tailscale

Commit Graph

Author	SHA1	Message	Date
Maisem Ali	a7a394e7d9	tstest/integration: mark TestNATPing flaky Updates #12169 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Maisem Ali	07e2487c1d	wgengine/capture: fix v6 field typo in wireshark dissector It was using a v4 field for a v6 address. Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Maisem Ali	1dd9c44d51	tsweb: mark TestStdHandler_ConnectionClosedDuringBody flaky Updates #13107 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Flakes Updater	0a6eb12f05	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	2 months ago
Maisem Ali	f205efcf18	net/packet/checksum: fix v6 NAT We were copying 12 out of the 16 bytes which meant that the 1:1 NAT required would only work if the last 4 bytes happened to match between the new and old address, something that our tests accidentally had. Fix it by copying the full 16 bytes and make the tests also verify the addr and use rand addresses. Updates #9511 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Maisem Ali	a917718353	util/linuxfw: return nil interface not concrete type It was returning a nil `*iptablesRunner` instead of a nil `NetfilterRunner` interface which would then fail checks later. Fixes #13012 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Nick Khyl	4099a36468	util/winutil/gp: fix a busy loop bug Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Jordan Whited	d9d9d525d9	wgengine/netstack: increase gVisor's TCP send and receive buffer sizes (#12994 ) This commit increases gVisor's TCP max send (4->6MiB) and receive (4->8MiB) buffer sizes on all platforms except iOS. These values are biased towards higher throughput on high bandwidth-delay product paths. The iperf3 results below demonstrate the effect of this commit between two Linux computers with i5-12400 CPUs. 100ms of RTT latency is introduced via Linux's traffic control network emulator queue discipline. The first set of results are from commit `f0230ce` prior to TCP buffer resizing. gVisor write direction: Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 180 MBytes 151 Mbits/sec 0 sender [ 5] 0.00-10.10 sec 179 MBytes 149 Mbits/sec receiver gVisor read direction: Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.10 sec 337 MBytes 280 Mbits/sec 20 sender [ 5] 0.00-10.00 sec 323 MBytes 271 Mbits/sec receiver The second set of results are from this commit with increased TCP buffer sizes. gVisor write direction: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 297 MBytes 249 Mbits/sec 0 sender [ 5] 0.00-10.10 sec 297 MBytes 247 Mbits/sec receiver gVisor read direction: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.10 sec 501 MBytes 416 Mbits/sec 17 sender [ 5] 0.00-10.00 sec 485 MBytes 407 Mbits/sec receiver Updates #9707 Updates tailscale/corp#22119 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Andrew Dunham	9939374c48	wgengine/magicsock: use cloud metadata to get public IPs Updates #12774 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I1661b6a2da7966ab667b075894837afd96f4742f	2 months ago
Andrea Gottardo	4055b63b9b	net/captivedetection: exclude cellular data interfaces (#13002 ) Updates tailscale/tailscale#1634 This PR optimizes captive portal detection on Android and iOS by excluding cellular data interfaces (`pdp*` and `rmnet`). As cellular networks do not present captive portals, frequent network switches between Wi-Fi and cellular would otherwise trigger captive detection unnecessarily, causing battery drain. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 months ago
Jordan Whited	f0230ce0b5	go.mod,net/tstun,wgengine/netstack: implement gVisor TCP GRO for Linux (#12921 ) This commit implements TCP GRO for packets being written to gVisor on Linux. Windows support will follow later. The wireguard-go dependency is updated in order to make use of newly exported IP checksum functions. gVisor is updated in order to make use of newly exported stack.PacketBuffer GRO logic. TCP throughput towards gVisor, i.e. TUN write direction, is dramatically improved as a result of this commit. Benchmarks show substantial improvement, sometimes as high as 2x. High bandwidth-delay product paths remain receive window limited, bottlenecked by gVisor's default TCP receive socket buffer size. This will be addressed in a follow-on commit. The iperf3 results below demonstrate the effect of this commit between two Linux computers with i5-12400 CPUs. There is roughly ~13us of round trip latency between them. The first result is from commit `57856fc` without TCP GRO. Starting Test: protocol: TCP, 1 streams, 131072 byte blocks - - - - - - - - - - - - - - - - - - - - - - - - - Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 4.77 GBytes 4.10 Gbits/sec 20 sender [ 5] 0.00-10.00 sec 4.77 GBytes 4.10 Gbits/sec receiver The second result is from this commit with TCP GRO. Starting Test: protocol: TCP, 1 streams, 131072 byte blocks - - - - - - - - - - - - - - - - - - - - - - - - - Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 