VERSION.txt: this is v1.74.2

Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
net/captivedetection: exclude ipsec interfaces from captive portal detection (#13598 )
2024-10-01 11:47:38 -07:00 · 2024-10-01 08:46:40 -07:00 · 2024-09-18 11:54:26 -07:00 · 2024-09-18 11:53:18 -07:00 · 2024-09-16 11:07:02 -07:00 · 2024-09-12 12:58:22 -07:00
7 changed files with 27 additions and 15 deletions
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.73.0
+1.74.2
--- a/go.toolchain.rev
+++ b/go.toolchain.rev
@@ -1 +1 @@
-0a7392ba4471f578e5160b6ea21def6ae8e4a072
+ed9dc37b2b000f376a3e819cbb159e2c17a2dac6
--- a/net/captivedetection/captivedetection.go
+++ b/net/captivedetection/captivedetection.go
@@ -112,7 +112,7 @@ func (d *Detector) detectCaptivePortalWithGOOS(ctx context.Context, netMon *netm
 // interfaces on iOS and Android, respectively, and would be needlessly battery-draining.
 func interfaceNameDoesNotNeedCaptiveDetection(ifName string, goos string) bool {
 	ifName = strings.ToLower(ifName)
-	excludedPrefixes := []string{"tailscale", "tun", "tap", "docker", "kube", "wg"}
+	excludedPrefixes := []string{"tailscale", "tun", "tap", "docker", "kube", "wg", "ipsec"}
 	if goos == "windows" {
 		excludedPrefixes = append(excludedPrefixes, "loopback", "tunnel", "ppp", "isatap", "teredo", "6to4")
 	} else if goos == "darwin" || goos == "ios" {
--- a/tstest/integration/nat/nat_test.go
+++ b/tstest/integration/nat/nat_test.go
@@ -171,11 +171,15 @@ func easyPMP(c *vnet.Config) *vnet.Node {
 		fmt.Sprintf("192.168.%d.1/24", n), vnet.EasyNAT, vnet.NATPMP))
 }

-// easy + port mapping + host firewall
-func easyPMPFW(c *vnet.Config) *vnet.Node {
+// easy + port mapping + host firewall + BPF
+func easyPMPFWPlusBPF(c *vnet.Config) *vnet.Node {
 	n := c.NumNodes() + 1
 	return c.AddNode(
 		vnet.HostFirewall,
+		vnet.TailscaledEnv{
+			Key:   "TS_ENABLE_RAW_DISCO",
+			Value: "true",
+		},
 		vnet.TailscaledEnv{
 			Key:   "TS_DEBUG_RAW_DISCO",
 			Value: "1",
@@ -199,8 +203,8 @@ func easyPMPFWNoBPF(c *vnet.Config) *vnet.Node {
 	return c.AddNode(
 		vnet.HostFirewall,
 		vnet.TailscaledEnv{
-			Key:   "TS_DEBUG_DISABLE_RAW_DISCO",
-			Value: "1",
+			Key:   "TS_ENABLE_RAW_DISCO",
+			Value: "false",
 		},
 		c.AddNetwork(
 			fmt.Sprintf("2.%d.%d.%d", n, n, n), // public IP
@@ -531,7 +535,7 @@ func TestSameLAN(t *testing.T) {
 // * client machine has a stateful host firewall (e.g. ufw)
 func TestBPFDisco(t *testing.T) {
 	nt := newNatTest(t)
-	nt.runTest(easyPMPFW, hard)
+	nt.runTest(easyPMPFWPlusBPF, hard)
 	nt.want(routeDirect)
 }

--- a/wgengine/magicsock/magicsock.go
+++ b/wgengine/magicsock/magicsock.go
@@ -508,13 +508,13 @@ func NewConn(opts Options) (*Conn, error) {
 	if d4, err := c.listenRawDisco("ip4"); err == nil {
 		c.logf("[v1] using BPF disco receiver for IPv4")
 		c.closeDisco4 = d4
-	} else {
+	} else if !errors.Is(err, errors.ErrUnsupported) {
 		c.logf("[v1] couldn't create raw v4 disco listener, using regular listener instead: %v", err)
 	}
 	if d6, err := c.listenRawDisco("ip6"); err == nil {
 		c.logf("[v1] using BPF disco receiver for IPv6")
 		c.closeDisco6 = d6
-	} else {
+	} else if !errors.Is(err, errors.ErrUnsupported) {
 		c.logf("[v1] couldn't create raw v6 disco listener, using regular listener instead: %v", err)
 	}

