path: root/wgengine/netstack
Age  Commit message  Author  Files changed  Lines (-/+)
2022-03-17  all: use any instead of interface{}  (Josh Bleecher Snyder, 1 file changed, -1/+1)
    My favorite part of generics.

    Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2022-02-24  ssh: make it build on darwin  (Brad Fitzpatrick, 1 file changed, -2/+2)
    For local dev testing initially. Product-wise, it'll probably only be workable on the two unsandboxed builds.

    Updates #3802
    Change-Id: Ic352f966e7fb29aff897217d79b383131bf3f92b
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-02-15  ssh/tailssh: move SSH code from wgengine/netstack to this new package  (Brad Fitzpatrick, 2 files changed, -145/+13)
    Still largely incomplete, but in a better home now.

    Updates #3802
    Change-Id: I46c5ffdeb12e306879af801b06266839157bc624
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-02-02  wgengine/netstack: start supporting different SSH users  (Brad Fitzpatrick, 1 file changed, -1/+7)
    Updates #3802
    Change-Id: I44de6897e36b1362cd74c9b10c9cbfeb9abc3dbc
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-31  ipn/ipnlocal, wgengine/netstack: use netstack for peerapi server  (Brad Fitzpatrick, 1 file changed, -3/+40)
    We're finding a bunch of host operating systems/firewalls interact poorly with peerapi. We either get ICMP errors from the host or users need to run commands to allow the peerapi port:

    https://github.com/tailscale/tailscale/issues/3842#issuecomment-1025133727

    ... even though the peerapi should be an internal implementation detail.

    Rather than fight the host OS & firewalls, this change handles the server side of peerapi entirely in netstack (except on iOS), so it never makes its way to the host OS where it might be messed with.

    Two main downsides are:

    1) netstack isn't as fast, but we don't really need speed for peerapi. And actually, with fewer trips to/from the kernel, we might actually make up for some of the netstack performance loss by staying in userspace.

    2) tcpdump / Wireshark etc packet captures will no longer see the peerapi traffic. Oh well. Crawshaw's been wanting to add packet capture server support to tailscaled, so we'll probably do that sooner now.

    A future change might also then use peerapi for the client-side (except on iOS).

    Updates #3842 (probably fixes, as well as many exit node issues I bet)
    Change-Id: Ibc25edbb895dc083d1f07bd3cab614134705aa39
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-26  go.mod: bump netstack, switch to upstream netstack  (Brad Fitzpatrick, 1 file changed, -15/+14)
    Now that Go 1.17 has module graph pruning (https://go.dev/doc/go1.17#go-command), we should be able to use upstream netstack without breaking our private repo's build that then depends on the tailscale.com Go module.

    This is that experiment.

    Updates #1518 (the original bug to break out netstack to own module)
    Updates #2642 (this updates netstack, but doesn't remove workaround)
    Change-Id: I27a252c74a517053462e5250db09f379de8ac8ff
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-24  wgengine/netstack: add an SSH server experiment  (Brad Fitzpatrick, 2 files changed, -4/+180)
    Disabled by default.

    To use, run tailscaled with:

        TS_SSH_ALLOW_LOGIN=you@bar.com

    And enable with:

        $ TAILSCALE_USE_WIP_CODE=true tailscale up --ssh=true

    Then ssh [any-user]@[your-tailscale-ip] for a root bash shell. (both the "root" and "bash" part are temporary)

    Updates #3802
    Change-Id: I268f8c3c95c8eed5f3231d712a5dc89615a406f0
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-24  envknob: add new package for all the strconv.ParseBool(os.Getenv(..))  (Brad Fitzpatrick, 1 file changed, -1/+2)
    A new package can also later record/report which knobs are checked and set. It also makes the code cleaner & easier to grep for env knobs.

