tailscale

Commit Graph

Author	SHA1	Message	Date
Maisem Ali	a917718353	util/linuxfw: return nil interface not concrete type It was returning a nil `*iptablesRunner` instead of a nil `NetfilterRunner` interface which would then fail checks later. Fixes #13012 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Jordan Whited	d9d9d525d9	wgengine/netstack: increase gVisor's TCP send and receive buffer sizes (#12994 ) This commit increases gVisor's TCP max send (4->6MiB) and receive (4->8MiB) buffer sizes on all platforms except iOS. These values are biased towards higher throughput on high bandwidth-delay product paths. The iperf3 results below demonstrate the effect of this commit between two Linux computers with i5-12400 CPUs. 100ms of RTT latency is introduced via Linux's traffic control network emulator queue discipline. The first set of results are from commit `f0230ce` prior to TCP buffer resizing. gVisor write direction: Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 180 MBytes 151 Mbits/sec 0 sender [ 5] 0.00-10.10 sec 179 MBytes 149 Mbits/sec receiver gVisor read direction: Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.10 sec 337 MBytes 280 Mbits/sec 20 sender [ 5] 0.00-10.00 sec 323 MBytes 271 Mbits/sec receiver The second set of results are from this commit with increased TCP buffer sizes. gVisor write direction: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 297 MBytes 249 Mbits/sec 0 sender [ 5] 0.00-10.10 sec 297 MBytes 247 Mbits/sec receiver gVisor read direction: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.10 sec 501 MBytes 416 Mbits/sec 17 sender [ 5] 0.00-10.00 sec 485 MBytes 407 Mbits/sec receiver Updates #9707 Updates tailscale/corp#22119 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 year ago
Andrew Dunham	9939374c48	wgengine/magicsock: use cloud metadata to get public IPs Updates #12774 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I1661b6a2da7966ab667b075894837afd96f4742f	1 year ago
Jordan Whited	f0230ce0b5	go.mod,net/tstun,wgengine/netstack: implement gVisor TCP GRO for Linux (#12921 ) This commit implements TCP GRO for packets being written to gVisor on Linux. Windows support will follow later. The wireguard-go dependency is updated in order to make use of newly exported IP checksum functions. gVisor is updated in order to make use of newly exported stack.PacketBuffer GRO logic. TCP throughput towards gVisor, i.e. TUN write direction, is dramatically improved as a result of this commit. Benchmarks show substantial improvement, sometimes as high as 2x. High bandwidth-delay product paths remain receive window limited, bottlenecked by gVisor's default TCP receive socket buffer size. This will be addressed in a follow-on commit. The iperf3 results below demonstrate the effect of this commit between two Linux computers with i5-12400 CPUs. There is roughly ~13us of round trip latency between them. The first result is from commit `57856fc` without TCP GRO. Starting Test: protocol: TCP, 1 streams, 131072 byte blocks - - - - - - - - - - - - - - - - - - - - - - - - - Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 4.77 GBytes 4.10 Gbits/sec 20 sender [ 5] 0.00-10.00 sec 4.77 GBytes 4.10 Gbits/sec receiver The second result is from this commit with TCP GRO. Starting Test: protocol: TCP, 1 streams, 131072 byte blocks - - - - - - - - - - - - - - - - - - - - - - - - - Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 10.6 GBytes 9.14 Gbits/sec 20 sender [ 5] 0.00-10.00 sec 10.6 GBytes 9.14 Gbits/sec receiver Updates #6816 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 year ago
Jordan Whited	7bc2ddaedc	go.mod,net/tstun,wgengine/netstack: implement gVisor TCP GSO for Linux (#12869 ) This commit implements TCP GSO for packets being read from gVisor on Linux. Windows support will follow later. The wireguard-go dependency is updated in order to make use of newly exported GSO logic from its tun package. A new gVisor stack.LinkEndpoint implementation has been established (linkEndpoint) that is loosely modeled after its predecessor (channel.Endpoint). This new implementation supports GSO of monster TCP segments up to 64K in size, whereas channel.Endpoint only supports up to 32K. linkEndpoint will also be required for GRO, which will be implemented in a follow-on commit. TCP throughput from gVisor, i.e. TUN read direction, is dramatically improved as a result of this commit. Benchmarks show substantial improvement through a wide range of RTT