tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	3addcacfe9	net/dns: fix recently added URL scheme from http to https I typoed/brainoed in the earlier `3582628691` Change-Id: Ic198a6f9911f195d9da9fc5259b5784a4b15e5e3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
andig	5f96d6211a	Remove redundant type declaration Signed-off-by: andig <cpuidle@gmx.de>	1 year ago
Brad Fitzpatrick	3582628691	net/dns/resolvconffile: link to FAQ about resolv.conf being overwritten Add link to new http://tailscale.com/s/resolvconf-overwrite page, added in tailscale/tailscale-www#2243 Change-Id: I9718399487f2ed18bf1a112581fd168aea30f232 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	6d85a94767	net/{packet,tstun}: fix typo in test helper docs Change-Id: Ifc1684fe77c7d2585e049e0dfd7340910c47a67a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	c1a2e2c380	net/{packet,tstun},wgengine/filter: fix unknown IP protocol handling `01b90df2fa` added SCTP support before (with explicit parsing for ports) and `69de3bf7bf` tried to add support for arbitrary IP protocols (as long as the ACL permited a port of "", since we might not know how to find ports from an arbitrary IP protocol, if it even has such a concept). But apparently that latter commit wasn't tested end-to-end enough. It had a lot of tests, but the tests made assumptions about layering that either weren't true, or regressed since 1.20. Notably, it didn't remove the (Filter).pre bidirectional filter that dropped all "unknown" protocol packets both leaving and entering, even if there were explicit protocol matches allowing them in. Also, don't map all unknown protocols to 0. Keep their IP protocol number parsed so it's matchable by later layers. Only reject illegal things. Fixes #6423 Updates #2162 Updates #2163 Change-Id: I9659b3ece86f4db51d644f9b34df78821758842c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Jordan Whited	25a0091f69	net/portmapper: relax handling of UPnP resp (#6946 ) Gateway devices operating as an HA pair w/VRRP or CARP may send UPnP replies from static addresses rather than the floating gateway address. This commit relaxes our source address verification such that we parse responses from non-gateway IPs, and re-point the UPnP root desc URL to the gateway IP. This ensures we are still interfacing with the gateway device (assuming L2 security intact), even though we got a root desc from a non-gateway address. This relaxed handling is required for ANY port mapping to work on certain OPNsense/pfsense distributions using CARP at the time of writing, as miniupnpd may only listen on the static, non-gateway interface address for PCP and PMP. Fixes #5502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 year ago
Tom DNetto	2ac5474be1	net/flowtrack,wgengine/filter: refactor Cache to use generics Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Tom DNetto	673b3d8dbd	net/dns,userspace: remove unused DNS paths, normalize query limit on iOS With `a42a594bb3`, iOS uses netstack and hence there are no longer any platforms which use the legacy MagicDNS path. As such, we remove it. We also normalize the limit for max in-flight DNS queries on iOS (it was 64, now its 256 as per other platforms). It was 64 for the sake of being cautious about memory, but now we have 50Mb (iOS-15 and greater) instead of 15Mb so we have the spare headroom. Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
James Tucker	b2c55e62c8	net/tlsdial,tstest,version: use go command from $PATH Go now includes the GOROOT bin directory in $PATH while running tests and generate, so it is no longer necessary to construct a path using runtime.GOROOT(). Fixes #6689 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Brad Fitzpatrick	ea70aa3d98	net/dns/resolvconffile: fix handling of multiple search domains Fixes #6875 Change-Id: I57eb9312c9a1c81792ce2b5a0a0f254213b05df2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
andig	14e8afe444	go.mod, etc: bump gvisor Fixes #6554 Change-Id: Ia04ae37a47b67fa57091c9bfe1d45a1842589aa8 Signed-off-by: andig <cpuidle@gmx.de>	1 year ago
Andrew Dunham	0372e14d79	net/dns: bump DNS-over-TCP size limit to 4k We saw a few cases where we hit this limit; bumping to 4k seems relatively uncontroversial. Change-Id: I218fee3bc0d2fa5fde16eddc36497a73ebd7cbda Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	1 year ago
