Commit Graph

74 Commits (2d0ed9967288770ba92d2ff3a5d0c44cbd9bf0e1)

Author SHA1 Message Date
Brad Fitzpatrick 2d0ed99672 wgengine, wgengine/router: add a bunch of (temporary?) engine creation logging
Trying to debug what's slow on a user's machine.

Updates #785
4 years ago
Brad Fitzpatrick 7c11f71ac5 wgengine/router: ignore errors deleting 169.254.255.255/32 route on Windows
Updates #785
4 years ago
Brad Fitzpatrick 3528d28ed1 wgengine/router: move Tailscale's winipcfg additions into wgengine/router
Part of unforking our winipcfg-go and using upstream (#760), move our
additions into our repo. (We might upstream them later if upstream has
interest)

Originally these were:

@apenwarr: "Add ifc.SyncAddresses() and SyncRoutes()."
609dcf2df5

@bradfitz: "winipcfg: make Interface.AddRoutes do as much as possible, return combined error"
e9f93d53f3

@bradfitz: "prevent unnecessary Interface.SyncAddresses work; normalize IPNets in deltaNets"
decb9ee8e1
4 years ago
Brad Fitzpatrick fd77268770 wgengine/router: enumerate all interfaces when finding Tailscale adapter by GUID
Might fix it. I've spent too much time failing to reproduce the issue. This doesn't
seem to make it worse, though (it still runs for me), so I'll include this and
see if it helps others while I still work on a reliable way to reproduce it.

Updates tailscale/corp#474
4 years ago
Brad Fitzpatrick 5bcac4eaac net/tshttpproxy: add GetProxyForURL negative cache
Otherwise when PAC server is down, we log, and each log entry is a new
HTTP request (from logtail) and a new GetProxyForURL call, which again
logs, non-stop. This is also nicer to the WinHTTP service.

Then also hook up link change notifications to the cache to reset it
if there's a chance the network might work sooner.
4 years ago
Christina Wen f0e9dcdc0a
wgengine/router: restore /etc/resolv.conf after tailscale down is called
This change is to restore /etc/resolv.conf after tailscale down is called. This is done by setting the dns.Manager before errors occur. Error collection is also added.

Fixes #723
4 years ago
Brad Fitzpatrick acafe9811f wgengine/router: run netsh advfirewall less, rename, document setFirewall 4 years ago
Christina Wen e862f90e34
wgengine/router/router_linux.go: fixed " route del failed" error (#756)
* wgengine/router/router_linux.go: Switched `cidrDiff("addr")` and `cidrDiff("route")` order

Signed-off-by: Christina Wen <christina@tailscale.com>

Co-authored-by: Christina Wen <christina@tailscale.com>
4 years ago
Brad Fitzpatrick 7e9d1f7808 wgengine/router: tighten isMissingIPv6Err
So it doesn't false positive if misused.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
David Anderson 8f5b52e571 net/netns: add windows support.
Also remove rebinding logic from the windows router. Magicsock will
instead rebind based on link change signals.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Brad Fitzpatrick a084c44afc wgengine, wgengine/router, cmd/tailscale: force netfilter mode off on Synology
For now. Get it working again so it's not stuck on 0.98.

Subnet relay can come later.

Updates #451

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 31c13013ae wgengine/router: tolerate disabled IPv6 on Windows
Fixes #412
Updates #524 (maybe fixes?)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Josh Bleecher Snyder 37b40b035b wgengine/router/dns: appease staticcheck (again) 4 years ago
Josh Bleecher Snyder a877dd575c wgengine/router/dns: remove unnecessary lint ignore line
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
4 years ago
Brad Fitzpatrick 913c1bd04f wgengine/router: on Windows, add a firewall rule to allow Tailscale
Updates tailscale/tailscale#454
4 years ago
Brad Fitzpatrick 6d14678009 wgengine/router: remove unnecessary newlines in log.Printf formats 4 years ago
Brad Fitzpatrick 09d56f54a7
wgengine/router: fix Windows route sorting that caused de-dup to not work (#727)
Updates #725

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Dmytro Shynkevych a903d6c2ed
tailcfg, tsdns: derive root domains from list of nodes (#708)
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Brad Fitzpatrick 461db356b9 wgengine/router/dns: fix staticcheck error on Mac 4 years ago
Dmytro Shynkevych a583e498b0
router/dns: set all domains on Windows (#672)
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Mike Kramlich 6fa7a9a055 wgengine/router/router_userspace_bsd: on Mac the route program syntax expects delete not del -- this had caused router reconfig to fail in some cases. Fixes #673
Signed-off-by: Mike Kramlich <groglogic@gmail.com>
4 years ago
Dmytro Shynkevych 95a18f815c
router/dns: detect host endianness for NetworkManager.
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Brad Fitzpatrick c64a43a734 wgengine/router: set MTU on Windows to min(configured,possible)
Fixes tailscale/corp#542

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Josh Bleecher Snyder 2622e8e082 wgenginer/router: fix build
Rebasing github.com/tailscale/wireguard-go to upstream
wireguard-go changed the API.

This commit is analogous to
https://git.zx2c4.com/wireguard-windows/commit/?id=6823cc10ffe193c0cb1d61a5d1828d563d3d0e5f
4 years ago
Dmytro Shynkevych 28e52a0492
all: dns refactor, add Proxied and PerDomain flags from control (#615)
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Dmytro Shynkevych 8c850947db
router: split off sandboxed path from router_darwin (#624)
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Dmytro Shynkevych 2ce2b63239
router: stop iOS subprocess sandbox violations (#617)
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Dmytro Shynkevych 154d1cde05
router: reload systemd-resolved after changing /etc/resolv.conf (#619)
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Dmytro Shynkevych c53ab3111d wgengine/router: support legacy resolvconf
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
David Anderson 189d86cce5 wgengine/router: don't use 88 or 8888 as table/rule numbers.
We originally picked those numbers somewhat at random, but with the idea
that 8 is a traditionally lucky number in Chinese culture. Unfortunately,
"88" is also neo-nazi shorthand language.

