tailscale

Commit Graph

Author	SHA1	Message	Date
Maisem Ali	d1d5d52b2c	net/tstun/table: add initial RoutingTable implementation It is based on `*tempfork/device.AllowedIPs`. Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	2522b0615f	tempfork/device: add a temp fork of golang.zx2c4.com/wireguard/device This will allow us to reuse the AllowedIPs for NAT decisions in a follow on commit. The files `allowedips_*.go` are as-is, `peer.go` only keeps the `Peer` declaration with a single element required for AllowedIPs. Upstream commit https://git.zx2c4.com/wireguard-go/commit/?id=052af4a8072bbbd3bfe7edf46fe3c1b350f71f08 Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Dunham	c98652c333	doctor/permissions: add new check to print process permissions Since users can run tailscaled in a variety of ways (root, non-root, non-root with process capabilities on Linux), this check will print the current process permissions to the log to aid in debugging. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ida93a206123f98271a0c664775d0baba98b330c7	1 year ago
License Updater	524f53de89	licenses: update tailscale{,d} licenses Signed-off-by: License Updater <noreply@tailscale.com>	1 year ago
James Tucker	8c2b755b2e	tool/gocross: use grep -E over egrep to avoid warning Recent egrep builds produce a warning: ``` egrep: warning: egrep is obsolescent; using grep -E ``` Updates #cleanup Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
James Tucker	a31e43f760	go.mod: bump gvisor to 20230320 for dispatcher locking Upstream improved code around an issue showing up in CI, where sometimes shutdown will race on endpoint.dispatcher being nil'd, causing a panic down stack of injectInbound. The upstream patch makes some usage more safe, but it does not itself fix the local issue. See panic in https://github.com/tailscale/tailscale/actions/runs/4548299564/jobs/8019187385#step:7:843 See fix in google/gvisor@13d7bf69d8 Updates #7715 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
James Tucker	c628132b34	wgengine/netstack: do not send packets to netstack after close Use the local context on Impl to check for shut down state in order to drop rather than inject packets after close has begun. Netstack sets endpoint.dispatcher to nil during shutdown. After the recent adjustment in `920ec69241` we now wait for netstack to fully shutdown before we release tests. This means that we may continue to accept packets and attempt to inject them, which we must prevent in order to avoid nil pointer panic. References google/gvisor#8765 Fixes #7715 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Maisem Ali	e04acabfde	ssh/tailssh: fix race in errors returned when starting recorder There were two code paths that could fail depending on how fast the recorder responses. This fixes that by returning the correct error from both paths. Fixes #7707 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Flakes Updater	cb960d6cdd	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply@tailscale.com>	1 year ago
Jordan Whited	27e37cf9b3	go.mod, net/tstun, wgengine/magicsock: update wireguard-go (#7712 ) This commit updates the wireguard-go dependency to pull in fixes for the tun package, specifically 052af4a and aad7fca. Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 year ago
License Updater	946451b43e	licenses: update win/apple licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	1 year ago
License Updater	840d69e1eb	licenses: update win/apple licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	1 year ago
Josh Bleecher Snyder	3ba9f8dd04	util/codegen: add -copyright to control presence of copyright headers Fixes #7702 Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>	1 year ago
Will Norris	7c99210e68	log: allow toggling sockstat logs via c2n component logging Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Maisem Ali	920ec69241	tsnet,wgenegine/netstack: add test and fix resource leaks We were not closing the http.Server and were also not waiting for netstack to fully close. Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Anton Tolchanov	2a933c1903	cmd/tailscale: extend hostname validation (#7678 ) In addition to checking the total hostname length, validate characters used in each DNS label and label length. Updates https://github.com/tailscale/corp/issues/10012 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
shayne	43f7ec48ca	funnel: change references from alpha to beta (#7613 ) Updates CLI and docs to reference Funnel as beta Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
shayne	3177ccabe5	ipn/ipnlocal: [serve/funnel] use actual SrcAddr as X-Forwarded-For (#7600 ) The reverse proxy was sending the ingressd IPv6 down as the X-Forwarded-For. This update uses the actual remote addr. Updates tailscale/corp#9914 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
shayne	7908b6d616	ipn/ipnlocal: [serve] Trim mountPoint prefix from proxy path (#7334 ) This change trims the mountPoint from the request URL path before sending the request to the reverse proxy. Today if you mount a proxy at `/foo` and request to `/foo/bar/baz`, we leak the `mountPoint` `/foo` as part of the request URL's path. This fix makes removed the `mountPoint` prefix from the path so proxied services receive requests as if they were running at the root (`/`) path. This could be an issue if the app generates URLs (in HTML or otherwise) and assumes `/path`. In this case, those URLs will 404. With that, I still think we should trim by default and not leak the `mountPoint` (specific to Tailscale) into whatever app is hosted. If it causes an issue with URL generation, I'd suggest looking at configuring an app-specific path prefix or running Caddy as a more advanced solution. Fixes: #6571 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
Denton Gentry	ed10a1769b	scripts/installer.sh: check Photon OS version with pkg server. Photon OS support crossed streams with using pkgserve to check for supported versions `6f9aed1656`. Make Photon OS also rely on pkgserve. Updates https://github.com/tailscale/tailscale/issues/7651 Updates https://github.com/tailscale/corp/issues/8952 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
Maisem Ali	5ba57e4661	ssh/tailssh: add tests for recording failure Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Denton Gentry	d5abdd915e	scripts/installer: add VMWare PhotonOS. Fixes https://github.com/tailscale/tailscale/issues/7651 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
