tailscale

Commit Graph

Author	SHA1	Message	Date
James Tucker	f27b2cf569	appc,cmd/sniproxy,ipn/ipnlocal: split sniproxy configuration code out of appc The design changed during integration and testing, resulting in the earlier implementation growing in the appc package to be intended now only for the sniproxy implementation. That code is moved to it's final location, and the current App Connector code is now renamed. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Sonia Appasamy	aa5af06165	ipn/ipnlocal: include web client port in setTCPPortsIntercepted Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	da31ce3a64	ipn/localapi: remove webclient endpoint Managing starting/stopping tailscaled web client purely via setting the RunWebClient pref. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	b370274b29	ipn/ipnlocal: pull CapabilityPreviewWebClient into webClientAtomicBool Now uses webClientAtomicBool as the source of truth for whether the web client should be running in tailscaled, with it updated when either the RunWebClient pref or CapabilityPreviewWebClient node capability changes. This avoids requiring holding the LocalBackend lock on each call to ShouldRunWebClient to check for the CapabilityPreviewWebClient value. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Andrew Lytvynov	c6a4612915	ipn/localapi: require Write access on /watch-ipn-bus with private keys (#10059 ) Clients optionally request private key filtering. If they don't, we should require Write access for the user. Updates https://github.com/tailscale/corp/issues/15506 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
James Tucker	228a82f178	ipn/ipnlocal,tailcfg: add AppConnector service to HostInfo when configured Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
James Tucker	6ad54fed00	appc,ipn/ipnlocal: add App Connector domain configuration from mapcap The AppConnector is now configured by the mapcap from the control plane. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
James Tucker	b48b7d82d0	appc,ipn/ipnlocal,net/dns/resolver: add App Connector wiring when enabled in prefs An EmbeddedAppConnector is added that when configured observes DNS responses from the PeerAPI. If a response is found matching a configured domain, routes are advertised when necessary. The wiring from a configuration in the netmap capmap is not yet done, so while the connector can be enabled, no domains can yet be added. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Will Norris	e7482f0df0	ipn/ipnlocal: prevent deadlock on WebClientShutdown WebClientShutdown tries to acquire the b.mu lock, so run it in a go routine so that it can finish shutdown after setPrefsLockedOnEntry is finished. This is the same reason b.sshServer.Shutdown is run in a go routine. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
James Tucker	0ee4573a41	ipn/ipnlocal: fix small typo Updates #cleanup Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
James Tucker	ca4c940a4d	ipn: introduce app connector advertisement preference and flags Introduce a preference structure to store the setting for app connector advertisement. Introduce the associated flags: tailscale up --advertise-connector{=true,=false} tailscale set --advertise-connector{=true,=false} ``` % tailscale set --advertise-connector=false % tailscale debug prefs \| jq .AppConnector.Advertise false % tailscale set --advertise-connector=true % tailscale debug prefs \| jq .AppConnector.Advertise true % tailscale up --advertise-connector=false % tailscale debug prefs \| jq .AppConnector.Advertise false % tailscale up --advertise-connector=true % tailscale debug prefs \| jq .AppConnector.Advertise true ``` Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Will Norris	66c7af3dd3	ipn: replace web client debug flag with node capability Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	44175653dc	ipn/ipnlocal: rename web fields/structs to webClient For consistency and clarity around what the LocalBackend.web field is used for. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Will Norris	ea599b018c	ipn: serve web client requests from LocalBackend instead of starting a separate server listening on a particular port, use the TCPHandlerForDst method to intercept requests for the special web client port (currently 5252, probably configurable later). Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Will Norris	28ad910840	ipn: add user pref for running web client This is not currently exposed as a user-settable preference through `tailscale up` or `tailscale set`. Instead, the preference is set when turning the web client on and off via localapi. In a subsequent commit, the pref will be used to automatically start the web client on startup when appropriate. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	89953b015b	ipn/ipnlocal,client/web: add web client to tailscaled Allows for serving the web interface from tailscaled, with the ability to start and stop the server via localapi endpoints (/web/start and /web/stop). This will be used to run the new full management web client, which will only be accessible over Tailscale (with an extra auth check step over noise) from the daemon. This switch also allows us to run the web interface as a long-lived service in environments where the CLI version is restricted to CGI, allowing us to manage certain auth state in memory. ipn/ipnlocal/web is stubbed out in ipn/ipnlocal/web_stub for ios builds to satisfy ios restriction from adding "text/template" and "html/template" dependencies. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Andrea Gottardo	95715c4a12	ipn/localapi: add endpoint to handle APNS payloads (#9972 ) * ipn/localapi: add endpoint to handle APNS payloads Fixes #9971. This adds a new `handle-push-message` local API endpoint. When an APNS payload is delivered to the main app, this endpoint can be used to forward the JSON body of the message to the backend, making a POST request. cc @bradfitz Signed-off-by: Andrea Gottardo <andrea@tailscale.com> * Address comments from code review Signed-off-by: Andrea Gottardo <andrea@tailscale.com> --------- Signed-off-by: Andrea Gottardo <andrea@tailscale.com>	8 months ago
Rhea Ghosh	387a98fe28	ipn/ipnlocal: exclude tvOS devices from taildrop file targets (#10002 )	8 months ago
Tyler Smalley	baa1fd976e	ipn/localapi: require local Windows admin to set serve path (#9969 ) For a serve config with a path handler, ensure the caller is a local administrator on Windows. updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Aaron Klotz	95671b71a6	ipn, safesocket: use Windows token in LocalAPI On Windows, the idiomatic way to check access on a named pipe is for the server to impersonate the client on its current OS thread, perform access checks using the client's access token, and then revert the OS thread's access token back to its true self. The access token is a better representation of the client's rights than just a username/userid check, as it represents the client's effective rights at connection time, which might differ from their normal rights. This patch updates safesocket to do the aforementioned impersonation, extract the token handle, and then revert the impersonation. We retain the token handle for the remaining duration of the connection (the token continues to be valid even after we have reverted back to self). Since the token is a property of the connection, I changed ipnauth to wrap the concrete net.Conn to include the token. I then plumbed that change through ipnlocal, ipnserver, and localapi as necessary. I also added a PermitLocalAdmin flag to the localapi Handler which I intend to use for controlling access to a few new localapi endpoints intended for configuring auto-update. Updates https://github.com/tailscale/tailscale/issues/755 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	8 months ago
Andrea Gottardo	741d7bcefe	Revert "ipn/ipnlocal: add new DNS and subnet router policies" (#9962 ) This reverts commit `32194cdc70`. Signed-off-by: Nick O'Neill <nick@tailscale.com>	8 months ago
Adrian Dewhurst	32194cdc70	ipn/ipnlocal: add new DNS and subnet router policies In addition to the new policy keys for the new options, some already-in-use but missing policy keys are also being added to util/syspolicy. Updates ENG-2133 Change-Id: Iad08ca47f839ea6a65f81b76b4f9ef21183ebdc6 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	8 months ago
Andrew Lytvynov	593c086866	clientupdate: distinguish when auto-updates are possible (#9896 ) clientupdate.Updater will have a non-nil Update func in a few cases where it doesn't actually perform an update: * on Arch-like distros, where it prints instructions on how to update * on macOS app store version, where it opens the app store page Add a new clientupdate.Arguments field to cause NewUpdater to fail when we hit one of these cases. This results in c2n updates being "not supported" and `tailscale set --auto-update` returning an error. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Maisem Ali	17b2072b72	ipn/ipnlocal: set the push device token correctly It would end up resetting whatever hostinfo we had constructed and leave the backend statemachine in a broken state. This fixes that by storing the PushDeviceToken on the LocalBackend and populating it on Hostinfo before passing it to controlclient. Updates tailscale/corp#8940 Updates tailscale/corp#15367 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Maisem Ali	0e89245c0f	ipn/ipnlocal: drop hostinfo param from doSetHostinfoFilterServices The value being passed was the same as whats on b.hostinfo, so just use that directly. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Joe Tsai	152390e80a	ipn/localapi: avoid unkeyed literal (#9933 ) Go has no way to explicitly identify Go struct as effectively a tuple, so staticcheck assumes any external use of unkeyed literals is wrong. Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	8 months ago
Maisem Ali	f398712c00	ipn/ipnlocal: prevent changing serve config if conf.Locked This adds a check to prevent changes to ServeConfig if tailscaled is run with a Locked config. Missed in `1fc3573446`. Updates #1412 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Sonia Appasamy	68da15516f	ipn/localapi,client/web: clean up auth error handling This commit makes two changes to the web client auth flow error handling: 1. Properly passes back the error code from the noise request from the localapi. Previously we were using io.Copy, which was always setting a 200 response status code. 2. Clean up web client browser sessions on any /wait endpoint error. This avoids the user getting in a stuck state if something goes wrong with their auth path. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Irbe Krumina	eced054796	ipn/ipnlocal: close connections for removed proxy transports (#9884 ) Ensure that when a userspace proxy config is reloaded, connections for any removed proxies are safely closed Updates tailscale/tailscale#9725 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Andrew Lytvynov	25b6974219	ipn/ipnlocal: send ClientVersion to Apple frontends (#9887 ) Apple frontends will now understand this Notify field and handle it. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Irbe Krumina	f09cb45f9d	ipn/ipnlocal: initiate proxy transport once (#9883 ) Initiates http/h2c transport for userspace proxy backend lazily and at most once. Updates tailscale/tailscale#9725 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Sonia Appasamy	73bbf941f8	client/web: hook up auth flow Connects serveTailscaleAuth to the localapi webclient endpoint and pipes auth URLs and session cookies back to the browser to redirect users from the frontend. All behind debug flags for now. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Irbe Krumina	09b5bb3e55	ipn/ipnlocal: proxy gRPC requests over h2c if needed. (#9847 ) Updates userspace proxy to detect plaintext grpc requests using the preconfigured host prefix and request's content type header and ensure that these will be proxied over h2c. Updates tailscale/tailscale#9725 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Joe Tsai	3f27087e9d	taildrop: switch hashing to be streaming based (#9861 ) While the previous logic was correct, it did not perform well. Resuming is a dance between the client and server, where 1. the client requests hashes for a partial file, 2. the server then computes those hashes, 3. the client computes hashes locally and compares them. 4. goto 1 while the partial file still has data While step 2 is running, the client is sitting idle. While step 3 is running, the server is sitting idle. By streaming over the block hash immediately after the server computes it, the client can start checking the hash, while the server works on the next hash (in a pipelined manner). This performs dramatically better and also uses less memory as we don't need to hold a list of hashes, but only need to handle one hash at a time. There are two detriments to this approach: * The HTTP API relies on a JSON stream, which is not a standard REST-like pattern. However, since we implement both client and server, this is fine. * While the stream is on-going, we hold an open file handle on the server side while the file is being hashed. On really slow streams, this could hold a file open forever. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Joe Tsai	7971333603	ipn: fix localapi and peerapi protocol for taildrop resume (#9860 ) Minor fixes: * The branch for listing or hashing partial files was inverted. * The host for peerapi call needs to be real (rather than bogus). * Handle remote peers that don't support resuming. * Make resume failures non-fatal (since we can still continue). This was tested locally, end-to-end system test is future work. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Andrew Lytvynov	77127a2494	clientupdate: fix background install for linux tarballs (#9852 ) Two bug fixes: 1. when tailscale update is executed as root, `os.UserCacheDir` may return an error because `$XDG_CACHE_HOME` and `$HOME` are not set; fallback to `os.TempDir` in those cases 2. on some weird distros (like my EndeavourOS), `/usr/sbin` is just a symlink to `/usr/bin`; when we resolve `tailscale` binary path from `tailscaled`, allow `tailscaled` to be in either directory Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Joe Tsai	c2a551469c	taildrop: implement asynchronous file deletion (#9844 ) File resumption requires keeping partial files around for some time, but we must still eventually delete them if never resumed. Thus, we implement asynchronous file deletion, which could spawn a background goroutine to delete the files. We also use the same mechanism for deleting files on Windows, where a file can't be deleted if there is still an open file handle. We can enqueue those with the asynchronous file deleter as well. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	9 months ago
Brad Fitzpatrick	1fc3573446	ipn/{conffile,ipnlocal}: start booting tailscaled from a config file w/ auth key Updates #1412 Change-Id: Icd880035a31df59797b8379f4af19da5c4c453e2 Co-authored-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Rhea Ghosh	9d3c6bf52e	ipn/ipnlocal/peerapi: refactoring taildrop to just one endpoint (#9832 ) Updates #14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Andrew Lytvynov	b949e208bb	ipn/ipnlocal: fix AllowsUpdate disable after enable (#9827 ) The old code would always retain value `true` if it was set once, even if you then change `prefs.AutoUpdate.Apply` to `false`. Instead of using the previous value, use the default (envknob) value to OR with. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Brad Fitzpatrick	18bd98d35b	cmd/tailscaled,*: add start of configuration file support Updates #1412 Co-authored-by: Maisem Ali <maisem@tailscale.com> Change-Id: I38d559c1784d09fc804f521986c9b4b548718f7d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Rhea Ghosh	71271e41d6	ipn/{ipnlocal/peerapi, localapi} initial taildrop resume api plumbing (#9798 ) This change: * adds a partial files peerAPI endpoint to get a list of partial files * adds a helper function to extract the basename of a file * updates the peer put peerAPI endpoint * updates the file put localapi endpoint to allow resume functionality Updates #14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Andrew Lytvynov	8a5b02133d	clientupdate: return ErrUnsupported for macSys clients (#9793 ) The Sparkle-based update is not quite working yet. Make `NewUpdater` return `ErrUnsupported` for it to avoid the proliferation of exceptions up the stack. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Sonia Appasamy	feabb34ea0	ipn/localapi: add debug-web-client endpoint Debug endpoint for the web client's auth flow to talk back to the control server. Restricted behind a feature flag on control. We will either be removing this debug endpoint, or renaming it before launching the web client updates. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Kristoffer Dalby	e06f2f1873	ipn/ipnlocal: change serial number policy to be PreferenceOption This commit changes the PostureChecking syspolicy key to be a PreferenceOption(user-defined, always, never) instead of Bool. This aligns better with the defaults implementation on macOS allowing CLI arguments to be read when user-defined or no defaults is set. Updates #tailscale/tailscale/5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Rhea Ghosh	8c7169105e	ipn/{ipnlocal/peerapi, localapi}: cleaning up http statuses for consistency and readability (#9796 ) Updates #cleanup Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Andrew Lytvynov	af5a586463	ipn/ipnlocal: include AutoUpdate prefs in HostInfo.AllowsUpdate (#9792 ) Updates #9260 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Joe Tsai	b1867eb23f	taildrop: add logic for resuming partial files (#9785 ) We add the following API: * type FileChecksums * type Checksum * func Manager.PartialFiles * func Manager.HashPartialFile * func ResumeReader The Manager methods provide the ability to query for partial files and retrieve a list of checksums for a given partial file. The ResumeReader function is a helper that wraps an io.Reader to discard content that is identical locally and remotely. The FileChecksums type represents the checksums of a file and is safe to JSON marshal and send over the wire. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Maisem Ali	24f322bc43	ipn/ipnlocal: do unexpired cert renewals in the background We were eagerly doing a synchronous renewal of the cert while trying to serve traffic. Instead of that, just do the cert renewal in the background and continue serving traffic as long as the cert is still valid. This regressed in `c1ecae13ab` when we introduced ARI support and were trying to make the experience of `tailscale cert` better. However, that ended up regressing the experience for tsnet as it would not always doing the renewal synchronously. Fixes #9783 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Joe Tsai	37c646d9d3	taildrop: improve the functionality and reliability of put (#9762 ) Changes made: * Move all HTTP related functionality from taildrop to ipnlocal. * Add two arguments to taildrop.Manager.PutFile to specify an opaque client ID and a resume offset (both unused for now). * Cleanup the logic of taildrop.Manager.PutFile to be easier to follow. * Implement file conflict handling where duplicate files are renamed (e.g., "IMG_1234.jpg" -> "IMG_1234 (2).jpg"). * Implement file de-duplication where "renaming" a partial file simply deletes it if it already exists with the same contents. * Detect conflicting active puts where a second concurrent put results in an error. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Maisem Ali	319607625f	ipn/ipnlocal: fix log spam from now expected paths These log paths were actually unexpected until the refactor in `fe95d81b43`. This moves the logs to the callsites where they are actually unexpected. Fixes #9670 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	9d96e05267	net/packet: split off checksum munging into different pkg The current structure meant that we were embedding netstack in the tailscale CLI and in the GUIs. This removes that by isolating the checksum munging to a different pkg which is only called from `net/tstun`. Fixes #9756 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Brad Fitzpatrick	70de16bda7	ipn/localapi: make whois take IP or IP:port as documented, fix capmap netstack lookup The whois handler was documented as taking IP (e.g. 100.101.102.103) or IP:port (e.g. usermode 127.0.0.1:1234) but that got broken at some point and we started requiring a port always. Fix that. Also, found in the process of adding tests: fix the CapMap lookup in userspace mode (it was always returning the caps of 127.0.0.1 in userspace mode). Fix and test that too. Updates #9714 Change-Id: Ie9a59744286522fa91c4b70ebe89a1e94dbded26 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Kristoffer Dalby	7f540042d5	ipn/ipnlocal: use syspolicy to determine collection of posture data Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Kristoffer Dalby	9eedf86563	posture: add get serial support for Windows/Linux This commit adds support for getting serial numbers from SMBIOS on Windows/Linux (and BSD) using go-smbios. Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Kristoffer Dalby	b4e587c3bd	tailcfg,ipn: add c2n endpoint for posture identity Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Kristoffer Dalby	886917c42b	ipn: add PostureChecks to Prefs Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Brad Fitzpatrick	6f36f8842c	cmd/tailscale, magicsock: add debug command to flip DERP homes For testing netmap patchification server-side. Updates #1909 Change-Id: Ib1d784bd97b8d4a31e48374b4567404aae5280cc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Joe Tsai	e4cb83b18b	taildrop: document and cleanup the package (#9699 ) Changes made: * Unexport declarations specific to internal taildrop functionality. * Document all exported functionality. * Move TestRedactErr to the taildrop package. * Rename and invert Handler.DirectFileDoFinalRename as AvoidFinalRename. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	9 months ago
Rhea Ghosh	557ddced6c	{ipn/ipnlocal, taildrop}: move put logic to taildrop (#9680 ) Cleaning up taildrop logic for sending files. Updates tailscale/corp#14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com> Co-authored-by: Joe Tsai <joetsai@digital-static.net>	9 months ago
