summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)AuthorFilesLines
2024-09-04cmd/tailscale/cli: use new Go 1.23 slices.SortedBrad Fitzpatrick1-7/+3
And a grammatical nit. Updates #12912 Change-Id: I9feae53beb4d28dfe98b583373e2e0a43c801fc4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-09-04control/controlclient,posture,util/syspolicy: use predefined syspolicy keys ↵Nick Khyl3-2/+10
instead of string literals With the upcoming syspolicy changes, it's imperative that all syspolicy keys are defined in the syspolicy package for proper registration. Otherwise, the corresponding policy settings will not be read. This updates a couple of places where we still use string literals rather than syspolicy consts. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-09-04cli: implement `tailscale dns status` (#13353)Andrea Gottardo9-1/+365
Updates tailscale/tailscale#13326 This PR begins implementing a `tailscale dns` command group in the Tailscale CLI. It provides an initial implementation of `tailscale dns status` which dumps the state of the internal DNS forwarder. Two new endpoints were added in LocalAPI to support the CLI functionality: - `/netmap`: dumps a copy of the last received network map (because the CLI shouldn't have to listen to the ipn bus for a copy) - `/dns-osconfig`: dumps the OS DNS configuration (this will be very handy for the UI clients as well, as they currently do not display this information) My plan is to implement other subcommands mentioned in tailscale/tailscale#13326, such as `query`, in later PRs. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
2024-09-04ipn/ipnlocal: always send auth URL notifications when a user requests ↵Nick Khyl2-36/+65
interactive login This PR changes how LocalBackend handles interactive (initiated via StartLoginInteractive) and non-interactive (e.g., due to key expiration) logins, and when it sends the authURL to the connected clients. Specifically, - When a user initiates an interactive login by clicking Log In in the GUI, the LocalAPI calls StartLoginInteractive. If an authURL is available and hasn't expired, we immediately send it to all connected clients, suggesting them to open that URL in a browser. Otherwise, we send a login request to the control plane and set a flag indicating that an interactive login is in progress. - When LocalBackend receives an authURL from the control plane, we check if it differs from the previous one and whether an interactive login is in progress. If either condition is true, we notify all connected clients with the new authURL and reset the interactive login flag. We reset the auth URL and flags upon a successful authentication, when a different user logs in and when switching Tailscale login profiles. Finally, we remove the redundant dedup logic added to WatchNotifications in #12096 and revert the tests to their original state to ensure that calling StartLoginInteractive always produces BrowseToURL notifications, either immediately or when the authURL is received from the control plane. Fixes #13296 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-09-04net/dns: support GetBaseConfig on Darwin OSS tailscaled (#13351)Andrea Gottardo1-1/+31
Updates tailscale/tailscale#177 It appears that the OSS distribution of `tailscaled` is currently unable to get the current system base DNS configuration, as GetBaseConfig() in manager_darwin.go is unimplemented. This PR adds a basic implementation that reads the current values in `/etc/resolv.conf`, to at least unblock DNS resolution via Quad100 if `--accept-dns` is enabled. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
2024-09-04cmd/stunstamp: increase probe jitter (#13362)Jordan Whited1-1/+1
We've added more probe targets recently which has resulted in more timeouts behind restrictive NATs in localized testing that don't like how many flows we are creating at once. Not so much an issue for datacenter or cloud-hosted deployments. Updates tailscale/corp#22114 Signed-off-by: Jordan Whited <jordan@tailscale.com>
2024-09-04cmd/stunstamp: use measureFn more consistently in naming/signatures (#13360)Jordan Whited3-3/+3
Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>
2024-09-04cmd/stunstamp: implement ICMP{v6} probing (#13354)Jordan Whited3-16/+179
This adds both userspace and kernel timestamping. Updates tailscale/corp#22114 Signed-off-by: Jordan Whited <jordan@tailscale.com>
2024-09-03tstest/natlab: add dual stack with blackholed IPv4Brad Fitzpatrick3-3/+49
This reproduces the bug report from https://github.com/tailscale/tailscale/issues/13346 It does not yet fix it. Updates #13346 Change-Id: Ia5af7b0481a64a37efe259c798facdda6d9da618 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-09-03util/syspolicy/source: add package for reading policy settings from external ↵Nick Khyl11-2/+3009