10.6 GBytes 9.14 Gbits/sec 20 sender [ 5] 0.00-10.00 sec 10.6 GBytes 9.14 Gbits/sec receiver Updates #6816 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Brad Fitzpatrick	cc370314e7	health: don't show login error details with context cancelations Fixes #12991 Change-Id: I2a5e109395761b720ecf1069d0167cf0caf72876 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Aaron Klotz	655b4f8fc5	net/netns: remove some logspam by avoiding logging parse errors due to unspecified addresses I updated the address parsing stuff to return a specific error for unspecified hosts passed as empty strings, and look for that when logging errors. I explicitly did not make parseAddress return a netip.Addr containing an unspecified address because at this layer, in the absence of any host, we don't necessarily know the address family we're dealing with. For the purposes of this code I think this is fine, at least until we implement #12588. Fixes #12979 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 months ago
Brad Fitzpatrick	004dded0a8	net/tlsdial: relax self-signed cert health warning It seems some security software or macOS itself might be MITMing TLS (for ScreenTime?), so don't warn unless it fails x509 validation against system roots. Updates #3198 Change-Id: I6ea381b5bb6385b3d51da4a1468c0d803236b7bf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Aaron Klotz	0def4f8e38	net/netns: on Windows, fall back to default interface index when unspecified address is passed to ControlC and bindToInterfaceByRoute is enabled We were returning an error instead of binding to the default interface. Updates #12979 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 months ago
Jordan Whited	7bc2ddaedc	go.mod,net/tstun,wgengine/netstack: implement gVisor TCP GSO for Linux (#12869 ) This commit implements TCP GSO for packets being read from gVisor on Linux. Windows support will follow later. The wireguard-go dependency is updated in order to make use of newly exported GSO logic from its tun package. A new gVisor stack.LinkEndpoint implementation has been established (linkEndpoint) that is loosely modeled after its predecessor (channel.Endpoint). This new implementation supports GSO of monster TCP segments up to 64K in size, whereas channel.Endpoint only supports up to 32K. linkEndpoint will also be required for GRO, which will be implemented in a follow-on commit. TCP throughput from gVisor, i.e. TUN read direction, is dramatically improved as a result of this commit. Benchmarks show substantial improvement through a wide range of RTT and loss conditions, sometimes as high as 5x. The iperf3 results below demonstrate the effect of this commit between two Linux computers with i5-12400 CPUs. There is roughly ~13us of round trip latency between them. The first result is from commit `57856fc` without TCP GSO. Starting Test: protocol: TCP, 1 streams, 131072 byte blocks - - - - - - - - - - - - - - - - - - - - - - - - - Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 2.51 GBytes 2.15 Gbits/sec 154 sender [ 5] 0.00-10.00 sec 2.49 GBytes 2.14 Gbits/sec receiver The second result is from this commit with TCP GSO. Starting Test: protocol: TCP, 1 streams, 131072 byte blocks - - - - - - - - - - - - - - - - - - - - - - - - - Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 12.6 GBytes 10.8 Gbits/sec 6 sender [ 5] 0.00-10.00 sec 12.6 GBytes 10.8 Gbits/sec receiver Updates #6816 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Andrea Gottardo	949b15d858	net/captivedetection: call SetHealthy once connectivity restored (#12974 ) Fixes tailscale/tailscale#12973 Updates tailscale/tailscale#1634 There was a logic issue in the captive detection code we shipped in https://github.com/tailscale/tailscale/pull/12707. Assume a captive portal has been detected, and the user notified. Upon switching to another Wi-Fi that does not have a captive portal, we were issuing a signal to interrupt any pending captive detection attempt. However, we were not also setting the `captive-portal-detected` warnable to healthy. The result was that any "captive portal detected" alert would not be cleared from the UI. Also fixes a broken log statement value. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 months ago
Jonathan Nobels	8a8ecac6a7	net/dns, cmd/tailscaled: plumb system health tracker into dns cleanup (#12969 ) fixes tailscale#12968 The dns manager cleanup func was getting passed a nil health tracker, which will panic. Fixed to pass it the system health tracker. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	2 months ago
Irbe Krumina	eead25560f	build_docker.sh: update script comment (#12970 ) It is no longer correct to state that we don't support running Tailscale in containers or on Kubernetes. Updates tailscale/tailscale#12842 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
dependabot[bot]	1b64961320	build(deps): bump github.com/docker/docker (#12966 ) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 25.0.5+incompatible to 26.1.4+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v25.0.5...v26.1.4) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2 months ago
