v1.74.0-sunos

Builds

• deps: bump ws from 8.14.2 to 8.17.1 in /client/web (tailscale#12524) #12524 (dependabot[bot])

Commits

• 1e8f8ee: VERSION.txt: this is v1.73.0 (tailscale#13181) (Andrea Gottardo) #13181
• 8fad8c4: tstest/tailmac: add customized macOS virtualization tooling (tailscale#13146) (Jonathan Nobels) #13146
• f95785f: util/winutil: add constants from Win32 SDK for dll blocking mitigation policies (Aaron Klotz) #13183
• 16bb541: wgengine/magicsock: replace deprecated poly1305 (tailscale#13184) (tomholford) #13175
• support setting authkey at login using syspolicy (tailscale#13061) #13061 (Andrea Gottardo)
• 01aa01f: ipn/ipnlocal: network-lock, error if no pubkey instead of panic (Kristoffer Dalby) #12505
• 2105773: cmd/k8s-operator/deploy: replace wildcards in Kubernetes Operator RBAC role definitions with verbs (pierig-n3xtio) #13169
• 8f6a235: util/winutil: add GetRegUserString/SetRegUserString accessors for storage and retrieval of string values in HKEY_CURRENT_USER (Aaron Klotz) #13188
• 93dc2de: cmd/k8s-operator: support default proxy class in k8s-operator (tailscale#12711) (ChandonPierre) #12711
• df6014f: net/tstun,wgengine{/netstack/gro}: refactor and re-enable gVisor GRO for Linux (tailscale#13172) (Jordan Whited) #13172
• 7675c3e: wgengine/netstack/gro: exclude importation of gVisor GRO pkg on iOS (tailscale#13202) (Jordan Whited) #13202
• 7d83056: ssh/tailssh: fix SSH on busybox systems (Percy Wegmann) #13040
• 151b77f: cmd/tl-longchain: tool to re-sign nodes with long rotation signatures (Anton Tolchanov) #13201
• af3d3c4: types/prefs: add a package containing generic preference types (Nick Khyl) #12830
• 4b525fd: ssh/tailssh: only chdir incubator process to user's homedir when necessary and possible (Percy Wegmann) #13171
• 8e42510: wgengine/netstack: disable gVisor GSO on Linux (tailscale#13215) (Jordan Whited) #13215
• 690d3bf: cmd/tailscale/cli: add debug command to do DNS lookups portably (Brad Fitzpatrick) #13219
• 4637ac7: ipn/ipnlocal: remember last notified taildrive shares and only notify if they've changed (Percy Wegmann) #13210
• fix new lint warnings from bumping staticcheck #13220 (Brad Fitzpatrick)
• switch to and require Go 1.23 #13220 (Brad Fitzpatrick)
• 0cb7eb9: net/dns: updated gonotify dependency to v2 that supports closable context (Ilarion Kovalchuk) #13221
• aedfb82: go.mod.sri: update SRI hash for go.mod changes (Flakes Updater) #13227
• e54c81d: types/views: add Slice.All iterator (Brad Fitzpatrick) #12913
• d00d6d6: go.mod: update to github.com/tailscale/netlink library that doesn't require vishvananda/netlink (Percy Wegmann) #13228
• 743d296: update to github.com/tailscale/netlink library that doesn't require vishvananda/netlink (Percy Wegmann) #13228
• 1191eb0: tstest/natlab: add unix address to writer for dgram mode (Jonathan Nobels) #13229
• 6280c44: go.mod.sri: update SRI hash for go.mod changes (Flakes Updater) #13234
• 3c66ee3: cmd/systray: add a basic linux systray app (Will Norris) #13237
• b091264: cmd/systray: set ipn.NotifyNoPrivateKeys, permit non-operator use (Brad Fitzpatrick) #13244
