tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	b560386c1a	net/packet, wgengine, tstun: add inter-node TSMP protocol for connect errors This adds a new IP Protocol type, TSMP on protocol number 99 for sending inter-tailscale messages over WireGuard, currently just for why a peer rejects TCP SYNs (ACL rejection, shields up, and in the future: nothing listening, something listening on that port but wrong interface, etc) Updates #1094 Updates tailscale/corp#1185 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 years ago
Brad Fitzpatrick	5eeaea9ef9	net/packet: add TCPFlag type and some more constants Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 years ago
David Anderson	cb96b14bf4	net/packet: remove the custom IP4/IP6 types in favor of netaddr.IP. Upstream netaddr has a change that makes it alloc-free, so it's safe to use in hot codepaths. This gets rid of one of the many IP types in our codebase. Performance is currently worse across the board. This is likely due in part to netaddr.IP being a larger value type (4b -> 24b for IPv4, 16b -> 24b for IPv6), and in other part due to missing low-hanging fruit optimizations in netaddr. However, the regression is less bad than it looks at first glance, because we'd micro-optimized packet.IP* in the past few weeks. This change drops us back to roughly where we were at the 1.2 release, but with the benefit of a significant code and architectural simplification. name old time/op new time/op delta pkg:tailscale.com/net/packet goos:linux goarch:amd64 Decode/tcp4-8 12.2ns ± 5% 29.7ns ± 2% +142.32% (p=0.008 n=5+5) Decode/tcp6-8 12.6ns ± 3% 65.1ns ± 2% +418.47% (p=0.008 n=5+5) Decode/udp4-8 11.8ns ± 3% 30.5ns ± 2% +157.94% (p=0.008 n=5+5) Decode/udp6-8 27.1ns ± 1% 65.7ns ± 2% +142.36% (p=0.016 n=4+5) Decode/icmp4-8 24.6ns ± 2% 30.5ns ± 2% +23.65% (p=0.016 n=4+5) Decode/icmp6-8 22.9ns ±51% 65.5ns ± 2% +186.19% (p=0.008 n=5+5) Decode/igmp-8 18.1ns ±44% 30.2ns ± 1% +66.89% (p=0.008 n=5+5) Decode/unknown-8 20.8ns ± 1% 10.6ns ± 9% -49.11% (p=0.016 n=4+5) pkg:tailscale.com/wgengine/filter goos:linux goarch:amd64 Filter/icmp4-8 30.5ns ± 1% 77.9ns ± 3% +155.01% (p=0.008 n=5+5) Filter/tcp4_syn_in-8 43.7ns ± 3% 123.0ns ± 3% +181.72% (p=0.008 n=5+5) Filter/tcp4_syn_out-8 24.5ns ± 2% 45.7ns ± 6% +86.22% (p=0.008 n=5+5) Filter/udp4_in-8 64.8ns ± 1% 210.0ns ± 2% +223.87% (p=0.008 n=5+5) Filter/udp4_out-8 119ns ± 0% 278ns ± 0% +133.78% (p=0.016 n=4+5) Filter/icmp6-8 40.3ns ± 2% 204.4ns ± 4% +407.70% (p=0.008 n=5+5) Filter/tcp6_syn_in-8 35.3ns ± 3% 199.2ns ± 2% +464.95% (p=0.008 n=5+5) Filter/tcp6_syn_out-8 32.8ns ± 2% 81.0ns ± 2% +147.10% (p=0.008 n=5+5) Filter/udp6_in-8 106ns ± 2% 290ns ± 2% +174.48% (p=0.008 n=5+5) Filter/udp6_out-8 184ns ± 2% 314ns ± 3% +70.43% (p=0.016 n=4+5) pkg:tailscale.com/wgengine/tstun goos:linux goarch:amd64 Write-8 9.02ns ± 3% 8.92ns ± 1% ~ (p=0.421 n=5+5) name old alloc/op new alloc/op delta pkg:tailscale.com/net/packet goos:linux goarch:amd64 Decode/tcp4-8 0.00B 0.00B ~ (all equal) Decode/tcp6-8 0.00B 0.00B ~ (all equal) Decode/udp4-8 0.00B 0.00B ~ (all equal) Decode/udp6-8 0.00B 0.00B ~ (all equal) Decode/icmp4-8 0.00B 0.00B ~ (all equal) Decode/icmp6-8 0.00B 0.00B ~ (all equal) Decode/igmp-8 0.00B 0.00B ~ (all equal) Decode/unknown-8 0.00B 0.00B ~ (all equal) pkg:tailscale.com/wgengine/filter goos:linux goarch:amd64 Filter/icmp4-8 0.00B 0.00B ~ (all equal) Filter/tcp4_syn_in-8 0.00B 0.00B ~ (all equal) Filter/tcp4_syn_out-8 0.00B 0.00B ~ (all equal) Filter/udp4_in-8 0.00B 0.00B ~ (all equal) Filter/udp4_out-8 16.0B ± 0% 64.0B ± 0% +300.00% (p=0.008 n=5+5) Filter/icmp6-8 0.00B 0.00B ~ (all equal) Filter/tcp6_syn_in-8 0.00B 0.00B ~ (all equal) Filter/tcp6_syn_out-8 0.00B 0.00B ~ (all equal) Filter/udp6_in-8 0.00B 0.00B ~ (all equal) Filter/udp6_out-8 48.0B ± 0% 64.0B ± 