tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	eb2fa16fcc	tailcfg: bump capver for earlier cryptokey panic fix [capver 106] I should've bumped capver in `65fe0ba7b5` but forgot. This lets us turn off the cryptokey routing change from control for the affected panicky range of commits, based on capver. Updates #13332 Updates tailscale/corp#20732 Change-Id: I32c17cfcb45b2369b2b560032330551d47a0ce0b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Percy Wegmann	ecc451501c	ssh/tailssh: add ability to force V2 behavior using new feature flag Introduces ssh-behavior-v2 node attribute to override ssh-behavior-v1. Updates #11854 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 weeks ago
Percy Wegmann	7d83056a1b	ssh/tailssh: fix SSH on busybox systems This involved the following: 1. Pass the su command path as first of args in call to unix.Exec to make sure that busybox sees the correct program name. Busybox is a single executable userspace that implements various core userspace commands in a single binary. You'll see it used via symlinking, so that for example /bin/su symlinks to /bin/busybox. Busybox knows that you're trying to execute /bin/su because argv[0] is '/bin/su'. When we called unix.Exec, we weren't including the program name for argv[0], which caused busybox to fail with 'applet not found', meaning that it didn't know which command it was supposed to run. 2. Tell su to whitelist the SSH_AUTH_SOCK environment variable in order to support ssh agent forwarding. 3. Run integration tests on alpine, which uses busybox. 4. Increment CurrentCapabilityVersion to allow turning on SSH V2 behavior from control. Fixes #12849 Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 month ago
Maisem Ali	f205efcf18	net/packet/checksum: fix v6 NAT We were copying 12 out of the 16 bytes which meant that the 1:1 NAT required would only work if the last 4 bytes happened to match between the new and old address, something that our tests accidentally had. Fix it by copying the full 16 bytes and make the tests also verify the addr and use rand addresses. Updates #9511 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Andrea Gottardo	90be06bd5b	health: introduce captive-portal-detected Warnable (#12707 ) Updates tailscale/tailscale#1634 This PR introduces a new `captive-portal-detected` Warnable which is set to an unhealthy state whenever a captive portal is detected on the local network, preventing Tailscale from connecting. ipn/ipnlocal: fix captive portal loop shutdown Change-Id: I7cafdbce68463a16260091bcec1741501a070c95 net/captivedetection: fix mutex misuse ipn/ipnlocal: ensure that we don't fail to start the timer Change-Id: I3e43fb19264d793e8707c5031c0898e48e3e7465 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 months ago
Brad Fitzpatrick	808b4139ee	wgengine/magicsock: use wireguard-go/conn.PeerAwareEndpoint If we get an non-disco presumably-wireguard-encrypted UDP packet from an IP:port we don't recognize, rather than drop the packet, give it to WireGuard anyway and let WireGuard try to figure out who it's from and tell us. This uses the new hook added in https://github.com/tailscale/wireguard-go/pull/27 Updates tailscale/corp#20732 Change-Id: I5c61a40143810592f9efac6c12808a87f924ecf2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Nick Khyl	fc28c8e7f3	cmd/cloner, cmd/viewer, util/codegen: add support for generic types and interfaces This adds support for generic types and interfaces to our cloner and viewer codegens. It updates these packages to determine whether to make shallow or deep copies based on the type parameter constraints. Additionally, if a template parameter or an interface type has View() and Clone() methods, we'll use them for getters and the cloner of the owning structure. Updates #12736 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Anton Tolchanov	874972b683	posture: add network hardware addresses to posture identity If an optional `hwaddrs` URL parameter is present, add network interface hardware addresses to the posture identity response. Just like with serial numbers, this requires client opt-in via MDM or `tailscale set --posture-checking=true` (https://tailscale.com/kb/1326/device-identity) Updates tailscale/corp#21371 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 months ago
