tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	2aade349fc	net/dns, types/dnstypes: update some comments, tests for DoH Clarify & verify that some DoH URLs can be sent over tailcfg in some limited cases. Updates #2452 Change-Id: Ibb25db77788629c315dc26285a1059a763989e24 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	58abae1f83	net/dns/{publicdns,resolver}: add NextDNS DoH support NextDNS is unique in that users create accounts and then get user-specific DNS IPs & DoH URLs. For DoH, the customer ID is in the URL path. For IPv6, the IP address includes the customer ID in the lower bits. For IPv4, there's a fragile "IP linking" mechanism to associate your public IPv4 with an assigned NextDNS IPv4 and that tuple maps to your customer ID. We don't use the IP linking mechanism. Instead, NextDNS is DoH-only. Which means using NextDNS necessarily shunts all DNS traffic through 100.100.100.100 (programming the OS to use 100.100.100.100 as the global resolver) because operating systems can't usually do DoH themselves. Once it's in Tailscale's DoH client, we then connect out to the known NextDNS IPv4/IPv6 anycast addresses. If the control plane sends the client a NextDNS IPv6 address, we then map it to the corresponding NextDNS DoH with the same client ID, and we dial that DoH server using the combination of v4/v6 anycast IPs. Updates #2452 Change-Id: I3439d798d21d5fc9df5a2701839910f5bef85463 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Mihai Parparita	01e6565e8a	cmd/tsconnect: temporarily switch to xterm.js fork that handles popup windows Allows other work to be unblocked while xtermjs/xterm.js#4069 is worked through. To enable testing the popup window handling, the standalone app allows opening of SSH sessions in new windows by holding down the alt key while pressing the SSH button. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Mihai Parparita	2400ba28b1	cmd/tsconnect: handle terminal resizes before the SSH session is created Store the requested size is a struct field, and use that when actually creating the SSH session. Fixes #5567 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Brad Fitzpatrick	2266b59446	go.toolchain.rev: bump to Go 1.19.1 See https://github.com/tailscale/go/pull/34 Change-Id: I56806358cd1be4a2b8f509883e47c93083d82bdf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	ad7546fb9f	tailcfg: fix broken test from comment change Fix broken build from `255c0472fb` "Oh, that's safe to commit because most tests are passing and it's just a comment change!", I thought, forgetting I'd added a test that parses its comments. Change-Id: Iae93d595e06fec48831215a98adbb270f3bfda05 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	255c0472fb	tailcfg: reformat CurrentCapabilityVersion to be a bulleted list gofmt in 1.19 is now opinionated about structured text formatting in comments. It did not like our style and kept fighting us whenever we changed these lines. Give up the fight and be a bulleted list for it. See: * https://go.dev/doc/go1.19#go-doc and * https://go.dev/doc/comment Updates #4872 Change-Id: Ifae431218471217168c003ab3b4e03c394ca8105 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
License Updater	c5adc5243c	licenses: update win/apple licenses Signed-off-by: GitHub <noreply@github.com>	2 years ago
Andrew Dunham	c9961b8b95	cmd/derper: filter out useless HTTP error logs (#5563 ) These errors aren't actionable and just fill up logs with useless data. See the following Go issue for more details: https://golang.org/issue/26918 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
License Updater	8fdf137571	licenses: update tailscale{,d} licenses Signed-off-by: License Updater <noreply@tailscale.com>	2 years ago
Colin Adler	9c8bbc7888	wgengine/magicsock: fix panic in http debug server Fixes an panic in `(*magicsock.Conn).ServeHTTPDebug` when the `recentPongs` ring buffer for an endpoint wraps around. Signed-off-by: Colin Adler <colin1adler@gmail.com>	2 years ago
Andrew Dunham	9240f5c1e2	wgengine/netstack: only accept connection after dialing (#5503 ) If we accept a forwarded TCP connection before dialing, we can erroneously signal to a client that we support IPv6 (or IPv4) without that actually being possible. Instead, we only complete the client's TCP handshake after we've dialed the outbound connection; if that fails, we respond with a RST. Updates #5425 (maybe fixes!) Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Mihai Parparita	2f702b150e	cmd/tsconnect: add dev-pkg command for two-sided development Allows imports of the NPM package added by `1a093ef482` to be replaced with import("http://localhost:9090/pkg/pkg.js"), so that changes can be made in parallel to both the module and code that uses it (without any need for NPM publishing or even building of the package). Updates #5415 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
