tailscale

Commit Graph

Author	SHA1	Message	Date
Joe Tsai	9cb6c5bb78	util/httphdr: add new package for parsing HTTP headers (#9797 ) This adds support for parsing Range and Content-Range headers according to RFC 7230. The package could be extended in the future to handle other headers. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	9 months ago
Claire Wang	754fb9a8a8	tailcfg: add tailnet field to register request (#9675 ) Updates tailscale/corp#10967 Signed-off-by: Claire Wang <claire@tailscale.com>	9 months ago
James Tucker	11348fbe72	util/nocasemaps: import nocasemaps from corp This is a dependency of other code being imported later. Updates tailscale/corp#15043 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Maisem Ali	fbfee6a8c0	cmd/containerboot: use linuxfw.NetfilterRunner This migrates containerboot to reuse the NetfilterRunner used by tailscaled instead of manipulating iptables rule itself. This has the added advantage of now working with nftables and we can potentially drop the `iptables` command from the container image in the future. Updates #9310 Co-authored-by: Irbe Krumina <irbe@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	aad3584319	util/linuxfw: move fake runner into pkg This allows using the fake runner in different packages that need to manage filter rules. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Paul Scott	4e083e4548	util/cmpver: only consider ascii numerals (#9741 ) Fixes #9740 Signed-off-by: Paul Scott <paul@tailscale.com>	9 months ago
Maisem Ali	05a1f5bf71	util/linuxfw: move detection logic Just a refactor to consolidate the firewall detection logic in a single package so that it can be reused in a later commit by containerboot. Updates #9310 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
James Tucker	ba6ec42f6d	util/linuxfw: add missing input rule to the tailscale tun Add an explicit accept rule for input to the tun interface, as a mirror to the explicit rule to accept output from the tun interface. The rule matches any packet in to our tun interface and accepts it, and the rule is positioned and prioritized such that it should be evaluated prior to conventional ufw/iptables/nft rules. Updates #391 Fixes #7332 Updates #9084 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Kristoffer Dalby	7f540042d5	ipn/ipnlocal: use syspolicy to determine collection of posture data Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Andrew Dunham	5902d51ba4	util/race: add test to confirm we don't leak goroutines Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Iff147268db50251d498fff5213adb8d4b8c999d4	9 months ago
Andrew Dunham	286c6ce27c	net/dns/resolver: race UDP and TCP queries (#9544 ) Instead of just falling back to making a TCP query to an upstream DNS server when the UDP query returns a truncated query, also start a TCP query in parallel with the UDP query after a given race timeout. This ensures that if the upstream DNS server does not reply over UDP (or if the response packet is blocked, or there's an error), we can still make queries if the server replies to TCP queries. This also adds a new package, util/race, to contain the logic required for racing two different functions and returning the first non-error answer. Updates tailscale/corp#14809 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I4311702016c1093b1beaa31b135da1def6d86316	9 months ago
Brad Fitzpatrick	b775a3799e	util/httpm, all: add a test to make sure httpm is used consistently Updates #cleanup Change-Id: I7dbf8a02de22fc6b317ab5e29cc97792dd75352c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	5f5c9142cc	util/slicesx: add EqualSameNil, like slices.Equal but same nilness Then use it in tailcfg which had it duplicated a couple times. I think we have it a few other places too. And use slices.Equal in wgengine/router too. (found while looking for callers) Updates #cleanup Change-Id: If5350eee9b3ef071882a3db29a305081e4cd9d23 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Claire Wang	a56e58c244	util/syspolicy: add read boolean setting (#9592 )	9 months ago
Chris Palmer	8833dc51f1	util/set: add some useful utility functions for Set (#9535 ) Also give each type of set its own file. Updates #cleanup Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	9 months ago
Claire Wang	32c0156311	util: add syspolicy package (#9550 ) Add a more generalized package for getting policies. Updates tailcale/corp#10967 Signed-off-by: Claire Wang <claire@tailscale.com> Co-authored-by: Adrian Dewhurst <adrian@tailscale.com>	9 months ago
