tailscale

Commit Graph

Author	SHA1	Message	Date
Tom Proctor	01a7726cf7	cmd/containerboot,cmd/k8s-operator: enable IPv6 for fqdn egress proxies (#12577 ) cmd/containerboot,cmd/k8s-operator: enable IPv6 for fqdn egress proxies Don't skip installing egress forwarding rules for IPv6 (as long as the host supports IPv6), and set headless services `ipFamilyPolicy` to `PreferDualStack` to optionally enable both IP families when possible. Note that even with `PreferDualStack` set, testing a dual-stack GKE cluster with the default DNS setup of kube-dns did not correctly set both A and AAAA records for the headless service, and instead only did so when switching the cluster DNS to Cloud DNS. For both IPv4 and IPv6 to work simultaneously in a dual-stack cluster, we require headless services to return both A and AAAA records. If the host doesn't support IPv6 but the FQDN specified only has IPv6 addresses available, containerboot will exit with error code 1 and an error message because there is no viable egress route. Fixes #12215 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	3 months ago
Charlotte Brandhorst-Satzkorn	42f01afe26	cmd/tailscale/cli: exit node filter should display all exit node options (#12699 ) This change expands the `exit-node list -filter` command to display all location based exit nodes for the filtered country. This allows users to switch to alternative servers when our recommended exit node is not working as intended. This change also makes the country filter matching case insensitive, e.g. both USA and usa will work. Updates #12698 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	3 months ago
Jordan Whited	ddf94a7b39	cmd/stunstamp: fix handling of invalid DERP map resp (#12679 ) Updates tailscale/corp#20344 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
James Tucker	b565a9faa7	cmd/xdpderper: add autodetection for default interface name This makes deployment easier in hetrogenous environments. Updates ENG-4274 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Josh McKinney	18939df0a7	fix: broken tests for localhost Signed-off-by: Josh McKinney <joshka@users.noreply.github.com>	3 months ago
Brad Fitzpatrick	210264f942	cmd/derper: clarify that derper and tailscaled need to be in sync Fixes #12617 Change-Id: Ifc87b7d9cf699635087afb57febd01fb9a6d11b7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	6b801a8e9e	cmd/derper: link to various derper docs in more places In hopes it'll be found more. Updates tailscale/corp#20844 Change-Id: Ic92ee9908f45b88f8770de285f838333f9467465 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
James Tucker	46fda6bf4c	cmd/derper: add some DERP diagnostics pointers A few other minor language updates. Updates tailscale/corp#20844 Change-Id: Idba85941baa0e2714688cc8a4ec3e242e7d1a362 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Adrian Dewhurst	a6b13e6972	cmd/tailscale/cli: correct command emitted by exit node suggestion The exit node suggestion CLI command was written with the assumption that it's possible to provide a stableid on the command line, but this is incorrect. Instead, it will now emit the name of the exit node. Fixes #12618 Change-Id: Id7277f395b5fca090a99b0d13bfee7b215bc9802 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	3 months ago
Jordan Whited	94415e8029	cmd/stunstamp: remove sqlite DB and API (#12604 ) stunstamp now sends data to Prometheus via remote write, and Prometheus can serve the same data. Retaining and cleaning up old data in sqlite leads to long probing pauses, and it's not worth investing more effort to optimize the schema and/or concurrency model. Updates tailscale/corp#20344 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Brad Fitzpatrick	3485e4bf5a	derp: make RunConnectionLoop funcs take Messages, support PeerPresentFlags PeerPresentFlags was added in `5ffb2668ef` but wasn't plumbed through to the RunConnectionLoop. Rather than add yet another parameter (as IP:port was added earlier), pass in the raw PeerPresentMessage and PeerGoneMessage struct values, which are the same things, plus two fields: PeerGoneReasonType for gone and the PeerPresentFlags from `5ffb2668ef`. Updates tailscale/corp#17816 Change-Id: Ib19d9f95353651ada90656071fc3656cf58b7987 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Andrew Dunham	200d92121f	types/lazy: add Peek method to SyncValue This adds the ability to "peek" at the value of a SyncValue, so that it's possible to observe a value without computing this. Updates tailscale/corp#17122 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com> Change-Id: I06f88c22a1f7ffcbc7ff82946335356bb0ef4622	3 months ago
