This repository was archived by the owner on Jul 13, 2025. It is now read-only.

Fork Sync: Update from parent repository #36

Open
github-actions[bot] wants to merge 1636 commits into MultiMx:main from tailscale:main

Conversation

@github-actions


No description provided.

bradfitz and others added 30 commits May 1, 2026 07:53
Stop opening an IPN bus subscription with NotifyInitialNetMap purely to
read the current netmap once. Use the LocalAPI debug current-netmap
action (added in 159cf87) instead, which returns the current netmap
synchronously without subscribing to the bus.

Updates #12542

Change-Id: I8aa2096d65aaea4dfe62634f03ce06b5470e0e51
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
There are only a couple endpoints that check peer capabilities. Keeping
permission checks with the code that assumes they were performed, rather
than with the routing layer, feels easier to reason about.

Check that the caller is actually a peer and pass their capabilities via
a context value for handlers that want to check them.

Along with this, simplify the helper handler wrappers that are not
needed for most of the endpoints.

Updates #40851

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Values get written into TKA state; secrets don't.

Updates #cleanup

Change-Id: Ief9831dcb1102f584a33b2e71b611b38ca463724
Signed-off-by: Alex Chan <alexc@tailscale.com>
also fixes memory leak with authKeyReissuing map on ProxyGroup
reconciler authkey reissue.

Updates #19311

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
Add a node capability to help determine if the desktop clients should
show services list/menu/section

Updates: tailscale/corp#40900

Change-Id: Ie34b3362f921d710173b2a0dd190354352bb26f0

Signed-off-by: Rollie Ma <rollie@tailscale.com>
If another part of the client code registers a custom scheme with the
forwarder, the forwarder will check resolver addresses to see if they
match the scheme. If they do, the corresponding custom scheme handler
will be called to find the actual address for the resolver at this
moment. If the handler returns the empty string then that resolver will
be ignored.

This is useful if you want to dynamically determine where to send
certain DNS requests. It is being added to support new app connector
(conn25) work that would like to make sure it sends DNS requests to the
current connector peer in a high availability configuration.

Updates tailscale/corp#39858

Signed-off-by: Fran Bull <fran@tailscale.com>
…9202)

Installed SplitDNS routes are always treated as wildcard domains,
so the domains that we pass to the local resolver should be normalized
and have any leading *. wildcard prefix removed.

When looking at DNS responses to see if the domain matches, we need to
consider both exact matches and wildcard matches. We now keep separate
maps of exact-match domains and wildcard domains, and when we match we
check to see if there's a match in the exact-match map, otherwise we
check against the wildcard match map until we find a match, removing
a label after each check.

Rather than looking for matching self-hosted domains (domains serviced
by the connector being run on the self-node), the apps that are being
serviced by the connector on the self-node are tracked instead. When
checking to see if a DNS response should be rewritten, it is ignored
if any of the matching apps for the domain are in the self-hosted apps set.

Fixes tailscale/corp#39272

Signed-off-by: George Jones <george@tailscale.com>
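An added example (not tailscale's code; the type, method and app names are assumed) of the two-map matching this commit message describes: exact-match domains in one map, wildcard domains stored without the "*." prefix in another, label-by-label suffix lookup, and the self-hosted-apps exclusion when deciding whether a DNS response should be rewritten:

```go
package main

import (
	"fmt"
	"strings"
)

// domainMatcher keeps exact-match domains and wildcard domains in separate
// maps, each mapping a domain to the apps that serve it, plus the set of apps
// served by the connector on this node. All names here are assumed.
type domainMatcher struct {
	exact    map[string][]string
	wildcard map[string][]string // stored without the leading "*."
	selfApps map[string]bool
}

func newDomainMatcher() *domainMatcher {
	return &domainMatcher{
		exact:    map[string][]string{},
		wildcard: map[string][]string{},
		selfApps: map[string]bool{},
	}
}

// normalize lowercases, drops a trailing dot, and strips a leading "*."
// wildcard prefix, reporting whether one was present.
func normalize(domain string) (name string, wild bool) {
	name = strings.ToLower(strings.TrimSuffix(domain, "."))
	if strings.HasPrefix(name, "*.") {
		return name[2:], true
	}
	return name, false
}

// addDomain registers a domain served by app. An installed split-DNS route
// is always treated as a wildcard, whether or not it was written with "*.".
func (m *domainMatcher) addDomain(domain, app string, installedRoute bool) {
	name, wild := normalize(domain)
	if wild || installedRoute {
		m.wildcard[name] = append(m.wildcard[name], app)
	} else {
		m.exact[name] = append(m.exact[name], app)
	}
}

// matchApps returns the apps serving a name from a DNS response. An exact
// match wins; otherwise the name, and then each suffix obtained by removing
// one leading label at a time, is looked up in the wildcard map.
func (m *domainMatcher) matchApps(name string) []string {
	name, _ = normalize(name)
	if apps, ok := m.exact[name]; ok {
		return apps
	}
	for {
		if apps, ok := m.wildcard[name]; ok {
			return apps
		}
		i := strings.IndexByte(name, '.')
		if i < 0 {
			return nil
		}
		name = name[i+1:]
	}
}

// shouldRewrite reports whether a DNS response for name should be rewritten:
// it must match some app, and none of the matching apps may be served by the
// connector running on this node.
func (m *domainMatcher) shouldRewrite(name string) bool {
	apps := m.matchApps(name)
	if len(apps) == 0 {
		return false
	}
	for _, app := range apps {
		if m.selfApps[app] {
			return false
		}
	}
	return true
}

func main() {
	m := newDomainMatcher()
	m.addDomain("*.corp.example", "connector-a", false) // constructed config
	m.addDomain("api.corp.example", "connector-b", false)
	m.addDomain("Internal.Example.", "connector-c", true) // installed route
	m.selfApps["connector-c"] = true
	for _, q := range []string{"api.corp.example", "db.corp.example", "x.internal.example", "other.example"} {
		fmt.Println(q, m.matchApps(q), m.shouldRewrite(q))
	}
}
```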
Move HOOK_VERSION into the githook package and export it as
githook.HookVersion, so tailscale/corp can reference it via
the shared-code bump instead of having to bump HOOK_VERSION
by hand.

New launcher.sh composes the wanted version from 2 sources:
the shared HOOK_VERSION and an optional repo local version,
misc/git_hook/HOOK_VERSION, for repo-specific config bumps.

Updates tailscale/corp#40381

Change-Id: I7cf16889ba53cb564cc2df7dfd7588748f542c55

Signed-off-by: Fernando Serboncini <fserb@tailscale.com>
Which can be unfair around varying packet sizes.

Updates tailscale/corp#40962

Signed-off-by: Jordan Whited <jordan@tailscale.com>
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
Added in 2022, this appears to be unused now.

Updates #cleanup

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Add a new vet checker that rejects variables, parameters, named
return values, receivers, range/type-switch bindings, type
parameters, struct fields, and constants named "l" (lowercase ell)
or "I" (uppercase i). Both are hard to distinguish from the digit
"1" and from each other in too many fonts.

Rename the two pre-existing struct fields named "l" (both of type
net.Listener) in drive/driveimpl/drive_test.go to "ln", matching the
convention used elsewhere for net.Listener locals.

Rename the test-fixture struct fields "I" (single int label) to
"Int" in metrics/multilabelmap_test.go and util/deephash/deephash_test.go,
preserving the "first letters of types" convention used alongside
neighboring fields like I8/I16/U/U8.

Also teach pkgdoc_test.go to skip testdata/ directories, which
the go tool ignores; they are not real packages.

Fixes #19631

Change-Id: I71ad2fa990705f7a070406ebcdb8cefa7487d849
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
The purpose of this package is to test the iOS dependency closure, but
it had drifted from the actual import list of the ipn-go-bridge package
in the corp repo (the Go side of the iOS / macOS app).

Update the imports to match ipn-go-bridge's GOOS=ios import list,
adding many missing packages including wgengine/netstack,
feature/{taildrop,syspolicy,condregister}, the util/syspolicy/*
subpackages, types/{key,lazy,logid,netmap}, tsd, safesocket,
util/{eventbus,must,set}, and several net/* and ipn/* packages.

Drop two now-stale BadDeps entries (for now!): database/sql/driver and
github.com/google/uuid are reached via wgengine/netstack ->
github.com/prometheus-community/pro-bing, which netstack imports on
darwin || ios for ICMP user-ping, so the iOS app already ships them.
But we should fix that later.

Updates #19633

Change-Id: Ic50779fdb195685a2e8ccd7c513eee91b0feeaf8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
… instead

Fixes #19633
Fixes #13760

Change-Id: I0fa9423523a3a0fb1dfcde57de0f26e51723ff97
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This was originally hidden during the beta period in both `up` and `set`,
then when device posture went GA we unhid the flag in `set` but not in
`up`.

This is confusing for users, because an error message can direct them to
run `tailscale up` with this flag if they've set it previously, but the
help text won't tell them what it does.

Updates #5902
Updates #17972

Change-Id: I9a31946f4b3bb411feed0f5a6449d7ff9a5ba9d3
Signed-off-by: Alex Chan <alexc@tailscale.com>
…9627)

When an exit node was set before launching systray, the recommended row
in exit nodes rendered as not selected even when the active exit node
was at the same location.

This looks to be two different things:

- suggestExitNode takes its own suggestion into account, and not the
  user's active exit node. When a Mullvad city is reached via the picker
  rather than the recommended row, the suggester's pick and
  prefs.ExitNodeID end up as distinct peers in the same city, resulting
  in an ID-only equality check missing the match.
- Toggle state was constructed and mutated via .Check(), which for newly
  created elements may be cached (such as when launching systray, with
  an already active node).

Fixes #19626

Signed-off-by: Evan Lowry <evan@tailscale.com>
Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
The test goroutine read lockCnt immediately after Lock returned, racing
with Close: close(lk.closing) wakes lockSlow's select, whose deferred
Add(-2) on lockCnt can run before Close's CAS clears the LSB. When that
happens, lockCnt is briefly 1 (3 - 2) instead of 0 (1 + 2 - 2 - 1),
producing "lockCnt: got 1; want 0".

Move the lockCnt assertion into the main test goroutine, after both
Close has returned and the Lock goroutine has finished, so both updates
have settled before we read.

Fixes #19647

Change-Id: Ia67036ff73a1beb528cbd621460db9048f3066ad
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Android rebuilds its VpnService interface when the VPN route
configuration changes, which tears down long lived TCP connections
through the tunnel. Use the same automatic OneCGNATRoute behavior as
macOS on Android, and prefer the single CGNAT route when no other
interface is using the CGNAT, falling back to fine grained peer routes
otherwise.

Updates #19591

Signed-off-by: kari <kari@tailscale.com>
Include the unit (s) when printing the time taken to test each package.

Updates #cleanup

Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Commit 69c79cb (Sep 2025) moved awsstore and kubestore registration
behind condregister build tags so tsnet wouldn't pull in the AWS SDK
and Kubernetes client by default. The accompanying TestDeps BadDeps
entry was missed, so PR #19667 (which re-added those imports) wasn't
caught by the test.

Add the two packages to BadDeps so future regressions fail the test.

Updates #19667
Updates #12614

Change-Id: I903b7c976e5e122cc0c0b956dc73740f5d474fac
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Per recent chat with @raggi about all this, I went and looked at this
test again.

Updates #cleanup

Change-Id: Icb7d87b1ed2cebf481ee4e358a3aa603e63fb8a4
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
When HTTPS is explicitly disabled (HTTPSPort == NoPort), the JS WebSocket
dialer should use ws:// instead of wss://. This matches the behavior of
the non-JS client and fixes connections to development control servers
e.g. http://localhost:31544.

Updates tailscale/corp#40944

Signed-off-by: Adriano Sela Aviles <adriano@tailscale.com>
The tailscale.com/wif package brings in the AWS SDK
(github.com/aws/aws-sdk-go-v2/{config,sts,...} and github.com/aws/smithy-go)
to support fetching ID tokens from AWS IMDS for workload identity
federation. Until now, tsnet pulled this in unconditionally via
feature/condregister/identityfederation, costing ~70 unwanted deps for
every tsnet program whether or not it uses workload identity federation.

These AWS SDK deps were originally removed from tsnet on 2025-09-29 by
commit 69c79cb ("ipn/store, feature/condregister: move AWS + Kube
store registration to condregister"). They were then accidentally added
back on 2026-01-14 by commit 6a6aa80 ("cmd,feature: add identity
token auto generation for workload identity", PR #18373) when the new
wif package was wired into tsnet via feature/identityfederation.

Drop the blanket import. tsnet programs that want workload identity
federation now opt in with:

    import _ "tailscale.com/feature/identityfederation"

The hook lookup in resolveAuthKey already uses GetOk and degrades
gracefully when the feature isn't linked, so existing programs that
don't use workload identity federation see no behavior change. The
tailscale CLI still imports the condregister wrapper directly, so its
behavior is also unchanged.

Lock this in with TestDeps additions: tailscale.com/wif as a BadDep,
plus substring checks in OnDep that fail on any github.com/aws/ or
k8s.io/ dependency creeping back in.

Also, switch cmd/gitops-pusher from the condregister wrapper to a
direct import of feature/identityfederation: gitops-pusher's auth flow
calls HookExchangeJWTForTokenViaWIF directly, so it shouldn't be
subject to the ts_omit_identityfederation build tag.

Updates #12614

Change-Id: I70599f2bdd4d3666b26a859d5b76caa5d6b94507
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
…helper

The (*SubscriberFunc[T]).dispatch method body — a ~40-line select
loop with slow-subscriber timer, snapshot handling, ctx-cancel
draining, and a CI stack-dump branch — was previously fully
duplicated by the Go compiler for every distinct GC shape of T.
None of that body actually depends on T except for the type
assertion and the user callback invocation.

This change moves the loop body into a non-generic dispatchFunc()
helper, leaving (*SubscriberFunc[T]).dispatch as a tiny wrapper
that:

  - performs the vals.Peek().Event.(T) type assertion
  - spawns the callback goroutine via `go runFuncCallback(s.read,
    t, callDone)` — a regular generic function call, not a closure,
    so that `go` binds the args to the goroutine's frame instead of
    allocating a closure on the heap. This preserves the
    zero-extra-allocation behavior of the original
    (*SubscriberFunc[T]).runCallback method.
  - resolves T's name via reflect.TypeFor[T]().String() (cached on
    the stack rather than recomputed on each %T formatting)
  - calls dispatchFunc with the callDone channel

The %T formatting in the original logf calls is replaced with %s
on the resolved name string, removing per-T fmt instantiations.

A new BenchmarkBasicFuncThroughput is added alongside the existing
BenchmarkBasicThroughput so per-event allocation behavior on the
SubscribeFunc dispatch path is covered by the benchmark suite.

Measured impact (util/eventbus/sizetest):

  SubscriberFunc per-flow attribution:
    linux/amd64:  912.5 B/flow -> 840.8 B/flow  (-71.7 B/flow)
    linux/arm64:  917.5 B/flow -> 849.9 B/flow  (-67.6 B/flow)

The total per-flow size delta on amd64 dropped from 3,096.6 B to
3,039.2 B (-57 B/flow). The arm64 total stayed at 3,145.7 B
because the linker's page-aligned section sizing absorbed the
improvement on this binary; the symcost-attributed per-receiver
number is the real signal.

Behavior is unchanged: BenchmarkBasicThroughput stays at 0
allocs/op and BenchmarkBasicFuncThroughput holds at the same 2
allocs/op, 144 B/op as the prior eventbus implementation. All
eventbus tests pass.

Updates #12614

Change-Id: I85f933f50f58cd25bbfe5cc46bdda7aab22f0bf7
Signed-off-by: James Tucker <james@tailscale.com>
Updates #cleanup

Signed-off-by: Erisa A <erisa@tailscale.com>
Running all vmtests in tstest/natlab/vmtest locally was breaking later
tasks in the queue. The goroutine dump on timeout had goroutines hanging
around for 9 minutes, meaning that something was not getting cleaned up.

  goroutine 262 [select, 9 minutes]:
  gvisor.dev/gvisor/pkg/tcpip/adapters/gonet.commonRead({...})

Add a timeout of Now() to gonet TCP connections when the test ends
(inspired by ServeUnixConn()), and wait for them to shut down before
exiting the test.

Updates #13038

Signed-off-by: Claus Lensbøl <claus@tailscale.com>
Re-exec the test binary as a thin wrapper that holds a pipe inherited
from the test. When the test goes away (any reason, including SIGKILL,
panic, or OOM), the kernel closes the pipe write end; the wrapper sees
EOF and SIGKILLs itself, taking QEMU and its children with it.

Updates #13038

Change-Id: Ib2151098193551396c1d7bb51b07da3bd6b2cfb4

Signed-off-by: Fernando Serboncini <fserb@tailscale.com>
The `CreateStateForTest` helper reduces boilerplate in cases where the test
only cares about the trusted keys and not the disablement values (and makes
it more obvious where the disablement values are meaningful).

The `setupChonkStorage` helper reduces the boilerplate when creating on-disk
TKA storage in tests.

The `fakeLocalBackend` helper reduces the boilerplate when setting up a
`LocalBackend` instance in the IPN tests.

Updates #cleanup

Change-Id: Iacfba1be5f7fab208eec11e4369d63c7d7519da5
Signed-off-by: Alex Chan <alexc@tailscale.com>
creachadair and others added 30 commits June 12, 2026 09:05
…20117)

Since deltas are only (at present) received from the control plane, processing
a delta signifies we are no longer operating on a netmap fully loaded from
cache, even if most of the netmap is still in the same configuration.

Updates #12542

Change-Id: I84132c4bf2dde6e5c1c57144645edb986b051dca
Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
Add an UpdatePeers method to the cache. This allows us to support netmap peer deltas,
by allowing just the peers to be updated in an existing cache. As a safety check, reject
an update if there was no base netmap data to apply a change to.

Then, when processing peer mutations in the backend, capture any changes that should
be applied to the cache and update it, if one is enabled.

Updates #12542

Change-Id: I2f8790a8fdc5e85fce6700ba4821a8cb10dddffa
Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
Package features/conn25 wires up the hooks directly on the tun wrapper
without needing to go through the userspace engine, so this codepath is
unused and not needed.

Updates #cleanup

Signed-off-by: Michael Ben-Ami <mzb@tailscale.com>
#20118)

Bumps wireguard-go pin to include the roaming endpoints fix, and
two internal enhancements.

Pulls stock wireguard-go for non-tailscale simulation in tests,
to use its endpoint discovery mechanism.

Updates #20082

Change-Id: I2ff282cb7fe4ab099ce5e780a1d40ae86a6a6964
Signed-off-by: Alex Valiushko <alexvaliushko@tailscale.com>
…nfig (#20056)

tailscale serve set-config now also accepts the legacy raw ipn.ServeConfig
format (as emitted by `tailscale serve status --json` and consumed via
TS_SERVE_CONFIG, which has no "version" field), so the common
serve-status-edit-set workflow stops failing. Only the services-oriented
content is applied; any node-level fields are skipped with a warning to
stderr pointing users at get-config to migrate.

Fixes tailscale/corp#39793

Signed-off-by: Brendan Creane <bcreane@gmail.com>
…ner paths (#20123)

Add a workflow that requests review from @tailscale/k8s-devs on PRs
touching Kubernetes operator, kube libraries, container build, etc.

Also cleans up check out code on k8s and dataplane workflow.

Updates #cleanup

Change-Id: I6fd7cacf71e1299f7e8f546ef52c4063fbf6bab8

Signed-off-by: Fernando Serboncini <fserb@tailscale.com>
`go run` builds a manifest-less .exe, so Windows applies installer-
detection heuristics and requests admin privileges to programs that
contain "install", "setup", or "update". Rename to dodge that.

Updates #20133

Change-Id: I144d3fcb076d7a02e4a3eb9fd079ee022a035c76

Signed-off-by: Fernando Serboncini <fserb@tailscale.com>
Added in #20111, but it is too noisy under real load to be useful.

Updates #12542

Change-Id: Ib99a8966ade0bfa4281fccc057249819cdcdfe83
Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
decode6 didn't parse the IPv6 Fragment extension header (Next Header 44),
so any source-fragmented IPv6 packet was classified as an unknown protocol
and matched no ACL rule. The filter then silently dropped it and counted it
as an "acl" drop, even on allow-all tailnets, blackholing large UDP (DNS,
WebRTC, etc.) over a tailnet's IPv6 addresses. IPv4 fragments were already
handled by decode4.

Parse the fragment header the same way: read the first fragment's transport
ports so the filter matches it like an unfragmented packet, pass later
fragments through as ipproto.Fragment, and reject overlapping-fragment
offsets (RFC 1858) and first fragments too short to hold the transport
header as unknown.

Fixes #20083

Signed-off-by: Steve Avery <hello@stevenavery.com>
…ew/removed peers

The earlier aa5da2e made peer adds and removes through a netmap
delta path that mutates only nodeBackend, on the assumption that
PeerForIP, lookupPeerByIP, the engine's wireguard config
(e.lastCfgFull), the engine BART, wgdev's PeerLookupFunc closure, and
the engine's cached netmap (e.netMap) would all stay correct without
further updates.  They don't. I'd totally forgotten that
Engine.PeerForIP has its own alternate IP-to-peer lookup codepath.

Concretely, all of these failed for a peer that arrived via
[tailcfg.MapResponse.PeersChanged] (and never via a full
[tailcfg.MapResponse.Peers] list):

  - [wgengine.Engine.PeerForIP] read from e.netMap and e.lastCfgFull
    (neither updated on the delta path) and so missed the new
    peer. The rando non-data-plane callers (Ping, TSMP, pendopen,
    debug endpoints, tsdial.Dialer.UseNetstackForIP for tsnet and
    onlyNetstack tailscaled) all returned "no matching peer".

  - The engine BART (built from e.lastCfgFull) missed the new peer's
    subnet routes / exit-node default routes.

  - wgdev's [device.PeerLookupFunc] closure (rebuilt only inside
    wgcfg.ReconfigDevice) didn't have the new peer's noise key, so
    outbound encryption to the new peer dropped the packet even when
    SetPeerByIPPacketFunc returned the right NodePublic.

  - And nothing in the delta path triggered NodeMutationRemove to
    flow through to authReconfig either, so the same stale state
    pointed at removed peers indefinitely.

So just (functionally) revert it for now, to have something easily
cherry-pickable to the 1.100 release branch. Proper fixes can come later
for the next release.

This also adds three new tests:

  - TestPingPeerLearnedViaDelta runs disco and TSMP subtests over a
    delta-added peer with only self addresses. disco exercises the
    cold PeerForIP path (magicsock); TSMP exercises the full data path
    through wgdev encryption. Both fail without this fix.

  - TestPingSubnetRouteOfDeltaPeer exercises a subnet-router peer
    arriving via delta. With s1 in --accept-routes mode, an IP
    inside the advertised CIDR must resolve to s2 and a TSMP ping
    must round-trip. Hits the BART + lastCfgFull + wgdev staleness
    in one go.

  - TestPingSelfReturnsIsLocalIP is a regression guard for the
    IsSelf early-out in Engine.Ping. Passes on main today; included
    here so future refactors of PeerForIP can't regress self
    handling without test breakage.

Updates tailscale/corp#43394

Change-Id: I7a049271359bd73e7147ae9e2554e85614c2b8d2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates #19989
Updates tailscale/corp#42874

Change-Id: I843ed95bc7b0f5cd38ba1467332c6b022901e254
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
)

ipnlocal.LocalBackend.populatePeerStatusLocked assumed that Hostinfo
was always valid, but that’s not always true, especially in tests.
ipnlocal.peerAPIPorts suffered from a similar assumption.

This patch checks for NodeView.Valid and Hostinfo.Valid, assuming the
zero value as a safe default.

Updates #8948
Updates #12542

Signed-off-by: Simon Law <sfllaw@tailscale.com>
Add UploadLogs, a stateless alternative to NewLogger for callers that
want to push a batch of log entries without the background uploader,
ring buffer, stderr echoing, or network-up gating that a Logger
provides. Entries are encoded, batched up to the server's maximum
upload size, and POSTed synchronously; unlike Logger it does not retry.

The Logger construction is split into a new unexported newLogger so the
connection/encode/upload machinery is shared without starting the
background goroutine.

Log entries are modeled as a generic LogEntry[T] whose Value is inlined
(via go-json-experiment) alongside the reserved "logtail" metadata
member. T may be a struct (or pointer), a map with a string key, or a
jsontext.Value; use jsontext.Value to mix differently-shaped payloads in
a single upload. UploadLogs fills in client_time/proc_id/proc_seq from
the Config where the caller leaves them zero.

Updates tailscale/corp#40908

Change-Id: Idbf23cd0eb8233082fbdb9abed0f6f153b9225ba

Signed-off-by: James Scott <jim@tailscale.com>
util/def: add def.Bool and def.Duration default parse helpers

Replace multiple instances of def.Bool and def.Duration with a new util/def
package.

Updates #20018

Co-authored-by: Bobby <boby@codelabs.co.id>
Co-authored-by: Simon Law <sfllaw@tailscale.com>
Signed-off-by: Bobby <boby@codelabs.co.id>
Signed-off-by: Simon Law <sfllaw@tailscale.com>
…eader

Follow-up cleanups to the IPv6 fragment extension header support added in
the previous commit:

- Document that minFragBlks is sized for IPv4 but intentionally reused by
  decode6 for IPv6 fragments, where it is conservative (IPv6 fragments
  carry no per-fragment IP header) and only ever rejects more later
  fragments as Unknown, never fewer.

- Add a TestDecode case for a first fragment reachable only through a
  chained extension header (base Next Header = Hop-by-Hop Options, which
  chains to Fragment). decode6 only parses the Fragment header when it is
  the base header's immediate Next Header, so this must classify as
  Unknown. The test locks in that scoping decision.

Updates #20083
Updates #20140

Change-Id: Ibece03c6baf2385b0cc399f179819b08cbe921cc
Signed-off-by: James Tucker <james@tailscale.com>
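An added illustration of the approach the two IPv6-fragment commit messages above describe (this is not tailscale's decode6; the Proto/Packet names, the minFragBlks value and the packet-building helpers are assumed): the Fragment header is parsed only when it is the base header's immediate Next Header, a first fragment must carry the whole transport header to be matched like an unfragmented packet, later fragments pass through as a fragment class, and offsets below the threshold are rejected as Unknown.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Proto is the classification the filter would match ACL rules against.
type Proto int

const (
	ProtoUnknown  Proto = iota // matches no rule, so the filter drops it
	ProtoTCP
	ProtoUDP
	ProtoFragment // non-first fragment: carries no transport header
)

// Packet is what the classifier learned about one IPv6 packet.
type Packet struct {
	Proto            Proto
	SrcPort, DstPort uint16
	FragID           uint32 // set when a Fragment header was present
}

// RFC 8200 sizes and Next Header values. minFragBlks (an assumed value) is the
// smallest 8-byte-block offset a later fragment may have (RFC 1858 tiny fragments).
const (
	ipv6HdrLen, fragHdrLen        = 40, 8
	nhTCP, nhUDP, nhFragment byte = 6, 17, 44
	minFragBlks                   = 2
)

// decodeIPv6 classifies b. The Fragment header is parsed only when it is the
// base header's immediate Next Header; a chain such as Hop-by-Hop (0) ->
// Fragment deliberately classifies as Unknown.
func decodeIPv6(b []byte) Packet {
	if len(b) < ipv6HdrLen || b[6] == nhFragment && len(b) < ipv6HdrLen+fragHdrLen {
		return Packet{} // truncated base header or Fragment header
	}
	nh, payload := b[6], b[ipv6HdrLen:]
	if nh != nhFragment {
		return decodeTransport(nh, payload, Packet{})
	}
	p := Packet{FragID: binary.BigEndian.Uint32(payload[4:8])}
	switch offset := binary.BigEndian.Uint16(payload[2:4]) >> 3; { // 13-bit offset
	case offset == 0: // first fragment: must hold the whole transport header
		return decodeTransport(payload[0], payload[fragHdrLen:], p)
	case offset < minFragBlks: // overlapping/tiny fragment (RFC 1858)
		return Packet{}
	}
	p.Proto = ProtoFragment
	return p
}

// decodeTransport reads the ports from a TCP or UDP header at the start of b.
func decodeTransport(nh byte, b []byte, p Packet) Packet {
	switch {
	case nh == nhTCP && len(b) >= 20: // minimum TCP header present
		p.Proto = ProtoTCP
	case nh == nhUDP && len(b) >= 8: // UDP header present
		p.Proto = ProtoUDP
	default:
		return Packet{} // unsupported protocol or truncated header: Unknown
	}
	p.SrcPort = binary.BigEndian.Uint16(b[0:2])
	p.DstPort = binary.BigEndian.Uint16(b[2:4])
	return p
}

// ipv6Packet builds a constructed IPv6 packet; addresses stay zero because
// the classifier ignores them.
func ipv6Packet(nh byte, payload []byte) []byte {
	b := make([]byte, ipv6HdrLen, ipv6HdrLen+len(payload))
	binary.BigEndian.PutUint16(b[4:6], uint16(len(payload)))
	b[6] = nh // next header
	return append(b, payload...)
}

// fragment builds a Fragment extension header followed by body.
func fragment(nh byte, offsetBlks uint16, more bool, id uint32, body []byte) []byte {
	h := []byte{nh, 0, 0, 0, 0, 0, 0, 0}
	flags := offsetBlks << 3 // offset in 8-byte blocks; low bit is the M flag
	if more {
		flags |= 1
	}
	binary.BigEndian.PutUint16(h[2:4], flags)
	binary.BigEndian.PutUint32(h[4:8], id)
	return append(h, body...)
}

func main() {
	udp := []byte{0x10, 0x92, 0, 53, 0, 0, 0, 0} // constructed UDP header, 4242 -> 53
	fmt.Printf("%+v\n", decodeIPv6(ipv6Packet(nhFragment, fragment(nhUDP, 0, true, 7, udp))))
}
```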
Updates #cleanup

Signed-off-by: Simon Law <sfllaw@tailscale.com>
)

Add support for the still pending encoding.ScalarMarshaler and
encoding.ScalarUnmarshaler interfaces, approved in golang/go#56235.

This patch deprecates geo.Point.MarshalUint64 in favour of
geo.Point.MarshalScalar and also adds an inline directive for go fix.
The same applies for the UnmarshalUint64 and UnmarshalScalar methods.

Updates #16583

Signed-off-by: Simon Law <sfllaw@tailscale.com>
Mappings from transit IPs to real IPs are stored ephemerally in the
connector, so they're lost on restart. When we send a packet to the
connector with a transit IP it does not recognize, it sends us a TSMP
message saying so (see #19883). If we (the client) know of such a
mapping, we now re-send it to the connector so that a connection can
proceed.

Fixes tailscale/corp#34256.

Signed-off-by: Naman Sood <mail@nsood.in>
…0151)

In PR #17809, @bradfitz tried to fix tsnet_test.TestConn by making the
second tailscaled start after the first was fully set up. On slow
runners, the Ping for connectivity to the second server would race
against that server establishing a connection with its DERP home. If
the Ping arrived too soon, the DERP server would respond with
PeerGoneNotHome and the Ping would wait for its full timeout before
failing the test.

This patch introduces waitForHomeDERPConnected and makes startServer
block until the server’s home DERP has established its connection.

This patch also reduces the Ping timeout to 10 seconds for the tsnet
tests, which should be enough that a hung Ping is fast enough for
interactive debugging, but with enough headroom for a RekeyTimeout.

Fixes #12766

Signed-off-by: Simon Law <sfllaw@tailscale.com>
The Logger previously took a *netmap.NetworkMap at Startup and on every
ReconfigNetworkMap call, denormalizing it into per-IP and self lookup
maps. That denormalization is O(n) over all peers and ran on every
netmap update, contributing to the broader quadratic behavior we want
to eliminate when a single peer is added or removed.

Instead, this makes netlog ask LocalBackend (well, nodeBackend) for
the info it needs, letting us remove the netmap.NetworkMap type
entirely from the netlog package.

This is a dependency to removing the netmap.NetworkMap type from
upstream callers, like wgengine.Engine in general.

Updates #12542

Change-Id: Ib5f2de96e788a667332c0a6f7ac833b3d0053b5c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
… netmap caching is disabled

Updates #20081

Signed-off-by: Jordan Whited <jordan@tailscale.com>
This patch adds:

- Set.All which returns an iter.Seq to complement Set.Slice.

- Set.AddSeq which adds an iter.Seq.

- Set.DeleteSeq which deletes an iter.Seq to complement Set.AddSeq
  and provide the missing method for deleting multiple elements.

- Set.DeleteSlice and Set.DeleteSet to complement AddSlice and AddSet.

Updates #cleanup

Signed-off-by: Simon Law <sfllaw@tailscale.com>
…ss (#19983)

Add support for configuring egress to destinations reachable via 4via6
subnet routes, using either the synthesized 4via6 address or the MagicDNS
name (in the form <IPv4-with-hyphens>-via-<siteID>[.*]).

Also update the Connector to validate and advertise 4via6 subnet routes.

Export net/netutil.ValidateViaPrefix so it can be reused by the Connector
validation logic.

This change only affects standalone egress proxies — ProxyGroup egress
requires IPv6 support before it can use 4via6.

Updates #19334

Change-Id: I6faecd6eb61ab55fc0cd97fe417af6b6a12fe7fc

Signed-off-by: Becky Pauley <becky@tailscale.com>
Updates #cleanup

Change-Id: Ic1f430cd5dbf6cc1a385c59074a5d5cabe6fca57
Signed-off-by: Alex Chan <alexc@tailscale.com>
This patch adds support for the fmt.Stringer interface to the
ipn.NotifyWatchOpt enum. This is useful when debugging these bitmasks.

For example:

	fmt.Printf("%s", ipn.NotifyPeerChanges | ipn.NotifyNoNetMap)
	// Output: (ipn.NotifyPeerChanges | ipn.NotifyNoNetMap)

Fixes #20066

Signed-off-by: Simon Law <sfllaw@tailscale.com>
…relay

Updates #20156

Signed-off-by: Jordan Whited <jordan@tailscale.com>
…0167)

In direct mode we write resolv.conf via a temp file and rename(2), which
preserves the source's generic etc_t label instead of net_conf_t, causing
AVC denials when NetworkManager later manages the file. Run restorecon
after the rename (Linux, SELinux-enforcing, best effort) to restore the
policy-default label.

Fixes #20149

Signed-off-by: Brendan Creane <bcreane@gmail.com>
If we don't close the connection between SSH server and recorder
explicitly once it's idle after the upload stream is closed, the
connection stays open and holds on to a port on the server. This
leads to port exhaustion on the server in the medium to long run.

To avoid this, close the idle connections explicitly. As an extra
step of precaution, set an idleConnTimeout of 30 seconds on both
the HTTP1 and HTTP2 recorder clients.

Updates tailscale/corp#43742

Signed-off-by: Gesa Stupperich <gesa@tailscale.com>
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
Add HTTPBandwidth/HTTPBandwidthWithDialAddr probe classes that download a
fixed number of bytes and record transfer time and bytes transferred as
Prometheus counters for bandwidth measurement, plus HTTPWithDialAddr and
the shared NewProbeTransport and HTTPBandwidthMetrics helpers.

The dial-address override lets a probe target a specific backend (e.g. a
single Funnel ingress node) while SNI, the Host header, and TLS cert
validation continue to derive from the URL host. HTTPBandwidthMetrics is
exported so other bandwidth probes (e.g. a receiver-reported upload probe)
emit an identical metric set and compare under a shared direction label.

Updates tailscale/corp#41587

Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>