Joe Tsai	c42398b5b7	ipn/ipnlocal: cleanup incomingFile (#9678 ) This is being moved to taildrop, so clean it up to stop depending on so much unreleated functionality by removing a dependency on peerAPIHandler. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Rhea Ghosh	dc1c7cbe3e	taildrop: initial commit of taildrop functionality refactoring (#9676 ) Over time all taildrop functionality will be contained in the taildrop package. This will include end to end unit tests. This is simply the first smallest piece to move over. There is no functionality change in this commit. Updates tailscale/corp#14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com> Co-authored-by: Joseph Tsai <joetsai@tailscale.com>	9 months ago
Sonia Appasamy	3befc0ef02	client/web: restrict full management client behind browser sessions Adds `getTailscaleBrowserSession` to pull the user's session out of api requests, and `serveTailscaleAuth` to provide the "/api/auth" endpoint for browser to request auth status and new sessions. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Brad Fitzpatrick	7868393200	net/dns/resolver, ipnlocal: fix ExitDNS on Android and iOS Advertise it on Android (it looks like it already works once advertised). And both advertise & likely fix it on iOS. Yet untested. Updates #9672 Change-Id: If3b7e97f011dea61e7e75aff23dcc178b6cf9123 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	b4816e19b6	hostinfo, ipnlocal: flesh out Wake-on-LAN support, send MACs, add c2n sender This optionally uploads MAC address(es) to control, then adds a c2n handler so control can ask a node to send a WoL packet. Updates #306 RELNOTE=now supports waking up peer nodes on your LAN via Wake-on-LAN packets Change-Id: Ibea1275fcd2048dc61d7059039abfbaf1ad4f465 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	b775a3799e	util/httpm, all: add a test to make sure httpm is used consistently Updates #cleanup Change-Id: I7dbf8a02de22fc6b317ab5e29cc97792dd75352c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Val	73e53dcd1c	cmd/tailscale,ipn/ipnlocal: print debug component names Make the 'tailscale debug component-logs' command print the component names for which extra logging can be turned on, for easier discoverability of debug functions. Updates #cleanup Co-authored-by: Paul Scott <paul@tailscale.com> Signed-off-by: Val <valerie@tailscale.com>	9 months ago
Brad Fitzpatrick	246e0ccdca	tsnet: add a test for restarting a tsnet server, fix Windows Thanks to @qur and @eric for debugging! Fixes #6973 Change-Id: Ib2cf8f030cf595cc73dd061c72e78ac19f5fae5d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Maisem Ali	354455e8be	ipn: use NodeCapMap in CheckFunnel These were missed when adding NodeCapMap and resulted in tsnet binaries not being able to turn on funnel. Fixes #9566 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
James Tucker	5c2b2fa1f8	ipn/ipnlocal: plumb ExitNodeDNSResolvers for IsWireGuardOnly exit nodes Control sends ExitNodeDNSResolvers when configured for IsWireGuardOnly nodes that are to be used as the default resolver with a lower precedence than split DNS, and a lower precedence than "Override local DNS", but otherwise before local DNS is used when the exit node is in use. Neither of the below changes were problematic, but appeared so alongside a number of other client and external changes. See tailscale/corp#14809. Reland `ea9dd8fabc`. Reland `d52ab181c3`. Updates #9377 Updates tailscale/corp#14809 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Rhea Ghosh	0275afa0c6	ipn/ipnlocal: prevent putting file if file already exists (#9515 ) Also adding tests to ensure this works. Updates tailscale/corp#14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Claire Wang	e3d6236606	winutil: refactor methods to get values from registry to also return (#9536 ) errors Updates tailscale/corp#14879 Signed-off-by: Claire Wang <claire@tailscale.com>	9 months ago
Val	c608660d12	wgengine,net,ipn,disco: split up and define different types of MTU Prepare for path MTU discovery by splitting up the concept of DefaultMTU() into the concepts of the Tailscale TUN MTU, MTUs of underlying network interfaces, minimum "safe" TUN MTU, user configured TUN MTU, probed path MTU to a peer, and maximum probed MTU. Add a set of likely MTUs to probe. Updates #311 Signed-off-by: Val <valerie@tailscale.com>	9 months ago
Marwan Sulaiman	651620623b	ipn/ipnlocal: close foreground sessions on SetServeConfig This PR ensures zombie foregrounds are shutdown if a new ServeConfig is created that wipes the ongoing foreground ones. For example, "tailscale serve\|funnel reset\|off" should close all open sessions. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Brad Fitzpatrick	04fabcd359	ipn/{ipnlocal,localapi}, cli: add debug force-netmap-update For loading testing & profiling the cost of full netmap updates. Updates #1909 Change-Id: I0afdf5de9967f8d95c7f81d5b531ed1c92c3208f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Val	6cc5b272d8	Revert "wgengine,net,ipn,disco: split up and define different types of MTU" This reverts commit `059051c58a`. Signed-off-by: Val <valerie@tailscale.com>	9 months ago
