
Update from upstream #15

Closed

thirdeyenick wants to merge 874 commits into main from merge-upstream


Conversation

@thirdeyenick

This updates our fork with our changes to the most recent tailscale version v1.84.2.

RaulWhite and others added 30 commits July 2, 2025 13:37
Signed-off-by: Raúl Blanco <rbr007.movil@gmail.com>
LocalBackend transitions to ipn.NoState when switching to a different (or new) profile.
When this happens, we should unconfigure wgengine to clear routes, DNS configuration,
firewall rules that block all traffic except to the exit node, etc.

In this PR, we update (*LocalBackend).enterStateLockedOnEntry to do just that.

Fixes tailscale#15316
Updates tailscale/corp#23967

Signed-off-by: Nick Khyl <nickk@tailscale.com>
…icitly imported

In this PR, we update ipnlocal.LocalBackend to allow registering callbacks for control client creation
and profile changes. We also allow registering an ipnauth.AuditLogFunc to be called when an auditable
action is attempted.

We then use all this to invert the dependency between the auditlog and ipnlocal packages and make
the auditlog functionality optional, where it only registers its callbacks via ipnlocal-provided hooks
when the auditlog package is imported.

We then underscore-import it when building tailscaled for Windows, and we'll explicitly
import it when building xcode/ipn-go-bridge for macOS. Since there's no default log-store
location for macOS, we'll also need to call auditlog.SetStoreFilePath to specify where
pending audit logs should be persisted.

Fixes tailscale#15394
Updates tailscale/corp#26435
Updates tailscale/corp#27012

Signed-off-by: Nick Khyl <nickk@tailscale.com>
… env

Not all platforms have hardlinks, or not easily.

This lets a "tailscale" wrapper script set an environment variable
before calling tailscaled.

Updates tailscale#2233

Change-Id: I9eccc18651e56c106f336fcbbd0fd97a661d312e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

Re-enable HA Ingress again that was disabled for 1.82 release.

This reverts commit fea74a6.

Updates tailscale/corp#24795

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
For hooking up websocket VM clients to natlab.

Updates tailscale#13038

Change-Id: Iaf728b9146042f3d0c2d3a5e25f178646dd10951
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
If we previously knew of MAC addresses of a node, and they
suddenly go to zero, ignore them and return the previous
hardware addresses.

Updates tailscale/corp#25168

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
initPeerAPIListener may be returning early unexpectedly. Add debug logging to
see what causes it to return early when it does.

Updates tailscale#14393

Signed-off-by: Percy Wegmann <percy@tailscale.com>
It only affected js/wasm and tamago.

Updates tailscale/corp#24697

Change-Id: I8fd29323ed9b663fe3fd8d4a86f26ff584a3e134
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Otherwise you can get stuck finding minor ones nonstop.

Fixes tailscale#15484

Change-Id: I7f98ac338c0b32ec1b9fdc47d053207b5fc1bf23
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Add the golang-image-ico package, which is an incredibly small package
to handle the ICO container format with PNG inside. Some profile photos
look quite pixelated when displayed at this size, but it's better than
nothing, and any Windows support is just a bonus anyway.

Updates tailscale#1708

Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d
Signed-off-by: Will Norris <will@tailscale.com>
This commit implements an experimental UDP relay server. The UDP relay
server leverages the Disco protocol for a 3-way handshake between
client and server, along with 3 new Disco message types for said
handshake. These new Disco message types are also considered
experimental, and are not yet tied to a capver.

The server expects, and imposes, a Geneve (Generic Network
Virtualization Encapsulation) header immediately following the underlay
UDP header. Geneve protocol field values have been defined for Disco
and WireGuard. The Geneve control bit must be set for the handshake
between client and server, and unset for messages relayed between
clients through the server.

Updates tailscale/corp#27101

Signed-off-by: Jordan Whited <jordan@tailscale.com>
…ailscale#15493)

fixes tailscale/corp#27506

The source address link selection on sandboxed macOS doesn't deal
with loopback addresses correctly.  This adds an explicit check to ensure
we return the loopback interface for loopback addresses instead of the
default empty interface.

Specifically, this allows the dns resolver to route queries to a loopback
IP which is a common tactic for local DNS proxies.

Tested on macos, macsys and tailscaled. Forwarded requests to
127/8 all bound to lo0.

Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
Avoid the unbounded runtime during random allocation: if random
allocation fails after a first pass at random through the provided
ranges, pick the next free address by walking through the allocated set.

The new ipx utilities provide a bitset based allocation pool, good for
small to moderate ranges of IPv4 addresses as used in natc.

Updates tailscale#15367

Signed-off-by: James Tucker <james@tailscale.com>
…#15477)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.11 to 3.28.13.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@6bb031a...1b549b9)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Updates tailscale#5794

Change-Id: I696d49a3b0825ca90d3cb148b1c0dad9f7855808
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Not currently used in the OSS tree, a View for tailcfg.VIPService will
make implementing some server side changes easier.

Updates tailscale/corp#26272

Change-Id: If1ed0bea4eff8c4425d3845b433a1c562d99eb9e
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
Updates tailscale#5794

Change-Id: I8c466cae25ae79be1097450a63e8c25c7b519331
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates tailscale#5794

Change-Id: I12e8417ebd553f9951690c388fbe42228f8c9097
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates tailscale#5794

Change-Id: Ib78a3ea971a2374d405b024ab88658ec34be59a6
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This wasn't right; it was spinning up new goroutines non-stop.
Revert to a boring localhost TCP implementation for now.

Updates tailscale#5794

Change-Id: If93caa20a12ee4e741c0c72b0d91cc0cc5870152
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates tailscale#5794

Change-Id: I0f96383dea2ad017988d300df723ce906debb007
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Otherwise this was repeated closing control/derp connections all the time
on netmon changes. Arguably we should do this on all platforms?

Updates tailscale#5794

Change-Id: If6bbeff554235f188bab2a40ab75e08dd14746b2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates tailscale#5794

Change-Id: Ia7e71c32e6c0cd79eb32b6c2c2d4e9a6d8c3e4d6
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates tailscale#5794

Change-Id: Id7bdc08263e98a1848ffce0dd25fc034747d7393
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
To ease local debugging and have fewer moving pieces while bringing up
Plan 9 support.

Updates tailscale#5794

Change-Id: I2dc98e73bbb0d4d4730dc47203efc0550a0ac0a0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates tailscale#5794

Change-Id: Ibf74d017e38e0713d19bef437f26685280d79f6f
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates tailscale#5794

Change-Id: Ia6b2429d57b79770e4c278f011504f726136db5b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates tailscale#5794

Change-Id: I7b05cd29ec02085cb503bbcd0beb61bf455002ac
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates tailscale#5794

Change-Id: I77df1eb9bea9f079a25337cb7bbd498cf8a19135
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
jwhited and others added 17 commits July 2, 2025 13:37
…lscale#16018)

Updates #cleanup

Signed-off-by: Jordan Whited <jordan@tailscale.com>
…erator

The same message was used for "up" and "down" permission failures, but
"set" works better for both. Suggesting "up --operator" for a "down"
permission failure was confusing.

It's not like the latter command works in one shot anyway.

Fixes tailscale#16008

Change-Id: I6e4225ef06ce2d8e19c40bece8104e254c2aa525
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Taildrop wasn't working on iOS since tailscale#15971 because GetExt didn't work
until after init, but that PR moved Init until after Start.

This makes GetExt work before LocalBackend.Start (ExtensionHost.Init).

Updates tailscale#15812

Change-Id: I6e87257cd97a20f86083a746d39df223e5b6791b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This type improves code clarity and reduces the chance of heap alloc as
we pass it as a non-pointer. VNI being a 3-byte value enables us to
track set vs unset via the reserved/unused byte.

Updates tailscale/corp#27502

Signed-off-by: Jordan Whited <jordan@tailscale.com>
Use of the httptest client doesn't render header ordering
as expected.

Use http.DefaultClient for the test to ensure that
the header ordering test is valid.

Updates tailscale/corp#27370

Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>
heartbeatInterval is currently 3s.

Updates #cleanup

Signed-off-by: Jordan Whited <jordan@tailscale.com>
Create FileOps for calling platform-specific file operations such as SAF APIs in Taildrop
Update taildrop.PutFile to support both traditional and SAF modes

Updates tailscale#15263

Signed-off-by: kari-ts <kari@tailscale.com>
…scale#15986)

Registering a new store is cheap, it just adds a map entry. No need to
lazy-init it with sync.Once and an intermediate slice holding init
functions.

Updates #cleanup

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
…tailscale#16110)

fixes tailscale#16082

RouteAll should be true by default on iOS and Android.

Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
(cherry picked from commit 842df37)
…le#16059)

fixes tailscale/corp#25612

We now keep track of any DNS configurations which we could not
compile. This gives RecompileDNSConfig a configuration to
attempt to recompile and apply when the OS pokes us to indicate
that the interface DNS servers have changed/updated. The manager config
will remain unset until we have the required information to compile
it correctly, which should eliminate the problematic SERVFAIL
responses (especially on macOS 15).

This also removes the missingUpstreamRecovery func in the forwarder,
which is no longer required now that we have proper error handling
and recovery in the manager and the client.

Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
(cherry picked from commit 5e54819)
…tailscale#16129) (tailscale#16140)

In 1.84 we made 'tailscale set'/'tailscale up' error out if duplicate
command line flags are passed.
This broke some container configurations, as we have two env vars that
can be used to set the --accept-dns flag:
- TS_ACCEPT_DNS: specifically for --accept-dns
- TS_EXTRA_ARGS: accepts any arbitrary 'tailscale up'/'tailscale set'
flag.

We default TS_ACCEPT_DNS to false (to make the container behaviour more
declarative), which with the new restrictive CLI behaviour resulted in
failure for users who had set --accept-dns via TS_EXTRA_ARGS, as the flag would be
provided twice.

This PR reinstates the previous behaviour by checking if TS_EXTRA_ARGS
contains the --accept-dns flag and, if so, using its value to override TS_ACCEPT_DNS.

Updates tailscale#16108

(cherry picked from commit 5b670eb)

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
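An added illustration of the TS_EXTRA_ARGS override described in the commit message above; this is not code from the tailscale repository. It assumes TS_EXTRA_ARGS is whitespace-separated and that the duplicate flag is stripped so the CLI sees --accept-dns only once (reconcileAcceptDNS is a hypothetical helper name).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type acceptDNSResult struct {
	AcceptDNS bool     // effective value to pass as --accept-dns
	ExtraArgs []string // TS_EXTRA_ARGS with any --accept-dns flag removed
}

// reconcileAcceptDNS (hypothetical helper) applies the rule from the commit:
// a --accept-dns flag in TS_EXTRA_ARGS overrides TS_ACCEPT_DNS. The flag is
// also dropped from the returned extra args so 'tailscale set' never sees it
// twice, which is what 1.84's duplicate-flag check rejects. Empty TS_ACCEPT_DNS
// is treated as the container default, false.
func reconcileAcceptDNS(tsAcceptDNS, tsExtraArgs string) (acceptDNSResult, error) {
	var res acceptDNSResult
	if tsAcceptDNS != "" {
		v, err := strconv.ParseBool(tsAcceptDNS)
		if err != nil {
			return res, fmt.Errorf("TS_ACCEPT_DNS: %w", err)
		}
		res.AcceptDNS = v
	}
	// Assumption: TS_EXTRA_ARGS is whitespace-separated, as a shell would split it.
	for _, arg := range strings.Fields(tsExtraArgs) {
		name, value, hasValue := strings.Cut(strings.TrimLeft(arg, "-"), "=")
		if !strings.HasPrefix(arg, "-") || name != "accept-dns" {
			res.ExtraArgs = append(res.ExtraArgs, arg)
			continue
		}
		v := true // a bare boolean flag means true, as in Go's flag package
		if hasValue {
			var err error
			if v, err = strconv.ParseBool(value); err != nil {
				return res, fmt.Errorf("TS_EXTRA_ARGS %q: %w", arg, err)
			}
		}
		res.AcceptDNS = v
	}
	return res, nil
}

func main() {
	// Constructed input: the container default plus a user override via TS_EXTRA_ARGS.
	res, err := reconcileAcceptDNS("false", "--accept-dns=true --advertise-exit-node")
	fmt.Println(res, err)
}
```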
… for Ingress with ProxyGroup (tailscale#16199) (tailscale#16226)

Updates tailscale/corp#24795

(cherry picked from commit 4456f77)

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
Signed-off-by: Nick O'Neill <nick@tailscale.com>
@thirdeyenick thirdeyenick changed the title Merge upstream draft: Merge upstream Jul 2, 2025
This allows customizing the FQDN validation of tailscale services.
Tailscale changed the config file hash annotation and this test is not needed anymore (https://github.com/tailscale/tailscale/commit/52f88f782a45652d9db25b1563e5defae1e42897#diff-81d42590a1f8c9d4b6e8b2c898e364cadb84bfb45774aeb01ce9a789983ae04a). It was a leftover from rebasing.
@thirdeyenick thirdeyenick changed the title draft: Merge upstream Update from upstream Jul 4, 2025
@thirdeyenick (Author)

closing this in favor of #18
