tailscale

Commit Graph

Author	SHA1	Message	Date
Will Norris	6d5c3c1637	ipn: prefer allow/denylist terminology Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Will Norris	5a3da3cd7f	ipn: add sockstat logger to stable builds This makes the sockstat logger available on all builds, but only enables it by default for unstable. For stable builds, the logger must be explicitly enabled via C2N component logger. Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Aaron Klotz	90fd04cbde	ipn/ipnlocal, util/winutil/policy: modify Windows profile migration to load legacy prefs from within tailscaled I realized that a lot of the problems that we're seeing around migration and LocalBackend state can be avoided if we drive Windows pref migration entirely from within tailscaled. By doing it this way, tailscaled can automatically perform the migration as soon as the connection with the client frontend is established. Since tailscaled is already running as LocalSystem, it already has access to the user's local AppData directory. The profile manager already knows which user is connected, so we simply need to resolve the user's prefs file and read it from there. Of course, to properly migrate this information we need to also check system policies. I moved a bunch of policy resolution code out of the GUI and into a new package in util/winutil/policy. Updates #7626 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Mihai Parparita	e3cb8cc88d	ipn/ipnlocal: automatically upload sockstats logs when the period ends Avoids needing a separate c2n call to get the logs uploaded. Updates tailscale/corp#9230 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Andrew Dunham	8d3acc9235	util/sysresources, magicsock: scale DERP buffer based on system memory This adds the util/sysresources package, which currently only contains a function to return the total memory size of the current system. Then, we modify magicsock to scale the number of buffered DERP messages based on the system's available memory, ensuring that we never use a value lower than the previous constant of 32. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib763c877de4d0d4ee88869078e7d512f6a3a148d	1 year ago
Tom DNetto	483109b8fc	client/tailscale: Fix NPE caused by erroneous close in error case Fixes https://github.com/tailscale/tailscale/issues/7572 When handling an error during `StreamDebugCapture`, the response body is closed, even though the response struct is always nil. Thanks to https://github.com/darkrain42 for debugging this!! Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
shayne	59879e5770	cmd/tailscale/cli: make serve and funnel visible in list (#7737 )	1 year ago
Flakes Updater	1bf65e4760	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply@tailscale.com>	1 year ago
Mihai Parparita	38bbb30aaf	.github/workflows: remove tsconnect-pkg-publish.yml Moved to the corp repo with tailscale/corp#7990 Updates tailscale/corp#10165 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
James Tucker	f4da995940	atomicfile: reject overwriting irregular files The intent of atomicfile is to overwrite regular files. Most use cases that would overwrite irregular files, unix sockets, named pipes, devices, and so on are more than likely misuse, so disallow them. Fixes #7658 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Mihai Parparita	02582083d5	cmd/tsconnect: allow root directory to be passed in #7339 changed the root directory logic to find the ancestor of the cwd with a go.mod file. This works when running the the binary from this repo directly, but breaks when we're a dependency in another repo. Allow the directory to be passed in via a -rootdir flag (the repo that depends on it can then use `go list -m -f '{{.Dir}}' tailscale.com` or similar to pass in the value). Updates tailscale/corp#10165 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
James Tucker	40fa2a420c	envknob,net/tstun,wgengine: use TS_DEBUG_MTU consistently Noted on #5915 TS_DEBUG_MTU was not used consistently everywhere. Extract the default into a function that can apply this centrally and use it everywhere. Added envknob.Lookup{Int,Uint}Sized to make it easier to keep CodeQL happy when using converted values. Updates #5915 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Andrew Dunham	8ed4fd1dbc	envknob/logknob: add package for configurable logging A LogKnob allows enabling logs with an envknob, netmap capability, and manually, and calling a logging function when logs are enabled. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id66c608d4e488bfd4eaa5e867a8d9289686748be	1 year ago
Andrew Dunham	3b39ca9017	ipn/ipnlocal: update comment in SetComponentDebugLogging Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8c36a62079dce77fc81b9cdfb5fe723b007218ba	1 year ago