James Tucker	2066f9fbb2	util/linuxfw: fix crash in DelSNATRule when no rules are found Appears to be a missing nil handling case. I looked back over other usage of findRule and the others all have nil guards. findRule returns nil when no rules are found matching the arguments. Fixes #9553 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Claire Wang	e3d6236606	winutil: refactor methods to get values from registry to also return (#9536 ) errors Updates tailscale/corp#14879 Signed-off-by: Claire Wang <claire@tailscale.com>	9 months ago
David Anderson	ed50f360db	util/lru: update c.head when deleting the most recently used entry Fixes tailscale/corp#14747 Signed-off-by: David Anderson <danderson@tailscale.com> Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: David Anderson <danderson@tailscale.com>	10 months ago
Brad Fitzpatrick	dc7aa98b76	all: use set.Set consistently instead of map[T]struct{} I didn't clean up the more idiomatic map[T]bool with true values, at least yet. I just converted the relatively awkward struct{}-valued maps. Updates #cleanup Change-Id: I758abebd2bb1f64bc7a9d0f25c32298f4679c14f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
David Anderson	95082a8dde	util/lru, util/limiter: add debug helper to dump state as HTML For use in tsweb debug handlers, so that we can easily inspect cache and limiter state when troubleshooting. Updates tailscale/corp#3601 Signed-off-by: David Anderson <danderson@tailscale.com>	10 months ago
Craig Rodrigues	8452d273e3	util/linuxfw: Fix comment which lists supported linux arches Only arm64 and amd64 are supported Signed-off-by: Craig Rodrigues <rodrigc@crodrigues.org>	10 months ago
David Anderson	0909e90890	util/lru: replace container/list with a custom ring implementation pre-generics container/list is quite unpleasant to use, and the pointer manipulation operations for an LRU are simple enough to implement directly now that we have generic types. With this change, the LRU uses a ring (aka circularly linked list) rather than a simple doubly-linked list as its internals, because the ring makes list manipulation edge cases more regular: the only remaining edge case is the transition between 0 and 1 elements, rather than also having to deal specially with manipulating the first and last members of the list. While the primary purpose was improved readability of the code, as it turns out removing the indirection through an interface box also speeds up the LRU: │ before.txt │ after.txt │ │ sec/op │ sec/op vs base │ LRU-32 67.05n ± 2% 59.73n ± 2% -10.90% (p=0.000 n=20) │ before.txt │ after.txt │ │ B/op │ B/op vs base │ LRU-32 21.00 ± 0% 10.00 ± 0% -52.38% (p=0.000 n=20) │ before.txt │ after.txt │ │ allocs/op │ allocs/op vs base │ LRU-32 0.000 ± 0% 0.000 ± 0% ~ (p=1.000 n=20) ¹ Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>	10 months ago
David Anderson	472eb6f6f5	util/lru: add a microbenchmark The benchmark simulates an LRU being queries with uniformly random inputs, in a set that's too large for the LRU, which should stress the eviction codepath. Signed-off-by: David Anderson <danderson@tailscale.com>	10 months ago
David Anderson	96c2cd2ada	util/limiter: add a keyed token bucket rate limiter Updates tailscale/corp#3601 Signed-off-by: David Anderson <danderson@tailscale.com>	10 months ago
Anton Tolchanov	86b0fc5295	util/cmpver: add a few tests covering different OS versions Updates tailscale/corp#14491 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	10 months ago
Brad Fitzpatrick	7175f06e62	util/rands: add package with HexString func We use it a number of places in different repos. Might as well make one. Another use is coming. Updates #cleanup Change-Id: Ib7ce38de0db35af998171edee81ca875102349a4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Craig Rodrigues	8683ce78c2	client/web, clientupdate, util/linuxfw, wgengine/magicsock: Use %v verb for errors Replace %w verb with %v verb when logging errors. Use %w only for wrapping errors with fmt.Errorf() Fixes: #9213 Signed-off-by: Craig Rodrigues <rodrigc@crodrigues.org>	10 months ago
Maisem Ali	306b85b9a3	cmd/k8s-operator: add metrics to track usage Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Brad Fitzpatrick	4af22f3785	util/deephash: add IncludeFields, ExcludeFields HasherForType Options Updates tailscale/corp#6198 Change-Id: Iafc18c5b947522cf07a42a56f35c0319cc7b1c94 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Aaron Klotz	6b6a8cf843	util/osdiag: add query for Windows page file configuration and status It's very common for OOM crashes on Windows to be caused by lack of page file space (the NT kernel does not overcommit). Since Windows automatically manages page file space by default, unless the machine is out of disk space, this is typically caused by manual page file configurations that are too small. This patch obtains the current page file size, the amount of free page file space, and also determines whether the page file is automatically or manually managed. Fixes #9090 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	10 months ago
