tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	39ffa16853	net/dnscache, net/tsdial: add DNS caching to tsdial UserDial This is enough to handle the DNS queries as generated by Go's net package (which our HTTP/SOCKS client uses), and the responses generated by the ExitDNS DoH server. This isn't yet suitable for putting on 100.100.100.100 where a number of different DNS clients would hit it, as this doesn't yet do EDNS0. It might work, but it's untested and likely incomplete. Likewise, this doesn't handle anything about truncation, as the exchanges are entirely in memory between Go or DoH. That would also need to be handled later, if/when it's hooked up to 100.100.100.100. Updates #3507 Change-Id: I1736b0ad31eea85ea853b310c52c5e6bf65c6e2a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Josh Bleecher Snyder	38d90fa330	net/portmapper: add clientmetrics for PCP/PMP responses Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Aaron Klotz	7d8feb2784	hostinfo: change Windows implementation to directly query version information using API and registry We replace the cmd.exe invocation with RtlGetNtVersionNumbers for the first three fields. On Windows 10+, we query for the fourth field which is available via the registry. The fourth field is not really documented anywhere; Firefox has been querying it successfully since Windows 10 was released, so we can be pretty confident in its longevity at this point. Fixes https://github.com/tailscale/tailscale/issues/1478 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 years ago
Brad Fitzpatrick	24ea365d48	netcheck, controlclient, magicsock: add more metrics Updates #3307 Change-Id: Ibb33425764a75bde49230632f1b472f923551126 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
David Anderson	37c150aee1	derp: use new node key type. Update #3206 Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
David Anderson	15376f975b	types/wgkey: delete, no longer used. Updates #3206 Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
Josh Bleecher Snyder	640de1921f	depaware: update To fix build broken by `c9bf773312`. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	31e4f60047	version: embed VERSION.txt in unstamped version Temporary measure until we switch to Go 1.18. $ go run ./cmd/tailscale version 1.17.0-date.20211022 go version: go1.17 Updates #81 Change-Id: Ic82ebffa5f46789089e5fb9810b3f29e36a47f1a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	505f844a43	cmd/derper, derp/derphttp: add websocket support Updates #3157 Change-Id: I337a919a3b350bc7bd9af567b49c4d5d6616abdd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Aaron Klotz	1991a1ac6a	net/tstun: update tun_windows for wintun 0.14 API revisions, update wireguard-go dependency to 82d2aa87aa623cb5143a41c3345da4fb875ad85d Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 years ago
Brad Fitzpatrick	2d11503cff	cmd/tailscale: add up --qr to show QR code Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	173bbaa1a1	all: disable TCP keep-alives on iOS/Android Updates #2442 Updates tailscale/corp#2750 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Aaron Klotz	9ebb5d4205	ipn, paths: ensure that the state directory for Windows has the correct perms ProgramData has a permissive ACL. For us to safely store machine-wide state information, we must set a more restrictive ACL on our state directory. We set the ACL so that only talescaled's user (ie, LocalSystem) and the Administrators group may access our directory. We must include Administrators to ensure that logs continue to be easily accessible; omitting that group would force users to use special tools to log in interactively as LocalSystem, which is not ideal. (Note that the ACL we apply matches the ACL that was used for LocalSystem's AppData\Local). There are two cases where we need to reset perms: One is during migration from the old location to the new. The second case is for clean installations where we are creating the file store for the first time. Updates #2856 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 years ago
