mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-29 04:55:31 +00:00
all: fix spelling mistakes
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
This commit is contained in:
parent
e73657d7aa
commit
d4811f11a0
@ -106,10 +106,10 @@ func TestChirp(t *testing.T) {
|
|||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
if err := c.EnableProtocol("rando"); err == nil {
|
if err := c.EnableProtocol("rando"); err == nil {
|
||||||
t.Fatalf("enabling %q succeded", "rando")
|
t.Fatalf("enabling %q succeeded", "rando")
|
||||||
}
|
}
|
||||||
if err := c.DisableProtocol("rando"); err == nil {
|
if err := c.DisableProtocol("rando"); err == nil {
|
||||||
t.Fatalf("disabling %q succeded", "rando")
|
t.Fatalf("disabling %q succeeded", "rando")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -459,7 +459,7 @@ func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (test
|
|||||||
}
|
}
|
||||||
|
|
||||||
if resp.StatusCode != http.StatusOK {
|
if resp.StatusCode != http.StatusOK {
|
||||||
return nil, fmt.Errorf("control api responsed with %d status code", resp.StatusCode)
|
return nil, fmt.Errorf("control api responded with %d status code", resp.StatusCode)
|
||||||
}
|
}
|
||||||
|
|
||||||
// The test ran without fail
|
// The test ran without fail
|
||||||
|
@ -674,14 +674,14 @@ func (lc *LocalClient) GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate
|
|||||||
return &cert, nil
|
return &cert, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
|
// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
|
||||||
//
|
//
|
||||||
// Deprecated: use LocalClient.ExpandSNIName.
|
// Deprecated: use LocalClient.ExpandSNIName.
|
||||||
func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
|
func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
|
||||||
return defaultLocalClient.ExpandSNIName(ctx, name)
|
return defaultLocalClient.ExpandSNIName(ctx, name)
|
||||||
}
|
}
|
||||||
|
|
||||||
// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
|
// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
|
||||||
func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
|
func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
|
||||||
st, err := lc.StatusWithoutPeers(ctx)
|
st, err := lc.StatusWithoutPeers(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -115,7 +115,7 @@ func (c *Client) Do(req *http.Request) (*http.Response, error) {
|
|||||||
return c.httpClient().Do(req)
|
return c.httpClient().Do(req)
|
||||||
}
|
}
|
||||||
|
|
||||||
// sendRequest add the authenication key to the request and sends it. It
|
// sendRequest add the authentication key to the request and sends it. It
|
||||||
// receives the response and reads up to 10MB of it.
|
// receives the response and reads up to 10MB of it.
|
||||||
func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
|
func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
|
||||||
if !I_Acknowledge_This_API_Is_Unstable {
|
if !I_Acknowledge_This_API_Is_Unstable {
|
||||||
|
@ -23,7 +23,7 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
|
|||||||
up := strings.ToLower(r.Header.Get("Upgrade"))
|
up := strings.ToLower(r.Header.Get("Upgrade"))
|
||||||
|
|
||||||
// Very early versions of Tailscale set "Upgrade: WebSocket" but didn't actually
|
// Very early versions of Tailscale set "Upgrade: WebSocket" but didn't actually
|
||||||
// speak WebSockets (they still assumed DERP's binary framining). So to distinguish
|
// speak WebSockets (they still assumed DERP's binary framing). So to distinguish
|
||||||
// clients that actually want WebSockets, look for an explicit "derp" subprotocol.
|
// clients that actually want WebSockets, look for an explicit "derp" subprotocol.
|
||||||
if up != "websocket" || !strings.Contains(r.Header.Get("Sec-Websocket-Protocol"), "derp") {
|
if up != "websocket" || !strings.Contains(r.Header.Get("Sec-Websocket-Protocol"), "derp") {
|
||||||
base.ServeHTTP(w, r)
|
base.ServeHTTP(w, r)
|
||||||
|
@ -36,7 +36,7 @@ func runBugReport(ctx context.Context, args []string) error {
|
|||||||
case 1:
|
case 1:
|
||||||
note = args[0]
|
note = args[0]
|
||||||
default:
|
default:
|
||||||
return errors.New("unknown argumets")
|
return errors.New("unknown arguments")
|
||||||
}
|
}
|
||||||
logMarker, err := localClient.BugReportWithOpts(ctx, tailscale.BugReportOpts{
|
logMarker, err := localClient.BugReportWithOpts(ctx, tailscale.BugReportOpts{
|
||||||
Note: note,
|
Note: note,
|
||||||
|
@ -410,7 +410,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
|
|||||||
want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.7",
|
want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.7",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "error_exit_node_and_allow_lan_omit_with_id_pref", // Isue 3480
|
name: "error_exit_node_and_allow_lan_omit_with_id_pref", // Issue 3480
|
||||||
flags: []string{"--hostname=foo"},
|
flags: []string{"--hostname=foo"},
|
||||||
curExitNodeIP: netip.MustParseAddr("100.2.3.4"),
|
curExitNodeIP: netip.MustParseAddr("100.2.3.4"),
|
||||||
curPrefs: &ipn.Prefs{
|
curPrefs: &ipn.Prefs{
|
||||||
@ -448,7 +448,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
// Issue 3176: on Synology, don't require --accept-routes=false because user
|
// Issue 3176: on Synology, don't require --accept-routes=false because user
|
||||||
// migth've had old an install, and we don't support --accept-routes anyway.
|
// might've had an old install, and we don't support --accept-routes anyway.
|
||||||
name: "synology_permit_omit_accept_routes",
|
name: "synology_permit_omit_accept_routes",
|
||||||
flags: []string{"--hostname=foo"},
|
flags: []string{"--hostname=foo"},
|
||||||
curPrefs: &ipn.Prefs{
|
curPrefs: &ipn.Prefs{
|
||||||
|
@ -13,7 +13,7 @@
|
|||||||
|
|
||||||
func findSSH() (string, error) {
|
func findSSH() (string, error) {
|
||||||
// use C:\Windows\System32\OpenSSH\ssh.exe since unexpected behavior
|
// use C:\Windows\System32\OpenSSH\ssh.exe since unexpected behavior
|
||||||
// occured with ssh.exe provided by msys2/cygwin and other environments.
|
// occurred with ssh.exe provided by msys2/cygwin and other environments.
|
||||||
if systemRoot := os.Getenv("SystemRoot"); systemRoot != "" {
|
if systemRoot := os.Getenv("SystemRoot"); systemRoot != "" {
|
||||||
exe := filepath.Join(systemRoot, "System32", "OpenSSH", "ssh.exe")
|
exe := filepath.Join(systemRoot, "System32", "OpenSSH", "ssh.exe")
|
||||||
if st, err := os.Stat(exe); err == nil && !st.IsDir() {
|
if st, err := os.Stat(exe); err == nil && !st.IsDir() {
|
||||||
|
@ -88,7 +88,7 @@ func defaultTunName() string {
|
|||||||
// see https://github.com/tailscale/tailscale/issues/391
|
// see https://github.com/tailscale/tailscale/issues/391
|
||||||
//
|
//
|
||||||
// But Gokrazy does have the tun module built-in, so users
|
// But Gokrazy does have the tun module built-in, so users
|
||||||
// can stil run --tun=tailscale0 if they wish, if they
|
// can still run --tun=tailscale0 if they wish, if they
|
||||||
// arrange for iptables to be present or run in "tailscale
|
// arrange for iptables to be present or run in "tailscale
|
||||||
// up --netfilter-mode=off" mode, perhaps. Untested.
|
// up --netfilter-mode=off" mode, perhaps. Untested.
|
||||||
return "userspace-networking"
|
return "userspace-networking"
|
||||||
@ -158,7 +158,7 @@ func main() {
|
|||||||
flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
|
flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
|
||||||
flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
|
flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
|
||||||
flag.Var(flagtype.PortValue(&args.port, defaultPort()), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
|
flag.Var(flagtype.PortValue(&args.port, defaultPort()), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
|
||||||
flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
|
flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an ephemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
|
||||||
flag.StringVar(&args.statedir, "statedir", "", "path to directory for storage of config state, TLS certs, temporary incoming Taildrop files, etc. If empty, it's derived from --state when possible.")
|
flag.StringVar(&args.statedir, "statedir", "", "path to directory for storage of config state, TLS certs, temporary incoming Taildrop files, etc. If empty, it's derived from --state when possible.")
|
||||||
flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
|
flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
|
||||||
flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
|
flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
|
||||||
|
@ -193,7 +193,7 @@ func beWindowsSubprocess() bool {
|
|||||||
}
|
}
|
||||||
logid := os.Args[2]
|
logid := os.Args[2]
|
||||||
|
|
||||||
// Remove the date/time prefix; the logtail + file logggers add it.
|
// Remove the date/time prefix; the logtail + file loggers add it.
|
||||||
log.SetFlags(0)
|
log.SetFlags(0)
|
||||||
|
|
||||||
log.Printf("Program starting: v%v: %#v", version.Long, os.Args)
|
log.Printf("Program starting: v%v: %#v", version.Long, os.Args)
|
||||||
|
@ -57,7 +57,7 @@ func runBuild() {
|
|||||||
|
|
||||||
// fixEsbuildMetadataPaths re-keys the esbuild metadata file to use paths
|
// fixEsbuildMetadataPaths re-keys the esbuild metadata file to use paths
|
||||||
// relative to the dist directory (it normally uses paths relative to the cwd,
|
// relative to the dist directory (it normally uses paths relative to the cwd,
|
||||||
// which are akward if we're running with a different cwd at serving time).
|
// which are awkward if we're running with a different cwd at serving time).
|
||||||
func fixEsbuildMetadataPaths(metadataStr string) ([]byte, error) {
|
func fixEsbuildMetadataPaths(metadataStr string) ([]byte, error) {
|
||||||
var metadata EsbuildMetadata
|
var metadata EsbuildMetadata
|
||||||
if err := json.Unmarshal([]byte(metadataStr), &metadata); err != nil {
|
if err := json.Unmarshal([]byte(metadataStr), &metadata); err != nil {
|
||||||
|
@ -15,12 +15,12 @@ import wasmURL from "./main.wasm"
|
|||||||
* needed for the package to function.
|
* needed for the package to function.
|
||||||
*/
|
*/
|
||||||
type IPNPackageConfig = IPNConfig & {
|
type IPNPackageConfig = IPNConfig & {
|
||||||
// Auth key used to intitialize the Tailscale client (required)
|
// Auth key used to initialize the Tailscale client (required)
|
||||||
authKey: string
|
authKey: string
|
||||||
// URL of the main.wasm file that is included in the page, if it is not
|
// URL of the main.wasm file that is included in the page, if it is not
|
||||||
// accessible via a relative URL.
|
// accessible via a relative URL.
|
||||||
wasmURL?: string
|
wasmURL?: string
|
||||||
// Funtion invoked if the Go process panics or unexpectedly exits.
|
// Function invoked if the Go process panics or unexpectedly exits.
|
||||||
panicHandler: (err: string) => void
|
panicHandler: (err: string) => void
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -388,7 +388,7 @@ func main() {
|
|||||||
log.Fatal(err)
|
log.Fatal(err)
|
||||||
}
|
}
|
||||||
if runCloner {
|
if runCloner {
|
||||||
// When a new pacakge is added or when existing generated files have
|
// When a new package is added or when existing generated files have
|
||||||
// been deleted, we might run into a case where tailscale.com/cmd/cloner
|
// been deleted, we might run into a case where tailscale.com/cmd/cloner
|
||||||
// has not run yet. We detect this by verifying that all the structs we
|
// has not run yet. We detect this by verifying that all the structs we
|
||||||
// interacted with have had Clone method already generated. If they
|
// interacted with have had Clone method already generated. If they
|
||||||
|
@ -776,7 +776,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
|
|||||||
// with useful results. The first POST just gets us the DERP map which we
|
// with useful results. The first POST just gets us the DERP map which we
|
||||||
// need to do the STUN queries to discover our endpoints.
|
// need to do the STUN queries to discover our endpoints.
|
||||||
// TODO(bradfitz): we skip this optimization in tests, though,
|
// TODO(bradfitz): we skip this optimization in tests, though,
|
||||||
// because the e2e tests are currently hyperspecific about the
|
// because the e2e tests are currently hyper-specific about the
|
||||||
// ordering of things. The e2e tests need love.
