| Age | Commit message | Author | Files | Lines |
|
Updates #14280
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
|
|
Updates #14280
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
|
|
Fixes #14492
-----
Developer Certificate of Origin
Version 1.1
Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
Change-Id: I6dc1068d34bbfa7477e7b7a56a4325b3868c92e1
Signed-off-by: Marc Paquette <marcphilippaquette@gmail.com>
|
|
Importing the ~deprecated golang.org/x/exp/maps as "xmaps" to not
shadow the std "maps" was getting ugly.
And using slices.Collect on an iterator is verbose & allocates more.
So copy (x)maps.Keys+Values into our slicesx package instead.
Updates #cleanup
Updates #12912
Updates #14514 (pulled out of that change)
Change-Id: I5e68d12729934de93cf4a9cd87c367645f86123a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Initial support for SrcCaps was added in 5ec01bf but it was not actually
working without this.
Updates #12542
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
|
|
See #12542 for background.
Updates #12542
Change-Id: Ida312f700affc00d17681dc7551ee9672eeb1789
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Changes "Accept" TCP logs to display in verbose logs only,
and removes lines from default logging behavior.
Updates #12158
Signed-off-by: Keli Velazquez <keli@tailscale.com>
|
|
The control plane hasn't sent it to clients in ages.
Updates tailscale/corp#20965
Change-Id: I1d71a4b6dd3f75010a05c544ee39827837c30772
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
This gets UDP filter overhead closer to TCP. Still ~2x, but no longer ~3x.
goos: darwin
goarch: arm64
pkg: tailscale.com/wgengine/filter
│ before │ after │
│ sec/op │ sec/op vs base │
FilterMatch/tcp-not-syn-v4-8 15.43n ± 3% 15.38n ± 5% ~ (p=0.339 n=10)
FilterMatch/udp-existing-flow-v4-8 42.45n ± 0% 34.77n ± 1% -18.08% (p=0.000 n=10)
geomean 25.59n 23.12n -9.65%
Updates #12486
Change-Id: I595cfadcc6b7234604bed9c4dd4261e087c0d4c4
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
I noticed we were allocating these every time when they could just
share the same memory. Rather than document ownership, just lock it
down with a view.
I was considering doing all of the fields but decided to just do this
one first as a test to see how infectious it became. Conclusion: not
very.
Updates #cleanup (while working towards tailscale/corp#20514)
Change-Id: I8ce08519de0c9a53f20292adfbecd970fe362de0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
To show the effects of the flow LRU accounting on e.g. QUIC traffic.
For an open TCP connection:
BenchmarkFilterMatch/tcp-not-syn-v4-8 66602070 16.74 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-8 67718179 16.60 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-8 68403351 16.84 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-8 66076416 16.87 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-8 67159012 16.67 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-8 65009526 16.58 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-8 66588055 16.62 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-8 63037071 16.58 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-8 69124975 21.15 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-8 54482922 20.41 ns/op
And an open UDP connection:
BenchmarkFilterMatch/udp-existing-flow-v4-8 25570020 44.09 ns/op
BenchmarkFilterMatch/udp-existing-flow-v4-8 26725958 46.99 ns/op
BenchmarkFilterMatch/udp-existing-flow-v4-8 25936412 47.11 ns/op
BenchmarkFilterMatch/udp-existing-flow-v4-8 25418325 45.99 ns/op
BenchmarkFilterMatch/udp-existing-flow-v4-8 25759848 44.73 ns/op
BenchmarkFilterMatch/udp-existing-flow-v4-8 25212488 46.26 ns/op
BenchmarkFilterMatch/udp-existing-flow-v4-8 25344370 44.55 ns/op
BenchmarkFilterMatch/udp-existing-flow-v4-8 26399372 45.26 ns/op
BenchmarkFilterMatch/udp-existing-flow-v4-8 26274159 47.51 ns/op
BenchmarkFilterMatch/udp-existing-flow-v4-8 26070472 46.79 ns/op
Updates #12486
Change-Id: Ica4263fb77972cf43db5a2e9433b4429506edfde
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
This moves NewContainsIPFunc from tsaddr to new ipset package.
And wgengine/filter types get split into wgengine/filter/filtertype,
so netmap (and thus the CLI, etc) doesn't need to bring in ipset,
bart, etc.
Then add a test making sure the CLI deps don't regress.
