archive
/
tailscale
mirror of https://github.com/tailscale/tailscale/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
8,045 Commits
662 Branches
152 Tags
99 MiB
mpminardi/accept-env-pattern-match
main
kari/hostinfopkg
mpminardi/dsm-7-2-builds
mpminardi/accept-env-tailcfg
irbekrm/egresshafw
angott/dns-cli-stream
dependabot/npm_and_yarn/client/web/vite-5.1.8
angott/dns-cli-query
kradalby/userfacing-metrics-moar
maisem/tsnet-forward
bradfitz/derp_flow_track
bradfitz/rm_x_crypto_fork
release-branch/1.74
bradfitz/tool_go
angott/captive-exit-node-disablement
flakes
dependabot/github_actions/ruby/action-slack-3.2.2
raggi/natlab-latency-loss
bradfitz/bumptoolchain
angott/tvos-23087
raggi/trimpathtest
nickkhyl/http2-for-win-safesocket
fran/natc-consensus-prototype
nickkhyl/login-notifications
irbekrm/egresshapm
dependabot/npm_and_yarn/cmd/tsconnect/micromatch-4.0.8
irbekrm/egressha
nickkhyl/authurl-notify-backport
jwhited/test-local-forwarder
release-branch/1.72
jonathan/missing_resolvers
knyar/userfacing-metrics
andrew/disco-af-packet-refactor
jwhited/gvisor-revert-gro
irbekrm/proxycidrs
22332-macos-sequoia-hostname
knyar/metrictype
dependabot/go_modules/github.com/docker/docker-26.1.5incompatible
bradfitz/vnet2
jwhited/derp-https-tcp-connect
raggi/callmebaby
awly/cli-json-docs
raggi/linux6644
irbekrm/reload_config
maisem/flake-3
nickkhyl/syspolicy-new
jonathan/vznet
knyar/varz
irbekrm/dnat
raggi/dnsfallback
irbekrm/websocket
andrew/captive-use-atomic
marwan/offunc
jwhited/gVisor-gso-gro
release-branch/1.70
tomhjp/e2e-tests
irbekrm/kubetestsetup
irbekrm/eks
dsnet/syncs-lock
raggi/derp-route-optimization
will-systray
bradfitz/json2
andrew/dns-more-logging
andrew/net-dns-systemd-no-stub
release-branch/1.68
fran/fix-appc-write-new-domain
adrian/fix-vet-failures
angott/dns-warnables
andrew/workgraph
agottardo-patch-1
bradfitz/resume
irbekrm/operator_linux_only
nickkhyl/posture-sn-override
kradalby/chaos
angott/ignore-some-warnings-startup
dependabot/npm_and_yarn/cmd/tsconnect/braces-3.0.3
irbekrm/fixsubnets
irbekrm/dnstest
irbekrm/fix
irbekrm/accept_routes
percy/issue8593
percy/issue8593-prep
jonathan/sugg_exit_node_fix
release-branch/1.66
icio/public-key-short
clairew/handle-auto-exit-node-value
knyar/install2
will/tsnet-udp
raggi/web-zst-precompress
raggi/gocross-empty-goos-goarch
andrew/dns-fallback
andrew/prom-omit-metrics
jwhited/android-packet-vectors
knyar/renew
bradfitz/debug_tstest
clairew/revert-storing-last-suggested
andrew/debug-integration-tests
fran/appc-ensmallen-gh-preset
ox/11854-3-sftp
percy/cherry-pick-2648d475d751b47755958f47a366e300b6b6de0a
ox/corp-19592
ox/11954-3
ox/11854
kevin/Split_Remove_advertised_routes_from_pref
dsnet/logtail-buffer2
bradfitz/dataplane_logs_no_logs_no_support
nickkhyl/ipn-user-identity
irbekrm/extsvcnftableslb
andrew/dns-wrap-errors
release-branch/1.64
noncombatant/safeweb-cleanup
bradfitz/login_retry
patrickod/installer-yml-fixup
release-branch/1.64.0
fran/appc-store-routes-by-source
andrew/controlclient-use-last-addr
enable-exit-node-dst-logs
clairew/peer-node-capability-documentation
revert-11590-catzkorn/penguin
enable-exit-node-dst-logs-2
licenses/corp
dsnet/logpolicy-opts
licenses/android
jonathan/taildrop_path
licenses/cli
release-branch/1.62
clairew/log-dst-exit-node
fran/appc-domain-delte-prototype
irbekrm/maybe_fix_v6
oxtoacart/golden_memory
irbekrm/cherry_fix_panic
oxtoacart/no_indent_status
angott/corp-18441
soniaappasamy/serve-funnel-ui
brafitz/remote-config
andrew/control-key-store
maisem/proxy-1
release-branch/1.60
andrew/netstack-forwarder-debug
oxtoacart/immediately_access_shares
knyar/install
irbekrm/splitkeys
oxtoacart/automount
angott/sleep-debug-apis
clairew/suggest-non-mullvad-exit-node
tom/tka4
clairew/add-latitude-longitude
irbekrm/operatorversion
oxtoacart/dsnet_codereview_fixes
clairew/client-suggest-node-poc
raggi/rand
flyingsquirrel_bak
will/containerboot-webui
irbekrm/clustermagicdns
noncombatant/add-hello-systemd
catzkorn/jira
release-branch/1.58
kradalby/view-only-type
clairew/add-disco-pong-padding
clairew/receive-icmp-errors
dgentry-b10911
irbekrm/proxyclass2
irbekrm/proxyclass
irbekrm/byocerts
knyar/worklifeposture
dsnet/httpio
will/webclient-mobile
will/webclient-csrf
irbekrm/static_crd
irbekrm/manifests_crd
maisem/exp-k8s
release-branch/1.44
irbekrm/containerbootdeclarativeconf
kube_exp
irbekrm/conf
raggi/stun-subprocess
andrew/nixos-vm-tests
irbekrm/set_args
andrew/peer-ipv6-addrs
irbekrm/external_services
irbekrm/os
irbekrm/pull_in_certs
dependabot/github_actions/github/codeql-action-3
dependabot/github_actions/actions/upload-artifact-4
irbekrm/kube_build_tags
release-branch/1.56
jwhited/derp-cmm-timestamp
naman/web-client-update-fixes
dependabot/github_actions/actions/setup-go-5
soniaappasamy/use-swr
marwan/displayname
release-branch/1.54
danderson/debug-garden
jwhited/unsafe-exp
clairew/test-wrapper-file
bradfitz/compontent_logs
kradalby-keys-db-interface
kradalby/keys-db-interface
andrew/upnp-unfork
bm/tsoidc
irbekrm/le
knyar/restartmap
kristoffer/editable-tailnet-displayname
raggi/document-deprecated-approach
dsnet/statestore
awly/version-override
bradfitz/silentdisco_knob
richard/15372
raggi/icmplistener
awly/linux-sudoers-local-admin-poc
release-branch/1.52
soniaappasamy/web-auth-restructure
bradfitz/ipx_set_contains
knyar/derpmesh
irbekrm/chartandcli
richard/15037-2
bradfitz/linuxfw_nil_table
richard/15037
bradfitz/tbug
bradfitz/derp_mesh
valscale/meshFix
will/sonia/web-tailscaled
tyler/serve-status
maisem/ni
maisem/hi
rhea/apple-test
dgentry-nix-flake
dgentry-coverage
c761d10
bradfitz/gocross_wantver
awly/ipnlocal-watchnotifications-clientversion
bradfitz/integration_more_tun
bradfitz/recursive_controlknob
dgentry-authkey
dependabot/npm_and_yarn/cmd/tsconnect/postcss-8.4.31
bm/4via6
bradfitz/sessionactivetimeout
release-branch/1.50
rhea/taildrop-resume
andrew/peercap-ipv6-aaaa
irbekrm/k8sipnftheuristics
irbekrm/kubeipnft
irbekrm/k8sipnft
dgentry-istoreos
knyar/posturemac
dependabot/github_actions/tibdex/github-app-token-2.1.0
irbekrm/egress
raggi/restore-extra-records-dns
aaron/win_process_mitigations
danderson/lru-rollback
clairew/mdm-interface
angott/userdefaults-reader
andrew/bump-esbuild
andrew/netns-more-logging
release-branch/1.48
irbekrm/k8s-autopilot
dsnet/viewer-jsonv2
marwan/altmem_stash
irbekrm/k8s-nftables
marwan/postmem
maisem/fix-deadlock
bradfitz/matrix
irbekrm/egress-dns
bradfitz/wait_unpause
bradfitz/calc_state
irbekrm/svc_conditions
soniaappasamy/fix-test-flake
marwan/servedev
soniaappasamy/fix-web-client-lock
raggi/netfilter-runtime
raggi/netfilter-add-modes
marwan/scmem
bradfitz/ignore_ula
clairew/tstime-net
clairew/tstime-wgengine
bradfitz/tkasig_type
shayne/k8s-serve
bradfitz/gui_netmap
macsys-update
catzkorn/netcheckuout
andrew/doctor-conntrack
tsweb/client-ui
valscale/ptb
raggi/gotoolchain
irbekrm/improve_logout
maisem/doc
rhea/egress
noncombatant/large-int-string
release-branch/1.46
andrew/captive-portal-package
s/pmtud
andrew/derp-bound-latency
andrew/health-state
bradfitz/gokrazy_dns
clairew/use-tstime-etc
bradfitz/negdep
raggi/stunc
raggi/gvisor-hostarch-deptest
crawshaw/art-table
irbekrm/fix_logout_loop
clairew/refactor-new-timer
clairew/test-wrapper-write-file
s/tsnetd
bradfitz/countrycode
crawshaw/stunchild
tom/disco
raggi/v6masq
release-branch/1.42
raggi/heartbeat-timebomb
raggi/derp-probe-stun-loss
raggi/tsdebugger
tom/derp
andrew/ipn-debug-1.42.0
marwan/portlistrefactor
marwan/noconstructor
angott/allow-thunderbolt-bridge
marwan/polleropts
marwan/noconstructor2
andrew/slicesx-deduplicate
unraid-web
release-branch/1.40
kristoffer/enable-mips-pkgs
s/eq
raggi/atomiccloseonce
raggi/bump-goreleaserv2
marwan/tmp
catzkorn/addrsend
raggi/gofuzz
shayne/funnel_cmd
release-branch/1.38
dgentry/atomicfile
andrew/derp-region-location
tom/tka6
maisem/k8s-cache
azure
andrew/fastjson
crawshaw/lnclose
crawshaw/tsnet1
crawshaw/httpconnect
Xe/tsnet-funnel
dgentry/sniproxy-dns
andrew/util-dnsconfig
andrew/cloudenv-location
release-branch/1.36
aaron/migrate_windows
crawshaw/pidlisten
andrew/router-drop-ula
will/vizerr
danderson/mkversion
crawshaw/activesum
andrew/doctor-scutil
danderson/version-private3
bradfitz/sassy