Aaron Klotz	7dd76c3411	net/netns: add Windows support for bind-to-interface-by-route This is implemented via GetBestInterfaceEx. Should we encounter errors or fail to resolve a valid, non-Tailscale interface, we fall back to returning the index for the default interface instead. Fixes #12551 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 months ago
Brad Fitzpatrick	91786ff958	cmd/derper: add debug endpoint to adjust mutex profiling rate Updates #3560 Change-Id: I474421ce75c79fb66e1c306ed47daebc5a0e069e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Jordan Whited	0d6e71df70	cmd/stunstamp: add explicit metric to track timeout events (#12564 ) Timeouts could already be identified as NaN values on stunstamp_derp_stun_rtt_ns, but we can't use NaN effectively with promql to visualize them. So, this commit adds a timeouts metric that we can use with rate/delta/etc promql functions. Updates tailscale/corp#20689 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Kristoffer Dalby	dcb0f189cc	cmd/proxy-to-grafana: add flag for alternative control server Fixes #12571 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	3 months ago
Andrew Dunham	24976b5bfd	cmd/tailscale/cli: actually perform Noise request in 'debug ts2021' This actually performs a Noise request in the 'debug ts2021' command, instead of just exiting once we've dialed a connection. This can help debug certain forms of captive portals and deep packet inspection that will allow a connection, but will RST the connection when trying to send data on the post-upgraded TCP connection. Updates #1634 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I1e46ca9c9a0751c55f16373a6a76cdc24fec1f18	3 months ago
Andrew Dunham	732605f961	control/controlclient: move noiseConn to internal package So that it can be later used in the 'tailscale debug ts2021' function in the CLI, to aid in debugging captive portals/WAFs/etc. Updates #1634 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Iec9423f5e7570f2c2c8218d27fc0902137e73909	3 months ago
Andrea Gottardo	8eb15d3d2d	cli/netcheck: fail with output if we time out fetching a derpmap (#12528 ) Updates tailscale/corp#20969 Right now, when netcheck starts, it asks tailscaled for a copy of the DERPMap. If it doesn't have one, it makes a HTTPS request to controlplane.tailscale.com to fetch one. This will always fail if you're on a network with a captive portal actively blocking HTTPS traffic. The code appears to hang entirely because the http.Client doesn't have a Timeout set. It just sits there waiting until the request succeeds or fails. This adds a timeout of 10 seconds, and logs more details about the status of the HTTPS request. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	3 months ago
Jordan Whited	a93173b56a	cmd/xdpderper,derp/xdp: implement mode that drops STUN packets (#12527 ) This is useful during maintenance as a method for shedding home client load. Updates tailscale/corp#20689 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Tom Proctor	3099323976	cmd/k8s-operator,k8s-operator,go.{mod,sum}: publish proxy status condition for annotated services (#12463 ) Adds a new TailscaleProxyReady condition type for use in corev1.Service conditions. Also switch our CRDs to use metav1.Condition instead of ConnectorCondition. The Go structs are seralized identically, but it updates some descriptions and validation rules. Update k8s controller-tools and controller-runtime deps to fix the documentation generation for metav1.Condition so that it excludes comments and TODOs. Stop expecting the fake client to populate TypeMeta in tests. See kubernetes-sigs/controller-runtime#2633 for details of the change. Finally, make some minor improvements to validation for service hostnames. Fixes #12216 Co-authored-by: Irbe Krumina <irbe@tailscale.com> Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	3 months ago
Andrew Dunham	45d2f4301f	proxymap, various: distinguish between different protocols Previously, we were registering TCP and UDP connections in the same map, which could result in erroneously removing a mapping if one of the two connections completes while the other one is still active. Add a "proto string" argument to these functions to avoid this. Additionally, take the "proto" argument in LocalAPI, and plumb that through from the CLI and add a new LocalClient method. Updates tailscale/corp#20600 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I35d5efaefdfbf4721e315b8ca123f0c8af9125fb	3 months ago
