| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Signed-off-by: Tom DNetto <tom@tailscale.com>
|
|
Change-Id: I038ff7705ba232e6cf8dcc9775357ef708d43762
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Stop jamming everything into one string.
Fixes #5578
Change-Id: I7dec8d6c073bddc7dc5f653e3baf2b4bf6b68378
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
The plan has changed. Doing query parameters rather than path +
heades. NextDNS added support for query parameters.
Updates #2452
Change-Id: I4783c0a06d6af90756d9c80a7512644ba702388c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
For debugging a macOS-specific magicsock issue. macOS runs in
bind-to-interface mode always. This lets me force Linux into the same
mode as macOS, even if the Linux kernel supports SO_MARK, as it
usually does.
Updates #2331 etc
Change-Id: Iac9e4a7429c1781337e716ffc914443b7aa2869d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
And put the rationale in the name too to save the callers the need for a comment.
Change-Id: I090f51b749a5a0641897ee89a8fb2e2080c8b782
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Change-Id: I14b821771681e70405a507f43229c694159265ff
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Fixes #3659
Signed-off-by: Tom DNetto <tom@tailscale.com>
Co-authored-by: Ian Foster <ian@vorsk.com>
|
|
Updates #2452
Change-Id: I0f1c34cc1672e87e7efd0adfe4088724dd0de3ed
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
More user friendly, and as a side-effect we handle SSH check mode better,
since the URL that's output is now clickable.
Fixes #5247
Signed-off-by: Mihai Parparita <mihai@tailscale.com>
|
|
xtermjs/xterm.js#4069 was merged and published (in 5.0.0-beta.58),
no need for the fork added by 01e6565e8a0193ec940a8eca9129dadb2c05e29d.
Signed-off-by: Mihai Parparita <mihai@tailscale.com>
|
|
Fixes #5565
Change-Id: I5626ec2116d9be451caef651dc301b7a82e35550
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Signed-off-by: License Updater <noreply@tailscale.com>
|
|
Clarify & verify that some DoH URLs can be sent over tailcfg
in some limited cases.
Updates #2452
Change-Id: Ibb25db77788629c315dc26285a1059a763989e24
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
NextDNS is unique in that users create accounts and then get
user-specific DNS IPs & DoH URLs.
For DoH, the customer ID is in the URL path.
For IPv6, the IP address includes the customer ID in the lower bits.
For IPv4, there's a fragile "IP linking" mechanism to associate your
public IPv4 with an assigned NextDNS IPv4 and that tuple maps to your
customer ID.
We don't use the IP linking mechanism.
Instead, NextDNS is DoH-only. Which means using NextDNS necessarily
shunts all DNS traffic through 100.100.100.100 (programming the OS to
use 100.100.100.100 as the global resolver) because operating systems
can't usually do DoH themselves.
Once it's in Tailscale's DoH client, we then connect out to the known
NextDNS IPv4/IPv6 anycast addresses.
If the control plane sends the client a NextDNS IPv6 address, we then
map it to the corresponding NextDNS DoH with the same client ID, and
we dial that DoH server using the combination of v4/v6 anycast IPs.
Updates #2452
Change-Id: I3439d798d21d5fc9df5a2701839910f5bef85463
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Allows other work to be unblocked while xtermjs/xterm.js#4069 is worked
through.
To enable testing the popup window handling, the standalone app allows
opening of SSH sessions in new windows by holding down the alt key
while pressing the SSH button.
Signed-off-by: Mihai Parparita <mihai@tailscale.com>
|
|
Store the requested size is a struct field, and use that when actually
creating the SSH session.
Fixes #5567
Signed-off-by: Mihai Parparita <mihai@tailscale.com>
|
|
See https://github.com/tailscale/go/pull/34
Change-Id: I56806358cd1be4a2b8f509883e47c93083d82bdf
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Fix broken build from 255c0472fb0f5c13c40b90eb9da87337da312e63
"Oh, that's safe to commit because most tests are passing and it's
just a comment change!", I thought, forgetting I'd added a test that
parses its comments.
Change-Id: Iae93d595e06fec48831215a98adbb270f3bfda05
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
gofmt in 1.19 is now opinionated about structured text formatting in
comments. It did not like our style and kept fighting us whenever we
changed these lines. Give up the fight and be a bulleted list for it.
See:
* https://go.dev/doc/go1.19#go-doc and
* https://go.dev/doc/comment
Updates #4872
Change-Id: Ifae431218471217168c003ab3b4e03c394ca8105
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Signed-off-by: GitHub <noreply@github.com>
|
|
These errors aren't actionable and just fill up logs with useless data.
See the following Go issue for more details:
https://golang.org/issue/26918
Signed-off-by: Andrew Dunham <andrew@tailscale.com>
|
|
Signed-off-by: License Updater <noreply@tailscale.com>
|
|
Fixes an panic in `(*magicsock.Conn).ServeHTTPDebug` when the
`recentPongs` ring buffer for an endpoint wraps around.
Signed-off-by: Colin Adler <colin1adler@gmail.com>
|
|
If we accept a forwarded TCP connection before dialing, we can
erroneously signal to a client that we support IPv6 (or IPv4) without
that actually being possible. Instead, we only complete the client's TCP
handshake after we've dialed the outbound connection; if that fails, we
respond with a RST.