bradfitz/win_unattended_warning
andrew/hostinfo-HavePortMap
skriptble/ssh-recording-persist
crawshaw/ondemanddomains
danderson/helm
andrew/peer-status-KeyExpiry
bradfitz/noise_debug_more
release-branch/1.34
cloner
danderson/backport
clairew/tsnet_get_own_ip
bradfitz/tidy
raggi/tsweb-compression
bradfitz/fix_ipn_cloner
danderson/bootstrap
will/enforce-hostname
mihaip/delete-all-profiles
release-branch/1.32
shayne/serve_empty_text_handler
bradfitz/hostinfo_ingress_bit
mihaip/logout-async-start
net-audit-log/1.32
bradfitz/set_prefs_locked
mihaip/fas
bradfitz/port_intercept
andrew/net-tsaddr-mapviaaddr
danderson/tsburrito
andrew/tstest-goroutine-ignore
andrew/monitor-link-change
danderson/k8s
andrew/debug-subnet-router
andrew/metrics-distribution
crawshaw/accumulatorcfg
bradfitz/keyboard-interactive
bradfitz/tailpipe
vm
raggi/accept-routes-filter
nyghtowl/tailnet-name2
buildjet
buildjet-vs-github
andrew/netns-macos-route
walterp-api
andrew/linux-router-v4-disabled
bradfitz/distro_ubuntu
tom/iptables
release-branch/1.30
tom/tka2
andrew/dnscache-debugging-1.22.2
andrew/controlclient-dial
raggi/experiment-queues
bradfitz/u32
ip6tables
catzkorn/derp-benchmark
jwhited/wireguard-go-vectorized-bind
catzkorn/otel-init
bradfitz/appendf
mihaip/js-cli
dsnet/tsweb-499s
bradfitz/deephash_early_exit
crawshaw/xdp
dsnet/logtail-zstd-single-segment
Xe/gitops-pusher-three-version-problem
Xe/gitops-pusher-acl-test-error-output
Xe/gitops-pusher-ffcli
bradfitz/ssh_auth_none_demo
release-branch/1.28
catzkorn/otel-derp
bradfitz/shared_split_dns
nyghtowl/fix-resolved
release-branch/1.26
bradfitz/explicit_empty_test_3808
crawshaw/preservenetinfo
miriah-3808-reset-operator
dsnet/tsnet-logging
mihaip/wasm-taildrop
crawshaw/stunname
bradfitz/wasm_play
bradfitz/dot
bradfitz/tcp_flows
release-branch/1.24
raggi/netstack_fwd_close
bradfitz/netstack_fwd_close
merge-tag
cross-android
bradfitz/kmod
bradfitz/ssh_banner
bradfitz/ping
tom/integration
bradfitz/ssh_policy_earlier
bradfitz/derpy_cast
bradfitz/cli_admin
release-branch/1.22
aaron/go-ole-ref
bradfitz/key_rotation_prep
josh/tswebflags
release-branch/1.20
crawshaw/envtype
danderson/tsweb-server
bradfitz/autocert_force
bradfitz/use_netstack_upstream
Xe/winui-bugreport-without-tailscaled
bradfitz/hostinfo_basically_equal
release-branch/1.18
aaron/loglog
aaron/dnsapc
bradfitz/demo_client_hijack
bradfitz/windns
bradfitz/exit_node_forward_dns
bradfitz/1.18.1
Xe/tailtlsproxy
bradfitz/allsrc
josh/peermap
danderson/ebpf
bradfitz/1_16_stress_netmap
danderson/nodekey-move
danderson/nodekey-delete-old
danderson/nodekey-cleanup
danderson/magicsock-discokey
release-branch/1.16
danderson/magicsock-node-key
crawshaw/updatefallback
release-branch/1.14
bradfitz/1.14
bradfitz/updates
josh/immutable-views
bradfitz/portmap_gh_actions
danderson/kernel-tailscale
bradfitz/win_default_route
release-branch/1.12
jknodt/logging
simenghe/add-tsmpping-call
josh/opt-getstatus
Aadi/speedtest-tailscaled
dsnet/admin-cli
bradfitz/portmap_test
jknodt/portmap_test
upnpdebug
jknodt/upnp_reuse
crawshaw/peerdoh
josh/debug-flake
simenghe/pingresult-work
jknodt/derp_flow
tps/tailscaled
jknodt/vms_ref
jknodt/integ_test
josh/fast-time
josh/coarsetime
bradfitz/derp_flow
release-branch/1.10
josh/io_uring
josh/deflake-pipe-again
Xe/testcontrol-v6
jknodt/io-uring
simenghe/admin-ping-test
jknodt/periodic_probe
simenghe/isoping
Xe/private-logcatcher-in-process
simenghe/tcpnodeping
bradfitz/deephash_methods
crawshaw/deephash
josh/de-select-tstun-wrapper
Xe/debug-nixos-build
simenghe/isoping-experiment
crawshaw/dnswslhackery
jknodt/userderp
jknodt/bw_rep2
crawshaw/wslresolvconf
jknodt/upnp
crawshaw/magicdnsalways
simenghe/flakeresolve
rec_in_use_after_5_sec
bradfitz/acme
release-branch/1.8
simenghe/add-httphandlers-ping
simenghe/add-ping-route-testcontrol-mux
simeng-pingtest
Xe/test-install-script-libvirtd
apenwarr/check184
crawshaw/newbackendserver
adding-address-ips-totestcontrolnode
onebinary
Xe/synology-does-actually-work-with-subnet-routes-til
bradfitz/netstack_port_map
bradfitz/demo_pinger
apenwarr/fixes
apenwarr/relogin
josh/NewIPPort
josh/IPWithPort
bradfitz/integration_tests
josh/opt-dp-wip
bradfitz/ping_notes
bradfitz/dropped_by_filter_logspam
bradfitz/netstack_drop_silent
bradfitz/log_rate_test
bradfitz/issue_1840_rebased_tree
bradfitz/issue_1849_rebased_tree
crawshaw/syno
apenwarr/statefix
apenwarr/statetest
josh/wip/endpoint-serialize
apenwarr/ioslogin
rosszurowski/cli-fix-typo
bradfitz/cli_pretty
bradfitz/win_delete_retry
bradfitz/sleep
naman/netstack-request-logging
naman/ephem-expand-range
bradfitz/macos_progress
bradfitz/ip_of
crawshaw/localapi404
crawshaw/movefiles
crawshaw/socket
crawshaw/cgi
naman/netstack-subnet-routing
josh/wip/create-endpoint-no-public-key
Xe/log-target-registry-key
release-branch/1.6
bradfitz/ipv6_link_local_strip
bradfitz/darwin_gw
Xe/disallow-local-ip-for-exit-node
release-branch/1.4
crawshaw/upjson
bradfitz/proposed_1.4.6
bradfitz/derp_steer
crawshaw/tailscalestatus
Xe/reset-logid-on-logout-login
naman/netstack-incoming
mkramlich/macos-brew2
naman/netstack-outgoing-udp-test
mkramlich/macos-brew
bradfitz/proposed-1.4.5
peske/ifacewatcher
Xe/hello-vr
crawshaw/filchsync
Xe/derphttp-panic-fix
peske/elnotfound
Xe/rel-144-fix-ipv6-broken-in-tests
bradfitz/darwin_creds
josh/longblock
josh/udp-alloc-less
josh/simplify-filch
josh/remove-ipcgetfilter
Xe/envvar-name-TS
Xe/TS-envvar-name
Xe/do-windows-logserver-better
Xe/log-target-flag
crawshaw/ipuint
bradfitz/hello
bradfitz/linux_v6_off
bradfitz/call_me_maybe_eps
bradfitz/api_docs
alexbrainman/use_wg_dns_code
naman/netstack-use-tailscale-ip
josh/debug-TestLikelyHomeRouterIPSyscallExec
noerror-not-notimp
bradfitz/umaskless_permissions
naman/netstack-bump-version
bradfitz/lite_endpoint_update
c22wen/api-docs
bradfitz/grafana_auth_proxy
crawshaw/dnsguid
nix-shell
release-branch/1.2
bradfitz/acl_tags_in_tailscale_status
bradfitz/expiry_spin
josh/no-goroutine-per-udp-read-2
crawshaw/tailcfg
bradfitz/wgengine_monitor_windows_take2
netstat-unsafe
bradfitz/ipn_empty
bradfitz/win_firewall_async
bradfitz/machine_key
apenwarr/faketun
crawshaw/cloner
crawshaw/jsonhandler
c22wen/route-addr
c22wen/magicsock.go
bradfitz/gvisor_netstack
crawshaw/loadtest
dshynkev/dns-autoset
crawshaw/e2etest
bradfitz/win_wpad_pac
release-branch/1.0
bradfitz/linux_default_route_interface
bradfitz/release-branch-1.0
crawshaw/restartlimit
clone
dshynkev/dns-name
dshynkev/dns-refactor
bradfitz/go_vet
crawshaw/tswebextra
crawshaw/pinger2
lzjluzijie/all_proxy
rate-limiting
lzjluzijie/227_http_proxy
crawshaw/rebind
crawshaw/hostinfo
crawshaw/derp-nokeepalives
crawshaw/derptimeout
crawshaw/derpdial2
crawshaw/derpdial
crawshaw/ipn
crawshaw/e2e_test
crawshaw/ipn2
crawshaw/magicsock
crawshaw/magicsock-infping
crawshaw/spray
crawshaw/br1
v1.74.1
v1.74.0
v1.72.1
v1.72.0
v1.70.0
v1.68.2
v1.68.1
v1.68.0
v1.66.4
v1.66.3
v1.66.2
v1.66.1
v1.66.0
v1.64.2
v1.64.1
v1.64.0
v1.62.1
v1.62.0
v1.60.1
v1.60.0
v1.58.2
v1.58.1
v1.58.0
v1.44.3
v1.56.1
v1.56.0
v1.54.1
v1.54.0
v1.52.1
v1.52.0
v1.50.1
v1.50.0
v1.48.2
v1.48.1
v1.48.0
v1.46.1
v1.46.0
v1.44.2
v1.44.0
v1.42.1
v1.42.0
v1.40.1
v1.40.0
v1.38.4
v1.38.3
v1.38.2
v1.38.1
v1.38.0
v1.36.2
v1.36.1
v1.36.0
v1.34.2
v1.34.1
v1.34.0
v1.32.3
v1.32.2
v1.32.1
v1.32.0
v1.30.2
v1.30.1
v1.30.0
v1.28.0
v1.26.2
v1.26.1
v1.26.0
v1.24.2
v1.24.1
v1.24.0
v1.22.2
v1.22.1
v1.22.0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.18.2
v1.18.1
v1.18.0
v1.16.2
v1.16.1
v1.16.0
v1.14.6
v1.14.5
v1.14.4
v1.14.3
v1.14.0
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.12.0
v1.10.2
v1.10.1
v1.10.0
v1.8.8
v1.8.7
v1.8.6
v1.8.5
v1.8.4
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.6.0
v1.4.6
v1.4.5
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.2.10
v1.2.9
v1.2.8
v1.2.7
v1.2.6
v1.2.5
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.1.0
v1.0.0
v0.100.0
v0.99.1
v0.99.0
v0.98.1
v0.98
v0.98.0
v0.97
v0.96.1
v0.96
coral-gitops
gitops-1.30.0
gitops-1.58.2
nginx-auth-0.1.2
v0.100.0-107
v0.100.0-153
v1.61.0-pre
v1.63.0-pre
v1.65.0-pre
v1.67.0-pre
v1.69.0-pre
v1.71.0-pre
v1.73.0-pre
v1.75.0-pre
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b78df4d48a'
${ noResults }
Commit Graph

