Commit Graph

887 Commits (742b8b44a801768c696d33b41ff4ac6a6e0d0104)
 

Author SHA1 Message Date
Dmytro Shynkevych 33b2f30cea
wgengine: wrap tun.Device to support filtering and packet injection (#358)
Right now, filtering and packet injection in wgengine depend
on a patch to wireguard-go that probably isn't suitable for upstreaming.

This need not be the case: wireguard-go/tun.Device is an interface.
For example, faketun.go implements it to mock a TUN device for testing.

This patch implements the same interface to provide filtering
and packet injection at the tunnel device level,
at which point the wireguard-go patch should no longer be necessary.

This patch has the following performance impact on i7-7500U @ 2.70GHz,
tested in the following namespace configuration:
┌────────────────┐    ┌─────────────────────────────────┐     ┌────────────────┐
│      $ns1      │    │               $ns0              │     │      $ns2      │
│    client0     │    │      tailcontrol, logcatcher    │     │     client1    │
│  ┌─────┐       │    │  ┌──────┐         ┌──────┐      │     │  ┌─────┐       │
│  │vethc│───────┼────┼──│vethrc│         │vethrs│──────┼─────┼──│veths│       │
│  ├─────┴─────┐ │    │  ├──────┴────┐    ├──────┴────┐ │     │  ├─────┴─────┐ │
│  │10.0.0.2/24│ │    │  │10.0.0.1/24│    │10.0.1.1/24│ │     │  │10.0.1.2/24│ │
│  └───────────┘ │    │  └───────────┘    └───────────┘ │     │  └───────────┘ │
└────────────────┘    └─────────────────────────────────┘     └────────────────┘
Before:
---------------------------------------------------
| TCP send               | UDP send               |
|------------------------|------------------------|
| 557.0 (±8.5) Mbits/sec | 3.03 (±0.02) Gbits/sec |
---------------------------------------------------
After:
---------------------------------------------------
| TCP send               | UDP send               |
|------------------------|------------------------|
| 544.8 (±1.6) Mbits/sec | 3.13 (±0.02) Gbits/sec |
---------------------------------------------------
The impact on receive performance is similar.

Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
5 years ago
David Anderson 9ccbcda612 wgengine/router: rename config.Settings to config.Config, make pointer.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 72cae5504c wgengine: generate and plumb router.Settings in from ipn.
This saves a layer of translation, and saves us having to
pass in extra bits and pieces of the netmap and prefs to
wgengine. Now it gets one Wireguard config, and one OS
network stack config.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Brad Fitzpatrick e42ec4efba derp/derphttp: use SOCKS/etc proxies for derphttp dials
Updates #227

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Wendi Yu 3663797815 Reduce logspam from node with no peers
Signed-off-by: Wendi Yu <wendi.yu@yahoo.ca>
5 years ago
David Anderson cd01bcc395 wgengine/router: allow loopback traffic from our own IP(s).
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Brad Fitzpatrick 64f6104e63 portlist: reduce log spam/scariness for portlist in mac sandbox
Fixes tailscale/corp#235
5 years ago
David Anderson bfdc8175b1 wgengine/router: add a setting to disable SNAT for subnet routes.
Part of #320.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Brad Fitzpatrick 8eda667aa1 types/logger: simplify mutex locking in rate-limited logger
Updates #365

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
halulu 874be6566d
netcheck: DERP latency over HTTPS when UDP is blocked
* netcheck: DERP letency over HTTPS when UDP failed