Updates #5425 (maybe fixes!)
Signed-off-by: Andrew Dunham <andrew@tailscale.com>
|
|
Allows imports of the NPM package added by 1a093ef4822b973ec86d481924690349eddba5cb
to be replaced with import("http://localhost:9090/pkg/pkg.js"), so that
changes can be made in parallel to both the module and code that uses
it (without any need for NPM publishing or even building of the package).
Updates #5415
Signed-off-by: Mihai Parparita <mihai@tailscale.com>
|
|
Incoming disco packets are now dropped unless they match one of the
current bound ports, or have a zero port*.
The BPF filter passes all packets with a disco header to the raw packet
sockets regardless of destination port (in order to avoid needing to
reconfigure BPF on rebind).
If a BPF enabled node has just rebound, due to restart or rebind, it may
receive and reply to disco ping packets destined for ports other than
those which are presently bound. If the pong is accepted, the pinging
node will now assume that it can send WireGuard traffic to the pinged
port - such traffic will not reach the node as it is not destined for a
bound port.
*The zero port is ignored, if received. This is a speculative defense
and would indicate a problem in the receive path, or the BPF filter.
This condition is allowed to pass as it may enable traffic to flow,
however it will also enable problems with the same symptoms this patch
otherwise fixes.
Fixes #5536
Signed-off-by: James Tucker <james@tailscale.com>
|
|
1f959edeb0c6ad3a82fcdaa4ca65a02571493cc6 introduced a regression for JS
where the initial bind no longer occurred at all for JS.
The condition is moved deeper in the call tree to avoid proliferation of
higher level conditions.
Updates #5537
Signed-off-by: James Tucker <james@tailscale.com>
|
|
Both RebindingUDPConns now always exist. the initial bind (which now
just calls rebind) now ensures that bind is called for both, such that
they both at least contain a blockForeverConn. Calling code no longer
needs to assert their state.
Signed-off-by: James Tucker <james@tailscale.com>
|
|
For https://github.com/WireGuard/wireguard-go/commit/b51010ba13f0a3e59808fbdb1566cd2c6b834b95
Change-Id: Ibf767dfad98aef7e9f0505d91c0d26f924e046d5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
This broke a test in corp that enforces we don't use the log package.
Signed-off-by: Andrew Dunham <andrew@tailscale.com>
|
|
This is especially helpful as we launch newer DERPs over time, and older
clients have progressively out-of-date static DERP maps baked in. After
this, as long as the client has successfully connected once, it'll cache
the most recent DERP map it knows about.
Resolves an in-code comment from @bradfitz
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
|
|
It was previously using jobcontrol to achieve this, but that apparently
doesn't work when there is no tty. This makes it so that it directly
handles SIGINT and SIGTERM and passes it on to tailscaled. I tested this
works on a Digital Ocean K8s cluster.
Fixes #5512
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Change-Id: Iba128e94464afa605bc9df1f06a91d296380eed0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Allow callers to verify that a net.Listener is a tsnet.listener by type
asserting against this Server method, as well as providing access to the
underlying Server.
This is initially being added to support the caddy integration in
caddyserver/caddy#5002.
Signed-off-by: Will Norris <will@tailscale.com>
|
|
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
|
|
Signed-off-by: Tom DNetto <tom@tailscale.com>
|
|
Removes usage of net.IP and net.IPAddr where possible from net/dnscache.
Fixes #5282
Signed-off-by: Kris Brandow <kris.brandow@gmail.com>
|
|
Updates tailscale/corp#6781
Change-Id: I843fc810cbec0140d423d65db81e90179d6e0fa5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Signed-off-by: GitHub <noreply@github.com>
|
|
Signed-off-by: James Tucker <james@tailscale.com>
|
|
Signed-off-by: Bertrand Lorentz <bertrand.lorentz@gmail.com>
|
|
Apparently the validate route doesn't check content-types or handle
hujson with comments correctly. This patch makes gitops-pusher convert
the hujson to normal json.
Signed-off-by: Xe <xe@tailscale.com>
Signed-off-by: Xe <xe@tailscale.com>
|
|
With MagicDNS GA, we are giving every tailnet a tailnet-<hex>.ts.net name.
We will only parse out if legacy domains include beta.tailscale.net; otherwise,
set tailnet to the full domain format going forward.
Signed-off-by: nyghtowl <warrick@tailscale.com>
|
|
Signed-off-by: GitHub <noreply@github.com>
|
|
Change-Id: I0a46d6243371ae6d126005a2bd63820cb2d1db6b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
This is entirely optional (i.e. failing in this code is non-fatal) and
only enabled on Linux for now. Additionally, this new behaviour can be
disabled by setting the TS_DEBUG_DISABLE_AF_PACKET environment variable.
Updates #3824
Replaces #5474
Co-authored-by: Andrew Dunham <andrew@du.nham.ca>
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Remove test prefix added to validate the error code from 27f36f77c364562bc1ca660c241291e23606e54d.
Signed-off-by: Mihai Parparita <mihai@tailscale.com>
|
|
This will be needed to support preauth-keys with network lock in the future,
so getting the core mechanics out of the way now.
Signed-off-by: Tom DNetto <tom@tailscale.com>
|
|
Signed-off-by: License Updater <noreply@tailscale.com>
|