1932 Commits (b78df4d48ab81e211650d33fcbdaecb7b6f6b87d)

Author SHA1 Message Date
Jonathan Nobels 8a8ecac6a7
net/dns, cmd/tailscaled: plumb system health tracker into dns cleanup (#12969) 
fixes tailscale#12968

The dns manager cleanup func was getting passed a nil
health tracker, which will panic.  Fixed to pass it
the system health tracker.

Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
 2 months ago
Andrew Dunham 35a8fca379 cmd/tailscale/cli: release portmap after netcheck 
Updates #12954

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Ic14f037b48a79b1263b140c6699579b466d89310
 2 months ago
Irbe Krumina a21bf100f3
cmd/k8s-operator,k8s-operator/sessionrecording,sessionrecording,ssh/tailssh: refactor session recording functionality (#12945) 
cmd/k8s-operator,k8s-operator/sessionrecording,sessionrecording,ssh/tailssh: refactor session recording functionality

Refactor SSH session recording functionality (mostly the bits related to
Kubernetes API server proxy 'kubectl exec' session recording):

- move the session recording bits used by both Tailscale SSH
and the Kubernetes API server proxy into a shared sessionrecording package,
to avoid having the operator to import ssh/tailssh

- move the Kubernetes API server proxy session recording functionality
into a k8s-operator/sessionrecording package, add some abstractions
in preparation for adding support for a second streaming protocol (WebSockets)

Updates tailscale/corp#19821

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 2 months ago
Irbe Krumina c5623e0471
go.{mod,sum},tstest/tools,k8s-operator,cmd/k8s-operator: autogenerate CRD API docs (#12884) 
Re-instates the functionality that generates CRD API docs, but using
a different library as the one we were using earlier seemed to have
some issues with its Git history.
Also regenerates the docs (make kube-generate-all).