Use 52 instead, because those are the digits above the letters
"TS" (tailscale) on a qwerty keyboard, so we're unlikely to collide with
other users. 5, 2 and 52 are also pleasantly culturally meaningless.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson 972a42cb33 wgengine/router: fix router_test to match the new marks.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson d60917c0f1 wgengine/router: switch packet marks to avoid conflict with Weave Net.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Dmytro Shynkevych a3e7252ce6 wgengine/router: use better NetworkManager API
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Eduardo Kienetz 5df6be9d38 Use LittleEndian for correct byte order on DNS IPs
Nameserver IP 10.11.12.13 would otherwise get written to resolv.conf as 13.12.11.10, as was happening on my client.

Signed-off-by: Eduardo Kienetz <eduardo@kienetz.com>
4 years ago
Wendi Yu c3736250a4
wgengine: fix macos staticcheck errors (#557)
Signed-off-by: Wendi <wendi.yu@yahoo.ca>
4 years ago
Dmytro Shynkevych 30bbbe9467
wgengine/router: dns: unify on *BSD, multimode on Linux, Magic DNS (#536)
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Dmytro Shynkevych 61abab999e
cmd/tailscaled: graceful shutdown (#534)
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Brad Fitzpatrick 742b8b44a8 net/tsaddr: new package to hold Tailscale-specific IPs/ranges
And update existing callers with (near) duplicated cases.
4 years ago
David Crawshaw 9258d64261 wgengine/router: do not call ifconfig up if SetRoutesFunc is set
The NetworkExtension brings up the interface itself and does not have
access to `ifconfig`, which the underlying BSD userspace router attempts
to use when Up is called.

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
4 years ago
Reinaldo de Souza a8635784bc wgengine: add BSD userspace router to darwin
Darwin and FreeBSD are compatible enough to share the userspace router.

The OSX router delegates to the BSD userspace router unless `SetRoutesFunc` is set.
That preserves the mechanism that allows `ipn-go-bridge` to specify its own routing behavior.

Fixes #177

Signed-off-by: Reinaldo de Souza <github@rei.nal.do>
4 years ago
David Anderson 5a32f8e181 wgengine/router: also accept exit code 254 from `ip rule del`.
iproute2 3.16.0-2 from Debian Jessie (oldoldstable) doesn't return
exit code 2 when deleting a non-existent IP rule.

Fixes #434

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 08a38f21c9 wgengine/router: don't filter subnet routing in netfilter.
We have a filter in tailscaled itself now, which is more robust
against weird network topologies (such as the one Docker creates).

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Avery Pennarun e7ae6a2e06 net/netns, wgengine/router: support Linux machines that don't have 'ip rule'.
We'll use SO_BINDTODEVICE instead of fancy policy routing. This has
some limitations: for example, we will route all traffic through the
interface that has the main "default" (0.0.0.0/0) route, so machines
that have multiple physical interfaces might have to go through DERP to
get to some peers. But machines with multiple physical interfaces are
very likely to have policy routing (ip rule) support anyway.

So far, the only OS I know of that needs this feature is ChromeOS
(crostini). Fixes #245.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun f0b6ba78e8 wgengine: don't pass nil router.Config objects.
These are hard for swift to decode in the iOS app.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
David Anderson 5114df415e net/netns: set the bypass socket mark on linux.
This allows tailscaled's own traffic to bypass Tailscale-managed routes,
so that things like tailscale-provided default routes don't break
tailscaled itself.

Progress on #144.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson fff062b461 wgengine/router: make runner.go linux-only for now.
Otherwise, staticcheck complains that these functions are unused
and unexported on macOS.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Avery Pennarun f69003fd46 router_linux: work around terrible bugs in old iptables-compat versions.
Specifically, this sequence:
	iptables -N ts-forward
	iptables -A ts-forward -m mark --mark 0x10000 -j ACCEPT
	iptables -A FORWARD -j ts-forward
doesn't work on Debian-9-using-nftables, but this sequence:
	iptables -N ts-forward
	iptables -A FORWARD -j ts-forward
	iptables -A ts-forward -m mark --mark 0x10000 -j ACCEPT
does work.

I'm sure the reason why is totally fascinating, but it's an old version
of iptables and the bug doesn't seem to exist on modern nftables, so
let's refactor our code to add rules in the always-safe order and
pretend this never happened.

Fixes #401.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun 9ff51909a3 router_linux: fix behaviour when switching --netfilter-mode.
On startup, and when switching into =off and =nodivert, we were
deleting netfilter rules even if we weren't the ones that added them.

In order to avoid interfering with rules added by the sysadmin, we have
to be sure to delete rules only in the case that we added them in the
first place.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun a496cdc943 router_linux: remove need for iptables.ListChains().
Instead of retrieving the list of chains, or the list of rules in a
chain, just try deleting the ones we don't want and then adding the
ones we do want. An error in flushing/deleting still means the rule
doesn't exist anymore, so there was no need to check for it first.

This avoids the need to parse iptables output, which avoids the need to
ever call iptables -S, which fixes #403, among other things. It's also
much more future proof in case the iptables command line changes.

Unfortunately the iptables go module doesn't properly pass the iptables
command exit code back up when doing .Delete(), so we can't correctly
check the exit code there. (exit code 1 really means the rule didn't
exist, rather than some other weird problem).

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun 8a6bd21baf router_linux: extract process runner routines into runner.go.
These will probably be useful across platforms. They're not really
Linux-specific at all.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago