Commit Graph

60 Commits (909c165382b8fc556207803fa6b1f66798934c5a)

Author SHA1 Message Date
Brad Fitzpatrick b97aac1718 net/interfaces: include DefaultRouteInterface in interfaces.State
And log it in wgengine on change. Changing bug in #643.

Updates #643
4 years ago
Josh Bleecher Snyder a9b1e3f9e8 net/interfaces: remove old debug old
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
4 years ago
Brad Fitzpatrick 25b021388b net/netns, net/interfaces: move defaultRouteInterface, add Android fallback
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Josh Bleecher Snyder a16a793605 net/interfaces: use syscalls to find private gateway IP address
iOS doesn't let you run subprocesses,
which means we can't use netstat to get routing information.
Instead, use syscalls and grub around in the results.
We keep the old netstat version around,
both for use in non-cgo builds,
and for use testing the syscall-based version.

Note that iOS doesn't ship route.h,
so we include a copy here from the macOS 10.15 SDK
(which is itself unchanged from the 10.14 SDK).

I have tested manually that this yields the correct
gateway IP address on my own macOS and iOS devices.
More coverage would be most welcome.

Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>
4 years ago
Dmytro Shynkevych 28e52a0492
all: dns refactor, add Proxied and PerDomain flags from control (#615)
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Brad Fitzpatrick c253d4f948 net/interfaces: don't try to fork on iOS in likelyHomeRouterIPDarwin
No subprocesses allowed on iOS. Will need to do this differently later.
4 years ago
Brad Fitzpatrick 33a748bec1 net/interfaces: fix likelyHomeRouterIP on Android 4 years ago
David Anderson a2b4ad839b net/netcheck: lower the hairpin check timeout to 100ms.
This single check is the long pole for netcheck, and significantly slows down magicsock
tests.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson 25288567ec net/netcheck: centralize all clock values in one place.
This makes it easier to see how long a netcheck might take, and what
the slow bits might be.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson d60917c0f1 wgengine/router: switch packet marks to avoid conflict with Weave Net.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Brad Fitzpatrick 10ac066013 all: fix vet warnings 4 years ago
Brad Fitzpatrick 723b9eecb0 net/interfaces: set SysProcAttr.HideWindow to prevent cmd.exe flash on Windows 4 years ago
Brad Fitzpatrick 6c74065053 wgengine/magicsock, tstest/natlab: start hooking up natlab to magicsock
Also adds ephemeral port support to natlab.

Work in progress.

Pairing with @danderson.
4 years ago
Brad Fitzpatrick ecf5d69c7c net/netcheck: add missing comment asked for in earlier code review 4 years ago
Brad Fitzpatrick 742b8b44a8 net/tsaddr: new package to hold Tailscale-specific IPs/ranges
And update existing callers with (near) duplicated cases.
4 years ago
Brad Fitzpatrick 5c6d8e3053 netcheck, tailcfg, interfaces, magicsock: survey UPnP, NAT-PMP, PCP
Don't do anything with UPnP, NAT-PMP, PCP yet, but see how common they
are in the wild.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 32156330a8 net/interfaces: add func LikelyHomeRouterIP
For discovering where we might direct NAT-PMP/PCP/UPnP queries at in
the future.
4 years ago
Brad Fitzpatrick cf74e9039e net/netcheck: add an informative payload in the netcheck UDP helper packets
Per comment from @normanr:
0a5ab533c1 (r40401954)

Updates #188
4 years ago
Brad Fitzpatrick 0a5ab533c1 net/netcheck: send dummy packet out to help airport extreme in hairpin check
At least the Apple Airport Extreme doesn't allow hairpin
sends from a private socket until it's seen traffic from
that src IP:port to something else out on the internet.

See https://github.com/tailscale/tailscale/issues/188#issuecomment-600728643

And it seems that even sending to a likely-filtered RFC 5737
documentation-only IPv4 range is enough to set up the mapping.
So do that for now. In the future we might want to classify networks
that do and don't require this separately. But for now help it.

I've confirmed that this is enough to fix the hairpin check on Avery's
home network, even using the RFC 5737 IP.

Fixes #188
4 years ago
Brad Fitzpatrick 2d6e84e19e net/netcheck, wgengine/magicsock: replace more UDPAddr with netaddr.IPPort 4 years ago
Quoc-Viet Nguyen 15a23ce65f net/stun: Remove unreachable code
- Reuse IP length constants from net package.
- Remove beu16 to make endianness functions consistent.

Signed-off-by: Quoc-Viet Nguyen <afelion@gmail.com>
4 years ago
Brad Fitzpatrick deb113838e net/netcheck: use logger.ArgWriter in logConciseReport, fix comma bug, add tests 5 years ago
Brad Fitzpatrick 24009241bf net/netns: move SOCKS dialing to netns for now
This lets control & logs also use SOCKS dials.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick cf0d19f0ab net/tlsdial, derp/derphttp: finish DERPNode.CertName validation 5 years ago
Brad Fitzpatrick a5d6c9d616 net/netns: optimize defaultRouteInterface a bit
It'll be called a bunch, so worth a bit of effort. Could go further, but not yet.
(really, should hook into wgengine/monitor and only re-read on netlink changes?)