stores We add package defining interfaces for policy stores, enabling creation of policy sources and reading settings from them. It includes a Windows-specific PlatformPolicyStore for GP and MDM policies stored in the Registry, and an in-memory TestStore for testing purposes. We also include an internal package that tracks and reports policy usage metrics when a policy setting is read from a store. Initially, it will be used only on Windows and Android, as macOS, iOS, and tvOS report their own metrics. However, we plan to use it across all platforms eventually. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-09-03cmd/tailscale/cli: add 'debug go-buildinfo' subcommandBrad Fitzpatrick1-0/+17
To dump runtime/debug.BuildInfo. Updates #1866 Change-Id: I8810390858a03b7649f9b22ef3ab910d423388da Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-09-03client/tailscale: adding missing proto field in ACL parsing structures (#13051)Seaver Thorn1-0/+2
Signed-off-by: Seaver Thorn <swthorn@ncsu.edu>
2024-09-03cmd/k8s-operator,k8s-operator/sessionrecording: ensure recording header ↵Irbe Krumina7-95/+265
contains terminal size for terminal sessions (#12965) * cmd/k8s-operator,k8s-operator/sessonrecording: ensure CastHeader contains terminal size For tsrecorder to be able to play session recordings, the recording's CastHeader must have '.Width' and '.Height' fields set to non-zero. Kubectl (or whoever is the client that initiates the 'kubectl exec' session recording) sends the terminal dimensions in a resize message that the API server proxy can intercept, however that races with the first server message that we need to record. This PR ensures we wait for the terminal dimensions to be processed from the first resize message before any other data is sent, so that for all sessions with terminal attached, the header of the session recording contains the terminal dimensions and the recording can be played by tsrecorder. Updates tailscale/tailscale#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-09-03wgengine/magicsock: actually use AF_PACKET socket for raw discoAndrew Dunham5-91/+424
Previously, despite what the commit said, we were using a raw IP socket that was *not* an AF_PACKET socket, and thus was subject to the host firewall rules. Switch to using a real AF_PACKET socket to actually get the functionality we want. Updates #13140 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: If657daeeda9ab8d967e75a4f049c66e2bca54b78
2024-09-03tailcfg: bump capver for earlier cryptokey panic fix [capver 106]Brad Fitzpatrick1-1/+2
I should've bumped capver in 65fe0ba7b5 but forgot. This lets us turn off the cryptokey routing change from control for the affected panicky range of commits, based on capver. Updates #13332 Updates tailscale/corp#20732 Change-Id: I32c17cfcb45b2369b2b560032330551d47a0ce0b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-09-03gokrazy{,/natlabapp.arm64}: start adding arm64 appliance supportBrad Fitzpatrick16-3/+392
Both for Raspberry Pis, and for running natlab tests faster on Apple Silicon Macs without emulating x86. Not fully wired up yet. Updates #1866 Updates #13038 Change-Id: I1552bf107069308f325f640773cc881ed735b5ab Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-08-31wgengine/magicsock: fix panic regression from cryptokey routing changeBrad Fitzpatrick1-1/+7
Fixes #13332 Updates tailscale/corp#20732 Change-Id: I30f12746844bf77f5a664bf8e8d8ebf2511a2b27 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-08-30ipn/ipnlocal: fix a nil pointer dereference when serving /localapi/v0/tka/statusNick Khyl1-4/+7
Fixes #13330 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-30tstest/natlab/vnet: move some boilerplate to mkPacket helperBrad Fitzpatrick2-83/+74
No need to make callers specify the redundant IP version or TTL/HopLimit or EthernetType in the common case. The mkPacket helper can set those when unset. And use the mkIPLayer in another place, simplifying some code. And rename mkPacketErr to just mkPacket, then move mkPacket to test-only code, as mustPacket. Updates #13038 Change-Id: Ic216e44dda760c69ab9bfc509370040874a47d30 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-08-30tstest/natlab/vnet: add syslog testsBrad Fitzpatrick3-2/+77
Updates #13038 Change-Id: I4ac96cb0a9e46a2fb1e09ddedd3614eb006c2c8c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-08-30tstest/natlab/vnet: add DHCP tests, ignore DHCPv4 on v6-only networksBrad Fitzpatrick2-23/+110
And clean up some of the test helpers in the process. Updates #13038 Change-Id: I3e2b5f7028a32d97af7f91941e59399a8e222b25 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-08-30tstest/natlab/vnet: use mkPacketErr in more placesBrad Fitzpatrick1-29/+9
I'd added this helper for tests, but then moved it to non-test code and forgot some places to use it. This uses it in more places to remove some boilerplate. Updates #13038 Change-Id: Ic4dc339be1c47a55b71d806bab421097ee3d75ed Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-08-30posture: stop logging serial numbersAnton Tolchanov1-3/+0