Aaron Klotz	5fb1695bcb	util/osdiag, util/osdiag/internal/wsc: add code to probe the Windows Security Center for installed software The Windows Security Center is a component that manages the registration of security products on a Windows system. Only products that have obtained a special cert from Microsoft may register themselves using the WSC API. Practically speaking, most vendors do in fact sign up for the program as it enhances their legitimacy. From our perspective, this is useful because it gives us a high-signal source of information to query for the security products installed on the system. I've tied this query into the osdiag package and is run during bugreports. It uses COM bindings that were automatically generated by my prototype metadata processor, however that program still has a few bugs, so I had to make a few manual tweaks. I dropped those binding into an internal package because (for the moment, at least) they are effectively purpose-built for the osdiag use case. We also update the wingoes dependency to pick up BSTR. Fixes #10646 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	10 months ago
Aaron Klotz	ea693eacb6	util/winutil: add RegisterForRestart, allowing programs to indicate their preferences to the Windows restart manager In order for the installer to restart the GUI correctly post-upgrade, we need the GUI to be able to register its restart preferences. This PR adds API support for doing so. I'm adding it to OSS so that it is available should we need to do any such registrations on OSS binaries in the future. Updates https://github.com/tailscale/corp/issues/13998 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	10 months ago
Brad Fitzpatrick	1b223566dd	util/linuxfw: fix typo in unexported doc comment And flesh it out and use idiomatic doc style ("whether" for bools) and end in a period while there anyway. Updates #cleanup Change-Id: Ieb82f13969656e2340c3510e7b102dc8e6932611 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	f35ff84ee2	util/deephash: relax an annoyingly needy test I'd added a test case of deephash against a tailcfg.Node to make sure it worked at all more than anything. We don't care what the exact bytes are in this test, just that it doesn't fail. So adjust for that. Then when we make changes to tailcfg.Node and types under it, we don't need to keep adjusting this test. Updates #cleanup Change-Id: Ibf4fa42820aeab8f5292fe65f9f92ffdb0b4407b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
KevinLiang10	b040094b90	util/linuxfw: reorganize nftables rules to allow it to work with ufw This commit tries to mimic the way iptables-nft work with the filewall rules. We follow the convention of using tables like filter, nat and the conventional chains, to make our nftables implementation work with ufw. Updates: #391 Signed-off-by: KevinLiang10 <kevinliang@tailscale.com>	11 months ago
Brad Fitzpatrick	bc0eb6b914	all: import x/exp/maps as xmaps to distinguish from Go 1.21 "maps" Updates #8419 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	e8551d6b40	all: use Go 1.21 slices, maps instead of x/exp/{slices,maps} Updates #8419 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Aaron Klotz	c17a817769	util/osdiag: add logging for winsock layered service providers to Windows bugreports The Layered Service Provider (LSP) is a deprecated (but still supported) mechanism for inserting user-mode DLLs into a filter chain between the Winsock API surface (ie, ws2_32.dll) and the internal user-mode interface to the networking stack. While their use is becoming more rare due to the aforementioned deprecation, it is still possible for third-party software to install their DLLs into this filter chain and interfere with Winsock API calls. Knowing whether this is happening is useful for troubleshooting. Fixes https://github.com/tailscale/tailscale/issues/8142 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	11 months ago
Aaron Klotz	b07347640c	util/winutil/authenticode: add missing docs for CertSubjectError A #cleanup PR. Signed-off-by: Aaron Klotz <aaron@tailscale.com>	11 months ago
