Commit Graph

4188 Commits

Author SHA1 Message Date
Maya Kaczorowski
1b20d1ce54
Dockerfile, build_docker: change Docker warning 2021-10-12 13:21:51 -07:00
apenwarr
5b06c50669 Bug report template: remove empty 'title' field.
Mysteriously, GitHub can't parse it if it's an empty string rather than
just missing.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2021-10-13 04:38:28 +09:00
Maya Kaczorowski
525f15bf81 Dockerfile, build_docker: change Docker warning
Signed-off-by: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com>
2021-10-12 12:27:39 -07:00
Avery Pennarun
9c3ae750da Bug template: remove "[Bug]: " prefix for the common case.
Also shorten "[FR]:" to "FR:" to save precious subject line space.

I don't mind a prefix to distinguish feature requests, but the majority
of cases are bugs. Let's preserve as many chars as possible for the
specific topic when looking at subject lines in gmail.

(Now, if only it wouldn't include [tailscale/tailscale] on every
message...)

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2021-10-13 04:14:59 +09:00
Smitty
b382161fe5 tsdns: don't forward transient DNS errors
When a DNS server claims to be unable or unwilling to handle a request,
instead of passing that refusal along to the client, just treat it as
any other error trying to connect to the DNS server. This prevents DNS
requests from failing based on if a server can respond with a transient
error before another server is able to give an actual response. DNS
requests only failing *sometimes* is really hard to find the cause of
(#1033).

Signed-off-by: Smitty <me@smitop.com>
2021-10-12 09:35:25 -04:00
Brad Fitzpatrick
92215065eb cmd/derpprobe: fix fmt bug
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-11 20:27:31 -07:00
Brad Fitzpatrick
13ef8e3c06 cmd/derpprobe: also do UDP STUN probing
Updates #3049

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-11 20:25:14 -07:00
Brad Fitzpatrick
a2e1e5d909 go.mod: bump go-ole for windows/arm64 support
Updates #2606

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-11 08:48:25 -07:00
Denton Gentry
5d6198adee netcheck: don't log ErrGatewayRange
"skipping portmap; gateway range likely lacks support" is really
spammy on cloud systems, and not very useful in debugging.

Fixes https://github.com/tailscale/tailscale/issues/3034

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-10-10 10:47:03 -07:00
Denton Gentry
d883747d8b net/dns/resolver: don't forward DNS-SD on all platforms
We added the initial handling only for macOS and iOS.
With 1.16.0 now released, suppress forwarding DNS-SD
on all platforms to test it through the 1.17.x cycle.

Updates #2442

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-10-08 17:14:59 -07:00
Maya Kaczorowski
e5dddb2b99
.github: fix checkboxes in bug report 2021-10-08 09:37:15 -07:00
Maya Kaczorowski
3b0ee07713 .github: fix checkboxes in bug report
Signed-off-by: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com>
2021-10-08 09:27:36 -07:00
Maya Kaczorowski
af04726c18
.github: change templates to yml 2021-10-08 09:17:26 -07:00
Maya Kaczorowski
d7a2828fed .github: change templates to yml
Signed-off-by: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com>
2021-10-08 09:05:03 -07:00
Maya Kaczorowski
1f506d2351
.github: update issue templates 2021-10-07 17:46:53 -07:00
Maya Kaczorowski
8bdb2c3adc .github: update issue templates
Signed-off-by: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com>
2021-10-07 17:26:23 -07:00
Denton Gentry
3675fafec6 VERSION.txt: new unstable v1.17.0
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-10-07 13:07:04 -07:00
Brad Fitzpatrick
297d1b7cb6 net/dns/resolver: don't forward DNS-SD queries
Updates #2442
Fixes tailscale/corp#2820

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-07 12:38:55 -07:00
Brad Fitzpatrick
47044f3af7 net/dns/resolver: fix log prefix
The passed in logf already has a "dns: " prefix so they were
doubled up.
2021-10-07 12:19:41 -07:00
Brad Fitzpatrick
7634af5c6f all: gofmt
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-07 12:18:31 -07:00
Avery Pennarun
0d4a0bf60e magicsock: if STUN failed to send before, rebind before STUNning again.
On iOS (and possibly other platforms), sometimes our UDP socket would
get stuck in a state where it was bound to an invalid interface (or no
interface) after a network reconfiguration. We can detect this by
actually checking the error codes from sending our STUN packets.