and loss conditions, sometimes as high as 5x. The iperf3 results below demonstrate the effect of this commit between two Linux computers with i5-12400 CPUs. There is roughly ~13us of round trip latency between them. The first result is from commit `57856fc` without TCP GSO. Starting Test: protocol: TCP, 1 streams, 131072 byte blocks - - - - - - - - - - - - - - - - - - - - - - - - - Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 2.51 GBytes 2.15 Gbits/sec 154 sender [ 5] 0.00-10.00 sec 2.49 GBytes 2.14 Gbits/sec receiver The second result is from this commit with TCP GSO. Starting Test: protocol: TCP, 1 streams, 131072 byte blocks - - - - - - - - - - - - - - - - - - - - - - - - - Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 12.6 GBytes 10.8 Gbits/sec 6 sender [ 5] 0.00-10.00 sec 12.6 GBytes 10.8 Gbits/sec receiver Updates #6816 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 year ago
Brad Fitzpatrick	cf97cff33b	wgengine/netstack: simplify netaddrIPFromNetstackIP Updates #cleanup Change-Id: I66878b08a75d44170460cbf33c895277c187bd8d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Irbe Krumina	57856fc0d5	ipn,wgengine/magicsock: allow setting static node endpoints via tailscaled configfile (#12882 ) wgengine/magicsock,ipn: allow setting static node endpoints via tailscaled config file. Adds a new StaticEndpoints field to tailscaled config that can be used to statically configure the endpoints that the node advertizes. This field will replace TS_DEBUG_PRETENDPOINTS env var that can be used to achieve the same. Additionally adds some functionality that ensures that endpoints are updated when configfile is reloaded. Also, refactor configuring/reconfiguring components to use the same functionality when configfile is parsed the first time or subsequent times (after reload). Previously a configfile reload did not result in resetting of prefs. Now it does- but does not yet tell the relevant components to consume the new prefs. This is to be done in a follow-up. Updates tailscale/tailscale#12578 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Nick Khyl	1608831c33	wgengine/router: use quad-100 as the nexthop on Windows Windows requires routes to have a nexthop. Routes created using the interface's local IP address or an unspecified IP address ("0.0.0.0" or "::") as the nexthop are considered on-link routes. Notably, Windows treats on-link subnet routes differently, reserving the last IP in the range as the broadcast IP and therefore prohibiting TCP connections to it, resulting in WSA error 10049: "The requested address is not valid in its context. This does not happen with single-host routes, such as routes to Tailscale IP addresses, but becomes a problem with advertised subnets when all IPs in the range should be reachable. Before Windows 8, only routes created with an unspecified IP address were considered on-link, so our previous approach of using the interface's own IP as the nexthop likely worked on Windows 7. This PR updates configureInterface to use the TailscaleServiceIP (100.100.100.100) and its IPv6 counterpart as the nexthop for subnet routes. Fixes tailscale/support-escalations#57 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Brad Fitzpatrick	808b4139ee	wgengine/magicsock: use wireguard-go/conn.PeerAwareEndpoint If we get an non-disco presumably-wireguard-encrypted UDP packet from an IP:port we don't recognize, rather than drop the packet, give it to WireGuard anyway and let WireGuard try to figure out who it's from and tell us. This uses the new hook added in https://github.com/tailscale/wireguard-go/pull/27 Updates tailscale/corp#20732 Change-Id: I5c61a40143810592f9efac6c12808a87f924ecf2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Lee Briggs	b546a6e758	wgengine/magicsock: allow a CSV list for pretendpoint Load Balancers often have more than one ingress IP, so allowing us to add multiple means we can offer multiple options. Updates #12578 Change-Id: I4aa49a698d457627d2f7011796d665c67d4c7952 Signed-off-by: Lee Briggs <lee@leebriggs.co.uk>	1 year ago
