tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	3c1e2bba5b	ipn/ipnlocal: remove outdated iOS hacky workaround in Start We haven't needed this hack for quite some time Andrea says. Updates #11649 Change-Id: Ie854b7edd0a01e92495669daa466c7c0d57e7438 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	dd6c76ea24	ipn: remove unused Options.LegacyMigrationPrefs I'm on a mission to simplify LocalBackend.Start and its locking and deflake some tests. I noticed this hasn't been used since March 2023 when it was removed from the Windows client in corp 66be796d33c. So, delete. Updates #11649 Change-Id: I40f2cb75fb3f43baf23558007655f65a8ec5e1b2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	7ec0dc3834	ipn/ipnlocal: make StartLoginInteractive take (yet unused) context In prep for future fix to undermentioned issue. Updates tailscale/tailscale#7036 Change-Id: Ide114db917dcba43719482ffded6a9a54630d99e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Claire Wang	9171b217ba	cmd/tailscale, ipn/ipnlocal: add suggest exit node CLI option (#11407 ) Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Brad Fitzpatrick	b9aa7421d6	ipn/ipnlocal: remove some dead code (legacyBackend methods) from LocalBackend Nothing used it. Updates #11649 Change-Id: Ic1c331d947974cd7d4738ff3aafe9c498853689e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	68043a17c2	ipn/ipnlocal: centralize assignments to cc + ccAuto in new method cc vs ccAuto is a mess. It needs to go. But this is a baby step towards getting there. Updates #11649 Change-Id: I34f33934844e580bd823a7d8f2b945cf26c87b3b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	970b1e21d0	ipn/ipnlocal: inline assertClientLocked into its now sole caller Updates #11649 Change-Id: I8e2a5e59125a0cad5c0a8c9ed8930585f1735d03 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	170c618483	ipn/ipnlocal: remove dead code now that Android uses LocalAPI instead The new Android app and its libtailscale don't use this anymore; it uses LocalAPI like other clients now. Updates #11649 Change-Id: Ic9f42b41e0e0280b82294329093dc6c275f41d50 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
kari-ts	1cd51f95c7	ipnlocal: enable allow LAN for android (#11709 ) Updates tailscale/corp#18984 Updates tailscale/corp#18202	2 months ago
Brad Fitzpatrick	a5e1f7d703	ipn/{ipnlocal,localapi}: add API to toggle use of exit node This is primarily for GUIs, so they don't need to remember the most recently used exit node themselves. This adds some CLI commands, but they're disabled and behind the WIP envknob, as we need to consider naming (on/off is ambiguous with running an exit node, etc) as well as automatic exit node selection in the future. For now the CLI commands are effectively developer debug things to test the LocalAPI. Updates tailscale/corp#18724 Change-Id: I9a32b00e3ffbf5b29bfdcad996a4296b5e37be7e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	aa084a29c6	ipn/ipnlocal: name the unlockOnce type, plumb more, add Unlock method This names the func() that Once-unlocked LocalBackend.mu. It does so both for docs and because it can then have a method: Unlock, for the few points that need to explicitly unlock early (the cause of all this mess). This makes those ugly points easy to find, and also can then make them stricter, panicking if the mutex is already unlocked. So a normal call to the func just once-releases the mutex, returning false if it's already done, but the Unlock method is the strict one. Then this uses it more, so most the b.mu.Unlock calls remaining are simple cases and usually defers. Updates #11649 Change-Id: Ia070db66c54a55e59d2f76fdc26316abf0dd4627 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	5e7c0b025c	ipn/ipnlocal: add some "lockedOnEntry" helpers + guardrails, fix bug A number of methods in LocalBackend (with suffixed "LockedOnEntry") require b.mu be held but unlock it on the way out. That's asymmetric and atypical and error prone. This adds a helper method to LocalBackend that locks the mutex and returns a sync.OnceFunc that unlocks the mutex. Then we pass around that unlocker func down the chain to make it explicit (and somewhat type check the passing of ownership) but also let the caller defer unlock it, in the case of errors/panics that happen before the callee gets around to calling the unlock. This revealed a latent bug in LocalBackend.DeleteProfile which double unlocked the mutex. Updates #11649 Change-Id: I002f77567973bd77b8906bfa4ec9a2049b89836a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Charlotte Brandhorst-Satzkorn	98cf71cd73	tailscale: switch tailfs to drive syntax for api and logs (#11625 ) This change switches the api to /drive, rather than the previous /tailfs as well as updates the log lines to reflect the new value. It also cleans up some existing tailfs references. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Charlotte Brandhorst-Satzkorn	93618a3518	tailscale: update tailfs functions and vars to use drive naming (#11597 ) This change updates all tailfs functions and the majority of the tailfs variables to use the new drive naming. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Claire Wang	262fa8a01e	ipn/ipnlocal: populate peers' capabilities (#11365 ) Populates capabilties field of peers in ipn status. Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Charlotte Brandhorst-Satzkorn	14683371ee	tailscale: update tailfs file and package names (#11590 ) This change updates the tailfs file and package names to their new naming convention. Updates #tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
James Tucker	7558a1d594	ipn/ipnlocal: disable sockstats on (unstable) mobile by default We're tracking down a new instance of memory usage, and excessive memory usage from sockstats is definitely not going to help with debugging, so disable it by default on mobile. Updates tailscale/corp#18514 Signed-off-by: James Tucker <james@tailscale.com>	2 months ago
Percy Wegmann	66e4d843c1	ipn/localapi: add support for multipart POST to file-put This allows sending multiple files via Taildrop in one request. Progress is tracked via ipn.Notify. Updates tailscale/corp#18202 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	bed818a978	ipn/localapi: add support for multipart POST to file-put This allows sending multiple files via Taildrop in one request. Progress is tracked via ipn.Notify. Updates tailscale/corp#18202 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	eb42a16da9	ipn/ipnlocal: report Taildrive access message on failed responses For example, if we get a 404 when downloading a file, we'll report access. Also, to reduce verbosty of logs, this elides 0 length files. Updates tailscale/corp#17818 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Charlotte Brandhorst-Satzkorn	acb611f034	ipn/localipn: introduce logs for tailfs (#11496 ) This change introduces some basic logging into the access and share pathways for tailfs. Updates tailscale/corp#17818 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Brad Fitzpatrick	a36cfb4d3d	tailcfg, ipn/ipnlocal, wgengine/magicsock: add only-tcp-443 node attr Updates tailscale/corp#17879 Change-Id: I0dc305d147b76c409cf729b599a94fa723aef0e0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	7b34154df2	all: deprecate Node.Capabilities (more), remove PeerChange.Capabilities [capver 89] First we had Capabilities []string. Then https://tailscale.com/blog/acl-grants (#4217) brought CapMap, a superset of Capabilities. Except we never really finished the transition inside the codebase to go all-in on CapMap. This does so. Notably, this coverts Capabilities on the wire early to CapMap internally so the code can only deal in CapMap, even against an old control server. In the process, this removes PeerChange.Capabilities support, which no known control plane sent anyway. They can and should use PeerChange.CapMap instead. Updates #11508 Updates #4217 Change-Id: I872074e226b873f9a578d9603897b831d50b25d9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	b104688e04	ipn/ipnlocal, types/netmap: replace hasCapability with set lookup on NetworkMap When node attributes were super rare, the O(n) slice scans looking for node attributes was more acceptable. But now more code and more users are using increasingly more node attributes. Time to make it a map. Noticed while working on tailscale/corp#17879 Updates #cleanup Change-Id: Ic17c80341f418421002fbceb47490729048756d2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Mario Minardi	d2ccfa4edd	cmd/tailscale,ipn/ipnlocal: enable web client over quad 100 by default (#11419 ) Enable the web client over 100.100.100.100 by default. Accepting traffic from [tailnet IP]:5252 still requires setting the `webclient` user pref. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	2 months ago
Mario Minardi	e0886ad167	ipn/ipnlocal, tailcfg: add disable-web-client node attribute (#11418 ) Add a disable-web-client node attribute and add handling for disabling the web client when this node attribute is set. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	2 months ago
