tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	21460a5b14	tailcfg, wgengine/filter: remove most FilterRule.SrcBits code The control plane hasn't sent it to clients in ages. Updates tailscale/corp#20965 Change-Id: I1d71a4b6dd3f75010a05c544ee39827837c30772 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	9e0a5cc551	net/flowtrack: optimize Tuple type for use as map key This gets UDP filter overhead closer to TCP. Still ~2x, but no longer ~3x. goos: darwin goarch: arm64 pkg: tailscale.com/wgengine/filter │ before │ after │ │ sec/op │ sec/op vs base │ FilterMatch/tcp-not-syn-v4-8 15.43n ± 3% 15.38n ± 5% ~ (p=0.339 n=10) FilterMatch/udp-existing-flow-v4-8 42.45n ± 0% 34.77n ± 1% -18.08% (p=0.000 n=10) geomean 25.59n 23.12n -9.65% Updates #12486 Change-Id: I595cfadcc6b7234604bed9c4dd4261e087c0d4c4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	bd93c3067e	wgengine/filter/filtertype: make Match.IPProto a view I noticed we were allocating these every time when they could just share the same memory. Rather than document ownership, just lock it down with a view. I was considering doing all of the fields but decided to just do this one first as test to see how infectious it became. Conclusion: not very. Updates #cleanup (while working towards tailscale/corp#20514) Change-Id: I8ce08519de0c9a53f20292adfbecd970fe362de0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	20a5f939ba	wgengine/filter: add UDP flow benchmark To show the effects of the flow LRU accounting on e.g. QUIC traffic. For an open TCP connection: BenchmarkFilterMatch/tcp-not-syn-v4-8 66602070 16.74 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 67718179 16.60 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 68403351 16.84 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 66076416 16.87 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 67159012 16.67 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 65009526 16.58 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 66588055 16.62 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 63037071 16.58 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 69124975 21.15 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 54482922 20.41 ns/op And an open UDP connection: BenchmarkFilterMatch/udp-existing-flow-v4-8 25570020 44.09 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 26725958 46.99 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 25936412 47.11 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 25418325 45.99 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 25759848 44.73 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 25212488 46.26 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 25344370 44.55 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 26399372 45.26 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 26274159 47.51 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 26070472 46.79 ns/op Updates #12486 Change-Id: Ica4263fb77972cf43db5a2e9433b4429506edfde Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	86e0f9b912	net/ipset, wgengine/filter/filtertype: add split-out packages This moves NewContainsIPFunc from tsaddr to new ipset package. And wgengine/filter types gets split into wgengine/filter/filtertype, so netmap (and thus the CLI, etc) doesn't need to bring in ipset, bart, etc. Then add a test making sure the CLI deps don't regress. Updates #1278 Change-Id: Ia246d6d9502bbefbdeacc4aef1bed9c8b24f54d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	36b1b4af2f	wgengine/filter: split local+logging lookups by IPv4-vs-IPv6 If we already know it's an incoming IPv4 packet, no need to match against the set of IPv6s and vice versa. goos: darwin goarch: arm64 pkg: tailscale.com/wgengine/filter │ before │ after │ │ sec/op │ sec/op vs base │ FilterMatch/not-local-v4-8 21.40n ± 3% 16.04n ± 1% -25.09% (p=0.000 n=10) FilterMatch/not-local-v6-8 20.75n ± 9% 15.71n ± 0% -24.31% (p=0.000 n=10) FilterMatch/no-match-v4-8 81.37n ± 1% 78.57n ± 