<feed xmlns='http://www.w3.org/2005/Atom'>
<title>tailscale/control/controlclient/map_test.go, branch awly/deadcode-linuxfwtest</title>
<subtitle>The easiest, most secure way to use WireGuard and 2FA</subtitle>
<id>http://git.waynecole.info/tailscale/atom?h=awly%2Fdeadcode-linuxfwtest</id>
<link rel='self' href='http://git.waynecole.info/tailscale/atom?h=awly%2Fdeadcode-linuxfwtest'/>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/'/>
<updated>2026-04-15T15:05:57Z</updated>
<entry>
<title>control/controlclient: add patchify miss stats</title>
<updated>2026-04-15T15:05:57Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2026-04-15T14:37:33Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=dbf468740b49f06828d5c8f9bc30f0c51cba4496'/>
<id>urn:sha1:dbf468740b49f06828d5c8f9bc30f0c51cba4496</id>
<content type='text'>
Add an opt-in metrics.LabelMap tracking why patchifyPeer fails to
convert a PeersChanged entry into a PeersChangedPatch. The stats are
gated behind the TS_DEBUG_PATCHIFY_PEER_MISS envknob so there is zero
overhead in normal operation.

peerChangeDiff now takes an optional onFalse callback that is called
with the field name on every non-patchable return path. When the
envknob is off, nil is passed and replaced with a no-op at the top of
peerChangeDiff.

The resulting metric renders as:

    counter_patchify_miss{why="Hostinfo"} 2
    counter_patchify_miss{why="peer_not_found"} 1170

Updates tailscale/corp#40088

Change-Id: I2d4b9074bf42ec03ab296c0629a54106bafa873e
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>control/controlclient: accept key if last seen on exist node is absent (#19402)</title>
<updated>2026-04-15T07:53:40Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2026-04-15T07:53:40Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=61c95f409c90728d3c3ad2627ea77fa4e1a48390'/>
<id>urn:sha1:61c95f409c90728d3c3ad2627ea77fa4e1a48390</id>
<content type='text'>
On some nodes (found via natlab), the existing node's last seen could be
unset. For these cases, we would want to accept the key and write a last
seen. This was breaking the cached netmap natlab tests.

Updates #12639

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
<entry>
<title>control/controlclient: improve filter on netmap updates (#19308)</title>
<updated>2026-04-14T12:43:07Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2026-04-14T12:43:07Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=27f1d4c15ddf725b83db1a34ed443b9165ce9e7a'/>
<id>urn:sha1:27f1d4c15ddf725b83db1a34ed443b9165ce9e7a</id>
<content type='text'>
The previous filters would allow for a handful of subtle issues such as
updating the last seen date when the key or online status had not
changed, and making online keys unconditionally make an engine update.

These have been fixed alongside making no change updates from TSMP into
a no-op for the engine so we don't have to reconfigure.

A bunch of additional testing has been added as well.

Updates #12639

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
<entry>
<title>control/controlclient: avoid calls to ms.netmap() (#19281)</title>
<updated>2026-04-08T13:01:07Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2026-04-08T13:01:07Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=9e68841939170ae132935e26e5e200066b1f62c3'/>
<id>urn:sha1:9e68841939170ae132935e26e5e200066b1f62c3</id>
<content type='text'>
Instead of generating the full netmap, just fetch the peers out of the
existing peers map.

The extra usage was introduced with netmap caching, but there is no need
to call the netmap to get this information, rather the existing peermap
can be used.

Updates #12639

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
<entry>
<title>control/controlclient: add rwlock to peers in mapsession (#19261)</title>
<updated>2026-04-07T12:52:55Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2026-04-07T12:52:55Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=d44649a9e48137f5954fad6e7b1410f94a8a44c4'/>
<id>urn:sha1:d44649a9e48137f5954fad6e7b1410f94a8a44c4</id>
<content type='text'>
After moving around locks in 4334dfa7d5ccbee1daf5acf30b33557bbca66525,
a data race was made possible.

Introduce an RWlock to the mapSession itself for fetching peers.

Fixes #19260

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
<entry>
<title>cmd/vet: add subtestnames analyzer; fix all existing violations</title>
<updated>2026-04-05T22:52:51Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2026-04-04T21:32:14Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=5ef3713c9fb0896fee566918d9f5f932c66086d9'/>
<id>urn:sha1:5ef3713c9fb0896fee566918d9f5f932c66086d9</id>
<content type='text'>
Add a new vet analyzer that checks t.Run subtest names don't contain
characters requiring quoting when re-running via "go test -run". This
enforces the style guide rule: don't use spaces or punctuation in
subtest names.