• d862898: go.mod.sri: update SRI hash for go.mod changes (Flakes Updater) #13238
• 3904e4d: cmd/tta, tstest/natlab/vnet: remove unneeded port 124 log hack, add log buffer (Brad Fitzpatrick) #13247
• 3b70968: cmd/vnet: add --blend and --pcap flags (Brad Fitzpatrick) #13247
• 5a99940: tstest/natlab/vnet: explicitly ignore PCP and SSDP UDP queries (Brad Fitzpatrick) #13247
• aa42ae9: tstest/natlab: make a new virtualIP type in prep for IPv6 support (Brad Fitzpatrick) #13248
• a9dc6e0: util/codegen, cmd/cloner, cmd/viewer: update codegen.LookupMethod to support alias type nodes (Nick Khyl) #13232
• 03acab2: cmd/cloner, cmd/viewer, util/codegen: add support for aliases of cloneable types (Nick Khyl) #13236
• e5fd36a: tstest/natlab: respect NATTable interface's invalid-means-drop everywhere (Brad Fitzpatrick) #13250
• 475ab1f: cmd/vnet: omit log spam when backend status hasn't changed (Brad Fitzpatrick) #13251
• 641693d: ipn/ipnlocal: install IPv6 service addr route (tailscale#13252) (Jordan Whited) #13252
• 367bfa6: tstest/integration: exercise TCP DNS queries against quad-100 (tailscale#13231) (Jordan Whited) #13231
• 9783065: tstest/integration: change log.Fatal() to t.Fatal() (tailscale#13253) (Jordan Whited) #13253
• 31b5239: tstest/natlab/vnet: flush and sync pcap file after every packet (Maisem Ali) #13255
• b78df4d: tstest/natlab/vnet: add start of IPv6 support (Brad Fitzpatrick) #13167
• 8af50fa: ipn/ipnlocal: update routes on link change with ExitNodeAllowLANAccess (James Tucker) #13246
• cccacff: types/opt: add BoolFlag for setting Bool value as a flag (Will Norris) #13264
• e0bdd5d: tstest/natlab: simplify a defer (Brad Fitzpatrick) #13259
• 3a8cfbc: tstest/natlab: be more paranoid about IP versions from gvisor (Brad Fitzpatrick) #13259
• 6dd1af0: tstest/natlab: refactor HandleEthernetPacketForRouter a bit (Brad Fitzpatrick) #13259
• 2636a83: cmd/tta: pull out test driver dialing into a type, fix bugs (Brad Fitzpatrick) #13259
• extend the gokrazy/natlab wait-for-network delay for IPv6 #13259 (Brad Fitzpatrick)
• 0157000: tstest/natlab: fix IPv6 tests, remove TODOs (Brad Fitzpatrick) #13259
• f99f970: tstest/natlab/vnet: rename some things for clarity (Brad Fitzpatrick) #13259
• 6d4973e: wgengine/netstack: use types/logger.Logf instead of stdlib log.Printf (tailscale#13267) (Jordan Whited) #13267
• d097096: net/tstun,wgengine/netstack: make inbound synthetic packet injection GSO-aware (tailscale#13266) (Jordan Whited) #13266
• bfcb356: wgengine/netstack: re-enable gVisor GSO on Linux (tailscale#13269) (Jordan Whited) #13269
• 06c31f4: tsweb/varz: remove pprof (Kristoffer Dalby) #12990
• add initial user-facing metrics #12990 (Kristoffer Dalby)
• 31cdbd6: net/tstun: fix gvisor inbound GSO packet injection (tailscale#13283) (Jordan Whited) #13283
• ff1d0aa: tstest/natlab/vnet: start adding tests (Brad Fitzpatrick) #13282
• 8b23ba7: tstest/natlab/vnet: add qemu + Virtualization.framework protocol tests (Brad Fitzpatrick) #13290
• 961ee32: ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend (Nick Khyl) #13281
• 73b3c8f: tstest/natlab/vnet: add IPv6 all-nodes support (Brad Fitzpa...

