tailscale

Commit Graph

Author	SHA1	Message	Date
Tom DNetto	73db56af52	ipn/ipnlocal: filter peers with bad signatures when tka is enabled Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Kristoffer Dalby	01ebef0f4f	tailcfg: add views for ControlDialPlan (#5843 )	2 years ago
Will Norris	62bc1052a2	tsweb: allow HTTPError to unwrap errors Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
License Updater	2243dbccb7	licenses: update tailscale{,d} licenses Signed-off-by: License Updater <noreply@tailscale.com>	2 years ago
Brad Fitzpatrick	b1bd96f114	go.mod, ssh/tailssh: fix ImplictAuthMethod typo Fixes #5745 Change-Id: Ie8bc88bd465a9cb35b0ae7782d61ce96480473ee Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
David Anderson	fde20f3403	cmd/pgproxy: link to blog post at the top. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Mihai Parparita	7ffd2fe005	cmd/tsconnect: switch to non-beta versions of xterm and related packages xterm 5.0 was released a few weeks ago, and it picks up xtermjs/xterm.js#4069, which was the main reason why we were on a 5.0 beta. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Joe Tsai	2934c5114c	net/tunstats: new package to track per-connection counters (#5818 ) High-level API: type Statistics struct { ... } type Counts struct { TxPackets, TxBytes, RxPackets, RxBytes uint64 } func (Statistics) UpdateTx([]byte) func (Statistics) UpdateRx([]byte) func (*Statistics) Extract() map[flowtrack.Tuple]Counts The API accepts a []byte instead of a packet.Parsed so that a future implementation can directly hash the address and port bytes, which are contiguous in most IP packets. This will be useful for a custom concurrent-safe hashmap implementation. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
David Anderson	bdf3d2a63f	cmd/pgproxy: open-source our postgres TLS-enforcing proxy. From the original commit that implemented it: It accepts Postgres connections over Tailscale only, dials out to the configured upstream database with TLS (using strong settings, not the swiss cheese that postgres defaults to), and proxies the client through. It also keeps an audit log of the sessions it passed through, along with the Tailscale-provided machine and user identity of the connecting client. In our other repo, this was: commit 92e5edf98e8c2be362f564a408939a5fc3f8c539, Change-Id I742959faaa9c7c302bc312c7dc0d3327e677dc28. Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
License Updater	c5ce355756	licenses: update tailscale{,d} licenses Signed-off-by: License Updater <noreply@tailscale.com>	2 years ago
Florian Lehner	7e0ffc17fd	Address GO-2022-0969 HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service. Signed-off-by: Florian Lehner <dev@der-flo.net>	2 years ago
Florian Lehner	17348915fa	Address GO-2020-0042 Due to improper path santization, RPMs containing relative file paths can cause files to be written (or overwritten) outside of the target directory. Signed-off-by: Florian Lehner <dev@der-flo.net>	2 years ago
Brad Fitzpatrick	1841d0bf98	wgengine/magicsock: make debug-level stuff not logged by default And add a CLI/localapi and c2n mechanism to enable it for a fixed amount of time. Updates #1548 Change-Id: I71674aaf959a9c6761ff33bbf4a417ffd42195a7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	5c69961a57	cmd/tailscale/cli: add --record flag to bugreport (#5826 ) Change-Id: I02bdc37a5c1a5a5d030c136ec5e84eb4c9ab1752 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Andrew Dunham	e5636997c5	wgengine: don't re-allocate trimmedNodes map (#5825 ) Change-Id: I512945b662ba952c47309d3bf8a1b243e05a4736 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
License Updater	445c8a4671	licenses: update win/apple licenses Signed-off-by: License Updater <noreply@tailscale.com>	2 years ago
Andrew Dunham	d7c0410ea8	ipn/localapi: print hostinfo and health on bugreport (#5816 ) This information is super helpful when debugging and it'd be nice to not have to scroll around in the logs to find it near a bugreport. Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Maisem Ali	4102a687e3	tsnet: fix netstack leak on Close Identified while investigating a goroutine leak in a different repo. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	5fc8843c4c	docs/k8s: [proxy] fix sysctl command Fixes #5805 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Mihai Parparita	8343b243e7	all: consistently initialize Logf when creating tsdial.Dialers Most visible when using tsnet.Server, but could have resulted in dropped messages in a few other places too. Fixes #5743 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Cuong Manh Le	a7efc7bd17	util/singleflight: sync with upstream Sync with golang.org/x/sync/singleflight at commit 8fcdb60fdcc0539c5e357b2308249e4e752147f1 Fixes #5790 Signed-off-by: Cuong Manh Le <cuong.manhle.vn@gmail.com>	2 years ago
