Commit Graph

3105 Commits

Author SHA1 Message Date
David Anderson
89af51b84d wgengine: plumb locally advertised subnet routes.
With this change, advertising subnet routes configures the
firewall correctly.

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-07 17:48:49 +00:00
David Anderson
89198b1691 wgengine/router: rewrite netfilter and routing logic.
New logic installs precise filters for subnet routes,
plays nice with other users of netfilter, and lays the
groundwork for fixing routing loops via policy routing.

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-06 22:13:38 +00:00
David Anderson
7618d7e677 wgengine/router: simplify some cmd invocations.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-06 22:13:38 +00:00
Zijie Lu
e3559d1c45 cmd/netcheck: better DERP latency checking output
Fixes #206

Signed-off-by: Zijie Lu <zijie@tailscale.com>
2020-05-05 15:11:20 -04:00
Dmytro Shynkevych
46f4b18fe8 control/controlclient: revert extreneous synchronization.
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
2020-05-05 09:39:45 -07:00
Dmytro Shynkevych
3b94eabee3 control/controlclient: synchronize hostinfo test.
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
2020-05-05 07:42:48 -07:00
Brad Fitzpatrick
44b07aa708 netcheck: STUN less aggressively to known distant servers
If Australia's far away and not going to be used, it's still going to
be far away a minute later. No need to send backup
just-in-case-UDP-gets-lost STUN packets to the known far away
destinations. Those are the ones most likely to trigger retries due to
delay anyway (in random 50-250ms, currently). But we'll keep sending 1
packet to them, just in case our airplane landed.

Likewise, be less aggressive with IPv6. The main point is just to see
whether IPv6 works. No need to send up to 10 packets every round. Max
two is enough (except for the first round). This does mean our STUN
traffic graphs for IPv4-vs-IPv6 will change shape. Oh well. It was a
weird eyeball metric for IPv6 connectivity anyway and we have better
metrics.

We can tweak this policy over time. It's factored out and has tests
now.
2020-05-04 23:37:01 -07:00
Brad Fitzpatrick
828aa6dcb0 stunner: add Stunner.MaxTries option 2020-05-04 23:37:01 -07:00
Brad Fitzpatrick
495796fff1 derp/derpmap: add World.ForeachServer, check STUN server validity earlier 2020-05-04 23:37:01 -07:00
Avery Pennarun
108237798d controlclient and ipn tests: supply --advertise-tags and --advertise-routes.
This helps validate the server's behaviour when these are present.
2020-05-05 01:42:20 -04:00
Dmytro Shynkevych
68a173bc24 cmd/mkpkg: support adding empty directories.
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
2020-05-04 17:57:13 -04:00
Brad Fitzpatrick
3b546dc29a portlist: make two error paths have unique messages
For debugging #339
2020-05-04 07:45:15 -07:00
Brad Fitzpatrick
fefd7e10dc types/structs: add structs.Incomparable annotation, use it where applicable
Shotizam before and output queries:

sqlite> select sum(size) from bin where func like 'type..%';
129067
=>
120216
2020-05-03 14:05:32 -07:00
Elias Naur
7b901fdbbc logpolicy: report the correct error
Signed-off-by: Elias Naur <mail@eliasnaur.com>
2020-05-01 07:05:24 -07:00
Elias Naur
0068e57407 go.mod,go.sum: bump golang.org/x/sys for the Android dup2 fix
No tidy, because it doesn't work for me:

$ go mod tidy
go: finding module for package tailscale.io/control
go: finding module for package tailscale.io/control/cfgdb
tailscale.com/control/controlclient tested by
	tailscale.com/control/controlclient.test imports
	tailscale.io/control: cannot find module providing package tailscale.io/control: unrecognized import path "tailscale.io/control": parse https://tailscale.io/control?go-get=1: no go-import meta tags (meta tag tailscale.com did not match import path tailscale.io/control)
tailscale.com/control/controlclient tested by
	tailscale.com/control/controlclient.test imports
	tailscale.io/control/cfgdb: cannot find module providing package tailscale.io/control/cfgdb: unrecognized import path "tailscale.io/control/cfgdb": parse https://tailscale.io/control/cfgdb?go-get=1: no go-import meta tags (meta tag tailscale.com did not match import path tailscale.io/control/cfgdb)

Signed-off-by: Elias Naur <mail@eliasnaur.com>
2020-05-01 18:41:19 +10:00
Avery Pennarun
9d1f48032a cmd/tailscale: add --advertise-tags option.
These will be used for dynamically changing the identity of a node, so
its ACL rights can be different from your own.

Note: Not all implemented yet on the server side, but we need this so
we can request the tagged rights in the first place.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-01 01:32:24 -04:00
David Crawshaw
5650f1ecf9 controlclient, ipn: adjust tests for tailscale.com keepalive change 2020-05-01 13:44:47 +10:00
David Crawshaw
c10f90357e ipn/e2e_test: fix flaky logout state drain 2020-05-01 13:44:47 +10:00
David Anderson
657f331e8b net/dnscache: remove unnecessary lint warning. 2020-04-30 20:31:44 -07:00
David Anderson
9396024bd7 portlist: move code around to avoid unused function warnings. 2020-04-30 20:31:44 -07:00
David Anderson
755fd9253c wgengine/router: fix up docstring.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-04-30 13:37:40 -07:00
David Anderson
1ac570def7 wgengine/router: split out from wgengine.
The router implementations are logically separate, with their own API.

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-04-30 13:31:24 -07:00
Avery Pennarun
ee3395e63a wgengine/filter: fix linter warning.
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-04-30 06:16:53 -04:00
Avery Pennarun
5e5e5db75f Appease the "missing copyright header" check.
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-04-30 06:15:26 -04:00
Avery Pennarun
65fbb9c303 wgengine/filter: support subnet mask rules, not just /32 IPs.
This depends on improved support from the control server, to send the
new subnet width (Bits) fields. If these are missing, we fall back to
assuming their value is /32.

Conversely, if the server sends Bits fields to an older client, it will
interpret them as /32 addresses. Since the only rules we allow are
"accept" rules, this will be narrower or equal to the intended rule, so
older clients will simply reject hosts on the wider subnet (fail
closed).

With this change, the internal filter.Matches format has diverged
from the wire format used by controlclient, so move the wire format
into tailcfg and convert it to filter.Matches in controlclient.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-04-30 04:56:43 -04:00
Avery Pennarun
d6c34368e8 ipn/local: differentiate Shields Up from Uninitialized in logs.
We were printing "Shields Up" when the netmap wasn't initialized yet,
which while technically effectively true, turned out to be confusing
when trying to debug things.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-04-30 04:56:36 -04:00
Avery Pennarun
64db026c8b backoff: add a LogLongerThan configuration.
Some programs use frequent short-duration backoffs even under non-error
conditions. They can set this to avoid logging short backoffs when
things are operating normally, but still get messages when longer
backoffs kick in.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-04-29 05:41:39 -04:00
Avery Pennarun
ced9b4008a ipn: clear the hostinfo.Services list when prefs.ShieldsUp==true.
When shields are up, no services are available to connect to, so hide
them all. This will also help them disappear from the UI menu on
other nodes.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-04-29 05:25:45 -04:00
Avery Pennarun
d7429b9a8d Add prefs.ShieldsUp and --shields-up option.
This sets a default packet filter that blocks all incoming requests,
giving end users more control over who can get into their machine, even
if the admin hasn't set any central ACLs.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-04-29 05:25:45 -04:00
Avery Pennarun
85e675940d wgengine/filter: allow ICMP response packets.
Longer term, we should probably update the packet filter to be fully
stateful, for both TCP and ICMP. That is, only ICMP packets related to
a session *we* initiated should be allowed back in. But this is
reasonably secure for now, since wireguard is already trimming most
traffic. The current code would not protect against eg. Ping-of-Death style
attacks from VPN nodes.

Fixes tailscale/tailscale#290.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-04-29 05:25:45 -04:00
Avery Pennarun
dbc1f71e5d ipn/message: fix some message encoding problems.
- Reset() was not including a Version field, so was getting rejected;
  the Logout operation no longer happened when the client got disconnected.

- Don't crash if we can't decode 0-byte messages, which I suspect might
  sometimes come through on EOF.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-04-29 05:25:45 -04:00
David Crawshaw
2372530964 logtail/backoff: only log backoffs > 2sec
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2020-04-29 17:41:48 +10:00
David Anderson
0038223632 tstest: rename from testy.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-04-28 20:45:12 -07:00
Brad Fitzpatrick
e1526b796e ipn: don't listen on the unspecified address in test
To avoid the Mac firewall dialog of (test) death.

See 4521a59f30
which I added to help debug this.
2020-04-28 19:20:02 -07:00
David Crawshaw
d2b7cb1e45 ipn, controlclient: add control.New parameter
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2020-04-29 08:06:06 +10:00
Brad Fitzpatrick
f4c7eb8c44 ipn: revert part of 18017f7630
In retrospect I don't trust it and I'm afraid might've caused some Mac flakiness.
I'd like more tests here before I work on this.

Updates #288
2020-04-28 14:04:45 -07:00
Brad Fitzpatrick
18017f7630 ipn, wgengine/magicsock: be more idle when in Stopped state with no peers
(Previously as #288, but with some more.)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-04-28 13:41:29 -07:00
David Anderson
66c7875974 control/controlclient: wait for c1 to receive a netmap.
This strictly sequences things such that c1 is fully registered in
the control server before c2 creates its poll. Failure to do this
can cause an inversion where c2's poll finishes establishing
before c1's poll starts, which results in c2 getting disconnected
rather than c1, and the test times out waiting for c1 to get kicked.

Fixes #98.

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-04-27 23:06:02 -07:00
David Anderson
cbb1e2e853 control/controlclient: document test TestClientsReusingKeys.
The test is straightforward, but it's a little perplexing if you're
not overly familiar with controlclient.

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-04-27 22:48:40 -07:00
fgergo
8296c934ac Update ifconfig_windows.go
OLE calls sometimes unexpectedly fail, but retries can succeed. Change panic() to return errors. This way ConfigureInterface() retries can succeed.
2020-04-27 19:57:57 -07:00
David Anderson
9669b85b41 wgengine/magicsock: wait for endpoint updater goroutine when closing.
Fixes #204.

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-04-27 14:46:10 -07:00
Elias Naur
ad0795efc2 net/dnscache: don't use the Go resolver on Android
The local resolver is not available for apps on Android.

Signed-off-by: Elias Naur <mail@eliasnaur.com>
2020-04-27 12:04:39 -07:00
Brad Fitzpatrick
a464439658 control/controlclient: fix build break caused by overzealous gitting 2020-04-27 08:18:35 -07:00
Brad Fitzpatrick
2244cca5ff net/tlsdial: update package doc to say it's now somewhat useless 2020-04-27 08:17:18 -07:00
Brad Fitzpatrick
58e83d8f66 tempfork/x509: moved to tailscale/go's crypto/x509 instead 2020-04-27 08:14:54 -07:00
Brad Fitzpatrick
172d72a060 Revert "net/tlsdial: add memory-optimized TLS cert verification path for iOS"
This reverts commit 6fcbd4c4d4.

Decided to put it in tailscale/go's crypto/x509 instead.
2020-04-27 08:13:37 -07:00
Brad Fitzpatrick
5d67365cc9 logtail: add PrivateID.IsZero method 2020-04-27 07:33:23 -07:00
Brad Fitzpatrick
9497921f52 logpolicy: also set up TLS dialing (for iOS) for log uploads
This was the last of the three places that do TLS from clients (logs,
control, derp). With this, iOS should be able to use the
memory-efficient x509 root CertPool.
2020-04-26 08:31:14 -07:00
Brad Fitzpatrick
c726c1eec9 logtail: add const DefaultHost with default server name 2020-04-26 08:31:07 -07:00
Brad Fitzpatrick
1a0f6fea58 go.mod, go.sum: bump wireguard-go, tidy 2020-04-26 08:06:06 -07:00