Commit Graph

5400 Commits

Author SHA1 Message Date
Joe Tsai
1b4e4cc1e8
wgengine/netlog: new package for traffic flow logging (#5864)
The Logger type managers a logtail.Logger for extracting
statistics from a tstun.Wrapper.
So long as Shutdown is called, it ensures that logtail
and statistic gathering resources are properly cleared up.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-10-12 11:57:13 -07:00
Brad Fitzpatrick
79755d3ce5 tstest/natlab: add Firewall.Reset method to drop firewall state
For future use in magicsock tests.

Updates #540

Change-Id: I2f07d1a2924f20b36e357c4533ff0a1a974d5061
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-10-12 10:16:16 -07:00
Denton Gentry
1b9ed9f365 VERSION.txt: this is 1.33.
We did not get this VERSION.txt file checked in at the correct time,
the prior 10 commits in `main` between the v1.32.0 tag point and
this commit were not part of release 1.32. We did no unstable builds
during this time, so the error should have no impact.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-10-12 09:53:06 -07:00
License Updater
e7519adc18 licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2022-10-11 15:11:34 -07:00
Brad Fitzpatrick
e24de8a617 ssh/tailssh: add password-forcing workaround for buggy SSH clients
If the username includes a suffix of +password, then we accept
password auth and just let them in like it were no auth.

This exists purely for SSH clients that get confused by seeing success
to their initial auth type "none".

Co-authored-by: Maisem Ali <maisem@tailscale.com>
Change-Id: I616d4c64d042449fb164f615012f3bae246e91ec
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-10-11 15:03:02 -07:00
Anton Tolchanov
c070d39287 cmd/tailscaled: handle tailscaled symlink on macOS
When Tailscale is installed via Homebrew, `/usr/local/bin/tailscaled`
is a symlink to the actual binary.

Now when `tailscaled install-system-daemon` runs, it will not attempt
to overwrite that symlink if it already points to the tailscaled binary.
However, if executed binary and the link target differ, the path will
he overwritten - this can happen when a user decides to replace
Homebrew-installed tailscaled with a one compiled from source code.

Fixes #5353

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2022-10-11 16:09:26 +01:00
Denton Gentry
51d488673a scripts/installer.sh: add OSMC
Fixes https://github.com/tailscale/tailscale/issues/4960

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-10-11 04:24:41 -07:00
Emmanuel T Odeke
680f8d9793 all: fix more resource leaks found by staticmajor
Updates #5706

Signed-off-by: Emmanuel T Odeke <emmanuel@orijtech.com>
2022-10-10 20:46:56 -07:00
Brad Fitzpatrick
614a24763b tsweb: sort top-level expvars after removing type prefixes
Fixes #5778

Change-Id: I56c367338fa5686da288cc6545209ef4d6b88549
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-10-10 20:28:44 -07:00
Brad Fitzpatrick
0475ed4a7e cmd/ssh-auth-none-demo: put the hostname in the package doc
188.166.70.128 port 2222 for now. Some hostname later maybe.

Change-Id: I9c329410035221ed6cdff7a482727d30b77eea8b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-10-10 10:47:31 -07:00
Maisem Ali
7df85c6031 cmd/ssh-auth-none-demo: add banner as part of the demo
Send two banners with a second in between, this demonstrates the case
where all banners are shown after auth completes and not during.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-10-10 10:43:31 -07:00
Brad Fitzpatrick
718914b697 tsweb: remove allocs introduced by earlier change
This removes the ~9 allocs added by #5869, while still keeping struct
fields sorted (the previous commit's tests still pass). And add a test
to lock it in that this shouldn't allocate.

Updates #5778

Change-Id: I4c12b9e2a1334adc1ea5aba1777681cb9fc18fbf
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-10-10 10:23:54 -07:00
License Updater
529e893f70 licenses: update win/apple licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2022-10-09 21:25:19 -07:00
Brad Fitzpatrick
8a187159b2 cmd/ssh-auth-none-demo: add demo SSH server that acts like Tailscale SSH
For SSH client authors to fix their clients without setting up
Tailscale stuff.

Change-Id: I8c7049398512de6cb91c13716d4dcebed4d47b9c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-10-09 18:07:04 -07:00
Brad Fitzpatrick
b2994568fe ipn/localapi: put all the LocalAPI methods into a map
Rather than a bunch of switch cases.

Change-Id: Id1db813ec255bfab59cbc982bee351eb36373245
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-10-09 18:05:55 -07:00
Maisem Ali
f172fc42f7 ssh/tailssh: close sshContext on context cancellation
This was preventing tailscaled from shutting down properly if there were
active sessions in certain states (e.g. waiting in check mode).

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-10-09 17:17:03 -07:00
Hasnain Lakhani
8fe04b035c tsweb: sort varz by name after stripping prefix (#5778)
This makes it easier to view prometheus metrics.

