Commit Graph

5930 Commits

Author SHA1 Message Date
Maisem Ali
c434e47f2d ssh/tailssh: always use current time for policy evaluation
Whenever the SSH policy changes we revaluate all open connections to
make sure they still have access. This check was using the wrong
timestamp and would match against expired policies, however this really
isn't a problem today as we don't have policy that would be impacted by
this check. Fixing it for future use.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-27 12:25:04 -07:00
Maisem Ali
a7d2024e35 ssh/tailssh: allow multiple sessions on the same conn
Fixes #4920
Fixes tailscale/corp#5633
Updates #4479

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-27 11:54:54 -07:00
mattn
1d04e01d1e
use C:\Windows\System32\OpenSSH\ssh.exe (#4933)
cmd/tailscale: make ssh command prefer Windows ssh.exe over PATH

Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
2022-06-25 22:26:21 -07:00
Adam Eijdenberg
9294a14a37 ssh/tailssh: limit setgroups to 16 on macOS
Fixes #4938

Signed-off-by: Adam Eijdenberg <adam@continusec.com>
2022-06-25 22:17:53 -07:00
Adam Eijdenberg
7f807fef6c ssh/tailssh: fix /usr/bin/login args on macOS
Fixes #4931

Signed-off-by: Adam Eijdenberg <adam@continusec.com>
2022-06-25 22:17:53 -07:00
Brad Fitzpatrick
35782f891d util/deephash: add canMemHash func + typeInfo property
Currently unused. (breaking up a bigger change)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-25 13:09:30 -07:00
Brad Fitzpatrick
7b9a901489 util/deephash: add packet filter benchmark
(breaking up parts of another change)

This adds a PacketFilter hashing benchmark with an input that both
contains every possible field, but also is somewhat representative in
the shape of what real packet filters contain.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-25 12:55:15 -07:00
James Tucker
c88bd53b1b .github/workflows: windows-race: print gcc version
Signed-off-by: James Tucker <james@tailscale.com>
2022-06-24 15:30:36 -07:00
Maisem Ali
2d65c1a950 client/tailscale: update ACLRow and ACLTest with new ACL fields
Signed-off-by: Maisem Ali <maisem@tailscale.com>
Co-authored-by: Will Norris <will@tailscale.com>
2022-06-24 12:20:08 -07:00
Aaron Klotz
4baf34cf25 net/dns: set appropriate Windows registry values to prevent it from sending DNS changes concerning our interface to AD domain controllers.
We do this unconditionally inside SetDNS such that the values are always set
before we make any other changes to DNS configurations.

It should not be harmful for the settings to remain even when other DNS
settings are cleared out (since they only affect our network interface).

See https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dns-dynamic-updates-windows-server-2003 for details about the registry value.

Fixes https://github.com/tailscale/tailscale/issues/4829

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2022-06-24 11:41:33 -06:00
Aaron Klotz
8cdfd12977 net/dns: update Windows split DNS settings to work alongside other NRPT entries set by group policy.
When there are group policy entries for the NRPT that do not belong to Tailscale,
we recognize that we need to add ourselves to group policy and use that registry
key instead of the local one. We also refresh the group policy settings as
necessary to ensure that our changes take effect immediately.

Fixes https://github.com/tailscale/tailscale/issues/4607

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2022-06-23 15:42:22 -06:00
James Tucker
76256d22d8 wgengine/router: windows: set SkipAsSource on IPv6 LL addresses
Link-local addresses on the Tailscale interface are not routable.
Ideally they would be removed, however, a concern exists that the
operating system will attempt to re-add them which would lead to
thrashing.

Setting SkipAsSource attempts to avoid production of packets using the
address as a source in any default behaviors.

Before, in powershell: `ping (hostname)` would ping the link-local
address of the Tailscale interface, and fail.
After: `ping (hostname)` now pings the link-local address on the next
highest priority metric local interface.

