VERSION.txt: this is v1.22.2

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
wgengine: handle nil netmaps when assigning isSubnetRouter.
2022-03-17 18:40:04 -07:00 · 2022-03-17 18:37:40 -07:00 · 2022-03-09 12:38:59 -08:00 · 2022-03-09 12:30:53 -08:00 · 2022-03-08 13:54:13 -08:00 · 2022-03-08 13:54:13 -08:00
207 changed files with 8796 additions and 1376 deletions
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -19,7 +19,7 @@ jobs:
        dry-run: false
        language: go
    - name: Upload Crash
-      uses: actions/upload-artifact@v2.2.4
+      uses: actions/upload-artifact@v2.3.1
      if: failure() && steps.build.outcome == 'success'
      with:
        name: artifacts
--- a/.github/workflows/cross-darwin.yml
+++ b/.github/workflows/cross-darwin.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
      with:
        go-version: 1.17
      id: go
@@ -37,6 +37,12 @@ jobs:
        GOARCH: amd64
      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done

+    - name: iOS build most
+      env:
+        GOOS: ios
+        GOARCH: arm64
+      run: go install ./ipn/... ./wgengine/ ./types/... ./control/controlclient
+
    - uses: k0kubun/action-slack@v2.0.0
      with:
        payload: |
--- a/.github/workflows/cross-freebsd.yml
+++ b/.github/workflows/cross-freebsd.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
      with:
        go-version: 1.17
      id: go
--- a/.github/workflows/cross-openbsd.yml
+++ b/.github/workflows/cross-openbsd.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
      with:
        go-version: 1.17
      id: go
--- a/.github/workflows/cross-windows.yml
+++ b/.github/workflows/cross-windows.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
      with:
        go-version: 1.17
      id: go
--- a/.github/workflows/depaware.yml
+++ b/.github/workflows/depaware.yml
@@ -14,7 +14,7 @@ jobs:

    steps:
    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
      with:
        go-version: 1.17

--- a/.github/workflows/go_generate.yml
+++ b/.github/workflows/go_generate.yml
@@ -15,7 +15,7 @@ jobs:

    steps:
      - name: Set up Go
-        uses: actions/setup-go@v2.1.4
+        uses: actions/setup-go@v2.1.5
        with:
          go-version: 1.17

--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -14,7 +14,7 @@ jobs:

    steps:
    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
      with:
        go-version: 1.17

--- a/.github/workflows/linux-race.yml
+++ b/.github/workflows/linux-race.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
      with:
        go-version: 1.17
      id: go
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
      with:
        go-version: 1.17
      id: go
--- a/.github/workflows/linux32.yml
+++ b/.github/workflows/linux32.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
      with:
        go-version: 1.17
      id: go
--- a/.github/workflows/staticcheck.yml
+++ b/.github/workflows/staticcheck.yml
@@ -14,7 +14,7 @@ jobs:

    steps:
    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
      with:
        go-version: 1.17

--- a/.github/workflows/vm.yml
+++ b/.github/workflows/vm.yml
@@ -12,11 +12,13 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
+      - name: Set GOPATH
+        run: echo "GOPATH=$HOME/go" >> $GITHUB_ENV
+
      - name: Set up Go
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v2.1.5
        with:
          go-version: 1.17
-        id: go

      - name: Checkout Code
        uses: actions/checkout@v1
--- a/.github/workflows/windows-race.yml
+++ b/.github/workflows/windows-race.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Install Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
      with:
        go-version: 1.17.x

--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Install Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
      with:
        go-version: 1.17.x

--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@
 *.dll
 *.so
 *.dylib
+*.spk

 cmd/tailscale/tailscale
 cmd/tailscaled/tailscaled
--- a/2
+++ b/2
@@ -50,7 +50,7 @@ ARG VERSION_GIT_HASH=""
 ENV VERSION_GIT_HASH=$VERSION_GIT_HASH
 ARG TARGETARCH

-RUN GOARCH=$TARGETARCH go install -tags=xversion -ldflags="\
+RUN GOARCH=$TARGETARCH go install -ldflags="\
      -X tailscale.com/version.Long=$VERSION_LONG \
      -X tailscale.com/version.Short=$VERSION_SHORT \
      -X tailscale.com/version.GitCommit=$VERSION_GIT_HASH" \
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -2,5 +2,5 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.

-FROM alpine:3.14
+FROM alpine:3.15
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
--- a/14
+++ b/14
@@ -1,4 +1,6 @@
 IMAGE_REPO ?= tailscale/tailscale
+SYNO_ARCH ?= "amd64"
+SYNO_DSM ?= "7"

 usage:
 	echo "See Makefile"
@@ -32,9 +34,13 @@ staticcheck:
 	go run honnef.co/go/tools/cmd/staticcheck -- $$(go list ./... | grep -v tempfork)

 spk:
-	go run github.com/tailscale/tailscale-synology@main --version=build -o tailscale.spk --source=.
+	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o tailscale.spk --source=. --goarch=${SYNO_ARCH} --dsm-version=${SYNO_DSM}
+
+spkall:
+	mkdir -p spks
+	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o spks --source=. --goarch=all --dsm-version=all

 pushspk: spk
-	echo "Pushing SPKG to root@${SYNOHOST} (env var SYNOHOST) ..."
-	scp tailscale.spk root@${SYNOHOST}:
-	ssh root@${SYNOHOST} /usr/syno/bin/synopkg install tailscale.spk
+	echo "Pushing SPK to root@${SYNO_HOST} (env var SYNO_HOST) ..."
+	scp tailscale.spk root@${SYNO_HOST}:
+	ssh root@${SYNO_HOST} /usr/syno/bin/synopkg install tailscale.spk
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.19.0
+1.22.2
--- a/api.md
+++ b/api.md
@@ -15,6 +15,10 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
    - [POST device routes](#device-routes-post)
  - Authorize machine
    - [POST device authorized](#device-authorized-post)
+  - Tags
+    - [POST device tags](#device-tags-post)
+  - Key
+    - [POST device key](#device-key-post)
 * **[Tailnets](#tailnet)**
  - ACLs
    - [GET tailnet ACL](#tailnet-acl-get)
@@ -23,6 +27,11 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
 	- [POST tailnet ACL validate](#tailnet-acl-validate-post): run validation tests against the tailnet's existing ACL
  - [Devices](#tailnet-devices)
    - [GET tailnet devices](#tailnet-devices-get)
+  - [Keys](#tailnet-keys)
+    - [GET tailnet keys](#tailnet-keys-get)
+    - [POST tailnet key](#tailnet-keys-post)
+    - [GET tailnet key](#tailnet-keys-key-get)
+    - [DELETE tailnet key](#tailnet-keys-key-delete)
  - [DNS](#tailnet-dns)
    - [GET tailnet DNS nameservers](#tailnet-dns-nameservers-get)
    - [POST tailnet DNS nameservers](#tailnet-dns-nameservers-post)
@@ -263,6 +272,73 @@ curl 'https://api.tailscale.com/api/v2/device/11055/authorized' \
 The response is 2xx on success. The response body is currently an empty JSON
 object.

+<a name=device-tags-post></a>
+
+#### `POST /api/v2/device/:deviceID/tags` - update tags on a device
+
+Updates the tags set on a device.
+
+##### Parameters
+
+###### POST Body
+
+`tags` - The new list of tags for the device.
+
+```
+{
+  "tags": ["tag:foo", "tag:bar"]
+}
+```
+
+##### Example
+
+```
+curl 'https://api.tailscale.com/api/v2/device/11055/tags' \
+-u "tskey-yourapikey123:" \
+--data-binary '{"tags": ["tag:foo", "tag:bar"]}'
+```
+
+The response is 2xx on success. The response body is currently an empty JSON
+object.
+
+<a name=device-key-post></a>
+
+#### `POST /api/v2/device/:deviceID/key` - update device key
+
+Allows for updating properties on the device key.
+
+##### Parameters
+
+###### POST Body
+
+`keyExpiryDisabled`
+
+- Provide `true` to disable the device's key expiry. The original key expiry time is still maintained. Upon re-enabling, the key will expire at that original time.
+- Provide `false` to enable the device's key expiry. Sets the key to expire at the original expiry time prior to disabling. The key may already have expired. In that case, the device must be re-authenticated.
+- Empty value will not change the key expiry.
+
+`preauthorized`
+
+- If `true`, don't require machine authorization (if enabled on the tailnet)
+
+```
+{
+  "keyExpiryDisabled": true,
+  "preauthorized": true
+}
+```
+
+##### Example
+
+```
+curl 'https://api.tailscale.com/api/v2/device/11055/key' \
+-u "tskey-yourapikey123:" \
+--data-binary '{"keyExpiryDisabled": true}'
+```
+
+The response is 2xx on success. The response body is currently an empty JSON
+object.
+
 ## Tailnet 
 A tailnet is the name of your Tailscale network. 
 You can find it in the top left corner of the [Admin Panel](https://login.tailscale.com/admin) beside the Tailscale logo.
@@ -670,6 +746,159 @@ Response
 }
 ```

+<a name=tailnet-keys></a>
+
+### Keys
+
+<a name=tailnet-keys-get></a>
+
+#### `GET /api/v2/tailnet/:tailnet/keys` - list the keys for a tailnet
+
+Returns a list of active keys for a tailnet
+for the user who owns the API key used to perform this query.
+Supply the tailnet of interest in the path.
+
+##### Parameters
+No parameters.
+
+##### Returns
+
+Returns a JSON object with the IDs of all active keys.
+This includes both API keys and also machine authentication keys.
+In the future, this may provide more information about each key than just the ID.
+
+##### Example
+
+```
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/keys' \
+  -u "tskey-yourapikey123:"
+```
+
+Response:
+```
+{"keys": [
+	{"id": "kYKVU14CNTRL"},
+	{"id": "k68VdZ3CNTRL"},
+	{"id": "kJ9nq43CNTRL"},
+	{"id": "kkThgj1CNTRL"}
+]}
+```
+
+<a name=tailnet-keys-post></a>
+
+#### `POST /api/v2/tailnet/:tailnet/keys` - create a new key for a tailnet
+
+Create a new key in a tailnet associated
+with the user who owns the API key used to perform this request.
+Supply the tailnet in the path.
+
+##### Parameters
+
+###### POST Body
+`capabilities` - A mapping of resources to permissible actions.
+```
+{
+	"capabilities": {
+    "devices": {
+      "create": {
+        "reusable": false,
+        "ephemeral": false
+      }
+    }
+  }
+}
+```
+
+##### Returns
+
+Returns a JSON object with the provided capabilities in addition to the
+generated key. The key should be recorded and kept safe and secure as it
+wields the capabilities specified in the request. The identity of the key
+is embedded in the key itself and can be used to perform operations on
+the key (e.g., revoking it or retrieving information about it).
+The full key can no longer be retrieved by the server.
+
+##### Example
+
+```
+echo '{
+	"capabilities": {
+    "devices": {
+      "create": {
+        "reusable": false,
+        "ephemeral": false
+      }
+    }
+  }
+}' | curl -X POST --data-binary @- https://api.tailscale.com/api/v2/tailnet/example.com/keys \
+  -u "tskey-yourapikey123:" \
+  -H "Content-Type: application/json" | jsonfmt
+```
+
+Response:
+```
+{
+	"id":           "k123456CNTRL",
+	"key":          "tskey-k123456CNTRL-abcdefghijklmnopqrstuvwxyz",
+	"created":      "2021-12-09T23:22:39Z",
+	"expires":      "2022-03-09T23:22:39Z",
+	"capabilities": {"devices": {"create": {"reusable": false, "ephemeral": false}}}
+}
+```
+
+<a name=tailnet-keys-key-get></a>
+
+#### `GET /api/v2/tailnet/:tailnet/keys/:keyid` - get information for a specific key
+
+Returns a JSON object with information about specific key.
+Supply the tailnet and key ID of interest in the path.
+
+##### Parameters
+No parameters.
+
+##### Returns
+
+Returns a JSON object with information about the key such as
+when it was created and when it expires.
+It also lists the capabilities associated with the key.
+
+##### Example
+
+```
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k123456CNTRL' \
+  -u "tskey-yourapikey123:"
+```
+
+Response:
+```
+{
+	"id":           "k123456CNTRL",
+	"created":      "2021-12-09T22:13:53Z",
+	"expires":      "2022-03-09T22:13:53Z",
+	"capabilities": {"devices": {"create": {"reusable": false, "ephemeral": false}}}
+}
+```
+
+<a name=tailnet-keys-key-delete></a>
+
+#### `DELETE /api/v2/tailnet/:tailnet/keys/:keyid` - delete a specific key
+
+Deletes a specific key.
+Supply the tailnet and key ID of interest in the path.
+
+##### Parameters
+No parameters.
+
+##### Returns
+This reports status 200 upon success.
+
+##### Example
+
+```
+curl -X DELETE 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k123456CNTRL' \
+  -u "tskey-yourapikey123:"
+```
+
 <a name=tailnet-dns></a>

 ### DNS
--- a/build_dist.sh
+++ b/build_dist.sh
@@ -45,4 +45,4 @@ EOF
 	exit 0
 fi

-exec go build -ldflags "-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}" "$@"
+exec ./tool/go build -ldflags "-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}" "$@"
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -19,10 +19,20 @@

 set -eu

+# Use the "go" binary from the "tool" directory (which is github.com/tailscale/go)
+export PATH=$PWD/tool:$PATH
+
 eval $(./build_dist.sh shellvars)
+DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
+DEFAULT_REPOS="tailscale/tailscale,ghcr.io/tailscale/tailscale"
+DEFAULT_BASE="ghcr.io/tailscale/alpine-base:3.14"
+
+PUSH="${PUSH:-false}"
+REPOS="${REPOS:-${DEFAULT_REPOS}}"
+TAGS="${TAGS:-${DEFAULT_TAGS}}"
+BASE="${BASE:-${DEFAULT_BASE}}"

 go run github.com/tailscale/mkctr@latest \
-  --base="ghcr.io/tailscale/alpine-base:3.14" \
  --gopaths="\
    tailscale.com/cmd/tailscale:/usr/local/bin/tailscale, \
    tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled" \
@@ -30,6 +40,7 @@ go run github.com/tailscale/mkctr@latest \
    -X tailscale.com/version.Long=${VERSION_LONG} \
    -X tailscale.com/version.Short=${VERSION_SHORT} \
    -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
-  --tags="v${VERSION_SHORT},v${VERSION_MINOR}" \
-  --repos="tailscale/tailscale,ghcr.io/tailscale/tailscale" \
-  --push
+  --base="${BASE}" \
+  --tags="${TAGS}" \
+  --repos="${REPOS}" \
+  --push="${PUSH}"
--- a/chirp/chirp.go
+++ b/chirp/chirp.go
@@ -19,9 +19,9 @@ func New(socket string) (*BIRDClient, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to BIRD: %w", err)
 	}
-	b := &BIRDClient{socket: socket, conn: conn, bs: bufio.NewScanner(conn)}
+	b := &BIRDClient{socket: socket, conn: conn, scanner: bufio.NewScanner(conn)}
 	// Read and discard the first line as that is the welcome message.
-	if _, err := b.readLine(); err != nil {
+	if _, err := b.readResponse(); err != nil {
 		return nil, err
 	}
 	return b, nil
@@ -29,9 +29,9 @@ func New(socket string) (*BIRDClient, error) {

 // BIRDClient handles communication with the BIRD Internet Routing Daemon.
 type BIRDClient struct {
-	socket string
-	conn   net.Conn
-	bs     *bufio.Scanner
+	socket  string
+	conn    net.Conn
+	scanner *bufio.Scanner
 }

 // Close closes the underlying connection to BIRD.
@@ -39,7 +39,7 @@ func (b *BIRDClient) Close() error { return b.conn.Close() }

 // DisableProtocol disables the provided protocol.
 func (b *BIRDClient) DisableProtocol(protocol string) error {
-	out, err := b.exec("disable %s\n", protocol)
+	out, err := b.exec("disable %s", protocol)
 	if err != nil {
 		return err
 	}
@@ -53,7 +53,7 @@ func (b *BIRDClient) DisableProtocol(protocol string) error {

 // EnableProtocol enables the provided protocol.
 func (b *BIRDClient) EnableProtocol(protocol string) error {
-	out, err := b.exec("enable %s\n", protocol)
+	out, err := b.exec("enable %s", protocol)
 	if err != nil {
 		return err
 	}
@@ -65,19 +65,65 @@ func (b *BIRDClient) EnableProtocol(protocol string) error {
 	return fmt.Errorf("failed to enable %s: %v", protocol, out)
 }

+// BIRD CLI docs from https://bird.network.cz/?get_doc&v=20&f=prog-2.html#ss2.9
+
+// Each session of the CLI consists of a sequence of request and replies,
+// slightly resembling the FTP and SMTP protocols.
+// Requests are commands encoded as a single line of text,
+// replies are sequences of lines starting with a four-digit code
+// followed by either a space (if it's the last line of the reply) or
+// a minus sign (when the reply is going to continue with the next line),
+// the rest of the line contains a textual message semantics of which depends on the numeric code.
+// If a reply line has the same code as the previous one and it's a continuation line,
+// the whole prefix can be replaced by a single white space character.
+//
+// Reply codes starting with 0 stand for ‘action successfully completed’ messages,
+// 1 means ‘table entry’, 8 ‘runtime error’ and 9 ‘syntax error’.
+
 func (b *BIRDClient) exec(cmd string, args ...interface{}) (string, error) {
 	if _, err := fmt.Fprintf(b.conn, cmd, args...); err != nil {
 		return "", err
 	}
-	return b.readLine()
+	fmt.Fprintln(b.conn)
+	return b.readResponse()
 }

-func (b *BIRDClient) readLine() (string, error) {
-	if !b.bs.Scan() {
-		return "", fmt.Errorf("reading response from bird failed")
+// hasResponseCode reports whether the provided byte slice is
+// prefixed with a BIRD response code.
+// Equivalent regex: `^\d{4}[ -]`.
+func hasResponseCode(s []byte) bool {
+	if len(s) < 5 {
+		return false
 	}
-	if err := b.bs.Err(); err != nil {
-		return "", err
+	for _, b := range s[:4] {
+		if '0' <= b && b <= '9' {
+			continue
+		}
+		return false
 	}
-	return b.bs.Text(), nil
+	return s[4] == ' ' || s[4] == '-'
+}
+
+func (b *BIRDClient) readResponse() (string, error) {
+	var resp strings.Builder
+	var done bool
+	for !done {
+		if !b.scanner.Scan() {
+			return "", fmt.Errorf("reading response from bird failed: %q", resp.String())
+		}
+		if err := b.scanner.Err(); err != nil {
+			return "", err
+		}
+		out := b.scanner.Bytes()
+		if _, err := resp.Write(out); err != nil {
+			return "", err
+		}
+		if hasResponseCode(out) {
+			done = out[4] == ' '
+		}
+		if !done {
+			resp.WriteRune('\n')
+		}
+	}
+	return resp.String(), nil
 }
--- a/chirp/chirp_test.go
+++ b/chirp/chirp_test.go
@@ -0,0 +1,111 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+package chirp
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"net"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+type fakeBIRD struct {
+	net.Listener
+	protocolsEnabled map[string]bool
+	sock             string
+}
+
+func newFakeBIRD(t *testing.T, protocols ...string) *fakeBIRD {
+	sock := filepath.Join(t.TempDir(), "sock")
+	l, err := net.Listen("unix", sock)
+	if err != nil {
+		t.Fatal(err)
+	}
+	pe := make(map[string]bool)
+	for _, p := range protocols {
+		pe[p] = false
+	}
+	return &fakeBIRD{
+		Listener:         l,
+		protocolsEnabled: pe,
+		sock:             sock,
+	}
+}
+
+func (fb *fakeBIRD) listen() error {
+	for {
+		c, err := fb.Accept()
+		if err != nil {
+			if errors.Is(err, net.ErrClosed) {
+				return nil
+			}
+			return err
+		}
+		go fb.handle(c)
+	}
+}
+
+func (fb *fakeBIRD) handle(c net.Conn) {
+	fmt.Fprintln(c, "0001 BIRD 2.0.8 ready.")
+	sc := bufio.NewScanner(c)
+	for sc.Scan() {
+		cmd := sc.Text()
+		args := strings.Split(cmd, " ")
+		switch args[0] {
+		case "enable":
+			en, ok := fb.protocolsEnabled[args[1]]
+			if !ok {
+				fmt.Fprintln(c, "9001 syntax error, unexpected CF_SYM_UNDEFINED, expecting CF_SYM_KNOWN or TEXT or ALL")
+			} else if en {
+				fmt.Fprintf(c, "0010-%s: already enabled\n", args[1])
+			} else {
+				fmt.Fprintf(c, "0011-%s: enabled\n", args[1])
+			}
+			fmt.Fprintln(c, "0000 ")
+			fb.protocolsEnabled[args[1]] = true
+		case "disable":
+			en, ok := fb.protocolsEnabled[args[1]]
+			if !ok {
+				fmt.Fprintln(c, "9001 syntax error, unexpected CF_SYM_UNDEFINED, expecting CF_SYM_KNOWN or TEXT or ALL")
+			} else if !en {
+				fmt.Fprintf(c, "0008-%s: already disabled\n", args[1])
+			} else {
+				fmt.Fprintf(c, "0009-%s: disabled\n", args[1])
+			}
+			fmt.Fprintln(c, "0000 ")
+			fb.protocolsEnabled[args[1]] = false
+		}
+	}
+}
+
+func TestChirp(t *testing.T) {
+	fb := newFakeBIRD(t, "tailscale")
+	defer fb.Close()
+	go fb.listen()
+	c, err := New(fb.sock)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := c.EnableProtocol("tailscale"); err != nil {
+		t.Fatal(err)
+	}
+	if err := c.EnableProtocol("tailscale"); err != nil {
+		t.Fatal(err)
+	}
+	if err := c.DisableProtocol("tailscale"); err != nil {
+		t.Fatal(err)
+	}
+	if err := c.DisableProtocol("tailscale"); err != nil {
+		t.Fatal(err)
+	}
+	if err := c.EnableProtocol("rando"); err == nil {
+		t.Fatalf("enabling %q succeded", "rando")
+	}
+	if err := c.DisableProtocol("rando"); err == nil {
+		t.Fatalf("disabling %q succeded", "rando")
+	}
+}
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -104,6 +104,10 @@ func doLocalRequestNiceError(req *http.Request) (*http.Response, error) {
 		if server := res.Header.Get("Tailscale-Version"); server != "" && server != version.Long && onVersionMismatch != nil {
 			onVersionMismatch(version.Long, server)
 		}
+		if res.StatusCode == 403 {
+			all, _ := ioutil.ReadAll(res.Body)
+			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
+		}
 		return res, nil
 	}
 	if ue, ok := err.(*url.Error); ok {
@@ -179,10 +183,6 @@ func send(ctx context.Context, method, path string, wantStatus int, body io.Read
 		return nil, err
 	}
 	if res.StatusCode != wantStatus {
-		if res.StatusCode == 403 {
-			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(slurp))}
-		}
-		err := fmt.Errorf("HTTP %s: %s (expected %v)", res.Status, slurp, wantStatus)
 		return nil, bestError(err, slurp)
 	}
 	return slurp, nil
@@ -240,6 +240,16 @@ func BugReport(ctx context.Context, note string) (string, error) {
 	return strings.TrimSpace(string(body)), nil
 }

+// DebugAction invokes a debug action, such as "rebind" or "restun".
+// These are development tools and subject to change or removal over time.
+func DebugAction(ctx context.Context, action string) error {
+	body, err := send(ctx, "POST", "/localapi/v0/debug?action="+url.QueryEscape(action), 200, nil)
+	if err != nil {
+		return fmt.Errorf("error %w: %s", err, body)
+	}
+	return nil
+}
+
 // Status returns the Tailscale daemon's status.
 func Status(ctx context.Context) (*ipnstate.Status, error) {
 	return status(ctx, "")
@@ -284,7 +294,7 @@ func GetWaitingFile(ctx context.Context, baseName string) (rc io.ReadCloser, siz
 	if err != nil {
 		return nil, 0, err
 	}
-	res, err := DoLocalRequest(req)
+	res, err := doLocalRequestNiceError(req)
 	if err != nil {
 		return nil, 0, err
 	}
@@ -333,7 +343,7 @@ func PushFile(ctx context.Context, target tailcfg.StableNodeID, size int64, name
 		return nil
 	}
 	all, _ := io.ReadAll(res.Body)
-	return fmt.Errorf("%s: %s", res.Status, all)
+	return bestError(fmt.Errorf("%s: %s", res.Status, all), all)
 }

 func CheckIPForwarding(ctx context.Context) error {
--- a/cmd/cloner/cloner.go
+++ b/cmd/cloner/cloner.go
@@ -172,9 +172,15 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisP
 		if !codegen.ContainsPointers(ft) {
 			continue
 		}
-		if named, _ := ft.(*types.Named); named != nil && !hasBasicUnderlying(ft) {
-			writef("dst.%s = *src.%s.Clone()", fname, fname)
-			continue
+		if named, _ := ft.(*types.Named); named != nil {
+			if isViewType(ft) {
+				writef("dst.%s = src.%s", fname, fname)
+				continue
+			}
+			if !hasBasicUnderlying(ft) {
+				writef("dst.%s = *src.%s.Clone()", fname, fname)
+				continue
+			}
 		}
 		switch ft := ft.Underlying().(type) {
 		case *types.Slice:
@@ -234,6 +240,17 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisP
 	buf.Write(codegen.AssertStructUnchanged(t, thisPkg, name, "Clone", imports))
 }

+func isViewType(typ types.Type) bool {
+	t, ok := typ.Underlying().(*types.Struct)
+	if !ok {
+		return false
+	}
+	if t.NumFields() != 1 {
+		return false
+	}
+	return t.Field(0).Name() == "ж"
+}
+
 func hasBasicUnderlying(typ types.Type) bool {
 	switch typ.Underlying().(type) {
 	case *types.Slice, *types.Map:
--- a/cmd/derper/bootstrap_dns.go
+++ b/cmd/derper/bootstrap_dns.go
@@ -12,14 +12,11 @@ import (
 	"net"
 	"net/http"
 	"strings"
-	"sync"
+	"sync/atomic"
 	"time"
 )

-var (
-	dnsMu    sync.Mutex
-	dnsCache = map[string][]net.IP{}
-)
+var dnsCache atomic.Value // of []byte

 var bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")

@@ -37,6 +34,7 @@ func refreshBootstrapDNS() {
 	if *bootstrapDNS == "" {
 		return
 	}
+	dnsEntries := make(map[string][]net.IP)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
 	names := strings.Split(*bootstrapDNS, ",")
@@ -47,23 +45,23 @@ func refreshBootstrapDNS() {
 			log.Printf("bootstrap DNS lookup %q: %v", name, err)
 			continue
 		}
-		dnsMu.Lock()
-		dnsCache[name] = addrs
-		dnsMu.Unlock()
+		dnsEntries[name] = addrs
 	}
+	j, err := json.MarshalIndent(dnsEntries, "", "\t")
+	if err != nil {
+		// leave the old values in place
+		return
+	}
+	dnsCache.Store(j)
 }

 func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
 	bootstrapDNSRequests.Add(1)
-	dnsMu.Lock()
-	j, err := json.MarshalIndent(dnsCache, "", "\t")
-	dnsMu.Unlock()
-	if err != nil {
-		log.Printf("bootstrap DNS JSON: %v", err)
-		http.Error(w, "JSON marshal error", 500)
-		return
-	}
-
 	w.Header().Set("Content-Type", "application/json")
+	j, _ := dnsCache.Load().([]byte)
+	// Bootstrap DNS requests occur cross-regions,
+	// and are randomized per request,
+	// so keeping a connection open is pointlessly expensive.
+	w.Header().Set("Connection", "close")
 	w.Write(j)
 }
--- a/cmd/derper/bootstrap_dns_test.go
+++ b/cmd/derper/bootstrap_dns_test.go
@@ -0,0 +1,35 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"net/http"
+	"testing"
+)
+
+func BenchmarkHandleBootstrapDNS(b *testing.B) {
+	prev := *bootstrapDNS
+	*bootstrapDNS = "log.tailscale.io,login.tailscale.com,controlplane.tailscale.com,login.us.tailscale.com"
+	defer func() {
+		*bootstrapDNS = prev
+	}()
+	refreshBootstrapDNS()
+	w := new(bitbucketResponseWriter)
+	b.ReportAllocs()
+	b.ResetTimer()
+	b.RunParallel(func(b *testing.PB) {
+		for b.Next() {
+			handleBootstrapDNS(w, nil)
+		}
+	})
+}
+
+type bitbucketResponseWriter struct{}
+
+func (b *bitbucketResponseWriter) Header() http.Header { return make(http.Header) }
+
+func (b *bitbucketResponseWriter) Write(p []byte) (int, error) { return len(p), nil }
+
+func (b *bitbucketResponseWriter) WriteHeader(statusCode int) {}
--- a/cmd/derper/cert.go
+++ b/cmd/derper/cert.go
@@ -67,8 +67,8 @@ func NewManualCertManager(certdir, hostname string) (certProvider, error) {
 	if err != nil {
 		return nil, fmt.Errorf("can not load cert: %w", err)
 	}
-	if x509Cert.VerifyHostname(hostname) != nil {
-		return nil, errors.New("refuse to load cert: hostname mismatch with key")
+	if err := x509Cert.VerifyHostname(hostname); err != nil {
+		return nil, fmt.Errorf("cert invalid for hostname %q: %w", hostname, err)
 	}
 	return &manualCertManager{cert: &cert, hostname: hostname}, nil
 }
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -16,6 +16,7 @@ import (
 	"io"
 	"io/ioutil"
 	"log"
+	"math"
 	"net"
 	"net/http"
 	"os"
@@ -24,6 +25,7 @@ import (
 	"strings"
 	"time"

+	"golang.org/x/time/rate"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
@@ -36,24 +38,30 @@ import (

 var (
 	dev           = flag.Bool("dev", false, "run in localhost development mode")
-	addr          = flag.String("a", ":443", "server address")
+	addr          = flag.String("a", ":443", "server HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces.")
 	httpPort      = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable")
 	configPath    = flag.String("c", "", "config file path")
 	certMode      = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
 	certDir       = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
 	hostname      = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
 	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
-	runSTUN       = flag.Bool("stun", false, "also run a STUN server")
+	runSTUN       = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
+
 	meshPSKFile   = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
 	meshWith      = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
 	bootstrapDNS  = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
 	verifyClients = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
+
+	acceptConnLimit = flag.Float64("accept-connection-limit", math.Inf(+1), "rate limit for accepting new connection")
+	acceptConnBurst = flag.Int("accept-connection-burst", math.MaxInt, "burst limit for accepting new connection")
 )

 var (
-	stats           = new(metrics.Set)
-	stunDisposition = &metrics.LabelMap{Label: "disposition"}
-	stunAddrFamily  = &metrics.LabelMap{Label: "family"}
+	stats             = new(metrics.Set)
+	stunDisposition   = &metrics.LabelMap{Label: "disposition"}
+	stunAddrFamily    = &metrics.LabelMap{Label: "family"}
+	tlsRequestVersion = &metrics.LabelMap{Label: "version"}
+	tlsActiveVersion  = &metrics.LabelMap{Label: "version"}

 	stunReadError  = stunDisposition.Get("read_error")
 	stunNotSTUN    = stunDisposition.Get("not_stun")
@@ -68,6 +76,8 @@ func init() {
 	stats.Set("counter_requests", stunDisposition)
 	stats.Set("counter_addrfamily", stunAddrFamily)
 	expvar.Publish("stun", stats)
+	expvar.Publish("derper_tls_request_version", tlsRequestVersion)
+	expvar.Publish("gauge_derper_tls_active_version", tlsActiveVersion)
 }

 type config struct {
@@ -237,7 +247,26 @@ func main() {
 			cert.Certificate = append(cert.Certificate, s.MetaCert())
 			return cert, nil
 		}
+		// Disable TLS 1.0 and 1.1, which are obsolete and have security issues.
+		httpsrv.TLSConfig.MinVersion = tls.VersionTLS12
 		httpsrv.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.TLS != nil {
+				label := "unknown"
+				switch r.TLS.Version {
+				case tls.VersionTLS10:
+					label = "1.0"
+				case tls.VersionTLS11:
+					label = "1.1"
+				case tls.VersionTLS12:
+					label = "1.2"
+				case tls.VersionTLS13:
+					label = "1.3"
+				}
+				tlsRequestVersion.Add(label, 1)
+				tlsActiveVersion.Add(label, 1)
+				defer tlsActiveVersion.Add(label, -1)
+			}
+
 			// Set HTTP headers to appease automated security scanners.
 			//
 			// Security automation gets cranky when HTTPS sites don't
@@ -272,7 +301,7 @@ func main() {
 				}
 			}()
 		}
-		err = httpsrv.ListenAndServeTLS("", "")
+		err = rateLimitedListenAndServeTLS(httpsrv)
 	} else {
 		log.Printf("derper: serving on %s", *addr)
 		err = httpsrv.ListenAndServe()
@@ -366,3 +395,63 @@ func defaultMeshPSKFile() string {
 	}
 	return ""
 }
+
+func rateLimitedListenAndServeTLS(srv *http.Server) error {
+	addr := srv.Addr
+	if addr == "" {
+		addr = ":https"
+	}
+	ln, err := net.Listen("tcp", addr)
+	if err != nil {
+		return err
+	}
+	rln := newRateLimitedListener(ln, rate.Limit(*acceptConnLimit), *acceptConnBurst)
+	expvar.Publish("tls_listener", rln.ExpVar())
+	defer rln.Close()
+	return srv.ServeTLS(rln, "", "")
+}
+
+type rateLimitedListener struct {
+	// These are at the start of the struct to ensure 64-bit alignment
+	// on 32-bit architecture regardless of what other fields may exist
+	// in this package.
+	numAccepts expvar.Int // does not include number of rejects
+	numRejects expvar.Int
+
+	net.Listener
+
+	lim *rate.Limiter
+}
+
+func newRateLimitedListener(ln net.Listener, limit rate.Limit, burst int) *rateLimitedListener {
+	return &rateLimitedListener{Listener: ln, lim: rate.NewLimiter(limit, burst)}
+}
+
+func (l *rateLimitedListener) ExpVar() expvar.Var {
+	m := new(metrics.Set)
+	m.Set("counter_accepted_connections", &l.numAccepts)
+	m.Set("counter_rejected_connections", &l.numRejects)
+	return m
+}
+
+var errLimitedConn = errors.New("cannot accept connection; rate limited")
+
+func (l *rateLimitedListener) Accept() (net.Conn, error) {
+	// Even under a rate limited situation, we accept the connection immediately
+	// and close it, rather than being slow at accepting new connections.
+	// This provides two benefits: 1) it signals to the client that something
+	// is going on on the server, and 2) it prevents new connections from
+	// piling up and occupying resources in the OS kernel.
+	// The client will retry as needing (with backoffs in place).
+	cn, err := l.Listener.Accept()
+	if err != nil {
+		return nil, err
+	}
+	if !l.lim.Allow() {
+		l.numRejects.Add(1)
+		cn.Close()
+		return nil, errLimitedConn
+	}
+	l.numAccepts.Add(1)
+	return cn, nil
+}
--- a/cmd/derpprobe/derpprobe.go
+++ b/cmd/derpprobe/derpprobe.go
@@ -9,7 +9,9 @@ import (
 	"bytes"
 	"context"
 	crand "crypto/rand"
+	"crypto/x509"
 	"encoding/json"
+	"errors"
 	"flag"
 	"fmt"
 	"html"
@@ -33,11 +35,21 @@ var (
 	listen     = flag.String("listen", ":8030", "HTTP listen address")
 )

+// certReissueAfter is the time after which we expect all certs to be
+// reissued, at minimum.
+//
+// This is currently set to the date of the LetsEncrypt ALPN revocation event of Jan 2022:
+// https://community.letsencrypt.org/t/questions-about-renewing-before-tls-alpn-01-revocations/170449
+//
+// If there's another revocation event, bump this again.
+var certReissueAfter = time.Unix(1643226768, 0)
+
 var (
 	mu            sync.Mutex
 	state         = map[nodePair]pairStatus{}
 	lastDERPMap   *tailcfg.DERPMap
 	lastDERPMapAt time.Time
+	certs         = map[string]*x509.Certificate{}
 )

 func main() {
@@ -46,6 +58,12 @@ func main() {
 	log.Fatal(http.ListenAndServe(*listen, http.HandlerFunc(serve)))
 }

+func setCert(name string, cert *x509.Certificate) {
+	mu.Lock()
+	defer mu.Unlock()
+	certs[name] = cert
+}
+
 type overallStatus struct {
 	good, bad []string
 }
@@ -93,6 +111,27 @@ func getOverallStatus() (o overallStatus) {
 			}
 		}
 	}
+
+	var subjs []string
+	for k := range certs {
+		subjs = append(subjs, k)
+	}
+	sort.Strings(subjs)
+
+	soon := time.Now().Add(14 * 24 * time.Hour) // in 2 weeks; autocert does 30 days by default
+	for _, s := range subjs {
+		cert := certs[s]
+		if cert.NotBefore.Before(certReissueAfter) {
+			o.addBadf("cert %q needs reissuing; NotBefore=%v", s, cert.NotBefore.Format(time.RFC3339))
+			continue
+		}
+		if cert.NotAfter.Before(soon) {
+			o.addBadf("cert %q expiring soon (%v); wasn't auto-refreshed", s, cert.NotAfter.Format(time.RFC3339))
+			continue
+		}
+		o.addGoodf("cert %q good %v - %v", s, cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
+	}
+
 	return
 }

@@ -359,6 +398,21 @@ func newConn(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode) (*de
 	if err != nil {
 		return nil, err
 	}
+	cs, ok := dc.TLSConnectionState()
+	if !ok {
+		dc.Close()
+		return nil, errors.New("no TLS state")
+	}
+	if len(cs.PeerCertificates) == 0 {
+		dc.Close()
+		return nil, errors.New("no peer certificates")
+	}
+	if cs.ServerName != n.HostName {
+		dc.Close()
+		return nil, fmt.Errorf("TLS server name %q != derp hostname %q", cs.ServerName, n.HostName)
+	}
+	setCert(cs.ServerName, cs.PeerCertificates[0])
+
 	errc := make(chan error, 1)
 	go func() {
 		m, err := dc.Recv()
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -2,13 +2,15 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// The hello binary runs hello.ipn.dev.
+// The hello binary runs hello.ts.net.
 package main // import "tailscale.com/cmd/hello"

 import (
 	"context"
+	"crypto/tls"
 	_ "embed"
 	"encoding/json"
+	"errors"
 	"flag"
 	"html/template"
 	"io/ioutil"
@@ -16,6 +18,7 @@ import (
 	"net/http"
 	"os"
 	"strings"
+	"time"

 	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
@@ -69,11 +72,31 @@ func main() {
 	if *httpsAddr != "" {
 		log.Printf("running HTTPS server on %s", *httpsAddr)
 		go func() {
-			errc <- http.ListenAndServeTLS(*httpsAddr,
-				"/etc/hello/hello.ipn.dev.crt",
-				"/etc/hello/hello.ipn.dev.key",
-				nil,
-			)
+			hs := &http.Server{
+				Addr: *httpsAddr,
+				TLSConfig: &tls.Config{
+					GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+						switch hi.ServerName {
+						case "hello.ts.net":
+							return tailscale.GetCertificate(hi)
+						case "hello.ipn.dev":
+							c, err := tls.LoadX509KeyPair(
+								"/etc/hello/hello.ipn.dev.crt",
+								"/etc/hello/hello.ipn.dev.key",
+							)
+							if err != nil {
+								return nil, err
+							}
+							return &c, nil
+						}
+						return nil, errors.New("invalid SNI name")
+					},
+				},
+				IdleTimeout:       30 * time.Second,
+				ReadHeaderTimeout: 20 * time.Second,
+				MaxHeaderBytes:    10 << 10,
+			}
+			errc <- hs.ListenAndServeTLS("", "")
 		}()
 	}
 	log.Fatal(<-errc)
@@ -127,8 +150,9 @@ func tailscaleIP(who *apitype.WhoIsResponse) string {
 func root(w http.ResponseWriter, r *http.Request) {
 	if r.TLS == nil && *httpsAddr != "" {
 		host := r.Host
-		if strings.Contains(r.Host, "100.101.102.103") {
-			host = "hello.ipn.dev"
+		if strings.Contains(r.Host, "100.101.102.103") ||
+			strings.Contains(r.Host, "hello.ipn.dev") {
+			host = "hello.ts.net"
 		}
 		http.Redirect(w, r, "https://"+host, http.StatusFound)
 		return
@@ -137,6 +161,10 @@ func root(w http.ResponseWriter, r *http.Request) {
 		http.Redirect(w, r, "/", http.StatusFound)
 		return
 	}
+	if r.TLS != nil && *httpsAddr != "" && strings.Contains(r.Host, "hello.ipn.dev") {
+		http.Redirect(w, r, "https://hello.ts.net", http.StatusFound)
+		return
+	}
 	tmpl, err := getTmpl()
 	if err != nil {
 		w.Header().Set("Content-Type", "text/plain")
@@ -168,7 +196,7 @@ func root(w http.ResponseWriter, r *http.Request) {
 			LoginName:     who.UserProfile.LoginName,
 			ProfilePicURL: who.UserProfile.ProfilePicURL,
 			MachineName:   firstLabel(who.Node.ComputedName),
-			MachineOS:     who.Node.Hostinfo.OS,
+			MachineOS:     who.Node.Hostinfo.OS(),
 			IP:            tailscaleIP(who),
 		}
 	}
--- a/cmd/printdep/printdep.go
+++ b/cmd/printdep/printdep.go
@@ -0,0 +1,46 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// The printdep command is a build system tool for printing out information
+// about dependencies.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"runtime"
+	"strings"
+
+	ts "tailscale.com"
+)
+
+var (
+	goToolchain    = flag.Bool("go", false, "print the supported Go toolchain git hash (a github.com/tailscale/go commit)")
+	goToolchainURL = flag.Bool("go-url", false, "print the URL to the tarball of the Tailscale Go toolchain")
+)
+
+func main() {
+	flag.Parse()
+	if *goToolchain {
+		fmt.Println(strings.TrimSpace(ts.GoToolchainRev))
+	}
+	if *goToolchainURL {
+		var suffix string
+		switch runtime.GOARCH {
+		case "amd64":
+			// None
+		case "arm64":
+			suffix = "-" + runtime.GOARCH
+		default:
+			log.Fatalf("unsupported GOARCH %q", runtime.GOARCH)
+		}
+		switch runtime.GOOS {
+		case "linux", "darwin":
+		default:
+			log.Fatalf("unsupported GOOS %q", runtime.GOOS)
+		}
+		fmt.Printf("https://github.com/tailscale/go/releases/download/build-%s/%s%s.tar.gz\n", strings.TrimSpace(ts.GoToolchainRev), runtime.GOOS, suffix)
+	}
+}
--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -13,7 +13,6 @@ import (
 	"log"
 	"net/http"
 	"os"
-	"runtime"
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
@@ -92,9 +91,6 @@ func runCert(ctx context.Context, args []string) error {
 		certArgs.keyFile = domain + ".key"
 	}
 	certPEM, keyPEM, err := tailscale.CertPair(ctx, domain)
-	if tailscale.IsAccessDeniedError(err) && os.Getuid() != 0 && runtime.GOOS != "windows" {
-		return fmt.Errorf("%v\n\nUse 'sudo tailscale cert' or 'tailscale up --operator=$USER' to not require root.", err)
-	}
 	if err != nil {
 		return err
 	}
@@ -108,7 +104,7 @@ func runCert(ctx context.Context, args []string) error {
 		if version.IsMacSysExt() {
 			dir = "io.tailscale.ipn.macsys"
 		}
-		printf("Warning: the macOS CLI runs in a sandbox; this binary's filesystem writes go to $HOME/Library/Containers/%s\n", dir)
+		printf("Warning: the macOS CLI runs in a sandbox; this binary's filesystem writes go to $HOME/Library/Containers/%s/Data\n", dir)
 	}
 	if certArgs.certFile != "" {
 		certChanged, err := writeIfChanged(certArgs.certFile, certPEM, 0644)
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -29,6 +29,7 @@ import (
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 	"tailscale.com/syncs"
+	"tailscale.com/version/distro"
 )

 var Stderr io.Writer = os.Stderr
@@ -103,11 +104,43 @@ func newFlagSet(name string) *flag.FlagSet {
 	return fs
 }

+// CleanUpArgs rewrites command line arguments for simplicity and backwards compatibility.
+// In particular, it rewrites --authkey to --auth-key.
+func CleanUpArgs(args []string) []string {
+	out := make([]string, 0, len(args))
+	for _, arg := range args {
+		// Rewrite --authkey to --auth-key, and --authkey=x to --auth-key=x,
+		// and the same for the -authkey variant.
+		switch {
+		case arg == "--authkey", arg == "-authkey":
+			arg = "--auth-key"
+		case strings.HasPrefix(arg, "--authkey="), strings.HasPrefix(arg, "-authkey="):
+			arg = strings.TrimLeft(arg, "-")
+			arg = strings.TrimPrefix(arg, "authkey=")
+			arg = "--auth-key=" + arg
+		}
+		out = append(out, arg)
+	}
+	return out
+}
+
 // Run runs the CLI. The args do not include the binary name.
-func Run(args []string) error {
+func Run(args []string) (err error) {
 	if len(args) == 1 && (args[0] == "-V" || args[0] == "--version") {
 		args = []string{"version"}
 	}
+	if runtime.GOOS == "linux" && distro.Get() == distro.Gokrazy &&
+		os.Getenv("GOKRAZY_FIRST_START") == "1" {
+		defer func() {
+			// Exit with 125 otherwise the CLI binary is restarted
+			// forever in a loop by the Gokrazy process supervisor.
+			// See https://gokrazy.org/userguide/process-interface/
+			if err != nil {
+				log.Println(err)
+			}
+			os.Exit(125)
+		}()
+	}

 	var warnOnce sync.Once
 	tailscale.SetVersionMismatchHandler(func(clientVer, serverVer string) {
@@ -155,6 +188,9 @@ change in the future.
 	if strSliceContains(args, "debug") {
 		rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
 	}
+	if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
+		rootCmd.Subcommands = append(rootCmd.Subcommands, configureHostCmd)
+	}

 	if err := rootCmd.Parse(args); err != nil {
 		if errors.Is(err, flag.ErrHelp) {
@@ -170,7 +206,10 @@ change in the future.
 		}
 	})

-	err := rootCmd.Run(context.Background())
+	err = rootCmd.Run(context.Background())
+	if tailscale.IsAccessDeniedError(err) && os.Getuid() != 0 && runtime.GOOS != "windows" {
+		return fmt.Errorf("%v\n\nUse 'sudo tailscale %s' or 'tailscale up --operator=$USER' to not require root.", err, strings.Join(args, " "))
+	}
 	if errors.Is(err, flag.ErrHelp) {
 		return nil
 	}
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -13,6 +13,7 @@ import (
 	"strings"
 	"testing"

+	qt "github.com/frankban/quicktest"
 	"github.com/google/go-cmp/cmp"
 	"inet.af/netaddr"
 	"tailscale.com/ipn"
@@ -380,7 +381,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {

 				Hostname: "foo",
 			},
-			want: accidentalUpPrefix + " --authkey=secretrand --force-reauth=false --reset --hostname=foo",
+			want: accidentalUpPrefix + " --auth-key=secretrand --force-reauth=false --reset --hostname=foo",
 		},
 		{
 			name:  "error_exit_node_omit_with_ip_pref",
@@ -487,7 +488,8 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 			}
 			var upArgs upArgsT
 			flagSet := newUpFlagSet(goos, &upArgs)
-			flagSet.Parse(tt.flags)
+			flags := CleanUpArgs(tt.flags)
+			flagSet.Parse(flags)
 			newPrefs, err := prefsFromUpArgs(upArgs, t.Logf, new(ipnstate.Status), goos)
 			if err != nil {
 				t.Fatal(err)
@@ -786,6 +788,33 @@ func TestUpdatePrefs(t *testing.T) {
 			wantSimpleUp:   true,
 			wantJustEditMP: &ipn.MaskedPrefs{WantRunningSet: true},
 		},
+		{
+			name:  "just_edit_reset",
+			flags: []string{"--reset"},
+			curPrefs: &ipn.Prefs{
+				ControlURL: ipn.DefaultControlURL,
+				Persist:    &persist.Persist{LoginName: "crawshaw.github"},
+			},
+			env: upCheckEnv{backendState: "Running"},
+			wantJustEditMP: &ipn.MaskedPrefs{
+				AdvertiseRoutesSet:        true,
+				AdvertiseTagsSet:          true,
+				AllowSingleHostsSet:       true,
+				ControlURLSet:             true,
+				CorpDNSSet:                true,
+				ExitNodeAllowLANAccessSet: true,
+				ExitNodeIDSet:             true,
+				ExitNodeIPSet:             true,
+				HostnameSet:               true,
+				NetfilterModeSet:          true,
+				NoSNATSet:                 true,
+				OperatorUserSet:           true,
+				RouteAllSet:               true,
+				RunSSHSet:                 true,
+				ShieldsUpSet:              true,
+				WantRunningSet:            true,
+			},
+		},
 		{
 			name:  "control_synonym",
 			flags: []string{},
@@ -831,7 +860,8 @@ func TestUpdatePrefs(t *testing.T) {
 				tt.env.goos = "linux"
 			}
 			tt.env.flagSet = newUpFlagSet(tt.env.goos, &tt.env.upArgs)
-			tt.env.flagSet.Parse(tt.flags)
+			flags := CleanUpArgs(tt.flags)
+			tt.env.flagSet.Parse(flags)

 			newPrefs, err := prefsFromUpArgs(tt.env.upArgs, t.Logf, new(ipnstate.Status), tt.env.goos)
 			if err != nil {
@@ -850,16 +880,23 @@ func TestUpdatePrefs(t *testing.T) {
 			if simpleUp != tt.wantSimpleUp {
 				t.Fatalf("simpleUp=%v, want %v", simpleUp, tt.wantSimpleUp)
 			}
+			var oldEditPrefs ipn.Prefs
 			if justEditMP != nil {
+				oldEditPrefs = justEditMP.Prefs
 				justEditMP.Prefs = ipn.Prefs{} // uninteresting
 			}
 			if !reflect.DeepEqual(justEditMP, tt.wantJustEditMP) {
-				t.Fatalf("justEditMP: %v", cmp.Diff(justEditMP, tt.wantJustEditMP))
+				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was %+v", oldEditPrefs)
+				t.Fatalf("justEditMP: %v\n\n: ", cmp.Diff(justEditMP, tt.wantJustEditMP, cmpIP))
 			}
 		})
 	}
 }

+var cmpIP = cmp.Comparer(func(a, b netaddr.IP) bool {
+	return a == b
+})
+
 func TestExitNodeIPOfArg(t *testing.T) {
 	mustIP := netaddr.MustParseIP
 	tests := []struct {
@@ -989,3 +1026,29 @@ func TestExitNodeIPOfArg(t *testing.T) {
 		})
 	}
 }
+
+func TestCleanUpArgs(t *testing.T) {
+	c := qt.New(t)
+	tests := []struct {
+		in   []string
+		want []string
+	}{
+		{in: []string{"something"}, want: []string{"something"}},
+		{in: []string{}, want: []string{}},
+		{in: []string{"--authkey=0"}, want: []string{"--auth-key=0"}},
+		{in: []string{"a", "--authkey=1", "b"}, want: []string{"a", "--auth-key=1", "b"}},
+		{in: []string{"a", "--auth-key=2", "b"}, want: []string{"a", "--auth-key=2", "b"}},
+		{in: []string{"a", "-authkey=3", "b"}, want: []string{"a", "--auth-key=3", "b"}},
+		{in: []string{"a", "-auth-key=4", "b"}, want: []string{"a", "-auth-key=4", "b"}},
+		{in: []string{"a", "--authkey", "5", "b"}, want: []string{"a", "--auth-key", "5", "b"}},
+		{in: []string{"a", "-authkey", "6", "b"}, want: []string{"a", "--auth-key", "6", "b"}},
+		{in: []string{"a", "authkey", "7", "b"}, want: []string{"a", "authkey", "7", "b"}},
+		{in: []string{"--authkeyexpiry", "8"}, want: []string{"--authkeyexpiry", "8"}},
+		{in: []string{"--auth-key-expiry", "9"}, want: []string{"--auth-key-expiry", "9"}},
+	}
+
+	for _, tt := range tests {
+		got := CleanUpArgs(tt.in)
+		c.Assert(got, qt.DeepEquals, tt.want)
+	}
+}
--- a/cmd/tailscale/cli/configure-host.go
+++ b/cmd/tailscale/cli/configure-host.go
@@ -0,0 +1,85 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/hostinfo"
+	"tailscale.com/version/distro"
+)
+
+var configureHostCmd = &ffcli.Command{
+	Name:      "configure-host",
+	Exec:      runConfigureHost,
+	ShortHelp: "Configure Synology to enable more Tailscale features",
+	LongHelp: strings.TrimSpace(`
+The 'configure-host' command is intended to run at boot as root
+to create the /dev/net/tun device and give the tailscaled binary
+permission to use it.
+
+See: https://tailscale.com/kb/1152/synology-outbound/
+`),
+	FlagSet: (func() *flag.FlagSet {
+		fs := newFlagSet("configure-host")
+		return fs
+	})(),
+}
+
+var configureHostArgs struct{}
+
+func runConfigureHost(ctx context.Context, args []string) error {
+	if len(args) > 0 {
+		return errors.New("unknown arguments")
+	}
+	if runtime.GOOS != "linux" || distro.Get() != distro.Synology {
+		return errors.New("only implemented on Synology")
+	}
+	if uid := os.Getuid(); uid != 0 {
+		return fmt.Errorf("must be run as root, not %q (%v)", os.Getenv("USER"), uid)
+	}
+	osVer := hostinfo.GetOSVersion()
+	isDSM6 := strings.HasPrefix(osVer, "Synology 6")
+	isDSM7 := strings.HasPrefix(osVer, "Synology 7")
+	if !isDSM6 && !isDSM7 {
+		return fmt.Errorf("unsupported DSM version %q", osVer)
+	}
+	if _, err := os.Stat("/dev/net/tun"); os.IsNotExist(err) {
+		if err := os.MkdirAll("/dev/net", 0755); err != nil {
+			return fmt.Errorf("creating /dev/net: %v", err)
+		}
+		if out, err := exec.Command("/bin/mknod", "/dev/net/tun", "c", "10", "200").CombinedOutput(); err != nil {
+			return fmt.Errorf("creating /dev/net/tun: %v, %s", err, out)
+		}
+	}
+	if err := os.Chmod("/dev/net/tun", 0666); err != nil {
+		return err
+	}
+	if isDSM6 {
+		fmt.Printf("/dev/net/tun exists and has permissions 0666. Skipping setcap on DSM6.\n")
+		return nil
+	}
+
+	const daemonBin = "/var/packages/Tailscale/target/bin/tailscaled"
+	if _, err := os.Stat(daemonBin); err != nil {
+		if os.IsNotExist(err) {
+			return fmt.Errorf("tailscaled binary not found at %s. Is the Tailscale *.spk package installed?", daemonBin)
+		}
+		return err
+	}
+	if out, err := exec.Command("/bin/setcap", "cap_net_admin,cap_net_raw+eip", daemonBin).CombinedOutput(); err != nil {
+		return fmt.Errorf("setcap: %v, %s", err, out)
+	}
+	fmt.Printf("Done. To restart Tailscale to use the new permissions, run:\n\n  sudo synosystemctl restart pkgctl-Tailscale.service\n\n")
+	return nil
+}
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -22,6 +22,7 @@ import (

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
@@ -65,11 +66,26 @@ var debugCmd = &ffcli.Command{
 			Exec:      runEnv,
 			ShortHelp: "print cmd/tailscale environment",
 		},
+		{
+			Name:      "hostinfo",
+			Exec:      runHostinfo,
+			ShortHelp: "print hostinfo",
+		},
 		{
 			Name:      "local-creds",
 			Exec:      runLocalCreds,
 			ShortHelp: "print how to access Tailscale local API",
 		},
+		{
+			Name:      "restun",
+			Exec:      localAPIAction("restun"),
+			ShortHelp: "force a magicsock restun",
+		},
+		{
+			Name:      "rebind",
+			Exec:      localAPIAction("rebind"),
+			ShortHelp: "force a magicsock rebind",
+		},
 		{
 			Name:      "prefs",
 			Exec:      runPrefs,
@@ -244,6 +260,15 @@ func runDERPMap(ctx context.Context, args []string) error {
 	return nil
 }

+func localAPIAction(action string) func(context.Context, []string) error {
+	return func(ctx context.Context, args []string) error {
+		if len(args) > 0 {
+			return errors.New("unexpected arguments")
+		}
+		return tailscale.DebugAction(ctx, action)
+	}
+}
+
 func runEnv(ctx context.Context, args []string) error {
 	for _, e := range os.Environ() {
 		outln(e)
@@ -251,6 +276,13 @@ func runEnv(ctx context.Context, args []string) error {
 	return nil
 }

+func runHostinfo(ctx context.Context, args []string) error {
+	hi := hostinfo.New()
+	j, _ := json.MarshalIndent(hi, "", "  ")
+	os.Stdout.Write(j)
+	return nil
+}
+
 func runDaemonGoroutines(ctx context.Context, args []string) error {
 	goroutines, err := tailscale.Goroutines(ctx)
 	if err != nil {
--- a/cmd/tailscale/cli/file.go
+++ b/cmd/tailscale/cli/file.go
@@ -16,7 +16,6 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
-	"strconv"
 	"strings"
 	"time"
 	"unicode/utf8"
@@ -26,6 +25,7 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
@@ -148,7 +148,7 @@ func runCp(ctx context.Context, args []string) error {
 				name = filepath.Base(fileArg)
 			}

-			if slow, _ := strconv.ParseBool(os.Getenv("TS_DEBUG_SLOW_PUSH")); slow {
+			if envknob.Bool("TS_DEBUG_SLOW_PUSH") {
 				fileContents = &slowReader{r: fileContents}
 			}
 		}
@@ -324,7 +324,7 @@ func runFileGet(ctx context.Context, args []string) error {
 	for {
 		wfs, err = tailscale.WaitingFiles(ctx)
 		if err != nil {
-			return fmt.Errorf("getting WaitingFiles: %v", err)
+			return fmt.Errorf("getting WaitingFiles: %w", err)
 		}
 		if len(wfs) != 0 || !getArgs.wait {
 			break
@@ -379,7 +379,7 @@ func wipeInbox(ctx context.Context) error {
 	}
 	wfs, err := tailscale.WaitingFiles(ctx)
 	if err != nil {
-		return fmt.Errorf("getting WaitingFiles: %v", err)
+		return fmt.Errorf("getting WaitingFiles: %w", err)
 	}
 	deleted := 0
 	for _, wf := range wfs {
--- a/cmd/tailscale/cli/netcheck.go
+++ b/cmd/tailscale/cli/netcheck.go
@@ -13,13 +13,13 @@ import (
 	"io/ioutil"
 	"log"
 	"net/http"
-	"os"
 	"sort"
 	"strings"
 	"time"

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/net/netcheck"
 	"tailscale.com/net/portmapper"
@@ -49,7 +49,7 @@ var netcheckArgs struct {

 func runNetcheck(ctx context.Context, args []string) error {
 	c := &netcheck.Client{
-		UDPBindAddr: os.Getenv("TS_DEBUG_NETCHECK_UDP_BIND"),
+		UDPBindAddr: envknob.String("TS_DEBUG_NETCHECK_UDP_BIND"),
 		PortMapper:  portmapper.NewClient(logger.WithPrefix(log.Printf, "portmap: "), nil),
 	}
 	if netcheckArgs.verbose {
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"log"
 	"net"
+	"os"
 	"strings"
 	"time"

@@ -64,6 +65,16 @@ var pingArgs struct {
 }

 func runPing(ctx context.Context, args []string) error {
+	st, err := tailscale.Status(ctx)
+	if err != nil {
+		return fixTailscaledConnectError(err)
+	}
+	description, ok := isRunningOrStarting(st)
+	if !ok {
+		printf("%s\n", description)
+		os.Exit(1)
+	}
+
 	c, bc, ctx, cancel := connect(ctx)
 	defer cancel()

--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -121,24 +121,10 @@ func runStatus(ctx context.Context, args []string) error {
 		return err
 	}

-	switch st.BackendState {
-	default:
-		fmt.Fprintf(Stderr, "unexpected state: %s\n", st.BackendState)
+	description, ok := isRunningOrStarting(st)
+	if !ok {
+		outln(description)
 		os.Exit(1)
-	case ipn.Stopped.String():
-		outln("Tailscale is stopped.")
-		os.Exit(1)
-	case ipn.NeedsLogin.String():
-		outln("Logged out.")
-		if st.AuthURL != "" {
-			printf("\nLog in at: %s\n", st.AuthURL)
-		}
-		os.Exit(1)
-	case ipn.NeedsMachineAuth.String():
-		outln("Machine is not yet authorized by tailnet admin.")
-		os.Exit(1)
-	case ipn.Running.String(), ipn.Starting.String():
-		// Run below.
 	}

 	if len(st.Health) > 0 {
@@ -222,6 +208,27 @@ func runStatus(ctx context.Context, args []string) error {
 	return nil
 }

+// isRunningOrStarting reports whether st is in state Running or Starting.
+// It also returns a description of the status suitable to display to a user.
+func isRunningOrStarting(st *ipnstate.Status) (description string, ok bool) {
+	switch st.BackendState {
+	default:
+		return fmt.Sprintf("unexpected state: %s", st.BackendState), false
+	case ipn.Stopped.String():
+		return "Tailscale is stopped.", false
+	case ipn.NeedsLogin.String():
+		s := "Logged out."
+		if st.AuthURL != "" {
+			s += fmt.Sprintf("\nLog in at: %s", st.AuthURL)
+		}
+		return s, false
+	case ipn.NeedsMachineAuth.String():
+		return "Machine is not yet authorized by tailnet admin.", false
+	case ipn.Running.String(), ipn.Starting.String():
+		return st.BackendState, true
+	}
+}
+
 func dnsOrQuoteHostname(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
 	baseName := dnsname.TrimSuffix(ps.DNSName, st.MagicDNSSuffix)
 	if baseName != "" {
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -24,6 +24,7 @@ import (
 	qrcode "github.com/skip2/go-qrcode"
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/safesocket"
@@ -81,6 +82,8 @@ func acceptRouteDefault(goos string) bool {

 var upFlagSet = newUpFlagSet(effectiveGOOS(), &upArgs)

+func inTest() bool { return flag.Lookup("test.v") != nil }
+
 func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 	upf := newFlagSet("up")

@@ -96,8 +99,11 @@ func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 	upf.StringVar(&upArgs.exitNodeIP, "exit-node", "", "Tailscale exit node (IP or base name) for internet traffic, or empty string to not use an exit node")
 	upf.BoolVar(&upArgs.exitNodeAllowLANAccess, "exit-node-allow-lan-access", false, "Allow direct access to the local network when routing traffic via an exit node")
 	upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
+	if envknob.UseWIPCode() || inTest() {
+		upf.BoolVar(&upArgs.runSSH, "ssh", false, "run an SSH server, permitting access per tailnet admin's declared policy")
+	}
 	upf.StringVar(&upArgs.advertiseTags, "advertise-tags", "", "comma-separated ACL tags to request; each must start with \"tag:\" (e.g. \"tag:eng,tag:montreal,tag:ssh\")")
-	upf.StringVar(&upArgs.authKeyOrFile, "authkey", "", `node authorization key; if it begins with "file:", then it's a path to a file containing the authkey`)
+	upf.StringVar(&upArgs.authKeyOrFile, "auth-key", "", `node authorization key; if it begins with "file:", then it's a path to a file containing the authkey`)
 	upf.StringVar(&upArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
 	upf.StringVar(&upArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. \"10.0.0.0/8,192.168.0.0/24\") or empty string to not advertise routes")
 	upf.BoolVar(&upArgs.advertiseDefaultRoute, "advertise-exit-node", false, "offer to be an exit node for internet traffic for the tailnet")
@@ -131,6 +137,7 @@ type upArgsT struct {
 	exitNodeIP             string
 	exitNodeAllowLANAccess bool
 	shieldsUp              bool
+	runSSH                 bool
 	forceReauth            bool
 	forceDaemon            bool
 	advertiseRoutes        string
@@ -352,6 +359,7 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 	prefs.CorpDNS = upArgs.acceptDNS
 	prefs.AllowSingleHosts = upArgs.singleRoutes
 	prefs.ShieldsUp = upArgs.shieldsUp
+	prefs.RunSSH = upArgs.runSSH
 	prefs.AdvertiseRoutes = routes
 	prefs.AdvertiseTags = tags
 	prefs.Hostname = upArgs.hostname
@@ -379,7 +387,8 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 	return prefs, nil
 }

-// updatePrefs updates prefs based on curPrefs
+// updatePrefs returns how to edit preferences based on the
+// flag-provided 'prefs' and the currently active 'curPrefs'.
 //
 // It returns a non-nil justEditMP if we're already running and none of
 // the flags require a restart, so we can just do an EditPrefs call and
@@ -413,15 +422,19 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus

 	justEdit := env.backendState == ipn.Running.String() &&
 		!env.upArgs.forceReauth &&
-		!env.upArgs.reset &&
 		env.upArgs.authKeyOrFile == "" &&
 		!controlURLChanged &&
 		!tagsChanged
+
 	if justEdit {
 		justEditMP = new(ipn.MaskedPrefs)
 		justEditMP.WantRunningSet = true
 		justEditMP.Prefs = *prefs
-		env.flagSet.Visit(func(f *flag.Flag) {
+		visitFlags := env.flagSet.Visit
+		if env.upArgs.reset {
+			visitFlags = env.flagSet.VisitAll
+		}
+		visitFlags(func(f *flag.Flag) {
 			updateMaskedPrefsFromUpFlag(justEditMP, f.Name)
 		})
 	}
@@ -513,7 +526,7 @@ func runUp(ctx context.Context, args []string) error {
 	pumpErr := make(chan error, 1)
 	go func() { pumpErr <- pump(pumpCtx, bc, c) }()

-	printed := !simpleUp
+	var printed bool // whether we've yet printed anything to stdout or stderr
 	var loginOnce sync.Once
 	startLoginInteractive := func() { loginOnce.Do(func() { bc.StartLoginInteractive() }) }

@@ -539,7 +552,6 @@ func runUp(ctx context.Context, args []string) error {
 		if s := n.State; s != nil {
 			switch *s {
 			case ipn.NeedsLogin:
-				printed = true
 				startLoginInteractive()
 			case ipn.NeedsMachineAuth:
 				printed = true
@@ -713,6 +725,7 @@ func init() {
 	addPrefFlagMapping("exit-node-allow-lan-access", "ExitNodeAllowLANAccess")
 	addPrefFlagMapping("unattended", "ForceDaemon")
 	addPrefFlagMapping("operator", "OperatorUser")
+	addPrefFlagMapping("ssh", "RunSSH")
 }

 func addPrefFlagMapping(flagName string, prefNames ...string) {
@@ -730,7 +743,7 @@ func addPrefFlagMapping(flagName string, prefNames ...string) {
 // correspond to an ipn.Pref.
 func preflessFlag(flagName string) bool {
 	switch flagName {
-	case "authkey", "force-reauth", "reset", "qr", "json":
+	case "auth-key", "force-reauth", "reset", "qr", "json":
 		return true
 	}
 	return false
@@ -903,6 +916,8 @@ func prefsToFlags(env upCheckEnv, prefs *ipn.Prefs) (flagVal map[string]interfac
 		switch f.Name {
 		default:
 			panic(fmt.Sprintf("unhandled flag %q", f.Name))
+		case "ssh":
+			set(prefs.RunSSH)
 		case "login-server":
 			set(prefs.ControlURL)
 		case "accept-routes":
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -270,14 +270,14 @@ func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
 	// We need a SynoToken for authenticate.cgi.
 	// So we tell the client to get one.
 	serverURL := r.URL.Scheme + "://" + r.URL.Host
-	fmt.Fprintf(w, synoTokenRedirectHTML, serverURL)
+	synoTokenRedirectHTML.Execute(w, serverURL)
 	return true
 }

-const synoTokenRedirectHTML = `<html><body>
+var synoTokenRedirectHTML = template.Must(template.New("redirect").Parse(`<html><body>
 Redirecting with session token...
 <script>
-var serverURL = %q;
+var serverURL = {{ . }};
 var req = new XMLHttpRequest();
 req.overrideMimeType("application/json");
 req.open("GET", serverURL + "/webman/login.cgi", true);
@@ -289,7 +289,7 @@ req.onload = function() {
 req.send(null);
 </script>
 </body></html>
-`
+`))

 func webHandler(w http.ResponseWriter, r *http.Request) {
 	if authRedirect(w, r) {
@@ -375,7 +375,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 			data.AdvertiseExitNode = true
 		} else {
 			if data.AdvertiseRoutes != "" {
-				data.AdvertiseRoutes = ","
+				data.AdvertiseRoutes += ","
 			}
 			data.AdvertiseRoutes += r.String()
 		}
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -4,8 +4,14 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
+   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
+   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
   L    github.com/klauspost/compress/flate                          from nhooyr.io/websocket
+   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/cmd/tailscale/cli+
        github.com/peterbourgon/ff/v3                                from github.com/peterbourgon/ff/v3/ffcli
        github.com/peterbourgon/ff/v3/ffcli                          from tailscale.com/cmd/tailscale/cli
@@ -38,7 +44,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck
   L    tailscale.com/derp/wsconn                                    from tailscale.com/derp/derphttp
        tailscale.com/disco                                          from tailscale.com/derp
-        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces
+        tailscale.com/envknob                                        from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
        tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli+
        tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
        tailscale.com/kube                                           from tailscale.com/ipn
@@ -47,6 +54,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
     💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli
+        tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
        tailscale.com/net/netknob                                    from tailscale.com/net/netns
        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
@@ -73,11 +81,14 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/types/persist                                  from tailscale.com/ipn
        tailscale.com/types/preftype                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/types/structs                                  from tailscale.com/ipn+
+        tailscale.com/types/views                                    from tailscale.com/tailcfg+
        tailscale.com/util/clientmetric                              from tailscale.com/net/netcheck+
        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
+   W    tailscale.com/util/winutil                                   from tailscale.com/hostinfo
+   W 💣 tailscale.com/util/winutil/vss                               from tailscale.com/util/winutil
        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
@@ -92,6 +103,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/poly1305                                 from golang.org/x/crypto/chacha20poly1305
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from net/http+
        golang.org/x/net/http/httpproxy                              from net/http
--- a/cmd/tailscale/tailscale.go
+++ b/cmd/tailscale/tailscale.go
@@ -17,6 +17,7 @@ import (

 func main() {
 	args := os.Args[1:]
+	args = cli.CleanUpArgs(args)
 	if name, _ := os.Executable(); strings.HasSuffix(filepath.Base(name), ".cgi") {
 		args = []string{"web", "-cgi"}
 	}
--- a/cmd/tailscaled/debug.go
+++ b/cmd/tailscaled/debug.go
@@ -24,6 +24,7 @@ import (

 	"inet.af/netaddr"
 	"tailscale.com/derp/derphttp"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/portmapper"
@@ -224,7 +225,7 @@ func debugPortmap(ctx context.Context) error {
 	defer cancel()

 	portmapper.VerboseLogs = true
-	switch os.Getenv("TS_DEBUG_PORTMAP_TYPE") {
+	switch envknob.String("TS_DEBUG_PORTMAP_TYPE") {
 	case "":
 	case "pmp":
 		portmapper.DisablePCP = true
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -3,6 +3,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
+   L    github.com/anmitsu/go-shlex                                  from github.com/gliderlabs/ssh
   L    github.com/aws/aws-sdk-go-v2                                 from github.com/aws/aws-sdk-go-v2/internal/ini
   L    github.com/aws/aws-sdk-go-v2/aws                             from github.com/aws/aws-sdk-go-v2/aws/middleware+
   L    github.com/aws/aws-sdk-go-v2/aws/arn                         from tailscale.com/ipn/store/aws
@@ -60,18 +61,20 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/smithy-go/transport/http/internal/io          from github.com/aws/smithy-go/transport/http
   L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
+   L 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
+   L    github.com/gliderlabs/ssh                                    from tailscale.com/ssh/tailssh
   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
-        github.com/google/btree                                      from inet.af/netstack/tcpip/header+
+        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
   L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/insomniacslk/dhcp/rfc1035label                    from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/jmespath/go-jmespath                              from github.com/aws/aws-sdk-go-v2/service/ssm
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor+
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/klauspost/compress                                from github.com/klauspost/compress/zstd
   L    github.com/klauspost/compress/flate                          from nhooyr.io/websocket
@@ -115,46 +118,46 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.zx2c4.com/wireguard/tai64n                            from golang.zx2c4.com/wireguard/device
     💣 golang.zx2c4.com/wireguard/tun                               from golang.zx2c4.com/wireguard/device+
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/cmd/tailscaled+
+        gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/tcpip+
+     💣 gvisor.dev/gvisor/pkg/buffer                                 from gvisor.dev/gvisor/pkg/tcpip/stack
+        gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs+
+     💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire+
+        gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
+        gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/context+
+        gvisor.dev/gvisor/pkg/rand                                   from gvisor.dev/gvisor/pkg/tcpip/network/hash+
+        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/refsvfs2
+        gvisor.dev/gvisor/pkg/refsvfs2                               from gvisor.dev/gvisor/pkg/tcpip/stack
+     💣 gvisor.dev/gvisor/pkg/sleep                                  from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
+     💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
+        gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
+     💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/linewriter+
+        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
+     💣 gvisor.dev/gvisor/pkg/tcpip/buffer                           from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/hash/jenkins                     from gvisor.dev/gvisor/pkg/tcpip/stack+
+        gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/header/parse+
+        gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
+        gvisor.dev/gvisor/pkg/tcpip/internal/tcp                     from gvisor.dev/gvisor/pkg/tcpip/stack+
+        gvisor.dev/gvisor/pkg/tcpip/link/channel                     from tailscale.com/wgengine/netstack
+        gvisor.dev/gvisor/pkg/tcpip/network/hash                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
+        gvisor.dev/gvisor/pkg/tcpip/network/internal/fragmentation   from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
+        gvisor.dev/gvisor/pkg/tcpip/network/internal/ip              from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
+        gvisor.dev/gvisor/pkg/tcpip/network/ipv4                     from tailscale.com/net/tstun+
+        gvisor.dev/gvisor/pkg/tcpip/network/ipv6                     from tailscale.com/wgengine/netstack
+        gvisor.dev/gvisor/pkg/tcpip/ports                            from gvisor.dev/gvisor/pkg/tcpip/stack+
+        gvisor.dev/gvisor/pkg/tcpip/seqnum                           from gvisor.dev/gvisor/pkg/tcpip/header+
+     💣 gvisor.dev/gvisor/pkg/tcpip/stack                            from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/transport                        from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
+        gvisor.dev/gvisor/pkg/tcpip/transport/icmp                   from tailscale.com/wgengine/netstack
+        gvisor.dev/gvisor/pkg/tcpip/transport/internal/network       from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
+        gvisor.dev/gvisor/pkg/tcpip/transport/internal/noop          from gvisor.dev/gvisor/pkg/tcpip/transport/raw
+        gvisor.dev/gvisor/pkg/tcpip/transport/packet                 from gvisor.dev/gvisor/pkg/tcpip/transport/raw
+        gvisor.dev/gvisor/pkg/tcpip/transport/raw                    from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
+     💣 gvisor.dev/gvisor/pkg/tcpip/transport/tcp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/transport/tcpconntrack           from gvisor.dev/gvisor/pkg/tcpip/stack
+        gvisor.dev/gvisor/pkg/tcpip/transport/udp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context+
        inet.af/netaddr                                              from inet.af/wf+
-        inet.af/netstack/atomicbitops                                from inet.af/netstack/tcpip+
-     💣 inet.af/netstack/buffer                                      from inet.af/netstack/tcpip/stack
-        inet.af/netstack/context                                     from inet.af/netstack/refs+
-     💣 inet.af/netstack/gohacks                                     from inet.af/netstack/state/wire+
-        inet.af/netstack/linewriter                                  from inet.af/netstack/log
-        inet.af/netstack/log                                         from inet.af/netstack/state+
-        inet.af/netstack/rand                                        from inet.af/netstack/tcpip/network/hash+
-        inet.af/netstack/refs                                        from inet.af/netstack/refsvfs2
-        inet.af/netstack/refsvfs2                                    from inet.af/netstack/tcpip/stack
-     💣 inet.af/netstack/sleep                                       from inet.af/netstack/tcpip/transport/tcp
-     💣 inet.af/netstack/state                                       from inet.af/netstack/atomicbitops+
-        inet.af/netstack/state/wire                                  from inet.af/netstack/state
-     💣 inet.af/netstack/sync                                        from inet.af/netstack/linewriter+
-        inet.af/netstack/tcpip                                       from inet.af/netstack/tcpip/adapters/gonet+
-        inet.af/netstack/tcpip/adapters/gonet                        from tailscale.com/wgengine/netstack
-     💣 inet.af/netstack/tcpip/buffer                                from inet.af/netstack/tcpip/adapters/gonet+
-        inet.af/netstack/tcpip/hash/jenkins                          from inet.af/netstack/tcpip/stack+
-        inet.af/netstack/tcpip/header                                from inet.af/netstack/tcpip/header/parse+
-        inet.af/netstack/tcpip/header/parse                          from inet.af/netstack/tcpip/network/ipv4+
-        inet.af/netstack/tcpip/internal/tcp                          from inet.af/netstack/tcpip/stack+
-        inet.af/netstack/tcpip/link/channel                          from tailscale.com/wgengine/netstack
-        inet.af/netstack/tcpip/network/hash                          from inet.af/netstack/tcpip/network/ipv4+
-        inet.af/netstack/tcpip/network/internal/fragmentation        from inet.af/netstack/tcpip/network/ipv4+
-        inet.af/netstack/tcpip/network/internal/ip                   from inet.af/netstack/tcpip/network/ipv4+
-        inet.af/netstack/tcpip/network/ipv4                          from tailscale.com/net/tstun+
-        inet.af/netstack/tcpip/network/ipv6                          from tailscale.com/wgengine/netstack
-        inet.af/netstack/tcpip/ports                                 from inet.af/netstack/tcpip/stack+
-        inet.af/netstack/tcpip/seqnum                                from inet.af/netstack/tcpip/header+
-     💣 inet.af/netstack/tcpip/stack                                 from inet.af/netstack/tcpip/adapters/gonet+
-        inet.af/netstack/tcpip/transport                             from inet.af/netstack/tcpip/transport/icmp+
-        inet.af/netstack/tcpip/transport/icmp                        from tailscale.com/wgengine/netstack
-        inet.af/netstack/tcpip/transport/internal/network            from inet.af/netstack/tcpip/transport/icmp+
-        inet.af/netstack/tcpip/transport/internal/noop               from inet.af/netstack/tcpip/transport/raw
-        inet.af/netstack/tcpip/transport/packet                      from inet.af/netstack/tcpip/transport/raw
-        inet.af/netstack/tcpip/transport/raw                         from inet.af/netstack/tcpip/transport/icmp+
-     💣 inet.af/netstack/tcpip/transport/tcp                         from inet.af/netstack/tcpip/adapters/gonet+
-        inet.af/netstack/tcpip/transport/tcpconntrack                from inet.af/netstack/tcpip/stack
-        inet.af/netstack/tcpip/transport/udp                         from inet.af/netstack/tcpip/adapters/gonet+
-        inet.af/netstack/waiter                                      from inet.af/netstack/tcpip+
        inet.af/peercred                                             from tailscale.com/ipn/ipnserver
   W 💣 inet.af/wf                                                   from tailscale.com/wf
   L    nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
@@ -171,6 +174,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/tailscaled+
   L    tailscale.com/derp/wsconn                                    from tailscale.com/derp/derphttp
        tailscale.com/disco                                          from tailscale.com/derp+
+        tailscale.com/envknob                                        from tailscale.com/cmd/tailscaled+
        tailscale.com/health                                         from tailscale.com/control/controlclient+
        tailscale.com/hostinfo                                       from tailscale.com/control/controlclient+
        tailscale.com/ipn                                            from tailscale.com/client/tailscale+
@@ -181,23 +185,26 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
        tailscale.com/ipn/store/aws                                  from tailscale.com/ipn/ipnserver
        tailscale.com/kube                                           from tailscale.com/ipn
-        tailscale.com/log/filelogger                                 from tailscale.com/ipn/ipnserver
+        tailscale.com/log/filelogger                                 from tailscale.com/logpolicy
        tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
-        tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled
+        tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled+
        tailscale.com/logtail                                        from tailscale.com/logpolicy+
        tailscale.com/logtail/backoff                                from tailscale.com/cmd/tailscaled+
        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
-     💣 tailscale.com/metrics                                        from tailscale.com/derp
+     💣 tailscale.com/metrics                                        from tailscale.com/derp+
        tailscale.com/net/dns                                        from tailscale.com/cmd/tailscaled+
+        tailscale.com/net/dns/resolvconffile                         from tailscale.com/net/dns+
        tailscale.com/net/dns/resolver                               from tailscale.com/net/dns+
        tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlclient+
        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
     💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscaled+
        tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
+        tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
        tailscale.com/net/netknob                                    from tailscale.com/logpolicy+
        tailscale.com/net/netns                                      from tailscale.com/cmd/tailscaled+
     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
+        tailscale.com/net/netutil                                    from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/packet                                     from tailscale.com/net/tstun+
        tailscale.com/net/portmapper                                 from tailscale.com/cmd/tailscaled+
        tailscale.com/net/proxymux                                   from tailscale.com/cmd/tailscaled
@@ -212,12 +219,14 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
        tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
        tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
+   L 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/wgengine/netstack
     💣 tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
     💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
+        tailscale.com/tsweb                                          from tailscale.com/cmd/tailscaled
        tailscale.com/types/dnstype                                  from tailscale.com/ipn/ipnlocal+
        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
        tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
@@ -231,6 +240,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
        tailscale.com/types/preftype                                 from tailscale.com/ipn+
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
+        tailscale.com/types/views                                    from tailscale.com/tailcfg+
        tailscale.com/util/clientmetric                              from tailscale.com/ipn/localapi+
   L    tailscale.com/util/cmpver                                    from tailscale.com/net/dns
     💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
@@ -262,16 +272,19 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/acme                                     from tailscale.com/ipn/localapi
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device
-        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
+   L    golang.org/x/crypto/blowfish                                 from golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
+        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from crypto/tls+
+   L    golang.org/x/crypto/ed25519                                  from golang.org/x/crypto/ssh
        golang.org/x/crypto/hkdf                                     from crypto/tls
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/poly1305                                 from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+   L    golang.org/x/crypto/ssh                                      from github.com/gliderlabs/ssh+
        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from net/http+
@@ -297,26 +310,26 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
-        golang.org/x/time/rate                                       from inet.af/netstack/tcpip/stack+
+        golang.org/x/time/rate                                       from gvisor.dev/gvisor/pkg/tcpip/stack+
        bufio                                                        from compress/flate+
        bytes                                                        from bufio+
        compress/flate                                               from compress/gzip+
        compress/gzip                                                from internal/profile+
-        container/heap                                               from inet.af/netstack/tcpip/transport/tcp
+        container/heap                                               from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdsa+
        crypto/aes                                                   from crypto/ecdsa+
        crypto/cipher                                                from crypto/aes+
        crypto/des                                                   from crypto/tls+
-        crypto/dsa                                                   from crypto/x509
+        crypto/dsa                                                   from crypto/x509+
        crypto/ecdsa                                                 from crypto/tls+
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
        crypto/hmac                                                  from crypto/tls+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
-        crypto/rc4                                                   from crypto/tls
+        crypto/rc4                                                   from crypto/tls+
        crypto/rsa                                                   from crypto/tls+
        crypto/sha1                                                  from crypto/tls+
        crypto/sha256                                                from crypto/tls+
@@ -340,7 +353,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        fmt                                                          from compress/flate+
        hash                                                         from crypto+
        hash/crc32                                                   from compress/gzip+
-        hash/fnv                                                     from inet.af/netstack/tcpip/network/ipv6+
+        hash/fnv                                                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv6+
        hash/maphash                                                 from go4.org/mem
        html                                                         from net/http/pprof+
        io                                                           from bufio+
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -23,12 +23,13 @@ import (
 	"path/filepath"
 	"runtime"
 	"runtime/debug"
-	"strconv"
 	"strings"
 	"syscall"
 	"time"

 	"inet.af/netaddr"
+	"tailscale.com/control/controlclient"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/logpolicy"
@@ -41,6 +42,7 @@ import (
 	"tailscale.com/net/tstun"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
+	"tailscale.com/tsweb"
 	"tailscale.com/types/flagtype"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
@@ -66,11 +68,27 @@ func defaultTunName() string {
 		// as a magic value that uses/creates any free number.
 		return "utun"
 	case "linux":
-		if distro.Get() == distro.Synology {
+		switch distro.Get() {
+		case distro.Synology:
 			// Try TUN, but fall back to userspace networking if needed.
 			// See https://github.com/tailscale/tailscale-synology/issues/35
 			return "tailscale0,userspace-networking"
+		case distro.Gokrazy:
+			// Gokrazy doesn't yet work in tun mode because the whole
+			// Gokrazy thing is no C code, and Tailscale currently
+			// depends on the iptables binary for Linux's
+			// wgengine/router.
+			// But on Gokrazy there's no legacy iptables, so we could use netlink
+			// to program nft-iptables directly. It just isn't done yet;
+			// see https://github.com/tailscale/tailscale/issues/391
+			//
+			// But Gokrazy does have the tun module built-in, so users
+			// can stil run --tun=tailscale0 if they wish, if they
+			// arrange for iptables to be present or run in "tailscale
+			// up --netfilter-mode=off" mode, perhaps. Untested.
+			return "userspace-networking"
 		}
+
 	}
 	return "tailscale0"
 }
@@ -122,7 +140,7 @@ func main() {
 	flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
 	flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
 	flag.Var(flagtype.PortValue(&args.port, 0), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
-	flag.StringVar(&args.statepath, "state", paths.DefaultTailscaledStateFile(), "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM. If empty and --statedir is provided, the default is <statedir>/tailscaled.state")
+	flag.StringVar(&args.statepath, "state", paths.DefaultTailscaledStateFile(), "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state")
 	flag.StringVar(&args.statedir, "statedir", "", "path to directory for storage of config state, TLS certs, temporary incoming Taildrop files, etc. If empty, it's derived from --state when possible.")
 	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
 	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
@@ -223,7 +241,7 @@ func statePathOrDefault() string {
 func ipnServerOpts() (o ipnserver.Options) {
 	// Allow changing the OS-specific IPN behavior for tests
 	// so we can e.g. test Windows-specific behaviors on Linux.
-	goos := os.Getenv("TS_DEBUG_TAILSCALED_IPN_GOOS")
+	goos := envknob.String("TS_DEBUG_TAILSCALED_IPN_GOOS")
 	if goos == "" {
 		goos = runtime.GOOS
 	}
@@ -237,8 +255,19 @@ func ipnServerOpts() (o ipnserver.Options) {
 			o.VarRoot = dir
 		}
 	}
+	if strings.HasPrefix(statePathOrDefault(), "mem:") {
+		// Register as an ephemeral node.
+		o.LoginFlags = controlclient.LoginEphemeral
+	}

 	switch goos {
+	case "js":
+		// The js/wasm client has no state storage so for now
+		// treat all interactive logins as ephemeral.
+		// TODO(bradfitz): if we start using browser LocalStorage
+		// or something, then rethink this.
+		o.LoginFlags = controlclient.LoginEphemeral
+		fallthrough
 	default:
 		o.SurviveDisconnects = true
 		o.AutostartStateKey = ipn.GlobalDaemonStateKey
@@ -271,13 +300,13 @@ func run() error {
 	}

 	var logf logger.Logf = log.Printf
-	if v, _ := strconv.ParseBool(os.Getenv("TS_DEBUG_MEMORY")); v {
+	if envknob.Bool("TS_DEBUG_MEMORY") {
 		logf = logger.RusagePrefixLog(logf)
 	}
 	logf = logger.RateLimitedFn(logf, 5*time.Second, 5, 100)

 	if args.cleanup {
-		if os.Getenv("TS_PLEASE_PANIC") != "" {
+		if envknob.Bool("TS_PLEASE_PANIC") {
 			panic("TS_PLEASE_PANIC asked us to panic")
 		}
 		dns.Cleanup(logf, args.tunname)
@@ -295,7 +324,6 @@ func run() error {
 	var debugMux *http.ServeMux
 	if args.debug != "" {
 		debugMux = newDebugMux()
-		go runDebugServer(debugMux, args.debug)
 	}

 	linkMon, err := monitor.New(logf)
@@ -314,6 +342,14 @@ func run() error {
 	if _, ok := e.(wgengine.ResolvingEngine).GetResolver(); !ok {
 		panic("internal error: exit node resolver not wired up")
 	}
+	if debugMux != nil {
+		if ig, ok := e.(wgengine.InternalsGetter); ok {
+			if _, mc, ok := ig.GetInternals(); ok {
+				debugMux.HandleFunc("/debug/magicsock", mc.ServeHTTPDebug)
+			}
+		}
+		go runDebugServer(debugMux, args.debug)
+	}

 	ns, err := newNetstack(logf, dialer, e)
 	if err != nil {
@@ -321,9 +357,6 @@ func run() error {
 	}
 	ns.ProcessLocalIPs = useNetstack
 	ns.ProcessSubnets = useNetstack || wrapNetstack
-	if err := ns.Start(); err != nil {
-		return fmt.Errorf("failed to start netstack: %w", err)
-	}

 	if useNetstack {
 		dialer.UseNetstackForIP = func(ip netaddr.IP) bool {
@@ -334,7 +367,6 @@ func run() error {
 			return ns.DialContextTCP(ctx, dst)
 		}
 	}
-
 	if socksListener != nil || httpProxyListener != nil {
 		if httpProxyListener != nil {
 			hs := &http.Server{Handler: httpProxyHandler(dialer.UserDial)}
@@ -384,6 +416,10 @@ func run() error {
 	if err != nil {
 		return fmt.Errorf("ipnserver.New: %w", err)
 	}
+	ns.SetLocalBackend(srv.LocalBackend())
+	if err := ns.Start(); err != nil {
+		log.Fatalf("failed to start netstack: %v", err)
+	}

 	if debugMux != nil {
 		debugMux.HandleFunc("/debug/ipn", srv.ServeHTMLStatus)
@@ -423,11 +459,7 @@ func createEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer)
 var wrapNetstack = shouldWrapNetstack()

 func shouldWrapNetstack() bool {
-	if e := os.Getenv("TS_DEBUG_WRAP_NETSTACK"); e != "" {
-		v, err := strconv.ParseBool(e)
-		if err != nil {
-			log.Fatalf("invalid TS_DEBUG_WRAP_NETSTACK value: %v", err)
-		}
+	if v, ok := envknob.LookupBool("TS_DEBUG_WRAP_NETSTACK"); ok {
 		return v
 	}
 	if distro.Get() == distro.Synology {
@@ -459,7 +491,20 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 			return nil, false, fmt.Errorf("createBIRDClient: %w", err)
 		}
 	}
-	if !useNetstack {
+	if useNetstack {
+		if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
+			// On Synology in netstack mode, still init a DNS
+			// manager (directManager) to avoid the health check
+			// warnings in 'tailscale status' about DNS base
+			// configuration being unavailable (from the noop
+			// manager). More in Issue 4017.
+			// TODO(bradfitz): add a Synology-specific DNS manager.
+			conf.DNS, err = dns.NewOSConfigurator(logf, "") // empty interface name
+			if err != nil {
+				return nil, false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
+			}
+		}
+	} else {
 		dev, devName, err := tstun.New(logf, name)
 		if err != nil {
 			tstun.Diagnose(logf, name)
@@ -507,6 +552,7 @@ func newDebugMux() *http.ServeMux {

 func servePrometheusMetrics(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/plain")
+	tsweb.VarzHandler(w, r)
 	clientmetric.WritePrometheusExpositionFormat(w)
 }

--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -29,6 +29,7 @@ import (
 	"golang.org/x/sys/windows/svc"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"inet.af/netaddr"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/logpolicy"
 	"tailscale.com/net/dns"
@@ -55,6 +56,11 @@ func isWindowsService() bool {
 	return v
 }

+// runWindowsService starts running Tailscale under the Windows
+// Service environment.
+//
+// At this point we're still the parent process that
+// Windows started.
 func runWindowsService(pol *logpolicy.Policy) error {
 	return svc.Run(serviceName, &ipnService{Policy: pol})
 }
@@ -68,7 +74,7 @@ func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 	changes <- svc.Status{State: svc.StartPending}

 	svcAccepts := svc.AcceptStop
-	if winutil.GetRegInteger("FlushDNSOnSessionUnlock", 0) != 0 {
+	if winutil.GetPolicyInteger("FlushDNSOnSessionUnlock", 0) != 0 {
 		svcAccepts |= svc.AcceptSessionChange
 	}

@@ -93,6 +99,7 @@ func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 		select {
 		case <-doneCh:
 		case cmd := <-r:
+			log.Printf("Got Windows Service event: %v", cmdName(cmd.Cmd))
 			switch cmd.Cmd {
 			case svc.Stop:
 				cancel()
@@ -109,6 +116,42 @@ func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 	return false, windows.NO_ERROR
 }

+func cmdName(c svc.Cmd) string {
+	switch c {
+	case svc.Stop:
+		return "Stop"
+	case svc.Pause:
+		return "Pause"
+	case svc.Continue:
+		return "Continue"
+	case svc.Interrogate:
+		return "Interrogate"
+	case svc.Shutdown:
+		return "Shutdown"
+	case svc.ParamChange:
+		return "ParamChange"
+	case svc.NetBindAdd:
+		return "NetBindAdd"
+	case svc.NetBindRemove:
+		return "NetBindRemove"
+	case svc.NetBindEnable:
+		return "NetBindEnable"
+	case svc.NetBindDisable:
+		return "NetBindDisable"
+	case svc.DeviceEvent:
+		return "DeviceEvent"
+	case svc.HardwareProfileChange:
+		return "HardwareProfileChange"
+	case svc.PowerEvent:
+		return "PowerEvent"
+	case svc.SessionChange:
+		return "SessionChange"
+	case svc.PreShutdown:
+		return "PreShutdown"
+	}
+	return fmt.Sprintf("Unknown-Service-Cmd-%d", c)
+}
+
 func beWindowsSubprocess() bool {
 	if beFirewallKillswitch() {
 		return true
@@ -272,7 +315,7 @@ func startIPNServer(ctx context.Context, logid string) error {
 	// not called concurrently and is not called again once it
 	// successfully returns an engine.
 	getEngine := func() (wgengine.Engine, error) {
-		if msg := os.Getenv("TS_DEBUG_WIN_FAIL"); msg != "" {
+		if msg := envknob.String("TS_DEBUG_WIN_FAIL"); msg != "" {
 			return nil, fmt.Errorf("pretending to be a service failure: %v", msg)
 		}
 		for {
--- a/control/controlbase/conn.go
+++ b/control/controlbase/conn.go
@@ -2,12 +2,12 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// Package noise implements the base transport of the Tailscale 2021
-// control protocol.
+// Package controlbase implements the base transport of the Tailscale
+// 2021 control protocol.
 //
 // The base transport implements Noise IK, instantiated with
 // Curve25519, ChaCha20Poly1305 and BLAKE2s.
-package noise
+package controlbase

 import (
 	"crypto/cipher"
--- a/control/controlbase/conn_test.go
+++ b/control/controlbase/conn_test.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package noise
+package controlbase

 import (
 	"bufio"
@@ -202,7 +202,7 @@ func TestConnStd(t *testing.T) {
 		serverErr := make(chan error, 1)
 		go func() {
 			var err error
-			c2, err = Server(context.Background(), s2, controlKey)
+			c2, err = Server(context.Background(), s2, controlKey, nil)
 			serverErr <- err
 		}()
 		c1, err = Client(context.Background(), s1, machineKey, controlKey.Public())
@@ -319,7 +319,7 @@ func pairWithConns(t *testing.T, clientConn, serverConn net.Conn) (*Conn, *Conn)
 	)
 	go func() {
 		var err error
-		server, err = Server(context.Background(), serverConn, controlKey)
+		server, err = Server(context.Background(), serverConn, controlKey, nil)
 		serverErr <- err
 	}()

--- a/control/controlbase/handshake.go
+++ b/control/controlbase/handshake.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package noise
+package controlbase

 import (
 	"context"
@@ -50,21 +50,23 @@ func protocolVersionPrologue(version uint16) []byte {
 	return strconv.AppendUint(ret, uint64(version), 10)
 }

-// Client initiates a control client handshake, returning the resulting
-// control connection.
-//
-// The context deadline, if any, covers the entire handshaking
-// process. Any preexisting Conn deadline is removed.
-func Client(ctx context.Context, conn net.Conn, machineKey key.MachinePrivate, controlKey key.MachinePublic) (*Conn, error) {
-	if deadline, ok := ctx.Deadline(); ok {
-		if err := conn.SetDeadline(deadline); err != nil {
-			return nil, fmt.Errorf("setting conn deadline: %w", err)
-		}
-		defer func() {
-			conn.SetDeadline(time.Time{})
-		}()
-	}
+// HandshakeContinuation upgrades a net.Conn to a Conn. The net.Conn
+// is assumed to have already sent the client>server handshake
+// initiation message.
+type HandshakeContinuation func(context.Context, net.Conn) (*Conn, error)

+// ClientDeferred initiates a control client handshake, returning the
+// initial message to send to the server and a continuation to
+// finalize the handshake.
+//
+// ClientDeferred is split in this way for RTT reduction: we run this
+// protocol after negotiating a protocol switch from HTTP/HTTPS. If we
+// completely serialized the negotiation followed by the handshake,
+// we'd pay an extra RTT to transmit the handshake initiation after
+// protocol switching. By splitting the handshake into an initial
+// message and a continuation, we can embed the handshake initiation
+// into the HTTP protocol switching request and avoid a bit of delay.
+func ClientDeferred(machineKey key.MachinePrivate, controlKey key.MachinePublic) (initialHandshake []byte, continueHandshake HandshakeContinuation, err error) {
 	var s symmetricState
 	s.Initialize()

@@ -83,18 +85,53 @@ func Client(ctx context.Context, conn net.Conn, machineKey key.MachinePrivate, c
 	s.MixHash(machineEphemeralPub.UntypedBytes())
 	cipher, err := s.MixDH(machineEphemeral, controlKey)
 	if err != nil {
-		return nil, fmt.Errorf("computing es: %w", err)
+		return nil, nil, fmt.Errorf("computing es: %w", err)
 	}
 	machineKeyPub := machineKey.Public()
 	s.EncryptAndHash(cipher, init.MachinePub(), machineKeyPub.UntypedBytes())
 	cipher, err = s.MixDH(machineKey, controlKey)
 	if err != nil {
-		return nil, fmt.Errorf("computing ss: %w", err)
+		return nil, nil, fmt.Errorf("computing ss: %w", err)
 	}
 	s.EncryptAndHash(cipher, init.Tag(), nil) // empty message payload

-	if _, err := conn.Write(init[:]); err != nil {
-		return nil, fmt.Errorf("writing initiation: %w", err)
+	cont := func(ctx context.Context, conn net.Conn) (*Conn, error) {
+		return continueClientHandshake(ctx, conn, &s, machineKey, machineEphemeral, controlKey)
+	}
+	return init[:], cont, nil
+}
+
+// Client wraps ClientDeferred and immediately invokes the returned
+// continuation with conn.
+//
+// This is a helper for when you don't need the fancy
+// continuation-style handshake, and just want to synchronously
+// upgrade a net.Conn to a secure transport.
+func Client(ctx context.Context, conn net.Conn, machineKey key.MachinePrivate, controlKey key.MachinePublic) (*Conn, error) {
+	init, cont, err := ClientDeferred(machineKey, controlKey)
+	if err != nil {
+		return nil, err
+	}
+	if _, err := conn.Write(init); err != nil {
+		return nil, err
+	}
+	return cont(ctx, conn)
+}
+
+func continueClientHandshake(ctx context.Context, conn net.Conn, s *symmetricState, machineKey, machineEphemeral key.MachinePrivate, controlKey key.MachinePublic) (*Conn, error) {
+	// No matter what, this function can only run once per s. Ensure
+	// attempted reuse causes a panic.
+	defer func() {
+		s.finished = true
+	}()
+
+	if deadline, ok := ctx.Deadline(); ok {
+		if err := conn.SetDeadline(deadline); err != nil {
+			return nil, fmt.Errorf("setting conn deadline: %w", err)
+		}
+		defer func() {
+			conn.SetDeadline(time.Time{})
+		}()
 	}

 	// Read in the payload and look for errors/protocol violations from the server.
@@ -122,10 +159,10 @@ func Client(ctx context.Context, conn net.Conn, machineKey key.MachinePrivate, c
 	// <- e, ee, se
 	controlEphemeralPub := key.MachinePublicFromRaw32(mem.B(resp.EphemeralPub()))
 	s.MixHash(controlEphemeralPub.UntypedBytes())
-	if _, err = s.MixDH(machineEphemeral, controlEphemeralPub); err != nil {
+	if _, err := s.MixDH(machineEphemeral, controlEphemeralPub); err != nil {
 		return nil, fmt.Errorf("computing ee: %w", err)
 	}
-	cipher, err = s.MixDH(machineKey, controlEphemeralPub)
+	cipher, err := s.MixDH(machineKey, controlEphemeralPub)
 	if err != nil {
 		return nil, fmt.Errorf("computing se: %w", err)
 	}
@@ -156,9 +193,13 @@ func Client(ctx context.Context, conn net.Conn, machineKey key.MachinePrivate, c
 // Server initiates a control server handshake, returning the resulting
 // control connection.
 //
+// optionalInit can be the client's initial handshake message as
+// returned by ClientDeferred, or nil in which case the initial
+// message is read from conn.
+//
 // The context deadline, if any, covers the entire handshaking
 // process.
-func Server(ctx context.Context, conn net.Conn, controlKey key.MachinePrivate) (*Conn, error) {
+func Server(ctx context.Context, conn net.Conn, controlKey key.MachinePrivate, optionalInit []byte) (*Conn, error) {
 	if deadline, ok := ctx.Deadline(); ok {
 		if err := conn.SetDeadline(deadline); err != nil {
 			return nil, fmt.Errorf("setting conn deadline: %w", err)
@@ -190,7 +231,12 @@ func Server(ctx context.Context, conn net.Conn, controlKey key.MachinePrivate) (
 	s.Initialize()

 	var init initiationMessage
-	if _, err := io.ReadFull(conn, init.Header()); err != nil {
+	if optionalInit != nil {
+		if len(optionalInit) != len(init) {
+			return nil, sendErr("wrong handshake initiation size")
+		}
+		copy(init[:], optionalInit)
+	} else if _, err := io.ReadFull(conn, init.Header()); err != nil {
 		return nil, err
 	}
 	if init.Version() != protocolVersion {
@@ -202,8 +248,11 @@ func Server(ctx context.Context, conn net.Conn, controlKey key.MachinePrivate) (
 	if init.Length() != len(init.Payload()) {
 		return nil, sendErr("wrong handshake initiation length")
 	}
-	if _, err := io.ReadFull(conn, init.Payload()); err != nil {
-		return nil, err
+	// if optionalInit was provided, we have the payload already.
+	if optionalInit == nil {
+		if _, err := io.ReadFull(conn, init.Payload()); err != nil {
+			return nil, err
+		}
 	}

 	// prologue. Can only do this once we at least think the client is
--- a/control/controlbase/handshake_test.go
+++ b/control/controlbase/handshake_test.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package noise
+package controlbase

 import (
 	"bytes"
@@ -26,7 +26,7 @@ func TestHandshake(t *testing.T) {
 	)
 	go func() {
 		var err error
-		server, err = Server(context.Background(), serverConn, serverKey)
+		server, err = Server(context.Background(), serverConn, serverKey, nil)
 		serverErr <- err
 	}()

@@ -78,7 +78,7 @@ func TestNoReuse(t *testing.T) {
 		)
 		go func() {
 			var err error
-			server, err = Server(context.Background(), serverConn, serverKey)
+			server, err = Server(context.Background(), serverConn, serverKey, nil)
 			serverErr <- err
 		}()

@@ -172,7 +172,7 @@ func TestTampering(t *testing.T) {
 			serverErr             = make(chan error, 1)
 		)
 		go func() {
-			_, err := Server(context.Background(), serverConn, serverKey)
+			_, err := Server(context.Background(), serverConn, serverKey, nil)
 			// If the server failed, we have to close the Conn to
 			// unblock the client.
 			if err != nil {
@@ -200,7 +200,7 @@ func TestTampering(t *testing.T) {
 			serverErr             = make(chan error, 1)
 		)
 		go func() {
-			_, err := Server(context.Background(), serverConn, serverKey)
+			_, err := Server(context.Background(), serverConn, serverKey, nil)
 			serverErr <- err
 		}()

@@ -225,7 +225,7 @@ func TestTampering(t *testing.T) {
 			serverErr             = make(chan error, 1)
 		)
 		go func() {
-			server, err := Server(context.Background(), serverConn, serverKey)
+			server, err := Server(context.Background(), serverConn, serverKey, nil)
 			serverErr <- err
 			_, err = io.WriteString(server, strings.Repeat("a", 14))
 			serverErr <- err
@@ -266,7 +266,7 @@ func TestTampering(t *testing.T) {
 			serverErr             = make(chan error, 1)
 		)
 		go func() {
-			server, err := Server(context.Background(), serverConn, serverKey)
+			server, err := Server(context.Background(), serverConn, serverKey, nil)
 			serverErr <- err
 			var bs [100]byte
 			// The server needs a timeout if the tampering is hitting the length header.
--- a/control/controlbase/interop_test.go
+++ b/control/controlbase/interop_test.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package noise
+package controlbase

 import (
 	"context"
@@ -29,7 +29,7 @@ func TestInteropClient(t *testing.T) {
 	)

 	go func() {
-		server, err := Server(context.Background(), s2, controlKey)
+		server, err := Server(context.Background(), s2, controlKey, nil)
 		serverErr <- err
 		if err != nil {
 			return
--- a/control/controlbase/messages.go
+++ b/control/controlbase/messages.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package noise
+package controlbase

 import "encoding/binary"

--- a/control/controlbase/noiseexplorer_test.go
+++ b/control/controlbase/noiseexplorer_test.go
@@ -24,7 +24,7 @@ IK:
 * PARAMETERS                                                       *
 * ---------------------------------------------------------------- */

-package noise
+package controlbase

 import (
 	"crypto/rand"
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -266,9 +266,9 @@ func (c *Auto) authRoutine() {
 		goal := c.loginGoal
 		ctx := c.authCtx
 		if goal != nil {
-			c.logf("authRoutine: %s; wantLoggedIn=%v", c.state, goal.wantLoggedIn)
+			c.logf("[v1] authRoutine: %s; wantLoggedIn=%v", c.state, goal.wantLoggedIn)
 		} else {
-			c.logf("authRoutine: %s; goal=nil paused=%v", c.state, c.paused)
+			c.logf("[v1] authRoutine: %s; goal=nil paused=%v", c.state, c.paused)
 		}
 		c.mu.Unlock()

@@ -414,7 +414,7 @@ func (c *Auto) mapRoutine() {
 			}
 			continue
 		}
-		c.logf("mapRoutine: %s", c.state)
+		c.logf("[v1] mapRoutine: %s", c.state)
 		loggedIn := c.loggedIn
 		ctx := c.mapCtx
 		c.mu.Unlock()
@@ -445,9 +445,9 @@ func (c *Auto) mapRoutine() {

 			select {
 			case <-ctx.Done():
-				c.logf("mapRoutine: context done.")
+				c.logf("[v1] mapRoutine: context done.")
 			case <-c.newMapCh:
-				c.logf("mapRoutine: new map needed while idle.")
+				c.logf("[v1] mapRoutine: new map needed while idle.")
 			}
 		} else {
 			// Be sure this is false when we're not inside
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -21,7 +21,6 @@ import (
 	"os/exec"
 	"reflect"
 	"runtime"
-	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -30,6 +29,7 @@ import (
 	"go4.org/mem"
 	"inet.af/netaddr"
 	"tailscale.com/control/controlknobs"
+	"tailscale.com/envknob"
 	"tailscale.com/health"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn/ipnstate"
@@ -168,6 +168,10 @@ func NewDirect(opts Options) (*Direct, error) {
 		tr.DialContext = dnscache.Dialer(dialer.DialContext, dnsCache)
 		tr.DialTLSContext = dnscache.TLSDialer(dialer.DialContext, dnsCache, tr.TLSClientConfig)
 		tr.ForceAttemptHTTP2 = true
+		// Disable implicit gzip compression; the various
+		// handlers (register, map, set-dns, etc) do their own
+		// zstd compression per naclbox.
+		tr.DisableCompression = true
 		httpc = &http.Client{Transport: tr}
 	}

@@ -210,7 +214,7 @@ func (c *Direct) SetHostinfo(hi *tailcfg.Hostinfo) bool {
 	}
 	c.hostinfo = hi.Clone()
 	j, _ := json.Marshal(c.hostinfo)
-	c.logf("HostInfo: %s", j)
+	c.logf("[v1] HostInfo: %s", j)
 	return true
 }

@@ -241,10 +245,10 @@ func (c *Direct) GetPersist() persist.Persist {
 }

 func (c *Direct) TryLogout(ctx context.Context) error {
-	c.logf("direct.TryLogout()")
+	c.logf("[v1] direct.TryLogout()")

 	mustRegen, newURL, err := c.doLogin(ctx, loginOpt{Logout: true})
-	c.logf("TryLogout control response: mustRegen=%v, newURL=%v, err=%v", mustRegen, newURL, err)
+	c.logf("[v1] TryLogout control response: mustRegen=%v, newURL=%v, err=%v", mustRegen, newURL, err)

 	c.mu.Lock()
 	c.persist = persist.Persist{}
@@ -254,7 +258,7 @@ func (c *Direct) TryLogout(ctx context.Context) error {
 }

 func (c *Direct) TryLogin(ctx context.Context, t *tailcfg.Oauth2Token, flags LoginFlags) (url string, err error) {
-	c.logf("direct.TryLogin(token=%v, flags=%v)", t != nil, flags)
+	c.logf("[v1] direct.TryLogin(token=%v, flags=%v)", t != nil, flags)
 	return c.doLoginOrRegen(ctx, loginOpt{Token: t, Flags: flags})
 }

@@ -262,7 +266,7 @@ func (c *Direct) TryLogin(ctx context.Context, t *tailcfg.Oauth2Token, flags Log
 //
 // On success, newURL and err will both be nil.
 func (c *Direct) WaitLoginURL(ctx context.Context, url string) (newURL string, err error) {
-	c.logf("direct.WaitLoginURL")
+	c.logf("[v1] direct.WaitLoginURL")
 	return c.doLoginOrRegen(ctx, loginOpt{URL: url})
 }

@@ -465,7 +469,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	if resp.AuthURL != "" {
 		c.logf("AuthURL is %v", resp.AuthURL)
 	} else {
-		c.logf("No AuthURL")
+		c.logf("[v1] No AuthURL")
 	}

 	c.mu.Lock()
@@ -516,7 +520,7 @@ func (c *Direct) newEndpoints(localPort uint16, endpoints []tailcfg.Endpoint) (c
 	for _, ep := range endpoints {
 		epStrs = append(epStrs, ep.Addr.String())
 	}
-	c.logf("client.newEndpoints(%v, %v)", localPort, epStrs)
+	c.logf("[v2] client.newEndpoints(%v, %v)", localPort, epStrs)
 	c.localPort = localPort
 	c.endpoints = append(c.endpoints[:0], endpoints...)
 	if len(endpoints) > 0 {
@@ -768,6 +772,9 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 			go answerPing(c.logf, c.httpc, pr)
 		}

+		if resp.ControlTime != nil && !resp.ControlTime.IsZero() {
+			c.logf.JSON(1, "controltime", resp.ControlTime.UTC())
+		}
 		if resp.KeepAlive {
 			vlogf("netmap: got keep-alive")
 		} else {
@@ -821,10 +828,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm

 		if Debug.StripEndpoints {
 			for _, p := range resp.Peers {
-				// We need at least one endpoint here for now else
-				// other code doesn't even create the discoEndpoint.
-				// TODO(bradfitz): fix that and then just nil this out.
-				p.Endpoints = []string{"127.9.9.9:456"}
+				p.Endpoints = nil
 			}
 		}
 		if Debug.StripCaps {
@@ -874,8 +878,8 @@ func decode(res *http.Response, v interface{}, serverKey key.MachinePublic, mkey
 }

 var (
-	debugMap, _      = strconv.ParseBool(os.Getenv("TS_DEBUG_MAP"))
-	debugRegister, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_REGISTER"))
+	debugMap      = envknob.Bool("TS_DEBUG_MAP")
+	debugRegister = envknob.Bool("TS_DEBUG_REGISTER")
 )

 var jsonEscapedZero = []byte(`\u0000`)
@@ -985,26 +989,14 @@ type debug struct {

 func initDebug() debug {
 	return debug{
-		NetMap:         envBool("TS_DEBUG_NETMAP"),
-		ProxyDNS:       envBool("TS_DEBUG_PROXY_DNS"),
-		StripEndpoints: envBool("TS_DEBUG_STRIP_ENDPOINTS"),
-		StripCaps:      envBool("TS_DEBUG_STRIP_CAPS"),
-		Disco:          os.Getenv("TS_DEBUG_USE_DISCO") == "" || envBool("TS_DEBUG_USE_DISCO"),
+		NetMap:         envknob.Bool("TS_DEBUG_NETMAP"),
+		ProxyDNS:       envknob.Bool("TS_DEBUG_PROXY_DNS"),
+		StripEndpoints: envknob.Bool("TS_DEBUG_STRIP_ENDPOINTS"),
+		StripCaps:      envknob.Bool("TS_DEBUG_STRIP_CAPS"),
+		Disco:          envknob.BoolDefaultTrue("TS_DEBUG_USE_DISCO"),
 	}
 }

-func envBool(k string) bool {
-	e := os.Getenv(k)
-	if e == "" {
-		return false
-	}
-	v, err := strconv.ParseBool(e)
-	if err != nil {
-		panic(fmt.Sprintf("invalid non-bool %q for env var %q", e, k))
-	}
-	return v
-}
-
 var clockNow = time.Now

 // opt.Bool configs from control.
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -6,11 +6,10 @@ package controlclient

 import (
 	"log"
-	"os"
 	"sort"
-	"strconv"

 	"inet.af/netaddr"
+	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -40,6 +39,7 @@ type mapSession struct {
 	lastDERPMap            *tailcfg.DERPMap
 	lastUserProfile        map[tailcfg.UserID]tailcfg.UserProfile
 	lastParsedPacketFilter []filter.Match
+	lastSSHPolicy          *tailcfg.SSHPolicy
 	collectServices        bool
 	previousPeers          []*tailcfg.Node // for delta-purposes
 	lastDomain             string
@@ -98,6 +98,9 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 	if c := resp.DNSConfig; c != nil {
 		ms.lastDNSConfig = c
 	}
+	if p := resp.SSHPolicy; p != nil {
+		ms.lastSSHPolicy = p
+	}

 	if v, ok := resp.CollectServices.Get(); ok {
 		ms.collectServices = v
@@ -118,6 +121,7 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 		Domain:          ms.lastDomain,
 		DNS:             *ms.lastDNSConfig,
 		PacketFilter:    ms.lastParsedPacketFilter,
+		SSHPolicy:       ms.lastSSHPolicy,
 		CollectServices: ms.collectServices,
 		DERPMap:         ms.lastDERPMap,
 		Debug:           resp.Debug,
@@ -134,7 +138,9 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 		nm.Name = node.Name
 		nm.Addresses = filterSelfAddresses(node.Addresses)
 		nm.User = node.User
-		nm.Hostinfo = node.Hostinfo
+		if node.Hostinfo.Valid() {
+			nm.Hostinfo = *node.Hostinfo.AsStruct()
+		}
 		if node.MachineAuthorized {
 			nm.MachineStatus = tailcfg.MachineAuthorized
 		} else {
@@ -289,7 +295,7 @@ func cloneNodes(v1 []*tailcfg.Node) []*tailcfg.Node {
 	return v2
 }

-var debugSelfIPv6Only, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_SELF_V6_ONLY"))
+var debugSelfIPv6Only = envknob.Bool("TS_DEBUG_SELF_V6_ONLY")

 func filterSelfAddresses(in []netaddr.IPPrefix) (ret []netaddr.IPPrefix) {
 	switch {
--- a/control/controlclient/sign_supported.go
+++ b/control/controlclient/sign_supported.go
@@ -18,6 +18,7 @@ import (
 	"errors"
 	"fmt"
 	"sync"
+	"time"

 	"github.com/tailscale/certstore"
 	"tailscale.com/tailcfg"
@@ -73,23 +74,46 @@ func isSubjectInChain(subject string, chain []*x509.Certificate) bool {
 	return false
 }

-func selectIdentityFromSlice(subject string, ids []certstore.Identity) (certstore.Identity, []*x509.Certificate) {
+func selectIdentityFromSlice(subject string, ids []certstore.Identity, now time.Time) (certstore.Identity, []*x509.Certificate) {
+	var bestCandidate struct {
+		id    certstore.Identity
+		chain []*x509.Certificate
+	}
+
 	for _, id := range ids {
 		chain, err := id.CertificateChain()
 		if err != nil {
 			continue
 		}

+		if len(chain) < 1 {
+			continue
+		}
+
 		if !isSupportedCertificate(chain[0]) {
 			continue
 		}

-		if isSubjectInChain(subject, chain) {
-			return id, chain
+		if now.Before(chain[0].NotBefore) || now.After(chain[0].NotAfter) {
+			// Certificate is not valid at this time
+			continue
 		}
+
+		if !isSubjectInChain(subject, chain) {
+			continue
+		}
+
+		// Select the most recently issued certificate. If there is a tie, pick
+		// one arbitrarily.
+		if len(bestCandidate.chain) > 0 && bestCandidate.chain[0].NotBefore.After(chain[0].NotBefore) {
+			continue
+		}
+
+		bestCandidate.id = id
+		bestCandidate.chain = chain
 	}

-	return nil, nil
+	return bestCandidate.id, bestCandidate.chain
 }

 // findIdentity locates an identity from the Windows or Darwin certificate
@@ -105,7 +129,7 @@ func findIdentity(subject string, st certstore.Store) (certstore.Identity, []*x5
 		return nil, nil, err
 	}

-	selected, chain := selectIdentityFromSlice(subject, ids)
+	selected, chain := selectIdentityFromSlice(subject, ids, time.Now())

 	for _, id := range ids {
 		if id != selected {
--- a/control/controlclient/sign_supported_test.go
+++ b/control/controlclient/sign_supported_test.go
@@ -0,0 +1,238 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build windows && cgo
+// +build windows,cgo
+
+package controlclient
+
+import (
+	"crypto"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"errors"
+	"reflect"
+	"testing"
+	"time"
+
+	"github.com/tailscale/certstore"
+)
+
+const (
+	testRootCommonName = "testroot"
+	testRootSubject    = "CN=testroot"
+)
+
+type testIdentity struct {
+	chain []*x509.Certificate
+}
+
+func makeChain(rootCommonName string, notBefore, notAfter time.Time) []*x509.Certificate {
+	return []*x509.Certificate{
+		{
+			NotBefore:          notBefore,
+			NotAfter:           notAfter,
+			PublicKeyAlgorithm: x509.RSA,
+		},
+		{
+			Subject: pkix.Name{
+				CommonName: rootCommonName,
+			},
+			PublicKeyAlgorithm: x509.RSA,
+		},
+	}
+}
+
+func (t *testIdentity) Certificate() (*x509.Certificate, error) {
+	return t.chain[0], nil
+}
+
+func (t *testIdentity) CertificateChain() ([]*x509.Certificate, error) {
+	return t.chain, nil
+}
+
+func (t *testIdentity) Signer() (crypto.Signer, error) {
+	return nil, errors.New("not implemented")
+}
+
+func (t *testIdentity) Delete() error {
+	return errors.New("not implemented")
+}
+
+func (t *testIdentity) Close() {}
+
+func TestSelectIdentityFromSlice(t *testing.T) {
+	var times []time.Time
+	for _, ts := range []string{
+		"2000-01-01T00:00:00Z",
+		"2001-01-01T00:00:00Z",
+		"2002-01-01T00:00:00Z",
+		"2003-01-01T00:00:00Z",
+	} {
+		tm, err := time.Parse(time.RFC3339, ts)
+		if err != nil {
+			t.Fatal(err)
+		}
+		times = append(times, tm)
+	}
+
+	tests := []struct {
+		name    string
+		subject string
+		ids     []certstore.Identity
+		now     time.Time
+		// wantIndex is an index into ids, or -1 for nil.
+		wantIndex int
+	}{
+		{
+			name:    "single unexpired identity",
+			subject: testRootSubject,
+			ids: []certstore.Identity{
+				&testIdentity{
+					chain: makeChain(testRootCommonName, times[0], times[2]),
+				},
+			},
+			now:       times[1],
+			wantIndex: 0,
+		},
+		{
+			name:    "single expired identity",
+			subject: testRootSubject,
+			ids: []certstore.Identity{
+				&testIdentity{
+					chain: makeChain(testRootCommonName, times[0], times[1]),
+				},
+			},
+			now:       times[2],
+			wantIndex: -1,
+		},
+		{
+			name:    "unrelated ids",
+			subject: testRootSubject,
+			ids: []certstore.Identity{
+				&testIdentity{
+					chain: makeChain("something", times[0], times[2]),
+				},
+				&testIdentity{
+					chain: makeChain(testRootCommonName, times[0], times[2]),
+				},
+				&testIdentity{
+					chain: makeChain("else", times[0], times[2]),
+				},
+			},
+			now:       times[1],
+			wantIndex: 1,
+		},
+		{
+			name:    "expired with unrelated ids",
+			subject: testRootSubject,
+			ids: []certstore.Identity{
+				&testIdentity{
+					chain: makeChain("something", times[0], times[3]),
+				},
+				&testIdentity{
+					chain: makeChain(testRootCommonName, times[0], times[1]),
+				},
+				&testIdentity{
+					chain: makeChain("else", times[0], times[3]),
+				},
+			},
+			now:       times[2],
+			wantIndex: -1,
+		},
+		{
+			name:    "one expired",
+			subject: testRootSubject,
+			ids: []certstore.Identity{
+				&testIdentity{
+					chain: makeChain(testRootCommonName, times[0], times[1]),
+				},
+				&testIdentity{
+					chain: makeChain(testRootCommonName, times[1], times[3]),
+				},
+			},
+			now:       times[2],
+			wantIndex: 1,
+		},
+		{
+			name:    "two certs both unexpired",
+			subject: testRootSubject,
+			ids: []certstore.Identity{
+				&testIdentity{
+					chain: makeChain(testRootCommonName, times[0], times[3]),
+				},
+				&testIdentity{
+					chain: makeChain(testRootCommonName, times[1], times[3]),
+				},
+			},
+			now:       times[2],
+			wantIndex: 1,
+		},
+		{
+			name:    "two unexpired one expired",
+			subject: testRootSubject,
+			ids: []certstore.Identity{
+				&testIdentity{
+					chain: makeChain(testRootCommonName, times[0], times[3]),
+				},
+				&testIdentity{
+					chain: makeChain(testRootCommonName, times[1], times[3]),
+				},
+				&testIdentity{
+					chain: makeChain(testRootCommonName, times[0], times[1]),
+				},
+			},
+			now:       times[2],
+			wantIndex: 1,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotId, gotChain := selectIdentityFromSlice(tt.subject, tt.ids, tt.now)
+
+			if gotId == nil && gotChain != nil {
+				t.Error("id is nil: got non-nil chain, want nil chain")
+				return
+			}
+			if gotId != nil && gotChain == nil {
+				t.Error("id is not nil: got nil chain, want non-nil chain")
+				return
+			}
+			if tt.wantIndex == -1 {
+				if gotId != nil {
+					t.Error("got non-nil id, want nil id")
+				}
+				return
+			}
+			if gotId == nil {
+				t.Error("got nil id, want non-nil id")
+				return
+			}
+			if gotId != tt.ids[tt.wantIndex] {
+				found := -1
+				for i := range tt.ids {
+					if tt.ids[i] == gotId {
+						found = i
+						break
+					}
+				}
+				if found == -1 {
+					t.Errorf("got unknown id, want id at index %v", tt.wantIndex)
+				} else {
+					t.Errorf("got id at index %v, want id at index %v", found, tt.wantIndex)
+				}
+			}
+
+			tid, ok := tt.ids[tt.wantIndex].(*testIdentity)
+			if !ok {
+				t.Error("got non-testIdentity, want testIdentity")
+				return
+			}
+
+			if !reflect.DeepEqual(tid.chain, gotChain) {
+				t.Errorf("got unknown chain, want chain from id at index %v", tt.wantIndex)
+			}
+		})
+	}
+}
--- a/control/controlhttp/client.go
+++ b/control/controlhttp/client.go
@@ -0,0 +1,242 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package controlhttp implements the Tailscale 2021 control protocol
+// base transport over HTTP.
+//
+// This tunnels the protocol in control/controlbase over HTTP with a
+// variety of compatibility fallbacks for handling picky or deep
+// inspecting proxies.
+//
+// In the happy path, a client makes a single cleartext HTTP request
+// to the server, the server responds with 101 Switching Protocols,
+// and the control base protocol takes place over plain TCP.
+//
+// In the compatibility path, the client does the above over HTTPS,
+// resulting in double encryption (once for the control transport, and
+// once for the outer TLS layer).
+package controlhttp
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"net/http/httptrace"
+	"net/url"
+
+	"tailscale.com/control/controlbase"
+	"tailscale.com/net/dnscache"
+	"tailscale.com/net/dnsfallback"
+	"tailscale.com/net/netns"
+	"tailscale.com/net/tlsdial"
+	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/types/key"
+)
+
+// upgradeHeader is the value of the Upgrade HTTP header used to
+// indicate the Tailscale control protocol.
+const (
+	upgradeHeaderValue  = "tailscale-control-protocol"
+	handshakeHeaderName = "X-Tailscale-Handshake"
+)
+
+// Dial connects to the HTTP server at addr, requests to switch to the
+// Tailscale control protocol, and returns an established control
+// protocol connection.
+//
+// If Dial fails to connect using addr, it also tries to tunnel over
+// TLS to <addr's host>:443 as a compatibility fallback.
+func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, controlKey key.MachinePublic) (*controlbase.Conn, error) {
+	host, port, err := net.SplitHostPort(addr)
+	if err != nil {
+		return nil, err
+	}
+	a := &dialParams{
+		ctx:        ctx,
+		host:       host,
+		httpPort:   port,
+		httpsPort:  "443",
+		machineKey: machineKey,
+		controlKey: controlKey,
+		proxyFunc:  tshttpproxy.ProxyFromEnvironment,
+	}
+	return a.dial()
+}
+
+type dialParams struct {
+	ctx        context.Context
+	host       string
+	httpPort   string
+	httpsPort  string
+	machineKey key.MachinePrivate
+	controlKey key.MachinePublic
+	proxyFunc  func(*http.Request) (*url.URL, error) // or nil
+
+	// For tests only
+	insecureTLS bool
+}
+
+func (a *dialParams) dial() (*controlbase.Conn, error) {
+	init, cont, err := controlbase.ClientDeferred(a.machineKey, a.controlKey)
+	if err != nil {
+		return nil, err
+	}
+
+	u := &url.URL{
+		Scheme: "http",
+		Host:   net.JoinHostPort(a.host, a.httpPort),
+		Path:   "/switch",
+	}
+	conn, httpErr := a.tryURL(u, init)
+	if httpErr == nil {
+		ret, err := cont(a.ctx, conn)
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+		return ret, nil
+	}
+
+	// Connecting over plain HTTP failed, assume it's an HTTP proxy
+	// being difficult and see if we can get through over HTTPS.
+	u.Scheme = "https"
+	u.Host = net.JoinHostPort(a.host, a.httpsPort)
+	init, cont, err = controlbase.ClientDeferred(a.machineKey, a.controlKey)
+	if err != nil {
+		return nil, err
+	}
+	conn, tlsErr := a.tryURL(u, init)
+	if tlsErr == nil {
+		ret, err := cont(a.ctx, conn)
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+		return ret, nil
+	}
+
+	return nil, fmt.Errorf("all connection attempts failed (HTTP: %v, HTTPS: %v)", httpErr, tlsErr)
+}
+
+func (a *dialParams) tryURL(u *url.URL, init []byte) (net.Conn, error) {
+	dns := &dnscache.Resolver{
+		Forward:          dnscache.Get().Forward,
+		LookupIPFallback: dnsfallback.Lookup,
+		UseLastGood:      true,
+	}
+	dialer := netns.NewDialer(log.Printf)
+	tr := http.DefaultTransport.(*http.Transport).Clone()
+	defer tr.CloseIdleConnections()
+	tr.Proxy = a.proxyFunc
+	tshttpproxy.SetTransportGetProxyConnectHeader(tr)
+	tr.DialContext = dnscache.Dialer(dialer.DialContext, dns)
+	// Disable HTTP2, since h2 can't do protocol switching.
+	tr.TLSClientConfig.NextProtos = []string{}
+	tr.TLSNextProto = map[string]func(string, *tls.Conn) http.RoundTripper{}
+	tr.TLSClientConfig = tlsdial.Config(a.host, tr.TLSClientConfig)
+	if a.insecureTLS {
+		tr.TLSClientConfig.InsecureSkipVerify = true
+		tr.TLSClientConfig.VerifyConnection = nil
+	}
+	tr.DialTLSContext = dnscache.TLSDialer(dialer.DialContext, dns, tr.TLSClientConfig)
+	tr.DisableCompression = true
+
+	// (mis)use httptrace to extract the underlying net.Conn from the
+	// transport. We make exactly 1 request using this transport, so
+	// there will be exactly 1 GotConn call. Additionally, the
+	// transport handles 101 Switching Protocols correctly, such that
+	// the Conn will not be reused or kept alive by the transport once
+	// the response has been handed back from RoundTrip.
+	//
+	// In theory, the machinery of net/http should make it such that
+	// the trace callback happens-before we get the response, but
+	// there's no promise of that. So, to make sure, we use a buffered
+	// channel as a synchronization step to avoid data races.
+	//
+	// Note that even though we're able to extract a net.Conn via this
+	// mechanism, we must still keep using the eventual resp.Body to
+	// read from, because it includes a buffer we can't get rid of. If
+	// the server never sends any data after sending the HTTP
+	// response, we could get away with it, but violating this
+	// assumption leads to very mysterious transport errors (lockups,
+	// unexpected EOFs...), and we're bound to forget someday and
+	// introduce a protocol optimization at a higher level that starts
+	// eagerly transmitting from the server.
+	connCh := make(chan net.Conn, 1)
+	trace := httptrace.ClientTrace{
+		GotConn: func(info httptrace.GotConnInfo) {
+			connCh <- info.Conn
+		},
+	}
+	ctx := httptrace.WithClientTrace(a.ctx, &trace)
+	req := &http.Request{
+		Method: "POST",
+		URL:    u,
+		Header: http.Header{
+			"Upgrade":           []string{upgradeHeaderValue},
+			"Connection":        []string{"upgrade"},
+			handshakeHeaderName: []string{base64.StdEncoding.EncodeToString(init)},
+		},
+	}
+	req = req.WithContext(ctx)
+
+	resp, err := tr.RoundTrip(req)
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.StatusCode != http.StatusSwitchingProtocols {
+		return nil, fmt.Errorf("unexpected HTTP response: %s", resp.Status)
+	}
+
+	// From here on, the underlying net.Conn is ours to use, but there
+	// is still a read buffer attached to it within resp.Body. So, we
+	// must direct I/O through resp.Body, but we can still use the
+	// underlying net.Conn for stuff like deadlines.
+	var switchedConn net.Conn
+	select {
+	case switchedConn = <-connCh:
+	default:
+	}
+	if switchedConn == nil {
+		resp.Body.Close()
+		return nil, fmt.Errorf("httptrace didn't provide a connection")
+	}
+
+	if next := resp.Header.Get("Upgrade"); next != upgradeHeaderValue {
+		resp.Body.Close()
+		return nil, fmt.Errorf("server switched to unexpected protocol %q", next)
+	}
+
+	rwc, ok := resp.Body.(io.ReadWriteCloser)
+	if !ok {
+		resp.Body.Close()
+		return nil, errors.New("http Transport did not provide a writable body")
+	}
+
+	return &wrappedConn{switchedConn, rwc}, nil
+}
+
+type wrappedConn struct {
+	net.Conn
+	rwc io.ReadWriteCloser
+}
+
+func (w *wrappedConn) Read(bs []byte) (int, error) {
+	return w.rwc.Read(bs)
+}
+
+func (w *wrappedConn) Write(bs []byte) (int, error) {
+	return w.rwc.Write(bs)
+}
+
+func (w *wrappedConn) Close() error {
+	return w.rwc.Close()
+}
--- a/control/controlhttp/http_test.go
+++ b/control/controlhttp/http_test.go
@@ -0,0 +1,398 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package controlhttp
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"strconv"
+	"sync"
+	"testing"
+
+	"tailscale.com/control/controlbase"
+	"tailscale.com/net/socks5"
+	"tailscale.com/types/key"
+)
+
+func TestControlHTTP(t *testing.T) {
+	tests := []struct {
+		name  string
+		proxy proxy
+	}{
+		// direct connection
+		{
+			name:  "no_proxy",
+			proxy: nil,
+		},
+		// SOCKS5
+		{
+			name:  "socks5",
+			proxy: &socksProxy{},
+		},
+		// HTTP->HTTP
+		{
+			name: "http_to_http",
+			proxy: &httpProxy{
+				useTLS:       false,
+				allowConnect: false,
+				allowHTTP:    true,
+			},
+		},
+		// HTTP->HTTPS
+		{
+			name: "http_to_https",
+			proxy: &httpProxy{
+				useTLS:       false,
+				allowConnect: true,
+				allowHTTP:    false,
+			},
+		},
+		// HTTP->any (will pick HTTP)
+		{
+			name: "http_to_any",
+			proxy: &httpProxy{
+				useTLS:       false,
+				allowConnect: true,
+				allowHTTP:    true,
+			},
+		},
+		// HTTPS->HTTP
+		{
+			name: "https_to_http",
+			proxy: &httpProxy{
+				useTLS:       true,
+				allowConnect: false,
+				allowHTTP:    true,
+			},
+		},
+		// HTTPS->HTTPS
+		{
+			name: "https_to_https",
+			proxy: &httpProxy{
+				useTLS:       true,
+				allowConnect: true,
+				allowHTTP:    false,
+			},
+		},
+		// HTTPS->any (will pick HTTP)
+		{
+			name: "https_to_any",
+			proxy: &httpProxy{
+				useTLS:       true,
+				allowConnect: true,
+				allowHTTP:    true,
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			testControlHTTP(t, test.proxy)
+		})
+	}
+}
+
+func testControlHTTP(t *testing.T, proxy proxy) {
+	client, server := key.NewMachine(), key.NewMachine()
+
+	sch := make(chan serverResult, 1)
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		conn, err := AcceptHTTP(context.Background(), w, r, server)
+		if err != nil {
+			log.Print(err)
+		}
+		res := serverResult{
+			err: err,
+		}
+		if conn != nil {
+			res.clientAddr = conn.RemoteAddr().String()
+			res.version = conn.ProtocolVersion()
+			res.peer = conn.Peer()
+			res.conn = conn
+		}
+		sch <- res
+	})
+
+	httpLn, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("HTTP listen: %v", err)
+	}
+	httpsLn, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("HTTPS listen: %v", err)
+	}
+
+	httpServer := &http.Server{Handler: handler}
+	go httpServer.Serve(httpLn)
+	defer httpServer.Close()
+
+	httpsServer := &http.Server{
+		Handler:   handler,
+		TLSConfig: tlsConfig(t),
+	}
+	go httpsServer.ServeTLS(httpsLn, "", "")
+	defer httpsServer.Close()
+
+	//ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	//defer cancel()
+
+	a := dialParams{
+		ctx:         context.Background(), //ctx,
+		host:        "localhost",
+		httpPort:    strconv.Itoa(httpLn.Addr().(*net.TCPAddr).Port),
+		httpsPort:   strconv.Itoa(httpsLn.Addr().(*net.TCPAddr).Port),
+		machineKey:  client,
+		controlKey:  server.Public(),
+		insecureTLS: true,
+	}
+
+	if proxy != nil {
+		proxyEnv := proxy.Start(t)
+		defer proxy.Close()
+		proxyURL, err := url.Parse(proxyEnv)
+		if err != nil {
+			t.Fatal(err)
+		}
+		a.proxyFunc = func(*http.Request) (*url.URL, error) {
+			return proxyURL, nil
+		}
+	} else {
+		a.proxyFunc = func(*http.Request) (*url.URL, error) {
+			return nil, nil
+		}
+	}
+
+	conn, err := a.dial()
+	if err != nil {
+		t.Fatalf("dialing controlhttp: %v", err)
+	}
+	defer conn.Close()
+	si := <-sch
+	if si.conn != nil {
+		defer si.conn.Close()
+	}
+	if si.err != nil {
+		t.Fatalf("controlhttp server got error: %v", err)
+	}
+	if clientVersion := conn.ProtocolVersion(); si.version != clientVersion {
+		t.Fatalf("client and server don't agree on protocol version: %d vs %d", clientVersion, si.version)
+	}
+	if si.peer != client.Public() {
+		t.Fatalf("server got peer pubkey %s, want %s", si.peer, client.Public())
+	}
+	if spub := conn.Peer(); spub != server.Public() {
+		t.Fatalf("client got peer pubkey %s, want %s", spub, server.Public())
+	}
+	if proxy != nil && !proxy.ConnIsFromProxy(si.clientAddr) {
+		t.Fatalf("client connected from %s, which isn't the proxy", si.clientAddr)
+	}
+}
+
+type serverResult struct {
+	err        error
+	clientAddr string
+	version    int
+	peer       key.MachinePublic
+	conn       *controlbase.Conn
+}
+
+type proxy interface {
+	Start(*testing.T) string
+	Close()
+	ConnIsFromProxy(string) bool
+}
+
+type socksProxy struct {
+	sync.Mutex
+	proxy           socks5.Server
+	ln              net.Listener
+	clientConnAddrs map[string]bool // addrs of the local end of outgoing conns from proxy
+}
+
+func (s *socksProxy) Start(t *testing.T) (url string) {
+	t.Helper()
+	s.Lock()
+	defer s.Unlock()
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("listening for SOCKS server: %v", err)
+	}
+	s.ln = ln
+	s.clientConnAddrs = map[string]bool{}
+	s.proxy.Logf = t.Logf
+	s.proxy.Dialer = s.dialAndRecord
+	go s.proxy.Serve(ln)
+	return fmt.Sprintf("socks5://%s", ln.Addr().String())
+}
+
+func (s *socksProxy) Close() {
+	s.Lock()
+	defer s.Unlock()
+	s.ln.Close()
+}
+
+func (s *socksProxy) dialAndRecord(ctx context.Context, network, addr string) (net.Conn, error) {
+	var d net.Dialer
+	conn, err := d.DialContext(ctx, network, addr)
+	if err != nil {
+		return nil, err
+	}
+	s.Lock()
+	defer s.Unlock()
+	s.clientConnAddrs[conn.LocalAddr().String()] = true
+	return conn, nil
+}
+
+func (s *socksProxy) ConnIsFromProxy(addr string) bool {
+	s.Lock()
+	defer s.Unlock()
+	return s.clientConnAddrs[addr]
+}
+
+type httpProxy struct {
+	useTLS       bool // take incoming connections over TLS
+	allowConnect bool // allow CONNECT for TLS
+	allowHTTP    bool // allow plain HTTP proxying
+
+	sync.Mutex
+	ln              net.Listener
+	rp              httputil.ReverseProxy
+	s               http.Server
+	clientConnAddrs map[string]bool // addrs of the local end of outgoing conns from proxy
+}
+
+func (h *httpProxy) Start(t *testing.T) (url string) {
+	t.Helper()
+	h.Lock()
+	defer h.Unlock()
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("listening for HTTP proxy: %v", err)
+	}
+	h.ln = ln
+	h.rp = httputil.ReverseProxy{
+		Director: func(*http.Request) {},
+		Transport: &http.Transport{
+			DialContext: h.dialAndRecord,
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+			TLSNextProto: map[string]func(string, *tls.Conn) http.RoundTripper{},
+		},
+	}
+	h.clientConnAddrs = map[string]bool{}
+	h.s.Handler = h
+	if h.useTLS {
+		h.s.TLSConfig = tlsConfig(t)
+		go h.s.ServeTLS(h.ln, "", "")
+		return fmt.Sprintf("https://%s", ln.Addr().String())
+	} else {
+		go h.s.Serve(h.ln)
+		return fmt.Sprintf("http://%s", ln.Addr().String())
+	}
+}
+
+func (h *httpProxy) Close() {
+	h.Lock()
+	defer h.Unlock()
+	h.s.Close()
+}
+
+func (h *httpProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "CONNECT" {
+		if !h.allowHTTP {
+			http.Error(w, "http proxy not allowed", 500)
+			return
+		}
+		h.rp.ServeHTTP(w, r)
+		return
+	}
+
+	if !h.allowConnect {
+		http.Error(w, "connect not allowed", 500)
+		return
+	}
+
+	dst := r.RequestURI
+	c, err := h.dialAndRecord(context.Background(), "tcp", dst)
+	if err != nil {
+		http.Error(w, err.Error(), 500)
+		return
+	}
+	defer c.Close()
+
+	cc, ccbuf, err := w.(http.Hijacker).Hijack()
+	if err != nil {
+		http.Error(w, err.Error(), 500)
+		return
+	}
+	defer cc.Close()
+
+	io.WriteString(cc, "HTTP/1.1 200 OK\r\n\r\n")
+
+	errc := make(chan error, 1)
+	go func() {
+		_, err := io.Copy(cc, c)
+		errc <- err
+	}()
+	go func() {
+		_, err := io.Copy(c, ccbuf)
+		errc <- err
+	}()
+	<-errc
+}
+
+func (h *httpProxy) dialAndRecord(ctx context.Context, network, addr string) (net.Conn, error) {
+	var d net.Dialer
+	conn, err := d.DialContext(ctx, network, addr)
+	if err != nil {
+		return nil, err
+	}
+	h.Lock()
+	defer h.Unlock()
+	h.clientConnAddrs[conn.LocalAddr().String()] = true
+	return conn, nil
+}
+
+func (h *httpProxy) ConnIsFromProxy(addr string) bool {
+	h.Lock()
+	defer h.Unlock()
+	return h.clientConnAddrs[addr]
+}
+
+func tlsConfig(t *testing.T) *tls.Config {
+	// Cert and key taken from the example code in the crypto/tls
+	// package.
+	certPem := []byte(`-----BEGIN CERTIFICATE-----
+MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw
+DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow
+EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d
+7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B
+5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr
+BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1
+NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l
+Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
+6MF9+Yw1Yy0t
+-----END CERTIFICATE-----`)
+	keyPem := []byte(`-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49
+AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q
+EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
+-----END EC PRIVATE KEY-----`)
+	cert, err := tls.X509KeyPair(certPem, keyPem)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return &tls.Config{
+		Certificates: []tls.Certificate{cert},
+	}
+}
--- a/control/controlhttp/server.go
+++ b/control/controlhttp/server.go
@@ -0,0 +1,95 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package controlhttp
+
+import (
+	"bufio"
+	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+
+	"tailscale.com/control/controlbase"
+	"tailscale.com/types/key"
+)
+
+// AcceptHTTP upgrades the HTTP request given by w and r into a
+// Tailscale control protocol base transport connection.
+//
+// AcceptHTTP always writes an HTTP response to w. The caller must not
+// attempt their own response after calling AcceptHTTP.
+func AcceptHTTP(ctx context.Context, w http.ResponseWriter, r *http.Request, private key.MachinePrivate) (*controlbase.Conn, error) {
+	next := r.Header.Get("Upgrade")
+	if next == "" {
+		http.Error(w, "missing next protocol", http.StatusBadRequest)
+		return nil, errors.New("no next protocol in HTTP request")
+	}
+	if next != upgradeHeaderValue {
+		http.Error(w, "unknown next protocol", http.StatusBadRequest)
+		return nil, fmt.Errorf("client requested unhandled next protocol %q", next)
+	}
+
+	initB64 := r.Header.Get(handshakeHeaderName)
+	if initB64 == "" {
+		http.Error(w, "missing Tailscale handshake header", http.StatusBadRequest)
+		return nil, errors.New("no tailscale handshake header in HTTP request")
+	}
+	init, err := base64.StdEncoding.DecodeString(initB64)
+	if err != nil {
+		http.Error(w, "invalid tailscale handshake header", http.StatusBadRequest)
+		return nil, fmt.Errorf("decoding base64 handshake header: %v", err)
+	}
+
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		http.Error(w, "make request over HTTP/1", http.StatusBadRequest)
+		return nil, errors.New("can't hijack client connection")
+	}
+
+	w.Header().Set("Upgrade", upgradeHeaderValue)
+	w.Header().Set("Connection", "upgrade")
+	w.WriteHeader(http.StatusSwitchingProtocols)
+
+	conn, brw, err := hijacker.Hijack()
+	if err != nil {
+		return nil, fmt.Errorf("hijacking client connection: %w", err)
+	}
+	if err := brw.Flush(); err != nil {
+		conn.Close()
+		return nil, fmt.Errorf("flushing hijacked HTTP buffer: %w", err)
+	}
+	if brw.Reader.Buffered() > 0 {
+		conn = &drainBufConn{conn, brw.Reader}
+	}
+
+	nc, err := controlbase.Server(ctx, conn, private, init)
+	if err != nil {
+		conn.Close()
+		return nil, fmt.Errorf("noise handshake failed: %w", err)
+	}
+
+	return nc, nil
+}
+
+// drainBufConn is a net.Conn with an initial bunch of bytes in a
+// bufio.Reader. Read drains the bufio.Reader until empty, then passes
+// through subsequent reads to the Conn directly.
+type drainBufConn struct {
+	net.Conn
+	r *bufio.Reader
+}
+
+func (b *drainBufConn) Read(bs []byte) (int, error) {
+	if b.r == nil {
+		return b.Conn.Read(bs)
+	}
+	n, err := b.r.Read(bs)
+	if b.r.Buffered() == 0 {
+		b.r = nil
+	}
+	return n, err
+}
--- a/control/controlknobs/controlknobs.go
+++ b/control/controlknobs/controlknobs.go
@@ -7,9 +7,7 @@
 package controlknobs

 import (
-	"os"
-	"strconv"
-
+	"tailscale.com/envknob"
 	"tailscale.com/syncs"
 )

@@ -17,8 +15,7 @@ import (
 var disableUPnP syncs.AtomicBool

 func init() {
-	v, _ := strconv.ParseBool(os.Getenv("TS_DISABLE_UPNP"))
-	SetDisableUPnP(v)
+	SetDisableUPnP(envknob.Bool("TS_DISABLE_UPNP"))
 }

 // DisableUPnP reports the last reported value from control
--- a/derp/derp_client.go
+++ b/derp/derp_client.go
@@ -12,10 +12,12 @@ import (
 	"fmt"
 	"io"
 	"sync"
+	"sync/atomic"
 	"time"

 	"go4.org/mem"
 	"golang.org/x/time/rate"
+	"inet.af/netaddr"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 )
@@ -37,8 +39,8 @@ type Client struct {
 	rate *rate.Limiter // if non-nil, rate limiter to use

 	// Owned by Recv:
-	peeked  int   // bytes to discard on next Recv
-	readErr error // sticky read error
+	peeked  int          // bytes to discard on next Recv
+	readErr atomic.Value // of error; sticky (set by Recv)
 }

 // ClientOpt is an option passed to NewClient.
@@ -261,10 +263,18 @@ func (c *Client) ForwardPacket(srcKey, dstKey key.NodePublic, pkt []byte) (err e

 func (c *Client) writeTimeoutFired() { c.nc.Close() }

+func (c *Client) SendPing(data [8]byte) error {
+	return c.sendPingOrPong(framePing, data)
+}
+
 func (c *Client) SendPong(data [8]byte) error {
+	return c.sendPingOrPong(framePong, data)
+}
+
+func (c *Client) sendPingOrPong(typ frameType, data [8]byte) error {
 	c.wmu.Lock()
 	defer c.wmu.Unlock()
-	if err := writeFrameHeader(c.bw, framePong, 8); err != nil {
+	if err := writeFrameHeader(c.bw, typ, 8); err != nil {
 		return err
 	}
 	if _, err := c.bw.Write(data[:]); err != nil {
@@ -375,6 +385,12 @@ type PingMessage [8]byte

 func (PingMessage) msg() {}

+// PongMessage is a reply to a PingMessage from a client or server
+// with the payload sent previously in a PingMessage.
+type PongMessage [8]byte
+
+func (PongMessage) msg() {}
+
 // KeepAliveMessage is a one-way empty message from server to client, just to
 // keep the connection alive. It's like a PingMessage, but doesn't solicit
 // a reply from the client.
@@ -427,13 +443,14 @@ func (c *Client) Recv() (m ReceivedMessage, err error) {
 }

 func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err error) {
-	if c.readErr != nil {
-		return nil, c.readErr
+	readErr, _ := c.readErr.Load().(error)
+	if readErr != nil {
+		return nil, readErr
 	}
 	defer func() {
 		if err != nil {
 			err = fmt.Errorf("derp.Recv: %w", err)
-			c.readErr = err
+			c.readErr.Store(err)
 		}
 	}()

@@ -536,6 +553,15 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 			copy(pm[:], b[:])
 			return pm, nil

+		case framePong:
+			var pm PongMessage
+			if n < 8 {
+				c.logf("[unexpected] dropping short ping frame")
+				continue
+			}
+			copy(pm[:], b[:])
+			return pm, nil
+
 		case frameHealth:
 			return HealthMessage{Problem: string(b[:])}, nil

@@ -564,3 +590,22 @@ func (c *Client) setSendRateLimiter(sm ServerInfoMessage) {
 			sm.TokenBucketBytesBurst)
 	}
 }
+
+// LocalAddr returns the TCP connection's local address.
+//
+// If the client is broken in some previously detectable way, it
+// returns an error.
+func (c *Client) LocalAddr() (netaddr.IPPort, error) {
+	readErr, _ := c.readErr.Load().(error)
+	if readErr != nil {
+		return netaddr.IPPort{}, readErr
+	}
+	if c.nc == nil {
+		return netaddr.IPPort{}, errors.New("nil conn")
+	}
+	a := c.nc.LocalAddr()
+	if a == nil {
+		return netaddr.IPPort{}, errors.New("nil addr")
+	}
+	return netaddr.ParseIPPort(a.String())
+}
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -23,8 +23,8 @@ import (
 	"math"
 	"math/big"
 	"math/rand"
+	"net"
 	"net/http"
-	"os"
 	"os/exec"
 	"runtime"
 	"strconv"
@@ -39,6 +39,7 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/disco"
+	"tailscale.com/envknob"
 	"tailscale.com/metrics"
 	"tailscale.com/syncs"
 	"tailscale.com/types/key"
@@ -47,14 +48,14 @@ import (
 	"tailscale.com/version"
 )

-var debug, _ = strconv.ParseBool(os.Getenv("DERP_DEBUG_LOGS"))
+var debug = envknob.Bool("DERP_DEBUG_LOGS")

 // verboseDropKeys is the set of destination public keys that should
 // verbosely log whenever DERP drops a packet.
 var verboseDropKeys = map[key.NodePublic]bool{}

 func init() {
-	keys := os.Getenv("TS_DEBUG_VERBOSE_DROPS")
+	keys := envknob.String("TS_DEBUG_VERBOSE_DROPS")
 	if keys == "" {
 		return
 	}
@@ -124,6 +125,8 @@ type Server struct {
 	packetsForwardedOut          expvar.Int
 	packetsForwardedIn           expvar.Int
 	peerGoneFrames               expvar.Int // number of peer gone frames sent
+	gotPing                      expvar.Int // number of ping frames from client
+	sentPong                     expvar.Int // number of pong frames enqueued to client
 	accepts                      expvar.Int
 	curClients                   expvar.Int
 	curHomeClients               expvar.Int // ones with preferred
@@ -283,9 +286,8 @@ type PacketForwarder interface {
 // It is a defined type so that non-net connections can be used.
 type Conn interface {
 	io.WriteCloser
-
+	LocalAddr() net.Addr
 	// The *Deadline methods follow the semantics of net.Conn.
-
 	SetDeadline(time.Time) error
 	SetReadDeadline(time.Time) error
 	SetWriteDeadline(time.Time) error
@@ -662,6 +664,7 @@ func (s *Server) accept(nc Conn, brw *bufio.ReadWriter, remoteAddr string, connN
 		connectedAt:    time.Now(),
 		sendQueue:      make(chan pkt, perClientSendQueueDepth),
 		discoSendQueue: make(chan pkt, perClientSendQueueDepth),
+		sendPongCh:     make(chan [8]byte, 1),
 		peerGone:       make(chan key.NodePublic),
 		canMesh:        clientInfo.MeshKey != "" && clientInfo.MeshKey == s.meshKey,
 	}
@@ -729,6 +732,8 @@ func (c *sclient) run(ctx context.Context) error {
 			err = c.handleFrameWatchConns(ft, fl)
 		case frameClosePeer:
 			err = c.handleFrameClosePeer(ft, fl)
+		case framePing:
+			err = c.handleFramePing(ft, fl)
 		default:
 			err = c.handleUnknownFrame(ft, fl)
 		}
@@ -766,6 +771,33 @@ func (c *sclient) handleFrameWatchConns(ft frameType, fl uint32) error {
 	return nil
 }

+func (c *sclient) handleFramePing(ft frameType, fl uint32) error {
+	c.s.gotPing.Add(1)
+	var m PingMessage
+	if fl < uint32(len(m)) {
+		return fmt.Errorf("short ping: %v", fl)
+	}
+	if fl > 1000 {
+		// unreasonably extra large. We leave some extra
+		// space for future extensibility, but not too much.
+		return fmt.Errorf("ping body too large: %v", fl)
+	}
+	_, err := io.ReadFull(c.br, m[:])
+	if err != nil {
+		return err
+	}
+	if extra := int64(fl) - int64(len(m)); extra > 0 {
+		_, err = io.CopyN(ioutil.Discard, c.br, extra)
+	}
+	select {
+	case c.sendPongCh <- [8]byte(m):
+	default:
+		// They're pinging too fast. Ignore.
+		// TODO(bradfitz): add a rate limiter too.
+	}
+	return err
+}
+
 func (c *sclient) handleFrameClosePeer(ft frameType, fl uint32) error {
 	if fl != keyLen {
 		return fmt.Errorf("handleFrameClosePeer wrong size")
@@ -1202,6 +1234,7 @@ type sclient struct {
 	remoteIPPort   netaddr.IPPort      // zero if remoteAddr is not ip:port.
 	sendQueue      chan pkt            // packets queued to this client; never closed
 	discoSendQueue chan pkt            // important packets queued to this client; never closed
+	sendPongCh     chan [8]byte        // pong replies to send to the client; never closed
 	peerGone       chan key.NodePublic // write request that a previous sender has disconnected (not used by mesh peers)
 	meshUpdate     chan struct{}       // write request to write peerStateChange
 	canMesh        bool                // clientInfo had correct mesh token for inter-region routing
@@ -1342,6 +1375,9 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 			werr = c.sendPacket(msg.src, msg.bs)
 			c.recordQueueTime(msg.enqueuedAt)
 			continue
+		case msg := <-c.sendPongCh:
+			werr = c.sendPong(msg)
+			continue
 		case <-keepAliveTick.C:
 			werr = c.sendKeepAlive()
 			continue
@@ -1368,6 +1404,9 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 		case msg := <-c.discoSendQueue:
 			werr = c.sendPacket(msg.src, msg.bs)
 			c.recordQueueTime(msg.enqueuedAt)
+		case msg := <-c.sendPongCh:
+			werr = c.sendPong(msg)
+			continue
 		case <-keepAliveTick.C:
 			werr = c.sendKeepAlive()
 		}
@@ -1384,6 +1423,17 @@ func (c *sclient) sendKeepAlive() error {
 	return writeFrameHeader(c.bw.bw(), frameKeepAlive, 0)
 }

+// sendPong sends a pong reply, without flushing.
+func (c *sclient) sendPong(data [8]byte) error {
+	c.s.sentPong.Add(1)
+	c.setWriteDeadline()
+	if err := writeFrameHeader(c.bw.bw(), framePong, uint32(len(data))); err != nil {
+		return err
+	}
+	_, err := c.bw.Write(data[:])
+	return err
+}
+
 // sendPeerGone sends a peerGone frame, without flushing.
 func (c *sclient) sendPeerGone(peer key.NodePublic) error {
 	c.s.peerGoneFrames.Add(1)
@@ -1625,6 +1675,8 @@ func (s *Server) ExpVar() expvar.Var {
 	m.Set("unknown_frames", &s.unknownFrames)
 	m.Set("home_moves_in", &s.homeMovesIn)
 	m.Set("home_moves_out", &s.homeMovesOut)
+	m.Set("got_ping", &s.gotPing)
+	m.Set("sent_pong", &s.sentPong)
 	m.Set("peer_gone_frames", &s.peerGoneFrames)
 	m.Set("packets_forwarded_out", &s.packetsForwardedOut)
 	m.Set("packets_forwarded_in", &s.packetsForwardedIn)
--- a/derp/derp_test.go
+++ b/derp/derp_test.go
@@ -812,6 +812,14 @@ func TestClientRecv(t *testing.T) {
 			},
 			want: PingMessage{1, 2, 3, 4, 5, 6, 7, 8},
 		},
+		{
+			name: "pong",
+			input: []byte{
+				byte(framePong), 0, 0, 0, 8,
+				1, 2, 3, 4, 5, 6, 7, 8,
+			},
+			want: PongMessage{1, 2, 3, 4, 5, 6, 7, 8},
+		},
 		{
 			name: "health_bad",
 			input: []byte{
@@ -858,6 +866,23 @@ func TestClientRecv(t *testing.T) {
 	}
 }

+func TestClientSendPing(t *testing.T) {
+	var buf bytes.Buffer
+	c := &Client{
+		bw: bufio.NewWriter(&buf),
+	}
+	if err := c.SendPing([8]byte{1, 2, 3, 4, 5, 6, 7, 8}); err != nil {
+		t.Fatal(err)
+	}
+	want := []byte{
+		byte(framePing), 0, 0, 0, 8,
+		1, 2, 3, 4, 5, 6, 7, 8,
+	}
+	if !bytes.Equal(buf.Bytes(), want) {
+		t.Errorf("unexpected output\nwrote: % 02x\n want: % 02x", buf.Bytes(), want)
+	}
+}
+
 func TestClientSendPong(t *testing.T) {
 	var buf bytes.Buffer
 	c := &Client{
@@ -873,7 +898,6 @@ func TestClientSendPong(t *testing.T) {
 	if !bytes.Equal(buf.Bytes(), want) {
 		t.Errorf("unexpected output\nwrote: % 02x\n want: % 02x", buf.Bytes(), want)
 	}
-
 }

 func TestServerDupClients(t *testing.T) {
@@ -1316,3 +1340,30 @@ func TestClientSendRateLimiting(t *testing.T) {
 		t.Errorf("limited conn's bytes count = %v; want >=%v, <%v", bytesLimited, bytes1K*2, bytes1K)
 	}
 }
+
+func TestServerRepliesToPing(t *testing.T) {
+	ts := newTestServer(t)
+	defer ts.close(t)
+
+	tc := newRegularClient(t, ts, "alice")
+
+	data := [8]byte{1, 2, 3, 4, 5, 6, 7, 42}
+
+	if err := tc.c.SendPing(data); err != nil {
+		t.Fatal(err)
+	}
+
+	for {
+		m, err := tc.c.recvTimeout(time.Second)
+		if err != nil {
+			t.Fatal(err)
+		}
+		switch m := m.(type) {
+		case PongMessage:
+			if ([8]byte(m)) != data {
+				t.Fatalf("got pong %2x; want %2x", [8]byte(m), data)
+			}
+			return
+		}
+	}
+}
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -13,6 +13,7 @@ package derphttp
 import (
 	"bufio"
 	"context"
+	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
@@ -22,16 +23,16 @@ import (
 	"net"
 	"net/http"
 	"net/url"
-	"os"
 	"runtime"
-	"strconv"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"

 	"go4.org/mem"
 	"inet.af/netaddr"
 	"tailscale.com/derp"
+	"tailscale.com/envknob"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tlsdial"
@@ -64,6 +65,12 @@ type Client struct {
 	ctx       context.Context // closed via cancelCtx in Client.Close
 	cancelCtx context.CancelFunc

+	// addrFamSelAtomic is the last AddressFamilySelector set
+	// by SetAddressFamilySelector. It's an atomic because it needs
+	// to be accessed by multiple racing routines started while
+	// Client.conn holds mu.
+	addrFamSelAtomic atomic.Value // of AddressFamilySelector
+
 	mu           sync.Mutex
 	preferred    bool
 	canAckPings  bool
@@ -72,6 +79,8 @@ type Client struct {
 	client       *derp.Client
 	connGen      int // incremented once per new connection; valid values are >0
 	serverPubKey key.NodePublic
+	tlsState     *tls.ConnectionState
+	pingOut      map[derp.PingMessage]chan<- bool // chan to send to on pong
 }

 // NewRegionClient returns a new DERP-over-HTTP client. It connects lazily.
@@ -123,6 +132,17 @@ func (c *Client) Connect(ctx context.Context) error {
 	return err
 }

+// TLSConnectionState returns the last TLS connection state, if any.
+// The client must already be connected.
+func (c *Client) TLSConnectionState() (_ *tls.ConnectionState, ok bool) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.closed || c.client == nil {
+		return nil, false
+	}
+	return c.tlsState, c.tlsState != nil
+}
+
 // ServerPublicKey returns the server's public key.
 //
 // It only returns a non-zero value once a connection has succeeded
@@ -180,6 +200,32 @@ func (c *Client) urlString(node *tailcfg.DERPNode) string {
 	return fmt.Sprintf("https://%s/derp", node.HostName)
 }

+// AddressFamilySelector decides whethers IPv6 is preferred for
+// outbound dials.
+type AddressFamilySelector interface {
+	// PreferIPv6 reports whether IPv4 dials should be slightly
+	// delayed to give IPv6 a better chance of winning dial races.
+	// Implementations should only return true if IPv6 is expected
+	// to succeed. (otherwise delaying IPv4 will delay the
+	// connection overall)
+	PreferIPv6() bool
+}
+
+// SetAddressFamilySelector sets the AddressFamilySelector that this
+// connection will use. It should be called before any dials.
+// The value must not be nil. If called more than once, s must
+// be the same concrete type as any prior calls.
+func (c *Client) SetAddressFamilySelector(s AddressFamilySelector) {
+	c.addrFamSelAtomic.Store(s)
+}
+
+func (c *Client) preferIPv6() bool {
+	if s, ok := c.addrFamSelAtomic.Load().(AddressFamilySelector); ok {
+		return s.PreferIPv6()
+	}
+	return false
+}
+
 // dialWebsocketFunc is non-nil (set by websocket.go's init) when compiled in.
 var dialWebsocketFunc func(ctx context.Context, urlStr string) (net.Conn, error)

@@ -188,8 +234,7 @@ func useWebsockets() bool {
 		return true
 	}
 	if dialWebsocketFunc != nil {
-		v, _ := strconv.ParseBool(os.Getenv("TS_DEBUG_DERP_WS_CLIENT"))
-		return v
+		return envknob.Bool("TS_DEBUG_DERP_WS_CLIENT")
 	}
 	return false
 }
@@ -318,6 +363,7 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 	var httpConn net.Conn        // a TCP conn or a TLS conn; what we speak HTTP to
 	var serverPub key.NodePublic // or zero if unknown (if not using TLS or TLS middlebox eats it)
 	var serverProtoVersion int
+	var tlsState *tls.ConnectionState
 	if c.useHTTPS() {
 		tlsConn := c.tlsClient(tcpConn, node)
 		httpConn = tlsConn
@@ -340,9 +386,10 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 		// Note that we're not specifically concerned about TLS downgrade
 		// attacks. TLS handles that fine:
 		// https://blog.gypsyengineer.com/en/security/how-does-tls-1-3-protect-against-downgrade-attacks.html
-		connState := tlsConn.ConnectionState()
-		if connState.Version >= tls.VersionTLS13 {
-			serverPub, serverProtoVersion = parseMetaCert(connState.PeerCertificates)
+		cs := tlsConn.ConnectionState()
+		tlsState = &cs
+		if cs.Version >= tls.VersionTLS13 {
+			serverPub, serverProtoVersion = parseMetaCert(cs.PeerCertificates)
 		}
 	} else {
 		httpConn = tcpConn
@@ -409,6 +456,7 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 	c.serverPubKey = derpClient.ServerPublicKey()
 	c.client = derpClient
 	c.netConn = tcpConn
+	c.tlsState = tlsState
 	c.connGen++
 	return c.client, c.connGen, nil
 }
@@ -568,6 +616,18 @@ func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, e
 	startDial := func(dstPrimary, proto string) {
 		nwait++
 		go func() {
+			if proto == "tcp4" && c.preferIPv6() {
+				t := time.NewTimer(200 * time.Millisecond)
+				select {
+				case <-ctx.Done():
+					// Either user canceled original context,
+					// it timed out, or the v6 dial succeeded.
+					t.Stop()
+					return
+				case <-t.C:
+					// Start v4 dial
+				}
+			}
 			dst := dstPrimary
 			if dst == "" {
 				dst = n.HostName
@@ -698,6 +758,95 @@ func (c *Client) Send(dstKey key.NodePublic, b []byte) error {
 	return err
 }

+func (c *Client) registerPing(m derp.PingMessage, ch chan<- bool) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.pingOut == nil {
+		c.pingOut = map[derp.PingMessage]chan<- bool{}
+	}
+	c.pingOut[m] = ch
+}
+
+func (c *Client) unregisterPing(m derp.PingMessage) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	delete(c.pingOut, m)
+}
+
+func (c *Client) handledPong(m derp.PongMessage) bool {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	k := derp.PingMessage(m)
+	if ch, ok := c.pingOut[k]; ok {
+		ch <- true
+		delete(c.pingOut, k)
+		return true
+	}
+	return false
+}
+
+// Ping sends a ping to the peer and waits for it either to be
+// acknowledged (in which case Ping returns nil) or waits for ctx to
+// be over and returns an error. It will wait at most 5 seconds
+// before returning an error.
+//
+// Another goroutine must be in a loop calling Recv or
+// RecvDetail or ping responses won't be handled.
+func (c *Client) Ping(ctx context.Context) error {
+	maxDL := time.Now().Add(5 * time.Second)
+	if dl, ok := ctx.Deadline(); !ok || dl.After(maxDL) {
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithDeadline(ctx, maxDL)
+		defer cancel()
+	}
+	var data derp.PingMessage
+	rand.Read(data[:])
+	gotPing := make(chan bool, 1)
+	c.registerPing(data, gotPing)
+	defer c.unregisterPing(data)
+	if err := c.SendPing(data); err != nil {
+		return err
+	}
+	select {
+	case <-gotPing:
+		return nil
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+}
+
+// SendPing writes a ping message, without any implicit connect or
+// reconnect. This is a lower-level interface that writes a frame
+// without any implicit handling of the response pong, if any. For a
+// higher-level interface, use Ping.
+func (c *Client) SendPing(data [8]byte) error {
+	c.mu.Lock()
+	closed, client := c.closed, c.client
+	c.mu.Unlock()
+	if closed {
+		return ErrClientClosed
+	}
+	if client == nil {
+		return errors.New("client not connected")
+	}
+	return client.SendPing(data)
+}
+
+// LocalAddr reports c's local TCP address, without any implicit
+// connect or reconnect.
+func (c *Client) LocalAddr() (netaddr.IPPort, error) {
+	c.mu.Lock()
+	closed, client := c.closed, c.client
+	c.mu.Unlock()
+	if closed {
+		return netaddr.IPPort{}, ErrClientClosed
+	}
+	if client == nil {
+		return netaddr.IPPort{}, errors.New("client not connected")
+	}
+	return client.LocalAddr()
+}
+
 func (c *Client) ForwardPacket(from, to key.NodePublic, b []byte) error {
 	client, _, err := c.connect(context.TODO(), "derphttp.Client.ForwardPacket")
 	if err != nil {
@@ -805,14 +954,22 @@ func (c *Client) RecvDetail() (m derp.ReceivedMessage, connGen int, err error) {
 	if err != nil {
 		return nil, 0, err
 	}
-	m, err = client.Recv()
-	if err != nil {
-		c.closeForReconnect(client)
-		if c.isClosed() {
-			err = ErrClientClosed
+	for {
+		m, err = client.Recv()
+		switch m := m.(type) {
+		case derp.PongMessage:
+			if c.handledPong(m) {
+				continue
+			}
 		}
+		if err != nil {
+			c.closeForReconnect(client)
+			if c.isClosed() {
+				err = ErrClientClosed
+			}
+		}
+		return m, connGen, err
 	}
-	return m, connGen, err
 }

 func (c *Client) isClosed() bool {
--- a/derp/derphttp/derphttp_test.go
+++ b/derp/derphttp/derphttp_test.go
@@ -154,3 +154,55 @@ func waitConnect(t testing.TB, c *Client) {
 		t.Fatalf("client first Recv was unexpected type %T", v)
 	}
 }
+
+func TestPing(t *testing.T) {
+	serverPrivateKey := key.NewNode()
+	s := derp.NewServer(serverPrivateKey, t.Logf)
+	defer s.Close()
+
+	httpsrv := &http.Server{
+		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
+		Handler:      Handler(s),
+	}
+
+	ln, err := net.Listen("tcp4", "localhost:0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	serverURL := "http://" + ln.Addr().String()
+	t.Logf("server URL: %s", serverURL)
+
+	go func() {
+		if err := httpsrv.Serve(ln); err != nil {
+			if err == http.ErrServerClosed {
+				return
+			}
+			panic(err)
+		}
+	}()
+
+	c, err := NewClient(key.NewNode(), serverURL, t.Logf)
+	if err != nil {
+		t.Fatalf("NewClient: %v", err)
+	}
+	defer c.Close()
+	if err := c.Connect(context.Background()); err != nil {
+		t.Fatalf("client Connect: %v", err)
+	}
+
+	errc := make(chan error, 1)
+	go func() {
+		for {
+			m, err := c.Recv()
+			if err != nil {
+				errc <- err
+				return
+			}
+			t.Logf("Recv: %T", m)
+		}
+	}()
+	err = c.Ping(context.Background())
+	if err != nil {
+		t.Fatalf("Ping: %v", err)
+	}
+}
--- a/envknob/envknob.go
+++ b/envknob/envknob.go
@@ -0,0 +1,144 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package envknob provides access to environment-variable tweakable
+// debug settings.
+//
+// These are primarily knobs used by Tailscale developers during
+// development or by users when instructed to by Tailscale developers
+// when debugging something. They are not a stable interface and may
+// be removed or any time.
+//
+// A related package, control/controlknobs, are knobs that can be
+// changed at runtime by the control plane. Sometimes both are used:
+// an envknob for the default/explicit value, else falling back
+// to the controlknob value.
+package envknob
+
+import (
+	"log"
+	"os"
+	"strconv"
+	"sync"
+
+	"tailscale.com/types/opt"
+)
+
+var (
+	mu   sync.Mutex
+	set  = map[string]string{}
+	list []string
+)
+
+func noteEnv(k, v string) {
+	if v == "" {
+		return
+	}
+	mu.Lock()
+	defer mu.Unlock()
+	if _, ok := set[v]; !ok {
+		list = append(list, k)
+	}
+	set[k] = v
+}
+
+// logf is logger.Logf, but logger depends on envknob, so for circular
+// dependency reasons, make a type alias (so it's still assignable,
+// but has nice docs here).
+type logf = func(format string, args ...interface{})
+
+// LogCurrent logs the currently set environment knobs.
+func LogCurrent(logf logf) {
+	mu.Lock()
+	defer mu.Unlock()
+	for _, k := range list {
+		logf("envknob: %s=%q", k, set[k])
+	}
+}
+
+// String returns the named environment variable, using os.Getenv.
+//
+// If the variable is non-empty, it's also tracked & logged as being
+// an in-use knob.
+func String(envVar string) string {
+	v := os.Getenv(envVar)