Aaron Klotz	296f53524c	netstat, portlist: update Windows implementation to disambiguate svchost processes We change our invocations of GetExtendedTcpTable to request additional information about the "module" responsible for the port. In addition to pid, this output also includes sufficient metadata to enable Windows to resolve process names and disambiguate svchost processes. We store the OS-specific output in an OSMetadata field in netstat.Entry, which portlist may then use as necessary to actually resolve the process/module name. Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Joe Tsai	d9df023e6f	net/connstats: enforce maximum number of connections (#6760 ) The Tailscale logging service has a hard limit on the maximum log message size that can be accepted. We want to ensure that netlog messages never exceed this limit otherwise a client cannot transmit logs. Move the goroutine for periodically dumping netlog messages from wgengine/netlog to net/connstats. This allows net/connstats to manage when it dumps messages, either based on time or by size. Updates tailscale/corp#8427 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 year ago
Jordan Whited	55b24009f7	net/tstun: don't return early from a partial tun.Read() (#6745 ) Fixes #6730 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 year ago
Andrew Dunham	3f4d51c588	net/dns: don't send on closed channel when message too large Previously, if a DNS-over-TCP message was received while there were existing queries in-flight, and it was over the size limit, we'd close the 'responses' channel. This would cause those in-flight queries to send on the closed channel and panic. Instead, don't close the channel at all and rely on s.ctx being canceled, which will ensure that in-flight queries don't hang. Fixes #6725 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8267728ac37ed7ae38ddd09ce2633a5824320097	1 year ago
Brad Fitzpatrick	ca08e316af	util/endian: delete package; use updated josharian/native instead See josharian/native#3 Updates golang/go#57237 Change-Id: I238c04c6654e5b9e7d9cfb81a7bbc5e1043a84a2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Jordan Whited	ea5ee6f87c	all: update golang.zx2c4.com/wireguard to github.com/tailscale/wireguard-go (#6692 ) This is temporary while we work to upstream performance work in https://github.com/WireGuard/wireguard-go/pull/64. A replace directive is less ideal as it breaks dependent code without duplication of the directive. Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 years ago
Maisem Ali	eb1adf629f	net/tstun: reuse buffered packet from pool We would call parsedPacketPool.Get() for all packets received in Read/Write. This was wasteful and not necessary, fetch a single *packet.Parsed for all packets. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Jordan Whited	76389d8baf	net/tstun, wgengine/magicsock: enable vectorized I/O on Linux (#6663 ) This commit updates the wireguard-go dependency and implements the necessary changes to the tun.Device and conn.Bind implementations to support passing vectors of packets in tailscaled. This significantly improves throughput performance on Linux. Updates #414 Signed-off-by: Jordan Whited <jordan@tailscale.com> Signed-off-by: James Tucker <james@tailscale.com> Co-authored-by: James Tucker <james@tailscale.com>	2 years ago
Brad Fitzpatrick	1598cd0361	net/tsaddr: remove ContainsFunc helpers (they're now in x/exp/slices) x/exp/slices now has ContainsFunc (golang/go#53983) so we can delete our versions. Change-Id: I5157a403bfc1b30e243bf31c8b611da25e995078 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Mihai Parparita	79f3a5d753	net/netns, net/interfaces: explicitly bind sockets to the default interface on all Darwin variants We were previously only doing this for tailscaled-on-Darwin, but it also appears to help on iOS. Otherwise, when we rebind magicsock UDP connections after a cellular -> WiFi interface change they still keep using cellular one. To do this correctly when using exit nodes, we need to exclude the Tailscale interface when getting the default route, otherwise packets cannot leave the tunnel. There are native macOS/iOS APIs that we can use to do this, so we allow those clients to override the implementation of DefaultRouteInterfaceIndex. Updates #6565, may also help with #5156 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Maisem Ali	99aa335923	net/dns: [linux] log and add metric for dnsMode I couldn't find any logs that indicated which mode it was running in so adding that. Also added a gauge metric for dnsMode. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Joe Tsai	2e5d08ec4f	net/connstats: invert network logging data flow (#6272 ) Previously, tstun.Wrapper and magicsock.Conn managed their own statistics data structure and relied on an external call to Extract to extract (and reset) the statistics. This makes it difficult to ensure a maximum size on the statistics as the caller has no introspection into whether the number of unique connections is getting too large. Invert the control flow such that a connstats.Statistics is registered with tstun.Wrapper and magicsock.Conn. Methods on non-nil connstats.Statistics are called for every packet. This allows the implementation of connstats.Statistics (in the future) to better control when it needs to flush to ensure bounds on maximum sizes. The value registered into tstun.Wrapper and magicsock.Conn could be an interface, but that has two performance detriments: 1. Method calls on interface values are more expensive since they must go through a virtual method dispatch. 