The analyzer flags:
- Direct t.Run calls with string literal names containing spaces,
  regex metacharacters, quotes, or other problematic characters
- Table-driven t.Run(tt.name, ...) calls where tt ranges over a
  slice/map literal with bad name field values

Also fix all 978 existing violations across 81 test files, replacing
spaces with hyphens and shortening long sentence-like names to concise
hyphenated forms.

Updates #19242

Change-Id: Ib0ad96a111bd8e764582d1d4902fe2599454ab65
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>control/controlclient: filter out disco updates from full map (#19220)</title>
<updated>2026-04-02T17:08:01Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2026-04-02T17:08:01Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=ffaebd71fbacb8c8abc35820dd59bc7c7c4b0fb2'/>
<id>urn:sha1:ffaebd71fbacb8c8abc35820dd59bc7c7c4b0fb2</id>
<content type='text'>
When getting a full map from control, disco keys for the nodes will also
be delivered. When communicating with a peer that is running without
being connected to control, and having that connection running based on
a TSMP learned disco key, we need to avoid overwriting the disco key for
that peer with the stale one control knows about.

Add a filter that filters out keys from control, and replace them with
the TSMP learned disco keys.

Updates #12639

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
<entry>
<title>control/controlclient,ipn/ipnlocal,wgengine: avoid restarting wireguard when key is learned via tsmp (#19142)</title>
<updated>2026-03-30T18:26:08Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2026-03-30T18:26:08Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=bf467727fc40acad61cc2a95c8b93ac16a163638'/>
<id>urn:sha1:bf467727fc40acad61cc2a95c8b93ac16a163638</id>
<content type='text'>
When disco keys are learned on a node that is connected to control and
has a mapSession, wgengine will see the key as having changed, and
assume that any existing connections will need to be reset.

For keys learned via TSMP, the connection should not be reset as that
key is learned via an active wireguard connection. If wgengine resets
that connection, a 15s timeout will occur.

This change adds a map to track new keys coming in via TSMP, and removes
them from the list of keys that need to trigger wireguard resets. This
is done with an interface chain from controlclient down via localBackend
to userspaceEngine via the watchdog.

Once a key has been actively used for preventing a wireguard reset, the
key is removed from the map.

If mapSession becomes a long lived process instead of being dependent on
having a connection to control, this interface chain can be removed, and
the event sequence from wrap-&gt;controlClient-&gt;userspaceEngine, can be
changed to wrap-&gt;userspaceEngine-&gt;controlClient as we know the map will
not be gunked up with stale TSMP entries.

Updates #12639

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
<entry>
<title>control/controlclient: handle errors in rememberLastNetmapUpdator (#19112)</title>
<updated>2026-03-25T00:36:34Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2026-03-25T00:36:34Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=9a4a2db0fca60bc393dc91869bf48bd07dde7eb6'/>
<id>urn:sha1:9a4a2db0fca60bc393dc91869bf48bd07dde7eb6</id>
<content type='text'>
If errors occurred, the updater could end up deadlocked.

Closing the done channel rather than adding to it, fixes a deadlock in
the corp tests.

Updates #19111

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
<entry>
<title>wgengine/magicsock,control/controlclient: do not overwrite discokey with old key (#18606)</title>
<updated>2026-03-20T12:56:27Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2026-03-20T12:56:27Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=85bb5f84a5a31841e3f27d3af952701220a2394f'/>
<id>urn:sha1:85bb5f84a5a31841e3f27d3af952701220a2394f</id>
<content type='text'>
When a client starts up without being able to connect to control, it
sends its discoKey to other nodes it wants to communicate with over
TSMP. This disco key will be a newer key than the one control knows
about.

If the client that can connect to control gets a full netmap, ensure
that the disco key for the node not connected to control is not
overwritten with the stale key control knows about.

This is implemented through keeping track of mapSession and use that for
the discokey injection if it is available. This ensures that we are not
constantly resetting the wireguard connection when getting the wrong
keys from control.

This is implemented as:
 - If the key is received via TSMP:
   - Set lastSeen for the peer to now()
   - Set online for the peer to false
 - When processing new keys, only accept keys where either:
   - Peer is online
   - lastSeen is newer than existing last seen

If mapSession is not available, as in we are not yet connected to
control, punt down the disco key injection to magicsock.

Ideally, we will want to have mapSession be long lived at some point in
the near future so we only need to inject keys in one location and then
also use that for testing and loading the cache, but that is a yak for
another PR.

Updates #12639

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
</feed>
