Commit Graph

6025 Commits

Author SHA1 Message Date
Brad Fitzpatrick
9e4d99305b go.toolchain.rev: bump Go toolchain
For tailscale/go#55 experimentation in another repo primarily,
but this is our source of truth, so we bump here.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-02-09 15:07:55 -08:00
David Anderson
0e4f2bdd0c pull-toolchain.sh: don't run update-flake.sh
We no longer carry an SRI hash for the toolchain, so flake
updating is no longer needed for toolchain changes.

Signed-off-by: David Anderson <danderson@tailscale.com>
2023-02-09 15:04:01 -08:00
David Anderson
33f29a1532 go.toolchain.rev: update toolchain to test iOS Go fix
Signed-off-by: David Anderson <danderson@tailscale.com>
2023-02-09 12:59:51 -08:00
Andrew Dunham
ba48ec5e39 util/linuxfw: initial implementation of package
This package is an initial implementation of something that can read
netfilter and iptables rules from the Linux kernel without needing to
shell out to an external utility; it speaks directly to the kernel using
syscalls and parses the data returned.

Currently this is read-only since it only knows how to parse a subset of
the available data.

Signed-off-by: Andrew Dunham <andrew@tailscale.com>
Change-Id: Iccadf5dcc081b73268d8ccf8884c24eb6a6f1ff5
2023-02-09 14:20:24 -05:00
Colin Adler
3c107ff301
net/connstats: fix ticker in NewStatistics (#7225)
`:=` was accidentally used, so `maxPeriod` never worked.

Signed-off-by: Colin Adler <colin1adler@gmail.com>
2023-02-09 01:24:52 -08:00
Will Norris
6ef834a6b7 get-authkey: require tags to be specified
Tailnet-owned auth keys (which all OAuth-created keys are) must include tags, since there is no user to own the registered devices.

Signed-off-by: Will Norris <will@tailscale.com>
2023-02-08 17:12:47 -08:00
Maisem Ali
89bd414be6 ipn/ipnstate: update field docs on PeerStatus.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2023-02-08 15:23:05 -08:00
Mihai Parparita
2f4df30c75 .github/workflows: re-enable CIFuzz job
Having an empty `on` spec results in the job still running, but it
immediately fails with a "No jobs were run" message.

Go back to the original `on: [pull_request]` spec, and disable the
workflow in the GitHub UI instead.

This reverts commit f7b3156f16.

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2023-02-08 13:51:14 -08:00
Mihai Parparita
62f4df3257 net/interfaces, net/netns: add node attributes to control default interface getting and binding
With #6566 we started to more aggressively bind to the default interface
on Darwin. We are seeing some reports of the wrong cellular interface
being chosen on iOS. To help with the investigation, this adds to knobs
to control the behavior changes:
- CapabilityDebugDisableAlternateDefaultRouteInterface disables the
  alternate function that we use to get the default interface on macOS
  and iOS (implemented in tailscale/corp#8201). We still log what it
  would have returned so we can see if it gets things wrong.
- CapabilityDebugDisableBindConnToInterface is a bigger hammer that
  disables binding of connections to the default interface altogether.

Updates #7184
Updates #7188

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2023-02-08 13:15:10 -08:00
Brad Fitzpatrick
fb84ccd82d control/controlhttp: don't require valid TLS cert for Noise connection
We don't require any cert at all for Noise-over-plaintext-port-80-HTTP,
so why require a valid cert chain for Noise-over-HTTPS? The reason we use
HTTPS at all is to get through firewalls that allow tcp/443 but not tcp/80,
not because we need the security properties of TLS.

Updates #3198

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-02-08 12:47:01 -08:00
Brad Fitzpatrick
2477fc4952 net/netutil: only check Linux sysctls w/ procfs, assume absent means false
Fixes #7217

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-02-08 12:23:36 -08:00
Maisem Ali
05adf22383 cmd/k8s-operator: add support for running an auth proxy
Updates #5055

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2023-02-08 11:45:10 -08:00
Mihai Parparita
31e2e9a300 ipn: remove unused NLKeyStateKey constant
We stopped writing network lock keys as separate items with #6315,
the constant is no longer used.

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2023-02-08 11:19:28 -08:00
Mihai Parparita
f0f2b2e22b logtail: increase maximum log line size in low memory mode
The 255 byte limit was chosen more than 3 years ago (tailscale/corp@929635c9d9),
when iOS was operating under much more significant memory constraints.
With iOS 15 the network extension has an increased limit, so increasing
it to 4K should be fine.

The motivating factor was that the network interfaces being logged
by linkChange in wgengine/userspace.go were getting truncated, and it
would be useful to know why in some cases we're choosing the pdp_ip1
cell interface instead of the pdp_ip0 one.

Updates #7184
Updates #7188

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2023-02-07 22:00:14 -08:00
M. J. Fromberger
9be47f789c
ipn/ipnlocal: fix the path for writing cert files (#7203)
Fixes #7202.

Change-Id: I1f8e9c59d5e42e7df7a3fbbd82ae2b4293845916
Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
2023-02-07 14:34:04 -08:00
Andrew Dunham
cab2b2b59e ipn/localapi: print envknobs on bugreport
Previously, we only printed these at startup; print those when the user
generates a bugreport as we so we don't have to go spelunking through
the logs.

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: If5b0970f09fcb4cf8839958af5d37f84e0ba6ed2
2023-02-07 11:59:32 -05:00
David Anderson
59c254579e version: unify and optimize the various not-version funcs
Signed-off-by: David Anderson <danderson@tailscale.com>
2023-02-06 22:24:14 -08:00
Maisem Ali
0fd2f71a1e ipn/ipnlocal: use presence of NodeID to identify logins
The profileManager was using the LoginName as a proxy to figure out if the profile
had logged in, however the LoginName is not present if the node was created with an
Auth Key that does not have an associated user.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2023-02-06 21:52:35 -08:00
Maisem Ali
2a094181df .github/workflows: use ./tool/go in go mod tidy
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2023-02-06 21:34:07 -08:00
Andrew Dunham
6d84f3409b ipn/ipnlocal: handle more edge cases in netmap expiry timer
We now handle the case where the NetworkMap.SelfNode has already expired
and do not return an expiry time in the past (which causes an ~infinite
loop of timers to fire).

Additionally, we now add an explicit check to ensure that the next
expiry time is never before the current local-to-the-system time, to
ensure that we don't end up in a similar situation due to clock skew.

Finally, we add more tests for this logic to ensure that we don't
regress on these edge cases.

Fixes #7193

Change-Id: Iaf8e3d83be1d133a7aab7f8d62939e508cc53f9c
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
2023-02-06 20:32:25 -05:00
Tom DNetto
99b9d7a621 all: implement pcap streaming for datapath debugging
Updates: tailscale/corp#8470

Signed-off-by: Tom DNetto <tom@tailscale.com>
2023-02-04 15:54:20 -10:00
David Anderson
1acdcff63e go.toolchain.rev: update toolchain to test ios workaround
Updates tailscale/corp#9061

Signed-off-by: David Anderson <danderson@tailscale.com>
2023-02-04 15:10:42 -08:00
Denton Gentry
4daba23cd4 cmd/get-authkey: add an OAuth API client to produce an authkey
Updates https://github.com/tailscale/tailscale/issues/3243

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2023-02-03 22:52:54 -08:00
Maisem Ali
6bae55e351 ipn/ipnlocal: add support to store certs in k8s secrets
Fixes #5676

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2023-02-03 19:12:21 -08:00
Mihai Parparita
0e3fb91a39 net/dns/resolver: remove maxDoHInFlight
It was originally added to control memory use on iOS (#2490), but then
was relaxed conditionally when running on iOS 15 (#3098). Now that we
require iOS 15, there's no need for the limit at all, so simplify back
to the original state.

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2023-02-03 17:07:12 -08:00
Mihai Parparita
b6908181ff net/tshttpproxy: more directly use Transport proxy CONNECT hooks
GetProxyConnectHeader (golang/go#41048) was upstreamed in Go 1.16 and
OnProxyConnectResponse (golang/go#54299) in Go 1.20, thus we no longer
need to guard their use by the tailscale_go build tag.

Updates #7123

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2023-02-03 16:51:50 -08:00
License Updater
0e1403ec39 licenses: update win/apple licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2023-02-03 11:29:04 -08:00
David Crawshaw
8cf2805cca tailcfg, localapi: plumb device token to server
Updates tailscale/corp#8940

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2023-02-03 10:28:11 -08:00
Brad Fitzpatrick
38b32be926 tailcfg: add wire fields/docs for resuming streaming map sessions
No implementation yet.

Updates #7175

Change-Id: Id242d47cdd83afe4d254c8c5826f058fe39c8bfd
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-02-03 09:59:30 -08:00
Andrew Dunham
880a41bfcc net/dns/resolver: add envknob to debug exit node DNS queries on on Windows
Add the envknob TS_DEBUG_EXIT_NODE_DNS_NET_PKG, which enables more
verbose debug logging when calling the handleExitNodeDNSQueryWithNetPkg
function. This function is currently only called on Windows and Android.

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Ieb3ca7b98837d7dc69cd9ca47609c1c52e3afd7b
2023-02-03 12:09:00 -05:00
Andrew Dunham
d2301db49c ipn/localapi: print node IDs, pubkeys, and expiry on bugreport
Having this information near the "user bugreport" line makes it easier
to identify the node and expiry without spelunking through the rest of
the logs.

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I1597c783efc06574fa4c8f211e68d835f20b6ccb
2023-02-03 11:44:39 -05:00
License Updater
0aa7b495d5 licenses: update win/apple licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2023-02-02 21:19:33 -08:00
David Anderson
02a2dcfc86 go.toolchain.rev: use new statically built toolchain
Also removes the toolchain builds from flake.nix. For now the flake
build uses upstream Go 1.20, a followup change will switch it back to
our custom toolchain.

Updates tailscale/corp#9005

Signed-off-by: David Anderson <danderson@tailscale.com>
2023-02-02 20:44:12 -08:00
Andrew Dunham
2dc3dc21a8 util/multierr: implement Go 1.20+'s multiple error Unwrap
Now that Go 1.20 is released, multierr.Error can implement
Unwrap() []error

Updates #7123

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Ic28c2579de6799801836c447afbca8cdcba732cf
2023-02-02 14:03:51 -05:00
Andrew Dunham
5ba2543828 ipn/ipnlocal: print warning about DNS servers in bugreport --diagnose
If the user passes the --diagnose flag, print a warning if any of the
default or fallback DNS resolvers are Tailscale IPs. This can interfere
with the ability to connect to the controlplane, and is typically
something to pay attention to if there's a connectivity issue.

Change-Id: Ib14bf6228c037877fbdcd22b069212b1a4b2c456
Signed-off-by: Andrew Dunham <andrew@tailscale.com>
2023-02-02 13:09:05 -05:00
License Updater
c4eb857405 licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2023-02-02 07:51:07 -08:00
Brad Fitzpatrick
03645f0c27 net/{netns,netstat}: use new x/sys/cpu.IsBigEndian
See golang/go#57237

Change-Id: If47ab6de7c1610998a5808e945c4177c561eab45
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-02-02 07:41:49 -08:00
Andrew Dunham
2755f3843c health, net/tlsdial: add healthcheck for self-signed cert
When we make a connection to a server, we previously would verify with
the system roots, and then fall back to verifying with our baked-in
Let's Encrypt root if the system root cert verification failed.

We now explicitly check for, and log a health error on, self-signed
certificates. Additionally, we now always verify against our baked-in
Let's Encrypt root certificate and log an error if that isn't
successful. We don't consider this a health failure, since if we ever
change our server certificate issuer in the future older non-updated
versions of Tailscale will no longer be healthy despite being able to
connect.

Updates #3198

Change-Id: I00be5ceb8afee544ee795e3c7a2815476abc4abf
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
2023-02-01 23:17:41 -05:00
Andrew Dunham
7393ce5e4f wgengine/magicsock: add envknob to print information about port selection
To aid in debugging where a customer has static port-forwards set up and
there are issues establishing a connection through that port.

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Ic5558bcdb40c9119b83f79dcacf2233b07777f2a
2023-02-01 22:44:22 -05:00
Brad Fitzpatrick
cf8dd7aa09 all: use Go 1.20's bytes.Clone
Updates #7123
Updates #6257 (more to do in other repos)

Change-Id: I073e2a6d81a5d7fbecc29caddb7e057ff65239d0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-02-01 17:39:18 -08:00
Brad Fitzpatrick
f7b3156f16 .github/workflows: delete CIFuzz job
It doesn't yet support Go 1.20. We can bring it back later.

Updates #7123

Change-Id: I6c4a4090e910d06f34c3f4d612e737989fe85812
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-02-01 17:39:04 -08:00
Brad Fitzpatrick
b1248442c3 all: update to Go 1.20, use strings.CutPrefix/Suffix instead of our fork
Updates #7123
Updates #5309

Change-Id: I90bcd87a2fb85a91834a0dd4be6e03db08438672
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-02-01 15:23:54 -08:00
Brad Fitzpatrick
623176ebc9 go.toolchain.branch: update to Go 1.20
Updates #7123

Change-Id: I64f6d8de5bb511a23318118b4ea1146247f1ad7c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-02-01 15:14:05 -08:00
Will Norris
10085063fb util/vizerror: add As function to get wrapped Error
Signed-off-by: Will Norris <will@tailscale.com>
2023-02-01 14:39:13 -08:00
Will Norris
51e1ab5560 fixup! util/vizerror: add new package for visible errors
Signed-off-by: Will Norris <will@tailscale.com>
2023-02-01 12:04:04 -08:00
Will Norris
648aa00a28 fixup! util/vizerror: add new package for visible errors
Signed-off-by: Will Norris <will@tailscale.com>
2023-02-01 12:04:04 -08:00
Will Norris
a6c6979b85 fixup! util/vizerror: add new package for visible errors
Signed-off-by: Will Norris <will@tailscale.com>
2023-02-01 12:04:04 -08:00
Will Norris
598ec463bc fixup! util/vizerror: add new package for visible errors
Signed-off-by: Will Norris <will@tailscale.com>
2023-02-01 12:04:04 -08:00
Will Norris
8e6a1ab175 util/vizerror: add new package for visible errors
Signed-off-by: Will Norris <will@tailscale.com>
2023-02-01 12:04:04 -08:00
Brad Fitzpatrick
27d146d4f8 .github/ISSUE_TEMPLATE: add link to wiki/OtherSoftwareInterop
Add question about https://github.com/tailscale/tailscale/wiki/OtherSoftwareInterop
in the issue template.

Change-Id: I6ca374654e9f67be9cb447bb5d5f66a9087fd945
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-02-01 11:44:13 -08:00