Irbe Krumina	32308fcf71	Dockerfile: add a warning that this is not used to build our published images (#12955 ) Add a warning that the Dockerfile in the OSS repo is not the currently used mechanism to build the images we publish - for folks who want to contribute to image build scripts or otherwise need to understand the image build process that we use. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Flakes Updater	34de96d06e	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	2 months ago
Brad Fitzpatrick	575feb486f	util/osuser: turn wasm check into a const expression All wasi* are GOARCH wasm, so check that instead. Updates #12732 Change-Id: Id3cc346295c1641bcf80a6c5eb1ad65488509656 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	2ab1d532e8	gokrazy/tsapp: add go.mod replacing two tailscale.com binaries with parent module Updates #1866 Change-Id: I1ee7d41f7ee55806fb7ad94d0333dd0ec33d8efd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	360046e5c3	words: add some associated with scales Updates tailscale/corp#14698 Change-Id: Ica7f179bd368d3c15f58fb236d377881cd80efcf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Andrew Dunham	35a8fca379	cmd/tailscale/cli: release portmap after netcheck Updates #12954 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ic14f037b48a79b1263b140c6699579b466d89310	2 months ago
Jonathan Nobels	19b0c8a024	net/dns, health: raise health warning for failing forwarded DNS queries (#12888 ) updates tailscale/corp#21823 Misconfigured, broken, or blocked DNS will often present as "internet is broken'" to the end user. This plumbs the health tracker into the dns manager and forwarder and adds a health warning with a 5 second delay that is raised on failures in the forwarder and lowered on successes. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	2 months ago
Percy Wegmann	3088c6105e	go.mod: pull in latest github.com/tailscale/xnet This picks up https://github.com/tailscale/xnet/pull/1 so that clients can move files even when holding only a lock for the source file. Updates #12941 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Irbe Krumina	a21bf100f3	cmd/k8s-operator,k8s-operator/sessionrecording,sessionrecording,ssh/tailssh: refactor session recording functionality (#12945 ) cmd/k8s-operator,k8s-operator/sessionrecording,sessionrecording,ssh/tailssh: refactor session recording functionality Refactor SSH session recording functionality (mostly the bits related to Kubernetes API server proxy 'kubectl exec' session recording): - move the session recording bits used by both Tailscale SSH and the Kubernetes API server proxy into a shared sessionrecording package, to avoid having the operator to import ssh/tailssh - move the Kubernetes API server proxy session recording functionality into a k8s-operator/sessionrecording package, add some abstractions in preparation for adding support for a second streaming protocol (WebSockets) Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Paul Scott	1bf7ed0348	tsweb: add QuietLogging option (#12838 ) Allows the use of tsweb.LogHandler exclusively for callbacks describing the handler HTTP requests. Fixes #12837 Signed-off-by: Paul Scott <paul@tailscale.com>	2 months ago
Irbe Krumina	c5623e0471	go.{mod,sum},tstest/tools,k8s-operator,cmd/k8s-operator: autogenerate CRD API docs (#12884 ) Re-instates the functionality that generates CRD API docs, but using a different library as the one we were using earlier seemed to have some issues with its Git history. Also regenerates the docs (make kube-generate-all). Updates tailscale/tailscale#12859 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Ross Williams	1bf82ddf84	util/osuser: run getent on non-Linux Unixes Remove the restriction that getent is skipped on non-Linux unixes. Improve validation of the parsed output from getent, in case unknown systems return unusable information. Fixes #12730. Signed-off-by: Ross Williams <ross@ross-williams.net>	2 months ago
Andrea Gottardo	6840f471c0	net/dnsfallback: set CanPort80 in static DERPMap (#12929 ) Updates tailscale/corp#21949 As discussed with @raggi, this PR updates the static DERPMap embedded in the client to reflect the availability of HTTP on the DERP servers run by Tailscale. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 months ago
Andrea Gottardo	90be06bd5b	health: introduce captive-portal-detected Warnable (#12707 ) Updates tailscale/tailscale#1634 This PR introduces a new `captive-portal-detected` Warnable which is set to an unhealthy state whenever a captive portal is detected on the local network, preventing Tailscale from connecting. ipn/ipnlocal: fix captive portal loop shutdown Change-Id: I7cafdbce68463a16260091bcec1741501a070c95 net/captivedetection: fix mutex misuse ipn/ipnlocal: ensure that we don't fail to start the timer Change-Id: I3e43fb19264d793e8707c5031c0898e48e3e7465 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 months ago