    Change-Id: Id8a123ab7539f1fadbd27e0cbeac79c2e4f09751
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-19  wgengine/netstack: clear TCP ECN bits before giving to gvisor  (Brad Fitzpatrick, 1 file changed, -0/+1)
    Updates #2642
    Change-Id: Ic219442a2656dd9dc99ae1dd91e907fd3d924987
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-19  wgengine/netstack: add a missing refcount decrement after packet injection  (Brad Fitzpatrick, 2 files changed, -0/+77)
    Fixes #3762
    Updates #3745 (probably fixes?)
    Change-Id: I1d3f0590fd5b8adfbc9110bc45ff717bb9e79aae
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-19  wgengine/netstack: add an Impl.Close method for tests  (Brad Fitzpatrick, 1 file changed, -8/+20)
    Change-Id: Idbb3fd6d749d3e4effdf96de77a1106584822fef
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-18  wgengine/netstack: add missing error logging in a RST case  (Brad Fitzpatrick, 1 file changed, -2/+3)
    Updates #2642
    Change-Id: I9f2f8fd28fc980208b0739eb9caf9db7b0977c09
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-18  wgengine/netstack: fix netstack ping timeout on darwin  (Brad Fitzpatrick, 1 file changed, -1/+14)
    -W is milliseconds on darwin, not seconds, and empirically it's milliseconds after a 1 second base.

    Change-Id: I2520619e6699d9c505d9645ce4dfee4973555227
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-12  wgengine/netstack: make userspace ping work when tailscaled has CAP_NET_RAW  (Brad Fitzpatrick, 2 files changed, -2/+39)
    Updates #3710
    Change-Id: Ief56c7ac20f5f09a2f940a1906b9efbf1b0d6932
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-07  wgengine/netstack: fake pings through netstack on Android too  (Brad Fitzpatrick, 1 file changed, -0/+6)
    Every OS ping binary is slightly different. Adjust for Android's.

    Updates #1738
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-06  wgengine/netstack: add env knob to turn on netstack debug logs  (Brad Fitzpatrick, 1 file changed, -3/+9)
    Except for the super verbose packet-level dumps. Keep those disabled by default with a const.

    Updates #2642
    Change-Id: Ia9eae1677e8b3fe6f457a59e44896a335d95d547
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-12-16  wgengine/netstack: don't remove 255.255.255.255/32 from netstack  (Brad Fitzpatrick, 1 file changed, -1/+10)
    The intent of the updateIPs code is to add & remove IP addresses to netstack based on what we get from the netmap. But netstack itself adds 255.255.255.255/32 apparently and we always fight it (and it adds it back?). So stop fighting it.

    Updates #2642 (maybe fixes? maybe.)
    Change-Id: I37cb23f8e3f07a42a1a55a585689ca51c2be7c60
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-12-15  ipn/ipnlocal: clear magicsock's netmap on logout  (Josh Bleecher Snyder, 1 file changed, -7/+9)
    magicsock was hanging onto its netmap on logout, which caused tailscale status to display partial information about a bunch of zombie peers. After logout, there should be no peers.

    Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-12-15  wgengine/netstack: remove some logging on forwarding connections  (Brad Fitzpatrick, 1 file changed, -2/+6)
    Change-Id: Ib1165b918cd5da38583f8e7d4be8cda54af3c81d
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-12-09  wgengine/netstack: in netstack/hybrid mode, fake ICMP using ping command  (Brad Fitzpatrick, 1 file changed, -0/+61)
    Change-Id: I42cb4b9b326337f4090d9cea532230e36944b6cb
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-12-03  ipn/ipnlocal, net/tsdial: make SOCKS/HTTP dials use ExitDNS  (Brad Fitzpatrick, 1 file changed, -16/+8)
    And simplify, unexport some tsdial/netstack stuff in the process.

    Fixes #3475
    Change-Id: I186a5a5cbd8958e25c075b4676f7f6e70f3ff76e
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-12-02  net/tsdial: give netstack a Dialer, start refactoring name resolution  (Brad Fitzpatrick, 1 file changed, -20/+9)
    This starts to refactor tsdial.Dialer's name resolution to have different stages: in-memory MagicDNS vs system resolution. A future change will plug in ExitDNS resolution.

    This also plumbs a Dialer into netstack and unexports the dnsMap internals.

    And it removes some of the async AddNetworkMapCallback usage and replaces it with synchronous updates of the Dialer's netmap from LocalBackend, since the LocalBackend has the Dialer too.

    Updates #3475
    Change-Id: Idcb7b1169878c74f0522f5151031ccbc49fe4cb4
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-11-30  net/tsdial: start of new package to unify all outbound dialing complexity  (Brad Fitzpatrick, 2 files changed, -207/+3)
    For now this just deletes the net/socks5/tssocks implementation (and the DNSMap stuff from wgengine/netstack) and moves it into net/tsdial.

