tailscale/net
James Tucker 8d1249550a net/netcheck,wgengine/magicsock: add potential workaround for Palo Alto DIPP misbehavior
Palo Alto firewalls have a typically hard NAT, but also have a mode
called Persistent DIPP that is supposed to provide consistent port
mapping suitable for STUN resolution of public ports. Persistent DIPP
works initially on most Palo Alto firewalls, but some models/software
versions have a bug which this works around.

The bug symptom presents as follows:

- STUN sessions resolve a consistent public IP:port to start with
- Much later netchecks report the same IP:Port for a subset of
  sessions, most often the user's active DERP, and/or the port related
  to sustained traffic.
- The broader set of DERPs in a full netcheck will now consistently
  observe a new IP:Port.
- After this point of observation, new inbound connections will only
  succeed to the new IP:Port observed, and existing/old sessions will
  only work to the old binding.

In this patch we now advertise the lowest latency global endpoint
discovered as we always have, but in addition any global endpoints that
are observed more than once in a single netcheck report. This should
provide viable endpoints for potential connection establishment across
a NAT with this behavior.

Updates tailscale/corp#19106

Signed-off-by: James Tucker <james@tailscale.com>
6 months ago
art all: use Go 1.22 range-over-int 7 months ago
connstats all: use Go 1.22 range-over-int 7 months ago
dns Net/DNS/Publicdns: update the IPv6 range that we use to recreate route endpoint for control D 6 months ago
dnscache net/netns, net/dns/resolver, etc: make netmon required in most places 6 months ago
dnsfallback tsd, ipnlocal, etc: add tsd.System.HealthTracker, start some plumbing 6 months ago
flowtrack all: update copyright and license headers 2 years ago
ktimeout net/ktimeout: add a package to set TCP user timeout 9 months ago
memnet net/memnet: export the network name (#9111) 1 year ago
netaddr all: update copyright and license headers 2 years ago
netcheck net/netcheck,wgengine/magicsock: add potential workaround for Palo Alto DIPP misbehavior 6 months ago
neterror net/neterror, wgengine/magicsock: use UDP GSO and GRO on Linux (#7791) 2 years ago
netkernelconf client/tailscale,ipn/{ipnlocal,localapi}: check UDP GRO config (#10071) 1 year ago
netknob all: update copyright and license headers 2 years ago
netmon net/netmon: remove spammy log statements (#11953) 6 months ago
netns net/{interfaces,netmon}, all: merge net/interfaces package into net/netmon 6 months ago
netstat net/{netns,netstat}: use new x/sys/cpu.IsBigEndian 2 years ago
netutil net/netmon, add: add netmon.State type alias of interfaces.State 6 months ago
packet all: use Go 1.22 range-over-int 7 months ago
ping net/ping: fix ICMP echo code field to 0 1 year ago
portmapper net/portmapper: add envknob to disable portmapper in localhost integration tests 6 months ago
proxymux all: cleanup unused code, part 1 (#10661) 11 months ago
routetable net/{interfaces,netmon}, all: merge net/interfaces package into net/netmon 6 months ago
socks5 net/socks5: add password auth support 2 years ago
sockstats net/{interfaces,netmon}, all: merge net/interfaces package into net/netmon 6 months ago
speedtest all: update copyright and license headers 2 years ago
stun all: make more tests pass/skip in airplane mode 6 months ago
stunserver all: use Go 1.22 range-over-int 7 months ago
tcpinfo all: use Go 1.22 range-over-int 7 months ago
tlsdial tsd, ipnlocal, etc: add tsd.System.HealthTracker, start some plumbing 6 months ago
tsaddr types/views: remove duplicate SliceContainsFunc 6 months ago
tsdial ipn/ipnlocal, net/tsdial: plumb routes into tsdial and use them in UserDial 6 months ago
tshttpproxy all: use Go 1.22 range-over-int 7 months ago
tstun net/tstun: do SNAT after filterPacketOutboundToWireGuard 6 months ago
wsconn net/wsconn: accept a remote addr string and plumb it through 1 year ago