tailscale

Commit Graph

Author	SHA1	Message	Date
Jordan Whited	6d4973e1e0	wgengine/netstack: use types/logger.Logf instead of stdlib log.Printf (#13267 ) Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 weeks ago
Brad Fitzpatrick	f99f970dc1	tstest/natlab/vnet: rename some things for clarity The bad naming (which had only been half updated with the IPv6 changes) tripped me up in the earlier change. Updates #13038 Change-Id: I65ce07c167e8219d35b87e1f4bf61aab4cac31ff Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	0157000cab	tstest/natlab: fix IPv6 tests, remove TODOs The reason they weren't working was because the cmd/tta agent in the guest was dialing out to the test and the vnet couldn't map its global unicast IPv6 address to a node as it was just using a map[netip.Addr]node and blindly trusting the node was populated. Instead, it was nil, so the agent connection fetching didn't work for its RoundTripper and the test could never drive the node. That map worked for IPv4 but for IPv6 we need to use the method that takes into account the node's IPv6 SLAAC address. Most call sites had been converted but I'd missed that one. Also clean up some debug, and prohibit nodes' link-local unicast addresses from dialing 2000::/3 directly for now. We can allow that to be configured opt-in later (some sort of IPv6 NAT mode. Whatever it's called.) That mode was working on accident, but was confusing: Linux would do source address selection from link local for the first few seconds and then after SLAAC and DAD, switch to using the global unicast source address. Be consistent for now and force it to use the global unicast. Updates #13038 Change-Id: I85e973aaa38b43c14611943ff45c7c825ee9200a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	9f7683e2a1	logpolicy: extend the gokrazy/natlab wait-for-network delay for IPv6 Really we need to fix logpolicy + bootstrapDNS to not be so aggressive, but this is a quick workaround meanwhile. Without this, tailscaled starts immediately while IPv6 DAD is happening for a couple seconds and logpolicy freaks out without the network available and starts spamming stderr about bootstrap DNS options. But we see that regularly anyway from people whose wifi is down. So we need to fix the general case. This is not that fix. Updates #13038 Change-Id: Iba7e536d08e59d34abded1d279f88fdc9c46d94d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	2636a83d0e	cmd/tta: pull out test driver dialing into a type, fix bugs There were a few places it could get wedged (notably the dial without a timeout). And add a knob for verbose debug logs. And keep two idle connections always. Updates #13038 Change-Id: I952ad182d7111481d97a83c12aa2ff4bfdc55fe8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	6dd1af0d1e	tstest/natlab: refactor HandleEthernetPacketForRouter a bit Move all the UDP handling to its own func to remove a bunch of "if isUDP" checks in a bunch of blocks. Updates #13038 Change-Id: If71d71b49e57651d15bd307a2233c43751cc8639 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	3a8cfbc381	tstest/natlab: be more paranoid about IP versions from gvisor I didn't actually see this, but added this while debugging something and figured it'd be good to keep. Updates #13038 Change-Id: I67934c8a329e0233f79c3b08516fd6bad6bfe22a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	e0bdd5d058	tstest/natlab: simplify a defer Updates #13038 Change-Id: I4d38701491523c64c81767b0838010609e683a9f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Will Norris	cccacff564	types/opt: add BoolFlag for setting Bool value as a flag Updates tailscale/corp#22578 Signed-off-by: Will Norris <will@tailscale.com>	4 weeks ago
James Tucker	8af50fa97c	ipn/ipnlocal: update routes on link change with ExitNodeAllowLANAccess On a major link change the LAN routes may change, so on linkChange where ChangeDelta.Major, we need to call authReconfig to ensure that new routes are observed and applied. Updates tailscale/corp#22574 Signed-off-by: James Tucker <james@tailscale.com>	4 weeks ago
Brad Fitzpatrick	b78df4d48a	tstest/natlab/vnet: add start of IPv6 support Updates #13038 Change-Id: Ic3d095f167daf6c7129463e881b18f2e0d5693f5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Maisem Ali	31b5239a2f	tstest/natlab/vnet: flush and sync pcap file after every packet So that we can view the pcap as we debug interactively. Updates #13038 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 weeks ago
