tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	442a3a779d	feature, net/tshttpproxy: pull out support for using proxies as a feature Saves 139 KB. Also Synology support, which I saw had its own large-ish proxy parsing support on Linux, but support for proxies without Synology proxy support is reasonable, so I pulled that out as its own thing. Updates #12614 Change-Id: I22de285a3def7be77fdcf23e2bec7c83c9655593 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	39e35379d4	wgengine/router{,/osrouter}: split OS router implementations into subpackage So wgengine/router is just the docs + entrypoint + types, and then underscore importing wgengine/router/osrouter registers the constructors with the wgengine/router package. Then tsnet can not pull those in. Updates #17313 Change-Id: If313226f6987d709ea9193c8f16a909326ceefe7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	11b770fbc9	feature/logtail: pull logtail + netlog out to modular features Removes 434 KB from the minimal Linux binary, or ~3%. Primarily this comes from not linking in the zstd encoding code. Fixes #17323 Change-Id: I0a90de307dfa1ad7422db7aa8b1b46c782bfaaf7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	01e645fae1	util/backoff: rename logtail/backoff package to util/backoff It has nothing to do with logtail and is confusing named like that. Updates #cleanup Updates #17323 Change-Id: Idd34587ba186a2416725f72ffc4c5778b0b9db4a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	475b520aa2	tsconst, util/linuxfw, wgengine/router: move Linux fw consts to tsconst Now cmd/derper doesn't depend on iptables, nftables, and netlink code :) But this is really just a cleanup step I noticed on the way to making tsnet applications able to not link all the OS router code which they don't use. Updates #17313 Change-Id: Ic7b4e04e3a9639fd198e9dbeb0f7bae22a4a47a9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	dd615c8fdd	util/linuxfw, feature/buildfeatures: add ts_omit_iptables to make IPTables optional Updates #12614 Change-Id: Ic0eba982aa8468a55c63e1b763345f032a55b4e2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	f715ee2be9	cmd/tailscaled: start implementing ts_omit_netstack Baby steps. This permits building without much of gvisor, but not all of it. Updates #17283 Change-Id: I8433146e259918cc901fe86b4ea29be22075b32c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	b3ae1cb0cc	wgengine/netstack/gro: permit building without GRO This only saves ~32KB in the minimal linux/amd64 binary, but it's a step towards permitting not depending on gvisor for small builds. Updates #17283 Change-Id: Iae8da5e9465127de354dbcaf25e794a6832d891b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Alex Chan	002ecb78d0	all: don't rebind variables in for loops See https://tip.golang.org/wiki/LoopvarExperiment#does-this-mean-i-dont-have-to-write-x--x-in-my-loops-anymore Updates https://github.com/tailscale/tailscale/issues/11058 Signed-off-by: Alex Chan <alexc@tailscale.com>	2 months ago
James Tucker	8b3e88cd09	wgengine/magicsock: fix rebind debouncing (#17282 ) On platforms that are causing EPIPE at a high frequency this is resulting in non-working connections, for example when Apple decides to forcefully close UDP sockets due to an unsoliced packet rejection in the firewall. Too frequent rebinds cause a failure to solicit the endpoints triggering the rebinds, that would normally happen via CallMeMaybe. Updates #14551 Updates tailscale/corp#25648 Signed-off-by: James Tucker <james@tailscale.com>	2 months ago
Simon Law	34242df51b	derp/derpserver: clean up extraction of derp.Server (#17264 ) PR #17258 extracted `derp.Server` into `derp/derpserver.Server`. This followup patch adds the following cleanups: 1. Rename `derp_server.go` files to `derpserver.go` to match the package name. 2. Rename the `derpserver.NewServer` constructor to `derpserver.New` to reduce stuttering. 3. Remove the unnecessary `derpserver.Conn` type alias. Updates #17257 Updates #cleanup Signed-off-by: Simon Law <sfllaw@tailscale.com>	2 months ago