--- a/wgengine/magicsock/magicsock_default.go
+++ b/wgengine/magicsock/magicsock_default.go
@@ -7,6 +7,7 @@ package magicsock

 import (
 	"errors"
+	"fmt"
 	"io"

 	"tailscale.com/types/logger"
@@ -14,7 +15,7 @@ import (
 )

 func (c *Conn) listenRawDisco(family string) (io.Closer, error) {
-	return nil, errors.New("raw disco listening not supported on this OS")
+	return nil, fmt.Errorf("raw disco listening not supported on this OS: %w", errors.ErrUnsupported)
 }

 func trySetSocketBuffer(pconn nettype.PacketConn, logf logger.Logf) {
--- a/wgengine/magicsock/magicsock_linux.go
+++ b/wgengine/magicsock/magicsock_linux.go
@@ -38,8 +38,11 @@ const (
 	discoMinHeaderSize = len(disco.Magic) + 32 /* key length */ + disco.NonceLen
 )

-// Enable/disable using raw sockets to receive disco traffic.
-var debugDisableRawDisco = envknob.RegisterBool("TS_DEBUG_DISABLE_RAW_DISCO")
+var (
+	// Opt-in for using raw sockets to receive disco traffic; added for
+	// #13140 and replaces the older "TS_DEBUG_DISABLE_RAW_DISCO".
+	envknobEnableRawDisco = envknob.RegisterBool("TS_ENABLE_RAW_DISCO")
+)

 // debugRawDiscoReads enables logging of raw disco reads.
 var debugRawDiscoReads = envknob.RegisterBool("TS_DEBUG_RAW_DISCO")
@@ -166,8 +169,12 @@ var (
 // and BPF filter.
 // https://github.com/tailscale/tailscale/issues/3824
 func (c *Conn) listenRawDisco(family string) (io.Closer, error) {
-	if debugDisableRawDisco() {
-		return nil, errors.New("raw disco listening disabled by debug flag")
+	if !envknobEnableRawDisco() {
+		// Return an 'errors.ErrUnsupported' to prevent the callee from
+		// logging; when we switch this to an opt-out (vs. an opt-in),
+		// drop the ErrUnsupported so that the callee logs that it was
+		// disabled.
+		return nil, fmt.Errorf("raw disco not enabled: %w", errors.ErrUnsupported)
 	}

 	// https://github.com/tailscale/tailscale/issues/5607
Author	SHA1	Message	Date
Andrea Gottardo	3332ccd0ad	VERSION.txt: this is v1.74.2 Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2024-10-01 11:47:38 -07:00
Andrea Gottardo	c8d38a6a5d	net/captivedetection: exclude ipsec interfaces from captive portal detection (#13598 ) Updates tailscale/tailscale#1634 Logs from some iOS users indicate that we're pointlessly performing captive portal detection on certain interfaces named ipsec*. These are tunnels with the cellular carrier that do not offer Internet access, and are only used to provide internet calling functionality (VoLTE / VoWiFi). ``` attempting to do captive portal detection on interface ipsec1 attempting to do captive portal detection on interface ipsec6 ``` This PR excludes interfaces with the `ipsec` prefix from captive portal detection. Signed-off-by: Andrea Gottardo <andrea@gottardo.me> (cherry picked from commit `69be54c7b6`)	2024-10-01 08:46:40 -07:00
Andrea Gottardo	0ca17be4a2	VERSION.txt: this is v1.74.1 Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2024-09-18 11:54:26 -07:00
Andrea Gottardo	5d8173dc58	go/toolchain: use ed9dc37b2b000f376a3e819cbb159e2c17a2dac6 (#13507 ) Updates tailscale/tailscale#13452 Bump the Go toolchain to the latest to pick up changes required to not crash on Android 9/10. Signed-off-by: Andrea Gottardo <andrea@gottardo.me> (cherry picked from commit `3a467b66b6`)	2024-09-18 11:53:18 -07:00
Andrew Dunham	9700e610c0	wgengine/magicsock: disable raw disco by default; add envknob to enable Updates #13140 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ica85b2ac8ac7eab4ec5413b212f004aecc453279 (cherry picked from commit `40833a7524`)	2024-09-16 11:07:02 -07:00
kari-ts	2118d0cf41	VERSION.txt: this is v1.74.0 Signed-off-by: kari-ts <kari@tailscale.com>	2024-09-12 12:58:22 -07:00
@@ -1 +1 @@
 .73.0
 .74.2