Commit Graph

3167 Commits

Author SHA1 Message Date
Josh Bleecher Snyder aec281e638 wgengine/magicsock: call peerMap.validate at the end of SetNetworkMap
Not for prod, maybe useful for debugging.
2021-11-10 14:05:38 -08:00
Josh Bleecher Snyder 2bef8ecece wgengine/magicsock: start peerMap.validate
The intent is that this can be used during automated stress tests
and/or while debugging to ensure that a peerMap is internally consistent.
2021-11-10 14:05:04 -08:00
Josh Bleecher Snyder 67dcfb2356 wgengine/magicsock: fix bug in peerMap.upsertEndpoint
Found by inspection. Contains before/after for easy toggling.
2021-11-10 14:03:47 -08:00
Josh Bleecher Snyder cab2c9376f wgengine/magicsock: fix typo in comment 2021-11-10 14:02:06 -08:00
Brad Fitzpatrick d972099c78 wgengine/magicsock: add a stress test
Updates tailscale/corp#3016

Change-Id: I23708e68ed44d81986d9e2be82029d4555547592
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-11-10 12:09:54 -08:00
Denton Gentry b56ba20549 VERSION.txt: this is v1.16.2
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-10-29 14:16:00 -07:00
David Anderson 6f332b4cf1 net/portmapper: ignore IGD SSDP responses from !defaultgw
Now that we multicast the SSDP query, we can get IGD offers from
devices other than the current device's default gateway. We don't want
to accidentally bind ourselves to those.

Updates #3197

Signed-off-by: David Anderson <danderson@tailscale.com>
(cherry picked from commit 060ba86baa)
2021-10-29 13:49:48 -07:00
David Anderson d117f77094 net/portmapper: also send UPnP SSDP query to the SSDP multicast address.
Fixes #3197

Signed-off-by: David Anderson <danderson@tailscale.com>
(cherry picked from commit 4a65b07e34)
2021-10-29 13:49:41 -07:00
Maisem Ali 647486dc46 logtail/filch: limit buffer file size to 50MB
Signed-off-by: Maisem Ali <maisem@tailscale.com>
(cherry picked from commit 05e55f4a0b)
2021-10-29 13:33:23 -07:00
Denton Gentry 4f4000fbe9 VERSION.txt: this is v1.16.1
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-10-19 17:12:50 -07:00
Brad Fitzpatrick dc9a2909ac wgengine/magicsock: remove peerMap.byDiscoKey map
No longer used.

Updates #3088

Change-Id: I0ced3f87baa4053d3838d3c4a828ed0293923825
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit c30fa5903d)
2021-10-19 12:22:26 -07:00
David Anderson 6c0723fbd6 wgengine/magicsock: track IP<>node mappings without relying on discokeys.
Updates #3088.

Signed-off-by: David Anderson <danderson@tailscale.com>
(cherry picked from commit b956139b0c)
2021-10-19 12:18:17 -07:00
Brad Fitzpatrick 7fbbaff617 wgengine/magicsock: finish TODO to speed up peerMap.forEachEndpointWithDiscoKey
Now that peerMap tracks the set of nodes for a DiscoKey.

Updates #3088

Change-Id: I927bf2bdfd2b8126475f6b6acc44bc799fcb489f
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit 7a243ae5b1)
2021-10-19 12:18:17 -07:00
Brad Fitzpatrick b9983e6eb8 wgengine/magicsock: don't check always-non-nil endpoint for nil-ness
Continuation of 2aa5df7ac1, remove nil
check because it can never be nil. (It previously was able to be nil.)

Change-Id: I59cd9ad611dbdcbfba680ed9b22e841b00c9d5e6
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit 11fdb14c53)
2021-10-19 12:18:17 -07:00
David Anderson 89739e077c wgengine/magicsock: add an explicit else branch to peerMap update.
Clarifies that the replace+delete of peerinfo data is only when peerInfo
already exists.

Signed-off-by: David Anderson <danderson@tailscale.com>
(cherry picked from commit e7eb46bced)
2021-10-19 12:18:17 -07:00
David Anderson ae267e0df1 disco: amplify comment that disco ping's NodeKey shouldn't be trusted by itself.
Signed-off-by: David Anderson <danderson@tailscale.com>
(cherry picked from commit 1c56643136)
2021-10-19 12:18:17 -07:00
Maisem Ali 4a531a0aed wgengine: don't try to delete legacy netfilter rules on synology.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
(cherry picked from commit 53199738fb)
2021-10-19 12:18:17 -07:00
David Anderson 5cf0619cb2 wgengine/magicsock: document and enforce that peerInfo.ep is non-nil.
Signed-off-by: David Anderson <danderson@tailscale.com>
(cherry picked from commit 2aa5df7ac1)
2021-10-19 12:18:17 -07:00
David Anderson ee02c95259 wgengine/magicsock: move discoKey fields to the mutex-protected section.
Fixes #3106

Signed-off-by: David Anderson <danderson@tailscale.com>
(cherry picked from commit 521b44e653)
2021-10-19 12:18:17 -07:00
Brad Fitzpatrick cb0d784a79 wgengine/magicsock: track which NodeKey each DiscoKey was last for
This adds new fields (currently unused) to discoInfo to track what the
last verified (unambiguous) NodeKey a DiscoKey last mapped to, and
when.

