tailscale

Commit Graph

Author	SHA1	Message	Date
Nick O'Neill	7901925ad3	VERSION.txt: this is v1.67.0 (#12063 ) Signed-off-by: Nick O'Neill <nick@tailscale.com>	2 months ago
Sonia Appasamy	8130656780	api.md: remove extraneous commas in json examples Updates #cleanup Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	2 months ago
Anton Tolchanov	6f4a1dc6bf	ipn/ipnlocal: fix another read of keyExpired outside mutex Updates #12039 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 months ago
Brad Fitzpatrick	e968b0ecd7	cmd/tailscale,controlclient,ipnlocal: fix 'up', deflake tests more The CLI's "up" is kinda chaotic and LocalBackend.Start is kinda chaotic and they both need to be redone/deleted (respectively), but this fixes some buggy behavior meanwhile. We were previously calling StartLoginInteractive (to start the controlclient's RegisterRequest) redundantly in some cases, causing test flakes depending on timing and up's weird state machine. We only need to call StartLoginInteractive in the client if Start itself doesn't. But Start doesn't tell us that. So cheat a bit and a put the information about whether there's a current NodeKey in the ipn.Status. It used to be accessible over LocalAPI via GetPrefs as a private key but we removed that for security. But a bool is fine. So then only call StartLoginInteractive if that bool is false and don't do it in the WatchIPNBus loop. Fixes #12028 Updates #12042 Change-Id: I0923c3f704a9d6afd825a858eb9a63ca7c1df294 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	e5ef35857f	ipn/ipnlocal: fix read of keyExpired outside mutex Fixes #12039 Change-Id: I28c8a282ce12619f17103e9535841f15394ce685 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	21509db121	ipn/ipnlocal, all: plumb health trackers in tests I saw some panics in CI, like: 2024-05-08T04:30:25.9553518Z ## WARNING: (non-fatal) nil health.Tracker (being strict in CI): 2024-05-08T04:30:25.9554043Z goroutine 801 [running]: 2024-05-08T04:30:25.9554489Z tailscale.com/health.(Tracker).nil(0x0) 2024-05-08T04:30:25.9555086Z tailscale.com/health/health.go:185 +0x70 2024-05-08T04:30:25.9555688Z tailscale.com/health.(Tracker).SetUDP4Unbound(0x0, 0x0) 2024-05-08T04:30:25.9556373Z tailscale.com/health/health.go:532 +0x2f 2024-05-08T04:30:25.9557296Z tailscale.com/wgengine/magicsock.(Conn).bindSocket(0xc0003b4808, 0xc0003b4878, {0x1fbca53, 0x4}, 0x0) 2024-05-08T04:30:25.9558301Z tailscale.com/wgengine/magicsock/magicsock.go:2481 +0x12c5 2024-05-08T04:30:25.9559026Z tailscale.com/wgengine/magicsock.(Conn).rebind(0xc0003b4808, 0x0) 2024-05-08T04:30:25.9559874Z tailscale.com/wgengine/magicsock/magicsock.go:2510 +0x16f 2024-05-08T04:30:25.9561038Z tailscale.com/wgengine/magicsock.NewConn({0xc000063c80, 0x0, 0xc000197930, 0xc000197950, 0xc000197960, {0x0, 0x0}, 0xc000197970, 0xc000198ee0, 0x0, ...}) 2024-05-08T04:30:25.9562402Z tailscale.com/wgengine/magicsock/magicsock.go:476 +0xd5f 2024-05-08T04:30:25.9563779Z tailscale.com/wgengine.NewUserspaceEngine(0xc000063c80, {{0x22c8750, 0xc0001976b0}, 0x0, {0x22c3210, 0xc000063c80}, {0x22c31d8, 0x2d3c900}, 0x0, 0x0, ...}) 2024-05-08T04:30:25.9564982Z tailscale.com/wgengine/userspace.go:389 +0x159d 2024-05-08T04:30:25.9565529Z tailscale.com/ipn/ipnlocal.newTestBackend(0xc000358b60) 2024-05-08T04:30:25.9566086Z tailscale.com/ipn/ipnlocal/serve_test.go:675 +0x2a5 2024-05-08T04:30:25.9566612Z ta Updates #11874 Change-Id: I3432ed52d670743e532be4642f38dbd6e3763b1b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	727c0d6cfd	ipn/ipnserver: close a small race in ipnserver, ~simplify code There was a small window in ipnserver after we assigned a LocalBackend to the ipnserver's atomic but before we Start'ed it where our initalization Start could conflict with API calls from the LocalAPI. Simplify that a bit and lay out the rules in the docs. Updates #12028 Change-Id: Ic5f5e4861e26340599184e20e308e709edec68b1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Maisem Ali	32bc596062	ipn/ipnlocal: acquire b.mu once in Start We used to Lock, Unlock, Lock, Unlock quite a few times in Start resulting in all sorts of weird race conditions. Simplify it all and only Lock/Unlock once. Updates #11649 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Maisem Ali	9380e2dfc6	ipn/ipnlocal: use lockAndGetUnlock in Start This removes one of the Lock,Unlock,Lock,Unlock at least in the Start function. Still has 3 more of these. Updates #11649 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Maisem Ali	e1011f1387	ipn/ipnlocal: call SetNetInfoCallback from NewLocalBackend Instead of calling it from Start everytime, call it from NewLocalBackend once. Updates #11649 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Maisem Ali	85b9a6c601	net/netcheck: do not add derps if IPv4/IPv6 is set to "none" It was documented as such but seems to have been dropped in a refactor, restore the behavior. This brings down the time it takes to run a single integration test by 2s which adds up quite a bit. Updates tailscale/corp#19786 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Brad Fitzpatrick	d7bdd8e2a7	go.toolchain.rev: update to Go 1.22.3 Updates #12044 Change-Id: I4ad16f2bfcec13735cb10713e028b2c5527501ed Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
kari-ts	3c4c9dc1d2	web: use EditPrefs instead of passing UpdatePrefs to starting (#12040 ) Web version of https://github.com/tailscale/tailscale-android/pull/370 This allows us to update the prefs rather than creating new prefs Updates tailscale/tailscale#11731 Signed-off-by: kari-ts <kari@tailscale.com>	2 months ago
Brad Fitzpatrick	80df8ffb85	control/controlclient: early return and outdent some code I found this too hard to read before. This is pulled out of #12033 as it's unrelated cleanup in retrospect. Updates #12028 Change-Id: I727c47e573217e3d1973c5b66a76748139cf79ee Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Andrew Lytvynov	471731771c	ipn/ipnlocal: set default NoStatefulFiltering in ipn.NewPrefs (#12031 ) This way the default gets populated on first start, when no existing state exists to migrate. Also fix `ipn.PrefsFromBytes` to preserve empty fields, rather than layering `NewPrefs` values on top. Updates https://github.com/tailscale/corp/issues/19623 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Paul Scott	78fa698fe6	cmd/tailscale/cli/ffcomplete: remove fullstop from ShortHelp Updates #cleanup Signed-off-by: Paul Scott <paul@tailscale.com>	2 months ago
Maisem Ali	482890b9ed	tailcfg: bump capver for using NodeAttrUserDialUseRoutes for DNS Missed in `f62e678df8`. Updates tailscale/corp#18725 Updates #4529 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Maisem Ali	af97e7a793	tailcfg,all: add/plumb Node.IsJailed This adds a new bool that can be sent down from control to do jailing on the client side. Previously this would only be done from control by modifying the packet filter we sent down to clients. This would result in a lot of additional work/CPU on control, we could instead just do this on the client. This has always been a TODO which we keep putting off, might as well do it now. Updates tailscale/corp#19623 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Maisem Ali	e67069550b	ipn/ipnlocal,net/tstun,wgengine: create and plumb jailed packet filter This plumbs a packet filter for jailed nodes through to the tstun.Wrapper; the filter for a jailed node is equivalent to a "shields up" filter. Currently a no-op as there is no way for control to tell the client whether a peer is jailed. Updates tailscale/corp#19623 Co-authored-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Maisem Ali <maisem@tailscale.com> Change-Id: I5ccc5f00e197fde15dd567485b2a99d8254391ad	2 months ago
Nick Khyl	f62e678df8	net/dns/resolver, control/controlknobs, tailcfg: use UserDial instead of SystemDial to dial DNS servers Now that tsdial.Dialer.UserDial has been updated to honor the configured routes and dial external network addresses without going through Tailscale, while also being able to dial a node/subnet router on the tailnet, we can start using UserDial to forward DNS requests. This is primarily needed for DNS over TCP when forwarding requests to internal DNS servers, but we also update getKnownDoHClientForProvider to use it. Updates tailscale/corp#18725 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Andrew Lytvynov	c28f5767bf	various: implement stateful firewalling on Linux (#12025 ) Updates https://github.com/tailscale/corp/issues/19623 Change-Id: I7980e1fb736e234e66fa000d488066466c96ec85 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Co-authored-by: Andrew Dunham <andrew@du.nham.ca>	2 months ago
Maisem Ali	5ef178fdca	net/tstun: refactor peerConfig to allow storing more details This refactors the peerConfig struct to allow storing more details about a peer and not just the masq addresses. To be used in a follow up change. As a side effect, this also makes the DNAT logic on the inbound packet stricter. Previously it would only match against the packets dst IP, not it also takes the src IP into consideration. The beahvior is at parity with the SNAT case. Updates tailscale/corp#19623 Co-authored-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Maisem Ali <maisem@tailscale.com> Change-Id: I5f40802bebbf0f055436eb8824e4511d0052772d	2 months ago