Brad Fitzpatrick	cf97cff33b	wgengine/netstack: simplify netaddrIPFromNetstackIP Updates #cleanup Change-Id: I66878b08a75d44170460cbf33c895277c187bd8d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Paul Scott	855da47777	tsweb: Add MiddlewareStack func to apply lists of Middleware (#12907 ) Fixes #12909 Signed-off-by: Paul Scott <paul@tailscale.com>	2 months ago
Nick Khyl	43375c6efb	types/lazy: re-init SyncValue during test cleanup if it wasn't set before SetForTest Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Paul Scott	ba7f2d129e	tsweb: log all cancellations as 499s (#12894 ) Updates #12141 Signed-off-by: Paul Scott <paul@tailscale.com>	2 months ago
Irbe Krumina	57856fc0d5	ipn,wgengine/magicsock: allow setting static node endpoints via tailscaled configfile (#12882 ) wgengine/magicsock,ipn: allow setting static node endpoints via tailscaled config file. Adds a new StaticEndpoints field to tailscaled config that can be used to statically configure the endpoints that the node advertizes. This field will replace TS_DEBUG_PRETENDPOINTS env var that can be used to achieve the same. Additionally adds some functionality that ensures that endpoints are updated when configfile is reloaded. Also, refactor configuring/reconfiguring components to use the same functionality when configfile is parsed the first time or subsequent times (after reload). Previously a configfile reload did not result in resetting of prefs. Now it does- but does not yet tell the relevant components to consume the new prefs. This is to be done in a follow-up. Updates tailscale/tailscale#12578 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
License Updater	9904421853	licenses: update license notices Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	2 months ago
Nick Khyl	5d09649b0b	types/lazy: add (SyncValue[T]).SetForTest method It is sometimes necessary to change a global lazy.SyncValue for the duration of a test. This PR adds a (SyncValue[T]).SetForTest method to facilitate that. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Nick Khyl	d500a92926	util/slicesx: add HasPrefix, HasSuffix, CutPrefix, and CutSuffix functions The standard library includes these for strings and byte slices, but it lacks similar functions for generic slices of comparable types. Although they are not as commonly used, these functions are useful in scenarios such as working with field index sequences (i.e., []int) via reflection. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Flakes Updater	1f94047475	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	2 months ago
Nick Khyl	bd54b61746	types/opt: add (Value[T]).GetOr(def T) T method Updates #12736 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Nick Khyl	20562a4fb9	cmd/viewer, types/views, util/codegen: add viewer support for custom container types This adds support for container-like types such as Container[T] that don't explicitly specify a view type for T. Instead, a package implementing a container type should also implement and export a ContainerView[T, V] type and a ContainerViewOf(*Container[T]) ContainerView[T, V] function, which returns a view for the specified container, inferring the element view type V from the element type T. Updates #12736 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Andrew Lytvynov	e7bf6e716b	cmd/tailscale: add --min-validity flag to the cert command (#12822 ) Some users run "tailscale cert" in a cron job to renew their certificates on disk. The time until the next cron job run may be long enough for the old cert to expire with our default heristics. Add a `--min-validity` flag which ensures that the returned cert is valid for at least the provided duration (unless it's longer than the cert lifetime set by Let's Encrypt). Updates #8725 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Lee Briggs	32ce18716b	Add extra environment variables in deployment template (#12858 ) Fixes #12857 Signed-off-by: Lee Briggs <lee@leebriggs.co.uk>	2 months ago
Irbe Krumina	0f57b9340b	cmd/k8s-operator,tstest,go.{mod,sum}: remove fybrik.io/crdoc dependency (#12862 ) Remove fybrik.io/crdoc dependency as it is causing issues for folks attempting to vendor tailscale using GOPROXY=direct. This means that the CRD API docs in ./k8s-operator/api.md will no longer be generated- I am going to look at replacing it with another tool in a follow-up. Updates tailscale/tailscale#12859 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Paul Scott	b2c522ce95	tsweb: log cancelled requests as 499 Fixes #12860 Signed-off-by: Paul Scott <paul@tailscale.com>	2 months ago
Adrian Dewhurst	54f58d1143	ipn/ipnlocal: add comment explaining auto exit node migration Updates tailscale/corp#19681 Change-Id: I6d396780b058ff0fbea0e9e53100f04ef3b76339 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	2 months ago

1 2 3 4 5 ...

7922 Commits (a7a394e7d9d32991ddd3b6f99ed9efa95e88e01f) All Branches Search

7922 Commits (a7a394e7d9d32991ddd3b6f99ed9efa95e88e01f)

All Branches