Irbe Krumina	8cc2738609	cmd/{containerboot,k8s-operator}: store proxy device ID early to help with cleanup for broken proxies (#12425 ) * cmd/containerboot: store device ID before setting up proxy routes. For containerboot instances whose state needs to be stored in a Kubernetes Secret, we additonally store the device's ID, FQDN and IPs. This is used, between other, by the Kubernetes operator, who uses the ID to delete the device when resources need cleaning up and writes the FQDN and IPs on various kube resource statuses for visibility. This change shifts storing device ID earlier in the proxy setup flow, to ensure that if proxy routing setup fails, the device can still be deleted. Updates tailscale/tailscale#12146 Signed-off-by: Irbe Krumina <irbe@tailscale.com> * code review feedback Signed-off-by: Irbe Krumina <irbe@tailscale.com> --------- Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Andrew Lytvynov	674c998e93	cmd/tailscale/cli: do not allow update --version on macOS (#12508 ) We do not support specific version updates or track switching on macOS. Do not populate the flag to avoid confusion. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	3 months ago
Brad Fitzpatrick	86e0f9b912	net/ipset, wgengine/filter/filtertype: add split-out packages This moves NewContainsIPFunc from tsaddr to new ipset package. And wgengine/filter types gets split into wgengine/filter/filtertype, so netmap (and thus the CLI, etc) doesn't need to bring in ipset, bart, etc. Then add a test making sure the CLI deps don't regress. Updates #1278 Change-Id: Ia246d6d9502bbefbdeacc4aef1bed9c8b24f54d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	64ac64fb66	net/tsaddr: use bart in NewContainsIPFunc, add tests, benchmarks NewContainsIPFunc was previously documented as performing poorly if there were many netip.Prefixes to search over. As such, we never it used it in such cases. This updates it to use bart at a certain threshold (over 6 prefixes, currently), at which point the bart lookup overhead pays off. This is currently kinda useless because we're not using it. But now we can and get wins elsewhere. And we can remove the caveat in the docs. goos: darwin goarch: arm64 pkg: tailscale.com/net/tsaddr │ before │ after │ │ sec/op │ sec/op vs base │ NewContainsIPFunc/empty-8 2.215n ± 11% 2.239n ± 1% +1.08% (p=0.022 n=10) NewContainsIPFunc/cidr-list-1-8 17.44n ± 0% 17.59n ± 6% +0.89% (p=0.000 n=10) NewContainsIPFunc/cidr-list-2-8 27.85n ± 0% 28.13n ± 1% +1.01% (p=0.000 n=10) NewContainsIPFunc/cidr-list-3-8 36.05n ± 0% 36.56n ± 13% +1.41% (p=0.000 n=10) NewContainsIPFunc/cidr-list-4-8 43.73n ± 0% 44.38n ± 1% +1.50% (p=0.000 n=10) NewContainsIPFunc/cidr-list-5-8 51.61n ± 2% 51.75n ± 0% ~ (p=0.101 n=10) NewContainsIPFunc/cidr-list-10-8 95.65n ± 0% 68.92n ± 0% -27.94% (p=0.000 n=10) NewContainsIPFunc/one-ip-8 4.466n ± 0% 4.469n ± 1% ~ (p=0.491 n=10) NewContainsIPFunc/two-ip-8 8.002n ± 1% 7.997n ± 4% ~ (p=0.697 n=10) NewContainsIPFunc/three-ip-8 27.98n ± 1% 27.75n ± 0% -0.82% (p=0.012 n=10) geomean 19.60n 19.07n -2.71% Updates #12486 Change-Id: I2e2320cc4384f875f41721374da536bab995c1ce Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Maisem Ali	491483d599	cmd/viewer,type/views: add MapSlice for maps of slices This abstraction provides a nicer way to work with maps of slices without having to write out three long type params. This also allows it to provide an AsMap implementation which copies the map and the slices at least. Updates tailscale/corp#20910 Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 months ago
Nick Khyl	c32efd9118	various: create a catch-all NRPT rule when "Override local DNS" is enabled on Windows Without this rule, Windows 8.1 and newer devices issue parallel DNS requests to DNS servers associated with all network adapters, even when "Override local DNS" is enabled and/or a Mullvad exit node is being used, resulting in DNS leaks. This also adds "disable-local-dns-override-via-nrpt" nodeAttr that can be used to disable the new behavior if needed. Fixes tailscale/corp#20718 Signed-off-by: Nick Khyl <nickk@tailscale.com>	3 months ago
