Commit Graph

565 Commits (b78df4d48ab81e211650d33fcbdaecb7b6f6b87d)

Author SHA1 Message Date
Avery Pennarun 65fbb9c303 wgengine/filter: support subnet mask rules, not just /32 IPs.
This depends on improved support from the control server, to send the
new subnet width (Bits) fields. If these are missing, we fall back to
assuming their value is /32.

Conversely, if the server sends Bits fields to an older client, it will
interpret them as /32 addresses. Since the only rules we allow are
"accept" rules, this will be narrower or equal to the intended rule, so
older clients will simply reject hosts on the wider subnet (fail
closed).

With this change, the internal filter.Matches format has diverged
from the wire format used by controlclient, so move the wire format
into tailcfg and convert it to filter.Matches in controlclient.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
David Anderson 0038223632 tstest: rename from testy.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Crawshaw d2b7cb1e45 ipn, controlclient: add control.New parameter
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
David Anderson 66c7875974 control/controlclient: wait for c1 to receive a netmap.
This strictly sequences things such that c1 is fully registered in
the control server before c2 creates its poll. Failure to do this
can cause an inversion where c2's poll finishes establishing
before c1's poll starts, which results in c2 getting disconnected
rather than c1, and the test times out waiting for c1 to get kicked.

Fixes #98.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson cbb1e2e853 control/controlclient: document test TestClientsReusingKeys.
The test is straightforward, but it's a little perplexing if you're
not overly familiar with controlclient.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Brad Fitzpatrick a464439658 control/controlclient: fix build break caused by overzealous gitting 5 years ago
Brad Fitzpatrick 172d72a060 Revert "net/tlsdial: add memory-optimized TLS cert verification path for iOS"
This reverts commit 6fcbd4c4d4.

Decided to put it in tailscale/go's crypto/x509 instead.
5 years ago
Brad Fitzpatrick 95a658e1e3 control/controlclient: also rename HTTPC in the tests 5 years ago
Brad Fitzpatrick eb6de2bd88 control/controlclient: restore Options.HTTPC as Options.HTTPTestClient
I removed the HTTPC field in b6fa5a69be but it was apparently still
used in [oss-skipped] tests.

Restore it, but name it so it's more obvious that it's only for
tests. (It currently is, and I'd like to keep it like that for now.)
5 years ago
Brad Fitzpatrick 6fcbd4c4d4 net/tlsdial: add memory-optimized TLS cert verification path for iOS
Behind a build tag for now.
5 years ago
Brad Fitzpatrick b6fa5a69be net/tlsdial: add package for TLS dials, and make DERP & controlclient use it
This will do the iOS-optimized cert checking in a following change.
5 years ago
Brad Fitzpatrick 0a50ecbad3 control/controlclient: add missing vlog, for consistency with other sites 5 years ago
Brad Fitzpatrick b8594dc937 control/controlclient: fix deadlock in timeout+keepalive race
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick 347a926ac4 control/controlclient: add opt-in netmap verbose debugging env var 5 years ago
Brad Fitzpatrick 45f2b53aca all: remove unnecessary trailing newlines in format patterns for consistency
And document on logger.Logf that it's unnecessary.
5 years ago
David Crawshaw 6b2e29867e controlclient: add auth key test
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
David Crawshaw 3f087466f5 controlclient: add auth key
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
David Crawshaw 2f8719741e controlclient: do not send duplicate hostinfo/netinfo
This should never happen, so log when it does so we can fix it.

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
Brad Fitzpatrick 4524dcf51e version: move runtime.OS to tailscale OS mapping func to version
So other code can use this without duplicating the policy.
5 years ago
David Crawshaw 0590ad68be controlclient, ipn: adjust tests for authURL semantic changes
The tests cheat at filling out web forms by directly POSTing to
the target. The target for authURLs has changed slightly, the base
authURL now redirects the user to the login page.

