Commit Graph

5043 Commits

Author SHA1 Message Date
Brad Fitzpatrick
8ee044ea4a ssh/tailssh: make the SSH server a singleton, register with LocalBackend
Remove the weird netstack -> tailssh dependency and instead have tailssh
register itself with ipnlocal when linked.

This makes tailssh.server a singleton, so we can have a global map of
all sessions.

Updates #3802

Change-Id: Iad5caec3a26a33011796878ab66b8e7b49339f29
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-15 13:45:39 -07:00
Brad Fitzpatrick
da14e024a8 tailcfg, ssh/tailssh: optionally support SSH public keys in wire policy
And clean up logging.

Updates #3802

Change-Id: I756dc2d579a16757537142283d791f1d0319f4f0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-15 13:36:57 -07:00
Brad Fitzpatrick
df9ce972c7 tailcfg, ipn/ipnlocal: add debug flag to enable one-big-CGNAT/10 route
To experiment with avoiding Chrome ERR_NETWORK_CHANGED errors on route
changes.

Updates #3102

Change-Id: I339da14c684fdac45ac261566aa21bf2198672ff
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-14 14:47:42 -07:00
phirework
52d32c94d8
net/dns/publicdns: add missing call to sync.Once.Do (#4410)
Signed-off-by: Jenny Zhang <jz@tailscale.com>
2022-04-14 17:45:58 -04:00
phirework
83c734a6e0
net/dns, util/publicdns: extract public DNS mapping into own package (#4405)
This extracts DOH mapping of known public DNS providers in
forwarder.go into its own package, to be consumed by other repos

Signed-off-by: Jenny Zhang <jz@tailscale.com>
2022-04-14 17:15:54 -04:00
James Tucker
8de7f9bff7 tailscaled: no longer tune gcpercent
Usage of userspace-networking is increasing, and the aggressive GC
tuning causes a significant reduction in performance in that mode.

Signed-off-by: James Tucker <james@tailscale.com>
2022-04-14 11:41:45 -07:00
Xe Iaso
4f1d6c53cb
cmd/nginx-auth: create new Tailscale NGINX auth service (#4400)
This conforms to the NGINX subrequest result authentication protocol[1]
using the NGINX module `ngx_http_auth_request_module`. This is based on
the example that @peterkeen provided on Twitter[2], but with several
changes to make things more tightly locked down:

* This listens over a UNIX socket instead of a TCP socket to prevent
  leakage to the network
* This uses systemd socket activation so that systemd owns the socket
  and can then lock down the service to the bare minimum required to do
  its job without having to worry about dropping permissions
* This provides additional information in HTTP response headers that can
  be useful for integrating with various services
* This has a script to automagically create debian and redhat packages
  for easier distribution

This will be written about on the Tailscale blog. There is more
information in README.md.

[1]: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
[2]: https://github.com/peterkeen/tailscale/blob/main/cmd/nginx-auth-proxy/nginx-auth-proxy.go

Signed-off-by: Xe Iaso <xe@tailscale.com>
2022-04-14 11:55:35 -04:00
Maisem Ali
50b4b8b2c6 ipn/ipnlocal: make peerIPs return a sorted slice
Currently peerIPs doesn't do any sorting of the routes it returns. This
is typically fine, however imagine the case of an HA subnet router
failover. When a route R moves from peer A to peer B, the output of
peerIPs changes. This in turn causes all the deephash check inside
wgengine to fail as the hashed value of [R1, R2] is different than
the hashed value of [R2, R1]. When the hash check failes, it causes
wgengine to reconfigure all routes in the OS. This is especially
problematic for macOS and iOS where we use the NetworkExtension.

This commit makes it that the peerIPs are always sorted when returned,
thus making the hash be consistent as long as the list of routes remains
static.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-04-13 16:30:17 -07:00
Brad Fitzpatrick
a49d8d5200 Revert ".github/workflows: work around golang/go#51629"
This reverts commit 2a412ac9ee.

Updates #4194

Change-Id: I0098b66b71d20bea301ca79058c1cdd201237dd0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-13 14:27:01 -07:00
Brad Fitzpatrick
09c5c9eb83 go.mod: bump x/tools for go/packages generics fix
Updates #4194

Change-Id: Ia992ffb14210d5ad53f8f98d12b80d64080998e6
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-13 14:27:01 -07:00
Tom DNetto
dec68166e4 tstest/integration/vms: smoke test derphttp through mitm proxies
Updates #4377