Brad Fitzpatrick	f3d2fd22ef	cmd/tailscale/cli: don't start WatchIPNBus until after up's initial Start The CLI "up" command is a historical mess, both on the CLI side and the LocalBackend side. We're getting closer to cleaning it up, but in the meantime it was again implicated in flaky tests. In this case, the background goroutine running WatchIPNBus was very occasionally running enough to get to its StartLoginInteractive call before the original goroutine did its Start call. That meant integration tests were very rarely but sometimes logging in with the default control plane URL out on the internet (controlplane.tailscale.com) instead of the localhost control server for tests. This also might've affected new Headscale etc users on initial "up". Fixes #11960 Fixes #11962 Change-Id: I36f8817b69267a99271b5ee78cb7dbf0fcc0bd34 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	aadb8d9d21	ipn/ipnlocal: don't send an empty BrowseToURL w/ WatchIPNBus NotifyInitialState I noticed this while working on the following fix to #11962. Updates #11962 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Change-Id: I4c5894d8899d1ae8c42f54ecfd4d05a4a7ac598c	2 months ago
Brad Fitzpatrick	e26f76a1c4	tstest/integration: add more debugging, logs to catch flaky test Updates #11962 Change-Id: I1ab0db69bdf8d1d535aa2cef434c586311f0fe18 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Nick Khyl	caa3d7594f	ipn/ipnlocal, net/tsdial: plumb routes into tsdial and use them in UserDial We'd like to use tsdial.Dialer.UserDial instead of SystemDial for DNS over TCP. This is primarily necessary to properly dial internal DNS servers accessible over Tailscale and subnet routes. However, to avoid issues when switching between Wi-Fi and cellular, we need to ensure that we don't retain connections to any external addresses on the old interface. Therefore, we need to determine which dialer to use internally based on the configured routes. This plumbs routes and localRoutes from router.Config to tsdial.Dialer, and updates UserDial to use either the peer dialer or the system dialer, depending on the network address and the configured routes. Updates tailscale/corp#18725 Fixes #4529 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Brad Fitzpatrick	ce8969d82b	net/portmapper: add envknob to disable portmapper in localhost integration tests Updates #11962 Change-Id: I8212cd814985b455d96986de0d4c45f119516cb3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	7e0dd61e61	ipn/ipnlocal, tstest/integration: add panic to catch flaky test in the act Updates #11962 Change-Id: Ifa24b82f9c76639bfd83278a7c2fe9cf42897bbb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
License Updater	258b5042fe	licenses: update license notices Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	2 months ago
Brad Fitzpatrick	c3c18027c6	all: make more tests pass/skip in airplane mode Updates tailscale/corp#19786 Change-Id: Iedc6730fe91c627b556bff5325bdbaf7bf79d8e6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Claire Wang	41f2195899	util/syspolicy: add auto exit node related keys (#11996 ) Updates tailscale/corp#19681 Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Brad Fitzpatrick	1a963342c7	util/set: add Of variant of SetOf that takes variadic parameter set.Of(1, 2, 3) is prettier than set.SetOf([]int{1, 2, 3}). I was going to change the signature of SetOf but then I noticed its name has stutter anyway, so I kept it for compatibility. People can prefer to use set.Of for new code or slowly migrate. Also add a lazy Make method, which I often find myself wanting, without having to resort to uglier mak.Set(&set, k, struct{}{}). Updates #cleanup Change-Id: Ic6f3870115334efcbd65e79c437de2ad3edb7625 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Will Norris	80decd83c1	tsweb: remove redundant bumpStartIfNeeded func Updates #12001 Signed-off-by: Will Norris <will@tailscale.com>	2 months ago