James Tucker	672c2c8de8	wgengine/magicsock: add filter to ignore disco to old/other ports Incoming disco packets are now dropped unless they match one of the current bound ports, or have a zero port. The BPF filter passes all packets with a disco header to the raw packet sockets regardless of destination port (in order to avoid needing to reconfigure BPF on rebind). If a BPF enabled node has just rebound, due to restart or rebind, it may receive and reply to disco ping packets destined for ports other than those which are presently bound. If the pong is accepted, the pinging node will now assume that it can send WireGuard traffic to the pinged port - such traffic will not reach the node as it is not destined for a bound port. The zero port is ignored, if received. This is a speculative defense and would indicate a problem in the receive path, or the BPF filter. This condition is allowed to pass as it may enable traffic to flow, however it will also enable problems with the same symptoms this patch otherwise fixes. Fixes #5536 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	be140add75	wgengine/magicsock: fix regression in initial bind for js `1f959edeb0` introduced a regression for JS where the initial bind no longer occurred at all for JS. The condition is moved deeper in the call tree to avoid proliferation of higher level conditions. Updates #5537 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	1f959edeb0	wgengine/magicksock: remove nullability of RebindingUDPConns Both RebindingUDPConns now always exist. the initial bind (which now just calls rebind) now ensures that bind is called for both, such that they both at least contain a blockForeverConn. Calling code no longer needs to assert their state. Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Brad Fitzpatrick	56f6fe204b	go.mod, wgengine/wgint: bump wireguard-go For `b51010ba13` Change-Id: Ibf767dfad98aef7e9f0505d91c0d26f924e046d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	f52a659076	net/dnsfallback: allow setting log function (#5550 ) This broke a test in corp that enforces we don't use the log package. Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Andrew Dunham	b8596f2a2f	net/dnsfallback: cache most recent DERP map on disk (#5545 ) This is especially helpful as we launch newer DERPs over time, and older clients have progressively out-of-date static DERP maps baked in. After this, as long as the client has successfully connected once, it'll cache the most recent DERP map it knows about. Resolves an in-code comment from @bradfitz Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Maisem Ali	060ecb010f	docs/k8s: make run.sh handle SIGINT It was previously using jobcontrol to achieve this, but that apparently doesn't work when there is no tty. This makes it so that it directly handles SIGINT and SIGTERM and passes it on to tailscaled. I tested this works on a Digital Ocean K8s cluster. Fixes #5512 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	02de34fb10	cmd/derper: add flag to run derper in bootstrap-dns-only mode Change-Id: Iba128e94464afa605bc9df1f06a91d296380eed0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Will Norris	3344c3b89b	tsnet: add Server method to listener Allow callers to verify that a net.Listener is a tsnet.listener by type asserting against this Server method, as well as providing access to the underlying Server. This is initially being added to support the caddy integration in caddyserver/caddy#5002. Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Andrew Dunham	a0bae4dac8	cmd/derper: add support for unpublished bootstrap DNS entries (#5529 ) Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Tom DNetto	9132b31e43	tailcfg: refactor/implement wire structs for TKA Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Kris Brandow	19008a3023	net/dnscache: use net/netip Removes usage of net.IP and net.IPAddr where possible from net/dnscache. Fixes #5282 Signed-off-by: Kris Brandow <kris.brandow@gmail.com>	2 years ago
Brad Fitzpatrick	ba3cc08b62	cmd/tailscale/cli: add backwards compatibility 'up' processing for legacy client Updates tailscale/corp#6781 Change-Id: I843fc810cbec0140d423d65db81e90179d6e0fa5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
License Updater	d8bfb7543e	licenses: update win/apple licenses Signed-off-by: GitHub <noreply@github.com>	2 years ago
James Tucker	265b008e49	wgengine: fix race on endpoints in getStatus Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Bertrand Lorentz	a5ad57472a	cli/cert: Fix help message for --key-file Signed-off-by: Bertrand Lorentz <bertrand.lorentz@gmail.com>	2 years ago