2. The implementation would need a sync.Mutex to protect the statistics value instead of using an atomic.Pointer. Given that methods on constats.Statistics are called for every packet, we want reduce the CPU cost on this hot path. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Denton Gentry	b8fe89d15f	net/portmapper: add test for Huawei router Updates https://github.com/tailscale/tailscale/issues/6320 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Andrew Dunham	ec790e58df	net/dns: retry overwriting hosts file on Windows Updates #5753 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I60f81bd3325d5ba5383b947c7a7aaa5b14e460f6	2 years ago
Mihai Parparita	33520920c3	all: use strs.CutPrefix and strs.CutSuffix more Updates places where we use HasPrefix + TrimPrefix to use the combined function. Updates #5309 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Aaron Klotz	41e1d336cc	net/dns: change windows DNS manager to use pointer receiver This is safer given that we need to close the NRPT database. Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Brad Fitzpatrick	e9c851b04b	ipn/ipnlocal: also accept service IP IPv6 literal in brackets for quad100 The fix in `4fc8538e2` was sufficient for IPv6. Browsers (can?) send the IPv6 literal, even without a port number, in brackets. Updates tailscale/corp#7948 Change-Id: I0e429d3de4df8429152c12f251ab140b0c8f6b77 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	22238d897b	all: standardize on PeerAPI Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	fb392e34b5	net/tshttpproxy: don't ignore env-based HTTP proxies after system lookups fail There was a mechanism in tshttpproxy to note that a Windows proxy lookup failed and to stop hitting it so often. But that turns out to fire a lot (no PAC file configured at all results in a proxy lookup), so after the first proxy lookup, we were enabling the "omg something's wrong, stop looking up proxies" bit for awhile, which was then also preventing the normal Go environment-based proxy lookups from working. This at least fixes environment-based proxies. Plenty of other Windows-specific proxy work remains (using WinHttpGetIEProxyConfigForCurrentUser instead of just PAC files, ignoring certain types of errors, etc), but this should fix the regression reported in #4811. Updates #4811 Change-Id: I665e1891897d58e290163bda5ca51a22a017c5f9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	3114eacbb8	ipn/ipnlocal: don't warn about serve listener failing on IPv6-less machines Fixes #6303 Change-Id: Ie1ce12938f68dfa0533246bbe3b9d7f3e749a243 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	90bd74fc05	net/dns: add a health warning when Linux /etc/resolv.conf is overwritten Change-Id: I925b4d904bc7ed920bc5afee11e6dcb2ffc2fbfd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	001f482aca	net/dns: make "direct" mode on Linux warn on resolv.conf fights Run an inotify goroutine and watch if another program takes over /etc/inotify.conf. Log if so. For now this only logs. In the future I want to wire it up into the health system to warn (visible in "tailscale status", etc) about the situation, with a short URL to more info about how you should really be using systemd-resolved if you want programs to not fight over your DNS files on Linux. Updates #4254 etc etc Change-Id: I86ad9125717d266d0e3822d4d847d88da6a0daaa Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	8e85227059	cmd/tailscale/cli: [set] handle selectively modifying routes/exit node Noticed this while debugging something else, we would reset all routes if either `--advertise-exit-node` or `--advertise-routes` were set. This handles correctly updating them. Also added tests. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	66b4a363bd	net/dns/resolver: add yet another 4via6 DNS form that's hopefully more robust $ dig +short @100.100.100.100 aaaa 10-2-5-3-via-7.foo-bar.ts.net fd7a:115c:a1e0:b1a:0:7:a02:503 $ dig +short @100.100.100.100 aaaa 10-2-5-3-via-7 fd7a:115c:a1e0:b1a:0:7:a02:503 $ ping 10-2-5-3-via-7 PING 10-2-5-3-via-7(fd7a:115c:a1e0:b1a:0:7:a02:503 (fd7a:115c:a1e0:b1a:0:7:a02:503)) 56 data bytes ... Change-Id: Ice8f954518a6a2fca8b2c04da7f31f61d78cdec4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	e85613aa2d	net/netcheck: don't use a space in the captive portal challenge The derpers don't allow whitespace in the challenge. Change-Id: I93a8b073b846b87854fba127b5c1d80db205f658 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Andrew Dunham	c2d7940ec0	cmd/tailscaled, net/tstun: add build tags to omit BIRD and TAP Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I7a39f4eeeb583b73ecffaf4c5f086a38e3a53e2e	2 years ago
