Commit Graph

114 Commits (73c40c77b0ede8744f3a1bcaa9b2d3b9d74b6c09)

Author SHA1 Message Date
Avery Pennarun f0b6ba78e8 wgengine: don't pass nil router.Config objects.
These are hard for swift to decode in the iOS app.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
4 years ago
Brad Fitzpatrick 004780b312 ipn: restore LiveDERPs assignment in LocalBackend.parseWgStatus
Updates #421 (likely fixes it; need to do an iOS build to be sure)
4 years ago
Avery Pennarun 34c30eaea0 router_linux: use only baseline 'ip rule' features that exist in old kernels.
This removes the use of suppress_ifgroup and fwmark "x/y" notation,
which are, among other things, not available in busybox and centos6.

We also use the return codes from the 'ip' program instead of trying to
parse its output.

I also had to remove the previous hack that routed all of 100.64.0.0/10
by default, because that would add the /10 route into the 'main' route
table instead of the new table 88, which is no good. It was a terrible
hack anyway; if we wanted to capture that route, we should have
captured it explicitly as a subnet route, not as part of the addr. Note
however that this change affects all platforms, so hopefully there
won't be any surprises elsewhere.

Fixes #405
Updates #320, #144

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
4 years ago
David Anderson 2b74236567 ipn: move e2e_test back to corp repo.
It depends on corp things, so can't run here anyway.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Brad Fitzpatrick e6b84f2159 all: make client use server-provided DERP map, add DERP region support
Instead of hard-coding the DERP map (except for cmd/tailscale netcheck
for now), get it from the control server at runtime.

And make the DERP map support multiple nodes per region with clients
picking the first one that's available. (The server will balance the
order presented to clients for load balancing)

This deletes the stunner package, merging it into the netcheck package
instead, to minimize all the config hooks that would've been
required.

Also fix some test flakes & races.

Fixes #387 (Don't hard-code the DERP map)
Updates #388 (Add DERP region support)
Fixes #399 (wgengine: flaky tests)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Anderson e8b3a5e7a1 wgengine/filter: implement a destination IP pre-filter.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Avery Pennarun 3ed2124356 ipn: Resolve some resource leaks in test.
Updates tailscale/corp#255.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun ea8f92b312 ipn/local: get rid of some straggling calls to the log module.
Use b.logf() instead.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun db051fb013 ipnserver and logpolicy: configure zstd with low-memory settings.
The compressed blobs we send back and forth are small and infrequent,
which doesn't justify the 8MB * GOMAXPROCS memory that was being
allocated. This was the overwhelming majority of memory use in
tailscaled. On my system it goes from ~100M RSS to ~15M RSS (which is
still suspiciously high, but we can worry about that more later).

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
David Anderson c97c45f268 ipn: sprinkle documentation and clarity rewrites through LocalBackend.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Wendi Yu bb55694c95
wgengine: log node IDs when peers are added/removed (#381)
Also stop logging data sent/received from nodes we're not connected to (ie all those `x`s being logged in the `peers: ` line)
Signed-off-by: Wendi <wendi.yu@yahoo.ca>
5 years ago
David Anderson 0fe262f093 ipn: plumb NetfilterMode all the way out to the CLI.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 292606a975 wgengine/router: support multiple levels of netfilter involvement.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Avery Pennarun 08acb502e5 Add tstest.PanicOnLog(), and fix various problems detected by this.
If a test calls log.Printf, 'go test' horrifyingly rearranges the
output to no longer be in chronological order, which makes debugging
virtually impossible. Let's stop that from happening by making
log.Printf panic if called from any module, no matter how deep, during
tests.

This required us to change the default error handler in at least one
http.Server, as well as plumbing a bunch of logf functions around,
especially in magicsock and wgengine, but also in logtail and backoff.