Updates tailscale/tailscale#12859

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 2 months ago
Andrea Gottardo 90be06bd5b
health: introduce captive-portal-detected Warnable (#12707) 
Updates tailscale/tailscale#1634

This PR introduces a new `captive-portal-detected` Warnable which is set to an unhealthy state whenever a captive portal is detected on the local network, preventing Tailscale from connecting.



ipn/ipnlocal: fix captive portal loop shutdown


Change-Id: I7cafdbce68463a16260091bcec1741501a070c95

net/captivedetection: fix mutex misuse

ipn/ipnlocal: ensure that we don't fail to start the timer


Change-Id: I3e43fb19264d793e8707c5031c0898e48e3e7465

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
 2 months ago
Nick Khyl 20562a4fb9 cmd/viewer, types/views, util/codegen: add viewer support for custom container types 
This adds support for container-like types such as Container[T] that
don't explicitly specify a view type for T. Instead, a package implementing
a container type should also implement and export a ContainerView[T, V] type
and a ContainerViewOf(*Container[T]) ContainerView[T, V] function, which
returns a view for the specified container, inferring the element view type V
from the element type T.

Updates #12736

Signed-off-by: Nick Khyl <nickk@tailscale.com>
 2 months ago
Andrew Lytvynov e7bf6e716b
cmd/tailscale: add --min-validity flag to the cert command (#12822) 
Some users run "tailscale cert" in a cron job to renew their
certificates on disk. The time until the next cron job run may be long
enough for the old cert to expire with our default heristics.

Add a `--min-validity` flag which ensures that the returned cert is
valid for at least the provided duration (unless it's longer than the
cert lifetime set by Let's Encrypt).

Updates #8725

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
 2 months ago
Lee Briggs 32ce18716b
Add extra environment variables in deployment template (#12858) 
Fixes #12857

Signed-off-by: Lee Briggs <lee@leebriggs.co.uk>
 2 months ago
Irbe Krumina 0f57b9340b
cmd/k8s-operator,tstest,go.{mod,sum}: remove fybrik.io/crdoc dependency (#12862) 
Remove fybrik.io/crdoc dependency as it is causing issues for folks attempting
to vendor tailscale using GOPROXY=direct.
This means that the CRD API docs in ./k8s-operator/api.md will no longer
be generated- I am going to look at replacing it with another tool
in a follow-up.

Updates tailscale/tailscale#12859

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 2 months ago
Irbe Krumina 2742153f84
cmd/k8s-operator: add a metric to track the amount of ProxyClass resources (#12833) 
Updates tailscale/tailscale#10709

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 2 months ago
Adrian Dewhurst 0834712c91 ipn: allow FQDN in exit node selection 
To match the format of exit node suggestions and ensure that the result
is not ambiguous, relax exit node CLI selection to permit using a FQDN
including the trailing dot.

Updates #12618

Change-Id: I04b9b36d2743154aa42f2789149b2733f8555d3f
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
 2 months ago
Nick Khyl fd0acc4faf cmd/cloner, cmd/viewer: add _test prefix for files generated with the test build tag 
Updates #12736

Signed-off-by: Nick Khyl <nickk@tailscale.com>
 2 months ago
Linus Brogan 9609b26541 cmd/tailscale: resolve taildrive share paths 
Fixes #12258.

Signed-off-by: Linus Brogan <git@linusbrogan.com>
 2 months ago
Nick Khyl fc28c8e7f3 cmd/cloner, cmd/viewer, util/codegen: add support for generic types and interfaces 
This adds support for generic types and interfaces to our cloner and viewer codegens.
It updates these packages to determine whether to make shallow or deep copies based
on the type parameter constraints. Additionally, if a template parameter or an interface
type has View() and Clone() methods, we'll use them for getters and the cloner of the
owning structure.

Updates #12736

Signed-off-by: Nick Khyl <nickk@tailscale.com>
 2 months ago
Brad Fitzpatrick c6af5bbfe8 all: add test for package comments, fix, add comments as needed 
Updates #cleanup

Change-Id: Ic4304e909d2131a95a38b26911f49e7b1729aaef
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2 months ago
Irbe Krumina 986d60a094
cmd/k8s-operator: add metrics for attempted/uploaded session recordings (#12765) 
Updates tailscale/corp#19821

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 2 months ago
Irbe Krumina 6a982faa7d
cmd/k8s-operator: send container name to session recorder (#12763) 
Updates tailscale/corp#19821

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 2 months ago
Nick Khyl 726d5d507d cmd/k8s-operator: update depaware.txt 
This fixes an issue caused by the merge order of 2b638f550d and 8bd442ba8c.

Updates #Cleanup

Signed-off-by: Nick Khyl <nickk@tailscale.com>
 2 months ago
Maisem Ali 2238ca8a05 go.mod: bump bart 
Updates #bart

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2 months ago
Nick Khyl 8bd442ba8c util/winutil/gp, net/dns: add package for Group Policy API 
This adds a package with GP-related functions and types to be used in the future PRs.
It also updates nrptRuleDatabase to use the new package instead of its own gpNotificationWatcher implementation.

Updates #12687

Signed-off-by: Nick Khyl <nickk@tailscale.com>
 2 months ago
Andrew Lytvynov b8af91403d
clientupdate: return true for CanAutoUpdate for macsys (#12746) 
While `clientupdate.Updater` won't be able to apply updates on macsys,
we use `clientupdate.CanAutoUpdate` to gate the EditPrefs endpoint in
localAPI. We should allow the GUI client to set AutoUpdate.Apply on
macsys for it to properly get reported to the control plane. This also
allows the tailnet-wide default for auto-updates to propagate to macsys
clients.

Updates https://github.com/tailscale/corp/issues/21339

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
 2 months ago
Nick Khyl e21d8768f9 types/opt: add generic Value[T any] for optional values of any types 
Updates #12736

Signed-off-by: Nick Khyl <nickk@tailscale.com>
 2 months ago
Irbe Krumina ba517ab388
cmd/k8s-operator,ssh/tailssh,tsnet: optionally record 'kubectl exec' sessions via Kubernetes operator's API server proxy (#12274) 
cmd/k8s-operator,ssh/tailssh,tsnet: optionally record kubectl exec sessions

The Kubernetes operator's API server proxy, when it receives a request
for 'kubectl exec' session now reads 'RecorderAddrs', 'EnforceRecorder'
fields from tailcfg.KubernetesCapRule.
If 'RecorderAddrs' is set to one or more addresses (of a tsrecorder instance(s)),
it attempts to connect to those and sends the session contents
to the recorder before forwarding the request to the kube API
server. If connection cannot be established or fails midway,
it is only allowed if 'EnforceRecorder' is not true (fail open).

Updates tailscale/corp#19821

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Co-authored-by: Maisem Ali <maisem@tailscale.com>
 2 months ago
Maisem Ali 2b638f550d cmd/k8s-operator: add depaware.txt 
Updates #12742

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2 months ago
Tom Proctor 01a7726cf7
cmd/containerboot,cmd/k8s-operator: enable IPv6 for fqdn egress proxies (#12577) 
cmd/containerboot,cmd/k8s-operator: enable IPv6 for fqdn egress proxies

Don't skip installing egress forwarding rules for IPv6 (as long as the host
supports IPv6), and set headless services `ipFamilyPolicy` to
`PreferDualStack` to optionally enable both IP families when possible. Note
that even with `PreferDualStack` set, testing a dual-stack GKE cluster with
the default DNS setup of kube-dns did not correctly set both A and
AAAA records for the headless service, and instead only did so when
switching the cluster DNS to Cloud DNS. For both IPv4 and IPv6 to work
simultaneously in a dual-stack cluster, we require headless services to
return both A and AAAA records.

If the host doesn't support IPv6 but the FQDN specified only has IPv6
addresses available, containerboot will exit with error code 1 and an
error message because there is no viable egress route.

Fixes #12215

Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
 3 months ago
Charlotte Brandhorst-Satzkorn 42f01afe26
cmd/tailscale/cli: exit node filter should display all exit node options (#12699) 
This change expands the `exit-node list -filter` command to display all
location based exit nodes for the filtered country. This allows users
to switch to alternative servers when our recommended exit node is not
working as intended.

This change also makes the country filter matching case insensitive,
e.g. both USA and usa will work.

Updates #12698

Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
 3 months ago
Jordan Whited ddf94a7b39
cmd/stunstamp: fix handling of invalid DERP map resp (#12679) 
Updates tailscale/corp#20344

Signed-off-by: Jordan Whited <jordan@tailscale.com>
 3 months ago
James Tucker b565a9faa7 cmd/xdpderper: add autodetection for default interface name 
This makes deployment easier in hetrogenous environments.

