tailscale

Commit Graph

Author	SHA1	Message	Date
Nick Khyl	2a2228f97b	util/syspolicy/setting: make setting.RawItem JSON-marshallable We add setting.RawValue, a new type that facilitates unmarshalling JSON numbers and arrays as uint64 and []string (instead of float64 and []any) for policy setting values. We then use it to make setting.RawItem JSON-marshallable and update the tests. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	2cc1100d24	util/syspolicy/source: use errors instead of github.com/pkg/errors Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	2336c340c4	util/syspolicy: implement a syspolicy store that reads settings from environment variables In this PR, we implement (but do not use yet, pending #13727 review) a syspolicy/source.Store that reads policy settings from environment variables. It converts a CamelCase setting.Key, such as AuthKey or ExitNodeID, to a SCREAMING_SNAKE_CASE, TS_-prefixed environment variable name, such as TS_AUTH_KEY and TS_EXIT_NODE_ID. It then looks up the variable and attempts to parse it according to the expected value type. If the environment variable is not set, the policy setting is considered not configured in this store (the syspolicy package will still read it from other sources). Similarly, if the environment variable has an invalid value for the setting type, it won't be used (though the reported/logged error will differ). Updates #13193 Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	e815ae0ec4	util/syspolicy, ipn/ipnlocal: update syspolicy package to utilize syspolicy/rsop In this PR, we update the syspolicy package to utilize syspolicy/rsop under the hood, and remove syspolicy.CachingHandler, syspolicy.windowsHandler and related code which is no longer used. We mark the syspolicy.Handler interface and RegisterHandler/SetHandlerForTest functions as deprecated, but keep them temporarily until they are no longer used in other repos. We also update the package to register setting definitions for all existing policy settings and to register the Registry-based, Windows-specific policy stores when running on Windows. Finally, we update existing internal and external tests to use the new API and add a few more tests and benchmarks. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	0f4c9c0ecb	cmd/viewer: import types/views when generating a getter for a map field Fixes #13873 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	ff5f233c3a	util/syspolicy: add rsop package that provides access to the resultant policy In this PR we add syspolicy/rsop package that facilitates policy source registration and provides access to the resultant policy merged from all registered sources for a given scope. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Kristoffer Dalby	40c991f6b8	wgengine: instrument with usermetrics Updates tailscale/corp#22075 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	1 year ago
Percy Wegmann	2cadb80fb2	util/vizerror: add WrapWithMessage Thus new function allows constructing vizerrors that combine a message appropriate for display to users with a wrapped underlying error. Updates tailscale/corp#23781 Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 year ago
Nick Khyl	da40609abd	util/syspolicy, ipn: add "tailscale debug component-logs" support Fixes #13313 Fixes #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	29cf59a9b4	util/syspolicy/setting: update Snapshot to use Go 1.23 iterators Updates #12912 Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Irbe Krumina	9bd158cc09	cmd/containerboot,util/linuxfw: create a SNAT rule for dst/src only once, clean up if needed (#13658 ) The AddSNATRuleForDst rule was adding a new rule each time it was called including: - if a rule already existed - if a rule matching the destination, but with different desired source already existed This was causing issues especially for the in-progress egress HA proxies work, where the rules are now refreshed more frequently, so more redundant rules were being created. This change: - only creates the rule if it doesn't already exist - if a rule for the same dst, but different source is found, delete it - also ensures that egress proxies refresh firewall rules if the node's tailnet IP changes Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Irbe Krumina	096b090caf	cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets (#13531 ) * cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets This commit is first part of the work to allow running multiple replicas of the Kubernetes operator egress proxies per tailnet service + to allow exposing multiple tailnet services via each proxy replica. This expands the existing iptables/nftables-based proxy configuration mechanism. A proxy can now be configured to route to one or more tailnet targets via a (mounted) config file that, for each tailnet target, specifies: - the target's tailnet IP or FQDN - mappings of container ports to which cluster workloads will send traffic to tailnet target ports where the traffic should be forwarded. Example configfile contents: { "some-svc": {"tailnetTarget":{"fqdn":"foo.tailnetxyz.ts.net","ports"{"tcp:4006:80":{"protocol":"tcp","matchPort":4006,"targetPort":80},"tcp:4007:443":{"protocol":"tcp","matchPort":4007,"targetPort":443}}}} } A proxy that is configured with this config file will configure firewall rules to route cluster traffic to the tailnet targets. It will then watch the