672c2c8de8
Incoming disco packets are now dropped unless they match one of the current bound ports, or have a zero port*. The BPF filter passes all packets with a disco header to the raw packet sockets regardless of destination port (in order to avoid needing to reconfigure BPF on rebind). If a BPF enabled node has just rebound, due to restart or rebind, it may receive and reply to disco ping packets destined for ports other than those which are presently bound. If the pong is accepted, the pinging node will now assume that it can send WireGuard traffic to the pinged port - such traffic will not reach the node as it is not destined for a bound port. *The zero port is ignored, if received. This is a speculative defense and would indicate a problem in the receive path, or the BPF filter. This condition is allowed to pass as it may enable traffic to flow, however it will also enable problems with the same symptoms this patch otherwise fixes. Fixes #5536 Signed-off-by: James Tucker <james@tailscale.com> |
||
|---|---|---|
| .bencher | ||
| .github | ||
| atomicfile | ||
| chirp | ||
| client/tailscale | ||
| cmd | ||
| control | ||
| derp | ||
| disco | ||
| docs | ||
| envknob | ||
| health | ||
| hostinfo | ||
| internal/tooldeps | ||
| ipn | ||
| jsondb | ||
| kube | ||
| licenses | ||
| log | ||
| logpolicy | ||
| logtail | ||
| metrics | ||
| net | ||
| packages/deb | ||
| paths | ||
| portlist | ||
| prober | ||
| safesocket | ||
| scripts | ||
| smallzstd | ||
| ssh/tailssh | ||
| syncs | ||
| tailcfg | ||
| tempfork | ||
| tka | ||
| tool | ||
| tsconst | ||
| tsnet | ||
| tstest | ||
| tstime | ||
| tsweb | ||
| types | ||
| util | ||
| version | ||
| wf | ||
| wgengine | ||
| words | ||
| .gitattributes | ||
| .gitignore | ||
| ALPINE.txt | ||
| AUTHORS | ||
| CODE_OF_CONDUCT.md | ||
| Dockerfile | ||
| Dockerfile.base | ||
| LICENSE | ||
| Makefile | ||
| PATENTS | ||
| README.md | ||
| SECURITY.md | ||
| VERSION.txt | ||
| api.md | ||
| build_dist.sh | ||
| build_docker.sh | ||
| go.mod | ||
| go.sum | ||
| go.toolchain.branch | ||
| go.toolchain.rev | ||
| pull-toolchain.sh | ||
| shell.nix | ||
| staticcheck.conf | ||
| version-embed.go | ||
README.md
Tailscale
Private WireGuard® networks made easy
Overview
This repository contains all the open source Tailscale client code and
the tailscaled daemon and tailscale CLI tool. The tailscaled
daemon runs on Linux, Windows and macOS, and to varying degrees on FreeBSD, OpenBSD, and Darwin. (The Tailscale iOS and Android apps use this repo's code, but this repo doesn't contain the mobile GUI code.)
The Android app is at https://github.com/tailscale/tailscale-android
The Synology package is at https://github.com/tailscale/tailscale-synology
Using
We serve packages for a variety of distros at https://pkgs.tailscale.com .
Other clients
The macOS, iOS, and Windows clients use the code in this repository but additionally include small GUI wrappers that are not open source.
Building
go install tailscale.com/cmd/tailscale{,d}
If you're packaging Tailscale for distribution, use build_dist.sh
instead, to burn commit IDs and version info into the binaries:
./build_dist.sh tailscale.com/cmd/tailscale
./build_dist.sh tailscale.com/cmd/tailscaled
If your distro has conventions that preclude the use of
build_dist.sh, please do the equivalent of what it does in your
distro's way, so that bug reports contain useful version information.
We require the latest Go release, currently Go 1.19.
Bugs
Please file any issues about this code or the hosted service on the issue tracker.
Contributing
PRs welcome! But please file bugs. Commit messages should reference bugs.
We require Developer Certificate of
Origin
Signed-off-by lines in commits.
About Us
Tailscale is primarily developed by the people at https://github.com/orgs/tailscale/people. For other contributors, see:
- https://github.com/tailscale/tailscale/graphs/contributors
- https://github.com/tailscale/tailscale-android/graphs/contributors
Legal
WireGuard is a registered trademark of Jason A. Donenfeld.