Added a test case which demonstrates the new behavior - the test
initially failed as the output was ordered in the same order
as the fields were declared in the struct (i.e. foo_a, bar_a, foo_b,
bar_b). For that reason, I also had to change an existing test case
to sort the fields in the new expected order.

Signed-off-by: Hasnain Lakhani <m.hasnain.lakhani@gmail.com>
2022-10-09 16:55:51 -07:00
License Updater
d29ec4d7a4 licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2022-10-09 16:49:03 -07:00
Maisem Ali
4de1601ef4 ssh/tailssh: add support for sending multiple banners
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-10-09 14:59:48 -07:00
License Updater
91b5c50b43 licenses: update win/apple licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2022-10-09 11:43:06 -07:00
Maisem Ali
ecf6cdd830 ssh/tailssh: add TestSSHAuthFlow
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-10-09 10:27:31 -07:00
Maisem Ali
f16b77de5d ssh/tailssh: do the full auth flow during ssh auth
Fixes #5091

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-10-09 10:27:31 -07:00
License Updater
c8a3d02989 licenses: update android licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2022-10-09 08:23:16 -07:00
Brad Fitzpatrick
6d76764f37 ipn/ipnlocal: fix taildrop target list UI bug
The macOS and iOS apps that used the /localapi/v0/file-targets handler
were getting too many candidate targets. They wouldn't actually accept
the file. This is effectively just a UI glitch in the wrong hosts
being listed as valid targets from the source side.

Change-Id: I6907a5a1c3c66920e5ec71601c044e722e7cb888
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-10-07 21:21:23 -07:00
Maisem Ali
b84ec521bf ssh/tailssh: do not send EOT on session disconnection
This was assumed to be the fix for mosh not working, however turns out
all we really needed was the duplicate fd also introduced in the same
commit (af412e8874).

Fixes #5103

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-10-07 07:52:35 -07:00
Joe Tsai
82f5f438e0
wgengine/wgcfg: plumb down audit log IDs (#5855)
The node and domain audit log IDs are provided in the map response,
but are ultimately going to be used in wgengine since
that's the layer that manages the tstun.Wrapper.

Do the plumbing work to get this field passed down the stack.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-10-06 16:19:38 -07:00
Mihai Parparita
92ad56ddcb cmd/tsconnect: close the SSH session an unload event instead of beforeunload
The window may not end up getting unloaded (if other beforeunload
handlers prevent the event), thus we should only close the SSH session
if it's truly getting unloaded.

Updates tailscale/corp#7304

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-10-06 13:17:15 -07:00
Joe Tsai
84e8f25c21
net/tstun: rename statististics method (#5852)
Rename StatisticsEnable as SetStatisticsEnabled to be consistent
with other similarly named methods.

Rename StatisticsExtract as ExtractStatistics to follow
the convention where methods start with a verb.
It was originally named with Statistics as a prefix so that
statistics related methods would sort well in godoc,
but that property no longer holds.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-10-06 10:46:09 -07:00
Joe Tsai
dd045a3767
net/flowtrack: add json tags to Tuple (#5849)
By convention, JSON serialization uses camelCase.
Specify such names on the Tuple type.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-10-05 19:40:49 -07:00
Joe Tsai
a73c423c8a
net/tunstats: add Counts.Add (#5848)
The Counts.Add method merges two Counts together.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-10-05 13:18:08 -07:00
Joe Tsai
3af0d4d0f2
logtail: always record timestamps in UTC (#5732)
Upstream optimizations to the Go time package will make
unmarshaling of time.Time 3-6x faster. See:
* https://go.dev/cl/425116
* https://go.dev/cl/425197
* https://go.dev/cl/429862

The last optimization avoids a []byte -> string allocation
if the timestamp string less than than 32B.
Unfortunately, the presence of a timezone breaks that optimization.
Drop recording of timezone as this is non-essential information.

Most of the performance gains is upon unmarshal,
but there is also a slight performance benefit to
not marshaling the timezone as well.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-10-05 12:27:52 -07:00
Joe Tsai
c321363d2c
logtail: support a copy ID (#5851)
The copy ID operates similar to a CC in email where
a message is sent to both the primary ID and also the copy ID.
A given log message is uploaded once, but the log server
records it twice for each ID.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-10-05 12:25:10 -07:00
Joe Tsai
24ebf161e8
net/tstun: instrument Wrapper with statistics gathering (#5847)
If Wrapper.StatisticsEnable is enabled,
then per-connection counters are maintained.
If enabled, Wrapper.StatisticsExtract must be periodically called
otherwise there is unbounded memory growth.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-10-05 12:24:30 -07:00
Tom DNetto
a37ee8483f ipn/ipnlocal: fix data race from missing lock in NetworkLockStatus
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-10-05 11:51:49 -07:00
Brad Fitzpatrick
7714261566 go.toolchain.rev: update to Go 1.19.2
Changes: https://github.com/tailscale/go/commits/build-3fd24dee31726924c1b61c8037a889b30b8aa0f6

Change-Id: I61b83eef2b812879544a5226687606ae792b0786
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-10-05 11:22:00 -07:00
Tom DNetto
8602061f32 ipn/ipnlocal,tka: Fix bugs found by integration testing
* tka.State.staticValidateCheckpoint could call methods on a contained key prior to calling StaticValidate on that key
 * Remove broken backoff / RPC retry logic from tka methods in ipn/ipnlocal, to be fixed at a later time
 * Fix NetworkLockModify() which would attempt to take b.mu twice and deadlock, remove now-unused dependence on netmap
 * Add methods on ipnlocal.LocalBackend to be used in integration tests
 * Use TAILSCALE_USE_WIP_CODE as the feature flag so it can be manipulated in tests

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-10-05 11:12:34 -07:00
Tom DNetto
73db56af52 ipn/ipnlocal: filter peers with bad signatures when tka is enabled
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-10-05 10:56:17 -07:00
Kristoffer Dalby
01ebef0f4f
tailcfg: add views for ControlDialPlan (#5843) 2022-10-05 16:18:26 +02:00
Will Norris
62bc1052a2 tsweb: allow HTTPError to unwrap errors
Signed-off-by: Will Norris <will@tailscale.com>
2022-10-04 21:15:44 -07:00
License Updater
2243dbccb7 licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2022-10-04 20:11:30 -07:00
Brad Fitzpatrick
b1bd96f114 go.mod, ssh/tailssh: fix ImplictAuthMethod typo
Fixes #5745

Change-Id: Ie8bc88bd465a9cb35b0ae7782d61ce96480473ee
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-10-04 19:51:05 -07:00
David Anderson
fde20f3403 cmd/pgproxy: link to blog post at the top.
Signed-off-by: David Anderson <danderson@tailscale.com>
2022-10-04 16:47:12 -07:00
Mihai Parparita
7ffd2fe005 cmd/tsconnect: switch to non-beta versions of xterm and related packages
xterm 5.0 was released a few weeks ago, and it picks up
xtermjs/xterm.js#4069, which was the main reason why we were on a 5.0
beta.

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-10-04 15:51:36 -07:00
Joe Tsai
2934c5114c
net/tunstats: new package to track per-connection counters (#5818)
High-level API:

	type Statistics struct { ... }
	type Counts struct { TxPackets, TxBytes, RxPackets, RxBytes uint64 }
	func (*Statistics) UpdateTx([]byte)
	func (*Statistics) UpdateRx([]byte)
	func (*Statistics) Extract() map[flowtrack.Tuple]Counts

The API accepts a []byte instead of a packet.Parsed so that a future
implementation can directly hash the address and port bytes,
which are contiguous in most IP packets.
This will be useful for a custom concurrent-safe hashmap implementation.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-10-04 15:10:33 -07:00
David Anderson
bdf3d2a63f cmd/pgproxy: open-source our postgres TLS-enforcing proxy.
From the original commit that implemented it:

  It accepts Postgres connections over Tailscale only, dials
  out to the configured upstream database with TLS (using
  strong settings, not the swiss cheese that postgres defaults to),
  and proxies the client through.

  It also keeps an audit log of the sessions it passed through,
  along with the Tailscale-provided machine and user identity
  of the connecting client.

In our other repo, this was:
commit 92e5edf98e8c2be362f564a408939a5fc3f8c539,
Change-Id I742959faaa9c7c302bc312c7dc0d3327e677dc28.

Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Signed-off-by: David Anderson <danderson@tailscale.com>
2022-10-04 14:54:52 -07:00
License Updater
c5ce355756 licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2022-10-04 11:09:26 -07:00
Florian Lehner
7e0ffc17fd Address GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean
shutdown that was preempted by a fatal error. This condition can
be exploited by a malicious client to cause a denial of service.

Signed-off-by: Florian Lehner <dev@der-flo.net>
2022-10-04 11:06:25 -07:00
Florian Lehner
17348915fa Address GO-2020-0042
Due to improper path santization, RPMs containing relative file
paths can cause files to be written (or overwritten) outside of the
target directory.

Signed-off-by: Florian Lehner <dev@der-flo.net>
2022-10-04 11:06:25 -07:00
Brad Fitzpatrick
1841d0bf98 wgengine/magicsock: make debug-level stuff not logged by default
And add a CLI/localapi and c2n mechanism to enable it for a fixed
amount of time.

Updates #1548

Change-Id: I71674aaf959a9c6761ff33bbf4a417ffd42195a7
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-10-04 11:05:50 -07:00
Andrew Dunham
5c69961a57
cmd/tailscale/cli: add --record flag to bugreport (#5826)
Change-Id: I02bdc37a5c1a5a5d030c136ec5e84eb4c9ab1752
Signed-off-by: Andrew Dunham <andrew@tailscale.com>
2022-10-04 14:03:46 -04:00