengine/filter: only log packets to/from non-default routes.
Fixes tailscale/corp#1429.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Brad Fitzpatrick ef7bac2895 tailcfg, net/portmapper, wgengine/magicsock: add NetInfo.HavePortMap
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 79d8288f0a wgengine/magicsock, derp, derp/derphttp: respond to DERP server->client pings
No server support yet, but we want Tailscale 1.6 clients to be able to respond
to them when the server can do it.

Updates #1310

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 387e83c8fe wgengine/magicsock: fix Conn.Rebind race that let ErrClosed errors be read
There was a logical race where Conn.Rebind could acquire the
RebindingUDPConn mutex, close the connection, fail to rebind, release
the mutex, and then because the mutex was no longer held, ReceiveIPv4
wouldn't retry reads that failed with net.ErrClosed, letting that
error back to wireguard-go, which would then stop running that receive
IP goroutine.

Instead, keep the RebindingUDPConn mutex held for the entirety of the
replacement in all cases.

Updates tailscale/corp#1289

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick fee74e7ea7 net/interfaces, wgengine/monitor: fix false positives link changes
interfaces.State.String tries to print a concise summary of the
network state, removing any interfaces that don't have any or any
interesting IP addresses. On macOS and iOS, for instance, there are a
ton of misc things.

But the link monitor based its are-there-changes decision on
interfaces.State.Equal, which just used reflect.DeepEqual, including
comparing all the boring interfaces. On macOS, when turning wifi on or off, there
are a ton of misc boring interface changes, resulting in hitting an earlier
check I'd added on suspicion this was happening:

    [unexpected] network state changed, but stringification didn't

This fixes that by instead adding a new
interfaces.State.RemoveUninterestingInterfacesAndAddresses method that
does, uh, that. Then use that in the monitor. So then when Equal is
used later, it's DeepEqualing the already-cleaned version with only
interesting interfaces.

This makes cmd/tailscaled debug --monitor much less noisy.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Denton Gentry 04e72f95cc wgengine/router: add OpenBSD IPv6 support.
Similar to FreeBSD in https://github.com/tailscale/tailscale/issues/1307,
add IPv6 addresses with a prefix length of 48.

Fixes https://github.com/tailscale/tailscale/issues/1372

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
4 years ago
Brad Fitzpatrick c445e3d327 wgengine/magicsock: fix typo in comment 4 years ago
Aleksandar Pesic 258d0e8d9a wgengine/monitor: simplify the Windows monitor to make it more reliable
Updates tailscale/tailscale#1414

Signed-off-by: Aleksandar Pesic <peske.nis@gmail.com>
4 years ago
Naman Sood 4c80344e27 wgengine/netstack: stop UDP forwarding when one side dies
Updates #504

Updates #707

Signed-off-by: Naman Sood <mail@nsood.in>
4 years ago
Naman Sood 7325b5a7ba wgengine/netstack: add support for incoming UDP connections
Updates #504

Updates #707

Signed-off-by: Naman Sood <mail@nsood.in>
4 years ago
Denton Gentry bcea88da46 wgengine: support FreeBSD with IPv6.
Fixes https://github.com/tailscale/tailscale/issues/1307 for keepsies.

We cannot set the tun interface address as a /128 on FreeBSD,
due to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218508
Instead we set the interface address as a /48, which is enabled
by commit 82edf94df7.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
4 years ago
Denton Gentry c8af6bc009 Revert "freebsd: ignore IPv6 for now"
This reverts commit 061422affc.

We have a way to support IPv6 on FreeBSD now.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
4 years ago
Brad Fitzpatrick 602f92ec30 wgengine/monitor: log warning if state changes but stringification doesn't
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick a6d098c750 wgengine/magicsock: log when DERP connection succeeds
Updates #1310
4 years ago
Brad Fitzpatrick 829eb8363a net/interfaces: sort returned addresses from LocalAddresses
Also change the type to netaddr.IP while here, because it made sorting
easier.

Updates tailscale/corp#1397

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick ffa70a617d wgengine{,/monitor}: restore Engine.LinkChange, add Mon.InjectEvent
The Engine.LinkChange method was recently removed in
e3df29d488 while misremembering how
Android's link state mechanism worked.

