tailscale

Commit Graph

Author	SHA1	Message	Date
dependabot[bot]	992ee6dd0b	.github: Bump github/codeql-action from 3.26.8 to 3.26.9 (#13625 ) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.8 to 3.26.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](`294a9d9291...461ef6c76d`) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	3 weeks ago
Brad Fitzpatrick	262c526c4e	net/portmapper: don't treat 0.0.0.0 as a valid IP Updates tailscale/corp#23538 Change-Id: I58b8c30abe43f1d1829f01eb9fb2c1e6e8db9476 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Andrew Dunham	16ef88754d	net/portmapper: don't return unspecified/local external IPs We were previously not checking that the external IP that we got back from a UPnP portmap was a valid endpoint; add minimal validation that this endpoint is something that is routeable by another host. Updates tailscale/corp#23538 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id9649e7683394aced326d5348f4caa24d0efd532	3 weeks ago
Brad Fitzpatrick	1eaad7d3de	control/controlhttp: fix connectivity on Alaska Air wifi Updates #13597 Change-Id: Ifbf52b93fd35d64fcf80f8fddbfd610008fd8742 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Brad Fitzpatrick	fd32f0ddf4	control/controlhttp: factor out some code in prep for future change This pulls out the clock and forceNoise443 code into methods on the Dialer as cleanup in its own commit to make a future change less distracting. Updates #13597 Change-Id: I7001e57fe7b508605930c5b141a061b6fb908733 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Brad Fitzpatrick	d3f302d8e2	cmd/tailscale/cli: make 'tailscale debug ts2021' try twice In prep for a future port 80 MITM fix, make the 'debug ts2021' command retry once after a failure to give it a chance to pick a new strategy. Updates #13597 Change-Id: Icb7bad60cbf0dbec78097df4a00e9795757bc8e4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Mario Minardi	8f44ba1cd6	ssh: Add logic to set accepted environment variables in SSH session (#13559 ) Add logic to set environment variables that match the SSH rule's `acceptEnv` settings in the SSH session's environment. Updates https://github.com/tailscale/corp/issues/22775 Signed-off-by: Mario Minardi <mario@tailscale.com>	3 weeks ago
dependabot[bot]	dd6b808acf	.github: Bump peter-evans/create-pull-request from 7.0.1 to 7.0.5 (#13626 ) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 7.0.1 to 7.0.5. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](`8867c4aba1...5e914681df`) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	3 weeks ago
Anton Tolchanov	a70287d324	logpolicy: don't create a filch buffer if logging is disabled Updates #9549 Signed-off-by: Anton Tolchanov <commits@knyar.net>	3 weeks ago
Maisem Ali	fb0f8fc0ae	cmd/tsidp: add --dir flag To better control where the tsnet state is being stored. Updates #10263 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 weeks ago
Irbe Krumina	096b090caf	cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets (#13531 ) * cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets This commit is first part of the work to allow running multiple replicas of the Kubernetes operator egress proxies per tailnet service + to allow exposing multiple tailnet services via each proxy replica. This expands the existing iptables/nftables-based proxy configuration mechanism. A proxy can now be configured to route to one or more tailnet targets via a (mounted) config file that, for each tailnet target, specifies: - the target's tailnet IP or FQDN - mappings of container ports to which cluster workloads will send traffic to tailnet target ports where the traffic should be forwarded. Example configfile contents: { "some-svc": {"tailnetTarget":{"fqdn":"foo.tailnetxyz.ts.net","ports"{"tcp:4006:80":{"protocol":"tcp","matchPort":4006,"targetPort":80},"tcp:4007:443":{"protocol":"tcp","matchPort":4007,"targetPort":443}}}} } A proxy that is configured with this config file will configure firewall rules to route cluster traffic to the tailnet targets. It will then watch the config file for updates as well as monitor relevant netmap updates and reconfigure firewall as needed. This adds a bunch of new iptables/nftables functionality to make it easier to dynamically update the firewall rules without needing to restart the proxy Pod as well as to make it easier to debug/understand the rules: - for iptables, each portmapping is a DNAT rule with a comment pointing at the 'service',i.e: -A PREROUTING ! -i tailscale0 -p tcp -m tcp --dport 4006 -m comment --comment "some-svc:tcp:4006 -> tcp:80" -j DNAT --to-destination 100.64.1.18:80 Additionally there is a SNAT rule for each tailnet target, to mask the source address. - for nftables, a separate prerouting chain is created for each tailnet target and all the portmapping rules are placed in that chain. This makes it easier to look up rules and delete services when no longer needed. (nftables allows hooking a custom chain to a prerouting hook, so no extra work is needed to ensure that the rules in the service chains are evaluated). The next steps will be to get the Kubernetes Operator to generate the configfile and ensure it is mounted to the relevant proxy nodes. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 weeks ago
