| Age | Commit message | Author | Files | Lines |
|
This commit is a mishmash of automated edits using gofmt:
gofmt -r 'netaddr.IPPort{IP: a, Port: b} -> netaddr.IPPortFrom(a, b)' -w .
gofmt -r 'netaddr.IPPrefix{IP: a, Port: b} -> netaddr.IPPrefixFrom(a, b)' -w .
gofmt -r 'a.IP.Is4 -> a.IP().Is4' -w .
gofmt -r 'a.IP.As16 -> a.IP().As16' -w .
gofmt -r 'a.IP.Is6 -> a.IP().Is6' -w .
gofmt -r 'a.IP.As4 -> a.IP().As4' -w .
gofmt -r 'a.IP.String -> a.IP().String' -w .
And regexps:
\w*(.*)\.Port = (.*) -> $1 = $1.WithPort($2)
\w*(.*)\.IP = (.*) -> $1 = $1.WithIP($2)
And lots of manual fixups.
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
|
|
Fixes #1467
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Only use the ones in types/ipproto now.
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Add proto to flowtrack.Tuple.
Add types/ipproto leaf package to break a cycle.
Server-side ACL work remains.
Updates #1516
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Updates #1516
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Fixes tailscale/corp#1429.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Part of #1177, preparing for doing fancier set operations on
the allowed local nets.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
no generated code change.
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Fixes #1192 (regression)
Fixes #1193 (old bug)
|
|
This adds a new IP Protocol type, TSMP on protocol number 99 for
sending inter-tailscale messages over WireGuard, currently just for
why a peer rejects TCP SYNs (ACL rejection, shields up, and in the
future: nothing listening, something listening on that port but wrong
interface, etc)
Updates #1094
Updates tailscale/corp#1185
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Reduces allocs.
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Upstream netaddr has a change that makes it alloc-free, so it's safe to
use in hot codepaths. This gets rid of one of the many IP types in our
codebase.
Performance is currently worse across the board. This is likely due in
part to netaddr.IP being a larger value type (4b -> 24b for IPv4,
16b -> 24b for IPv6), and in other part due to missing low-hanging fruit
optimizations in netaddr. However, the regression is less bad than
it looks at first glance, because we'd micro-optimized packet.IP* in
the past few weeks. This change drops us back to roughly where we
were at the 1.2 release, but with the benefit of a significant
code and architectural simplification.
name old time/op new time/op delta
pkg:tailscale.com/net/packet goos:linux goarch:amd64
Decode/tcp4-8 12.2ns ± 5% 29.7ns ± 2% +142.32% (p=0.008 n=5+5)
Decode/tcp6-8 12.6ns ± 3% 65.1ns ± 2% +418.47% (p=0.008 n=5+5)
Decode/udp4-8 11.8ns ± 3% 30.5ns ± 2% +157.94% (p=0.008 n=5+5)
Decode/udp6-8 27.1ns ± 1% 65.7ns ± 2% +142.36% (p=0.016 n=4+5)
Decode/icmp4-8 24.6ns ± 2% 30.5ns ± 2% +23.65% (p=0.016 n=4+5)
Decode/icmp6-8 22.9ns ±51% 65.5ns ± 2% +186.19% (p=0.008 n=5+5)
Decode/igmp-8 18.1ns ±44% 30.2ns ± 1% +66.89% (p=0.008 n=5+5)
Decode/unknown-8 20.8ns ± 1% 10.6ns ± 9% -49.11% (p=0.016 n=4+5)
pkg:tailscale.com/wgengine/filter goos:linux goarch:amd64
Filter/icmp4-8 30.5ns ± 1% 77.9ns ± 3% +155.01% (p=0.008 n=5+5)
