tailscale

Commit Graph

Author	SHA1	Message	Date
Maisem Ali	80ba161c40	wgengine/monitor: do not ignore changes to pdp_ip* One current theory (among other things) on battery consumption is that magicsock is resorting to using the IPv6 over LTE even on WiFi. One thing that could explain this is that we do not get link change updates for the LTE modem as we ignore them in this list. This commit makes us not ignore changes to `pdp_ip` as a test. Updates #3363 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	1a19aed410	ipn/ipnlocal: do not initialize peer api listeners when shutting down Updates tailscale/corp#4824 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	e97209c6bf	net/dns: add tailscaled-on-macOS DNS OSConfigurator This populates DNS suffixes ("ts.net", etc) in /etc/resolver/* files to point to 100.100.100.100 so MagicDNS works. It also sets search domains. Updates #4276 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	bbca2c78cb	tsnet: fix mem.Store check for normal nodes There was a typo in the check it was doing `!ok` instead of `ok`, this restructures it a bit to read better. Fixes #4506 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Denton Gentry	d819bb3bb0	VERSION.txt: This is 1.25.0 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Maisem Ali	2265587d38	wgengine/{,magicsock}: add metrics for rebinds and restuns Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Tom DNetto	78fededaa5	net/dns/resolver: support magic resolution of via-<siteid>.<ip4> domains Updates #3616 Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	910ae68e0b	util/mak: move tailssh's mapSet into a new package for reuse elsewhere Change-Id: Idfe95db82275fd2be6ca88f245830731a0d5aecf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	c2eff20008	ssh/tailssh: avoid user ssh configuration in tests Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	700bd37730	tshttpproxy: support synology proxy configuration Fixes #4395 Fixes #2605 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Maisem Ali	90b5f6286c	cmd/tailscale: use double quotes in the ssh subcommands Single-quote escaping is insufficient apparently. Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	db70774685	cmd/tailscale/cli: do not use syscall.Exec from macOS sandbox Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Tom DNetto	37c94c07cd	shell.nix: update go toolchain Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
David Anderson	a364bf2b62	ssh/tailssh: various typo fixes, clarifications. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Brad Fitzpatrick	c994eba763	ssh/tailssh: simplify matchRule with Reject rules Updates #3802 Change-Id: I59fe111eef5ac8abbcbcec922e293712a65a4830 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	31094d557b	ssh/tailssh: chmod the auth socket to be only user accessible Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	337c77964b	ssh/tailssh: set groups and gid in the incubated process Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	8ac4d52b59	ssh/tailssh: filter accepted environment variables Noted by @danderson Updates #3802 Change-Id: Iac70717ed57f11726209ac1ea93ddc6696605f94 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	89832c1a95	tailcfg: fix typo in SessionDuration field name Noted by @danderson. Updates #3802 Change-Id: Ide15f3f28e30f6abb5c94d7dcd218bd9482752a0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	695f8a1d7e	ssh/tailssh: add support for sftp Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	53588f632d	Revert "wgengine/router,util/kmod: load & log xt_mark" This reverts commit `8d6793fd70`. Reason: breaks Android build (cgo/pthreads addition) We can try again next cycle. Change-Id: I5e7e1730a8bf399a8acfce546a6d22e11fb835d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Tom DNetto	df26c63793	net/dns/resolver, net/tsaddr: fix reverse lookups in 4to6 IP range Fixes #4439 Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
James Tucker	8d6793fd70	wgengine/router,util/kmod: load & log xt_mark Attempt to load the xt_mark kernel module when it is not present. If the load fails, log error information. It may be tempting to promote this failure to an error once it has been in use for some time, so as to avoid reaching an error with the iptables invocation, however, there are conditions under which the two stages may disagree - this change adds more useful breadcrumbs. Example new output from tailscaled running under my WSL2: ``` router: ensure module xt_mark: "/usr/sbin/modprobe xt_mark" failed: exit status 1; modprobe: FATAL: Module xt_mark not found in directory /lib/modules/5.10.43.3-microsoft-standard-WSL2 ``` Background: There are two places to lookup modules, one is `/proc/modules` "old", the other is `/sys/module/` "new". There was query_modules(2) in linux <2.6, alas, it is gone. In a docker container in the default configuration, you would get /proc/modules and /sys/module/ both populated. lsmod may work file, modprobe will fail with EPERM at `finit_module()` for an unpriviliged container. In a priviliged container the load may succeed, if some conditions are met. This condition should be avoided, but the code landing in this change does not attempt to avoid this scenario as it is both