Brad Fitzpatrick	21dc5f4e21	derp/derpserver: split off derp.Server out of derp into its own package This exports a number of things from the derp (generic + client) package to be used by the new derpserver package, as now used by cmd/derper. And then enough other misc changes to lock in that cmd/tailscaled can be configured to not bring in tailscale.com/client/local. (The webclient in particular, even when disabled, was bringing it in, so that's now fixed) Fixes #17257 Change-Id: I88b6c7958643fb54f386dd900bddf73d2d4d96d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	b54cdf9f38	all: use buildfeatures.HasCapture const in a handful of places Help out the linker's dead code elimination. Updates #12614 Change-Id: I6c13cb44d3250bf1e3a01ad393c637da4613affb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Jonathan Nobels	4af15a1148	magicsock: fix deadlock in SetStaticEndpoints (#17247 ) updates tailscale/corp#32600 A localAPI/cli call to reload-config can end up leaving magicsock's mutex locked. We were missing an unlock for the early exit where there's no change in the static endpoints when the disk-based config is loaded. This is not likely the root cause of the linked issue - just noted during investigation. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	2 months ago
M. J. Fromberger	daad5c2b5c	wgengine/router: use eventbus.Monitor in linuxRouter (#17232 ) This commit does not change the order or meaning of any eventbus activity, it only updates the way the plumbing is set up. Updates #15160 Change-Id: I61b863f9c05459d530a4c34063a8bad9046c0e27 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	2 months ago
M. J. Fromberger	2b6bc11586	wgengine: use eventbus.Client.Monitor to simplify subscriber maintenance (#17203 ) This commit does not change the order or meaning of any eventbus activity, it only updates the way the plumbing is set up. Updates #15160 Change-Id: I40c23b183c2a6a6ea3feec7767c8e5417019fc07 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	3 months ago
Claus Lensbøl	df362d0a08	net/netmon: make ChangeDelta event not a pointer (#17112 ) This makes things work slightly better over the eventbus. Also switches ipnlocal to use the event over the eventbus instead of the direct callback. Updates #15160 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	3 months ago
Brad Fitzpatrick	99b3f69126	feature/portmapper: make the portmapper & its debugging tools modular Starting at a minimal binary and adding one feature back... tailscaled tailscale combined (linux/amd64) 30073135 17451704 31543692 omitting everything + 480302 + 10258 + 493896 .. add debugportmapper + 475317 + 151943 + 467660 .. add portmapper + 500086 + 162873 + 510511 .. add portmapper+debugportmapper Fixes #17148 Change-Id: I90bd0e9d1bd8cbe64fa2e885e9afef8fb5ee74b1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
M. J. Fromberger	8608e42103	feature,ipn/ipnlocal,wgengine: improve how eventbus shutdown is handled (#17156 ) Instead of waiting for a designated subscription to close as a canary for the bus being stopped, use the bus Client's own signal for closure added in #17118. Updates #cleanup Change-Id: I384ea39f3f1f6a030a6282356f7b5bdcdf8d7102 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	3 months ago
Claus Lensbøl	2015ce4081	health,ipn/ipnlocal: introduce eventbus in heath.Tracker (#17085 ) The Tracker was using direct callbacks to ipnlocal. This PR moves those to be triggered via the eventbus. Additionally, the eventbus is now closed on exit from tailscaled explicitly, and health is now a SubSystem in tsd. Updates #15160 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	3 months ago
Brad Fitzpatrick	4cca9f7c67	all: add ts_omit_serve, start making tailscale serve/funnel be modular tailscaled tailscale combined (linux/amd64) 29853147 17384418 31412596 omitting everything + 621570 + 219277 + 554256 .. add serve Updates #17128 Change-Id: I87c2c6c3d3fc2dc026c3de8ef7000a813b41d31c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	8b48f3847d	net/netmon, wgengine/magicsock: simplify LinkChangeLogLimiter signature Remove the need for the caller to hold on to and call an unregister function. Both two callers (one real, one test) already have a context they can use. Use context.AfterFunc instead. There are no observable side effects from scheduling too late if the goroutine doesn't run sync. Updates #17148 Change-Id: Ie697dae0e797494fa8ef27fbafa193bfe5ceb307 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Alex Chan	5c24f0ed80	wgengine/magicsock: send a valid payload in TestNetworkDownSendErrors This test ostensibly checks whether we record an error metric if a packet is dropped because the network is down, but the network connectivity is irrelevant -- the send error is actually because the arguments to Send() are invalid: RebindingUDPConn.WriteWireGuardBatchTo: [unexpected] offset (0) != Geneve header length (8) This patch changes the test so we try to send a valid packet, and we verify this by sending it once before taking the network down. The new error is: magicsock: network down which is what we're trying to test. We then test sending an invalid payload as a separate test case. Updates tailscale/corp#22075 Signed-off-by: Alex Chan <alexc@tailscale.com>	3 months ago
