Comparing changes

base repository: tailscale/tailscale
base: v1.68.1
head repository: tailscale/tailscale
compare: v1.68.2
  • 4 commits
  • 10 files changed
  • 2 contributors

Commits on Jul 2, 2024

  1. tka: test SigCredential signatures and netmap filtering

    This change moves handling of wrapped auth keys to the `tka` package and
    adds a test covering auth key originating signatures (SigCredential) in
    netmap.
    
    Updates tailscale/corp#19764
    
    Signed-off-by: Anton Tolchanov <anton@tailscale.com>
    knyar committed Jul 2, 2024
    Commit db1691f
  2. ipn/ipnlocal: allow multiple signature chains from the same SigCredential

    Detection of duplicate Network Lock signature chains added in
    01847e0 failed to account for chains
    originating with a SigCredential signature, which is used for wrapped
    auth keys. This results in erroneous removal of signatures that
    originate from the same re-usable auth key.
    
    This change ensures that multiple nodes created by the same re-usable
    auth key are not getting filtered out by the network lock.
    
    Updates tailscale/corp#19764
    
    Signed-off-by: Anton Tolchanov <anton@tailscale.com>
    knyar committed Jul 2, 2024
    Commit 1b92ce1
  3. net/dns: recheck DNS config on SERVFAIL errors (#12547)

    Fixes tailscale/corp#20677
    
    Replaces the original attempt to rectify this (by injecting a netMon
    event) which was both heavy handed, and missed cases where the
    netMon event was "minor".
    
    On Apple platforms, fetching the interface's nameservers can
    and does return an empty list in certain situations. Apple's API
    in particular is very limiting here. The header hints at notifications
    for DNS changes which would let us react ahead of time, but it's all
    private APIs.
    
    To avoid remaining in the state where we end up with no
    nameservers but we absolutely need them, we'll react
    to a lack of upstream nameservers by attempting to re-query
    the OS.
    
    We'll rate limit this to space out the attempts. It seems relatively
    harmless to attempt a reconfig every 5 seconds (triggered
    by an incoming query) if the network is in this broken state.
    
    Missing nameservers might possibly be a persistent condition
    (vs a transient error), but that would also imply that something
    out of our control is badly misconfigured.
    
    Tested by randomly returning [] for the nameservers. When switching
    between Wifi networks, or cell->wifi, this will randomly trigger
    the bug, and we appear to reliably heal the DNS state.
    
    Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
    barnstar authored and knyar committed Jul 2, 2024
    Commit 0629929
  4. VERSION.txt: this is v1.68.2

    Signed-off-by: Anton Tolchanov <anton@tailscale.com>
    knyar committed Jul 2, 2024
    Commit c79c500
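
The rate-limited recovery described in the net/dns commit message above, sketched as an added Go example that is not code from the Tailscale repository. `Forwarder`, `Resolve`, `queryOS` and `simulate` are hypothetical names, and the query times and resolver address are constructed.

```go
// Added illustration, not Tailscale's code; names are hypothetical, no locking.
package main

import "fmt"
import "time"

const recheckInterval = 5 * time.Second // spacing named in the commit message

type Forwarder struct {
	upstreams   []string
	lastRecheck time.Time
	queryOS     func() []string // asks the OS for its current nameservers
}

// Resolve returns the upstreams for a query arriving at now. With none known it
// re-queries the OS at most once per recheckInterval; empty means SERVFAIL.
func (f *Forwarder) Resolve(now time.Time) []string {
	if len(f.upstreams) > 0 {
		return f.upstreams
	}
	if !f.lastRecheck.IsZero() && now.Sub(f.lastRecheck) < recheckInterval {
		return nil // rate limited: do not touch the OS again yet
	}
	f.lastRecheck, f.upstreams = now, f.queryOS()
	return f.upstreams
}

// simulate replays constructed query times (seconds) against an OS that reports
// no nameservers before healAt. It returns the number of OS re-queries and the
// index of the first query that found upstreams (-1 if none did).
func simulate(times []int, healAt int) (rechecks, healedIdx int) {
	cur := 0
	f := &Forwarder{queryOS: func() []string {
		rechecks++
		if cur >= healAt {
			return []string{"192.0.2.53"} // constructed documentation address
		}
		return nil
	}}
	healedIdx = -1
	for i, s := range times {
		cur = s
		if len(f.Resolve(time.Unix(int64(s), 0))) > 0 && healedIdx < 0 {
			healedIdx = i
		}
	}
	return rechecks, healedIdx
}

func main() { fmt.Println(simulate([]int{0, 1, 2, 4, 5, 6, 9, 10, 11}, 8)) } // 3 7
```

Nine queries arriving over eleven seconds cause only three OS re-queries, and the first query after the 5-second window that follows the OS recovering gets upstreams again.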