v1.72.1-sunos

Commits

• eb07c60: wgengine/netstack: disable gVisor GSO on Linux (tailscale#13213) (Jordan Whited) #13213
• f4a9566: VERSION.txt: this is v1.72.1 (Andrea Gottardo)
• 9a90bca: Merge tag 'v1.72.1' into sunos-1.72 (Nahum Shalman)

v1.72.0-sunos

Builds

• deps: bump github.com/docker/docker (tailscale#12966) #12966 (dependabot[bot])

Commits

• 4ff276c: VERSION.txt: this is v1.71.0 (Aaron Klotz) #12844
• remove warning (tailscale#12841) #12841 (Cameron Stokes)
• set Hostinfo.PackageType for mkctr container builds #12843 (Brad Fitzpatrick)
• f77821f: derp/derphttp: determine whether a region connect was to non-ideal node (Brad Fitzpatrick) #12725
• swallow panics #12836 (Paul Scott)
• d3af544: client/tailscale: document ACLTestFailureSummary.User field (Brad Fitzpatrick) #12852
• 1608831: wgengine/router: use quad-100 as the nexthop on Windows (Nick Khyl) #12847
• 4850186: {tool,client}: bump node version (tailscale#12840) (Mario Minardi) #12840
• 54f58d1: ipn/ipnlocal: add comment explaining auto exit node migration (Adrian Dewhurst) #12821
• log cancelled requests as 499 #12861 (Paul Scott)
• 0f57b93: cmd/k8s-operator,tstest,go.{mod,sum}: remove fybrik.io/crdoc dependency (tailscale#12862) (Irbe Krumina) #12862
• 32ce187: Add extra environment variables in deployment template (tailscale#12858) (Lee Briggs) #12858
• e7bf6e7: cmd/tailscale: add --min-validity flag to the cert command (tailscale#12822) (Andrew Lytvynov) #12822
• 20562a4: cmd/viewer, types/views, util/codegen: add viewer support for custom container types (Nick Khyl) #12809
• bd54b61: types/opt: add (Value[T]).GetOr(def T) T method (Nick Khyl) #12865
• 1f94047: go.mod.sri: update SRI hash for go.mod changes (Flakes Updater) #12880
• d500a92: util/slicesx: add HasPrefix, HasSuffix, CutPrefix, and CutSuffix functions (Nick Khyl) #12887
• 5d09649: types/lazy: add (*SyncValue[T]).SetForTest method (Nick Khyl) #12866
• update license notices #12886 (License Updater)
• 57856fc: ipn,wgengine/magicsock: allow setting static node endpoints via tailscaled configfile (tailscale#12882) (Irbe Krumina) #12882
• log all cancellations as 499s (tailscale#12894) #12894 (Paul Scott)
• 43375c6: types/lazy: re-init SyncValue during test cleanup if it wasn't set before SetForTest (Nick Khyl) #12905
• Add MiddlewareStack func to apply lists of Middleware (tailscale#12907) #12907 (Paul Scott)
• cf97cff: wgengine/netstack: simplify netaddrIPFromNetstackIP (Brad Fitzpatrick) #12922
• introduce captive-portal-detected Warnable (tailscale#12707) #12707 (Andrea Gottardo)
• 6840f47: net/dnsfallback: set CanPort80 in static DERPMap (tailscale#12929) (Andrea Gottardo) #12929
• 1bf82dd: util/osuser: run getent on non-Linux Unixes (Ross Williams) #12732
• c5623e0: go.{mod,sum},tstest/tools,k8s-operator,cmd/k8s-operator: autogenerate CRD API docs (tailscale#12884) (Irbe Krumina) #12884
• add QuietLogging option (tailscale#12838) #12838 (Paul Scott)
• a21bf10: cmd/k8s-operator,k8s-operator/sessionrecording,sessionrecording,ssh/tailssh: refactor session recording functionality (tailscale#12945) (Irbe Krumina) #12945
• 3088c61: go.mod: pull in latest github.com/tailscale/xnet (Percy Wegmann) #12951
• 19b0c8a: net/dns, health: raise health warning for failing forwarded DNS queries (tailscale#12888) (Jonathan Nobels) #12888
• 35a8fca: cmd/tailscale/cli: release portmap after netcheck (Andrew Dunham) #12956
• add some associated with scales #12953 (Brad Fitzpatrick)
• 2ab1d53: gokrazy/tsapp: add go.mod replacing two tailscale.com binaries with parent module (Brad Fitzpatrick) #12962
• 575feb4: util/osuser: turn wasm check into a const expression (Brad Fitzpatrick) #12930
• 34de96d: go.mod.sri: update SRI hash for go.mod changes (Flakes Updater) #12949
• add a warning that this is not used to build our published images (tailscale#12955) #12955 (Irbe Krumina)
• eead255: build_docker.sh: update script comment (tailscale#12970) (Irbe Krumina) #12970
• 8a8ecac: net/dns, cmd/tailscaled: plumb system health tracker into dns cleanup (tailscale#12969) (Jonathan Nobels) #12969
• 949b15d: net/captivedetection: call SetHealthy once connectivity restored (tailscale#12974) (Andrea Gottardo) #12974
• 7bc2dda: go.mod,net/tstun,wgengine/netstack: implement gVisor TCP GSO for Linux (tailscale#12869) (Jordan Whited) #12869
• 0def4f8: net/netns: on Windows, fall back to default interface index when unspecified address is passed to ControlC and bindToInterfaceByRoute is enabled (Aaron Klotz) #12981
• 004dded: net/tlsdial: relax self-signed cert health warning (Brad Fitzpatrick) #12980
• 655b4f8: net/netns: remove some logspam by avoiding logging parse errors due to unspecified addresses (Aaron Klotz) #12983
• don't show login error details with context cancelations #12992 (Brad Fitzpatrick)
• f0230ce: go.mod,net/tstun,wgengine/netstack: implement gVisor TCP GRO for Linux (tailscale#12921) (Jordan Whited) #12921
• 4055b63: net/captivedetection: exclude cellular data interfaces (tailscale#13002) (Andrea Gottardo) #13002
• 9939374: wgengine/magicsock: use cloud metadata to get public IPs (Andrew Dunham) #12997
• d9d9d52: wgengine/netstack: increase gVisor's TCP send and receive buffer sizes (tailscale#12994) (Jordan Whited) #12994
• 4099a36: util/winutil/gp: fix a busy loop bug (Nick Khyl) #13006
• a917718: util/linuxfw: return nil interface not concrete type (Maisem Ali) #13013
• f205efc: net/packet/checksum: fix v6 NAT (Maisem Ali) #13014
• 0a6eb12: go.mod.sri: update SRI hash for go.mod changes (Flakes Updater) #12967
• mark TestStdHandler_ConnectionClosedDuringBody flaky #13018 (Maisem Ali)
• 07e2487: wgengine/capture: fix v6 field typo in wireshark dissector (Maisem Ali) #13016
• a7a394e: tstest/integration: mark TestNATPing flaky (Maisem Ali) #13020
• 25f0a3f: wgengine/netstack: use build tags to exclude gVisor GRO importation on iOS (tailscale#13015) (Jordan Whited) #13015
• 17c88a1: net/captivedetection: mark TestAllEndpointsAreUpAndReturnExpectedResponse flaky (tailscale#13021) (Jordan Whited) #13021
• 0fd7374: ...