Irbe Krumina	c62b0732d2	cmd/k8s-operator: remove auth key once proxy has logged in (#13612 ) The operator creates a non-reusable auth key for each of the cluster proxies that it creates and puts in the tailscaled configfile mounted to the proxies. The proxies are always tagged, and their state is persisted in a Kubernetes Secret, so their node keys are expected to never be regenerated, so that they don't need to re-auth. Some tailnet configurations however have seen issues where the auth keys being left in the tailscaled configfile cause the proxies to end up in unauthorized state after a restart at a later point in time. Currently, we have not found a way to reproduce this issue, however this commit removes the auth key from the config once the proxy can be assumed to have logged in. If an existing, logged-in proxy is upgraded to this version, its redundant auth key will be removed from the conffile. If an existing, logged-in proxy is downgraded from this version to a previous version, it will work as before without re-issuing key as the previous code did not enforce that a key must be present. Updates tailscale/tailscale#13451 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 weeks ago
Kristoffer Dalby	77832553e5	ipn/ipnlocal: add advertised and primary route metrics Updates tailscale/corp#22075 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Tom Proctor	cab2e6ea67	cmd/k8s-operator,k8s-operator: add ProxyGroup CRD (#13591 ) The ProxyGroup CRD specifies a set of N pods which will each be a tailnet device, and will have M different ingress or egress services mapped onto them. It is the mechanism for specifying how highly available proxies need to be. This commit only adds the definition, no controller loop, and so it is not currently functional. This commit also splits out TailnetDevice and RecorderTailnetDevice into separate structs because the URL field is specific to recorders, but we want a more generic struct for use in the ProxyGroup status field. Updates #13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	4 weeks ago
Andrew Dunham	7ec8bdf8b1	go.mod: upgrade golangci-lint To pull in the fix for mgechev/revive#863 - seen in the GitHub Actions check below: https://github.com/tailscale/tailscale/actions/runs/11057524933/job/30721507353?pr=13600 Updates #13602 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ia04adc5d74bdbde14204645ca948794447b16776	4 weeks ago
Andrea Gottardo	69be54c7b6	net/captivedetection: exclude ipsec interfaces from captive portal detection (#13598 ) Updates tailscale/tailscale#1634 Logs from some iOS users indicate that we're pointlessly performing captive portal detection on certain interfaces named ipsec*. These are tunnels with the cellular carrier that do not offer Internet access, and are only used to provide internet calling functionality (VoLTE / VoWiFi). ``` attempting to do captive portal detection on interface ipsec1 attempting to do captive portal detection on interface ipsec6 ``` This PR excludes interfaces with the `ipsec` prefix from captive portal detection. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	4 weeks ago
Kristoffer Dalby	5550a17391	wgengine: make opts.Metrics mandatory Fixes #13582 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Kristoffer Dalby	7d1160ddaa	{ipn,net,tsnet}: use tsaddr helpers Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Kristoffer Dalby	f03e82a97c	client/web: use tsaddr helpers Updates #cleanup Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Kristoffer Dalby	0909431660	cmd/tailscale: use tsaddr helpers Updates #cleanup Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Kristoffer Dalby	3dc33a0a5b	net/tsaddr: add WithoutExitRoutes and IsExitRoute Updates #cleanup Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Mario Minardi	c90c9938c8	ssh/tailssh: add logic for matching against AcceptEnv patterns (#13466 ) Add logic for parsing and matching against our planned format for AcceptEnv values. Namely, this supports direct matches against string values and matching where * and ? are treated as wildcard characters which match against an arbitrary number of characters and a single character respectively. Actually using this logic in non-test code will come in subsequent changes. Updates https://github.com/tailscale/corp/issues/22775 Signed-off-by: Mario Minardi <mario@tailscale.com>	4 weeks ago
James Tucker	9eb59c72c1	wgengine/magicsock: fix check for EPERM on macOS Like Linux, macOS will reply to sendto(2) with EPERM if the firewall is currently blocking writes, though this behavior is like Linux undocumented. This is often caused by a faulting network extension or content filter from EDR software. Updates #11710 Updates #12891 Updates #13511 Signed-off-by: James Tucker <james@tailscale.com>	4 weeks ago
Andrew Dunham	717d589149	metrics: revert changes to MultiLabelMap's String method This breaks its ability to be used as an expvar and is blocking a trunkd deploy. Revert for now, and add a test to ensure that we don't break it in a future change. Updates #13550 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I1f1221c257c1de47b4bff0597c12f8530736116d	4 weeks ago
Cameron Stokes	65c26357b1	cmd/k8s-operator, k8s-operator: fix outdated kb links (#13585 ) updates #13583 Signed-off-by: Cameron Stokes <cameron@tailscale.com>	4 weeks ago
