tailscale

Commit Graph

Author	SHA1	Message	Date
David Anderson	c71754eba2	ipn/ipnserver: revert decoder memory limit. The zstd library treats that limit as a hard cap on decompressed size, in the mode we're using it, rather than a window size. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	d4127db0fe	logpolicy: add a temporary fixup for #247 . Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	0dac03876a	logpolicy: don't put log state in /. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Elias Naur	364a8508b2	ipn: add Hostname override to Prefs Overriding the hostname is required for Android, where os.Hostname is often just "localhost". Updates #409 Signed-off-by: Elias Naur <mail@eliasnaur.com>	4 years ago
Dmytro Shynkevych	73c40c77b0	filter: prevent escape of QDecode to the heap (#417 ) Performance impact: name old time/op new time/op delta Filter/tcp_in-4 70.7ns ± 1% 30.9ns ± 1% -56.30% (p=0.008 n=5+5) Filter/tcp_out-4 58.6ns ± 0% 19.4ns ± 0% -66.87% (p=0.000 n=5+4) Filter/udp_in-4 96.8ns ± 2% 55.5ns ± 0% -42.64% (p=0.016 n=5+4) Filter/udp_out-4 120ns ± 1% 79ns ± 1% -33.87% (p=0.008 n=5+5) Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>	4 years ago
David Anderson	83b6b06cc4	cmd/tailscale: fix broken build, result of borked stash pop.	4 years ago
David Anderson	3c7791f6bf	cmd/tailscale: remove double negation arguments. --no-snat becomes --snat-subnet-routes --no-single-routes becomes --host-routes Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	5aae6b734d	version: support major.minor.patch tags without breaking Apple builds. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Brad Fitzpatrick	984a699219	cmd/tailscale: warn to stderr that netcheck -format=json isn't stable	4 years ago
Brad Fitzpatrick	24009241bf	net/netns: move SOCKS dialing to netns for now This lets control & logs also use SOCKS dials. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	cf0d19f0ab	net/tlsdial, derp/derphttp: finish DERPNode.CertName validation	4 years ago
Brad Fitzpatrick	722673f307	Update go4.org/mem, adjust to revised API.	4 years ago
Brad Fitzpatrick	a5d6c9d616	net/netns: optimize defaultRouteInterface a bit It'll be called a bunch, so worth a bit of effort. Could go further, but not yet. (really, should hook into wgengine/monitor and only re-read on netlink changes?) name old time/op new time/op delta DefaultRouteInterface-8 60.8µs ±11% 44.6µs ± 5% -26.65% (p=0.000 n=20+19) name old alloc/op new alloc/op delta DefaultRouteInterface-8 3.29kB ± 0% 0.55kB ± 0% -83.21% (p=0.000 n=20+20) name old allocs/op new allocs/op delta DefaultRouteInterface-8 9.00 ± 0% 6.00 ± 0% -33.33% (p=0.000 n=20+20)	4 years ago
Brad Fitzpatrick	9e5d79e2f1	wgengine/magicsock: drop a bytes.Buffer sync.Pool, use logger.ArgWriter instead	4 years ago
Brad Fitzpatrick	becce82246	net/netns, misc tests: remove TestOnlySkipPrivilegedOps, argv checks The netns UID check is sufficient for now. We can do something else later if/when needed.	4 years ago
Brad Fitzpatrick	7a410f9236	net/netns: unindent, refactor to remove some redunant code Also: * always error on Control failing. That's very unexpected. * pull out sockopt funcs into their own funcs for easier future testing	4 years ago
Brad Fitzpatrick	45b139d338	net/netns: remove redundant build tag Filename is sufficient.	4 years ago
Brad Fitzpatrick	dcd7a118d3	net/netns: add a test that tailscaleBypassMark stays in sync between packages	4 years ago
Brad Fitzpatrick	1e837b8e81	net/netns: refactor the sync.Once usage a bit	4 years ago
Avery Pennarun	e7ae6a2e06	net/netns, wgengine/router: support Linux machines that don't have 'ip rule'. We'll use SO_BINDTODEVICE instead of fancy policy routing. This has some limitations: for example, we will route all traffic through the interface that has the main "default" (0.0.0.0/0) route, so machines that have multiple physical interfaces might have to go through DERP to get to some peers. But machines with multiple physical interfaces are very likely to have policy routing (ip rule) support anyway. So far, the only OS I know of that needs this feature is ChromeOS (crostini). Fixes #245. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	8575b21ca8	Merge branch 'master' of github.com:tailscale/tailscale * 'master' of github.com:tailscale/tailscale: tailcfg: remove unused, unimplemented DERPNode.CertFingerprint for now net/netns: also don't err on tailscaled -fake as a regular user net/netcheck: fix HTTPS fallback bug from earlier today net/netns: don't return an error if we're not root and running the tailscale binary	4 years ago