Fixes #4647
Signed-off-by: James Tucker <james@tailscale.com>
2022-06-22 15:26:40 -07:00
Brad Fitzpatrick
8c5c87be26 util/deephash: fix collisions between different types
Updates #4883

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-21 22:29:04 -07:00
Tom DNetto
4f6fa3d63a shell.nix: use 1.18 from system nixpkgs
(Now that 22.05 / 22.11 are released and presumably everyone has updated).

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-06-21 15:36:39 -07:00
Xe Iaso
dee95d0894
cmd/gitops-pusher: add new GitOps assistant (#4893)
This is for an upcoming blogpost on how to manage Tailscale ACLs using a
GitOps flow. This tool is intended to be used in CI and will allow users
to have a git repository be the ultimate source of truth for their ACL
file. This enables ACL changes to be proposed, approved and discussed
before they are applied.

Signed-off-by: Xe <xe@tailscale.com>
2022-06-21 16:04:48 -04:00
Sofiane Hamlaoui
1007983159 Adding pkg for Freebsd installation
Signed-off-by: Sofiane Hamlaoui <s0fianehaml40u1@gmail.com>
2022-06-20 11:31:10 -07:00
Sofiane Hamlaoui
51cc0e503b adding --noconfirm to pacman installation
Signed-off-by: Sofiane Hamlaoui <s0fianehaml40u1@gmail.com>
2022-06-20 11:31:10 -07:00
Brad Fitzpatrick
87a4c75fd4 control/controlclient, ipn/ipnlocal: remove Client.SetExpirySooner, fix race
Client.SetExpirySooner isn't part of the state machine. Remove it from
the Client interface.

And fix a use of LocalBackend.cc without acquiring the lock that
guards that field.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-19 22:08:29 -07:00
Brad Fitzpatrick
ef0d740270 control/controlclient: remove Client.SetStatusFunc
It can't change at runtime. Make it an option.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-19 21:54:39 -07:00
Brad Fitzpatrick
70a2797064 control/controlclient, ipn/ipnlocal: remove some Client methods
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-19 18:11:59 -07:00
Brad Fitzpatrick
a1e429f7c3 control/controlclient, types/netmap: remove unused LocalPort field
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-19 17:22:00 -07:00
Brad Fitzpatrick
526b0b6890 control/controlclient: start simplifying netmap fetch APIs
Step 1 of many, cleaning up the direct/auto client & restarting map
requests that leads to all the unnecessary map requests.

Updates tailscale/corp#5761

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-19 15:43:12 -07:00
Brad Fitzpatrick
467eb2eca0 cmd/tailscale/cli, ipn/ipnlocal: give SSH tips when off/unconfigured
Updates #3802

Change-Id: I6b9a3175f68a6daa670f912561f2c2ececc07770
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-17 19:37:59 -07:00
Brad Fitzpatrick
99ed54926b tailcfg: define some Node.Capabilities about SSH, its config
Updates #3802

Change-Id: Icb4ccbc6bd1c6304013bfc553d04007844a5c0bf
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-17 12:14:50 -07:00
Brad Fitzpatrick
13d0b8e6a4 control/controlclient, net/dnscache: use typed singleflight fork
Change-Id: I12be4c5a91ae3a812fe88d9b2d15526fdbb5a921
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-17 10:20:16 -07:00
Brad Fitzpatrick
59ed846277 util/singleflight: add fork of singleflight with generics
Forked from golang.org/x/sync/singleflight at
the x/sync repo's commit 67f06af15bc961c363a7260195bcd53487529a21

Updates golang/go#53427

Change-Id: Iec2b47b7777940017bb9b3db9bd7d93ba4a2e394
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-17 10:20:16 -07:00
Brad Fitzpatrick
757ecf7e80 util/deephash: fix map hashing when key & element have the same type
Regression from 09afb8e35b, in which the
same reflect.Value scratch value was being used as the map iterator
copy destination.