0% +33.33% (p=0.008 n=5+5) name old allocs/op new allocs/op delta pkg:tailscale.com/net/packet goos:linux goarch:amd64 Decode/tcp4-8 0.00 0.00 ~ (all equal) Decode/tcp6-8 0.00 0.00 ~ (all equal) Decode/udp4-8 0.00 0.00 ~ (all equal) Decode/udp6-8 0.00 0.00 ~ (all equal) Decode/icmp4-8 0.00 0.00 ~ (all equal) Decode/icmp6-8 0.00 0.00 ~ (all equal) Decode/igmp-8 0.00 0.00 ~ (all equal) Decode/unknown-8 0.00 0.00 ~ (all equal) pkg:tailscale.com/wgengine/filter goos:linux goarch:amd64 Filter/icmp4-8 0.00 0.00 ~ (all equal) Filter/tcp4_syn_in-8 0.00 0.00 ~ (all equal) Filter/tcp4_syn_out-8 0.00 0.00 ~ (all equal) Filter/udp4_in-8 0.00 0.00 ~ (all equal) Filter/udp4_out-8 1.00 ± 0% 1.00 ± 0% ~ (all equal) Filter/icmp6-8 0.00 0.00 ~ (all equal) Filter/tcp6_syn_in-8 0.00 0.00 ~ (all equal) Filter/tcp6_syn_out-8 0.00 0.00 ~ (all equal) Filter/udp6_in-8 0.00 0.00 ~ (all equal) Filter/udp6_out-8 1.00 ± 0% 1.00 ± 0% ~ (all equal) Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
Josh Bleecher Snyder	b0526e8284	net/packet: remove unnecessary mark There's no need to mask out the bottom four bits of b[0] if we are about to shift them away.	6 years ago
Josh Bleecher Snyder	efad55cf86	net/packet: speed up packet decoding The compiler is failing to draw the connection between slice cap and slice len, so is missing some obvious BCE opportunities. Give it a hint by making the cap equal to the length. The generated code is smaller and cleaner, and a bit faster. name old time/op new time/op delta Decode/tcp4-8 12.2ns ± 1% 11.6ns ± 3% -5.31% (p=0.000 n=28+29) Decode/tcp6-8 12.5ns ± 2% 11.9ns ± 2% -4.84% (p=0.000 n=30+30) Decode/udp4-8 11.5ns ± 1% 11.1ns ± 1% -3.11% (p=0.000 n=25+24) Decode/udp6-8 11.8ns ± 3% 11.4ns ± 1% -3.08% (p=0.000 n=30+26) Decode/icmp4-8 11.0ns ± 3% 10.6ns ± 1% -3.38% (p=0.000 n=25+30) Decode/icmp6-8 11.4ns ± 1% 11.1ns ± 2% -2.29% (p=0.000 n=27+30) Decode/igmp-8 10.3ns ± 0% 10.0ns ± 1% -3.26% (p=0.000 n=19+23) Decode/unknown-8 8.68ns ± 1% 8.38ns ± 1% -3.55% (p=0.000 n=28+29)	6 years ago
David Anderson	2d604b3791	net/packet: represent IP6 as two uint64s. For the operations we perform on these types (mostly net6.Contains), this encoding is much faster. Part of #19. name old time/op new time/op delta Filter/icmp4-8 27.5ns ± 1% 28.0ns ± 2% +1.89% (p=0.016 n=5+5) Filter/tcp4_syn_in-8 38.8ns ± 2% 38.3ns ± 1% -1.24% (p=0.024 n=5+5) Filter/tcp4_syn_out-8 27.6ns ±12% 24.6ns ± 1% ~ (p=0.063 n=5+5) Filter/udp4_in-8 71.5ns ± 5% 65.9ns ± 1% -7.94% (p=0.008 n=5+5) Filter/udp4_out-8 132ns ±13% 119ns ± 1% -10.29% (p=0.008 n=5+5) Filter/icmp6-8 169ns ±10% 54ns ± 1% -68.35% (p=0.008 n=5+5) Filter/tcp6_syn_in-8 149ns ± 6% 43ns ± 1% -71.11% (p=0.008 n=5+5) Filter/tcp6_syn_out-8 37.7ns ± 4% 24.3ns ± 3% -35.51% (p=0.008 n=5+5) Filter/udp6_in-8 179ns ± 5% 103ns ± 1% -42.75% (p=0.008 n=5+5) Filter/udp6_out-8 156ns ± 3% 191ns ± 1% +22.54% (p=0.008 n=5+5) Signed-off-by: David Anderson <danderson@tailscale.com>	6 years ago
David Anderson	04ff3c91ee	wgengine/filter: add full IPv6 support. Part of #19. Signed-off-by: David Anderson <danderson@tailscale.com>	6 years ago
David Anderson	a38e28da07	net/packet: documentation pass. Signed-off-by: David Anderson <danderson@tailscale.com>	6 years ago
David Anderson	9ef39af2f2	net/packet: fix panic on invalid IHL field. Signed-off-by: David Anderson <danderson@tailscale.com>	6 years ago
David Anderson	22bf48f37c	net/packet: remove {get,put}{16,32} indirection to encoding/binary. name old time/op new time/op delta Decode/tcp4-8 28.8ns ± 2% 13.1ns ± 4% -54.44% (p=0.008 n=5+5) Decode/tcp6-8 20.6ns ± 1% 12.6ns ± 2% -38.72% (p=0.008 n=5+5) Decode/udp4-8 28.2ns ± 1% 12.1ns ± 4% -57.01% (p=0.008 n=5+5) Decode/udp6-8 20.0ns ± 6% 12.1ns ± 2% -39.38% (p=0.008 n=5+5) Decode/icmp4-8 21.7ns ± 2% 11.5ns ± 1% -47.01% (p=0.008 n=5+5) Decode/icmp6-8 14.1ns ± 2% 11.8ns ± 4% -16.60% (p=0.008 n=5+5) Decode/unknown-8 9.43ns ± 2% 9.30ns ± 3% ~ (p=0.222 n=5+5) Signed-off-by: David Anderson <danderson@tailscale.com>	6 years ago