Maisem Ali	ed843e643f	types/views: add AppendStrings util func Updates tailscale/corp#19623 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Maisem Ali	fd6ba43b97	types/views: remove duplicate SliceContainsFunc We already have `(Slice[T]).ContainsFunc`. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Will Norris	46980c9664	tsweb: ensure in-flight requests are always marked as finished The inflight request tracker only starts recording a new bucket after the first non-error request. Unfortunately, it's written in such a way that ONLY successful requests are ever marked as being finished. Once a bucket has had at least one successful request and begun to be tracked, all subsequent error cases are never marked finished and always appear as in-flight. This change ensures that if a request is recorded has having been started, we also mark it as finished at the end. Updates tailscale/corp#19767 Signed-off-by: Will Norris <will@tailscale.com>	2 months ago
Percy Wegmann	817badf9ca	ipn/ipnlocal: reuse transport across Taildrive remotes This prevents us from opening a new connection on each HTTP request. Updates #11967 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	2cf764e998	drive: actually cache results on statcache Updates #11967 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Irbe Krumina	406293682c	cmd/k8s-operator: cleanup runReconciler signature (#11993 ) Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Claire Wang	35872e86d2	ipnlocal, magicsock: store last suggested exit node id in local backend (#11959 ) Updates tailscale/corp#19681 Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Brad Fitzpatrick	b62cfc430a	tstest/integration/testcontrol: fix data race Noticed in earlier GitHub actions failure. Fixes #11994 Change-Id: Iba8d753caaa3dacbe2da9171d96c5f99b12e62d7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Andrew Dunham	e9505e5432	ipn/ipnlocal: plumb health.Tracker into profileManager constructor Setting the field after-the-fact wasn't working because we could migrate prefs on creation, which would set health status for auto updates. Updates #11986 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I41d79ebd61d64829a3a9e70586ce56f62d24ccfd	2 months ago
Brad Fitzpatrick	e42c4396cf	net/netcheck: don't spam on ICMP socket permission denied errors While debugging a failing test in airplane mode on macOS, I noticed netcheck logspam about ICMP socket creation permission denied errors. Apparently macOS just can't do those, or at least not in airplane mode. Not worth spamming about. Updates #cleanup Change-Id: I302620cfd3c8eabb25202d7eef040c01bd8a843c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	15fc6cd966	derp/derphttp: fix netcheck HTTPS probes The netcheck client, when no UDP is available, probes distance using HTTPS. Several problems: * It probes using /derp/latency-check. * But cmd/derper serves the handler at /derp/probe * Despite the difference, it work by accident until `c8f4dfc8c0` which made netcheck's probe require a 2xx status code. * in tests, we only use derphttp.Handler, so the cmd/derper-installed mux routes aren't preesnt, so there's no probe. That breaks tests in airplane mode. netcheck.Client then reports "unexpected HTTP status 426" (Upgrade Required) This makes derp handle both /derp/probe and /derp/latency-check equivalently, and in both cmd/derper and derphttp.Handler standalone modes. I notice this when wgengine/magicsock TestActiveDiscovery was failing in airplane mode (no wifi). It still doesn't pass, but it gets further. Fixes #11989 Change-Id: I45213d4bd137e0f29aac8bd4a9ac92091065113f	2 months ago
Brad Fitzpatrick	1fe0983f2d	cmd/derper,tstest/nettest: skip network-needing test in airplane mode Not buying wifi on a short flight is a good way to find tests that require network. Whoops. Updates #cleanup Change-Id: Ibe678e9c755d27269ad7206413ffe9971f07d298 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	46f3feae96	ssh/tailssh: plumb health.Tracker in test In prep for it being required in more places. Updates #11874 Change-Id: Ib743205fc2a6c6ff3d2c4ed3a2b28cac79156539 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	4fa6cbec27	ssh/tailssh: use ptr.To in test Updates #cleanup Change-Id: Ic98ba1b63c8205084b30f59f0ca343788edea5b0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	ee3bd4dbda	derp/derphttp, net/netcheck: plumb netmon.Monitor to derp netcheck client Fixes #11981 Change-Id: I0e15a09f93aefb3cfddbc12d463c1c08b83e09fd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Percy Wegmann	a03cb866b4	drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	745fb31bd4	drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago

1 2 3 4 5 ...

7627 Commits (f1d10c12acf69fcb7509c6aaff65e1a9c8897715) All Branches Search

7627 Commits (f1d10c12acf69fcb7509c6aaff65e1a9c8897715)

All Branches