Val	059051c58a	wgengine,net,ipn,disco: split up and define different types of MTU Prepare for path MTU discovery by splitting up the concept of DefaultMTU() into the concepts of the Tailscale TUN MTU, MTUs of underlying network interfaces, minimum "safe" TUN MTU, user configured TUN MTU, probed path MTU to a peer, and maximum probed MTU. Add a set of likely MTUs to probe. Updates #311 Signed-off-by: Val <valerie@tailscale.com>	9 months ago
Joe Tsai	5473d11caa	ipn/ipnlocal: perform additional sanity check in diskPath (#9500 ) Use filepath.IsLocal to further validate the baseName. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	9 months ago
Brad Fitzpatrick	546506a54d	ipn/ipnlocal: add a test for recent WhoIs regression This would've prevented #9470. This used to pass, fails as of `9538e9f970`, and passes again once #9472 is in. Updates #9470 Change-Id: Iab97666f7a318432fb3b6372a177ab50c55d4697 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Joe Tsai	ae89482f25	ipn/ipnlocal: fix LocalBackend.WhoIs for self (#9472 ) `9538e9f970` broke LocalBackend.WhoIs where you can no longer lookup yourself in WhoIs. This occurs because the LocalBackend.peers map only contains peers. If we fail to lookup a peer, double-check whether it is ourself. Fixes #9470 Signed-off-by: Joe Tsai <joetsai@digital-static.net> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Maisem Ali	ea9dd8fabc	Revert "ipn/ipnlocal: plumb ExitNodeDNSResolvers for IsWireGuardOnly exit nodes" This reverts commit `f6845b10f6`. Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
James Tucker	d52ab181c3	Revert "ipn/ipnlocal: allow Split-DNS and default resolvers with WireGuard nodes" This reverts commit `c7ce4e07e5`. Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
James Tucker	c7ce4e07e5	ipn/ipnlocal: allow Split-DNS and default resolvers with WireGuard nodes The initial implementation directly mirrored the behavior of Tailscale exit nodes, where the WireGuard exit node DNS took precedence over other configuration. This adjusted implementation treats the WireGuard DNS resolvers as a lower precedence default resolver than the tailnet default resolver, and allows split DNS configuration as well. This also adds test coverage to the existing DNS selection behavior with respect to default resolvers and split DNS routes for Tailscale exit nodes above cap 25. There may be some refinement to do in the logic in those cases, as split DNS may not be working as we intend, though that would be a pre-existing and separate issue. Updates #9377 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Tom DNetto	c08cf2a9c6	all: declare & plumb IPv6 masquerade address for peer This PR plumbs through awareness of an IPv6 SNAT/masquerade address from the wire protocol through to the low-level (tstun / wgengine). This PR is the first in two PRs for implementing IPv6 NAT support to/from peers. A subsequent PR will implement the data-plane changes to implement IPv6 NAT - this is just plumbing. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates ENG-991	10 months ago
Maisem Ali	19a9d9037f	tailcfg: add NodeCapMap Like PeerCapMap, add a field to `tailcfg.Node` which provides a map of Capability to raw JSON messages which are deferred to be parsed later by the application code which cares about the specific capabilities. This effectively allows us to prototype new behavior without having to commit to a schema in tailcfg, and it also opens up the possibilities to develop custom behavior in tsnet applications w/o having to plumb through application specific data in the MapResponse. Updates #4217 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	4da0689c2c	tailcfg: add Node.HasCap helpers This makes a follow up change less noisy. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Sonia Appasamy	258f16f84b	ipn/ipnlocal: add tailnet MagicDNS name to ipn.LoginProfile Start backfilling MagicDNS suffixes on LoginProfiles. Updates #9286 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Brad Fitzpatrick	0d991249e1	types/netmap: remove NetworkMap.