David Anderson	55b1221db2	net/packet: support full IPv6 decoding. The packet filter still rejects all IPv6, but decodes enough from v6 packets to do something smarter in a followup. name time/op Decode/tcp4-8 28.8ns ± 2% Decode/tcp6-8 20.6ns ± 1% Decode/udp4-8 28.2ns ± 1% Decode/udp6-8 20.0ns ± 6% Decode/icmp4-8 21.7ns ± 2% Decode/icmp6-8 14.1ns ± 2% Decode/unknown-8 9.43ns ± 2% Signed-off-by: David Anderson <danderson@tailscale.com>	6 years ago
David Anderson	89894c6930	net/packet: add IPv6 source and destination IPs to Parsed. Signed-off-by: David Anderson <danderson@tailscale.com>	6 years ago
David Anderson	093431f5dd	net/packet: s/ParsedPacket/Parsed/ to avoid package stuttering. Signed-off-by: David Anderson <danderson@tailscale.com>	6 years ago
David Anderson	427bf2134f	net/packet: rename from wgengine/packet. Signed-off-by: David Anderson <danderson@tailscale.com>	6 years ago
David Anderson	19df6a2ee2	wgengine/packet: rename types to reflect their v4-only-ness, document. Signed-off-by: David Anderson <danderson@tailscale.com>	6 years ago
Brad Fitzpatrick	b4d97d2532	wgengine/filter: fix IPv4 IGMP spam omission, also omit ff02::16 spam And add tests. Fixes #618 Updates #402	6 years ago
Brad Fitzpatrick	3e3c24b8f6	wgengine/packet: add IPVersion field, don't use IPProto to note version As prep for IPv6 log spam fixes in a future change. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 years ago
Dmytro Shynkevych	07e02ec9d3	wgengine/tsdns: add test and prevent useless updates (#449 ) Signed-Off-By: Dmytro Shynkevych <dmytro@tailscale.com>	6 years ago
Dmytro Shynkevych	511840b1f6	tsdns: initial implementation of a Tailscale DNS resolver (#396 ) Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>	6 years ago
Dmytro Shynkevych	059b1d10bb	wgengine/packet: refactor and expose UDP header marshaling (#408 ) Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>	6 years ago
Brad Fitzpatrick	43ded2b581	wgengine/packet: add some tests, more docs, minor Go style, performance changes	6 years ago
Avery Pennarun	65fbb9c303	wgengine/filter: support subnet mask rules, not just /32 IPs. This depends on improved support from the control server, to send the new subnet width (Bits) fields. If these are missing, we fall back to assuming their value is /32. Conversely, if the server sends Bits fields to an older client, it will interpret them as /32 addresses. Since the only rules we allow are "accept" rules, this will be narrower or equal to the intended rule, so older clients will simply reject hosts on the wider subnet (fail closed). With this change, the internal filter.Matches format has diverged from the wire format used by controlclient, so move the wire format into tailcfg and convert it to filter.Matches in controlclient. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	6 years ago
Avery Pennarun	85e675940d	wgengine/filter: allow ICMP response packets. Longer term, we should probably update the packet filter to be fully stateful, for both TCP and ICMP. That is, only ICMP packets related to a session we initiated should be allowed back in. But this is reasonably secure for now, since wireguard is already trimming most traffic. The current code would not protect against eg. Ping-of-Death style attacks from VPN nodes. Fixes tailscale/tailscale#290. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	6 years ago
David Anderson	43becc4334	wgengine/packet: fix minor lint errors. Signed-off-by: David Anderson <dave@natulte.net>	6 years ago
Earl Lee	a8d8b8719a	Move Linux client & common packages into a public repo.	6 years ago

14 Commits (524fb2c1908dc06b166f2a4fd2015d00b7d5ea92)