To add insult to injury, 'go test' also rearranges the output when a
parent test has multiple sub-tests (all the sub-test's t.Logf is always
printed after all the parent tests t.Logf), so we need to screw around
with a special Logf that can point at the "current" t (current_t.Logf)
in some places. Probably our entire way of using subtests is wrong,
since 'go test' would probably like to run them all in parallel if you
called t.Parallel(), but it definitely can't because the're all
manipulating the shared state created by the parent test. They should
probably all be separate toplevel tests instead, with common
setup/teardown logic. But that's a job for another time.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun 89a6f27cf8 Merge remote-tracking branch 'origin/master' into base
* origin/master:
  types/logger: add ArgWriter
  wgengine: wrap tun.Device to support filtering and packet injection (#358)
5 years ago
Avery Pennarun a7edf11a40 {ipn,control/controlclient}/tests: pass a logf function to control.New().
This matches the new API requirements.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Dmytro Shynkevych 33b2f30cea
wgengine: wrap tun.Device to support filtering and packet injection (#358)
Right now, filtering and packet injection in wgengine depend
on a patch to wireguard-go that probably isn't suitable for upstreaming.

This need not be the case: wireguard-go/tun.Device is an interface.
For example, faketun.go implements it to mock a TUN device for testing.

This patch implements the same interface to provide filtering
and packet injection at the tunnel device level,
at which point the wireguard-go patch should no longer be necessary.

This patch has the following performance impact on i7-7500U @ 2.70GHz,
tested in the following namespace configuration:
┌────────────────┐    ┌─────────────────────────────────┐     ┌────────────────┐
│      $ns1      │    │               $ns0              │     │      $ns2      │
│    client0     │    │      tailcontrol, logcatcher    │     │     client1    │
│  ┌─────┐       │    │  ┌──────┐         ┌──────┐      │     │  ┌─────┐       │
│  │vethc│───────┼────┼──│vethrc│         │vethrs│──────┼─────┼──│veths│       │
│  ├─────┴─────┐ │    │  ├──────┴────┐    ├──────┴────┐ │     │  ├─────┴─────┐ │
│  │10.0.0.2/24│ │    │  │10.0.0.1/24│    │10.0.1.1/24│ │     │  │10.0.1.2/24│ │
│  └───────────┘ │    │  └───────────┘    └───────────┘ │     │  └───────────┘ │
└────────────────┘    └─────────────────────────────────┘     └────────────────┘
Before:
---------------------------------------------------
| TCP send               | UDP send               |
|------------------------|------------------------|
| 557.0 (±8.5) Mbits/sec | 3.03 (±0.02) Gbits/sec |
---------------------------------------------------
After:
---------------------------------------------------
| TCP send               | UDP send               |
|------------------------|------------------------|
| 544.8 (±1.6) Mbits/sec | 3.13 (±0.02) Gbits/sec |
---------------------------------------------------
The impact on receive performance is similar.

Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
5 years ago
David Anderson 9ccbcda612 wgengine/router: rename config.Settings to config.Config, make pointer.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 72cae5504c wgengine: generate and plumb router.Settings in from ipn.
This saves a layer of translation, and saves us having to
pass in extra bits and pieces of the netmap and prefs to
wgengine. Now it gets one Wireguard config, and one OS
network stack config.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Wendi Yu 3663797815 Reduce logspam from node with no peers
Signed-off-by: Wendi Yu <wendi.yu@yahoo.ca>
5 years ago
David Anderson bfdc8175b1 wgengine/router: add a setting to disable SNAT for subnet routes.
Part of #320.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Brad Fitzpatrick 8a3e77fc43 ipn, wgengine/filter: remove exported type aliases 5 years ago
Brad Fitzpatrick 529e2cb31a ipn: add AllowVersionSkew bool to Notify & Message
For "tailscale status" on macOS (from separately downloaded
cmd/tailscale binary against App Store IPNExtension).

(This isn't all of it, but I've had this sitting around uncommitted.)
5 years ago
Sylvain Rabot 74d6ab995d ipn/ipnstate: improve HTML output
Signed-off-by: Sylvain Rabot <sylvain@abstraction.fr>
5 years ago
Wendi Yu 0c69b4e00d
Implement rate limiting on log messages (#356)
Implement rate limiting on log messages

Addresses issue #317, where logs can get spammed with the same message
nonstop. Created a rate limiting closure on logging functions, which
limits the number of messages being logged per second based on format
string. To keep memory usage as constant as possible, the previous cache
purging at periodic time intervals has been replaced by an LRU that
discards the oldest string when the capacity of the cache is reached.


