mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-25 19:15:34 +00:00
8d1249550a
Palo Alto firewalls have a typically hard NAT, but also have a mode called Persistent DIPP that is supposed to provide consistent port mapping suitable for STUN resolution of public ports. Persistent DIPP works initially on most Palo Alto firewalls, but some models/software versions have a bug which this works around. The bug symptom presents as follows: - STUN sessions resolve a consistent public IP:port to start with - Much later netchecks report the same IP:Port for a subset of sessions, most often the users active DERP, and/or the port related to sustained traffic. - The broader set of DERPs in a full netcheck will now consistently observe a new IP:Port. - After this point of observation, new inbound connections will only succeed to the new IP:Port observed, and existing/old sessions will only work to the old binding. In this patch we now advertise the lowest latency global endpoint discovered as we always have, but in addition any global endpoints that are observed more than once in a single netcheck report. This should provide viable endpoints for potential connection establishment across a NAT with this behavior. Updates tailscale/corp#19106 Signed-off-by: James Tucker <james@tailscale.com> |
||
|---|---|---|
| .. | ||
| art | ||
| connstats | ||
| dns | ||
| dnscache | ||
| dnsfallback | ||
| flowtrack | ||
| ktimeout | ||
| memnet | ||
| netaddr | ||
| netcheck | ||
| neterror | ||
| netkernelconf | ||
| netknob | ||
| netmon | ||
| netns | ||
| netstat | ||
| netutil | ||
| packet | ||
| ping | ||
| portmapper | ||
| proxymux | ||
| routetable | ||
| socks5 | ||
| sockstats | ||
| speedtest | ||
| stun | ||
| stunserver | ||
| tcpinfo | ||
| tlsdial | ||
| tsaddr | ||
| tsdial | ||
| tshttpproxy | ||
| tstun | ||
| wsconn | ||