Updates #207

Signed-off-by: Zijie Lu <zijie@tailscale.com>

* netcheck: async DERP latency check over HTTPS

Updates #207

Signed-off-by: Zijie Lu <zijie@tailscale.com>

* netcheck: DERP latency check over HTTPS: fix concurrent map

Updates #207

Signed-off-by: Zijie Lu <zijie@tailscale.com>

* netcheck: DERP latency check over HTTPS: some improvements

Updates #207

Signed-off-by: Zijie Lu <zijie@tailscale.com>

* netcheck: DERP latency check over HTTPS: use timeout context

Updates #207

Signed-off-by: Zijie Lu <zijie@tailscale.com>

* netcheck: DERP latency check over HTTPS: use report mutex

Updates #207

Signed-off-by: Zijie Lu <zijie@tailscale.com>

* netcheck: DERP latency check over HTTPS if UDP is BLOCKED

Updates #207

Signed-off-by: Zijie Lu <zijie@tailscale.com>

* netcheck: DERP latency check over HTTPS: new function measureHTTPSLatency

Updates #207

Signed-off-by: Zijie Lu <zijie@tailscale.com>
5 years ago
Brad Fitzpatrick 8a3e77fc43 ipn, wgengine/filter: remove exported type aliases 5 years ago
David Anderson 8b0be7475b cmd/tailscale: warn subnet route users if IP forwarding is off. #320
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson ad1cfe8bbe cmd/tailscale: support IPs or CIDRs in -advertise-routes.
Fixes #370.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 21ac65d3da wgengine/router: explicitly detect and complain about busybox's `ip`.
Defensive programming against #368 in environments other than Docker,
e.g. if you try using Tailscale in Alpine Linux directly, sans
container.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson e00b814a24 Dockerfile: install iproute2 in the container image.
Fixes #368.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 381b94d4d1 wgengine/router: include command output if `ip rule list` fails.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson e83d02ffd1 wgengine: don't double-close tundev on setup error.
Part of #368.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson efc1feedc9 wgengine/router: include more information when iptables ops fail.
The iptables package we use doesn't include command output, so we're
left with guessing what went wrong most of the time. This will at
least narrow things down to which operation failed.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Brad Fitzpatrick 529e2cb31a ipn: add AllowVersionSkew bool to Notify & Message
For "tailscale status" on macOS (from separately downloaded
cmd/tailscale binary against App Store IPNExtension).

(This isn't all of it, but I've had this sitting around uncommitted.)
5 years ago
Wendi Yu fde384b359 Fix macOS build
staticcheck used to fail on macOS (and presumably windows) due to a
variable declared in a common package that was only used by the Linux
build, which would prevent `redo pr` from passing on Mac. Moved variable
declaration from the common file to the Linux-specific one to resolve
the compiler complaint.

Signed-off-by: Wendi Yu <wendi.yu@yahoo.ca>
5 years ago
David Anderson e16f7e48a3 wgengine: simplify wgcfg.* to netaddr.* conversion.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 48b1e85e8a types/logger: fix deadlock in the burst case.
Fixes #365.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson ccbd0937d0 wgengine: avoid v6 mapped v4 IPs when converting to netaddr types.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Sylvain Rabot 74d6ab995d ipn/ipnstate: improve HTML output
Signed-off-by: Sylvain Rabot <sylvain@abstraction.fr>
5 years ago
Wendi Yu 0c69b4e00d
Implement rate limiting on log messages (#356)
Implement rate limiting on log messages

Addresses issue #317, where logs can get spammed with the same message
nonstop. Created a rate limiting closure on logging functions, which
limits the number of messages being logged per second based on format
string. To keep memory usage as constant as possible, the previous cache
purging at periodic time intervals has been replaced by an LRU that
discards the oldest string when the capacity of the cache is reached.


Signed-off-by: Wendi Yu <wendi.yu@yahoo.ca>
5 years ago
Wendi Yu 499c8fcbb3
Replace our ratelimiter with standard rate package (#359)
* Replace our ratelimiter with standard rate package

Signed-off-by: Wendi Yu <wendi.yu@yahoo.ca>
5 years ago
David Anderson b01db109f5 wgengine/router: use inet.af/netaddr, not wgcfg.CIDR.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson b8f01eed34 wgengine/router: remove wireguard-go config from settings.
Instead, pass in only exactly the relevant configuration pieces
that the OS network stack cares about.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 8861bb5a19 wgengine/router: alter API to support multiple addrs, and use on linux.
FreeBSD and OpenBSD will error out with a complaint if we pass >1 address
right now, but we don't yet so that's okay.
5 years ago
David Anderson 6802481bf5 wgengine/router: don't use gateway routes on linux. 5 years ago
David Anderson 78b1ed39ea wgengine/router: add more documentation. 5 years ago
David Anderson c9de43cd59 wgengine/router: fix typo.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 89af51b84d wgengine: plumb locally advertised subnet routes.
With this change, advertising subnet routes configures the
firewall correctly.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 89198b1691 wgengine/router: rewrite netfilter and routing logic.
New logic installs precise filters for subnet routes,
plays nice with other users of netfilter, and lays the
groundwork for fixing routing loops via policy routing.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 7618d7e677 wgengine/router: simplify some cmd invocations.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Zijie Lu e3559d1c45 cmd/netcheck: better DERP latency checking output
Fixes #206