3% -3.43% (p=0.005 n=10) FilterMatch/no-match-v6-8 77.73n ± 2% 73.71n ± 3% -5.18% (p=0.002 n=10) FilterMatch/tcp-not-syn-v4-8 21.41n ± 3% 16.86n ± 0% -21.25% (p=0.000 n=10) FilterMatch/tcp-not-syn-v4-no-logs-8 10.04n ± 0% 10.05n ± 0% ~ (p=0.446 n=10) geomean 29.07n 25.05n -13.84% Updates #12486 Change-Id: I70e5024af03893327d26629a994ab2aa9811f4f3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	d4220a76da	wgengine/filter: add TCP non-SYN benchmarks To show performance during heavy flows on established connections. BenchmarkFilterMatch/tcp-not-syn-v4-8 52125848 21.46 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 52388781 21.43 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 52916954 21.32 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 52590730 21.43 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 53015923 21.32 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-no-logs-8 122795029 9.783 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-no-logs-8 100000000 10.09 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-no-logs-8 120090948 9.747 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-no-logs-8 122350448 10.55 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-no-logs-8 122943025 9.813 ns/op Updates #12486 Change-Id: I8e7c9380bf969ad646851d53f8a4c287717694ea Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	10e8a2a05c	wgengine/filter: fix copy/pasteo in new benchmark's v6 CIDR I noticed the not-local-v6 numbers were nowhere near the v4 numbers (they should be identical) and then saw this. It meant the Addr().Next() wasn't picking an IP that was no longer local, as assumed. Updates #12486 Change-Id: I18dfb641f00c74c6252666bc41bd2248df15fadd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	7574f586aa	wgengine/filter: add more benchmarks, make names more explicit Updates #12486 Change-Id: If2e6d9c70212644eb4a0bc8ec6768512894a646a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	21ed31e33a	wgengine/filter: use NewContainsIPFunc for Srcs matches NewContainsIPFunc returns a contains matcher optimized for its input. Use that instead of what this did before, always doing a test over each of a list of netip.Prefixes. goos: darwin goarch: arm64 pkg: tailscale.com/wgengine/filter │ before │ after │ │ sec/op │ sec/op vs base │ FilterMatch/file1-8 32.60n ± 1% 18.87n ± 1% -42.12% (p=0.000 n=10) Updates #12486 Change-Id: I8f902bc064effb431e5b46751115942104ff6531 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	e2c0d69c9c	wgengine/filter: add filter benchmark Baseline, on 2020 M1 Macbook Pro, on power: goos: darwin goarch: arm64 pkg: tailscale.com/wgengine/filter BenchmarkFilterMatch/file1-8 34089133 32.79 ns/op BenchmarkFilterMatch/file1-8 35423917 32.59 ns/op BenchmarkFilterMatch/file1-8 35208598 32.80 ns/op BenchmarkFilterMatch/file1-8 35180470 33.39 ns/op BenchmarkFilterMatch/file1-8 36671608 32.82 ns/op BenchmarkFilterMatch/file1-8 35435991 33.13 ns/op BenchmarkFilterMatch/file1-8 34689181 33.29 ns/op BenchmarkFilterMatch/file1-8 34786053 32.94 ns/op BenchmarkFilterMatch/file1-8 35366235 32.56 ns/op BenchmarkFilterMatch/file1-8 35342799 32.47 ns/op Updates #12486 Change-Id: I8f902bc064effb431e5b46751115942104ff6531 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	7c1d6e35a5	all: use Go 1.22 range-over-int Updates #11058 Change-Id: I35e7ef9b90e83cac04ca93fd964ad00ed5b48430 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Maisem Ali	a61caea911	tailcfg: define a type for NodeCapability Instead of untyped string, add a type to identify these. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Brad Fitzpatrick	bc0eb6b914	all: import x/exp/maps as xmaps to distinguish from Go 1.21 "maps" Updates #8419 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	e8551d6b40	all: use Go 1.21 slices, maps instead of x/exp/{slices,maps} Updates #8419 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Maisem Ali	1ecc16da5f	tailcfg,ipn/ipnlocal,wgengine: add values to PeerCapabilities Define PeerCapabilty and PeerCapMap as the new way of sending down inter-peer capability information. Previously, this was unstructured and you could only send down strings which got too limiting for certain usecases. Instead add the ability to send down raw JSON messages that are opaque to Tailscale but provide the applications to define them however they wish. Also update accessors to use the new values. Updates #4217 Signed-off-by: Maisem Ali <maisem@tailscale.com>	12 months ago