Updates #1278
Change-Id: Ia246d6d9502bbefbdeacc4aef1bed9c8b24f54d5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
If we already know it's an incoming IPv4 packet, no need to match
against the set of IPv6s and vice versa.
goos: darwin
goarch: arm64
pkg: tailscale.com/wgengine/filter
│ before │ after │
│ sec/op │ sec/op vs base │
FilterMatch/not-local-v4-8 21.40n ± 3% 16.04n ± 1% -25.09% (p=0.000 n=10)
FilterMatch/not-local-v6-8 20.75n ± 9% 15.71n ± 0% -24.31% (p=0.000 n=10)
FilterMatch/no-match-v4-8 81.37n ± 1% 78.57n ± 3% -3.43% (p=0.005 n=10)
FilterMatch/no-match-v6-8 77.73n ± 2% 73.71n ± 3% -5.18% (p=0.002 n=10)
FilterMatch/tcp-not-syn-v4-8 21.41n ± 3% 16.86n ± 0% -21.25% (p=0.000 n=10)
FilterMatch/tcp-not-syn-v4-no-logs-8 10.04n ± 0% 10.05n ± 0% ~ (p=0.446 n=10)
geomean 29.07n 25.05n -13.84%
Updates #12486
Change-Id: I70e5024af03893327d26629a994ab2aa9811f4f3
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
To show performance during heavy flows on established connections.
BenchmarkFilterMatch/tcp-not-syn-v4-8 52125848 21.46 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-8 52388781 21.43 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-8 52916954 21.32 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-8 52590730 21.43 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-8 53015923 21.32 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-no-logs-8 122795029 9.783 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-no-logs-8 100000000 10.09 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-no-logs-8 120090948 9.747 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-no-logs-8 122350448 10.55 ns/op
BenchmarkFilterMatch/tcp-not-syn-v4-no-logs-8 122943025 9.813 ns/op
Updates #12486
Change-Id: I8e7c9380bf969ad646851d53f8a4c287717694ea
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
I noticed the not-local-v6 numbers were nowhere near the v4 numbers
(they should be identical) and then saw this. It meant the
Addr().Next() wasn't picking an IP that was no longer local, as
assumed.
Updates #12486
Change-Id: I18dfb641f00c74c6252666bc41bd2248df15fadd
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Updates #12486
Change-Id: If2e6d9c70212644eb4a0bc8ec6768512894a646a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
NewContainsIPFunc returns a contains matcher optimized for its
input. Use that instead of what this did before, always doing a test
over each of a list of netip.Prefixes.
goos: darwin
goarch: arm64
pkg: tailscale.com/wgengine/filter
│ before │ after │
│ sec/op │ sec/op vs base │
FilterMatch/file1-8 32.60n ± 1% 18.87n ± 1% -42.12% (p=0.000 n=10)
Updates #12486
Change-Id: I8f902bc064effb431e5b46751115942104ff6531
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Baseline, on 2020 M1 Macbook Pro, on power:
goos: darwin
goarch: arm64
pkg: tailscale.com/wgengine/filter
BenchmarkFilterMatch/file1-8 34089133 32.79 ns/op
BenchmarkFilterMatch/file1-8 35423917 32.59 ns/op
BenchmarkFilterMatch/file1-8 35208598 32.80 ns/op
BenchmarkFilterMatch/file1-8 35180470 33.39 ns/op
BenchmarkFilterMatch/file1-8 36671608 32.82 ns/op
BenchmarkFilterMatch/file1-8 35435991 33.13 ns/op
BenchmarkFilterMatch/file1-8 34689181 33.29 ns/op
BenchmarkFilterMatch/file1-8 34786053 32.94 ns/op
BenchmarkFilterMatch/file1-8 35366235 32.56 ns/op
BenchmarkFilterMatch/file1-8 35342799 32.47 ns/op
Updates #12486
Change-Id: I8f902bc064effb431e5b46751115942104ff6531
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Updates #11058
Change-Id: I35e7ef9b90e83cac04ca93fd964ad00ed5b48430
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
For use in ACL tests, we need a way to check whether a packet is allowed
not just with TCP, but any protocol.
Updates #3561
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
We keep finding these.
Updates #cleanup
Change-Id: Iabc049b0f8da07341011356f0ecd5315c33ff548
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
This reverts commit ee90cd02fdd4e4125ec9d12eef1195ed36ef4b2e.
The outcome is not identical for empty slices. Cloner really needs
tests!