Jordan Whited	998a667cd5	wgengine/magicsock: don't add DERP addrs to endpointState (#17147 ) endpointState is used for tracking UDP direct connection candidate addresses. If it contains a DERP addr, then direct connection path discovery will always send a wasteful disco ping over it. Additionally, CLI "tailscale ping" via peer relay will race over DERP, leading to a misleading result if pong arrives via DERP first. Disco pongs arriving via DERP never influence path selection. Disco ping/pong via DERP only serves "tailscale ping" reporting. Updates #17121 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Jordan Whited	fb9d9ba86e	wgengine/magicsock: add TS_DEBUG_NEVER_DIRECT_UDP debug knob (#17094 ) Updates tailscale/corp#30903 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Jordan Whited	6feb6f3c75	wgengine/magicsock: add relayManager event logs (#17091 ) These are gated behind magicsock component debug logging. Updates tailscale/corp#30818 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Jordan Whited	2d9d869d3d	wgengine/magicsock: fix debug disco printing of alloc resp disco keys (#17087 ) Updates tailscale/corp#30818 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
James Tucker	a29545e9cc	wgengine/magicsock: log the peer failing disco writes are intended for Updates tailscale/corp#31762 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
James Tucker	3b68d607be	wgengine/magicsock: drop DERP queue from head rather than tail If the DERP queue is full, drop the oldest item first, rather than the youngest, on the assumption that older data is more likely to be unanswerable. Updates tailscale/corp#31762 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
James Tucker	f5d3c59a92	wgengine/magicsock: shorten process internal DERP queue DERP writes go via TCP and the host OS will have plenty of buffer space. We've observed in the wild with a backed up TCP socket kernel side buffers of >2.4MB. The DERP internal queue being larger causes an increase in the probability that the contents of the backbuffer are "dead letters" - packets that were assumed to be lost. A first step to improvement is to size this queue only large enough to avoid some of the initial connect stall problem, but not large enough that it is contributing in a substantial way to buffer bloat / dead-letter retention. Updates tailscale/corp#31762 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
James Tucker	d42f0b6a21	util/ringbuffer: rename to ringlog I need a ringbuffer in the more traditional sense, one that has a notion of item removal as well as tail loss on overrun. This implementation is really a clearable log window, and is used as such where it is used. Updates #cleanup Updates tailscale/corp#31762 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Jordan Whited	575664b263	wgengine/magicsock: make endpoint.discoPing peer relay aware (#16946 ) Updates tailscale/corp#30333 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Jordan Whited	9403ba8c69	wgengine/magicsock: trigger peer relay path discovery on CallMeMaybe RX (#16929 ) Updates tailscale/corp#30333 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Jordan Whited	b17cfe4aed	wgengine/magicsock,net/sockopts: export Windows ICMP suppression logic (#16917 ) For eventual use by net/udprelay.Server. Updates tailscale/corp#31506 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Jordan Whited	641a90ea33	net/sockopts,wgengine/magicsock: export socket buffer sizing logic (#16909 ) For eventual use by net/udprelay.Server Updates tailscale/corp#31164 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Jordan Whited	16bc0a5558	net/{batching,packet},wgengine/magicsock: export batchingConn (#16848 ) For eventual use by net/udprelay.Server. Updates tailscale/corp#31164 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Jordan Whited	cde65dba16	wgengine/magicsock: add clientmetric for Peer Relay challenge reception (#16834 ) Updates tailscale/corp#30527 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Jordan Whited	4fa27db8dd	wgengine/magicsock: add clientmetrics for locally delivered Peer Relay alloc disco (#16833 ) Expected when Peer Relay'ing via self. These disco messages never get sealed, and never leave the process. Updates tailscale/corp#30527 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Jordan Whited	36397f1794	wgengine/magicsock: add clientmetrics for TX direction Peer Relay disco messages (#16831 ) Updates tailscale/corp#30527 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Jordan