tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	69f4b4595a	wgengine{,/wgint}: add wgint.Peer wrapper type, add to wgengine.Engine This adds a method to wgengine.Engine and plumbed down into magicsock to add a way to get a type-safe Tailscale-safe wrapper around a wireguard-go device.Peer that only exposes methods that are safe for Tailscale to use internally. It also removes HandshakeAttempts from PeerStatusLite that was just added as it wasn't needed yet and is now accessible ala cart as needed from the Peer type accessor. None of this is used yet. Updates #7617 Change-Id: I07be0c4e6679883e6eeddf8dbed7394c9e79c5f4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
James Tucker	7e17aeb36b	.github/workflows: fix regular breakage of go toolchains This server recently had a common ansible applied, which added a periodic /tmp cleaner, as is needed on other CI machines to deal with test tempfile leakage. The setting of $HOME to /tmp means that the go toolchain in there was regularly getting pruned by the tmp cleaner, but often incompletely, because it was also in use. Move HOME to a runner owned directory. Updates #11248 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Brad Fitzpatrick	b4ff9a578f	wgengine: rename local variable from 'found' to conventional 'ok' Updates #cleanup Change-Id: I799dc86ea9e4a3a949592abdd8e74282e7e5d086 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	a8a525282c	wgengine: use slices.Clone in two places Updates #cleanup Change-Id: I1cb30efb6d09180e82b807d6146f37897ef99307 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	74b8985e19	ipn/ipnstate, wgengine: make PeerStatusLite.LastHandshake zero Time means none ... rather than 1970. Code was using IsZero against the 1970 team (which isn't a zero value), but fortunately not anywhere that seems to have mattered. Updates #cleanup Change-Id: I708a3f2a9398aaaedc9503678b4a8a311e0e019e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Andrew Dunham	3dd8ae2f26	net/tstun: fix spelling of "WireGuard" Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ida7e30f4689bc18f5f7502f53a0adb5ac3c7981a	3 months ago
Andrew Dunham	a20e46a80f	util/cache: fix missing interface methods (#11275 ) Updates #cleanup Change-Id: Ib3a33a7609530ef8c9f3f58fc607a61e8655c4b5 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	3 months ago
Andrew Dunham	23e9447871	tsweb: expose function to generate request IDs For use in corp. Updates tailscale/corp#2549 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I71debae1ce9ae48cf69cc44c2ab5c443fc3b2005	3 months ago
Mario Minardi	7912d76da0	client/web: update to typescript 5.3.3 (#11267 ) Update typescript to 5.3.3. This is a major bump from the previous version of 4.8.3. This also requires adding newer versions of @typescript-eslint/eslint-plugin and @typescript-eslint/parser to our resolutions as eslint-config-react-app pulls in versions that otherwise do not support typescript 5.x. eslint-config-react-app has not been updated in 2 years and is seemingly abandoned, so we may wish to fork it or move to a different eslint config in the future. Updates https://github.com/tailscale/corp/issues/17810 Signed-off-by: Mario Minardi <mario@tailscale.com>	3 months ago
Andrew Dunham	c5abbcd4b4	wgengine/netstack: add a per-client limit for in-flight TCP forwards This is a fun one. Right now, when a client is connecting through a subnet router, here's roughly what happens: 1. The client initiates a connection to an IP address behind a subnet router, and sends a TCP SYN 2. The subnet router gets the SYN packet from netstack, and after running through acceptTCP, starts DialContext-ing the destination IP, without accepting the connection¹ 3. The client retransmits the SYN packet a few times while the dial is in progress, until either... 4. The subnet router successfully establishes a connection to the destination IP and sends the SYN-ACK back to the client, or... 5. The subnet router times out and sends a RST to the client. 6. If the connection was successful, the client ACKs the SYN-ACK it received, and traffic starts flowing As a result, the notification code in forwardTCP never notices when a new connection attempt is aborted, and it will wait until either the connection is established, or until the OS-level connection timeout is reached and it aborts. To mitigate this, add a per-client limit on how many in-flight TCP forwarding connections can be in-progress; after this, clients will see a similar behaviour to the global limit, where new connection attempts are aborted instead of waiting. This prevents a single misbehaving client from blocking all other clients of a subnet router by ensuring that it doesn't starve the global limiter. Also, bump the global limit again to a higher value. ¹ We can't accept the connection before establishing a connection to the remote server since otherwise we'd be opening the connection and then immediately closing it, which breaks a bunch of stuff; see #5503 for more details. Updates tailscale/corp#12184 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I76e7008ddd497303d75d473f534e32309c8a5144	3 months ago