Brad Fitzpatrick	c6af5bbfe8	all: add test for package comments, fix, add comments as needed Updates #cleanup Change-Id: Ic4304e909d2131a95a38b26911f49e7b1729aaef Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	42dac7c5c2	wgengine/magicsock: add debug envknob for injecting an endpoint For testing. Lee wants to play with 'AWS Global Accelerator Custom Routing with Amazon Elastic Kubernetes Service'. If this works well enough, we can promote it. Updates #12578 Change-Id: I5018347ed46c15c9709910717d27305d0aedf8f4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	d2fef01206	control/controlknobs,tailcfg,wgengine/magicsock: remove DRPO shutoff switch The DERP Return Path Optimization (DRPO) is over four years old (and on by default for over two) and we haven't had problems, so time to remove the emergency shutoff code (controlknob) which we've never used. The controlknobs are only meant for new features, to mitigate risk. But we don't want to keep them forever, as they kinda pollute the code. Updates #150 Change-Id: If021bc8fd1b51006d8bddd1ffab639bb1abb0ad1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Percy Wegmann	489b990240	tailcfg: bump CurrentCapabilityVersion to capture SSH agent forwarding fix Updates #12467 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Brad Fitzpatrick	5ec01bf3ce	wgengine/filter: support FilterRules matching on srcIP node caps [capver 100] See #12542 for background. Updates #12542 Change-Id: Ida312f700affc00d17681dc7551ee9672eeb1789 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	21460a5b14	tailcfg, wgengine/filter: remove most FilterRule.SrcBits code The control plane hasn't sent it to clients in ages. Updates tailscale/corp#20965 Change-Id: I1d71a4b6dd3f75010a05c544ee39827837c30772 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Maisem Ali	491483d599	cmd/viewer,type/views: add MapSlice for maps of slices This abstraction provides a nicer way to work with maps of slices without having to write out three long type params. This also allows it to provide an AsMap implementation which copies the map and the slices at least. Updates tailscale/corp#20910 Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 months ago
Nick Khyl	c32efd9118	various: create a catch-all NRPT rule when "Override local DNS" is enabled on Windows Without this rule, Windows 8.1 and newer devices issue parallel DNS requests to DNS servers associated with all network adapters, even when "Override local DNS" is enabled and/or a Mullvad exit node is being used, resulting in DNS leaks. This also adds "disable-local-dns-override-via-nrpt" nodeAttr that can be used to disable the new behavior if needed. Fixes tailscale/corp#20718 Signed-off-by: Nick Khyl <nickk@tailscale.com>	3 months ago
Andrea Gottardo	e8ca30a5c7	xcode/iOS: support serial number collection via MDM on iOS (#11429 ) Fixes tailscale/corp#18366. This PR provides serial number collection on iOS, by allowing system administrators to pass a `DeviceSerialNumber` MDM key which can be read by the `posture` package in Go. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	3 months ago
James Tucker	85ad0c276c	tailcfg: update PeerAPIDNS Port value documentation We do not intend to use this value for feature support communication in the future, and have applied changes elsewhere that now fix the expected value. Updates tailscale/corp#19391 Updates tailscale/corp#20398 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Irbe Krumina	a95ea31a4e	kube,tailcfg: store parsed recorder tags in a separate field (#12429 ) Add an additional RecorderAddrs field to tailscale.com/cap/kubernetes capability. RecorderAddrs will only be populated by control with the addresses of any tsrecorder tags set via Recorder. Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Nick Khyl	3672f66c74	tailcfg: bump capver for NodeAttrDisableSplitDNSWhenNoCustomResolvers Missed in `b65221999c`. Updates tailscale/corp#15802 Signed-off-by: Nick Khyl <nickk@tailscale.com>	3 months ago
Irbe Krumina	c3e2b7347b	tailcfg,cmd/k8s-operator,kube: move Kubernetes cap to a location that can be shared with control (#12236 ) This PR is in prep of adding logic to control to be able to parse tailscale.com/cap/kubernetes grants in control: - moves the type definition of PeerCapabilityKubernetes cap to a location shared with control. - update the Kubernetes cap rule definition with fields for granting kubectl exec session recording capabilities. - adds a convenience function to produce tailcfg.RawMessage from an arbitrary cap rule and a test for it. An example grant defined via ACLs: "grants": [{ "src": ["tag:eng"], "dst": ["tag:k8s-operator"], "app": { "tailscale.com/cap/kubernetes": [{ "recorder": ["tag:my-recorder"] “enforceRecorder”: true }], }, } ] This grant enforces `kubectl exec` sessions from tailnet clients, matching `tag:eng` via API server proxy matching `tag:k8s-operator` to be recorded and recording to be sent to a tsrecorder instance, matching `tag:my-recorder`. The type needs to be shared with control because we want control to parse this cap and resolve tags to peer IPs. Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Andrea Gottardo	b65221999c	tailcfg,net/dns: add controlknob to disable battery split DNS on iOS (#12346 ) Updates corp#15802. Adds the ability for control to disable the recently added change that uses split DNS in more cases on iOS. This will allow us to disable the feature if it leads to regression in production. We plan to remove this knob once we've verified that the feature works properly. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	4 months ago