Updates #9601
Signed-off-by: James Tucker <james@tailscale.com>
|
|
A wild @josharian appears with a good suggestion for a refactor, thanks
Josh!
Updates #9410
Signed-off-by: James Tucker <james@tailscale.com>
|
|
This adds a new RawMessage type backed by string instead of the
json.RawMessage which is backed by []byte. The byte slice makes
the generated views be a lot more defensive than they need to be
which we can get around by using a string instead.
Updates #cleanup
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Instead of untyped string, add a type to identify these.
Updates #cleanup
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
tailcfg.Node zero-value clone equality checks failed when I added a
[]*foo to the structure, as the zero value and its clone contained a
different slice header.
Updates #9377
Updates #9408
Signed-off-by: James Tucker <james@tailscale.com>
|
|
Updates #8419
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Updates #8419
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Define PeerCapability and PeerCapMap as the new way of sending down
inter-peer capability information.
Previously, this was unstructured and you could only send down strings
which got too limiting for certain use cases. Instead add the ability
to send down raw JSON messages that are opaque to Tailscale but provide
the applications to define them however they wish.
Also update accessors to use the new values.
Updates #4217
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
This updates all source files to use a new standard header for copyright
and license declaration. Notably, copyright no longer includes a date,
and we now use the standard SPDX-License-Identifier header.
This commit was done almost entirely mechanically with perl, and then
some minimal manual fixes.
Updates #6865
Signed-off-by: Will Norris <will@tailscale.com>
|
|
01b90df2fa4f9101e4f0ae8334b00dd9c3ccc148 added SCTP support before
(with explicit parsing for ports) and
69de3bf7bfddb37b4c0e076c93115f82a51ec407 tried to add support for
arbitrary IP protocols (as long as the ACL permitted a port of "*",
since we might not know how to find ports from an arbitrary IP
protocol, if it even has such a concept). But apparently that latter
commit wasn't tested end-to-end enough. It had a lot of tests, but the
tests made assumptions about layering that either weren't true, or
regressed since 1.20. Notably, it didn't remove the (*Filter).pre
bidirectional filter that dropped all "unknown" protocol packets both
leaving and entering, even if there were explicit protocol matches
allowing them in.
Also, don't map all unknown protocols to 0. Keep their IP protocol
number parsed so it's matchable by later layers. Only reject illegal
things.
Fixes #6423
Updates #2162
Updates #2163
Change-Id: I9659b3ece86f4db51d644f9b34df78821758842c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Updates #6423
Change-Id: I9e363922e2c24fdc42687707c069af5bba68b93e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Change-Id: Ia422121cde1687044b18be7bea9e7bf51a4183b9
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Signed-off-by: Tom DNetto <tom@tailscale.com>
|
|
Updates #6865
Change-Id: I6b86c646968ebbd4553cf37df5e5612fbf5c5f7d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
|
|
Instead of going through the tailscale.com/net/netaddr transitional
wrappers.
Updates #5162
Change-Id: I3dafd1c2effa1a6caa9b7151ecf6edd1a3fda3dd
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Updates #5210
Change-Id: Ib02cd5e43d0a8db60c1f09755a8ac7b140b670be
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer needed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Mechanical change with perl+goimports.
Changed {Must,}Parse{IP,IPPrefix,IPPort} to their netip variants, then
goimports -d .
Finally, removed the net/netaddr wrappers, to prevent future use.
Updates #5162
Change-Id: I59c0e38b5fbca5a935d701645789cddf3d7863ad
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Updates #5162
Change-Id: Id7bdec303b25471f69d542f8ce43805328d56c12
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Profiling identified this as a fairly hot path for growing a slice.
Given this is only used in control & when a new packet filter is received, this shouldn't be hot in the client.
|
|
Also run go generate again for Copyright updates.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Updates #4217
RELNOTE=start of WhoIsResponse capability support
Change-Id: I6522998a911fe49e2f003077dad6164c017eed9b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Change-Id: I943ce72c6f339589235bddbe10d07799c4e37979
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
My favorite part of generics.
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
|
|
More remain.
Change-Id: I6ec562cc1f687600758deae1c9d7dbd0d04004cb
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
A new package can also later record/report which knobs are checked and
set. It also makes the code cleaner & easier to grep for env knobs.
Change-Id: Id8a123ab7539f1fadbd27e0cbeac79c2e4f09751
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
RELNOTE=yes
Change-Id: I96eaf3cf550cee7bb6cdb4ad81fc761e280a1b2a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|