Logging serial numbers every time they are read might have been useful early on, but seems unnecessary now. Updates #5902 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2024-08-29ipn/ipnlocal: fix race condition that results in a panic sending on a closed ↵Nick Khyl3-6/+21
channel Fixes #13288 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-29drive/driveimpl: use su instead of sudoPercy Wegmann1-13/+29
This allows Taildrive to work on systems like Busybox that don't have sudo. Fixes #12282 Signed-off-by: Percy Wegmann <percy@tailscale.com>
2024-08-29net/tstun: clarify GROFilterFunc *gro.GRO usage (#13318)Jordan Whited1-3/+4
Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>
2024-08-29ssh/tailssh: add ability to force V2 behavior using new feature flagPercy Wegmann2-1/+9
Introduces ssh-behavior-v2 node attribute to override ssh-behavior-v1. Updates #11854 Signed-off-by: Percy Wegmann <percy@tailscale.com>
2024-08-29dns: increase TimeToVisible before DNS unavailable warning (#13317)Andrea Gottardo1-1/+1
Updates tailscale/tailscale#13314 Some users are reporting 'DNS unavailable' spurious (?) warnings, especially on Android: https://old.reddit.com/r/Tailscale/comments/1f2ow3w/health_warning_dns_unavailable_on_tailscale/ https://old.reddit.com/r/Tailscale/comments/1f3l2il/health_warnings_dns_unavailable_what_does_it_mean/ I suspect this is caused by having a too low TimeToVisible setting on the Warnable, which triggers the unhealthy state during slow network transitions. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
2024-08-29net/tstun,wgengine/netstack: implement TCP GRO for local services (#13315)Jordan Whited4-26/+33
Throughput improves substantially when measured via netstack loopback (TS_DEBUG_NETSTACK_LOOPBACK_PORT). Before (d21ebc2): jwhited@i5-12400-2:~$ iperf3 -V -c 100.100.100.100 Starting Test: protocol: TCP, 1 streams, 131072 byte blocks Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 5.77 GBytes 4.95 Gbits/sec 0 sender [ 5] 0.00-10.01 sec 5.77 GBytes 4.95 Gbits/sec receiver After: jwhited@i5-12400-2:~$ iperf3 -V -c 100.100.100.100 Starting Test: protocol: TCP, 1 streams, 131072 byte blocks Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 12.7 GBytes 10.9 Gbits/sec 0 sender [ 5] 0.00-10.00 sec 12.7 GBytes 10.9 Gbits/sec receiver Updates tailscale/corp#22754 Signed-off-by: Jordan Whited <jordan@tailscale.com>
2024-08-29tstest/integration: add UDP netstack loopback integration test (#13312)Jordan Whited1-5/+152
Updates tailscale/corp#22713 Signed-off-by: Jordan Whited <jordan@tailscale.com>
2024-08-29nix: update nix and use go 1.23Kristoffer Dalby2-34/+40
Updates #12912 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-08-29ipn/ipnlocal: set WantRunning upon an interactive login, but not during a ↵Nick Khyl2-30/+63
seamless renewal or a profile switch The LocalBackend's state machine starts in NoState and soon transitions to NeedsLogin if there's no auto-start profile, with the profileManager starting with a new empty profile. Notably, entering the NeedsLogin state blocks engine updates. We expect the user to transition out of this state by logging in interactively, and we set WantRunning to true when controlclient enters the StateAuthenticated state. While our intention is correct, and completing an interactive login should set WantRunning to true, our assumption that logging into the current Tailscale profile is the only way to transition out of the NeedsLogin state is not accurate. Another common transition path includes an explicit profile switch (via LocalBackend.SwitchProfile) or an implicit switch when a Windows user connects to the backend. This results in a bug where WantRunning is set to true even when it was previously set to false, and the user expressed no intention of changing it. A similar issue occurs when switching from (sic) a Tailnet that has seamlessRenewalEnabled, regardless of the current state of the LocalBackend's state machine, and also results in unexpectedly set WantRunning. While this behavior is generally undesired, it is also incorrect that it depends on the control knobs of the Tailnet we're switching from rather than the Tailnet we're switching to. However, this issue needs to be addressed separately. This PR updates LocalBackend.SetControlClientStatus to only set WantRunning to true in response to an interactive login as indicated by a non-empty authURL. Fixes #6668 Fixes #11280 Updates #12756 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-28tstest/natlab/vnet: add more testsBrad Fitzpatrick3-31/+155
This adds tests for DNS requests, and ignoring IPv6 packets on v4-only networks. No behavior changes. But some things are pulled out into functions. And the mkPacket helpers previously just for tests are moved into non-test code to be used elsewhere to reduce duplication, doing the checksum stuff automatically. Updates #13038 Change-Id: I4dd0b73c75b2b9567b4be3f05a2792999d83f6a3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-08-28wgengine/netstack: implement netstack loopback (#13301)Jordan Whited2-15/+206