Whited	d122f0350e	control/controlknobs,tailcfg,wgengine/magicsock: deprecate NodeAttrDisableMagicSockCryptoRouting (#16818 ) Peer Relay is dependent on crypto routing, therefore crypto routing is now mandatory. Updates tailscale/corp#20732 Updates tailscale/corp#31083 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Jordan Whited	4666d4ca2a	wgengine/magicsock: fix missing Conn.hasPeerRelayServers.Store() call (#16792 ) This commit also extends the updateRelayServersSet unit tests to cover onNodeViewsUpdate. Fixes tailscale/corp#31080 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Jordan Whited	0374e6d906	wgengine/magicsock: add lazyEndpoint.FromPeer tests (#16791 ) Updates tailscale/corp#30903 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Jordan Whited	02967ffcf2	wgengine/magicsock: add lazyEndpoint.InitiationMessagePublicKey tests (#16790 ) Updates tailscale/corp#30903 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Jordan Whited	908f20e0a5	wgengine/magicsock: add receiveIP() unit tests (#16781 ) One of these tests highlighted a Geneve encap bug, which is also fixed in this commit. looksLikeInitMsg was passed a packet post Geneve header stripping with slice offsets that had not been updated to account for the stripping. Updates tailscale/corp#30903 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Claus Lensbøl	5bb42e3018	wgengine/router: rely on events for deleted IP rules (#16744 ) Adds the eventbus to the router subsystem. The event is currently only used on linux. Also includes facilities to inject events into the bus. Updates #15160 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	4 months ago
Jordan Whited	b0018f1e7d	wgengine/magicsock: fix looksLikeInitiationMsg endianness (#16771 ) WireGuard message type is little-endian encoded. Updates tailscale/corp#30903 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
M. J. Fromberger	b34cdc9710	ipn,net,tsnet,wgengine: make an eventbus mandatory where it is used (#16594 ) In the components where an event bus is already plumbed through, remove the exceptions that allow it to be omitted, and update all the tests that relied on those workarounds execute properly. This change applies only to the places where we're already using the bus; it does not enforce the existence of a bus in other components (yet), Updates #15160 Change-Id: Iebb92243caba82b5eb420c49fc3e089a77454f65 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	4 months ago
Jordan Whited	a9f3fd1c67	wgengine/magicsock: fix magicsock deadlock around Conn.NoteRecvActivity (#16687 ) Updates #16651 Updates tailscale/corp#30836 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Jordan Whited	179745b83e	wgengine/magicsock: update discoInfo docs (#16638 ) discoInfo is also used for holding peer relay server disco keys. Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Jordan Whited	1677fb1905	wgengine/magicsock,all: allocate peer relay over disco instead of PeerAPI (#16603 ) Updates tailscale/corp#30583 Updates tailscale/corp#30534 Updates tailscale/corp#30557 Signed-off-by: Dylan Bargatze <dylan@tailscale.com> Signed-off-by: Jordan Whited <jordan@tailscale.com> Co-authored-by: Dylan Bargatze <dylan@tailscale.com>	5 months ago
Jordan Whited	36aeacb297	wgengine/magicsock: add peer relay metrics (#16582 ) Updates tailscale/corp#30040 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	3c6d17e6f1	cmd/tailscale/cli,ipn/ipnlocal,wgengine/magicsock: implement tailscale debug peer-relay-servers (#16577 ) Updates tailscale/corp#30036 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	d65c0fd2d0	tailcfg,wgengine/magicsock: set peer relay CapVer (#16531 ) Updates tailscale/corp#27502 Updates tailscale/corp#30051 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	b63f8a457d	wgengine/magicsock: prioritize trusted peer relay paths over untrusted (#16559 ) A trusted peer relay path is always better than an untrusted direct or peer relay path. Updates tailscale/corp#30412 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	fc5050048e	wgengine/magicsock: don't acquire Conn.mu in udpRelayEndpointReady (#16557 ) udpRelayEndpointReady used to write into the peerMap, which required holding Conn.mu, but this changed in `f9e7131`. Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	bd29a1c8c1	feature/relayserver,wgengine/magicsock: remove WIP gating of peer relay (#16533 ) Updates tailscale/corp#30051 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Dylan Bargatze	fed72e2aa9	cmd/tailscale, ipn/ipnstate, wgengine/magicsock: update ping output for peer relay (#16515 ) Updates the output for "tailscale ping" to indicate if a peer relay was traversed, just like the output for DERP or direct connections. Fixes tailscale/corp#30034 Signed-off-by: Dylan Bargatze <dylan@tailscale.com>	5 months ago
