N #4

Merged
merged 205 commits into from
Mar 13, 2024

Commits on Jan 19, 2024

  1. cmd/k8s-operator/deploy: allow modifying operator tags via Helm values

    Updates tailscale#10659
    
    Signed-off-by: Chandon Pierre <cpierre@coreweave.com>
    ChandonPierre committed Jan 19, 2024
    2ce596e
  2. util/nocasemaps: add AppendSliceElem method to nocasemaps (tailscale#10871)
    
    Updates tailscale#7667
    
    Signed-off-by: Anishka Singh <anishkasingh66@gmail.com>
    as2643 committed Jan 19, 2024
    832e5c7
  3. wgengine/netstack: expose gVisor metrics through expvar

    When tailscaled is run with "-debug 127.0.0.1:12345", these metrics are
    available at:
        http://localhost:12345/debug/metrics
    
    Updates tailscale#8210
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: I19db6c445ac1f8344df2bc1066a3d9c9030606f8
    andrew-d committed Jan 19, 2024
    7a0392a

Commits on Jan 20, 2024

  1. go.mod: bump most deps for start of cycle

    Plan9 CI is disabled. 3p dependencies do not build for the target.
    Contributor enthusiasm appears to have ceased again, and no usage has
    been made.
    
    Skipped gvisor, nfpm, and k8s.
    
    Updates tailscale#5794
    Updates tailscale#8043
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Jan 20, 2024
    457102d
  2. go.mod.sri: update SRI hash for go.mod changes

    Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
    Flakes Updater authored and danderson committed Jan 20, 2024
    5b4eb47
  3. VERSION.txt: this is v1.59.0 (tailscale#10884)

    * VERSION.txt: this is v1.58.0
    
    Signed-off-by: kari-ts <kari@tailscale.com>
    
    * VERSION.txt: this is v1.59.0
    
    ---------
    
    Signed-off-by: kari-ts <kari@tailscale.com>
    kari-ts committed Jan 20, 2024
    62b056d
  4. 213d696
  5. tsweb: add a helper to validate redirect URLs

    We issue redirects in a few different places, it's time to have
    a common helper to do target validation.
    
    Updates tailscale/corp#16875
    
    Signed-off-by: David Anderson <danderson@tailscale.com>
    danderson committed Jan 20, 2024
    ae79b2e
  6. tool/gocross: force use of our custom toolchain

    The new 'toolchain' directive in go.mod can sometimes force
    the use of an upstream toolchain against our wishes. Concurrently,
    some of our dependencies have added the 'toolchain' directive, which
    transitively adds it to our own go.mod. Force all uses of gocross to
    ignore that directive and stick to our customized toolchain.
    
    Updates #cleanup
    
    Signed-off-by: David Anderson <danderson@tailscale.com>
    danderson committed Jan 20, 2024
    17eae5b
  7. go.mod,wgengine/netstack: bump gvisor

    Updates tailscale#8043
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Jan 20, 2024
    7e3bcd2
  8. go.mod.sri: update SRI hash for go.mod changes

    Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
    Flakes Updater authored and danderson committed Jan 20, 2024
    b787c27
  9. go.toolchain.rev: bump Tailscale Go version to 1.21.6

    Updates tailscale/go#83
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Jan 20, 2024
    4e822c0

Commits on Jan 22, 2024

  1. net/portmapper: handle cases where we have no supported clients

    This no longer results in a nil pointer exception when we get a valid
    UPnP response with no supported clients.
    
    Updates tailscale#10911
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: I6e3715a49a193ff5261013871ad7fff197a4d77e
    andrew-d committed Jan 22, 2024
    b45089a
  2. cmd/k8s-operator: don't proceed with Ingress that has no valid backends (tailscale#10919)
    
    Do not provision resources for a tailscale Ingress that has no valid backends.
    
    Updates tailscale#10910
    
    Signed-off-by: Irbe Krumina <irbe@tailscale.com>
    irbekrm committed Jan 22, 2024
    370ec6b

Commits on Jan 23, 2024

  1. appc,ipn/ipnlocal: optimize preference adjustments when routes update

    This change allows us to perform batch modification for new route
    advertisements and route removals. Additionally, we now handle the case
    where newly added routes are covered by existing ranges.
    
    This change also introduces a new appctest package that contains some
    shared functions used for testing.
    
    Updates tailscale/corp#16833
    
    Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
    catzkorn committed Jan 23, 2024
    ce4553b
  2. appc: add test to ensure that individual IPs are not removed during route updates
    
    If control advised the connector to advertise a route that had already
    been discovered by DNS it would be incorrectly removed. Now those routes
    are preserved.
    
    Updates tailscale/corp#16833
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Jan 23, 2024
    0e2cb76
  3. wgengine/magicsock: implement probing of UDP path lifetime (tailscale#10844)
    
    This commit implements probing of UDP path lifetime on the tail end of
    an active direct connection. Probing configuration has two parts -
    Cliffs, which are various timeout cliffs of interest, and
    CycleCanStartEvery, which limits how often a probing cycle can start,
    per-endpoint. Initially a statically defined default configuration will
    be used. The default configuration has cliffs of 10s, 30s, and 60s,
    with a CycleCanStartEvery of 24h. Probing results are communicated via
    clientmetric counters. Probing is off by default, and can be enabled
    via control knob. Probing is purely informational and does not yet
    drive any magicsock behaviors.
    
    Updates tailscale#540
    
    Signed-off-by: Jordan Whited <jordan@tailscale.com>
    jwhited committed Jan 23, 2024
    8b47322
  4. ipn/ipnlocal: fix proxy path that matches mount point (tailscale#10864)

    Don't append a trailing slash to a request path
    to the reverse proxy that matches the mount point exactly.
    
    Updates tailscale#10730
    
    Signed-off-by: Irbe Krumina <irbe@tailscale.com>
    irbekrm committed Jan 23, 2024
    6ee9563
  5. ipn/ipnlocal: fix failing test (tailscale#10937)

    Updates #cleanup
    
    Signed-off-by: Irbe Krumina <irbe@tailscale.com>
    irbekrm committed Jan 23, 2024
    75f1d3e

Commits on Jan 24, 2024

  1. net/portmapper: support legacy "urn:dslforum-org" portmapping services

    These are functionally the same as the "urn:schemas-upnp-org" services
    with a few minor changes, and are still used by older devices. Support
    them to improve our ability to obtain an external IP on such networks.
    
    Updates tailscale#10911
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: I05501fad9d6f0a3b8cf19fc95eee80e7d16cc2cf
    andrew-d committed Jan 24, 2024
    fd94d96

Commits on Jan 25, 2024

  1. util/expvarx: add a time and concurrency limiting expvar.Func wrapper

    expvarx.SafeFunc wraps an expvar.Func with a time limit. On reaching the
    time limit, calls to Value return nil, and no new concurrent calls to
    the underlying expvar.Func will be started until the call completes.
    
    Updates tailscale/corp#16999
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Jan 25, 2024
    0f3b2e7
  2. cmd/tailscale/cli: run Watch with NotifyNoPrivateKeys (tailscale#10950)

    When running as non-root non-operator user, you get this error:
    ```
    $ tailscale serve 8080
    Access denied: watch IPN bus access denied, must set ipn.NotifyNoPrivateKeys when not running as admin/root or operator
    
    Use 'sudo tailscale serve 8080' or 'tailscale up --operator=$USER' to not require root.
    ```
    
    It should fail, but the error message is confusing.
    
    With this fix:
    ```
    $ tailscale serve 8080
    sending serve config: Access denied: serve config denied
    
    Use 'sudo tailscale serve 8080' or 'tailscale up --operator=$USER' to not require root.
    ```
    
    Updates #cleanup
    
    Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
    awly committed Jan 25, 2024
    fbfc3b7

Commits on Jan 27, 2024

  1. words: i like the direction this list is taking

    Updates tailscale/corp#14698
    
    Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
    catzkorn committed Jan 27, 2024
    cce189b

Commits on Jan 29, 2024

  1. cmd/gitops-pusher: fix logic for checking credentials

    gitops-pusher supports authenticating with an API key or OAuth
    credentials (added in tailscale#7393). You shouldn't ever use both of those
    together, so we error if both are set.
    
    In tailscale/gitops-acl-action#24, OAuth support is being added to the
    GitHub action. In that environment, both the TS_API_KEY and OAuth
    variables will be set, even if they are empty values.  This causes an
    error in gitops-pusher which expects only one to be set.
    
    Update gitops-pusher to check that only one set of environment variables
    are non-empty, rather than just checking if they are set.
    
    Updates tailscale#7393
    
    Signed-off-by: Will Norris <will@tailscale.com>
    willnorris committed Jan 29, 2024
    13f8a66
  2. cmd/hello: avoid deprecated apis (tailscale#10957)

    Updates #cleanup
    
    Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
    Chris Palmer committed Jan 29, 2024
    9744ad4

Commits on Jan 30, 2024

  1. ipnlocal: log failure to get ssh host keys

    When reporting ssh host keys to control, log a warning
    if we're unable to get the SSH host keys.
    
    Updates tailscale/escalations#21
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Jan 30, 2024
    fad6bae

Commits on Jan 31, 2024

  1. ipn/ipnlocal: fix pretty printing of multi-record peer DNS results

    The API on the DNS record parser is slightly subtle and requires
    explicit handling of unhandled records. Failure to advance previously
    resulted in an infinite loop in the pretty responder for any reply that
    contains a record other than A/AAAA/TXT.
    
    Updates tailscale/corp#16928
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Jan 31, 2024
    b4b2ec7

Commits on Feb 1, 2024

  1. util/deephash: implement SelfHasher to allow types to hash themselves

    Updates: corp#16409
    Signed-off-by: Tom DNetto <tom@tailscale.com>
    twitchyliquid64 committed Feb 1, 2024
    2aeef4e
  2. appc,ipn/ipnlocal: add app connector routes if any part of a CNAME chain is routed
    
    If any domain along a CNAME chain matches any of the routed domains, add
    routes for the discovered domains.
    
    Fixes tailscale/corp#16928
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Feb 1, 2024
    e1a4b89
  3. ipn/ipnlocal: fix app connector route advertisements on exit nodes

    If an app connector is also configured as an exit node, it should still
    advertise discovered routes that are not covered by advertised routes,
    excluding the exit node routes.
    
    Updates tailscale/corp#16928
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Feb 1, 2024
    ba70cbb
  4. util/deephash: document pathological deephash behavior (tailscale#11010)

    Updates #cleanup
    
    Signed-off-by: Joe Tsai <joetsai@digital-static.net>
    dsnet committed Feb 1, 2024
    84f8311

Commits on Feb 2, 2024

  1. util/deephash: tighten up SelfHasher API (tailscale#11012)

    Providing a hash.Block512 is an implementation detail of how deephash
    works today, but providing an opaque type with mostly equivalent API
    (i.e., HashUint8, HashBytes, etc. methods) is still sensible.
    Thus, define a public Hasher type that exposes exactly the API
    that an implementation of SelfHasher would want to call.
    This gives us freedom to change the hashing algorithm of deephash
    at some point in the future.
    
    Also, this type is likely going to be called by types that are
    going to memoize their own hash results, we additionally add
    a HashSum method to simplify this use case.
    
    Add documentation to SelfHasher on how a type might implement it.
    
    Updates: corp#16409
    
    Signed-off-by: Joe Tsai <joetsai@digital-static.net>
    dsnet committed Feb 2, 2024
    60657ac
  2. cmd/hello: link to the Hello KB article (tailscale#11022)

    Fixes https://github.com/tailscale/corp/issues/17104
    
    Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
    Chris Palmer committed Feb 2, 2024
    a633a30

Commits on Feb 5, 2024

  1. ipn/localapi: more http status cleanup (tailscale#10995)

    Use Http.StatusOk instead of 200
    
    Updates #cleanup
    kari-ts committed Feb 5, 2024
    5595b61

Commits on Feb 6, 2024

  1. types/views: add SliceMapKey[T]

    views.Slice are meant to be immutable, and if used as such it
    is at times desirable to use them as a key in a map. For non-viewed
    slices it was kinda doable by creating a custom key struct but views.Slice
    didn't allow for the same so add a method to create that struct here.
    
    Updates tailscale/corp#17122
    
    Signed-off-by: Maisem Ali <maisem@tailscale.com>
    maisem committed Feb 6, 2024
    b752bde

Commits on Feb 7, 2024

  1. tsweb: implementing bucketed statistics for started/finished counts

    Signed-off-by: Tom DNetto <tom@tailscale.com>
    Updates: corp#17075
    twitchyliquid64 committed Feb 7, 2024
    36efc50
  2. tsweb: replace domains/emails in paths when bucketing stats

    Signed-off-by: Tom DNetto <tom@tailscale.com>
    Updates: corp#17075
    twitchyliquid64 committed Feb 7, 2024
    af931dc
  3. go.toolchain.rev: bump to Go 1.22.0 (tailscale#11055)

    Updates #cleanup
    
    Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
    awly committed Feb 7, 2024
    db3776d
  4. appc: optimize dns response observation for large route tables

    Advertise DNS discovered addresses as a single preference update rather
    than one at a time.
    
    Sort the list of observed addresses and use binary search to consult the
    list.
    
    Updates tailscale/corp#16636
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Feb 7, 2024
    0f5e031
  5. .github/workflows: add privileged tests workflow

    We had missed regressions from privileged tests not running, now they
    can run.
    
    Updates #cleanup
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Feb 7, 2024
    0b16620
  6. words: add a list of things you should yahoo!

    Updates #self
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Feb 7, 2024
    e0762fe
  7. tsweb: normalize common StableID's in bucketed stats, export as LabelMap

    Signed-off-by: Tom DNetto <tom@tailscale.com>
    Updates: corp#17075
    twitchyliquid64 committed Feb 7, 2024
    8d6d9d2

Commits on Feb 8, 2024

  1. tsweb: normalize passkey identities in bucketed stats

    Signed-off-by: Tom DNetto <tom@tailscale.com>
    Updates: corp#17075
    twitchyliquid64 committed Feb 8, 2024
    6537215
  2. go.mod, README.md: use Go 1.22

    Updates tailscale#11058
    
    Change-Id: I95eecdc7afe2b5f8189016fdb8a773f78e9f5c42
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 8, 2024
    b6153ef
  3. .github/workflows: update golangci-lint for Go 1.22

    Updates tailscale#11058
    
    Change-Id: I3785c1f1bea4a4663e7e5fb6d209d3caedae436d
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 8, 2024
    9612001
  4. Dockerfile: use Go 1.22

    Updates tailscale#11058
    
    Change-Id: I0f63be498be33d71bd90b7956f9fe9666fd7a696
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 8, 2024
    5ea0711
  5. util/cmpx: delete now that we're using Go 1.22

    Updates tailscale#11058
    
    Change-Id: I09dea8e86f03ec148b715efca339eab8b1f0f644
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 8, 2024
    2bd3c14
  6. .github/workflows: temporarily disable broken oss-fuzz action

    Updates tailscale#11064
    Updates tailscale#11058
    
    Change-Id: I63acc13dece3379a0b2df573afecfd245b7cd6c2
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 8, 2024
    c424e19
  7. go.mod.sri: update SRI hash for go.mod changes

    Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
    Flakes Updater authored and danderson committed Feb 8, 2024
    2404b14
  8. cmd/{containerboot,k8s-operator/deploy/manifests}: optionally allow proxying cluster traffic to a cluster target via ingress proxy (tailscale#11036)
    
    * cmd/containerboot,cmd/k8s-operator/deploy/manifests: optionally forward cluster traffic via ingress proxy.
    
    If a tailscale Ingress has tailscale.com/experimental-forward-cluster-traffic-via-ingress annotation, configure the associated ingress proxy to have its tailscale serve proxy to listen on Pod's IP address. This ensures that cluster traffic too can be forwarded via this proxy to the ingress backend(s).
    
    In containerboot, if EXPERIMENTAL_PROXY_CLUSTER_TRAFFIC_VIA_INGRESS is set to true
    and the node is Kubernetes operator ingress proxy configured via Ingress,
    make sure that traffic from within the cluster can be proxied to the ingress target.
    
    Updates tailscale#10499
    
    Signed-off-by: Irbe Krumina <irbe@tailscale.com>
    irbekrm committed Feb 8, 2024
    a6cc2fd
  9. licenses: update tailscale{,d} licenses

    Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
    License Updater authored and willnorris committed Feb 8, 2024
    5486d8a
  10. licenses: update android licenses

    Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
    License Updater authored and willnorris committed Feb 8, 2024
    78f257d
  11. licenses: update win/apple licenses

    Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
    License Updater authored and willnorris committed Feb 8, 2024
    9f0eaa4
  12. client/web: add new readonly mode

    The new read-only mode is only accessible when running `tailscale web`
    by passing a new `-readonly` flag. This new mode is identical to the
    existing login mode with two exceptions:
    
     - the management client in tailscaled is not started (though if it is
       already running, it is left alone)
    
     - the client does not prompt the user to login or switch to the
       management client. Instead, a message is shown instructing the user
       to use other means to manage the device.
    
    Updates tailscale#10979
    
    Signed-off-by: Will Norris <will@tailscale.com>
    willnorris committed Feb 8, 2024
    128c99d
  13. client/web: use smart quotes in web UI frontend

    add the curly-quotes eslint plugin (same that we use for the admin
    panel), and fix existing straight quotes in the current web UI.
    
    Updates #cleanup
    
    Signed-off-by: Will Norris <will@tailscale.com>
    willnorris committed Feb 8, 2024
    6f0c5e0
  14. go.mod: update web-client-prebuilt module

    Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>
    OSS Updater authored and willnorris committed Feb 8, 2024
    664b861
  15. cmd/dist: update logs for synology builds

    Update logs for synology builds to more clearly call out which variant
    is being built. The two existing variants are:
    
    1. Sideloaded (can be manually installed on a device by anyone)
    2. Package center distribution (by the tailscale team)
    
    Updates #cleanup
    
    Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
    soniaappasamy committed Feb 8, 2024
    1217f65
  16. ipnlocal: force-regen new authURL when it is too old (tailscale#10971)

    Fixes tailscale/support-escalations#23.
    
    authURLs returned by control expire after 1 hour from creation. Customer reported that the Tailscale client on macOS would send users to a stale authentication page when clicking on the `Login...` menu item. This can happen when clicking on Login after leaving the device unattended for several days. The device key expires, leading to the creation of a new authURL, however the client doesn't keep track of when the authURL was created. Meaning that `login-interactive` would send the user to an authURL that had expired server-side a long time before.
    
    This PR ensures that whenever `login-interactive` is called via LocalAPI, an authURL that is too old won't be used. We force control to give us a new authURL whenever it's been more than 30 minutes since the last authURL was sent down from control.
    
    
    
    Apply suggestions from code review
    
    
    
    
    Set interval to 6 days and 23 hours
    
    Signed-off-by: Andrea Gottardo <andrea@tailscale.com>
    Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
    agottardo committed Feb 8, 2024
    6c79f55
  17. cmd/tailscale/cli: fix exit node status output (tailscale#11076)

    This change fixes the format of tailscale status output when location
    based exit nodes are present.
    
    Fixes tailscale#11065
    
    Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
    catzkorn committed Feb 8, 2024
    0f042b9

Commits on Feb 9, 2024

  1. util/deephash: cleanup TODO in TestHash (tailscale#11080)

    Updates #cleanup
    
    Signed-off-by: Joe Tsai <joetsai@digital-static.net>
    dsnet committed Feb 9, 2024
    efddad7
  2. all: use reflect.TypeFor now available in Go 1.22 (tailscale#11078)

    Updates #cleanup
    
    Signed-off-by: Joe Tsai <joetsai@digital-static.net>
    dsnet committed Feb 9, 2024
    94a4f70
  3. all: use new AppendEncode methods available in Go 1.22 (tailscale#11079)

    Updates #cleanup
    
    Signed-off-by: Joe Tsai <joetsai@digital-static.net>
    dsnet committed Feb 9, 2024
    2e404b7
  4. tailfs: initial implementation

    Add a WebDAV-based folder sharing mechanism that is exposed to local clients at
    100.100.100.100:8080 and to remote peers via a new peerapi endpoint at
    /v0/tailfs.
    
    Add the ability to manage folder sharing via the new 'share' CLI sub-command.
    
    Updates tailscale/corp#16827
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Feb 9, 2024
    993acf4
  5. cmd/gitops-pusher: only use OAuth creds if non-empty string

    `os.LookupEnv` may return true if the variable is present in
    the environment but an empty string. We should only attempt
    to set OAuth Config if those values are non-empty.
    
    Updates gitops-acl-action#33
    
    Signed-off-by: Jenny Zhang <jz@tailscale.com>
    phirework committed Feb 9, 2024
    c446451
  6. tsweb: update ServeMux matching to 1.22.0 syntax (tailscale#11087)

    Updates #cleanup
    
    Go 1.22.0 introduced the ability to use more expressive routing patterns
    that include HTTP method when constructing ServeMux entries.
    Applications that attempted to use these patterns in combination with
    the old `tsweb.Debugger` would experience a panic as Go would not permit
    the use of matching rules with mixed level of specificity.
    
    Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
    patrickod committed Feb 9, 2024
    291f91d
  7. Revert "tsweb: update ServeMux matching to 1.22.0 syntax (tailscale#11087)" (tailscale#11089)
    
    This reverts commit 291f91d.
    
    Updates #cleanup
    
    This PR needs additional changes to the registration of child handlers under /debug
    
    Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
    patrickod committed Feb 9, 2024
    7c52b27
  8. fix toolchain not available error (tailscale#11083)

    Relates to golang/go#62278
    Updates tailscale#11058
    
    Signed-off-by: keisku <keisuke.umegaki.630@gmail.com>
    keisku committed Feb 9, 2024
    7039c06
  9. .github: fuzzing is now unbroken

    Updates #cleanup
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: I10dca601c79411b412180a46b3f82136e40544b0
    andrew-d committed Feb 9, 2024
    6f6383f
  10. client/web: only check policy caps for tagged nodes

    For user-owned nodes, only the owner is ever allowed to manage the
    node.
    
    Updates tailscale/corp#16695
    
    Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
    soniaappasamy committed Feb 9, 2024
    2bb837a
  11. util/rands: add Shuffle and Perm functions with on-stack RNG state

    The new math/rand/v2 package includes an m-local global random number
    generator that can not be reseeded by the user, which is suitable for
    most uses without the RNG pools we have in a number of areas of the code
    base.
    
    The new API still does not have an allocation-free way of performing
    seeded operations, due to the long term compiler bug around interface
    parameter escapes, and the Source interface.
    
    This change introduces the two APIs that math/rand/v2 can not yet
    replace efficiently: seeded Perm() and Shuffle() operations. This
    implementation chooses to use the PCG random source from math/rand/v2,
    as with sufficient compiler optimization, this source should boil down
    to only two on-stack registers for random state under ideal conditions.
    
    Updates #17243
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Feb 9, 2024
    24bac27
  12. build(deps-dev): bump vite from 4.4.9 to 4.5.2 in /client/web

    Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 4.4.9 to 4.5.2.
    - [Release notes](https://github.com/vitejs/vite/releases)
    - [Changelog](https://github.com/vitejs/vite/blob/v4.5.2/packages/vite/CHANGELOG.md)
    - [Commits](https://github.com/vitejs/vite/commits/v4.5.2/packages/vite)
    
    ---
    updated-dependencies:
    - dependency-name: vite
      dependency-type: direct:development
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    dependabot[bot] authored and andrew-d committed Feb 9, 2024
    79b5478

Commits on Feb 10, 2024

  1. tailfs: clean up naming and package structure

    - Restyles tailfs -> tailFS
    - Defines interfaces for main TailFS types
    - Moves implementation of TailFS into tailfsimpl package
    
    Updates tailscale/corp#16827
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Feb 10, 2024
    abab0d4
  2. tailfs: disable TailFSForLocal via policy

    Adds support for node attribute tailfs:access. If this attribute is
    not present, Tailscale will not accept connections to the local TailFS
    server at 100.100.100.100:8080.
    
    Updates tailscale/corp#16827
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Feb 10, 2024
    ddcffae
  3. tailfs: fix startup issues on windows

    Starts TailFS for Windows too, initializes shares on startup.
    
    Updates tailscale/corp#16827
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Feb 10, 2024
    87154a2
  4. tailscaled: revert to using pointers for subcommands

    As part of tailscale#10631, we stopped using function pointers for subcommands,
    preventing us from registering platform-specific installSystemDaemon
    and uninstallSystemDaemon subcommands.
    
    Fixes tailscale#11099
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Feb 10, 2024
    55b372a
  5. util/cloudenv: add support for DigitalOcean

    Updates tailscale#4984
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: Ib229eb40af36a80e6b0fd1dd0cabb07f0d50a7d1
    andrew-d committed Feb 10, 2024
    c1c50cf

Commits on Feb 11, 2024

  1. tailcfg: remove UserProfile.Groups

    Removing as per go/group-all-the-things.
    
    Updates tailscale/corp#17445
    
    Signed-off-by: Maisem Ali <maisem@tailscale.com>
    maisem committed Feb 11, 2024
    370ecb4

Commits on Feb 12, 2024

  1. flake.nix: build tailscale with go 1.22

    Updates #cleanup
    
    Signed-off-by: David Anderson <danderson@tailscale.com>
    danderson committed Feb 12, 2024
    58b8f78
  2. cmd/tailscale: hide share subcommand

    Fixes tailscale#1115
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Feb 12, 2024
    d0ef3a2
  3. tailfs: listen for local clients only on 100.100.100.100

    FileSystemForLocal was listening on the node's Tailscale address,
    which potentially exposes the user's view of TailFS shares to other
    Tailnet users. Remote nodes should connect to exported shares via
    the peerapi.
    
    This removes that code so that FileSystemForLocal is only available
    on 100.100.100.100:8080.
    
    Updates tailscale/corp#16827
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Feb 12, 2024
    c42a4e4

Commits on Feb 13, 2024

  1. types/views: add test that LenIter doesn't allocate

    For a second we thought this was allocating but we were looking
    at a CPU profile (which showed calls to mallocgc via makeslice)
    instead of the alloc profile.
    
    Updates golang/go#65685 (which if fixed wouldn't have confused us)
    
    Change-Id: Ic0132310d52d8a65758a516142525339aa23b1ed
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 13, 2024
    f7f4960
  2. cmd/k8s-operator,k8s-operator: proxy configuration mechanism via a new ProxyClass custom resource (tailscale#11074)
    
    * cmd/k8s-operator,k8s-operator: introduce proxy configuration mechanism via ProxyClass custom resource.
    
    ProxyClass custom resource can be used to specify customizations
    for the proxy resources created by the operator.
    
    Add a reconciler that validates ProxyClass resources
    and sets a Ready condition to True or False with a corresponding reason and message.
    This is required because some fields (labels and annotations)
    require complex validations that cannot be performed at custom resource apply time.
    Reconcilers that use the ProxyClass to configure proxy resources are expected to
    verify that the ProxyClass is Ready and not proceed with resource creation
    if configuration from a ProxyClass that is not yet Ready is required.
    
    If a tailscale ingress/egress Service is annotated with a tailscale.com/proxy-class annotation, look up the corresponding ProxyClass and, if it is Ready, apply the configuration from the ProxyClass to the proxy's StatefulSet.
    
    If a tailscale Ingress has a tailscale.com/proxy-class annotation
    and the referenced ProxyClass custom resource is available and Ready,
    apply configuration from the ProxyClass to the proxy resources
    that will be created for the Ingress.
    
    Add a new .proxyClass field to the Connector spec.
    If connector.spec.proxyClass is set to a ProxyClass that is available and Ready,
    apply configuration from the ProxyClass to the proxy resources created for the Connector.
    
    Ensure that when Helm chart is packaged, the ProxyClass yaml is added to chart templates. Ensure that static manifest generator adds ProxyClass yaml to operator.yaml. Regenerate operator.yaml
    
    
    Signed-off-by: Irbe Krumina <irbe@tailscale.com>
    irbekrm committed Feb 13, 2024
    5bd19fd
  3. tsweb: update ServeMux matching to 1.22.0 syntax (tailscale#11090)

    * tsweb: update ServeMux matching to 1.22.0 syntax
    
    Updates #cleanup
    
    Go 1.22.0 introduced the ability to use more expressive routing patterns
    that include HTTP method when constructing ServeMux entries.
    Applications that attempted to use these patterns in combination with
    the old `tsweb.Debugger` would experience a panic as Go would not permit
    the use of matching rules with mixed level of specificity. We now
    specify the method for each `/debug` handler to prevent
    incompatibilities.
    
    Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
    patrickod committed Feb 13, 2024
    30c9189
  4. wgengine/router: make the Windows ifconfig implementation reuse existing MibIPforwardRow2 when possible
    
    Looking at profiles, we spend a lot of time in winipcfg.LUID.DeleteRoute
    looking up the routing table entry for the provided RouteData.
    
    But we already have the row! We previously obtained that data via the full
    table dump we did in getInterfaceRoutes. We can make this a lot faster by
    hanging onto a reference to the winipcfg.MibIPforwardRow2 and executing
    the delete operation directly on that.
    
    Fixes tailscale#11123
    
    Signed-off-by: Aaron Klotz <aaron@tailscale.com>
    dblohm7 committed Feb 13, 2024
    f7acbef
  5. Revert "tsweb: update ServeMux matching to 1.22.0 syntax (tailscale#11090)" (tailscale#11125)
    
    This reverts commit 30c9189.
    
    Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
    patrickod committed Feb 13, 2024
    256ecd0
  6. scripts/installer.sh: add tuxedoOS to the Ubuntu copies

    Signed-off-by: Nathan Woodburn <github@nathan.woodburn.au>
    Nathanwoodburn authored and danderson committed Feb 13, 2024
    7c0651a

Commits on Feb 14, 2024

  1. net/dns: log more info when openresolv commands fail

    Updates tailscale#11129
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: Ic594868ba3bc31f6d3b0721ecba4090749a81f7f
    andrew-d committed Feb 14, 2024
    b0e96a6
  2. go.mod, all: move away from inet.af domain seized by Taliban

    Updates inetaf/tcpproxy#39
    
    Change-Id: I7fee276b116bd08397347c6c949011d76a2842cf
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 14, 2024
    61a1644
  3. go.mod.sri: update SRI hash for go.mod changes

    Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
    Flakes Updater authored and danderson committed Feb 14, 2024
    7ad2bb8
  4. util/topk: add package containing a probabilistic top-K tracker

    This package uses a count-min sketch and a heap to track the top K items
    in a stream of data. Tracking a new item and adding a count to an
    existing item both require no memory allocations and are at worst
    O(log(k)) complexity.
    
    Change-Id: I0553381be3fef2470897e2bd806d43396f2dbb36
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    andrew-d committed Feb 14, 2024
    b7104cd
  5. clientupdate: disable auto update on NixOS (tailscale#11136)

    Updates #cleanup
    
    NixOS packages are immutable and attempts to update via our tarball
    mechanism will always fail as a result. Instead we now direct users to
    update their nix channel or nixpkgs flake input to receive the latest
    Tailscale release.
    
    Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
    patrickod committed Feb 14, 2024
    38bba2d

Commits on Feb 15, 2024

  1. doctor/ethtool, ipn/ipnlocal: add ethtool bugreport check

    Updates tailscale#11137
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: Idbe862d80e428adb044249c47d9096b87f29d5d8
    andrew-d committed Feb 15, 2024
    52f16b5
  2. wgengine/router: fix ip rule restoration

    Fixes tailscale#10857
    
    Signed-off-by: Jason Barnett <J@sonBarnett.com>
    jasonwbarnett authored and KevinLiang10 committed Feb 15, 2024
    4d66841
  3. VERSION.txt: this is v1.61.0

    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Feb 15, 2024
    3aca29e

Commits on Feb 16, 2024

  1. ipn/ipnlocal: fix doctor API endpoint (tailscale#11155)

    Small fix to make sure doctor API endpoint returns correctly - I spotted it when checking my tailscaled node and noticed it was handled slightly differently compared to the rest
    
    Signed-off-by: San <santrancisco@users.noreply.github.com>
    santrancisco committed Feb 16, 2024
    69f5664
  2. cmd/tailscale: make web client URL clickable

    Updates tailscale#11151
    
    Signed-off-by: Will Norris <will@tailscale.com>
    willnorris committed Feb 16, 2024
    2448781
  3. cmd/tailscale: support clickable IPv6 web client addresses

    Instead of constructing the `ip:port` string ourselves, use
    netip.AddrPortFrom which handles IPv6 correctly.
    
    Updates tailscale#11164
    
    Signed-off-by: Will Norris <will@tailscale.com>
    willnorris committed Feb 16, 2024
    6b582cb
  4. tool/gocross: pass flags for visionOS and visionOS Simulator (tailscale#11127)
    
    Adds logic in gocross to detect environment variables and pass the right flags so that the backend can be built with the visionOS SDK.
    
    Signed-off-by: Andrea Gottardo <andrea@tailscale.com>
    Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
    agottardo committed Feb 16, 2024
    44e337c
  5. net/dns: fix infinite loop when run on Amazon Linux 2023

    This fixes an infinite loop caused by the configuration of
    systemd-resolved on Amazon Linux 2023 and how that interacts with
    Tailscale's "direct" mode. We now drop the Tailscale service IP from the
    OS's "base configuration" when we detect this configuration.
    
    Updates tailscale#7816
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: I73a4ea8e65571eb368c7e179f36af2c049a588ee
    andrew-d committed Feb 16, 2024
    70b7201

Commits on Feb 17, 2024

  1. logpolicy: allow longer idle log upload connections

    From a packet trace we have seen log connections being closed
    prematurely by the client, resulting in unnecessary extra TLS setup
    traffic.
    
    Updates tailscale#3363
    Updates tailscale/corp#9230
    Updates tailscale/corp#8564
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Feb 17, 2024
    6c3899e
  2. ipn/ipnlocal: remove ancient transition mechanism for https certs

    And confusing error message that duplicated the valid cert domains.
    
    Fixes tailscale/corp#15876
    
    Change-Id: I098bc45d83c8d1e0a233dcdf3188869cce66e128
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 17, 2024
    794af40

Commits on Feb 19, 2024

  1. prober: add TLS probe constructor to split dial addr from cert name

    So we can probe load balancers by their unique DNS name but without
    asking for that cert name.
    
    Updates tailscale/corp#13050
    
    Change-Id: Ie4c0a2f951328df64281ed1602b4e624e3c8cf2e
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 19, 2024
    a4a909a

Commits on Feb 20, 2024

  1. net/ktimeout: add a package to set TCP user timeout

    Setting a user timeout will be a more practical tuning knob for a number
    of endpoints, this provides a way to set it.
    
    Updates tailscale/corp#17587
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Feb 20, 2024
    8fe5042
  2. d756622

Commits on Feb 21, 2024

  1. cmd/testwrapper: apply results of all unit tests to coverage for all packages
    
    This allows coverage from tests that hit multiple packages at once
    to be reflected in all those packages' coverage.
    
    Updates #cleanup
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Feb 21, 2024
    91a1019
  2. cmd/tailscale/cli: pass "-o 'CanonicalizeHostname no'" to ssh

    Fixes tailscale#10348
    
    Signed-off-by: Paul Scott <paul@tailscale.com>
    icio committed Feb 21, 2024
    7708ab6

Commits on Feb 22, 2024

  1. derp: plumb context to Server.verifyClient

    Updates tailscale/corp#17693
    
    Change-Id: If17e02c77d5ad86b820e639176da2d3e61296bae
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 22, 2024
    2988c1e
  2. cmd/derper, derp, tailcfg: add admission controller URL option

    So derpers can check an external URL for whether to permit access
    to a certain public key.
    
    Updates tailscale/corp#17693
    
    Change-Id: I8594de58f54a08be3e2dbef8bcd1ff9b728ab297
    Co-authored-by: Maisem Ali <maisem@tailscale.com>
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz and maisem committed Feb 22, 2024
    10d130b
  3. util/syspolicy: add 'ResetToDefaults' (tailscale#11194)

    Updates ENG-2133. Adds the ResetToDefaults visibility policy currently only available on macOS, so that the Windows client can read its value.
    
    Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
    agottardo committed Feb 22, 2024
    0359c2f
  4. cmd/derper: add user timeout and reduce TCP keepalive

    The derper sends an in-protocol keepalive every 60-65s, so frequent TCP
    keepalives are unnecessary. In this tuning TCP keepalives should never
    occur for a DERP client connection, as they will send an L7 keepalive
    often enough to always reset the TCP keepalive timer. If however a
    connection does not receive an ACK promptly it will now be shut down,
    which happens sooner than it would with a normal TCP keepalive tuning.
    
    This re-tuning reduces the frequency of network traffic from derp to
    client, reducing battery cost.
    
    Updates tailscale/corp#17587
    Updates tailscale#3363
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Feb 22, 2024
    edbad6d
  5. client/web: update vite-plugin-svgr to latest version (tailscale#11197)

    Update vite-plugin-svgr to the latest version (4.2.0) ahead of updating
    vite to 5.x. This is a major version bump from our previous 3.x, and
    requires changing the import paths used for SVGs.
    
    Updates tailscale/corp#17715
    
    Signed-off-by: Mario Minardi <mario@tailscale.com>
    mpminardi committed Feb 22, 2024
    72140da
  6. client/web: update plugin-react-swc to latest version (tailscale#11199)

    Update plugin-react-swc to the latest version (3.6.0) ahead of updating vite to 5.x.
    
    Updates tailscale/corp#17715
    
    Signed-off-by: Mario Minardi <mario@tailscale.com>
    mpminardi committed Feb 22, 2024
    713d292

Commits on Feb 23, 2024

  1. net/tshttpproxy: log when we're using a proxy

    Updates tailscale#11196
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: Id6334c10f52f4cfbda9f03dc8096ab7a6c54a088
    andrew-d committed Feb 23, 2024
    e8d2fc7
  2. wgengine/wglog: quieten WireGuard logs for allowedips

    An increasing number of users have very large subnet route
    configurations, which can produce very large amounts of log data when
    WireGuard is reconfigured. The logs don't contain the actual routes, so
    they're largely useless for diagnostics, so we'll just suppress them.
    
    Fixes tailscale/corp#17532
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Feb 23, 2024
    131f909
  3. cmd/tailscale: add node attribute instructions to share command help

    This adds details on how to configure node attributes to allow
    sharing and accessing shares.
    
    Updates tailscale/corp#16827
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Feb 23, 2024
    15b2c67
  4. client/web: update vite and vitest to latest versions (tailscale#11200)

    Update vite to 5.1.4, and vitest to 1.3.1 (their latest versions). Also
    remove vite-plugin-rewrite-all as this is no longer necessary with vite
    5.x and has a dependency on vite 4.x.
    
    Updates tailscale/corp#17715
    
    Signed-off-by: Mario Minardi <mario@tailscale.com>
    mpminardi committed Feb 23, 2024
    ac281dd
  5. cli/debug: rename DERP debug mode (tailscale#11220)

    Renames a debug flag in the CLI.
    
    Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
    agottardo committed Feb 23, 2024
    c8c999d

Commits on Feb 24, 2024

  1. net/interfaces: reduce & cleanup logs on iOS

    We don't need a log line every time defaultRoute is read in the good
    case, and we now only log default interface updates that are actually
    changes.
    
    Updates tailscale#3363
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Feb 24, 2024
    651c489
  2. .github/workflows: fix typo in XDG_CACHE_HOME

    This appears to be one of the contributors to this CI target regularly
    entering a bad state with a partially written toolchain.
    
    Updates #self
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Feb 24, 2024
    c9b6d19
  3. cmd/derper: apply TCP keepalive and timeout to TLS as well

    I missed a case in the earlier patch, and so we're still sending 15s TCP
    keepalive for TLS connections, now adjusted there too.
    
    Updates tailscale/corp#17587
    Updates tailscale#3363
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Feb 24, 2024
    0c5e65e
  4. net/dns: timeout DOH requests after 10s without response headers

    If a client socket is remotely lost but the client is not sent an RST in
    response to the next request, the socket might sit in RTO for extended
    lengths of time, resulting in "no internet" for users. Instead, timeout
    after 10s, which will close the underlying socket, recovering from the
    situation more promptly.
    
    Updates tailscale#10967
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Feb 24, 2024
    8d0d464
  5. wgengine/wgcfg: don't send UAPI to disable keep-alives on new peers

    That's already the default. Avoid the overhead of writing it on one
    side and reading it on the other to do nothing.
    
    Updates #cleanup (noticed while researching something else)
    
    Change-Id: I449c88a022271afb9be5da876bfaf438fe5d3f58
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 24, 2024
    8b9474b
  6. wgengine/wglog: add TS_DEBUG_RAW_WGLOG envknob for raw wg logs

    Updates tailscale#7617 (part of debugging it)
    
    Change-Id: I1bcbdcf0f929e3bcf83f244b1033fd438aa6dac1
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 24, 2024
    6ad6d6b

Commits on Feb 25, 2024

  1. net/dns/publicdns: add Mullvad family DNS to the list of known DoH servers
    
    Adds the new Mullvad family DNS server to the known DNS over HTTPS server list.
    
    Signed-off-by: mrrfv <rm-rfv-no-preserve-root@protonmail.com>
    mrrfv authored and bradfitz committed Feb 25, 2024
    ff1391a
  2. all: remove LenIter, use Go 1.22 range-over-int instead

    Updates tailscale#11058
    Updates golang/go#65685
    
    Change-Id: Ibb216b346e511d486271ab3d84e4546c521e4e22
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 25, 2024
    e1bd748

Commits on Feb 26, 2024

  1. tailfs: replace webdavfs with reverse proxies

    Instead of modeling remote WebDAV servers as actual
    webdav.FS instances, we now just proxy traffic to them.
    This not only simplifies the code, but it also allows
    WebDAV locking to work correctly by making sure locks are
    handled by the servers that need to (i.e. the ones actually
    serving the files).
    
    Updates tailscale/corp#16827
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Feb 26, 2024
    50fb8b9
  2. wgengine/netstack: expose TCP forwarder drops via clientmetrics

    - add a clientmetric with a counter of TCP forwarder drops due to the
      max attempts;
    - fix varz metric types, as they are all counters.
    
    Updates tailscale#8210
    
    Signed-off-by: Anton Tolchanov <anton@tailscale.com>
    knyar committed Feb 26, 2024
    cd9cf93
  3. client/web: restrict serveAPI endpoints to peer capabilities

    This change adds a new apiHandler struct for use from serveAPI
    to aid with restricting endpoints to specific peer capabilities.
    
    Updates tailscale/corp#16695
    
    Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
    soniaappasamy committed Feb 26, 2024
    9aa704a
  4. client/web: use grants on web UI frontend

    Starts using peer capabilities to restrict the management client
    on a per-view basis. This change also includes a bulky cleanup
    of the login-toggle.tsx file, which was getting pretty unwieldy
    in its previous form.
    
    Updates tailscale/corp#16695
    
    Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
    soniaappasamy committed Feb 26, 2024
    95f2656
  5. go.mod: update web-client-prebuilt module

    Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>
    OSS Updater authored and soniaappasamy committed Feb 26, 2024
    82c569a
  6. net/dns: do not wait for the interface registry key to appear if the …

    …windowsManager is being closed
    
    The WinTun adapter may have been removed by the time we're closing
    the dns.windowsManager, and its associated interface registry key might
    also have been deleted. We shouldn't use winutil.OpenKeyWait and wait
    for the interface key to appear when performing a cleanup as a part of
    the windowsManager shutdown.
    
    Updates tailscale#11222
    
    Signed-off-by: Nick Khyl <nickk@tailscale.com>
    nickkhyl committed Feb 26, 2024
    b42b981
  7. cmd/tailscaled, ipn/ipnlocal, wgengine: shutdown tailscaled if wgdevi…

    …ce is closed
    
    Tailscaled becomes inoperative if the Tailscale Tunnel wintun adapter is abruptly removed.
    wireguard-go closes the device in case of a read error, but tailscaled keeps running.
    This adds detection of a closed WireGuard device, triggering a graceful shutdown of tailscaled.
    It is then restarted by the tailscaled watchdog service process.
    
    Fixes tailscale#11222
    
    Signed-off-by: Nick Khyl <nickk@tailscale.com>
    nickkhyl committed Feb 26, 2024
    7ef1fb1

Commits on Feb 27, 2024

  1. health: warn about reverse path filtering and exit nodes

    When reverse path filtering is in strict mode on Linux, using an exit
    node blocks all network connectivity. This change adds a warning about
    this to `tailscale status` and the logs.
    
    Example in `tailscale status`:
    
    ```
    - not connected to home DERP region 22
    - The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see tailscale#3310
    ```
    
    Example in the logs:
    ```
    2024/02/21 21:17:07 health("overall"): error: multiple errors:
    	not in map poll
    	The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see tailscale#3310
    ```
    
    Updates tailscale#3310
    
    Signed-off-by: Anton Tolchanov <anton@tailscale.com>
    knyar committed Feb 27, 2024
    8cc5c51
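The strict reverse-path filtering condition that the health warning above reports can be checked as follows. This is an added example, not code from the commit or the Tailscale tree: `strictInterfaces`, `constructedTree` and the sample sysctl values are assumptions, and the rule that the kernel applies the larger of `conf/all` and the per-interface value comes from the Linux `rp_filter` sysctl documentation.

```go
package main

import (
	"fmt"
	"io/fs"
	"sort"
	"strconv"
	"strings"
	"testing/fstest"
)

// confDir is the sysctl directory, relative to the filesystem root.
const confDir = "proc/sys/net/ipv4/conf"

// constructedTree builds an in-memory stand-in for /proc/sys from constructed
// sample values, so the check runs offline (hypothetical helper).
func constructedTree(all string, ifaces map[string]string) fs.FS {
	m := fstest.MapFS{
		confDir + "/all/rp_filter": &fstest.MapFile{Data: []byte(all + "\n")},
	}
	for name, v := range ifaces {
		m[confDir+"/"+name+"/rp_filter"] = &fstest.MapFile{Data: []byte(v + "\n")}
	}
	return m
}

// readRPFilter parses conf/<iface>/rp_filter: 0 = off, 1 = strict, 2 = loose.
func readRPFilter(fsys fs.FS, iface string) (int, error) {
	b, err := fs.ReadFile(fsys, confDir+"/"+iface+"/rp_filter")
	if err != nil {
		return 0, err
	}
	return strconv.Atoi(strings.TrimSpace(string(b)))
}

// strictInterfaces returns, sorted, the interfaces whose effective rp_filter
// mode is strict (1). The effective mode is max(conf/all, conf/<iface>), so
// conf/all=1 makes an interface set to 0 strict, while conf/all=2 makes an
// interface set to 1 loose.
func strictInterfaces(fsys fs.FS) ([]string, error) {
	all, err := readRPFilter(fsys, "all")
	if err != nil {
		return nil, fmt.Errorf("reading conf/all: %w", err)
	}
	entries, err := fs.ReadDir(fsys, confDir)
	if err != nil {
		return nil, err
	}
	var strict []string
	for _, e := range entries {
		name := e.Name()
		// "all" and "default" are not interfaces; loopback is skipped as an
		// assumption of this example.
		if !e.IsDir() || name == "all" || name == "default" || name == "lo" {
			continue
		}
		v, err := readRPFilter(fsys, name)
		if err != nil {
			continue // interface disappeared or value unreadable
		}
		if v < all {
			v = all
		}
		if v == 1 {
			strict = append(strict, name)
		}
	}
	sort.Strings(strict)
	return strict, nil
}

func main() {
	tree := constructedTree("0", map[string]string{"eth0": "1", "wlan0": "2", "tailscale0": "0"})
	strict, err := strictInterfaces(tree)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, name := range strict {
		fmt.Printf("interface %q has strict reverse-path filtering enabled\n", name)
	}
}
```

On a real Linux host the same function can be given `os.DirFS("/")` in place of the constructed tree.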
  2. types/key: remove copy returning array by value

    It's unnecessary. Returning an array value is already a copy.
    
    Updates #cleanup
    
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    Change-Id: If7f350b61003ea08f16a531b7b4e8ae483617939
    bradfitz committed Feb 27, 2024
    9a8c2f4
  3. wgengine: reduce critical section

    No need to hold wgLock while using the device to LookupPeer;
    that has its own mutex already.
    
    Updates #cleanup
    
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    Change-Id: Ib56049fcc7163cf5a2c2e7e12916f07b4f9d67cb
    bradfitz committed Feb 27, 2024
    219efeb
  4. wgengine: make pendOpen time later, after dup check

    Otherwise on OS retransmits, we'd make redundant timers in Go's timer
    heap that upon firing just do nothing (well, grab a mutex and check a
    map and see that there's nothing to do).
    
    Updates #cleanup
    
    Change-Id: Id30b8b2d629cf9c7f8133a3f7eca5dc79e81facb
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 27, 2024
    eb28818
  5. ipn/ipnstate, wgengine/wgint: add handshake attempts accessors

    Not yet used. This is being made available so magicsock/wgengine can
    use it to ignore certain sends (UDP + DERP) later on at least mobile,
    letting wireguard-go think it's doing its full attempt schedule, but
    we can cut it short conditionally based on what we know from the
    control plane.
    
    Updates tailscale#7617
    
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    Change-Id: Ia367cf6bd87b2aeedd3c6f4989528acdb6773ca7
    bradfitz committed Feb 27, 2024
    1cf8582
  6. scripts/installer.sh: auto-start tailscale on Alpine (tailscale#11214)

    On Alpine, we add the tailscale service but fail to call start.
    This means that tailscale does not start up until the user reboots the machine.
    
    Fixes tailscale#11161
    
    Signed-off-by: Keli Velazquez <keli@tailscale.com>
    kelivel committed Feb 27, 2024
    086ef19
  7. tailfs: fix race condition in tailfs_test

    Use a noop authenticator to avoid potential races in gowebdav's
    built-in authenticator.
    
    Fixes tailscale#11259
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Feb 27, 2024
    05acf76
  8. cmd/k8s-operator,k8s-operator,go.{mod,sum},tstest/tools: add Tailscal…

    …e Kubernetes operator API docs (tailscale#11246)
    
    Add logic to autogenerate CRD docs.
    .github/workflows/kubemanifests.yaml CI workflow will fail if the doc is out of date with regard to the current CRDs.
    Docs can be refreshed by running make kube-generate-all.
    
    Updates tailscale#11023
    
    Signed-off-by: Irbe Krumina <irbe@tailscale.com>
    irbekrm committed Feb 27, 2024
    45d27fa
  9. cmd/k8s-operator: configure all proxies with declarative config (tail…

    …scale#11238)
    
    Containerboot container created for operator's ingress and egress proxies
    are now always configured by passing a configfile to tailscaled
    (tailscaled --config <configfile-path>).
    It does not run 'tailscale set' or 'tailscale up'.
    Upgrading existing setups to this version as well as
    downgrading existing setups at this version works.
    
    Updates tailscale#10869
    
    Signed-off-by: Irbe Krumina <irbe@tailscale.com>
    irbekrm committed Feb 27, 2024
    303125d
  10. cmd/k8s-operator: reconcile tailscale Ingresses when their backend Se…

    …rvices change. (tailscale#11255)
    
    This is so that if a backend Service gets created after the Ingress, it gets picked up by the operator.
    
    Updates tailscale#11251
    
    Signed-off-by: Irbe Krumina <irbe@tailscale.com>
    Co-authored-by: Anton Tolchanov <1687799+knyar@users.noreply.github.com>
    irbekrm and knyar committed Feb 27, 2024
    95dcc17
  11. tailcfg: add latitude, longitude for node location (tailscale#11162)

    Updates tailscale/corp#17590
    
    Signed-off-by: Claire Wang <claire@tailscale.com>
    clairew committed Feb 27, 2024
    352c1ac
  12. wgengine/netstack: add a per-client limit for in-flight TCP forwards

    This is a fun one. Right now, when a client is connecting through a
    subnet router, here's roughly what happens:
    
    1. The client initiates a connection to an IP address behind a subnet
       router, and sends a TCP SYN
    2. The subnet router gets the SYN packet from netstack, and after
       running through acceptTCP, starts DialContext-ing the destination IP,
       without accepting the connection¹
    3. The client retransmits the SYN packet a few times while the dial is
       in progress, until either...
    4. The subnet router successfully establishes a connection to the
       destination IP and sends the SYN-ACK back to the client, or...
    5. The subnet router times out and sends a RST to the client.
    6. If the connection was successful, the client ACKs the SYN-ACK it
       received, and traffic starts flowing
    
    As a result, the notification code in forwardTCP never notices when a
    new connection attempt is aborted, and it will wait until either the
    connection is established, or until the OS-level connection timeout is
    reached and it aborts.
    
    To mitigate this, add a per-client limit on how many in-flight TCP
    forwarding connections can be in-progress; after this, clients will see
    a similar behaviour to the global limit, where new connection attempts
    are aborted instead of waiting. This prevents a single misbehaving
    client from blocking all other clients of a subnet router by ensuring
    that it doesn't starve the global limiter.
    
    Also, bump the global limit again to a higher value.
    
    ¹ We can't accept the connection before establishing a connection to the
    remote server since otherwise we'd be opening the connection and then
    immediately closing it, which breaks a bunch of stuff; see tailscale#5503 for
    more details.
    
    Updates tailscale/corp#12184
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: I76e7008ddd497303d75d473f534e32309c8a5144
    andrew-d committed Feb 27, 2024
    c5abbcd
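The starvation problem and the per-client cap described in the commit message above can be reproduced in a few lines. This is an added example, not the netstack code from the commit: `inflightLimiter`, the limits 16 and 4, and the two client addresses are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"sync"
)

// Constructed sample clients (addresses chosen for the example).
var (
	noisyClient = netip.MustParseAddr("100.64.0.1")
	quietClient = netip.MustParseAddr("100.64.0.2")
)

// inflightLimiter caps TCP forwards that are still dialing, both in total and
// per client address. Hypothetical type; the limits are not the project's.
type inflightLimiter struct {
	mu            sync.Mutex
	globalMax     int
	perClientMax  int
	total         int
	byClient      map[netip.Addr]int
	droppedGlobal int // attempts rejected by the global cap
	droppedClient int // attempts rejected by the per-client cap
}

func newInflightLimiter(globalMax, perClientMax int) *inflightLimiter {
	return &inflightLimiter{
		globalMax:    globalMax,
		perClientMax: perClientMax,
		byClient:     make(map[netip.Addr]int),
	}
}

// acquire reserves a slot for a new forward from src. When ok is false the
// attempt must be aborted immediately instead of waiting for a slot. The
// returned release func is idempotent and frees the slot once the dial ends.
func (l *inflightLimiter) acquire(src netip.Addr) (release func(), ok bool) {
	l.mu.Lock()
	defer l.mu.Unlock()
	// Check the per-client cap first so a flooding client is rejected on its
	// own budget before it can exhaust the shared one.
	if l.byClient[src] >= l.perClientMax {
		l.droppedClient++
		return nil, false
	}
	if l.total >= l.globalMax {
		l.droppedGlobal++
		return nil, false
	}
	l.byClient[src]++
	l.total++
	var once sync.Once
	return func() {
		once.Do(func() {
			l.mu.Lock()
			defer l.mu.Unlock()
			l.total--
			l.byClient[src]--
			if l.byClient[src] == 0 {
				delete(l.byClient, src) // keep the map from growing without bound
			}
		})
	}, true
}

// floodThenProbe models a client whose dials all hang (slots are never
// released) and then reports whether a second client can still be admitted.
func floodThenProbe(l *inflightLimiter, attempts int) (noisyAdmitted int, quietOK bool) {
	for i := 0; i < attempts; i++ {
		if _, ok := l.acquire(noisyClient); ok {
			noisyAdmitted++
		}
	}
	release, ok := l.acquire(quietClient)
	if ok {
		release()
	}
	return noisyAdmitted, ok
}

func main() {
	// Per-client cap equal to the global cap behaves like a global limit only.
	n, ok := floodThenProbe(newInflightLimiter(16, 16), 100)
	fmt.Printf("global only:  noisy holds %d slots, quiet admitted=%v\n", n, ok)
	n, ok = floodThenProbe(newInflightLimiter(16, 4), 100)
	fmt.Printf("per-client 4: noisy holds %d slots, quiet admitted=%v\n", n, ok)
}
```

The `droppedGlobal` and `droppedClient` counters are the kind of value worth exporting as metrics, so that an operator can tell a single misbehaving client from overall saturation.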
  13. client/web: update to typescript 5.3.3 (tailscale#11267)

    Update typescript to 5.3.3. This is a major bump from the previous
    version of 4.8.3. This also requires adding newer versions of
    @typescript-eslint/eslint-plugin and @typescript-eslint/parser to our
    resolutions as eslint-config-react-app pulls in versions that otherwise
    do not support typescript 5.x.
    
    eslint-config-react-app has not been updated in 2 years and is seemingly
    abandoned, so we may wish to fork it or move to a different eslint config
    in the future.
    
    Updates tailscale/corp#17810
    
    Signed-off-by: Mario Minardi <mario@tailscale.com>
    mpminardi committed Feb 27, 2024
    7912d76
  14. tsweb: expose function to generate request IDs

    For use in corp.
    
    Updates tailscale/corp#2549
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: I71debae1ce9ae48cf69cc44c2ab5c443fc3b2005
    andrew-d committed Feb 27, 2024
    23e9447

Commits on Feb 28, 2024

  1. util/cache: fix missing interface methods (tailscale#11275)

    Updates #cleanup
    
    
    Change-Id: Ib3a33a7609530ef8c9f3f58fc607a61e8655c4b5
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    andrew-d committed Feb 28, 2024
    a20e46a
  2. net/tstun: fix spelling of "WireGuard"

    Updates #cleanup
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: Ida7e30f4689bc18f5f7502f53a0adb5ac3c7981a
    andrew-d committed Feb 28, 2024
    3dd8ae2
  3. ipn/ipnstate, wgengine: make PeerStatusLite.LastHandshake zero Time m…

    …eans none
    
    ... rather than 1970. Code was using IsZero against the 1970 time
    (which isn't a zero value), but fortunately not anywhere that seems to
    have mattered.
    
    Updates #cleanup
    
    Change-Id: I708a3f2a9398aaaedc9503678b4a8a311e0e019e
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 28, 2024
    74b8985
  4. wgengine: use slices.Clone in two places

    Updates #cleanup
    
    Change-Id: I1cb30efb6d09180e82b807d6146f37897ef99307
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 28, 2024
    a8a5252
  5. wgengine: rename local variable from 'found' to conventional 'ok'

    Updates #cleanup
    
    Change-Id: I799dc86ea9e4a3a949592abdd8e74282e7e5d086
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 28, 2024
    b4ff9a5
  6. .github/workflows: fix regular breakage of go toolchains

    This server recently had a common ansible applied, which added a
    periodic /tmp cleaner, as is needed on other CI machines to deal with
    test tempfile leakage. The setting of $HOME to /tmp means that the go
    toolchain in there was regularly getting pruned by the tmp cleaner, but
    often incompletely, because it was also in use.
    
    Move HOME to a runner owned directory.
    
    Updates tailscale#11248
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Feb 28, 2024
    7e17aeb
  7. wgengine{,/wgint}: add wgint.Peer wrapper type, add to wgengine.Engine

    This adds a method to wgengine.Engine and plumbed down into magicsock
    to add a way to get a type-safe Tailscale-safe wrapper around a
    wireguard-go device.Peer that only exposes methods that are safe for
    Tailscale to use internally.
    
    It also removes HandshakeAttempts from PeerStatusLite that was just
    added as it wasn't needed yet and is now accessible à la carte as needed
    from the Peer type accessor.
    
    None of this is used yet.
    
    Updates tailscale#7617
    
    Change-Id: I07be0c4e6679883e6eeddf8dbed7394c9e79c5f4
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 28, 2024
    69f4b45
  8. client/web: fix Vite CJS deprecation warning (tailscale#11288)

    Starting in Vite 5, Vite now issues a deprecation warning when using
    a CJS-based Vite config file. This commit fixes it by adding the
    `"type": "module"` to our package.json to opt our files into ESM module
    behaviours.
    
    Fixes #cleanup
    
    Signed-off-by: Ross Zurowski <ross@rosszurowski.com>
    rosszurowski committed Feb 28, 2024
    e83e2e8
  9. ipn,wgengine: only intercept TailFS traffic on quad 100

    This fixes a regression introduced with 993acf4 and released in
    v1.60.0.
    
    The regression caused us to intercept all userspace traffic to port
    8080 which prevented users from exposing their own services to their
    tailnet at port 8080.
    
    Now, we only intercept traffic to port 8080 if it's bound for
    100.100.100.100 or fd7a:115c:a1e0::53.
    
    Fixes tailscale#11283
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    (cherry picked from commit 17cd062)
    oxtoacart committed Feb 28, 2024
    2d5d6f5
  10. ipn/ipnlocal: make active IPN sessions keyed by sessionID

    We used a HandleSet before when we didn't have a unique handle. But a
    sessionID is a unique handle, so use that instead. Then that replaces
    the other map we had.
    
    And now we'll have a way to look up an IPN session by sessionID for
    later.
    
    Updates tailscale/corp#17859
    
    Change-Id: I5f647f367563ec8783c643e49f93817b341d9064
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 28, 2024
    b68a09c
  11. tsweb: allow empty redirect URL in CleanRedirectURL (tailscale#11295)

    Updates #cleanup
    
    Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
    awly committed Feb 28, 2024
    c747443

Commits on Feb 29, 2024

  1. wgengine: plumb the PeerByKey from wgengine to magicsock

    This was just added in 69f4b45 which doesn't yet use it. This still
    doesn't yet use it. It just pushes it down deeper into magicsock where
    it'll be used later.
    
    Updates tailscale#7617
    
    Change-Id: If2f8fd380af150ffc763489e1ff4f8ca2899fac6
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Feb 29, 2024
    f18f591
  2. tailfs: support storing bookmark data on shares

    This allows the sandboxed Mac application to store security-
    scoped URL bookmarks in order to maintain access to restricted
    folders across restarts.
    
    Updates tailscale/corp#16827
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Feb 29, 2024
    80f1cb6
  3. ipn: include full tailfs shares in ipn notifications

    This allows the Mac application to regain access to restricted
    folders after restarts.
    
    Updates tailscale/corp#16827
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Feb 29, 2024
    e324a56
  4. util/linuxfw: insert rather than append nftables DNAT rule (tailscale…

    …#11303)
    
    Ensure that the latest DNATNonTailscaleTraffic rule
    gets inserted on top of any pre-existing rules.
    
    Updates tailscale#11281
    
    Signed-off-by: Irbe Krumina <irbe@tailscale.com>
    irbekrm committed Feb 29, 2024
    097c5ed
  5. clientupdate: handle multiple versions in "apk info tailscale" output (

    …tailscale#11310)
    
    The package info output can list multiple package versions, and not in
    descending order. Find the newest version in the output, instead of the
    first one.
    
    Fixes tailscale#11309
    
    Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
    awly committed Feb 29, 2024
    23fbf00

Commits on Mar 1, 2024

  1. go.mod.sri: update SRI hash for go.mod changes

    Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
    Flakes Updater authored and danderson committed Mar 1, 2024
    00554ad
  2. tailfs: only impersonate unprivileged user if able to sudo -u as that…

    … user
    
    When serving TailFS shares, tailscaled executes another tailscaled to act as a
    file server. It attempts to execute this child process as an unprivileged user
    using sudo -u. This is important to avoid accessing files as root, which would
    result in potential privilege escalation.
    
    Previously, tailscaled assumed that it was running as someone who can sudo -u,
    and would fail if it was unable to sudo -u.
    
    With this commit, if tailscaled is unable to sudo -u as the requested user, and
    tailscaled is not running as root, then tailscaled executes the file server
    process under the same identity that ran tailscaled, since this is already an
    unprivileged identity.
    
    In the unlikely event that tailscaled is running as root but is unable to
    sudo -u, it will refuse to run the child file server process in order to avoid
    privilege escalation.
    
    Updates tailscale/corp#16827
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Mar 1, 2024
    232a2d6

Commits on Mar 4, 2024

  1. docs/k8s: update docs (tailscale#11307)

    Update docs for static Tailscale deployments on kube
    to always use firewall mode autodetection when in non-userspace.
    Also add a note about running multiple replicas and a few suggestions how folks could do that.
    
    Updates #cleanup
    
    Signed-off-by: Irbe Krumina <irbe@tailscale.com>
    Co-authored-by: Anton Tolchanov <1687799+knyar@users.noreply.github.com>
    irbekrm and knyar committed Mar 4, 2024
    dff6f33

Commits on Mar 5, 2024

  1. tsweb: add more test cases for TestCleanRedirectURL (tailscale#11331)

    Updates #cleanup
    
    Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
    Chris Palmer committed Mar 5, 2024
    13853e7
  2. tailcfg: add suggest exit node related node attribute (tailscale#11329)

    Updates tailscale/corp#17516
    
    Signed-off-by: Claire Wang <claire@tailscale.com>
    clairew committed Mar 5, 2024
    d610f8e
  3. util/cmpver: add Less/LessEq helper funcs

    Updates tailscale/corp#17199
    
    Signed-off-by: Paul Scott <paul@tailscale.com>
    icio committed Mar 5, 2024
    2fa20e3
  4. go.toolchain.rev: bump Go toolchain to 1.22.1

    Updates tailscale/corp#18000
    
    Change-Id: I45de95e974ea55b0dac2218b3c82d124c4793390
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Mar 5, 2024
    8780e33
  5. {ipn/serve,cmd/tailscale/cli}: move some shared funcs to ipn

    In preparation for changes to allow configuration of serve/funnel
    from the web client, this commit moves some functionality that will
    be shared between the CLI and web client to the ipn package's
    serve.go file, where some other util funcs are already defined.
    
    Updates tailscale#10261
    
    Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
    soniaappasamy committed Mar 5, 2024
    65c3c69

Commits on Mar 6, 2024

  1. wgengine/magicsock: prefer link-local addresses to private ones

    Since link-local addresses are definitionally more likely to be a direct
    (lower-latency, more reliable) connection than a non-link-local private
    address, give those a bit of a boost when selecting endpoints.
    
    Updates tailscale#8097
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: I93fdeb07de55ba39ba5fcee0834b579ca05c2a4e
    andrew-d committed Mar 6, 2024
    4338db2
  2. licenses: update tailscale{,d} licenses

    Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
    License Updater authored and willnorris committed Mar 6, 2024
    6a4e532
  3. licenses: update win/apple licenses

    Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
    License Updater authored and willnorris committed Mar 6, 2024
    797d75c
  4. licenses: update android licenses

    Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
    License Updater authored and willnorris committed Mar 6, 2024
    d59878e
  5. client/tailscale: add postures to UserRuleMatch

    Updates tailscale/corp#17770
    
    Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
    kradalby committed Mar 6, 2024
    65255b0
  6. {ipn,cmd/tailscale/cli}: move ServeConfig mutation logic to ipn/serve

    Moving logic that manipulates a ServeConfig into receivers on the
    ServeConfig in the ipn package. This is setup work to allow the
    web client and cli to both utilize these shared functions to edit
    the serve config.
    
    Any logic specific to flag parsing or validation is left untouched
    in the cli command. The web client will similarly manage its
    validation of user's requested changes. If validation logic becomes
    similar-enough, we can make a serve util for shared functionality,
    which likely does not make sense in ipn.
    
    Updates tailscale#10261
    
    Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
    soniaappasamy committed Mar 6, 2024
    c58c59e
  7. ipn/ipnlocal: exclude mullvad exit nodes from TailFS peers list

    This is a temporary solution to at least omit Mullvad exit nodes
    from the list of TailFS peers. Once we can identify peers that are
    actually sharing via TailFS, we can remove this, but for alpha it'll
    be sufficient to just omit Mullvad.
    
    Updates tailscale/corp#17766
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Mar 6, 2024
    00373f0
  8. ipn/localapi: add set-gui-visible endpoint

    Updates tailscale/corp#17859
    
    Provides a local API endpoint to be called from the GUI to inform the backend when the client menu is opened or closed.
    
    cc @bradfitz
    
    Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
    Signed-off-by: Andrea Gottardo <andrea@tailscale.com>
    Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
    agottardo authored and bradfitz committed Mar 6, 2024
    0cb8646
  9. ipn: add comment about thread-safety to StateStore

    Updates #cleanup
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Mar 6, 2024
    6f66f5a
  10. ipn/ipnlocal: reduce allocations in TailFS share notifications

    This eliminates unnecessary map.Clone() calls and also eliminates
    repetitive notifications about the same set of shares.
    
    Updates tailscale/corp#16827
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Mar 6, 2024
    fd942b5
  11. util/linuxfw: add container-friendly IPv6 NAT check (tailscale#11353)

    Remove IPv6 NAT check when routing is being set up
    using nftables.
    This is unnecessary as support for nftables was
    added after support for IPv6.
    https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch18s04.html
    https://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources
    
    Additionally, run an extra check for IPv6 NAT support
    when the routing is set up with iptables.
    This is because the earlier checks rely on
    being able to use modprobe and on /proc/net/ip6_tables_names
    being populated on start - these conditions are usually not
    true in container environments.
    
    Updates tailscale#11344
    
    Signed-off-by: Irbe Krumina <irbe@tailscale.com>
    irbekrm committed Mar 6, 2024
    90c4067

Commits on Mar 7, 2024

  1. tsweb: add String method to tsweb.RequestID

    In case we want to change the format to something opaque later.
    
    Updates tailscale/corp#2549
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: Ie2eac8b885b694be607e9d5101d24b650026d89c
    andrew-d committed Mar 7, 2024
    8f27d51
  2. go.mod: bump gvisor

    The `stack.PacketBufferPtr` type no longer exists; replace it with
    `*stack.PacketBuffer` instead.
    
    Updates tailscale#8043
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: Ib56ceff09166a042aa3d9b80f50b2aa2d34b3683
    andrew-d committed Mar 7, 2024
    62cf83e
  3. net/interfaces: fix test hang on Darwin

    This test could hang because the subprocess was blocked on writing to
    the stdout pipe if we find the address we're looking for early in the
    output.
    
    Updates #cleanup
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: I68d82c22a5d782098187ae6d8577e43063b72573
    andrew-d committed Mar 7, 2024
    9884d06
  4. docs/k8s: don't run subnet router in userspace mode (tailscale#11363)

    There should not be a need to do that unless we run on host network
    
    Signed-off-by: Irbe Krumina <irbe@tailscale.com>
    irbekrm committed Mar 7, 2024
    3047b62
  5. cmd/derper, types/logger: move log filter to shared package

    So we can use it in trunkd to quiet down the logs there.
    
    Updates tailscale#5563
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: Ie3177dc33f5ad103db832aab5a3e0e4f128f973f
    andrew-d committed Mar 7, 2024
    3417643
  6. client/web: dedupe packages in yarn.lock (tailscale#11327)

    Run yarn-deduplicate on yarn.lock to dedupe packages. This is being done
    to reduce the number of redundant packages fetched by yarn when existing
    versions in the lockfile satisfy the version dependency we need.
    
    See https://github.com/scinos/yarn-deduplicate for details on the tool
    used to perform this deduplication.
    
    Updates #cleanup
    
    Signed-off-by: Mario Minardi <mario@tailscale.com>
    mpminardi committed Mar 7, 2024
    c662bd9
  7. tailcfg: bump CapabilityVersion (tailscale#11368)

    bump version for adding NodeAttrSuggestExitNode
    remove extra s from NodeAttrSuggestExitNode
    Updates tailscale/corp#17516
    
    Signed-off-by: Claire Wang <claire@tailscale.com>
    clairew committed Mar 7, 2024
    74e33b9

Commits on Mar 8, 2024

  1. version/mkversion: enforce synology versions within int32 range

    Synology requires version numbers are within int32 range. This
    change updates the version logic to keep things closer within the
    range, and errors on building when the range is exceeded.
    
    Updates #cleanup
    
    Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
    soniaappasamy committed Mar 8, 2024
    54e5253
  2. wgengine/magicsock: don't change DERP home when not connected to control

    This pretty much always results in an outage because peers won't
    discover our new home region and thus won't be able to establish
    connectivity.
    
    Updates tailscale/corp#18095
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: Ic0d09133f198b528dd40c6383b16d7663d9d37a7
    andrew-d committed Mar 8, 2024
    f072d01
  3. cmd/viewer: import views when generating byteSliceField

    Updates #cleanup
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Mar 8, 2024
    16ae0f6
  4. ipn,tailfs: tie TailFS share configuration to user profile

    Previously, the configuration of which folders to share persisted across
    profile changes. Now, it is tied to the user's profile.
    
    Updates tailscale/corp#16827
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Mar 8, 2024
    6c160e6
  5. ipn,cmd/tailscale,client/tailscale: add support for renaming TailFS shares
    
    - Updates API to support renaming TailFS shares.
    - Adds a CLI rename subcommand for renaming a share.
    - Renames the CLI subcommand 'add' to 'set' to make it clear that
      this is an add or update.
    - Adds a unit test for TailFS in ipnlocal
    
    Updates tailscale/corp#16827
    
    Signed-off-by: Percy Wegmann <percy@tailscale.com>
    oxtoacart committed Mar 8, 2024
    e496451
  6. Code Improvements (tailscale#11311)

    build_docker, update-flake: cleanup and apply shellcheck fixes
    
    Was editing this file to match my needs while shellcheck warnings
    bugged me out.
    REV isn't getting used anywhere. Better remove it.
    
    Updates #cleanup
    
    Signed-off-by: Panchajanya1999 <kernel@panchajanya.dev>
    Signed-off-by: James Tucker <james@tailscale.com>
    Panchajanya1999 committed Mar 8, 2024
    50a570a
  7. util/linuxfw: correct logical error in NAT table check (tailscale#11380)

    Updates tailscale#11344
    Updates tailscale#11354
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Mar 8, 2024
    43fba6e
  8. util/linuxfw: fix support for containers without IPv6 iptables filters (tailscale#11381)
    
    There are container environments such as GitHub codespaces that have
    partial IPv6 support - routing support is enabled at the kernel level,
    but lacking IPv6 filter support in the iptables module.
    
    In the specific example of the codespaces environment, this also has
    pre-existing legacy iptables rules in the IPv4 tables, as such the
    nascent firewall mode detection will always pick iptables.
    
    We would previously fault trying to install rules to the filter table,
    this catches that condition earlier, and disables IPv6 support under
    these conditions.
    
    Updates tailscale#5621
    Updates tailscale#11344
    Updates tailscale#11354
    
    Signed-off-by: James Tucker <james@tailscale.com>
    raggi committed Mar 8, 2024
    055117a

Commits on Mar 9, 2024

  1. go.mod.sri: update SRI hash for go.mod changes

    Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
    Flakes Updater authored and danderson committed Mar 9, 2024
    04fceae

Commits on Mar 10, 2024

  1. ipn/{ipnlocal,localapi}: add debug verb to force spam IPN bus NetMap

    To force the problem in its worst case scenario before fixing it.
    
    Updates tailscale/corp#17859
    
    Change-Id: I2c8b8e5f15c7801e1ab093feeafac52ec175a763
    Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
    bradfitz committed Mar 10, 2024
    ad33e47

Commits on Mar 11, 2024

  1. wgengine/netstack: fix bug with duplicate SYN packets in client limit

    This fixes a bug that was introduced in tailscale#11258 where the handling of the
    per-client limit didn't properly account for the fact that the gVisor
    TCP forwarder will return 'true' to indicate that it's handled a
    duplicate SYN packet, but not launch the handler goroutine.
    
    In such a case, we neither decremented our per-client limit in the
    wrapper function, nor did we do so in the handler function, leading to
    our per-client limit table slowly filling up without bound.
    
    Fix this by doing the same duplicate-tracking logic that the TCP
    forwarder does so we can detect such cases and appropriately decrement
    our in-flight counter.
    
    Updates tailscale/corp#12184
    
    Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
    Change-Id: Ib6011a71d382a10d68c0802593f34b8153d06892
    andrew-d committed Mar 11, 2024
    7429e89

Commits on Mar 13, 2024

  1. prober: export probe counters and cumulative latency

    Updates #cleanup
    
    Signed-off-by: Anton Tolchanov <anton@tailscale.com>
    knyar committed Mar 13, 2024
    205a10b
  2. prober: remove unused derp prober latency measurements

    Signed-off-by: Anton Tolchanov <anton@tailscale.com>
    knyar committed Mar 13, 2024
    5018683
  3. prober: add a DERP bandwidth probe

    Updates tailscale/corp#17912
    
    Signed-off-by: Anton Tolchanov <anton@tailscale.com>
    knyar committed Mar 13, 2024
    f12d255
  4. VERSION.txt: this is v1.63.0

    Signed-off-by: Anton Tolchanov <anton@tailscale.com>
    knyar committed Mar 13, 2024
    da3cf12
  5. Bakup (#2)

    * net/interfaces: fix android "route ip+net: netlinkrib: permission denied"
    * remove github ci
    Asutorufa committed Mar 13, 2024
    358177b
  6. Merge branch 'tailscale-main' into n

    Signed-off-by: Asutorufa <16442314+Asutorufa@users.noreply.github.com>
    Asutorufa committed Mar 13, 2024
    a69d557