difficult to detect, and has a very uncertain impact. In an nspawn container `/proc/modules` is populated, but `/sys/module` does not exist. Modern `lsmod` versions will fail to gather most module information, without sysfs being populated with module information. In WSL2 modules are likely missing, as the in-use kernel typically is not provided by the distribution filesystem, and WSL does not mount in a module filesystem of its own. Notably the WSL2 kernel supports iptables marks without listing the xt_mark module in /sys/module, and /proc/modules is empty. On a recent kernel, we can ask the capabilities system about SYS_MODULE, that will help to disambiguate between the non-privileged container case and just being root. On older kernels these calls may fail. Update #4329 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Brad Fitzpatrick	f7cb6630e7	tailcfg: document SSHPrincipal.PubKeys URL expansions From `f74ee80abe` which lacked docs. Updates #3802 Change-Id: Ia7df05a486ae383cc6d9aca9dfe487b04e243ad5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	5b4154342e	ssh/tailssh: fix double SSH-2.0- prefix in greeting banner gliderlabs/ssh was already adding the "SSH-2.0-" prefix. Updates #3802 Change-Id: I19a1cd9308371a2898e7883cf26e94c9b54bab29 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7a097ccc83	ipn/ipnlocal: close peerapi listeners on LocalBackend.Shutdown For tests. Now that we can always listen (whereas we used to fail prior to `a2c330c496`), some goroutine leak checks were failing in tests in another repo after that change. Change-Id: Id95a4b71167eca61962a48616d79741b9991e0bc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	2b8b887d55	ssh/tailssh: send banner messages during auth, move more to conn (VSCode Live Share between Brad & Maisem!) Updates #3802 Change-Id: Id8edca4481b0811debfdf56d4ccb1a46f71dd6d3 Co-Authored-By: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Denton Gentry	13f75b9667	scripts/install: add Alma Linux. Tested using an Alma Linux 8.5 VM. Updates https://github.com/tailscale/tailscale/issues/2915 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Denton Gentry	c2b907c965	scripts/installer: support LinuxMint Debian. The primary distribution for LinuxMint is based on Ubuntu, but there is an alternate Debian-based distribution called LMDE. Both variations identify themselves as "linuxmint" We added UBUNTU_VERSION to the Ubuntu handling for linuxmint, the only distribution so far found to do this. Instead, split linuxmint out into its own case and use either UBUNTU_VERSION or DEBIAN_VERSION, whichever is present. Tested on an LMDE 5 (elsie) VM. Updates https://github.com/tailscale/tailscale/issues/2915 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Denton Gentry	61868f281e	scripts/installer: call emerge with --ask=n Fixes https://github.com/tailscale/tailscale/issues/4354 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Denton Gentry	db7da6622a	scripts/installer: add ParrotOS support Support ParrotSec https://parrotsec.org/ Tested using a Parrot 5.0 VM. Updates https://github.com/tailscale/tailscale/issues/2915 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Brad Fitzpatrick	d413850bd7	cmd/tailscale: add "debug via" subcommand to do CIDR math for via ranges $ tailscale debug via 0xb 10.2.0.0/16 fd7a:115c:a1e0:b1a:0🅱️a02:0/112 $ tailscale debug via fd7a:115c:a1e0:b1a:0🅱️a02:0/112 site 11 (0xb), 10.2.0.0/16 Previously: `3ae701f0eb` This adds a little debug tool to do CIDR math to make converting between those ranges easier for now. Updates #3616 Change-Id: I98302e95d17765bfaced3ecbb71cbd43e84bff46 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	f74ee80abe	ssh/tailssh: support expansions in public key fetch URL too Updates #3802 Change-Id: I5aa98bdab14fd1c1c00ba63b93f8d7e670f72437 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	14d077fc3a	ssh/tailssh: terminate ssh auth early if no policy can match Also bump github.com/tailscale/golang-x-crypto/ssh Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	a2c330c496	ipn/ipnlocal: use the fake peerapi listener as fallback if netstack available The previous commit (`1b89662eff`) this for Android, but we can also use this on any platform if we we would otherwise fail. Change-Id: I4cd78b40e9e77fca5cc8e717dd48ac173101bed4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	136f30fc92	wgengine/monitor: split the unexpected stringification log line It unfortuantely gets truncated because it's too long, split it into 3 different log lines to circumvent truncation. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	8e40bfc6ea	wgengine/monitor: ignore OS-specific uninteresting interfaces Currently we ignore these interfaces in the darwin osMon but then would consider it interesting when checking if anything had changed. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	1b89662eff	ipn/ipnlocal: make peerapi listener on Android avoid the kernel We intercept the peerapi port in netstack anyway, so there's no reason the linux kernel on Android needs to know about it. It's only getting in the way and causing problems for reasons we don't fully understand. But we don't even need to understand it because it's not relevant anymore. Instead, provide a dummy net.Listener that just sits and blocks to pacify the rest of the code that assumes it can be stuck in a Listener.Accept call and call Listener.Close and Listener.Addr. We'll likely do this for all platforms in the future, if/when we also link in netstack on iOS. Updates #4449 Updates #4293 Updates #3986 Change-Id: Ic2d3fe2f3cee60fc527356a3368830f17aeb75ae Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	cf9b9a7fec	tstest/iosdeps: add test for forbidden iOS dependencies Fixes #4463 Change-Id: I8305710e8a075263ae9a88a29624b19032d5beeb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	8b81254992	ipn/ipnlocal: reject tailscale up --ssh if disabled on tailnet Updates #3802 Change-Id: I3f1e839391fe9b28270f506f4bb8d8e3d36716f5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	0ce67ccda6	wgengine/router: make supportsV6NAT check catch more cases Updates #4459 Change-Id: Ic27621569d2739298e652769d10e38608c6012be Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Xe Iaso	fc2f628d4c	cmd/nginx-auth: maintainer scripts and tailnet checking (#4460 ) * cmd/nginx-auth: add maintainer scripts Signed-off-by: Xe <xe@tailscale.com> * cmd/nginx-auth: add Expected-Tailnet header and documentation Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Blake Mizerany	33fa43252e	cmd/proxy-to-grafana: prevent premature termination This commit changes proxy-to-grafana to report errors while polling for tailscaled status instead of terminating at the first sign of an error. This allows tailscale some time to come up before the proxy decides to give up. Signed-off-by: Blake Mizerany <blake.mizerany@gmail.com>	2 years ago
Tom DNetto	c8f4dfc8c0	derp/derphttp,net/netcheck: improve netcheck behavior under MITM proxies In cases where tailscale is operating behind a MITM proxy, we need to consider that a lot more of the internals of our HTTP requests are visible and may be used as part of authorization checks. As such, we need to 'behave' as closely as possible to ideal. - Some proxies do authorization or consistency checks based the on Host header or HTTP URI, instead of just the IP/hostname/SNI. As such, we need to construct a `*http.Request` with a valid URI everytime HTTP is going to be used on the wire, even if its over TLS. Aside from the singular instance in net/netcheck, I couldn't find anywhere else a http.Request was constructed incorrectly. - Some proxies may deny requests, typically by returning a 403 status code. We should not consider these requests as a valid latency check, so netcheck semantics have been updated to consider >299 status codes as a failed probe. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	cc575fe4d6	net/dns: schedule DoH upgrade explicitly, fix Resolver.Addr confusion Two changes in one: * make DoH upgrades an explicitly scheduled send earlier, when we come up with the resolvers-and-delay send plan. Previously we were getting e.g. four Google DNS IPs and then spreading them out in time (for back when we only did UDP) but then later we added DoH upgrading at the UDP packet layer, which resulted in sometimes multiple DoH queries to the same provider running (each doing happy eyeballs dialing to 4x IPs themselves) for each of the 4 source IPs. Instead, take those 4 Google/Cloudflare IPs and schedule 5 things: first the DoH query (which can use all 4 IPs), and then each of the 4 IPs as UDP later. * clean up the dnstype.Resolver.Addr confusion; half the code was using it as an IP string (as documented) as half was using it as an IP:port (from some prior type we used), primarily for tests. Instead, document it was being primarily an IP string but also accepting an IP:port for tests, then add an accessor method on it to get the IPPort and use that consistently everywhere. Change-Id: Ifdd72b9e45433a5b9c029194d50db2b9f9217b53 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	e3a4952527	net/dns/resolver: count errors when racing DNS queries, fail earlier If all N queries failed, we waited until context timeout (in 5 seconds) to return. This makes (*forwarder).forward fail fast when the network's unavailable. Change-Id: Ibbb3efea7ed34acd3f3b29b5fee00ba8c7492569 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	d9efbd97cb	net/dns: remove an unused function Change-Id: I7c920c76223ffac37954ef2a18754afc52177598 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	c13be0c509	tailcfg: clarify how SSHPolicy.Rules are evaluated between auth phases Updates #3802 Change-Id: I321183a8a2b065a40dca8dd95ca90cd822a17ff8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	91a187bf87	ssh/tailssh: make checkStillValid also consider username changes Currently if the policy changes and the session is logged in with local user "u1" and the new policy says they can only login with "u2" now, the user doesn't get kicked out because they had requested `rando@<ssh-host>` and the defaulting had made that go to `u1`. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	a04eebf59f	ipn/ipnlocal: also use SSHPolicies when updating filterHash Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago

1 2 3 4 5 ...

3960 Commits (80ba161c40f676c9118d92b4fc6d10cbececb329) All Branches Search

3960 Commits (80ba161c40f676c9118d92b4fc6d10cbececb329)

All Branches