Maisem Ali	1a30b2d73f	all: use tstest.Replace more Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Will Norris	71029cea2d	all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Josh Soref	d4811f11a0	all: fix spelling mistakes Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2 years ago
Brad Fitzpatrick	a12aad6b47	all: convert more code to use net/netip directly perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.) perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. ) goimports -w . Then delete some stuff from the net/netaddr shim package which is no longer neeed. Updates #5162 Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	6a396731eb	all: use various net/netip parse funcs directly Mechanical change with perl+goimports. Changed {Must,}Parse{IP,IPPrefix,IPPort} to their netip variants, then goimports -d . Finally, removed the net/netaddr wrappers, to prevent future use. Updates #5162 Change-Id: I59c0e38b5fbca5a935d701645789cddf3d7863ad Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7eaf5e509f	net/netaddr: start migrating to net/netip via new netaddr adapter package Updates #5162 Change-Id: Id7bdec303b25471f69d542f8ce43805328d56c12 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Tom	9343967317	wgengine/filter: preallocate some hot slices in MatchesFromFilterRules (#4672 ) Profiling identified this as a fairly hot path for growing a slice. Given this is only used in control & when a new packet filter is received, this shouldnt be hot in the client.	2 years ago
Brad Fitzpatrick	16f3520089	all: add arbitrary capability support Updates #4217 RELNOTE=start of WhoIsResponse capability support Change-Id: I6522998a911fe49e2f003077dad6164c017eed9b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	f2041c9088	all: use strings.Cut even more Change-Id: I943ce72c6f339589235bddbe10d07799c4e37979 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Josh Bleecher Snyder	0868329936	all: use any instead of interface{} My favorite part of generics. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2 years ago
Brad Fitzpatrick	69de3bf7bf	wgengine/filter: let unknown IPProto match if IP okay & match allows all ports RELNOTE=yes Change-Id: I96eaf3cf550cee7bb6cdb4ad81fc761e280a1b2a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	ff9727c9ff	wgengine/filter: fix, test NewAllowAllForTest I probably broke it when SCTP support was added but nothing apparently ever used NewAllowAllForTest so it wasn't noticed when it broke. Change-Id: Ib5a405be233d53cb7fcc61d493ae7aa2d1d590a2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Josh Bleecher Snyder	94fb42d4b2	all: use testingutil.MinAllocsPerRun There are a few remaining uses of testing.AllocsPerRun: Two in which we only log the number of allocations, and one in which dynamically calculate the allocations target based on a different AllocsPerRun run. This also allows us to tighten the "no allocs" test in wgengine/filter. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	9da4181606	tstime/rate: new package This is a simplified rate limiter geared for exactly our needs: A fast, mono.Time-based rate limiter for use in tstun. It was generated by stripping down the x/time/rate rate limiter to just our needs and switching it to use mono.Time. It removes one time.Now call per packet. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	a321c24667	go.mod: update netaddr Involves minor IPSetBuilder.Set API change. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Josh Bleecher Snyder	25df067dd0	all: adapt to opaque netaddr types This commit is a mishmash of automated edits using gofmt: gofmt -r 'netaddr.IPPort{IP: a, Port: b} -> netaddr.IPPortFrom(a, b)' -w . gofmt -r 'netaddr.IPPrefix{IP: a, Port: b} -> netaddr.IPPrefixFrom(a, b)' -w . gofmt -r 'a.IP.Is4 -> a.IP().Is4' -w . gofmt -r 'a.IP.As16 -> a.IP().As16' -w . gofmt -r 'a.IP.Is6 -> a.IP().Is6' -w . gofmt -r 'a.IP.As4 -> a.IP().As4' -w . gofmt -r 'a.IP.String -> a.IP().String' -w . And regexps: \w(.)\.Port = (.) -> $1 = $1.WithPort($2) \w(.)\.IP = (.) -> $1 = $1.WithIP($2) And lots of manual fixups. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	1eb95c7e32	net/packet, wgengine{,/filter}: remove net/packet IPProto forwarding consts Only use the ones in types/ipproto now. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	01b90df2fa	net/packet, wgengine/filter: support SCTP Add proto to flowtrack.Tuple. Add types/ipproto leaf package to break a cycle. Server-side ACL work remains. Updates #1516 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	90a6fb7ffe	tailcfg: add FilterRule.IPProto Updates #1516 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
David Anderson	d79a2f3809	wgengine/filter: only log packets to/from non-default routes. Fixes tailscale/corp#1429. Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
David Anderson	b83c273737	wgengine/filter: use IPSet for localNets instead of prefixes. Part of #1177, preparing for doing fancier set operations on the allowed local nets. Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
Brad Fitzpatrick	5eeaea9ef9	net/packet: add TCPFlag type and some more constants Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
David Anderson	cb96b14bf4	net/packet: remove the custom IP4/IP6 types in favor of netaddr.IP. Upstream netaddr has a change that makes it alloc-free, so it's safe to use in hot codepaths. This gets rid of one of the many IP types in our codebase. Performance is currently worse across the board. This is likely due in part to netaddr.IP being a larger value type (4b -> 24b for IPv4, 16b -> 24b for IPv6), and in other part due to missing low-hanging fruit optimizations in netaddr. However, the regression is less bad than it looks at first glance, because we'd micro-optimized packet.IP* in the past few weeks. This change drops us back to roughly where we were at the 1.2 release, but with the benefit of a significant code and architectural simplification. name old time/op new time/op delta pkg:tailscale.com/net/packet goos:linux goarch:amd64 Decode/tcp4-8 12.2ns ± 5% 29.7ns ± 2% +142.32% (p=0.008 n=5+5) Decode/tcp6-8 12.6ns ± 3% 65.1ns ± 2% +418.47% (p=0.008 n=5+5) Decode/udp4-8 11.8ns ± 3% 30.5ns ± 2% +157.94% (p=0.008 n=5+5) Decode/udp6-8 27.1ns ± 1% 65.7ns ± 2% +142.36% (p=0.016 n=4+5) Decode/icmp4-8 24.6ns ± 2% 30.5ns ± 2% +23.65% (p=0.016 n=4+5) Decode/icmp6-8 22.9ns ±51% 65.5ns ± 2% +186.19% (p=0.008 n=5+5) Decode/igmp-8 18.1ns ±44% 30.2ns ± 1% +66.89% (p=0.008 n=5+5) Decode/unknown-8 20.8ns ± 1% 10.6ns ± 9% -49.11% (p=0.016 n=4+5) pkg:tailscale.com/wgengine/filter goos:linux goarch:amd64 Filter/icmp4-8 30.5ns ± 1% 77.9ns ± 3% +155.01% (p=0.008 n=5+5) Filter/tcp4_syn_in-8 43.7ns ± 3% 123.0ns ± 3% +181.72% (p=0.008 n=5+5) Filter/tcp4_syn_out-8 24.5ns ± 2% 45.7ns ± 6% +86.22% (p=0.008 n=5+5) Filter/udp4_in-8 64.8ns ± 1% 210.0ns ± 2% +223.87% (p=0.008 n=5+5) Filter/udp4_out-8 119ns ± 0% 278ns ± 0% +133.78% (p=0.016 n=4+5) Filter/icmp6-8 40.3ns ± 2% 204.4ns ± 4% +407.70% (p=0.008 n=5+5) Filter/tcp6_syn_in-8 35.3ns ± 3% 199.2ns ± 2% +464.95% (p=0.008 n=5+5) Filter/tcp6_syn_out-8 32.8ns ± 2% 81.0ns ± 2% +147.10% (p=0.008 n=5+5) Filter/udp6_in-8 106ns ± 2% 290ns ± 2% +174.48% (p=0.008 n=5+5) Filter/udp6_out-8 184ns ± 2% 314ns ± 3% +70.43% (p=0.016 n=4+5) pkg:tailscale.com/wgengine/tstun goos:linux goarch:amd64 Write-8 9.02ns ± 3% 8.92ns ± 1% ~ (p=0.421 n=5+5) name old alloc/op new alloc/op delta pkg:tailscale.com/net/packet goos:linux goarch:amd64 Decode/tcp4-8 0.00B 0.00B ~ (all equal) Decode/tcp6-8 0.00B 0.00B ~ (all