tailscale

Commit Graph

Author	SHA1	Message	Date
Nick Khyl	d837e0252f	wf/firewall: allow link-local multicast for permitted local routes when the killswitch is on on Windows When an Exit Node is used, we create a WFP rule to block all inbound and outbound traffic, along with several rules to permit specific types of traffic. Notably, we allow all inbound and outbound traffic to and from LocalRoutes specified in wgengine/router.Config. The list of allowed routes always includes routes for internal interfaces, such as loopback and virtual Hyper-V/WSL2 interfaces, and may also include LAN routes if the "Allow local network access" option is enabled. However, these permitting rules do not allow link-local multicast on the corresponding interfaces. This results in broken mDNS/LLMNR, and potentially other similar issues, whenever an exit node is used. In this PR, we update (wf.Firewall).UpdatePermittedRoutes() to create rules allowing outbound and inbound link-local multicast traffic to and from the permitted IP ranges, partially resolving the mDNS/LLMNR and .local name resolution issue. Since Windows does not attempt to send mDNS/LLMNR queries if a catch-all NRPT rule is present, it is still necessary to disable the creation of that rule using the disable-local-dns-override-via-nrpt nodeAttr. Updates #13571 Signed-off-by: Nick Khyl <nickk@tailscale.com>	3 weeks ago
Brad Fitzpatrick	b8af93310a	tstest: add the start of a testing wishlist Of tests we wish we could easily add. One day. Updates #13038 Change-Id: If44646f8d477674bbf2c9a6e58c3cd8f94a4e8df Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Andrea Gottardo	6de6ab015f	net/dns: tweak DoH timeout, limit MaxConnsPerHost, require TLS 1.3 (#13564 ) Updates tailscale/tailscale#6148 This is the result of some observations we made today with @raggi. The DNS over HTTPS client currently doesn't cap the number of connections it uses, either in-use or idle. A burst of DNS queries will open multiple connections. Idle connections remain open for 30 seconds (this interval is defined in the dohTransportTimeout constant). For DoH providers like NextDNS which send keep-alives, this means the cellular modem will remain up more than expected to send ACKs if any keep-alives are received while a connection remains idle during those 30 seconds. We can set the IdleConnTimeout to 10 seconds to ensure an idle connection is terminated if no other DNS queries come in after 10 seconds. Additionally, we can cap the number of connections to 1. This ensures that at all times there is only one open DoH connection, either active or idle. If idle, it will be terminated within 10 seconds from the last query. We also observed all the DoH providers we support are capable of TLS 1.3. We can force this TLS version to reduce the number of packets sent/received each time a TLS connection is established. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	3 weeks ago
Brad Fitzpatrick	a01b545441	control/control{client,http}: don't noise dial localhost:443 in http-only tests `1eaad7d3de` regressed some tests in another repo that were starting up a control server on `http://127.0.0.1:nnn`. Because there was no https running, and because of a bug in `1eaad7d3de` (which ended up checking the recently-dialed-control check twice in a single dial call), we ended up forcing only the use of TLS dials in a test that only had plaintext HTTP running. Instead, plumb down support for explicitly disabling TLS fallbacks and use it only when running in a test and using `http` scheme control plane URLs to 127.0.0.1 or localhost. This fixes the tests elsewhere. Updates #13597 Change-Id: I97212ded21daf0bd510891a278078daec3eebaa6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Brad Fitzpatrick	6b03e18975	control/controlhttp: rename a param from addr to optAddr for clarity And update docs. Updates #cleanup Updates #13597 (tangentially; noted this cleanup while debugging) Change-Id: I62440294c78b0bb3f5673be10318dd89af1e1bfe Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Brad Fitzpatrick	f49d218cfe	net/dnscache: don't fall back to an IPv6 dial if we don't have IPv6 I noticed while debugging a test failure elsewhere that our failure logs (when verbosity is cranked up) were uselessly attributing dial failures to failure to dial an invalid IP address (this IPv6 address we didn't have), rather than showing me the actual IPv4 connection failure. Updates #13597 (tangentially) Change-Id: I45ffbefbc7e25ebfb15768006413a705b941dae5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Brad Fitzpatrick	30f0fa95d9	control/controlclient: bound ReportHealthChange context lifetime to Direct client's Fixes #13651 Change-Id: I8154d3cc0ca40fe7a0223b26ae2e77e8d6ba874b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Andrea