Brad Fitzpatrick	7a5263e6d0	util/linuxfw: rename ErrorFWModeNotSupported Go style is for error variables to start with "err" (or "Err") and for error types to end in "Error". Updates #cleanup Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Aaron Klotz	3d2e35c053	util/winutil/authenticode: fix an inaccurate doc comment A #cleanup PR Signed-off-by: Aaron Klotz <aaron@tailscale.com>	11 months ago
Brad Fitzpatrick	66f27c4beb	all: require Go 1.21 Updates #8419 Change-Id: I809b6a4d59d92a2ab6ec587ccbb9053376bf02c2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Maisem Ali	682fd72f7b	util/testenv: add new package to hold InTest Removes duplicated code. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	11 months ago
KevinLiang10	ae63c51ff1	wgengine/router: add auto selection heuristic for iptables/nftables This commit replaces the TS_DEBUG_USE_NETLINK_NFTABLES envknob with a TS_DEBUG_FIREWALL_MODE that should be set to either 'iptables' or 'nftables' to select firewall mode manually, other wise tailscaled will automatically choose between iptables and nftables depending on environment and system availability. updates: #319 Signed-off-by: KevinLiang10 <kevinliang@tailscale.com>	11 months ago
Aaron Klotz	37925b3e7a	go.mod, cmd/tailscaled, ipn/localapi, util/osdiag, util/winutil, util/winutil/authenticode: add Windows module list to OS-specific logs that are written upon bugreport * We update wingoes to pick up new version information functionality (See pe/version.go in the https://github.com/dblohm7/wingoes repo); * We move the existing LogSupportInfo code (including necessary syscall stubs) out of util/winutil into a new package, util/osdiag, and implement the public LogSupportInfo function may be implemented for other platforms as needed; * We add a new reason argument to LogSupportInfo and wire that into localapi's bugreport implementation; * We add module information to the Windows implementation of LogSupportInfo when reason indicates a bugreport. We enumerate all loaded modules in our process, and for each one we gather debug, authenticode signature, and version information. Fixes #7802 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	11 months ago
Aaron Klotz	7adf15f90e	cmd/tailscale/cli, util/winutil/authenticode: flesh out authenticode support Previously, tailscale upgrade was doing the bare minimum for checking authenticode signatures via `WinVerifyTrustEx`. This is fine, but we can do better: * WinVerifyTrustEx verifies that the binary's signature is valid, but it doesn't determine whose signature is valid; tailscale upgrade should also ensure that the binary is actually signed by us. * I added the ability to check the signatures of MSI files. * In future PRs I will be adding diagnostic logging that lists details about every module (ie, DLL) loaded into our process. As part of that metadata, I want to be able to extract information about who signed the binaries. This code is modelled on some C++ I wrote for Firefox back in the day. See https://searchfox.org/mozilla-central/rev/27e4816536c891d85d63695025f2549fd7976392/toolkit/xre/dllservices/mozglue/Authenticode.cpp for reference. Fixes #8284 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	11 months ago
David Anderson	52212f4323	all: update exp/slices and fix call sites slices.SortFunc suffered a late-in-cycle API breakage. Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>	11 months ago
Maisem Ali	1ecc16da5f	tailcfg,ipn/ipnlocal,wgengine: add values to PeerCapabilities Define PeerCapabilty and PeerCapMap as the new way of sending down inter-peer capability information. Previously, this was unstructured and you could only send down strings which got too limiting for certain usecases. Instead add the ability to send down raw JSON messages that are opaque to Tailscale but provide the applications to define them however they wish. Also update accessors to use the new values. Updates #4217 Signed-off-by: Maisem Ali <maisem@tailscale.com>	11 months ago
Brad Fitzpatrick	88cc0ad9f7	util/linuxfw: remove yet-unused code to fix linux/arm64 crash The util/linuxfw/iptables.go had a bunch of code that wasn't yet used (in prep for future work) but because of its imports, ended up initializing code deep within gvisor that panicked on init on arm64 systems not using 4KB pages. This deletes the unused code to delete the imports and remove the panic. We can then cherry-pick this back to the branch and restore it later in a different way. A new test makes sure we don't regress in the future by depending on the panicking package in question. Fixes #8658 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	12 months ago

1 2 3 4 5 ...

266 Commits (5297bd2cff8ed03679d06c44d5fb5296a67dee65)