Jordan Whited	f9bfd8118a	wgengine/magicsock: resolve epAddr collisions across peer relay conns (#16526 ) Updates tailscale/corp#30042 Updates tailscale/corp#29422 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	6a0fad1e10	wgengine/magicsock: don't peer relay if NodeAttrOnlyTCP443 is set (#16517 ) Updates tailscale/corp#30138 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	ae8641735d	cmd/tailscale/cli,ipn/ipnstate,wgengine/magicsock: label peer-relay (#16510 ) Updates tailscale/corp#30033 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Dylan Bargatze	d40b25326c	tailcfg, wgengine/magicsock: disable all UDP relay usage if disable-relay-client is set (#16492 ) If the NodeAttrDisableRelayClient node attribute is set, ensures that a node cannot allocate endpoints on a UDP relay server itself, and cannot use newly-discovered paths (via disco/CallMeMaybeVia) that traverse a UDP relay server. Fixes tailscale/corp#30180 Signed-off-by: Dylan Bargatze <dylan@tailscale.com>	5 months ago
Jordan Whited	008a238acd	wgengine/magicsock: support self as candidate peer relay (#16499 ) Updates tailscale/corp#30247 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	a60e0caf6a	wgengine/magicsock: remove conn.InitiationAwareEndpoint TODO (#16498 ) It was implemented in `5b0074729d`. Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	5b0074729d	go.mod,wgengine/magicsock: implement conn.InitiationAwareEndpoint (#16486 ) Since a [lazyEndpoint] makes wireguard-go responsible for peer ID, but wireguard-go may not yet be configured for said peer, we need a JIT hook around initiation message reception to call what is usually called from an [endpoint]. Updates tailscale/corp#30042 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Naman Sood	04d24cdbd4	wgengine/netstack: correctly proxy half-closed TCP connections TCP connections are two unidirectional data streams, and if one of these streams closes, we should not assume the other half is closed as well. For example, if an HTTP client closes its write half of the connection early, it may still be expecting to receive data on its read half, so we should keep the server -> client half of the connection open, while terminating the client -> server half. Fixes tailscale/corp#29837. Signed-off-by: Naman Sood <mail@nsood.in>	5 months ago
Jordan Whited	a84d58015c	wgengine/magicsock: fix lazyEndpoint DstIP() vs SrcIP() (#16453 ) These were flipped. DstIP() and DstIPBytes() are used internally by wireguard-go as part of a handshake DoS mitigation strategy. Updates tailscale/corp#20732 Updates tailscale/corp#30042 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	3b32cc7586	wgengine/magicsock: simplify Geneve-encapsulated disco.Ping handling (#16448 ) Just make [relayManager] always handle it, there's no benefit to checking bestAddr's. Also, remove passing of disco.Pong to [relayManager] in endpoint.handlePongConnLocked(), which is redundant with the callsite in Conn.handleDiscoMessage(). Conn.handleDiscoMessage() already passes to [relayManager] if the txID us not known to any [*endpoint]. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	540eb05638	wgengine/magicsock: make Conn.Send() lazyEndpoint aware (#16465 ) A lazyEndpoint may end up on this TX codepath when wireguard-go is deemed "under load" and ends up transmitting a cookie reply using the received conn.Endpoint. Updates tailscale/corp#20732 Updates tailscale/corp#30042 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Dylan Bargatze	92a114c66d	tailcfg, feature/relayserver, wgengine/magicsock: invert UDP relay server nodeAttrs (#16444 ) Inverts the nodeAttrs related to UDP relay client/server enablement to disablement, and fixes up the corresponding logic that uses them. Also updates the doc comments on both nodeAttrs. Fixes tailscale/corp#30024 Signed-off-by: Dylan Bargatze <dylan@tailscale.com>	5 months ago