When the TS_DEBUG_NETSTACK_LOOPBACK_PORT environment variable is set, netstack will loop back (dnat to addressFamilyLoopback:loopbackPort) TCP & UDP flows originally destined to localServicesIP:loopbackPort. localServicesIP is quad-100 or the IPv6 equivalent. Updates tailscale/corp#22713 Signed-off-by: Jordan Whited <jordan@tailscale.com>
2024-08-28ipn/ipnlocal: refactor and cleanup profileManagerNick Khyl7-155/+349
In preparation for multi-user and unattended mode improvements, we are refactoring and cleaning up `ipn/ipnlocal.profileManager`. The concept of the "current user", which is only relevant on Windows, is being deprecated and will soon be removed to allow more than one Windows user to connect and utilize `LocalBackend` according to that user's access rights to the device and specific Tailscale profiles. We plan to pass the user's identity down to the `profileManager`, where it can be used to determine the user's access rights to a given `LoginProfile`. While the new permission model in `ipnauth` requires more work and is currently blocked pending PR reviews, we are updating the `profileManager` to reduce its reliance on the concept of a single OS user being connected to the backend at the same time. We extract the switching to the default Tailscale profile, which may also trigger legacy profile migration, from `profileManager.SetCurrentUserID`. This introduces `profileManager.DefaultUserProfileID`, which returns the default profile ID for the current user, and `profileManager.SwitchToDefaultProfile`, which is essentially a shorthand for `pm.SwitchProfile(pm.DefaultUserProfileID())`. Both methods will eventually be updated to accept the user's identity and utilize that user's default profile. We make access checks more explicit by introducing the `profileManager.checkProfileAccess` method. The current implementation continues to use `profileManager.currentUserID` and `LoginProfile.LocalUserID` to determine whether access to a given profile should be granted. This will be updated to utilize the `ipnauth` package and the new permissions model once it's ready. We also expand access checks to be used more widely in the `profileManager`, not just when switching or listing profiles. This includes access checks in methods like `SetPrefs` and, most notably, `DeleteProfile` and `DeleteAllProfiles`, preventing unprivileged Windows users from deleting Tailscale profiles owned by other users on the same device, including profiles owned by local admins. We extract `profileManager.ProfilePrefs` and `profileManager.SetProfilePrefs` methods that can be used to get and set preferences of a given `LoginProfile` if `profileManager.checkProfileAccess` permits access to it. We also update `profileManager.setUnattendedModeAsConfigured` to always enable unattended mode on Windows if `Prefs.ForceDaemon` is true in the current `LoginProfile`, even if `profileManager.currentUserID` is `""`. This facilitates enabling unattended mode via `tailscale up --unattended` even if `tailscale-ipn.exe` is not running, such as when a Group Policy or MDM-deployed script runs at boot time, or when Tailscale is used on a Server Code or otherwise headless Windows environments. See #12239, #2137, #3186 and https://github.com/tailscale/tailscale/pull/6255#issuecomment-2016623838 for details. Fixes #12239 Updates tailscale/corp#18342 Updates #3186 Updates #2137 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-28tstest/natlab/vnet: add IPv6 all-nodes supportBrad Fitzpatrick3-18/+75
This adds support for sending packets to 33:33:00:00:01 at IPv6 multicast address ff02::1 to send to all nodes. Nothing in Tailscale depends on this (yet?), but it makes debugging in VMs behind natlab easier (e.g. you can ping all nodes), and other things might depend on this in the future. Mostly I'm trying to flesh out the IPv6 support in natlab now that we can write vnet tests. Updates #13038 Change-Id: If590031fcf075690ca35c7b230a38c3e72e621eb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-08-28ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving ↵Nick Khyl8-215/+333
access checks from the localapi.Handler to the LocalBackend Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client. These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config) requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues. We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other platforms when switching between profiles that have different OperatorUser values in ipn.Prefs. We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device (e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation. The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device and against the current (and/or the target) profile. This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next PRs and removing the deprecated methods and the Permit* flags at the end of the transition. Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27tstest/natlab/vnet: add qemu + Virtualization.framework protocol testsBrad Fitzpatrick2-15/+189
