tailscale

Commit Graph

Author	SHA1	Message	Date
Andrew Dunham	2a9d46c38f	wgengine/magicsock: prefer private endpoints to public ones Switch our best address selection to use a scoring-based approach, where we boost each address based on whether it's a private IP or IPv6. For users in cloud environments, this biases endpoint selection towards using an endpoint that is less likely to cost the user money, and should be less surprising to users. This also involves updating the tests to not use private IPv4 addresses; other than that change, the behaviour should be identical for existing endpoints. Updates #8097 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I069e3b399daea28be66b81f7e44fc27b2943d8af	12 months ago
Brad Fitzpatrick	4d7927047c	wgengine/magicsock: annotate, skip flaky TestIsWireGuardOnlyPickEndpointByPing Updates #8037 Updates #7826 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Charlotte Brandhorst-Satzkorn	ddb4040aa0	wgengine/magicsock: add address selection for wireguard only endpoints (#7979 ) This change introduces address selection for wireguard only endpoints. If a endpoint has not been used before, an address is randomly selected to be used based on information we know about, such as if they are able to use IPv4 or IPv6. When an address is initially selected, we also initiate a new ICMP ping to the endpoints addresses to determine which endpoint offers the best latency. This information is then used to update which endpoint we should be using based on the best possible route. If the latency is the same for a IPv4 and an IPv6 address, IPv6 will be used. Updates #7826 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	1 year ago
Andrew Dunham	bcf7b63d7e	wgengine/magicsock: add hysteresis to endpoint selection Avoid selecting an endpoint as "better" than the current endpoint if the total latency improvement is less than 1%. This adds some hysteresis to avoid flapping between endpoints for a minimal improvement in latency. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: If8312e1768ea65c4b4d4e13d8de284b3825d7a73	1 year ago
Andrew Dunham	80b138f0df	wgengine/magicsock: keep advertising endpoints after we stop discovering them Previously, when updating endpoints we would immediately stop advertising any endpoint that wasn't discovered during determineEndpoints. This could result in, for example, a case where we performed an incremental netcheck, didn't get any of our three STUN packets back, and then dropped our STUN endpoint from the set of advertised endpoints... which would result in clients falling back to a DERP connection until the next call to determineEndpoints. Instead, let's cache endpoints that we've discovered and continue reporting them to clients until a timeout expires. In the above case where we temporarily don't have a discovered STUN endpoint, we would continue reporting the old value, then re-discover the STUN endpoint again and continue reporting it as normal, so clients never see a withdrawal. Updates tailscale/coral#108 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I42de72e7418ab328a6c732bdefc74549708cf8b9	1 year ago
Brad Fitzpatrick	10f1c90f4d	wgengine/magicsock, types/nettype, etc: finish ReadFromUDPAddrPort netip migration So we're staying within the netip.Addr/AddrPort consistently and avoiding allocs/conversions to the legacy net addr types. Updates #5162 Change-Id: I59feba60d3de39f773e68292d759766bac98c917 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
James Tucker	20f17d6e7b	wgengine/magicsock: reenable magicsock tests on Windows These tests are passing locally and on CI. They had failed earlier in the day when first fixing up CI, and it is not immediately clear why. I have cycled IPv6 support locally, but this should not have a substantial effect. Updates #7876 Signed-off-by: James Tucker <jftucker@gmail.com>	1 year ago
James Tucker	8dec1a8724	.github/workflows: reenable Windows CI, disable broken tests We accidentally switched to ./tool/go in `4022796484` which resulted in no longer running Windows builds, as this is attempting to run a bash script. I was unable to quickly fix the various tests that have regressed, so instead I've added skips referencing #7876, which we need to back and fix. Updates #7262 Updates #7876 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Brad Fitzpatrick	6866aaeab3	wgengine/magicsock: factor out receiveIPv4 & receiveIPv6 common code Updates #2331 Change-Id: I801df38b217f5d17203e8dc3b8654f44747e0f4b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Maisem Ali	64bbf1738e	tailcfg: make SelfNodeV4MasqAddrForThisPeer a pointer This makes `omitempty` actually work, and saves bytes in each map response. Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Charlotte Brandhorst-Satzkorn	c573bef0aa	tailcfg,wgengine: add initial support for WireGuard only peers A peer can have IsWireGuardOnly, which means it will not support DERP or Disco, and it must have Endpoints filled in order to be usable. In the present implementation only the first Endpoint will be used as the bestAddr. Updates tailscale/corp#10351 Co-authored-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com> Co-authored-by: James Tucker <james@tailscale.com> Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
