tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	79472a4a6e	wgengine/netstack: optimize shouldProcessInbound, avoiding 4via6 lookups All IPv6 packets for the self address were doing netip.Prefix.Contains lookups. If if we know they're for a self address (which we already previously computed and have sitting in a bool), then they can't be for a 4via6 range. Change-Id: Iaaaf1248cb3fecec229935a80548ead0eb4cb892 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	2daf0f146c	ipn/ipnlocal, wgengine/netstack: start handling ports for future serving Updates tailscale/corp#7515 Change-Id: I966e936e72a2ee99be8d0f5f16872b48cc150258 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	acf5839dd2	wgengine/netstack: add tests for shouldProcessInbound Inspired by #6235, let's explicitly test the behaviour of this function to ensure that we're not processing things we don't expect to. Change-Id: I158050a63be7410fb99452089ea607aaf89fe91a Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Andrew Dunham	e85613aa2d	net/netcheck: don't use a space in the captive portal challenge The derpers don't allow whitespace in the challenge. Change-Id: I93a8b073b846b87854fba127b5c1d80db205f658 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
ysicing	cba1312dab	util/endian: add support on Loongnix-Server (loong64) Change-Id: I8275d158779c749a4cae2b4457d390871b4b8e3c Signed-off-by: ysicing <i@ysicing.me>	2 years ago
Brad Fitzpatrick	abfdcd0f70	wgengine/netstack: fix shouldProcessInbound peerapi non-SYN handling It was eating TCP packets to peerapi ports to subnet routers. Some of the TCP flow's packets went onward, some got eaten. So some TCP flows to subnet routers, if they used an unfortunate TCP port number, got broken. Change-Id: Ifea036119ccfb081f4dfa18b892373416a5239f8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	6d8320a6e9	ipn/{ipnlocal,localapi}: move most of cert.go to ipnlocal Leave only the HTTP/auth bits in localapi. Change-Id: I8e23fb417367f1e0e31483e2982c343ca74086ab Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	9be8d15979	ipn/localapi: refactor some cert code in prep for a move I want to move the guts (after the HTTP layer) of the certificate fetching into the ipnlocal package, out of localapi. As prep, refactor a bit: * add a method to do the fetch-from-cert-or-as-needed-with-refresh, rather than doing it in the HTTP hander * convert two methods to funcs, taking the one extra field (LocalBackend) then needed from their method receiver. One of the methods needed nothing from its receiver. This will make a future change easier to reason about. Change-Id: I2a7811e5d7246139927bb86e7db8009bf09b3be3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Mihai Parparita	847a8cf917	api.md: make it clearer where to get the tailnet name in API calls We added the tailnet organization name to to the settings page with tailscale/corp#6977, but the docs were not updated to reflect this. We later also changed "tailnet name" to refer to the MagicDNS hostname (tailscale/corp#7537), which further confuses things (see https://stackoverflow.com/questions/74132318). Make it slightly clearer what is the expected value for tailnet names in API calls and how to get it. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
David Anderson	5e703bdb55	docs/k8s: add secrets patching permission to the tailscale role. Fixes #6225. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
David Anderson	6acc27a92f	cmd/containerboot: be more targeted when enabling IP forwarding. Only enable forwarding for an IP family if any forwarding is required for that family. Fixes #6221. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Brad Fitzpatrick	5bb7e0307c	cmd/tailscale, ipn/ipnlocal: add debug command to write to StateStore for dev Not for end users (unless directed by support). Mostly for ease of development for some upcoming webserver work. Change-Id: I43acfed217514567acb3312367b24d620e739f88 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
David Anderson	bf2d3cd074	cmd/containerboot: don't write device ID when not in Kubernetes. Fixes #6218. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
David Anderson	e0669555dd	cmd/containerboot: don't write device ID into non-existent secret. Fixes #6211 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Xe Iaso	be7556aece	tsnet/example/tshello: use strings.Cut (#6198 ) strings.Cut allows us to be more precise here. This example was written before strings.Cut existed. Signed-off-by: Xe <xe@tailscale.com> Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Andrew Dunham	c2d7940ec0	cmd/tailscaled, net/tstun: add build tags to omit BIRD and TAP Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I7a39f4eeeb583b73ecffaf4c5f086a38e3a53e2e	2 years ago
