tailscale

Commit Graph

Author	SHA1	Message	Date
Elias Naur	7b901fdbbc	logpolicy: report the correct error Signed-off-by: Elias Naur <mail@eliasnaur.com>	4 years ago
Elias Naur	0068e57407	go.mod,go.sum: bump golang.org/x/sys for the Android dup2 fix No tidy, because it doesn't work for me: $ go mod tidy go: finding module for package tailscale.io/control go: finding module for package tailscale.io/control/cfgdb tailscale.com/control/controlclient tested by tailscale.com/control/controlclient.test imports tailscale.io/control: cannot find module providing package tailscale.io/control: unrecognized import path "tailscale.io/control": parse https://tailscale.io/control?go-get=1: no go-import meta tags (meta tag tailscale.com did not match import path tailscale.io/control) tailscale.com/control/controlclient tested by tailscale.com/control/controlclient.test imports tailscale.io/control/cfgdb: cannot find module providing package tailscale.io/control/cfgdb: unrecognized import path "tailscale.io/control/cfgdb": parse https://tailscale.io/control/cfgdb?go-get=1: no go-import meta tags (meta tag tailscale.com did not match import path tailscale.io/control/cfgdb) Signed-off-by: Elias Naur <mail@eliasnaur.com>	4 years ago
Avery Pennarun	9d1f48032a	cmd/tailscale: add --advertise-tags option. These will be used for dynamically changing the identity of a node, so its ACL rights can be different from your own. Note: Not all implemented yet on the server side, but we need this so we can request the tagged rights in the first place. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
David Crawshaw	5650f1ecf9	controlclient, ipn: adjust tests for tailscale.com keepalive change	4 years ago
David Crawshaw	c10f90357e	ipn/e2e_test: fix flaky logout state drain	4 years ago
David Anderson	657f331e8b	net/dnscache: remove unnecessary lint warning.	4 years ago
David Anderson	9396024bd7	portlist: move code around to avoid unused function warnings.	4 years ago
David Anderson	755fd9253c	wgengine/router: fix up docstring. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	1ac570def7	wgengine/router: split out from wgengine. The router implementations are logically separate, with their own API. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Avery Pennarun	ee3395e63a	wgengine/filter: fix linter warning. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	5e5e5db75f	Appease the "missing copyright header" check. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	65fbb9c303	wgengine/filter: support subnet mask rules, not just /32 IPs. This depends on improved support from the control server, to send the new subnet width (Bits) fields. If these are missing, we fall back to assuming their value is /32. Conversely, if the server sends Bits fields to an older client, it will interpret them as /32 addresses. Since the only rules we allow are "accept" rules, this will be narrower or equal to the intended rule, so older clients will simply reject hosts on the wider subnet (fail closed). With this change, the internal filter.Matches format has diverged from the wire format used by controlclient, so move the wire format into tailcfg and convert it to filter.Matches in controlclient. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	d6c34368e8	ipn/local: differentiate Shields Up from Uninitialized in logs. We were printing "Shields Up" when the netmap wasn't initialized yet, which while technically effectively true, turned out to be confusing when trying to debug things. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	64db026c8b	backoff: add a LogLongerThan configuration. Some programs use frequent short-duration backoffs even under non-error conditions. They can set this to avoid logging short backoffs when things are operating normally, but still get messages when longer backoffs kick in. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	ced9b4008a	ipn: clear the hostinfo.Services list when prefs.ShieldsUp==true. When shields are up, no services are available to connect to, so hide them all. This will also help them disappear from the UI menu on other nodes. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	d7429b9a8d	Add prefs.ShieldsUp and --shields-up option. This sets a default packet filter that blocks all incoming requests, giving end users more control over who can get into their machine, even if the admin hasn't set any central ACLs. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	85e675940d	wgengine/filter: allow ICMP response packets. Longer term, we should probably update the packet filter to be fully stateful, for both TCP and ICMP. That is, only ICMP packets related to a session we initiated should be allowed back in. But this is reasonably secure for now, since wireguard is already trimming most traffic. The current code would not protect against eg. Ping-of-Death style attacks from VPN nodes. Fixes tailscale/tailscale#290. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	dbc1f71e5d	ipn/message: fix some message encoding problems. - Reset() was not including a Version field, so was getting rejected; the Logout operation no longer happened when the client got disconnected. - Don't crash if we can't decode 0-byte messages, which I suspect might sometimes come through on EOF. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
David Crawshaw	2372530964	logtail/backoff: only log backoffs > 2sec Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	4 years ago
David Anderson	0038223632	tstest: rename from testy. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Brad Fitzpatrick	e1526b796e	ipn: don't listen on the unspecified address in test To avoid the Mac firewall dialog of (test) death. See `4521a59f30` which I added to help debug this.	4 years ago
David Crawshaw	d2b7cb1e45	ipn, controlclient: add control.New parameter Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	4 years ago
Brad Fitzpatrick	f4c7eb8c44	ipn: revert part of `18017f7630` In retrospect I don't trust it and I'm afraid might've caused some Mac flakiness. I'd like more tests here before I work on this. Updates #288	4 years ago
Brad Fitzpatrick	18017f7630	ipn, wgengine/magicsock: be more idle when in Stopped state with no peers (Previously as #288, but with some more.) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
David Anderson	66c7875974	control/controlclient: wait for c1 to receive a netmap. This strictly sequences things such that c1 is fully registered in the control server before c2 creates its poll. Failure to do this can cause an inversion where c2's poll finishes establishing before c1's poll starts, which results in c2 getting disconnected rather than c1, and the test times out waiting for c1 to get kicked. Fixes #98. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	cbb1e2e853	control/controlclient: document test TestClientsReusingKeys. The test is straightforward, but it's a little perplexing if you're not overly familiar with controlclient. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
fgergo	8296c934ac	Update ifconfig_windows.go OLE calls sometimes unexpectedly fail, but retries can succeed. Change panic() to return errors. This way ConfigureInterface() retries can succeed.	4 years ago
David Anderson	9669b85b41	wgengine/magicsock: wait for endpoint updater goroutine when closing. Fixes #204. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Elias Naur	ad0795efc2	net/dnscache: don't use the Go resolver on Android The local resolver is not available for apps on Android. Signed-off-by: Elias Naur <mail@eliasnaur.com>	4 years ago
Brad Fitzpatrick	a464439658	control/controlclient: fix build break caused by overzealous gitting	4 years ago
Brad Fitzpatrick	2244cca5ff	net/tlsdial: update package doc to say it's now somewhat useless	4 years ago
Brad Fitzpatrick	58e83d8f66	tempfork/x509: moved to tailscale/go's crypto/x509 instead	4 years ago
Brad Fitzpatrick	172d72a060	Revert "net/tlsdial: add memory-optimized TLS cert verification path for iOS" This reverts commit `6fcbd4c4d4`. Decided to put it in tailscale/go's crypto/x509 instead.	4 years ago
Brad Fitzpatrick	5d67365cc9	logtail: add PrivateID.IsZero method	4 years ago
Brad Fitzpatrick	9497921f52	logpolicy: also set up TLS dialing (for iOS) for log uploads This was the last of the three places that do TLS from clients (logs, control, derp). With this, iOS should be able to use the memory-efficient x509 root CertPool.	4 years ago