James Tucker	6cfcb3cae4	wgengine/magicsock: fix synchronization of endpoint disco fields Identified in review in #7821 endpoint.discoKey and endpoint.discoShort are often accessed without first taking endpoint.mu. The arrangement with endpoint.mu is inconvenient for a good number of those call-sites, so it is instead replaced with an atomic pointer to carry both pieces of disco info. This will also help with #7821 that wants to add explicit checks/guards to disable disco behaviors when disco keys are missing which is necessarily implicitly mostly covered by this change. Updates #7821 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Jordan Whited	f475e5550c	net/neterror, wgengine/magicsock: use UDP GSO and GRO on Linux (#7791 ) This commit implements UDP offloading for Linux. GSO size is passed to and from the kernel via socket control messages. Support is probed at runtime. UDP GSO is dependent on checksum offload support on the egress netdev. UDP GSO will be disabled in the event sendmmsg() returns EIO, which is a strong signal that the egress netdev does not support checksum offload. Updates tailscale/corp#8734 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 year ago
Andrew Dunham	8d3acc9235	util/sysresources, magicsock: scale DERP buffer based on system memory This adds the util/sysresources package, which currently only contains a function to return the total memory size of the current system. Then, we modify magicsock to scale the number of buffered DERP messages based on the system's available memory, ensuring that we never use a value lower than the previous constant of 32. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib763c877de4d0d4ee88869078e7d512f6a3a148d	1 year ago
Will Norris	71029cea2d	all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Brad Fitzpatrick	d8feeeee4c	wgengine/magicsock: fix buggy fast path in Conn.SetNetworkMap Spotted by Maisem. Fixes #6680 Change-Id: I5fdc01de8b006a1c43a2a4848f69397f54b4453a Co-authored-By: Maisem Ali <maisem@tailscale.com> Co-authored-By: Andrew Dunham <andrew@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Andrew Dunham	aea251d42a	cmd/testwrapper: move from corp; mark magicsock test as flaky Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ibab5860f5797b3db151d3c27855333e43a9088a4	1 year ago
Brad Fitzpatrick	0f604923d3	ipn/ipnlocal: fix StatusWithoutPeers not populating parts of Status Fixes #4311 Change-Id: Iaae0615148fa7154f4ef8f66b455e3a6c2fa9df3 Co-authored-by: Claire Wang <claire@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Joe Tsai	d9df023e6f	net/connstats: enforce maximum number of connections (#6760 ) The Tailscale logging service has a hard limit on the maximum log message size that can be accepted. We want to ensure that netlog messages never exceed this limit otherwise a client cannot transmit logs. Move the goroutine for periodically dumping netlog messages from wgengine/netlog to net/connstats. This allows net/connstats to manage when it dumps messages, either based on time or by size. Updates tailscale/corp#8427 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 year ago
Jordan Whited	ea5ee6f87c	all: update golang.zx2c4.com/wireguard to github.com/tailscale/wireguard-go (#6692 ) This is temporary while we work to upstream performance work in https://github.com/WireGuard/wireguard-go/pull/64. A replace directive is less ideal as it breaks dependent code without duplication of the directive. Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 year ago
Jordan Whited	76389d8baf	net/tstun, wgengine/magicsock: enable vectorized I/O on Linux (#6663 ) This commit updates the wireguard-go dependency and implements the necessary changes to the tun.Device and conn.Bind implementations to support passing vectors of packets in tailscaled. This significantly improves throughput performance on Linux. Updates #414 Signed-off-by: Jordan Whited <jordan@tailscale.com> Signed-off-by: James Tucker <james@tailscale.com> Co-authored-by: James Tucker <james@tailscale.com>	1 year ago