    Then initialize a Dialer early in tailscaled, currently only used for the outbound and SOCKS5 proxies. It will be plumbed more later. Notably, it needs to get down into the DNS forwarder for exit node DNS forwarding in netstack mode. But it will also absorb all the peerapi setsockopt and netns Dial and tlsdial complexity too.

    Updates #1713
    Change-Id: Ibc6d56ae21a22655b2fa1002d8fc3f2b2ae8b6df
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-11-21  go.mod: bump inet.af/netstack  (Brad Fitzpatrick, 1 file changed, -9/+24)
    Updates #2642 (I'd hoped, but doesn't seem to fix it)
    Change-Id: Id54af7c90a1206bc7018215957e20e954782b911
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-11-01  cmd/tailscaled, wgengine/netstack: always wire up netstack  (Brad Fitzpatrick, 1 file changed, -16/+41)
    Even if not in use. We plan to use it for more stuff later.

    (not for iOS or macOS-GUIs yet; only tailscaled)

    Change-Id: Idaef719d2a009be6a39f158fd8f57f8cca68e0ee
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-28  wgengine/netstack: include DNS.ExtraRecords in DNSMap  (Brad Fitzpatrick, 1 file changed, -0/+10)
    So SOCKS5 dialer can dial HTTPS cert names, for instance.

    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-08-27  wgengine/netstack: clarify a comment  (Brad Fitzpatrick, 1 file changed, -6/+8)
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-08-25  wgengine/netstack: fix crash in userspace netstack TCP forwarding  (Brad Fitzpatrick, 1 file changed, -9/+36)
    Fixes #2658
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-07-21  wgengine/netstack: implement UDP relaying to advertised subnets  (Brad Fitzpatrick, 1 file changed, -46/+96)
    TCP was done in 662fbd4a09664e849f0b898d1e8df13325d36efa. This does the same for UDP.

    Tested by hand. Integration tests will have to come later. I'd wanted to do it in this commit, but the SOCKS5 server needed for interop testing between two userspace nodes doesn't yet support UDP and I didn't want to invent some whole new userspace packet injection interface at this point, as SOCKS seems like a better route, but that's its own bug.

    Fixes #2302
    RELNOTE=netstack mode can now UDP relay to subnets
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-07-21  wgengine/netstack: fix doc comment  (Brad Fitzpatrick, 1 file changed, -1/+0)
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-06-28  wgengine/netstack: make SOCKS5 resolve names to IPv6 if self node when no IPv4  (Brad Fitzpatrick, 2 files changed, -3/+127)
    For instance, ephemeral nodes with only IPv6 addresses can now SOCKS5-dial out to names like "foo" and resolve foo's IPv6 address rather than foo's IPv4 address and get a "no route" (*tcpip.ErrNoRoute) error from netstack's dialer.

    Per https://github.com/tailscale/tailscale/issues/2268#issuecomment-870027626 which is only part of the issue.

    Updates #2268
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-06-23  wgengine/netstack: add Impl.DialContextUDP  (Brad Fitzpatrick, 1 file changed, -0/+24)
    Unused so far, but eventually we'll want this for SOCKS5 UDP binds (we currently only do TCP with SOCKS5), and also for #2102 for forwarding MagicDNS upstream to Tailscale IPs over netstack.

    Updates #2102
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-05-16  all: adapt to opaque netaddr types  (Josh Bleecher Snyder, 1 file changed, -10/+10)
    This commit is a mishmash of automated edits using gofmt:

        gofmt -r 'netaddr.IPPort{IP: a, Port: b} -> netaddr.IPPortFrom(a, b)' -w .
        gofmt -r 'netaddr.IPPrefix{IP: a, Port: b} -> netaddr.IPPrefixFrom(a, b)' -w .
        gofmt -r 'a.IP.Is4 -> a.IP().Is4' -w .
        gofmt -r 'a.IP.As16 -> a.IP().As16' -w .
        gofmt -r 'a.IP.Is6 -> a.IP().Is6' -w .
        gofmt -r 'a.IP.As4 -> a.IP().As4' -w .
        gofmt -r 'a.IP.String -> a.IP().String' -w .

    And regexps:

        \w*(.*)\.Port = (.*) -> $1 = $1.WithPort($2)
        \w*(.*)\.IP = (.*) -> $1 = $1.WithIP($2)

    And lots of manual fixups.

    Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-05-14  tsnet: add Tailscale-as-a-library package  (Brad Fitzpatrick, 1 file changed, -2/+12)
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-05-06  wgengine/netstack: avoid delivering incoming packets to both netstack + host  (Brad Fitzpatrick, 1 file changed, -1/+8)
    The earlier eb06ec172f1d984bb87c589da1dd2d3f15dc6d82 fixed the flaky SSH issue (tailscale/corp#1725) by making sure that packets addressed to Tailscale IPs in hybrid netstack mode weren't delivered to netstack, but another issue remained: All traffic handled by netstack was also potentially being handled by the host networking stack, as the filter hook returned "Accept", which made it keep processing. This could lead to various random racey chaos as a function of OS/firewalls/routes/etc.

    Instead, once we inject into netstack, stop our caller's packet processing.

    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-05-05  wgengine/netstack: don't pass non-subnet traffic to netstack in hybrid mode  (Brad Fitzpatrick, 1 file changed, -1/+22)
    Fixes tailscale/corp#1725
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-04-21  wgengine/netstack: log error when acceptUDP fails  (Josh Bleecher Snyder, 1 file changed, -1/+1)
    I see a bunch of these in some logs I'm looking at, separated only by a few seconds. Log the error so we can tell what's going on here.

    Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>
2021-04-21  wgengine/netstack: log ForwarderRequest in readable form, only in debug mode (#1758)  (Naman Sood, 1 file changed, -5/+12)
    * wgengine/netstack: log ForwarderRequest in readable form, only in debug mode

    Fixes #1757
    Signed-off-by: Naman Sood <mail@nsood.in>
2021-04-06  cmd/tailscaled, wgengine{,/netstack}: add netstack hybrid mode, add to Windows  (Brad Fitzpatrick, 2 files changed, -7/+54)
    For #707

    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-31  wgengine/netstack: stop re-adding IPs registered by active TCP connections (#1629)  (Naman Sood, 1 file changed, -1/+0)
    Signed-off-by: Naman Sood <mail@nsood.in>
2021-03-29  wgengine/netstack: Allow userspace networking mode to expose subnets (#1588)  (Naman Sood, 1 file changed, -38/+114)
    wgengine/netstack: Allow userspace networking mode to expose subnets

    Updates #504
    Updates #707
    Signed-off-by: Naman Sood <mail@nsood.in>
2021-03-26  net/tstun: rename TUN to Wrapper.  (David Anderson, 1 file changed, -3/+3)
    The tstun package contains both constructors for generic tun Devices, and a wrapper that provides additional functionality.

    Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-26  net/tstun: merge in wgengine/tstun.  (David Anderson, 1 file changed, -1/+1)
    Signed-off-by: David Anderson <danderson@tailscale.com>
2021-03-23  all: s/Magic DNS/MagicDNS/ for consistency  (Brad Fitzpatrick, 1 file changed, -1/+1)
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-17  wgengine/netstack: use inet.af/netstack, remove 64-bit only limitation  (Brad Fitzpatrick, 2 files changed, -54/+14)
    This reverts the revert commit 84aba349d9a8d4e43585856c8155385f2569d35a.

    And changes us to use inet.af/netstack.

    Updates #1518
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-16  Revert "wgengine/netstack: update gvisor to remove 64-bit only limitation"  (David Anderson, 2 files changed, -2/+42)
    Breaks our corp repo due to gRPC dependency hell.

    This reverts commit d42f8b7f9a29a288058a03ebdf740e11b843bf26.
2021-03-15  wgengine/netstack: update gvisor to remove 64-bit only limitation  (Brad Fitzpatrick, 2 files changed, -42/+2)
    gVisor fixed their google/gvisor#1446 so we can include gVisor mode on 32-bit machines.

    A few minor upstream API changes, as normal.

    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-03-15  client, cmd/hello, ipn, wgengine: fix whois for netstack-forwarded connections  (Naman Sood, 1 file changed, -3/+17)
    Updates #504
    Updates #707
    Signed-off-by: Naman Sood <mail@nsood.in>
2021-03-08  wgengine/netstack: stop UDP forwarding when one side dies  (Naman Sood, 1 file changed, -5/+8)
    Updates #504
    Updates #707
    Signed-off-by: Naman Sood <mail@nsood.in>
2021-03-08  wgengine/netstack: add support for incoming UDP connections  (Naman Sood, 1 file changed, -9/+67)
    Updates #504
    Updates #707
    Signed-off-by: Naman Sood <mail@nsood.in>