summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2021-01-20conn: remove _ method receiverJosh Bleecher Snyder
Minor style fix. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-20tun: fix fmt.Errorf format stringsJosh Bleecher Snyder
Type tcpip.Error is not an error. I've filed https://github.com/google/gvisor/issues/5314 to fix this upstream. Until that is fixed, use %v instead of %w, to keep vet happy. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-20device: remove unnecessary zeroingJosh Bleecher Snyder
Newly allocated objects are already zeroed. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-20device: remove QueueInboundElement.droppedJosh Bleecher Snyder
Now that we block when enqueueing to the decryption queue, there is only one case in which we "drop" a inbound element, when decryption fails. We can use a simple, obvious, sync-free sentinel for that, elem.packet == nil. Also, we can return the message buffer to the pool slightly later, which further simplifies the code. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-20device: remove QueueOutboundElement.droppedJosh Bleecher Snyder
If we block when enqueuing encryption elements to the queue, then we never drop them. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-20tun/wintun/memmod: gofmtJosh Bleecher Snyder
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-20tun/wintun/memmod: fix format verbJosh Bleecher Snyder
Caught by 'go vet'. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-20device: check returned errors from NewPeer in TestNoiseHandshakeJosh Bleecher Snyder
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-20device: remove selects from encrypt/decrypt/inbound/outbound enqueuingJosh Bleecher Snyder
Block instead. Backpressure here is fine, probably preferable. This reduces code complexity. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-20device: put handshake buffer in pool in FlushPacketQueuesJosh Bleecher Snyder
This appears to have been an oversight. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-20device: use channel close to shut down and drain decryption channelJosh Bleecher Snyder
This is similar to commit e1fa1cc5560020e67d33aa7e74674853671cf0a0, but for the decryption channel. It is an alternative fix to f9f655567930a4cd78d40fa4ba0d58503335ae6a. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-13tun: add tcpip stack tunnel abstractionJason A. Donenfeld
This allows people to initiate connections over WireGuard without any underlying operating system support. I'm not crazy about the trash it adds to go.sum, but the code this actually adds to the binaries seems contained to the gvisor repo. For the TCP/IP implementation, it uses gvisor. And it borrows some internals from the Go standard library's resolver in order to bring Dial and DialContext to tun_net, along with the LookupHost helper function. This allows for things like HTTP2-over-TLS to work quite well: package main import ( "io" "log" "net" "net/http" "golang.zx2c4.com/wireguard/device" "golang.zx2c4.com/wireguard/tun" ) func main() { tun, tnet, err := tun.CreateNetTUN([]net.IP{net.ParseIP("192.168.4.29")}, []net.IP{net.ParseIP("8.8.8.8"), net.ParseIP("8.8.4.4")}, 1420) if err != nil { log.Panic(err) } dev := device.NewDevice(tun, &device.Logger{log.Default(), log.Default(), log.Default()}) dev.IpcSet(`private_key=a8dac1d8a70a751f0f699fb14ba1cff7b79cf4fbd8f09f44c6e6a90d0369604f public_key=25123c5dcd3328ff645e4f2a3fce0d754400d3887a0cb7c56f0267e20fbf3c5b endpoint=163.172.161.0:12912 allowed_ip=0.0.0.0/0 `) dev.Up() client := http.Client{ Transport: &http.Transport{ DialContext: tnet.DialContext, }, } resp, err := client.Get("https://www.zx2c4.com/ip") if err != nil { log.Panic(err) } body, err := io.ReadAll(resp.Body) if err != nil { log.Panic(err) } log.Println(string(body)) } Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-01-08device: receive: do not exit immediately on transient UDP receive errorsJason A. Donenfeld
Some users report seeing lines like: > Routine: receive incoming IPv4 - stopped Popping up unexpectedly. Let's sleep and try again before failing, and also log the error, and perhaps we'll eventually understand this situation better in future versions. Because we have to distinguish between the socket being closed explicitly and whatever error this is, we bump the module to require Go 1.16. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-01-07conn: linux: do not allow ReceiveIPvX to race with CloseJason A. Donenfeld
If Close is called after ReceiveIPvX, then ReceiveIPvX will block on an invalid or potentially reused fd. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-01-07device: receive: drain decryption queue before exiting RoutineDecryptionJason A. Donenfeld
It's possible for RoutineSequentialReceiver to try to lock an elem after RoutineDecryption has exited. Before this meant we didn't then unlock the elem, so the whole program deadlocked. As well, it looks like the flush code (which is now potentially unnecessary?) wasn't properly dropping the buffers for the not-already-dropped case. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-01-07device: add latency and throughput benchmarksJosh Bleecher Snyder
These obviously don't perfectly capture real world performance, in which syscalls and network links have a significant impact. Nevertheless, they capture some of the internal performance factors, and they're easy and convenient to work with. Hat tip to Avery Pennarun for help designing the throughput benchmark. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: use LogLevelError for benchmarkingJosh Bleecher Snyder
This keeps the output minimal and focused on the benchmark results. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: make test infrastructure usable with benchmarksJosh Bleecher Snyder