Jordan Whited	f9e7131772	wgengine/magicsock: make lazyEndpoint load bearing for UDP relay (#16435 ) Cryptokey Routing identification is now required to set an [epAddr] into the peerMap for Geneve-encapsulated [epAddr]s. Updates tailscale/corp#27502 Updates tailscale/corp#29422 Updates tailscale/corp#30042 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	d2edf7133a	wgengine/magicsock: remove references to rucPtr (#16441 ) It used to be a *RebindingUDPConn, now it's just a RebindingUDPConn. Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	47e77565c6	wgengine/magicsock: avoid handshaking relay endpoints that are trusted (#16412 ) Changes to our src/address family can trigger blackholes. This commit also adds a missing set of trustBestAddrUntil when setting a UDP relay path as bestAddr. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	3dc694b4f1	wgengine/magicsock: clear UDP relay bestAddr's on disco ping timeout (#16410 ) Otherwise we can end up mirroring packets to them forever. We may eventually want to relax this to direct paths as well, but start with UDP relay paths, which have a higher chance of becoming untrusted and never working again, to be conservative. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	0a64e86a0d	wgengine/magicsock: move UDP relay path discovery to heartbeat() (#16407 ) This was previously hooked around direct UDP path discovery / CallMeMaybe transmission, and related conditions. Now it is subject to relay-specific considerations. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	b32a01b2dc	disco,net/udprelay,wgengine/magicsock: support relay re-binding (#16388 ) Relay handshakes may now occur multiple times over the lifetime of a relay server endpoint. Handshake messages now include a handshake generation, which is client specified, as a means to trigger safe challenge reset server-side. Relay servers continue to enforce challenge values as single use. They will only send a given value once, in reply to the first arriving bind message for a handshake generation. VNI has been added to the handshake messages, and we expect the outer Geneve header value to match the sealed value upon reception. Remote peer disco pub key is now also included in handshake messages, and it must match the receiver's expectation for the remote, participating party. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	b2bf7e988e	wgengine/magicsock: add envknob to toggle UDP relay feature (#16396 ) Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	51d00e135b	wgengine/magicsock: fix relayManager alloc work cleanup (#16387 ) Premature cancellation was preventing the work from ever being cleaned up in runLoop(). Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Nick Khyl	9e28bfc69c	ipn/ipnlocal,wgengine/magicsock: wait for magicsock to process pending events on authReconfig Updates #16369 Signed-off-by: Nick Khyl <nickk@tailscale.com>	5 months ago
Jordan Whited	31eebdb0f8	wgengine/magicsock: send CallMeMaybeVia for relay endpoints (#16360 ) If we acted as the allocator we are responsible for signaling it to the remote peer in a CallMeMaybeVia message over DERP. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	a589863d61	feature/relayserver,net/udprelay,wgengine/magicsock: implement retry (#16347 ) udprelay.Server is lazily initialized when the first request is received over peerAPI. These early requests have a high chance of failure until the first address discovery cycle has completed. Return an ErrServerNotReady error until the first address discovery cycle has completed, and plumb retry handling for this error all the way back to the client in relayManager. relayManager can now retry after a few seconds instead of waiting for the next path discovery cycle, which could take another minute or longer. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	9288efe592	wgengine/magicsock: remove premature return in handshakeServerEndpoint (#16351 ) Any return underneath this select case must belong to a type switch case. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	0905936c45	wgengine/magicsock: set Geneve header protocol for WireGuard (#16350 ) Otherwise receives interpret as naked WireGuard. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	61958f531c	wgengine/magicsock: set conn field in relayHandshakeDiscoMsgEvent (#16348 ) Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	e935a28a19	wgengine/magicsock: set rxDiscoMsgCh field in relayHandshakeWork (#16349 ) Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Jordan Whited	cd9b9a8cad	wgengine/magicsock: fix relay endpoint allocation URL (#16344 ) Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	6 months ago
Jordan Whited	d3bb34c628	wgengine/magicsock: generate relay server set from tailnet policy (#16331 ) Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	6 months ago
Jordan Whited	583f740c0b	Revert "types/netmap,wgengine/magicsock: propagate CapVer to magicsock.endpoint (#16244 )" (#16322 ) This reverts commit `6a93b17c8c`. The reverted commit added more complexity than it was worth at the current stage. Handling delta CapVer changes requires extensive changes to relayManager datastructures in order to also support delta updates of relay servers. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	6 months ago
