David Anderson
86fe22a1b1
Update netaddr, and adjust wgengine/magicsock due to API change.
...
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-30 17:36:03 -08:00
Josh Bleecher Snyder
56a7652dc9
wgkey: new package
...
This is a replacement for the key-related parts
of the wireguard-go wgcfg package.
This is almost a straight copy/paste from the wgcfg package.
I have slightly changed some of the exported functions and types
to avoid stutter, added and tweaked some comments,
and removed some now-unused code.
To avoid having wireguard-go depend on this new package,
wgcfg will keep its key types.
We translate into and out of those types at the last minute.
These few remaining uses will be eliminated alongside
the rest of the wgcfg package.
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2020-12-30 17:33:02 -08:00
Brad Fitzpatrick
0d94fe5f69
wgengine/router: disable IPv6 on Linux if ip rule -6 fails (#1074)
...
Updates #562
Fixes #973
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-12-29 08:26:17 -08:00
Josh Bleecher Snyder
2fe770ed72
all: replace wgcfg.IP and wgcfg.CIDR with netaddr types
...
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2020-12-28 13:00:42 -08:00
Matt Layher
bfbd6b9241
go.mod: bump github.com/mdlayher/netlink to v1.2.0
...
Signed-off-by: Matt Layher <mdlayher@gmail.com>
2020-12-23 08:08:02 -08:00
Brad Fitzpatrick
80c94168ae
wgengine: finish updating isTrimmablePeer
...
I accidentally merged Dave's change with the XXXX DO NOT SUBMIT comment
in it.
2020-12-22 14:48:24 -08:00
David Anderson
cb96b14bf4
net/packet: remove the custom IP4/IP6 types in favor of netaddr.IP.
...
Upstream netaddr has a change that makes it alloc-free, so it's safe to
use in hot codepaths. This gets rid of one of the many IP types in our
codebase.
Performance is currently worse across the board. This is likely due in
part to netaddr.IP being a larger value type (4b -> 24b for IPv4,
16b -> 24b for IPv6), and in other part due to missing low-hanging fruit
optimizations in netaddr. However, the regression is less bad than
it looks at first glance, because we'd micro-optimized packet.IP* in
the past few weeks. This change drops us back to roughly where we
were at the 1.2 release, but with the benefit of a significant
code and architectural simplification.
name                    old time/op   new time/op  delta
pkg:tailscale.com/net/packet goos:linux goarch:amd64
Decode/tcp4-8           12.2ns ± 5%   29.7ns ± 2%  +142.32%  (p=0.008 n=5+5)
Decode/tcp6-8           12.6ns ± 3%   65.1ns ± 2%  +418.47%  (p=0.008 n=5+5)
Decode/udp4-8           11.8ns ± 3%   30.5ns ± 2%  +157.94%  (p=0.008 n=5+5)
Decode/udp6-8           27.1ns ± 1%   65.7ns ± 2%  +142.36%  (p=0.016 n=4+5)
Decode/icmp4-8          24.6ns ± 2%   30.5ns ± 2%   +23.65%  (p=0.016 n=4+5)
Decode/icmp6-8          22.9ns ±51%   65.5ns ± 2%  +186.19%  (p=0.008 n=5+5)
Decode/igmp-8           18.1ns ±44%   30.2ns ± 1%   +66.89%  (p=0.008 n=5+5)
Decode/unknown-8        20.8ns ± 1%   10.6ns ± 9%   -49.11%  (p=0.016 n=4+5)
pkg:tailscale.com/wgengine/filter goos:linux goarch:amd64
Filter/icmp4-8          30.5ns ± 1%   77.9ns ± 3%  +155.01%  (p=0.008 n=5+5)
Filter/tcp4_syn_in-8    43.7ns ± 3%  123.0ns ± 3%  +181.72%  (p=0.008 n=5+5)
Filter/tcp4_syn_out-8   24.5ns ± 2%   45.7ns ± 6%   +86.22%  (p=0.008 n=5+5)
Filter/udp4_in-8        64.8ns ± 1%  210.0ns ± 2%  +223.87%  (p=0.008 n=5+5)
Filter/udp4_out-8        119ns ± 0%    278ns ± 0%  +133.78%  (p=0.016 n=4+5)
Filter/icmp6-8          40.3ns ± 2%  204.4ns ± 4%  +407.70%  (p=0.008 n=5+5)
Filter/tcp6_syn_in-8    35.3ns ± 3%  199.2ns ± 2%  +464.95%  (p=0.008 n=5+5)
Filter/tcp6_syn_out-8   32.8ns ± 2%   81.0ns ± 2%  +147.10%  (p=0.008 n=5+5)
Filter/udp6_in-8         106ns ± 2%    290ns ± 2%  +174.48%  (p=0.008 n=5+5)
Filter/udp6_out-8        184ns ± 2%    314ns ± 3%   +70.43%  (p=0.016 n=4+5)
pkg:tailscale.com/wgengine/tstun goos:linux goarch:amd64
Write-8                 9.02ns ± 3%   8.92ns ± 1%     ~      (p=0.421 n=5+5)
name                    old alloc/op  new alloc/op  delta
pkg:tailscale.com/net/packet goos:linux goarch:amd64
Decode/tcp4-8                 0.00B         0.00B      ~      (all equal)
Decode/tcp6-8                 0.00B         0.00B      ~      (all equal)
Decode/udp4-8                 0.00B         0.00B      ~      (all equal)
Decode/udp6-8                 0.00B         0.00B      ~      (all equal)
Decode/icmp4-8                0.00B         0.00B      ~      (all equal)
Decode/icmp6-8                0.00B         0.00B      ~      (all equal)
Decode/igmp-8                 0.00B         0.00B      ~      (all equal)
Decode/unknown-8              0.00B         0.00B      ~      (all equal)
pkg:tailscale.com/wgengine/filter goos:linux goarch:amd64
Filter/icmp4-8                0.00B         0.00B      ~      (all equal)
Filter/tcp4_syn_in-8          0.00B         0.00B      ~      (all equal)
Filter/tcp4_syn_out-8         0.00B         0.00B      ~      (all equal)
Filter/udp4_in-8              0.00B         0.00B      ~      (all equal)
Filter/udp4_out-8        16.0B ± 0%    64.0B ± 0%  +300.00%  (p=0.008 n=5+5)
Filter/icmp6-8                0.00B         0.00B      ~      (all equal)
Filter/tcp6_syn_in-8          0.00B         0.00B      ~      (all equal)
Filter/tcp6_syn_out-8         0.00B         0.00B      ~      (all equal)
Filter/udp6_in-8              0.00B         0.00B      ~      (all equal)
Filter/udp6_out-8        48.0B ± 0%    64.0B ± 0%   +33.33%  (p=0.008 n=5+5)
name                    old allocs/op  new allocs/op  delta
pkg:tailscale.com/net/packet goos:linux goarch:amd64
Decode/tcp4-8                  0.00           0.00      ~     (all equal)
Decode/tcp6-8                  0.00           0.00      ~     (all equal)
Decode/udp4-8                  0.00           0.00      ~     (all equal)
Decode/udp6-8                  0.00           0.00      ~     (all equal)
Decode/icmp4-8                 0.00           0.00      ~     (all equal)
Decode/icmp6-8                 0.00           0.00      ~     (all equal)
Decode/igmp-8                  0.00           0.00      ~     (all equal)
Decode/unknown-8               0.00           0.00      ~     (all equal)
pkg:tailscale.com/wgengine/filter goos:linux goarch:amd64
Filter/icmp4-8                 0.00           0.00      ~     (all equal)
Filter/tcp4_syn_in-8           0.00           0.00      ~     (all equal)
Filter/tcp4_syn_out-8          0.00           0.00      ~     (all equal)
Filter/udp4_in-8               0.00           0.00      ~     (all equal)
Filter/udp4_out-8         1.00 ± 0%      1.00 ± 0%      ~     (all equal)
Filter/icmp6-8                 0.00           0.00      ~     (all equal)
Filter/tcp6_syn_in-8           0.00           0.00      ~     (all equal)
Filter/tcp6_syn_out-8          0.00           0.00      ~     (all equal)
Filter/udp6_in-8               0.00           0.00      ~     (all equal)
Filter/udp6_out-8         1.00 ± 0%      1.00 ± 0%      ~     (all equal)
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-22 14:44:36 -08:00
David Crawshaw
2b2a16d9a2
wgengine/router/dns: reduce windows registry key open timeout
...
The windows key timeout is longer than the wgengine watchdog timeout,
which means we never reach the timeout; instead, the process exits.
Reduce the timeout so if we do hit it, at least the process continues.
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2020-12-21 17:24:58 -05:00
David Crawshaw
b4f70d8232
wgengine/router/dns: use the correct interface GUID
...
On Win10, there's a hardcoded GUID and this works.
On Win7, this GUID changes and we need to ask the tun for its
LUID and convert that from the GUID.
This commit uses the computed GUID that is placed in InterfaceName.
Diagnosed by Jason Donnenfeld. (Thanks!)
2020-12-21 16:43:24 -05:00
Brad Fitzpatrick
15c064f76f
wgengine/router/dns: remove unsafe endianness detection on Linux
2020-12-21 13:11:09 -08:00
Brad Fitzpatrick
f9659323df
wgengine/router/dns: fix typo in comment
2020-12-21 13:07:30 -08:00
Brad Fitzpatrick
053a1d1340
all: annotate log verbosity levels on most egregiously spammy log prints
...
Fixes #924
Fixes #282
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-12-21 12:59:33 -08:00
David Anderson
294ceb513c
ipn, wgengine/magicsock: fix tailscale status display.
...
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-19 13:50:44 -08:00
David Anderson
891110e64c
wgengine: expand lazy config to work with dual-stacked peers.
...
Lazy wg configuration now triggers if a peer has only endpoint
addresses (/32 for IPv4, /128 for IPv6). Subnet routers still
trigger eager configuration to avoid the need for a CIDR match
in the hot packet path.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-19 13:50:44 -08:00
David Anderson
c8c493f3d9
wgengine/magicsock: make ReceiveIPv4 a little easier to follow.
...
The previous code used a lot of whole-function variables and shared
behavior that only triggered based on prior action from a single codepath.
Instead of that, move the small amounts of "shared" code into each switch
case.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-18 01:15:53 -08:00
David Anderson
0ad109f63d
wgengine/magicsock: move legacy endpoint creation into legacy.go.
...
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-18 01:15:53 -08:00
David Anderson
f873da5b16
wgengine/magicsock: move more legacy endpoint handling.
...
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-18 01:15:53 -08:00
David Anderson
58fcd103c4
wgengine/magicsock: move legacy sending code to legacy.go.
...
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-18 01:15:53 -08:00
David Anderson
65ae66260f
wgengine/magicsock: unexport AddrSet.
...
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-18 01:15:53 -08:00
David Anderson
c9b9afd761
wgengine/magicsock: move most legacy nat traversal bits to another file.
...
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-18 01:15:53 -08:00
Brad Fitzpatrick
741c513e51
wgengine/tsdns: fix error response marshaling, improve bad query logs
...
Updates #995
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-12-17 12:46:08 -08:00
David Anderson
554a20becb
wgengine/magicsock: only log about lazy config when actually doing lazy config.
...
Before, tailscaled would log every 10 seconds when the periodic noteRecvActivity
call happens. This is noisy, but worse it's misleading, because the message
suggests that the disco code is starting a lazy config run for a missing peer,
whereas in fact it's just an internal piece of keepalive logic.
With this change, we still log when going from 0->1 tunnel for the peer, but
not every 10s thereafter.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-17 12:11:36 -08:00
Brad Fitzpatrick
fa412c8760
wgengine/filter, wgengine/magicsock: use new IP.BitLen to simplify some code
2020-12-15 12:12:56 -08:00
Brad Fitzpatrick
afcf134812
wgengine/filter, tailcfg: support CIDRs+ranges in PacketFilter (mapver 7)
...
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-12-15 11:00:37 -08:00
David Anderson
9cee0bfa8c
wgengine/magicsock: sprinkle more docstrings.
...
Magicsock is too damn big, but this might help me page it back
in faster next time.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-14 23:59:17 -08:00
Josh Bleecher Snyder
6db9c4a173
wgengine/router/dns: use constant from golang.org/x/sys/windows
...
Made available in https://golang.org/cl/277153
2020-12-10 17:23:01 -08:00
Aleksandar Pesic
0dc295a640
Isolate WireGuard code into a separate file with appropriate copyright info in header.
...
Signed-off-by: Aleksandar Pesic <peske.nis@gmail.com>
2020-12-11 01:08:41 +01:00
Aleksandar Pesic
d854fe95d2
Trivial change in function description.
...
Signed-off-by: Aleksandar Pesic <peske.nis@gmail.com>
2020-12-11 00:55:37 +01:00
Aleksandar Pesic
338fd44657
Replace registry-access code, update wireguard-go and x/sys/windows.
...
Signed-off-by: Aleksandar Pesic <peske.nis@gmail.com>
2020-12-11 00:37:24 +01:00
Aleksandar Pesic
274d32d0aa
Prepare for the new wireguard-go API.
...
Signed-off-by: Aleksandar Pesic <peske.nis@gmail.com>
2020-12-11 00:08:28 +01:00
Brad Fitzpatrick
7b92f8e718
wgengine/magicsock: add start of magicsock benchmarks (Conn.ReceiveIPv4 for now)
...
And only single-threaded for now. Will get fancier later.
Updates #414
2020-12-02 20:26:54 -08:00
Brad Fitzpatrick
713cbe84c1
wgengine/magicsock: use net.JoinHostPort when host might have colons (udp6)
...
Only affected tests. (where it just generated log spam)
2020-12-02 20:19:28 -08:00
David Anderson
be6fe393c5
wgengine: don't try pinging IPv6 addresses in legacy pinger.
...
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-01 20:09:32 -08:00
Brad Fitzpatrick
eccc167733
wgengine/monitor: fix memory corruption in Windows implementation
...
I used the Windows APIs wrong previously, but it had worked just
enough.
Updates #921
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-11-18 14:51:27 -08:00
Brad Fitzpatrick
d9e2edb5ae
wgengine: reconfigure wireguard peer in two steps when its disco key changes
...
First remove the device (to clear its wireguard session key), and then
add it back.
Fixes #929
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-11-16 15:26:42 -08:00
David Anderson
3c508a58cc
wgengine/filter: don't filter GCP DNS.
...
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-16 14:08:27 -08:00
Brad Fitzpatrick
fc8bc76e58
wgengine/router: lock goroutine to OS thread before using OLE [windows]
...
See https://github.com/tailscale/tailscale/issues/921#issuecomment-727526807
Not yet sure whether this is our problem, but it can't hurt at least,
and seems like what we're supposed to do.
Updates #921
2020-11-16 09:55:44 -08:00
David Anderson
2eb474dd8d
wgengine/filter: add test cases for len(dsts) > 1.
...
While the code was correct, I broke it during a refactoring and
tests didn't detect it. This fixes that glitch.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-12 21:41:52 -08:00
David Anderson
ce45f4f3ff
wgengine/filter: inline ip6InList into match.
...
matchIPsOnly gets 5% slower when inlining, despite significantly reduced
memory ops and slightly tighter code.
Part of #19.
Filter/tcp6_syn_in-8   45.5ns ± 1%   42.4ns ± 2%   -6.86%  (p=0.000 n=10+10)
Filter/udp6_in-8        107ns ± 2%     94ns ± 2%  -11.50%  (p=0.000 n=9+10)
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-12 21:41:47 -08:00
David Anderson
3fdae12f0c
wgengine/filter: eliminate unnecessary memory loads.
...
Doesn't materially affect benchmarks, but shrinks match6 by 30 instructions
and halves memory loads.
Part of #19.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-12 21:41:40 -08:00
Josh Bleecher Snyder
47380ebcfb
wgengine/filter: twiddle bits to optimize
...
Part of #19.
name             old time/op   new time/op  delta
Filter/icmp4-8   32.2ns ± 3%   32.5ns ± 2%     ~     (p=0.524 n=10+8)
Filter/icmp6-8   49.7ns ± 6%   43.1ns ± 4%  -13.12%  (p=0.000 n=9+10)
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-12 21:41:33 -08:00
David Anderson
5062131aad
wgengine/filter: treat * as both a v4 and v6 wildcard.
...
Part of #19.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-12 21:41:29 -08:00
David Anderson
2d604b3791
net/packet: represent IP6 as two uint64s.
...
For the operations we perform on these types (mostly net6.Contains),
this encoding is much faster.
Part of #19.
name                    old time/op   new time/op  delta
Filter/icmp4-8          27.5ns ± 1%   28.0ns ± 2%   +1.89%  (p=0.016 n=5+5)
Filter/tcp4_syn_in-8    38.8ns ± 2%   38.3ns ± 1%   -1.24%  (p=0.024 n=5+5)
Filter/tcp4_syn_out-8   27.6ns ±12%   24.6ns ± 1%     ~     (p=0.063 n=5+5)
Filter/udp4_in-8        71.5ns ± 5%   65.9ns ± 1%   -7.94%  (p=0.008 n=5+5)
Filter/udp4_out-8        132ns ±13%    119ns ± 1%  -10.29%  (p=0.008 n=5+5)
Filter/icmp6-8           169ns ±10%     54ns ± 1%  -68.35%  (p=0.008 n=5+5)
Filter/tcp6_syn_in-8     149ns ± 6%     43ns ± 1%  -71.11%  (p=0.008 n=5+5)
Filter/tcp6_syn_out-8   37.7ns ± 4%   24.3ns ± 3%  -35.51%  (p=0.008 n=5+5)
Filter/udp6_in-8         179ns ± 5%    103ns ± 1%  -42.75%  (p=0.008 n=5+5)
Filter/udp6_out-8        156ns ± 3%    191ns ± 1%  +22.54%  (p=0.008 n=5+5)
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-12 21:41:21 -08:00
David Anderson
04ff3c91ee
wgengine/filter: add full IPv6 support.
...
Part of #19.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-12 21:41:15 -08:00
David Anderson
a664aac877
wgengine/router: disable IPv6 if v6 policy routing is unavailable.
...
Fixes #895.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-11 15:31:15 -08:00
Brad Fitzpatrick
19b0cfe89e
all: prepare for GOOS=ios in Go 1.16
...
Work with either way for now on iOS (darwin/arm64 vs ios/arm64).
In February when Go 1.16 comes out we'll have a universal binary for
darwin/arm64 (macOS) and will drop support for Go 1.15 and its
darwin/amd64 meaning iOS. (it'll mean macOS).
Context:
* https://tip.golang.org/doc/go1.16#darwin
* https://github.com/golang/go/issues/38485
* https://github.com/golang/go/issues/42100
2020-11-11 09:17:04 -08:00
David Anderson
c2cc3acbaf
net/packet: remove NewIP, offer only a netaddr constructor.
...
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-10 22:03:47 -08:00
David Anderson
55b1221db2
net/packet: support full IPv6 decoding.
...
The packet filter still rejects all IPv6, but decodes enough from v6
packets to do something smarter in a followup.
name               time/op
Decode/tcp4-8      28.8ns ± 2%
Decode/tcp6-8      20.6ns ± 1%
Decode/udp4-8      28.2ns ± 1%
Decode/udp6-8      20.0ns ± 6%
Decode/icmp4-8     21.7ns ± 2%
Decode/icmp6-8     14.1ns ± 2%
Decode/unknown-8   9.43ns ± 2%
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-10 20:23:54 -08:00
David Anderson
89894c6930
net/packet: add IPv6 source and destination IPs to Parsed.
...
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-10 20:23:54 -08:00
Brad Fitzpatrick
450cfedeba
wgengine/magicsock: quiet an IPv6 warning in tests
...
In tests, we force binding to localhost to avoid OS firewall warning
dialogs.
But for IPv6, we were trying (and failing) to bind to 127.0.0.1.
You'd think we'd just say "localhost", but that's apparently ill
defined. See
https://tools.ietf.org/html/draft-ietf-dnsop-let-localhost-be-localhost
and golang/go#22826. (It's bitten me in the past, but I can't
remember specific bugs.)
So use "::1" explicitly for "udp6", which makes the test quieter.
2020-11-10 09:14:29 -08:00