Brad Fitzpatrick	036334e913	net/netcheck: deflake (maybe) magicsock's TestNewConn Updates #6207 Change-Id: I51d200d0b42b9a1ef799d0abfc8d4bd871c50cf2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	db2cc393af	util/dirwalk, metrics, portlist: add new package for fast directory walking This is similar to the golang.org/x/tools/internal/fastwalk I'd previously written but not recursive and using mem.RO. The metrics package already had some Linux-specific directory reading code in it. Move that out to a new general package that can be reused by portlist too, which helps its scanning of all /proc files: name old time/op new time/op delta FindProcessNames-8 2.79ms ± 6% 2.45ms ± 7% -12.11% (p=0.000 n=10+10) name old alloc/op new alloc/op delta FindProcessNames-8 62.9kB ± 0% 33.5kB ± 0% -46.76% (p=0.000 n=9+10) name old allocs/op new allocs/op delta FindProcessNames-8 2.25k ± 0% 0.38k ± 0% -82.98% (p=0.000 n=9+10) Change-Id: I75db393032c328f12d95c39f71c9742c375f207a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	21ef7e5c35	portlist: add macOS osImpl, finish migration to new style Previously: * `036f70b7b4` for linux * `35bee36549` for windows This does macOS. And removes all the compat code for the old style. (e.g. iOS, js are no longer mentioned; all platforms without implementations just default to not doing anything) One possible regression is that platforms without explicit implementations previously tried to do the "netstat -na" style to get open ports (but not process names). Maybe that worked on FreeBSD and OpenBSD previously, but nobody ever really tested it. And it was kinda useless without associated process names. So better off removing those for now until they get a good implementation. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	da8def8e13	all: remove old +build tags The //go:build syntax was introduced in Go 1.17: https://go.dev/doc/go1.17#build-lines gofmt has kept the +build and go:build lines in sync since then, but enough time has passed. Time to remove them. Done with: perl -i -npe 's,^// \+build.*\n,,' $(git grep -l -F '+build') Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	bb2cba0cd1	ipn: add missing check for nil Notify.Prefs This was missed in `6afe26575c` Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	6afe26575c	ipn: make Notify.Prefs be a *ipn.PrefsView It is currently a `ipn.PrefsView` which means when we do a JSON roundtrip, we go from an invalid Prefs to a valid one. This makes it a pointer, which fixes the JSON roundtrip. This was introduced in `0957bc5af2`. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Adrian Dewhurst	c3a5489e72	util/winutil: remove log spam for missing registry keys It's normal for HKLM\SOFTWARE\Policies\Tailscale to not exist but that currently produces a lot of log spam. Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	2 years ago
David Anderson	76904b82e7	cmd/containerboot: PID1 for running tailscaled in a container. This implements the same functionality as the former run.sh, but in Go and with a little better awareness of tailscaled's lifecycle. Also adds TS_AUTH_ONCE, which fixes the unfortunate behavior run.sh had where it would unconditionally try to reauth every time if you gave it an authkey, rather than try to use it only if auth is actually needed. This makes it a bit nicer to deploy these containers in automation, since you don't have to run the container once, then go and edit its definition to remove authkeys. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Maisem Ali	0759d78f12	tailcfg: bump CurrentCapabilityVersion for EarlyNoise Updates #5972 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	a413fa4f85	control/controlclient: export NoiseClient This allows reusing the NoiseClient in other repos without having to reimplement the earlyPayload logic. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	d57cba8655	net/tshttpproxy: add clientmetrics on Windows proxy lookup paths To collect some data on how widespread this is and whether there's any correlation between different versions of Windows, etc. Updates #4811 Change-Id: I003041d0d7e61d2482acd8155c1a4ed413a2c5c4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	e55ae53169	tailcfg: add Node.UnsignedPeerAPIOnly to let server mark node as peerapi-only capver 48 Change-Id: I20b2fa81d61ef8cc8a84e5f2afeefb68832bd904 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	3367136d9e	wgengine/netstack: remove old unused handleSSH hook It's leftover from an earlier Tailscale SSH wiring and I forgot to delete it apparently. Change-Id: I14f071f450e272b98d90080a71ce68ba459168d1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
License Updater	18fa1a0ad7	licenses: update win/apple licenses Signed-off-by: License Updater <noreply@tailscale.com>	2 years ago