Brad Fitzpatrick	c6af5bbfe8	all: add test for package comments, fix, add comments as needed Updates #cleanup Change-Id: Ic4304e909d2131a95a38b26911f49e7b1729aaef Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	42dac7c5c2	wgengine/magicsock: add debug envknob for injecting an endpoint For testing. Lee wants to play with 'AWS Global Accelerator Custom Routing with Amazon Elastic Kubernetes Service'. If this works well enough, we can promote it. Updates #12578 Change-Id: I5018347ed46c15c9709910717d27305d0aedf8f4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	d2fef01206	control/controlknobs,tailcfg,wgengine/magicsock: remove DRPO shutoff switch The DERP Return Path Optimization (DRPO) is over four years old (and on by default for over two) and we haven't had problems, so time to remove the emergency shutoff code (controlknob) which we've never used. The controlknobs are only meant for new features, to mitigate risk. But we don't want to keep them forever, as they kinda pollute the code. Updates #150 Change-Id: If021bc8fd1b51006d8bddd1ffab639bb1abb0ad1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	9df107f4f0	wgengine/magicsock: use derp-region-as-magic-AddrPort hack in fewer places And fix up a bogus comment and flesh out some other comments. Updates #cleanup Change-Id: Ia60a1c04b0f5e44e8d9587914af819df8e8f442a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Andrew Dunham	8487fd2ec2	wgengine/magicsock: add more DERP home clientmetrics Updates tailscale/corp#18095 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I423adca2de0730092394bb5fd5796cd35557d352	1 year ago
Andrew Dunham	8161024176	wgengine/magicsock: always set home DERP if no control conn The logic we added in #11378 would prevent selecting a home DERP if we have no control connection. Updates tailscale/corp#18095 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I44bb6ac4393989444e4961b8cfa27dc149a33c6e	1 year ago
Brad Fitzpatrick	5ec01bf3ce	wgengine/filter: support FilterRules matching on srcIP node caps [capver 100] See #12542 for background. Updates #12542 Change-Id: Ida312f700affc00d17681dc7551ee9672eeb1789 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Keli	bd50a3457d	wgengine/filter: add "Accept" TCP log lines to verbose logging (#12525 ) Changes "Accept" TCP logs to display in verbose logs only, and removes lines from default logging behavior. Updates #12158 Signed-off-by: Keli Velazquez <keli@tailscale.com>	1 year ago
Brad Fitzpatrick	21460a5b14	tailcfg, wgengine/filter: remove most FilterRule.SrcBits code The control plane hasn't sent it to clients in ages. Updates tailscale/corp#20965 Change-Id: I1d71a4b6dd3f75010a05c544ee39827837c30772 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	9e0a5cc551	net/flowtrack: optimize Tuple type for use as map key This gets UDP filter overhead closer to TCP. Still ~2x, but no longer ~3x. goos: darwin goarch: arm64 pkg: tailscale.com/wgengine/filter │ before │ after │ │ sec/op │ sec/op vs base │ FilterMatch/tcp-not-syn-v4-8 15.43n ± 3% 15.38n ± 5% ~ (p=0.339 n=10) FilterMatch/udp-existing-flow-v4-8 42.45n ± 0% 34.77n ± 1% -18.08% (p=0.000 n=10) geomean 25.59n 23.12n -9.65% Updates #12486 Change-Id: I595cfadcc6b7234604bed9c4dd4261e087c0d4c4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	bd93c3067e	wgengine/filter/filtertype: make Match.IPProto a view I noticed we were allocating these every time when they could just share the same memory. Rather than document ownership, just lock it down with a view. I was considering doing all of the fields but decided to just do this one first as test to see how infectious it became. Conclusion: not very. Updates #cleanup (while working towards tailscale/corp#20514) Change-Id: I8ce08519de0c9a53f20292adfbecd970fe362de0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Andrew Dunham	45d2f4301f	proxymap, various: distinguish between different protocols Previously, we were registering TCP and UDP connections in the same map, which could result in erroneously removing a mapping if one of the two connections completes while the other one is still active. Add a "proto string" argument to these functions to avoid this. Additionally, take the "proto" argument in LocalAPI, and plumb that through from the CLI and add a new LocalClient method. Updates tailscale/corp#20600 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I35d5efaefdfbf4721e315b8ca123f0c8af9125fb	1 year ago