v1.70.0-sunos

sunos: update go modules

v1.70.0-beta-sunos

Bug Fixes

• broken tests for localhost #12200 (Josh McKinney)

Builds

• deps: bump golang.org/x/image from 0.15.0 to 0.18.0 #12629 (dependabot[bot])

Continuous Integration

• enable checklocks workflow for specific packages #12626 (Andrew Dunham)

Commits

• 5f12139: VERSION.txt: this is v1.69.0 (tailscale#12441) (Mario Minardi) #12441
• d0f1a83: net/dnscache: use parent context to perform lookup (Andrew Dunham) #12418
• 02e3c04: net/dns: re-query system resolvers on no-upstream resolver failure on apple platforms (tailscale#12398) (Jonathan Nobels) #12398
• d7fdc01: ssh/tailssh: check IsSELinuxEnforcing in tailscaled process (Percy Wegmann) #12445
• ccdd2e6: cmd/derper: add a README (Brad Fitzpatrick) #12446
• 88f2d23: wgengine/netstack: fix 4via6 subnet routes (tailscale#12454) (Irbe Krumina) #12454
• 72c8f77: wgengine/netstack: add test for tailscale#12448 (Andrew Dunham) #12458
• 6908fb0: ipn/localapi,client/tailscale,cmd/derper: add WhoIs lookup by nodekey, use in derper (Brad Fitzpatrick) #12466
• 65888d9: derp/xdp,cmd/xdpderper: initial skeleton (tailscale#12390) (Jordan Whited) #12390
• update PeerAPIDNS Port value documentation #12271 (James Tucker)
• 9189fe0: cmd/stunc: support user-specified port (tailscale#12469) (Jordan Whited) #12469
• bd2a6d5: util/winutil: add UserProfile type for (un)loading user profiles (Aaron Klotz) #12428
• e8ca30a: xcode/iOS: support serial number collection via MDM on iOS (tailscale#11429) (Andrea Gottardo) #11429
• begin work to use structured health warnings instead of strings, pipe changes into ipn.Notify (tailscale#12406) #12406 (Andrea Gottardo)
• 7354547: util/winutil: update UserProfile to ensure any environment variables in the roaming profile path are expanded (Aaron Klotz) #12471
• create a catch-all NRPT rule when "Override local DNS" is enabled on Windows #12426 (Nick Khyl)
• fix data race in new warnable code #12481 (Brad Fitzpatrick)
• e2c0d69: wgengine/filter: add filter benchmark (Brad Fitzpatrick) #12490
• 21ed31e: wgengine/filter: use NewContainsIPFunc for Srcs matches (Brad Fitzpatrick) #12488
• 7574f58: wgengine/filter: add more benchmarks, make names more explicit (Brad Fitzpatrick) #12493
• 491483d: cmd/viewer,type/views: add MapSlice for maps of slices (Maisem Ali) #12492
• 64ac64f: net/tsaddr: use bart in NewContainsIPFunc, add tests, benchmarks (Brad Fitzpatrick) #12487
• 10e8a2a: wgengine/filter: fix copy/pasteo in new benchmark's v6 CIDR (Brad Fitzpatrick) #12496
• d4220a7: wgengine/filter: add TCP non-SYN benchmarks (Brad Fitzpatrick) #12497
• 36b1b4a: wgengine/filter: split local+logging lookups by IPv4-vs-IPv6 (Brad Fitzpatrick) #12491
• 86e0f9b: net/ipset, wgengine/filter/filtertype: add split-out packages (Brad Fitzpatrick) #12499
• bf2d13c: net/ipset: return all closures from named wrappers (Brad Fitzpatrick) #12500
• 20a5f93: wgengine/filter: add UDP flow benchmark (Brad Fitzpatrick) #12502
• 1f6645b: net/ipset: skip the loop over Prefixes when there's only one (Brad Fitzpatrick) #12503