Brad Fitzpatrick	036334e913	net/netcheck: deflake (maybe) magicsock's TestNewConn Updates #6207 Change-Id: I51d200d0b42b9a1ef799d0abfc8d4bd871c50cf2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	da8def8e13	all: remove old +build tags The //go:build syntax was introduced in Go 1.17: https://go.dev/doc/go1.17#build-lines gofmt has kept the +build and go:build lines in sync since then, but enough time has passed. Time to remove them. Done with: perl -i -npe 's,^// \+build.*\n,,' $(git grep -l -F '+build') Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	d57cba8655	net/tshttpproxy: add clientmetrics on Windows proxy lookup paths To collect some data on how widespread this is and whether there's any correlation between different versions of Windows, etc. Updates #4811 Change-Id: I003041d0d7e61d2482acd8155c1a4ed413a2c5c4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	f4ff26f577	types/pad32: delete package Use Go 1.19's new 64-bit alignment ~hidden feature instead. Fixes #5356 Change-Id: Ifcbcb115875a7da01df3bc29e9e7feadce5bc956 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Anton Tolchanov	e25ab75795	net/dns: getting base DNS config is not supported on macOS Instead of returning a custom error, use ErrGetBaseConfigNotSupported that seems to be intended for this use case. This fixes DNS resolution on macOS clients compiled from source. Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 years ago
Joe Tsai	c21a3c4733	types/netlogtype: new package for network logging types (#6092 ) The netlog.Message type is useful to depend on from other packages, but doing so would transitively cause gvisor and other large packages to be linked in. Avoid this problem by moving all network logging types to a single package. We also update staticcheck to take in: `003d277bcf` Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Andrew Dunham	95f3dd1346	net/interfaces: don't dereference null pointer if no destination/netmask Fixes #6065 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I7159b8cbb8d5f47c0668cf83e59167f182f1defd	2 years ago
Andrew Dunham	ba459aeef5	net/interfaces: don't call GetList in List.ForeachInterface It looks like this was left by mistake in `4a3e2842`. Change-Id: Ie4e3d5842548cd2e8533b3552298fb1ce9ba761a Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Peter Cai	4597ec1037	net/dnscache: Handle 4-in-6 addresses in DNS responses On Android, the system resolver can return IPv4 addresses as IPv6-mapped addresses (i.e. `::ffff:a.b.c.d`). After the switch to `net/netip` (`19008a3`), this case is no longer handled and a response like this will be seen as failure to resolve any IPv4 addresses. Handle this case by simply calling `Unmap()` on the returned IPs. Fixes #5698. Signed-off-by: Peter Cai <peter@typeblog.net>	2 years ago
Andrew Dunham	74693793be	net/netcheck, tailcfg: track whether OS supports IPv6 We had previously added this to the netcheck report in #5087 but never copied it into the NetInfo struct. Additionally, add it to log lines so it's visible to support. Change-Id: Ib6266f7c6aeb2eb2a28922aeafd950fe1bf5627e Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Andrew Dunham	e966f024b0	net/dns: print systemd-resolved ResolvConfMode The ResolvConfMode property is documented to return how systemd-resolved is currently managing /etc/resolv.conf. Include that information in the debug line, when available, to assist in debugging DNS issues. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I1ae3a257df1d318d0193a8c7f135c458ec45093e	2 years ago
Andrew Dunham	223126fe5b	cmd/derper, net/netcheck: add challenge/response to generate_204 endpoint The Lufthansa in-flight wifi generates a synthetic 204 response to the DERP server's /generate_204 endpoint. This PR adds a basic challenge/response to the endpoint; something sufficiently complicated that it's unlikely to be implemented by a captive portal. We can then check for the expected response to verify whether we're being MITM'd. Follow-up to #5601 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I94a68c9a16a7be7290200eea6a549b64f02ff48f	2 years ago
Anton Tolchanov	d499afac78	net/interfaces: improve default route detection Instead of treating any interface with a non-ifscope route as a potential default gateway, now verify that a given route is actually a default route (0.0.0.0/0 or ::/0). Fixes #5879 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 years ago
Anton Tolchanov	9c2ad7086c	net/interfaces: deduplicate route table parsing on Darwin and FreeBSD Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 years ago
