tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	80df8ffb85	control/controlclient: early return and outdent some code I found this too hard to read before. This is pulled out of #12033 as it's unrelated cleanup in retrospect. Updates #12028 Change-Id: I727c47e573217e3d1973c5b66a76748139cf79ee Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Andrew Lytvynov	471731771c	ipn/ipnlocal: set default NoStatefulFiltering in ipn.NewPrefs (#12031 ) This way the default gets populated on first start, when no existing state exists to migrate. Also fix `ipn.PrefsFromBytes` to preserve empty fields, rather than layering `NewPrefs` values on top. Updates https://github.com/tailscale/corp/issues/19623 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Paul Scott	78fa698fe6	cmd/tailscale/cli/ffcomplete: remove fullstop from ShortHelp Updates #cleanup Signed-off-by: Paul Scott <paul@tailscale.com>	2 months ago
Maisem Ali	482890b9ed	tailcfg: bump capver for using NodeAttrUserDialUseRoutes for DNS Missed in `f62e678df8`. Updates tailscale/corp#18725 Updates #4529 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Maisem Ali	af97e7a793	tailcfg,all: add/plumb Node.IsJailed This adds a new bool that can be sent down from control to do jailing on the client side. Previously this would only be done from control by modifying the packet filter we sent down to clients. This would result in a lot of additional work/CPU on control, we could instead just do this on the client. This has always been a TODO which we keep putting off, might as well do it now. Updates tailscale/corp#19623 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Maisem Ali	e67069550b	ipn/ipnlocal,net/tstun,wgengine: create and plumb jailed packet filter This plumbs a packet filter for jailed nodes through to the tstun.Wrapper; the filter for a jailed node is equivalent to a "shields up" filter. Currently a no-op as there is no way for control to tell the client whether a peer is jailed. Updates tailscale/corp#19623 Co-authored-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Maisem Ali <maisem@tailscale.com> Change-Id: I5ccc5f00e197fde15dd567485b2a99d8254391ad	2 months ago
Nick Khyl	f62e678df8	net/dns/resolver, control/controlknobs, tailcfg: use UserDial instead of SystemDial to dial DNS servers Now that tsdial.Dialer.UserDial has been updated to honor the configured routes and dial external network addresses without going through Tailscale, while also being able to dial a node/subnet router on the tailnet, we can start using UserDial to forward DNS requests. This is primarily needed for DNS over TCP when forwarding requests to internal DNS servers, but we also update getKnownDoHClientForProvider to use it. Updates tailscale/corp#18725 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Andrew Lytvynov	c28f5767bf	various: implement stateful firewalling on Linux (#12025 ) Updates https://github.com/tailscale/corp/issues/19623 Change-Id: I7980e1fb736e234e66fa000d488066466c96ec85 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Co-authored-by: Andrew Dunham <andrew@du.nham.ca>	2 months ago
Maisem Ali	5ef178fdca	net/tstun: refactor peerConfig to allow storing more details This refactors the peerConfig struct to allow storing more details about a peer and not just the masq addresses. To be used in a follow up change. As a side effect, this also makes the DNAT logic on the inbound packet stricter. Previously it would only match against the packets dst IP, not it also takes the src IP into consideration. The beahvior is at parity with the SNAT case. Updates tailscale/corp#19623 Co-authored-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Maisem Ali <maisem@tailscale.com> Change-Id: I5f40802bebbf0f055436eb8824e4511d0052772d	2 months ago