To test how virtual machines connect to the natlab vnet code. Updates #13038 Change-Id: Ia4fd4b0c1803580ee7d94cc9878d777ad4f24f82 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-08-27tstest/natlab/vnet: start adding testsBrad Fitzpatrick3-99/+402
And refactor some of vnet.go for testability. The only behavioral change (with a new test) is that ethernet broadcasts no longer get sent back to the sender. Updates #13038 Change-Id: Ic2e7e7d6d8805b7b7f2b5c52c2c5ba97101cef14 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-08-27net/tstun: fix gvisor inbound GSO packet injection (#13283)Jordan Whited2-4/+9
buffs[0] was not sized to hold pkt with GSO, resulting in a panic. Updates tailscale/corp#22511 Signed-off-by: Jordan Whited <jordan@tailscale.com>
2024-08-27usermetric: add initial user-facing metricsKristoffer Dalby17-22/+368
This commit adds a new usermetric package and wires up metrics across the tailscale client. Updates tailscale/corp#22075 Co-authored-by: Anton Tolchanov <anton@tailscale.com> Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-08-27tsweb/varz: remove pprofKristoffer Dalby3-3/+2
Updates tailscale/corp#22075 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-08-26wgengine/netstack: re-enable gVisor GSO on Linux (#13269)Jordan Whited1-1/+1
This was previously disabled in 8e42510 due to missing GSO-awareness in tstun, which was resolved in d097096. Updates tailscale/corp#22511 Signed-off-by: Jordan Whited <jordan@tailscale.com>
2024-08-26net/tstun,wgengine/netstack: make inbound synthetic packet injection ↵Jordan Whited3-20/+79
GSO-aware (#13266) Updates tailscale/corp#22511 Signed-off-by: Jordan Whited <jordan@tailscale.com>
2024-08-26wgengine/netstack: use types/logger.Logf instead of stdlib log.Printf (#13267)Jordan Whited1-3/+2
Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>
2024-08-26tstest/natlab/vnet: rename some things for clarityBrad Fitzpatrick2-15/+17
The bad naming (which had only been half updated with the IPv6 changes) tripped me up in the earlier change. Updates #13038 Change-Id: I65ce07c167e8219d35b87e1f4bf61aab4cac31ff Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-08-26tstest/natlab: fix IPv6 tests, remove TODOsBrad Fitzpatrick2-21/+57
The reason they weren't working was because the cmd/tta agent in the guest was dialing out to the test and the vnet couldn't map its global unicast IPv6 address to a node as it was just using a map[netip.Addr]*node and blindly trusting the *node was populated. Instead, it was nil, so the agent connection fetching didn't work for its RoundTripper and the test could never drive the node. That map worked for IPv4 but for IPv6 we need to use the method that takes into account the node's IPv6 SLAAC address. Most call sites had been converted but I'd missed that one. Also clean up some debug, and prohibit nodes' link-local unicast addresses from dialing 2000::/3 directly for now. We can allow that to be configured opt-in later (some sort of IPv6 NAT mode. Whatever it's called.) That mode was working on accident, but was confusing: Linux would do source address selection from link local for the first few seconds and then after SLAAC and DAD, switch to using the global unicast source address. Be consistent for now and force it to use the global unicast. Updates #13038 Change-Id: I85e973aaa38b43c14611943ff45c7c825ee9200a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-08-26logpolicy: extend the gokrazy/natlab wait-for-network delay for IPv6Brad Fitzpatrick1-1/+38
Really we need to fix logpolicy + bootstrapDNS to not be so aggressive, but this is a quick workaround meanwhile. Without this, tailscaled starts immediately while IPv6 DAD is happening for a couple seconds and logpolicy freaks out without the network available and starts spamming stderr about bootstrap DNS options. But we see that regularly anyway from people whose wifi is down. So we need to fix the general case. This is not that fix. Updates #13038 Change-Id: Iba7e536d08e59d34abded1d279f88fdc9c46d94d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-08-26cmd/tta: pull out test driver dialing into a type, fix bugsBrad Fitzpatrick1-39/+111
There were a few places it could get wedged (notably the dial without a timeout). And add a knob for verbose debug logs. And keep two idle connections always. Updates #13038 Change-Id: I952ad182d7111481d97a83c12aa2ff4bfdc55fe8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-08-26tstest/natlab: refactor HandleEthernetPacketForRouter a bitBrad Fitzpatrick1-36/+45
Move all the UDP handling to its own func to remove a bunch of "if isUDP" checks in a bunch of blocks. Updates #13038 Change-Id: If71d71b49e57651d15bd307a2233c43751cc8639 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>