Additionally, the authURL cycle now checks the cookie is set
correctly, so we add cookie jars where necessary to pass the
cookie through.
5 years ago
Brad Fitzpatrick 8b3f6be008 control/controlclient: flip IPv6 to be on by default
The DEBUG_INCLUDE_IPV6 environment variable is now an opt-out.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Avery Pennarun a56e853b72 cmd/relaynode: delete it!
tailscale+tailscaled now completely obsoletes relaynode, so let's let
it finally go away.
5 years ago
David Anderson 73fccd8b06 control/controlclient: remove old compat PacketFilter initialization.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
Brad Fitzpatrick 64aff0db7b control/controlclient: add TODO to delete the UAPI method 5 years ago
Brad Fitzpatrick af277a6762 controlclient, magicsock: add debug knob to request IPv6 endpoints
Add opt-in method to request IPv6 endpoints from the control plane.
For now they should just be skipped. A previous version of this CL was
unconditional and reportedly had problems that I can't reproduce. So
make it a knob until the mystery is solved.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Crawshaw 13eed1e88b controlclient: remove common log on very quiet nodes
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
David Anderson 0be475ba46 Revert "tailcfg, controlclient, magicsock: request IPv6 endpoints, but ignore them"
Breaks something deep in wireguard or magicsock's brainstem, no packets at all
can flow. All received packets fail decryption with "invalid mac1".

This reverts commit 94024355ed.

Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
Brad Fitzpatrick 94024355ed tailcfg, controlclient, magicsock: request IPv6 endpoints, but ignore them
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick 073bb8de80 control/controlclient: don't use Node as value type 5 years ago
David Crawshaw 73cae4eb11 tailcfg, controlclient: standardize on wgcfg ShortString key printing
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
David Crawshaw 5a0822eefd controlclient, ipn: fix tests for new control param 5 years ago
Brad Fitzpatrick e085aec8ef all: update to wireguard-go API changes
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Crawshaw 1b2be3f1c8 controlclient: test peer keepalive directive
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
David Crawshaw 8712164a0a controlclient: use per-peer KeepAlive signal
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
Brad Fitzpatrick 19cc4f8b8e control/controlclient: remove a number literal in string slice offset 5 years ago
Avery Pennarun 8b8e3f08a0 Fix staticcheck complaint. 5 years ago
Avery Pennarun b4897e7de8 controlclient/netmap: write our own b.ConciseDiffFrom(a) function.
This removes the need for go-cmp, which is extremely bloaty so we had
to leave it out of iOS. As a result, we had also left it out of macOS,
and so we didn't print netmap diffs at all on darwin-based platforms.
Oops.

As a bonus, the output format of the new function is way better.

Minor oddity: because I used the dumbest possible diff algorithm, the
sort order is a bit dumb. We print all "removed" lines and then print
all "added" lines, rather than doing the usual diff-like thing of
interspersing them. This probably doesn't matter (maybe it's an
improvement).
5 years ago
Avery Pennarun 96bb05ce2f controlclient: reformat netmap.Concise() and add DERP server info.
The .Concise() view had grown hard to read over time. Originally, we
assumed a peer almost always had just one endpoint and one-or-more
allowedips. With magicsock, we now almost always have multiple
endpoints per peer. And empirically, almost every peer has only one
allowedip.

Change their order so we can line up allowedips vertically. Also do
some tweaking to make multiple endpoints easier to read.

While we're here, add a column to show the home DERP server of each
peer, if any.
5 years ago
Avery Pennarun f2e2ffa423 controlclient: log the entire netmap up to every 5 minutes.
We log it once upon receiving the first copy of the map, then
subsequently when a new one appears, but only if we haven't logged one
less than 5 minutes ago.

This avoids overly cluttering the log (as we did before, logging the
netmap every time one appeared, which could be hundreds of lines every
few seconds), but still gives the log enough context to help in
diagnosing problems retroactively.
5 years ago
David Crawshaw d99498bee2 controlclient: set default TimeNow function
Panic on call to nil func found by expanded ipn/e2e_test.

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
Brad Fitzpatrick b27d4c017a magicsock, wgengine, ipn, controlclient: plumb regular netchecks to map poll
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Crawshaw 61529ac459 controlclient, tailcfg: deliver DERP addresses in a separate field
We still include them directly in the controlclient network map
just where we have been. Client plumbing we can do later.

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
Brad Fitzpatrick 7172f3dbf4 version: add IsMobile func
And use it control/controlclient.
5 years ago
David Crawshaw d417be6a4b controlclinet: clone filter.MatchAllowAll
This avoids a non-obvious data race, where the JSON decoder ends
up creating do-nothing writes into global variables.