Switch from *testing.T to testing.TB. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07memmod: apply explicit build tags to _32 and _64 filesJason A. Donenfeld
Since _32 and _64 aren't valid goarchs, they don't match _GOOS_GOARCH, and so the existing tags wind up not being restricted to windows-only. This fixes the problem by adding windows to the tags explicitly. We could also fix it by calling the files _32_windows or _64_windows, but that changes the convention with the other single-arch files. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-01-07tun: make customization of WintunPool and requested GUID more obviousJason A. Donenfeld
Persnickety consumers can now do: func init() { tun.WintunPool, _ = wintun.MakePool("Flurp") tun.WintunStaticRequestedGUID, _ = windows.GUIDFromString("{5ae2716f-0b3e-4dc4-a8b5-48eba11a6e16}") } Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-01-07all: use ++ to incrementJosh Bleecher Snyder
Make the code slightly more idiomatic. No functional changes. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: remove unnecessary zeroingJosh Bleecher Snyder
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: call wg.Add outside the goroutineJosh Bleecher Snyder
One of the first rules of WaitGroups is that you call wg.Add outside of a goroutine, not inside it. Fix this embarrassing mistake. This prevents an extremely rare race condition (2 per 100,000 runs) which could occur when attempting to start a new peer concurrently with shutting down a device. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: remove QueueInboundElement leak with stopped peersJosh Bleecher Snyder
This is particularly problematic on mobile, where there is a fixed number of elements. If most of them leak, it'll impact performance; if all of them leak, the device will permanently deadlock. I have a test that detects element leaks, which is how I found this one. There are some remaining leaks that I have not yet tracked down, but this is the most prominent by far. I will commit the test when it passes reliably. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: simplify UAPI helper methodsJosh Bleecher Snyder
bufio is not required. strings.Builder is cheaper than bytes.Buffer for constructing strings. io.Writer is more flexible than io.StringWriter, and just as cheap (when used with io.WriteString). Run gofmt. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: fix alignment of peer stats memberJason A. Donenfeld
This was shifted by 2 bytes when making persistent keepalive into a u32. Fix it by placing it after the aligned region. Fixes: e739ff7 ("device: fix persistent_keepalive_interval data races") Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-01-07device: add UAPI helper methodsJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-01-07conn: do not SO_REUSEADDR on linuxJason A. Donenfeld
SO_REUSEADDR does not make sense for unicast UDP sockets. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-01-07device: add missing colon to error lineJason A. Donenfeld
People are actually hitting this condition, so make it uniform. Also, change a printf into a println, to match the other conventions. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-01-07device: fix error shadowing before log printBrad Fitzpatrick
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-01-07device: fix data race in peer.timersActiveJosh Bleecher Snyder
Found by the race detector and existing tests. To avoid introducing a lock into this hot path, calculate and cache whether any peers exist. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: fix races from changing private_keyJosh Bleecher Snyder
Access keypair.sendNonce atomically. Eliminate one unnecessary initialization to zero. Mutate handshake.lastSentHandshake with the mutex held. Co-authored-by: David Anderson <danderson@tailscale.com> Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: always name *Queue*Element variables elemJosh Bleecher Snyder
They're called elem in most places. Rename a few local variables to make it consistent. This makes it easier to grep the code for things like elem.Drop. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: use channel close to shut down and drain outbound channelJosh Bleecher Snyder
This is a similar treatment to the handling of the encryption channel found a few commits ago: Use the closing of the channel to manage goroutine lifetime and shutdown. It is considerably simpler because there is only a single writer. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: fix persistent_keepalive_interval data racesJosh Bleecher Snyder
Co-authored-by: David Anderson <danderson@tailscale.com> Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: use channel close to shut down and drain encryption channelJosh Bleecher Snyder
The new test introduced in this commit used to deadlock about 1% of the time. I believe that the deadlock occurs as follows: * The test completes, calling device.Close. * device.Close closes device.signals.stop. * RoutineEncryption stops. * The deferred function in RoutineEncryption drains device.queue.encryption. * RoutineEncryption exits. * A peer's RoutineNonce processes an element queued in peer.queue.nonce. * RoutineNonce puts that element into the outbound and encryption queues. * RoutineSequentialSender reads that elements from the outbound queue. * It waits for that element to get Unlocked by RoutineEncryption. * RoutineEncryption has already exited, so RoutineSequentialSender blocks forever. * device.RemoveAllPeers calls peer.Stop on all peers. * peer.Stop waits for peer.routines.stopping, which blocks forever. Rather than attempt to add even more ordering to