Xe Iaso	3564fd61b5	cmd/gitops-pusher: standardize hujson before posting to validate (#5525 ) Apparently the validate route doesn't check content-types or handle hujson with comments correctly. This patch makes gitops-pusher convert the hujson to normal json. Signed-off-by: Xe <xe@tailscale.com> Signed-off-by: Xe <xe@tailscale.com>	2 years ago
nyghtowl	cfbbcf6d07	cmd/nginx-auth/nginx-auth: update auth to allow for new domains With MagicDNS GA, we are giving every tailnet a tailnet-<hex>.ts.net name. We will only parse out if legacy domains include beta.tailscale.net; otherwise, set tailnet to the full domain format going forward. Signed-off-by: nyghtowl <warrick@tailscale.com>	2 years ago
License Updater	9c66dce8e0	licenses: update win/apple licenses Signed-off-by: GitHub <noreply@github.com>	2 years ago
Brad Fitzpatrick	e470893ba0	wgengine/magicsock: use mak in another spot Change-Id: I0a46d6243371ae6d126005a2bd63820cb2d1db6b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	c72caa6672	wgengine/magicsock: use AF_PACKET socket + BPF to read disco messages This is entirely optional (i.e. failing in this code is non-fatal) and only enabled on Linux for now. Additionally, this new behaviour can be disabled by setting the TS_DEBUG_DISABLE_AF_PACKET environment variable. Updates #3824 Replaces #5474 Co-authored-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Mihai Parparita	58f35261d0	cmd/tsconnect: remove debugging code Remove test prefix added to validate the error code from `27f36f77c3`. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Tom DNetto	be95aebabd	tka: implement credential signatures (key material delegation) This will be needed to support preauth-keys with network lock in the future, so getting the core mechanics out of the way now. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
License Updater	490acdefb6	licenses: update android licenses Signed-off-by: License Updater <noreply@tailscale.com>	2 years ago
License Updater	84b74825f0	licenses: update tailscale{,d} licenses Signed-off-by: License Updater <noreply@tailscale.com>	2 years ago
Brad Fitzpatrick	9bd9f37d29	go.mod: bump wireguard/windows, which moves to using net/netip Updates #5162 Change-Id: If99a3f0000bce0c01bdf44da1d513f236fd7cdf8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Charlotte Brandhorst-Satzkorn	185f2e4768	words: this title should have been a pun, but I chickened out (#5506 ) Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com> Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 years ago
Denton Gentry	53e08bd7ea	VERSION.txt: this is 1.31 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Andrew Dunham	70ed22ccf9	util/uniq: add ModifySliceFunc (#5504 ) Follow-up to #5491. This was used in control... oops! Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Tom DNetto	7ca17b6bdb	tka: validate key after UpdateKey before applying state Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Andrew Dunham	e945d87d76	util/uniq: use generics instead of reflect (#5491 ) This takes 75% less time per operation per some benchmarks on my mac. Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Andrew Dunham	1ac4a26fee	ipn/localapi: send Tailscale version in ACME User-Agent (#5499 ) Requested by a friend at Let's Encrypt. Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Brad Fitzpatrick	761163815c	tailcfg: add Hostinfo.Userspace{,Router} bits Change-Id: Iad47f904872f2df146c1f63945f79cfddeac7fe8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	9f6c8517e0	net/dns: set OS DNS to 100.100.100.100 for route-less ExtraRecords [cap 41] If ExtraRecords (Hosts) are specified without a corresponding split DNS route and global DNS is specified, then program the host OS DNS to use 100.100.100.100 so it can blend in those ExtraRecords. Updates #1543 Change-Id: If49014a5ecc8e38978ff26e54d1f74fe8dbbb9bc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Mihai Parparita	27f36f77c3	cmd/tsconnect: output errors to the JS console too We were just outputting them to the terminal, but that's hard to debug because we immediately tear down the terminal when getting an error. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Xe Iaso	122bd667dc	cmd/gitops-pusher: be less paranoid about external modifications (#5488 ) This makes a "modified externally" error turn into a "modified externally" warning. It means CI won't fail if someone does something manually in the admin console. Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Joe Tsai	21cd402204	logtail: do not log when backing off (#5485 )	2 years ago

1 2 3 4 5 ...

4450 Commits (2aade349fc3f1a9d58ce98e11be9e18034926915) All Branches Search

4450 Commits (2aade349fc3f1a9d58ce98e11be9e18034926915)

All Branches