Updates ENG-4274

Signed-off-by: James Tucker <james@tailscale.com>
 3 months ago
Josh McKinney 18939df0a7 fix: broken tests for localhost 
Signed-off-by: Josh McKinney <joshka@users.noreply.github.com>
 3 months ago
Brad Fitzpatrick 210264f942 cmd/derper: clarify that derper and tailscaled need to be in sync 
Fixes #12617

Change-Id: Ifc87b7d9cf699635087afb57febd01fb9a6d11b7
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 months ago
Brad Fitzpatrick 6b801a8e9e cmd/derper: link to various derper docs in more places 
In hopes it'll be found more.

Updates tailscale/corp#20844

Change-Id: Ic92ee9908f45b88f8770de285f838333f9467465
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 months ago
James Tucker 46fda6bf4c cmd/derper: add some DERP diagnostics pointers 
A few other minor language updates.

Updates tailscale/corp#20844

Change-Id: Idba85941baa0e2714688cc8a4ec3e242e7d1a362
Signed-off-by: James Tucker <james@tailscale.com>
 3 months ago
Adrian Dewhurst a6b13e6972 cmd/tailscale/cli: correct command emitted by exit node suggestion 
The exit node suggestion CLI command was written with the assumption
that it's possible to provide a stableid on the command line, but this
is incorrect. Instead, it will now emit the name of the exit node.

Fixes #12618

Change-Id: Id7277f395b5fca090a99b0d13bfee7b215bc9802
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
 3 months ago
Jordan Whited 94415e8029
cmd/stunstamp: remove sqlite DB and API (#12604) 
stunstamp now sends data to Prometheus via remote write, and Prometheus
can serve the same data. Retaining and cleaning up old data in sqlite
leads to long probing pauses, and it's not worth investing more effort
to optimize the schema and/or concurrency model.

Updates tailscale/corp#20344

Signed-off-by: Jordan Whited <jordan@tailscale.com>
 3 months ago
Brad Fitzpatrick 3485e4bf5a derp: make RunConnectionLoop funcs take Messages, support PeerPresentFlags 
PeerPresentFlags was added in 5ffb2668ef but wasn't plumbed through to
the RunConnectionLoop. Rather than add yet another parameter (as
IP:port was added earlier), pass in the raw PeerPresentMessage and
PeerGoneMessage struct values, which are the same things, plus two
fields: PeerGoneReasonType for gone and the PeerPresentFlags from
5ffb2668ef.

Updates tailscale/corp#17816

Change-Id: Ib19d9f95353651ada90656071fc3656cf58b7987
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 months ago
Andrew Dunham 200d92121f types/lazy: add Peek method to SyncValue 
This adds the ability to "peek" at the value of a SyncValue, so that
it's possible to observe a value without computing this.

Updates tailscale/corp#17122

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Change-Id: I06f88c22a1f7ffcbc7ff82946335356bb0ef4622
 3 months ago
Aaron Klotz 7dd76c3411 net/netns: add Windows support for bind-to-interface-by-route 
This is implemented via GetBestInterfaceEx. Should we encounter errors
or fail to resolve a valid, non-Tailscale interface, we fall back to
returning the index for the default interface instead.

Fixes #12551

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
 3 months ago
Brad Fitzpatrick 91786ff958 cmd/derper: add debug endpoint to adjust mutex profiling rate 
Updates #3560

Change-Id: I474421ce75c79fb66e1c306ed47daebc5a0e069e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 months ago
Jordan Whited 0d6e71df70
cmd/stunstamp: add explicit metric to track timeout events (#12564) 
Timeouts could already be identified as NaN values on
stunstamp_derp_stun_rtt_ns, but we can't use NaN effectively with
promql to visualize them. So, this commit adds a timeouts metric that
we can use with rate/delta/etc promql functions.

Updates tailscale/corp#20689

Signed-off-by: Jordan Whited <jordan@tailscale.com>
 3 months ago
Kristoffer Dalby dcb0f189cc cmd/proxy-to-grafana: add flag for alternative control server 
Fixes #12571

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
 3 months ago
Andrew Dunham 24976b5bfd cmd/tailscale/cli: actually perform Noise request in 'debug ts2021' 
This actually performs a Noise request in the 'debug ts2021' command,
instead of just exiting once we've dialed a connection. This can help
debug certain forms of captive portals and deep packet inspection that
will allow a connection, but will RST the connection when trying to send
data on the post-upgraded TCP connection.

Updates #1634

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I1e46ca9c9a0751c55f16373a6a76cdc24fec1f18
 3 months ago
Andrew Dunham 732605f961 control/controlclient: move noiseConn to internal package 
So that it can be later used in the 'tailscale debug ts2021' function in
the CLI, to aid in debugging captive portals/WAFs/etc.

Updates #1634

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Iec9423f5e7570f2c2c8218d27fc0902137e73909
 3 months ago
Andrea Gottardo 8eb15d3d2d
cli/netcheck: fail with output if we time out fetching a derpmap (#12528) 
Updates tailscale/corp#20969

Right now, when netcheck starts, it asks tailscaled for a copy of the DERPMap. If it doesn't have one, it makes a HTTPS request to controlplane.tailscale.com to fetch one.

This will always fail if you're on a network with a captive portal actively blocking HTTPS traffic. The code appears to hang entirely because the http.Client doesn't have a Timeout set. It just sits there waiting until the request succeeds or fails.

This adds a timeout of 10 seconds, and logs more details about the status of the HTTPS request.

Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
 3 months ago
Jordan Whited a93173b56a
cmd/xdpderper,derp/xdp: implement mode that drops STUN packets (#12527) 
This is useful during maintenance as a method for shedding home client
load.

Updates tailscale/corp#20689

Signed-off-by: Jordan Whited <jordan@tailscale.com>
 3 months ago
Tom Proctor 3099323976
cmd/k8s-operator,k8s-operator,go.{mod,sum}: publish proxy status condition for annotated services (#12463) 
Adds a new TailscaleProxyReady condition type for use in corev1.Service
conditions.

Also switch our CRDs to use metav1.Condition instead of
ConnectorCondition. The Go structs are seralized identically, but it
updates some descriptions and validation rules. Update k8s
controller-tools and controller-runtime deps to fix the documentation
generation for metav1.Condition so that it excludes comments and
TODOs.

Stop expecting the fake client to populate TypeMeta in tests. See
kubernetes-sigs/controller-runtime#2633 for details of the change.

Finally, make some minor improvements to validation for service hostnames.

Fixes #12216

Co-authored-by: Irbe Krumina <irbe@tailscale.com>
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
 3 months ago
Andrew Dunham 45d2f4301f proxymap, various: distinguish between different protocols 
Previously, we were registering TCP and UDP connections in the same map,
which could result in erroneously removing a mapping if one of the two
connections completes while the other one is still active.

Add a "proto string" argument to these functions to avoid this.
Additionally, take the "proto" argument in LocalAPI, and plumb that
through from the CLI and add a new LocalClient method.

Updates tailscale/corp#20600

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I35d5efaefdfbf4721e315b8ca123f0c8af9125fb
 3 months ago
Irbe Krumina 8cc2738609
cmd/{containerboot,k8s-operator}: store proxy device ID early to help with cleanup for broken proxies (#12425) 
* cmd/containerboot: store device ID before setting up proxy routes.

For containerboot instances whose state needs to be stored
in a Kubernetes Secret, we additonally store the device's
ID, FQDN and IPs.
This is used, between other, by the Kubernetes operator,
who uses the ID to delete the device when resources need
cleaning up and writes the FQDN and IPs on various kube
resource statuses for visibility.

This change shifts storing device ID earlier in the proxy setup flow,
to ensure that if proxy routing setup fails,
the device can still be deleted.

Updates tailscale/tailscale#12146

Signed-off-by: Irbe Krumina <irbe@tailscale.com>

* code review feedback

Signed-off-by: Irbe Krumina <irbe@tailscale.com>

---------

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 3 months ago
Andrew Lytvynov 674c998e93
cmd/tailscale/cli: do not allow update --version on macOS (#12508) 
We do not support specific version updates or track switching on macOS.
Do not populate the flag to avoid confusion.

Updates #cleanup

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
 3 months ago
Brad Fitzpatrick 86e0f9b912 net/ipset, wgengine/filter/filtertype: add split-out packages 
This moves NewContainsIPFunc from tsaddr to new ipset package.

And wgengine/filter types gets split into wgengine/filter/filtertype,
so netmap (and thus the CLI, etc) doesn't need to bring in ipset,
bart, etc.