the already complex centralized shutdown orchestration, this commit moves towards a data-flow-oriented shutdown. The device.queue.encryption gets closed when there will be no more writes to it. All device.queue.encryption readers always read until the channel is closed and then exit. We thus guarantee that any element that enters the encryption queue also exits it. This removes the need for central control of the lifetime of RoutineEncryption, removes the need to drain the encryption queue on shutdown, and simplifies RoutineEncryption. This commit also fixes a data race. When RoutineSequentialSender drains its queue on shutdown, it needs to lock the elem before operating on it, just as the main body does. The new test in this commit passed 50k iterations with the race detector enabled and 150k iterations with the race detector disabled, with no failures. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: simplify copying counter to nonceJosh Bleecher Snyder
Since we already have it packed into a uint64 in a known byte order, write it back out again the same byte order instead of copying byte by byte. This should also generate more efficient code, because the compiler can do a single uint64 write, instead of eight bounds checks and eight byte writes. Due to a missed optimization, it actually generates a mishmash of smaller writes: 1 byte, 4 bytes, 2 bytes, 1 byte. This is https://golang.org/issue/41663. The code is still better than before, and will get better yet once that compiler bug gets fixed. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: add a helper to generate uapi configsJosh Bleecher Snyder
This makes it easier to work with configs in tests. It'll see heavier use over upcoming commits; this commit only adds the infrastructure. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: use defer to simplify peer.NewTimerJosh Bleecher Snyder
This also makes the lifetime of modifyingLock more prominent. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: accept any io.Reader in device.IpcSetOperationJosh Bleecher Snyder
Any io.Reader will do, and there are no performance concerns here. This is technically backwards incompatible, but it is very unlikely to break any existing code. It is compatible with the existing uses in wireguard-{windows,android,apple} and also will allow us to slightly simplify it if desired. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: increase timeout in testsJosh Bleecher Snyder
When running many concurrent test processing using https://godoc.org/golang.org/x/tools/cmd/stress the processing sometimes cannot complete a ping in under 300ms. Increase the timeout to 5s to reduce the rate of false positives. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: prevent spurious errors while closing a deviceJosh Bleecher Snyder
When closing a device, packets that are in flight can make it to SendBuffer, which then returns an error. Those errors add noise but no light; they do not reflect an actual problem. Adding the synchronization required to prevent this from occurring is currently expensive and error-prone. Instead, quietly drop such packets instead of returning an error. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: remove starting waitgroupsJosh Bleecher Snyder
In each case, the starting waitgroup did nothing but ensure that the goroutine has launched. Nothing downstream depends on the order in which goroutines launch, and if the Go runtime scheduler is so broken that goroutines don't get launched reasonably promptly, we have much deeper problems. Given all that, simplify the code. Passed a race-enabled stress test 25,000 times without failure. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07device: make test setup more robustJosh Bleecher Snyder
Picking two free ports to use for a test is difficult. The free port we selected might no longer be free when we reach for it a second time. On my machine, this failure mode led to failures approximately once per thousand test runs. Since failures are rare, and threading through and checking for all possible errors is complicated, fix this with a big hammer: Retry if either device fails to come up. Also, if you accidentally pick the same port twice, delightful confusion ensues. The handshake failures manifest as crypto errors, which look scary. Again, fix with retries. To make these retries easier to implement, use testing.T.Cleanup instead of defer to close devices. This requires Go 1.14. Update go.mod accordingly. Go 1.13 is no longer supported anyway. With these fixes, 'go test -race' ran 100,000 times without failure. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-01-07wintun: do not load dll in init()Jason A. Donenfeld
This prevents linking to wintun.dll until it's actually needed, which should improve startup time. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-01-07tun/tuntest: make genICMPv4 allocate lessJosh Bleecher Snyder
It doesn't really matter, because it is only used in tests, but it does remove some noise from pprof profiles. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2020-12-08device: avoid copying lock in testsJosh Bleecher Snyder
This doesn't cause any practical problems as it is, but vet (rightly) flags this code as copying a mutex. It is easy to fix, so do so. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2020-12-08device: clear pointers when returning elems to poolsJosh Bleecher Snyder
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2020-12-08device: use labeled for loop instead of gotoJosh Bleecher Snyder
Minor code cleanup; no functional changes. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2020-11-27memmod: fix import loading function usageJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>