Claire Wang	352c1ac96c	tailcfg: add latitude, longitude for node location (#11162 ) Updates tailscale/corp#17590 Signed-off-by: Claire Wang <claire@tailscale.com>	3 months ago
Irbe Krumina	95dcc1745b	cmd/k8s-operator: reconcile tailscale Ingresses when their backend Services change. (#11255 ) This is so that if a backend Service gets created after the Ingress, it gets picked up by the operator. Updates tailscale/tailscale#11251 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <1687799+knyar@users.noreply.github.com>	3 months ago
Irbe Krumina	303125d96d	cmd/k8s-operator: configure all proxies with declarative config (#11238 ) Containerboot container created for operator's ingress and egress proxies are now always configured by passing a configfile to tailscaled (tailscaled --config <configfile-path>. It does not run 'tailscale set' or 'tailscale up'. Upgrading existing setups to this version as well as downgrading existing setups at this version works. Updates tailscale/tailscale#10869 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Irbe Krumina	45d27fafd6	cmd/k8s-operator,k8s-operator,go.{mod,sum},tstest/tools: add Tailscale Kubernetes operator API docs (#11246 ) Add logic to autogenerate CRD docs. .github/workflows/kubemanifests.yaml CI workflow will fail if the doc is out of date with regard to the current CRDs. Docs can be refreshed by running make kube-generate-all. Updates tailscale/tailscale#11023 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Percy Wegmann	05acf76392	tailfs: fix race condition in tailfs_test Ues a noop authenticator to avoid potential races in gowebdav's built-in authenticator. Fixes #11259 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Keli	086ef19439	scripts/installer.sh: auto-start tailscale on Alpine (#11214 ) On Alpine, we add the tailscale service but fail to call start. This means that tailscale does not start up until the user reboots the machine. Fixes #11161 Signed-off-by: Keli Velazquez <keli@tailscale.com>	3 months ago
Brad Fitzpatrick	1cf85822d0	ipn/ipnstate, wgengine/wgint: add handshake attempts accessors Not yet used. This is being made available so magicsock/wgengine can use it to ignore certain sends (UDP + DERP) later on at least mobile, letting wireguard-go think it's doing its full attempt schedule, but we can cut it short conditionally based on what we know from the control plane. Updates #7617 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Change-Id: Ia367cf6bd87b2aeedd3c6f4989528acdb6773ca7	3 months ago
Brad Fitzpatrick	eb28818403	wgengine: make pendOpen time later, after dup check Otherwise on OS retransmits, we'd make redundant timers in Go's timer heap that upon firing just do nothing (well, grab a mutex and check a map and see that there's nothing to do). Updates #cleanup Change-Id: Id30b8b2d629cf9c7f8133a3f7eca5dc79e81facb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	219efebad4	wgengine: reduce critical section No need to hold wgLock while using the device to LookupPeer; that has its own mutex already. Updates #cleanup Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Change-Id: Ib56049fcc7163cf5a2c2e7e12916f07b4f9d67cb	3 months ago
Brad Fitzpatrick	9a8c2f47f2	types/key: remove copy returning array by value It's unnecessary. Returning an array value is already a copy. Updates #cleanup Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Change-Id: If7f350b61003ea08f16a531b7b4e8ae483617939	3 months ago
Anton Tolchanov	8cc5c51888	health: warn about reverse path filtering and exit nodes When reverse path filtering is in strict mode on Linux, using an exit node blocks all network connectivity. This change adds a warning about this to `tailscale status` and the logs. Example in `tailscale status`: ``` - not connected to home DERP region 22 - The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 ``` Example in the logs: ``` 2024/02/21 21:17:07 health("overall"): error: multiple errors: not in map poll The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 ``` Updates #3310 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	3 months ago
Nick Khyl	7ef1fb113d	cmd/tailscaled, ipn/ipnlocal, wgengine: shutdown tailscaled if wgdevice is closed Tailscaled becomes inoperative if the Tailscale Tunnel wintun adapter is abruptly removed. wireguard-go closes the device in case of a read error, but tailscaled keeps running. This adds detection of a closed WireGuard device, triggering a graceful shutdown of tailscaled. It is then restarted by the tailscaled watchdog service process. Fixes #11222 Signed-off-by: Nick Khyl <nickk@tailscale.com>	3 months ago
Nick Khyl	b42b9817b0	net/dns: do not wait for the interface registry key to appear if the windowsManager is being closed The WinTun adapter may have been removed by the time we're closing the dns.windowsManager, and its associated interface registry key might also have been deleted. We shouldn't use winutil.OpenKeyWait and wait for the interface key to appear when performing a cleanup as a part of the windowsManager shutdown. Updates #11222 Signed-off-by: Nick Khyl <nickk@tailscale.com>	3 months ago
OSS Updater	82c569a83a	go.mod: update web-client-prebuilt module Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>	3 months ago
Sonia Appasamy	95f26565db	client/web: use grants on web UI frontend Starts using peer capabilities to restrict the management client on a per-view basis. This change also includes a bulky cleanup of the login-toggle.tsx file, which was getting pretty unwieldy in its previous form. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	3 months ago
Sonia Appasamy	9aa704a05d	client/web: restrict serveAPI endpoints to peer capabilities This change adds a new apiHandler struct for use from serveAPI to aid with restricting endpoints to specific peer capabilities. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	3 months ago
Anton Tolchanov	cd9cf93de6	wgengine/netstack: expose TCP forwarder drops via clientmetrics - add a clientmetric with a counter of TCP forwarder drops due to the max attempts; - fix varz metric types, as they are all counters. Updates #8210 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	3 months ago
Percy Wegmann	50fb8b9123	tailfs: replace webdavfs with reverse proxies Instead of modeling remote WebDAV servers as actual webdav.FS instances, we now just proxy traffic to them. This not only simplifies the code, but it also allows WebDAV locking to work correctly by making sure locks are handled by the servers that need to (i.e. the ones actually serving the files). Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Brad Fitzpatrick	e1bd7488d0	all: remove LenIter, use Go 1.22 range-over-int instead Updates #11058 Updates golang/go#65685 Change-Id: Ibb216b346e511d486271ab3d84e4546c521e4e22 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
mrrfv	ff1391a97e	net/dns/publicdns: add Mullvad family DNS to the list of known DoH servers Adds the new Mullvad family DNS server to the known DNS over HTTPS server list. Signed-off-by: mrrfv <rm-rfv-no-preserve-root@protonmail.com>	3 months ago
Brad Fitzpatrick	6ad6d6b252	wgengine/wglog: add TS_DEBUG_RAW_WGLOG envknob for raw wg logs Updates #7617 (part of debugging it) Change-Id: I1bcbdcf0f929e3bcf83f244b1033fd438aa6dac1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	8b9474b06a	wgengine/wgcfg: don't send UAPI to disable keep-alives on new peers That's already the default. Avoid the overhead of writing it on one side and reading it on the other to do nothing. Updates #cleanup (noticed while researching something else) Change-Id: I449c88a022271afb9be5da876bfaf438fe5d3f58 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
James Tucker	8d0d46462b	net/dns: timeout DOH requests after 10s without response headers If a client socket is remotely lost but the client is not sent an RST in response to the next request, the socket might sit in RTO for extended lengths of time, resulting in "no internet" for users. Instead, timeout after 10s, which will close the underlying socket, recovering from the situation more promptly. Updates #10967 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
James Tucker	0c5e65eb3f	cmd/derper: apply TCP keepalive and timeout to TLS as well I missed a case in the earlier patch, and so we're still sending 15s TCP keepalive for TLS connections, now adjusted there too. Updates tailscale/corp#17587 Updates #3363 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
James Tucker	c9b6d19fc9	.github/workflows: fix typo in XDG_CACHE_HOME This appears to be one of the contributors to this CI target regularly entering a bad state with a partially written toolchain. Updates #self Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