Josh Bleecher Snyder	865d8c0d23	cmd: upgrade to ffcli v3 None of the breaking changes from v2 to v3 are relevant to us. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Dave Anderson	980acc38ba	types/key: add a special key with custom serialization for control private keys (#2792 ) * Revert "Revert "types/key: add MachinePrivate and MachinePublic."" This reverts commit `61c3b98a24`. Signed-off-by: David Anderson <danderson@tailscale.com> * types/key: add ControlPrivate, with custom serialization. ControlPrivate is just a MachinePrivate that serializes differently in JSON, to be compatible with how the Tailscale control plane historically serialized its private key. Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
David Anderson	61c3b98a24	Revert "types/key: add MachinePrivate and MachinePublic." Broke the tailscale control plane due to surprise different serialization. This reverts commit `4fdb88efe1`.	3 years ago
David Anderson	4fdb88efe1	types/key: add MachinePrivate and MachinePublic. Plumb throughout the codebase as a replacement for the mixed use of tailcfg.MachineKey and wgkey.Private/Public. Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
Brad Fitzpatrick	99a1c74a6a	metrics: optimize CurrentFDs to not allocate on Linux It was 50% of our allocs on one of our servers. (!!) Updates #2784 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Maisem Ali	0842e2f45b	ipn/store: add ability to store data as k8s secrets. Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Brad Fitzpatrick	21cb0b361f	safesocket: add connect retry loop to wait for tailscaled Updates #2708 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	d5e1abd0c4	cmd/tailscale/cli: only write cert file if it changed Updates #1235 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	57b794c338	ipn/localapi: move cert fetching code to localapi, cache, add cert subcommand Updates #1235 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Josh Bleecher Snyder	d2aa144dcc	syncs: bump known good version to include Go 1.17 Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	ec9f3f4cc0	cmd/tailscale: update depaware Missing from prior commit. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Josh Bleecher Snyder	a4e19f2233	version: remove rsc.io/goversion dependency rsc.io/goversion is really expensive. Running version.ReadExe on tailscaled on darwin allocates 47k objects, almost 11mb. All we want is the module info. For that, all we need to do is scan through the binary looking for the magic start/end strings and then grab the bytes in between them. We can do that easily and quickly with nothing but a 64k buffer. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
David Crawshaw	360223fccb	types/dnstype: introduce new package for Resolver So the type can be used in net/dns without introducing a tailcfg dependency. For #2596 Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	3 years ago
Brad Fitzpatrick	fd7b738e5b	derp: use pad32 package for padding, reduce duplication Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	fdc081c291	net/portmapper: fix UPnP probing, work against all ports Prior to Tailscale 1.12 it detected UPnP on any port. Starting with Tailscale 1.11.x, it stopped detecting UPnP on all ports. Then start plumbing its discovered Location header port number to the code that was assuming port 5000. Fixes #2109 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	f3c96df162	ipn/ipnstate: move tailscale status "active" determination to tailscaled Fixes #2579 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Josh Bleecher Snyder	9da4181606	tstime/rate: new package This is a simplified rate limiter geared for exactly our needs: A fast, mono.Time-based rate limiter for use in tstun. It was generated by stripping down the x/time/rate rate limiter to just our needs and switching it to use mono.Time. It removes one time.Now call per packet. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	8a3d52e882	wgengine/magicsock: use mono.Time magicsock makes multiple calls to Now per packet. Move to mono.Now. Changing some of the calls to use package mono has a cascading effect, causing non-per-packet call sites to also switch. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