Brad Fitzpatrick	20a5f939ba	wgengine/filter: add UDP flow benchmark To show the effects of the flow LRU accounting on e.g. QUIC traffic. For an open TCP connection: BenchmarkFilterMatch/tcp-not-syn-v4-8 66602070 16.74 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 67718179 16.60 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 68403351 16.84 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 66076416 16.87 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 67159012 16.67 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 65009526 16.58 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 66588055 16.62 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 63037071 16.58 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 69124975 21.15 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 54482922 20.41 ns/op And an open UDP connection: BenchmarkFilterMatch/udp-existing-flow-v4-8 25570020 44.09 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 26725958 46.99 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 25936412 47.11 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 25418325 45.99 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 25759848 44.73 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 25212488 46.26 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 25344370 44.55 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 26399372 45.26 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 26274159 47.51 ns/op BenchmarkFilterMatch/udp-existing-flow-v4-8 26070472 46.79 ns/op Updates #12486 Change-Id: Ica4263fb77972cf43db5a2e9433b4429506edfde Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	86e0f9b912	net/ipset, wgengine/filter/filtertype: add split-out packages This moves NewContainsIPFunc from tsaddr to new ipset package. And wgengine/filter types gets split into wgengine/filter/filtertype, so netmap (and thus the CLI, etc) doesn't need to bring in ipset, bart, etc. Then add a test making sure the CLI deps don't regress. Updates #1278 Change-Id: Ia246d6d9502bbefbdeacc4aef1bed9c8b24f54d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	36b1b4af2f	wgengine/filter: split local+logging lookups by IPv4-vs-IPv6 If we already know it's an incoming IPv4 packet, no need to match against the set of IPv6s and vice versa. goos: darwin goarch: arm64 pkg: tailscale.com/wgengine/filter │ before │ after │ │ sec/op │ sec/op vs base │ FilterMatch/not-local-v4-8 21.40n ± 3% 16.04n ± 1% -25.09% (p=0.000 n=10) FilterMatch/not-local-v6-8 20.75n ± 9% 15.71n ± 0% -24.31% (p=0.000 n=10) FilterMatch/no-match-v4-8 81.37n ± 1% 78.57n ± 3% -3.43% (p=0.005 n=10) FilterMatch/no-match-v6-8 77.73n ± 2% 73.71n ± 3% -5.18% (p=0.002 n=10) FilterMatch/tcp-not-syn-v4-8 21.41n ± 3% 16.86n ± 0% -21.25% (p=0.000 n=10) FilterMatch/tcp-not-syn-v4-no-logs-8 10.04n ± 0% 10.05n ± 0% ~ (p=0.446 n=10) geomean 29.07n 25.05n -13.84% Updates #12486 Change-Id: I70e5024af03893327d26629a994ab2aa9811f4f3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	d4220a76da	wgengine/filter: add TCP non-SYN benchmarks To show performance during heavy flows on established connections. BenchmarkFilterMatch/tcp-not-syn-v4-8 52125848 21.46 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 52388781 21.43 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 52916954 21.32 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 52590730 21.43 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-8 53015923 21.32 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-no-logs-8 122795029 9.783 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-no-logs-8 100000000 10.09 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-no-logs-8 120090948 9.747 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-no-logs-8 122350448 10.55 ns/op BenchmarkFilterMatch/tcp-not-syn-v4-no-logs-8 122943025 9.813 ns/op Updates #12486 Change-Id: I8e7c9380bf969ad646851d53f8a4c287717694ea Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	10e8a2a05c	wgengine/filter: fix copy/pasteo in new benchmark's v6 CIDR I noticed the not-local-v6 numbers were nowhere near the v4 numbers (they should be identical) and then saw this. It meant the Addr().Next() wasn't picking an IP that was no longer local, as assumed. Updates #12486 Change-Id: I18dfb641f00c74c6252666bc41bd2248df15fadd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7574f586aa	wgengine/filter: add more benchmarks, make names more explicit Updates #12486 Change-Id: If2e6d9c70212644eb4a0bc8ec6768512894a646a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	21ed31e33a	wgengine/filter: use NewContainsIPFunc for Srcs matches NewContainsIPFunc returns a contains matcher optimized for its input. Use that instead of what this did before, always doing a test over each of a list of netip.Prefixes. goos: darwin goarch: arm64 pkg: tailscale.com/wgengine/filter │ before │ after │ │ sec/op │ sec/op vs base │ FilterMatch/file1-8 32.60n ± 1% 18.87n ± 1% -42.12% (p=0.000 n=10) Updates #12486 Change-Id: I8f902bc064effb431e5b46751115942104ff6531 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	e2c0d69c9c	wgengine/filter: add filter benchmark Baseline, on 2020 M1 Macbook Pro, on power: goos: darwin goarch: arm64 pkg: tailscale.com/wgengine/filter BenchmarkFilterMatch/file1-8 34089133 32.79 ns/op BenchmarkFilterMatch/file1-8 35423917 32.59 ns/op BenchmarkFilterMatch/file1-8 35208598 32.80 ns/op BenchmarkFilterMatch/file1-8 35180470 33.39 ns/op BenchmarkFilterMatch/file1-8 36671608 32.82 ns/op BenchmarkFilterMatch/file1-8 35435991 33.13 ns/op BenchmarkFilterMatch/file1-8 34689181 33.29 ns/op BenchmarkFilterMatch/file1-8 34786053 32.94 ns/op BenchmarkFilterMatch/file1-8 35366235 32.56 ns/op BenchmarkFilterMatch/file1-8 35342799 32.47 ns/op Updates #12486 Change-Id: I8f902bc064effb431e5b46751115942104ff6531 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrea Gottardo	a8ee83e2c5	health: begin work to use structured health warnings instead of strings, pipe changes into ipn.Notify (#12406 ) Updates tailscale/tailscale#4136 This PR is the first round of work to move from encoding health warnings as strings and use structured data instead. The current health package revolves around the idea of Subsystems. Each subsystem can have (or not have) a Go error associated with it. The overall health of the backend is given by the concatenation of all these errors. This PR polishes the concept of Warnable introduced by @bradfitz a few weeks ago. Each Warnable is a component of the backend (for instance, things like 'dns' or 'magicsock' are Warnables). Each Warnable has a unique identifying code. A Warnable is an entity we can warn the user about, by setting (or unsetting) a WarningState for it. Warnables have: - an identifying Code, so that the GUI can track them as their WarningStates come and go - a Title, which the GUIs can use to tell the user what component of the backend is broken - a Text, which is a function that is called with a set of Args to generate a more detailed error message to explain the unhappy state Additionally, this PR also begins to send Warnables and their WarningStates through LocalAPI to the clients, using ipn.Notify messages. An ipn.Notify is only issued when a warning is added or removed from the Tracker. In a next PR, we'll get rid of subsystems entirely, and we'll start using structured warnings for all errors affecting the backend functionality. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 years ago
Andrew Dunham	72c8f7700b	wgengine/netstack: add test for #12448 This refactors the logic for determining whether a packet should be sent to the host or not into a function, and then adds tests for it. Updates #11304 Updates #12448 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ief9afa98eaffae00e21ceb7db073c61b170355e5	2 years ago
Irbe Krumina	88f2d234a4	wgengine/netstack: fix 4via6 subnet routes (#12454 ) Fix a bug where, for a subnet router that advertizes 4via6 route, all packets with a source IP matching the 4via6 address were being sent to the host itself. Instead, only send to host packets whose destination address is host's local address. Fixes tailscale/tailscale#12448 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Aaron Klotz	3511d1f8a2	cmd/tailscaled, net/dns, wgengine/router: start Windows child processes with DETACHED_PROCESS when I/O is being piped When we're starting child processes on Windows that are CLI programs that don't need to output to a console, we should pass in DETACHED_PROCESS as a CreationFlag on SysProcAttr. This prevents the OS from even creating a console for the child (and paying the associated time/space penalty for new conhost processes). This is more efficient than letting the OS create the console window and then subsequently trying to hide it, which we were doing at a few callsites. Fixes #12270 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Andrew Dunham	e88a5dbc92	various: fix lint warnings Some lint warnings caught by running 'make lint' locally. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I1534ed6f2f5e1eb029658906f9d62607dad98ca3	2 years ago
Maisem Ali	36e8e8cd64	wgengine/magicsock: use math/rands/v2 Updates #11058 Co-authored-by: James Tucker <james@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	4a8cb1d9f3	all: use math/rand/v2 more Updates #11058 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Andrea Gottardo	d636407f14	net/dns: don't set MatchDomains on Apple platforms when no upstream nameservers available (#12334 ) This PR addresses a DNS issue on macOS as discussed this morning. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 years ago