config file for updates as well as monitor relevant netmap updates and reconfigure firewall as needed. This adds a bunch of new iptables/nftables functionality to make it easier to dynamically update the firewall rules without needing to restart the proxy Pod as well as to make it easier to debug/understand the rules: - for iptables, each portmapping is a DNAT rule with a comment pointing at the 'service',i.e: -A PREROUTING ! -i tailscale0 -p tcp -m tcp --dport 4006 -m comment --comment "some-svc:tcp:4006 -> tcp:80" -j DNAT --to-destination 100.64.1.18:80 Additionally there is a SNAT rule for each tailnet target, to mask the source address. - for nftables, a separate prerouting chain is created for each tailnet target and all the portmapping rules are placed in that chain. This makes it easier to look up rules and delete services when no longer needed. (nftables allows hooking a custom chain to a prerouting hook, so no extra work is needed to ensure that the rules in the service chains are evaluated). The next steps will be to get the Kubernetes Operator to generate the configfile and ensure it is mounted to the relevant proxy nodes. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Kristoffer Dalby	0e0e53d3b3	util/usermetrics: make usermetrics non-global this commit changes usermetrics to be non-global, this is a building block for correct metrics if a go process runs multiple tsnets or in tests. Updates #13420 Updates tailscale/corp#22075 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	1 year ago
Brad Fitzpatrick	cec779e771	util/slicesx: add FirstElementEqual and LastElementEqual And update a few callers as examples of motivation. (there are a couple others, but these are the ones where it's prettier) Updates #cleanup Change-Id: Ic8c5cb7af0a59c6e790a599136b591ebe16d38eb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Maisem Ali	4d6a8224d5	util/linuxfw: fall back to nftables when iptables not found When the desired netfilter mode was unset, we would always try to use the `iptables` binary. In such cases if iptables was not found, tailscaled would just crash as seen in #13440. To work around this, in those cases check if the `iptables` binary even exists and if it doesn't fall back to the nftables implementation. Verified that it works on stock Ubuntu 24.04. Updates #5621 Updates #8555 Updates #8762 Fixes #13440 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Nick Khyl	11d205f6c4	control/controlclient,posture,util/syspolicy: use predefined syspolicy keys instead of string literals With the upcoming syspolicy changes, it's imperative that all syspolicy keys are defined in the syspolicy package for proper registration. Otherwise, the corresponding policy settings will not be read. This updates a couple of places where we still use string literals rather than syspolicy consts. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	aeb15dea30	util/syspolicy/source: add package for reading policy settings from external stores We add package defining interfaces for policy stores, enabling creation of policy sources and reading settings from them. It includes a Windows-specific PlatformPolicyStore for GP and MDM policies stored in the Registry, and an in-memory TestStore for testing purposes. We also include an internal package that tracks and reports policy usage metrics when a policy setting is read from a store. Initially, it will be used only on Windows and Android, as macOS, iOS, and tvOS report their own metrics. However, we plan to use it across all platforms eventually. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Kristoffer Dalby	a2c42d3cd4	usermetric: add initial user-facing metrics This commit adds a new usermetric package and wires up metrics across the tailscale client. Updates tailscale/corp#22075 Co-authored-by: Anton Tolchanov <anton@tailscale.com> Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	1 year ago
Nick Khyl	03acab2639	cmd/cloner, cmd/viewer, util/codegen: add support for aliases of cloneable types We have several checked type assertions to types.Named in both cmd/cloner and cmd/viewer. As Go 1.23 updates the go/types package to produce Alias type nodes for type aliases, these type assertions no longer work as expected unless the new behavior is disabled with gotypesalias=0. In this PR, we add codegen.NamedTypeOf(t types.Type), which functions like t.(types.Named) but also unrolls type aliases. We then use it in place of type assertions in the cmd/cloner and cmd/viewer packages where appropriate. We also update type switches to include types.Alias alongside types.Named in relevant cases, remove *types.Struct cases when switching on types.Type.Underlying and update the tests with more cases where type aliases can be used. Updates #13224 Updates #12912 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	a9dc6e07ad	util/codegen, cmd/cloner, cmd/viewer: update codegen.LookupMethod to support alias type nodes Go 1.23 updates the go/types package to produce Alias type nodes for type aliases, unless disabled with gotypesalias=0. This new default behavior breaks codegen.LookupMethod, which uses checked type assertions to types.Named and types.Interface, as only named types and interfaces have methods. In this PR, we update codegen.LookupMethod to perform method lookup on the right-hand side of the alias declaration and clearly switch on the supported type nodes types. We also improve support