Jordan Whited	978306565d	tstest/integration: change log.Fatal() to t.Fatal() (#13253 ) Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 weeks ago
Jordan Whited	367bfa607c	tstest/integration: exercise TCP DNS queries against quad-100 (#13231 ) Updates tailscale/corp#22511 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 weeks ago
Jordan Whited	641693d61c	ipn/ipnlocal: install IPv6 service addr route (#13252 ) This is the equivalent of quad-100, but for IPv6. This is technically already contained in the Tailscale IPv6 ULA prefix, but that is only installed when remote peers are visible via control with contained addrs. The service addr should always be reachable. Updates #1152 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 weeks ago
Brad Fitzpatrick	475ab1fb67	cmd/vnet: omit log spam when backend status hasn't changed Updates #13038 Change-Id: I9cc67cf18ba44ff66ba03cda486d5e111e395ce7	4 weeks ago
Brad Fitzpatrick	e5fd36ad78	tstest/natlab: respect NATTable interface's invalid-means-drop everywhere And sprinkle some more docs around. Updates #13038 Change-Id: Ia2dcf567b68170481cc2094d64b085c6b94a778a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Nick Khyl	03acab2639	cmd/cloner, cmd/viewer, util/codegen: add support for aliases of cloneable types We have several checked type assertions to types.Named in both cmd/cloner and cmd/viewer. As Go 1.23 updates the go/types package to produce Alias type nodes for type aliases, these type assertions no longer work as expected unless the new behavior is disabled with gotypesalias=0. In this PR, we add codegen.NamedTypeOf(t types.Type), which functions like t.(types.Named) but also unrolls type aliases. We then use it in place of type assertions in the cmd/cloner and cmd/viewer packages where appropriate. We also update type switches to include types.Alias alongside types.Named in relevant cases, remove *types.Struct cases when switching on types.Type.Underlying and update the tests with more cases where type aliases can be used. Updates #13224 Updates #12912 Signed-off-by: Nick Khyl <nickk@tailscale.com>	4 weeks ago
Nick Khyl	a9dc6e07ad	util/codegen, cmd/cloner, cmd/viewer: update codegen.LookupMethod to support alias type nodes Go 1.23 updates the go/types package to produce Alias type nodes for type aliases, unless disabled with gotypesalias=0. This new default behavior breaks codegen.LookupMethod, which uses checked type assertions to types.Named and types.Interface, as only named types and interfaces have methods. In this PR, we update codegen.LookupMethod to perform method lookup on the right-hand side of the alias declaration and clearly switch on the supported type nodes types. We also improve support for various edge cases, such as when an alias is used as a type parameter constraint, and add tests for the LookupMethod function. Additionally, we update cmd/viewer/tests to include types with aliases used in type fields and generic type constraints. Updates #13224 Updates #12912 Signed-off-by: Nick Khyl <nickk@tailscale.com>	4 weeks ago
Brad Fitzpatrick	aa42ae9058	tstest/natlab: make a new virtualIP type in prep for IPv6 support All the magic service names with virtual IPs will need IPv6 variants. Pull this out in prep. Updates #13038 Change-Id: I53b5eebd0679f9fa43dc0674805049258c83a0de Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	5a99940dfa	tstest/natlab/vnet: explicitly ignore PCP and SSDP UDP queries So we don't log about them when verbose logging is enabled. Updates #13038 Change-Id: I925bc3a23e6c93d60dd4fb4bf6a4fdc5a326de95 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	3b70968c25	cmd/vnet: add --blend and --pcap flags Updates #13038 Change-Id: Id16ea9eb94447a3d9651215f04b2525daf10b3eb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	3904e4d175	cmd/tta, tstest/natlab/vnet: remove unneeded port 124 log hack, add log buffer The natlab Test Agent (tta) still had its old log streaming hack in place where it dialed out to anything on TCP port 124 and those logs were streamed to the host running the tests. But we'd since added gokrazy syslog streaming support, which made that redundant. So remove all the port 124 stuff. And then make sure we log to stderr so gokrazy logs it to syslog. Also, keep the first 1MB of logs in memory in tta too, exported via localhost:8034/logs for interactive debugging. That was very useful during debugging when I added IPv6 support. (which is coming in future PRs) Updates #13038 Change-Id: Ieed904a704410b9031d5fd5f014a73412348fa7f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Flakes Updater	d862898fd3	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	4 weeks ago