Gottardo	ed1ac799c8	net/captivedetection: set Timeout on net.Dialer (#13613 ) Updates tailscale/tailscale#1634 Updates tailscale/tailscale#13265 Captive portal detection uses a custom `net.Dialer` in its `http.Client`. This custom Dialer ensures that the socket is bound specifically to the Wi-Fi interface. This is crucial because without it, if any default routes are set, the outgoing requests for detecting a captive portal would bypass Wi-Fi and go through the default route instead. The Dialer did not have a Timeout property configured, so the default system timeout was applied. This caused issues in #13265, where we attempted to make captive portal detection requests over an IPsec interface used for Wi-Fi Calling. The call to `connect()` would fail and remain blocked until the system timeout (approximately 1 minute) was reached. In #13598, I simply excluded the IPsec interface from captive portal detection. This was a quick and safe mitigation for the issue. This PR is a follow-up to make the process more robust, by setting a 3 seconds timeout on any connection establishment on any interface (this is the same timeout interval we were already setting on the HTTP client). Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	3 weeks ago
Nick Khyl	e66fe1f2e8	docs/windows/policy: add ADMX policy setting to configure the AuthKey Updates tailscale/corp#22120 Signed-off-by: Nick Khyl <nickk@tailscale.com>	3 weeks ago
dependabot[bot]	992ee6dd0b	.github: Bump github/codeql-action from 3.26.8 to 3.26.9 (#13625 ) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.8 to 3.26.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](`294a9d9291...461ef6c76d`) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	3 weeks ago
Brad Fitzpatrick	262c526c4e	net/portmapper: don't treat 0.0.0.0 as a valid IP Updates tailscale/corp#23538 Change-Id: I58b8c30abe43f1d1829f01eb9fb2c1e6e8db9476 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Andrew Dunham	16ef88754d	net/portmapper: don't return unspecified/local external IPs We were previously not checking that the external IP that we got back from a UPnP portmap was a valid endpoint; add minimal validation that this endpoint is something that is routeable by another host. Updates tailscale/corp#23538 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id9649e7683394aced326d5348f4caa24d0efd532	3 weeks ago
Brad Fitzpatrick	1eaad7d3de	control/controlhttp: fix connectivity on Alaska Air wifi Updates #13597 Change-Id: Ifbf52b93fd35d64fcf80f8fddbfd610008fd8742 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Brad Fitzpatrick	fd32f0ddf4	control/controlhttp: factor out some code in prep for future change This pulls out the clock and forceNoise443 code into methods on the Dialer as cleanup in its own commit to make a future change less distracting. Updates #13597 Change-Id: I7001e57fe7b508605930c5b141a061b6fb908733 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Brad Fitzpatrick	d3f302d8e2	cmd/tailscale/cli: make 'tailscale debug ts2021' try twice In prep for a future port 80 MITM fix, make the 'debug ts2021' command retry once after a failure to give it a chance to pick a new strategy. Updates #13597 Change-Id: Icb7bad60cbf0dbec78097df4a00e9795757bc8e4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Mario Minardi	8f44ba1cd6	ssh: Add logic to set accepted environment variables in SSH session (#13559 ) Add logic to set environment variables that match the SSH rule's `acceptEnv` settings in the SSH session's environment. Updates https://github.com/tailscale/corp/issues/22775 Signed-off-by: Mario Minardi <mario@tailscale.com>	3 weeks ago
dependabot[bot]	dd6b808acf	.github: Bump peter-evans/create-pull-request from 7.0.1 to 7.0.5 (#13626 ) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 7.0.1 to 7.0.5. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](`8867c4aba1...5e914681df`) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	3 weeks ago
Anton Tolchanov	a70287d324	logpolicy: don't create a filch buffer if logging is disabled Updates #9549 Signed-off-by: Anton Tolchanov <commits@knyar.net>	3 weeks ago
Maisem Ali	fb0f8fc0ae	cmd/tsidp: add --dir flag To better control where the tsnet state is being stored. Updates #10263 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 weeks ago