Very smoky/high-level test to ensure that derphttp internals play well
with an agressive (stare + bump) meddler-in-the-middle proxy.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-04-12 13:24:29 -07:00
Ilya Mateyko
2748750aa2 ipn/ipnstate: make status page more mobile-friendly
Signed-off-by: Ilya Mateyko <me@astrophena.name>
2022-04-12 12:33:31 -07:00
Maisem Ali
c87ed52ad4 cmd/tailscale: add id-token subcommand
RELNOTE=Initial support for getting OIDC ID Tokens

Updates tailscale/corp#4347

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-04-12 12:04:04 -07:00
Brad Fitzpatrick
3ae701f0eb net/tsaddr, wgengine/netstack: add IPv6 range that forwards to site-relative IPv4
This defines a new magic IPv6 prefix, fd7a:115c:a1e0:b1a::/64, a
subset of our existing /48, where the final 32 bits are an IPv4
address, and the middle 32 bits are a user-chosen "site ID". (which
must currently be 0000:00xx; the top 3 bytes must be zero for now)

e.g., I can say my home LAN's "site ID" is "0000:00bb" and then
advertise its 10.2.0.0/16 IPv4 range via IPv6, like:

    tailscale up --advertise-routes=fd7a:115c:a1e0:b1a::bb:10.2.0.0/112

(112 being /128 minuse the /96 v6 prefix length)

Then people in my tailnet can:

     $ curl '[fd7a:115c:a1e0:b1a::bb:10.2.0.230]'
     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" ....

Updates #3616, etc

RELNOTE=initial support for TS IPv6 addresses to route v4 "via" specific nodes

Change-Id: I9b49b6ad10410a24b5866b9fbc69d3cae1f600ef
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-11 17:26:07 -07:00
David Eger
f992749b98 cmd/tailscale: Add file get --loop flag.
To "automatically receive taildrop files to my Downloads directory,"
user currently has to run 'tailscale file get' in a loop.  Make
it easy to do this without shell.

Updates: #2312

Signed-off-by: David Eger <david.eger@gmail.com>
2022-04-11 17:23:08 -07:00
James Tucker
f4aad61e67 wgengine/monitor: ignore duplicate RTM_NEWADDRs
Ignoring the events at this layer is the simpler path for right now, a
broader change should follow to suppress irrelevant change events in a
higher layer so as to avoid related problems with other monitoring paths
on other platforms.  This approach may also carry a small risk that it
applies an at-most-once invariant low in the chain that could be assumed
otherwise higher in the code.

I adjusted the newAddrMessage type to include interface index rather
than a label, as labels are not always supplied, and in particular on my
test hosts they were consistently missing for ipv6 address messages.

I adjusted the newAddrMessage.Addr field to be populated from
Attributes.Address rather than Attributes.Local, as again for ipv6
.Local was always empty, and with ipv4 the .Address and .Local contained
the same contents in each of my test environments.

Update #4282

Signed-off-by: James Tucker <james@tailscale.com>
2022-04-11 14:35:19 -07:00
James Tucker
2f69c383a5 wgengine/monitor: add envknob TS_DEBUG_NETLINK
While I trust the test behavior, I also want to assert the behavior in a
reproduction environment, this envknob gives me the log information I
need to do so.

Update #4282

Signed-off-by: James Tucker <james@tailscale.com>
2022-04-11 14:35:19 -07:00
Tom DNetto
8f6d8cf979 tstest/integration/vms: test on stable nixos (21.11)
I would like to do some more customized integration tests in the future,
(specifically, bringing up a mitm proxy and testing tailscaled through that)
so hoping to bring back the nixos wiring to support that.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-04-11 12:54:56 -07:00
James Tucker
8226f1482c
go.mod: bump rtnetlink for address label encoding (#4386)
This will enable me to land tests for the upcoming monitor change in
PR #4385.

Update #4385
Update #4282

Signed-off-by: James Tucker <james@tailscale.com>
2022-04-08 14:17:53 -07:00
Tom DNetto
f923ce6f87 shell.nix: use tailscale-go for compilation
This change builds a derivation for tailscale-go and makes it available in the
users development environment. This is consistent with the shell.nix in corp/.

Once go1.18 is in a stable Nixpkgs release we can avoid relying on derivations
from nixpkgs head. For now, this works well, and the fetched derivations are
cached in the Nix store according to the usual rules.

Fixes #4231

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-04-08 14:10:50 -07:00
Tom
24bdcbe5c7
net/dns, net/dns/resolver, wgengine: refactor DNS request path (#4364)
* net/dns, net/dns/resolver, wgengine: refactor DNS request path

Previously, method calls into the DNS manager/resolver types handled DNS
requests rather than DNS packets. This is fine for UDP as one packet
corresponds to one request or response, however will not suit an
implementation that supports DNS over TCP.

To support PRs implementing this in the future, wgengine delegates
all handling/construction of packets to the magic DNS endpoint, to
the DNS types themselves. Handling IP packets at this level enables
future support for both UDP and TCP.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-04-08 12:17:31 -07:00
Tom DNetto
3b3d1b9350 tstest/integration/vms: consistently use two dashes for command-line switches
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-04-08 09:54:22 -07:00
Xiaochao Dong (@damnever)
7d97800d52 cmd/tailscale: make web mode preserve URL scheme in Synology redirect
Signed-off-by: Xiaochao Dong (@damnever) <the.xcdong@gmail.com>
2022-04-08 06:18:13 -07:00
James Tucker
2550acfd9d
go.mod: bump netstack for clone reset fix (#4379)
In tracking down issue #4144 and reading through the netstack code in
detail, I discovered that the packet buf Clone path did not reset the
packetbuf it was getting from the sync.Pool. The fix was sent upstream
https://github.com/google/gvisor/pull/7385, and this bump pulls that in.
At this time there is no known path that this fixes, however at the time
of upstream submission this reset at least one field that could lead to
incorrect packet routing if exercised, a situation that could therefore
lead to an information leak.

Signed-off-by: James Tucker <james@tailscale.com>
2022-04-07 19:03:18 -07:00
David Anderson
f570372b4d control/controlbase: don't enforce a max protocol version at handshake time.
Doing so makes development unpleasant, because we have to first break the
client by bumping to a version the control server rejects, then upgrade
the control server to make it accept the new version.

This strict rejection at handshake time is only necessary if we want to
blocklist some vulnerable protocol versions in the future. So, switch
to a default-permissive stance: until we have such a version that we
have to eagerly block early, we'll accept whatever version the client
presents, and leave it to the user of controlbase.Conn to make decisions
based on that version.

Noise still enforces that the client and server *agree* on what protocol
version is being used, and the control server still has the option to
finish the handshake and then hang up with an in-noise error, rather
than abort at the handshake level.

Updates #3488

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-04-07 17:55:29 -07:00
James Tucker
c6ac29bcc4
wgengine/netstack: disable refsvfs2 leak tracking (#4378)
In addition an envknob (TS_DEBUG_NETSTACK_LEAK_MODE) now provides access
to set leak tracking to more useful values.

Fixes #4309

Signed-off-by: James Tucker <james@tailscale.com>
2022-04-07 17:21:45 -07:00
Tom DNetto
858ab80172 tstest/integration/vms: fix docs, qemu-img invocation
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-04-07 15:40:14 -07:00
Xe Iaso
55161b3d92
cmd/mkpkg: use package flag (#4373)
Also removes getopt

Signed-off-by: Xe <xe@tailscale.com>
2022-04-07 16:38:33 -04:00
David Anderson
02ad987e24 control/controlbase: make the protocol version number selectable.
This is so that we can plumb our client capability version through
the protocol as the Noise version. The capability version increments
more frequently than strictly required (the Noise version only needs
to change when cryptographically-significant changes are made to
the protocol, whereas the capability version also indicates changes
in non-cryptographically-significant parts of the protocol), but this
gives us a safe pre-auth way to determine if the client supports
future protocol features, while still relying on Noise's strong
assurance that the client and server have agreed on the same version.

Currently, the server executes the same protocol regardless of the
version number, and just presents the version to the caller so they
can do capability-based things in the upper RPC protocol. In future,
we may add a ratchet to disallow obsolete protocols, or vary the
Noise handshake behavior based on requested version.

Updates #3488

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-04-07 13:25:28 -07:00
Xe Iaso
be861797b4
cmd/mkpkg: add name argument (#4372)
* shell.nix: rename goimports to gotools

Signed-off-by: Xe <xe@tailscale.com>

* cmd/mkpkg: allow specifying description and name in flag args

Signed-off-by: Xe <xe@tailscale.com>
2022-04-07 16:05:04 -04:00
Ramya Nagarajan
e014b4d970
api: update acl/validate data format (#4366)
Expected input is JSON formatted []policy.ACLTest

Signed-off-by: Ramya Nagarajan <ramya@tailscale.com>
2022-04-07 10:33:52 -07:00
Matt Layher
c79c72c4fc go.mod: github.com/mdlayher/sdnotify@v1.0.0
Signed-off-by: Matt Layher <mdlayher@gmail.com>
2022-04-06 19:25:50 -07:00
Tom
6be7931eb4
net/dns/resolver: return symbolic PTR records for TS service IPs (#4361)
Fixes #1233

Signed-off-by: Tom DNetto <tom@tailscale.com>

Co-authored-by: Tom DNetto <tom@tailscale.com>
2022-04-06 15:56:21 -07:00
oliverpool
0b273e1857 cmd/tailscale: drop special exit code 125 for gokrazy
No needed since gokrazy doesn't restart successful processes anymore: https://github.com/gokrazy/gokrazy/pull/127

Signed-off-by: Olivier Charvin <git@olivier.pfad.fr>
2022-04-06 06:21:44 -07:00
Maisem Ali
3603a18710 ipn/localapi: add endpoint to request id token
Updates tailscale/corp#4347

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-04-05 14:48:45 -07:00
Maisem Ali
035e8ab00e tailcfg: add Token{Request,Response} types
Updates tailscale/corp#4347

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-04-05 14:48:45 -07:00
Joe Tsai
01adcfa688
tailcfg: add omitempty to all fields of Hostinfo (#4360)
This reduces the noise when marshaling only a subset of this type.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-04-05 13:25:14 -07:00
Maisem Ali
ac2033d98c
go.mod: bump staticcheck (#4359)
Updates #4194

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-04-05 12:24:33 -07:00
Maisem Ali
9f604f2bd3
derp: add (*Server).IsClientConnectedForTest func. (#4331)
This allows tests to verfiy that a DERP connection was actually
established.

Related to #4326
Updates tailscale/corp#2579

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-03-30 10:50:50 -07:00
Brad Fitzpatrick
3d180c0376 go.mod, ssh/tailssh, tempfork/gliderlabs: bump x/crypto/ssh fork for NoClientAuthCallback
Prep for evaluating SSHPolicy earlier to decide whether certs are
required, which requires knowing the target SSH user.

Updates #3802

Change-Id: I2753ec8069e7f19c9121300d0fb0813c1c627c36
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-03-29 18:17:34 -07:00
Maisem Ali
f4686a76a1
envknob: use the correct key when logging (#4319) 2022-03-29 14:04:12 -07:00
Maisem Ali
309ddef852
net/netutil: add CheckIPForwardingLinux (#4301)
Combine the code between `LocalBackend.CheckIPForwarding` and
`controlclient.ipForwardingBroken`.

Fixes #4300

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-03-28 10:24:11 -07:00
David Anderson
7c7f37342f prober: used keyed initializer for LimitedReader.
Reported by go vet.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-03-26 21:45:27 -07:00
Maisem Ali
909f40da84
util/groupmember: remove redundant code (#4298)
Now that we have 30faf968b1
this is no longer needed.

Fixes #3001

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-03-26 21:45:06 -07:00
Brad Fitzpatrick
e4d8d5e78b net/packet, wgengine/netstack: remove workaround for old gvisor ECN bug
Fixes #2642

Change-Id: Ic02251d24a4109679645d1c8336e0f961d0cce13
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-03-26 21:24:24 -07:00
Brad Fitzpatrick
5a44f9f5b5 tempfork: temporarily fork gliderlabs/ssh and x/crypto/ssh
While we rearrange/upstream things.

gliderlabs/ssh is forked into tempfork from our prior fork
at be8b7add40

x/crypto/ssh OTOH is forked at
https://github.com/tailscale/golang-x-crypto because it was gnarlier
to vendor with various internal packages, etc.
Its git history shows where it starts (2c7772ba30643b7a2026cbea938420dce7c6384d).

Updates #3802

Change-Id: I546e5cdf831cfc030a6c42557c0ad2c58766c65f
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-03-26 21:07:01 -07:00
Maisem Ali
6fecc16c3b ipn/ipnlocal: do not process old status messages received out of order
When `setWgengineStatus` is invoked concurrently from multiple
goroutines, it is possible that the call invoked with a newer status is
processed before a call with an older status. e.g. a status that has
endpoints might be followed by a status without endpoints. This causes
unnecessary work in the engine and can result in packet loss.

This patch adds an `AsOf time.Time` field to the status to specifiy when the
status was calculated, which later allows `setWgengineStatus` to ignore
any status messages it receives that are older than the one it has
already processed.

Updates tailscale/corp#2579

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-03-26 20:23:50 -07:00
Brad Fitzpatrick
753f1bfad4 cmd/tailscale: write fewer known_hosts, resolve ssh host to FQDN early
Updates #3802

Change-Id: Ic44fa2e6661a9c046e725c04fa6b8213d3d4d2b2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-03-25 15:17:27 -07:00
Brad Fitzpatrick
df93158aac cmd/tailscale: generate known_hosts file for 'tailscale ssh'
Updates #3802

Change-Id: I7a0052392f000ee44fc8e719f6666756aab91f3d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-03-25 14:10:48 -07:00
Brad Fitzpatrick
cceacda5eb ipn/ipnstate: put SSH Host Keys in ipnstate.PeerStatus
Updates #3802

Change-Id: I47ba3b4545b25988f375bd867aecd98bb0da8d79
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-03-25 12:14:39 -07:00