Andrew Lytvynov	decd9893e4	ipn/ipnlocal: validate domain of PopBrowserURL on default control URL (#11394 ) If the client uses the default Tailscale control URL, validate that all PopBrowserURLs are under tailscale.com or *.tailscale.com. This reduces the risk of a compromised control plane opening phishing pages for example. The client trusts control for many other things, but this is one easy way to reduce that trust a bit. Fixes #11393 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	3 months ago
Brad Fitzpatrick	ad33e47270	ipn/{ipnlocal,localapi}: add debug verb to force spam IPN bus NetMap To force the problem in its worst case scenario before fixing it. Updates tailscale/corp#17859 Change-Id: I2c8b8e5f15c7801e1ab093feeafac52ec175a763 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Percy Wegmann	6c160e6321	ipn,tailfs: tie TailFS share configuration to user profile Previously, the configuration of which folders to share persisted across profile changes. Now, it is tied to the user's profile. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Percy Wegmann	fd942b5384	ipn/ipnlocal: reduce allocations in TailFS share notifications This eliminates unnecessary map.Clone() calls and also eliminates repetitive notifications about the same set of shares. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Percy Wegmann	e324a5660f	ipn: include full tailfs shares in ipn notifications This allows the Mac application to regain access to restricted folders after restarts. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Brad Fitzpatrick	b68a09cb34	ipn/ipnlocal: make active IPN sessions keyed by sessionID We used a HandleSet before when we didn't have a unique handle. But a sessionID is a unique handle, so use that instead. Then that replaces the other map we had. And now we'll have a way to look up an IPN session by sessionID for later. Updates tailscale/corp#17859 Change-Id: I5f647f367563ec8783c643e49f93817b341d9064 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Percy Wegmann	2d5d6f5403	ipn,wgengine: only intercept TailFS traffic on quad 100 This fixes a regression introduced with `993acf4` and released in v1.60.0. The regression caused us to intercept all userspace traffic to port 8080 which prevented users from exposing their own services to their tailnet at port 8080. Now, we only intercept traffic to port 8080 if it's bound for 100.100.100.100 or fd7a:115c:a1e0::53. Fixes #11283 Signed-off-by: Percy Wegmann <percy@tailscale.com> (cherry picked from commit `17cd0626f3`)	3 months ago
Anton Tolchanov	8cc5c51888	health: warn about reverse path filtering and exit nodes When reverse path filtering is in strict mode on Linux, using an exit node blocks all network connectivity. This change adds a warning about this to `tailscale status` and the logs. Example in `tailscale status`: ``` - not connected to home DERP region 22 - The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 ``` Example in the logs: ``` 2024/02/21 21:17:07 health("overall"): error: multiple errors: not in map poll The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 ``` Updates #3310 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	3 months ago
Nick Khyl	7ef1fb113d	cmd/tailscaled, ipn/ipnlocal, wgengine: shutdown tailscaled if wgdevice is closed Tailscaled becomes inoperative if the Tailscale Tunnel wintun adapter is abruptly removed. wireguard-go closes the device in case of a read error, but tailscaled keeps running. This adds detection of a closed WireGuard device, triggering a graceful shutdown of tailscaled. It is then restarted by the tailscaled watchdog service process. Fixes #11222 Signed-off-by: Nick Khyl <nickk@tailscale.com>	3 months ago
Brad Fitzpatrick	e1bd7488d0	all: remove LenIter, use Go 1.22 range-over-int instead Updates #11058 Updates golang/go#65685 Change-Id: Ibb216b346e511d486271ab3d84e4546c521e4e22 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Andrew Dunham	52f16b5d10	doctor/ethtool, ipn/ipnlocal: add ethtool bugreport check Updates #11137 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Idbe862d80e428adb044249c47d9096b87f29d5d8	4 months ago
Percy Wegmann	c42a4e407a	tailfs: listen for local clients only on 100.100.100.100 FileSystemForLocal was listening on the node's Tailscale address, which potentially exposes the user's view of TailFS shares to other Tailnet users. Remote nodes should connect to exported shares via the peerapi. This removes that code so that FileSystemForLocal is only avaialable on 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Maisem Ali	370ecb4654	tailcfg: remove UserProfile.Groups Removing as per go/group-all-the-things. Updates tailscale/corp#17445 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 months ago