Brad Fitzpatrick	b091264c0a	cmd/systray: set ipn.NotifyNoPrivateKeys, permit non-operator use Otherwise you get "Access denied: watch IPN bus access denied, must set ipn.NotifyNoPrivateKeys when not running as admin/root or operator". This lets a non-operator at least start the app and see the status, even if they can't change everything. (the web UI is unaffected by operator) A future change can add a LocalAPI call to check permissions and guide people through adding a user as an operator (perhaps the web client can do that?) Updates #1708 Change-Id: I699e035a251b4ebe14385102d5e7a2993424c4b7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Will Norris	3c66ee3f57	cmd/systray: add a basic linux systray app This adds a systray app for linux, similar to the apps for macOS and windows. There are already a number of community-developed systray apps, but most of them are either long abandoned, are built for a specific desktop environment, or simply wrap the tailscale CLI. This uses fyne.io/systray (a fork of github.com/getlantern/systray) which uses newer D-Bus specifications to render the tray icon and menu. This results in a pretty broad support for modern desktop environments. This initial commit lacks a number of features like profile switching, device listing, and exit node selection. This is really focused on the application structure, the interaction with LocalAPI, and some system integration pieces like the app icon, notifications, and the clipboard. Updates #1708 Signed-off-by: Will Norris <will@tailscale.com>	4 weeks ago
Flakes Updater	6280c44be1	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	4 weeks ago
Jonathan Nobels	1191eb0e3d	tstest/natlab: add unix address to writer for dgram mode updates tailcale/corp#22371 For dgram mode, we need to store the write addresses of the client socket(s) alongside the writer functions and the write operation needs to use WriteToUnix. Unix also has multiple clients writing to the same socket, so the serve method is modified to handle packets from multiple mac addresses. Cleans up a bit of cruft from the initial tailmac tooling commit. Now all the macOS packets are belong to us. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	4 weeks ago
Percy Wegmann	743d296073	update to github.com/tailscale/netlink library that doesn't require vishvananda/netlink Fixes #12298 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 weeks ago
Percy Wegmann	d00d6d6dc2	go.mod: update to github.com/tailscale/netlink library that doesn't require vishvananda/netlink After the upstream PR is merged, we can point directly at github.com/vishvananda/netlink and retire github.com/tailscale/netlink. See https://github.com/vishvananda/netlink/pull/1006 Updates #12298 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 weeks ago
Brad Fitzpatrick	e54c81d1d0	types/views: add Slice.All iterator And convert a few callers as an example, but nowhere near all. Updates #12912 Change-Id: I5eaa12a29a6cd03b58d6f1072bd27bc0467852f2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Flakes Updater	aedfb82876	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	4 weeks ago
Ilarion Kovalchuk	0cb7eb9b75	net/dns: updated gonotify dependency to v2 that supports closable context Signed-off-by: Ilarion Kovalchuk <illarion.kovalchuk@gmail.com>	4 weeks ago
Brad Fitzpatrick	696711cc17	all: switch to and require Go 1.23 Updates #12912 Change-Id: Ib4ae26eb5fb68ad2216cab4913811b94f7eed5b6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	0ff474ff37	all: fix new lint warnings from bumping staticcheck In prep for updating to new staticcheck required for Go 1.23. Updates #12912 Change-Id: If77892a023b79c6fa798f936fc80428fd4ce0673 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Percy Wegmann	4637ac732e	ipn/ipnlocal: remember last notified taildrive shares and only notify if they've changed Fixes #13195 Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 month ago
Brad Fitzpatrick	690d3bfafe	cmd/tailscale/cli: add debug command to do DNS lookups portably To avoid dig vs nslookup vs $X availability issues between OSes/distros. And to be in Go, to match the resolver we use. Updates #13038 Change-Id: Ib7e5c351ed36b5470a42cbc230b8f27eed9a1bf8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Jordan Whited	8e42510a71	wgengine/netstack: disable gVisor GSO on Linux (#13215 ) net/tstun.Wrapper.InjectInboundPacketBuffer is not GSO-aware, which can break quad-100 TCP streams as a result. Linux is the only platform where gVisor GSO was previously enabled. Updates tailscale/corp#22511 Updates #13211 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 month ago
Percy Wegmann	4b525fdda0	ssh/tailssh: only chdir incubator process to user's homedir when necessary and possible Instead of changing the working directory before launching the incubator process, this now just changes the working directory after dropping privileges, at which point we're more likely to be able to enter the user's home directory since we're running as the user. For paths that use the 'login' or 'su -l' commands, those already take care of changing the working directory to the user's home directory. Fixes #13120 Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 month ago
Nick Khyl	af3d3c433b	types/prefs: add a package containing generic preference types This adds a new package containing generic types to be used for defining preference hierarchies. These include prefs.Item, prefs.List, prefs.StructList, and prefs.StructMap. Each of these types represents a configurable preference, holding the preference's state, value, and metadata. The metadata includes the default value (if it differs from the zero value of the Go type) and flags indicating whether a preference is managed via syspolicy or is hidden/read-only for another reason. This information can be marshaled and sent to the GUI, CLI and web clients as a source of truth regarding preference configuration, management, and visibility/mutability states. We plan to use these types to define device preferences, such as the updater preferences, the permission mode to be used on Windows with #tailscale/corp#18342, and certain global options that are currently exposed as tailscaled flags. We also aim to eventually use these types for profile-local preferences in ipn.Prefs and and as a replacement for ipn.MaskedPrefs. The generic preference types are compatible with the tailscale.com/cmd/viewer and tailscale.com/cmd/cloner utilities. Updates #12736 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 month ago
Anton Tolchanov	151b77f9d6	cmd/tl-longchain: tool to re-sign nodes with long rotation signatures In Tailnet Lock, there is an implicit limit on the number of rotation signatures that can be chained before the signature becomes too long. This program helps tailnet admins to identify nodes that have signatures with long chains and prints commands to re-sign those node keys with a fresh direct signature. It's a temporary mitigation measure, and we will remove this tool as we design and implement a long-term approach for rotation signatures. Example output: ``` 2024/08/20 18:25:03 Self: does not need re-signing 2024/08/20 18:25:03 Visible peers with valid signatures: 2024/08/20 18:25:03 Peer xxx2.yy.ts.net. (100.77.192.34) nodeid=nyDmhiZiGA11KTM59, current signature kind=direct: does not need re-signing 2024/08/20 18:25:03 Peer xxx3.yy.ts.net. (100.84.248.22) nodeid=ndQ64mDnaB11KTM59, current signature kind=direct: does not need re-signing 2024/08/20 18:25:03 Peer xxx4.yy.ts.net. (100.85.253.53) nodeid=nmZfVygzkB21KTM59, current signature kind=rotation: chain length 4, printing command to re-sign tailscale lock sign nodekey:530bddbfbe69e91fe15758a1d6ead5337aa6307e55ac92dafad3794f8b3fc661 tlpub:4bf07597336703395f2149dce88e7c50dd8694ab5bbde3d7c2a1c7b3e231a3c2 ``` To support this, the NetworkLockStatus localapi response now includes information about signatures of all peers rather than just the invalid ones. This is not displayed by default in `tailscale lock status`, but will be surfaced in `tailscale lock status --json`. Updates #13185 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 month ago
