tailscale

Commit Graph

Author	SHA1	Message	Date
Aaron Klotz	44f13d32d7	cmd/tailscaled, util/winutil: log Windows service diagnostics when the wintun device fails to install I added new functions to winutil to obtain the state of a service and all its depedencies, serialize them to JSON, and write them to a Logf. When tstun.New returns a wrapped ERROR_DEVICE_NOT_AVAILABLE, we know that wintun installation failed. We then log the service graph rooted at "NetSetupSvc". We are interested in that specific service because network devices will not install if that service is not running. Updates https://github.com/tailscale/tailscale/issues/5531 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Brad Fitzpatrick	9bdf0cd8cd	ipn/ipnlocal: add c2n /debug/{goroutines,prefs,metrics} * and move goroutine scrubbing code to its own package for reuse * bump capver to 45 Change-Id: I9b4dfa5af44d2ecada6cc044cd1b5674ee427575 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	b1867457a6	doctor: add package for running in-depth healthchecks; use in bugreport (#5413 ) Change-Id: Iaa4e5b021a545447f319cfe8b3da2bd3e5e5782b Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Brad Fitzpatrick	58abae1f83	net/dns/{publicdns,resolver}: add NextDNS DoH support NextDNS is unique in that users create accounts and then get user-specific DNS IPs & DoH URLs. For DoH, the customer ID is in the URL path. For IPv6, the IP address includes the customer ID in the lower bits. For IPv4, there's a fragile "IP linking" mechanism to associate your public IPv4 with an assigned NextDNS IPv4 and that tuple maps to your customer ID. We don't use the IP linking mechanism. Instead, NextDNS is DoH-only. Which means using NextDNS necessarily shunts all DNS traffic through 100.100.100.100 (programming the OS to use 100.100.100.100 as the global resolver) because operating systems can't usually do DoH themselves. Once it's in Tailscale's DoH client, we then connect out to the known NextDNS IPv4/IPv6 anycast addresses. If the control plane sends the client a NextDNS IPv6 address, we then map it to the corresponding NextDNS DoH with the same client ID, and we dial that DoH server using the combination of v4/v6 anycast IPs. Updates #2452 Change-Id: I3439d798d21d5fc9df5a2701839910f5bef85463 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	c72caa6672	wgengine/magicsock: use AF_PACKET socket + BPF to read disco messages This is entirely optional (i.e. failing in this code is non-fatal) and only enabled on Linux for now. Additionally, this new behaviour can be disabled by setting the TS_DEBUG_DISABLE_AF_PACKET environment variable. Updates #3824 Replaces #5474 Co-authored-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
James Tucker	ad1cc6cff9	wgengine: use Go API rather than UAPI for status Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Brad Fitzpatrick	c66f99fcdc	tailcfg, control/controlclient, ipn/ipnlocal: add c2n (control-to-node) system This lets the control plane can make HTTP requests to nodes. Then we can use this for future things rather than slapping more stuff into MapResponse, etc. Change-Id: Ic802078c50d33653ae1f79d1e5257e7ade4408fd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	9197dd14cc	net/dns: [win] add MagicDNS entries to etc/hosts This works around the 2.3s delay in short name lookups when SNR is enabled. C:\Windows\System32\drivers\etc\hosts file. We only add known hosts that match the search domains, and we populate the list in order of Search Domains so that our matching algorithm mimics what Windows would otherwise do itself if SNR was off. Updates #1659 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Joe Tsai	03f7e4e577	util/hashx: move from sha256x (#5388 )	2 years ago
Joe Tsai	1f7479466e	util/deephash: use sha256x (#5339 ) Switch deephash to use sha256x.Hash. We add sha256x.HashString to efficiently hash a string. It uses unsafe under the hood to convert a string to a []byte. We also modify sha256x.Hash to export the underlying hash.Hash for testing purposes so that we can intercept all hash.Hash calls. Performance: name old time/op new time/op delta Hash-24 19.8µs ± 1% 19.2µs ± 1% -3.01% (p=0.000 n=10+10) HashPacketFilter-24 2.61µs ± 0% 2.53µs ± 1% -3.01% (p=0.000 n=8+10) HashMapAcyclic-24 31.3µs ± 1% 29.8µs ± 0% -4.80% (p=0.000 n=10+9) TailcfgNode-24 1.83µs ± 1% 1.82µs ± 2% ~ (p=0.305 n=10+10) HashArray-24 344ns ± 2% 323ns ± 1% -6.02% (p=0.000 n=9+10) The performance gains is not as dramatic as sha256x over sha256 due to: 1. most of the hashing already occurring through the direct memory hashing logic, and 2. what does not go through direct memory hashing is slowed down by reflect. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Brad Fitzpatrick	ec9d13bce5	hostinfo, net/netcheck: use CutPrefix Updates #5309 Change-Id: I37e594cfd245784bf810c493de68a66d3ff20677 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	f0d6f173c9	net/netcheck: try ICMP if UDP is blocked (#5056 ) Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Tom DNetto	f50043f6cb	tka,types/key: remove dependency for tailcfg & types/ packages on tka Following the pattern elsewhere, we create a new tka-specific types package for the types that need to couple between the serialized structure types, and tka. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	4950fe60bd	syncs, all: move to using Go's new atomic types instead of ours Fixes #5185 Change-Id: I850dd532559af78c3895e2924f8237ccc328449d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Tom DNetto	4001d0bf25	assorted: plumb tka initialization & network-lock key into tailscaled - A network-lock key is generated if it doesn't already exist, and stored in the StateStore. The public component is communicated to control during registration. - If TKA state exists on the filesystem, a tailnet key authority is initialized (but nothing is done with it for now). Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	8725b14056	all: migrate more code code to net/netip directly Instead of going through the tailscale.com/net/netaddr transitional wrappers. Updates #5162 Change-Id: I3dafd1c2effa1a6caa9b7151ecf6edd1a3fda3dd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	eb32847d85	tailcfg: add CapabilityFileSharingTarget to identify FileTargets This adds the inverse to CapabilityFileSharingSend so that senders can identify who they can Taildrop to. Updates #2101 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Tom DNetto	47f91dd732	cmd/tailscale{,d}: update depaware Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	acc3b7f259	go.mod: bump inet.af/wf, tidy This removes inet.af/netaddr from go.{mod,sum}. Updates #5162 Change-Id: I7121e9fbb96d036cf188c51f0b53731570252d69 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	a12aad6b47	all: convert more code to use net/netip directly perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.) perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. ) goimports -w . Then delete some stuff from the net/netaddr shim package which is no longer neeed. Updates #5162 Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7eaf5e509f	net/netaddr: start migrating to net/netip via new netaddr adapter package Updates #5162 Change-Id: Id7bdec303b25471f69d542f8ce43805328d56c12 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	9514ed33d2	go.mod: bump gvisor.dev/gvisor Pick up https://github.com/google/gvisor/pull/7787 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	6b71568eb7	util/cloudenv: add Azure support & DNS IPs And rewrite cloud detection to try to do only zero or one metadata discovery request for all clouds, only doing a first (or second) as confidence increases. Work remains for Windows, but a start. And add Cloud to tailcfg.Hostinfo, which helped with testing using "tailcfg debug hostinfo". Updates #4983 (Linux only) Updates #4984 Change-Id: Ib03337089122ce0cb38c34f724ba4b4812bc614e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	aa37aece9c	ipn/ipnlocal, net/dns, util/cloudenv: add AWS DNS support And remove the GCP special-casing from ipn/ipnlocal; do it only in the forwarder for .internal. Fixes #4980 Fixes #4981 Change-Id: I5c481e96d91f3d51d274a80fbd37c38f16dfa5cb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	88c2afd1e3	ipn/ipnlocal, net/dns, util/cloudenv: specialize DNS config on Google Cloud This does three things: If you're on GCP, it adds a .internal DNS split route to the metadata server, so we never break GCP DNS names. This lets people have some Tailscale nodes on GCP and some not (e.g. laptops at home) without having to add a Tailnet-wide .internal DNS route. If you already have such a route, though, it won't overwrite it. * If the 100.100.100.100 DNS forwarder has nowhere to forward to, it forwards it to the GCP metadata IP, which forwards to 8.8.8.8. This means there are never errNoUpstreams ("upstream nameservers not set") errors on GCP due to e.g. mangled /etc/resolv.conf (GCP default VMs don't have systemd-resolved, so it's likely a DNS supremacy fight) * makes the DNS fallback mechanism use the GCP metadata IP as a fallback before our hosted HTTP-based fallbacks I created a default GCP VM from their web wizard. It has no systemd-resolved. I then made its /etc/resolv.conf be empty and deleted its GCP hostnames in /etc/hosts. I then logged in to a tailnet with no global DNS settings. With this, tailscaled writes /etc/resolv.conf (direct mode, as no systemd-resolved) and sets it to 100.100.100.100, which then has regular DNS via the metadata IP and .internal DNS via the metadata IP as well. If the tailnet configures explicit DNS servers, those are used instead, except for .internal. This also adds a new util/cloudenv package based on version/distro where the cloud type is only detected once. We'll likely expand it in the future for other clouds, doing variants of this change for other popular cloud environments. Fixes #4911 RELNOTES=Google Cloud DNS improvements Change-Id: I19f3c2075983669b2b2c0f29a548da8de373c7cf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	13d0b8e6a4	control/controlclient, net/dnscache: use typed singleflight fork Change-Id: I12be4c5a91ae3a812fe88d9b2d15526fdbb5a921 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Mihai Parparita	edc90ebc61	net/wsconn: remove homegrown wrapper for turning a websocket.Conn into a net.Conn The one from the nhooyr/websocket package seems to work equally well. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Brad Fitzpatrick	a9b4bf1535	ipn/ipnserver, cmd/tailscaled: fix peerapi on Windows We weren't wiring up netstack.Impl to the LocalBackend in some cases on Windows. This fixes Windows 7 when run as a service. Updates #4750 (fixes after pull in to corp repo) Change-Id: I9ce51b797710f2bedfa90545776b7628c7528e99 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Mihai Parparita	a9f32656f5	control/controlhttp: allow client and server to communicate over WebSockets We can't do Noise-over-HTTP in Wasm/JS (because we don't have bidirectional communication), but we should be able to do it over WebSockets. Reuses derp WebSocket support that allows us to turn a WebSocket connection into a net.Conn. Updates #3157 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Maisem Ali	81487169f0	build_docker.sh: pin github.com/tailscale/mkctr Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Aaron Klotz	b005b79236	net/dns, paths, util/winutil: change net/dns/windowsManager NRPT management to support more than 50 domains. AFAICT this isn't documented on MSDN, but based on the issue referenced below, NRPT rules are not working when a rule specifies > 50 domains. This patch modifies our NRPT rule generator to split the list of domains into chunks as necessary, and write a separate rule for each chunk. For compatibility reasons, we continue to use the hard-coded rule ID, but as additional rules are required, we generate new GUIDs. Those GUIDs are stored under the Tailscale registry path so that we know which rules are ours. I made some changes to winutils to add additional helper functions in support of both the code and its test: I added additional registry accessors, and also moved some token accessors from paths to util/winutil. Fixes https://github.com/tailscale/coral/issues/63 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Aaron Klotz	c163b2a3f1	util/winutil, util/winutil/vss: remove winrestore and vss as they are unnecessary. I wrote this code way back at the beginning of my tenure at Tailscale when we had concerns about needing to restore deleted machine keys from backups. We never ended up using this functionality, and the code is now getting in the way, so we might as well remove it. Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Aaron Klotz	d915e0054c	cmd/tailscaled: change Windows service shutdown and add optional event logging Once a stop request is received and the service updates its status to `svc.StopPending`, it should continue running until the shutdown sequence is complete, and then return out of `(*ipnService).Execute`, which automatically sends a `svc.Stopped` notification to Windows. To make this happen, I changed the loop so that it runs until `doneCh` is closed, and then returns. I also removed a spurious `svc.StopPending` notification that the Windows Service Control Manager might be interpreting as a request for more time to shut down. Finally, I added some optional logging that sends a record of service notifications to the Windows event log, allowing us to more easily correlate with any Service Control Manager errors that are sent to the same log. Change-Id: I5b596122e5e89c4c655fe747a612a52cb4e8f1e0 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Brad Fitzpatrick	c88506caa6	ipn/ipnlocal: add Wake-on-LAN function to peerapi No CLI support yet. Just the curl'able version if you know the peerapi port. (like via a TSMP ping) Updates #306 Change-Id: I0662ba6530f7ab58d0ddb24e3664167fcd1c4bcf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	3601b43530	ipn: add IPCVersion override func I've done this a handful of times in the past and again today. Time to make it a supported thing for the future. Used while debugging tailscale/corp#4559 (macsys CLI issues) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	910ae68e0b	util/mak: move tailssh's mapSet into a new package for reuse elsewhere Change-Id: Idfe95db82275fd2be6ca88f245830731a0d5aecf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	695f8a1d7e	ssh/tailssh: add support for sftp Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	53588f632d	Revert "wgengine/router,util/kmod: load & log xt_mark" This reverts commit `8d6793fd70`. Reason: breaks Android build (cgo/pthreads addition) We can try again next cycle. Change-Id: I5e7e1730a8bf399a8acfce546a6d22e11fb835d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	8d6793fd70	wgengine/router,util/kmod: load & log xt_mark Attempt to load the xt_mark kernel module when it is not present. If the load fails, log error information. It may be tempting to promote this failure to an error once it has been in use for some time, so as to avoid reaching an error with the iptables invocation, however, there are conditions under which the two stages may disagree - this change adds more useful breadcrumbs. Example new output from tailscaled running under my WSL2: ``` router: ensure module xt_mark: "/usr/sbin/modprobe xt_mark" failed: exit status 1; modprobe: FATAL: Module xt_mark not found in directory /lib/modules/5.10.43.3-microsoft-standard-WSL2 ``` Background: There are two places to lookup modules, one is `/proc/modules` "old", the other is `/sys/module/` "new". There was query_modules(2) in linux <2.6, alas, it is gone. In a docker container in the default