Mihai Parparita	9d04ffc782	net/wsconn: add back custom wrapper for turning a websocket.Conn into a net.Conn We removed it in #4806 in favor of the built-in functionality from the nhooyr.io/websocket package. However, it has an issue with deadlines that has not been fixed yet (see nhooyr/websocket#350). Temporarily go back to using a custom wrapper (using the fix from our fork) so that derpers will stop closing connections too aggressively. Updates #5921 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Maisem Ali	3555a49518	net/dns: always attempt to read the OS config on macOS/iOS Also reconfigure DNS on iOS/macOS on link changes. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	9a264dac01	net/netcheck: fix crash in checkCaptivePortal If netcheck happens before there's a derpmap. This seems to only affect Headscale because it doesn't send a derpmap as early? Change-Id: I51e0dfca8e40623e04702bc9cc471770ca20d2c2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Joe Tsai	1b4e4cc1e8	wgengine/netlog: new package for traffic flow logging (#5864 ) The Logger type managers a logtail.Logger for extracting statistics from a tstun.Wrapper. So long as Shutdown is called, it ensures that logtail and statistic gathering resources are properly cleared up. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Maisem Ali	ecf6cdd830	ssh/tailssh: add TestSSHAuthFlow Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Joe Tsai	84e8f25c21	net/tstun: rename statististics method (#5852 ) Rename StatisticsEnable as SetStatisticsEnabled to be consistent with other similarly named methods. Rename StatisticsExtract as ExtractStatistics to follow the convention where methods start with a verb. It was originally named with Statistics as a prefix so that statistics related methods would sort well in godoc, but that property no longer holds. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	dd045a3767	net/flowtrack: add json tags to Tuple (#5849 ) By convention, JSON serialization uses camelCase. Specify such names on the Tuple type. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	a73c423c8a	net/tunstats: add Counts.Add (#5848 ) The Counts.Add method merges two Counts together. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	24ebf161e8	net/tstun: instrument Wrapper with statistics gathering (#5847 ) If Wrapper.StatisticsEnable is enabled, then per-connection counters are maintained. If enabled, Wrapper.StatisticsExtract must be periodically called otherwise there is unbounded memory growth. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	2934c5114c	net/tunstats: new package to track per-connection counters (#5818 ) High-level API: type Statistics struct { ... } type Counts struct { TxPackets, TxBytes, RxPackets, RxBytes uint64 } func (Statistics) UpdateTx([]byte) func (Statistics) UpdateRx([]byte) func (*Statistics) Extract() map[flowtrack.Tuple]Counts The API accepts a []byte instead of a packet.Parsed so that a future implementation can directly hash the address and port bytes, which are contiguous in most IP packets. This will be useful for a custom concurrent-safe hashmap implementation. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Mihai Parparita	8343b243e7	all: consistently initialize Logf when creating tsdial.Dialers Most visible when using tsnet.Server, but could have resulted in dropped messages in a few other places too. Fixes #5743 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Josh Soref	d4811f11a0	all: fix spelling mistakes Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2 years ago
Brad Fitzpatrick	bb7be74756	net/dns/publicdns: permit more NextDNS profile bits in its IPv6 suffix I brain-o'ed the math earlier. The NextDNS prefix is /32 (actually /33, but will guarantee last bit is 0), so we have 128-32 = 96 bits (12 bytes) of config/profile ID that we can extract. NextDNS doesn't currently use all those, but might. Updates #2452 Change-Id: I249bd28500c781e45425fd00fd3f46893ae226a2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	a5fab23e8f	net/dns: format OSConfig correctly with no pointers (#5766 ) Fixes tailscale/tailscale#5669 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Emmanuel T Odeke	f981b1d9da	all: fix resource leaks with missing .Close() calls Fixes #5706 Signed-off-by: Emmanuel T Odeke <emmanuel@orijtech.com>	2 years ago
Andrew Dunham	b1867457a6	doctor: add package for running in-depth healthchecks; use in bugreport (#5413 ) Change-Id: Iaa4e5b021a545447f319cfe8b3da2bd3e5e5782b Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