Joe Tsai	2327c6b05f	wgengine/netlog: preserve Tailscale addresses for exit traffic (#6165 ) Exit node traffic is aggregated to protect the privacy of those using an exit node. However, it is reasonable to at least log which nodes are making most use of an exit node. For a node using an exit node, the source will be the taiscale IP address of itself, while the destination will be zeroed out. For a node that serves as an exit node, the source will be zeroed out, while the destination will be tailscale IP address of the node that initiated the exit traffic. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Andrew Dunham	e975cb6b05	ipn/ipnlocal: fix test flake when we log after a test completes This switches from using an atomic.Bool to a mutex for reasons that are described in the commit, and should address the flakes that we're still seeing. Fixes #3020 Change-Id: I4e39471c0eb95886db03020ea1ccf688c7564a11 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Tom DNetto	0af57fce4c	cmd/tailscale,ipn: implement lock sign command Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Joe Tsai	7d6775b082	wgengine: respect --no-logs-no-support flag for network logging (#6172 ) In the future this will cause a node to be unable to join the tailnet if network logging is enabled. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Brad Fitzpatrick	910db02652	client/tailscale, tsnet, ipn/ipnlocal: prove nodekey ownership over noise Fixes #5972 Change-Id: Ic33a93d3613ac5dbf172d6a8a459ca06a7f9e547 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
License Updater	8c790207a0	licenses: update tailscale{,d} licenses Signed-off-by: License Updater <noreply@tailscale.com>	2 years ago
Brad Fitzpatrick	a0ed2c2eb5	go.mod: bump golang-x-crypto Fixes #5533 Change-Id: I403de0e9ed5a9a63055242a86720d6f4e0899af7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	06b55ab50f	prober: fix test flake This was tested by running 10000 test iterations and observing no flakes after this change was made. Change-Id: Ib036fd03a3a17800132c53c838cc32bfe2961306 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Brad Fitzpatrick	988c1f0ac7	control/controlclient, tailcfg: add support for EarlyNoise payload before http/2 Not yet used, but skipped over, parsed, and tested. Updates #5972 Change-Id: Icd00196959ce266ae16a6c9244bd5e458e2c2947 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	a7f7e79245	cmd/tailscale/cli: hide old, useless --host-routes flag It was from very early Tailscale and no longer makes sense. Change-Id: I31b4e728789f26b0376ebe73aa1b4bbbb1d62607 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	f4ff26f577	types/pad32: delete package Use Go 1.19's new 64-bit alignment ~hidden feature instead. Fixes #5356 Change-Id: Ifcbcb115875a7da01df3bc29e9e7feadce5bc956 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Aoang	60f77ba515	Fix vm ci tests clogging in fork repository pull request fix: https://github.com/tailscale/tailscale/issues/5771 Signed-off-by: Aoang <aoang@x2oe.com>	2 years ago
Maisem Ali	1440742a1c	ssh/tailssh: use root / as cmd.Dir when users HomeDir doesn't exist Fixes #5224 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Mihai Parparita	2be951a582	cmd/tsconnect: fix null pointer dereference when DNS lookups fail If we never had a chance to open the SSH session we should not try to close it. Fixes #6089 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
License Updater	e2519813b1	licenses: update win/apple licenses Signed-off-by: License Updater <noreply@tailscale.com>	2 years ago
Maisem Ali	42f7ef631e	wgengine/netstack: use 72h as the KeepAlive Idle time for Tailscale SSH Setting TCP KeepAlives for Tailscale SSH connections results in them unnecessarily disconnecting. However, we can't turn them off completely as that would mean we start leaking sessions waiting for a peer to come back which may have gone away forever (e.g. if the node was deleted from the tailnet during a session). Updates #5021 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Tom DNetto	d98305c537	cmd,ipn/ipnlocal,tailcfg: implement TKA disablement * Plumb disablement values through some of the internals of TKA enablement. * Transmit the node's TKA hash at the end of sync so the control plane understands each node's head. * Implement /machine/tka/disable RPC to actuate disablement on the control plane. There is a partner PR for the control server I'll send shortly. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Denton Gentry	3d8eda5b72	scripts/install.sh: add RHEL7. Fixes https://github.com/tailscale/tailscale/issues/5729 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Denton Gentry	5677ed1e85	scripts/installer.sh: add Debian Sid (rolling release) There is no VERSION_ID. root@sid:~# cat /etc/os-release PRETTY_NAME="Debian GNU/Linux bookworm/sid" NAME="Debian GNU/Linux" VERSION_CODENAME=bookworm ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/" Fixes https://github.com/tailscale/tailscale/issues/5522 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Denton Gentry	798dba14eb	scripts/install.sh: add openSUSE Leap 15.4 Fixes https://github.com/tailscale/tailscale/issues/6095 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago

1 2 3 4 5 ...

4759 Commits (79472a4a6e0510785a9cf4182f343978182844e6) All Branches Search

4759 Commits (79472a4a6e0510785a9cf4182f343978182844e6)

All Branches