Brad Fitzpatrick	c726c1eec9	logtail: add const DefaultHost with default server name	4 years ago
Brad Fitzpatrick	1a0f6fea58	go.mod, go.sum: bump wireguard-go, tidy	4 years ago
Brad Fitzpatrick	95a658e1e3	control/controlclient: also rename HTTPC in the tests	4 years ago
Brad Fitzpatrick	eb6de2bd88	control/controlclient: restore Options.HTTPC as Options.HTTPTestClient I removed the HTTPC field in `b6fa5a69be` but it was apparently still used in [oss-skipped] tests. Restore it, but name it so it's more obvious that it's only for tests. (It currently is, and I'd like to keep it like that for now.)	4 years ago
Brad Fitzpatrick	6fcbd4c4d4	net/tlsdial: add memory-optimized TLS cert verification path for iOS Behind a build tag for now.	4 years ago
Brad Fitzpatrick	b6fa5a69be	net/tlsdial: add package for TLS dials, and make DERP & controlclient use it This will do the iOS-optimized cert checking in a following change.	4 years ago
Brad Fitzpatrick	d427fc023e	tempfork/x509: remove the bundle tag in our fork We want to be able to omit from only one (not both)	4 years ago
Brad Fitzpatrick	28c632c97b	tempfork/x509: store certs for iOS compressed in binary, parse lazily	4 years ago
Brad Fitzpatrick	8fd8fc9c7d	tempfork/x509: fix build on darwin and windows These fixes were originally in the updates to CL 229917 after Trybots failed there. See https://go-review.googlesource.com/c/go/+/229917/1..3	4 years ago
Brad Fitzpatrick	bfc1261ab6	crypto/x509: keep smaller root cert representation in memory until needed (from patchset 1, c12c890c64dd6372b3893af1e6f5ab11802c9e81, of https://go-review.googlesource.com/c/go/+/230025/1, with merges fixes due to parent commit's differents from its ps1..ps3) Instead of parsing the PEM files and then storing the *Certificate values forever, still parse them to see if they're valid and pick out some fields, but then only store the decoded pem.Block.Bytes until that cert is first needed. Saves about 500K of memory on my (Debian stable) machine after doing a tls.Dial or calling x509.SystemCertPool. A more aggressive version of this is still possible: we can not keep the pem.Block.Bytes in memory either, and re-read them from disk when necessary. But dealing with files disappearing and even large multi-cert PEM files changing (with offsets sliding around) made this conservative version attractive. It doesn't change the slurp-roots-on-startup semantics. It just does so with less memory retained. Change-Id: I3aea333f4749ae3b0026042ec3ff7ac015c72204	4 years ago
Brad Fitzpatrick	f5993f2440	crypto/x509: add support for CertPool to load certs lazily (from patchset 1, 7cdc3c3e7427c9ef69e19224d6036c09c5ea1723, of https://go-review.googlesource.com/c/go/+/229917/1) This will allow building CertPools that consume less memory. (Most certs are never accessed. Different users/programs access different ones, but not many.) This CL only adds the new internal mechanism (and uses it for the old AddCert) but does not modify any existing root pool behavior. (That is, the default Unix roots are still all slurped into memory as of this CL) Change-Id: Ib3a42e4050627b5e34413c595d8ced839c7bfa14	4 years ago
Brad Fitzpatrick	6b232b5a79	Disable staticcheck for tempfork packages.	4 years ago
Numerous Gophers	3bab226299	Add fork of Go 1.15-dev's crypto/x509 Snapshotted from Go commit 619c7a48a38b28b521591b490fd14ccb7ea5e821 (https://go-review.googlesource.com/c/go/+/229762, "crypto/x509: add x509omitbundledroots build tag to not embed roots") With 975c01342a25899962969833d8b2873dc8856a4f (https://go-review.googlesource.com/c/go/+/220721) removed, because it depends on other stuff in Go std that doesn't yet exist in a Go release. Also, add a subset fork of Go's internal/testenv, for use by x509's tests.	4 years ago
Elias Naur	2dac4f2b24	wgengine/monitor: disable monitor on Android Netlink is not supported on Android. Signed-off-by: Elias Naur <mail@eliasnaur.com>	4 years ago
David Anderson	eccae0cd0c	tsweb: add ReturnHandlerFunc. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago

1 2 3 4 5 ...

592 Commits (7b901fdbbc5153ea356e34372bdbfd94164becd0) All Branches Search

592 Commits (7b901fdbbc5153ea356e34372bdbfd94164becd0)

All Branches