Avery Pennarun	e46238a2af	wgengine: separately dedupe wireguard configs and router configs. Otherwise iOS/macOS will reconfigure their routing every time anything minor changes in the netmap (in particular, endpoints and DERP homes), which is way too often. Some users reported "network reconfigured" errors from Chrome when this happens. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	f0b6ba78e8	wgengine: don't pass nil router.Config objects. These are hard for swift to decode in the iOS app. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Brad Fitzpatrick	096d7a50ff	tailcfg: remove unused, unimplemented DERPNode.CertFingerprint for now	4 years ago
Brad Fitzpatrick	765695eaa2	net/netns: also don't err on tailscaled -fake as a regular user That's one of my dev workflows.	4 years ago
Brad Fitzpatrick	7f68e097dd	net/netcheck: fix HTTPS fallback bug from earlier today My earlier `3fa58303d0` tried to implement the net/http.Tranhsport.DialTLSContext hook, but I didn't return a *tls.Conn, so we ended up sending a plaintext HTTP request to an HTTPS port. The response ended up being Go telling as such, not the /derp/latency-check handler's response (which is currently still a 404). But we didn't even get the 404. This happened to work well enough because Go's built-in error response was still a valid HTTP response that we can measure for timing purposes, but it's not a great answer. Notably, it means we wouldn't be able to get a future handler to run server-side and count those latency requests.	4 years ago
Brad Fitzpatrick	1407540b52	net/netns: don't return an error if we're not root and running the tailscale binary tailscale netcheck was broken otherwise. We can fix this a better way later; I'm just fixing a regression in some way because I'm trying to work on netcheck at the moment.	4 years ago
David Anderson	5114df415e	net/netns: set the bypass socket mark on linux. This allows tailscaled's own traffic to bypass Tailscale-managed routes, so that things like tailscale-provided default routes don't break tailscaled itself. Progress on #144. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Brad Fitzpatrick	3fa58303d0	netcheck: address some HTTP fallback measurement TODOs	4 years ago
Brad Fitzpatrick	db2a216561	wgengine/magicsock: don't log on UDP send errors if address family known missing Fixes #376	4 years ago
Brad Fitzpatrick	d3134ad0c8	syncs: add AtomicBool	4 years ago
Brad Fitzpatrick	7247e896b5	net/netcheck: add Report.IPv4 and another TODO	4 years ago
Brad Fitzpatrick	dd6b96ba68	types/logger: add TS_DEBUG_LOG_RATE knob to easily turn off rate limiting	4 years ago
David Crawshaw	cf5d25e15b	wgengine: ensure pingers are gone before returning from Close We canceled the pingers in Close, but didn't wait around for their goroutines to be cleaned up. This caused the ipn/e2e_test to catch pingers in its resource leak check. This commit introduces an object, but also simplifies the semantics around the pinger's cancel functions. They no longer need to be called while holding the mutex. Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	4 years ago
Brad Fitzpatrick	004780b312	ipn: restore LiveDERPs assignment in LocalBackend.parseWgStatus Updates #421 (likely fixes it; need to do an iOS build to be sure)	4 years ago
David Anderson	03682cb271	control/controlclient: use netns package to dial connections. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	1617a232e1	logpolicy: remove deprecated DualStack directive. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	a6bd3a7e53	logpolicy: use netns for dialing log.tailscale.io.	4 years ago