Rather than do some last minute rearchitecting of link state on
Android before Tailscale 1.6, restore the old Engine.LinkChange hook
for now so the Android client doesn't need any changes. But change how
it's implemented to instead inject an event into the link monitor.

Fixes #1427

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Denton Gentry 061422affc freebsd: ignore IPv6 for now
FreeBSD tun devices don't work with the way we implement IPv6
https://github.com/tailscale/tailscale/issues/1307

At least for now, remove any IPv6 addresses from the netmap.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
4 years ago
David Anderson 1cb0ffc3ff wgengine/router: make windows gracefully handle disabled IPv4 or IPv6.
This is necessary because either protocol can be disabled globally by a
Windows registry policy, at which point trying to touch that address
family results in "Element not found" errors. This change skips programming
address families that Windows tell us are unavailable.

Fixes #1396.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Brad Fitzpatrick f858b0d25f wgengine/netstack: remove some v2 logging by default
Even with [v2], it still logtails and takes time to format.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Naman Sood d01c60dad5 wgengine/netstack: use system dialer to contact servers on localhost
Updates #504

Updates #707

Signed-off-by: Naman Sood <mail@nsood.in>
4 years ago
Brad Fitzpatrick 7461dded88 wgengine/monitor: on unsupported platforms, use a polling implementation
Not great, but lets people working on new ports get going more quickly
without having to do everything up front.

As the link monitor is getting used more, I felt bad having a useless
implementation.

Updates #815
Updates #1427

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
David Anderson 8d77dfdacb wgengine/router: add a dummy IPv6 address if needed for default routing.
Fixes #1339

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Brad Fitzpatrick c3e5903b91 wgengine/magicsock: remove leftover portmapper debug logging
It's already logged at the right time in logEndpointChange.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Naman Sood 95c03d1ead wgengine/netstack: forward incoming connections to localhost
Updates #707
Updates #504

Signed-off-by: Naman Sood <mail@nsood.in>
4 years ago
Brad Fitzpatrick 471f0c470a wgengine/monitor: skip some macOS route updates, fix debounce regression
Debound was broken way back in 5c1e443d34 and we never noticed.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick f304a45481 wgengine/monitor: add skipped failing test for Darwin route message bug
Updates #1416

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 31721759f3 wgengine/monitor: don't return nil, nil in darwin monitor
We used to allow that, but now it just crashes.

Separately I need to figure out why it got into this path at all,
which is #1416.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Christine Dodrill b89c757817 wgengine/tsdns: explicitly reject .onion lookups
Tor has a location-hidden service feature that enables users to host services
from inside the Tor network. Each of these gets a unique DNS name that ends with
.onion. As it stands now, if a misbehaving application somehow manages to make
a .onion DNS request to our DNS server, we will forward that to the DNS server,
which could leak that to malicious third parties. See the recent bug Brave had
with this[1] for more context.

RFC 7686 suggests that name resolution APIs and libraries MUST respond with
NXDOMAIN unless they can actually handle Tor lookups. We can't handle .onion
lookups, so we reject them.

[1]: https://twitter.com/albinowax/status/1362737949872431108

Fixes tailscale/corp#1351

Signed-off-by: Christine Dodrill <xe@tailscale.com>
4 years ago
Brad Fitzpatrick 24fa616e73 wgengine/monitor: make Darwin monitor shut down cleanly, add test
Don't use os.NewFile or (*os.File).Close on the AF_ROUTE socket. It
apparently does weird things to the fd and at least doesn't seem to
close it. Just use the unix package.

The test doesn't actually fail reliably before the fix, though. It
was an attempt. But this fixes the integration tests.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 487c520109 wgengine: fix bug from earlier commit
Commit e3df29d488 introduced this bug where the
interfaces-were-changed-or-not bit got lost.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
David Anderson 793cb131f0 wgengine/router: toggle killswitch when using default routes on windows.
Fixes #1398.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Brad Fitzpatrick e3df29d488 wgengine{,/monitor}: move interface state fetching/comparing to monitor
Gets it out of wgengine so the Engine isn't responsible for being a
callback registration hub for it.

This also removes the Engine.LinkChange method, as it's no longer
necessary.  The monitor tells us about changes; it doesn't seem to
need any help. (Currently it was only used by Swift, but as of
14dc790137 we just do the same from Go)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago