tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	3367136d9e	wgengine/netstack: remove old unused handleSSH hook It's leftover from an earlier Tailscale SSH wiring and I forgot to delete it apparently. Change-Id: I14f071f450e272b98d90080a71ce68ba459168d1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Joe Tsai	2327c6b05f	wgengine/netlog: preserve Tailscale addresses for exit traffic (#6165 ) Exit node traffic is aggregated to protect the privacy of those using an exit node. However, it is reasonable to at least log which nodes are making most use of an exit node. For a node using an exit node, the source will be the taiscale IP address of itself, while the destination will be zeroed out. For a node that serves as an exit node, the source will be zeroed out, while the destination will be tailscale IP address of the node that initiated the exit traffic. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	7d6775b082	wgengine: respect --no-logs-no-support flag for network logging (#6172 ) In the future this will cause a node to be unable to join the tailnet if network logging is enabled. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Maisem Ali	42f7ef631e	wgengine/netstack: use 72h as the KeepAlive Idle time for Tailscale SSH Setting TCP KeepAlives for Tailscale SSH connections results in them unnecessarily disconnecting. However, we can't turn them off completely as that would mean we start leaking sessions waiting for a peer to come back which may have gone away forever (e.g. if the node was deleted from the tailnet during a session). Updates #5021 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Joe Tsai	cfef47ddcc	wgengine: perform router reconfig for netlog-only changes (#6118 ) If the network logging configruation changes (and nothing else) we will tear down the network logger and start it back up. However, doing so will lose the router configuration state. Manually reconfigure it with the routing state. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	48ddb3af2a	wgengine/netlog: enforce hard limit on network log message sizes (#6109 ) This is a temporary hack to prevent logtail getting stuck uploading the same excessive message over and over. A better solution will be discussed and implemented. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	a3602c28bd	wgengine/netlog: embed the StableNodeID of the authoring node (#6105 ) This allows network messages to be annotated with which node it came from. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	81fd259133	wgengine/magicsock: gather physical-layer statistics (#5925 ) There is utility in logging traffic statistics that occurs at the physical layer. That is, in order to send packets virtually to a particular tailscale IP address, what physical endpoints did we need to communicate with? This functionality logs IP addresses identical to what had always been logged in magicsock prior to #5823, so there is no increase in PII being logged. ExtractStatistics returns a mapping of connections to counts. The source is always a Tailscale IP address (without port), while the destination is some endpoint reachable on WAN or LAN. As a special case, traffic routed through DERP will use 127.3.3.40 as the destination address with the port being the DERP region. This entire feature is only enabled if data-plane audit logging is enabled on the tailnet (by default it is disabled). Example of type of information logged: ------------------------------------ Tx[P/s] Tx[B/s] Rx[P/s] Rx[B/s] PhysicalTraffic: 25.80 3.39Ki 38.80 5.57Ki 100.1.2.3 -> 143.11.22.33:41641 15.40 2.00Ki 23.20 3.37Ki 100.4.5.6 -> 192.168.0.100:41641 10.20 1.38Ki 15.60 2.20Ki 100.7.8.9 -> 127.3.3.40:2 0.20 6.40 0.00 0.00 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	c21a3c4733	types/netlogtype: new package for network logging types (#6092 ) The netlog.Message type is useful to depend on from other packages, but doing so would transitively cause gvisor and other large packages to be linked in. Avoid this problem by moving all network logging types to a single package. We also update staticcheck to take in: `003d277bcf` Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Aaron Klotz	a44687e71f	wgengine/winnet: invoke some COM methods directly instead of through IDispatch. Intermittently in the wild we are seeing failures when calling `INetworkConnection::GetNetwork`. It is unclear what the root cause is, but what is clear is that the error is happening inside the object's `IDispatch` invoker (as opposed to the method implementation itself). This patch replaces our wrapper for `INetworkConnection::GetNetwork` with an alternate implementation that directly invokes the method, instead of using `IDispatch`. I also replaced the implementations of `INetwork::SetCategory` and `INetwork::GetCategory` while I was there. This patch is speculative and tightly-scoped so that we could possibly add it to a dot-release if necessary. Updates https://github.com/tailscale/tailscale/issues/4134 Updates https://github.com/tailscale/tailscale/issues/6037 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Jordan Whited	a471681e28	wgengine/netstack: enable TCP SACK (#6066 ) TCP selective acknowledgement can improve throughput by an order of magnitude in the presence of loss. Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 years ago
Andrew Dunham	74693793be	net/netcheck, tailcfg: track whether OS supports IPv6 We had previously added this to the netcheck report in #5087 but never copied it into the NetInfo struct. Additionally, add it to log lines so it's visible to support. Change-Id: Ib6266f7c6aeb2eb2a28922aeafd950fe1bf5627e Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Maisem Ali	74637f2c15	wgengine/router: [linux] add before deleting interface addrs Deleting may temporarily result in no addrs on the interface, which results in all other rules (like routes) to get dropped by the OS. I verified this fixes the problem. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
phirework	d13c9cdfb4	wgengine/magicsock: set up pathfinder (#5994 ) Sets up new file for separate silent disco goroutine, tentatively named pathfinder for now. Updates #540 Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Jenny Zhang <jz@tailscale.com>	2 years ago
Brad Fitzpatrick	deac82231c	wgengine/magicsock: add start of alternate send path During development of silent disco (#540), an alternate send policy for magicsock that doesn't wake up the radio frequently with heartbeats, we want the old & new policies to coexist, like we did previously pre- and post-disco. We started to do that earlier in `5c42990c2f` but only set up the env+control knob plumbing to set a bool about which path should be used. This starts to add a way for the silent disco code to update the send path from a separate goroutine. (Part of the effort is going to de-state-machinify the event based soup that is the current disco code and make it more Go synchronous style.) So far this does nothing. (It does add an atomic load on each send but that should be noise in the grand scheme of things, and a even more rare atomic store of nil on node config changes.) Baby steps. Updates #540 Co-authored-by: Jenny Zhang <jz@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Joe Tsai	14100c0985	wgengine/magicsock: restore allocation-free endpoint.DstToString (#5971 ) The wireguard-go code unfortunately calls this unconditionally even when verbose logging is disabled. Partial revert of #5911. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	9ee3df02ee	wgengine/magicsock: remove endpoint.wgEndpoint (#5911 ) This field seems seldom used and the documentation is wrong. It is simpler to just derive its original value dynamically when endpoint.DstToString is called. This method is potentially used by wireguard-go, but not in any code path is performance sensitive. All calls to it use it in conjunction with fmt.Printf, which is going to be slow anyways since it uses Go reflection. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Maisem Ali	3555a49518	net/dns: always attempt to read the OS config on macOS/iOS Also reconfigure DNS on iOS/macOS on link changes. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
James Tucker	539c073cf0	wgengine/magicsock: set UDP socket buffer sizes to 7MB - At high data rates more buffer space is required in order to avoid packet loss during any cause of delay. - On slower machines more buffer space is required in order to avoid packet loss while decryption & tun writing is underway. - On higher latency network paths more buffer space is required in order to overcome BDP. - On Linux set with SO_*BUFFORCE to bypass net.core.{r,w}mem_max. - 7MB is the current default maximum on macOS 12.6 - Windows test is omitted, as Windows does not support getsockopt for these options. Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	4ec6d41682	wgengine/router: fix MTU configuration on Windows Always set the MTU to the Tailscale default MTU. In practice we are missing applying an MTU for IPv6 on Windows prior to this patch. This is the simplest patch to fix the problem, the code in here needs some more refactoring. Fixes #5914 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Joe Tsai	a1a43ed266	wgengine/netlog: add support for magicsock statistics (#5913 ) This sets up Logger to handle statistics at the magicsock layer, where we can correlate traffic between a particular tailscale IP address and any number of physical endpoints used to contact the node that hosts that tailscale address. We also export Message and TupleCounts to better document the JSON format that is being sent to the logging infrastructure. This commit does NOT yet enable the actual logging of magicsock statistics. That will be a future commit. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	f9120eee57	wgengine: start network logger in Userspace.Reconfig (#5908 ) If the wgcfg.Config is specified with network logging arguments, then Userspace.Reconfig starts up an asynchronous network logger, which is shutdown either upon Userspace.Close or when Userspace.Reconfig is called again without network logging or route arguments. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	49bae7fd5c	wgengine: fix typo in Engine.PeerForIP (#5912 ) Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	1b4e4cc1e8	wgengine/netlog: new package for traffic flow logging (#5864 ) The Logger type managers a logtail.Logger for extracting statistics from a tstun.Wrapper. So long as Shutdown is called, it ensures that logtail and statistic gathering resources are properly cleared up. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Emmanuel T Odeke	680f8d9793	all: fix more resource leaks found by staticmajor Updates #5706 Signed-off-by: Emmanuel T Odeke <emmanuel@orijtech.com>	2 years ago
Joe Tsai	82f5f438e0	wgengine/wgcfg: plumb down audit log IDs (#5855 ) The node and domain audit log IDs are provided in the map response, but are ultimately going to be used in wgengine since that's the layer that manages the tstun.Wrapper. Do the plumbing work to get this field passed down the stack. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Brad Fitzpatrick	1841d0bf98	wgengine/magicsock: make debug-level stuff not logged by default And add a CLI/localapi and c2n mechanism to enable it for a fixed amount of time. Updates #1548 Change-Id: I71674aaf959a9c6761ff33bbf4a417ffd42195a7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	e5636997c5	wgengine: don't re-allocate trimmedNodes map (#5825 ) Change-Id: I512945b662ba952c47309d3bf8a1b243e05a4736 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Mihai Parparita	8343b243e7	all: consistently initialize Logf when creating tsdial.Dialers Most visible when using tsnet.Server, but could have resulted in dropped messages in a few other places too. Fixes #5743 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Josh Soref	d4811f11a0	all: fix spelling mistakes Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2 years ago
Andrew Dunham	420d841292	wgengine: log subnet router decision at v1 if we have a BIRD client (#5786 ) Updates tailscale/coral#82 Change-Id: I398d75f7e178ff7c531ca09899c82cf974fc30c9 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Tom DNetto	ab591906c8	wgengine/router: Increase range of rule priorities when detecting mwan3 Context: https://github.com/tailscale/tailscale/pull/5588#issuecomment-1260655929 It seems that if the interface at index 1 is down, the rule is not installed. As such, we increase the range we detect up to 2004 in the hope that at least one of the interfaces 1-4 will be up. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Emmanuel T Odeke	f981b1d9da	all: fix resource leaks with missing .Close() calls Fixes #5706 Signed-off-by: Emmanuel T Odeke <emmanuel@orijtech.com>	2 years ago
Kyle Carberry	91794f6498	wgengine/magicsock: move firstDerp check after nil derpMap check This fixes a race condition which caused `c.muCond.Broadcast()` to never fire in the `firstDerp` if block. It resulted in `Close()` hanging forever. Signed-off-by: Kyle Carberry <kyle@carberry.com>	2 years ago
Andrew Dunham	0607832397	wgengine/netstack: always respond to 4via6 echo requests (#5712 ) As the comment in the code says, netstack should always respond to ICMP echo requests to a 4via6 address, even if the netstack instance isn't normally processing subnet traffic. Follow-up to #5709 Change-Id: I504d0776c5824071b2a2e0e687bc33e24f6c4746 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Andrew Dunham	b9b0bf65a0	wgengine/netstack: handle 4via6 packets when pinging (#5709 ) Change-Id: Ib6ebbaa11219fb91b550ed7fc6ede61f83262e89 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Brad Fitzpatrick	832031d54b	wgengine/magicsock: fix recently introduced data race From `5c42990c2f`, not yet released in a stable build. Caught by existing tests. Fixes #5685 Change-Id: Ia76bb328809d9644e8b96910767facf627830600 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
phirework	5c42990c2f	wgengine/magicsock: add client flag and envknob to disable heartbeat (#5638 ) Baby steps towards turning off heartbeat pings entirely as per #540. This doesn't change any current magicsock functionality and requires additional changes to send/disco paths before the flag can be turned on. Updates #540 Change-Id: Idc9a72748e74145b068d67e6dd4a4ffe3932efd0 Signed-off-by: Jenny Zhang <jz@tailscale.com> Signed-off-by: Jenny Zhang <jz@tailscale.com>	2 years ago
Eng Zer Jun	f0347e841f	refactor: move from io/ioutil to io and os packages The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Reference: https://golang.org/doc/go1.16#ioutil Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>	2 years ago
Brad Fitzpatrick	74674b110d	envknob: support changing envknobs post-init Updates #5114 Change-Id: Ia423fc7486e1b3f3180a26308278be0086fae49b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	33ee2c058e	wgengine: update comments, remove redundant code in forceFullWireguardConfig Change-Id: I464a0bce36e3a362c7d7ace0e8d2dd77fa825ee2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Tom DNetto	f6da2220d3	wgengine: set fwmark masks in netfilter & ip rules This change masks the bitspace used when setting and querying the fwmark on packets. This allows tailscaled to play nicer with other networking software on the host, assuming the other networking software is also using fwmarks & a different mask. IPTables / mark module has always supported masks, so this is safe on the netfilter front. However, busybox only gained support for parsing + setting masks in 1.33.0, so we make sure we arent such a version before we add the "/<mask>" syntax to an ip rule command. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
David Anderson	7c49db02a2	wgengine/magicsock: don't use BPF receive when SO_MARK doesn't work. Fixes #5607 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Tom DNetto	ed2b8b3e1d	wgengine/router: reduce routing rule priority for openWRT + mwan3 Fixes #3659 Signed-off-by: Tom DNetto <tom@tailscale.com> Co-authored-by: Ian Foster <ian@vorsk.com>	2 years ago
Colin Adler	9c8bbc7888	wgengine/magicsock: fix panic in http debug server Fixes an panic in `(*magicsock.Conn).ServeHTTPDebug` when the `recentPongs` ring buffer for an endpoint wraps around. Signed-off-by: Colin Adler <colin1adler@gmail.com>	2 years ago
Andrew Dunham	9240f5c1e2	wgengine/netstack: only accept connection after dialing (#5503 ) If we accept a forwarded TCP connection before dialing, we can erroneously signal to a client that we support IPv6 (or IPv4) without that actually being possible. Instead, we only complete the client's TCP handshake after we've dialed the outbound connection; if that fails, we respond with a RST. Updates #5425 (maybe fixes!) Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
James Tucker	672c2c8de8	wgengine/magicsock: add filter to ignore disco to old/other ports Incoming disco packets are now dropped unless they match one of the current bound ports, or have a zero port. The BPF filter passes all packets with a disco header to the raw packet sockets regardless of destination port (in order to avoid needing to reconfigure BPF on rebind). If a BPF enabled node has just rebound, due to restart or rebind, it may receive and reply to disco ping packets destined for ports other than those which are presently bound. If the pong is accepted, the pinging node will now assume that it can send WireGuard traffic to the pinged port - such traffic will not reach the node as it is not destined for a bound port. The zero port is ignored, if received. This is a speculative defense and would indicate a problem in the receive path, or the BPF filter. This condition is allowed to pass as it may enable traffic to flow, however it will also enable problems with the same symptoms this patch otherwise fixes. Fixes #5536 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	be140add75	wgengine/magicsock: fix regression in initial bind for js `1f959edeb0` introduced a regression for JS where the initial bind no longer occurred at all for JS. The condition is moved deeper in the call tree to avoid proliferation of higher level conditions. Updates #5537 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	1f959edeb0	wgengine/magicksock: remove nullability of RebindingUDPConns Both RebindingUDPConns now always exist. the initial bind (which now just calls rebind) now ensures that bind is called for both, such that they both at least contain a blockForeverConn. Calling code no longer needs to assert their state. Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Brad Fitzpatrick	56f6fe204b	go.mod, wgengine/wgint: bump wireguard-go For `b51010ba13` Change-Id: Ibf767dfad98aef7e9f0505d91c0d26f924e046d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago

1 2 3 4 5 ...

1205 Commits (bb2cba0cd1b011efad64a57b63dcc55a41fbcbdf)