Brad Fitzpatrick	f3d2fd22ef	cmd/tailscale/cli: don't start WatchIPNBus until after up's initial Start The CLI "up" command is a historical mess, both on the CLI side and the LocalBackend side. We're getting closer to cleaning it up, but in the meantime it was again implicated in flaky tests. In this case, the background goroutine running WatchIPNBus was very occasionally running enough to get to its StartLoginInteractive call before the original goroutine did its Start call. That meant integration tests were very rarely but sometimes logging in with the default control plane URL out on the internet (controlplane.tailscale.com) instead of the localhost control server for tests. This also might've affected new Headscale etc users on initial "up". Fixes #11960 Fixes #11962 Change-Id: I36f8817b69267a99271b5ee78cb7dbf0fcc0bd34 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	aadb8d9d21	ipn/ipnlocal: don't send an empty BrowseToURL w/ WatchIPNBus NotifyInitialState I noticed this while working on the following fix to #11962. Updates #11962 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Change-Id: I4c5894d8899d1ae8c42f54ecfd4d05a4a7ac598c	2 months ago
Brad Fitzpatrick	e26f76a1c4	tstest/integration: add more debugging, logs to catch flaky test Updates #11962 Change-Id: I1ab0db69bdf8d1d535aa2cef434c586311f0fe18 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Nick Khyl	caa3d7594f	ipn/ipnlocal, net/tsdial: plumb routes into tsdial and use them in UserDial We'd like to use tsdial.Dialer.UserDial instead of SystemDial for DNS over TCP. This is primarily necessary to properly dial internal DNS servers accessible over Tailscale and subnet routes. However, to avoid issues when switching between Wi-Fi and cellular, we need to ensure that we don't retain connections to any external addresses on the old interface. Therefore, we need to determine which dialer to use internally based on the configured routes. This plumbs routes and localRoutes from router.Config to tsdial.Dialer, and updates UserDial to use either the peer dialer or the system dialer, depending on the network address and the configured routes. Updates tailscale/corp#18725 Fixes #4529 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Brad Fitzpatrick	ce8969d82b	net/portmapper: add envknob to disable portmapper in localhost integration tests Updates #11962 Change-Id: I8212cd814985b455d96986de0d4c45f119516cb3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	7e0dd61e61	ipn/ipnlocal, tstest/integration: add panic to catch flaky test in the act Updates #11962 Change-Id: Ifa24b82f9c76639bfd83278a7c2fe9cf42897bbb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
License Updater	258b5042fe	licenses: update license notices Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	2 months ago
Brad Fitzpatrick	c3c18027c6	all: make more tests pass/skip in airplane mode Updates tailscale/corp#19786 Change-Id: Iedc6730fe91c627b556bff5325bdbaf7bf79d8e6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Claire Wang	41f2195899	util/syspolicy: add auto exit node related keys (#11996 ) Updates tailscale/corp#19681 Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Brad Fitzpatrick	1a963342c7	util/set: add Of variant of SetOf that takes variadic parameter set.Of(1, 2, 3) is prettier than set.SetOf([]int{1, 2, 3}). I was going to change the signature of SetOf but then I noticed its name has stutter anyway, so I kept it for compatibility. People can prefer to use set.Of for new code or slowly migrate. Also add a lazy Make method, which I often find myself wanting, without having to resort to uglier mak.Set(&set, k, struct{}{}). Updates #cleanup Change-Id: Ic6f3870115334efcbd65e79c437de2ad3edb7625 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Will Norris	80decd83c1	tsweb: remove redundant bumpStartIfNeeded func Updates #12001 Signed-off-by: Will Norris <will@tailscale.com>	2 months ago
Maisem Ali	ed843e643f	types/views: add AppendStrings util func Updates tailscale/corp#19623 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Maisem Ali	fd6ba43b97	types/views: remove duplicate SliceContainsFunc We already have `(Slice[T]).ContainsFunc`. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Will Norris	46980c9664	tsweb: ensure in-flight requests are always marked as finished The inflight request tracker only starts recording a new bucket after the first non-error request. Unfortunately, it's written in such a way that ONLY successful requests are ever marked as being finished. Once a bucket has had at least one successful request and begun to be tracked, all subsequent error cases are never marked finished and always appear as in-flight. This change ensures that if a request is recorded has having been started, we also mark it as finished at the end. Updates tailscale/corp#19767 Signed-off-by: Will Norris <will@tailscale.com>	2 months ago
Percy Wegmann	817badf9ca	ipn/ipnlocal: reuse transport across Taildrive remotes This prevents us from opening a new connection on each HTTP request. Updates #11967 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	2cf764e998	drive: actually cache results on statcache Updates #11967 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Irbe Krumina	406293682c	cmd/k8s-operator: cleanup runReconciler signature (#11993 ) Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Claire Wang	35872e86d2	ipnlocal, magicsock: store last suggested exit node id in local backend (#11959 ) Updates tailscale/corp#19681 Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Brad Fitzpatrick	b62cfc430a	tstest/integration/testcontrol: fix data race Noticed in earlier GitHub actions failure. Fixes #11994 Change-Id: Iba8d753caaa3dacbe2da9171d96c5f99b12e62d7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Andrew Dunham	e9505e5432	ipn/ipnlocal: plumb health.Tracker into profileManager constructor Setting the field after-the-fact wasn't working because we could migrate prefs on creation, which would set health status for auto updates. Updates #11986 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I41d79ebd61d64829a3a9e70586ce56f62d24ccfd	2 months ago
Brad Fitzpatrick	e42c4396cf	net/netcheck: don't spam on ICMP socket permission denied errors While debugging a failing test in airplane mode on macOS, I noticed netcheck logspam about ICMP socket creation permission denied errors. Apparently macOS just can't do those, or at least not in airplane mode. Not worth spamming about. Updates #cleanup Change-Id: I302620cfd3c8eabb25202d7eef040c01bd8a843c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	15fc6cd966	derp/derphttp: fix netcheck HTTPS probes The netcheck client, when no UDP is available, probes distance using HTTPS. Several problems: * It probes using /derp/latency-check. * But cmd/derper serves the handler at /derp/probe * Despite the difference, it work by accident until `c8f4dfc8c0` which made netcheck's probe require a 2xx status code. * in tests, we only use derphttp.Handler, so the cmd/derper-installed mux routes aren't preesnt, so there's no probe. That breaks tests in airplane mode. netcheck.Client then reports "unexpected HTTP status 426" (Upgrade Required) This makes derp handle both /derp/probe and /derp/latency-check equivalently, and in both cmd/derper and derphttp.Handler standalone modes. I notice this when wgengine/magicsock TestActiveDiscovery was failing in airplane mode (no wifi). It still doesn't pass, but it gets further. Fixes #11989 Change-Id: I45213d4bd137e0f29aac8bd4a9ac92091065113f	2 months ago
Brad Fitzpatrick	1fe0983f2d	cmd/derper,tstest/nettest: skip network-needing test in airplane mode Not buying wifi on a short flight is a good way to find tests that require network. Whoops. Updates #cleanup Change-Id: Ibe678e9c755d27269ad7206413ffe9971f07d298 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	46f3feae96	ssh/tailssh: plumb health.Tracker in test In prep for it being required in more places. Updates #11874 Change-Id: Ib743205fc2a6c6ff3d2c4ed3a2b28cac79156539 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	4fa6cbec27	ssh/tailssh: use ptr.To in test Updates #cleanup Change-Id: Ic98ba1b63c8205084b30f59f0ca343788edea5b0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	ee3bd4dbda	derp/derphttp, net/netcheck: plumb netmon.Monitor to derp netcheck client Fixes #11981 Change-Id: I0e15a09f93aefb3cfddbc12d463c1c08b83e09fd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Percy Wegmann	a03cb866b4	drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	745fb31bd4	drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	07e783c7be	drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	3349e86c0a	drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	0c11fd978b	drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	9d22ec0ba2	drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Irbe Krumina	cd633a7252	cmd/k8s-operator/deploy,k8s-operator: document that metrics are unstable (#11979 ) Updates#11292 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Andrew Dunham	f97d0ac994	net/dns/resolver: add better error wrapping To aid in debugging exactly what's going wrong, instead of the not-particularly-useful "dns udp query: context deadline exceeded" error that we currently get. Updates #3786 Updates #10768 Updates #11620 (etc.) Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I76334bf0681a8a2c72c90700f636c4174931432c	2 months ago