Maisem Ali	e0d291ab8a	ipn/store: add support for stores to hook into a custom dialer For stores like k8s secrets we need to dial out to the k8s API as though Tailscale wasn't running. The issue currently only manifests when you try to use an exit node while running inside a k8s cluster and are trying to use Kubernetes secrets as the backing store. This doesn't address cmd/containerboot, which I'll do in a follow up. Updates #7695 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
License Updater	2b00d6922f	licenses: update win/apple licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	1 year ago
License Updater	7b4e85aa78	licenses: update win/apple licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	1 year ago
Will Norris	e99c7c3ee5	sockstats: add labels for netlog and sockstatlog packages Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Andrew Dunham	38e4d303a2	net/tshttpproxy: don't proxy through ourselves When running a SOCKS or HTTP proxy, configure the tshttpproxy package to drop those addresses from any HTTP_PROXY or HTTPS_PROXY environment variables. Fixes #7407 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I6cd7cad7a609c639780484bad521c7514841764b	1 year ago
Will Norris	62a1e9a44f	log/sockstatlog: add delay before writing logs to disk Split apart polling of sockstats and logging them to disk. Add a 3 second delay before writing logs to disk to prevent an infinite upload loop when uploading stats to logcatcher. Fixes #7719 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Maisem Ali	985535aebc	net/tstun,wgengine/*: add support for NAT to routes This adds support to make exit nodes and subnet routers work when in scenarios where NAT is required. It also updates the NATConfig to be generated from a `wgcfg.Config` as that handles merging prefs with the netmap, so it has the required information about whether an exit node is already configured and whether routes are accepted. Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	d1d5d52b2c	net/tstun/table: add initial RoutingTable implementation It is based on `*tempfork/device.AllowedIPs`. Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	2522b0615f	tempfork/device: add a temp fork of golang.zx2c4.com/wireguard/device This will allow us to reuse the AllowedIPs for NAT decisions in a follow on commit. The files `allowedips_*.go` are as-is, `peer.go` only keeps the `Peer` declaration with a single element required for AllowedIPs. Upstream commit https://git.zx2c4.com/wireguard-go/commit/?id=052af4a8072bbbd3bfe7edf46fe3c1b350f71f08 Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Dunham	c98652c333	doctor/permissions: add new check to print process permissions Since users can run tailscaled in a variety of ways (root, non-root, non-root with process capabilities on Linux), this check will print the current process permissions to the log to aid in debugging. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ida93a206123f98271a0c664775d0baba98b330c7	1 year ago
License Updater	524f53de89	licenses: update tailscale{,d} licenses Signed-off-by: License Updater <noreply@tailscale.com>	1 year ago
James Tucker	8c2b755b2e	tool/gocross: use grep -E over egrep to avoid warning Recent egrep builds produce a warning: ``` egrep: warning: egrep is obsolescent; using grep -E ``` Updates #cleanup Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
James Tucker	a31e43f760	go.mod: bump gvisor to 20230320 for dispatcher locking Upstream improved code around an issue showing up in CI, where sometimes shutdown will race on endpoint.dispatcher being nil'd, causing a panic down stack of injectInbound. The upstream patch makes some usage more safe, but it does not itself fix the local issue. See panic in https://github.com/tailscale/tailscale/actions/runs/4548299564/jobs/8019187385#step:7:843 See fix in google/gvisor@13d7bf69d8 Updates #7715 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
James Tucker	c628132b34	wgengine/netstack: do not send packets to netstack after close Use the local context on Impl to check for shut down state in order to drop rather than inject packets after close has begun. Netstack sets endpoint.dispatcher to nil during shutdown. After the recent adjustment in `920ec69241` we now wait for netstack to fully shutdown before we release tests. This means that we may continue to accept packets and attempt to inject them, which we must prevent in order to avoid nil pointer panic. References google/gvisor#8765 Fixes #7715 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Maisem Ali	e04acabfde	ssh/tailssh: fix race in errors returned when starting recorder There were two code paths that could fail depending on how fast the recorder responses. This fixes that by returning the correct error from both paths. Fixes #7707 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Flakes Updater	cb960d6cdd	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply@tailscale.com>	1 year ago
Jordan Whited	27e37cf9b3	go.mod, net/tstun, wgengine/magicsock: update wireguard-go (#7712 ) This commit updates the wireguard-go dependency to pull in fixes for the tun package, specifically 052af4a and aad7fca. Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 year ago