Mihai Parparita	bdc45b9066	wgengine/magicsock: fix panic when rebinding fails We would replace the existing real implementation of nettype.PacketConn with a blockForeverConn, but that violates the contract of atomic.Value (where the type cannot change). Fix by switching to a pointer value (atomic.Pointer[nettype.PacketConn]). A longstanding issue, but became more prevalent when we started binding connections to interfaces on macOS and iOS (#6566), which could lead to the bind call failing if the interface was no longer available. Fixes #6641 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Joe Tsai	2e5d08ec4f	net/connstats: invert network logging data flow (#6272 ) Previously, tstun.Wrapper and magicsock.Conn managed their own statistics data structure and relied on an external call to Extract to extract (and reset) the statistics. This makes it difficult to ensure a maximum size on the statistics as the caller has no introspection into whether the number of unique connections is getting too large. Invert the control flow such that a connstats.Statistics is registered with tstun.Wrapper and magicsock.Conn. Methods on non-nil connstats.Statistics are called for every packet. This allows the implementation of connstats.Statistics (in the future) to better control when it needs to flush to ensure bounds on maximum sizes. The value registered into tstun.Wrapper and magicsock.Conn could be an interface, but that has two performance detriments: 1. Method calls on interface values are more expensive since they must go through a virtual method dispatch. 2. The implementation would need a sync.Mutex to protect the statistics value instead of using an atomic.Pointer. Given that methods on constats.Statistics are called for every packet, we want reduce the CPU cost on this hot path. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 year ago
Brad Fitzpatrick	3a168cc1ff	wgengine/magicsock: ignore pre-disco (pre-0.100) peers There aren't any in the wild, other than one we ran on purpose to keep us honest, but we can bump that one forward to 0.100. Change-Id: I129e70724b2d3f8edf3b496dc01eba3ac5a2a907 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Joe Tsai	81fd259133	wgengine/magicsock: gather physical-layer statistics (#5925 ) There is utility in logging traffic statistics that occurs at the physical layer. That is, in order to send packets virtually to a particular tailscale IP address, what physical endpoints did we need to communicate with? This functionality logs IP addresses identical to what had always been logged in magicsock prior to #5823, so there is no increase in PII being logged. ExtractStatistics returns a mapping of connections to counts. The source is always a Tailscale IP address (without port), while the destination is some endpoint reachable on WAN or LAN. As a special case, traffic routed through DERP will use 127.3.3.40 as the destination address with the port being the DERP region. This entire feature is only enabled if data-plane audit logging is enabled on the tailnet (by default it is disabled). Example of type of information logged: ------------------------------------ Tx[P/s] Tx[B/s] Rx[P/s] Rx[B/s] PhysicalTraffic: 25.80 3.39Ki 38.80 5.57Ki 100.1.2.3 -> 143.11.22.33:41641 15.40 2.00Ki 23.20 3.37Ki 100.4.5.6 -> 192.168.0.100:41641 10.20 1.38Ki 15.60 2.20Ki 100.7.8.9 -> 127.3.3.40:2 0.20 6.40 0.00 0.00 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	9ee3df02ee	wgengine/magicsock: remove endpoint.wgEndpoint (#5911 ) This field seems seldom used and the documentation is wrong. It is simpler to just derive its original value dynamically when endpoint.DstToString is called. This method is potentially used by wireguard-go, but not in any code path is performance sensitive. All calls to it use it in conjunction with fmt.Printf, which is going to be slow anyways since it uses Go reflection. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Eng Zer Jun	f0347e841f	refactor: move from io/ioutil to io and os packages The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Reference: https://golang.org/doc/go1.16#ioutil Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>	2 years ago