for various edge cases, such as when an alias is used as a type parameter constraint, and add tests for the LookupMethod function. Additionally, we update cmd/viewer/tests to include types with aliases used in type fields and generic type constraints. Updates #13224 Updates #12912 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Aaron Klotz	8f6a2353d8	util/winutil: add GetRegUserString/SetRegUserString accessors for storage and retrieval of string values in HKEY_CURRENT_USER Fixes #13187 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Andrea Gottardo	9d2b1820f1	ipnlocal: support setting authkey at login using syspolicy (#13061 ) Updates tailscale/corp#22120 Adds the ability to start the backend by reading an authkey stored in the syspolicy database (MDM). This is useful for devices that are provisioned in an unattended fashion. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	1 year ago
Aaron Klotz	f95785f22b	util/winutil: add constants from Win32 SDK for dll blocking mitigation policies Fixes #13182 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
cai.li	2506bf5b06	fix #13076 : codegen error when using anonymous struct Signed-off-by: cai.li <cai.li@qingteng.cn>	1 year ago
Nick Khyl	67df9abdc6	util/syspolicy/setting: add package that contains types for the next syspolicy PRs Package setting contains types for defining and representing policy settings. It facilitates the registration of setting definitions using Register and RegisterDefinition, and the retrieval of registered setting definitions via Definitions and DefinitionOf. This package is intended for use primarily within the syspolicy package hierarchy, and added in a preparation for the next PRs. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Maisem Ali	a917718353	util/linuxfw: return nil interface not concrete type It was returning a nil `*iptablesRunner` instead of a nil `NetfilterRunner` interface which would then fail checks later. Fixes #13012 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Nick Khyl	4099a36468	util/winutil/gp: fix a busy loop bug Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Brad Fitzpatrick	575feb486f	util/osuser: turn wasm check into a const expression All wasi* are GOARCH wasm, so check that instead. Updates #12732 Change-Id: Id3cc346295c1641bcf80a6c5eb1ad65488509656 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Ross Williams	1bf82ddf84	util/osuser: run getent on non-Linux Unixes Remove the restriction that getent is skipped on non-Linux unixes. Improve validation of the parsed output from getent, in case unknown systems return unusable information. Fixes #12730. Signed-off-by: Ross Williams <ross@ross-williams.net>	1 year ago
Nick Khyl	d500a92926	util/slicesx: add HasPrefix, HasSuffix, CutPrefix, and CutSuffix functions The standard library includes these for strings and byte slices, but it lacks similar functions for generic slices of comparable types. Although they are not as commonly used, these functions are useful in scenarios such as working with field index sequences (i.e., []int) via reflection. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	20562a4fb9	cmd/viewer, types/views, util/codegen: add viewer support for custom container types This adds support for container-like types such as Container[T] that don't explicitly specify a view type for T. Instead, a package implementing a container type should also implement and export a ContainerView[T, V] type and a ContainerViewOf(*Container[T]) ContainerView[T, V] function, which returns a view for the specified container, inferring the element view type V from the element type T. Updates #12736 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	fc28c8e7f3	cmd/cloner, cmd/viewer, util/codegen: add support for generic types and interfaces This adds support for generic types and interfaces to our cloner and viewer codegens. It updates these packages to determine whether to make shallow or deep copies based on the type parameter constraints. Additionally, if a template parameter or an interface type has View() and Clone() methods, we'll use them for getters and the cloner of the owning structure. Updates #12736 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Brad Fitzpatrick	c6af5bbfe8	all: add test for package comments, fix, add comments as needed Updates #cleanup Change-Id: Ic4304e909d2131a95a38b26911f49e7b1729aaef Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Nick Khyl	8bd442ba8c	util/winutil/gp, net/dns: add package for Group Policy API This adds a package with GP-related functions and types to be used in the future PRs. It also updates nrptRuleDatabase to use the new package instead of its own gpNotificationWatcher implementation. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Aaron Klotz	e181f12a7b	util/winutil/s4u: fix some doc comments in the s4u package This is #cleanup Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Tom Proctor	01a7726cf7	cmd/containerboot,cmd/k8s-operator: enable IPv6 for fqdn egress proxies (#12577 ) cmd/containerboot,cmd/k8s-operator: enable IPv6 for fqdn egress proxies Don't skip installing egress forwarding rules for IPv6 (as long as the host supports IPv6), and set headless services `ipFamilyPolicy` to `PreferDualStack` to optionally enable both IP families when possible. Note that even with `PreferDualStack` set, testing a dual-stack GKE cluster with the default DNS setup of kube-dns did not correctly set both A and AAAA records for the headless service, and instead only did so when switching the cluster DNS to Cloud DNS. For both IPv4 and IPv6 to work simultaneously in a dual-stack cluster, we require headless services to return both A and AAAA records. If the host doesn't support IPv6 but the FQDN specified only has IPv6 addresses available, containerboot will exit with error code 1 and an error message because there is no viable egress route. Fixes #12215 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 year ago