• a1ab7f7: client/tailscale: add NodeID to device (Kristoffer Dalby) #12506
• allow switching from unstable to stable tracks (tailscale#12477) #12477 (Andrew Lytvynov)
• 674c998: cmd/tailscale/cli: do not allow update --version on macOS (tailscale#12508) (Andrew Lytvynov) #12508
• 8cc2738: cmd/{containerboot,k8s-operator}: store proxy device ID early to help with cleanup for broken proxies (tailscale#12425) (Irbe Krumina) #12425
• 315f3d5: derp/xdp: fix handling of zero value UDP checksums (tailscale#12510) (Jordan Whited) #12510
• 2db2d04: types/logid: add Add method (tailscale#12478) (Joe Tsai) #12478
• add a verifyClients check to the consistency check #12515 (James Tucker)
• update Windows hostinfo to include MSIDist registry value #12523 (Aaron Klotz)
• 45d2f43: proxymap, various: distinguish between different protocols (Andrew Dunham) #12385
• 3099323: cmd/k8s-operator,k8s-operator,go.{mod,sum}: publish proxy status condition for annotated services (tailscale#12463) (Tom Proctor) #12463
• bfb775c: go.mod.sri: update SRI hash for go.mod changes (Flakes Updater) #11777
• bd93c30: wgengine/filter/filtertype: make Match.IPProto a view (Brad Fitzpatrick) #12526
• expose DependsOn to local API via UnhealthyState (tailscale#12513) #12513 (Andrea Gottardo)
• a93173b: cmd/xdpderper,derp/xdp: implement mode that drops STUN packets (tailscale#12527) (Jordan Whited) #12527
• 8eb15d3: cli/netcheck: fail with output if we time out fetching a derpmap (tailscale#12528) (Andrea Gottardo) #12528
• include DERP region name in bad derp notifications (tailscale#12530) #12530 (Andrea Gottardo)
• 9e0a5cc: net/flowtrack: optimize Tuple type for use as map key (Brad Fitzpatrick) #12507
• 162d593: net/flowtrack: fix, test String method (Brad Fitzpatrick) #12533
• 21460a5: tailcfg, wgengine/filter: remove most FilterRule.SrcBits code (Brad Fitzpatrick) #12529
• fix fmt verb for nodekeys #12539 (Brad Fitzpatrick)
• don't verify mesh peers when --verify-clients is set #12540 (Brad Fitzpatrick)
• fix nil DERPMap dereference panic #12535 (Andrea Gottardo)
• 1023b2a: util/deephash: fix test regression on 32-bit (Brad Fitzpatrick) #12544
• 0004827: control/controlhttp: add health warning for macOS filtering blocking Tailscale (tailscale#12546) (Brad Fitzpatrick) #12546
• 732605f: control/controlclient: move noiseConn to internal package (Andrew Dunham) #12550
• 24976b5: cmd/tailscale/cli: actually perform Noise request in 'debug ts2021' (Andrew Dunham) #12550
• 730f036: ssh/tailssh: replace incubator process with su instead of running su as child (Percy Wegmann) #12470
• bd50a34: wgengine/filter: add "Accept" TCP log lines to verbose logging (tailscale#12525) (Keli...

v1.68.2-sunos

Commits

• test SigCredential signatures and netmap filtering #12684 (Anton Tolchanov)
• 1b92ce1: ipn/ipnlocal: allow multiple signature chains from the same SigCredential (Anton Tolchanov) #12684
• 0629929: net/dns: recheck DNS config on SERVFAIL errors (tailscale#12547) (Jonathan Nobels) #12685
• c79c500: VERSION.txt: this is v1.68.2 (Anton Tolchanov)
• c061a7c: Merge tag 'v1.68.2' into sunos-1.68 (Nahum Shalman)

v1.68.1-sunos

Commits

• 7901925: VERSION.txt: this is v1.67.0 (tailscale#12063) (Nick O'Neill) #12063
• 8f7f9ac: wgengine/netstack: handle 4via6 routes that are advertised by the same node (Andrew Dunham) #12016
• b5dbf15: cmd/k8s-operator: default nameserver image to tailscale/k8s-nameserver:unstable (tailscale#11991) (Irbe Krumina) #11991
• ac638f3: util/linuxfw: fix stateful packet filtering in nftables mode (Anton Tolchanov) #12068
• 21abb7f: cmd/tailscale: add missing set flags for linux (Maisem Ali) #12072
• 25e32cc: util/linuxfw: fix table name in DelStatefulRule (Andrew Dunham) #12077
• 5708fc0: wgengine/router: print Docker warning when stateful filtering is enabled (Andrew Dunham) #12076
• e070af7: ipnlocal, magicsock: add more description to storing last suggested exit (tailscale#11998) (Claire Wang) #11998
• d86d1e7: cmd/k8s-operator,cmd/containerboot,ipn,k8s-operator: turn off stateful filter for egress proxies. (tailscale#12075) (Irbe Krumina) #12075
• parse depth 1 PROPFIND results to include children in cache #12000 (Percy Wegmann)
• split user facing and backend logging #12095 (Maisem Ali)
• I had a feline we were missing some words (tailscale#12098) #12098 (Charlotte Brandhorst-Satzkorn)
• 79b2d42: types/views: move AsMap to Map from *Map (Maisem Ali) #12103
• add some fruit with scales (tailscale#8460) #8460 (Parker Higgins)
• 8aa5c35: ipn/ipnlocal: simplify authURL vs authURLSticky, remove interact field (Brad Fitzpatrick) #12096
• 7ef2f72: util/linuxfw: fix IPv6 availability check for nftables (tailscale#12009) (Irbe Krumina) #12009
• remove stats goroutine, use a timer #12130 (Andrew Dunham)
• fix macOS uploads by increasing build number prefix (tailscale#12134) #12134 (Andrea Gottardo)
• 1f51bb6: net/tstun: do SNAT after filterPacketOutboundToWireGuard (Maisem Ali) #12133
• plumb a now-required netmon to derphttp #12142 (Brad Fitzpatrick)
• 7f83f9f: Net/DNS/Publicdns: update the IPv6 range that we use to recreate route endpoint for control D (Kevin Liang) #12145
• add Info func to expose EmbeddedInfo #12147 (Maisem Ali)
• b094e8c: api.md: document user invite apis (Sonia Appasamy) #12074
• 8994760: api.md: document device invite apis (Sonia Appasamy) #12064
• 359ef61: Revert "version: add Info func to expose EmbeddedInfo" (Maisem Ali) #12155
• add GitCommitTime to Meta #12155 (Maisem Ali)
• 76c30e0: cmd/containerboot: warn when an ingress proxy with an IPv4 tailnet address is being created for an IPv6 backend(s) (tailscale#12159) (Irbe Krumina) #12159
• 87f00d7: tool/gocross: treat empty GOOS/GOARCH as native GOOS/GOARCH (James Tucker) #12160
• rewrite LOCK paths #12137 (Percy Wegmann)
• allow ICMP ping relay on macOS + iOS platforms (tailscale#12048) #12048 (Andrea Gottardo)
• create new home for API docs and split into catagory files (tailscale#12116) #12116 (Charlotte Brandhorst-Satzkorn)
• 8d12495: net/netcheck,wgengine/magicsock: add potential workaround for Palo Alto DIPP misbehavior (James Tucker) #12161
• adb7a86: cmd/stunc: support ipv6 address targets (tailscale#12166) (Jordan Whited) #12166
• include device and user invites API documentation (tailscale#12168) #12168 (Charlotte Brandhorst-Satzkorn)
• 47b3476: util/lru: add Clear method (Andrew Dunham) #12176
• 1384c24: control/controlclient: delete unused Client.Login Oauth2Token field (Brad Fitzpatrick) #12173
• 964282d: ipn,wgengine: remove vestigial Prefs.AllowSingleHosts (Brad Fitzpatrick) #12171
• 4f4f317: api.md: direct TOC links to new publicapi docs location (Charlotte Brandhorst-Satzkorn) #12175
• update license notices #12196 (License Updater)
• disable stateful filtering by default (tailscale#12197) #12197 (Andrew Lytvynov)
• 9351eec: net/netcheck: remove hairpin probes (James Tucker) #12205
• 72f0f53: cmd/k8s-operator: fix typo (tailscale#12217) (Irbe Krumina) #12217
• 3c9be07: cmd/derper: support TXT-mediated unpublished bootstrap DNS rollouts (Brad Fitzpatrick) #12219
• 538c2e8: tool/gocross: add debug data to CGO builds (James Tucker) #12223
• 4214e5f: logtail/backoff: update Backoff.BackOff docs (tailscale#12229) (Jordan Whited) #12229
• do not depend on the testing package #12233 (Maisem Ali)
• 87ee559: net/netcheck: apply some polish suggested from tailscale#12161 (James Tucker) #12164
• 8e4a294: util/pool: add package for storing and using a pool of items (Andrew Dunham) #12091
• d0d33f2: cmd/k8s-operator: add a note pointing at ProxyClass (tailscale#12246) (Irbe Krumina) #12246
• 5ad0dad: go generate directives reorder for 'make kube-generate-all' (tailscale#12210) (signed-long) #12210
• f1d10c1: ipn/ipnlocal: allowed suggested exit nodes policy (tailscale#12240) (Claire Wang) #12240
• 08a9551: ssh/tailssh: fall back to using su when no TTY available on Linux (Percy Wegmann) #11910
• dd77111: xcode/iOS: set MatchDomains when no route requires a custom DNS resolver (tailscale#10576) (Andrea Gottardo) #10576
• 0acb61f: serve.go, tsnet.go: Fix "in in" typo (tailscale#12279) (Walter Poupore) #12279
• 909a292: util/linuxfw: don't try cleaning iptables on gokrazy (Brad Fitzpatrick) #12284
• 2d2b62c: wgengine/router: probe generally-unused "ip" command style lazily (Brad Fitzpatrick) #12284
• 1ea100e: cmd/tailscaled, ipn/conffile: support ec2 user-data config file (Brad Fitzpatrick) #12287
• 776a052: ipn/ipnlocal: support c2n updates with old systemd versions (tailscale#12296) (Andrew Lytvynov) #12296
• 3212093: cmd/tailscale/cli: print node signature in tailscale lock status (Anton Tolchanov) #12275
• fix dropReason metrics labels (tailscale#12288) #12288 ([Spike Curtis](0...