Claire Wang	e0287a4b33	wgengine: add exit destination logging enable for wgengine logger (#11952 ) Updates tailscale/corp#18625 Co-authored-by: Kevin Liang <kevinliang@tailscale.com> Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Irbe Krumina	19b31ac9a6	cmd/{k8s-operator,k8s-nameserver},k8s-operator: update nameserver config with records for ingress/egress proxies (#11019 ) cmd/k8s-operator: optionally update dnsrecords Configmap with DNS records for proxies. This commit adds functionality to automatically populate DNS records for the in-cluster ts.net nameserver to allow cluster workloads to resolve MagicDNS names associated with operator's proxies. The records are created as follows: * For tailscale Ingress proxies there will be a record mapping the MagicDNS name of the Ingress device and each proxy Pod's IP address. * For cluster egress proxies, configured via tailscale.com/tailnet-fqdn annotation, there will be a record for each proxy Pod, mapping the MagicDNS name of the exposed tailnet workload to the proxy Pod's IP. No records will be created for any other proxy types. Records will only be created if users have configured the operator to deploy an in-cluster ts.net nameserver by applying tailscale.com/v1alpha1.DNSConfig. It is user's responsibility to add the ts.net nameserver as a stub nameserver for ts.net DNS names. https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configuration-of-stub-domain-and-upstream-nameserver-using-coredns https://cloud.google.com/kubernetes-engine/docs/how-to/kube-dns#upstream_nameservers See also https://github.com/tailscale/tailscale/pull/11017 Updates tailscale/tailscale#10499 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Maisem Ali	a49ed2e145	derp,ipn/ipnlocal: stop calling rand.Seed It's deprecated and using it gets us the old slow behavior according to https://go.dev/blog/randv2. > Having eliminated repeatability of the global output stream, Go 1.20 > was also able to make the global generator scale better in programs > that don’t call rand.Seed, replacing the Go 1 generator with a very > cheap per-thread wyrand generator already used inside the Go > runtime. This removed the global mutex and made the top-level > functions scale much better. Programs that do call rand.Seed fall > back to the mutex-protected Go 1 generator. Updates #7123 Change-Id: Ia5452e66bd16b5457d4b1c290a59294545e13291 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Brad Fitzpatrick	96712e10a7	health, ipn/ipnlocal: move more health warning code into health.Tracker In prep for making health warnings rich objects with metadata rather than a bunch of strings, start moving it all into the same place. We'll still ultimately need the stringified form for the CLI and LocalAPI for compatibility but we'll next convert all these warnings into Warnables that have severity levels and such, and legacy stringification will just be something each Warnable thing can do. Updates #4136 Change-Id: I83e189435daae3664135ed53c98627c66e9e53da Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Andrew Dunham	be663c84c1	net/tstun: rename natConfig to peerConfig So that we can use this for additional, non-NAT configuration without it being confusing. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I1658d59c9824217917a94ee76d2d08f0a682986f	2 months ago
Andrew Dunham	10497acc95	net/tstun: refactor natConfig to not be per-family This was a holdover from the older, pre-BART days and is no longer necessary. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I71b892bab1898077767b9ff51cef33d59c08faf8	2 months ago
Andrew Lytvynov	13e1355546	scripts/installer.sh: remove unnecessary escaping in grep (#11950 ) Updates #11263 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago

1 2 3 4 5 ...

7564 Commits (80df8ffb8557b286367aaeb4f323cd9e42914657) All Branches Search

7564 Commits (80df8ffb8557b286367aaeb4f323cd9e42914657)

All Branches