	==================
	WARNING: DATA RACE
	Write at 0x0000011e1860 by goroutine 201:
	  tailscale.com/wgengine/packet.(*IP).UnmarshalJSON()
	      /home/crawshaw/repo/corp/oss/wgengine/packet/packet.go:83 +0x2d9
	  encoding/json.(*decodeState).literalStore()
	      /home/crawshaw/go/go/src/encoding/json/decode.go:877 +0x445e
	...
	  encoding/json.Unmarshal()
	      /home/crawshaw/go/go/src/encoding/json/decode.go:107 +0x1de
	  tailscale.com/control/controlclient.(*Direct).decodeMsg()
	      /home/crawshaw/repo/corp/oss/control/controlclient/direct.go:615 +0x1ab
	  tailscale.com/control/controlclient.(*Direct).PollNetMap()
	      /home/crawshaw/repo/corp/oss/control/controlclient/direct.go:525 +0x1053
	  tailscale.com/control/controlclient.(*Client).mapRoutine()
	      /home/crawshaw/repo/corp/oss/control/controlclient/auto.go:428 +0x3a6
	Previous read at 0x0000011e1860 by goroutine 86:
	  tailscale.com/wgengine/filter.matchIPWithoutPorts()
	      /home/crawshaw/repo/corp/oss/wgengine/filter/match.go:108 +0x91
	  tailscale.com/wgengine/filter.(*Filter).runIn()
	      /home/crawshaw/repo/corp/oss/wgengine/filter/filter.go:147 +0x3c6
	  tailscale.com/wgengine/filter.(*Filter).RunIn()
	      /home/crawshaw/repo/corp/oss/wgengine/filter/filter.go:127 +0xb0
	  tailscale.com/wgengine.(*userspaceEngine).SetFilter.func1()
	      /home/crawshaw/repo/corp/oss/wgengine/userspace.go:390 +0xfc
	  github.com/tailscale/wireguard-go/device.(*Device).RoutineDecryption()
	      /home/crawshaw/repo/corp/wireguard-go/device/receive.go:295 +0xa1f

For #112

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
David Crawshaw 4e3ff4b63b controlclient: allow prefixed endpoints in tests 5 years ago
Brad Fitzpatrick 25797c8c2a all: rename deep "Copy" methods to conventional Go name "Clone" 5 years ago
David Crawshaw 6879581891 controlclient: adjust user expiry test
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
Brad Fitzpatrick 758744a4e3 Fix some Hostinfo value usages from the previous commit. 5 years ago
Brad Fitzpatrick d8de11a01b control: make Hostinfo accessed by pointer
Fix potential races in copying aliased slices by value.

Also few little doc updates.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick cc7b9b0dff control/controlclient: fix priority of DERP server, add comment 5 years ago
Brad Fitzpatrick c02f4b5a1f control/controlclient: add temporary mechanism to force derp on
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Avery Pennarun 57bbafde84 cmd/relaynode: drop local --acl-file in favour of central packet filter.
relaynode itself is not long for this world, deprecated in favour of
tailscale/tailscaled. But now that the control server supports central
distribution of packet filters, let's actually take advantage of it in
a final, backward compatible release of relaynode.
5 years ago
David Anderson 59ba2e6316 ipn: implement Prefs.Equals efficiently.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
Brad Fitzpatrick 2896be60db Move "logger" package to under types, now that we have it.
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick 747c7d7ce2 types/empty: add Message, stop using mysterious *struct{}
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick 587c3fcac4 control/controlclient, wgengine/magicsock: misc cleanups
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Crawshaw 2b947b3b40 controlclient: handle nil Logf option 5 years ago
Shawn Smith 1ca83fd205 fix typos
Signed-off-by: Shawn Smith <shawnpsmith@gmail.com>
5 years ago
David Crawshaw 33dfb8999e controlclient, ipn: update tests for key pointer change
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
David Anderson 1cd278aa0b control/policy: make error strings staticcheck-compliant.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 542f46ed4d controlclient: remove unused function.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 2227ede8af controlclient: fix staticcheck lint.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson fe9af19da9 controlclient: remove unnecessary comparison to bool.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Crawshaw 87334fb332 wgengine, controlclient: fewer pointers in wgcfg key types
Signed-off-by: David Crawshaw <david@zentus.com>
5 years ago
Earl Lee a8d8b8719a Move Linux client & common packages into a public repo. 5 years ago