James Tucker	651c4899ac	net/interfaces: reduce & cleanup logs on iOS We don't need a log line every time defaultRoute is read in the good case, and we now only log default interface updates that are actually changes. Updates #3363 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Andrea Gottardo	c8c999d7a9	cli/debug: rename DERP debug mode (#11220 ) Renames a debug flag in the CLI. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	3 months ago
Mario Minardi	ac281dd493	client/web: update vite and vitest to latest versions (#11200 ) Update vite to 5.1.4, and vitest to 1.3.1 (their latest versions). Also remove vite-plugin-rewrite-all as this is no longer necessary with vite 5.x and has a dependency on vite 4.x. Updates https://github.com/tailscale/corp/issues/17715 Signed-off-by: Mario Minardi <mario@tailscale.com>	3 months ago
Percy Wegmann	15b2c674bf	cmd/tailscale: add node attribute instructions to share command help This adds details on how to configure node attributes to allow sharing and accessing shares. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
James Tucker	131f9094fd	wgengine/wglog: quieten WireGuard logs for allowedips An increasing number of users have very large subnet route configurations, which can produce very large amounts of log data when WireGuard is reconfigured. The logs don't contain the actual routes, so they're largely useless for diagnostics, so we'll just suppress them. Fixes tailscale/corp#17532 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Andrew Dunham	e8d2fc7f7f	net/tshttpproxy: log when we're using a proxy Updates #11196 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id6334c10f52f4cfbda9f03dc8096ab7a6c54a088	3 months ago
Mario Minardi	713d2928b1	client/web: update plugin-react-swc to latest version (#11199 ) Update plugin-react-swc to the latest version (3.6.0) ahead of updating vite to 5.x. Updates https://github.com/tailscale/corp/issues/17715 Signed-off-by: Mario Minardi <mario@tailscale.com>	3 months ago
Mario Minardi	72140da000	client/web: update vite-plugin-svgr to latest version (#11197 ) Update vite-plugin-svgr to the latest version (4.2.0) ahead of updating vite to 5.x. This is a major version bump from our previous 3.x, and requires changing the import paths used for SVGs. Updates https://github.com/tailscale/corp/issues/17715 Signed-off-by: Mario Minardi <mario@tailscale.com>	3 months ago
James Tucker	edbad6d274	cmd/derper: add user timeout and reduce TCP keepalive The derper sends an in-protocol keepalive every 60-65s, so frequent TCP keepalives are unnecessary. In this tuning TCP keepalives should never occur for a DERP client connection, as they will send an L7 keepalive often enough to always reset the TCP keepalive timer. If however a connection does not receive an ACK promptly it will now be shutdown, which happens sooner than it would with a normal TCP keepalive tuning. This re-tuning reduces the frequency of network traffic from derp to client, reducing battery cost. Updates tailscale/corp#17587 Updates #3363 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Andrea Gottardo	0359c2f94e	util/syspolicy: add 'ResetToDefaults' (#11194 ) Updates ENG-2133. Adds the ResetToDefaults visibility policy currently only available on macOS, so that the Windows client can read its value. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	3 months ago
Brad Fitzpatrick	10d130b845	cmd/derper, derp, tailcfg: add admission controller URL option So derpers can check an external URL for whether to permit access to a certain public key. Updates tailscale/corp#17693 Change-Id: I8594de58f54a08be3e2dbef8bcd1ff9b728ab297 Co-authored-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	2988c1ec52	derp: plumb context to Server.verifyClient Updates tailscale/corp#17693 Change-Id: If17e02c77d5ad86b820e639176da2d3e61296bae Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Paul Scott	7708ab68c0	cmd/tailscale/cli: pass "-o 'CanonicalizeHostname no'" to ssh Fixes #10348 Signed-off-by: Paul Scott <paul@tailscale.com>	3 months ago
Percy Wegmann	91a1019ee2	cmd/testwrapper: apply results of all unit tests to coverage for all packages This allows coverage from tests that hit multiple packages at once to be reflected in all those packages' coverage. Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Andrea Gottardo	d756622432	util/syspolicy: add ManagedBy keys for Windows (#11183 )	3 months ago

1 2 3 4 5 ...

7258 Commits (cc950c079140abfdaaf69777fa171f0bcfa63598) All Branches Search

7258 Commits (cc950c079140abfdaaf69777fa171f0bcfa63598)

All Branches