Signed-off-by: Zijie Lu <zijie@tailscale.com>
5 years ago
Dmytro Shynkevych 46f4b18fe8 control/controlclient: revert extreneous synchronization.
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
5 years ago
Dmytro Shynkevych 3b94eabee3 control/controlclient: synchronize hostinfo test.
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
5 years ago
Brad Fitzpatrick 44b07aa708 netcheck: STUN less aggressively to known distant servers
If Australia's far away and not going to be used, it's still going to
be far away a minute later. No need to send backup
just-in-case-UDP-gets-lost STUN packets to the known far away
destinations. Those are the ones most likely to trigger retries due to
delay anyway (in random 50-250ms, currently). But we'll keep sending 1
packet to them, just in case our airplane landed.

Likewise, be less aggressive with IPv6. The main point is just to see
whether IPv6 works. No need to send up to 10 packets every round. Max
two is enough (except for the first round). This does mean our STUN
traffic graphs for IPv4-vs-IPv6 will change shape. Oh well. It was a
weird eyeball metric for IPv6 connectivity anyway and we have better
metrics.

We can tweak this policy over time. It's factored out and has tests
now.
5 years ago
Brad Fitzpatrick 828aa6dcb0 stunner: add Stunner.MaxTries option 5 years ago
Brad Fitzpatrick 495796fff1 derp/derpmap: add World.ForeachServer, check STUN server validity earlier 5 years ago
Avery Pennarun 108237798d controlclient and ipn tests: supply --advertise-tags and --advertise-routes.
This helps validate the server's behaviour when these are present.
5 years ago
Dmytro Shynkevych 68a173bc24 cmd/mkpkg: support adding empty directories.
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
5 years ago
Brad Fitzpatrick 3b546dc29a portlist: make two error paths have unique messages
For debugging #339
5 years ago
Brad Fitzpatrick fefd7e10dc types/structs: add structs.Incomparable annotation, use it where applicable
Shotizam before and output queries:

sqlite> select sum(size) from bin where func like 'type..%';
129067
=>
120216
5 years ago
Elias Naur 7b901fdbbc logpolicy: report the correct error
Signed-off-by: Elias Naur <mail@eliasnaur.com>
5 years ago
Elias Naur 0068e57407 go.mod,go.sum: bump golang.org/x/sys for the Android dup2 fix
No tidy, because it doesn't work for me:

$ go mod tidy
go: finding module for package tailscale.io/control
go: finding module for package tailscale.io/control/cfgdb
tailscale.com/control/controlclient tested by
	tailscale.com/control/controlclient.test imports
	tailscale.io/control: cannot find module providing package tailscale.io/control: unrecognized import path "tailscale.io/control": parse https://tailscale.io/control?go-get=1: no go-import meta tags (meta tag tailscale.com did not match import path tailscale.io/control)
tailscale.com/control/controlclient tested by
	tailscale.com/control/controlclient.test imports
	tailscale.io/control/cfgdb: cannot find module providing package tailscale.io/control/cfgdb: unrecognized import path "tailscale.io/control/cfgdb": parse https://tailscale.io/control/cfgdb?go-get=1: no go-import meta tags (meta tag tailscale.com did not match import path tailscale.io/control/cfgdb)

Signed-off-by: Elias Naur <mail@eliasnaur.com>
5 years ago
Avery Pennarun 9d1f48032a cmd/tailscale: add --advertise-tags option.
These will be used for dynamically changing the identity of a node, so
its ACL rights can be different from your own.

Note: Not all implemented yet on the server side, but we need this so
we can request the tagged rights in the first place.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
David Crawshaw 5650f1ecf9 controlclient, ipn: adjust tests for tailscale.com keepalive change 5 years ago
David Crawshaw c10f90357e ipn/e2e_test: fix flaky logout state drain 5 years ago