Commit Graph

3012 Commits (865d8c0d23a4a5f538f6c4055d93dcb84d47705f)

Author SHA1 Message Date
Josh Bleecher Snyder 865d8c0d23 cmd: upgrade to ffcli v3
None of the breaking changes from v2 to v3 are relevant to us.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
3 years ago
Josh Bleecher Snyder a3c5de641b portlist: stop logging stray UDP ports
These "weird" port lines show up in logs frequently.
They're the result of uninteresting races,
and they're not actionable. Remove the noise.

Remove the isLoopbackAddr case to placate staticcheck.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
3 years ago
Brad Fitzpatrick a83f08c54b cmd/tailscale: provide a better error message when tailscaled isn't running
Fixes #2797

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 3e2a7de2e9 tailcfg: don't panic on clone of nil RegisterRequest
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick dabeda21e0 net/tstun: block looped disco traffic
Updates #1526 (maybe fixes? time will tell)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Josh Bleecher Snyder 3759fb8987 derp: deflake TestSendFreeze
On about 1 out of 500 runs, TestSendFreeze failed:

    derp_test.go:416: bob: unexpected message type derp.PeerGoneMessage

Closing alice before bob created a race.
If bob closed promptly, the test passed.
If bob closed slowly, and alice's disappearance caused
bob to receive a PeerGoneMessage before closing, the test failed.

Deflake the test by closing bob first.
With this fix, the test passed 12,000 times locally.

Fixes #2668

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
3 years ago
Brad Fitzpatrick 0be26599ca cmd/derper: refactor STUN path for testing, add serverSTUN benchmark
Real goal is to eliminate some allocs in the STUN path, but that requires
work in the standard library.

See comments in #2783.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 0eb6cc9321 portlist: cache field index position between runs, cut two more allocs (Linux)
name          old time/op    new time/op    delta
ParsePorts-6    6.41ms ± 7%    3.15ms ± 2%  -50.84%  (p=0.000 n=9+9)

name          old alloc/op   new alloc/op   delta
ParsePorts-6      408B ± 0%      216B ± 0%  -47.06%  (p=0.002 n=8+10)

name          old allocs/op  new allocs/op  delta
ParsePorts-6      7.00 ± 0%      4.00 ± 0%  -42.86%  (p=0.000 n=10+10)

Updates tailscale/corp#2566

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 61f201f33d portlist: reuse bufio.Reader between files
name         old time/op    new time/op    delta
ListPorts-6    1.18ms ± 5%    1.16ms ± 5%     ~     (p=0.075 n=10+10)

name         old alloc/op   new alloc/op   delta
ListPorts-6    27.2kB ± 0%    14.9kB ± 0%  -45.14%  (p=0.001 n=8+9)

name         old allocs/op  new allocs/op  delta
ListPorts-6      90.0 ± 0%      84.0 ± 0%   -6.67%  (p=0.000 n=10+10)

Updates tailscale/corp#2566

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 5a9d977c78 portlist: reduce CPU parsing portlist
Avoid splitting fields in the common case. Field splitting was 84% of
the overall CPU.

name          old time/op    new time/op    delta
ParsePorts-6    33.3ms ± 2%     6.3ms ± 4%  -80.97%  (p=0.000 n=9+10)

name          old alloc/op   new alloc/op   delta
ParsePorts-6      520B ±79%      408B ± 0%  -21.49%  (p=0.046 n=10+8)

name          old allocs/op  new allocs/op  delta
ParsePorts-6      7.00 ± 0%      7.00 ± 0%     ~     (all equal)

Updates tailscale/corp#2566

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 64e9ce8df1 portlist: reduce allocs on Linux
Notably, it no longer allocates proportional to the number of open
sockets on the machine. Any alloc reduction numbers are a little
contrived with such a reduction but e.g. on a machine with 50,000
connections open:

name          old time/op    new time/op    delta
ParsePorts-6    57.7ms ± 6%    32.8ms ± 3%   -43.04%  (p=0.000 n=9+10)

name          old alloc/op   new alloc/op   delta
ParsePorts-6    24.0MB ± 0%     0.0MB ± 0%  -100.00%  (p=0.000 n=10+9)

name          old allocs/op  new allocs/op  delta
ParsePorts-6      100k ± 0%        0k ± 0%   -99.99%  (p=0.000 n=10+10)

Updates tailscale/corp#2566

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
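The four portlist commits above (64e9ce8df1, 5a9d977c78, 61f201f33d, 0eb6cc9321) describe the same idea from different angles: when listing ports from /proc/net/tcp, look at the state column first and only parse the rest of a line for the few sockets that are listening, and do it without a per-line field split so the work and the allocations stop scaling with the number of open connections. The following is an added example written for this page, not Tailscale's portlist code: it walks a constructed /proc/net/tcp excerpt with a reslicing field reader, checks the state column before doing any further parsing of a line, and allocates only for the listeners it returns. The names (sampleProcNetTCP, nextField, parseHexPort, listeningPorts) are this example's own.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// sampleProcNetTCP is a constructed /proc/net/tcp excerpt: a DNS listener on
// loopback (:53), an SSH listener on all interfaces (:22), and one
// established connection that a port list must ignore.
const sampleProcNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9C40 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
`

// stateListen is the TCP_LISTEN value in the "st" column of /proc/net/tcp.
const stateListen = "0A"

// nextField returns the next whitespace-delimited field of line and the
// unread remainder. It only reslices, so it never allocates.
func nextField(line []byte) (field, rest []byte) {
	line = bytes.TrimLeft(line, " \t")
	i := bytes.IndexAny(line, " \t")
	if i < 0 {
		return line, nil
	}
	return line[:i], line[i:]
}

// parseHexPort extracts the port from a "HEXADDR:HEXPORT" local_address
// field without strconv or any intermediate string.
func parseHexPort(local []byte) (uint16, error) {
	i := bytes.LastIndexByte(local, ':')
	if i < 0 || len(local)-i-1 != 4 {
		return 0, errors.New("malformed local_address " + string(local))
	}
	var port uint16
	for _, c := range local[i+1:] {
		var v byte
		switch {
		case c >= '0' && c <= '9':
			v = c - '0'
		case c >= 'a' && c <= 'f':
			v = c - 'a' + 10
		case c >= 'A' && c <= 'F':
			v = c - 'A' + 10
		default:
			return 0, errors.New("non-hex port in " + string(local))
		}
		port = port<<4 | uint16(v)
	}
	return port, nil
}

// listeningPorts returns the local ports of all LISTEN sockets in
// /proc/net/tcp-format input, in file order. Each line is only walked as far
// as the state column before deciding whether to parse it further, and the
// only allocation that grows with input is the returned slice, which is
// sized by listeners rather than by every open socket.
func listeningPorts(r io.Reader) ([]uint16, error) {
	sc := bufio.NewScanner(r)
	var ports []uint16
	lineNo := 0
	for sc.Scan() {
		lineNo++
		if lineNo == 1 {
			continue // column header
		}
		_, rest := nextField(sc.Bytes()) // "sl" column, e.g. "0:"
		local, rest := nextField(rest)   // local_address
		_, rest = nextField(rest)        // rem_address
		state, _ := nextField(rest)      // st
		if string(state) != stateListen { // comparison does not allocate
			continue
		}
		port, err := parseHexPort(local)
		if err != nil {
			return nil, fmt.Errorf("line %d: %v", lineNo, err)
		}
		ports = append(ports, port)
	}
	return ports, sc.Err()
}

func main() {
	ports, err := listeningPorts(strings.NewReader(sampleProcNetTCP))
	if err != nil {
		panic(err)
	}
	fmt.Println("listening TCP ports:", ports) // [53 22]
}
```

On a real host, pass os.Open("/proc/net/tcp") (and /proc/net/tcp6) instead of the constructed string; the state check before the port parse is what keeps a box with tens of thousands of established connections cheap to scan.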
Brad Fitzpatrick 4f648e6fcc cmd/tailscaled: disable netns earlier in userspace-networking mode
The earlier 382b349c54 was too late,
as engine creation itself needed to listen on things.

Fixes #2827
Updates #2822

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 382b349c54 cmd/tailscaled: disable netns in userspace-networking mode
Updates #2827
Updates #2822

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 31c1331415 wgengine/magicsock: deflake TestReceiveFromAllocs
100 iterations isn't enough with background allocs happening
apparently. 1000 seems to be reliable.

Fixes #2826

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick a353fbd3b4 tstest: make MemLogger.String acquire its mutex
Updates #2781 (might even fix it, but its real issue is that
SetPrivateKey starts a ReSTUN goroutine which then logs, and
that bug and data race existed prior to MemLogger existing)
3 years ago
Brad Fitzpatrick a76c8eea58 api: document new API to authorize a device (#2825)
Fixes #2813

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick d5851d2e06 cmd/derper: fix real staticcheck failure from prior commit
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Silver Bullet d8c5d00ecb cmd/derper: support manual TLS certificate mode (#2793)
Add a mode control for derp server, and add a "manual" mode
to get the derp server certificate. Under manual mode, the certificate
is searched for in the directory given by "--cert-dir". The certificate
should be in PEM format, and use "hostname.{key,crt}" as the filename.
If no hostname is used, search by the hostname given for listen.

Fixes #2794

Signed-off-by: SilverBut <SilverBut@users.noreply.github.com>
3 years ago
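The file layout the commit above describes (PEM files named hostname.crt and hostname.key inside --cert-dir, falling back to the listen hostname), as an added example written for this page rather than the derper's own code. Beyond what the commit message says, it also parses the loaded leaf and checks that the certificate actually covers the hostname it was looked up by, so a key pair dropped into the directory under the wrong name fails at startup instead of at the first client handshake. The function names (loadManualCert, writeSelfSigned), the hostname derp.example.com and the self-signed certificate generated for the offline run are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// loadManualCert follows the layout the commit describes: PEM files named
// <hostname>.crt and <hostname>.key inside certDir, falling back to the
// listen hostname when no hostname is configured. The VerifyHostname step is
// an extra safeguard added here, not something the commit message describes:
// it rejects a key pair that loads fine but was issued for some other name.
func loadManualCert(certDir, hostname, listenHost string) (tls.Certificate, error) {
	name := hostname
	if name == "" {
		name = listenHost
	}
	if name == "" {
		return tls.Certificate{}, fmt.Errorf("manual cert mode: no hostname to look up")
	}
	crtPath := filepath.Join(certDir, name+".crt")
	keyPath := filepath.Join(certDir, name+".key")
	cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
	if err != nil {
		return tls.Certificate{}, fmt.Errorf("manual cert mode: %w", err)
	}
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return tls.Certificate{}, fmt.Errorf("parsing %s: %w", crtPath, err)
	}
	if err := leaf.VerifyHostname(name); err != nil {
		return tls.Certificate{}, fmt.Errorf("%s does not cover %q: %w", crtPath, name, err)
	}
	cert.Leaf = leaf
	return cert, nil
}

// writeSelfSigned creates a throwaway self-signed certificate for hostname in
// the file layout loadManualCert expects. It exists so the example runs
// offline; a real deployment would place CA-issued files into certDir.
func writeSelfSigned(certDir, hostname string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return err
	}
	crt := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	k := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(filepath.Join(certDir, hostname+".crt"), crt, 0o644); err != nil {
		return err
	}
	// The private key must not be world-readable.
	return os.WriteFile(filepath.Join(certDir, hostname+".key"), k, 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "derp-certs") // stands in for --cert-dir
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	const host = "derp.example.com" // assumed hostname
	if err := writeSelfSigned(dir, host); err != nil {
		panic(err)
	}
	cert, err := loadManualCert(dir, host, "")
	if err != nil {
		panic(err)
	}
	fmt.Println("loaded certificate for", cert.Leaf.DNSNames, "from", dir)
}
```

Wire the returned tls.Certificate into tls.Config.Certificates (or a GetCertificate callback if you want to re-read the directory on SIGHUP). Failing closed on a missing or mismatched file is deliberate: a DERP server that silently falls back to no TLS, or to a certificate for the wrong name, is worse than one that refuses to start.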
Brad Fitzpatrick de63e85810 words: remove two plurals, one with a typo
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 12dc7c2df8 net/interfaces: remove stray C header file
I meant to delete it as part of 974be2ec5c
when the darwin code was ported from C to Go.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 2238814b99 wgengine/magicsock: fix crash introduced in recent cleanups
Fixes #2801

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 640134421e all: update tests to use tstest.MemLogger
And give MemLogger a mutex, as one caller had, which does match the logf
contract better.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 48bdffd395 net/portmapper: remove GITHUB_ACTIONS check
It's now redundant.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick cf855e8988 version: bump date
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 48933b0382 ipn/ipnlocal: flesh out the dnsConfigForNetmap tests
Follow-up to #2805 and #2806

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 7fe6ecf165 ipn/ipnlocal: add MagicDNS records for IPv6-only nodes
Updates #2268

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 90b0cd0c51 ipn/ipnlocal: start adding some netmap to DNS config tests
Follow-up to #2805

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 4c68b7df7c tstest: add MemLogger bytes.Buffer wrapper with Logf method
We use it tons of places. Updated three at least in this PR.

Another use in next commit.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 30a614f9b9 ipn/ipnlocal: return early, outdent a bunch in dnsConfigForNetmap
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 2bb0eb5f7e ipn/ipnlocal: pull out dns.Config construction to its own func
In prep for other bug fixes & tests. It's hard to test when it was
intermingled into LocalBackend.authReconfig.

Now it's a pure function.

And rename variable 'uc' (user config?) to the since idiomatic
'prefs'.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
David Crawshaw b2a3d1da13 tstest/integration/vms: use fork of goexpect to avoid proto/grpc dep
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
3 years ago
David Crawshaw 9502b515f1 net/dns: replace resolver IPs with type for DoH
We currently plumb full URLs for DNS resolvers from the control server
down to the client. But when we pass the values into the net/dns
package, we throw away any URL that isn't a bare IP. This commit
continues the plumbing, and gets the URL all the way to the built in
forwarder. (It stops before plumbing URLs into the OS configurations
that can handle them.)

For #2596

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
3 years ago
Brad Fitzpatrick 7bfd4f521d cmd/tailscale: fix "tailscale ip $self-host-hostname"
And in the process, fix the related confusing error messages from
pinging your own IP or hostname.

Fixes #2803

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 4917a96aec cmd/tailscale: fix typo/pasteo in error message text
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Denton Gentry 1d1efbb599 hostinfo: add FreeBSD support.
Add specific handling for common appliances based on FreeBSD:
- pfSense
    HostInfo: {"OS":"freebsd","OSVersion":"pfSense 2.5.2-RELEASE; version=12.2-STABLE"
- OPNsense
    HostInfo: {"OS":"freebsd","OSVersion":"OPNsense 21.7.1 (amd64/OpenSSL); version=12.1-RELEASE-p19-HBSD"
- TrueNAS
    HostInfo: {"OS":"freebsd","OSVersion":"TrueNAS-12.0-U5.1 (6c639bd48a); version=12.2-RELEASE-p9"
- FreeNAS
    HostInfo: {"OS":"freebsd","OSVersion":"FreeNAS-11.3-U5 (2e4ded5a0a); version=11.3-RELEASE-p14",

- regular FreeBSD
    HostInfo: {"OS":"freebsd","OSVersion":"FreeBSD; version=12.2-RELEASE"

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
3 years ago
Brad Fitzpatrick 5a58fd8933 net/dnsfallback: go generate, pick up new DERPs
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
David Anderson efe8020dfa wgengine/magicsock: fix race condition in tests.
AFAICT this was always present, the log read mid-execution was never safe.
But it seems like the recent magicsock refactoring made the race much
more likely.

Signed-off-by: David Anderson <danderson@tailscale.com>
3 years ago
Evan Anderson 000f90d4d7 wgengine/wglog: Fix docstring on wireguardGoString to match args
@danderson linked this on Twitter and I noticed the mismatch.

Signed-off-by: Evan Anderson <evan.k.anderson@gmail.com>
3 years ago
David Anderson 69c897a763 net/dnsfallback: run go generate to pick up new derp9s.
Signed-off-by: David Anderson <danderson@tailscale.com>
3 years ago
David Anderson bb6fdfb243 net/dns: fix the build on freebsd (missing default case in switch)
Signed-off-by: David Anderson <danderson@tailscale.com>
3 years ago
David Anderson b3b1c06b3a net/dns: only restart systemd-resolved if we changed /etc/resolv.conf.
Reported on IRC: in an edge case, you can end up with a directManager DNS
manager and --accept-dns=false, in which case we should do nothing, but
actually end up restarting resolved whenever the netmap changes, even though
the user told us to not manage DNS.

Signed-off-by: David Anderson <danderson@tailscale.com>
3 years ago
David Anderson 10547d989d net/dns: exhaustively test DNS selection paths for linux.
Signed-off-by: David Anderson <danderson@tailscale.com>
3 years ago
David Anderson c071bcda33 net/dns: relax systemd-resolved detection.
Reported on IRC: a resolv.conf that contained two entries for
"nameserver 127.0.0.53", which defeated our "is resolved actually
in charge" check. Relax that check to allow any number of nameservers,
as long as they're all 127.0.0.53.

Signed-off-by: David Anderson <danderson@tailscale.com>
3 years ago
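The relaxed "is resolved actually in charge" check described in c071bcda33 (any number of nameserver lines, as long as every one of them is 127.0.0.53), as an added example written for this page rather than Tailscale's net/dns code. The function and sample names (resolvedInCharge, resolvConfDuplicateStub, resolvConfMixed, resolvConfStatic) are this example's own, and the resolv.conf bodies are constructed, including the duplicate-stub case the commit says was reported on IRC.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// resolvedStub is the address of systemd-resolved's stub listener; a
// resolv.conf that resolved owns points every nameserver line at it.
var resolvedStub = netip.MustParseAddr("127.0.0.53")

// resolvedInCharge reports whether resolvConf looks like a file managed by
// systemd-resolved: at least one nameserver, and every nameserver is
// 127.0.0.53. Repeated 127.0.0.53 lines are accepted. Comments, blank lines
// and other directives (search, options) are ignored; an unparsable or
// missing nameserver value is treated as "not resolved", since we cannot be
// sure and wrongly restarting resolved is the failure mode to avoid.
func resolvedInCharge(resolvConf string) bool {
	sc := bufio.NewScanner(strings.NewReader(resolvConf))
	nameservers := 0
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		fields := strings.Fields(line)
		if fields[0] != "nameserver" {
			continue
		}
		if len(fields) < 2 {
			return false
		}
		addr, err := netip.ParseAddr(fields[1])
		if err != nil || addr != resolvedStub {
			return false
		}
		nameservers++
	}
	return nameservers > 0
}

// Constructed resolv.conf bodies for the cases the commit describes.
const (
	// Two stub entries: the case reported on IRC that the old check rejected.
	resolvConfDuplicateStub = `# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
nameserver 127.0.0.53
nameserver 127.0.0.53
options edns0 trust-ad
search example.internal
`
	// Stub plus a direct upstream: resolved is not the only thing in charge.
	resolvConfMixed = `nameserver 127.0.0.53
nameserver 8.8.8.8
`
	// A static configuration with no resolved involvement.
	resolvConfStatic = `nameserver 192.0.2.1
search corp.example
`
)

func main() {
	for name, body := range map[string]string{
		"duplicate stub": resolvConfDuplicateStub,
		"mixed":          resolvConfMixed,
		"static":         resolvConfStatic,
		"empty":          "",
	} {
		fmt.Printf("%-15s resolved in charge: %v\n", name, resolvedInCharge(body))
	}
}
```

The check only answers "does resolv.conf point exclusively at the stub"; it says nothing about whether resolved is running or whether /etc/resolv.conf is the symlink resolved expects, so a production manager still has to combine it with those checks before deciding to talk to resolved over D-Bus rather than rewriting the file.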
Dave Anderson 980acc38ba types/key: add a special key with custom serialization for control private keys (#2792)
* Revert "Revert "types/key: add MachinePrivate and MachinePublic.""

This reverts commit 61c3b98a24.

Signed-off-by: David Anderson <danderson@tailscale.com>

* types/key: add ControlPrivate, with custom serialization.

ControlPrivate is just a MachinePrivate that serializes differently
in JSON, to be compatible with how the Tailscale control plane
historically serialized its private key.

Signed-off-by: David Anderson <danderson@tailscale.com>
3 years ago
David Anderson 61c3b98a24 Revert "types/key: add MachinePrivate and MachinePublic."
Broke the tailscale control plane due to surprise different serialization.

This reverts commit 4fdb88efe1.
3 years ago
David Anderson 4fdb88efe1 types/key: add MachinePrivate and MachinePublic.
Plumb throughout the codebase as a replacement for the mixed use of
tailcfg.MachineKey and wgkey.Private/Public.

Signed-off-by: David Anderson <danderson@tailscale.com>
3 years ago
David Anderson 4ce091cbd8 version: use `go` from the current toolchain to compile in tests.
Signed-off-by: David Anderson <danderson@tailscale.com>
3 years ago
Brad Fitzpatrick d1cb7a2639 metrics: use SYS_OPENAT
New systems like arm64 don't even have SYS_OPEN.
3 years ago
David Anderson 159d88aae7 go.mod: tidy.
Signed-off-by: David Anderson <danderson@tailscale.com>
3 years ago
David Anderson b96159e820 go.mod: update github.com/ulikunitz/xz for https://github.com/advisories/GHSA-25xm-hr59-7c27
Our code is not vulnerable to the issue in question: it only happens in the decompression
path for untrusted inputs, and we only use xz as part of mkpkg, which is write-only
and operates on trusted build system outputs to construct deb and rpm packages.

Still, it's nice to keep the dependabot dashboard clean.

Signed-off-by: David Anderson <danderson@tailscale.com>
3 years ago