| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Needed for Android.
Signed-off-by: Elias Naur <mail@eliasnaur.com>
|
|
|
|
This prevents hostname being forced to os.Hostname despite override
when control is contacted for the first time after starting tailscaled.
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
|
|
|
|
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
|
|
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
|
|
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
|
|
The StartLoginInteractive command is for delegating the sign-in flow
to a browser. The Android Gooogle Sign-In SDK inverts the flow by
giving the client ID tokens.
Add a new backend command for accepting such tokens by exposing the existing
controlclient.Client.Login support for OAuth2 tokens. Introduce a custom
TokenType to distinguish ID tokens from other OAuth2 tokens.
Signed-off-by: Elias Naur <mail@eliasnaur.com>
|
|
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
|
|
We want the macOS Network Extension to share fate with the UI frontend,
so we need the backend to know when the frontend disappears.
One easy way to do that is to reuse the existing TCP server it's
already running (for tailscale status clietns).
We now tell the frontend our ephemeral TCP port number, and then have
the UI connect to it, so the backend can know when it disappears.
There are likely Swift ways of doing this, but I couldn't find them
quickly enough, so I reached for the hammer I knew.
|
|
More remain.
Fixes tailscale/corp#432
|
|
So Windows service failures can be propagated to the Windows UI client.
|
|
This change adds to tsdns the ability to delegate lookups to upstream nameservers.
This is crucial for setting Magic DNS as the system resolver.
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
|
|
Generate the disco key ourselves and give out the public half instead.
Fixes #525
|
|
There's a lot of confusion around what tailscale status shows, so make it better:
show region names, last write time, and put stars around DERP too if active.
Now stars are always present if activity, and always somewhere.
|
|
It's just a config wrapper that passes "use less memory at the
expense of compression" parameters by default, so that we don't
accidentally construct resource-hungry (de)compressors.
Also includes a benchmark that measures the memory cost of the
small variants vs. the stock variants. The savings are significant
on both compressors (~8x less memory) and decompressors (~1.4x less,
not including the savings from the significantly smaller
window on the compression side - with those savings included it's
more like ~140x smaller).
BenchmarkSmallEncoder-8 56174 19354 ns/op 31 B/op 0 allocs/op
BenchmarkSmallEncoderWithBuild-8 2900 382940 ns/op 1746547 B/op 36 allocs/op
BenchmarkStockEncoder-8 48921 25761 ns/op 286 B/op 0 allocs/op
BenchmarkStockEncoderWithBuild-8 426 2630241 ns/op 13843842 B/op 124 allocs/op
BenchmarkSmallDecoder-8 123814 9344 ns/op 0 B/op 0 allocs/op
BenchmarkSmallDecoderWithBuild-8 41547 27455 ns/op 27694 B/op 31 allocs/op
BenchmarkStockDecoder-8 129832 9417 ns/op 1 B/op 0 allocs/op
BenchmarkStockDecoderWithBuild-8 25561 51751 ns/op 39607 B/op 92 allocs/op
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
This adds a new magicsock endpoint type only used when both sides
support discovery (that is, are advertising a discovery
key). Otherwise the old code is used.
So far the new code only communicates over DERP as proof that the new
code paths are wired up. None of the actually discovery messaging is
implemented yet.
Support for discovery (generating and advertising a key) are still
behind an environment variable for now.
Updates #483
|
|
Now we can have magicsock make decisions based on tailcfg.Debug
settings sent by the server.
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Looks like it's only used by tests.
|
|
Later we'll want to use the presence of a discovery key as a signal
that the node knows how to participate in discovery. Currently the
code generates keys and sends them to the control server but doesn't
do anything with them, which is a bad state to stay in lest we release
this code and end up with nodes in the future that look like they're
functional with the new discovery protocol but aren't.
So for now, make this opt-in as a debug option for now, until the rest
of it is in.
Updates #483
|
|
Signed-Off-By: Dmytro Shynkevych <dmytro@tailscale.com>
|
|
Not actually used yet.
Updates #483
|
|
|
|
Signed-Off-By: Dmytro Shynkevych <dmytro@tailscale.com>
|
|
Signed-Off-By: Dmytro Shynkevych <dmytro@tailscale.com>
|
|
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
|
|
The zstd library treats that limit as a hard cap on decompressed
size, in the mode we're using it, rather than a window size.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Overriding the hostname is required for Android, where os.Hostname
is often just "localhost".
Updates #409
Signed-off-by: Elias Naur <mail@eliasnaur.com>
|
|
These are hard for swift to decode in the iOS app.
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
|
|
Updates #421 (likely fixes it; need to do an iOS build to be sure)
|
|
This removes the use of suppress_ifgroup and fwmark "x/y" notation,
which are, among other things, not available in busybox and centos6.
We also use the return codes from the 'ip' program instead of trying to
parse its output.