Irbe Krumina	096b090caf	cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets (#13531 ) * cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets This commit is first part of the work to allow running multiple replicas of the Kubernetes operator egress proxies per tailnet service + to allow exposing multiple tailnet services via each proxy replica. This expands the existing iptables/nftables-based proxy configuration mechanism. A proxy can now be configured to route to one or more tailnet targets via a (mounted) config file that, for each tailnet target, specifies: - the target's tailnet IP or FQDN - mappings of container ports to which cluster workloads will send traffic to tailnet target ports where the traffic should be forwarded. Example configfile contents: { "some-svc": {"tailnetTarget":{"fqdn":"foo.tailnetxyz.ts.net","ports"{"tcp:4006:80":{"protocol":"tcp","matchPort":4006,"targetPort":80},"tcp:4007:443":{"protocol":"tcp","matchPort":4007,"targetPort":443}}}} } A proxy that is configured with this config file will configure firewall rules to route cluster traffic to the tailnet targets. It will then watch the config file for updates as well as monitor relevant netmap updates and reconfigure firewall as needed. This adds a bunch of new iptables/nftables functionality to make it easier to dynamically update the firewall rules without needing to restart the proxy Pod as well as to make it easier to debug/understand the rules: - for iptables, each portmapping is a DNAT rule with a comment pointing at the 'service',i.e: -A PREROUTING ! -i tailscale0 -p tcp -m tcp --dport 4006 -m comment --comment "some-svc:tcp:4006 -> tcp:80" -j DNAT --to-destination 100.64.1.18:80 Additionally there is a SNAT rule for each tailnet target, to mask the source address. - for nftables, a separate prerouting chain is created for each tailnet target and all the portmapping rules are placed in that chain. This makes it easier to look up rules and delete services when no longer needed. (nftables allows hooking a custom chain to a prerouting hook, so no extra work is needed to ensure that the rules in the service chains are evaluated). The next steps will be to get the Kubernetes Operator to generate the configfile and ensure it is mounted to the relevant proxy nodes. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 weeks ago
Irbe Krumina	c62b0732d2	cmd/k8s-operator: remove auth key once proxy has logged in (#13612 ) The operator creates a non-reusable auth key for each of the cluster proxies that it creates and puts in the tailscaled configfile mounted to the proxies. The proxies are always tagged, and their state is persisted in a Kubernetes Secret, so their node keys are expected to never be regenerated, so that they don't need to re-auth. Some tailnet configurations however have seen issues where the auth keys being left in the tailscaled configfile cause the proxies to end up in unauthorized state after a restart at a later point in time. Currently, we have not found a way to reproduce this issue, however this commit removes the auth key from the config once the proxy can be assumed to have logged in. If an existing, logged-in proxy is upgraded to this version, its redundant auth key will be removed from the conffile. If an existing, logged-in proxy is downgraded from this version to a previous version, it will work as before without re-issuing key as the previous code did not enforce that a key must be present. Updates tailscale/tailscale#13451 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 weeks ago
Kristoffer Dalby	77832553e5	ipn/ipnlocal: add advertised and primary route metrics Updates tailscale/corp#22075 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Tom Proctor	cab2e6ea67	cmd/k8s-operator,k8s-operator: add ProxyGroup CRD (#13591 ) The ProxyGroup CRD specifies a set of N pods which will each be a tailnet device, and will have M different ingress or egress services mapped onto them. It is the mechanism for specifying how highly available proxies need to be. This commit only adds the definition, no controller loop, and so it is not currently functional. This commit also splits out TailnetDevice and RecorderTailnetDevice into separate structs because the URL field is specific to recorders, but we want a more generic struct for use in the ProxyGroup status field. Updates #13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	4 weeks ago
Andrew Dunham	7ec8bdf8b1	go.mod: upgrade golangci-lint To pull in the fix for mgechev/revive#863 - seen in the GitHub Actions check below: https://github.com/tailscale/tailscale/actions/runs/11057524933/job/30721507353?pr=13600 Updates #13602 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ia04adc5d74bdbde14204645ca948794447b16776	4 weeks ago
Andrea Gottardo	69be54c7b6	net/captivedetection: exclude ipsec interfaces from captive portal detection (#13598 ) Updates tailscale/tailscale#1634 Logs from some iOS users indicate that we're pointlessly performing captive portal detection on certain interfaces named ipsec*. These are tunnels with the cellular carrier that do not offer Internet access, and are only used to provide internet calling functionality (VoLTE / VoWiFi). ``` attempting to do captive portal detection on interface ipsec1 attempting to do captive portal detection on interface ipsec6 ``` This PR excludes interfaces with the `ipsec` prefix from captive portal detection. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	4 weeks ago