Aaron Klotz	bd2a6d5386	util/winutil: add UserProfile type for (un)loading user profiles S4U logons do not automatically load the associated user profile. In this PR we add UserProfile to handle that part. Windows docs indicate that we should try to resolve a remote profile path when present, so we attempt to do so when the local computer is joined to a domain. Updates #12383 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 months ago
Jordan Whited	9189fe007b	cmd/stunc: support user-specified port (#12469 ) Updates tailscale/corp#20689 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Jordan Whited	65888d95c9	derp/xdp,cmd/xdpderper: initial skeleton (#12390 ) This commit introduces a userspace program for managing an experimental eBPF XDP STUN server program. derp/xdp contains the eBPF pseudo-C along with a Go pkg for loading it and exporting its metrics. cmd/xdpderper is a package main user of derp/xdp. Updates tailscale/corp#20689 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Brad Fitzpatrick	ccdd2e6650	cmd/derper: add a README Updates tailscale/corp#20844 Change-Id: Ie3ca5dd7f582f4f298339dd3cd2039243c204ef8 Co-authored-by: James Tucker <james@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com> Co-authored-by: Andrew Dunham <andrew@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
JunYanBJSS	4c01ce9f43	tsnet: fix error formatting bug Fixes #12411 Signed-off-by: JunYanBJSS <johnnycocoyan@hotmail.com>	3 months ago
Aaron Klotz	3511d1f8a2	cmd/tailscaled, net/dns, wgengine/router: start Windows child processes with DETACHED_PROCESS when I/O is being piped When we're starting child processes on Windows that are CLI programs that don't need to output to a console, we should pass in DETACHED_PROCESS as a CreationFlag on SysProcAttr. This prevents the OS from even creating a console for the child (and paying the associated time/space penalty for new conhost processes). This is more efficient than letting the OS create the console window and then subsequently trying to hide it, which we were doing at a few callsites. Fixes #12270 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 months ago
Irbe Krumina	bc53ebd4a0	ipn/{ipnlocal,localapi},net/netkernelconf,client/tailscale,cmd/containerboot: optionally enable UDP GRO forwarding for containers (#12410 ) Add a new TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS env var that can be set for tailscale/tailscale container running as a subnet router or exit node to enable UDP GRO forwarding for improved performance. See https://tailscale.com/kb/1320/performance-best-practices#linux-optimizations-for-subnet-routers-and-exit-nodes This is currently considered an experimental approach; the configuration support is partially to allow further experimentation with containerized environments to evaluate the performance improvements. Updates tailscale/tailscale#12295 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Irbe Krumina	6f2bae019f	cmd/k8s-nameserver: fix AAAA record query response (#12412 ) Return empty response and NOERROR for AAAA record queries for DNS names for which we have an A record. This is to allow for callers that might be first sending an AAAA query and then, if that does not return a response, follow with an A record query. Previously we were returning NOTIMPL that caused some callers to potentially not follow with an A record query or misbehave in different ways. Also return NXDOMAIN for AAAA record queries for names that we DO NOT have an A record for to ensure that the callers do not follow up with an A record query. Returning an empty response and NOERROR is the behaviour that RFC 4074 recommends: https://datatracker.ietf.org/doc/html/rfc4074 Updates tailscale/tailscale#12321 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Aaron Klotz	df86576989	util/winutil: add AllocateContiguousBuffer and SetNTString helper funcs AllocateContiguousBuffer is for allocating structs with trailing buffers containing additional data. It is to be used for various Windows structures containing pointers to data located immediately after the struct. SetNTString performs in-place setting of windows.NTString and windows.NTUnicodeString. Updates #12383 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 months ago