Andrew Dunham	c72caa6672	wgengine/magicsock: use AF_PACKET socket + BPF to read disco messages This is entirely optional (i.e. failing in this code is non-fatal) and only enabled on Linux for now. Additionally, this new behaviour can be disabled by setting the TS_DEBUG_DISABLE_AF_PACKET environment variable. Updates #3824 Replaces #5474 Co-authored-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Brad Fitzpatrick	a12aad6b47	all: convert more code to use net/netip directly perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.) perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. ) goimports -w . Then delete some stuff from the net/netaddr shim package which is no longer neeed. Updates #5162 Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	6a396731eb	all: use various net/netip parse funcs directly Mechanical change with perl+goimports. Changed {Must,}Parse{IP,IPPrefix,IPPort} to their netip variants, then goimports -d . Finally, removed the net/netaddr wrappers, to prevent future use. Updates #5162 Change-Id: I59c0e38b5fbca5a935d701645789cddf3d7863ad Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7eaf5e509f	net/netaddr: start migrating to net/netip via new netaddr adapter package Updates #5162 Change-Id: Id7bdec303b25471f69d542f8ce43805328d56c12 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Josh Bleecher Snyder	0868329936	all: use any instead of interface{} My favorite part of generics. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2 years ago
Josh Bleecher Snyder	5f176f24db	go.mod: upgrade to the latest wireguard-go This pulls in a handful of fixes and an update to Go 1.18. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2 years ago
Josh Bleecher Snyder	1b57b0380d	wgengine/magicsock: remove final alloc from ReceiveFrom And now that we don't have to play escape analysis and inlining games, simplify the code. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2 years ago
Josh Bleecher Snyder	08cf54f386	wgengine/magicsock: fix goMajorVersion for 1.18 ts release The version string changed slightly. Adapt. And always check the current Go version to prevent future accidental regressions. I would have missed this one had I not explicitly manually checked it. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2 years ago
Brad Fitzpatrick	addda5b96f	wgengine/magicsock: fix watchdog timeout on Close when IPv6 not available The blockForeverConn was only using its sync.Cond one side. Looks like it was just forgotten. Fixes #3671 Change-Id: I4ed0191982cdd0bfd451f133139428a4fa48238c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	486059589b	all: gofmt -w -s (simplify) tests And it updates the build tag style on a couple files. Change-Id: I84478d822c8de3f84b56fa1176c99d2ea5083237 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7901289578	wgengine/magicsock: add a stress test And add a peerMap validate method that checks its internal invariants. Updates tailscale/corp#3016 Change-Id: I23708e68ed44d81986d9e2be82029d4555547592 Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	5a60781919	wgengine/magicsock: increase TestDiscokeyChange connection timeout I believe that this should eliminate the flakiness. If GitHub CI manages to be even slower that can be believed (and I can believe a lot at this point), then we should roll this back and make some more invasive changes. Updates #654 Fixes #3247 (I hope) Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	9da22dac3d	wgengine/magicsock: fix bug in peerMap.upsertEndpoint Found by inspection by David Crawshaw while investigating tailscale/corp#3016. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
David Anderson	41da7620af	go.mod: update wireguard-go to pick up roaming toggle wgengine/wgcfg: introduce wgcfg.NewDevice helper to disable roaming at all call sites (one real plus several tests). Fixes tailscale/corp#3016. Signed-off-by: David Anderson <danderson@tailscale.com> Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
David Anderson	0532eb30db	all: replace tailcfg.DiscoKey with key.DiscoPublic. Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
David Anderson	7e6a1ef4f1	tailcfg: use key.NodePublic in wire protocol types. Updates #3206. Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
David Anderson	72ace0acba	wgengine/magicsock: use key.NodePublic instead of tailcfg.NodeKey. Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
David Anderson	d6e7cec6a7	types/netmap: use key.NodePublic instead of tailcfg.NodeKey. Update #3206 Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
David Anderson	418adae379	various: use NodePublic.AsNodeKey() instead of tailcfg.NodeKeyFromNodePublic() Updates #3206 Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
David Anderson	eeb97fd89f	various: remove remaining uses of key.NewPrivate. Updates #3206 Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
David Anderson	ef241f782e	wgengine/magicsock: remove uses of tailcfg.DiscoKey. Updates #3206 Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
David Anderson	55b6753c11	wgengine/magicsock: remove use of key.{Public,Private}. Updates #3206 Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
David Anderson	c1d009b9e9	ipn/ipnstate: use key.NodePublic instead of the generic key.Public. Updates #3206. Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago

1 2 3 4 5

226 Commits (2a9d46c38f551ec147dbfc447687a91254cde8dc)