David Anderson	e9f7d01b91	derp/derphttp: make DERP client use netns for dial-outs.	4 years ago
Brad Fitzpatrick	9e3ad4f79f	net/netns: add package for start of network namespace support And plumb in netcheck STUN packets. TODO: derphttp, logs, control. Updates #144 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	a428656280	wgengine/magicsock: don't report v4 localhost addresses on IPv6-only systems Updates #376	4 years ago
David Anderson	fff062b461	wgengine/router: make runner.go linux-only for now. Otherwise, staticcheck complains that these functions are unused and unexported on macOS. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Brad Fitzpatrick	f0204098d8	Revert "control/controlclient: use "getprop net.hostname" for Android hostname" This reverts commit `afb9c6a6ab`. Doesn't work. See: https://github.com/tailscale/tailscale/issues/409#issuecomment-635241550 Looks pretty dire: https://medium.com/capital-one-tech/how-to-get-an-android-device-nickname-d5eab12f4ced Updates #409	4 years ago
Brad Fitzpatrick	0245bbe97b	Make netcheck handle v6-only interfaces better, faster. Also: * add -verbose flag to cmd/tailscale netcheck * remove some API from the interfaces package * convert some of the interfaces package to netaddr.IP * don't even send IPv4 probes on machines with no IPv4 (or only v4 loopback) * and once three regions have replied, stop waiting for other probes at 2x the slowest duration. Updates #376	4 years ago
Brad Fitzpatrick	c5495288a6	Bump inet.af/netaddr dep for FromStdIP behavior change I want to depend on.	4 years ago
Brad Fitzpatrick	9bbcdba2b3	tempfork/internal/testenv: remove It was for our x509 fork and no longer needed. (x509 changes went into our Go fork instead)	4 years ago
Brad Fitzpatrick	a96165679c	cmd/tailscale: add netcheck flags for incremental reports, JSON output	4 years ago
Avery Pennarun	f69003fd46	router_linux: work around terrible bugs in old iptables-compat versions. Specifically, this sequence: iptables -N ts-forward iptables -A ts-forward -m mark --mark 0x10000 -j ACCEPT iptables -A FORWARD -j ts-forward doesn't work on Debian-9-using-nftables, but this sequence: iptables -N ts-forward iptables -A FORWARD -j ts-forward iptables -A ts-forward -m mark --mark 0x10000 -j ACCEPT does work. I'm sure the reason why is totally fascinating, but it's an old version of iptables and the bug doesn't seem to exist on modern nftables, so let's refactor our code to add rules in the always-safe order and pretend this never happened. Fixes #401. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	9ff51909a3	router_linux: fix behaviour when switching --netfilter-mode. On startup, and when switching into =off and =nodivert, we were deleting netfilter rules even if we weren't the ones that added them. In order to avoid interfering with rules added by the sysadmin, we have to be sure to delete rules only in the case that we added them in the first place. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago
Avery Pennarun	a496cdc943	router_linux: remove need for iptables.ListChains(). Instead of retrieving the list of chains, or the list of rules in a chain, just try deleting the ones we don't want and then adding the ones we do want. An error in flushing/deleting still means the rule doesn't exist anymore, so there was no need to check for it first. This avoids the need to parse iptables output, which avoids the need to ever call iptables -S, which fixes #403, among other things. It's also much more future proof in case the iptables command line changes. Unfortunately the iptables go module doesn't properly pass the iptables command exit code back up when doing .Delete(), so we can't correctly check the exit code there. (exit code 1 really means the rule didn't exist, rather than some other weird problem). Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	4 years ago

... 3 4 5 6 7 ...

945 Commits (8163521c33ab94d03f7ddcf414a4077044d361d6) All Branches Search

945 Commits (8163521c33ab94d03f7ddcf414a4077044d361d6)

All Branches