{Addresses,MachineStatus} And convert all callers over to the methods that check SelfNode. Now we don't have multiple ways to express things in tests (setting fields on SelfNode vs NetworkMap, sometimes inconsistently) and don't have multiple ways to check those two fields (often only checking one or the other). Updates #9443 Change-Id: I2d7ba1cf6556142d219fae2be6f484f528756e3c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Maisem Ali	a61caea911	tailcfg: define a type for NodeCapability Instead of untyped string, add a type to identify these. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Brad Fitzpatrick	3d37328af6	wgengine, proxymap: split out port mapping from Engine to new type (Continuing quest to remove rando stuff from the "Engine") Updates #cleanup Change-Id: I77f39902c2194410c10c054b545d70c9744250b0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	db2f37d7c6	ipn/ipnlocal: add some test accessors Updates tailscale/corp#12990 Change-Id: I82801ac4c003d2c7e1352c514adb908dbf01be87 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	9538e9f970	ipn/ipnlocal: keep internal map updated of latest Nodes post mutations We have some flaky integration tests elsewhere that have no one place to ask about the state of the world. This makes LocalBackend be that place (as it's basically there anyway) but doesn't yet add the ForTest accessor method. This adds a LocalBackend.peers map[NodeID]NodeView that is incrementally updated as mutations arrive. And then we start moving away from using NetMap.Peers at runtime (UpdateStatus no longer uses it now). And remove another copy of NodeView in the LocalBackend nodeByAddr map. Change that to point into b.peers instead. Future changes will then start streaming whole-node-granularity peer change updates to WatchIPNBus clients, tracking statefully per client what each has seen. This will get the GUI clients from receiving less of a JSON storm of updates all the time. Updates #1909 Change-Id: I14a976ca9f493bdf02ba7e6e05217363dcf422e5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	926c990a09	types/netmap: start phasing out Addresses, add GetAddresses method NetworkMap.Addresses is redundant with the SelfNode.Addresses. This works towards a TODO to delete NetworkMap.Addresses and replace it with a method. This is similar to #9389. Updates #cleanup Change-Id: Id000509ca5d16bb636401763d41bdb5f38513ba0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	fb5ceb03e3	types/netmap: deprecate NetworkMap.MachineStatus, add accessor method Step 1 of deleting it, per TODO. Updates #cleanup Change-Id: I1d3d0165ae5d8b20610227d60640997b73568733 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	0f3c279b86	ipn/ipnlocal: delete some unused code Updates #cleanup Change-Id: I90b46c476f135124d97288e776c2b428b351b8b8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	760b945bc0	ipn/{ipnlocal,ipnstate}: start simplifying UpdateStatus/StatusBuilder * Remove unnecessary mutexes (there's no concurrency) * Simplify LocalBackend.UpdateStatus using the StatusBuilder.WantPeers field that was added in `0f604923d3`, removing passing around some method values into func args. And then merge two methods. More remains, but this is a start. Updates #9433 Change-Id: Iaf2d7ec6e4e590799f00bae185465a4fd089b822 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
James Tucker	f6845b10f6	ipn/ipnlocal: plumb ExitNodeDNSResolvers for IsWireGuardOnly exit nodes This enables installing default resolvers specified by tailcfg.Node.ExitNodeDNSResolvers when the exit node is selected. Updates #9377 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
Marwan Sulaiman	3421784e37	cmd/tailscale/cli: use optimistic concurrency control on SetServeConfig This PR uses the etag/if-match pattern to ensure multiple calls to SetServeConfig are synchronized. It currently errors out and asks the user to retry but we can add occ retries as a follow up. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	10 months ago
Brad Fitzpatrick	99bb355791	wgengine: remove DiscoKey method from Engine interface It has one user (LocalBackend) which can ask magicsock itself. Updates #cleanup Change-Id: I8c03cbb1e5ba57b0b442621b5fa467030c14a2e2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Tyler Smalley	82c1dd8732	cmd/tailscale: funnel wip cleanup and additional test coverage (#9316 ) General cleanup and additional test coverage of WIP code. * use enum for serveType * combine instances of ServeConfig access within unset * cleanMountPoint rewritten into cleanURLPath as it only handles URL paths * refactor and test expandProxyTargetDev > Note > Behind the `TAILSCALE_USE_WIP_CODE` flag updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	10 months ago

1 2 3 4 5 ...

1275 Commits (f5f21c213c7dd7298289f770452053ba97ec40e3)