Percy Wegmann	87154a2f88	tailfs: fix startup issues on windows Starts TailFS for Windows too, initializes shares on startup. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Percy Wegmann	ddcffaef7a	tailfs: disable TailFSForLocal via policy Adds support for node attribute tailfs:access. If this attribute is not present, Tailscale will not accept connections to the local TailFS server at 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Percy Wegmann	abab0d4197	tailfs: clean up naming and package structure - Restyles tailfs -> tailFS - Defines interfaces for main TailFS types - Moves implemenatation of TailFS into tailfsimpl package Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Percy Wegmann	993acf4475	tailfs: initial implementation Add a WebDAV-based folder sharing mechanism that is exposed to local clients at 100.100.100.100:8080 and to remote peers via a new peerapi endpoint at /v0/tailfs. Add the ability to manage folder sharing via the new 'share' CLI sub-command. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Andrea Gottardo	6c79f55d48	ipnlocal: force-regen new authURL when it is too old (#10971 ) Fixes tailscale/support-escalations#23. authURLs returned by control expire after 1 hour from creation. Customer reported that the Tailscale client on macOS would sending users to a stale authentication page when clicking on the `Login...` menu item. This can happen when clicking on Login after leaving the device unattended for several days. The device key expires, leading to the creation of a new authURL, however the client doesn't keep track of when the authURL was created. Meaning that `login-interactive` would send the user to an authURL that had expired server-side a long time before. This PR ensures that whenever `login-interactive` is called via LocalAPI, an authURL that is too old won't be used. We force control to give us a new authURL whenever it's been more than 30 minutes since the last authURL was sent down from control. Apply suggestions from code review Set interval to 6 days and 23 hours Signed-off-by: Andrea Gottardo <andrea@tailscale.com> Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	4 months ago
Brad Fitzpatrick	2bd3c1474b	util/cmpx: delete now that we're using Go 1.22 Updates #11058 Change-Id: I09dea8e86f03ec148b715efca339eab8b1f0f644 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
James Tucker	ba70cbb930	ipn/ipnlocal: fix app connector route advertisements on exit nodes If an app connector is also configured as an exit node, it should still advertise discovered routes that are not covered by advertised routes, excluding the exit node routes. Updates tailscale/corp#16928 Signed-off-by: James Tucker <james@tailscale.com>	4 months ago
Percy Wegmann	fad6bae764	ipnlocal: log failure to get ssh host keys When reporting ssh host keys to control, log a warning if we're unable to get the SSH host keys. Updates tailscale/escalations#21 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Jordan Whited	8b47322acc	wgengine/magicsock: implement probing of UDP path lifetime (#10844 ) This commit implements probing of UDP path lifetime on the tail end of an active direct connection. Probing configuration has two parts - Cliffs, which are various timeout cliffs of interest, and CycleCanStartEvery, which limits how often a probing cycle can start, per-endpoint. Initially a statically defined default configuration will be used. The default configuration has cliffs of 10s, 30s, and 60s, with a CycleCanStartEvery of 24h. Probing results are communicated via clientmetric counters. Probing is off by default, and can be enabled via control knob. Probing is purely informational and does not yet drive any magicsock behaviors. Updates #540 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Charlotte Brandhorst-Satzkorn	ce4553b988	appc,ipn/ipnlocal: optimize preference adjustments when routes update This change allows us to perform batch modification for new route advertisements and route removals. Additionally, we now handle the case where newly added routes are covered by existing ranges. This change also introduces a new appctest package that contains some shared functions used for testing. Updates tailscale/corp#16833 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	4 months ago
James Tucker	8250582fe6	ipn/ipnlocal: make app connector configuration concurrent If there are routes changes as a side effect of an app connector configuration update, the connector configuration may want to reenter a lock, so must be started asynchronously. Updates tailscale/corp#16833 Signed-off-by: James Tucker <james@tailscale.com>	4 months ago

1 2 3 4 5 ...

655 Commits (3c1e2bba5bb8b48f42ba01f98427ae5574b76827)