Irbe Krumina	82576190a7	tailcfg,cmd/k8s-operator: moves tailscale.com/cap/kubernetes peer cap to tailcfg (#12235 ) This is done in preparation for adding kubectl session recording rules to this capability grant that will need to be unmarshalled by control, so will also need to be in a shared location. Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 months ago
Andrew Dunham	36d0ac6f8e	tailcfg: use strings.CutPrefix for CheckTag; add test Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I42eddc7547a6dd50c4d5b2a9fc88a19aac9767aa	4 months ago
Percy Wegmann	08a9551a73	ssh/tailssh: fall back to using su when no TTY available on Linux This allows pam authentication to run for ssh sessions, triggering automation like pam_mkhomedir. Updates #11854 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Maisem Ali	9a64c06a20	all: do not depend on the testing package Discovered while looking for something else. Updates tailscale/corp#18935 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 months ago
Brad Fitzpatrick	1384c24e41	control/controlclient: delete unused Client.Login Oauth2Token field Updates #12172 (then need to update other repos) Change-Id: I439f65e0119b09e00da2ef5c7a4f002f93558578 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Maisem Ali	482890b9ed	tailcfg: bump capver for using NodeAttrUserDialUseRoutes for DNS Missed in `f62e678df8`. Updates tailscale/corp#18725 Updates #4529 Signed-off-by: Maisem Ali <maisem@tailscale.com>	5 months ago
Maisem Ali	af97e7a793	tailcfg,all: add/plumb Node.IsJailed This adds a new bool that can be sent down from control to do jailing on the client side. Previously this would only be done from control by modifying the packet filter we sent down to clients. This would result in a lot of additional work/CPU on control, we could instead just do this on the client. This has always been a TODO which we keep putting off, might as well do it now. Updates tailscale/corp#19623 Signed-off-by: Maisem Ali <maisem@tailscale.com>	5 months ago
Nick Khyl	f62e678df8	net/dns/resolver, control/controlknobs, tailcfg: use UserDial instead of SystemDial to dial DNS servers Now that tsdial.Dialer.UserDial has been updated to honor the configured routes and dial external network addresses without going through Tailscale, while also being able to dial a node/subnet router on the tailnet, we can start using UserDial to forward DNS requests. This is primarily needed for DNS over TCP when forwarding requests to internal DNS servers, but we also update getKnownDoHClientForProvider to use it. Updates tailscale/corp#18725 Signed-off-by: Nick Khyl <nickk@tailscale.com>	5 months ago
Andrew Lytvynov	c28f5767bf	various: implement stateful firewalling on Linux (#12025 ) Updates https://github.com/tailscale/corp/issues/19623 Change-Id: I7980e1fb736e234e66fa000d488066466c96ec85 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Co-authored-by: Andrew Dunham <andrew@du.nham.ca>	5 months ago
Nick Khyl	caa3d7594f	ipn/ipnlocal, net/tsdial: plumb routes into tsdial and use them in UserDial We'd like to use tsdial.Dialer.UserDial instead of SystemDial for DNS over TCP. This is primarily necessary to properly dial internal DNS servers accessible over Tailscale and subnet routes. However, to avoid issues when switching between Wi-Fi and cellular, we need to ensure that we don't retain connections to any external addresses on the old interface. Therefore, we need to determine which dialer to use internally based on the configured routes. This plumbs routes and localRoutes from router.Config to tsdial.Dialer, and updates UserDial to use either the peer dialer or the system dialer, depending on the network address and the configured routes. Updates tailscale/corp#18725 Fixes #4529 Signed-off-by: Nick Khyl <nickk@tailscale.com>	5 months ago
Brad Fitzpatrick	c3c18027c6	all: make more tests pass/skip in airplane mode Updates tailscale/corp#19786 Change-Id: Iedc6730fe91c627b556bff5325bdbaf7bf79d8e6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 months ago
Claire Wang	5254f6de06	tailcfg: add suggest exit node UI node attribute (#11918 ) Add node attribute to determine whether or not to show suggested exit node in UI. Updates tailscale/corp#19515 Signed-off-by: Claire Wang <claire@tailscale.com>	5 months ago