Irbe Krumina	c3e2b7347b	tailcfg,cmd/k8s-operator,kube: move Kubernetes cap to a location that can be shared with control (#12236 ) This PR is in prep of adding logic to control to be able to parse tailscale.com/cap/kubernetes grants in control: - moves the type definition of PeerCapabilityKubernetes cap to a location shared with control. - update the Kubernetes cap rule definition with fields for granting kubectl exec session recording capabilities. - adds a convenience function to produce tailcfg.RawMessage from an arbitrary cap rule and a test for it. An example grant defined via ACLs: "grants": [{ "src": ["tag:eng"], "dst": ["tag:k8s-operator"], "app": { "tailscale.com/cap/kubernetes": [{ "recorder": ["tag:my-recorder"] “enforceRecorder”: true }], }, } ] This grant enforces `kubectl exec` sessions from tailnet clients, matching `tag:eng` via API server proxy matching `tag:k8s-operator` to be recorded and recording to be sent to a tsrecorder instance, matching `tag:my-recorder`. The type needs to be shared with control because we want control to parse this cap and resolve tags to peer IPs. Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Irbe Krumina	807934f00c	cmd/k8s-operator,k8s-operator: allow proxies accept advertized routes. (#12388 ) Add a new .spec.tailscale.acceptRoutes field to ProxyClass, that can be optionally set to true for the proxies to accept routes advertized by other nodes on tailnet (equivalent of setting --accept-routes to true). Updates tailscale/tailscale#12322,tailscale/tailscale#10684 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 months ago
Irbe Krumina	53d9cac196	k8s-operator/apis/v1alpha1,cmd/k8s-operator/deploy/examples: update DNSConfig description (#11971 ) Also removes hardcoded image repo/tag from example DNSConfig resource as the operator now knows how to default those. Updates tailscale/tailscale#11019 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 months ago
Tom Proctor	23e26e589f	cmd/k8s-operator,k8s-opeerator: include Connector's MagicDNS name and tailnet IPs in status (#12359 ) Add new fields TailnetIPs and Hostname to Connector Status. These contain the addresses of the Tailscale node that the operator created for the Connector to aid debugging. Fixes #12214 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	4 months ago
Irbe Krumina	3a6d3f1a5b	cmd/k8s-operator,k8s-operator,go.{mod,sum}: make individual proxy images/image pull policies configurable (#11928 ) cmd/k8s-operator,k8s-operator,go.{mod,sum}: make individual proxy images/image pull policies configurable Allow to configure images and image pull policies for individual proxies via ProxyClass.Spec.StatefulSet.Pod.{TailscaleContainer,TailscaleInitContainer}.Image, and ProxyClass.Spec.StatefulSet.Pod.{TailscaleContainer,TailscaleInitContainer}.ImagePullPolicy fields. Document that we have images in ghcr.io on the relevant Helm chart fields. Updates tailscale/tailscale#11675 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 months ago
Andrew Dunham	e88a5dbc92	various: fix lint warnings Some lint warnings caught by running 'make lint' locally. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I1534ed6f2f5e1eb029658906f9d62607dad98ca3	4 months ago
Brad Fitzpatrick	8a11a43c28	cmd/derpprobe: support 'local' derpmap to get derp map via LocalAPI To make it easier for people to monitor their custom DERP fleet. Updates tailscale/corp#20654 Change-Id: Id8af22936a6d893cc7b6186d298ab794a2672524 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Jordan Whited	6e106712f6	cmd/stunstamp: support probing multiple ports (#12356 ) Updates tailscale/corp#20344 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Maisem Ali	36e8e8cd64	wgengine/magicsock: use math/rands/v2 Updates #11058 Co-authored-by: James Tucker <james@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 months ago
Fran Bull	573c8bd8c7	cmd/natc: add --wg-port flag Updates tailscale/corp#20503 Signed-off-by: Fran Bull <fran@tailscale.com>	4 months ago
Maisem Ali	4a8cb1d9f3	all: use math/rand/v2 more Updates #11058 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 months ago
Fran Bull	d2d459d442	cmd/natc: add --ignore-destinations flag Updates tailscale/corp#20503 Signed-off-by: Fran Bull <fran@tailscale.com>	4 months ago
Jordan Whited	cf1e6c6e55	cmd/stunstamp: fix remote write retry (#12348 ) Evaluation of remote write errors was using errors.Is() where it should have been using errors.As(). Updates tailscale/corp#20344 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago

1 2 3 4 5 ...

1858 Commits (c8fe9f0064127c8be5c8641ff523d06e9293080b)