Percy Wegmann	7d83056a1b	ssh/tailssh: fix SSH on busybox systems This involved the following: 1. Pass the su command path as first of args in call to unix.Exec to make sure that busybox sees the correct program name. Busybox is a single executable userspace that implements various core userspace commands in a single binary. You'll see it used via symlinking, so that for example /bin/su symlinks to /bin/busybox. Busybox knows that you're trying to execute /bin/su because argv[0] is '/bin/su'. When we called unix.Exec, we weren't including the program name for argv[0], which caused busybox to fail with 'applet not found', meaning that it didn't know which command it was supposed to run. 2. Tell su to whitelist the SSH_AUTH_SOCK environment variable in order to support ssh agent forwarding. 3. Run integration tests on alpine, which uses busybox. 4. Increment CurrentCapabilityVersion to allow turning on SSH V2 behavior from control. Fixes #12849 Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 month ago
Jordan Whited	7675c3ebf2	wgengine/netstack/gro: exclude importation of gVisor GRO pkg on iOS (#13202 ) In `df6014f1d7` we removed build tag gating preventing importation, which tripped a NetworkExtension limit test in corp. This was a reversal of `25f0a3fc8f` which actually made the situation worse, hence the simplification. This commit goes back to the strategy in `25f0a3fc8f`, and gets us back under the limit in my local testing. Admittedly, we don't fully understand the effects of importing or excluding importation of this package, and have seen mixed results, but this commit allows us to move forward again. Updates tailscale/corp#22125 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 month ago
Jordan Whited	df6014f1d7	net/tstun,wgengine{/netstack/gro}: refactor and re-enable gVisor GRO for Linux (#13172 ) In `2f27319baf` we disabled GRO due to a data race around concurrent calls to tstun.Wrapper.Write(). This commit refactors GRO to be thread-safe, and re-enables it on Linux. This refactor now carries a GRO type across tstun and netstack APIs with a lifetime that is scoped to a single tstun.Wrapper.Write() call. In `25f0a3fc8f` we used build tags to prevent importation of gVisor's GRO package on iOS as at the time we believed it was contributing to additional memory usage on that platform. It wasn't, so this commit simplifies and removes those build tags. Updates tailscale/corp#22353 Updates tailscale/corp#22125 Updates #6816 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 month ago
ChandonPierre	93dc2ded6e	cmd/k8s-operator: support default proxy class in k8s-operator (#12711 ) Signed-off-by: ChandonPierre <cpierre@coreweave.com> Closes #12421	1 month ago
Aaron Klotz	8f6a2353d8	util/winutil: add GetRegUserString/SetRegUserString accessors for storage and retrieval of string values in HKEY_CURRENT_USER Fixes #13187 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 month ago
pierig-n3xtio	2105773874	cmd/k8s-operator/deploy: replace wildcards in Kubernetes Operator RBAC role definitions with verbs cmd/k8s-operator/deploy: replace wildcards in Kubernetes Operator RBAC role definitions with verbs fixes: #13168 Signed-off-by: Pierig Le Saux <pierig@n3xt.io>	1 month ago
Kristoffer Dalby	01aa01f310	ipn/ipnlocal: network-lock, error if no pubkey instead of panic Updates tailscale/corp#20931 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	1 month ago
Andrea Gottardo	9d2b1820f1	ipnlocal: support setting authkey at login using syspolicy (#13061 ) Updates tailscale/corp#22120 Adds the ability to start the backend by reading an authkey stored in the syspolicy database (MDM). This is useful for devices that are provisioned in an unattended fashion. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	1 month ago
tomholford	16bb541adb	wgengine/magicsock: replace deprecated poly1305 (#13184 ) Signed-off-by: tomholford <tomholford@users.noreply.github.com>	1 month ago

1 2 3 4 5 ...

8055 Commits (6d4973e1e0ecac168b0aa9dbdda5f07c6f418bb2) All Branches Search

8055 Commits (6d4973e1e0ecac168b0aa9dbdda5f07c6f418bb2)

All Branches