Fran Bull	1bd1b387b2	appc: add flag shouldStoreRoutes and controlknob for it When an app connector is reconfigured and domains to route are removed, we would like to no longer advertise routes that were discovered for those domains. In order to do this we plan to store which routes were discovered for which domains. Add a controlknob so that we can enable/disable the new behavior. Updates #11008 Signed-off-by: Fran Bull <fran@tailscale.com>	5 months ago
Claire Wang	d5fc52a0f5	tailcfg: add auto exit node attribute (#11871 ) Updates tailscale/corp#19515 Signed-off-by: Claire Wang <claire@tailscale.com>	5 months ago
Percy Wegmann	955ad12489	ipn/ipnlocal: only show Taildrive peers to which ACLs grant us access This improves convenience and security. * Convenience - no need to see nodes that can't share anything with you. * Security - malicious nodes can't expose shares to peers that aren't allowed to access their shares. Updates tailscale/corp#19432 Signed-off-by: Percy Wegmann <percy@tailscale.com>	5 months ago
Brad Fitzpatrick	c39cde79d2	tailcfg: remove some unused fields from RegisterResponseAuth Fixes #19334 Change-Id: Id6463f28af23078a7bc25b9280c99d4491bd9651 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 months ago
Brad Fitzpatrick	05bfa022f2	tailcfg: pointerify RegisterRequest.Auth, omitemptify RegisterResponseAuth We were storing server-side lots of: "Auth":{"Provider":"","LoginName":"","Oauth2Token":null,"AuthKey":""}, That was about 7% of our total storage of pending RegisterRequest bodies. Updates tailscale/corp#19327 Change-Id: Ib73842759a2b303ff5fe4c052a76baea0d68ae7d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 months ago
Claire Wang	c24f2eee34	tailcfg: rename exit node destination network flow log node attribute (#11779 ) Updates tailscale/corp#18625 Signed-off-by: Claire Wang <claire@tailscale.com>	5 months ago
Brad Fitzpatrick	7c1d6e35a5	all: use Go 1.22 range-over-int Updates #11058 Change-Id: I35e7ef9b90e83cac04ca93fd964ad00ed5b48430 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 months ago
Adrian Dewhurst	ca5cb41b43	tailcfg: document use of CapMap for peers Updates tailscale/corp#17516 Updates #11508 Change-Id: Iad2dafb38ffb9948bc2f3dfaf9c268f7d772cf56 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	5 months ago
Claire Wang	976d3c7b5f	tailcfg: add exit destination for network flow logs node attribute (#11698 ) Updates tailscale/corp#18625 Signed-off-by: Claire Wang <claire@tailscale.com>	5 months ago
Charlotte Brandhorst-Satzkorn	98cf71cd73	tailscale: switch tailfs to drive syntax for api and logs (#11625 ) This change switches the api to /drive, rather than the previous /tailfs as well as updates the log lines to reflect the new value. It also cleans up some existing tailfs references. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	6 months ago
Charlotte Brandhorst-Satzkorn	93618a3518	tailscale: update tailfs functions and vars to use drive naming (#11597 ) This change updates all tailfs functions and the majority of the tailfs variables to use the new drive naming. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	6 months ago
Charlotte Brandhorst-Satzkorn	14683371ee	tailscale: update tailfs file and package names (#11590 ) This change updates the tailfs file and package names to their new naming convention. Updates #tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	6 months ago
Brad Fitzpatrick	a36cfb4d3d	tailcfg, ipn/ipnlocal, wgengine/magicsock: add only-tcp-443 node attr Updates tailscale/corp#17879 Change-Id: I0dc305d147b76c409cf729b599a94fa723aef0e0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Brad Fitzpatrick	7b34154df2	all: deprecate Node.Capabilities (more), remove PeerChange.Capabilities [capver 89] First we had Capabilities []string. Then https://tailscale.com/blog/acl-grants (#4217) brought CapMap, a superset of Capabilities. Except we never really finished the transition inside the codebase to go all-in on CapMap. This does so. Notably, this coverts Capabilities on the wire early to CapMap internally so the code can only deal in CapMap, even against an old control server. In the process, this removes PeerChange.Capabilities support, which no known control plane sent anyway. They can and should use PeerChange.CapMap instead. Updates #11508 Updates #4217 Change-Id: I872074e226b873f9a578d9603897b831d50b25d9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Brad Fitzpatrick	20e9f3369d	control/controlclient: send load balancing hint HTTP request header Updates tailscale/corp#1297 Change-Id: I0b102081e81dfc1261f4b05521ab248a2e4a1298 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Mario Minardi	e0886ad167	ipn/ipnlocal, tailcfg: add disable-web-client node attribute (#11418 ) Add a disable-web-client node attribute and add handling for disabling the web client when this node attribute is set. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	6 months ago

1 2 3 4 5 ...

479 Commits (71b550c73cc4606d366fea4478152d3b0f18b59b)