James Tucker	f7cb535693	net/speedtest: retune to meet iperf on localhost in a VM - removed some in-flow time calls - increase buffer size to 2MB to overcome syscall cost - move relative time computation from record to report time Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	146f51ce76	net/packet: fix filtering of short IPv4 fragments The fragment offset is an 8 byte offset rather than a byte offset, so the short packet limit is now in fragment block size in order to compare with the offset value. The packet flags are in the first 3 bits of the flags/frags byte, and so after conversion to a uint16 little endian value they are at the start, not the end of the value - the mask for extracting "more fragments" is adjusted to match this byte. Extremely short fragments less than 80 bytes are dropped, but fragments over 80 bytes are now accepted. Fixes #5727 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Andrew Dunham	c6162c2a94	net/netcheck: add check for captive portal (#5593 ) This doesn't change any behaviour for now, other than maybe running a full netcheck more often. The intent is to start gathering data on captive portals, and additionally, seeing this in the 'tailscale netcheck' command should provide a bit of additional information to users. Updates #1634 Change-Id: I6ba08f9c584dc0200619fa97f9fde1a319f25c76 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Denton Gentry	42f1d92ae0	net/netns: implement UseSocketMark for Android. Build fails on Android: `../../../../go/pkg/mod/tailscale.com@v1.1.1-0.20220916223019-65c24b6334e9/wgengine/magicsock/magicsock_linux.go:133:12: undefined: netns.UseSocketMark` Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Eng Zer Jun	f0347e841f	refactor: move from io/ioutil to io and os packages The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Reference: https://golang.org/doc/go1.16#ioutil Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>	2 years ago
Brad Fitzpatrick	74674b110d	envknob: support changing envknobs post-init Updates #5114 Change-Id: Ia423fc7486e1b3f3180a26308278be0086fae49b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	cf61070e26	net/dnscache: add better logging to bootstrap DNS path (#5640 ) Change-Id: I4cde3a72e06dac18df856a0cfeac10ab7e3a9108 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Mihai Parparita	82e82d9b7a	net/dns/resolver: remove unused responseTimeout constant Timeout is now enforced elsewhere, see discussion in https://github.com/tailscale/tailscale/pull/4408#discussion_r970092333. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
nyghtowl	0f16640546	net/dns: fix fmt error on Revert print Fixes #5619 Signed-off-by: nyghtowl <warrick@tailscale.com>	2 years ago
David Anderson	7c49db02a2	wgengine/magicsock: don't use BPF receive when SO_MARK doesn't work. Fixes #5607 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Brad Fitzpatrick	024257ef5a	net/stun: unmap IPv4 addresses in 16 byte STUN replies Updates #5602 Change-Id: I2276ad2bfb415b9ff52f37444f2a1d74b38543b1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	708b7bff3d	net/dns/publicdns: also support NextDNS DoH query parameters The plan has changed. Doing query parameters rather than path + heades. NextDNS added support for query parameters. Updates #2452 Change-Id: I4783c0a06d6af90756d9c80a7512644ba702388c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	81bc4992f2	net/netns: add TS_FORCE_LINUX_BIND_TO_DEVICE for Linux For debugging a macOS-specific magicsock issue. macOS runs in bind-to-interface mode always. This lets me force Linux into the same mode as macOS, even if the Linux kernel supports SO_MARK, as it usually does. Updates #2331 etc Change-Id: Iac9e4a7429c1781337e716ffc914443b7aa2869d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	e7376aca25	net/dns/resolver: set DNS-over-HTTPS Accept and User-Agent header on requests Change-Id: I14b821771681e70405a507f43229c694159265ff Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	c14361e70e	net/dns/publicdns: support NextDNS DoH URLs with path parameters Updates #2452 Change-Id: I0f1c34cc1672e87e7efd0adfe4088724dd0de3ed Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	2aade349fc	net/dns, types/dnstypes: update some comments, tests for DoH Clarify & verify that some DoH URLs can be sent over tailcfg in some limited cases. Updates #2452 Change-Id: Ibb25db77788629c315dc26285a1059a763989e24 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	58abae1f83	net/dns/{publicdns,resolver}: add NextDNS DoH support NextDNS is unique in that users create accounts and then get user-specific DNS IPs & DoH URLs. For DoH, the customer ID is in the URL path. For IPv6, the IP address includes the customer ID in the lower bits. For IPv4, there's a fragile "IP linking" mechanism to associate your public IPv4 with an assigned NextDNS IPv4 and that tuple maps to your customer ID. We don't use the IP linking mechanism. Instead, NextDNS is DoH-only. Which means