Jordan Whited	fcab50b276	ipn/ipnlocal,wgengine{/magicsock}: replace SetNetworkMap with eventbus (#16299 ) Same with UpdateNetmapDelta. Updates tailscale/corp#27502 Updates #15160 Signed-off-by: Jordan Whited <jordan@tailscale.com>	6 months ago
Jordan Whited	8e6f63cf11	ipn/ipnlocal,wgengine/magicsock: use eventbus for node & filter updates (#16271 ) nodeBackend now publishes filter and node changes to eventbus topics that are consumed by magicsock.Conn Updates tailscale/corp#27502 Updates tailscale/corp#29543 Signed-off-by: Jordan Whited <jordan@tailscale.com>	6 months ago
Jordan Whited	6a93b17c8c	types/netmap,wgengine/magicsock: propagate CapVer to magicsock.endpoint (#16244 ) This enables us to mark nodes as relay capable or not. We don't actually do that yet, as we haven't established a relay CapVer. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	6 months ago
Jordan Whited	9501f66985	wgengine/magicsock: don't cancel in-progress relayManager work (#16233 ) It might complete, interrupting it reduces the chances of establishing a relay path. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	6 months ago
Jordan Whited	c343bffa72	wgengine/relaymanager: don't start runLoop() on init() (#16231 ) This is simply for consistency with relayManagerInputEvent(), which should be the sole launcher of runLoop(). Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	6 months ago
Jordan Whited	67b1693c13	wgengine/magicsock: enable setting relay epAddr's as bestAddr (#16229 ) relayManager can now hand endpoint a relay epAddr for it to consider as bestAddr. endpoint and Conn disco ping/pong handling are now VNI-aware. Updates tailscale/corp#27502 Updates tailscale/corp#29422 Signed-off-by: Jordan Whited <jordan@tailscale.com>	6 months ago
Jordan Whited	66ae8737f4	wgengine/magicsock: make endpoint.bestAddr Geneve-aware (#16195 ) This commit adds a new type to magicsock, epAddr, which largely ends up replacing netip.AddrPort in packet I/O paths throughout, enabling Geneve encapsulation over UDP awareness. The conn.ReceiveFunc for UDP has been revamped to fix and more clearly distinguish the different classes of packets we expect to receive: naked STUN binding messages, naked disco, naked WireGuard, Geneve-encapsulated disco, and Geneve-encapsulated WireGuard. Prior to this commit, STUN matching logic in the RX path could swallow a naked WireGuard packet if the keypair index, which is randomly generated, happened to overlap with a subset of the STUN magic cookie. Updates tailscale/corp#27502 Updates tailscale/corp#29326 Signed-off-by: Jordan Whited <jordan@tailscale.com>	6 months ago
Claus Lensbøl	3f7a9f82e3	wgengine/magicsock: fix bpf fragmentation jump offsets (#16204 ) Fragmented datagrams would be processed instead of being dumped right away. In reality, thse datagrams would be dropped anyway later so there should functionally not be any change. Additionally, the feature is off by default. Closes #16203 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	6 months ago
Jordan Whited	5f35143d83	go.mod,wgengine/magicsock: update wireguard-go (#16148 ) Our conn.Bind implementation is updated to make Send() offset-aware for future VXLAN/Geneve encapsulation support. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	6 months ago
Jordan Whited	ffc8ec289b	wgengine/magicsock: implement relayManager endpoint probing (#16029 ) relayManager is responsible for disco ping/pong probing of relay endpoints once a handshake is complete. Future work will enable relayManager to set a relay endpoint as the best UDP path on an endpoint if appropriate. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	6 months ago
Jordan Whited	70b6e8ca98	wgengine/magicsock: fix outdated heartbeat comment (#16023 ) heartbeatInterval is currently 3s. Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	7 months ago
Jordan Whited	3cc80cce6a	wgengine/magicsock: introduce virtualNetworkID type (#16021 ) This type improves code clarity and reduces the chance of heap alloc as we pass it as a non-pointer. VNI being a 3-byte value enables us to track set vs unset via the reserved/unused byte. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	7 months ago
Jordan Whited	87a4f17883	wgengine/magicsock: fix pong handling 'EndpointChange' reporting (#16018 ) Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	7 months ago

1 2 3 4 5 ...

1813 Commits (c2e474e729b4b665cf5acafa29f89c11af71ac35)