Commit Graph

730 Commits

Author SHA1 Message Date
David Anderson
720c1ad0f0 net/dns: insert OS base config when emulating split DNS.
Part of #953.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-07 15:40:31 -07:00
David Anderson
e560be6443 net/dns: sort matchDomains to avoid test flake.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-07 15:40:31 -07:00
David Anderson
68f76e9aa1 net/dns: add GetBaseConfig to OSConfigurator interface.
Part of #953, required to make split DNS work on more basic
platforms.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-07 15:40:31 -07:00
David Anderson
fe9cd61d71 net/dns: add tests for DNS config generation.
Part of #953.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-07 15:40:31 -07:00
David Anderson
0ba6d03768 net/dns/resolver: add a test helper to get at the resolver config.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-07 15:40:31 -07:00
David Anderson
da4cc8bbb4 net/dns: handle all possible translations of high-level DNS config.
With this change, all OSes can sort-of do split DNS, except that the
default upstream is hardcoded to 8.8.8.8 pending further plumbing.
Additionally, Windows 8-10 can do split DNS fully correctly, without
the 8.8.8.8 hack.

Part of #953.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-07 15:40:31 -07:00
Brad Fitzpatrick
939861773d net/tstun: accept peerapi connections through the filter
Fixes tailscale/corp#1545

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-04-07 12:29:20 -07:00
Maisem Ali
57756ef673 net/nettest: make nettest.NewConn pass x/net/nettest.TestConn.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-04-06 15:34:29 -07:00
David Anderson
e0e677a8f6 net/dns: split out search domains and match domains in OSConfig.
It seems that all the setups that support split DNS understand
this distinction, and it's an important one when translating
high-level configuration.

Part of #953.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-06 15:27:09 -07:00
David Anderson
a8dcda9c9a net/dns: start of compat hacks for Windows 7.
Correctly reports that Win7 cannot do split DNS, and has a helper to
discover the "base" resolvers for the system.

Part of #953

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-06 15:27:09 -07:00
David Anderson
3e915ac783 net/dns: implement OS-level split DNS for Windows.
Part of #953.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-05 22:53:10 -07:00
David Anderson
c16a926bf2 net/dns: set OSConfig.Primary.
OS implementations are going to support split DNS soon.
Until they're all in place, hardcode Primary=true to get
the old behavior.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-05 22:53:10 -07:00
David Anderson
bc4381447f net/tstun: return the real interface name at device creation.
This is usually the same as the requested interface, but on some
unixes can vary based on device number allocation, and on Windows
it's the GUID instead of the pretty name, since everything relating
to configuration wants the GUID.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-05 22:53:10 -07:00
David Anderson
de6dc4c510 net/dns: add a Primary field to OSConfig.
Currently ignored.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-05 13:05:47 -07:00
David Anderson
b2a597b288 net/dns: rename Set to SetDNS in OSConfigurator.
wgengine/router.CallbackRouter needs to support both the Router
and OSConfigurator interfaces, so the setters can't both be called
Set.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-05 10:55:35 -07:00
David Anderson
7d84ee6c98 net/dns: unify the OS manager and internal resolver.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-05 10:55:35 -07:00
David Anderson
1bf91c8123 net/dns/resolver: remove unused err return value.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-05 10:55:35 -07:00
David Anderson
6a206fd0fb net/dns: rename impl to os.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-05 10:55:35 -07:00
David Anderson
c4530971db net/dns/resolver: remove leftover debug print.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-05 10:55:35 -07:00
David Anderson
4c61ebacf4 wgengine: move DNS configuration out of wgengine/router.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-05 10:55:35 -07:00
David Anderson
748670f1e9 net/dns: fix typo in docstring.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-02 18:44:02 -07:00
David Anderson
a39d2403bc net/dns: disable NetworkManager and resolved configurators temporarily.
They need some rework to do the right thing; in the meantime the direct
and resolvconf managers will work out.

The resolved implementation was never selected due to control-side settings.
The networkmanager implementation mostly doesn't get selected due to
unforeseen interactions with `resolvconf` on many platforms.
Both implementations also need rework to support the various routing modes
they're capable of.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-02 02:41:33 -07:00
David Anderson
befd8e4e68 net/dns: replace managerImpl with OSConfigurator in code.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-02 02:34:40 -07:00
David Anderson
077d4dc8c7 net/dns: add an OSConfigurator interface.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-02 01:49:17 -07:00
David Anderson
6ad44f9fdf wgengine: take in dns.Config, split out to resolver.Config and dns.OSConfig.
Stepping stone towards having the DNS package handle the config splitting.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-02 00:59:44 -07:00
David Anderson
2edb57dbf1 net/dns: add new Config that captures tailscale+OS DNS config.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-02 00:59:44 -07:00
David Anderson
8af9d770cf net/dns: rename Config to OSConfig.
Making way for a new higher level config struct.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-02 00:59:44 -07:00
David Anderson
fcfc0d3a08 net/dns: remove ManagerConfig, pass relevant args directly.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-01 23:26:52 -07:00
David Anderson
0ca04f1e01 net/dns: put noop.go back, limit with build tags for staticcheck.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-01 23:14:13 -07:00
David Anderson
95470c3448 net/dns: remove Cleanup manager parameter.
It's only used to skip some optional initialization during cleanup,
but that work is very minor anyway, and about to change drastically.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-01 23:06:56 -07:00
David Anderson
cf361bb9b1 net/dns: remove PerDomain from Config.
It's currently unused, and no longer makes sense with the upcoming
DNS infrastructure. Keep it in tailcfg for now, since we need protocol
compat for a bit longer.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-01 22:55:44 -07:00
David Anderson
f77ba75d6c wgengine/router: move DNS cleanup into the DNS package.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-01 22:35:34 -07:00
David Anderson
9f105d3968 net/dns/resolver: teach the forwarder to do per-domain routing.
Given a DNS route map, the forwarder selects the right set of
upstreams for a given name.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-01 19:42:48 -07:00
David Anderson
90f82b6946 net/dns/resolver: add live reconfig, plumb through to ipnlocal.
The resolver still only supports a single upstream config, and
ipn/wgengine still have to split up the DNS config, but this moves
closer to unifying the DNS configs.

As a handy side-effect of the refactor, IPv6 MagicDNS records exist
now.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-04-01 01:44:03 -07:00
David Anderson
caeafc4a32 net/dns/resolver: fix package docstring.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-31 23:42:28 -07:00
David Anderson
dbe4f6f42d net/dns/resolver: unexport Resolve and ResolveReverse.
They're only used internally and in tests, and have surprising
semantics in that they only resolve MagicDNS names, not upstream
resolver queries.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-31 23:35:26 -07:00
David Anderson
cdeb8d6816 net/dns/resolver: fix staticcheck error.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-31 23:19:09 -07:00
David Anderson
f185d62dc8 net/dns/resolver: unexport Packet, only use it internally.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-31 23:12:31 -07:00
David Anderson
5fb9e00ecf net/dns/resolver: remove Start method, fully spin up in New instead.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-31 23:12:31 -07:00
David Anderson
075fb93e69 net/dns/resolver: remove the Config struct.
In preparation for reintroducing a runtime reconfig Config struct.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-31 23:12:31 -07:00
David Anderson
bc81dd4690 net/dns/resolver: rename ResolverConfig to just Config.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-31 23:12:31 -07:00
David Anderson
d99f5b1596 net/dns/resolver: factor the resolver out into a sub-package.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-31 23:12:30 -07:00
Denton Gentry
09148c07ba interfaces: check correct error /proc/net/route
wrap io.EOF if we hit https://github.com/google/gvisor/issues/5732
Check for the correct err.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-03-31 14:37:26 -07:00
Denton Gentry
a9745a0b68 interfaces: try larger read from /proc/net/route
Work around https://github.com/google/gvisor/issues/5732
by trying to read /proc/net/route with a larger bufsize if
it fails the first time.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-03-30 12:33:53 -07:00
Denton Gentry
54ba6194f7 interfaces: allow IPv6 ULA as a valid address.
IPv6 Unique Local Addresses are sometimes used with Network
Prefix Translation to reach the Internet. In that respect
their use is similar to the private IPv4 address ranges
10/8, 172.16/12, and 192.168/16.

Treat them as sufficient for AnyInterfaceUp(), but specifically
exclude Tailscale's own IPv6 ULA prefix to avoid mistakenly
trying to bootstrap Tailscale using Tailscale.

This helps in supporting Google Cloud Run, where the addresses
are 169.254.8.1/32 and fddf:3978:feb1:d745::c001/128 on eth1.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-03-30 12:33:53 -07:00
Denton Gentry
ecf310be3c net/tsaddr: IsUla() for IPv6 Unique Local Address
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-03-30 12:33:53 -07:00
Brad Fitzpatrick
41e4e02e57 net/{packet,tstun}: send peerapi port in TSMP pongs
For discovery when an explicit hostname/IP is known. We'll still
also send it via control for finding peers by a list.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-29 15:18:23 -07:00
David Anderson
25e0bb0a4e net/tstun: rename wrap_windows.go to tun_windows.go.
The code has nothing to do with wrapping; it's Windows-specific
driver initialization code.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-26 23:17:59 -07:00
David Anderson
22d53fe784 net/tstun: document exported function.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-26 23:17:01 -07:00
David Anderson
016de16b2e net/tstun: rename TUN to Wrapper.
The tstun package contains both constructors for generic tun
Devices, and a wrapper that provides additional functionality.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-26 23:15:22 -07:00
David Anderson
82ab7972f4 net/tstun: rename NewFakeTUN to NewFake.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-26 22:46:47 -07:00
David Anderson
588b70f468 net/tstun: merge in wgengine/tstun.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-26 22:31:54 -07:00
David Anderson
018200aeba net/tstun: rename from net/tun.
We depend on wireguard-go/tun; identical leaf packages can be
confusing in code.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-26 22:31:54 -07:00
David Anderson
44d9929208 wgengine: remove Config.TUNName, require caller to create device.
Also factors out device creation and associated OS workarounds to
net/tun.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-26 21:08:11 -07:00
Brad Fitzpatrick
7f174e84e6 net/interfaces: remove mutating methods, add EqualFiltered instead
Now callers (wgengine/monitor) don't need to mutate the state to remove
boring interfaces before calling State.Equal. Instead, the methods
to remove boring interfaces from the State are removed, as is
the reflect-using Equal method itself, and in their place is
a new EqualFiltered method that takes a func predicate to match
interfaces to compare.

And then the FilterInteresting predicate is added for use
with EqualFiltered to do the job that that wgengine/monitor
previously wanted.

Now wgengine/monitor can keep the full interface state around,
including the "boring" interfaces, which we'll need for peerapi on
macOS/iOS to bind to the interface index of the utunN device.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-26 09:11:48 -07:00
Brad Fitzpatrick
7dc88e4c1e net/interfaces: track more interface metadata in State
We have it already but threw it away. But macOS/iOS code will
be needing the interface index, so hang on to it.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-26 09:11:48 -07:00
David Anderson
6521f02ff6 Move DNS flush logic to net/dns.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-25 17:40:52 -07:00
David Anderson
9f7f2af008 wgengine/router/dns: move to net/dns.
Preparation for merging the APIs and whatnot.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-25 16:25:30 -07:00
David Anderson
8432999835 Move wgengine/tsdns to net/dns.
Straight move+fixup, no other changes. In prep for merging with
wgengine/router/dns.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-25 16:25:30 -07:00
Brad Fitzpatrick
2384c112c9 net/packet, wgengine/{filter,tstun}: add TSMP ping
Fixes #1467

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-24 09:50:01 -07:00
Brad Fitzpatrick
e2b3d9aa5f all: s/Magic DNS/MagicDNS/ for consistency
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-23 14:25:28 -07:00
Brad Fitzpatrick
1eb95c7e32 net/packet, wgengine{,/filter}: remove net/packet IPProto forwarding consts
Only use the ones in types/ipproto now.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-20 21:45:47 -07:00
Brad Fitzpatrick
01b90df2fa net/packet, wgengine/filter: support SCTP
Add proto to flowtrack.Tuple.

Add types/ipproto leaf package to break a cycle.

Server-side ACL work remains.

Updates #1516

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-20 21:34:13 -07:00
Aleksandar Pesic
7b57310966 net/interfaces: use windows API to get the default route instead of parsing route print output
Fixes: #1470

Signed-off-by: Aleksandar Pesic <peske.nis@gmail.com>
2021-03-19 14:07:36 +01:00
David Anderson
6fb5d4080c net/portmapper: silently handle PCP NOT_AUTHORIZED responses.
Fixes #1525.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-17 19:44:35 -07:00
Brad Fitzpatrick
d5fd373f09 net/interfaces: skip IPv6 link-local interfaces like we do for IPv4
We strip them control-side anyway, and we already strip IPv4 link
local, so there's no point uploading them.  And iOS has a ton of them,
which results in somewhat silly amount of traffic in the MapRequest.

We'll be doing same-LAN-inter-tailscaled link-local traffic a
different way, with same-LAN discovery.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-16 12:52:34 -07:00
Brad Fitzpatrick
44ab0acbdb net/portmapper, wgengine/monitor: cache gateway IP info until link changes
Cuts down allocs & CPU in steady state (on regular STUN probes) when network
is unchanging.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-15 14:27:39 -07:00
Brad Fitzpatrick
974be2ec5c net/interfaces: rewrite the darwin likelyHomeRouterIP from C to Go
We basically already had the RIB-parsing Go code for this in both
net/interfaces and wgengine/monitor, for other reasons.

Fixes #1426
Fixes #1471

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-15 13:27:36 -07:00
Brad Fitzpatrick
c6358f2247 net/netcheck: add a few more STUN retries for prior DERP home
For #1310, maybe.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-12 11:46:08 -08:00
Brad Fitzpatrick
0a84359d2d tailcfg, net/netcheck: let control mark "Avoid" bit on DERP regions
So a region can be used if needed, but won't be STUN-probed or used as
its home.

This gives us another possible debugging mechanism for #1310, or can
be used as a short-term measure against DERP flip-flops for people
equidistant between regions if our hysteresis still isn't good enough.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-12 10:43:24 -08:00
David Anderson
d79a2f3809 wgengine/filter: only log packets to/from non-default routes.
Fixes tailscale/corp#1429.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-09 16:24:09 -08:00
Brad Fitzpatrick
ef7bac2895 tailcfg, net/portmapper, wgengine/magicsock: add NetInfo.HavePortMap
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-09 15:17:24 -08:00
Brad Fitzpatrick
fee74e7ea7 net/interfaces, wgengine/monitor: fix false-positive link changes
interfaces.State.String tries to print a concise summary of the
network state, removing any interfaces that don't have any or any
interesting IP addresses. On macOS and iOS, for instance, there are a
ton of misc things.

But the link monitor based its are-there-changes decision on
interfaces.State.Equal, which just used reflect.DeepEqual, including
comparing all the boring interfaces. On macOS, when turning wifi on or off, there
are a ton of misc boring interface changes, resulting in hitting an earlier
check I'd added on suspicion this was happening:

    [unexpected] network state changed, but stringification didn't

This fixes that by instead adding a new
interfaces.State.RemoveUninterestingInterfacesAndAddresses method that
does, uh, that. Then use that in the monitor. So then when Equal is
used later, it's DeepEqualing the already-cleaned version with only
interesting interfaces.

This makes cmd/tailscaled debug --monitor much less noisy.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-08 20:46:39 -08:00
Brad Fitzpatrick
b14ea68754 net/interfaces: log why when we failed to look up gateway on macOS
Not beautiful, but I'm debugging connectivity problems on
NEProvider.sleep+wake and need more clues.

Updates #1426
Updates tailscale/corp#1289

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-05 09:44:55 -08:00
Brad Fitzpatrick
d37b3b02cd net/dnsfallback: fix infinite loop and limit number of candidates
Updates #1455 (fixes the DNS spin part, but other things aren't ideal there)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-04 19:19:40 -08:00
Brad Fitzpatrick
829eb8363a net/interfaces: sort returned addresses from LocalAddresses
Also change the type to netaddr.IP while here, because it made sorting
easier.

Updates tailscale/corp#1397

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-04 07:04:39 -08:00
Brad Fitzpatrick
10f48087f4 net/tshttpproxy: call winhttp calls from a fixed OS thread
We often see things in logs like:

2021-03-02 17:52:45.2456258 +0800 +0800: winhttp: Open: The parameter is incorrect.
2021-03-02 17:52:45.2506261 +0800 +0800: tshttpproxy: winhttp: GetProxyForURL("https://log.tailscale.io/c/tailnode.log.tailscale.io/5037bb42f4bc330e2d6143e191a7ff7e837c6be538139231de69a439536e0d68"): ERROR_INVALID_PARAMETER [unexpected]

I have a hunch that WinHTTP has thread-local state. If so, this would fix it.
If not, this is pretty harmless.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-03 19:16:04 -08:00
Brad Fitzpatrick
8a55d463c8 net/interfaces: merge darwin files for DefaultRouteInterface in sandbox
DefaultRouteInterface was previously guarded by build tags such that
it was only accessible to tailscaled-on-macos, but there was no reason
for that. It runs fine in the sandbox and gives better default info,
so merge its file into interfaces_darwin.go.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-02 21:15:25 -08:00
David Anderson
8d77dfdacb wgengine/router: add a dummy IPv6 address if needed for default routing.
Fixes #1339

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-02 19:32:04 -08:00
Brad Fitzpatrick
63ed4dd6c9 net/portmapper: fix typo
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-02 12:26:54 -08:00
David Anderson
f647e3daaf ipn/ipnlocal: transform default routes into "all but LAN" routes.
Fixes #1177.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-01 18:47:43 -08:00
Brad Fitzpatrick
9df4185c94 control/controlclient, net/{dnscache,dnsfallback}: add DNS fallback mechanism
Updates #1405
Updates #1403

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-01 18:42:03 -08:00
Brad Fitzpatrick
38dc6fe758 cmd/tailscaled, wgengine: remove --fake, replace with netstack
And add a --socks5-server flag.

And fix a race in SOCKS5 replies where the response header was written
concurrently with the copy from the backend.

Co-authored with Naman Sood.

Updates #707
Updates #504

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-01 11:09:19 -08:00
Naman Sood
fe16ef6812 net/socks5: create SOCKS5 package for proxy server in userspace networking
Updates #707
Updates #504

Signed-off-by: Naman Sood <mail@nsood.in>
2021-02-26 13:44:49 -08:00
Brad Fitzpatrick
000b80de9d net/interfaces: go idle on macOS when wifi/etc is down, ignore utun* interfaces
Updates tailscale/corp#1289
Updates tailscale/corp#1367
Updates tailscale/corp#1378
Updates tailscale/felicity#4
2021-02-25 15:47:29 -08:00
Brad Fitzpatrick
c64bd587ae net/portmapper: add NAT-PMP client, move port mapping service probing
* move probing out of netcheck into new net/portmapper package
* use PCP ANNOUNCE op codes for PCP discovery, rather than causing
  short-lived (sub-second) side effects with a 1-second-expiring map +
  delete.
* track when we heard things from the router so we can be less wasteful
  in querying the router's port mapping services in the future
* use portmapper from magicsock to map a public port

Fixes #1298
Fixes #1080
Fixes #1001
Updates #864

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-02-23 09:07:38 -08:00
Brad Fitzpatrick
6a2c6541da net/tshttpproxy: support HTTP proxy environment credentials on Windows too
and some minor style nits.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-02-18 08:27:37 -08:00
Christine Dodrill
3e5c3e932c net/tshttpproxy: support basic auth when available (#1354)
This allows proxy URLs such as:

    http://azurediamond:hunter2@192.168.122.154:38274

to be used in order to dial out to control, logs or derp servers.

Signed-off-by: Christine Dodrill <xe@tailscale.com>
2021-02-17 16:01:47 -05:00
Brad Fitzpatrick
f4ae745b0b net/{interfaces,netns}: add some new tests, missed from prior commit
I meant for these to be part of 52e24aa966.
2021-02-14 21:18:27 -08:00
Brad Fitzpatrick
e923639feb net/interfaces: fix staticcheck error on darwin
2021-02-14 21:17:12 -08:00
Brad Fitzpatrick
52e24aa966 net/{interfaces,ns}: add tailscaled-mode darwin routing looping prevention
Fixes #1331

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-02-14 12:47:47 -08:00
Brad Fitzpatrick
20e66c5b92 net/interfaces: reconcile interface filtering with address printing in logs
The interface.State logging tried to only log interfaces which had
interesting IPs, but the what-is-interesting checks differed between
the code that gathered the interface names to print and the printing
of their addresses.
2021-02-12 18:42:45 -08:00
Josh Bleecher Snyder
138055dd70 tstest/natlab: use net.ErrClosed instead of a new error
Upstream wireguard-go decided to use errors.Is(err, net.ErrClosed)
instead of checking the error string.

It also provided an unsafe linknamed version of net.ErrClosed
for clients running Go 1.15. Switch to that.

This reduces the time required for the wgengine/magicsock tests
on my machine from ~35s back to the ~13s it was before
456cf8a376.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-02-05 13:44:46 -08:00
Brad Fitzpatrick
d37058af72 net/packet: add some more TSMP packet reject reasons and MaybeBroken bit
Unused for now, but I want to backport this commit to 1.4 so 1.6 can
start sending these and then at least 1.4 logs will stringify nicely.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-02-04 10:59:07 -08:00
David Crawshaw
d139fa9c92 net/interfaces: use a uint32_t for ipv4 address
The code was using a C "int", which is a signed 32-bit integer.
That means some valid IP addresses were negative numbers.
(In particular, the default router address handed out by AT&T
fiber: 192.168.1.254. No I don't know why they do that.)
A negative number is < 255, and so was treated by the Go code
as an error.

This fixes the unit test failure:

	$ go test -v -run=TestLikelyHomeRouterIPSyscallExec ./net/interfaces
	=== RUN   TestLikelyHomeRouterIPSyscallExec
	    interfaces_darwin_cgo_test.go:15: syscall() = invalid IP, false, netstat = 192.168.1.254, true
	--- FAIL: TestLikelyHomeRouterIPSyscallExec (0.00s)

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2021-02-02 13:32:58 -08:00
Brad Fitzpatrick
35e10c78fc net/interfaces: don't send over zt* interfaces
Fixes #1208

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-01-26 15:20:43 -08:00
David Anderson
692a011b54 net/interfaces: remove IsTailscaleIP, make callers use tsaddr.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-01-26 15:10:51 -08:00
Josh Bleecher Snyder
7c1a9e8616 net/nettest: de-flake tests on Windows
Windows has a low resolution timer.
Some of the tests assumed that unblock takes effect immediately.

Consider:

    t := time.Now()
    elapsed := time.Now().After(t)

It seems plausible that elapsed should always be true.
However, with a low resolution timer, that might fail.

Change time.Now().After to !time.Now().Before,
so that unblocking always takes effect immediately.

Fixes #873.
2021-01-15 18:21:56 -08:00
Josh Bleecher Snyder
a64d06f15c net/nettest: remove pointless checks in tests
If err == nil, then !errors.Is(err, anything).
2021-01-15 18:21:56 -08:00
Josh Bleecher Snyder
503db5540f net/nettest: add missing check at end of TestLimit
This appears to have been an oversight.
2021-01-15 18:21:56 -08:00
Brad Fitzpatrick
b560386c1a net/packet, wgengine, tstun: add inter-node TSMP protocol for connect errors
This adds a new IP Protocol type, TSMP on protocol number 99 for
sending inter-tailscale messages over WireGuard, currently just for
why a peer rejects TCP SYNs (ACL rejection, shields up, and in the
future: nothing listening, something listening on that port but wrong
interface, etc)

Updates #1094
Updates tailscale/corp#1185

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-01-15 14:03:57 -08:00
Denton Gentry
ac42757cd7 netcheck: use reflect in sortRegions test.
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-01-12 04:29:28 -08:00
Denton Gentry
43e060b0e5 netcheck: test sortRegions
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-01-12 04:29:28 -08:00
Brad Fitzpatrick
5eeaea9ef9 net/packet: add TCPFlag type and some more constants
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-01-11 22:09:09 -08:00
Brad Fitzpatrick
ad3fb6125d net/flowtrack: add Tuple.String method
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-01-11 22:09:09 -08:00
Brad Fitzpatrick
676b5b7946 net/netcheck: improve the preferred DERP hysteresis
Users in Amsterdam (as one example) were flipping back and forth
between equidistant London & Frankfurt relays too much.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-01-11 14:50:47 -08:00
Brad Fitzpatrick
4d15e954bd net/flowtrack: add new package to specialize groupcache/lru key type
Reduces allocs.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-01-11 13:08:03 -08:00
Brad Fitzpatrick
66be052a70 net/dnscache: work on IPv6-only hosts (again)
This fixes the regression where we had stopped working on IPv6-only
hosts.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-01-06 19:53:13 -08:00
Josh Bleecher Snyder
1e88050403 net/tsaddr: add ChromeOS contains tests
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2020-12-28 16:48:43 -08:00
David Anderson
cb96b14bf4 net/packet: remove the custom IP4/IP6 types in favor of netaddr.IP.
Upstream netaddr has a change that makes it alloc-free, so it's safe to
use in hot codepaths. This gets rid of one of the many IP types in our
codebase.

Performance is currently worse across the board. This is likely due in
part to netaddr.IP being a larger value type (4b -> 24b for IPv4,
16b -> 24b for IPv6), and in other part due to missing low-hanging fruit
optimizations in netaddr. However, the regression is less bad than
it looks at first glance, because we'd micro-optimized packet.IP* in
the past few weeks. This change drops us back to roughly where we
were at the 1.2 release, but with the benefit of a significant
code and architectural simplification.

name                   old time/op    new time/op    delta
pkg:tailscale.com/net/packet goos:linux goarch:amd64
Decode/tcp4-8            12.2ns ± 5%    29.7ns ± 2%  +142.32%  (p=0.008 n=5+5)
Decode/tcp6-8            12.6ns ± 3%    65.1ns ± 2%  +418.47%  (p=0.008 n=5+5)
Decode/udp4-8            11.8ns ± 3%    30.5ns ± 2%  +157.94%  (p=0.008 n=5+5)
Decode/udp6-8            27.1ns ± 1%    65.7ns ± 2%  +142.36%  (p=0.016 n=4+5)
Decode/icmp4-8           24.6ns ± 2%    30.5ns ± 2%   +23.65%  (p=0.016 n=4+5)
Decode/icmp6-8           22.9ns ±51%    65.5ns ± 2%  +186.19%  (p=0.008 n=5+5)
Decode/igmp-8            18.1ns ±44%    30.2ns ± 1%   +66.89%  (p=0.008 n=5+5)
Decode/unknown-8         20.8ns ± 1%    10.6ns ± 9%   -49.11%  (p=0.016 n=4+5)
pkg:tailscale.com/wgengine/filter goos:linux goarch:amd64
Filter/icmp4-8           30.5ns ± 1%    77.9ns ± 3%  +155.01%  (p=0.008 n=5+5)
Filter/tcp4_syn_in-8     43.7ns ± 3%   123.0ns ± 3%  +181.72%  (p=0.008 n=5+5)
Filter/tcp4_syn_out-8    24.5ns ± 2%    45.7ns ± 6%   +86.22%  (p=0.008 n=5+5)
Filter/udp4_in-8         64.8ns ± 1%   210.0ns ± 2%  +223.87%  (p=0.008 n=5+5)
Filter/udp4_out-8         119ns ± 0%     278ns ± 0%  +133.78%  (p=0.016 n=4+5)
Filter/icmp6-8           40.3ns ± 2%   204.4ns ± 4%  +407.70%  (p=0.008 n=5+5)
Filter/tcp6_syn_in-8     35.3ns ± 3%   199.2ns ± 2%  +464.95%  (p=0.008 n=5+5)
Filter/tcp6_syn_out-8    32.8ns ± 2%    81.0ns ± 2%  +147.10%  (p=0.008 n=5+5)
Filter/udp6_in-8          106ns ± 2%     290ns ± 2%  +174.48%  (p=0.008 n=5+5)
Filter/udp6_out-8         184ns ± 2%     314ns ± 3%   +70.43%  (p=0.016 n=4+5)
pkg:tailscale.com/wgengine/tstun goos:linux goarch:amd64
Write-8                  9.02ns ± 3%    8.92ns ± 1%      ~     (p=0.421 n=5+5)

name                   old alloc/op   new alloc/op   delta
pkg:tailscale.com/net/packet goos:linux goarch:amd64
Decode/tcp4-8             0.00B          0.00B           ~     (all equal)
Decode/tcp6-8             0.00B          0.00B           ~     (all equal)
Decode/udp4-8             0.00B          0.00B           ~     (all equal)
Decode/udp6-8             0.00B          0.00B           ~     (all equal)
Decode/icmp4-8            0.00B          0.00B           ~     (all equal)
Decode/icmp6-8            0.00B          0.00B           ~     (all equal)
Decode/igmp-8             0.00B          0.00B           ~     (all equal)
Decode/unknown-8          0.00B          0.00B           ~     (all equal)
pkg:tailscale.com/wgengine/filter goos:linux goarch:amd64
Filter/icmp4-8            0.00B          0.00B           ~     (all equal)
Filter/tcp4_syn_in-8      0.00B          0.00B           ~     (all equal)
Filter/tcp4_syn_out-8     0.00B          0.00B           ~     (all equal)
Filter/udp4_in-8          0.00B          0.00B           ~     (all equal)
Filter/udp4_out-8         16.0B ± 0%     64.0B ± 0%  +300.00%  (p=0.008 n=5+5)
Filter/icmp6-8            0.00B          0.00B           ~     (all equal)
Filter/tcp6_syn_in-8      0.00B          0.00B           ~     (all equal)
Filter/tcp6_syn_out-8     0.00B          0.00B           ~     (all equal)
Filter/udp6_in-8          0.00B          0.00B           ~     (all equal)
Filter/udp6_out-8         48.0B ± 0%     64.0B ± 0%   +33.33%  (p=0.008 n=5+5)

name                   old allocs/op  new allocs/op  delta
pkg:tailscale.com/net/packet goos:linux goarch:amd64
Decode/tcp4-8              0.00           0.00           ~     (all equal)
Decode/tcp6-8              0.00           0.00           ~     (all equal)
Decode/udp4-8              0.00           0.00           ~     (all equal)
Decode/udp6-8              0.00           0.00           ~     (all equal)
Decode/icmp4-8             0.00           0.00           ~     (all equal)
Decode/icmp6-8             0.00           0.00           ~     (all equal)
Decode/igmp-8              0.00           0.00           ~     (all equal)
Decode/unknown-8           0.00           0.00           ~     (all equal)
pkg:tailscale.com/wgengine/filter goos:linux goarch:amd64
Filter/icmp4-8             0.00           0.00           ~     (all equal)
Filter/tcp4_syn_in-8       0.00           0.00           ~     (all equal)
Filter/tcp4_syn_out-8      0.00           0.00           ~     (all equal)
Filter/udp4_in-8           0.00           0.00           ~     (all equal)
Filter/udp4_out-8          1.00 ± 0%      1.00 ± 0%      ~     (all equal)
Filter/icmp6-8             0.00           0.00           ~     (all equal)
Filter/tcp6_syn_in-8       0.00           0.00           ~     (all equal)
Filter/tcp6_syn_out-8      0.00           0.00           ~     (all equal)
Filter/udp6_in-8           0.00           0.00           ~     (all equal)
Filter/udp6_out-8          1.00 ± 0%      1.00 ± 0%      ~     (all equal)

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-22 14:44:36 -08:00
Brad Fitzpatrick
d0baece5fa go.mod: bump inet.af/netaddr to non-allocating version 2020-12-22 14:25:32 -08:00
Brad Fitzpatrick
053a1d1340 all: annotate log verbosity levels on most egregiously spammy log prints
Fixes #924
Fixes #282

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-12-21 12:59:33 -08:00
David Anderson
baa7937998 net/interfaces: return IPv6 addresses from LocalAddresses.
In practice, we already provide IPv6 endpoint addresses via netcheck,
and that address is likely to match a local address anyway (i.e. no NAT66).
The comment at that piece of the code mentions needing to figure out a
good priority ordering, but that only applies to non-active-discovery
clients, who already don't do anything with IPv6 addresses.

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-19 13:50:44 -08:00
David Anderson
aa353b8d0f net/packet: add an IP6 constructor from a raw byte array.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-12-19 13:50:44 -08:00
Josh Bleecher Snyder
a6cad71fb2 go.mod: upgrade staticcheck to 0.1.0
Also run go.mod and fix some staticcheck warnings.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2020-12-14 14:01:29 -08:00
Brad Fitzpatrick
08f94b3b50 net/netcheck: fix offset of unspecified address in PCP request packet
Fixes #810
2020-12-08 15:22:26 -08:00
Brad Fitzpatrick
05e5233e07 net/netcheck: don't send flood of PCP unmap requests to router
Updates #810
2020-12-06 19:46:11 -08:00
Josh Bleecher Snyder
1ebbaaaebb net/interfaces: make syscall and netstat agree when multiple gateways are present
likelyHomeRouterIPDarwinSyscall iterates through the list of routes,
looking for a private gateway, returning the first one it finds.

likelyHomeRouterIPDarwinExec does the same thing,
except that it returns the last one it finds.

As a result, when there are multiple gateways,
TestLikelyHomeRouterIPSyscallExec fails.
(At least, I think that that is what is happening;
I am inferring from observed behavior.)

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2020-11-19 12:14:58 -08:00
Brad Fitzpatrick
5d96ecd5e6 net/netstat: remove a bit more unsafe
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-11-17 13:49:24 -08:00
David Anderson
3c508a58cc wgengine/filter: don't filter GCP DNS.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-16 14:08:27 -08:00
Brad Fitzpatrick
7a01cd27ca net/netstat: remove some unsafe
Just removing any unnecessary unsafe while auditing unsafe usage for #921.
2020-11-14 21:24:09 -08:00
Brad Fitzpatrick
45d96788b5 net/netns: remove use of unsafe on Windows
Found while auditing unsafe for #921 via the list at:

https://github.com/tailscale/tailscale/issues/921#issuecomment-727365383

No need for unsafe here, so remove it.
2020-11-14 19:53:10 -08:00
Josh Bleecher Snyder
b0526e8284 net/packet: remove unnecessary mark
There's no need to mask out the bottom four bits
of b[0] if we are about to shift them away.
2020-11-13 18:31:38 -08:00
Josh Bleecher Snyder
efad55cf86 net/packet: speed up packet decoding
The compiler is failing to draw the connection between
slice cap and slice len, so is missing some obvious BCE opportunities.
Give it a hint by making the cap equal to the length.
The generated code is smaller and cleaner, and a bit faster.

name              old time/op    new time/op    delta
Decode/tcp4-8       12.2ns ± 1%    11.6ns ± 3%  -5.31%  (p=0.000 n=28+29)
Decode/tcp6-8       12.5ns ± 2%    11.9ns ± 2%  -4.84%  (p=0.000 n=30+30)
Decode/udp4-8       11.5ns ± 1%    11.1ns ± 1%  -3.11%  (p=0.000 n=25+24)
Decode/udp6-8       11.8ns ± 3%    11.4ns ± 1%  -3.08%  (p=0.000 n=30+26)
Decode/icmp4-8      11.0ns ± 3%    10.6ns ± 1%  -3.38%  (p=0.000 n=25+30)
Decode/icmp6-8      11.4ns ± 1%    11.1ns ± 2%  -2.29%  (p=0.000 n=27+30)
Decode/igmp-8       10.3ns ± 0%    10.0ns ± 1%  -3.26%  (p=0.000 n=19+23)
Decode/unknown-8    8.68ns ± 1%    8.38ns ± 1%  -3.55%  (p=0.000 n=28+29)
2020-11-13 18:31:38 -08:00
David Anderson
2d604b3791 net/packet: represent IP6 as two uint64s.
For the operations we perform on these types (mostly net6.Contains),
this encoding is much faster.

Part of #19.

name                   old time/op    new time/op    delta
Filter/icmp4-8           27.5ns ± 1%    28.0ns ± 2%   +1.89%  (p=0.016 n=5+5)
Filter/tcp4_syn_in-8     38.8ns ± 2%    38.3ns ± 1%   -1.24%  (p=0.024 n=5+5)
Filter/tcp4_syn_out-8    27.6ns ±12%    24.6ns ± 1%     ~     (p=0.063 n=5+5)
Filter/udp4_in-8         71.5ns ± 5%    65.9ns ± 1%   -7.94%  (p=0.008 n=5+5)
Filter/udp4_out-8         132ns ±13%     119ns ± 1%  -10.29%  (p=0.008 n=5+5)
Filter/icmp6-8            169ns ±10%      54ns ± 1%  -68.35%  (p=0.008 n=5+5)
Filter/tcp6_syn_in-8      149ns ± 6%      43ns ± 1%  -71.11%  (p=0.008 n=5+5)
Filter/tcp6_syn_out-8    37.7ns ± 4%    24.3ns ± 3%  -35.51%  (p=0.008 n=5+5)
Filter/udp6_in-8          179ns ± 5%     103ns ± 1%  -42.75%  (p=0.008 n=5+5)
Filter/udp6_out-8         156ns ± 3%     191ns ± 1%  +22.54%  (p=0.008 n=5+5)

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-12 21:41:21 -08:00
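The two-uint64 encoding described in the commit above, as an added example written for this page rather than code from the repository: a prefix check becomes two AND-and-compare operations on machine words instead of a 16-byte loop. The IP6 and Net6 types, the ParseIP6/ParseNet6 helpers and the prefix fd7a:115c:a1e0::/48 used in main are this example's own assumptions, not the repo's net/packet API.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// IP6 stores a 128-bit address as two big-endian uint64 halves, so prefix
// matching is two masked compares instead of a byte loop. Example type,
// not the repo's own net/packet.IP6.
type IP6 struct {
	Hi, Lo uint64
}

// IP6FromBytes builds an IP6 from a 16-byte address.
func IP6FromBytes(b []byte) (IP6, bool) {
	if len(b) != 16 {
		return IP6{}, false
	}
	return IP6{
		Hi: binary.BigEndian.Uint64(b[:8]),
		Lo: binary.BigEndian.Uint64(b[8:]),
	}, true
}

// ParseIP6 parses a textual IPv6 address; IPv4 and IPv4-mapped input is rejected.
func ParseIP6(s string) (IP6, bool) {
	ip := net.ParseIP(s)
	if ip == nil || ip.To4() != nil {
		return IP6{}, false
	}
	return IP6FromBytes(ip.To16())
}

// Net6 is an IPv6 prefix: the masked base address plus a precomputed mask.
type Net6 struct {
	Base, Mask IP6
}

// mask6 returns the network mask for a prefix length of bits (0..128).
func mask6(bits int) IP6 {
	switch {
	case bits <= 0:
		return IP6{}
	case bits >= 128:
		return IP6{Hi: ^uint64(0), Lo: ^uint64(0)}
	case bits <= 64:
		return IP6{Hi: ^uint64(0) << (64 - uint(bits))}
	default:
		return IP6{Hi: ^uint64(0), Lo: ^uint64(0) << (128 - uint(bits))}
	}
}

// ParseNet6 parses "addr/bits" into a Net6.
func ParseNet6(s string) (Net6, bool) {
	_, ipnet, err := net.ParseCIDR(s)
	if err != nil || ipnet.IP.To4() != nil {
		return Net6{}, false
	}
	bits, total := ipnet.Mask.Size()
	if total != 128 {
		return Net6{}, false
	}
	base, ok := IP6FromBytes(ipnet.IP.To16())
	if !ok {
		return Net6{}, false
	}
	m := mask6(bits)
	// ParseCIDR already zeroes host bits, but mask again so Contains can
	// rely on Base being canonical whatever the caller constructed.
	base.Hi &= m.Hi
	base.Lo &= m.Lo
	return Net6{Base: base, Mask: m}, true
}

// Contains reports whether ip falls inside the prefix: two AND-and-compare
// operations on machine words, with no per-byte loop.
func (n Net6) Contains(ip IP6) bool {
	return ip.Hi&n.Mask.Hi == n.Base.Hi && ip.Lo&n.Mask.Lo == n.Base.Lo
}

func main() {
	n, _ := ParseNet6("fd7a:115c:a1e0::/48") // Tailscale's IPv6 ULA range
	for _, s := range []string{"fd7a:115c:a1e0:ab12::1", "fd7a:115c:a1e1::1", "2001:db8::1"} {
		ip, _ := ParseIP6(s)
		fmt.Printf("%s in fd7a:115c:a1e0::/48: %v\n", s, n.Contains(ip))
	}
}
```

Because the mask is precomputed once per prefix, a filter holding many prefixes pays only the two ANDs per packet; a prefix longer than 64 bits is handled by the default branch of mask6, which fills the high word and shifts the low one.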
David Anderson
04ff3c91ee wgengine/filter: add full IPv6 support.
Part of #19.

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-12 21:41:15 -08:00
Brad Fitzpatrick
a2d78b4d3e net/dnscache, control/controlclient: use DNS cache when dialing control
Cache DNS results of earlier login.tailscale.com control dials, and use
them for future dials if DNS is slow or broken.

Fixes various issues with trickier setups with the domain's DNS server
behind a subnet router.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-11-11 12:50:04 -08:00
Brad Fitzpatrick
97e82c6cc0 net/netcheck: remove unused DNSCache from netcheck
It's easy to add back later if/when the TODO is implemented.
2020-11-11 11:52:35 -08:00
Brad Fitzpatrick
19b0cfe89e all: prepare for GOOS=ios in Go 1.16
Work with either way for now on iOS (darwin/arm64 vs ios/arm64).

In February when Go 1.16 comes out we'll have a universal binary for
darwin/arm64 (macOS) and will drop support for Go 1.15 and its
darwin/amd64 meaning iOS. (it'll mean macOS).

Context:

* https://tip.golang.org/doc/go1.16#darwin
* https://github.com/golang/go/issues/38485
* https://github.com/golang/go/issues/42100
2020-11-11 09:17:04 -08:00
David Anderson
a38e28da07 net/packet: documentation pass.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-10 22:29:00 -08:00
David Anderson
c2cc3acbaf net/packet: remove NewIP, offer only a netaddr constructor.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-10 22:03:47 -08:00
David Anderson
d7ee3096dd net/packet: documentation cleanups.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-10 21:12:55 -08:00
David Anderson
9ef39af2f2 net/packet: fix panic on invalid IHL field.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-10 20:23:54 -08:00
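The two net/packet commits above (the invalid-IHL panic fix, and the earlier note that giving the compiler cap == len lets it elide bounds checks) are illustrated by this added example, which is not code from the repository. It decodes a fixed IPv4 header with a three-index slice and rejects an IHL below 5 words or larger than the buffer before any offset is used. The Header4 type, Decode4, the error values and the constructed UDP packet in SamplePacket are this example's own; 100.64.0.1/2 and port 41641 are just sample values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Header4 holds the IPv4 fields decoded below. Example type, not the
// repo's net/packet.Parsed.
type Header4 struct {
	HdrLen   int  // IHL in bytes (20..60)
	TotalLen int  // total length field from the header
	Proto    byte // IP protocol number
	Src, Dst [4]byte
	Payload  []byte // bytes after the header, up to TotalLen
}

var (
	ErrShort   = errors.New("ipv4: packet shorter than its header claims")
	ErrVersion = errors.New("ipv4: not an IPv4 packet")
	ErrBadIHL  = errors.New("ipv4: header length below the 20-byte minimum")
)

// Decode4 parses the fixed IPv4 header out of b.
func Decode4(b []byte) (Header4, error) {
	if len(b) < 20 {
		return Header4{}, ErrShort
	}
	if b[0]>>4 != 4 {
		return Header4{}, ErrVersion
	}
	// IHL is in 32-bit words. RFC 791 requires at least 5 (20 bytes); a
	// crafted packet with IHL<5 would otherwise put later offsets past the
	// header, and an IHL larger than the buffer would index out of range.
	hdrLen := int(b[0]&0x0f) * 4
	if hdrLen < 20 {
		return Header4{}, ErrBadIHL
	}
	if hdrLen > len(b) {
		return Header4{}, ErrShort
	}
	// Three-index slice: with cap == len the compiler can prove every
	// constant index below is in range and drop the bounds checks.
	hdr := b[:hdrLen:hdrLen]
	h := Header4{
		HdrLen:   hdrLen,
		TotalLen: int(binary.BigEndian.Uint16(hdr[2:4])),
		Proto:    hdr[9],
	}
	copy(h.Src[:], hdr[12:16])
	copy(h.Dst[:], hdr[16:20])
	if h.TotalLen < hdrLen || h.TotalLen > len(b) {
		return Header4{}, ErrShort
	}
	h.Payload = b[hdrLen:h.TotalLen]
	return h, nil
}

// SamplePacket builds a constructed IPv4/UDP packet (checksums left zero)
// for demonstration; it is not captured traffic.
func SamplePacket() []byte {
	b := make([]byte, 28)
	b[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(b[2:4], 28)
	b[8] = 64 // TTL
	b[9] = 17 // UDP
	copy(b[12:16], net.IPv4(100, 64, 0, 1).To4())
	copy(b[16:20], net.IPv4(100, 64, 0, 2).To4())
	binary.BigEndian.PutUint16(b[20:22], 41641) // UDP src port
	binary.BigEndian.PutUint16(b[22:24], 41641) // UDP dst port
	binary.BigEndian.PutUint16(b[24:26], 8)     // UDP length
	return b
}

func main() {
	h, err := Decode4(SamplePacket())
	fmt.Printf("%+v err=%v\n", h, err)
	bad := SamplePacket()
	bad[0] = 0x43 // IHL 3: invalid, must be rejected rather than panic
	_, err = Decode4(bad)
	fmt.Println("IHL=3:", err)
}
```

Running `go build -gcflags=-d=ssa/check_bce/debug=1` on a file like this shows which index expressions still carry a bounds check; the ones against hdr should not, while the same code written against b would.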
David Anderson
22bf48f37c net/packet: remove {get,put}{16,32} indirection to encoding/binary.
name              old time/op    new time/op    delta
Decode/tcp4-8       28.8ns ± 2%    13.1ns ± 4%  -54.44%  (p=0.008 n=5+5)
Decode/tcp6-8       20.6ns ± 1%    12.6ns ± 2%  -38.72%  (p=0.008 n=5+5)
Decode/udp4-8       28.2ns ± 1%    12.1ns ± 4%  -57.01%  (p=0.008 n=5+5)
Decode/udp6-8       20.0ns ± 6%    12.1ns ± 2%  -39.38%  (p=0.008 n=5+5)
Decode/icmp4-8      21.7ns ± 2%    11.5ns ± 1%  -47.01%  (p=0.008 n=5+5)
Decode/icmp6-8      14.1ns ± 2%    11.8ns ± 4%  -16.60%  (p=0.008 n=5+5)
Decode/unknown-8    9.43ns ± 2%    9.30ns ± 3%     ~     (p=0.222 n=5+5)

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-10 20:23:54 -08:00
David Anderson
55b1221db2 net/packet: support full IPv6 decoding.
The packet filter still rejects all IPv6, but decodes enough from v6
packets to do something smarter in a followup.

name              time/op
Decode/tcp4-8     28.8ns ± 2%
Decode/tcp6-8     20.6ns ± 1%
Decode/udp4-8     28.2ns ± 1%
Decode/udp6-8     20.0ns ± 6%
Decode/icmp4-8    21.7ns ± 2%
Decode/icmp6-8    14.1ns ± 2%
Decode/unknown-8  9.43ns ± 2%

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-10 20:23:54 -08:00
David Anderson
89894c6930 net/packet: add IPv6 source and destination IPs to Parsed.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-10 20:23:54 -08:00
Brad Fitzpatrick
d192bd0f86 net/interfaces: ignore bogus proxy URLs from winhttp [windows]
Updates tailscale/corp#853
2020-11-10 11:30:18 -08:00
David Anderson
6e52633c53 net/packet: record allocations in benchmark. 2020-11-10 02:19:55 -08:00
David Anderson
093431f5dd net/packet: s/ParsedPacket/Parsed/ to avoid package stuttering.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-09 23:52:54 -08:00
David Anderson
427bf2134f net/packet: rename from wgengine/packet.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-11-09 16:25:24 -08:00
Brad Fitzpatrick
1036f51a56 net/tshttpproxy: aggressively rate-limit error logs in Transport.Proxy path
Otherwise log upload HTTP requests generate proxy errors which
generate logs which generate HTTP requests which generate proxy
errors which generate more logs, etc.

Fixes #879
2020-11-03 09:23:57 -08:00
Brad Fitzpatrick
7ac91c15bd net/netcheck: fix tests on Windows
Updates #50
2020-10-28 09:10:35 -07:00
Brad Fitzpatrick
fd2a30cd32 wgengine/magicsock: make test pass on Windows and without firewall dialog box
Updates #50
2020-10-28 09:02:08 -07:00
David Anderson
5c35c35e7f tsaddr: add helpers for the Tailscale IPv6 range, and 4to6 conversion.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-10-15 15:15:24 -07:00
Brad Fitzpatrick
551e1e99e9 net/netns: don't bind to device for localhost connections
Fixes derphttp test failures on Windows (for #50).
2020-10-13 15:24:07 -07:00
Alex Brainman
f2ce64f0c6 wgengine/router: unfork winipcfg-go package, use upstream
Use golang.zx2c4.com/wireguard/windows/tunnel/winipcfg
instead of github.com/tailscale/winipcfg-go package.

Updates #760

Signed-off-by: Alex Brainman <alex.brainman@gmail.com>
2020-10-13 09:21:22 -07:00
Brad Fitzpatrick
6ee219a25d ipn, wgengine, magicsock, tsdns: be quieter and less aggressive when offline
If no interfaces are up, calm down and stop spamming so much. It was
noticed as especially bad on Windows, but probably was bad
everywhere. I just have the best network conditions testing on a
Windows VM.

Updates #604
2020-10-06 15:26:53 -07:00
Brad Fitzpatrick
587bdc4280 ipn, wgengine: disable subnet routes if network has PAC configuration
Not configurable yet.

Updates tailscale/corp#653

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-10-05 21:04:23 -07:00
Brad Fitzpatrick
ed5d5f920f net/interfaces: add interfaces.State.String method 2020-10-02 12:15:05 -07:00
Brad Fitzpatrick
cab3eb995f net/interfaces: quiet PAC detection logging in no-PAC case, add benchmark 2020-10-01 22:02:39 -07:00
Brad Fitzpatrick
8051ecff55 net/interfaces: add State.PAC field, populate it on Windows
Not used for anything yet (except logging), but populate the current
proxy autoconfig PAC URL in Interfaces.State.

A future change will do things based on it.
2020-10-01 15:33:37 -07:00
Brad Fitzpatrick
8893c2ee78 net/interfaces, net/netns: move default route interface code to interfaces
To populate interfaces.State.DefaultRouteInterface.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-09-22 19:02:17 -07:00
Brad Fitzpatrick
fda9dc8815 net/netns: document Windows socket binding a bit more
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-09-22 13:05:26 -07:00
Brad Fitzpatrick
963b927d5b net/tshttpproxy: appease staticcheck 2020-09-21 15:01:30 -07:00
Brad Fitzpatrick
5bcac4eaac net/tshttpproxy: add GetProxyForURL negative cache
Otherwise when PAC server is down, we log, and each log entry is a new
HTTP request (from logtail) and a new GetProxyForURL call, which again
logs, non-stop. This is also nicer to the WinHTTP service.

Then also hook up link change notifications to the cache to reset it
if there's a chance the network might work sooner.
2020-09-21 14:05:28 -07:00
David Anderson
8f5b52e571 net/netns: add windows support.
Also remove rebinding logic from the windows router. Magicsock will
instead rebind based on link change signals.

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-09-14 16:28:49 -07:00
Brad Fitzpatrick
40e12c17ec net/netcheck: remove mistaken double Mutex.Unlock in error path
Thanks to @dotaheor for noticing.

Fixes #751
2020-09-11 07:55:49 -07:00
Brad Fitzpatrick
f65eb4e5c1 net/netstat: start of new netstat package, with Windows for now
This will be used in a future change to do localhost connection
authentication. This lets us quickly map a localhost TCP connection to
a PID. (A future change will then map a pid to a user)

TODO: pull portlist's netstat code into this package. Then portlist
will be fast on Windows without requiring shelling out to netstat.exe.
2020-09-10 15:24:49 -07:00
Brad Fitzpatrick
9c25968b63 net/tshttpproxy: fix typo in Windows code added at last second
I ran tests & vet & staticcheck, but for Linux, not Windows.
(#728 would be nice)
2020-09-02 21:25:38 -07:00
Brad Fitzpatrick
b026a638c7 net/tshttpproxy: if winhttp.GetProxyForURL blocks too long, use previous value
We currently have a chicken-and-egg situation in some environments
where we can set up routes that WinHTTP's WPAD/PAC resolution service
needs to download the PAC file to evaluate GetProxyForURL, but the PAC
file is behind a route for which we need to call GetProxyForURL to
e.g. dial a DERP server.

As a short-term fix, just assume that the most recently returned proxy
is good enough for such situations.
2020-09-02 21:15:36 -07:00
Brad Fitzpatrick
74ee374667 net/tshttpproxy: add more winhttp logging
Notably around duration of calls.
2020-08-28 21:37:49 -07:00
Brad Fitzpatrick
1e0be5a458 tshttp, derphttp: send Proxy-Authorization, not Authorization, to proxies
Whoops. But weirdly, sending Authorization sometimes worked?
2020-08-28 21:01:00 -07:00
Brad Fitzpatrick
2bac125cad net/tshttpproxy: move the TS_DEBUG_FAKE_PROXY_AUTH knob up a level 2020-08-27 08:17:57 -07:00
Brad Fitzpatrick
28f9cd06f5 tshttpproxy, controlclient, derphttp, logpolicy: send Negotiate auth to proxies
For Windows only, and only when built with Tailscale's Go tree.

Updates tailscale/corp#583
2020-08-26 20:08:05 -07:00
Brad Fitzpatrick
f915ab6552 net/tshttpproxy: add start of Kerberos Negotiate auth to proxies on Windows
For now only used by a new cmd/tailscale debug --get-url
subcommand. Not yet wired up to the places making HTTP requests.

Updates tailscale/corp#583
2020-08-25 13:49:06 -07:00
renthraysk
10cad39abd net/stun: Fix STUN attribute padding (#710)
net/stun: fix STUN attribute padding

Signed-off-by: RenThraysk <renthraysk@gmail.com>
2020-08-24 12:52:13 -07:00
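The attribute padding the commit above fixes, shown as an added example that is not the repository's net/stun code: STUN (RFC 5389) attributes are type/length/value, the length counts only the value, and the value is zero-padded so the next attribute starts on a 4-byte boundary. An encoder that forgets the padding, or a parser that advances by the raw length, desynchronises on any value whose size is not a multiple of 4. AppendAttr, ParseAttrs and the Attr type are this example's own names; the two type codes are real ones from the RFC.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Real STUN attribute type codes from RFC 5389.
const (
	attrUsername = 0x0006
	attrSoftware = 0x8022
)

// Attr is one decoded STUN attribute.
type Attr struct {
	Type  uint16
	Value []byte
}

// pad4 rounds n up to the next multiple of 4.
func pad4(n int) int { return (n + 3) &^ 3 }

var (
	errTooLarge  = errors.New("stun: attribute value exceeds 65535 bytes")
	errTruncated = errors.New("stun: truncated attribute")
)

// AppendAttr appends one attribute: 2-byte type, 2-byte length of the
// unpadded value, the value, then zero bytes up to a 4-byte boundary.
func AppendAttr(b []byte, typ uint16, v []byte) ([]byte, error) {
	if len(v) > 0xffff {
		return b, errTooLarge
	}
	var hdr [4]byte
	binary.BigEndian.PutUint16(hdr[0:2], typ)
	binary.BigEndian.PutUint16(hdr[2:4], uint16(len(v)))
	b = append(b, hdr[:]...)
	b = append(b, v...)
	for i := len(v); i < pad4(len(v)); i++ {
		b = append(b, 0)
	}
	return b, nil
}

// ParseAttrs walks the attribute area of a STUN message. The length field
// counts only the value, so the cursor must advance by pad4(n); advancing
// by n desynchronises on any value whose length is not a multiple of 4.
func ParseAttrs(b []byte) ([]Attr, error) {
	var out []Attr
	for len(b) > 0 {
		if len(b) < 4 {
			return nil, errTruncated
		}
		typ := binary.BigEndian.Uint16(b[0:2])
		n := int(binary.BigEndian.Uint16(b[2:4]))
		b = b[4:]
		if pad4(n) > len(b) {
			return nil, errTruncated // value or its padding is missing
		}
		out = append(out, Attr{Type: typ, Value: append([]byte(nil), b[:n]...)})
		b = b[pad4(n):]
	}
	return out, nil
}

func main() {
	var b []byte
	b, _ = AppendAttr(b, attrSoftware, []byte("ts"))    // 2-byte value, 2 bytes of padding
	b, _ = AppendAttr(b, attrUsername, []byte("hello")) // 5-byte value, 3 bytes of padding
	attrs, err := ParseAttrs(b)
	fmt.Printf("%d bytes on the wire, %d attributes, err=%v\n", len(b), len(attrs), err)
	for _, a := range attrs {
		fmt.Printf("  type 0x%04x value %q\n", a.Type, a.Value)
	}
}
```

The parser checks pad4(n) against the remaining bytes rather than n, so a message whose last value arrived without its padding is rejected instead of being read past the end of the buffer.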
Brad Fitzpatrick
9be1917c5b net/tshttpproxy: discard secondary Windows proxies for now 2020-08-24 09:21:33 -07:00
Brad Fitzpatrick
1e562886f5 net/netcheck: in verbose mode, probe all regions
So 'tailscale netcheck --verbose' shows all regions' latencies.
2020-08-19 20:47:17 -07:00
Brad Fitzpatrick
c5eb57f4d6 net/tshttpproxy: new package, support WPAD/PAC proxies on Windows
Updates tailscale/corp#553

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-08-18 15:40:56 -07:00
Brad Fitzpatrick
dbb4c246fa wgengine/monitor: add Windows linkchange monitor
Updates tailscale/corp#553

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-08-13 07:39:26 -07:00
Brad Fitzpatrick
b97aac1718 net/interfaces: include DefaultRouteInterface in interfaces.State
And log it in wgengine on change. Changing bug in #643.

Updates #643
2020-08-12 12:48:34 -07:00
Josh Bleecher Snyder
a9b1e3f9e8 net/interfaces: remove old debug old
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2020-08-10 14:28:16 -07:00
Brad Fitzpatrick
25b021388b net/netns, net/interfaces: move defaultRouteInterface, add Android fallback
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-08-10 13:02:47 -07:00
Josh Bleecher Snyder
a16a793605 net/interfaces: use syscalls to find private gateway IP address
iOS doesn't let you run subprocesses,
which means we can't use netstat to get routing information.
Instead, use syscalls and grub around in the results.
We keep the old netstat version around,
both for use in non-cgo builds,
and for use testing the syscall-based version.

Note that iOS doesn't ship route.h,
so we include a copy here from the macOS 10.15 SDK
(which is itself unchanged from the 10.14 SDK).

I have tested manually that this yields the correct
gateway IP address on my own macOS and iOS devices.
More coverage would be most welcome.

Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>
2020-08-04 15:45:56 -07:00
Dmytro Shynkevych
28e52a0492 all: dns refactor, add Proxied and PerDomain flags from control (#615)
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
2020-07-31 16:27:09 -04:00
Brad Fitzpatrick
c253d4f948 net/interfaces: don't try to fork on iOS in likelyHomeRouterIPDarwin
No subprocesses allowed on iOS. Will need to do this differently later.
2020-07-31 10:35:15 -07:00
Brad Fitzpatrick
33a748bec1 net/interfaces: fix likelyHomeRouterIP on Android 2020-07-28 09:12:04 -07:00
David Anderson
a2b4ad839b net/netcheck: lower the hairpin check timeout to 100ms.
This single check is the long pole for netcheck, and significantly slows down magicsock
tests.

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-07-27 14:09:54 -07:00
David Anderson
25288567ec net/netcheck: centralize all clock values in one place.
This makes it easier to see how long a netcheck might take, and what
the slow bits might be.

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-07-27 14:09:54 -07:00
David Anderson
d60917c0f1 wgengine/router: switch packet marks to avoid conflict with Weave Net.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-07-22 01:24:46 +00:00
Brad Fitzpatrick
10ac066013 all: fix vet warnings 2020-07-16 08:39:38 -07:00
Brad Fitzpatrick
723b9eecb0 net/interfaces: set SysProcAttr.HideWindow to prevent cmd.exe flash on Windows 2020-07-15 12:43:48 -07:00
Brad Fitzpatrick
6c74065053 wgengine/magicsock, tstest/natlab: start hooking up natlab to magicsock
Also adds ephemeral port support to natlab.

Work in progress.

Pairing with @danderson.
2020-07-10 14:32:58 -07:00
Brad Fitzpatrick
ecf5d69c7c net/netcheck: add missing comment asked for in earlier code review 2020-07-08 15:26:56 -07:00
Brad Fitzpatrick
742b8b44a8 net/tsaddr: new package to hold Tailscale-specific IPs/ranges
And update existing callers with (near) duplicated cases.
2020-07-06 22:33:29 -07:00
Brad Fitzpatrick
5c6d8e3053 netcheck, tailcfg, interfaces, magicsock: survey UPnP, NAT-PMP, PCP
Don't do anything with UPnP, NAT-PMP, PCP yet, but see how common they
are in the wild.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-07-06 15:25:35 -07:00
Brad Fitzpatrick
32156330a8 net/interfaces: add func LikelyHomeRouterIP
For discovering where we might direct NAT-PMP/PCP/UPnP queries at in
the future.
2020-07-06 10:38:00 -07:00
Brad Fitzpatrick
cf74e9039e net/netcheck: add an informative payload in the netcheck UDP helper packets
Per comment from @normanr:
0a5ab533c1 (r40401954)

Updates #188
2020-07-06 09:55:11 -07:00
Brad Fitzpatrick
0a5ab533c1 net/netcheck: send dummy packet out to help airport extreme in hairpin check
At least the Apple Airport Extreme doesn't allow hairpin
sends from a private socket until it's seen traffic from
that src IP:port to something else out on the internet.

See https://github.com/tailscale/tailscale/issues/188#issuecomment-600728643

And it seems that even sending to a likely-filtered RFC 5737
documentation-only IPv4 range is enough to set up the mapping.
So do that for now. In the future we might want to classify networks
that do and don't require this separately. But for now help it.

I've confirmed that this is enough to fix the hairpin check on Avery's
home network, even using the RFC 5737 IP.

Fixes #188
2020-07-06 08:24:22 -07:00
Brad Fitzpatrick
2d6e84e19e net/netcheck, wgengine/magicsock: replace more UDPAddr with netaddr.IPPort 2020-06-30 13:25:13 -07:00
Quoc-Viet Nguyen
15a23ce65f net/stun: Remove unreachable code
- Reuse IP length constants from net package.
- Remove beu16 to make endianness functions consistent.

Signed-off-by: Quoc-Viet Nguyen <afelion@gmail.com>
2020-06-15 07:55:21 -07:00
Brad Fitzpatrick
deb113838e net/netcheck: use logger.ArgWriter in logConciseReport, fix comma bug, add tests 2020-06-11 21:37:15 -07:00
Brad Fitzpatrick
24009241bf net/netns: move SOCKS dialing to netns for now
This lets control & logs also use SOCKS dials.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-06-01 11:00:03 -07:00
Brad Fitzpatrick
cf0d19f0ab net/tlsdial, derp/derphttp: finish DERPNode.CertName validation 2020-06-01 09:01:37 -07:00
Brad Fitzpatrick
a5d6c9d616 net/netns: optimize defaultRouteInterface a bit
It'll be called a bunch, so worth a bit of effort. Could go further, but not yet.
(really, should hook into wgengine/monitor and only re-read on netlink changes?)

name                     old time/op    new time/op    delta
DefaultRouteInterface-8    60.8µs ±11%    44.6µs ± 5%  -26.65%  (p=0.000 n=20+19)

name                     old alloc/op   new alloc/op   delta
DefaultRouteInterface-8    3.29kB ± 0%    0.55kB ± 0%  -83.21%  (p=0.000 n=20+20)

name                     old allocs/op  new allocs/op  delta
DefaultRouteInterface-8      9.00 ± 0%      6.00 ± 0%  -33.33%  (p=0.000 n=20+20)
2020-05-31 15:37:09 -07:00
Brad Fitzpatrick
becce82246 net/netns, misc tests: remove TestOnlySkipPrivilegedOps, argv checks
The netns UID check is sufficient for now. We can do something else
later if/when needed.
2020-05-31 14:40:18 -07:00
Brad Fitzpatrick
7a410f9236 net/netns: unindent, refactor to remove some redundant code
Also:
* always error on Control failing. That's very unexpected.
* pull out sockopt funcs into their own funcs for easier future testing
2020-05-31 14:29:54 -07:00
Brad Fitzpatrick
45b139d338 net/netns: remove redundant build tag
Filename is sufficient.
2020-05-31 14:05:54 -07:00
Brad Fitzpatrick
dcd7a118d3 net/netns: add a test that tailscaleBypassMark stays in sync between packages 2020-05-31 14:02:13 -07:00
Brad Fitzpatrick
1e837b8e81 net/netns: refactor the sync.Once usage a bit 2020-05-31 14:01:20 -07:00
Avery Pennarun
e7ae6a2e06 net/netns, wgengine/router: support Linux machines that don't have 'ip rule'.
We'll use SO_BINDTODEVICE instead of fancy policy routing. This has
some limitations: for example, we will route all traffic through the
interface that has the main "default" (0.0.0.0/0) route, so machines
that have multiple physical interfaces might have to go through DERP to
get to some peers. But machines with multiple physical interfaces are
very likely to have policy routing (ip rule) support anyway.

So far, the only OS I know of that needs this feature is ChromeOS
(crostini). Fixes #245.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-31 04:31:01 -04:00
Brad Fitzpatrick
765695eaa2 net/netns: also don't err on tailscaled -fake as a regular user
That's one of my dev workflows.
2020-05-29 22:40:26 -07:00
Brad Fitzpatrick
7f68e097dd net/netcheck: fix HTTPS fallback bug from earlier today
My earlier 3fa58303d0 tried to implement
the net/http.Transport.DialTLSContext hook, but I didn't return a
*tls.Conn, so we ended up sending a plaintext HTTP request to an HTTPS
port. The response ended up being Go telling as such, not the
/derp/latency-check handler's response (which is currently still a
404). But we didn't even get the 404.

This happened to work well enough because Go's built-in error response
was still a valid HTTP response that we can measure for timing
purposes, but it's not a great answer. Notably, it means we wouldn't
be able to get a future handler to run server-side and count those
latency requests.
2020-05-29 22:33:08 -07:00
Brad Fitzpatrick
1407540b52 net/netns: don't return an error if we're not root and running the tailscale binary
tailscale netcheck was broken otherwise.

We can fix this a better way later; I'm just fixing a regression in
some way because I'm trying to work on netcheck at the moment.
2020-05-29 21:58:31 -07:00
David Anderson
5114df415e net/netns: set the bypass socket mark on linux.
This allows tailscaled's own traffic to bypass Tailscale-managed routes,
so that things like tailscale-provided default routes don't break
tailscaled itself.

Progress on #144.

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-29 15:16:58 -07:00
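The bypass socket mark from the commit above, and the SO_BINDTODEVICE fallback for machines without 'ip rule' support described in the later net/netns commit on this page, as an added example that is not the repository's net/netns code. A net.Dialer Control hook sets SO_MARK on every socket tailscaled opens for itself, optionally pins it to an interface, and refuses to dial if either setsockopt fails, so its own control and DERP traffic can never be routed back into the tunnel. The mark value 0x80000, the names bypassControl and NewBypassDialer, and the loopback dial in main are this example's assumptions; the matching fwmark policy-routing rule is the router's side of the contract and is not shown. Linux only: SO_MARK needs CAP_NET_ADMIN, and without it the dial fails closed.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"syscall"
	"time"
)

// tailscaleBypassMark is the fwmark applied to tailscaled's own sockets so a
// matching policy-routing rule can steer them around Tailscale-managed routes.
// The value is assumed for this example; the real constant lives in the repo.
const tailscaleBypassMark = 0x80000

// bypassControl returns a net.Dialer Control hook that marks the socket and,
// when ifname is non-empty, pins it to that interface with SO_BINDTODEVICE
// (the fallback for systems without 'ip rule' support). Linux only.
func bypassControl(ifname string) func(network, address string, c syscall.RawConn) error {
	return func(network, address string, c syscall.RawConn) error {
		var sockErr error
		err := c.Control(func(fd uintptr) {
			sockErr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, tailscaleBypassMark)
			if sockErr != nil || ifname == "" {
				return
			}
			sockErr = syscall.SetsockoptString(int(fd), syscall.SOL_SOCKET, syscall.SO_BINDTODEVICE, ifname)
		})
		if err != nil {
			return err
		}
		// Refuse to dial unmarked: a socket that silently missed the mark
		// would follow the tunnel's routes and could loop or black-hole.
		return sockErr
	}
}

// NewBypassDialer builds a Dialer whose every socket gets the bypass mark.
func NewBypassDialer(ifname string) *net.Dialer {
	return &net.Dialer{
		Timeout: 5 * time.Second,
		Control: bypassControl(ifname),
	}
}

func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		fmt.Println("listen:", err)
		return
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err == nil {
			c.Close()
		}
	}()
	c, err := NewBypassDialer("").DialContext(context.Background(), "tcp", ln.Addr().String())
	if err != nil {
		// SO_MARK needs CAP_NET_ADMIN; without it the dial fails closed.
		fmt.Println("dial:", err)
		return
	}
	c.Close()
	fmt.Printf("dialled with fwmark 0x%x\n", tailscaleBypassMark)
}
```

The same Control hook can be handed to net.ListenConfig for the UDP sockets used by STUN and WireGuard. Failing closed matters: the router and netns packages must agree on the mark value (the later "stays in sync" test on this page guards exactly that), and a socket opened without it is the one that would get captured by a Tailscale default route.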
Brad Fitzpatrick
3fa58303d0 netcheck: address some HTTP fallback measurement TODOs 2020-05-29 13:34:09 -07:00
Brad Fitzpatrick
7247e896b5 net/netcheck: add Report.IPv4 and another TODO 2020-05-29 12:41:30 -07:00
David Anderson
e9f7d01b91 derp/derphttp: make DERP client use netns for dial-outs. 2020-05-28 23:48:08 +00:00
Brad Fitzpatrick
9e3ad4f79f net/netns: add package for start of network namespace support
And plumb in netcheck STUN packets.

TODO: derphttp, logs, control.

Updates #144

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-05-28 16:20:16 -07:00
Brad Fitzpatrick
0245bbe97b Make netcheck handle v6-only interfaces better, faster.
Also:

* add -verbose flag to cmd/tailscale netcheck
* remove some API from the interfaces package
* convert some of the interfaces package to netaddr.IP
* don't even send IPv4 probes on machines with no IPv4 (or only v4
  loopback)
* and once three regions have replied, stop waiting for other probes
  at 2x the slowest duration.

Updates #376
2020-05-28 10:04:20 -07:00
Avery Pennarun
7cd9ff3dde net/netcheck: fix race condition initializing RegionLatency maps.
Under some conditions, code would try to look things up in the maps
before the first call to updateLatency. I don't see any reason to delay
initialization of the maps, so let's just init them right away when
creating the Report instance.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-28 03:41:37 -04:00
Brad Fitzpatrick
b0c10fa610 stun, netcheck: move under net 2020-05-25 09:18:24 -07:00
David Anderson
657f331e8b net/dnscache: remove unnecessary lint warning. 2020-04-30 20:31:44 -07:00
Elias Naur
ad0795efc2 net/dnscache: don't use the Go resolver on Android
The local resolver is not available for apps on Android.

Signed-off-by: Elias Naur <mail@eliasnaur.com>
2020-04-27 12:04:39 -07:00
Brad Fitzpatrick
2244cca5ff net/tlsdial: update package doc to say it's now somewhat useless 2020-04-27 08:17:18 -07:00
Brad Fitzpatrick
172d72a060 Revert "net/tlsdial: add memory-optimized TLS cert verification path for iOS"
This reverts commit 6fcbd4c4d4.

Decided to put it in tailscale/go's crypto/x509 instead.
2020-04-27 08:13:37 -07:00
Brad Fitzpatrick
6fcbd4c4d4 net/tlsdial: add memory-optimized TLS cert verification path for iOS
Behind a build tag for now.
2020-04-25 13:55:51 -07:00
Brad Fitzpatrick
b6fa5a69be net/tlsdial: add package for TLS dials, and make DERP & controlclient use it
This will do the iOS-optimized cert checking in a following change.
2020-04-25 13:24:53 -07:00
Brad Fitzpatrick
c0697e1feb net/interfaces: add IsExpensive and up state to State
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-04-10 20:25:12 -07:00
Brad Fitzpatrick
a4ef345737 cmd/tailscale: add status subcommand
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-03-27 20:34:36 -07:00
David Anderson
315a5e5355 scripts: add a license header checker.
Signed-off-by: David Anderson <dave@natulte.net>
2020-03-17 21:34:44 -07:00
David Crawshaw
41ac4a79d6 net/nettest: new package with net-like testing primitives
This is a lot like wiring up a local UDP socket, read and write
deadlines work. The big difference is the Block feature, which
lets you stop the packet flow without breaking the connection.
This lets you emulate broken sockets and test timeouts actually
work.

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2020-03-12 14:42:48 -04:00
Brad Fitzpatrick
023df9239e Move linkstate boring change filtering to magicsock
So we can at least re-STUN on boring updates.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-03-10 12:50:03 -07:00
Brad Fitzpatrick
5c1e443d34 wgengine/monitor: don't call LinkChange when interfaces look unchanged
Basically, don't trust the OS-level link monitor to only tell you
interesting things. Sanity check it.

Also, move the interfaces package into the net directory now that we
have it.
2020-03-10 11:03:19 -07:00
Brad Fitzpatrick
bd0e20f351 net/dnscache: ignore annoying staticcheck check 2020-03-09 22:12:22 -07:00
Brad Fitzpatrick
d44325295e net/dnscache: initialize the single Resolver more directly 2020-03-09 21:05:01 -07:00
David Crawshaw
cac68fe102 net/dnscache: do not PreferGo on macOS/iOS
With this commit my iPhone can now DERP.
2020-03-09 14:20:09 -04:00
Brad Fitzpatrick
8f0fd01efd net/dnscache: add copyright header to test 2020-03-09 11:07:31 -07:00
David Crawshaw
5a1ce4adae net/dnscache: parse passed CIDR
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2020-03-09 13:11:35 -04:00
Brad Fitzpatrick
2cff9016e4 net/dnscache: add overly simplistic DNS cache package for selective use
I started to write a full DNS caching resolver and I realized it was
overkill and wouldn't work on Windows even in Go 1.14 yet, so I'm
doing this tiny one instead for now, just for all our netcheck STUN
derp lookups, and connections to DERP servers. (This will be caching a
exactly 8 DNS entries, all ours.)

Fixes #145 (can be better later, of course)
2020-03-05 12:23:37 -08:00
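The "overly simplistic" cache described in the commit above, and its later use for control dials when DNS is slow or broken (the net/dnscache, control/controlclient commit earlier on this page), as an added example that is not the repository's net/dnscache code. Live DNS is tried under a timeout; a good answer refreshes the cache, and a failure or timeout falls back to the last good answer for that host, so a control server reachable only through a subnet router can still be dialled after its DNS server stops answering. The Resolver type, LookupFunc, the stale return value and the constructed flakyLookup are this example's own; 203.0.113.10 is an RFC 5737 documentation address standing in for a real answer.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"sync"
	"time"
)

// LookupFunc is the live resolver; SystemLookup adapts the Go resolver to it,
// and tests inject a fake.
type LookupFunc func(ctx context.Context, host string) ([]net.IP, error)

// Resolver answers from live DNS when it works, and otherwise from the last
// good answer for that host. Example type, not the repo's net/dnscache.
type Resolver struct {
	lookup  LookupFunc
	timeout time.Duration // patience for live DNS before using the cache

	mu    sync.Mutex
	cache map[string][]net.IP // host -> last successful answer
}

func NewResolver(lookup LookupFunc, timeout time.Duration) *Resolver {
	return &Resolver{lookup: lookup, timeout: timeout, cache: make(map[string][]net.IP)}
}

// LookupIP returns addresses for host. stale is true when the answer came
// from the cache because live DNS failed or exceeded the timeout.
func (r *Resolver) LookupIP(ctx context.Context, host string) (ips []net.IP, stale bool, err error) {
	lctx, cancel := context.WithTimeout(ctx, r.timeout)
	defer cancel()
	ips, err = r.lookup(lctx, host)
	if err == nil && len(ips) > 0 {
		r.mu.Lock()
		r.cache[host] = append([]net.IP(nil), ips...)
		r.mu.Unlock()
		return ips, false, nil
	}
	if err == nil {
		err = errors.New("dnscache: no addresses returned")
	}
	r.mu.Lock()
	cached, ok := r.cache[host]
	r.mu.Unlock()
	if ok {
		return append([]net.IP(nil), cached...), true, nil
	}
	return nil, false, err // never resolved: nothing safe to fall back to
}

// SystemLookup adapts the Go resolver to LookupFunc for production use.
func SystemLookup(ctx context.Context, host string) ([]net.IP, error) {
	return net.DefaultResolver.LookupIP(ctx, "ip", host)
}

// flakyLookup is a constructed stand-in for a DNS server that answers once,
// then returns SERVFAIL, then hangs; it keeps the demo offline.
func flakyLookup() LookupFunc {
	calls := 0
	return func(ctx context.Context, host string) ([]net.IP, error) {
		calls++
		switch calls {
		case 1:
			return []net.IP{net.ParseIP("203.0.113.10")}, nil // RFC 5737 documentation address
		case 2:
			return nil, errors.New("SERVFAIL")
		default:
			<-ctx.Done() // hang until the caller's timeout fires
			return nil, ctx.Err()
		}
	}
}

func main() {
	r := NewResolver(flakyLookup(), 50*time.Millisecond)
	for i := 0; i < 3; i++ {
		ips, stale, err := r.LookupIP(context.Background(), "login.tailscale.com")
		fmt.Printf("attempt %d: ips=%v stale=%v err=%v\n", i+1, ips, stale, err)
	}
}
```

A cached answer is only ever an address that the real resolver returned earlier, which is what keeps this safe for control-server dials: the TLS certificate check on the connection still decides whether the cached address is really the control server, so a stale or wrong address costs a failed dial, not a spoofed one.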