valscale	74eb99aed1	derp, derphttp, magicsock: send new unknown peer frame when destination is unknown (#7552 ) * wgengine/magicsock: add envknob to send CallMeMaybe to non-existent peer For testing older client version responses to the PeerGone packet format change. Updates #4326 Signed-off-by: Val <valerie@tailscale.com> * derp: remove dead sclient struct member replaceLimiter Leftover from an previous solution to the duplicate client problem. Updates #2751 Signed-off-by: Val <valerie@tailscale.com> * derp, derp/derphttp, wgengine/magicsock: add new PeerGone message type Not Here Extend the PeerGone message type by adding a reason byte. Send a PeerGone "Not Here" message when an endpoint sends a disco message to a peer that this server has no record of. Fixes #4326 Signed-off-by: Val <valerie@tailscale.com> --------- Signed-off-by: Val <valerie@tailscale.com>	1 year ago
Maisem Ali	09d0b632d4	ssh/tailssh: add session recording test for non-pty sessions Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	d39a5e4417	tsnet: support TS_AUTH_KEY variant too Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	d2fd101eb4	net/tstun: only log natConfig on changes Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	8ac5976897	logpolicy: do not upload logs in tests Fixes tailscale/corp#10030 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	7300b908fb	logpolicy: split out DialContext into a func Updates tailscale/corp#10030 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	ca19cf13e9	log/sockstatlog: add resource cleanup test Updates tailscale/corp#10030 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Dunham	33b359642e	net/dns: don't send on closed channel in resolvedManager Fixes #7686 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ibffb05539ab876b12407d77dcf2201d467895981	1 year ago
Anton Tolchanov	6f9aed1656	scripts: use pkg server to determine supported deb/rpm distros Fixes https://github.com/tailscale/corp/issues/8952 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Andrew Dunham	4cb1bfee44	net/netcheck: improve determinism in hairpinning test If multiple Go channels have a value (or are closed), receiving from them all in a select will nondeterministically return one of the two arms. In this case, it's possible that the hairpin check timer will have expired between when we start checking and before we check at all, but the hairpin packet has already been received. In such cases, we'd nondeterministically set report.HairPinning. Instead, check if we have a value in our results channel first, then select on the value and timeout channel after. Also, add a test that catches this particular failure. Fixes #1795 Change-Id: I842ab0bd38d66fabc6cabf2c2c1bb9bd32febf35 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	1 year ago
Maisem Ali	4a89642f7f	log/sockstatlog: make shutdown close idle connections Updates tailscale/corp#10030 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	9e81db50f6	ipn/ipnlocal: use atomicfile.WriteFile in certFileStore Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	8a11f76a0d	ipn/ipnlocal: fix cert storage in Kubernetes We were checking against the wrong directory, instead if we have a custom store configured just use that. Fixes #7588 Fixes #7665 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	ec90522a53	ipn/ipnlocal: also store ACME keys in the certStore We were not storing the ACME keys in the state store, they would always be stored on disk. Updates #7588 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	0e203e414f	net/packet: add checksum update tests Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	0bf8c8e710	net/tstun: use p.Buffer() in more places Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	f6ea6863de	tstest/integration: add ping test w/ masquerades Updates tailscale/corp#8020 Co-authored-by: Melanie Warrick <warrick@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	bb31fd7d1c	net/tstun: add inital support for NAT v4 This adds support in tstun to utitilize the SelfNodeV4MasqAddrForThisPeer and perform the necessary modifications to the packet as it passes through tstun. Currently this only handles ICMP, UDP and TCP traffic. Subnet routers and Exit Nodes are also unsupported. Updates tailscale/corp#8020 Co-authored-by: Melanie Warrick <warrick@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	535fad16f8	net/tstun: rename filterIn/filterOut methods to be more descriptive Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	f61b306133	tailcfg: add Node.SelfNodeV4MasqAddrForThisPeer This only adds the field, to be used in a future commit. Updates tailscale/corp#8020 Co-authored-by: Melanie Warrick <warrick@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	583e86b7df	ssh/tailssh: handle session recording when running in userspace mode Previously it would dial out using the http.DefaultClient, however that doesn't work when tailscaled is running in userspace mode (e.g. when testing). Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	df89b7de10	cmd/k8s-operator: disable HTTP/2 for the auth proxy Kubernetes uses SPDY/3.1 which is incompatible with HTTP/2, disable it in the transport and server. Fixes #7645 Fixes #7646 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	8a246487c2	ssh/tailssh: enable recording of non-pty sessions Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	8765568373	ssh/tailssh: add docs to CastHeader fields Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	9d8b7a7383	ipn/store/kubestore: handle "/" in ipn.StateKeys Kubernetes doesn't allow slashes as keys in secrets, replace them with "__". This shows up in the kubernetes-operator now that tsnet sets resets the ServeConfig at startup. Fixes #7662 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Will Norris	57a008a1e1	all: pass log IDs as the proper type rather than strings This change focuses on the backend log ID, which is the mostly commonly used in the client. Tests which don't seem to make use of the log ID just use the zero value. Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Andrew Dunham	13377e6458	ssh/tailssh: always assert our final uid/gid Move the assertions about our post-privilege-drop UID/GID out of the conditional if statement and always run them; I haven't been able to find a case where this would fail. Defensively add an envknob to disable this feature, however, which we can remove after the 1.40 release. Updates #7616 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Iaec3dba9248131920204bd6c6d34bbc57a148185	1 year ago
Andrew Dunham	9de8287d47	ssh/tailssh: lock OS thread during incubator This makes it less likely that we trip over bugs like golang/go#1435. Updates #7616 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ic28c03c3ad8ed5274a795c766b767fa876029f0e	1 year ago

1 2 3 4 5 ...

5551 Commits (d1d5d52b2c11d97d11819bdade4e855b0b559b7c) All Branches Search

5551 Commits (d1d5d52b2c11d97d11819bdade4e855b0b559b7c)

All Branches