Aaron Klotz	b292f7f9ac	util/winutil/s4u: fix incorrect token type specified in s4u Login This was correct before, I think I just made a copy/paste error when updating that PR. Updates #12383 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Aaron Klotz	5f177090e3	util/winutil: ensure domain controller address is used when retrieving remote profile information We cannot directly pass a flat domain name into NetUserGetInfo; we must resolve the address of a domain controller first. This PR implements the appropriate resolution mechanisms to do that, and also exposes a couple of new utility APIs for future needs. Fixes #12627 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Aaron Klotz	da078b4c09	util/winutil: add package for logging into Windows via Service-for-User (S4U) This PR ties together pseudoconsoles, user profiles, s4u logons, and process creation into what is (hopefully) a simple API for various Tailscale services to obtain Windows access tokens without requiring knowledge of any Windows passwords. It works both for domain-joined machines (Kerberos) and non-domain-joined machines. The former case is fairly straightforward as it is fully documented. OTOH, the latter case is not documented, though it is fully defined in the C headers in the Windows SDK. The documentation blanks were filled in by reading the source code of Microsoft's Win32 port of OpenSSH. We need to do a bit of acrobatics to make conpty work correctly while creating a child process with an s4u token; see the doc comments above startProcessInternal for details. Updates #12383 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Irbe Krumina	24a40f54d9	util/linuxfw: verify that IPv6 if available if (#12598 ) nftable runner for an IPv6 address gets requested. Updates tailscale/tailscale#12215 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Brad Fitzpatrick	1023b2a82c	util/deephash: fix test regression on 32-bit Fix regression from `bd93c3067e` where I didn't notice the 32-bit test failure was real and not its usual slowness-related regression. Yay failure blindness. Updates #12526 Change-Id: I00e33bba697e2cdb61a0d76a71b62406f6c2eeb9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	21460a5b14	tailcfg, wgengine/filter: remove most FilterRule.SrcBits code The control plane hasn't sent it to clients in ages. Updates tailscale/corp#20965 Change-Id: I1d71a4b6dd3f75010a05c544ee39827837c30772 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	bd93c3067e	wgengine/filter/filtertype: make Match.IPProto a view I noticed we were allocating these every time when they could just share the same memory. Rather than document ownership, just lock it down with a view. I was considering doing all of the fields but decided to just do this one first as test to see how infectious it became. Conclusion: not very. Updates #cleanup (while working towards tailscale/corp#20514) Change-Id: I8ce08519de0c9a53f20292adfbecd970fe362de0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Aaron Klotz	7354547bd8	util/winutil: update UserProfile to ensure any environment variables in the roaming profile path are expanded Updates #12383 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Andrea Gottardo	e8ca30a5c7	xcode/iOS: support serial number collection via MDM on iOS (#11429 ) Fixes tailscale/corp#18366. This PR provides serial number collection on iOS, by allowing system administrators to pass a `DeviceSerialNumber` MDM key which can be read by the `posture` package in Go. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	1 year ago
Aaron Klotz	bd2a6d5386	util/winutil: add UserProfile type for (un)loading user profiles S4U logons do not automatically load the associated user profile. In this PR we add UserProfile to handle that part. Windows docs indicate that we should try to resolve a remote profile path when present, so we attempt to do so when the local computer is joined to a domain. Updates #12383 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Andrew Dunham	93cd2ab224	util/singleflight: add DoChanContext This is a variant of DoChan that supports context propagation, such that the context provided to the inner function will only be canceled when there are no more waiters for a given key. This can be used to deduplicate expensive and cancelable calls among multiple callers safely. Updates #11935 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ibe1fb67442a854babbc6924fd8437b02cc9e7bcf	2 years ago