Then add a test making sure the CLI deps don't regress.

Updates #1278

Change-Id: Ia246d6d9502bbefbdeacc4aef1bed9c8b24f54d5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 months ago
Brad Fitzpatrick 64ac64fb66 net/tsaddr: use bart in NewContainsIPFunc, add tests, benchmarks 
NewContainsIPFunc was previously documented as performing poorly if
there were many netip.Prefixes to search over. As such, we never it used it
in such cases.

This updates it to use bart at a certain threshold (over 6 prefixes,
currently), at which point the bart lookup overhead pays off.

This is currently kinda useless because we're not using it. But now we
can and get wins elsewhere. And we can remove the caveat in the docs.

    goos: darwin
    goarch: arm64
    pkg: tailscale.com/net/tsaddr
                                     │    before    │                after                 │
                                     │    sec/op    │    sec/op     vs base                │
    NewContainsIPFunc/empty-8          2.215n ± 11%   2.239n ±  1%   +1.08% (p=0.022 n=10)
    NewContainsIPFunc/cidr-list-1-8    17.44n ±  0%   17.59n ±  6%   +0.89% (p=0.000 n=10)
    NewContainsIPFunc/cidr-list-2-8    27.85n ±  0%   28.13n ±  1%   +1.01% (p=0.000 n=10)
    NewContainsIPFunc/cidr-list-3-8    36.05n ±  0%   36.56n ± 13%   +1.41% (p=0.000 n=10)
    NewContainsIPFunc/cidr-list-4-8    43.73n ±  0%   44.38n ±  1%   +1.50% (p=0.000 n=10)
    NewContainsIPFunc/cidr-list-5-8    51.61n ±  2%   51.75n ±  0%        ~ (p=0.101 n=10)
    NewContainsIPFunc/cidr-list-10-8   95.65n ±  0%   68.92n ±  0%  -27.94% (p=0.000 n=10)
    NewContainsIPFunc/one-ip-8         4.466n ±  0%   4.469n ±  1%        ~ (p=0.491 n=10)
    NewContainsIPFunc/two-ip-8         8.002n ±  1%   7.997n ±  4%        ~ (p=0.697 n=10)
    NewContainsIPFunc/three-ip-8       27.98n ±  1%   27.75n ±  0%   -0.82% (p=0.012 n=10)
    geomean                            19.60n         19.07n         -2.71%

Updates #12486

Change-Id: I2e2320cc4384f875f41721374da536bab995c1ce
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 months ago
Maisem Ali 491483d599 cmd/viewer,type/views: add MapSlice for maps of slices 
This abstraction provides a nicer way to work with
maps of slices without having to write out three long type
params.

This also allows it to provide an AsMap implementation which
copies the map and the slices at least.

Updates tailscale/corp#20910

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 3 months ago
Nick Khyl c32efd9118 various: create a catch-all NRPT rule when "Override local DNS" is enabled on Windows 
Without this rule, Windows 8.1 and newer devices issue parallel DNS requests to DNS servers
associated with all network adapters, even when "Override local DNS" is enabled and/or
a Mullvad exit node is being used, resulting in DNS leaks.

This also adds "disable-local-dns-override-via-nrpt" nodeAttr that can be used to disable
the new behavior if needed.

Fixes tailscale/corp#20718

Signed-off-by: Nick Khyl <nickk@tailscale.com>
 3 months ago
Aaron Klotz bd2a6d5386 util/winutil: add UserProfile type for (un)loading user profiles 
S4U logons do not automatically load the associated user profile. In this
PR we add UserProfile to handle that part. Windows docs indicate that
we should try to resolve a remote profile path when present, so we attempt
to do so when the local computer is joined to a domain.

Updates #12383

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
 3 months ago
Jordan Whited 9189fe007b
cmd/stunc: support user-specified port (#12469) 
Updates tailscale/corp#20689

Signed-off-by: Jordan Whited <jordan@tailscale.com>
 3 months ago
Jordan Whited 65888d95c9
derp/xdp,cmd/xdpderper: initial skeleton (#12390) 
This commit introduces a userspace program for managing an experimental
eBPF XDP STUN server program. derp/xdp contains the eBPF pseudo-C along
with a Go pkg for loading it and exporting its metrics.
cmd/xdpderper is a package main user of derp/xdp.

Updates tailscale/corp#20689

Signed-off-by: Jordan Whited <jordan@tailscale.com>
 3 months ago
Brad Fitzpatrick ccdd2e6650 cmd/derper: add a README 
Updates tailscale/corp#20844

Change-Id: Ie3ca5dd7f582f4f298339dd3cd2039243c204ef8
Co-authored-by: James Tucker <james@tailscale.com>
Co-authored-by: Maisem Ali <maisem@tailscale.com>
Co-authored-by: Andrew Dunham <andrew@tailscale.com>
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 3 months ago
JunYanBJSS 4c01ce9f43 tsnet: fix error formatting bug 
Fixes #12411

Signed-off-by: JunYanBJSS <johnnycocoyan@hotmail.com>
 3 months ago
Aaron Klotz 3511d1f8a2 cmd/tailscaled, net/dns, wgengine/router: start Windows child processes with DETACHED_PROCESS when I/O is being piped 
When we're starting child processes on Windows that are CLI programs that
don't need to output to a console, we should pass in DETACHED_PROCESS as a
CreationFlag on SysProcAttr. This prevents the OS from even creating a console
for the child (and paying the associated time/space penalty for new conhost
processes). This is more efficient than letting the OS create the console
window and then subsequently trying to hide it, which we were doing at a few
callsites.

Fixes #12270

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
 3 months ago
Irbe Krumina bc53ebd4a0
ipn/{ipnlocal,localapi},net/netkernelconf,client/tailscale,cmd/containerboot: optionally enable UDP GRO forwarding for containers (#12410) 
Add a new TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS env var
that can be set for tailscale/tailscale container running as
a subnet router or exit node to enable UDP GRO forwarding
for improved performance.
See https://tailscale.com/kb/1320/performance-best-practices#linux-optimizations-for-subnet-routers-and-exit-nodes
This is currently considered an experimental approach;
the configuration support is partially to allow further experimentation
with containerized environments to evaluate the performance
improvements.

Updates tailscale/tailscale#12295

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 3 months ago
Irbe Krumina 6f2bae019f
cmd/k8s-nameserver: fix AAAA record query response (#12412) 
Return empty response and NOERROR for AAAA record queries
for DNS names for which we have an A record.
This is to allow for callers that might be first sending an AAAA query and then,
if that does not return a response, follow with an A record query.
Previously we were returning NOTIMPL that caused some callers
to potentially not follow with an A record query or misbehave in different ways.

Also return NXDOMAIN for AAAA record queries for names
that we DO NOT have an A record for to ensure that the callers
do not follow up with an A record query.

Returning an empty response and NOERROR is the behaviour
that RFC 4074 recommends:
https://datatracker.ietf.org/doc/html/rfc4074

Updates tailscale/tailscale#12321

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 3 months ago
Aaron Klotz df86576989 util/winutil: add AllocateContiguousBuffer and SetNTString helper funcs 
AllocateContiguousBuffer is for allocating structs with trailing buffers
containing additional data. It is to be used for various Windows structures
containing pointers to data located immediately after the struct.

SetNTString performs in-place setting of windows.NTString and
windows.NTUnicodeString.

Updates #12383

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
 3 months ago
Irbe Krumina c3e2b7347b
tailcfg,cmd/k8s-operator,kube: move Kubernetes cap to a location that can be shared with control (#12236) 
This PR is in prep of adding logic to control to be able to parse
tailscale.com/cap/kubernetes grants in control:
- moves the type definition of PeerCapabilityKubernetes cap to a location
shared with control.
- update the Kubernetes cap rule definition with fields for granting
kubectl exec session recording capabilities.
- adds a convenience function to produce tailcfg.RawMessage from an
arbitrary cap rule and a test for it.

An example grant defined via ACLs:
"grants": [{
      "src": ["tag:eng"],
      "dst": ["tag:k8s-operator"],
      "app": {
        "tailscale.com/cap/kubernetes": [{
            "recorder": ["tag:my-recorder"]
	    “enforceRecorder”: true
        }],
      },
    }
]
This grant enforces `kubectl exec` sessions from tailnet clients,
matching `tag:eng` via API server proxy matching `tag:k8s-operator`
to be recorded and recording to be sent to a tsrecorder instance,
matching `tag:my-recorder`.