Josh Soref	d4811f11a0	all: fix spelling mistakes Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2 years ago
Joe Tsai	e73657d7aa	logpolicy: directly expose the logtail server URL (#5788 ) Callers of LogHost often jump through hoops to undo the loss of information dropped by LogHost (e.g., the HTTP scheme). Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Brad Fitzpatrick	bb7be74756	net/dns/publicdns: permit more NextDNS profile bits in its IPv6 suffix I brain-o'ed the math earlier. The NextDNS prefix is /32 (actually /33, but will guarantee last bit is 0), so we have 128-32 = 96 bits (12 bytes) of config/profile ID that we can extract. NextDNS doesn't currently use all those, but might. Updates #2452 Change-Id: I249bd28500c781e45425fd00fd3f46893ae226a2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Adrian Dewhurst	c581ce7b00	cmd/tailscale, client, ipn, tailcfg: add network lock modify command Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	2 years ago
Andrew Dunham	420d841292	wgengine: log subnet router decision at v1 if we have a BIRD client (#5786 ) Updates tailscale/coral#82 Change-Id: I398d75f7e178ff7c531ca09899c82cf974fc30c9 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Tom DNetto	58ffe928af	ipn/ipnlocal, tka: Implement TKA synchronization with the control plane Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	ab591906c8	wgengine/router: Increase range of rule priorities when detecting mwan3 Context: https://github.com/tailscale/tailscale/pull/5588#issuecomment-1260655929 It seems that if the interface at index 1 is down, the rule is not installed. As such, we increase the range we detect up to 2004 in the hope that at least one of the interfaces 1-4 will be up. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Mihai Parparita	9214b293e3	tstime: add ParseDuration helper function More expressive than time.ParseDuration, also accepting d (days) and w (weeks) literals. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Aaron Klotz	44f13d32d7	cmd/tailscaled, util/winutil: log Windows service diagnostics when the wintun device fails to install I added new functions to winutil to obtain the state of a service and all its depedencies, serialize them to JSON, and write them to a Logf. When tstun.New returns a wrapped ERROR_DEVICE_NOT_AVAILABLE, we know that wintun installation failed. We then log the service graph rooted at "NetSetupSvc". We are interested in that specific service because network devices will not install if that service is not running. Updates https://github.com/tailscale/tailscale/issues/5531 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Brad Fitzpatrick	18159431ab	logpolicy: fix, test LogHost to work as documented Change-Id: I225c9602a7587c69c237e336d0714fc8315ea6bd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	a5fab23e8f	net/dns: format OSConfig correctly with no pointers (#5766 ) Fixes tailscale/tailscale#5669 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Andrew Dunham	4b996ad5e3	util/deephash: add AppendSum method (#5768 ) This method can be used to obtain the hex-formatted deephash.Sum instance without allocations. Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Tom DNetto	ebd1637e50	ipn/ipnlocal,tailcfg: Identify client using NodeKey in tka RPCs Updates https://github.com/tailscale/corp/pull/7024 Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Mihai Parparita	e97d5634bf	control/controlhttp: use custom port for non-localhost JS noise client connections Control may not be bound to (just) localhost when sharing dev servers, allow the Wasm client to connect to it in that case too. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Emmanuel T Odeke	f981b1d9da	all: fix resource leaks with missing .Close() calls Fixes #5706 Signed-off-by: Emmanuel T Odeke <emmanuel@orijtech.com>	2 years ago