v1.66.4-sunos

Commits

• c7a51ae: net/tstun: do SNAT after filterPacketOutboundToWireGuard (tailscale#12140) (Andrew Lytvynov) #12140
• disable stateful filtering by default (tailscale#12197) (Andrew Lytvynov)
• e64efe4: VERSION.txt: this is v1.66.4 (Andrew Lytvynov)
• be2fad1: Merge tag 'v1.66.4' into sunos-1.66 (Nahum Shalman)

v1.66.3-sunos

Commits

• c88abff: cmd/k8s-operator,cmd/containerboot,ipn,k8s-operator: turn off stateful filter for egress proxies. (tailscale#12088) (Irbe Krumina) #12088
• 32cb8a3: ipn/ipnlocal: simplify authURL vs authURLSticky, remove interact field (Brad Fitzpatrick)
• 9d2768a: util/linuxfw: fix IPv6 availability check for nftables (tailscale#12009) (tailscale#12123) (Irbe Krumina) #12123
• 78566fd: VERSION.txt: this is v1.66.2 (Nick O'Neill)
• fix macOS uploads by increasing build number prefix (tailscale#12134) (Andrea Gottardo)
• eae73f8: VERSION.txt: this is v1.66.3 (Nick O'Neill)
• 5a2a40e: Merge tag 'v1.66.3' into sunos-1.66 (Nahum Shalman)

v1.66.1-sunos

Builds

• deps: bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (tailscale#11410) #11410 (dependabot[bot])
• deps-dev: bump vite from 5.1.4 to 5.1.7 in /client/web #11609 (dependabot[bot])