using NextDNS necessarily shunts all DNS traffic through 100.100.100.100 (programming the OS to use 100.100.100.100 as the global resolver) because operating systems can't usually do DoH themselves. Once it's in Tailscale's DoH client, we then connect out to the known NextDNS IPv4/IPv6 anycast addresses. If the control plane sends the client a NextDNS IPv6 address, we then map it to the corresponding NextDNS DoH with the same client ID, and we dial that DoH server using the combination of v4/v6 anycast IPs. Updates #2452 Change-Id: I3439d798d21d5fc9df5a2701839910f5bef85463 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	f52a659076	net/dnsfallback: allow setting log function (#5550 ) This broke a test in corp that enforces we don't use the log package. Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Andrew Dunham	b8596f2a2f	net/dnsfallback: cache most recent DERP map on disk (#5545 ) This is especially helpful as we launch newer DERPs over time, and older clients have progressively out-of-date static DERP maps baked in. After this, as long as the client has successfully connected once, it'll cache the most recent DERP map it knows about. Resolves an in-code comment from @bradfitz Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Kris Brandow	19008a3023	net/dnscache: use net/netip Removes usage of net.IP and net.IPAddr where possible from net/dnscache. Fixes #5282 Signed-off-by: Kris Brandow <kris.brandow@gmail.com>	2 years ago
Brad Fitzpatrick	9bd9f37d29	go.mod: bump wireguard/windows, which moves to using net/netip Updates #5162 Change-Id: If99a3f0000bce0c01bdf44da1d513f236fd7cdf8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	9f6c8517e0	net/dns: set OS DNS to 100.100.100.100 for route-less ExtraRecords [cap 41] If ExtraRecords (Hosts) are specified without a corresponding split DNS route and global DNS is specified, then program the host OS DNS to use 100.100.100.100 so it can blend in those ExtraRecords. Updates #1543 Change-Id: If49014a5ecc8e38978ff26e54d1f74fe8dbbb9bc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	68d9d161f4	net/dns: [win] fix regression in disableDynamicUpdate Somehow I accidentally set the wrong registry value here. It should be DisableDynamicUpdate=1 and not EnableDNSUpdate=0. This is a regression from `545639e`. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Nahum Shalman	214242ff62	net/dns/publicdns: Add Mullvad DoH See https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/ The Mullvad DoH servers appear to only speak HTTP/2 and the use of a non-nil DialContext in the http.Transport means that ForceAttemptHTTP2 must be set to true to be able to use them. Signed-off-by: Nahum Shalman <nahamu@gmail.com>	2 years ago
Maisem Ali	9197dd14cc	net/dns: [win] add MagicDNS entries to etc/hosts This works around the 2.3s delay in short name lookups when SNR is enabled. C:\Windows\System32\drivers\etc\hosts file. We only add known hosts that match the search domains, and we populate the list in order of Search Domains so that our matching algorithm mimics what Windows would otherwise do itself if SNR was off. Updates #1659 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Kris Brandow	9ae1161e85	net/dnscache: fix v4addrs to return only v4 addrs Update the v4addrs function to filter out IPv6 addresses. Fixes regression from `8725b14056`. Signed-off-by: Kris Brandow <kris.brandow@gmail.com>	2 years ago
Kris Brandow	8f38afbf8e	net/stun: convert to use net/netip.AddrPort Convert ParseResponse and Response to use netip.AddrPort instead of net.IP and separate port. Fixes #5281 Signed-off-by: Kris Brandow <kris.brandow@gmail.com>	2 years ago
Maisem Ali	25865f81ee	net/dns: disable NetBIOS on Tailscale interfaces Like LLMNR, NetBIOS also adds resolution delays and we don't support it anyway so just disable it on the interface. Updates #1659 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	545639ee44	util/winutil: consolidate interface specific registry keys Code movement to allow reuse in a follow up PR. Updates #1659 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	1cff719015	net/dns: [win] respond with SERVFAIL queries when no resolvers Currently we forward unmatched queries to the default resolver on Windows. This results in duplicate queries being issued to the same resolver which is just wasted. Updates #1659 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Andrew Dunham	d942a2ff56	net/dnscache: try IPv6 addresses first (#5349 ) Signed-off-by: Andrew Dunham <andrew@tailscale.com> Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Maisem Ali	3bb57504af	net/dns/resolver: add comments clarifying nil error returns Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago

1 2 3 4 5 ...

776 Commits (f61b3061330393de2f8c8aa7b013375f557c9738)