Brad Fitzpatrick	9bdf0cd8cd	ipn/ipnlocal: add c2n /debug/{goroutines,prefs,metrics} * and move goroutine scrubbing code to its own package for reuse * bump capver to 45 Change-Id: I9b4dfa5af44d2ecada6cc044cd1b5674ee427575 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Josh Soref	7686446c60	Drop duplicated `$` Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2 years ago
Andrew Dunham	b1867457a6	doctor: add package for running in-depth healthchecks; use in bugreport (#5413 ) Change-Id: Iaa4e5b021a545447f319cfe8b3da2bd3e5e5782b Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Tom DNetto	e3beb4429f	tka: Checkpoint every 50 updates Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	8a0cb4ef20	control/controlclient: fix recent set-dns regression SetDNS calls were broken by `6d04184325` the other day. Unreleased. Caught by tests in another repo. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	fb4e23506f	control/controlclient: stop restarting map polls on health change At some point we started restarting map polls on health change, but we don't remember why. Maybe it was a desperate workaround for something. I'm not sure it ever worked. Rather than have a haunted graveyard, remove it. In its place, though, and somewhat as a safety backup, send those updates over the HTTP/2 noise channel if we have one open. Then if there was a reason that a map poll restart would help we could do it server-side. But mostly we can gather error stats and show machine-level health info for debugging. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	6d04184325	control/controlclient: add a noiseClient.post helper method In prep for a future change that would've been very copy/paste-y. And because the set-dns call doesn't currently use a context, so timeouts/cancelations are plumbed. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Will Norris	8c72aabbdf	licenses: remove win.md file This was renamed to windows.md	2 years ago
James Tucker	f7cb535693	net/speedtest: retune to meet iperf on localhost in a VM - removed some in-flow time calls - increase buffer size to 2MB to overcome syscall cost - move relative time computation from record to report time Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	146f51ce76	net/packet: fix filtering of short IPv4 fragments The fragment offset is an 8 byte offset rather than a byte offset, so the short packet limit is now in fragment block size in order to compare with the offset value. The packet flags are in the first 3 bits of the flags/frags byte, and so after conversion to a uint16 little endian value they are at the start, not the end of the value - the mask for extracting "more fragments" is adjusted to match this byte. Extremely short fragments less than 80 bytes are dropped, but fragments over 80 bytes are now accepted. Fixes #5727 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Mihai Parparita	c66e15772f	tsweb: consider 304s as successful for quiet logging Static resource handlers will generate lots of 304s, which are effectively successful responses. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Andrew Dunham	e1bdbfe710	tailcfg, control/controlhttp, control/controlclient: add ControlDialPlan field (#5648 ) * tailcfg, control/controlhttp, control/controlclient: add ControlDialPlan field This field allows the control server to provide explicit information about how to connect to it; useful if the client's link status can change after the initial connection, or if the DNS settings pushed by the control server break future connections. Change-Id: I720afe6289ec27d40a41b3dcb310ec45bd7e5f3e Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Aaron Klotz	acc7baac6d	tailcfg, util/deephash: add DataPlaneAuditLogID to Node and DomainDataPlaneAuditLogID to MapResponse We're adding two log IDs to facilitate data-plane audit logging: a node-specific log ID, and a domain-specific log ID. Updated util/deephash/deephash_test.go with revised expectations for tailcfg.Node. Updates https://github.com/tailscale/corp/issues/6991 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Kyle Carberry	91794f6498	wgengine/magicsock: move firstDerp check after nil derpMap check This fixes a race condition which caused `c.muCond.Broadcast()` to never fire in the `firstDerp` if block. It resulted in `Close()` hanging forever. Signed-off-by: Kyle Carberry <kyle@carberry.com>	2 years ago

1 2 3 4 5 ...

4564 Commits (73db56af5284a634692ef1d78dc1e700f1889e7a) All Branches Search

4564 Commits (73db56af5284a634692ef1d78dc1e700f1889e7a)

All Branches