name                     old time/op    new time/op    delta
DefaultRouteInterface-8    60.8µs ±11%    44.6µs ± 5%  -26.65%  (p=0.000 n=20+19)

name                     old alloc/op   new alloc/op   delta
DefaultRouteInterface-8    3.29kB ± 0%    0.55kB ± 0%  -83.21%  (p=0.000 n=20+20)

name                     old allocs/op  new allocs/op  delta
DefaultRouteInterface-8      9.00 ± 0%      6.00 ± 0%  -33.33%  (p=0.000 n=20+20)
5 years ago
Brad Fitzpatrick becce82246 net/netns, misc tests: remove TestOnlySkipPrivilegedOps, argv checks
The netns UID check is sufficient for now. We can do something else
later if/when needed.
5 years ago
Brad Fitzpatrick 7a410f9236 net/netns: unindent, refactor to remove some redunant code
Also:
* always error on Control failing. That's very unexpected.
* pull out sockopt funcs into their own funcs for easier future testing
5 years ago
Brad Fitzpatrick 45b139d338 net/netns: remove redundant build tag
Filename is sufficient.
5 years ago
Brad Fitzpatrick dcd7a118d3 net/netns: add a test that tailscaleBypassMark stays in sync between packages 5 years ago
Brad Fitzpatrick 1e837b8e81 net/netns: refactor the sync.Once usage a bit 5 years ago
Avery Pennarun e7ae6a2e06 net/netns, wgengine/router: support Linux machines that don't have 'ip rule'.
We'll use SO_BINDTODEVICE instead of fancy policy routing. This has
some limitations: for example, we will route all traffic through the
interface that has the main "default" (0.0.0.0/0) route, so machines
that have multiple physical interfaces might have to go through DERP to
get to some peers. But machines with multiple physical interfaces are
very likely to have policy routing (ip rule) support anyway.

So far, the only OS I know of that needs this feature is ChromeOS
(crostini). Fixes #245.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Brad Fitzpatrick 765695eaa2 net/netns: also don't err on tailscaled -fake as a regular user
That's one of my dev workflows.
5 years ago
Brad Fitzpatrick 7f68e097dd net/netcheck: fix HTTPS fallback bug from earlier today
My earlier 3fa58303d0 tried to implement
the net/http.Tranhsport.DialTLSContext hook, but I didn't return a
*tls.Conn, so we ended up sending a plaintext HTTP request to an HTTPS
port. The response ended up being Go telling as such, not the
/derp/latency-check handler's response (which is currently still a
404). But we didn't even get the 404.

This happened to work well enough because Go's built-in error response
was still a valid HTTP response that we can measure for timing
purposes, but it's not a great answer. Notably, it means we wouldn't
be able to get a future handler to run server-side and count those
latency requests.
5 years ago
Brad Fitzpatrick 1407540b52 net/netns: don't return an error if we're not root and running the tailscale binary
tailscale netcheck was broken otherwise.

We can fix this a better way later; I'm just fixing a regression in
some way because I'm trying to work on netcheck at the moment.
5 years ago
David Anderson 5114df415e net/netns: set the bypass socket mark on linux.
This allows tailscaled's own traffic to bypass Tailscale-managed routes,
so that things like tailscale-provided default routes don't break
tailscaled itself.

Progress on #144.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Brad Fitzpatrick 3fa58303d0 netcheck: address some HTTP fallback measurement TODOs 5 years ago
Brad Fitzpatrick 7247e896b5 net/netcheck: add Report.IPv4 and another TODO 5 years ago
David Anderson e9f7d01b91 derp/derphttp: make DERP client use netns for dial-outs. 5 years ago
Brad Fitzpatrick 9e3ad4f79f net/netns: add package for start of network namespace support
And plumb in netcheck STUN packets.

TODO: derphttp, logs, control.

Updates #144

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick 0245bbe97b Make netcheck handle v6-only interfaces better, faster.
Also:

* add -verbose flag to cmd/tailscale netcheck
* remove some API from the interfaces package
* convert some of the interfaces package to netaddr.IP
* don't even send IPv4 probes on machines with no IPv4 (or only v4
  loopback)
* and once three regions have replied, stop waiting for other probes
  at 2x the slowest duration.

Updates #376
5 years ago
Avery Pennarun 7cd9ff3dde net/netcheck: fix race condition initializting RegionLatency maps.
Under some conditions, code would try to look things up in the maps
before the first call to updateLatency. I don't see any reason to delay
initialization of the maps, so let's just init them right away when
creating the Report instance.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Brad Fitzpatrick b0c10fa610 stun, netcheck: move under net 5 years ago
David Anderson 657f331e8b net/dnscache: remove unnecessary lint warning. 5 years ago
Elias Naur ad0795efc2 net/dnscache: don't use the Go resolver on Android
The local resolver is not available for apps on Android.

Signed-off-by: Elias Naur <mail@eliasnaur.com>
5 years ago
Brad Fitzpatrick 2244cca5ff net/tlsdial: update package doc to say it's now somewhat useless 5 years ago
Brad Fitzpatrick 172d72a060 Revert "net/tlsdial: add memory-optimized TLS cert verification path for iOS"
This reverts commit 6fcbd4c4d4.

Decided to put it in tailscale/go's crypto/x509 instead.
5 years ago
Brad Fitzpatrick 6fcbd4c4d4 net/tlsdial: add memory-optimized TLS cert verification path for iOS
Behind a build tag for now.
5 years ago
Brad Fitzpatrick b6fa5a69be net/tlsdial: add package for TLS dials, and make DERP & controlclient use it
This will do the iOS-optimized cert checking in a following change.
5 years ago
Brad Fitzpatrick c0697e1feb net/interfaces: add IsExpensive and up state to State
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick a4ef345737 cmd/tailscale: add status subcommand
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago