Make netlogfmt useful regardless of the exact schema of the input.
If a JSON object looks like a network log message,
then unmarshal it as one and then print it.
This allows netlogfmt to support both a stream of JSON objects
directly serialized from netlogtype.Message, or the schema
returned by the /api/v2/tailnet/{{tailnet}}/network-logs API endpoint.
Signed-off-by: Joe Tsai <joetsai@digital-static.net>
This is a temporary hack to prevent logtail getting stuck
uploading the same excessive message over and over.
A better solution will be discussed and implemented.
Signed-off-by: Joe Tsai <joetsai@digital-static.net>
There is utility in logging traffic statistics that occurs at the physical layer.
That is, in order to send packets virtually to a particular tailscale IP address,
what physical endpoints did we need to communicate with?
This functionality logs IP addresses identical to
what had always been logged in magicsock prior to #5823,
so there is no increase in PII being logged.
ExtractStatistics returns a mapping of connections to counts.
The source is always a Tailscale IP address (without port),
while the destination is some endpoint reachable on WAN or LAN.
As a special case, traffic routed through DERP will use 127.3.3.40
as the destination address with the port being the DERP region.
This entire feature is only enabled if data-plane audit logging
is enabled on the tailnet (by default it is disabled).
Example of type of information logged:
------------------------------------ Tx[P/s] Tx[B/s] Rx[P/s] Rx[B/s]
PhysicalTraffic: 25.80 3.39Ki 38.80 5.57Ki
100.1.2.3 -> 143.11.22.33:41641 15.40 2.00Ki 23.20 3.37Ki
100.4.5.6 -> 192.168.0.100:41641 10.20 1.38Ki 15.60 2.20Ki
100.7.8.9 -> 127.3.3.40:2 0.20 6.40 0.00 0.00
Signed-off-by: Joe Tsai <joetsai@digital-static.net>
New plan for #5972. Instead of sending the public key in the clear
(from earlier unreleased 246274b8e9) where the client might have to
worry about it being dropped or tampered with and retrying, we'll
instead send it post-Noise handshake but before the HTTP/2 connection
begins.
This replaces the earlier extraHeaders hook with a different sort of
hook that allows us to combine two writes on the wire in one packet.
Updates #5972
Change-Id: I42cdf7c1859b53ca4dfa5610bd1b840c6986e09c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
The netlog.Message type is useful to depend on from other packages,
but doing so would transitively cause gvisor and other large packages
to be linked in.
Avoid this problem by moving all network logging types to a single package.
We also update staticcheck to take in:
003d277bcf
Signed-off-by: Joe Tsai <joetsai@digital-static.net>
Intermittently in the wild we are seeing failures when calling
`INetworkConnection::GetNetwork`. It is unclear what the root cause is, but what
is clear is that the error is happening inside the object's `IDispatch` invoker
(as opposed to the method implementation itself).
This patch replaces our wrapper for `INetworkConnection::GetNetwork` with an
alternate implementation that directly invokes the method, instead of using
`IDispatch`. I also replaced the implementations of `INetwork::SetCategory` and
`INetwork::GetCategory` while I was there.
This patch is speculative and tightly-scoped so that we could possibly add it
to a dot-release if necessary.
Updates https://github.com/tailscale/tailscale/issues/4134
Updates https://github.com/tailscale/tailscale/issues/6037
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
Forgot it when adding the Challenge types earlier.
Change-Id: Ie0872c4e6dc25e5d832aa58c7b3f66d450bf6b71
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This allows direct use of NLPublic with tka.Authority.KeyTrusted() and
similar without using tricks like converting the return value of Verifier.
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
TCP selective acknowledgement can improve throughput by an order
of magnitude in the presence of loss.
Signed-off-by: Jordan Whited <jordan@tailscale.com>
Saves about 1.4MB from the generated wasm file. The Brotli size is
basically unchanged (it's actually slightly larger, by 40K), suggesting
that most of the size delta is due to not inlining and other changes
that were easily compressible.
However, it still seems worthwhile to have a smaller final binary, to
reduce parse time and increase likelihood that we fit in the browser's
disk cache. Actual performance appears to be unchanged.
Updates #5142
Signed-off-by: Mihai Parparita <mihai@tailscale.com>
Turns out using win32 instead of shelling out to child processes is a
bit faster:
name old time/op new time/op delta
GetListIncremental-4 278ms ± 2% 0ms ± 7% -99.93% (p=0.000 n=8+10)
name old alloc/op new alloc/op delta
GetListIncremental-4 238kB ± 0% 9kB ± 0% -96.12% (p=0.000 n=10+8)
name old allocs/op new allocs/op delta
GetListIncremental-4 1.19k ± 0% 0.02k ± 0% -98.49% (p=0.000 n=10+10)
Fixes#3876 (sadly)
Change-Id: I1195ac5de21a8a8b3cdace5871d263e81aa27e91
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
It looks like this was left by mistake in 4a3e2842.
Change-Id: Ie4e3d5842548cd2e8533b3552298fb1ce9ba761a
Signed-off-by: Andrew Dunham <andrew@tailscale.com>
To avoid annoying firewall dialogs on macOS and Windows, only run it
on Linux by default without the flag.
Change-Id: If8486c31d4243ade54b0131f673237c6c9184c08
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Add an osImpl interface that can be stateful and thus more efficient
between calls. It will later be implemented by all OSes but for now
this change only adds a Linux implementation.
Remove Port.inode. It was only used by Linux and moves into its osImpl.
Don't reopen /proc/net/* files on each run. Turns out you can just
keep then open and seek to the beginning and reread and the contents
are fresh.
name old time/op new time/op delta
GetListIncremental-8 7.29ms ± 2% 6.53ms ± 1% -10.50% (p=0.000 n=9+9)
name old alloc/op new alloc/op delta
GetListIncremental-8 1.30kB ±13% 0.70kB ± 5% -46.38% (p=0.000 n=9+10)
name old allocs/op new allocs/op delta
GetListIncremental-8 33.2 ±11% 18.0 ± 0% -45.82% (p=0.000 n=9+10)
Updates #5958
Change-Id: I4be83463cbd23c2e2fa5d0bdf38560004f53401b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
On Android, the system resolver can return IPv4 addresses as IPv6-mapped
addresses (i.e. `::ffff:a.b.c.d`). After the switch to `net/netip`
(19008a3), this case is no longer handled and a response like this will
be seen as failure to resolve any IPv4 addresses.
Handle this case by simply calling `Unmap()` on the returned IPs. Fixes#5698.
Signed-off-by: Peter Cai <peter@typeblog.net>
And respect envknob earlier. NewPoller has one caller and ignores
errors; they just signal ipnlocal to log a warning and not use the
portlist poller.
Change-Id: I4a33af936fe780cca8c7197d4d74ac31a1dc01e3
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
The cute little salak belongs there. It also evens the odds if tails
start a mutiny against scales. Even though they outnumber scales, they
should still know their place. Behind.
Signed-off-by: Pontus Leitzler <leitzler@gmail.com>
name old time/op new time/op delta
GetList-8 11.2ms ± 5% 11.1ms ± 3% ~ (p=0.661 n=10+9)
name old alloc/op new alloc/op delta
GetList-8 83.3kB ± 1% 67.4kB ± 1% -19.05% (p=0.000 n=10+10)
name old allocs/op new allocs/op delta
GetList-8 2.89k ± 2% 2.19k ± 1% -24.24% (p=0.000 n=10+10)
(real issue is we're calling this code as much as we are, but easy
enough to make it efficient because it'll still need to be called
sometimes in any case)
Updates #5958
Change-Id: I90c20278d73e80315a840aed1397d24faa308d93
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Make Linux parsePorts also an append-style API and attach it to
caller's provided append base memory.
And add a little string intern pool in front of the []byte to string
for inode names.
name old time/op new time/op delta
GetList-8 11.1ms ± 4% 9.8ms ± 6% -11.68% (p=0.000 n=9+10)
name old alloc/op new alloc/op delta
GetList-8 92.8kB ± 2% 79.7kB ± 0% -14.11% (p=0.000 n=10+9)
name old allocs/op new allocs/op delta
GetList-8 2.94k ± 1% 2.76k ± 0% -6.16% (p=0.000 n=10+10)
More coming. (the bulk of the allocations are in addProcesses and
filesystem operations, most of which we should usually be able to
skip)
Updates #5958
Change-Id: I3f0c03646d314a16fef7f8346aefa7d5c96701e7
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Poller.C and Poller.c were duplicated for one caller. Add an accessor
returning the receive-only version instead. It'll inline.
Poller.Err was unused. Remove.
Then Poller is opaque.
The channel usage and shutdown was a bit sketchy. Clean it up.
And document some things.
Change-Id: I5669e54f51a6a13492cf5485c83133bda7ea3ce9
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
In prep for reducing garbage, being able to reuse memory. So far this
doesn't actually reuse much. This is just changing signatures around.
But some improvement in any case:
bradfitz@tsdev:~/src/tailscale.com$ ~/go/bin/benchstat before after
name old time/op new time/op delta
GetList-8 11.8ms ± 9% 9.9ms ± 3% -15.98% (p=0.000 n=10+10)
name old alloc/op new alloc/op delta
GetList-8 99.5kB ± 2% 91.9kB ± 0% -7.62% (p=0.000 n=9+9)
name old allocs/op new allocs/op delta
GetList-8 3.05k ± 1% 2.93k ± 0% -3.83% (p=0.000 n=8+9)
More later, once parsers can reuse strings from previous parses.
Updates #5958
Change-Id: I76cd5048246dd24d11c4e263d8bb8041747fb2b0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
It's an internal implementation detail, and I plan to refactor it
for performance (garbage) reasons anyway, so start by hiding it.
Updates #5958
Change-Id: I2c0d1f743d3495c5f798d1d8afc364692cd9d290
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
We had previously added this to the netcheck report in #5087 but never
copied it into the NetInfo struct. Additionally, add it to log lines so
it's visible to support.
Change-Id: Ib6266f7c6aeb2eb2a28922aeafd950fe1bf5627e
Signed-off-by: Andrew Dunham <andrew@tailscale.com>
By default all probes with the same probe interval that have been added
together will run on a synchronized schedule, which results in spiky
resource usage and potential throttling by third-party systems (for
example, OCSP servers used by the TLS probes).
To address this, prober can now run in "spread" mode that will
introduce a random delay before the first run of each probe.
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
What's better than getting a community request?
A community request from another Charlotte!
Bun and hops!
Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
Deleting may temporarily result in no addrs on the interface, which results in
all other rules (like routes) to get dropped by the OS.
I verified this fixes the problem.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
Sets up new file for separate silent disco goroutine, tentatively named
pathfinder for now.
Updates #540
Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Signed-off-by: Jenny Zhang <jz@tailscale.com>
During development of silent disco (#540), an alternate send policy
for magicsock that doesn't wake up the radio frequently with
heartbeats, we want the old & new policies to coexist, like we did
previously pre- and post-disco.
We started to do that earlier in 5c42990c2f but only set up the
env+control knob plumbing to set a bool about which path should be
used.
This starts to add a way for the silent disco code to update the send
path from a separate goroutine. (Part of the effort is going to
de-state-machinify the event based soup that is the current disco
code and make it more Go synchronous style.)
So far this does nothing. (It does add an atomic load on each send
but that should be noise in the grand scheme of things, and a even more
rare atomic store of nil on node config changes.)
Baby steps.
Updates #540
Co-authored-by: Jenny Zhang <jz@tailscale.com>
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This ensures that each DERP server is probed individually (TLS and STUN)
and also manages per-region mesh probing. Actual probing code has been
copied from cmd/derpprobe.
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Months upon months I ponder about this,
Adding new words onto our little lists.
Given our integrity I should not have missed,
Including the creatures from folklore and myth.
Carefully curated, many of them hiss,
Don't forget about the ones hiding in the abyss.
Now they are added, I cannot resist,
Searching for more words for me to enlist.
Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
It was unused in this repo. The Windows client used it, but it can move there.
Change-Id: I572816fd80cbbf1b8db734879b6280857d5bd2a7
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