equal) Decode/udp4-8 0.00B 0.00B ~ (all equal) Decode/udp6-8 0.00B 0.00B ~ (all equal) Decode/icmp4-8 0.00B 0.00B ~ (all equal) Decode/icmp6-8 0.00B 0.00B ~ (all equal) Decode/igmp-8 0.00B 0.00B ~ (all equal) Decode/unknown-8 0.00B 0.00B ~ (all equal) pkg:tailscale.com/wgengine/filter goos:linux goarch:amd64 Filter/icmp4-8 0.00B 0.00B ~ (all equal) Filter/tcp4_syn_in-8 0.00B 0.00B ~ (all equal) Filter/tcp4_syn_out-8 0.00B 0.00B ~ (all equal) Filter/udp4_in-8 0.00B 0.00B ~ (all equal) Filter/udp4_out-8 16.0B ± 0% 64.0B ± 0% +300.00% (p=0.008 n=5+5) Filter/icmp6-8 0.00B 0.00B ~ (all equal) Filter/tcp6_syn_in-8 0.00B 0.00B ~ (all equal) Filter/tcp6_syn_out-8 0.00B 0.00B ~ (all equal) Filter/udp6_in-8 0.00B 0.00B ~ (all equal) Filter/udp6_out-8 48.0B ± 0% 64.0B ± 0% +33.33% (p=0.008 n=5+5) name old allocs/op new allocs/op delta pkg:tailscale.com/net/packet goos:linux goarch:amd64 Decode/tcp4-8 0.00 0.00 ~ (all equal) Decode/tcp6-8 0.00 0.00 ~ (all equal) Decode/udp4-8 0.00 0.00 ~ (all equal) Decode/udp6-8 0.00 0.00 ~ (all equal) Decode/icmp4-8 0.00 0.00 ~ (all equal) Decode/icmp6-8 0.00 0.00 ~ (all equal) Decode/igmp-8 0.00 0.00 ~ (all equal) Decode/unknown-8 0.00 0.00 ~ (all equal) pkg:tailscale.com/wgengine/filter goos:linux goarch:amd64 Filter/icmp4-8 0.00 0.00 ~ (all equal) Filter/tcp4_syn_in-8 0.00 0.00 ~ (all equal) Filter/tcp4_syn_out-8 0.00 0.00 ~ (all equal) Filter/udp4_in-8 0.00 0.00 ~ (all equal) Filter/udp4_out-8 1.00 ± 0% 1.00 ± 0% ~ (all equal) Filter/icmp6-8 0.00 0.00 ~ (all equal) Filter/tcp6_syn_in-8 0.00 0.00 ~ (all equal) Filter/tcp6_syn_out-8 0.00 0.00 ~ (all equal) Filter/udp6_in-8 0.00 0.00 ~ (all equal) Filter/udp6_out-8 1.00 ± 0% 1.00 ± 0% ~ (all equal) Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Brad Fitzpatrick	afcf134812	wgengine/filter, tailcfg: support CIDRs+ranges in PacketFilter (mapver 7) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
David Anderson	2eb474dd8d	wgengine/filter: add test cases for len(dsts) > 1. While the code was correct, I broke it during a refactoring and tests didn't detect it. This fixes that glitch. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Josh Bleecher Snyder	47380ebcfb	wgengine/filter: twiddle bits to optimize Part of #19. name old time/op new time/op delta Filter/icmp4-8 32.2ns ± 3% 32.5ns ± 2% ~ (p=0.524 n=10+8) Filter/icmp6-8 49.7ns ± 6% 43.1ns ± 4% -13.12% (p=0.000 n=9+10) Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	5062131aad	wgengine/filter: treat * as both a v4 and v6 wildcard. Part of #19. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	04ff3c91ee	wgengine/filter: add full IPv6 support. Part of #19. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	c2cc3acbaf	net/packet: remove NewIP, offer only a netaddr constructor. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	55b1221db2	net/packet: support full IPv6 decoding. The packet filter still rejects all IPv6, but decodes enough from v6 packets to do something smarter in a followup. name time/op Decode/tcp4-8 28.8ns ± 2% Decode/tcp6-8 20.6ns ± 1% Decode/udp4-8 28.2ns ± 1% Decode/udp6-8 20.0ns ± 6% Decode/icmp4-8 21.7ns ± 2% Decode/icmp6-8 14.1ns ± 2% Decode/unknown-8 9.43ns ± 2% Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	89894c6930	net/packet: add IPv6 source and destination IPs to Parsed. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	093431f5dd	net/packet: s/ParsedPacket/Parsed/ to avoid package stuttering. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	c48253e63b	wgengine/filter: add a method to run the packet filter without a packet. The goal is to move some of the shenanigans we have elsewhere into the filter package, so that all the weird things to do with poking at the filter is in a single place, behind clean APIs. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	7a54910990	wgengine/filter: remove helper vars, mark NewAllowAll test-only. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago

1 2

69 Commits (bd50a3457dd82bd6693541b013212a2b9bf019b6)