Also: make nil and empty maps hash differently, add test.

Fixes #4871

Co-authored-by: Josh Bleecher Snyder <josharian@gmail.com>
Change-Id: I67f42524bc81f694c1b7259d6682200125ea4a66
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-16 22:29:47 -07:00
Brad Fitzpatrick
22c544bca7 go.mod: bump go4.org/unsafe/assume-no-moving-gc for Go 1.19beta1
Otherwise we crash at startup with Go 1.19beta1.

Updates #4872

Change-Id: I371df4146735f7e066efd2edd48c1a305906c13d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-16 20:40:22 -07:00
Brad Fitzpatrick
f31588786f util/deephash: don't track cycles on non-recursive types
name              old time/op    new time/op    delta
Hash-8              67.3µs ±20%    76.5µs ±16%     ~     (p=0.143 n=10+10)
HashMapAcyclic-8    63.0µs ± 2%    56.3µs ± 1%  -10.65%  (p=0.000 n=10+8)
TailcfgNode-8       9.18µs ± 2%    6.52µs ± 3%  -28.96%  (p=0.000 n=9+10)
HashArray-8          732ns ± 3%     709ns ± 1%   -3.21%  (p=0.000 n=10+10)

name              old alloc/op   new alloc/op   delta
Hash-8               24.0B ± 0%     24.0B ± 0%     ~     (all equal)
HashMapAcyclic-8     0.00B          0.00B          ~     (all equal)
TailcfgNode-8        0.00B          0.00B          ~     (all equal)
HashArray-8          0.00B          0.00B          ~     (all equal)

name              old allocs/op  new allocs/op  delta
Hash-8                1.00 ± 0%      1.00 ± 0%     ~     (all equal)
HashMapAcyclic-8      0.00           0.00          ~     (all equal)
TailcfgNode-8         0.00           0.00          ~     (all equal)
HashArray-8           0.00           0.00          ~     (all equal)

Change-Id: I28642050d837dff66b2db54b2b0e6d272a930be8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-16 18:39:10 -07:00
Brad Fitzpatrick
36ea837736 util/deephash: fix map hashing to actually hash elements
Fixes #4868

Change-Id: I574fd139cb7f7033dd93527344e6aa0e625477c7
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-16 11:32:12 -07:00
Brad Fitzpatrick
4005134263 tailcfg: clarify some of the MapRequest variants
Change-Id: Ia09bd69856e372c3a6b64cda7ddb34029b32a11b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-14 13:08:55 -07:00
Joe Tsai
0f05b2c13f
tsnet: use tailscaled as prefix for state file names (#4816)
Use the "tailscaled" prefix instead of "tsnet" for state file names:
1. It is consistent with the pre-existing {{Dir}}/tailscaled.state file.
2. It makes the file layout of `tsnet` and `tailscaled` identical,
   so that they are compatible with each other.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-06-09 11:46:43 -07:00
Denton Gentry
1392a93445 socks5: add a simple test
Start up a backend service, put a SOCKS5 server in front
of it, and verify that we can get data from the backend via
SOCKS5.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-06-09 10:41:06 -07:00
Denton Gentry
7fffddce8e net/portmapper: enable for iOS
In the 1.27 unstable releases we set the min-version to iOS15,
which means we have 50 MBytes of RAM in the Network Extension.
https://tailscale.com/blog/go-linker/

Include the UPnP/NAT-PMP/PCP portmapper support now that there
is memory for it.

Fixes https://github.com/tailscale/tailscale/issues/2495
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-06-09 10:40:25 -07:00
Mihai Parparita
2990c2b1cf control/controlhttp: use secure WebSockets protocol by default
Forcing the insecure protocol (and perserving the port number) is only
desired for localhost testing, in prod we need to use wss:// to avoid
mixed-content errors.