If we completely fail to send any STUN packets, we know something is
very broken. So on the next STUN attempt, let's rebind the UDP socket
to try to correct any problems.

This fixes a problem where iOS would sometimes get stuck using DERP
instead of direct connections until the backend was restarted.

Fixes #2994

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2021-10-08 02:17:09 +09:00
Maisem Ali
52be1c0c78 tsnet: run the LocalAPI handler
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-10-07 10:01:03 -07:00
David Anderson
830f641c6b wgengine/magicsock: update discokeys on netmap change.
Fixes #3008.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-10-06 14:52:47 -07:00
Brad Fitzpatrick
2d11503cff cmd/tailscale: add up --qr to show QR code
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-06 11:13:31 -07:00
Brad Fitzpatrick
2501a694cb net/interfaces: add RegisterInterfaceGetter for Android
Updates #2293

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-06 10:43:12 -07:00
Aaron Klotz
df7899759d cmd/tailscaled: set the correct flag for receiving Windows session change events
This feature wasn't working until I realized that we also need to opt into
the events. MSDN wasn't so generous as to make this easy to deduce.

Updates #2956

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2021-10-06 10:23:55 -06:00
David Crawshaw
cc9cf97cbe cli: web advertise exit node button
A couple of gnarly assumptions in this code, as always with the async
message thing.

UI button is based on the DNS settings in the admin panel.

Co-authored-by: Maisem Ali <maisem@tailscale.com>
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2021-10-06 07:35:43 -07:00
Brad Fitzpatrick
0410f1a35a util/groupmember: adjust build tags for osusergo
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-05 15:38:57 -07:00
Brad Fitzpatrick
2a0d3f72c5 util/groupmember: fix typo of package's name in its package doc
And canonicalize a func comment while I'm here.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-05 15:21:18 -07:00
Brad Fitzpatrick
cb4a2c00d1 ipn: remove unused Prefs.OSVersion and Prefs.DeviceModel
iOS and Android no longer use these. They both now (as of today)
use the hostinfo.SetFoo setters instead.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-05 15:18:32 -07:00
Brad Fitzpatrick
67e5fabdbd hostinfo, ipn/ipnlocal: add SetPackage, remove ipnlocal hacks
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-05 15:02:35 -07:00
Brad Fitzpatrick
81269fad28 hostinfo: add SetOSVersion like SetDeviceModel, deprecate ipn.Prefs way
Turns out the iOS client has been only sending the OS version it first
started at. This whole hostinfo-via-prefs mechanism was never a good idea.
Start removing it.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-05 13:29:06 -07:00
Brad Fitzpatrick
98b3fa78aa cmd/tailscale: let certs/keys be written to stdout, warn about macOS sandbox
Fixes https://twitter.com/SeanHood/status/1443668378468720647

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-04 12:12:09 -07:00
Brad Fitzpatrick
2d464cecd1 cmd/tailscale: make netcheck work when logged out
Fixes #2993

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-04 11:42:51 -07:00
Brad Fitzpatrick
58e1475ec7 hostinfo: look up Synology hardware a more specific way
Fixes #2991

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-04 10:28:28 -07:00
Brad Fitzpatrick
a71fb6428d version: new month, new date bump 2021-10-04 08:56:41 -07:00
Brad Fitzpatrick
22a1a5d7cf ipn/ipnlocal: for IPv6-only nodes, publish IPv6 MagicDNS records of peers
See https://github.com/tailscale/tailscale/issues/2970#issuecomment-931885268

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-04 08:54:23 -07:00
David Crawshaw
45f51d4fa6 types/opt: implement Bool.Scan
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2021-10-03 15:24:13 -07:00
Brad Fitzpatrick
6d43cbc325 ipn/ipnlocal: make sure mobile clients don't use the old control server URL
The new frontends are better for battery.

Updates #2442
Updates tailscale/corp#2750

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-03 14:11:12 -07:00
Nathan Dias
babd163aac bencher: add config to suppress failures on benchmark regressions.
This config update will let tailscale use bencher without worrying about the bencher check appearing as failed due to a benchmark regressing.

Updates #2938

Signed-off-by: Nathan Dias <nathan@orijtech.com>
2021-10-01 16:16:02 -07:00
Brad Fitzpatrick
09c2462ae5 net/tlsdial: add forgotten test file for go mod tidy
I forgot to include this file in the earlier
7cf8ec8108 commit.

This exists purely to keep "go mod tidy" happy.

Updates #1609

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-01 10:30:01 -07:00
Brad Fitzpatrick
f62e6d83a9 cmd/tailscale: make cert subcommand give hints on access denied
Lot of people have been hitting this.

Now it says:

    $ tailscale cert tsdev.corp.ts.net
    Access denied: cert access denied

    Use 'sudo tailscale cert' or 'tailscale up --operator=$USER' to not require root.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-01 10:27:48 -07:00
Brad Fitzpatrick
7cf8ec8108 net/tlsdial: bake in LetsEncrypt's ISRG Root X1 root
We still try the host's x509 roots first, but if that fails (like if
the host is old), we fall back to using LetsEncrypt's root and
retrying with that.

tlsdial was used in the three main places: logs, control, DERP. But it
was missing in dnsfallback. So added it there too, so we can run fine
now on a machine with no DNS config and no root CAs configured.

Also, move SSLKEYLOGFILE support out of DERP. tlsdial is the logical place
for that support.

Fixes #1609

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-01 08:30:07 -07:00
Brad Fitzpatrick
b10a55e4ed cmd/tailscale/cli: fix typo in cert usage 2021-09-30 21:23:18 -07:00
Filippo Valsorda
d7ce2be5f4 net/dns/resolver: add unsecured Quad9 resolvers
DNSSEC is an availability issue, as recently demonstrated by the
Slack issue, with limited security advantage. DoH on the other hand
is a critical security upgrade. This change adds DoH support for the
non-DNSSEC endpoints of Quad9.

https://www.quad9.net/service/service-addresses-and-features#unsec
Signed-off-by: Filippo Valsorda <hi@filippo.io>
2021-09-30 18:08:19 -07:00
Brad Fitzpatrick
891e7986cc cmd/tailscale: make cert give hints on usage failure
Like mentioning which cert domain(s) are valid.
2021-09-29 14:35:00 -07:00
Brad Fitzpatrick
080381c79f net/tstun: block looped disco traffic, take 17
It was in the wrong filter direction before, per CPU profiles
we now have.

Updates #1526 (maybe fixes? time will tell)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-29 14:17:40 -07:00
Brad Fitzpatrick
3618e8d8ac cmd/tailscaled: rename outbound HTTP proxy flag
The old name invited confusion:

* is this the HTTP proxy to use ourselves? (no, that's
  via an environment variable, per proxy conventions)
* is this for LetsEncrypt https-to-localhost-http
  proxying? (no, that'll come later)

So rename to super verbose --outbound-http-proxy-listen
before the 1.16.0 release to make it clear what it is.
It listens (serves) and it's for outbound, not inbound.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-29 11:25:09 -07:00
Brad Fitzpatrick
b822b5c798 cmd/tailscale: let up --authkey be of form file:/path/to/secret
Fixes #2958

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-29 09:27:17 -07:00
Aaron Klotz
e016eaf410 cmd/tailscaled: conditionally flush Windows DNS cache on SessionChange
For the service, all we need to do is handle the `svc.SessionChange` command.
Upon receipt of a `windows.WTS_SESSION_UNLOCK` event, we fire off a goroutine to flush the DNS cache.
(Windows expects responses to service requests to be quick, so we don't want to do that synchronously.)

This is gated on an integral registry value named `FlushDNSOnSessionUnlock`,
whose value we obtain during service initialization.

(See [this link](https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nc-winsvc-lphandler_function_ex) for information re: handling `SERVICE_CONTROL_SESSIONCHANGE`.)

Fixes #2956

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2021-09-29 09:43:22 -06:00