Maisem Ali	42cfbf427c	tsnet,wgengine/netstack: add ListenPacket and tests This adds a new ListenPacket function on tsnet.Server which acts mostly like `net.ListenPacket`. Unlike `Server.Listen`, this requires listening on a specific IP and does not automatically listen on both V4 and V6 addresses of the Server when the IP is unspecified. To test this, it also adds UDP support to tsdial.Dialer.UserDial and plumbs it through the localapi. Then an associated test to make sure the UDP functionality works from both sides. Updates #12182 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	2d2b62c400	wgengine/router: probe generally-unused "ip" command style lazily This busybox fwmaskWorks check was added before we moved away from using the "ip" command to using netlink directly. So it's now just wasted work (and log spam on Gokrazy) to check the "ip" command capabilities if we're never going to use it. Do it lazily instead. Updates #12277 Change-Id: I8ab9acf64f9c0d8240ce068cb9ec8c0f6b1ecee7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	9351eec3e1	net/netcheck: remove hairpin probes Palo Alto reported interpreting hairpin probes as LAND attacks, and the firewalls may be responding to this by shutting down otherwise in use NAT sessions prematurely. We don't currently make use of the outcome of the hairpin probes, and they contribute to other user confusion with e.g. the AirPort Extreme hairpin session workaround. We decided in response to remove the whole probe feature as a result. Updates #188 Updates tailscale/corp#19106 Updates tailscale/corp#19116 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Andrew Lytvynov	c9179bc261	various: disable stateful filtering by default (#12197 ) After some analysis, stateful filtering is only necessary in tailnets that use `autogroup:danger-all` in `src` in ACLs. And in those cases users explicitly specify that hosts outside of the tailnet should be able to reach their nodes. To fix local DNS breakage in containers, we disable stateful filtering by default. Updates #12108 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 years ago
Brad Fitzpatrick	964282d34f	ipn,wgengine: remove vestigial Prefs.AllowSingleHosts It was requested by the first customer 4-5 years ago and only used for a brief moment of time. We later added netmap visibility trimming which removes the need for this. It's been hidden by the CLI for quite some time and never documented anywhere else. This keeps the CLI flag, though, out of caution. It just returns an error if it's set to anything but true (its default). Fixes #12058 Change-Id: I7514ba572e7b82519b04ed603ff9f3bdbaecfda7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	8d1249550a	net/netcheck,wgengine/magicsock: add potential workaround for Palo Alto DIPP misbehavior Palo Alto firewalls have a typically hard NAT, but also have a mode called Persistent DIPP that is supposed to provide consistent port mapping suitable for STUN resolution of public ports. Persistent DIPP works initially on most Palo Alto firewalls, but some models/software versions have a bug which this works around. The bug symptom presents as follows: - STUN sessions resolve a consistent public IP:port to start with - Much later netchecks report the same IP:Port for a subset of sessions, most often the users active DERP, and/or the port related to sustained traffic. - The broader set of DERPs in a full netcheck will now consistently observe a new IP:Port. - After this point of observation, new inbound connections will only succeed to the new IP:Port observed, and existing/old sessions will only work to the old binding. In this patch we now advertise the lowest latency global endpoint discovered as we always have, but in addition any global endpoints that are observed more than once in a single netcheck report. This should provide viable endpoints for potential connection establishment across a NAT with this behavior. Updates tailscale/corp#19106 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Andrea Gottardo	e5f67f90a2	xcode: allow ICMP ping relay on macOS + iOS platforms (#12048 ) Fixes tailscale/tailscale#10393 Fixes tailscale/corp#15412 Fixes tailscale/corp#19808 On Apple platforms, exit nodes and subnet routers have been unable to relay pings from Tailscale devices to non-Tailscale devices due to sandbox restrictions imposed on our network extensions by Apple. The sandbox prevented the code in netstack.go from spawning the `ping` process which we were using. Replace that exec call with logic to send an ICMP echo request directly, which appears to work in userspace, and not trigger a sandbox violation in the syslog. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 years ago
Claire Wang	e070af7414	ipnlocal, magicsock: add more description to storing last suggested exit (#11998 ) node related functions Updates tailscale/corp#19681 Signed-off-by: Claire Wang <claire@tailscale.com>	2 years ago
Andrew Dunham	5708fc0639	wgengine/router: print Docker warning when stateful filtering is enabled When Docker is detected on the host and stateful filtering is enabled, Docker containers may be unable to reach Tailscale nodes (depending on the network settings of a container). Detect Docker when stateful filtering is enabled and print a health warning to aid users in noticing this issue. We avoid printing the warning if the current node isn't advertising any subnet routes and isn't an exit node, since without one of those being true, the node wouldn't have the correct AllowedIPs in WireGuard to allow a Docker container to connect to another Tailscale node anyway. Updates #12070 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Idef538695f4d101b0ef6f3fb398c0eaafc3ae281	2 years ago
Andrew Dunham	8f7f9ac17e	wgengine/netstack: handle 4via6 routes that are advertised by the same node Previously, a node that was advertising a 4via6 route wouldn't be able to make use of that same route; the packet would be delivered to Tailscale, but since we weren't accepting it in handleLocalPackets, the packet wouldn't be delivered to netstack and would never hit the 4via6 logic. Let's add that support so that usage of 4via6 is consistent regardless of where the connection is initiated from. Updates #11304 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ic28dc2e58080d76100d73b93360f4698605af7cb	2 years ago
Brad Fitzpatrick	21509db121	ipn/ipnlocal, all: plumb health trackers in tests I saw some panics in CI, like: 2024-05-08T04:30:25.9553518Z ## WARNING: (non-fatal) nil health.Tracker (being strict in CI): 2024-05-08T04:30:25.9554043Z goroutine 801 [running]: 2024-05-08T04:30:25.9554489Z tailscale.com/health.(Tracker).nil(0x0) 2024-05-08T04:30:25.9555086Z tailscale.com/health/health.go:185 +0x70 2024-05-08T04:30:25.9555688Z tailscale.com/health.(Tracker).SetUDP4Unbound(0x0, 0x0) 2024-05-08T04:30:25.9556373Z tailscale.com/health/health.go:532 +0x2f 2024-05-08T04:30:25.9557296Z tailscale.com/wgengine/magicsock.(Conn).bindSocket(0xc0003b4808, 0xc0003b4878, {0x1fbca53, 0x4}, 0x0) 2024-05-08T04:30:25.9558301Z tailscale.com/wgengine/magicsock/magicsock.go:2481 +0x12c5 2024-05-08T04:30:25.9559026Z tailscale.com/wgengine/magicsock.(Conn).rebind(0xc0003b4808, 0x0) 2024-05-08T04:30:25.9559874Z tailscale.com/wgengine/magicsock/magicsock.go:2510 +0x16f 2024-05-08T04:30:25.9561038Z tailscale.com/wgengine/magicsock.NewConn({0xc000063c80, 0x0, 0xc000197930, 0xc000197950, 0xc000197960, {0x0, 0x0}, 0xc000197970, 0xc000198ee0, 0x0, ...}) 2024-05-08T04:30:25.9562402Z tailscale.com/wgengine/magicsock/magicsock.go:476 +0xd5f 2024-05-08T04:30:25.9563779Z tailscale.com/wgengine.NewUserspaceEngine(0xc000063c80, {{0x22c8750, 0xc0001976b0}, 0x0, {0x22c3210, 0xc000063c80}, {0x22c31d8, 0x2d3c900}, 0x0, 0x0, ...}) 2024-05-08T04:30:25.9564982Z tailscale.com/wgengine/userspace.go:389 +0x159d 2024-05-08T04:30:25.9565529Z tailscale.com/ipn/ipnlocal.newTestBackend(0xc000358b60) 2024-05-08T04:30:25.9566086Z tailscale.com/ipn/ipnlocal/serve_test.go:675 +0x2a5 2024-05-08T04:30:25.9566612Z ta Updates #11874 Change-Id: I3432ed52d670743e532be4642f38dbd6e3763b1b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	af97e7a793	tailcfg,all: add/plumb Node.IsJailed This adds a new bool that can be sent down from control to do jailing on the client side. Previously this would only be done from control by modifying the packet filter we sent down to clients. This would result in a lot of additional work/CPU on control, we could instead just do this on the client. This has always been a TODO which we keep putting off, might as well do it now. Updates tailscale/corp#19623 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago

1 2 3 4 5 ...

1560 Commits (f205efcf1856c2338989c5e76e2d23fde24fd532)