Adrian Dewhurst	2fdbcbdf86	wgengine/magicsock: only used cached results for GetLastNetcheckReport When querying for an exit node suggestion, occasionally it triggers a new report concurrently with an existing report in progress. Generally, there should always be a recent report or one in progress, so it is redundant to start one there, and it causes concurrency issues. Fixes #12643 Change-Id: I66ab9003972f673e5d4416f40eccd7c6676272a5 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	4 weeks ago
Brad Fitzpatrick	c2f0c705e7	health: clean up updateBuiltinWarnablesLocked a bit, fix DERP warnings Updates #13265 Change-Id: Iabe4a062204a7859d869f6acfb9274437b4ea1ea Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Kristoffer Dalby	0e0e53d3b3	util/usermetrics: make usermetrics non-global this commit changes usermetrics to be non-global, this is a building block for correct metrics if a go process runs multiple tsnets or in tests. Updates #13420 Updates tailscale/corp#22075 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Brad Fitzpatrick	e1bbe1bf45	derp: document the RunWatchConnectionLoop callback gotchas Updates #13566 Change-Id: I497b5adc57f8b1b97dbc3f74c0dc67140caad436 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	6f7e7a30e3	tool/gocross: make gocross-wrapper.sh keep multiple Go toolchains around So it doesn't delete and re-pull when switching between branches. Updates tailscale/corp#17686 Change-Id: Iffb989781db42fcd673c5f03dbd0ce95972ede0f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Mario Minardi	43f4131d7a	{release,version}: add DSM7.2 specific synology builds (#13405 ) Add separate builds for DSM7.2 for synology so that we can encode separate versioning information in the INFO file to distinguish between the two. Fixes https://github.com/tailscale/corp/issues/22908 Signed-off-by: Mario Minardi <mario@tailscale.com>	4 weeks ago
Andrea Gottardo	8a6f48b455	cli: add `tailscale dns query` (#13368 ) Updates tailscale/tailscale#13326 Adds a CLI subcommand to perform DNS queries using the internal DNS forwarder and observe its internals (namely, which upstream resolvers are being used). Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	4 weeks ago
dependabot[bot]	a98f75b783	.github: Bump tibdex/github-app-token from 1.8.0 to 2.1.0 (#9529 ) Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token) from 1.8.0 to 2.1.0. - [Release notes](https://github.com/tibdex/github-app-token/releases) - [Commits](`b62528385c...3beb63f4bd`) --- updated-dependencies: - dependency-name: tibdex/github-app-token dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Mario Minardi <mario@tailscale.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	4 weeks ago
Mario Minardi	05d82fb0d8	.github: pin re-actors/alls-green to latest 1.x (#13558 ) Pin re-actors/alls-green usage to latest 1.x. This was previously pointing to `@release/v2` which pulls in the latest changes from this branch as they are released, with the potential to break our workflows if a breaking change or malicious version on this stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinned version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	04bbef0e8b	.github: update and pin actions/upload-artifact to latest 4.x (#13556 ) Update and pin actions/upload-artifact usage to latest 4.x. These were previously pointing to @3 which pulls in the latest v3 as they are released, with the potential to break our workflows if a breaking change or malicious version on the @3 stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinned version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	a8bd0cb9c2	.github: update and pin actions/cache to latest 4.x (#13555 ) Update and pin actions/cache usage to latest 4.x. These were previously pointing to `@3` which pulls in the latest v3 as they are released, with the potential to break our workflows if a breaking change or malicious version on the `@3` stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinned version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. The breaking change between v3 and v4 is that v4 requires Node 20 which should be a non-issue where this is run. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	a3f7e72321	.github: use and pin slackapi/slack-github-action to latest 1.x (#13554 ) Use slackapi/slack-github-action across the board and pin to latest 1.x. Previously we were referencing the 1.27.0 tag directly which is vulnerable to someone replacing that version tag with malicious code. Replace usage of ruby/action-slack with slackapi/slack-github-action as the latter is the officially supported action from slack. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	22e98cf95e	.github: pin codeql actions to latest 3.x (#13552 ) Pin codeql actions usage to latest 3.x. These were previously pointing to `@2` which pulls in the latest v2 as they are released, with the potential to break our workflows if a breaking change or malicious version on the `@2` stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinend version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. The breaking change between v2 and v3 is that v3 requires Node 20 which is a non-issue as we are running this on ubuntu latest. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	2c1bbfb902	.github: pin actions/setup-go usage to latest 5.x (#13553 ) Pin actions/checkout usage to latest 5.x. These were previously pointing to `@4` which pulls in the latest v4 as they are released, with the potential to break our workflows if a breaking change or malicious version on the `@4` stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinend version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. The breaking change between v4 and v5 is that v5 requires Node 20 which should be a non-issue where it is used. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	07991dec83	.github: pin actions/checkout to latest v3 or v4 as appropriate (#13551 ) Pin actions/checkout usage to latest 3.x or 4.x as appropriate. These were previously pointing to `@4` or `@3` which pull in the latest versions at these tags as they are released, with the potential to break our workflows if a breaking change or malicious version for either of these streams are released. Changing this to a pinned version also means that dependabot will keep this in the pinend version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	8d508712c9	tailcfg: add AcceptEnv field to SSHRule (#13523 ) Add an `AcceptEnv` field to `SSHRule`. This will contain the collection of environment variable names / patterns that are specified in the `acceptEnv` block for the SSH rule within the policy file. This will be used in the tailscale client to filter out unacceptable environment variables. Updates: https://github.com/tailscale/corp/issues/22775 Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Joe Tsai	dc86d3589c	types/views: add SliceView.All iterator (#13536 ) And convert a all relevant usages. Updates #12912 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 month ago
Brad Fitzpatrick	3e9ca6c64b	go.toolchain.rev: bump oss, test toolchain matches go.toolchain.rev Update go.toolchain.rev for https://github.com/tailscale/go/pull/104 and add a test that, when using the tailscale_go build tag, we use the right Go toolchain. We'll crank up the strictness in later commits. Updates #13527 Change-Id: Ifb09a844858be2beb144a420e4e9dbdc5c03ae3a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Tom Proctor	d0a56a8870	cmd/containerboot: split main.go (#13517 ) containerboot's main.go had grown to well over 1000 lines with lots of disparate bits of functionality. This commit is pure copy- paste to group related functionality outside of the main function into its own set of files. Everything is still in the main package to keep the diff incremental and reviewable. Updates #cleanup Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 month ago
James Tucker	af5a845a87	net/dns/resolver: fix dns-sd NXDOMAIN responses from quad-100 mdnsResponder at least as of macOS Sequoia does not find NXDOMAIN responses to these dns-sd PTR queries acceptable unless they include the question section in the response. This was found debugging #13511, once we turned on additional diagnostic reporting from mdnsResponder we witnessed: ``` Received unacceptable 12-byte response from 100.100.100.100 over UDP via utun6/27 -- id: 0x7F41 (32577), flags: 0x8183 (R/Query, RD, RA, NXDomain), counts: 0/0/0/0, ``` If the response includes a question section, the resposnes are acceptable, e.g.: ``` Received acceptable 59-byte response from 8.8.8.8 over UDP via en0/17 -- id: 0x2E55 (11861), flags: 0x8183 (R/Query, RD, RA, NXDomain), counts: 1/0/0/0, ``` This may be contributing to an issue under diagnosis in #13511 wherein some combination of conditions results in mdnsResponder no longer answering DNS queries correctly to applications on the system for extended periods of time (multiple minutes), while dig against quad-100 provides correct responses for those same domains. If additional debug logging is enabled in mdnsResponder we see it reporting: ``` Penalizing server 100.100.100.100 for 60 seconds ``` It is also possible that the reason that macOS & iOS never "stopped spamming" these queries is that they have never been replied to with acceptable responses. It is not clear if this special case handling of dns-sd PTR queries was ever beneficial, and given this evidence may have always been harmful. If we subsequently observe that the queries settle down now that they have acceptable responses, we should remove these special cases - making upstream queries very occasionally isn't a lot of battery, so we should be better off having to maintain less special cases and avoid bugs of this class. Updates #2442 Updates #3025 Updates #3363 Updates #3594 Updates #13511 Signed-off-by: James Tucker <james@tailscale.com>	1 month ago
Andrea Gottardo	3a467b66b6	go/toolchain: use ed9dc37b2b000f376a3e819cbb159e2c17a2dac6 (#13507 ) Updates tailscale/tailscale#13452 Bump the Go toolchain to the latest to pick up changes required to not crash on Android 9/10. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	1 month ago
M. J. Fromberger	5f89c93274	safeweb: add a ListenAndServe method to the Server type (#13498 ) Updates #13497 Change-Id: I398e9fa58ad0b9dc799ea280c9c7a32150150ee4 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	1 month ago
Jordan Whited	951884b077	net/netcheck,wgengine/magicsock: plumb OnlyTCP443 controlknob through netcheck (#13491 ) Updates tailscale/corp#17879 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 month ago
Fran Bull	8b962f23d1	cmd/natc: fix nil pointer Fixes #13495 Signed-off-by: Fran Bull <fran@tailscale.com>	1 month ago
Jordan Whited	5f4a4c6744	wgengine/magicsock: fix sendUDPStd docs (#13490 ) Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 month ago

1 2 3 4 5 ...

8187 Commits (992ee6dd0bb17dd14d325ae6e0a35c9c741d48ab) All Branches Search

8187 Commits (992ee6dd0bb17dd14d325ae6e0a35c9c741d48ab)

All Branches