Kristoffer Dalby	5550a17391	wgengine: make opts.Metrics mandatory Fixes #13582 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Kristoffer Dalby	7d1160ddaa	{ipn,net,tsnet}: use tsaddr helpers Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Kristoffer Dalby	f03e82a97c	client/web: use tsaddr helpers Updates #cleanup Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Kristoffer Dalby	0909431660	cmd/tailscale: use tsaddr helpers Updates #cleanup Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Kristoffer Dalby	3dc33a0a5b	net/tsaddr: add WithoutExitRoutes and IsExitRoute Updates #cleanup Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Mario Minardi	c90c9938c8	ssh/tailssh: add logic for matching against AcceptEnv patterns (#13466 ) Add logic for parsing and matching against our planned format for AcceptEnv values. Namely, this supports direct matches against string values and matching where * and ? are treated as wildcard characters which match against an arbitrary number of characters and a single character respectively. Actually using this logic in non-test code will come in subsequent changes. Updates https://github.com/tailscale/corp/issues/22775 Signed-off-by: Mario Minardi <mario@tailscale.com>	4 weeks ago
James Tucker	9eb59c72c1	wgengine/magicsock: fix check for EPERM on macOS Like Linux, macOS will reply to sendto(2) with EPERM if the firewall is currently blocking writes, though this behavior is like Linux undocumented. This is often caused by a faulting network extension or content filter from EDR software. Updates #11710 Updates #12891 Updates #13511 Signed-off-by: James Tucker <james@tailscale.com>	4 weeks ago
Andrew Dunham	717d589149	metrics: revert changes to MultiLabelMap's String method This breaks its ability to be used as an expvar and is blocking a trunkd deploy. Revert for now, and add a test to ensure that we don't break it in a future change. Updates #13550 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I1f1221c257c1de47b4bff0597c12f8530736116d	4 weeks ago
Cameron Stokes	65c26357b1	cmd/k8s-operator, k8s-operator: fix outdated kb links (#13585 ) updates #13583 Signed-off-by: Cameron Stokes <cameron@tailscale.com>	4 weeks ago
Adrian Dewhurst	2fdbcbdf86	wgengine/magicsock: only used cached results for GetLastNetcheckReport When querying for an exit node suggestion, occasionally it triggers a new report concurrently with an existing report in progress. Generally, there should always be a recent report or one in progress, so it is redundant to start one there, and it causes concurrency issues. Fixes #12643 Change-Id: I66ab9003972f673e5d4416f40eccd7c6676272a5 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	4 weeks ago
Brad Fitzpatrick	c2f0c705e7	health: clean up updateBuiltinWarnablesLocked a bit, fix DERP warnings Updates #13265 Change-Id: Iabe4a062204a7859d869f6acfb9274437b4ea1ea Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Kristoffer Dalby	0e0e53d3b3	util/usermetrics: make usermetrics non-global this commit changes usermetrics to be non-global, this is a building block for correct metrics if a go process runs multiple tsnets or in tests. Updates #13420 Updates tailscale/corp#22075 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Brad Fitzpatrick	e1bbe1bf45	derp: document the RunWatchConnectionLoop callback gotchas Updates #13566 Change-Id: I497b5adc57f8b1b97dbc3f74c0dc67140caad436 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	6f7e7a30e3	tool/gocross: make gocross-wrapper.sh keep multiple Go toolchains around So it doesn't delete and re-pull when switching between branches. Updates tailscale/corp#17686 Change-Id: Iffb989781db42fcd673c5f03dbd0ce95972ede0f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Mario Minardi	43f4131d7a	{release,version}: add DSM7.2 specific synology builds (#13405 ) Add separate builds for DSM7.2 for synology so that we can encode separate versioning information in the INFO file to distinguish between the two. Fixes https://github.com/tailscale/corp/issues/22908 Signed-off-by: Mario Minardi <mario@tailscale.com>	4 weeks ago
Andrea Gottardo	8a6f48b455	cli: add `tailscale dns query` (#13368 ) Updates tailscale/tailscale#13326 Adds a CLI subcommand to perform DNS queries using the internal DNS forwarder and observe its internals (namely, which upstream resolvers are being used). Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	4 weeks ago