The type needs to be shared with control because we want
control to parse this cap and resolve tags to peer IPs.

Updates tailscale/corp#19821

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 3 months ago
Irbe Krumina 807934f00c
cmd/k8s-operator,k8s-operator: allow proxies accept advertized routes. (#12388) 
Add a new .spec.tailscale.acceptRoutes field to ProxyClass,
that can be optionally set to true for the proxies to
accept routes advertized by other nodes on tailnet (equivalent of
setting --accept-routes to true).

Updates tailscale/tailscale#12322,tailscale/tailscale#10684

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 4 months ago
Irbe Krumina 53d9cac196
k8s-operator/apis/v1alpha1,cmd/k8s-operator/deploy/examples: update DNSConfig description (#11971) 
Also removes hardcoded image repo/tag from example DNSConfig resource
as the operator now knows how to default those.

Updates tailscale/tailscale#11019

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 4 months ago
Tom Proctor 23e26e589f
cmd/k8s-operator,k8s-opeerator: include Connector's MagicDNS name and tailnet IPs in status (#12359) 
Add new fields TailnetIPs and Hostname to Connector Status. These
contain the addresses of the Tailscale node that the operator created
for the Connector to aid debugging.

Fixes #12214

Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
 4 months ago
Irbe Krumina 3a6d3f1a5b
cmd/k8s-operator,k8s-operator,go.{mod,sum}: make individual proxy images/image pull policies configurable (#11928) 
cmd/k8s-operator,k8s-operator,go.{mod,sum}: make individual proxy images/image pull policies configurable

Allow to configure images and image pull policies for individual proxies
via ProxyClass.Spec.StatefulSet.Pod.{TailscaleContainer,TailscaleInitContainer}.Image,
and ProxyClass.Spec.StatefulSet.Pod.{TailscaleContainer,TailscaleInitContainer}.ImagePullPolicy
fields.
Document that we have images in ghcr.io on the relevant Helm chart fields.

Updates tailscale/tailscale#11675

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 4 months ago
Andrew Dunham e88a5dbc92 various: fix lint warnings 
Some lint warnings caught by running 'make lint' locally.

Updates #cleanup

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I1534ed6f2f5e1eb029658906f9d62607dad98ca3
 4 months ago
Brad Fitzpatrick 8a11a43c28 cmd/derpprobe: support 'local' derpmap to get derp map via LocalAPI 
To make it easier for people to monitor their custom DERP fleet.

Updates tailscale/corp#20654

Change-Id: Id8af22936a6d893cc7b6186d298ab794a2672524
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 4 months ago
Jordan Whited 6e106712f6
cmd/stunstamp: support probing multiple ports (#12356) 
Updates tailscale/corp#20344

Signed-off-by: Jordan Whited <jordan@tailscale.com>
 4 months ago
Maisem Ali 36e8e8cd64 wgengine/magicsock: use math/rands/v2 
Updates #11058

Co-authored-by: James Tucker <james@tailscale.com>
Signed-off-by: Maisem Ali <maisem@tailscale.com>
 4 months ago
Fran Bull 573c8bd8c7 cmd/natc: add --wg-port flag 
Updates tailscale/corp#20503

Signed-off-by: Fran Bull <fran@tailscale.com>
 4 months ago
Maisem Ali 4a8cb1d9f3 all: use math/rand/v2 more 
Updates #11058

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 4 months ago
Fran Bull d2d459d442 cmd/natc: add --ignore-destinations flag 
Updates tailscale/corp#20503

Signed-off-by: Fran Bull <fran@tailscale.com>
 4 months ago
Jordan Whited cf1e6c6e55
cmd/stunstamp: fix remote write retry (#12348) 
Evaluation of remote write errors was using errors.Is() where it should
have been using errors.As().

Updates tailscale/corp#20344

Signed-off-by: Jordan Whited <jordan@tailscale.com>
 4 months ago
Irbe Krumina 82576190a7
tailcfg,cmd/k8s-operator: moves tailscale.com/cap/kubernetes peer cap to tailcfg (#12235) 
This is done in preparation for adding kubectl
session recording rules to this capability grant that will need to
be unmarshalled by control, so will also need to be
in a shared location.

Updates tailscale/corp#19821

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 4 months ago
signed-long 1dc3136a24
cmd/k8s-operator: Support image 'repo' or 'repository' keys in helm values file (#12285) 
cmd/k8s-operator/deploy/chart: Support image 'repo' or 'repository' keys in helm values

Fixes #12100

Signed-off-by: Michael Long <michaelongdev@gmail.com>
 4 months ago
Jordan Whited ba0dd493c8
cmd/stunstamp: validate STUN tx ID in responses (#12339) 
Extremely late arriving responses may leak across probing intervals.

Updates tailscale/corp#20344

Signed-off-by: Jordan Whited <jordan@tailscale.com>
 4 months ago
Maisem Ali 2f2f588c80 cmd/natc: use ListenPacket 
Now that tsnet supports it, use it.

Updates tailscale/corp#20503

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 4 months ago
Maisem Ali 0b1a8586eb cmd/natc: initial implementation of a NAT based connector 
This adds a new prototype `cmd/natc` which can be used
to expose a services/domains to the tailnet.

It requires the user to specify a set of IPv4 prefixes
from the CGNAT range. It advertises these as normal subnet
routes. It listens for DNS on the first IP of the first range
provided to it.

When it gets a DNS query it allocates an IP for that domain
from the v4 range. Subsequent connections to the assigned IP
are then tcp proxied to the domain.

It is marked as a WIP prototype and requires the use of the
`TAILSCALE_USE_WIP_CODE` env var.

Updates tailscale/corp#20503

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 4 months ago
Jordan Whited d21c00205d
cmd/stunstamp: implement service to measure DERP STUN RTT (#12241) 
stunstamp timestamping includes userspace and SO_TIMESTAMPING kernel
timestamping where available. Measurements are written locally to a
sqlite DB, exposed over an HTTP API, and written to prometheus
via remote-write protocol.

Updates tailscale/corp#20344

Signed-off-by: Jordan Whited <jordan@tailscale.com>
 4 months ago
Maisem Ali 42cfbf427c tsnet,wgengine/netstack: add ListenPacket and tests 
This adds a new ListenPacket function on tsnet.Server
which acts mostly like `net.ListenPacket`.

Unlike `Server.Listen`, this requires listening on a
specific IP and does not automatically listen on both
V4 and V6 addresses of the Server when the IP is unspecified.

To test this, it also adds UDP support to tsdial.Dialer.UserDial
and plumbs it through the localapi. Then an associated test
to make sure the UDP functionality works from both sides.

Updates #12182

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 4 months ago
Irbe Krumina c2a4719e9e
cmd/tailscale/cli: allow 'tailscale up' to succeed if --stateful-filtering is not explicitly set on linux (#12312) 
This fixes an issue where, on containerized environments an upgrade
1.66.3 -> 1.66.4 failed with default containerboot configuration.
This was because containerboot by default runs 'tailscale up'
that requires all previously set flags to be explicitly provided
on subsequent runs and we explicitly set --stateful-filtering
to true on 1.66.3, removed that settingon 1.66.4.

Updates tailscale/tailscale#12307

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Co-authored-by: Andrew Lytvynov <awly@tailscale.com>
 4 months ago
ChandonPierre 0a5bd63d32
ipn/store/kubestore, cmd/containerboot: allow overriding client api server URL via ENV (#12115) 
Updates tailscale/tailscale#11397

Signed-off-by: Chandon Pierre <cpierre@coreweave.com>
 4 months ago
Anton Tolchanov 32120932a5 cmd/tailscale/cli: print node signature in `tailscale lock status` 
- Add current node signature to `ipnstate.NetworkLockStatus`;
- Print current node signature in a human-friendly format as part
  of `tailscale lock status`.