Aaron Klotz	df86576989	util/winutil: add AllocateContiguousBuffer and SetNTString helper funcs AllocateContiguousBuffer is for allocating structs with trailing buffers containing additional data. It is to be used for various Windows structures containing pointers to data located immediately after the struct. SetNTString performs in-place setting of windows.NTString and windows.NTUnicodeString. Updates #12383 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Aaron Klotz	34e8820301	util/winutil: add conpty package and helper for building windows.StartupInfoEx StartupInfoBuilder is a helper for constructing StartupInfoEx structures featuring proc/thread attribute lists. Calling its setters triggers the appropriate setting of fields, adjusting flags as necessary, and populating the proc/thread attribute list as necessary. Currently it supports four features: setting std handles, setting pseudo-consoles, specifying handles for inheritance, and specifying jobs. The conpty package simplifies creation of pseudo-consoles, their associated pipes, and assignment of the pty to StartupInfoEx proc/thread attributes. Updates #12383 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Maisem Ali	36e8e8cd64	wgengine/magicsock: use math/rands/v2 Updates #11058 Co-authored-by: James Tucker <james@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	4a8cb1d9f3	all: use math/rand/v2 more Updates #11058 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	909a292a8d	util/linuxfw: don't try cleaning iptables on gokrazy It just generates log spam. Updates #12277 Change-Id: I5f65c0859e86de0a5349f9d26c9805e7c26b9371 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	8e4a29433f	util/pool: add package for storing and using a pool of items This can be used to implement a persistent pool (i.e. one that isn't cleared like sync.Pool is) of items–e.g. database connections. Some benchmarks vs. a naive implementation that uses a single map iteration show a pretty meaningful improvement: $ benchstat -col /impl ./bench.txt goos: darwin goarch: arm64 pkg: tailscale.com/util/pool │ Pool │ map │ │ sec/op │ sec/op vs base │ Pool_AddDelete-10 10.56n ± 2% 15.11n ± 1% +42.97% (p=0.000 n=10) Pool_TakeRandom-10 56.75n ± 4% 1899.50n ± 20% +3246.84% (p=0.000 n=10) geomean 24.49n 169.4n +591.74% Updates tailscale/corp#19900 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie509cb65573c4726cfc3da9a97093e61c216ca18	2 years ago
Maisem Ali	9a64c06a20	all: do not depend on the testing package Discovered while looking for something else. Updates tailscale/corp#18935 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Andrew Dunham	47b3476eb7	util/lru: add Clear method Updates tailscale/corp#20109 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I751a669251a70f0134dd1540c19b274a97608a93	2 years ago
Irbe Krumina	7ef2f72135	util/linuxfw: fix IPv6 availability check for nftables (#12009 ) * util/linuxfw: fix IPv6 NAT availability check for nftables When running firewall in nftables mode, there is no need for a separate NAT availability check (unlike with iptables, there are no hosts that support nftables, but not IPv6 NAT - see tailscale/tailscale#11353). This change fixes a firewall NAT availability check that was using the no-longer set ipv6NATAvailable field by removing the field and using a method that, for nftables, just checks that IPv6 is available. Updates tailscale/tailscale#12008 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
Andrew Dunham	25e32cc3ae	util/linuxfw: fix table name in DelStatefulRule Updates #12061 Follow-up to #12072 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I2ba8c4bff14d93816760ff5eaa1a16f17bad13c1	2 years ago
Anton Tolchanov	ac638f32c0	util/linuxfw: fix stateful packet filtering in nftables mode To match iptables: `b5dbf155b1/util/linuxfw/iptables_runner.go (L536)` Updates #12066 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 years ago
Andrew Lytvynov	c28f5767bf	various: implement stateful firewalling on Linux (#12025 ) Updates https://github.com/tailscale/corp/issues/19623 Change-Id: I7980e1fb736e234e66fa000d488066466c96ec85 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Co-authored-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Claire Wang	41f2195899	util/syspolicy: add auto exit node related keys (#11996 ) Updates tailscale/corp#19681 Signed-off-by: Claire Wang <claire@tailscale.com>	2 years ago
Brad Fitzpatrick	1a963342c7	util/set: add Of variant of SetOf that takes variadic parameter set.Of(1, 2, 3) is prettier than set.SetOf([]int{1, 2, 3}). I was going to change the signature of SetOf but then I noticed its name has stutter anyway, so I kept it for compatibility. People can prefer to use set.Of for new code or slowly migrate. Also add a lazy Make method, which I often find myself wanting, without having to resort to uglier mak.Set(&set, k, struct{}{}). Updates #cleanup Change-Id: Ic6f3870115334efcbd65e79c437de2ad3edb7625 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7455e027e9	util/slicesx: add AppendMatching We had this in a different repo, but moving it here, as this a more fitting package. Updates #cleanup Change-Id: I5fb9b10e465932aeef5841c67deba4d77d473d57 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrea Gottardo	1d3e77f373	util/syspolicy: add ReadStringArray interface (#11857 ) Fixes tailscale/corp#19459 This PR adds the ability for users of the syspolicy handler to read string arrays from the MDM solution configured on the system. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 years ago
Irbe Krumina	add62af7c6	util/linuxfw,go.{mod,sum}: don't log errors when deleting non-existant chains and rules (#11852 ) This PR bumps iptables to a newer version that has a function to detect 'NotExists' errors and uses that function to determine whether errors received on iptables rule and chain clean up are because the rule/chain does not exist- if so don't log the error. Updates corp#19336 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