Signed-off-by: Wendi Yu <wendi.yu@yahoo.ca>
5 years ago
David Anderson 89af51b84d wgengine: plumb locally advertised subnet routes.
With this change, advertising subnet routes configures the
firewall correctly.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Avery Pennarun 108237798d controlclient and ipn tests: supply --advertise-tags and --advertise-routes.
This helps validate the server's behaviour when these are present.
5 years ago
Brad Fitzpatrick fefd7e10dc types/structs: add structs.Incomparable annotation, use it where applicable
Shotizam before and output queries:

sqlite> select sum(size) from bin where func like 'type..%';
129067
=>
120216
5 years ago
Avery Pennarun 9d1f48032a cmd/tailscale: add --advertise-tags option.
These will be used for dynamically changing the identity of a node, so
its ACL rights can be different from your own.

Note: Not all implemented yet on the server side, but we need this so
we can request the tagged rights in the first place.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
David Crawshaw 5650f1ecf9 controlclient, ipn: adjust tests for tailscale.com keepalive change 5 years ago
David Crawshaw c10f90357e ipn/e2e_test: fix flaky logout state drain 5 years ago
David Anderson 1ac570def7 wgengine/router: split out from wgengine.
The router implementations are logically separate, with their own API.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Avery Pennarun d6c34368e8 ipn/local: differentiate Shields Up from Uninitialized in logs.
We were printing "Shields Up" when the netmap wasn't initialized yet,
which while technically effectively true, turned out to be confusing
when trying to debug things.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun ced9b4008a ipn: clear the hostinfo.Services list when prefs.ShieldsUp==true.
When shields are up, no services are available to connect to, so hide
them all. This will also help them disappear from the UI menu on
other nodes.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun d7429b9a8d Add prefs.ShieldsUp and --shields-up option.
This sets a default packet filter that blocks all incoming requests,
giving end users more control over who can get into their machine, even
if the admin hasn't set any central ACLs.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun dbc1f71e5d ipn/message: fix some message encoding problems.
- Reset() was not including a Version field, so was getting rejected;
  the Logout operation no longer happened when the client got disconnected.

- Don't crash if we can't decode 0-byte messages, which I suspect might
  sometimes come through on EOF.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
David Anderson 0038223632 tstest: rename from testy.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Brad Fitzpatrick e1526b796e ipn: don't listen on the unspecified address in test
To avoid the Mac firewall dialog of (test) death.

See 4521a59f30
which I added to help debug this.
5 years ago
David Crawshaw d2b7cb1e45 ipn, controlclient: add control.New parameter
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
Brad Fitzpatrick f4c7eb8c44 ipn: revert part of 18017f7630
In retrospect I don't trust it and I'm afraid might've caused some Mac flakiness.
I'd like more tests here before I work on this.

Updates #288
5 years ago
Brad Fitzpatrick 18017f7630 ipn, wgengine/magicsock: be more idle when in Stopped state with no peers
(Previously as #288, but with some more.)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick 45f2b53aca all: remove unnecessary trailing newlines in format patterns for consistency
And document on logger.Logf that it's unnecessary.
5 years ago
Brad Fitzpatrick 3a3b64301e wgengine: quiet some engine reconfig logging, make more consistent
Updates #282

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick b24029717b ipn: outdent some code in if that's statically always true 5 years ago
David Crawshaw 1747d099e9 ipn: add auth key
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
Brad Fitzpatrick 8ca796d144 ipn, ipn/policy: filter portlist to a short list of "interesting" ports
Adds new package ipn/policy to be shared between node client & control server.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Crawshaw 0590ad68be controlclient, ipn: adjust tests for authURL semantic changes
The tests cheat at filling out web forms by directly POSTing to
the target. The target for authURLs has changed slightly, the base
authURL now redirects the user to the login page.

Additionally, the authURL cycle now checks the cookie is set
correctly, so we add cookie jars where necessary to pass the
cookie through.
5 years ago
Brad Fitzpatrick a4ef345737 cmd/tailscale: add status subcommand
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick f51f18b42b ipn: move FakeBackend to a test-only file 5 years ago
Brad Fitzpatrick 322499473e cmd/tailscaled, wgengine, ipn: add /debug/ipn handler with world state
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago