Commit Graph

476 Commits

Author SHA1 Message Date
Brad Fitzpatrick
3910c1edaf net/socks5/tssocks: add new package, move SOCKS5 glue out of tailscaled
Prep for #1970, #2264, #2268

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-06-28 11:34:50 -07:00
Brad Fitzpatrick
82e15d3450 cmd/tailscaled: log SOCKS5 port when port 0 requested
Part of #2158

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-06-28 08:32:50 -07:00
Brad Fitzpatrick
10d7c2583c net/dnsfallback: don't depend on derpmap.Prod
Move derpmap.Prod to a static JSON file (go:generate'd) instead,
to make its role explicit. And add a TODO about making dnsfallback
use an update-over-time DERP map file instead of a baked-in one.

Updates #1264

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-06-27 22:07:40 -07:00
julianknodt
148602a89a derp,cmd/derper: allow server to verify clients
This adds a flag to the DERP server which specifies to verify clients through a local
tailscaled. It is opt-in, so should not affect existing clients, and is mainly intended for
users who want to run their own DERP servers. It assumes there is a local tailscaled running and
will attempt to hit it for peer status information.

Updates #1264

Signed-off-by: julianknodt <julianknodt@gmail.com>
2021-06-24 14:11:16 -07:00
julianknodt
0f18801716 cmd/cloner: support maps with clone ptrs
In order to clone DERPMaps, it was necessary to extend the cloner so that it supports
nested pointers inside of maps which are also cloneable. This also adds cloning for DERPRegions
and DERPNodes because they are on DERPMap's maps.

Signed-off-by: julianknodt <julianknodt@gmail.com>
2021-06-22 22:11:38 -07:00
Brad Fitzpatrick
38be964c2b go.mod: update netstack
Fixes a atomic alignment crash on 32-bit machines.

Fixes #2129
Fixes tailscale/tailscale-synology#66 (same)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-06-22 10:34:14 -07:00
Denton Gentry
ad288baaea net/interfaces: use IPv4 link local if nothing better
The only connectivity an AWS Lambda container has is an IPv4 link-local
169.254.x.x address using NAT:
12: vtarget_1@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
                    qdisc noqueue state UP group default qlen 1000
     link/ether 7e:1c:3f:00:00:00 brd ff:ff:ff:ff:ff:ff link-netnsid 1
     inet 169.254.79.1/32 scope global vtarget_1
     valid_lft forever preferred_lft forever

If there are no other IPv4/v6 addresses available, and we are running
in AWS Lambda, allow IPv4 169.254.x.x addresses to be used.

----

Similarly, a Google Cloud Run container's only connectivity is
a Unique Local Address fddf:3978:feb1:d745::c001/128.
If there are no other addresses available then allow IPv6
Unique Local Addresses to be used.
We actually did this in an earlier release, but now refactor it to
work the same way as the IPv4 link-local support is being done.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-06-18 21:52:47 -07:00
David Crawshaw
297b3d6fa4 staticcheck.conf: turn off noisy lint errors
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2021-06-18 15:48:20 -07:00
julianknodt
3728634af9 derp: add debug traffic handler
This adds a handler on the DERP server for logging bytes send and received by clients of the
server, by holding open a connection and recording if there is a difference between the number
of bytes sent and received. It sends a JSON marshalled object if there is an increase in the
number of bytes.

Signed-off-by: julianknodt <julianknodt@gmail.com>
2021-06-18 15:47:55 -07:00
Brad Fitzpatrick
03311bb0d6 hostinfo: add hostinfo package, move stuff out of controlclient
And make it cheaper, so other parts of the code can check the
environment.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-06-17 14:27:01 -07:00
David Anderson
0022c3d2e2 tsweb: replace NewMux with a more flexible DebugHandler.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-06-16 19:00:47 -07:00
David Anderson
48c25fa36f tsweb: fold StdHandlerOpts and StdHandler200s with StdHandler.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-06-15 21:55:33 -07:00
David Anderson
ac07ff43bf cmd/tailscaled: start after NetworkManager and systemd-resolved.
The dependency is a "soft" ordering dependency only, meaning that
tailscaled will start after those services if those services were
going to be run anyway, but doesn't force either of them to run.
That's why it's safe to specify this dependency unconditionally,
even for systems that don't run those services.

Updates #2127.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-06-15 14:25:44 -07:00
Brad Fitzpatrick
80a4052593 cmd/tailscale, wgengine, tailcfg: don't assume LastSeen is present [mapver 20]
Updates #2107

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-06-11 08:41:16 -07:00
Christine Dodrill
8b2b899989
tstest/integration: test Alpine Linux (#2098)
Alpine Linux[1] is a minimal Linux distribution built around musl libc.
It boots very quickly, requires very little ram and is as close as you
can get to an ideal citizen for testing Tailscale on musl. Alpine has a
Tailscale package already[2], but this patch also makes it easier for us
to provide an Alpine Linux package off of pkgs in the future.

Alpine only offers Tailscale on the rolling-release edge branch.

[1]: https://alpinelinux.org/
[2]: https://pkgs.alpinelinux.org/packages?name=tailscale&branch=edge

Updates #1988

Signed-off-by: Christine Dodrill <xe@tailscale.com>
2021-06-11 09:20:13 -04:00
Maisem Ali
f944614c5c cmd/tailscale/web: add support for QNAP
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-06-10 19:06:05 +05:00
Matt Layher
6956645ec8 go.mod: bump github.com/mdlayher/netlink to v1.4.1
Signed-off-by: Matt Layher <mdlayher@gmail.com>
2021-06-08 12:01:38 -07:00
David Anderson
1c6946f971 cmd/mkpkg: allow zero files in a package.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-06-07 16:22:23 -07:00
Maisem Ali
95e296fd96 cmd/tailscale/web: restrict web access to synology admins.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-06-03 08:41:47 +05:00
Adrian Dewhurst
6d6cf88d82 control/controlclient: use our fork of certstore
The cyolosecurity fork of certstore did not update its module name and
thus can only be used with a replace directive. This interferes with
installing using `go install` so I created a tailscale fork with an
updated module name.

Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
2021-05-28 12:12:45 -04:00
David Crawshaw
82b217f82e cmd/tailscale: have web POST wait for authURL
Fixes #1939

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2021-05-27 10:30:03 -07:00
David Crawshaw
50c976d3f1 cmd/tailscale: show web 'login' error message
For #1939

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2021-05-27 10:30:03 -07:00
Brad Fitzpatrick
d2c4e75099 cmd/tailscale/cli: update URL in error message for Synology unsupported feature
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-05-27 08:43:53 -07:00
Brad Fitzpatrick
cdd231cb7d cmd/tailscale/cli: don't warn about iptables=off on Synology
We don't use iptables on Synology, so don't scare the user.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-05-27 08:11:43 -07:00
Josh Bleecher Snyder
1ece91cede go.mod: upgrade wireguard-windows, de-fork wireguard-go
Pull in the latest version of wireguard-windows.

Switch to upstream wireguard-go.
This requires reverting all of our import paths.

Unfortunately, this has to happen at the same time.
The wireguard-go change is very low risk,
as that commit matches our fork almost exactly.
(The only changes are import paths, CI files, and a go.mod entry.)
So if there are issues as a result of this commit,
the first place to look is wireguard-windows changes.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-05-25 13:18:21 -07:00
Brad Fitzpatrick
a86a0361a7 go.mod: upgrade all deps
At the start of a dev cycle we'll upgrade all dependencies.

Done with:

$ for Dep in $(cat go.mod | perl -ne '/(\S+) v/ and print "$1\n"'); do go get $Dep@upgrade; done

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-05-24 13:04:59 -07:00
Josh Bleecher Snyder
5666663370 net/packet: use netaddr AppendTo methods
This lets us remote the types/strbuilder package,
which had only a single user.
And it's faster.

name              old time/op    new time/op    delta
String/tcp4-8        175ns ± 0%      58ns ± 1%  -66.95%  (p=0.000 n=10+9)
String/tcp6-8        226ns ± 1%     136ns ± 1%  -39.85%  (p=0.000 n=10+10)
String/udp4-8        175ns ± 1%      58ns ± 1%  -67.01%  (p=0.000 n=10+9)
String/udp6-8        230ns ± 1%     140ns ± 0%  -39.32%  (p=0.000 n=10+9)
String/icmp4-8       164ns ± 0%      50ns ± 1%  -69.89%  (p=0.000 n=10+10)
String/icmp6-8       217ns ± 1%     129ns ± 0%  -40.46%  (p=0.000 n=10+10)
String/igmp-8        196ns ± 0%      56ns ± 1%  -71.32%  (p=0.000 n=10+10)
String/unknown-8    2.06ns ± 1%    2.06ns ± 2%     ~     (p=0.985 n=10+10)

name              old alloc/op   new alloc/op   delta
String/tcp4-8        32.0B ± 0%     32.0B ± 0%     ~     (all equal)
String/tcp6-8         168B ± 0%       96B ± 0%  -42.86%  (p=0.000 n=10+10)
String/udp4-8        32.0B ± 0%     32.0B ± 0%     ~     (all equal)
String/udp6-8         168B ± 0%       96B ± 0%  -42.86%  (p=0.000 n=10+10)
String/icmp4-8       32.0B ± 0%     32.0B ± 0%     ~     (all equal)
String/icmp6-8        104B ± 0%       64B ± 0%  -38.46%  (p=0.000 n=10+10)
String/igmp-8        48.0B ± 0%     48.0B ± 0%     ~     (all equal)
String/unknown-8     0.00B          0.00B          ~     (all equal)

name              old allocs/op  new allocs/op  delta
String/tcp4-8         1.00 ± 0%      1.00 ± 0%     ~     (all equal)
String/tcp6-8         3.00 ± 0%      1.00 ± 0%  -66.67%  (p=0.000 n=10+10)
String/udp4-8         1.00 ± 0%      1.00 ± 0%     ~     (all equal)
String/udp6-8         3.00 ± 0%      1.00 ± 0%  -66.67%  (p=0.000 n=10+10)
String/icmp4-8        1.00 ± 0%      1.00 ± 0%     ~     (all equal)
String/icmp6-8        3.00 ± 0%      1.00 ± 0%  -66.67%  (p=0.000 n=10+10)
String/igmp-8         1.00 ± 0%      1.00 ± 0%     ~     (all equal)
String/unknown-8      0.00           0.00          ~     (all equal)

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-05-20 20:42:18 -07:00
Maisem Ali
234cc87f48 cmd/tailscaled: use the wf package instead of wireguard-windows/firewall
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-05-17 13:07:25 -07:00
Josh Bleecher Snyder
25df067dd0 all: adapt to opaque netaddr types
This commit is a mishmash of automated edits using gofmt:

gofmt -r 'netaddr.IPPort{IP: a, Port: b} -> netaddr.IPPortFrom(a, b)' -w .
gofmt -r 'netaddr.IPPrefix{IP: a, Port: b} -> netaddr.IPPrefixFrom(a, b)' -w .

gofmt -r 'a.IP.Is4 -> a.IP().Is4' -w .
gofmt -r 'a.IP.As16 -> a.IP().As16' -w .
gofmt -r 'a.IP.Is6 -> a.IP().Is6' -w .
gofmt -r 'a.IP.As4 -> a.IP().As4' -w .
gofmt -r 'a.IP.String -> a.IP().String' -w .

And regexps:

\w*(.*)\.Port = (.*)  ->  $1 = $1.WithPort($2)
\w*(.*)\.IP = (.*)  ->  $1 = $1.WithIP($2)

And lots of manual fixups.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-05-16 14:52:00 -07:00
Josh Bleecher Snyder
6f62bbae79 cmd/tailscale: make ping --until-direct require direct connection to exit 0
If --until-direct is set, the goal is to make a direct connection.
If we failed at that, say so, and exit with an error.

RELNOTE=tailscale ping --until-direct (the default) now exits with
a non-zero exit code if no direct connection was established.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-05-13 15:07:19 -07:00
Brad Fitzpatrick
36a26e6a71 internal/deephash: rename from deepprint
Yes, it printed, but that was an implementation detail for hashing.

And coming optimization will make it print even less.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-05-11 12:11:16 -07:00
Maisem Ali
7027fa06c3 wf: implement windows firewall using inet.af/wf.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-05-10 09:57:07 -07:00
Brad Fitzpatrick
5190435d6e cmd/tailscale: rewrite the "up" checker, fix bugs
The old way was way too fragile and had felt like it had more special
cases than normal cases. (see #1874, #1860, #1834, etc) It became very
obvious the old algorithm didn't work when we made the output be
pretty and try to show the user the command they need to run in
5ecc7c7200 for #1746)

The new algorithm is to map the prefs (current and new) back to flags
and then compare flags. This nicely handles the OS-specific flags and
the n:1 and 1:n flag:pref cases.

No change in the existing already-massive test suite, except some ordering
differences (the missing items are now sorted), but some new tests are
added for behavior that was broken before. In particular, it now:

* preserves non-pref boolean flags set to false, and preserves exit
  node IPs (mapping them back from the ExitNodeID pref, as well as
  ExitNodeIP),

* doesn't ignore --advertise-exit-node when doing an EditPrefs call
  (#1880)

* doesn't lose the --operator on the non-EditPrefs paths (e.g. with
  --force-reauth, or when the backend was not in state Running).

Fixes #1880

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-05-07 09:31:55 -07:00
Brad Fitzpatrick
e78e26b6fb cmd/tailscale: fix another up warning with exit nodes
The --advertise-routes and --advertise-exit-node flags both mutating
one pref is the gift that keeps on giving.

I need to rewrite the this up warning code to first map prefs back to
flag values and then just compare flags instead of comparing prefs,
but this is the minimal fix for now.

This also includes work on the tests, to make them easier to write
(and more accurate), by letting you write the flag args directly and
have that parse into the upArgs/MaskedPrefs directly, the same as the
code, rather than them being possibly out of sync being written by
hand.

Fixes https://twitter.com/EXPbits/status/1390418145047887877

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-05-06 15:50:58 -07:00
Brad Fitzpatrick
2585edfaeb cmd/tailscale: fix tailscale up --advertise-exit-node validation
Fixes #1859

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-05-05 20:50:47 -07:00
Brad Fitzpatrick
52e1031428 cmd/tailscale: gofmt
From 6d10655dc3

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-05-04 13:04:33 -07:00
Avery Pennarun
6d10655dc3 ipnlocal: accept a new opts.UpdatePrefs field.
This is needed because the original opts.Prefs field was at some point
subverted for use in frontend->backend state migration for backward
compatibility on some platforms. We still need that feature, but we
also need the feature of providing the full set of prefs from
`tailscale up`, *not* including overwriting the prefs.Persist keys, so
we can't use the original field from `tailscale up`.

`tailscale up` had attempted to compensate for that by doing SetPrefs()
before Start(), but that violates the ipn.Backend contract, which says
you should call Start() before anything else (that's why it's called
Start()). As a result, doing SetPrefs({ControlURL=...,
WantRunning=true}) would cause a connection to the *previous* control
server (because WantRunning=true), and then connect to the *new*
control server only after running Start().

This problem may have been avoided before, but only by pure luck.

It turned out to be relatively harmless since the connection to the old
control server was immediately closed and replaced anyway, but it
created a race condition that could have caused spurious notifications
or rejected keys if the server responded quickly.

As already covered by existing TODOs, a better fix would be to have
Start() get out of the business of state migration altogether. But
we're approaching a release so I want to make the minimum possible fix.

Fixes #1840.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2021-05-04 15:19:25 -04:00
Josh Bleecher Snyder
7dbbe0c7c7 cmd/tailscale/cli: fix running from Xcode
We were over-eager in running tailscale in GUI mode.
f42ded7acf fixed that by
checking for a variety of shell-ish env vars and using those
to force us into CLI mode.

However, for reasons I don't understand, those shell env vars
are present when Xcode runs Tailscale.app on my machine.
(I've changed no configs, modified nothing on a brand new machine.)
Work around that by adding an additional "only in GUI mode" check.

Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>
2021-05-04 11:37:02 -07:00
Josh Bleecher Snyder
9360f36ebd all: use lower-case letters at the start of error message
Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>
2021-05-04 08:54:50 -07:00
Brad Fitzpatrick
962bf74875 cmd/tailscale: fail if tailscaled closes the IPN connection
I was going to write a test for this using the tstest/integration test
stuff, but the testcontrol implementation isn't quite there yet (it
always registers nodes and doesn't provide AuthURLs). So, manually
tested for now.

Fixes #1843

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-05-04 07:51:23 -07:00
David Crawshaw
1f48d3556f cmd/tailscale/cli: don't report outdated auth URL to web UI
This brings the web 'up' logic into line with 'tailscale up'.

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2021-05-03 11:18:58 -07:00
David Crawshaw
1336ed8d9e cmd/tailscale/cli: skip new tab on web login
It doesn't work properly.

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2021-05-03 11:18:58 -07:00
Brad Fitzpatrick
ca65c6cbdb cmd/tailscale: make 'file cp' have better error messages on bad targets
Say when target isn't owned by current user, and when target doesn't
exist in netmap.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-05-03 10:33:55 -07:00
Brad Fitzpatrick
90002be6c0 cmd/tailscale: make pref-revert checks ignore OS-irrelevant prefs
This fixes #1833 in two ways:

* stop setting NoSNAT on non-Linux. It only matters on Linux and the flag
  is hidden on non-Linux, but the code was still setting it. Because of
  that, the new pref-reverting safety checks were failing when it was
  changing.

* Ignore the two Linux-only prefs changing on non-Linux.

Fixes #1833

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-05-03 09:37:50 -07:00
Brad Fitzpatrick
fb67d8311c cmd/tailscale: pull out, parameterize up FlagSet creation for tests
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-05-03 09:23:55 -07:00
Brad Fitzpatrick
f6e3240dee cmd/tailscale/cli: add test to catch ipn.Pref additions 2021-04-30 13:29:06 -07:00
Avery Pennarun
6caa02428e cmd/tailscale/cli/up: "LoggedOut" pref is implicit.
There's no need to warn that it was not provided on the command line
after doing a sequence of up; logout; up --args. If you're asking for
tailscale to be up, you always mean that you prefer LoggedOut to become
false.

Fixes #1828

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2021-04-30 16:15:04 -04:00
Avery Pennarun
19c3e6cc9e types/logger: rate limited: more hysteresis, better messages.
- Switch to our own simpler token bucket, since x/time/rate is missing
  necessary stuff (can't provide your own time func; can't check the
  current bucket contents) and it's overkill anyway.

- Add tests that actually include advancing time.

- Don't remove the rate limit on a message until there's enough room to
  print at least two more of them. When we do, we'll also print how
  many we dropped, as a contextual reminder that some were previously
  lost. (This is more like how the Linux kernel does it.)

- Reformat the [RATE LIMITED] messages to be shorter, and to not
  corrupt original message. Instead, we print the message, then print
  its format string.

- Use %q instead of \"%s\", for more accurate parsing later, if the
  format string contained quotes.

Fixes #1772

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2021-04-30 01:01:15 -04:00
Josh Bleecher Snyder
20e04418ff net/dns: add GOOS build tags
Fixes #1786

Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>
2021-04-29 21:34:55 -07:00
David Anderson
72b6d98298 net/interfaces: return all Tailscale addresses from Tailscale().
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-29 12:25:47 -07:00