Irbe Krumina	3af0f526b8	cmd{containerboot,k8s-operator},util/linuxfw: support ExternalName Services (#11802 ) * cmd/containerboot,util/linuxfw: support proxy backends specified by DNS name Adds support for optionally configuring containerboot to proxy traffic to backends configured by passing TS_EXPERIMENTAL_DEST_DNS_NAME env var to containerboot. Containerboot will periodically (every 10 minutes) attempt to resolve the DNS name and ensure that all traffic sent to the node's tailnet IP gets forwarded to the resolved backend IP addresses. Currently: - if the firewall mode is iptables, traffic will be load balanced accross the backend IP addresses using round robin. There are no health checks for whether the IPs are reachable. - if the firewall mode is nftables traffic will only be forwarded to the first IP address in the list. This is to be improved. * cmd/k8s-operator: support ExternalName Services Adds support for exposing endpoints, accessible from within a cluster to the tailnet via DNS names using ExternalName Services. This can be done by annotating the ExternalName Service with tailscale.com/expose: "true" annotation. The operator will deploy a proxy configured to route tailnet traffic to the backend IPs that service.spec.externalName resolves to. The backend IPs must be reachable from the operator's namespace. Updates tailscale/tailscale#10606 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
Percy Wegmann	b7e5122226	util/osuser: add unit test for parseGroupIds Updates #11682 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 years ago
Andrew Dunham	e985c6e58f	ssh/tailssh: try fetching group IDs for user with the 'id' command Since the tailscaled binaries that we distribute are static and don't link cgo, we previously wouldn't fetch group IDs that are returned via NSS. Try shelling out to the 'id' command, similar to how we call 'getent', to detect such cases. Updates #11682 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I9bdc938bd76c71bc130d44a97cc2233064d64799	2 years ago
Joe Tsai	63b3c82587	ipn/local: log OS-specific diagnostic information as JSON (#11700 ) There is an undocumented 16KiB limit for text log messages. However, the limit for JSON messages is 256KiB. Even worse, logging JSON as text results in significant overhead since each double quote needs to be escaped. Instead, use logger.Logf.JSON to explicitly log the info as JSON. We also modify osdiag to return the information as structured data rather than implicitly have the package log on our behalf. This gives more control to the caller on how to log. Updates #7802 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Brad Fitzpatrick	7c1d6e35a5	all: use Go 1.22 range-over-int Updates #11058 Change-Id: I35e7ef9b90e83cac04ca93fd964ad00ed5b48430 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	271cfdb3d3	util/syspolicy: clean up doc grammar and consistency Updates #cleanup Change-Id: I912574cbd5ef4d8b7417b8b2a9b9a2ccfef88840 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	d0f3fa7d7e	util/fastuuid: add a more efficient uuid generator This still generates github.com/google/uuid UUID objects, but does so using a ChaCha8 CSPRNG from the stdlib rand/v2 package. The public API is backed by a sync.Pool to provide good performance in highly concurrent operation. Under high load the read API produces a lot of extra garbage and overhead by way of temporaries and syscalls. This implementation reduces both to minimal levels, and avoids any long held global lock by utilizing sync.Pool. Updates tailscale/corp#18266 Updates tailscale/corp#19054 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	db760d0bac	cmd/tailscaled: move cleanup to an implicit action during startup This removes a potentially increased boot delay for certain boot topologies where they block on ExecStartPre that may have socket activation dependencies on other system services (such as systemd-resolved and NetworkManager). Also rename cleanup to clean up in affected/immediately nearby places per code review commentary. Fixes #11599 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Nick Khyl	8d83adde07	util/winutil/winenv: add package for current Windows environment details Package winenv provides information about the current Windows environment. This includes details such as whether the device is a server or workstation, and if it is AD domain-joined, MDM-registered, or neither. Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 years ago
Irbe Krumina	1fbaf26106	util/linuxfw: fix chain comparison (#11639 ) Don't compare pointer fields by pointer value, but by the actual value Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
Joe Tsai	4bbac72868	util/truncate: support []byte as well (#11614 ) There are no mutations to the input, so we can support both ~string and ~[]byte just fine. Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	1a38d2a3b4	util/zstdframe: support specifying a MaxWindowSize (#11595 ) Specifying a smaller window size during compression provides a knob to tweak the tradeoff between memory usage and the compression ratio. Updates tailscale/corp#18514 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Irbe Krumina	92ca770b8d	util/linuxfw: fix MSS clamping in nftables mode (#11588 ) MSS clamping for nftables was mostly not ran due to to an earlier rule in the FORWARD chain issuing accept verdict. This commit places the clamping rule into a chain of its own to ensure that it gets ran. Updates tailscale/tailscale#11002 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