License Updater	946451b43e	licenses: update win/apple licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	1 year ago
License Updater	840d69e1eb	licenses: update win/apple licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	1 year ago
Josh Bleecher Snyder	3ba9f8dd04	util/codegen: add -copyright to control presence of copyright headers Fixes #7702 Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>	1 year ago
Will Norris	7c99210e68	log: allow toggling sockstat logs via c2n component logging Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Maisem Ali	920ec69241	tsnet,wgenegine/netstack: add test and fix resource leaks We were not closing the http.Server and were also not waiting for netstack to fully close. Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Anton Tolchanov	2a933c1903	cmd/tailscale: extend hostname validation (#7678 ) In addition to checking the total hostname length, validate characters used in each DNS label and label length. Updates https://github.com/tailscale/corp/issues/10012 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
shayne	43f7ec48ca	funnel: change references from alpha to beta (#7613 ) Updates CLI and docs to reference Funnel as beta Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
shayne	3177ccabe5	ipn/ipnlocal: [serve/funnel] use actual SrcAddr as X-Forwarded-For (#7600 ) The reverse proxy was sending the ingressd IPv6 down as the X-Forwarded-For. This update uses the actual remote addr. Updates tailscale/corp#9914 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
shayne	7908b6d616	ipn/ipnlocal: [serve] Trim mountPoint prefix from proxy path (#7334 ) This change trims the mountPoint from the request URL path before sending the request to the reverse proxy. Today if you mount a proxy at `/foo` and request to `/foo/bar/baz`, we leak the `mountPoint` `/foo` as part of the request URL's path. This fix makes removed the `mountPoint` prefix from the path so proxied services receive requests as if they were running at the root (`/`) path. This could be an issue if the app generates URLs (in HTML or otherwise) and assumes `/path`. In this case, those URLs will 404. With that, I still think we should trim by default and not leak the `mountPoint` (specific to Tailscale) into whatever app is hosted. If it causes an issue with URL generation, I'd suggest looking at configuring an app-specific path prefix or running Caddy as a more advanced solution. Fixes: #6571 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
Denton Gentry	ed10a1769b	scripts/installer.sh: check Photon OS version with pkg server. Photon OS support crossed streams with using pkgserve to check for supported versions `6f9aed1656`. Make Photon OS also rely on pkgserve. Updates https://github.com/tailscale/tailscale/issues/7651 Updates https://github.com/tailscale/corp/issues/8952 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
Maisem Ali	5ba57e4661	ssh/tailssh: add tests for recording failure Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Denton Gentry	d5abdd915e	scripts/installer: add VMWare PhotonOS. Fixes https://github.com/tailscale/tailscale/issues/7651 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
valscale	74eb99aed1	derp, derphttp, magicsock: send new unknown peer frame when destination is unknown (#7552 ) * wgengine/magicsock: add envknob to send CallMeMaybe to non-existent peer For testing older client version responses to the PeerGone packet format change. Updates #4326 Signed-off-by: Val <valerie@tailscale.com> * derp: remove dead sclient struct member replaceLimiter Leftover from an previous solution to the duplicate client problem. Updates #2751 Signed-off-by: Val <valerie@tailscale.com> * derp, derp/derphttp, wgengine/magicsock: add new PeerGone message type Not Here Extend the PeerGone message type by adding a reason byte. Send a PeerGone "Not Here" message when an endpoint sends a disco message to a peer that this server has no record of. Fixes #4326 Signed-off-by: Val <valerie@tailscale.com> --------- Signed-off-by: Val <valerie@tailscale.com>	1 year ago
Maisem Ali	09d0b632d4	ssh/tailssh: add session recording test for non-pty sessions Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	d39a5e4417	tsnet: support TS_AUTH_KEY variant too Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	d2fd101eb4	net/tstun: only log natConfig on changes Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	8ac5976897	logpolicy: do not upload logs in tests Fixes tailscale/corp#10030 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	7300b908fb	logpolicy: split out DialContext into a func Updates tailscale/corp#10030 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	ca19cf13e9	log/sockstatlog: add resource cleanup test Updates tailscale/corp#10030 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago

1 2 3 4 5 ...

5572 Commits (6d5c3c16377dda0dc932850297e013b8335689a5) All Branches Search

5572 Commits (6d5c3c16377dda0dc932850297e013b8335689a5)

All Branches