Then on CallMeMaybe, Pong and on most Pings, we update the mapping
from DiscoKey to the current NodeKey for that DiscoKey.

Updates #3088

Change-Id: Idc4261972084dec71cf8ec7f9861fb9178eb0a4d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit a6d02dc122)
2021-10-19 12:18:17 -07:00
Brad Fitzpatrick 430d378f7d wgengine/magicsock: fix data race with sync.Pool in error+logging path
Fixes #3122

Change-Id: Ib52e84f9bd5813d6cf2e80ce5b2296912a48e064
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit c759fcc7d3)
2021-10-19 12:18:17 -07:00
Brad Fitzpatrick ac4cda9303 disco, wgengine/magicsock: send self node key in disco pings
This lets clients quickly (sub-millisecond within a local LAN) map
from an ambiguous disco key to a node key without waiting for a
CallMeMaybe (over relatively high latency DERP).

Updates #3088

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit 75a7779b42)
2021-10-19 12:18:17 -07:00
Denton Gentry 76ad9d7a7a wgengine/magicsock: don't Rebind after STUN error if closed.
https://github.com/tailscale/tailscale/pull/3014 added a
rebind on STUN failure, which means there can now be a
tailscale.com/wgengine/magicsock.(*RebindingUDPConn).ReadFromNetaddr
in progress at the end of the test waiting for a STUN
response which will never arrive.

This causes a test flake due to the resource leak in those
cases where the Conn decided to rebind. For whatever reason,
it mostly flakes with Windows.

If the Conn is closed, don't Rebind after a send error.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
(cherry picked from commit def650b3e8)
2021-10-19 12:18:17 -07:00
Brad Fitzpatrick 46fffa32ed wgengine/magicsock: don't call setAddrToDiscoLocked on DERP ping
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit f55c2bccf5)
2021-10-19 12:18:17 -07:00
Brad Fitzpatrick 3e317852ce wgengine/magicsock: finish some renamings of discoEndpoint to endpoint
Renames only; continuation of earlier 8049063d35

These kept confusing me while working on #3088

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit 569f70abfd)
2021-10-19 12:18:17 -07:00
Brad Fitzpatrick f054e16451 wgengine/magicsock: delete peerMap.endpointForDiscoKey, remove remaining caller
The one remaining caller of peerMap.endpointForDiscoKey was making the
improper assumption that there's exactly 1 node with a given DiscoKey
in the network. That was the cause of #3088.

Now that all the other callers have been updated to not use
endpointForDiscoKey, there's no need to try to keep maintaining that
prone-to-misuse index.

Updates #3088

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit 695df497ba)
2021-10-19 12:18:17 -07:00
Brad Fitzpatrick 0651845a2c wgengine/magicsock: remove endpointForDiscoKey call from handleDiscoMessage
A DiscoKey maps 1:n to endpoints. When we get a disco pong, we don't
necessarily know which endpoint sent it to us. Ask them all. There
will only usually be 1 (and in rare circumstances 2). So it's easier
to ask all two rather than building new maps from the random ping TxID
to its endpoint.

Updates #3088

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit 04fd94acd6)
2021-10-19 12:18:16 -07:00
Brad Fitzpatrick 2d18624a8e wgengine/magicsock: remove endpoint parameter from handlePingLocked
We can reply to a ping without knowing which exact node it's from.  As
long as it's in our netmap, it's safe to reply. If there's more than
one node with that discokey, it doesn't matter who we're relpying to.

Updates #3088

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit 151b4415ca)
2021-10-19 12:18:16 -07:00
Brad Fitzpatrick 07b569fe26 wgengine/magicsock: add new discoInfo type for DiscoKey state, move some fields
As more prep for removing the false assumption that you're able to
map from DiscoKey to a single peer, move the lastPingFrom and lastPingTime
fields from the endpoint type to a new discoInfo type, effectively upgrading
the old sharedDiscoKey map (which only held a *[32]byte nacl precomputed key
as its value) to discoInfo which then includes that naclbox key.

Then start plumbing it into handlePing in prep for removing the need
for handlePing to take an endpoint parameter.

Updates #3088

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit d86081f353)
2021-10-19 12:18:16 -07:00
Brad Fitzpatrick fd85b3274e wgengine/magicsock: move temporary endpoint lookup later, add TODO to remove
Updates #3088

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit e5779f019e)
2021-10-19 12:18:16 -07:00
Brad Fitzpatrick 093ae70293 wgengine/magicsock: remove redundant/wrong sharedDiscoKey delete
The pass just after in this method handles cleaning up sharedDiscoKey.
No need to do it wrong (assuming DiscoKey => 1 node) earlier.