I also had to remove the previous hack that routed all of 100.64.0.0/10
by default, because that would add the /10 route into the 'main' route
table instead of the new table 88, which is no good. It was a terrible
hack anyway; if we wanted to capture that route, we should have
captured it explicitly as a subnet route, not as part of the addr. Note
however that this change affects all platforms, so hopefully there
won't be any surprises elsewhere.
Fixes #405
Updates #320, #144
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
|
|
It depends on corp things, so can't run here anyway.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Instead of hard-coding the DERP map (except for cmd/tailscale netcheck
for now), get it from the control server at runtime.
And make the DERP map support multiple nodes per region with clients
picking the first one that's available. (The server will balance the
order presented to clients for load balancing)
This deletes the stunner package, merging it into the netcheck package
instead, to minimize all the config hooks that would've been
required.
Also fix some test flakes & races.
Fixes #387 (Don't hard-code the DERP map)
Updates #388 (Add DERP region support)
Fixes #399 (wgengine: flaky tests)
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Updates tailscale/corp#255.
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
|
|
Use b.logf() instead.
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
|
|
The compressed blobs we send back and forth are small and infrequent,
which doesn't justify the 8MB * GOMAXPROCS memory that was being
allocated. This was the overwhelming majority of memory use in
tailscaled. On my system it goes from ~100M RSS to ~15M RSS (which is
still suspiciously high, but we can worry about that more later).
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Also stop logging data sent/received from nodes we're not connected to (ie all those `x`s being logged in the `peers: ` line)
Signed-off-by: Wendi <wendi.yu@yahoo.ca>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
If a test calls log.Printf, 'go test' horrifyingly rearranges the
output to no longer be in chronological order, which makes debugging
virtually impossible. Let's stop that from happening by making
log.Printf panic if called from any module, no matter how deep, during
tests.
This required us to change the default error handler in at least one
http.Server, as well as plumbing a bunch of logf functions around,
especially in magicsock and wgengine, but also in logtail and backoff.
To add insult to injury, 'go test' also rearranges the output when a
parent test has multiple sub-tests (all the sub-test's t.Logf is always
printed after all the parent tests t.Logf), so we need to screw around
with a special Logf that can point at the "current" t (current_t.Logf)
in some places. Probably our entire way of using subtests is wrong,
since 'go test' would probably like to run them all in parallel if you
called t.Parallel(), but it definitely can't because the're all
manipulating the shared state created by the parent test. They should
probably all be separate toplevel tests instead, with common
setup/teardown logic. But that's a job for another time.
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
|
|
* origin/master:
types/logger: add ArgWriter
wgengine: wrap tun.Device to support filtering and packet injection (#358)
|
|
This matches the new API requirements.
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
|
|
Right now, filtering and packet injection in wgengine depend
on a patch to wireguard-go that probably isn't suitable for upstreaming.
This need not be the case: wireguard-go/tun.Device is an interface.
For example, faketun.go implements it to mock a TUN device for testing.
This patch implements the same interface to provide filtering
and packet injection at the tunnel device level,
at which point the wireguard-go patch should no longer be necessary.
This patch has the following performance impact on i7-7500U @ 2.70GHz,
tested in the following namespace configuration:
┌────────────────┐ ┌─────────────────────────────────┐ ┌────────────────┐
│ $ns1 │ │ $ns0 │ │ $ns2 │
│ client0 │ │ tailcontrol, logcatcher │ │ client1 │
│ ┌─────┐ │ │ ┌──────┐ ┌──────┐ │ │ ┌─────┐ │
│ │vethc│───────┼────┼──│vethrc│ │vethrs│──────┼─────┼──│veths│ │
│ ├─────┴─────┐ │ │ ├──────┴────┐ ├──────┴────┐ │ │ ├─────┴─────┐ │
│ │10.0.0.2/24│ │ │ │10.0.0.1/24│ │10.0.1.1/24│ │ │ │10.0.1.2/24│ │
│ └───────────┘ │ │ └───────────┘ └───────────┘ │ │ └───────────┘ │
└────────────────┘ └─────────────────────────────────┘ └────────────────┘
Before:
---------------------------------------------------
| TCP send | UDP send |
|------------------------|------------------------|
| 557.0 (±8.5) Mbits/sec | 3.03 (±0.02) Gbits/sec |
---------------------------------------------------
After:
---------------------------------------------------
| TCP send | UDP send |
|------------------------|------------------------|
| 544.8 (±1.6) Mbits/sec | 3.13 (±0.02) Gbits/sec |
---------------------------------------------------
The impact on receive performance is similar.
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
This saves a layer of translation, and saves us having to
pass in extra bits and pieces of the netmap and prefs to
wgengine. Now it gets one Wireguard config, and one OS
network stack config.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Signed-off-by: Wendi Yu <wendi.yu@yahoo.ca>
|
|
Part of #320.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