|
// ordering of things. The e2e tests need love.
|
||||||
ReadOnly: readOnly || (len(epStrs) == 0 && !everEndpoints && !inTest()),
|
ReadOnly: readOnly || (len(epStrs) == 0 && !everEndpoints && !inTest()),
|
||||||
}
|
}
|
||||||
|
@ -35,7 +35,7 @@ type mapSession struct {
|
|||||||
machinePubKey key.MachinePublic
|
machinePubKey key.MachinePublic
|
||||||
keepSharerAndUserSplit bool // see Options.KeepSharerAndUserSplit
|
keepSharerAndUserSplit bool // see Options.KeepSharerAndUserSplit
|
||||||
|
|
||||||
// Fields storing state over the the coards of multiple MapResponses.
|
// Fields storing state over the course of multiple MapResponses.
|
||||||
lastNode *tailcfg.Node
|
lastNode *tailcfg.Node
|
||||||
lastDNSConfig *tailcfg.DNSConfig
|
lastDNSConfig *tailcfg.DNSConfig
|
||||||
lastDERPMap *tailcfg.DERPMap
|
lastDERPMap *tailcfg.DERPMap
|
||||||
|
@ -466,7 +466,7 @@ func TestNetmapForResponse(t *testing.T) {
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
// TestDeltaDebug tests that tailcfg.Debug values can be omitted in MapResposnes
|
// TestDeltaDebug tests that tailcfg.Debug values can be omitted in MapResponses
|
||||||
// entirely or have their opt.Bool values unspecified between MapResponses in a
|
// entirely or have their opt.Bool values unspecified between MapResponses in a
|
||||||
// session and that should mean no change. (as of capver 37). But two Debug
|
// session and that should mean no change. (as of capver 37). But two Debug
|
||||||
// fields existed prior to capver 37 that weren't opt.Bool; we test that we both
|
// fields existed prior to capver 37 that weren't opt.Bool; we test that we both
|
||||||
|
@ -232,7 +232,7 @@ func TestSendFreeze(t *testing.T) {
|
|||||||
// alice --> bob
|
// alice --> bob
|
||||||
// alice --> cathy
|
// alice --> cathy
|
||||||
//
|
//
|
||||||
// Then cathy stops processing messsages.
|
// Then cathy stops processing messages.
|
||||||
// That should not interfere with alice talking to bob.
|
// That should not interfere with alice talking to bob.
|
||||||
|
|
||||||
newClient := func(ctx context.Context, name string, k key.NodePrivate) (c *Client, clientConn nettest.Conn) {
|
newClient := func(ctx context.Context, name string, k key.NodePrivate) (c *Client, clientConn nettest.Conn) {
|
||||||
@ -772,7 +772,7 @@ func TestForwarderRegistration(t *testing.T) {
|
|||||||
})
|
})
|
||||||
|
|
||||||
// Now pretend u1 was already connected locally (so clientsMesh[u1] is nil), and then we heard
|
// Now pretend u1 was already connected locally (so clientsMesh[u1] is nil), and then we heard
|
||||||
// that they're also connected to a peer of ours. That sholdn't transition the forwarder
|
// that they're also connected to a peer of ours. That shouldn't transition the forwarder
|
||||||
// from nil to the new one, not a multiForwarder.
|
// from nil to the new one, not a multiForwarder.
|
||||||
s.clients[u1] = singleClient{u1c}
|
s.clients[u1] = singleClient{u1c}
|
||||||
s.clientsMesh[u1] = nil
|
s.clientsMesh[u1] = nil
|
||||||
|
@ -199,7 +199,7 @@ func (c *Client) urlString(node *tailcfg.DERPNode) string {
|
|||||||
return fmt.Sprintf("https://%s/derp", node.HostName)
|
return fmt.Sprintf("https://%s/derp", node.HostName)
|
||||||
}
|
}
|
||||||
|
|
||||||
// AddressFamilySelector decides whethers IPv6 is preferred for
|
// AddressFamilySelector decides whether IPv6 is preferred for
|
||||||
// outbound dials.
|
// outbound dials.
|
||||||
type AddressFamilySelector interface {
|
type AddressFamilySelector interface {
|
||||||
// PreferIPv6 reports whether IPv4 dials should be slightly
|
// PreferIPv6 reports whether IPv4 dials should be slightly
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
//
|
//
|
||||||
// messageType byte (the MessageType constants below)
|
// messageType byte (the MessageType constants below)
|
||||||
// messageVersion byte (0 for now; but always ignore bytes at the end)
|
// messageVersion byte (0 for now; but always ignore bytes at the end)
|
||||||
// message-paylod [...]byte
|
// message-payload [...]byte
|
||||||
package disco
|
package disco
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -69,7 +69,7 @@ type Notify struct {
|
|||||||
State *State // if non-nil, the new or current IPN state
|
State *State // if non-nil, the new or current IPN state
|
||||||
Prefs *Prefs // if non-nil, the new or current preferences
|
Prefs *Prefs // if non-nil, the new or current preferences
|
||||||
NetMap *netmap.NetworkMap // if non-nil, the new or current netmap
|
NetMap *netmap.NetworkMap // if non-nil, the new or current netmap
|
||||||
Engine *EngineStatus // if non-nil, the new or urrent wireguard stats
|
Engine *EngineStatus // if non-nil, the new or current wireguard stats
|
||||||
BrowseToURL *string // if non-nil, UI should open a browser right now
|
BrowseToURL *string // if non-nil, UI should open a browser right now
|
||||||
BackendLogID *string // if non-nil, the public logtail ID used by backend
|
BackendLogID *string // if non-nil, the public logtail ID used by backend
|
||||||
|
|
||||||
|
@ -2173,7 +2173,7 @@ func (b *LocalBackend) GetPeerAPIPort(ip netip.Addr) (port uint16, ok bool) {
|
|||||||
// ServePeerAPIConnection serves an already-accepted connection c.
|
// ServePeerAPIConnection serves an already-accepted connection c.
|
||||||
//
|
//
|
||||||
// The remote parameter is the remote address.
|
// The remote parameter is the remote address.
|
||||||
// The local paramater is the local address (either a Tailscale IPv4
|
// The local parameter is the local address (either a Tailscale IPv4
|
||||||
// or IPv6 IP and the peerapi port for that address).
|
// or IPv6 IP and the peerapi port for that address).
|
||||||
//
|
//
|
||||||
// The connection will be closed by ServePeerAPIConnection.
|
// The connection will be closed by ServePeerAPIConnection.
|
||||||
@ -3027,7 +3027,7 @@ func (b *LocalBackend) RequestEngineStatus() {
|
|||||||
// that have happened. It is invoked from the various callbacks that
|
// that have happened. It is invoked from the various callbacks that
|
||||||
// feed events into LocalBackend.
|
// feed events into LocalBackend.
|
||||||
//
|
//
|
||||||
// TODO(apenwarr): use a channel or something to prevent re-entrancy?
|
// TODO(apenwarr): use a channel or something to prevent reentrancy?
|
||||||
// Or maybe just call the state machine from fewer places.
|
// Or maybe just call the state machine from fewer places.
|
||||||
func (b *LocalBackend) stateMachine() {
|
func (b *LocalBackend) stateMachine() {
|
||||||
b.enterState(b.nextState())
|
b.enterState(b.nextState())
|
||||||
@ -3087,7 +3087,7 @@ func (b *LocalBackend) ResetForClientDisconnect() {
|
|||||||
|
|
||||||
func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Load() && envknob.CanSSHD() }
|
func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Load() && envknob.CanSSHD() }
|
||||||
|
|
||||||
// ShouldHandleViaIP reports whether whether ip is an IPv6 address in the
|
// ShouldHandleViaIP reports whether ip is an IPv6 address in the
|
||||||
// Tailscale ULA's v6 "via" range embedding an IPv4 address to be forwarded to
|
// Tailscale ULA's v6 "via" range embedding an IPv4 address to be forwarded to
|
||||||
// by Tailscale.
|
// by Tailscale.
|
||||||
func (b *LocalBackend) ShouldHandleViaIP(ip netip.Addr) bool {
|
func (b *LocalBackend) ShouldHandleViaIP(ip netip.Addr) bool {
|
||||||
@ -3605,7 +3605,7 @@ func (b *LocalBackend) magicConn() (*magicsock.Conn, error) {
|
|||||||
return mc, nil
|
return mc, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// DoNoiseRequest sends a request to URL over the the control plane
|
// DoNoiseRequest sends a request to URL over the control plane
|
||||||
// Noise connection.
|
// Noise connection.
|
||||||
func (b *LocalBackend) DoNoiseRequest(req *http.Request) (*http.Response, error) {
|
func (b *LocalBackend) DoNoiseRequest(req *http.Request) (*http.Response, error) {
|
||||||
b.mu.Lock()
|
b.mu.Lock()
|
||||||
|
@ -44,10 +44,10 @@ type tkaState struct {
|
|||||||
//
|
//
|
||||||
// There are 4 scenarios handled here:
|
// There are 4 scenarios handled here:
|
||||||
// - Enablement: nm.TKAEnabled but b.tka == nil
|
// - Enablement: nm.TKAEnabled but b.tka == nil
|
||||||
// ∴ reach out to /machine/tka/boostrap to get the genesis AUM, then
|
// ∴ reach out to /machine/tka/bootstrap to get the genesis AUM, then
|
||||||
// initialize TKA.
|
// initialize TKA.
|
||||||
// - Disablement: !nm.TKAEnabled but b.tka != nil
|
// - Disablement: !nm.TKAEnabled but b.tka != nil
|
||||||
// ∴ reach out to /machine/tka/boostrap to read the disablement secret,
|
// ∴ reach out to /machine/tka/bootstrap to read the disablement secret,
|
||||||
// then verify and clear tka local state.
|
// then verify and clear tka local state.
|
||||||
// - Sync needed: b.tka.Head != nm.TKAHead
|
// - Sync needed: b.tka.Head != nm.TKAHead
|
||||||
// ∴ complete multi-step synchronization flow.
|
// ∴ complete multi-step synchronization flow.
|
||||||
|
@ -79,7 +79,7 @@ type peerAPIServer struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// partialSuffix is the suffix appened to files while they're
|
// partialSuffix is the suffix appended to files while they're
|
||||||
// still in the process of being transferred.
|
// still in the process of being transferred.
|
||||||
partialSuffix = ".partial"
|
partialSuffix = ".partial"
|
||||||
|
|
||||||
@ -1184,7 +1184,7 @@ func newFakePeerAPIListener(ip netip.Addr) net.Listener {
|
|||||||
// even if the kernel isn't cooperating (like on Android: Issue 4449, 4293, etc)
|
// even if the kernel isn't cooperating (like on Android: Issue 4449, 4293, etc)
|
||||||
// or we lack permission to listen on a port. It's okay to not actually listen via
|
// or we lack permission to listen on a port. It's okay to not actually listen via
|
||||||
// the kernel because on almost all platforms (except iOS as of 2022-04-20) we
|
// the kernel because on almost all platforms (except iOS as of 2022-04-20) we
|
||||||
// also intercept netstack TCP requests in to our peerapi port and hand it over
|
// also intercept incoming netstack TCP requests to our peerapi port and hand them over
|
||||||
// directly to peerapi, without involving the kernel. So this doesn't need to be
|
// directly to peerapi, without involving the kernel. So this doesn't need to be
|
||||||
// real. But the port number we return (1, in this case) is the port number we advertise
|
// real. But the port number we return (1, in this case) is the port number we advertise
|
||||||
// to peers and they connect to. 1 seems pretty safe to use. Even if the kernel's
|
// to peers and they connect to. 1 seems pretty safe to use. Even if the kernel's
|
||||||
|
@ -109,7 +109,7 @@ func TestHandlePeerAPI(t *testing.T) {
|
|||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
isSelf bool // the peer sending the request is owned by us
|
isSelf bool // the peer sending the request is owned by us
|
||||||
capSharing bool // self node has file sharing capabilty
|
capSharing bool // self node has file sharing capability
|
||||||
omitRoot bool // don't configure
|
omitRoot bool // don't configure
|
||||||
req *http.Request
|
req *http.Request
|
||||||
checks []check
|
checks []check
|
||||||
|
@ -57,7 +57,7 @@
|
|||||||
|
|
||||||
// Options is the configuration of the Tailscale node agent.
|
// Options is the configuration of the Tailscale node agent.
|
||||||
type Options struct {
|
type Options struct {
|
||||||
// VarRoot is the the Tailscale daemon's private writable
|
// VarRoot is the Tailscale daemon's private writable
|
||||||
// directory (usually "/var/lib/tailscale" on Linux) that
|
// directory (usually "/var/lib/tailscale" on Linux) that
|
||||||
// contains the "tailscaled.state" file, the "certs" directory
|
// contains the "tailscaled.state" file, the "certs" directory
|
||||||
// for TLS certs, and the "files" directory for incoming
|
// for TLS certs, and the "files" directory for incoming
|
||||||
|
@ -470,7 +470,7 @@ func TestLoadPrefsNotExist(t *testing.T) {
|
|||||||
t.Fatalf("unexpected prefs=%#v, err=%v", p, err)
|
t.Fatalf("unexpected prefs=%#v, err=%v", p, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// TestLoadPrefsFileWithZeroInIt verifies that LoadPrefs hanldes corrupted input files.
|
// TestLoadPrefsFileWithZeroInIt verifies that LoadPrefs handles corrupted input files.
|
||||||
// See issue #954 for details.
|
// See issue #954 for details.
|
||||||
func TestLoadPrefsFileWithZeroInIt(t *testing.T) {
|
func TestLoadPrefsFileWithZeroInIt(t *testing.T) {
|
||||||
f, err := os.CreateTemp("", "TestLoadPrefsFileWithZeroInIt")
|
f, err := os.CreateTemp("", "TestLoadPrefsFileWithZeroInIt")
|
||||||
|
@ -609,7 +609,7 @@ func NewWithConfigPath(collection, dir, cmdName string) *Policy {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
log.SetFlags(0) // other logflags are set on console, not here
|
log.SetFlags(0) // other log flags are set on console, not here
|
||||||
log.SetOutput(logOutput)
|
log.SetOutput(logOutput)
|
||||||
|
|
||||||
log.Printf("Program starting: v%v, Go %v: %#v",
|
log.Printf("Program starting: v%v, Go %v: %#v",
|
||||||
|
@ -34,7 +34,7 @@ func NewPrivateID() (id PrivateID, err error) {
|
|||||||
func (id PrivateID) MarshalText() ([]byte, error) {
|
func (id PrivateID) MarshalText() ([]byte, error) {
|
||||||
b := make([]byte, hex.EncodedLen(len(id)))
|
b := make([]byte, hex.EncodedLen(len(id)))
|
||||||
if i := hex.Encode(b, id[:]); i != len(b) {
|
if i := hex.Encode(b, id[:]); i != len(b) {
|
||||||
return nil, fmt.Errorf("logtail.PrivateID.MarhsalText: i=%d", i)
|
return nil, fmt.Errorf("logtail.PrivateID.MarshalText: i=%d", i)
|
||||||
}
|
}
|
||||||
return b, nil
|
return b, nil
|
||||||
}
|
}
|
||||||
@ -122,7 +122,7 @@ func MustParsePublicID(s string) PublicID {
|
|||||||
func (id PublicID) MarshalText() ([]byte, error) {
|
func (id PublicID) MarshalText() ([]byte, error) {
|
||||||
b := make([]byte, hex.EncodedLen(len(id)))
|
b := make([]byte, hex.EncodedLen(len(id)))
|
||||||
if i := hex.Encode(b, id[:]); i != len(b) {
|
if i := hex.Encode(b, id[:]); i != len(b) {
|
||||||
return nil, fmt.Errorf("logtail.PublicID.MarhsalText: i=%d", i)
|
return nil, fmt.Errorf("logtail.PublicID.MarshalText: i=%d", i)
|
||||||
}
|
}
|
||||||
return b, nil
|
return b, nil
|
||||||
}
|
}
|
||||||
|
@ -49,7 +49,7 @@ type Config struct {
|
|||||||
HTTPC *http.Client // if empty defaults to http.DefaultClient
|
HTTPC *http.Client // if empty defaults to http.DefaultClient
|
||||||
SkipClientTime bool // if true, client_time is not written to logs
|
SkipClientTime bool // if true, client_time is not written to logs
|
||||||
LowMemory bool // if true, logtail minimizes memory use
|
LowMemory bool // if true, logtail minimizes memory use
|
||||||
TimeNow func() time.Time // if set, subsitutes uses of time.Now
|
TimeNow func() time.Time // if set, substitutes uses of time.Now
|
||||||
Stderr io.Writer // if set, logs are sent here instead of os.Stderr
|
Stderr io.Writer // if set, logs are sent here instead of os.Stderr
|
||||||
StderrLevel int // max verbosity level to write to stderr; 0 means the non-verbose messages only
|
StderrLevel int // max verbosity level to write to stderr; 0 means the non-verbose messages only
|
||||||
Buffer Buffer // temp storage, if nil a MemoryBuffer
|
Buffer Buffer // temp storage, if nil a MemoryBuffer
|
||||||
@ -73,7 +73,7 @@ type Config struct {
|
|||||||
|
|
||||||
// IncludeProcSequence, if true, results in an ephemeral sequence number
|
// IncludeProcSequence, if true, results in an ephemeral sequence number
|
||||||
// being included in the logs. The sequence number is incremented for each
|
// being included in the logs. The sequence number is incremented for each
|
||||||
// log message sent, but is not peristed across process restarts.
|
// log message sent, but is not persisted across process restarts.
|
||||||
IncludeProcSequence bool
|
IncludeProcSequence bool
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -381,7 +381,7 @@ func (m *Manager) NextPacket() ([]byte, error) {
|
|||||||
return buf, nil
|
return buf, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Query executes a DNS query recieved from the given address. The query is
|
// Query executes a DNS query received from the given address. The query is
|
||||||
// provided in bs as a wire-encoded DNS query without any transport header.
|
// provided in bs as a wire-encoded DNS query without any transport header.
|
||||||
// This method is called for requests arriving over UDP and TCP.
|
// This method is called for requests arriving over UDP and TCP.
|
||||||
func (m *Manager) Query(ctx context.Context, bs []byte, from netip.AddrPort) ([]byte, error) {
|
func (m *Manager) Query(ctx context.Context, bs []byte, from netip.AddrPort) ([]byte, error) {
|
||||||
|
@ -274,7 +274,7 @@ func runTest(t *testing.T, isLocal bool) {
|
|||||||
runCase := func(n int) {
|
runCase := func(n int) {
|
||||||
t.Logf("Test case: %d domains\n", n)
|
t.Logf("Test case: %d domains\n", n)
|
||||||
if !isLocal {
|
if !isLocal {
|
||||||
// When !isLocal, we want to check that a GP notification occured for
|
// When !isLocal, we want to check that a GP notification occurred for
|
||||||
// every single test case.
|
// every single test case.
|
||||||
trk, err = newGPNotificationTracker()
|
trk, err = newGPNotificationTracker()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -302,7 +302,7 @@ type dnsPrio struct {
|
|||||||
for _, cfg := range cfgs {
|
for _, cfg := range cfgs {
|
||||||
if name, ok := cfg["interface"]; ok {
|
if name, ok := cfg["interface"]; ok {
|
||||||
if s, ok := name.Value().(string); ok && s == m.interfaceName {
|
if s, ok := name.Value().(string); ok && s == m.interfaceName {
|
||||||
// Config for the taislcale interface, skip.
|
// Config for the tailscale interface, skip.
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -58,7 +58,7 @@
|
|||||||
|
|
||||||
const _RP_FORCE = 1 // Flag for RefreshPolicyEx
|
const _RP_FORCE = 1 // Flag for RefreshPolicyEx
|
||||||
|
|
||||||
// nrptRuleDatabase ensapsulates access to the Windows Name Resolution Policy
|
// nrptRuleDatabase encapsulates access to the Windows Name Resolution Policy
|
||||||
// Table (NRPT).
|
// Table (NRPT).
|
||||||
type nrptRuleDatabase struct {
|
type nrptRuleDatabase struct {
|
||||||
logf logger.Logf
|
logf logger.Logf
|
||||||
|
@ -180,7 +180,7 @@ type resolverAndDelay struct {
|
|||||||
type forwarder struct {
|
type forwarder struct {
|
||||||
logf logger.Logf
|
logf logger.Logf
|
||||||
linkMon *monitor.Mon
|
linkMon *monitor.Mon
|
||||||
linkSel ForwardLinkSelector // TODO(bradfitz): remove this when tsdial.Dialer absords it
|
linkSel ForwardLinkSelector // TODO(bradfitz): remove this when tsdial.Dialer absorbs it
|
||||||
dialer *tsdial.Dialer
|
dialer *tsdial.Dialer
|
||||||
dohSem chan struct{}
|
dohSem chan struct{}
|
||||||
|
|
||||||
@ -502,7 +502,7 @@ func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDe
|
|||||||
// Only known DoH providers are supported currently. Specifically, we
|
// Only known DoH providers are supported currently. Specifically, we
|
||||||
// only support DoH providers where we can TCP connect to them on port
|
// only support DoH providers where we can TCP connect to them on port
|
||||||
// 443 at the same IP address they serve normal UDP DNS from (1.1.1.1,
|
// 443 at the same IP address they serve normal UDP DNS from (1.1.1.1,
|
||||||
// 8.8.8.8, 9.9.9.9, etc.) That's why OpenDNS and custon DoH providers
|
// 8.8.8.8, 9.9.9.9, etc.) That's why OpenDNS and custom DoH providers
|
||||||
// aren't currently supported. There's no backup DNS resolution path for
|
// aren't currently supported. There's no backup DNS resolution path for
|
||||||
// them.
|
// them.
|
||||||
urlBase := rr.name.Addr
|
urlBase := rr.name.Addr
|
||||||
|
@ -609,7 +609,7 @@ func (r *Resolver) resolveLocal(domain dnsname.FQDN, typ dns.Type) (netip.Addr,
|
|||||||
metricDNSResolveLocalOKAll.Add(1)
|
metricDNSResolveLocalOKAll.Add(1)
|
||||||
return addrs[0], dns.RCodeSuccess
|
return addrs[0], dns.RCodeSuccess
|
||||||
|
|
||||||
// Leave some some record types explicitly unimplemented.
|
// Leave some record types explicitly unimplemented.
|
||||||
// These types relate to recursive resolution or special
|
// These types relate to recursive resolution or special
|
||||||
// DNS semantics and might be implemented in the future.
|
// DNS semantics and might be implemented in the future.
|
||||||
case dns.TypeNS, dns.TypeSOA, dns.TypeAXFR, dns.TypeHINFO:
|
case dns.TypeNS, dns.TypeSOA, dns.TypeAXFR, dns.TypeHINFO:
|
||||||
|
@ -99,7 +99,7 @@ type msgResource struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// ErrCacheMiss is a sentinel error returned by MessageCache.ReplyFromCache
|
// ErrCacheMiss is a sentinel error returned by MessageCache.ReplyFromCache
|
||||||
// when the request can not be satisified from cache.
|
// when the request can not be satisfied from cache.
|
||||||
var ErrCacheMiss = errors.New("cache miss")
|
var ErrCacheMiss = errors.New("cache miss")
|
||||||
|
|
||||||
var parserPool = &sync.Pool{
|
var parserPool = &sync.Pool{
|
||||||
@ -264,7 +264,7 @@ func asciiLowerName(n dnsmessage.Name) dnsmessage.Name {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// packDNSResponse builds a DNS response for the given question and
|
// packDNSResponse builds a DNS response for the given question and
|
||||||
// transaction ID. The response resource records will have have the
|
// transaction ID. The response resource records will have the
|
||||||
// same provided TTL.
|
// same provided TTL.
|
||||||
func packDNSResponse(q msgQ, txID uint16, ttl uint32, answers []msgResource) ([]byte, error) {
|
func packDNSResponse(q msgQ, txID uint16, ttl uint32, answers []msgResource) ([]byte, error) {
|
||||||
var baseMem []byte // TODO: guess a max size based on looping over answers?
|
var baseMem []byte // TODO: guess a max size based on looping over answers?
|
||||||
|
@ -441,13 +441,13 @@ func prefixesEqual(a, b []netip.Prefix) bool {
|
|||||||
|
|
||||||
// UseInterestingInterfaces is an InterfaceFilter that reports whether i is an interesting interface.
|
// UseInterestingInterfaces is an InterfaceFilter that reports whether i is an interesting interface.
|
||||||
// An interesting interface if it is (a) not owned by Tailscale and (b) routes interesting IP addresses.
|
// An interesting interface if it is (a) not owned by Tailscale and (b) routes interesting IP addresses.
|
||||||
// See UseInterestingIPs for the defition of an interesting IP address.
|
// See UseInterestingIPs for the definition of an interesting IP address.
|
||||||
func UseInterestingInterfaces(i Interface, ips []netip.Prefix) bool {
|
func UseInterestingInterfaces(i Interface, ips []netip.Prefix) bool {
|
||||||
return !isTailscaleInterface(i.Name, ips) && anyInterestingIP(ips)
|
return !isTailscaleInterface(i.Name, ips) && anyInterestingIP(ips)
|
||||||
}
|
}
|
||||||
|
|
||||||
// UseInterestingIPs is an IPFilter that reports whether ip is an interesting IP address.
|
// UseInterestingIPs is an IPFilter that reports whether ip is an interesting IP address.
|
||||||
// An IP address is interesting if it is neither a lopback not a link local unicast IP address.
|
// An IP address is interesting if it is neither a loopback nor a link local unicast IP address.
|
||||||
func UseInterestingIPs(ip netip.Addr) bool {
|
func UseInterestingIPs(ip netip.Addr) bool {
|
||||||
return isInterestingIP(ip)
|
return isInterestingIP(ip)
|
||||||
}
|
}
|
||||||
@ -455,7 +455,7 @@ func UseInterestingIPs(ip netip.Addr) bool {
|
|||||||
// UseAllInterfaces is an InterfaceFilter that includes all interfaces.
|
// UseAllInterfaces is an InterfaceFilter that includes all interfaces.
|
||||||
func UseAllInterfaces(i Interface, ips []netip.Prefix) bool { return true }
|
func UseAllInterfaces(i Interface, ips []netip.Prefix) bool { return true }
|
||||||
|
|
||||||
// UseAllIPs is an IPFilter that includes all all IPs.
|
// UseAllIPs is an IPFilter that includes all IPs.
|
||||||
func UseAllIPs(ips netip.Addr) bool { return true }
|
func UseAllIPs(ips netip.Addr) bool { return true }
|
||||||
|
|
||||||
func (s *State) HasPAC() bool { return s != nil && s.PAC != "" }
|
func (s *State) HasPAC() bool { return s != nil && s.PAC != "" }
|
||||||
|
@ -161,7 +161,7 @@ type Client struct {
|
|||||||
|
|
||||||
// GetSTUNConn4 optionally provides a func to return the
|
// GetSTUNConn4 optionally provides a func to return the
|
||||||
// connection to use for sending & receiving IPv4 packets. If
|
// connection to use for sending & receiving IPv4 packets. If
|
||||||
// nil, an emphemeral one is created as needed.
|
// nil, an ephemeral one is created as needed.
|
||||||
GetSTUNConn4 func() STUNConn
|
GetSTUNConn4 func() STUNConn
|
||||||
|
|
||||||
// GetSTUNConn6 is like GetSTUNConn4, but for IPv6.
|
// GetSTUNConn6 is like GetSTUNConn4, but for IPv6.
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
bufferSize = 256 * 1024
|
bufferSize = 256 * 1024
|
||||||
)
|
)
|
||||||
|
|
||||||
// Listener is a net.Listener using using NewConn to create pairs of network
|
// Listener is a net.Listener using NewConn to create pairs of network
|
||||||
// connections connected in memory using a buffered pipe. It also provides a
|
// connections connected in memory using a buffered pipe. It also provides a
|
||||||
// Dial method to establish new connections.
|
// Dial method to establish new connections.
|
||||||
type Listener struct {
|
type Listener struct {
|
||||||
|
@ -195,7 +195,7 @@ func ipForwardSysctlKey(format sysctlFormat, p protocol, iface string) string {
|
|||||||
// given interface.
|
// given interface.
|
||||||
// The iface param determines which interface to check against, "" means to check
|
// The iface param determines which interface to check against, "" means to check
|
||||||
// global config.
|
// global config.
|
||||||
// It tries to lookup the value directly from `/proc/sys`, and fallsback to
|
// It tries to lookup the value directly from `/proc/sys`, and falls back to
|
||||||
// using `sysctl` on failure.
|
// using `sysctl` on failure.
|
||||||
func ipForwardingEnabledLinux(p protocol, iface string) (bool, error) {
|
func ipForwardingEnabledLinux(p protocol, iface string) (bool, error) {
|
||||||
k := ipForwardSysctlKey(slashFormat, p, iface)
|
k := ipForwardSysctlKey(slashFormat, p, iface)
|
||||||
|
@ -40,7 +40,7 @@ type Header interface {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// HeaderChecksummer is implemented by Header implementations that
|
// HeaderChecksummer is implemented by Header implementations that
|
||||||
// need to do a checksum over their paylods.
|
// need to do a checksum over their payloads.
|
||||||
type HeaderChecksummer interface {
|
type HeaderChecksummer interface {
|
||||||
Header
|
Header
|
||||||
|
|
||||||
|
@ -202,7 +202,7 @@ func TestPingerMismatch(t *testing.T) {
|
|||||||
|
|
||||||
func mockPinger(t *testing.T, clock *tstest.Clock) (*Pinger, func()) {
|
func mockPinger(t *testing.T, clock *tstest.Clock) (*Pinger, func()) {
|
||||||
// In tests, we use UDP so that we can test without being root; this
|
// In tests, we use UDP so that we can test without being root; this
|
||||||
// doesn't matter becuase we mock out the ICMP reply below to be a real
|
// doesn't matter because we mock out the ICMP reply below to be a real
|
||||||
// ICMP echo reply packet.
|
// ICMP echo reply packet.
|
||||||
conn, err := net.ListenPacket("udp4", "127.0.0.1:0")
|
conn, err := net.ListenPacket("udp4", "127.0.0.1:0")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
"tailscale.com/types/logger"
|
"tailscale.com/types/logger"
|
||||||
)
|
)
|
||||||
|
|
||||||
// TestIGD is an IGD (Intenet Gateway Device) for testing. It supports fake
|
// TestIGD is an IGD (Internet Gateway Device) for testing. It supports fake
|
||||||
// implementations of NAT-PMP, PCP, and/or UPnP to test clients against.
|
// implementations of NAT-PMP, PCP, and/or UPnP to test clients against.
|
||||||
type TestIGD struct {
|
type TestIGD struct {
|
||||||
upnpConn net.PacketConn // for UPnP discovery
|
upnpConn net.PacketConn // for UPnP discovery
|
||||||
|
@ -58,7 +58,7 @@ type Dialer struct {
|
|||||||
linkMon *monitor.Mon
|
linkMon *monitor.Mon
|
||||||
linkMonUnregister func()
|
linkMonUnregister func()
|
||||||
exitDNSDoHBase string // non-empty if DoH-proxying exit node in use; base URL+path (without '?')
|
exitDNSDoHBase string // non-empty if DoH-proxying exit node in use; base URL+path (without '?')
|
||||||
dnsCache *dnscache.MessageCache // nil until first first non-empty SetExitDNSDoH
|
dnsCache *dnscache.MessageCache // nil until first non-empty SetExitDNSDoH
|
||||||
nextSysConnID int
|
nextSysConnID int
|
||||||
activeSysConns map[int]net.Conn // active connections not yet closed
|
activeSysConns map[int]net.Conn // active connections not yet closed
|
||||||
}
|
}
|
||||||
@ -210,7 +210,7 @@ func (d *Dialer) userDialResolve(ctx context.Context, network, addr string) (net
|
|||||||
exitDNSDoH := d.exitDNSDoHBase
|
exitDNSDoH := d.exitDNSDoHBase
|
||||||
d.mu.Unlock()
|
d.mu.Unlock()
|
||||||
|
|
||||||
// MagicDNS or otherwise baked in to the NetworkMap? Try that first.
|
// MagicDNS or otherwise baked into the NetworkMap? Try that first.
|
||||||
ipp, err := dns.resolveMemory(ctx, network, addr)
|
ipp, err := dns.resolveMemory(ctx, network, addr)
|
||||||
if err != errUnresolved {
|
if err != errUnresolved {
|
||||||
return ipp, err
|
return ipp, err
|
||||||
|
@ -89,7 +89,7 @@ func GetAuthHeader(u *url.URL) (string, error) {
|
|||||||
|
|
||||||
var condSetTransportGetProxyConnectHeader func(*http.Transport)
|
var condSetTransportGetProxyConnectHeader func(*http.Transport)
|
||||||
|
|
||||||
// SetTarnsportGetProxyConnectHeader sets the provided Transport's
|
// SetTransportGetProxyConnectHeader sets the provided Transport's
|
||||||
// GetProxyConnectHeader field, if the current build of Go supports
|
// GetProxyConnectHeader field, if the current build of Go supports
|
||||||
// it.
|
// it.
|
||||||
//
|
//
|
||||||
|
@ -204,7 +204,7 @@ func TestSynologyProxiesFromConfig(t *testing.T) {
|
|||||||
|
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("non-existent config", func(t *testing.T) {
|
t.Run("nonexistent config", func(t *testing.T) {
|
||||||
openReader = nil
|
openReader = nil
|
||||||
openErr = os.ErrNotExist
|
openErr = os.ErrNotExist
|
||||||
|
|
||||||
|
@ -173,7 +173,7 @@ type Wrapper struct {
|
|||||||
// See the comment in the middle of Wrap.Read.
|
// See the comment in the middle of Wrap.Read.
|
||||||
type tunReadResult struct {
|
type tunReadResult struct {
|
||||||
// Only one of err, packet or data should be set, and are read in that order
|
// Only one of err, packet or data should be set, and are read in that order
|
||||||
// of precendence.
|
// of precedence.
|
||||||
err error
|
err error
|
||||||
packet *stack.PacketBuffer
|
packet *stack.PacketBuffer
|
||||||
data []byte
|
data []byte
|
||||||
|
@ -63,7 +63,7 @@ func DefaultTailscaledStateFile() string {
|
|||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
// MkStateDir ensures that dirPath, the daemon's configurtaion directory
|
// MkStateDir ensures that dirPath, the daemon's configuration directory
|
||||||
// containing machine keys etc, both exists and has the correct permissions.
|
// containing machine keys etc, both exists and has the correct permissions.
|
||||||
// We want it to only be accessible to the user the daemon is running under.
|
// We want it to only be accessible to the user the daemon is running under.
|
||||||
func MkStateDir(dirPath string) error {
|
func MkStateDir(dirPath string) error {
|
||||||
|
@ -236,7 +236,7 @@ func (v varExporter) String() string {
|
|||||||
return string(bs)
|
return string(bs)
|
||||||
}
|
}
|
||||||
|
|
||||||
// WritePrometheus writes the the state of all probes to w.
|
// WritePrometheus writes the state of all probes to w.
|
||||||
//
|
//
|
||||||
// For each probe, WritePrometheus exports 5 variables:
|
// For each probe, WritePrometheus exports 5 variables:
|
||||||
// - <prefix>_interval_secs, how frequently the probe runs.
|
// - <prefix>_interval_secs, how frequently the probe runs.
|
||||||
|
@ -29,7 +29,7 @@ type contextReader struct {
|
|||||||
// consumed.
|
// consumed.
|
||||||
buffered []byte
|
buffered []byte
|
||||||
// readErr is a previous read error that was seen while filling buffered. It
|
// readErr is a previous read error that was seen while filling buffered. It
|
||||||
// should be returned to the caller after bufffered is consumed.
|
// should be returned to the caller after buffered is consumed.
|
||||||
readErr error
|
readErr error
|
||||||
|
|
||||||
mu sync.Mutex // guards ch only
|
mu sync.Mutex // guards ch only
|
||||||
@ -40,7 +40,7 @@ type contextReader struct {
|
|||||||
ch chan readResult
|
ch chan readResult
|
||||||
}
|
}
|
||||||
|
|
||||||
// HasOutstandingRead reports whether there's an oustanding Read call that's
|
// HasOutstandingRead reports whether there's an outstanding Read call that's
|
||||||
// either currently blocked in a Read or whose result hasn't been consumed.
|
// either currently blocked in a Read or whose result hasn't been consumed.
|
||||||
func (w *contextReader) HasOutstandingRead() bool {
|
func (w *contextReader) HasOutstandingRead() bool {
|
||||||
w.mu.Lock()
|
w.mu.Lock()
|
||||||
@ -97,14 +97,14 @@ func (w *contextReader) ReadContext(ctx context.Context, p []byte) (n int, err e
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// contextReaderSesssion implements ssh.Session, wrapping another
|
// contextReaderSession implements ssh.Session, wrapping another
|
||||||
// ssh.Session but changing its Read method to use contextReader.
|
// ssh.Session but changing its Read method to use contextReader.
|
||||||
type contextReaderSesssion struct {
|
type contextReaderSession struct {
|
||||||
ssh.Session
|
ssh.Session
|
||||||
cr *contextReader
|
cr *contextReader
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a contextReaderSesssion) Read(p []byte) (n int, err error) {
|
func (a contextReaderSession) Read(p []byte) (n int, err error) {
|
||||||
if a.cr.HasOutstandingRead() {
|
if a.cr.HasOutstandingRead() {
|
||||||
return a.cr.ReadContext(context.Background(), p)
|
return a.cr.ReadContext(context.Background(), p)
|
||||||
}
|
}
|
||||||
|
@ -2,11 +2,11 @@
|
|||||||
// Use of this source code is governed by a BSD-style
|
// Use of this source code is governed by a BSD-style
|
||||||
// license that can be found in the LICENSE file.
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
// This file contains the code for the incubator process. Taiscaled
|
// This file contains the code for the incubator process. Tailscaled
|
||||||
// launches the incubator as the same user as it was launched as. The
|
// launches the incubator as the same user as it was launched as. The
|
||||||
// incubator then registers a new session with the OS, sets its UID
|
// incubator then registers a new session with the OS, sets its UID
|
||||||
// and groups to the specified `--uid`, `--gid` and `--groups`, and
|
// and groups to the specified `--uid`, `--gid` and `--groups`, and
|
||||||
// then lauches the requested `--cmd`.
|
// then launches the requested `--cmd`.
|
||||||
|
|
||||||
//go:build linux || (darwin && !ios)
|
//go:build linux || (darwin && !ios)
|
||||||
// +build linux darwin,!ios
|
// +build linux darwin,!ios
|
||||||
|
@ -181,7 +181,7 @@ func (c *conn) logf(format string, args ...any) {
|
|||||||
c.srv.logf(format, args...)
|
c.srv.logf(format, args...)
|
||||||
}
|
}
|
||||||
|
|
||||||
// PublicKeyHandler implements ssh.PublicKeyHandler is called by the the
|
// PublicKeyHandler implements ssh.PublicKeyHandler is called by the
|
||||||
// ssh.Server when the client presents a public key.
|
// ssh.Server when the client presents a public key.
|
||||||
func (c *conn) PublicKeyHandler(ctx ssh.Context, pubKey ssh.PublicKey) error {
|
func (c *conn) PublicKeyHandler(ctx ssh.Context, pubKey ssh.PublicKey) error {
|
||||||
c.mu.Lock()
|
c.mu.Lock()
|
||||||
@ -205,7 +205,7 @@ func (c *conn) PublicKeyHandler(ctx ssh.Context, pubKey ssh.PublicKey) error {
|
|||||||
var errPubKeyRequired = errors.New("ssh publickey required")
|
var errPubKeyRequired = errors.New("ssh publickey required")
|
||||||
|
|
||||||
// NoClientAuthCallback implements gossh.NoClientAuthCallback and is called by
|
// NoClientAuthCallback implements gossh.NoClientAuthCallback and is called by
|
||||||
// the the ssh.Server when the client first connects with the "none"
|
// the ssh.Server when the client first connects with the "none"
|
||||||
// authentication method.
|
// authentication method.
|
||||||
func (c *conn) NoClientAuthCallback(cm gossh.ConnMetadata) (*gossh.Permissions, error) {
|
func (c *conn) NoClientAuthCallback(cm gossh.ConnMetadata) (*gossh.Permissions, error) {
|
||||||
if c.insecureSkipTailscaleAuth {
|
if c.insecureSkipTailscaleAuth {
|
||||||
@ -595,7 +595,7 @@ func (c *conn) handleSessionPostSSHAuth(s ssh.Session) {
|
|||||||
if cr.HasOutstandingRead() {
|
if cr.HasOutstandingRead() {
|
||||||
// There was some buffered input while we were waiting for the policy
|
// There was some buffered input while we were waiting for the policy
|
||||||
// decision.
|
// decision.
|
||||||
s = contextReaderSesssion{s, cr}
|
s = contextReaderSession{s, cr}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Do this check after auth, but before starting the session.
|
// Do this check after auth, but before starting the session.
|
||||||
@ -1326,7 +1326,7 @@ type CastHeader struct {
|
|||||||
Timestamp: now.Unix(),
|
Timestamp: now.Unix(),
|
||||||
Env: map[string]string{
|
Env: map[string]string{
|
||||||
"TERM": term,
|
"TERM": term,
|
||||||
// TODO(bradiftz): anything else important?
|
// TODO(bradfitz): anything else important?
|
||||||
// including all seems noisey, but maybe we should
|
// including all seems noisey, but maybe we should
|
||||||
// for auditing. But first need to break
|
// for auditing. But first need to break
|
||||||
// launchProcess's startWithStdPipes and
|
// launchProcess's startWithStdPipes and
|
||||||
|
@ -117,7 +117,7 @@ func (u StableNodeID) IsZero() bool {
|
|||||||
// A user can have multiple logins associated with it (e.g. gmail and github oauth).
|
// A user can have multiple logins associated with it (e.g. gmail and github oauth).
|
||||||
// (Note: none of our UIs support this yet.)
|
// (Note: none of our UIs support this yet.)
|
||||||
//
|
//
|
||||||
// Some properties are inhereted from the logins and can be overridden, such as
|
// Some properties are inherited from the logins and can be overridden, such as
|
||||||
// display name and profile picture.
|
// display name and profile picture.
|
||||||
//
|
//
|
||||||
// Other properties must be the same for all logins associated with a user.
|
// Other properties must be the same for all logins associated with a user.
|
||||||
@ -249,7 +249,7 @@ type Node struct {
|
|||||||
// the owner of the node. When forOwner is false, the hostname is
|
// the owner of the node. When forOwner is false, the hostname is
|
||||||
// never included in the return value.
|
// never included in the return value.
|
||||||
//
|
//
|
||||||
// Return value is either either "Name" or "Name (Hostname)", where
|
// Return value is either "Name" or "Name (Hostname)", where
|
||||||
// Name is the node's MagicDNS base name (for normal non-shared-in
|
// Name is the node's MagicDNS base name (for normal non-shared-in
|
||||||
// nodes), FQDN (without trailing dot, for shared-in nodes), or
|
// nodes), FQDN (without trailing dot, for shared-in nodes), or
|
||||||
// Hostname (if no MagicDNS). Hostname is only included in the
|
// Hostname (if no MagicDNS). Hostname is only included in the
|
||||||
@ -864,7 +864,7 @@ type RegisterResponse struct {
|
|||||||
MachineAuthorized bool // TODO(crawshaw): move to using MachineStatus
|
MachineAuthorized bool // TODO(crawshaw): move to using MachineStatus
|
||||||
AuthURL string // if set, authorization pending
|
AuthURL string // if set, authorization pending
|
||||||
|
|
||||||
// Error indiciates that authorization failed. If this is non-empty,
|
// Error indicates that authorization failed. If this is non-empty,
|
||||||
// other status fields should be ignored.
|
// other status fields should be ignored.
|
||||||
Error string
|
Error string
|
||||||
}
|
}
|
||||||
@ -992,7 +992,7 @@ type NetPortRange struct {
|
|||||||
|
|
||||||
// CapGrant grants capabilities in a FilterRule.
|
// CapGrant grants capabilities in a FilterRule.
|
||||||
type CapGrant struct {
|
type CapGrant struct {
|
||||||
// Dsts are the destination IP ranges that this capabilty
|
// Dsts are the destination IP ranges that this capability
|
||||||
// grant matches.
|
// grant matches.
|
||||||
Dsts []netip.Prefix
|
Dsts []netip.Prefix
|
||||||
|
|
||||||
@ -1006,7 +1006,7 @@ type CapGrant struct {
|
|||||||
//
|
//
|
||||||
// A rule is logically a set of source CIDRs to match (described by
|
// A rule is logically a set of source CIDRs to match (described by
|
||||||
// SrcIPs and SrcBits), and a set of destination targets that are then
|
// SrcIPs and SrcBits), and a set of destination targets that are then
|
||||||
// allowed if a source IP is mathces of those CIDRs.
|
// allowed if a source IP is matches of those CIDRs.
|
||||||
type FilterRule struct {
|
type FilterRule struct {
|
||||||
// SrcIPs are the source IPs/networks to match.
|
// SrcIPs are the source IPs/networks to match.
|
||||||
//
|
//
|
||||||
@ -1124,7 +1124,7 @@ type DNSConfig struct {
|
|||||||
// MagicDNS config.
|
// MagicDNS config.
|
||||||
ExtraRecords []DNSRecord `json:",omitempty"`
|
ExtraRecords []DNSRecord `json:",omitempty"`
|
||||||
|
|
||||||
// ExitNodeFilteredSuffixes are the the DNS suffixes that the
|
// ExitNodeFilteredSuffixes are the DNS suffixes that the
|
||||||
// node, when being an exit node DNS proxy, should not answer.
|
// node, when being an exit node DNS proxy, should not answer.
|
||||||
//
|
//
|
||||||
// The entries do not contain trailing periods and are always
|
// The entries do not contain trailing periods and are always
|
||||||
@ -1828,7 +1828,7 @@ type SSHAction struct {
|
|||||||
//
|
//
|
||||||
// The "OverTLS" prefix is to loudly declare that this exchange
|
// The "OverTLS" prefix is to loudly declare that this exchange
|
||||||
// doesn't happen over Noise and can be intercepted/MITM'ed by
|
// doesn't happen over Noise and can be intercepted/MITM'ed by
|
||||||
// enterprise/corp proxies where the orgnanization can put TLS roots
|
// enterprise/corp proxies where the organization can put TLS roots
|
||||||
// on devices.
|
// on devices.
|
||||||
type OverTLSPublicKeyResponse struct {
|
type OverTLSPublicKeyResponse struct {
|
||||||
// LegacyPublic specifies the control plane server's original
|
// LegacyPublic specifies the control plane server's original
|
||||||
|
@ -98,7 +98,7 @@ type TKAInfo struct {
|
|||||||
// This field exists to disambiguate a nil TKAInfo in a delta mapresponse
|
// This field exists to disambiguate a nil TKAInfo in a delta mapresponse
|
||||||
// from a nil TKAInfo indicating TKA should be disabled.
|
// from a nil TKAInfo indicating TKA should be disabled.
|
||||||
//
|
//
|
||||||
// TODO(tom): Implement /machine/tka/boostrap as a noise endpoint, to
|
// TODO(tom): Implement /machine/tka/bootstrap as a noise endpoint, to
|
||||||
// communicate the genesis AUM & any disablement secrets.
|
// communicate the genesis AUM & any disablement secrets.
|
||||||
Disabled bool `json:",omitempty"`
|
Disabled bool `json:",omitempty"`
|
||||||
}
|
}
|
||||||
|
@ -60,7 +60,7 @@ func (h AUMHash) IsZero() bool {
|
|||||||
//
|
//
|
||||||
// Only the Key optional field may be set.
|
// Only the Key optional field may be set.
|
||||||
AUMAddKey
|
AUMAddKey
|
||||||
// A RemoveKey AUM describes hte removal of a key trusted by TKA.
|
// A RemoveKey AUM describes the removal of a key trusted by TKA.
|
||||||
//
|
//
|
||||||
// Only the KeyID optional field may be set.
|
// Only the KeyID optional field may be set.
|
||||||
AUMRemoveKey
|
AUMRemoveKey
|
||||||
|
@ -67,7 +67,7 @@ func (s *scenarioTest) mkNodeWithForks(name string, signWithDefault bool, chains
|
|||||||
for parentName, chain := range chains {
|
for parentName, chain := range chains {
|
||||||
parent, exists := n.AUMs[parentName]
|
parent, exists := n.AUMs[parentName]
|
||||||
if !exists {
|
if !exists {
|
||||||
panic("cannot use non-existent parent: " + parentName)
|
panic("cannot use nonexistent parent: " + parentName)
|
||||||
}
|
}
|
||||||
parentHash := parent.Hash()
|
parentHash := parent.Hash()
|
||||||
chain.Nodes[chain.FirstIdent].ParentHash = &parentHash
|
chain.Nodes[chain.FirstIdent].ParentHash = &parentHash
|
||||||
@ -216,7 +216,7 @@ func TestScenarioHelpers(t *testing.T) {
|
|||||||
s.checkHaveConsensus(control, n)
|
s.checkHaveConsensus(control, n)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestNormalPropergation(t *testing.T) {
|
func TestNormalPropagation(t *testing.T) {
|
||||||
s := testScenario(t, `
|
s := testScenario(t, `
|
||||||
G -> L1 -> L2
|
G -> L1 -> L2
|
||||||
G.template = genesis
|
G.template = genesis
|
||||||
@ -242,7 +242,7 @@ func TestNormalPropergation(t *testing.T) {
|
|||||||
s.checkHaveConsensus(n1, n2)
|
s.checkHaveConsensus(n1, n2)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestForkingPropergation(t *testing.T) {
|
func TestForkingPropagation(t *testing.T) {
|
||||||
pub, priv := testingKey25519(t, 2)
|
pub, priv := testingKey25519(t, 2)
|
||||||
key := Key{Kind: Key25519, Public: pub, Votes: 2}
|
key := Key{Kind: Key25519, Public: pub, Votes: 2}
|
||||||
|
|
||||||
@ -278,7 +278,7 @@ func TestForkingPropergation(t *testing.T) {
|
|||||||
s.testSyncsBetween(control, n2)
|
s.testSyncsBetween(control, n2)
|
||||||
s.checkHaveConsensus(control, n2)
|
s.checkHaveConsensus(control, n2)
|
||||||
|
|
||||||
// No wozzles propergating from n2->CTRL, what about CTRL->n1?
|
// No wozzles propagating from n2->CTRL, what about CTRL->n1?
|
||||||
s.testSyncsBetween(control, n1)
|
s.testSyncsBetween(control, n1)
|
||||||
s.checkHaveConsensus(n1, n2)
|
s.checkHaveConsensus(n1, n2)
|
||||||
|
|
||||||
@ -290,7 +290,7 @@ func TestForkingPropergation(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestInvalidAUMPropergationRejected(t *testing.T) {
|
func TestInvalidAUMPropagationRejected(t *testing.T) {
|
||||||
s := testScenario(t, `
|
s := testScenario(t, `
|
||||||
G -> L1 -> L2
|
G -> L1 -> L2
|
||||||
G.template = genesis
|
G.template = genesis
|
||||||
@ -324,7 +324,7 @@ func TestInvalidAUMPropergationRejected(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestUnsignedAUMPropergationRejected(t *testing.T) {
|
func TestUnsignedAUMPropagationRejected(t *testing.T) {
|
||||||
s := testScenario(t, `
|
s := testScenario(t, `
|
||||||
G -> L1 -> L2
|
G -> L1 -> L2
|
||||||
G.template = genesis
|
G.template = genesis
|
||||||
@ -357,7 +357,7 @@ func TestUnsignedAUMPropergationRejected(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestBadSigAUMPropergationRejected(t *testing.T) {
|
func TestBadSigAUMPropagationRejected(t *testing.T) {
|
||||||
s := testScenario(t, `
|
s := testScenario(t, `
|
||||||
G -> L1 -> L2
|
G -> L1 -> L2
|
||||||
G.template = genesis
|
G.template = genesis
|
||||||
|
@ -33,7 +33,7 @@
|
|||||||
// SigRotation signature and sign it again with their rotation key. That
|
// SigRotation signature and sign it again with their rotation key. That
|
||||||
// way, SigRotation nesting should only be 2 deep in the common case.
|
// way, SigRotation nesting should only be 2 deep in the common case.
|
||||||
SigRotation
|
SigRotation
|
||||||
// SigCredential describes a signature over a specifi public key, signed
|
// SigCredential describes a signature over a specific public key, signed
|
||||||
// by a key in the tailnet key authority referenced by the specified keyID.
|
// by a key in the tailnet key authority referenced by the specified keyID.
|
||||||
// In effect, SigCredential delegates the ability to make a signature to
|
// In effect, SigCredential delegates the ability to make a signature to
|
||||||
// a different public/private key pair.
|
// a different public/private key pair.
|
||||||
|
@ -25,7 +25,7 @@ type Clock struct {
|
|||||||
sync.Mutex
|
sync.Mutex
|
||||||
}
|
}
|
||||||
|
|
||||||
// Now returns the virtual clock's current time, and avances it
|
// Now returns the virtual clock's current time, and advances it
|
||||||
// according to its step configuration.
|
// according to its step configuration.
|
||||||
func (c *Clock) Now() time.Time {
|
func (c *Clock) Now() time.Time {
|
||||||
c.Lock()
|
c.Lock()
|
||||||
|
@ -53,7 +53,7 @@ func generate(goos string) {
|
|||||||
`)
|
`)
|
||||||
for _, dep := range x.Imports {
|
for _, dep := range x.Imports {
|
||||||
if !strings.Contains(dep, ".") {
|
if !strings.Contains(dep, ".") {
|
||||||
// Omit stanard library deps.
|
// Omit standard library deps.
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
fmt.Fprintf(&out, "\t_ %q\n", dep)
|
fmt.Fprintf(&out, "\t_ %q\n", dep)
|
||||||
|
@ -463,7 +463,7 @@ func (s *Server) serveRegister(w http.ResponseWriter, r *http.Request, mkey key.
|
|||||||
case <-doneCh:
|
case <-doneCh:
|
||||||
}
|
}
|
||||||
// TODO(bradfitz): support a side test API to mark an
|
// TODO(bradfitz): support a side test API to mark an
|
||||||
// auth as failued so we can send an error response in
|
// auth as failed so we can send an error response in
|
||||||
// some follow-ups? For now all are successes.
|
// some follow-ups? For now all are successes.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -73,7 +73,7 @@
|
|||||||
|
|
||||||
# The path on disk to the "source code" of the package, in this case it is
|
# The path on disk to the "source code" of the package, in this case it is
|
||||||
# the path to the binaries that are built. This needs to be the raw
|
# the path to the binaries that are built. This needs to be the raw
|
||||||
# unquoted slash-separated path, not a string contaning the path because Nix
|
# unquoted slash-separated path, not a string containing the path because Nix
|
||||||
# has a special path type.
|
# has a special path type.
|
||||||
src = {{.BinPath}};
|
src = {{.BinPath}};
|
||||||
|
|
||||||
|
@ -78,7 +78,7 @@ func TestMITMProxy(t *testing.T) {
|
|||||||
// - The first thing we do is append the nsslcrtd_program stanza to the config.
|
// - The first thing we do is append the nsslcrtd_program stanza to the config.
|
||||||
// This must be an absolute path and is based on the nix path of the squid derivation,
|
// This must be an absolute path and is based on the nix path of the squid derivation,
|
||||||
// so we compute and write it out here.
|
// so we compute and write it out here.
|
||||||
// - Squid expects a pre-initalized directory layout, so we create that in /tmp/squid then
|
// - Squid expects a pre-initialized directory layout, so we create that in /tmp/squid then
|
||||||
// invoke squid with -z to have it fill in the rest.
|
// invoke squid with -z to have it fill in the rest.
|
||||||
// - Doing a meddler-in-the-middle attack requires using some fake keys, so we create
|
// - Doing a meddler-in-the-middle attack requires using some fake keys, so we create
|
||||||
// them using openssl and then use the security_file_certgen tool to setup squids' ssl_db.
|
// them using openssl and then use the security_file_certgen tool to setup squids' ssl_db.
|
||||||
|
@ -92,7 +92,7 @@ func mustPrefix(s string) netip.Prefix {
|
|||||||
func NewInternet() *Network {
|
func NewInternet() *Network {
|
||||||
return &Network{
|
return &Network{
|
||||||
Name: "internet",
|
Name: "internet",
|
||||||
// easily recognizable internett-y addresses
|
// easily recognizable internetty addresses
|
||||||
Prefix4: mustPrefix("1.0.0.0/24"),
|
Prefix4: mustPrefix("1.0.0.0/24"),
|
||||||
Prefix6: mustPrefix("1111::/64"),
|
Prefix6: mustPrefix("1111::/64"),
|
||||||
}
|
}
|
||||||
@ -243,7 +243,7 @@ func (f *Interface) String() string {
|
|||||||
if f.name != "" {
|
if f.name != "" {
|
||||||
return f.name
|
return f.name
|
||||||
}
|
}
|
||||||
return fmt.Sprintf("unamed-interface-on-network-%p", f.net)
|
return fmt.Sprintf("unnamed-interface-on-network-%p", f.net)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Contains reports whether f contains ip as an IP.
|
// Contains reports whether f contains ip as an IP.
|
||||||
|
@ -412,7 +412,7 @@ func (l loggingResponseWriter) Flush() {
|
|||||||
//
|
//
|
||||||
// It is the error type to be (optionally) used by Handler.ServeHTTPReturn.
|
// It is the error type to be (optionally) used by Handler.ServeHTTPReturn.
|
||||||
type HTTPError struct {
|
type HTTPError struct {
|
||||||
Code int // HTTP response code to send to client; 0 means means 500
|
Code int // HTTP response code to send to client; 0 means 500
|
||||||
Msg string // Response body to send to client
|
Msg string // Response body to send to client
|
||||||
Err error // Detailed error to log on the server
|
Err error // Detailed error to log on the server
|
||||||
Header http.Header // Optional set of HTTP headers to set in the response
|
Header http.Header // Optional set of HTTP headers to set in the response
|
||||||
|
@ -63,7 +63,7 @@ func (k DiscoPrivate) Public() DiscoPublic {
|
|||||||
return ret
|
return ret
|
||||||
}
|
}
|
||||||
|
|
||||||
// Shared returns the DiscoShared for communication betweek k and p.
|
// Shared returns the DiscoShared for communication between k and p.
|
||||||
func (k DiscoPrivate) Shared(p DiscoPublic) DiscoShared {
|
func (k DiscoPrivate) Shared(p DiscoPublic) DiscoShared {
|
||||||
if k.IsZero() || p.IsZero() {
|
if k.IsZero() || p.IsZero() {
|
||||||
panic("can't compute shared secret with zero keys")
|
panic("can't compute shared secret with zero keys")
|
||||||
|
@ -21,7 +21,7 @@
|
|||||||
// be enough to disqualify it on its own.
|
// be enough to disqualify it on its own.
|
||||||
//
|
//
|
||||||
// Unlike rate.Limiter, this token bucket does not attempt to
|
// Unlike rate.Limiter, this token bucket does not attempt to
|
||||||
// do any locking of its own. Don't try to access it re-entrantly.
|
// do any locking of its own. Don't try to access it reentrantly.
|
||||||
// That's fine inside this types/logger package because we already have
|
// That's fine inside this types/logger package because we already have
|
||||||
// locking at a higher level.
|
// locking at a higher level.
|
||||||
type tokenBucket struct {
|
type tokenBucket struct {
|
||||||
|
@ -11,7 +11,7 @@
|
|||||||
)
|
)
|
||||||
|
|
||||||
// Bool represents an optional boolean to be JSON-encoded. The string
|
// Bool represents an optional boolean to be JSON-encoded. The string
|
||||||
// is either "true", "false", or the enmpty string to mean unset.
|
// is either "true", "false", or the empty string to mean unset.
|
||||||
//
|
//
|
||||||
// As a special case, the underlying string may also be the string
|
// As a special case, the underlying string may also be the string
|
||||||
// "unset" as as a synonym for the empty string. This lets the
|
// "unset" as as a synonym for the empty string. This lets the
|
||||||
|
@ -197,7 +197,7 @@ func WritePrometheusExpositionFormat(w io.Writer) {
|
|||||||
const (
|
const (
|
||||||
// metricLogNameFrequency is how often a metric's name=>id
|
// metricLogNameFrequency is how often a metric's name=>id
|
||||||
// mapping is redundantly put in the logs. In other words,
|
// mapping is redundantly put in the logs. In other words,
|
||||||
// this is how how far in the logs you need to fetch from a
|
// this is how far in the logs you need to fetch from a
|
||||||
// given point in time to recompute the metrics at that point
|
// given point in time to recompute the metrics at that point
|
||||||
// in time.
|
// in time.
|
||||||
metricLogNameFrequency = 4 * time.Hour
|
metricLogNameFrequency = 4 * time.Hour
|
||||||
|
@ -434,7 +434,7 @@ func makeMapHasher(t reflect.Type) typeHasherFunc {
|
|||||||
mh := mapHasherPool.Get().(*mapHasher)
|
mh := mapHasherPool.Get().(*mapHasher)
|
||||||
defer mapHasherPool.Put(mh)
|
defer mapHasherPool.Put(mh)
|
||||||
|
|
||||||
// Hash a map in a sort-free mannar.
|
// Hash a map in a sort-free manner.
|
||||||
// It relies on a map being a an unordered set of KV entries.
|
// It relies on a map being a an unordered set of KV entries.
|
||||||
// So long as we hash each KV entry together, we can XOR all the
|
// So long as we hash each KV entry together, we can XOR all the
|
||||||
// individual hashes to produce a unique hash for the entire map.
|
// individual hashes to produce a unique hash for the entire map.
|
||||||
|
@ -552,7 +552,7 @@ func TestGetTypeHasher(t *testing.T) {
|
|||||||
out: "\x01\x00\x00\x00\x02\x00\x00\x00\x03\x04\x00\x00\x00",
|
out: "\x01\x00\x00\x00\x02\x00\x00\x00\x03\x04\x00\x00\x00",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "IntIntByteInt-canddr",
|
name: "IntIntByteInt-canaddr",
|
||||||
val: &IntIntByteInt{1, 2, 3, 4},
|
val: &IntIntByteInt{1, 2, 3, 4},
|
||||||
out: "\x01\x01\x00\x00\x00\x02\x00\x00\x00\x03\x04\x00\x00\x00",
|
out: "\x01\x01\x00\x00\x00\x02\x00\x00\x00\x03\x04\x00\x00\x00",
|
||||||
},
|
},
|
||||||
@ -604,9 +604,9 @@ func TestSliceCycle(t *testing.T) {
|
|||||||
type S []S
|
type S []S
|
||||||
c := qt.New(t)
|
c := qt.New(t)
|
||||||
|
|
||||||
a := make(S, 1) // cylic graph of 1 node
|
a := make(S, 1) // cyclic graph of 1 node
|
||||||
a[0] = a
|
a[0] = a
|
||||||
b := make(S, 1) // cylic graph of 1 node
|
b := make(S, 1) // cyclic graph of 1 node
|
||||||
b[0] = b
|
b[0] = b
|
||||||
ha := Hash(&a)
|
ha := Hash(&a)
|
||||||
hb := Hash(&b)
|
hb := Hash(&b)
|
||||||
@ -642,9 +642,9 @@ func TestMapCycle(t *testing.T) {
|
|||||||
type M map[string]M
|
type M map[string]M
|
||||||
c := qt.New(t)
|
c := qt.New(t)
|
||||||
|
|
||||||
a := make(M) // cylic graph of 1 node
|
a := make(M) // cyclic graph of 1 node
|
||||||
a["self"] = a
|
a["self"] = a
|
||||||
b := make(M) // cylic graph of 1 node
|
b := make(M) // cyclic graph of 1 node
|
||||||
b["self"] = b
|
b["self"] = b
|
||||||
ha := Hash(&a)
|
ha := Hash(&a)
|
||||||
hb := Hash(&b)
|
hb := Hash(&b)
|
||||||
@ -897,7 +897,7 @@ func TestArrayAllocs(t *testing.T) {
|
|||||||
|
|
||||||
// In theory, there should be no allocations. However, escape analysis on
|
// In theory, there should be no allocations. However, escape analysis on
|
||||||
// certain architectures fails to detect that certain cases do not escape.
|
// certain architectures fails to detect that certain cases do not escape.
|
||||||
// This discrepency currently affects sha256.digest.Sum.
|
// This discrepancy currently affects sha256.digest.Sum.
|
||||||
// Measure the number of allocations in sha256 to ensure that Hash does
|
// Measure the number of allocations in sha256 to ensure that Hash does
|
||||||
// not allocate on top of its usage of sha256.
|
// not allocate on top of its usage of sha256.
|
||||||
// See https://golang.org/issue/48055.
|
// See https://golang.org/issue/48055.
|
||||||
|
@ -27,7 +27,7 @@
|
|||||||
// rely on pointer.asValue to convert the pointer back to a reflect.Value.
|
// rely on pointer.asValue to convert the pointer back to a reflect.Value.
|
||||||
// Conversion of an unsafe.Pointer to reflect.Value guarantees that the
|
// Conversion of an unsafe.Pointer to reflect.Value guarantees that the
|
||||||
// read-only flag in the reflect.Value is unpopulated, avoiding panics that may
|
// read-only flag in the reflect.Value is unpopulated, avoiding panics that may
|
||||||
// othewise have occurred since the value was obtained from an unexported field.
|
// otherwise have occurred since the value was obtained from an unexported field.
|
||||||
type unsafePointer struct{ p unsafe.Pointer }
|
type unsafePointer struct{ p unsafe.Pointer }
|
||||||
|
|
||||||
func unsafePointerOf(v reflect.Value) unsafePointer {
|
func unsafePointerOf(v reflect.Value) unsafePointer {
|
||||||
|
@ -104,7 +104,7 @@ func TestSanitizeLabel(t *testing.T) {
|
|||||||
{"mixed", "Avery's iPhone 4(SE)", "averys-iphone-4se"},
|
{"mixed", "Avery's iPhone 4(SE)", "averys-iphone-4se"},
|
||||||
{"dotted", "mon.ipn.dev", "mon-ipn-dev"},
|
{"dotted", "mon.ipn.dev", "mon-ipn-dev"},
|
||||||
{"email", "admin@example.com", "admin-example-com"},
|
{"email", "admin@example.com", "admin-example-com"},
|
||||||
{"boudary", ".bound.ary.", "bound-ary"},
|
{"boundary", ".bound.ary.", "bound-ary"},
|
||||||
{"bad_trailing", "a-", "a"},
|
{"bad_trailing", "a-", "a"},
|
||||||
{"bad_leading", "-a", "a"},
|
{"bad_leading", "-a", "a"},
|
||||||
{"bad_both", "-a-", "a"},
|
{"bad_both", "-a-", "a"},
|
||||||
|
@ -52,7 +52,7 @@ func NonNil(ptr interface{}) {
|
|||||||
|
|
||||||
// NonNilSliceForJSON makes sure that *slicePtr is non-nil so it will
|
// NonNilSliceForJSON makes sure that *slicePtr is non-nil so it will
|
||||||
// won't be omitted from JSON serialization and possibly confuse JavaScript
|
// won't be omitted from JSON serialization and possibly confuse JavaScript
|
||||||
// clients expecting it to be preesnt.
|
// clients expecting it to be present.
|
||||||
func NonNilSliceForJSON[T any, S ~[]T](slicePtr *S) {
|
func NonNilSliceForJSON[T any, S ~[]T](slicePtr *S) {
|
||||||
if *slicePtr != nil {
|
if *slicePtr != nil {
|
||||||
return
|
return
|
||||||
@ -62,7 +62,7 @@ func NonNilSliceForJSON[T any, S ~[]T](slicePtr *S) {
|
|||||||
|
|
||||||
// NonNilMapForJSON makes sure that *slicePtr is non-nil so it will
|
// NonNilMapForJSON makes sure that *slicePtr is non-nil so it will
|
||||||
// won't be omitted from JSON serialization and possibly confuse JavaScript
|
// won't be omitted from JSON serialization and possibly confuse JavaScript
|
||||||
// clients expecting it to be preesnt.
|
// clients expecting it to be present.
|
||||||
func NonNilMapForJSON[K comparable, V any, M ~map[K]V](mapPtr *M) {
|
func NonNilMapForJSON[K comparable, V any, M ~map[K]V](mapPtr *M) {
|
||||||
if *mapPtr != nil {
|
if *mapPtr != nil {
|
||||||
return
|
return
|
||||||
|
@ -88,7 +88,7 @@ type Firewall struct {
|
|||||||
permittedRoutes map[netip.Prefix][]*wf.Rule
|
permittedRoutes map[netip.Prefix][]*wf.Rule
|
||||||
}
|
}
|
||||||
|
|
||||||
// New returns a new Firewall for the provdied interface ID.
|
// New returns a new Firewall for the provided interface ID.
|
||||||
func New(luid uint64) (*Firewall, error) {
|
func New(luid uint64) (*Firewall, error) {
|
||||||
session, err := wf.New(&wf.Options{
|
session, err := wf.New(&wf.Options{
|
||||||
Name: "Tailscale firewall",
|
Name: "Tailscale firewall",
|
||||||
|
@ -305,7 +305,7 @@ func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response {
|
|||||||
pkt.Decode(dummyPacket) // initialize private fields
|
pkt.Decode(dummyPacket) // initialize private fields
|
||||||
switch {
|
switch {
|
||||||
case (srcIP.Is4() && dstIP.Is6()) || (srcIP.Is6() && srcIP.Is4()):
|
case (srcIP.Is4() && dstIP.Is6()) || (srcIP.Is6() && srcIP.Is4()):
|
||||||
// Mistmatched address families, no filters will
|
// Mismatched address families, no filters will
|
||||||
// match.
|
// match.
|
||||||
return Drop
|
return Drop
|
||||||
case srcIP.Is4():
|
case srcIP.Is4():
|
||||||
@ -523,7 +523,7 @@ func (f *Filter) runOut(q *packet.Parsed) (r Response, why string) {
|
|||||||
return Accept, "ok out"
|
return Accept, "ok out"
|
||||||
}
|
}
|
||||||
|
|
||||||
// direction is whether a packet was flowing in to this machine, or
|
// direction is whether a packet was flowing into this machine, or
|
||||||
// flowing out.
|
// flowing out.
|
||||||
type direction int
|
type direction int
|
||||||
|
|
||||||
|
@ -166,7 +166,7 @@ func TestUDPState(t *testing.T) {
|
|||||||
a4 := parsed(ipproto.UDP, "119.119.119.119", "102.102.102.102", 4242, 4343)
|
a4 := parsed(ipproto.UDP, "119.119.119.119", "102.102.102.102", 4242, 4343)
|
||||||
b4 := parsed(ipproto.UDP, "102.102.102.102", "119.119.119.119", 4343, 4242)
|
b4 := parsed(ipproto.UDP, "102.102.102.102", "119.119.119.119", 4343, 4242)
|
||||||
|
|
||||||
// Unsollicited UDP traffic gets dropped
|
// Unsolicited UDP traffic gets dropped
|
||||||
if got := acl.RunIn(&a4, flags); got != Drop {
|
if got := acl.RunIn(&a4, flags); got != Drop {
|
||||||
t.Fatalf("incoming initial packet not dropped, got=%v: %v", got, a4)
|
t.Fatalf("incoming initial packet not dropped, got=%v: %v", got, a4)
|
||||||
}
|
}
|
||||||
@ -182,7 +182,7 @@ func TestUDPState(t *testing.T) {
|
|||||||
a6 := parsed(ipproto.UDP, "2001::2", "2001::1", 4242, 4343)
|
a6 := parsed(ipproto.UDP, "2001::2", "2001::1", 4242, 4343)
|
||||||
b6 := parsed(ipproto.UDP, "2001::1", "2001::2", 4343, 4242)
|
b6 := parsed(ipproto.UDP, "2001::1", "2001::2", 4343, 4242)
|
||||||
|
|
||||||
// Unsollicited UDP traffic gets dropped
|
// Unsolicited UDP traffic gets dropped
|
||||||
if got := acl.RunIn(&a6, flags); got != Drop {
|
if got := acl.RunIn(&a6, flags); got != Drop {
|
||||||
t.Fatalf("incoming initial packet not dropped: %v", a4)
|
t.Fatalf("incoming initial packet not dropped: %v", a4)
|
||||||
}
|
}
|
||||||
|
@ -2460,11 +2460,11 @@ func (c *Conn) maybeCloseDERPsOnRebind(okayLocalIPs []netip.Prefix) {
|
|||||||
for regionID, ad := range c.activeDerp {
|
for regionID, ad := range c.activeDerp {
|
||||||
la, err := ad.c.LocalAddr()
|
la, err := ad.c.LocalAddr()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
c.closeOrReconectDERPLocked(regionID, "rebind-no-localaddr")
|
c.closeOrReconnectDERPLocked(regionID, "rebind-no-localaddr")
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
if !tsaddr.PrefixesContainsIP(okayLocalIPs, la.Addr()) {
|
if !tsaddr.PrefixesContainsIP(okayLocalIPs, la.Addr()) {
|
||||||
c.closeOrReconectDERPLocked(regionID, "rebind-default-route-change")
|
c.closeOrReconnectDERPLocked(regionID, "rebind-default-route-change")
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
regionID := regionID
|
regionID := regionID
|
||||||
@ -2475,7 +2475,7 @@ func (c *Conn) maybeCloseDERPsOnRebind(okayLocalIPs []netip.Prefix) {
|
|||||||
if err := dc.Ping(ctx); err != nil {
|
if err := dc.Ping(ctx); err != nil {
|
||||||
c.mu.Lock()
|
c.mu.Lock()
|
||||||
defer c.mu.Unlock()
|
defer c.mu.Unlock()
|
||||||
c.closeOrReconectDERPLocked(regionID, "rebind-ping-fail")
|
c.closeOrReconnectDERPLocked(regionID, "rebind-ping-fail")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
c.logf("post-rebind ping of DERP region %d okay", regionID)
|
c.logf("post-rebind ping of DERP region %d okay", regionID)
|
||||||
@ -2484,14 +2484,14 @@ func (c *Conn) maybeCloseDERPsOnRebind(okayLocalIPs []netip.Prefix) {
|
|||||||
c.logActiveDerpLocked()
|
c.logActiveDerpLocked()
|
||||||
}
|
}
|
||||||
|
|
||||||
// closeOrReconectDERPLocked closes the DERP connection to the
|
// closeOrReconnectDERPLocked closes the DERP connection to the
|
||||||
// provided regionID and starts reconnecting it if it's our current
|
// provided regionID and starts reconnecting it if it's our current
|
||||||
// home DERP.
|
// home DERP.
|
||||||
//
|
//
|
||||||
// why is a reason for logging.
|
// why is a reason for logging.
|
||||||
//
|
//
|
||||||
// c.mu must be held.
|
// c.mu must be held.
|
||||||
func (c *Conn) closeOrReconectDERPLocked(regionID int, why string) {
|
func (c *Conn) closeOrReconnectDERPLocked(regionID int, why string) {
|
||||||
c.closeDerpLocked(regionID, why)
|
c.closeDerpLocked(regionID, why)
|
||||||
if !c.privateKey.IsZero() && c.myDerp == regionID {
|
if !c.privateKey.IsZero() && c.myDerp == regionID {
|
||||||
c.startDerpHomeConnectLocked()
|
c.startDerpHomeConnectLocked()
|
||||||
@ -2788,7 +2788,7 @@ func (c *Conn) ReSTUN(why string) {
|
|||||||
// reconfigures the engine with a zero private key.)
|
// reconfigures the engine with a zero private key.)
|
||||||
//
|
//
|
||||||
// This used to just check c.privateKey.IsZero, but that broke
|
// This used to just check c.privateKey.IsZero, but that broke
|
||||||
// some end-to-end tests tests that didn't ever set a private
|
// some end-to-end tests that didn't ever set a private
|
||||||
// key somehow. So for now, only stop doing work if we ever
|
// key somehow. So for now, only stop doing work if we ever
|
||||||
// had a key, which helps real users, but appeases tests for
|
// had a key, which helps real users, but appeases tests for
|
||||||
// now. TODO: rewrite those tests to be less brittle or more
|
// now. TODO: rewrite those tests to be less brittle or more
|
||||||
@ -4022,7 +4022,7 @@ func (de *endpoint) handleCallMeMaybe(m *disco.CallMeMaybe) {
|
|||||||
}))
|
}))
|
||||||
}
|
}
|
||||||
|
|
||||||
// Delete any prior CalllMeMaybe endpoints that weren't included
|
// Delete any prior CallMeMaybe endpoints that weren't included
|
||||||
// in this message.
|
// in this message.
|
||||||
for ep, want := range de.isCallMeMaybeEP {
|
for ep, want := range de.isCallMeMaybeEP {
|
||||||
if !want {
|
if !want {
|
||||||
@ -4119,17 +4119,17 @@ type ippEndpointCache struct {
|
|||||||
type discoInfo struct {
|
type discoInfo struct {
|
||||||
// discoKey is the same as the Conn.discoInfo map key,
|
// discoKey is the same as the Conn.discoInfo map key,
|
||||||
// just so you can pass around a *discoInfo alone.
|
// just so you can pass around a *discoInfo alone.
|
||||||
// Not modifed once initiazed.
|
// Not modified once initialized.
|
||||||
discoKey key.DiscoPublic
|
discoKey key.DiscoPublic
|
||||||
|
|
||||||
// discoShort is discoKey.ShortString().
|
// discoShort is discoKey.ShortString().
|
||||||
// Not modifed once initiazed;
|
// Not modified once initialized;
|
||||||
discoShort string
|
discoShort string
|
||||||
|
|
||||||
// sharedKey is the precomputed key for communication with the
|
// sharedKey is the precomputed key for communication with the
|
||||||
// peer that has the DiscoKey used to look up this *discoInfo in
|
// peer that has the DiscoKey used to look up this *discoInfo in
|
||||||
// Conn.discoInfo.
|
// Conn.discoInfo.
|
||||||
// Not modifed once initialized.
|
// Not modified once initialized.
|
||||||
sharedKey key.DiscoShared
|
sharedKey key.DiscoShared
|
||||||
|
|
||||||
// Mutable fields follow, owned by Conn.mu:
|
// Mutable fields follow, owned by Conn.mu:
|
||||||
|
@ -570,7 +570,7 @@ func unicastIPNets(ifc *winipcfg.IPAdapterAddresses) []netip.Prefix {
|
|||||||
//
|
//
|
||||||
// Any IPv6 link-local addresses are not deleted out of caution as some
|
// Any IPv6 link-local addresses are not deleted out of caution as some
|
||||||
// configurations may repeatedly re-add them. Link-local addresses are adjusted
|
// configurations may repeatedly re-add them. Link-local addresses are adjusted
|
||||||
// to set SkipAsSource. SkipAsSource prevents the addresses from being addded to
|
// to set SkipAsSource. SkipAsSource prevents the addresses from being added to
|
||||||
// DNS locally or remotely and from being picked as a source address for
|
// DNS locally or remotely and from being picked as a source address for
|
||||||
// outgoing packets with unspecified sources. See #4647 and
|
// outgoing packets with unspecified sources. See #4647 and
|
||||||
// https://web.archive.org/web/20200912120956/https://devblogs.microsoft.com/scripting/use-powershell-to-change-ip-behavior-with-skipassource/
|
// https://web.archive.org/web/20200912120956/https://devblogs.microsoft.com/scripting/use-powershell-to-change-ip-behavior-with-skipassource/
|
||||||
|
@ -214,7 +214,7 @@ func newUserspaceRouterAdvanced(logf logger.Logf, tunname string, linkMon *monit
|
|||||||
//
|
//
|
||||||
// As such, if we are running on openWRT, detect a mwan3 config, AND detect a rule
|
// As such, if we are running on openWRT, detect a mwan3 config, AND detect a rule
|
||||||
// with a preference 2001 (corresponding to the first interface wman3 manages), we
|
// with a preference 2001 (corresponding to the first interface wman3 manages), we
|
||||||
// shift the priority of our policies to 13xx. This effectively puts us betwen mwan3's
|
// shift the priority of our policies to 13xx. This effectively puts us between mwan3's
|
||||||
// permit-by-src-ip rules and mwan3 lookup of its own routing table which would drop
|
// permit-by-src-ip rules and mwan3 lookup of its own routing table which would drop
|
||||||
// the packet.
|
// the packet.
|
||||||
isMWAN3, err := checkOpenWRTUsingMWAN3()
|
isMWAN3, err := checkOpenWRTUsingMWAN3()
|
||||||
|
@ -148,7 +148,7 @@ func (r *userspaceBSDRouter) Set(cfg *Config) (reterr error) {
|
|||||||
}
|
}
|
||||||
newRoutes[route] = struct{}{}
|
newRoutes[route] = struct{}{}
|
||||||
}
|
}
|
||||||
// Delete any pre-existing routes.
|
// Delete any preexisting routes.
|
||||||
for route := range r.routes {
|
for route := range r.routes {
|
||||||
if _, keep := newRoutes[route]; !keep {
|
if _, keep := newRoutes[route]; !keep {
|
||||||
net := netipx.PrefixIPNet(route)
|
net := netipx.PrefixIPNet(route)
|
||||||
|
@ -120,7 +120,7 @@ func cleanup(logf logger.Logf, interfaceName string) {
|
|||||||
// but it can be REALLY SLOW to change the Windows firewall for reasons not understood.
|
// but it can be REALLY SLOW to change the Windows firewall for reasons not understood.
|
||||||
// Like 4 minutes slow. But usually it's tens of milliseconds.
|
// Like 4 minutes slow. But usually it's tens of milliseconds.
|
||||||
// See https://github.com/tailscale/tailscale/issues/785.
|
// See https://github.com/tailscale/tailscale/issues/785.
|
||||||
// So this tracks the desired state and runs the actual adjusting code asynchrounsly.
|
// So this tracks the desired state and runs the actual adjusting code asynchronously.
|
||||||
type firewallTweaker struct {
|
type firewallTweaker struct {
|
||||||
logf logger.Logf
|
logf logger.Logf
|
||||||
tunGUID windows.GUID
|
tunGUID windows.GUID
|
||||||
|
@ -549,7 +549,7 @@ func (e *userspaceEngine) pollResolver() {
|
|||||||
// stable!) but I'm worried that a future regression would be easier to debug
|
// stable!) but I'm worried that a future regression would be easier to debug
|
||||||
// with these knobs in place.
|
// with these knobs in place.
|
||||||
func forceFullWireguardConfig(numPeers int) bool {
|
func forceFullWireguardConfig(numPeers int) bool {
|
||||||
// Did the user explicitly enable trimmming via the environment variable knob?
|
// Did the user explicitly enable trimming via the environment variable knob?
|
||||||
if b, ok := debugTrimWireguard().Get(); ok {
|
if b, ok := debugTrimWireguard().Get(); ok {
|
||||||
return !b
|
return !b
|
||||||
}
|
}
|
||||||
@ -562,7 +562,7 @@ func forceFullWireguardConfig(numPeers int) bool {
|
|||||||
// isTrimmablePeer reports whether p is a peer that we can trim out of the
|
// isTrimmablePeer reports whether p is a peer that we can trim out of the
|
||||||
// network map.
|
// network map.
|
||||||
//
|
//
|
||||||
// For implementation simplificy, we can only trim peers that have
|
// For implementation simplicity, we can only trim peers that have
|
||||||
// only non-subnet AllowedIPs (an IPv4 /32 or IPv6 /128), which is the
|
// only non-subnet AllowedIPs (an IPv4 /32 or IPv6 /128), which is the
|
||||||
// common case for most peers. Subnet router nodes will just always be
|
// common case for most peers. Subnet router nodes will just always be
|
||||||
// created in the wireguard-go config.
|
// created in the wireguard-go config.
|
||||||
@ -664,7 +664,7 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked(discoChanged map[key.Node
|
|||||||
activeCutoff := e.timeNow().Add(-lazyPeerIdleThreshold)
|
activeCutoff := e.timeNow().Add(-lazyPeerIdleThreshold)
|
||||||
|
|
||||||
// Not all peers can be trimmed from the network map (see
|
// Not all peers can be trimmed from the network map (see
|
||||||
// isTrimmablePeer). For those are are trimmable, keep track of
|
// isTrimmablePeer). For those that are trimmable, keep track of
|
||||||
// their NodeKey and Tailscale IPs. These are the ones we'll need
|
// their NodeKey and Tailscale IPs. These are the ones we'll need
|
||||||
// to install tracking hooks for to watch their send/receive
|
// to install tracking hooks for to watch their send/receive
|
||||||
// activity.
|
// activity.
|
||||||
|
Loading…
Reference in New Issue
Block a user