Updates #3088

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit 36a07089ee)
2021-10-19 12:18:16 -07:00
Brad Fitzpatrick e921482548 wgengine/magicsock: pass src NodeKey to handleDiscoMessage for DERP disco msgs
And then use it to avoid another lookup-by-DiscoKey.

Updates #3088

(cherry picked from commit 3e80806804)
2021-10-19 12:18:16 -07:00
Brad Fitzpatrick 7b7ff1f2e4 wgengine/magicsock: start removing endpointForDiscoKey
It's not valid to assume that a discokey is globally unique.

This removes the first two of the four callers.

Updates #3088

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit 82fa15fa3b)
2021-10-19 12:18:16 -07:00
Maisem Ali b99caad1e9 net/dns/resolver: set maxDoHInFlight to 1000 on iOS 15+.
Change-Id: Ibe8ebf22741cece6e77c0f8cfa45c0662d339c41
Signed-off-by: Maisem Ali <maisem@tailscale.com>
(cherry picked from commit 7817ab6b20)
2021-10-19 12:18:00 -07:00
Maisem Ali 56095e9824 wgengine: only use AmbientCaps on DSM7+
Signed-off-by: Maisem Ali <maisem@tailscale.com>
(cherry picked from commit 27799a1a96)
2021-10-18 13:43:07 -04:00
Maisem Ali ffaa572266 hostinfo: add EnvType for Kubernetes
Signed-off-by: Maisem Ali <maisem@tailscale.com>
(cherry picked from commit 2662a1c98c)
2021-10-14 23:03:26 -04:00
Maisem Ali d0c3c14a58 ipn/ipnlocal: use netaddr.IPSetBuilder when constructing list of interface IPPrefixes.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
(cherry picked from commit c6d3f622e9)
2021-10-14 19:24:06 -04:00
Brad Fitzpatrick 5319c57590 net/interfaces: add List, GetList
And start moving funcs to methods on List.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit 4a3e2842d9)
2021-10-14 19:24:00 -04:00
Brad Fitzpatrick 9df2516f96 wgengine/router: ignore Linux ip route error adding dup route
Updates #3060
Updates #391

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit 14f9c75293)
2021-10-14 19:23:52 -04:00
Brad Fitzpatrick 66ad35c04e ipn/ipnlocal: don't try to block localhost traffic when using exit nodes
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit ddf3394b40)
2021-10-14 19:23:46 -04:00
David Crawshaw 766a3a2e59 net/dns/resolver: drop dropping log
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
(cherry picked from commit 77696579f5)
2021-10-14 13:59:42 -07:00
Brad Fitzpatrick 784ce7c97c net/dns/resolver: make hasRDNSBonjourPrefix match shorter queries too
Fixes tailscale/corp#2886
Updates tailscale/corp#2820
Updates #2442

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit 676fb458c3)
2021-10-13 15:50:13 -07:00
Brad Fitzpatrick 6421ee22f6 ipn: fix formatting of ExitNodeIP in MaskedPrefs
%#v on a netaddr.IP showed the netaddr.IP innards.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit 751c42c097)
2021-10-13 14:53:49 -07:00
Maisem Ali d76672b5e5 docker: install ip6tables
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-10-13 14:34:53 -07:00
Maisem Ali 3706255e9f docker: only add tailscale and tailscaled binaries
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-10-13 11:44:21 -07:00
Denton Gentry b0f4f3161f
VERSION.txt: this is v1.16.0
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-10-07 12:48:56 -07:00
Brad Fitzpatrick 297d1b7cb6 net/dns/resolver: don't forward DNS-SD queries
Updates #2442
Fixes tailscale/corp#2820

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-07 12:38:55 -07:00
Brad Fitzpatrick 47044f3af7 net/dns/resolver: fix log prefix
The passed in logf already has a "dns: " prefix so they were
doubled up.
2021-10-07 12:19:41 -07:00
Brad Fitzpatrick 7634af5c6f all: gofmt
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-07 12:18:31 -07:00
Avery Pennarun 0d4a0bf60e magicsock: if STUN failed to send before, rebind before STUNning again.
On iOS (and possibly other platforms), sometimes our UDP socket would
get stuck in a state where it was bound to an invalid interface (or no
interface) after a network reconfiguration. We can detect this by
actually checking the error codes from sending our STUN packets.

If we completely fail to send any STUN packets, we know something is
very broken. So on the next STUN attempt, let's rebind the UDP socket
to try to correct any problems.

This fixes a problem where iOS would sometimes get stuck using DERP
instead of direct connections until the backend was restarted.

Fixes #2994

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2021-10-08 02:17:09 +09:00