Examples:

```
$ tailscale lock status
Tailnet lock is ENABLED.

This node is accessible under tailnet lock. Node signature:
SigKind: direct
Pubkey: [OTB3a]
KeyID: tlpub:44a0e23cd53a4b8acc02f6732813d8f5ba8b35d02d48bf94c9f1724ebe31c943
WrappingPubkey: tlpub:44a0e23cd53a4b8acc02f6732813d8f5ba8b35d02d48bf94c9f1724ebe31c943

This node's tailnet-lock key: tlpub:44a0e23cd53a4b8acc02f6732813d8f5ba8b35d02d48bf94c9f1724ebe31c943

Trusted signing keys:
	tlpub:44a0e23cd53a4b8acc02f6732813d8f5ba8b35d02d48bf94c9f1724ebe31c943	1	(self)
	tlpub:6fa21d242a202b290de85926ba3893a6861888679a73bc3a43f49539d67c9764	1	(pre-auth key kq3NzejWoS11KTM59)
```

For a node created via a signed auth key:

```
This node is accessible under tailnet lock. Node signature:
SigKind: rotation
Pubkey: [e3nAO]
Nested:
  SigKind: credential
  KeyID: tlpub:6fa21d242a202b290de85926ba3893a6861888679a73bc3a43f49539d67c9764
  WrappingPubkey: tlpub:3623b0412cab0029cb1918806435709b5947ae03554050f20caf66629f21220a
```

For a node that rotated its key a few times:

```
This node is accessible under tailnet lock. Node signature:
SigKind: rotation
Pubkey: [DOzL4]
Nested:
  SigKind: rotation
  Pubkey: [S/9yU]
  Nested:
    SigKind: rotation
    Pubkey: [9E9v4]
    Nested:
      SigKind: direct
      Pubkey: [3QHTJ]
      KeyID: tlpub:44a0e23cd53a4b8acc02f6732813d8f5ba8b35d02d48bf94c9f1724ebe31c943
      WrappingPubkey: tlpub:2faa280025d3aba0884615f710d8c50590b052c01a004c2b4c2c9434702ae9d0
```

Updates tailscale/corp#19764

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
 4 months ago
Brad Fitzpatrick 1ea100e2e5 cmd/tailscaled, ipn/conffile: support ec2 user-data config file 
Updates #1412
Updates #1866

Change-Id: I4d08fb233b80c2078b3b28ffc18559baabb4a081
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 4 months ago
signed-long 5ad0dad15e
go generate directives reorder for 'make kube-generate-all' (#12210) 
Fixes #11980

Signed-off-by: Michael Long <michaelongdev@gmail.com>
 4 months ago
Irbe Krumina d0d33f257f
cmd/k8s-operator: add a note pointing at ProxyClass (#12246) 
Updates tailscale/tailscale#12242

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 4 months ago
Maisem Ali 9a64c06a20 all: do not depend on the testing package 
Discovered while looking for something else.

Updates tailscale/corp#18935

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 4 months ago
Brad Fitzpatrick 3c9be07214 cmd/derper: support TXT-mediated unpublished bootstrap DNS rollouts 
Updates tailscale/coral#127

Change-Id: I2712c50630d0d1272c30305fa5a1899a19ffacef
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 4 months ago
Irbe Krumina 72f0f53ed0
cmd/k8s-operator: fix typo (#12217) 
Fixes#cleanup

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 4 months ago
James Tucker 9351eec3e1 net/netcheck: remove hairpin probes 
Palo Alto reported interpreting hairpin probes as LAND attacks, and the
firewalls may be responding to this by shutting down otherwise in use NAT sessions
prematurely. We don't currently make use of the outcome of the hairpin
probes, and they contribute to other user confusion with e.g. the
AirPort Extreme hairpin session workaround. We decided in response to
remove the whole probe feature as a result.

Updates #188
Updates tailscale/corp#19106
Updates tailscale/corp#19116

Signed-off-by: James Tucker <james@tailscale.com>
 4 months ago
Andrew Lytvynov c9179bc261
various: disable stateful filtering by default (#12197) 
After some analysis, stateful filtering is only necessary in tailnets
that use `autogroup:danger-all` in `src` in ACLs. And in those cases
users explicitly specify that hosts outside of the tailnet should be
able to reach their nodes. To fix local DNS breakage in containers, we
disable stateful filtering by default.

Updates #12108

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
 4 months ago
Brad Fitzpatrick 964282d34f ipn,wgengine: remove vestigial Prefs.AllowSingleHosts 
It was requested by the first customer 4-5 years ago and only used
for a brief moment of time. We later added netmap visibility trimming
which removes the need for this.

It's been hidden by the CLI for quite some time and never documented
anywhere else.

This keeps the CLI flag, though, out of caution. It just returns an
error if it's set to anything but true (its default).

Fixes #12058

Change-Id: I7514ba572e7b82519b04ed603ff9f3bdbaecfda7
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 4 months ago
Jordan Whited adb7a86559
cmd/stunc: support ipv6 address targets (#12166) 
Updates #cleanup

Signed-off-by: Jordan Whited <jordan@tailscale.com>
 4 months ago
James Tucker 8d1249550a net/netcheck,wgengine/magicsock: add potential workaround for Palo Alto DIPP misbehavior 
Palo Alto firewalls have a typically hard NAT, but also have a mode
called Persistent DIPP that is supposed to provide consistent port
mapping suitable for STUN resolution of public ports. Persistent DIPP
works initially on most Palo Alto firewalls, but some models/software
versions have a bug which this works around.

The bug symptom presents as follows:

- STUN sessions resolve a consistent public IP:port to start with
- Much later netchecks report the same IP:Port for a subset of
  sessions, most often the users active DERP, and/or the port related
  to sustained traffic.
- The broader set of DERPs in a full netcheck will now consistently
  observe a new IP:Port.
- After this point of observation, new inbound connections will only
  succeed to the new IP:Port observed, and existing/old sessions will
  only work to the old binding.

In this patch we now advertise the lowest latency global endpoint
discovered as we always have, but in addition any global endpoints that
are observed more than once in a single netcheck report. This should
provide viable endpoints for potential connection establishment across
a NAT with this behavior.

Updates tailscale/corp#19106

Signed-off-by: James Tucker <james@tailscale.com>
 4 months ago
Andrea Gottardo e5f67f90a2
xcode: allow ICMP ping relay on macOS + iOS platforms (#12048) 
Fixes tailscale/tailscale#10393
Fixes tailscale/corp#15412
Fixes tailscale/corp#19808

On Apple platforms, exit nodes and subnet routers have been unable to relay pings from Tailscale devices to non-Tailscale devices due to sandbox restrictions imposed on our network extensions by Apple. The sandbox prevented the code in netstack.go from spawning the `ping` process which we were using.

Replace that exec call with logic to send an ICMP echo request directly, which appears to work in userspace, and not trigger a sandbox violation in the syslog.

Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
 4 months ago
Irbe Krumina 76c30e014d
cmd/containerboot: warn when an ingress proxy with an IPv4 tailnet address is being created for an IPv6 backend(s) (#12159) 
Updates tailscale/tailscale#12156

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
 4 months ago
Maisem Ali 486a423716 tsnet: split user facing and backend logging 
This adds a new `UserLogf` field to the `Server` struct.
When set this any logs generated by Server are logged using
`UserLogf` and all spammy backend logs are logged to `Logf`.

If it `UserLogf` is unset, we default to `log.Printf` and
if `Logf` is unset we discard all the spammy logs.

Fixes #12094

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 4 months ago
Irbe Krumina d86d1e7601
cmd/k8s-operator,cmd/containerboot,ipn,k8s-operator: turn off stateful filter for egress proxies. (#12075) 
Turn off stateful filtering for egress proxies to allow cluster
traffic to be forwarded to tailnet.

Allow configuring stateful filter via tailscaled config file.

Deprecate EXPERIMENTAL_TS_CONFIGFILE_PATH env var and introduce a new
TS_EXPERIMENTAL_VERSIONED_CONFIG env var that can be used to provide
containerboot a directory that should contain one or more
tailscaled config files named cap-<tailscaled-cap-version>.hujson.
Containerboot will pick the one with the newest capability version
that is not newer than its current capability version.

Proxies with this change will not work with older Tailscale
Kubernetes operator versions - users must ensure that
the deployed operator is at the same version or newer (up to
4 version skew) than the proxies.

Updates tailscale/tailscale#12061

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Co-authored-by: Maisem Ali <maisem@tailscale.com>
 4 months ago
Maisem Ali 21abb7f402 cmd/tailscale: add missing set flags for linux 
We were missing `snat-subnet-routes`, `stateful-filtering`
and `netfilter-mode`. Add those to set too.

Fixes #12061

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 4 months ago