Filter/tcp4_syn_in-8 43.7ns ± 3% 123.0ns ± 3% +181.72% (p=0.008 n=5+5)
Filter/tcp4_syn_out-8 24.5ns ± 2% 45.7ns ± 6% +86.22% (p=0.008 n=5+5)
Filter/udp4_in-8 64.8ns ± 1% 210.0ns ± 2% +223.87% (p=0.008 n=5+5)
Filter/udp4_out-8 119ns ± 0% 278ns ± 0% +133.78% (p=0.016 n=4+5)
Filter/icmp6-8 40.3ns ± 2% 204.4ns ± 4% +407.70% (p=0.008 n=5+5)
Filter/tcp6_syn_in-8 35.3ns ± 3% 199.2ns ± 2% +464.95% (p=0.008 n=5+5)
Filter/tcp6_syn_out-8 32.8ns ± 2% 81.0ns ± 2% +147.10% (p=0.008 n=5+5)
Filter/udp6_in-8 106ns ± 2% 290ns ± 2% +174.48% (p=0.008 n=5+5)
Filter/udp6_out-8 184ns ± 2% 314ns ± 3% +70.43% (p=0.016 n=4+5)
pkg:tailscale.com/wgengine/tstun goos:linux goarch:amd64
Write-8 9.02ns ± 3% 8.92ns ± 1% ~ (p=0.421 n=5+5)
name old alloc/op new alloc/op delta
pkg:tailscale.com/net/packet goos:linux goarch:amd64
Decode/tcp4-8 0.00B 0.00B ~ (all equal)
Decode/tcp6-8 0.00B 0.00B ~ (all equal)
Decode/udp4-8 0.00B 0.00B ~ (all equal)
Decode/udp6-8 0.00B 0.00B ~ (all equal)
Decode/icmp4-8 0.00B 0.00B ~ (all equal)
Decode/icmp6-8 0.00B 0.00B ~ (all equal)
Decode/igmp-8 0.00B 0.00B ~ (all equal)
Decode/unknown-8 0.00B 0.00B ~ (all equal)
pkg:tailscale.com/wgengine/filter goos:linux goarch:amd64
Filter/icmp4-8 0.00B 0.00B ~ (all equal)
Filter/tcp4_syn_in-8 0.00B 0.00B ~ (all equal)
Filter/tcp4_syn_out-8 0.00B 0.00B ~ (all equal)
Filter/udp4_in-8 0.00B 0.00B ~ (all equal)
Filter/udp4_out-8 16.0B ± 0% 64.0B ± 0% +300.00% (p=0.008 n=5+5)
Filter/icmp6-8 0.00B 0.00B ~ (all equal)
Filter/tcp6_syn_in-8 0.00B 0.00B ~ (all equal)
Filter/tcp6_syn_out-8 0.00B 0.00B ~ (all equal)
Filter/udp6_in-8 0.00B 0.00B ~ (all equal)
Filter/udp6_out-8 48.0B ± 0% 64.0B ± 0% +33.33% (p=0.008 n=5+5)
name old allocs/op new allocs/op delta
pkg:tailscale.com/net/packet goos:linux goarch:amd64
Decode/tcp4-8 0.00 0.00 ~ (all equal)
Decode/tcp6-8 0.00 0.00 ~ (all equal)
Decode/udp4-8 0.00 0.00 ~ (all equal)
Decode/udp6-8 0.00 0.00 ~ (all equal)
Decode/icmp4-8 0.00 0.00 ~ (all equal)
Decode/icmp6-8 0.00 0.00 ~ (all equal)
Decode/igmp-8 0.00 0.00 ~ (all equal)
Decode/unknown-8 0.00 0.00 ~ (all equal)
pkg:tailscale.com/wgengine/filter goos:linux goarch:amd64
Filter/icmp4-8 0.00 0.00 ~ (all equal)
Filter/tcp4_syn_in-8 0.00 0.00 ~ (all equal)
Filter/tcp4_syn_out-8 0.00 0.00 ~ (all equal)
Filter/udp4_in-8 0.00 0.00 ~ (all equal)
Filter/udp4_out-8 1.00 ± 0% 1.00 ± 0% ~ (all equal)
Filter/icmp6-8 0.00 0.00 ~ (all equal)
Filter/tcp6_syn_in-8 0.00 0.00 ~ (all equal)
Filter/tcp6_syn_out-8 0.00 0.00 ~ (all equal)
Filter/udp6_in-8 0.00 0.00 ~ (all equal)
Filter/udp6_out-8 1.00 ± 0% 1.00 ± 0% ~ (all equal)
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
While the code was correct, I broke it during a refactoring and
tests didn't detect it. This fixes that glitch.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
matchIPsOnly gets 5% slower when inlining, despite significantly reduced
memory ops and slightly tighter code.
Part of #19.
Filter/tcp6_syn_in-8 45.5ns ± 1% 42.4ns ± 2% -6.86% (p=0.000 n=10+10)
Filter/udp6_in-8 107ns ± 2% 94ns ± 2% -11.50% (p=0.000 n=9+10)
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Doesn't materially affect benchmarks, but shrinks match6 by 30 instructions
and halves memory loads.
Part of #19.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Part of #19.
name old time/op new time/op delta
Filter/icmp4-8 32.2ns ± 3% 32.5ns ± 2% ~ (p=0.524 n=10+8)
Filter/icmp6-8 49.7ns ± 6% 43.1ns ± 4% -13.12% (p=0.000 n=9+10)
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Part of #19.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
For the operations we perform on these types (mostly net6.Contains),
this encoding is much faster.
Part of #19.
name old time/op new time/op delta
Filter/icmp4-8 27.5ns ± 1% 28.0ns ± 2% +1.89% (p=0.016 n=5+5)
Filter/tcp4_syn_in-8 38.8ns ± 2% 38.3ns ± 1% -1.24% (p=0.024 n=5+5)
Filter/tcp4_syn_out-8 27.6ns ±12% 24.6ns ± 1% ~ (p=0.063 n=5+5)
Filter/udp4_in-8 71.5ns ± 5% 65.9ns ± 1% -7.94% (p=0.008 n=5+5)
Filter/udp4_out-8 132ns ±13% 119ns ± 1% -10.29% (p=0.008 n=5+5)
Filter/icmp6-8 169ns ±10% 54ns ± 1% -68.35% (p=0.008 n=5+5)
Filter/tcp6_syn_in-8 149ns ± 6% 43ns ± 1% -71.11% (p=0.008 n=5+5)
Filter/tcp6_syn_out-8 37.7ns ± 4% 24.3ns ± 3% -35.51% (p=0.008 n=5+5)
Filter/udp6_in-8 179ns ± 5% 103ns ± 1% -42.75% (p=0.008 n=5+5)
Filter/udp6_out-8 156ns ± 3% 191ns ± 1% +22.54% (p=0.008 n=5+5)
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Part of #19.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
The packet filter still rejects all IPv6, but decodes enough from v6
packets to do something smarter in a followup.
name time/op
Decode/tcp4-8 28.8ns ± 2%
Decode/tcp6-8 20.6ns ± 1%
Decode/udp4-8 28.2ns ± 1%
Decode/udp6-8 20.0ns ± 6%
Decode/icmp4-8 21.7ns ± 2%
Decode/icmp6-8 14.1ns ± 2%
Decode/unknown-8 9.43ns ± 2%
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
The goal is to move some of the shenanigans we have elsewhere into the filter
package, so that all the weird things to do with poking at the filter are in
a single place, behind clean APIs.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
It only served to obscure the underlying slice type without
adding much value.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
We still use the packet.* alloc-free types in the data path, but
the compilation from netaddr to packet happens within the filter
package.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Updates #629
|
|
Eventually we'll probably support multicast. For now it's just log spam.
Fixes #629
|
|
control/controlclient, wgengine/filter: extract parsePacketFilter to new constructor in wgengine/filter
Signed-off-by: chungdaniel <daniel@tailscale.com>
|
|
And add tests.
Fixes #618
Updates #402
|
|
The OS (tries) to send these but we drop them. No need to worry the
user with spam that we're dropping it.
Fixes #402
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
As prep for IPv6 log spam fixes in a future change.
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
|
|
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
|
|
Performance impact:
name old time/op new time/op delta
Filter/tcp_in-4 70.7ns ± 1% 30.9ns ± 1% -56.30% (p=0.008 n=5+5)
Filter/tcp_out-4 58.6ns ± 0% 19.4ns ± 0% -66.87% (p=0.000 n=5+4)
Filter/udp_in-4 96.8ns ± 2% 55.5ns ± 0% -42.64% (p=0.016 n=5+4)
Filter/udp_out-4 120ns ± 1% 79ns ± 1% -33.87% (p=0.008 n=5+5)
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
If a test calls log.Printf, 'go test' horrifyingly rearranges the
output to no longer be in chronological order, which makes debugging
virtually impossible. Let's stop that from happening by making
log.Printf panic if called from any module, no matter how deep, during
tests.
This required us to change the default error handler in at least one
http.Server, as well as plumbing a bunch of logf functions around,
especially in magicsock and wgengine, but also in logtail and backoff.
To add insult to injury, 'go test' also rearranges the output when a
parent test has multiple sub-tests (all the sub-test's t.Logf is always
printed after all the parent test's t.Logf), so we need to screw around
with a special Logf that can point at the "current" t (current_t.Logf)
in some places. Probably our entire way of using subtests is wrong,
since 'go test' would probably like to run them all in parallel if you
called t.Parallel(), but it definitely can't because they're all
manipulating the shared state created by the parent test. They should
probably all be separate toplevel tests instead, with common
setup/teardown logic. But that's a job for another time.
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
|
|
|