dependabot[bot]	a98f75b783	.github: Bump tibdex/github-app-token from 1.8.0 to 2.1.0 (#9529 ) Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token) from 1.8.0 to 2.1.0. - [Release notes](https://github.com/tibdex/github-app-token/releases) - [Commits](`b62528385c...3beb63f4bd`) --- updated-dependencies: - dependency-name: tibdex/github-app-token dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Mario Minardi <mario@tailscale.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	4 weeks ago
Mario Minardi	05d82fb0d8	.github: pin re-actors/alls-green to latest 1.x (#13558 ) Pin re-actors/alls-green usage to latest 1.x. This was previously pointing to `@release/v2` which pulls in the latest changes from this branch as they are released, with the potential to break our workflows if a breaking change or malicious version on this stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinned version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	04bbef0e8b	.github: update and pin actions/upload-artifact to latest 4.x (#13556 ) Update and pin actions/upload-artifact usage to latest 4.x. These were previously pointing to @3 which pulls in the latest v3 as they are released, with the potential to break our workflows if a breaking change or malicious version on the @3 stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinned version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	a8bd0cb9c2	.github: update and pin actions/cache to latest 4.x (#13555 ) Update and pin actions/cache usage to latest 4.x. These were previously pointing to `@3` which pulls in the latest v3 as they are released, with the potential to break our workflows if a breaking change or malicious version on the `@3` stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinned version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. The breaking change between v3 and v4 is that v4 requires Node 20 which should be a non-issue where this is run. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	a3f7e72321	.github: use and pin slackapi/slack-github-action to latest 1.x (#13554 ) Use slackapi/slack-github-action across the board and pin to latest 1.x. Previously we were referencing the 1.27.0 tag directly which is vulnerable to someone replacing that version tag with malicious code. Replace usage of ruby/action-slack with slackapi/slack-github-action as the latter is the officially supported action from slack. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	22e98cf95e	.github: pin codeql actions to latest 3.x (#13552 ) Pin codeql actions usage to latest 3.x. These were previously pointing to `@2` which pulls in the latest v2 as they are released, with the potential to break our workflows if a breaking change or malicious version on the `@2` stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinend version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. The breaking change between v2 and v3 is that v3 requires Node 20 which is a non-issue as we are running this on ubuntu latest. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	2c1bbfb902	.github: pin actions/setup-go usage to latest 5.x (#13553 ) Pin actions/checkout usage to latest 5.x. These were previously pointing to `@4` which pulls in the latest v4 as they are released, with the potential to break our workflows if a breaking change or malicious version on the `@4` stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinend version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. The breaking change between v4 and v5 is that v5 requires Node 20 which should be a non-issue where it is used. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	07991dec83	.github: pin actions/checkout to latest v3 or v4 as appropriate (#13551 ) Pin actions/checkout usage to latest 3.x or 4.x as appropriate. These were previously pointing to `@4` or `@3` which pull in the latest versions at these tags as they are released, with the potential to break our workflows if a breaking change or malicious version for either of these streams are released. Changing this to a pinned version also means that dependabot will keep this in the pinend version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	8d508712c9	tailcfg: add AcceptEnv field to SSHRule (#13523 ) Add an `AcceptEnv` field to `SSHRule`. This will contain the collection of environment variable names / patterns that are specified in the `acceptEnv` block for the SSH rule within the policy file. This will be used in the tailscale client to filter out unacceptable environment variables. Updates: https://github.com/tailscale/corp/issues/22775 Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago

1 2 3 4 5 ...

8196 Commits (d837e0252f0ce9bd0a153c0911688e7e13a08a32) All Branches Search

8196 Commits (d837e0252f0ce9bd0a153c0911688e7e13a08a32)

All Branches