Irbe Krumina	5fb721d4ad	util/linuxfw,wgengine/router: skip IPv6 firewall configuration in partial iptables mode (#11546 ) We have hosts that support IPv6, but not IPv6 firewall configuration in iptables mode. We also have hosts that have some support for IPv6 firewall configuration in iptables mode, but do not have iptables filter table. We should: - configure ip rules for all hosts that support IPv6 - only configure firewall rules in iptables mode if the host has iptables filter table. Updates tailscale/tailscale#11540 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
Percy Wegmann	bed818a978	ipn/localapi: add support for multipart POST to file-put This allows sending multiple files via Taildrop in one request. Progress is tracked via ipn.Notify. Updates tailscale/corp#18202 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 years ago
James Tucker	3f7313dbdb	util/linuxfw,wgengine/router: enable IPv6 configuration when netfilter is disabled Updates #11434 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Joe Tsai	d4bfe34ba7	util/zstdframe: add package for stateless zstd compression (#11481 ) The Go zstd package is not friendly for stateless zstd compression. Passing around multiple zstd.Encoder just for stateless compression is a waste of memory since the memory is never freed and seldom used if no compression operations are happening. For performance, we pool the relevant Encoder/Decoder with the specific options set. Functionally, this package is a wrapper over the Go zstd package with a more ergonomic API for stateless operations. This package can be used to cleanup various pre-existing zstd.Encoder pools or one-off handlers spread throughout our codebases. Performance: BenchmarkEncode/Best 1690 610926 ns/op 25.78 MB/s 1 B/op 0 allocs/op zstd_test.go:137: memory: 50.336 MiB zstd_test.go:138: ratio: 3.269x BenchmarkEncode/Better 10000 100939 ns/op 156.04 MB/s 0 B/op 0 allocs/op zstd_test.go:137: memory: 20.399 MiB zstd_test.go:138: ratio: 3.131x BenchmarkEncode/Default 15775 74976 ns/op 210.08 MB/s 105 B/op 0 allocs/op zstd_test.go:137: memory: 1.586 MiB zstd_test.go:138: ratio: 3.064x BenchmarkEncode/Fastest 23222 53977 ns/op 291.81 MB/s 26 B/op 0 allocs/op zstd_test.go:137: memory: 599.458 KiB zstd_test.go:138: ratio: 2.898x BenchmarkEncode/FastestLowMemory 23361 50789 ns/op 310.13 MB/s 15 B/op 0 allocs/op zstd_test.go:137: memory: 334.458 KiB zstd_test.go:138: ratio: 2.898x BenchmarkEncode/FastestNoChecksum 23086 50253 ns/op 313.44 MB/s 26 B/op 0 allocs/op zstd_test.go:137: memory: 599.458 KiB zstd_test.go:138: ratio: 2.900x BenchmarkDecode/Checksum 70794 17082 ns/op 300.96 MB/s 4 B/op 0 allocs/op zstd_test.go:163: memory: 316.438 KiB BenchmarkDecode/NoChecksum 74935 15990 ns/op 321.51 MB/s 4 B/op 0 allocs/op zstd_test.go:163: memory: 316.438 KiB BenchmarkDecode/LowMemory 71043 16739 ns/op 307.13 MB/s 0 B/op 0 allocs/op zstd_test.go:163: memory: 79.347 KiB We can see that the options are taking effect where compression ratio improves with higher levels and compression speed diminishes. We can also see that LowMemory takes effect where the pooled coder object references less memory than other cases. We can see that the pooling is taking effect as there are 0 amortized allocations. Additional performance: BenchmarkEncodeParallel/zstd-24 1857 619264 ns/op 1796 B/op 49 allocs/op BenchmarkEncodeParallel/zstdframe-24 1954 532023 ns/op 4293 B/op 49 allocs/op BenchmarkDecodeParallel/zstd-24 5288 197281 ns/op 2516 B/op 49 allocs/op BenchmarkDecodeParallel/zstdframe-24 6441 196254 ns/op 2513 B/op 49 allocs/op In concurrent usage, handling the pooling in this package has a marginal benefit over the zstd package, which relies on a Go channel as the pooling mechanism. In particular, coders can be freed by the GC when not in use. Coders can be shared throughout the program if they use this package instead of multiple independent pools doing the same thing. The allocations are unrelated to pooling as they're caused by the spawning of goroutines. Updates #cleanup Updates tailscale/corp#18514 Updates tailscale/corp#17653 Updates tailscale/corp#18005 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Brad Fitzpatrick	5d1c72f76b	wgengine/magicsock: don't use endpoint debug ringbuffer on mobile. Save some memory. Updates tailscale/corp#18514 Change-Id: Ibcaf3c6d8e5cc275c81f04141d0f176e2249509b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	512fc0b502	util/reload: add new package to handle periodic value loading This can be used to reload a value periodically, whether from disk or another source, while handling jitter and graceful shutdown. Updates tailscale/corp#1297 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Iee2b4385c9abae59805f642a7308837877cb5b3f	2 years ago