julianknodt	1bb6abc604	net/portmapper: add upnp port mapping Add in UPnP portmapping, using goupnp library in order to get the UPnP client and run the portmapping functions. This rips out anywhere where UPnP used to be in portmapping, and has a flow separate from PMP and PCP. RELNOTE=portmapper now supports UPnP mappings Fixes #682 Updates #2109 Signed-off-by: julianknodt <julianknodt@gmail.com>	3 years ago
Denton Gentry	e28bc49e5f	netns_linux: remove special handling for tests. With netns handling localhost now, existing tests no longer need special handling. The tests set up their connections to localhost, and the connections work without fuss. Remove the special handling for tests. Also remove the hostinfo.TestCase support, since this was the only use of it. It can be added back later if really needed, but it would be better to try to make tests work without special cases. Signed-off-by: Denton Gentry <dgentry@tailscale.com>	3 years ago
Denton Gentry	d2480fd508	net/netns: support !CAP_NET_ADMIN netns_linux checked whether "ip rule" could run to determine whether to use SO_MARK for network namespacing. However in Linux environments which lack CAP_NET_ADMIN, such as various container runtimes, the "ip rule" command succeeds but SO_MARK fails due to lack of permission. SO_BINDTODEVICE would work in these environments, but isn't tried. In addition to running "ip rule" check directly whether SO_MARK works or not. Among others, this allows Microsoft Azure App Service and AWS App Runner to work. Signed-off-by: Denton Gentry <dgentry@tailscale.com>	3 years ago
Brad Fitzpatrick	1cedd944cf	cmd/tailscale/cli: diagnose missing tailscaled on 'up' Fixes #2029 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
julianknodt	506c2fe8e2	cmd/tailscale: make netcheck use active DERP map, delete static copy After allowing for custom DERP maps, it's convenient to be able to see their latency in netcheck. This adds a query to the local tailscaled for the current DERPMap. Updates #1264 Signed-off-by: julianknodt <julianknodt@gmail.com>	3 years ago
julianknodt	148602a89a	derp,cmd/derper: allow server to verify clients This adds a flag to the DERP server which specifies to verify clients through a local tailscaled. It is opt-in, so should not affect existing clients, and is mainly intended for users who want to run their own DERP servers. It assumes there is a local tailscaled running and will attempt to hit it for peer status information. Updates #1264 Signed-off-by: julianknodt <julianknodt@gmail.com>	3 years ago
Denton Gentry	ad288baaea	net/interfaces: use IPv4 link local if nothing better The only connectivity an AWS Lambda container has is an IPv4 link-local 169.254.x.x address using NAT: 12: vtarget_1@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 7e:1c:3f:00:00:00 brd ff:ff:ff:ff:ff:ff link-netnsid 1 inet 169.254.79.1/32 scope global vtarget_1 valid_lft forever preferred_lft forever If there are no other IPv4/v6 addresses available, and we are running in AWS Lambda, allow IPv4 169.254.x.x addresses to be used. ---- Similarly, a Google Cloud Run container's only connectivity is a Unique Local Address fddf:3978:feb1:d745::c001/128. If there are no other addresses available then allow IPv6 Unique Local Addresses to be used. We actually did this in an earlier release, but now refactor it to work the same way as the IPv4 link-local support is being done. Signed-off-by: Denton Gentry <dgentry@tailscale.com>	3 years ago
Maisem Ali	f944614c5c	cmd/tailscale/web: add support for QNAP Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Maisem Ali	95e296fd96	cmd/tailscale/web: restrict web access to synology admins. Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Brad Fitzpatrick	a86a0361a7	go.mod: upgrade all deps At the start of a dev cycle we'll upgrade all dependencies. Done with: $ for Dep in $(cat go.mod \| perl -ne '/(\S+) v/ and print "$1\n"'); do go get $Dep@upgrade; done Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Josh Bleecher Snyder	5666663370	net/packet: use netaddr AppendTo methods This lets us remote the types/strbuilder package, which had only a single user. And it's faster. name old time/op new time/op delta String/tcp4-8 175ns ± 0% 58ns ± 1% -66.95% (p=0.000 n=10+9) String/tcp6-8 226ns ± 1% 136ns ± 1% -39.85% (p=0.000 n=10+10) String/udp4-8 175ns ± 1% 58ns ± 1% -67.01% (p=0.000 n=10+9) String/udp6-8 230ns ± 1% 140ns ± 0% -39.32% (p=0.000 n=10+9) String/icmp4-8 164ns ± 0% 50ns ± 1% -69.89% (p=0.000 n=10+10) String/icmp6-8 217ns ± 1% 129ns ± 0% -40.46% (p=0.000 n=10+10) String/igmp-8 196ns ± 0% 56ns ± 1% -71.32% (p=0.000 n=10+10) String/unknown-8 2.06ns ± 1% 2.06ns ± 2% ~ (p=0.985 n=10+10) name old alloc/op new alloc/op delta String/tcp4-8 32.0B ± 0% 32.0B ± 0% ~ (all equal) String/tcp6-8 168B ± 0% 96B ± 0% -42.86% (p=0.000 n=10+10) String/udp4-8 32.0B ± 0% 32.0B ± 0% ~ (all equal) String/udp6-8 168B ± 0% 96B ± 0% -42.86% (p=0.000 n=10+10) String/icmp4-8 32.0B ± 0% 32.0B ± 0% ~ (all equal) String/icmp6-8 104B ± 0% 64B ± 0% -38.46% (p=0.000 n=10+10) String/igmp-8 48.0B ± 0% 48.0B ± 0% ~ (all equal) String/unknown-8 0.00B 0.00B ~ (all equal) name old allocs/op new allocs/op delta String/tcp4-8 1.00 ± 0% 1.00 ± 0% ~ (all equal) String/tcp6-8 3.00 ± 0% 1.00 ± 0% -66.67% (p=0.000 n=10+10) String/udp4-8 1.00 ± 0% 1.00 ± 0% ~ (all equal) String/udp6-8 3.00 ± 0% 1.00 ± 0% -66.67% (p=0.000 n=10+10) String/icmp4-8 1.00 ± 0% 1.00 ± 0% ~ (all equal) String/icmp6-8 3.00 ± 0% 1.00 ± 0% -66.67% (p=0.000 n=10+10) String/igmp-8 1.00 ± 0% 1.00 ± 0% ~ (all equal) String/unknown-8 0.00 0.00 ~ (all equal) Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	ca65c6cbdb	cmd/tailscale: make 'file cp' have better error messages on bad targets Say when target isn't owned by current user, and when target doesn't exist in netmap. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Avery Pennarun	19c3e6cc9e	types/logger: rate limited: more hysteresis, better messages. - Switch to our own simpler token bucket, since x/time/rate is missing necessary stuff (can't provide your own time func; can't check the current bucket contents) and it's overkill anyway. - Add tests that actually include advancing time. - Don't remove the rate limit on a message until there's enough room to print at least two more of them. When we do, we'll also print how many we dropped, as a contextual reminder that some were previously lost. (This is more like how the Linux kernel does it.) - Reformat the [RATE LIMITED] messages to be shorter, and to not corrupt original message. Instead, we print the message, then print its format string. - Use %q instead of \"%s\", for more accurate parsing later, if the format string contained quotes. Fixes #1772 Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	3 years ago
Brad Fitzpatrick	8554694616	cmd/tailscale: add 'tailscale file get' subcommand Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	5ecc7c7200	cmd/tailscale: make the new 'up' errors prettier and more helpful Fixes #1746 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	db5e269463	client/tailscale/apitype: move local API types to new apitype package They were scattered/duplicated in misc places before. It can't be in the client package itself for circular dep reasons. This new package is basically tailcfg but for localhost communications, instead of to control. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	9972c02b60	cmd/tailscale/cli: don't let up change prefs based on implicit flag values This changes the behavior of "tailscale up". Previously "tailscale up" always did a new Start and reset all the settings. Now "tailscale up" with no flags just brings the world [back] up. (The opposite of "tailscale down"). But with flags, "tailscale up" now only is allowed to change preferences if they're explicitly named in the flags. Otherwise it's an error. Or you need to use --reset to explicitly nuke everything. RELNOTE=tailscale up change Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	50b309c1eb	ipn/localapi, cmd/tailscale: add API to get prefs, CLI debug command to show Updates #1436 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
David Crawshaw	f0863346c2	cmd/tailscale: add web subcommand Used as an app frontend UI on Synology. Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	3 years ago

1 2 3

103 Commits (2c94e3c4adef5730c6c3fb8a65240c61554cea19)