Commits

• 09524b5: VERSION.txt: this is v1.64.0 (Jenny Zhang) #11690
• 2207643: VERSION.txt: this is v1.65.0 (Jenny Zhang) #11691
• add gliderlabs/ssh license #11694 (Will Norris)
• update license notices #11666 (License Updater)
• 4d5d669: net/dns: unconditionally write NRPT rules to local settings (Aaron Klotz) #11684
• optimize JSON processing (tailscale#11671) #11671 (Joe Tsai)
• add exit destination for network flow logs node attribute (tailscale#11698) #11698 (Claire Wang)
• enable allow LAN for android (tailscale#11709) #11709 (kari-ts)
• a1abd12: cmd/tailscaled, net/tstun: build for aix/ppc64 (Brad Fitzpatrick) #11721
• 65f2151: go.mod.sri: update SRI hash for go.mod changes (Flakes Updater) #11722
• 170c618: ipn/ipnlocal: remove dead code now that Android uses LocalAPI instead (Brad Fitzpatrick) #11724
• 970b1e2: ipn/ipnlocal: inline assertClientLocked into its now sole caller (Brad Fitzpatrick) #11725
• 68043a1: ipn/ipnlocal: centralize assignments to cc + ccAuto in new method (Brad Fitzpatrick) #11725
• 8186cd0: ipn/ipnlocal: delete redundant TestStatusWithoutPeers (Brad Fitzpatrick) #11725
• bad3159: ipn/ipnlocal: delete useless SetControlClientGetterForTesting use (Brad Fitzpatrick) #11726
• 271cfdb: util/syspolicy: clean up doc grammar and consistency (Brad Fitzpatrick) #11728
• set default state path on AIX #11730 (Brad Fitzpatrick)
• b9aa742: ipn/ipnlocal: remove some dead code (legacyBackend methods) from LocalBackend (Brad Fitzpatrick) #11739
• fix default SYNO_ARCH in Makefile #11747 (Brad Fitzpatrick)
• 38fb23f: cmd/k8s-operator,k8s-operator: allow users to configure proxy env vars via ProxyClass (tailscale#11743) (Irbe Krumina) #11743
• 952e06a: wgengine/router: don't attempt route cleanup on Synology (Brad Fitzpatrick) #11746
• 14c8b67: Revert "licenses: add gliderlabs/ssh license" (Will Norris) #11748
• 449f46c: wgengine/magicsock: rebind/restun if a syscall.EPERM error is returned (tailscale#11711) (Charlotte Brandhorst-Satzkorn) #11711
• 9171b21: cmd/tailscale, ipn/ipnlocal: add suggest exit node CLI option (tailscale#11407) (Claire Wang) #11407
• 7ec0dc3: ipn/ipnlocal: make StartLoginInteractive take (yet unused) context (Brad Fitzpatrick) #11751
• remove unused Options.LegacyMigrationPrefs #11752 (Brad Fitzpatrick)
• 3c1e2bb: ipn/ipnlocal: remove outdated iOS hacky workaround in Start (Brad Fitzpatrick) #11754
• document use of CapMap for peers #11759 (Adrian Dewhurst)
• 26f9bbc: cmd/k8s-operator,k8s-operator: document tailscale.com Custom Resource Definitions better. (tailscale#11665) (Irbe Krumina) #11665
• 0fba9e7: cmd/tailscale/cli: prevent concurrent Start calls in 'up' (Brad Fitzpatrick) #11761
• 7e2b426: ipn/{localapi, ipnlocal}: forget the prior exit node when localAPI is used to zero the ExitNodeID (tailscale#11681) (Jonathan Nobels) #11681
• 068db1f: net/interfaces: delete unused unexported function (Brad Fitzpatrick) #11765
• use Go 1.22 range-over-int #11764 (Brad Fitzpatrick)
• 62d4be8: cmd/tailscale/cli: fix drive --help usage identation (Paul Scott) #11757
• a50e4e6: cmd/tailscale/cli: remove duplicate "tailscale " in drive subcmd usage (Paul Scott) #11757
• eb34b8a: cmd/tailscale/cli: remove explicit usageFunc - its default (Paul Scott) #11757
• 3ff3445: cmd/tailscale/cli: improve ShortHelp/ShortUsage unit test, fix new errors (Paul Scott) #11757
• d07ede4: cmd/tailscale/cli: fix "subcommand required" errors when typod (Paul Scott) #11757
• 454a03a: cmd/tailscale/cli: prepend "tailscale" to usage errors (Paul Scott) #11757
• 226486e: net/interfaces: handle removed interfaces in State.Equal (Andrew Dunham) #11763
• 3ef7f89: go.{mod,sum}: bump nftables to the latest commit (tailscale#11772) (Irbe Krumina) #11772
• 21a0fe1: ipn/store: omit AWS & Kubernetes support on 'small' Linux GOARCHes (Brad Fitzpatrick) #11778
• 82394de: cmd/tailscale: add shell tab-completion (Paul Scott) #11336
• b85c2b2: net/dns/resolver: use SystemDial in DoH forwarder (Andrew Dunham) #11692
• set SameSite=Strict, with an option for Lax (tailscale#11781) #11781 (Chris Palmer)
• 22bd506: ipn/ipnlocal: hold the mutex when in onTailnetDefaultAutoUpdate (tailscale#11786) (Andrew Lytvynov) #11786
• 03d5d1f: wgengine/magicsock: disable portmapper in tunchan-faked tests (Brad Fitzpatrick) #11787
• c8b0adb: docs/windows/policy: add missing key expiration warning interval (Adrian Dewhurst) #11774
• e775de3: go.mod: bump golang.org/x/net (tailscale#11775) (Andrew Lytvynov) #11775
• allow object-src: self in CSP (tailscale#11782) #11782 (Chris Palmer)
• 02c6af2: cmd/tailscale: clarify Taildrive grants in help text (Percy Wegmann) #11783
• use Distro field for distinguishing Windows Server builds #11796 (Aaron Klotz)
• create android impl (tailscale#11784) #11784 (kari-ts)
• rename exit node destination network flow log node attribute (tailscale#11779) #11779 (Claire Wang)
• rewrite Location headers #11798 (Percy Wegmann)
• 94c0403: ipn/ipnlocal: strip origin and referer headers from Taildrive requests (Percy Wegmann) #11756
• d16c129: ipn/ipnlocal: remove origin and referer headers from Taildrive requests (Percy Wegmann) #11756
• bbe194c: cmd/k8s-operator: correctly determine cluster domain (tailscale#11512) (I...