configuration, you would get /proc/modules and /sys/module/ both populated. lsmod may work file, modprobe will fail with EPERM at `finit_module()` for an unpriviliged container. In a priviliged container the load may succeed, if some conditions are met. This condition should be avoided, but the code landing in this change does not attempt to avoid this scenario as it is both difficult to detect, and has a very uncertain impact. In an nspawn container `/proc/modules` is populated, but `/sys/module` does not exist. Modern `lsmod` versions will fail to gather most module information, without sysfs being populated with module information. In WSL2 modules are likely missing, as the in-use kernel typically is not provided by the distribution filesystem, and WSL does not mount in a module filesystem of its own. Notably the WSL2 kernel supports iptables marks without listing the xt_mark module in /sys/module, and /proc/modules is empty. On a recent kernel, we can ask the capabilities system about SYS_MODULE, that will help to disambiguate between the non-privileged container case and just being root. On older kernels these calls may fail. Update #4329 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Brad Fitzpatrick	8ee044ea4a	ssh/tailssh: make the SSH server a singleton, register with LocalBackend Remove the weird netstack -> tailssh dependency and instead have tailssh register itself with ipnlocal when linked. This makes tailssh.server a singleton, so we can have a global map of all sessions. Updates #3802 Change-Id: Iad5caec3a26a33011796878ab66b8e7b49339f29 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
phirework	83c734a6e0	net/dns, util/publicdns: extract public DNS mapping into own package (#4405 ) This extracts DOH mapping of known public DNS providers in forwarder.go into its own package, to be consumed by other repos Signed-off-by: Jenny Zhang <jz@tailscale.com>	2 years ago
James Tucker	2550acfd9d	go.mod: bump netstack for clone reset fix (#4379 ) In tracking down issue #4144 and reading through the netstack code in detail, I discovered that the packet buf Clone path did not reset the packetbuf it was getting from the sync.Pool. The fix was sent upstream https://github.com/google/gvisor/pull/7385, and this bump pulls that in. At this time there is no known path that this fixes, however at the time of upstream submission this reset at least one field that could lead to incorrect packet routing if exercised, a situation that could therefore lead to an information leak. Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	c6ac29bcc4	wgengine/netstack: disable refsvfs2 leak tracking (#4378 ) In addition an envknob (TS_DEBUG_NETSTACK_LEAK_MODE) now provides access to set leak tracking to more useful values. Fixes #4309 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Brad Fitzpatrick	5a44f9f5b5	tempfork: temporarily fork gliderlabs/ssh and x/crypto/ssh While we rearrange/upstream things. gliderlabs/ssh is forked into tempfork from our prior fork at `be8b7add40` x/crypto/ssh OTOH is forked at https://github.com/tailscale/golang-x-crypto because it was gnarlier to vendor with various internal packages, etc. Its git history shows where it starts (2c7772ba30643b7a2026cbea938420dce7c6384d). Updates #3802 Change-Id: I546e5cdf831cfc030a6c42557c0ad2c58766c65f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Aaron Klotz	6e91f872af	net/tshttpproxy: ensure we pass the correct flags to WinHttpOpen on Win7 and Win8.0 The best flag to use on Win7 and Win8.0 is deprecated in Win8.1, so we resolve the flag depending on OS version info. Fixes https://github.com/tailscale/tailscale/issues/4201 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Josh Bleecher Snyder	997b19545b	syncs: use TryLock and TryRLock instead of unsafe The docs say: Note that while correct uses of TryLock do exist, they are rare, and use of TryLock is often a sign of a deeper problem in a particular use of mutexes. Rare code! Or bad code! Who can tell! Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2 years ago
Josh Bleecher Snyder	8c2cb4b431	go.mod: update to latest certstore It includes a fix to allow us to use Go 1.18. We can now remove our Tailscale-only build tags. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2 years ago
Josh Bleecher Snyder	26021b07ec	control/controlclient: only build certstore-related code with the Tailscale Go toolchain The certstore code is impacted by golang/go#51726. The Tailscale Go toolchain fork contains a temporary workaround, so it can compile it. Once the upstream toolchain can compile certstore, presumably in Go 1.18.1, we can revert this change. Note that depaware runs with the upstream toolchain. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2 years ago
Josh Bleecher Snyder	1b57b0380d	wgengine/magicsock: remove final alloc from ReceiveFrom And now that we don't have to play escape analysis and inlining games, simplify the code. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2 years ago
Josh Bleecher Snyder	71b535fc94	go.mod: require Go 1.18 Also, update depaware for Go 1.18's dependency tree. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2 years ago

1 2 3 4 5

234 Commits (445c8a46710f6f99634cc57037dae9184486feae)