James Tucker	055117ad45	util/linuxfw: fix support for containers without IPv6 iptables filters (#11381 ) There are container environments such as GitHub codespaces that have partial IPv6 support - routing support is enabled at the kernel level, but lacking IPv6 filter support in the iptables module. In the specific example of the codespaces environment, this also has pre-existing legacy iptables rules in the IPv4 tables, as such the nascent firewall mode detection will always pick iptables. We would previously fault trying to install rules to the filter table, this catches that condition earlier, and disables IPv6 support under these conditions. Updates #5621 Updates #11344 Updates #11354 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	43fba6e04d	util/linuxfw: correct logical error in NAT table check (#11380 ) Updates #11344 Updates #11354 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Irbe Krumina	90c4067010	util/linuxfw: add container-friendly IPv6 NAT check (#11353 ) Remove IPv6 NAT check when routing is being set up using nftables. This is unnecessary as support for nftables was added after support for IPv6. https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch18s04.html https://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources Additionally, run an extra check for IPv6 NAT support when the routing is set up with iptables. This is because the earlier checks rely on being able to use modprobe and on /proc/net/ip6_tables_names being populated on start - these conditions are usually not true in container environments. Updates tailscale/tailscale#11344 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
Paul Scott	2fa20e3787	util/cmpver: add Less/LessEq helper funcs Updates tailscale/corp#17199 Signed-off-by: Paul Scott <paul@tailscale.com>	2 years ago
Irbe Krumina	097c5ed927	util/linuxfw: insert rather than append nftables DNAT rule (#11303 ) Ensure that the latest DNATNonTailscaleTraffic rule gets inserted on top of any pre-existing rules. Updates tailscale/tailscale#11281 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
Andrew Dunham	a20e46a80f	util/cache: fix missing interface methods (#11275 ) Updates #cleanup Change-Id: Ib3a33a7609530ef8c9f3f58fc607a61e8655c4b5 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Andrea Gottardo	0359c2f94e	util/syspolicy: add 'ResetToDefaults' (#11194 ) Updates ENG-2133. Adds the ResetToDefaults visibility policy currently only available on macOS, so that the Windows client can read its value. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 years ago
Andrea Gottardo	d756622432	util/syspolicy: add ManagedBy keys for Windows (#11183 )	2 years ago
Andrew Dunham	b7104cde4a	util/topk: add package containing a probabilistic top-K tracker This package uses a count-min sketch and a heap to track the top K items in a stream of data. Tracking a new item and adding a count to an existing item both require no memory allocations and is at worst O(log(k)) complexity. Change-Id: I0553381be3fef2470897e2bd806d43396f2dbb36 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Andrew Dunham	c1c50cfcc0	util/cloudenv: add support for DigitalOcean Updates #4984 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib229eb40af36a80e6b0fd1dd0cabb07f0d50a7d1	2 years ago
James Tucker	24bac27632	util/rands: add Shuffle and Perm functions with on-stack RNG state The new math/rand/v2 package includes an m-local global random number generator that can not be reseeded by the user, which is suitable for most uses without the RNG pools we have in a number of areas of the code base. The new API still does not have an allocation-free way of performing a seeded operations, due to the long term compiler bug around interface parameter escapes, and the Source interface. This change introduces the two APIs that math/rand/v2 can not yet replace efficiently: seeded Perm() and Shuffle() operations. This implementation chooses to use the PCG random source from math/rand/v2, as with sufficient compiler optimization, this source should boil down to only two on-stack registers for random state under ideal conditions. Updates #17243 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Joe Tsai	94a4f701c2	all: use reflect.TypeFor now available in Go 1.22 (#11078 ) Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	efddad7d7d	util/deephash: cleanup TODO in TestHash (#11080 ) Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Brad Fitzpatrick	2bd3c1474b	util/cmpx: delete now that we're using Go 1.22 Updates #11058 Change-Id: I09dea8e86f03ec148b715efca339eab8b1f0f644 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	0b16620b80	.github/workflows: add privileged tests workflow We had missed regressions from privileged tests not running, now they can run. Updates #cleanup Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Joe Tsai	60657ac83f	util/deephash: tighten up SelfHasher API (#11012 ) Providing a hash.Block512 is an implementation detail of how deephash works today, but providing an opaque type with mostly equivalent API (i.e., HashUint8, HashBytes, etc. methods) is still sensible. Thus, define a public Hasher type that exposes exactly the API that an implementation of SelfHasher would want to call. This gives us freedom to change the hashing algorithm of deephash at some point in the future. Also, this type is likely going to be called by types that are going to memoize their own hash results, we additionally add a HashSum method to simplify this use case. Add documentation to SelfHasher on how a type might implement it. Updates: corp#16409 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	84f8311bcd	util/deephash: document pathological deephash behavior (#11010 ) Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago

1 2 3 4 5 ...

459 Commits (e17abbf461c0c014da0b38ec4bf44b00f2bc7ee4)