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-06-08 15:29:21 -07:00
Tom DNetto
32c6823cf5 tsweb: implement interceptor for error page presentation
Updates https://github.com/tailscale/corp/issues/5605

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-06-08 15:21:16 -07:00
Mihai Parparita
b788a5ba7e tailcfg: add HostinfoView version of TailscaleSSHEnabled
Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-06-08 12:08:14 -07:00
Praneet Loke
d8c05fc1b2
Update a Taildrop error message (#4818)
ipn/ipnlocal: update error message on Taildrop send while not connected

Signed-off-by: Praneet <1466314+praneetloke@users.noreply.github.com>
2022-06-08 09:11:50 -07:00
Brad Fitzpatrick
d3643fa151 cmd/tailscale: add 'debug ts2021' Noise connectivity subcommand
Updates #3488

Change-Id: I9272e68f66c4cf36fb98dd1248a74d3817447690
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-08 09:07:05 -07:00
Joe Tsai
96f73b3894
logtail: do not panic in PrivateID.PublicID (#4815)
It is not idiomatic for Go code to panic for situations that
can be normal. For example, if a server receives PrivateID
from a client, it is normal for the server to call
PrivateID.PublicID to validate that the PublicID matches.
However, doing so would panic prior to this change.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-06-07 17:25:05 -07:00
Melanie Warrick
3a182d5dd6
ipn/ipnstate: add ExitNodeStatus to share the exit node if it is in use, the IP, ID and whether its online. (#4761)
-
Updates #4619

Signed-off-by: nyghtowl <warrick@tailscale.com>
2022-06-07 12:31:10 -07:00
Mihai Parparita
6246fa32f0 wasm: add test for disallowed JS/WASM dependencies
Ensures that binary size gains like the ones from #4802 and #4813
don't regress.

Updates #3517

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-06-07 12:19:11 -07:00
Mihai Parparita
c41837842b wasm: drop pprof dependency
We can use the browser tools to profile, pprof adds 200K to the binary size.

Updates #3157

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-06-07 12:16:16 -07:00
Ross Zurowski
bb67999808
tailcfg: add TailscaleSSHEnabled helper check (#4812)
This commit adds a helper to check if Tailscale SSH is enabled. We're
currently checking the SSH_HostKeys field in a few places, but later
plan to add an explicit bool. This helper makes the check and any future
changes easier.

Signed-off-by: Ross Zurowski <ross@rosszurowski.com>
2022-06-07 14:50:08 -04:00
Will Norris
09363064b5
tsnet: use proper log ID
refactor logpolicy config loading to make it easier to reuse from
outside the package.  Within tsnet, setup a basic logtail config.

Signed-off-by: Will Norris <will@tailscale.com>
2022-06-07 10:09:21 -07:00
Mihai Parparita
edc90ebc61 net/wsconn: remove homegrown wrapper for turning a websocket.Conn into a net.Conn
The one from the nhooyr/websocket package seems to work equally well.

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-06-07 09:28:56 -07:00
Denton Gentry
cfb5bd0559 VERSION.txt: this is v1.27.0
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-06-06 16:11:18 -07:00
Brad Fitzpatrick
db83926121 go.toolchain.rev: bump Go to 1.18.3 (+ Tailscale patches)
See 04d67b90d8

Diff:

bb6009ec7c..04d67b90d8

Change-Id: Ic0abd3058f3696c3f8007e1004ab4bf377c5323c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-06 15:46:28 -07:00
Mihai Parparita
27a1ad6a70
wasm: exclude code that's not used on iOS for Wasm too
It has similar size constraints. Saves ~1.9MB from the Wasm build.

Updates #3157

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-06-06 13:52:52 -07:00
Brad Fitzpatrick
4007601f73 cmd/controlclient: wire up PingRequest peerapi pings too
Updates tailscale/corp#754

Change-Id: I61ac3fc44783b54bd02455bcb0baf19159b7a9d2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-06 13:41:34 -07:00