+	noteEnv(envVar, v)
+	return v
+}
+
+// Bool returns the boolean value of the named environment variable.
+// If the variable is not set, it returns false.
+// An invalid value exits the binary with a failure.
+func Bool(envVar string) bool {
+	return boolOr(envVar, false)
+}
+
+// BoolDefaultTrue is like Bool, but returns true by default if the
+// environment variable isn't present.
+func BoolDefaultTrue(envVar string) bool {
+	return boolOr(envVar, true)
+}
+
+func boolOr(envVar string, implicitValue bool) bool {
+	val := os.Getenv(envVar)
+	if val == "" {
+		return implicitValue
+	}
+	b, err := strconv.ParseBool(val)
+	if err == nil {
+		noteEnv(envVar, strconv.FormatBool(b)) // canonicalize
+		return b
+	}
+	log.Fatalf("invalid boolean environment variable %s value %q", envVar, val)
+	panic("unreachable")
+}
+
+// LookupBool returns the boolean value of the named environment value.
+// The ok result is whether a value was set.
+// If the value isn't a valid int, it exits the program with a failure.
+func LookupBool(envVar string) (v bool, ok bool) {
+	val := os.Getenv(envVar)
+	if val == "" {
+		return false, false
+	}
+	b, err := strconv.ParseBool(val)
+	if err == nil {
+		return b, true
+	}
+	log.Fatalf("invalid boolean environment variable %s value %q", envVar, val)
+	panic("unreachable")
+}
+
+// OptBool is like Bool, but returns an opt.Bool, so the caller can
+// distinguish between implicitly and explicitly false.
+func OptBool(envVar string) opt.Bool {
+	b, ok := LookupBool(envVar)
+	if !ok {
+		return ""
+	}
+	var ret opt.Bool
+	ret.Set(b)
+	return ret
+}
+
+// LookupInt returns the integer value of the named environment value.
+// The ok result is whether a value was set.
+// If the value isn't a valid int, it exits the program with a failure.
+func LookupInt(envVar string) (v int, ok bool) {
+	val := os.Getenv(envVar)
+	if val == "" {
+		return 0, false
+	}
+	v, err := strconv.Atoi(val)
+	if err == nil {
+		noteEnv(envVar, val)
+		return v, true
+	}
+	log.Fatalf("invalid integer environment variable %s: %v", envVar, val)
+	panic("unreachable")
+}
+
+// UseWIPCode is whether TAILSCALE_USE_WIP_CODE is set to permit use
+// of Work-In-Progress code.
+func UseWIPCode() bool { return Bool("TAILSCALE_USE_WIP_CODE") }
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/go-ole/go-ole v1.2.6
 	github.com/godbus/dbus/v5 v5.0.6
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
-	github.com/google/go-cmp v0.5.6
+	github.com/google/go-cmp v0.5.7
 	github.com/google/uuid v1.3.0
 	github.com/goreleaser/nfpm v1.10.3
 	github.com/iancoleman/strcase v0.2.0
@@ -28,7 +28,7 @@ require (
 	github.com/jsimonetti/rtnetlink v0.0.0-20211203074127-fd9a11f42291
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 	github.com/klauspost/compress v1.13.6
-	github.com/mdlayher/netlink v1.4.2
+	github.com/mdlayher/netlink v1.6.0
 	github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697
 	github.com/miekg/dns v1.1.43
 	github.com/mitchellh/go-ps v1.0.0
@@ -48,17 +48,17 @@ require (
 	github.com/vishvananda/netlink v1.1.1-0.20211101163509-b10eb8fe5cf6
 	go4.org/mem v0.0.0-20210711025021-927187094b94
 	golang.org/x/crypto v0.0.0-20211202192323-5770296d904e
-	golang.org/x/net v0.0.0-20211205041911-012df41ee64c
+	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20211205182925-97ca703d548d
+	golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
 	golang.org/x/tools v0.1.8
 	golang.zx2c4.com/wireguard v0.0.0-20211116201604-de7c702ace45
 	golang.zx2c4.com/wireguard/windows v0.4.10
+	gvisor.dev/gvisor v0.0.0-20220126021142-d8aa030b2591
 	honnef.co/go/tools v0.2.2
 	inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6
-	inet.af/netstack v0.0.0-20211120045802-8aa80cf23d3c
 	inet.af/peercred v0.0.0-20210906144145-0893ea02156a
 	inet.af/wf v0.0.0-20211204062712-86aaea0a7310
 	nhooyr.io/websocket v1.8.7
@@ -160,7 +160,7 @@ require (
 	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
 	github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/josharian/native v0.0.0-20200817173448-b6b71def0850 // indirect
+	github.com/josharian/native v1.0.0 // indirect
 	github.com/julz/importas v0.0.0-20210922140945-27e0a5d4dee2 // indirect
 	github.com/kevinburke/ssh_config v1.1.0 // indirect
 	github.com/kisielk/errcheck v1.6.0 // indirect
@@ -181,7 +181,7 @@ require (
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
 	github.com/mbilski/exhaustivestruct v1.2.0 // indirect
-	github.com/mdlayher/socket v0.0.0-20211102153432-57e3fa563ecb // indirect
+	github.com/mdlayher/socket v0.1.1 // indirect
 	github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517 // indirect
 	github.com/mgechev/revive v1.1.2 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1,6 +1,7 @@
 4d63.com/gochecknoglobals v0.0.0-20201008074935-acfc0b28355a/go.mod h1:wfdC5ZjKSPr7CybKEcgJhUOgeAQW1+7WcyK8OvUilfo=
 4d63.com/gochecknoglobals v0.1.0 h1:zeZSRqj5yCg28tCkIV/z/lWbwvNm5qnKVS15PI8nhD0=
 4d63.com/gochecknoglobals v0.1.0/go.mod h1:wfdC5ZjKSPr7CybKEcgJhUOgeAQW1+7WcyK8OvUilfo=
+bazil.org/fuse v0.0.0-20200407214033-5883e5a4b512/go.mod h1:FbcW6z/2VytnFDhZfumh8Ss8zxHE6qpMP5sHTRe0EaM=
 bitbucket.org/creachadair/shell v0.0.6/go.mod h1:8Qqi/cYk7vPnsOePHroKXDJYmb5x7ENhtiFtfZq8K+M=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
@@ -58,6 +59,13 @@ github.com/Antonboom/errname v0.1.5 h1:IM+A/gz0pDhKmlt5KSNTVAvfLMb+65RxavBXpRtCU
 github.com/Antonboom/errname v0.1.5/go.mod h1:DugbBstvPFQbv/5uLcRRzfrNqKE9tVdVCqWCLp6Cifo=
 github.com/Antonboom/nilnil v0.1.0 h1:DLDavmg0a6G/F4Lt9t7Enrbgb3Oph6LnDE6YVsmTt74=
 github.com/Antonboom/nilnil v0.1.0/go.mod h1:PhHLvRPSghY5Y7mX4TW+BHZQYo1A8flE5H20D3IPZBo=
+github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
+github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
+github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
+github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
+github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v0.4.1 h1:GaI7EiDXDRfa8VshkTj7Fym7ha+y8/XxIgD2okUIjLw=
 github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
@@ -80,16 +88,21 @@ github.com/Masterminds/sprig v2.22.0+incompatible h1:z4yfnGrZ7netVz+0EDJ0Wi+5VZC
 github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/Microsoft/go-winio v0.4.15/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
+github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
 github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
 github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
 github.com/Microsoft/go-winio v0.5.1 h1:aPJp2QD7OOrhO5tQXqQoGSJc+DjDtWTGLOmNyAm6FgY=
 github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
+github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2ow3VK6a9Lg=
+github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/OpenPeeDeeP/depguard v1.0.1 h1:VlW4R6jmBIv3/u1JNlawEvJMM4J+dPORPaZasQee8Us=
 github.com/OpenPeeDeeP/depguard v1.0.1/go.mod h1:xsIw86fROiiwelg+jB2uM9PiKihMMmUx/1V+TNhjQvM=
 github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
 github.com/ProtonMail/go-crypto v0.0.0-20211112122917-428f8eabeeb3 h1:XcF0cTDJeiuZ5NU8w7WUDge0HRwwNRmxj/GGk6KSA6g=
 github.com/ProtonMail/go-crypto v0.0.0-20211112122917-428f8eabeeb3/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
+github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/StackExchange/wmi v0.0.0-20180116203802-5d049714c4a6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
 github.com/StackExchange/wmi v1.2.1/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8=
 github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk=
@@ -164,6 +177,7 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.11.1 h1:QKR7wy5e650q70PFKMfGF9sTo0rZ
 github.com/aws/aws-sdk-go-v2/service/sts v1.11.1/go.mod h1:UV2N5HaPfdbDpkgkz4sRzWCvQswZjdO1FfqCWl0t7RA=
 github.com/aws/smithy-go v1.9.0 h1:c7FUdEqrQA1/UVKKCNDFQPNKGp4FQg3YW4Ck5SLTG58=
 github.com/aws/smithy-go v1.9.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
+github.com/bazelbuild/rules_go v0.27.0/go.mod h1:MC23Dc/wkXEyk3Wpq6lCqz0ZAYOZDw2DR5y3N1q2i7M=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -188,6 +202,7 @@ github.com/butuzov/ireturn v0.1.1 h1:QvrO2QF2+/Cx1WA/vETCIYBKtRjc30vesdoPUNo1EbY
 github.com/butuzov/ireturn v0.1.1/go.mod h1:Wh6Zl3IMtTpaIKbmwzqi6olnM9ptYQxxVacMsOEFPoc=
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e h1:hHg27A0RSSp2Om9lubZpiMgVbvn39bsUmW9U5h0twqc=
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A=
+github.com/cenkalti/backoff v1.1.1-0.20190506075156-2146c9339422/go.mod h1:b6Nc7NRH5C4aCISLry0tLnTjcuTEvoiqcWDdsU0sOGM=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
@@ -201,6 +216,8 @@ github.com/chavacava/garif v0.0.0-20210405164556-e8a0a408d6af/go.mod h1:Qjyv4H3/
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg=
+github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/cilium/ebpf v0.5.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/cilium/ebpf v0.7.0 h1:1k/q3ATgxSXRdrmPfH8d7YK0GfqVsEKZAX9dQZvs56k=
 github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
@@ -209,8 +226,28 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
 github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
+github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59/go.mod h1:pA0z1pT8KYB3TCXK/ocprsh7MAkoW8bZVzPdih9snmM=
+github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU=
+github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
+github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw=
+github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/containerd v1.3.9/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
+github.com/containerd/continuity v0.2.1/go.mod h1:wCYX+dRqZdImhGucXOqTQn05AhX6EUDaGEMUzTFFpLg=
+github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
+github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4=
+github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
+github.com/containerd/go-runc v1.0.0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDXPpoJhDR+Ok=
+github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
+github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
+github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
+github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
@@ -222,6 +259,8 @@ github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee
 github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
+github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
@@ -238,6 +277,7 @@ github.com/daixiang0/gci v0.2.9 h1:iwJvwQpBZmMg31w+QQ6jsyZ54KEATn6/nfARbBNW294=
 github.com/daixiang0/gci v0.2.9/go.mod h1:+4dZ7TISfSmqfAGv59ePaHfNzgGtIkHAhhdKggP1JAc=
 github.com/dave/jennifer v1.4.1 h1:XyqG6cn5RQsTj3qlWQTKlRGAyrTcsk1kUmWdZBzRjDw=
 github.com/dave/jennifer v1.4.1/go.mod h1:7jEdnm+qBcxl8PC0zyp7vxcpSRnzXSt9r39tpTVGlwA=
+github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -247,9 +287,14 @@ github.com/denis-tingajkin/go-header v0.4.2 h1:jEeSF4sdv8/3cT/WY8AgDHUoItNSoEZ7q
 github.com/denis-tingajkin/go-header v0.4.2/go.mod h1:eLRHAVXzE5atsKAnNRDB90WHCFFnBUn4RN0nRcs1LJA=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
+github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dvyukov/go-fuzz v0.0.0-20210103155950-6a8e9d1f2415/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
+github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
 github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -259,12 +304,14 @@ github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5y
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
+github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/esimonov/ifshort v1.0.3 h1:JD6x035opqGec5fZ0TLjXeROD2p5H7oLGn8MKfy9HTM=
 github.com/esimonov/ifshort v1.0.3/go.mod h1:yZqNJUrNn20K8Q9n2CrjTKYyVEmX209Hgu+M1LBpeZE=
 github.com/ettle/strcase v0.1.1 h1:htFueZyVeE1XNnMEfbqp5r67qAN/4r6ya1ysq8Q+Zcw=
 github.com/ettle/strcase v0.1.1/go.mod h1:hzDLsPC7/lwKyBOywSHEP89nt2pDgdy+No1NBA9o9VY=
+github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fanliao/go-promise v0.0.0-20141029170127-1890db352a72/go.mod h1:PjfxuH4FZdUyfMdtBio2lsRr1AKEaVPwelzuHuh8Lqc=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
@@ -284,6 +331,7 @@ github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5
 github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM=
 github.com/fzipp/gocyclo v0.3.1 h1:A9UeX3HJSXTBzvHzhqoYVuE0eAhe+aM8XBCCwsPMZOc=
 github.com/fzipp/gocyclo v0.3.1/go.mod h1:DJHO6AUmbdqj2ET4Z9iArSuwWgYDRryYt2wASxc7x3E=
+github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
 github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
@@ -319,10 +367,15 @@ github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vb
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
+github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8=
 github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
+github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
+github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
+github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
 github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.13.0 h1:HyWk6mgj5qFqCT5fjGBuRArbVDfE4hi8+e8ceBS/t7Q=
 github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
@@ -369,6 +422,7 @@ github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6Wezm
 github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
 github.com/gobwas/ws v1.0.2 h1:CoAavW/wd/kulfZmSIBt6p24n4j7tHgNVCjsfHVNUbo=
 github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM=
+github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro=
 github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@@ -377,6 +431,7 @@ github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
 github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
@@ -399,6 +454,7 @@ github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt
 github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
 github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
+github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -466,8 +522,10 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
+github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
+github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/goterm v0.0.0-20190703233501-fc88cf888a3f/go.mod h1:nOFQdrUlIlx6M6ODdSpBj1NVA+VgLC6kmw60mkw34H4=
 github.com/google/goterm v0.0.0-20200907032337-555d40f16ae2 h1:CVuJwN34x4xM2aT4sIKhmeib40NeBPhRihNjQmpJsA4=
@@ -494,6 +552,7 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLe
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/rpmpack v0.0.0-20201206194719-59e495f2b7e1 h1:BRIy5qQZKSC/nthA5ueW547F73BV5hMoIoxhPfhxa3k=
 github.com/google/rpmpack v0.0.0-20201206194719-59e495f2b7e1/go.mod h1:+y9lKiqDhR4zkLl+V9h4q0rdyrYVsWWm6LLCQP33DIk=
+github.com/google/subcommands v1.0.2-0.20190508160503-636abe8753b8/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
 github.com/google/trillian v1.3.11/go.mod h1:0tPraVHrSDkA3BO6vKX67zgLXs6SsOAbHEivX+9mPgw=
 github.com/google/uuid v0.0.0-20161128191214-064e2069ce9c/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -504,9 +563,12 @@ github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
+github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
+github.com/googleapis/gnostic v0.4.0/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU=
 github.com/gookit/color v1.3.1/go.mod h1:R3ogXq2B9rTbXoSHJ1HyUVAZ3poOJHpd9nQmyGZsfvQ=
 github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQHCoQ=
 github.com/gookit/color v1.5.0/go.mod h1:43aQb+Zerm/BWh2GnrgOQm7ffz7tvQXEKV6BFMl7wAo=
+github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU=
 github.com/gordonklaus/ineffassign v0.0.0-20210225214923-2e10b2664254/go.mod h1:M9mZEtGIsR1oDaZagNPNG9iq9n2HrhZ17dsXk73V3Lw=
@@ -521,6 +583,7 @@ github.com/goreleaser/nfpm v1.10.3/go.mod h1:EEC7YD5wi+ol0MiAshpgPANBOkjXDl7wqTL
 github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
+github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
@@ -543,6 +606,7 @@ github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW
 github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M=
 github.com/gostaticanalysis/testutil v0.4.0 h1:nhdCmubdmDF6VEatUNjgUZBJKWRqugoISdUv3PPQgHY=
 github.com/gostaticanalysis/testutil v0.4.0/go.mod h1:bLIoPefWXrRi/ssLFWX1dx7Repi5x3CuviD3dgAZaBU=
+github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
@@ -599,6 +663,7 @@ github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.4/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
@@ -631,8 +696,9 @@ github.com/jmoiron/sqlx v1.2.0/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhB
 github.com/jmoiron/sqlx v1.2.1-0.20190826204134-d7d95172beb5/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/jonboulle/clockwork v0.2.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
-github.com/josharian/native v0.0.0-20200817173448-b6b71def0850 h1:uhL5Gw7BINiiPAo24A2sxkcDI0Jt/sqp1v5xQCniEFA=
 github.com/josharian/native v0.0.0-20200817173448-b6b71def0850/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/josharian/native v1.0.0 h1:Ts/E8zCSEsG17dUqv7joXJFybuMLjQfWE04tsBODTxk=
+github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/txtarfs v0.0.0-20210218200122-0702f000015a/go.mod h1:izVPOvVRsHiKkeGCT6tYBNWyDVuzj9wAaBb5R9qamfw=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw=
@@ -647,6 +713,7 @@ github.com/jsimonetti/rtnetlink v0.0.0-20210525051524-4cc836578190/go.mod h1:NmK
 github.com/jsimonetti/rtnetlink v0.0.0-20211022192332-93da33804786/go.mod h1:v4hqbTdfQngbVSZJVWUhGE/lbTFf9jb+ygmNUDQMuOs=
 github.com/jsimonetti/rtnetlink v0.0.0-20211203074127-fd9a11f42291 h1:0J2ntV09uHLUHC79Z3YKJX2EnfOKL2QkMuHabu4L8JM=
 github.com/jsimonetti/rtnetlink v0.0.0-20211203074127-fd9a11f42291/go.mod h1:J7jazXS6RFR/oZT8XdfdD2KQ1bl56ukeE1qt4w8UQaI=
+github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -695,6 +762,7 @@ github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/pty v1.1.4-0.20190131011033-7dc38fb350b1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
@@ -727,6 +795,7 @@ github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czP
 github.com/magiconair/properties v1.8.4/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
+github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/maratori/testpackage v1.0.1 h1:QtJ5ZjqapShm0w5DosRjg0PRlSdAdlx+W6cCKoALdbQ=
 github.com/maratori/testpackage v1.0.1/go.mod h1:ddKdw+XG0Phzhx8BFDTKgpWP4i7MpApTE5fXSKAqwDU=
 github.com/matoous/godox v0.0.0-20190911065817-5d6d842e92eb/go.mod h1:1BELzlh859Sh1c6+90blK8lbYy0kwQf1bYlBhBysy1s=
@@ -736,6 +805,7 @@ github.com/matoous/godox v0.0.0-20210227103229-6504466cf951/go.mod h1:1BELzlh859
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/matryer/is v1.4.0 h1:sosSmIWwkYITGrxZ25ULNDeKiMNzFSr4V/eqBQP0PeE=
 github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU=
+github.com/mattbaird/jsonpatch v0.0.0-20171005235357-81af80346b1a/go.mod h1:M1qoD/MqPgTZIk0EWKB38wE28ACRfVcn+cU08jyArI0=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
@@ -767,9 +837,7 @@ github.com/mbilski/exhaustivestruct v1.2.0 h1:wCBmUnSYufAHO6J4AVWY6ff+oxWxsVFrwg
 github.com/mbilski/exhaustivestruct v1.2.0/go.mod h1:OeTBVxQWoEmB2J2JCHmXWPJ0aksxSUOUy+nvtVEfzXc=
 github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7/go.mod h1:U6ZQobyTjI/tJyq2HG+i/dfSoFUt8/aZCM+GKtmFk/Y=
 github.com/mdlayher/ethtool v0.0.0-20210210192532-2b88debcdd43/go.mod h1:+t7E0lkKfbBsebllff1xdTmyJt8lH37niI6kwFk9OTo=
-github.com/mdlayher/ethtool v0.0.0-20211028163843-288d040e9d60 h1:tHdB+hQRHU10CfcK0furo6rSNgZ38JT8uPh70c/pFD8=
 github.com/mdlayher/ethtool v0.0.0-20211028163843-288d040e9d60/go.mod h1:aYbhishWc4Ai3I2U4Gaa2n3kHWSwzme6EsG/46HRQbE=
-github.com/mdlayher/genetlink v1.0.0 h1:OoHN1OdyEIkScEmRgxLEe2M9U8ClMytqA5niynLtfj0=
 github.com/mdlayher/genetlink v1.0.0/go.mod h1:0rJ0h4itni50A86M2kHcgS85ttZazNt7a8H2a2cw0Gc=
 github.com/mdlayher/netlink v0.0.0-20190409211403-11939a169225/go.mod h1:eQB3mZE4aiYnlUsyGGCOpPETfdQq4Jhsgf1fk3cwQaA=
 github.com/mdlayher/netlink v1.0.0/go.mod h1:KxeJAFOFLG6AjpyDkQ/iIhxygIUKD+vcwqcnu43w/+M=
@@ -781,16 +849,18 @@ github.com/mdlayher/netlink v1.2.2-0.20210123213345-5cc92139ae3e/go.mod h1:bacnN
 github.com/mdlayher/netlink v1.3.0/go.mod h1:xK/BssKuwcRXHrtN04UBkwQ6dY9VviGGuriDdoPSWys=
 github.com/mdlayher/netlink v1.4.0/go.mod h1:dRJi5IABcZpBD2A3D0Mv/AiX8I9uDEu5oGkAVrekmf8=
 github.com/mdlayher/netlink v1.4.1/go.mod h1:e4/KuJ+s8UhfUpO9z00/fDZZmhSrs+oxyqAS9cNgn6Q=
-github.com/mdlayher/netlink v1.4.2 h1:3sbnJWe/LETovA7yRZIX3f9McVOWV3OySH6iIBxiFfI=
 github.com/mdlayher/netlink v1.4.2/go.mod h1:13VaingaArGUTUxFLf/iEovKxXji32JAtF858jZYEug=
+github.com/mdlayher/netlink v1.6.0 h1:rOHX5yl7qnlpiVkFWoqccueppMtXzeziFjWAjLg6sz0=
+github.com/mdlayher/netlink v1.6.0/go.mod h1:0o3PlBmGst1xve7wQ7j/hwpNaFaH4qCRyWCdcZk8/vA=
 github.com/mdlayher/raw v0.0.0-20190606142536-fef19f00fc18/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
 github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
 github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697 h1:PBb7ld5cQGfxHF2pKvb/ydtuPwdRaltGI4e0QSCuiNI=
 github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697/go.mod h1:HtjVsQfsrBm1GDcDTUFn4ZXhftxTwO/hxrvEiRc61U4=
 github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00/go.mod h1:GAFlyu4/XV68LkQKYzKhIo/WW7j3Zi0YRAz/BOoanUc=
 github.com/mdlayher/socket v0.0.0-20211007213009-516dcbdf0267/go.mod h1:nFZ1EtZYK8Gi/k6QNu7z7CgO20i/4ExeQswwWuPmG/g=
-github.com/mdlayher/socket v0.0.0-20211102153432-57e3fa563ecb h1:2dC7L10LmTqlyMVzFJ00qM25lqESg9Z4u3GuEXN5iHY=
 github.com/mdlayher/socket v0.0.0-20211102153432-57e3fa563ecb/go.mod h1:nFZ1EtZYK8Gi/k6QNu7z7CgO20i/4ExeQswwWuPmG/g=
+github.com/mdlayher/socket v0.1.1 h1:q3uOGirUPfAV2MUoaC7BavjQ154J7+JOkTWyiV+intI=
+github.com/mdlayher/socket v0.1.1/go.mod h1:mYV5YIZAfHh4dzDVzI8x8tWLWCliuX8Mon5Awbj+qDs=
 github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517 h1:zpIH83+oKzcpryru8ceC6BxnoG8TBrhgAvRg8obzup0=
 github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517/go.mod h1:KQ7+USdGKfpPjXk4Ga+5XxQM4Lm4e3gAogrreFAYpOg=
 github.com/mgechev/revive v1.1.2 h1:MiYA/o9M7REjvOF20QN43U8OtXDDHQFKLCtJnxLGLog=
@@ -831,20 +901,24 @@ github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJ
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/mohae/deepcopy v0.0.0-20170308212314-bb9b5e7adda9/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
 github.com/moricho/tparallel v0.2.1 h1:95FytivzT6rYzdJLdtfn6m1bfFJylOJK41+lgv/EHf4=
 github.com/moricho/tparallel v0.2.1/go.mod h1:fXEIZxG2vdfl0ZF8b42f5a78EhjjD5mX8qUplsoSU4k=
 github.com/mozilla/scribe v0.0.0-20180711195314-fb71baf557c1/go.mod h1:FIczTrinKo8VaLxe6PWTPEXRXDIHz2QAwiaBaP5/4a8=
 github.com/mozilla/tls-observatory v0.0.0-20200317151703-4fa42e1c2dee/go.mod h1:SrKMQvPiws7F7iqYp8/TX+IhxCYhzr6N/1yb8cwHsGk=
 github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5/go.mod h1:FUqVoUPHSEdDR0MnFM3Dh8AU0pZHLXUD127SAJGER/s=
+github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-proto-validators v0.0.0-20180403085117-0950a7990007/go.mod h1:m2XC9Qq0AlmmVksL6FktJCdTYyLk7V3fKyp0sl1yWQo=
 github.com/mwitkow/go-proto-validators v0.2.0/go.mod h1:ZfA1hW+UH/2ZHOWvQ3HnQaU0DtnpXu850MZiy+YUgcc=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/nakabonne/nestif v0.3.0/go.mod h1:dI314BppzXjJ4HsCnbo7XzrJHPszZsjnk5wEBSYHI2c=
 github.com/nakabonne/nestif v0.3.1 h1:wm28nZjhQY5HyYPx+weN3Q65k6ilSBxDb8v5S81B81U=
 github.com/nakabonne/nestif v0.3.1/go.mod h1:9EtoZochLn5iUprVDmDjqGKPofoUEBL8U4Ngq6aY7OE=
@@ -868,13 +942,17 @@ github.com/olekukonko/tablewriter v0.0.1/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXW
 github.com/olekukonko/tablewriter v0.0.2/go.mod h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2fSBUmeGDbRWPxyQ=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
+github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.14.1/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
+github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
@@ -883,6 +961,12 @@ github.com/onsi/gomega v1.17.0 h1:9Luw4uT5HTjHTN8+aNcSThgH1vdXnmdJ8xIfZ4wyTRE=
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 h1:lDH9UUVJtmYCjyT0CI4q8xvlXPxeZ0gYCVvWbmPlp88=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
+github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runc v1.0.0-rc90/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.0.3-0.20211123151946-c2389c3cb60a/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/otiai10/copy v1.2.0 h1:HvG945u96iNadPoG2/Ja2+AUJeW5YuFQMixq9yirC+k=
 github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=
@@ -944,8 +1028,10 @@ github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB8
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
 github.com/prometheus/common v0.32.1 h1:hWIdL3N2HoUx3B8j3YN9mWor0qhY/NlEKZEaXxuIRh4=
 github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
+github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.0.0-20190522114515-bc1a522cf7b1/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
@@ -1031,6 +1117,7 @@ github.com/sourcegraph/go-diff v0.6.1 h1:hmA1LzxW0n1c3Q4YbrFgg4P99GSnebYa3x8gr0H
 github.com/sourcegraph/go-diff v0.6.1/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
+github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/afero v1.4.1/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/afero v1.5.1/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/afero v1.6.0 h1:xoax2sJ2DT8S8xA2paPFjDCScCNeWsg75VG0DLRreiY=
@@ -1041,17 +1128,20 @@ github.com/spf13/cast v1.4.1 h1:s0hze+J0196ZfEMTs80N7UlFt0BDuQ7Q+JDnHiMWKdA=
 github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
+github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
 github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI=
 github.com/spf13/cobra v1.2.1 h1:+KmjbUw1hriSNMF55oPrkZcb27aECyrj8V2ytv7kWDw=
 github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
+github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
+github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
 github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
 github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
@@ -1064,6 +1154,7 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.3.0 h1:NGXK3lHquSN08v5vWalVI/L8XU9hdzE/G6xsrze47As=
 github.com/stretchr/objx v0.3.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
+github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v0.0.0-20170130113145-4d4bfba8f1d1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.1.4/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
@@ -1077,6 +1168,7 @@ github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/sylvia7788/contextcheck v1.0.4 h1:MsiVqROAdr0efZc/fOCt0c235qm9XJqHtWwM+2h2B04=
 github.com/sylvia7788/contextcheck v1.0.4/go.mod h1:vuPKJMQ7MQ91ZTqfdyreNKwZjyUg6KO+IebVyQDedZQ=
+github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/tailscale/certstore v0.0.0-20210528134328-066c94b793d3 h1:fEubocuQkrlcuYeXelhYq/YcKvVVe1Ah7saQEtj98Mo=
 github.com/tailscale/certstore v0.0.0-20210528134328-066c94b793d3/go.mod h1:2P+hpOwd53e7JMX/L4f3VXkv1G+33ES6IWZSrkIeWNs=
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HPjrSuJYEkdZ+0ItmGQAQ75cRHIiftIyE=
@@ -1124,8 +1216,10 @@ github.com/tommy-muehle/go-mnd/v2 v2.4.0 h1:1t0f8Uiaq+fqKteUR4N9Umr6E99R+lDnLnq7
 github.com/tommy-muehle/go-mnd/v2 v2.4.0/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw=
 github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=
 github.com/toqueteos/webbrowser v1.2.0/go.mod h1:XWoZq4cyp9WeUeak7w7LXRUQf1F1ATJMir8RTqb4ayM=
+github.com/tv42/httpunix v0.0.0-20191220191345-2ba4b9c3382c/go.mod h1:hzIxponao9Kjc7aWznkXaL4U4TWaDSs8zcsY4Ka08nM=
 github.com/u-root/uio v0.0.0-20210528114334-82958018845c h1:BFvcl34IGnw8yvJi8hlqLFo9EshRInwWBs2M5fGWzQA=
 github.com/u-root/uio v0.0.0-20210528114334-82958018845c/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
+github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/ugorji/go v1.1.7 h1:/68gy2h+1mWMrwZFeD1kQialdSzAb432dtpeJ42ovdo=
 github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
 github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
@@ -1141,6 +1235,7 @@ github.com/ultraware/whitespace v0.0.4 h1:If7Va4cM03mpgrNH9k49/VOicWpGoG70XPBFFO
 github.com/ultraware/whitespace v0.0.4/go.mod h1:aVMh/gQve5Maj9hQ/hg+F75lr/X5A89uZnzAmWSineA=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
+github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/uudashr/gocognit v1.0.1/go.mod h1:j44Ayx2KW4+oB6SWMv8KsmHzZrOInQav7D3cQMJ5JUM=
 github.com/uudashr/gocognit v1.0.5 h1:rrSex7oHr3/pPLQ0xoWq108XMU8s678FJcQ+aSfOHa4=
 github.com/uudashr/gocognit v1.0.5/go.mod h1:wgYz0mitoKOTysqxTDMOUXg+Jb5SvtihkfmugIZYpEA=
@@ -1152,6 +1247,7 @@ github.com/valyala/quicktemplate v1.7.0/go.mod h1:sqKJnoaOF88V07vkO+9FL8fb9uZg/V
 github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio=
 github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
 github.com/viki-org/dnscache v0.0.0-20130720023526-c70c1f23c5d8/go.mod h1:dniwbG03GafCjFohMDmz6Zc6oCuiqgH6tGNyXTkHzXE=
+github.com/vishvananda/netlink v1.0.1-0.20190930145447-2ec5bdc52b86/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
 github.com/vishvananda/netlink v1.1.1-0.20211101163509-b10eb8fe5cf6 h1:167a2omrzz+nN9Of6lN/0yOB9itzw+IOioRThNZ30jA=
 github.com/vishvananda/netlink v1.1.1-0.20211101163509-b10eb8fe5cf6/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
@@ -1220,6 +1316,7 @@ golang.org/x/crypto v0.0.0-20180501155221-613d6eafa307/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -1227,6 +1324,7 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -1287,6 +1385,7 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
+golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1303,6 +1402,7 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190419010253-1f3472d942ba/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -1312,6 +1412,7 @@ golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -1354,8 +1455,8 @@ golang.org/x/net v0.0.0-20211020060615-d418f374d309/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211101193420-4a448f8816b3/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211201190559-0a0e4e1bb54c/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211205041911-012df41ee64c h1:7SfqwP5fxEtl/P02w5IhKc86ziJ+A25yFrkVgoy2FT8=
-golang.org/x/net v0.0.0-20211205041911-012df41ee64c/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1373,6 +1474,7 @@ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1388,6 +1490,7 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1397,6 +1500,7 @@ golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1411,6 +1515,7 @@ golang.org/x/sys v0.0.0-20190606122018-79a91cf218c4/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1419,13 +1524,16 @@ golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200120151820-655fe14d7479/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1447,6 +1555,7 @@ golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200916030750-2334cc1a136f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1493,6 +1602,7 @@ golang.org/x/sys v0.0.0-20210915083310-ed5796bab164/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211002104244-808efd93c36d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1500,12 +1610,14 @@ golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211205182925-97ca703d548d h1:FjkYO/PPp4Wi0EAUOVLxePm7qVW4r4ctbWpURyuOD0E=
-golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27 h1:XDXtA5hveEEV8JB2l7nhMTp3t3cHp9ZpwcdjqyEWLlo=
+golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1526,6 +1638,7 @@ golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190110163146-51295c7ec13a/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1701,6 +1814,7 @@ google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvx
 google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
 google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
@@ -1738,6 +1852,7 @@ google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxH
 google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24=
 google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
 google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
+google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
 google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
 google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
 google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w=
@@ -1746,6 +1861,7 @@ google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEc
 google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
+google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
@@ -1772,6 +1888,7 @@ google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQ
 google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
 google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
+google.golang.org/grpc v1.42.0-dev.0.20211020220737-f00baa6c3c84/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@@ -1799,6 +1916,7 @@ gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qS
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.63.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
@@ -1825,6 +1943,9 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
+gvisor.dev/gvisor v0.0.0-20220126021142-d8aa030b2591 h1:acuXPUADpJMtawdLCUje9xKlQN/8utegCB/Hr/ZgEuY=
+gvisor.dev/gvisor v0.0.0-20220126021142-d8aa030b2591/go.mod h1:vmN0Pug/s8TJmpnt30DvrEfZ5vDl52psGLU04tFuK2U=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -1842,12 +1963,20 @@ howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 inet.af/netaddr v0.0.0-20210515010201-ad03edc7c841/go.mod h1:z0nx+Dh+7N7CC8V5ayHtHGpZpxLQZZxkIaaz6HN65Ls=
 inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6 h1:acCzuUSQ79tGsM/O50VRFySfMm19IoMKL+sZztZkCxw=
 inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6/go.mod h1:y3MGhcFMlh0KZPMuXXow8mpjxxAk3yoDNsp4cQz54i8=
-inet.af/netstack v0.0.0-20211120045802-8aa80cf23d3c h1:nr31qYr+91rWD8klUkPx3eGTZzumCC414UJG1QRKZTc=
-inet.af/netstack v0.0.0-20211120045802-8aa80cf23d3c/go.mod h1:KOJdAzQzMLKzwFEdOOnrnSrLIhaFVB+NQoME/e5wllA=
 inet.af/peercred v0.0.0-20210906144145-0893ea02156a h1:qdkS8Q5/i10xU2ArJMKYhVa1DORzBfYS/qA2UK2jheg=
 inet.af/peercred v0.0.0-20210906144145-0893ea02156a/go.mod h1:FjawnflS/udxX+SvpsMgZfdqx2aykOlkISeAsADi5IU=
 inet.af/wf v0.0.0-20211204062712-86aaea0a7310 h1:0jKHTf+W75kYRyg5bto1UT+r18QmAz2u/5pAs/fx4zo=
 inet.af/wf v0.0.0-20211204062712-86aaea0a7310/go.mod h1:ViGMZRA6+RA318D7GCncrjv5gHUrPYrNDejjU12tikA=
+k8s.io/api v0.16.13/go.mod h1:QWu8UWSTiuQZMMeYjwLs6ILu5O74qKSJ0c+4vrchDxs=
+k8s.io/apimachinery v0.16.13/go.mod h1:4HMHS3mDHtVttspuuhrJ1GGr/0S9B6iWYWZ57KnnZqQ=
+k8s.io/apimachinery v0.16.14-rc.0/go.mod h1:4HMHS3mDHtVttspuuhrJ1GGr/0S9B6iWYWZ57KnnZqQ=
+k8s.io/client-go v0.16.13/go.mod h1:UKvVT4cajC2iN7DCjLgT0KVY/cbY6DGdUCyRiIfws5M=
+k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
+k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
+k8s.io/kube-openapi v0.0.0-20200410163147-594e756bea31/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
+k8s.io/utils v0.0.0-20190801114015-581e00157fb1/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 mvdan.cc/gofumpt v0.0.0-20200802201014-ab5a8192947d/go.mod h1:bzrjFmaD6+xqohD3KYP0H2FEuxknnBmyyOxdhLdaIws=
 mvdan.cc/gofumpt v0.0.0-20201129102820-5c11c50e9475/go.mod h1:E4LOcu9JQEtnYXtB1Y51drqh2Qr2Ngk9J3YrRCwcbd0=
 mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48=
@@ -1866,6 +1995,7 @@ nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 software.sslmate.com/src/go-pkcs12 v0.0.0-20180114231543-2291e8f0f237/go.mod h1:/xvNRWUqm0+/ZMiF4EX00vrSCMsE4/NHb+Pt3freEeQ=
 software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78 h1:SqYE5+A2qvRhErbsXFfUEUmpWEKxxRSMgGLkvRAFOV4=
--- a/go.toolchain.branch
+++ b/go.toolchain.branch
@@ -0,0 +1 @@
+tailscale.go1.17
--- a/go.toolchain.rev
+++ b/go.toolchain.rev
@@ -0,0 +1 @@
+dce70b6d327c7a30b81701f4cc134b56c4e6c229
--- a/health/health.go
+++ b/health/health.go
@@ -9,13 +9,14 @@ package health
 import (
 	"errors"
 	"fmt"
-	"os"
+	"net/http"
 	"runtime"
 	"sort"
 	"sync"
 	"sync/atomic"
 	"time"

+	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/multierr"
 )
@@ -28,6 +29,8 @@ var (
 	watchers = map[*watchHandle]func(Subsystem, error){} // opt func to run if error state changes
 	timer    *time.Timer

+	debugHandler = map[string]http.Handler{}
+
 	inMapPoll               bool
 	inMapPollSince          time.Time
 	lastMapPollEndedAt      time.Time
@@ -61,6 +64,9 @@ const (
 	// SysDNSOS is the name of the net/dns OSConfigurator subsystem.
 	SysDNSOS = Subsystem("dns-os")

+	// SysDNSManager is the name of the net/dns manager subsystem.
+	SysDNSManager = Subsystem("dns-manager")
+
 	// SysNetworkCategory is the name of the subsystem that sets
 	// the Windows network adapter's "category" (public, private, domain).
 	// If it's unhealthy, the Windows firewall rules won't match.
@@ -107,6 +113,10 @@ func DNSHealth() error { return get(SysDNS) }
 // SetDNSOSHealth sets the state of the net/dns.OSConfigurator
 func SetDNSOSHealth(err error) { set(SysDNSOS, err) }

+// SetDNSManagerHealth sets the state of the Linux net/dns manager's
+// discovery of the /etc/resolv.conf situation.
+func SetDNSManagerHealth(err error) { set(SysDNSManager, err) }
+
 // DNSOSHealth returns the net/dns.OSConfigurator error state.
 func DNSOSHealth() error { return get(SysDNSOS) }

@@ -116,6 +126,18 @@ func SetNetworkCategoryHealth(err error) { set(SysNetworkCategory, err) }

 func NetworkCategoryHealth() error { return get(SysNetworkCategory) }

+func RegisterDebugHandler(typ string, h http.Handler) {
+	mu.Lock()
+	defer mu.Unlock()
+	debugHandler[typ] = h
+}
+
+func DebugHandler(typ string) http.Handler {
+	mu.Lock()
+	defer mu.Unlock()
+	return debugHandler[typ]
+}
+
 func get(key Subsystem) error {
 	mu.Lock()
 	defer mu.Unlock()
@@ -168,7 +190,8 @@ func GotStreamedMapResponse() {
 	selfCheckLocked()
 }

-// SetInPollNetMap records that we're in
+// SetInPollNetMap records whether the client has an open
+// HTTP long poll open to the control plane.
 func SetInPollNetMap(v bool) {
 	mu.Lock()
 	defer mu.Unlock()
@@ -183,6 +206,14 @@ func SetInPollNetMap(v bool) {
 	}
 }

+// GetInPollNetMap reports whether the client has an open
+// HTTP long poll open to the control plane.
+func GetInPollNetMap() bool {
+	mu.Lock()
+	defer mu.Unlock()
+	return inMapPoll
+}
+
 // SetMagicSockDERPHome notes what magicsock's view of its home DERP is.
 func SetMagicSockDERPHome(region int) {
 	mu.Lock()
@@ -284,7 +315,7 @@ func OverallError() error {
 	return overallErrorLocked()
 }

-var fakeErrForTesting = os.Getenv("TS_DEBUG_FAKE_HEALTH_ERROR")
+var fakeErrForTesting = envknob.String("TS_DEBUG_FAKE_HEALTH_ERROR")

 func overallErrorLocked() error {
 	if !anyInterfaceUp {
--- a/hostinfo/hostinfo.go
+++ b/hostinfo/hostinfo.go
@@ -10,7 +10,6 @@ import (
 	"bufio"
 	"io"
 	"os"
-	"path/filepath"
 	"runtime"
 	"strings"
 	"sync/atomic"
@@ -32,13 +31,17 @@ func New() *tailcfg.Hostinfo {
 		Hostname:    hostname,
 		OS:          version.OS(),
 		OSVersion:   GetOSVersion(),
-		Package:     packageType(),
+		Package:     packageTypeCached(),
 		GoArch:      runtime.GOARCH,
 		DeviceModel: deviceModel(),
 	}
 }

-var osVersion func() string // non-nil on some platforms
+// non-nil on some platforms
+var (
+	osVersion   func() string
+	packageType func() string
+)

 // GetOSVersion returns the OSVersion of current host if available.
 func GetOSVersion() string {
@@ -51,28 +54,18 @@ func GetOSVersion() string {
 	return ""
 }

-func packageType() string {
+func packageTypeCached() string {
 	if v, _ := packagingType.Load().(string); v != "" {
 		return v
 	}
-	switch runtime.GOOS {
-	case "windows":
-		if _, err := os.Stat(`C:\ProgramData\chocolatey\lib\tailscale`); err == nil {
-			return "choco"
-		}
-	case "darwin":
-		// Using tailscaled or IPNExtension?
-		exe, _ := os.Executable()
-		return filepath.Base(exe)
-	case "linux":
-		// Report whether this is in a snap.
-		// See https://snapcraft.io/docs/environment-variables
-		// We just look at two somewhat arbitrarily.
-		if os.Getenv("SNAP_NAME") != "" && os.Getenv("SNAP") != "" {
-			return "snap"
-		}
+	if packageType == nil {
+		return ""
 	}
-	return ""
+	v := packageType()
+	if v != "" {
+		SetPackage(v)
+	}
+	return v
 }

 // EnvType represents a known environment type.
--- a/hostinfo/hostinfo_darwin.go
+++ b/hostinfo/hostinfo_darwin.go
@@ -0,0 +1,23 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build darwin
+// +build darwin
+
+package hostinfo
+
+import (
+	"os"
+	"path/filepath"
+)
+
+func init() {
+	packageType = packageTypeDarwin
+}
+
+func packageTypeDarwin() string {
+	// Using tailscaled or IPNExtension?
+	exe, _ := os.Executable()
+	return filepath.Base(exe)
+}
--- a/hostinfo/hostinfo_linux.go
+++ b/hostinfo/hostinfo_linux.go
@@ -21,6 +21,7 @@ import (

 func init() {
 	osVersion = osVersionLinux
+	packageType = packageTypeLinux

 	if v := linuxDeviceModel(); v != "" {
 		SetDeviceModel(v)
@@ -112,6 +113,18 @@ func osVersionLinux() string {
 		return fmt.Sprintf("Synology %s%s", m["productversion"], attr)
 	case distro.OpenWrt:
 		return fmt.Sprintf("OpenWrt %s%s", m["DISTRIB_RELEASE"], attr)
+	case distro.Gokrazy:
+		return fmt.Sprintf("Gokrazy%s", attr)
 	}
 	return fmt.Sprintf("Other%s", attr)
 }
+
+func packageTypeLinux() string {
+	// Report whether this is in a snap.
+	// See https://snapcraft.io/docs/environment-variables
+	// We just look at two somewhat arbitrarily.
+	if os.Getenv("SNAP_NAME") != "" && os.Getenv("SNAP") != "" {
+		return "snap"
+	}
+	return ""
+}
--- a/hostinfo/hostinfo_windows.go
+++ b/hostinfo/hostinfo_windows.go
@@ -6,14 +6,18 @@ package hostinfo

 import (
 	"fmt"
+	"os"
+	"path/filepath"
 	"sync/atomic"

 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/registry"
+	"tailscale.com/util/winutil"
 )

 func init() {
 	osVersion = osVersionWindows
+	packageType = packageTypeWindows
 }

 var winVerCache atomic.Value // of string
@@ -56,3 +60,25 @@ func getUBR() (uint32, error) {

 	return uint32(val), nil
 }
+
+func packageTypeWindows() string {
+	if _, err := os.Stat(`C:\ProgramData\chocolatey\lib\tailscale`); err == nil {
+		return "choco"
+	}
+	if msiSentinel := winutil.GetRegInteger("MSI", 0); msiSentinel == 1 {
+		return "msi"
+	}
+	exe, err := os.Executable()
+	if err != nil {
+		return ""
+	}
+	dir := filepath.Dir(exe)
+	nsisUninstaller := filepath.Join(dir, "Uninstall-Tailscale.exe")
+	_, err = os.Stat(nsisUninstaller)
+	if err == nil {
+		return "nsis"
+	}
+	// Atypical. Not worth trying to detect. Likely open
+	// source tailscaled or a developer running by hand.
+	return ""
+}
--- a/ipn/ipnlocal/dnsconfig_test.go
+++ b/ipn/ipnlocal/dnsconfig_test.go
@@ -111,7 +111,8 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			},
 			prefs: &ipn.Prefs{},
 			want: &dns.Config{
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
+				OnlyIPv6: true,
+				Routes:   map[dnsname.FQDN][]dnstype.Resolver{},
 				Hosts: map[dnsname.FQDN][]netaddr.IP{
 					"b.net.":       ips("fe75::2"),
 					"myname.net.":  ips("fe75::1"),
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -27,6 +27,7 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
+	"tailscale.com/envknob"
 	"tailscale.com/health"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
@@ -38,6 +39,7 @@ import (
 	"tailscale.com/net/tsdial"
 	"tailscale.com/paths"
 	"tailscale.com/portlist"
+	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/empty"
@@ -46,6 +48,7 @@ import (
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
+	"tailscale.com/types/views"
 	"tailscale.com/util/deephash"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/multierr"
@@ -55,6 +58,7 @@ import (
 	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
+	"tailscale.com/wgengine/magicsock"
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/wgcfg"
 	"tailscale.com/wgengine/wgcfg/nmcfg"
@@ -63,7 +67,7 @@ import (
 var controlDebugFlags = getControlDebugFlags()

 func getControlDebugFlags() []string {
-	if e := os.Getenv("TS_DEBUG_CONTROL_FLAGS"); e != "" {
+	if e := envknob.String("TS_DEBUG_CONTROL_FLAGS"); e != "" {
 		return strings.Split(e, ",")
 	}
 	return nil
@@ -98,6 +102,7 @@ type LocalBackend struct {
 	serverURL             string           // tailcontrol URL
 	newDecompressor       func() (controlclient.Decompressor, error)
 	varRoot               string // or empty if SetVarRoot never called
+	sshAtomicBool         syncs.AtomicBool

 	filterHash deephash.Sum

@@ -132,6 +137,7 @@ type LocalBackend struct {
 	prevIfState      *interfaces.State
 	peerAPIServer    *peerAPIServer // or nil
 	peerAPIListeners []*peerAPIListener
+	loginFlags       controlclient.LoginFlags
 	incomingFiles    map[*incomingFile]bool
 	// directFileRoot, if non-empty, means to write received files
 	// directly to this directory, without staging them in an
@@ -162,10 +168,14 @@ type clientGen func(controlclient.Options) (controlclient.Client, error)
 // but is not actually running.
 //
 // If dialer is nil, a new one is made.
-func NewLocalBackend(logf logger.Logf, logid string, store ipn.StateStore, dialer *tsdial.Dialer, e wgengine.Engine) (*LocalBackend, error) {
+func NewLocalBackend(logf logger.Logf, logid string, store ipn.StateStore, dialer *tsdial.Dialer, e wgengine.Engine, loginFlags controlclient.LoginFlags) (*LocalBackend, error) {
 	if e == nil {
 		panic("ipn.NewLocalBackend: engine must not be nil")
 	}
+
+	hi := hostinfo.New()
+	logf.JSON(1, "Hostinfo", hi)
+	envknob.LogCurrent(logf)
 	if dialer == nil {
 		dialer = new(tsdial.Dialer)
 	}
@@ -191,6 +201,7 @@ func NewLocalBackend(logf logger.Logf, logid string, store ipn.StateStore, diale
 		state:          ipn.NoState,
 		portpoll:       portpoll,
 		gotPortPollRes: make(chan struct{}),
+		loginFlags:     loginFlags,
 	}

 	// Default filter blocks everything and logs nothing, until Start() is called.
@@ -211,7 +222,7 @@ func NewLocalBackend(logf logger.Logf, logid string, store ipn.StateStore, diale
 	wiredPeerAPIPort := false
 	if ig, ok := e.(wgengine.InternalsGetter); ok {
 		if tunWrap, _, ok := ig.GetInternals(); ok {
-			tunWrap.PeerAPIPort = b.getPeerAPIPortForTSMPPing
+			tunWrap.PeerAPIPort = b.GetPeerAPIPort
 			wiredPeerAPIPort = true
 		}
 	}
@@ -375,11 +386,18 @@ func (b *LocalBackend) updateStatus(sb *ipnstate.StatusBuilder, extraLocked func
 			}
 		}
 		if b.netMap != nil {
-			s.MagicDNSSuffix = b.netMap.MagicDNSSuffix()
 			s.CertDomains = append([]string(nil), b.netMap.DNS.CertDomains...)
+			s.MagicDNSSuffix = b.netMap.MagicDNSSuffix()
+			if s.CurrentTailnet == nil {
+				s.CurrentTailnet = &ipnstate.TailnetStatus{}
+			}
+			s.CurrentTailnet.MagicDNSSuffix = b.netMap.MagicDNSSuffix()
+			s.CurrentTailnet.MagicDNSEnabled = b.netMap.DNS.Proxied
+			s.CurrentTailnet.Name = b.netMap.Domain
 		}
 	})
 	sb.MutateSelfStatus(func(ss *ipnstate.PeerStatus) {
+		ss.Online = health.GetInPollNetMap()
 		if b.netMap != nil {
 			ss.HostName = b.netMap.Hostinfo.Hostname
 			ss.DNSName = b.netMap.Name
@@ -426,19 +444,31 @@ func (b *LocalBackend) populatePeerStatusLocked(sb *ipnstate.StatusBuilder) {
 		exitNodeOption := tsaddr.PrefixesContainsFunc(p.AllowedIPs, func(r netaddr.IPPrefix) bool {
 			return r.Bits() == 0
 		})
+		var tags *views.StringSlice
+		var primaryRoutes *views.IPPrefixSlice
+		if p.Tags != nil {
+			v := views.StringSliceOf(p.Tags)
+			tags = &v
+		}
+		if p.PrimaryRoutes != nil {
+			v := views.IPPrefixSliceOf(p.PrimaryRoutes)
+			primaryRoutes = &v
+		}
 		sb.AddPeer(p.Key, &ipnstate.PeerStatus{
 			InNetworkMap:   true,
 			ID:             p.StableID,
 			UserID:         p.User,
 			TailscaleIPs:   tailscaleIPs,
-			HostName:       p.Hostinfo.Hostname,
+			Tags:           tags,
+			PrimaryRoutes:  primaryRoutes,
+			HostName:       p.Hostinfo.Hostname(),
 			DNSName:        p.Name,
-			OS:             p.Hostinfo.OS,
+			OS:             p.Hostinfo.OS(),
 			KeepAlive:      p.KeepAlive,
 			Created:        p.Created,
 			LastSeen:       lastSeen,
 			Online:         p.Online != nil && *p.Online,
-			ShareeNode:     p.Hostinfo.ShareeNode,
+			ShareeNode:     p.Hostinfo.ShareeNode(),
 			ExitNode:       p.StableID != "" && p.StableID == b.prefs.ExitNodeID,
 			ExitNodeOption: exitNodeOption,
 		})
@@ -536,6 +566,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		// Since st.NetMap==nil means "netmap is unchanged", there is
 		// no other way to represent this change.
 		b.setNetMapLocked(nil)
+		b.e.SetNetworkMap(new(netmap.NetworkMap))
 	}

 	prefs := b.prefs
@@ -600,7 +631,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 			if strings.TrimSpace(diff) == "" {
 				b.logf("[v1] netmap diff: (none)")
 			} else {
-				b.logf("netmap diff:\n%v", diff)
+				b.logf("[v1] netmap diff:\n%v", diff)
 			}
 		}

@@ -878,7 +909,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	if b.inServerMode || runtime.GOOS == "windows" {
 		b.logf("Start: serverMode=%v", b.inServerMode)
 	}
-	applyPrefsToHostinfo(hostinfo, b.prefs)
+	b.applyPrefsToHostinfo(hostinfo, b.prefs)

 	b.setNetMapLocked(nil)
 	persistv := b.prefs.Persist
@@ -899,7 +930,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 			timer := time.NewTimer(time.Second)
 			select {
 			case <-b.gotPortPollRes:
-				b.logf("got initial portlist info in %v", time.Since(t0).Round(time.Millisecond))
+				b.logf("[v1] got initial portlist info in %v", time.Since(t0).Round(time.Millisecond))
 				timer.Stop()
 			case <-timer.C:
 				b.logf("timeout waiting for initial portlist")
@@ -1018,7 +1049,12 @@ func (b *LocalBackend) updateFilter(netMap *netmap.NetworkMap, prefs *ipn.Prefs)
 				// wifi": you get internet access, but to additionally
 				// get LAN access the LAN(s) need to be offered
 				// explicitly as well.
-				s, err := shrinkDefaultRoute(r)
+				localInterfaceRoutes, hostIPs, err := interfaceRoutes()
+				if err != nil {
+					b.logf("getting local interface routes: %v", err)
+					continue
+				}
+				s, err := shrinkDefaultRoute(r, localInterfaceRoutes, hostIPs)
 				if err != nil {
 					b.logf("computing default route filter: %v", err)
 					continue
@@ -1042,17 +1078,17 @@ func (b *LocalBackend) updateFilter(netMap *netmap.NetworkMap, prefs *ipn.Prefs)
 	}

 	if !haveNetmap {
-		b.logf("netmap packet filter: (not ready yet)")
+		b.logf("[v1] netmap packet filter: (not ready yet)")
 		b.setFilter(filter.NewAllowNone(b.logf, logNets))
 		return
 	}

 	oldFilter := b.e.GetFilter()
 	if shieldsUp {
-		b.logf("netmap packet filter: (shields up)")
+		b.logf("[v1] netmap packet filter: (shields up)")
 		b.setFilter(filter.NewShieldsUpFilter(localNets, logNets, oldFilter, b.logf))
 	} else {
-		b.logf("netmap packet filter: %v filters", len(packetFilter))
+		b.logf("[v1] netmap packet filter: %v filters", len(packetFilter))
 		b.setFilter(filter.New(packetFilter, localNets, logNets, oldFilter, b.logf))
 	}
 }
@@ -1162,17 +1198,14 @@ func interfaceRoutes() (ips *netaddr.IPSet, hostIPs []netaddr.IP, err error) {
 }

 // shrinkDefaultRoute returns an IPSet representing the IPs in route,
-// minus those in removeFromDefaultRoute and local interface subnets.
-func shrinkDefaultRoute(route netaddr.IPPrefix) (*netaddr.IPSet, error) {
-	interfaceRoutes, hostIPs, err := interfaceRoutes()
-	if err != nil {
-		return nil, err
-	}
+// minus those in removeFromDefaultRoute and localInterfaceRoutes,
+// plus the IPs in hostIPs.
+func shrinkDefaultRoute(route netaddr.IPPrefix, localInterfaceRoutes *netaddr.IPSet, hostIPs []netaddr.IP) (*netaddr.IPSet, error) {
 	var b netaddr.IPSetBuilder
 	// Add the default route.
 	b.AddPrefix(route)
 	// Remove the local interface routes.
-	b.RemoveSet(interfaceRoutes)
+	b.RemoveSet(localInterfaceRoutes)

 	// Having removed all the LAN subnets, re-add the hosts's own
 	// IPs. It's fine for clients to connect to an exit node's public
@@ -1344,7 +1377,7 @@ func (b *LocalBackend) popBrowserAuthNow() {
 }

 // For testing lazy machine key generation.
-var panicOnMachineKeyGeneration, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_PANIC_MACHINE_KEY"))
+var panicOnMachineKeyGeneration = envknob.Bool("TS_DEBUG_PANIC_MACHINE_KEY")

 func (b *LocalBackend) createGetMachinePrivateKeyFunc() func() (key.MachinePrivate, error) {
 	var cache atomic.Value
@@ -1494,19 +1527,19 @@ func (b *LocalBackend) loadStateLocked(key ipn.StateKey, prefs *ipn.Prefs) (err
 		}
 	}

-	b.logf("using backend prefs")
 	bs, err := b.store.ReadState(key)
 	switch {
 	case errors.Is(err, ipn.ErrStateNotExist):
 		b.prefs = ipn.NewPrefs()
 		b.prefs.WantRunning = false
-		b.logf("created empty state for %q: %s", key, b.prefs.Pretty())
+		b.logf("using backend prefs; created empty state for %q: %s", key, b.prefs.Pretty())
 		return nil
 	case err != nil:
-		return fmt.Errorf("store.ReadState(%q): %v", key, err)
+		return fmt.Errorf("backend prefs: store.ReadState(%q): %v", key, err)
 	}
 	b.prefs, err = ipn.PrefsFromBytes(bs, false)
 	if err != nil {
+		b.logf("using backend prefs for %q", key)
 		return fmt.Errorf("PrefsFromBytes: %v", err)
 	}

@@ -1529,7 +1562,10 @@ func (b *LocalBackend) loadStateLocked(key ipn.StateKey, prefs *ipn.Prefs) (err
 		}
 	}

-	b.logf("backend prefs for %q: %s", key, b.prefs.Pretty())
+	b.logf("using backend prefs for %q: %s", key, b.prefs.Pretty())
+
+	b.sshAtomicBool.Set(b.prefs != nil && b.prefs.RunSSH)
+
 	return nil
 }

@@ -1548,13 +1584,14 @@ func (b *LocalBackend) InServerMode() bool {
 }

 // Login implements Backend.
+// As of 2022-02-17, this is only exists for tests.
 func (b *LocalBackend) Login(token *tailcfg.Oauth2Token) {
 	b.mu.Lock()
 	b.assertClientLocked()
 	cc := b.cc
 	b.mu.Unlock()

-	cc.Login(token, controlclient.LoginInteractive)
+	cc.Login(token, b.loginFlags|controlclient.LoginInteractive)
 }

 // StartLoginInteractive implements Backend. It requests a new
@@ -1573,15 +1610,7 @@ func (b *LocalBackend) StartLoginInteractive() {
 	if url != "" {
 		b.popBrowserAuthNow()
 	} else {
-		flags := controlclient.LoginInteractive
-		if runtime.GOOS == "js" {
-			// The js/wasm client has no state storage so for now
-			// treat all interactive logins as ephemeral.
-			// TODO(bradfitz): if we start using browser LocalStorage
-			// or something, then rethink this.
-			flags |= controlclient.LoginEphemeral
-		}
-		cc.Login(nil, flags)
+		cc.Login(nil, b.loginFlags|controlclient.LoginInteractive)
 	}
 }

@@ -1703,6 +1732,8 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {
 	netMap := b.netMap
 	stateKey := b.stateKey

+	b.sshAtomicBool.Set(newp.RunSSH)
+
 	oldp := b.prefs
 	newp.Persist = oldp.Persist // caller isn't allowed to override this
 	b.prefs = newp
@@ -1716,7 +1747,7 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {

 	oldHi := b.hostinfo
 	newHi := oldHi.Clone()
-	applyPrefsToHostinfo(newHi, newp)
+	b.applyPrefsToHostinfo(newHi, newp)
 	b.hostinfo = newHi
 	hostInfoChanged := !oldHi.Equal(newHi)
 	userID := b.userID
@@ -1774,7 +1805,9 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {
 	b.send(ipn.Notify{Prefs: newp})
 }

-func (b *LocalBackend) getPeerAPIPortForTSMPPing(ip netaddr.IP) (port uint16, ok bool) {
+// GetPeerAPIPort returns the port number for the peerapi server
+// running on the provided IP.
+func (b *LocalBackend) GetPeerAPIPort(ip netaddr.IP) (port uint16, ok bool) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
 	for _, pln := range b.peerAPIListeners {
@@ -1785,6 +1818,27 @@ func (b *LocalBackend) getPeerAPIPortForTSMPPing(ip netaddr.IP) (port uint16, ok
 	return 0, false
 }

+// ServePeerAPIConnection serves an already-accepted connection c.
+//
+// The remote parameter is the remote address.
+// The local paramater is the local address (either a Tailscale IPv4
+// or IPv6 IP and the peerapi port for that address).
+//
+// The connection will be closed by ServePeerAPIConnection.
+func (b *LocalBackend) ServePeerAPIConnection(remote, local netaddr.IPPort, c net.Conn) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	for _, pln := range b.peerAPIListeners {
+		if pln.ip == local.IP() {
+			go pln.ServeConn(remote, c)
+			return
+		}
+	}
+	b.logf("[unexpected] no peerAPI listener found for %v", local)
+	c.Close()
+	return
+}
+
 func (b *LocalBackend) peerAPIServicesLocked() (ret []tailcfg.Service) {
 	for _, pln := range b.peerAPIListeners {
 		proto := tailcfg.PeerAPI4
@@ -1879,15 +1933,15 @@ func (b *LocalBackend) authReconfig() {
 	b.mu.Unlock()

 	if blocked {
-		b.logf("authReconfig: blocked, skipping.")
+		b.logf("[v1] authReconfig: blocked, skipping.")
 		return
 	}
 	if nm == nil {
-		b.logf("authReconfig: netmap not yet valid. Skipping.")
+		b.logf("[v1] authReconfig: netmap not yet valid. Skipping.")
 		return
 	}
 	if !prefs.WantRunning {
-		b.logf("authReconfig: skipping because !WantRunning.")
+		b.logf("[v1] authReconfig: skipping because !WantRunning.")
 		return
 	}

@@ -1946,6 +2000,7 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 	// selfV6Only is whether we only have IPv6 addresses ourselves.
 	selfV6Only := tsaddr.PrefixesContainsFunc(nm.Addresses, tsaddr.PrefixIs6) &&
 		!tsaddr.PrefixesContainsFunc(nm.Addresses, tsaddr.PrefixIs4)
+	dcfg.OnlyIPv6 = selfV6Only

 	// Populate MagicDNS records. We do this unconditionally so that
 	// quad-100 can always respond to MagicDNS queries, even if the OS
@@ -2115,7 +2170,7 @@ func (b *LocalBackend) TailscaleVarRoot() string {
 		return b.varRoot
 	}
 	switch runtime.GOOS {
-	case "ios", "android":
+	case "ios", "android", "darwin":
 		dir, _ := paths.AppSharedDir.Load().(string)
 		return dir
 	}
@@ -2377,7 +2432,9 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs *ipn.Prefs) *router
 		}
 	}

-	rs.Routes = append(rs.Routes, netaddr.IPPrefixFrom(tsaddr.TailscaleServiceIP(), 32))
+	if tsaddr.PrefixesContainsFunc(rs.LocalAddrs, tsaddr.PrefixIs4) {
+		rs.Routes = append(rs.Routes, netaddr.IPPrefixFrom(tsaddr.TailscaleServiceIP(), 32))
+	}

 	return rs
 }
@@ -2395,13 +2452,23 @@ func unmapIPPrefixes(ippsList ...[]netaddr.IPPrefix) (ret []netaddr.IPPrefix) {
 	return ret
 }

-func applyPrefsToHostinfo(hi *tailcfg.Hostinfo, prefs *ipn.Prefs) {
+// Warning: b.mu might be held. Currently (2022-02-17) both callers hold it.
+func (b *LocalBackend) applyPrefsToHostinfo(hi *tailcfg.Hostinfo, prefs *ipn.Prefs) {
 	if h := prefs.Hostname; h != "" {
 		hi.Hostname = h
 	}
 	hi.RoutableIPs = append(prefs.AdvertiseRoutes[:0:0], prefs.AdvertiseRoutes...)
 	hi.RequestTags = append(prefs.AdvertiseTags[:0:0], prefs.AdvertiseTags...)
 	hi.ShieldsUp = prefs.ShieldsUp
+
+	var sshHostKeys []string
+	if prefs.RunSSH {
+		// TODO(bradfitz): this is called with b.mu held. Not ideal.
+		// If the filesystem gets wedged or something we could block for
+		// a long time. But probably fine.
+		sshHostKeys = b.getSSHHostKeyPublicStrings()
+	}
+	hi.SSH_HostKeys = sshHostKeys
 }

 // enterState transitions the backend into newState, updating internal
@@ -2609,8 +2676,11 @@ func (b *LocalBackend) ResetForClientDisconnect() {
 	b.authURL = ""
 	b.authURLSticky = ""
 	b.activeLogin = ""
+	b.sshAtomicBool.Set(false)
 }

+func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Get() }
+
 // Logout tells the controlclient that we want to log out, and
 // transitions the local engine to the logged-out state without
 // waiting for controlclient to be in that state.
@@ -2904,9 +2974,10 @@ func (b *LocalBackend) registerIncomingFile(inf *incomingFile, active bool) {
 // It returns the empty string if the peer doesn't support the peerapi
 // or there's no matching address family based on the netmap's own addresses.
 func peerAPIBase(nm *netmap.NetworkMap, peer *tailcfg.Node) string {
-	if nm == nil || peer == nil {
+	if nm == nil || peer == nil || !peer.Hostinfo.Valid() {
 		return ""
 	}
+
 	var have4, have6 bool
 	for _, a := range nm.Addresses {
 		if !a.IsSingleIP() {
@@ -2920,7 +2991,9 @@ func peerAPIBase(nm *netmap.NetworkMap, peer *tailcfg.Node) string {
 		}
 	}
 	var p4, p6 uint16
-	for _, s := range peer.Hostinfo.Services {
+	svcs := peer.Hostinfo.Services()
+	for i, n := 0, svcs.Len(); i < n; i++ {
+		s := svcs.At(i)
 		switch s.Proto {
 		case tailcfg.PeerAPI4:
 			p4 = s.Port
@@ -3126,7 +3199,9 @@ func exitNodeCanProxyDNS(nm *netmap.NetworkMap, exitNodeID tailcfg.StableNodeID)
 		if p.StableID != exitNodeID {
 			continue
 		}
-		for _, s := range p.Hostinfo.Services {
+		services := p.Hostinfo.Services()
+		for i, n := 0, services.Len(); i < n; i++ {
+			s := services.At(i)
 			if s.Proto == tailcfg.PeerAPIDNS && s.Port >= 1 {
 				return peerAPIBase(nm, p) + "/dns-query", true
 			}
@@ -3134,3 +3209,33 @@ func exitNodeCanProxyDNS(nm *netmap.NetworkMap, exitNodeID tailcfg.StableNodeID)
 	}
 	return "", false
 }
+
+func (b *LocalBackend) DebugRebind() error {
+	mc, err := b.magicConn()
+	if err != nil {
+		return err
+	}
+	mc.Rebind()
+	return nil
+}
+
+func (b *LocalBackend) DebugReSTUN() error {
+	mc, err := b.magicConn()
+	if err != nil {
+		return err
+	}
+	mc.ReSTUN("explicit-debug")
+	return nil
+}
+
+func (b *LocalBackend) magicConn() (*magicsock.Conn, error) {
+	ig, ok := b.e.(wgengine.InternalsGetter)
+	if !ok {
+		return nil, errors.New("engine isn't InternalsGetter")
+	}
+	_, mc, ok := ig.GetInternals()
+	if !ok {
+		return nil, errors.New("failed to get internals")
+	}
+	return mc, nil
+}
--- a/ipn/ipnlocal/local_test.go
+++ b/ipn/ipnlocal/local_test.go
@@ -178,9 +178,31 @@ func TestShrinkDefaultRoute(t *testing.T) {
 		},
 	}

+	// Construct a fake local network environment to make this test hermetic.
+	// localInterfaceRoutes and hostIPs would normally come from calling interfaceRoutes,
+	// and localAddresses would normally come from calling interfaces.LocalAddresses.
+	var b netaddr.IPSetBuilder
+	for _, c := range []string{"127.0.0.0/8", "192.168.9.0/24", "fe80::/32"} {
+		p := netaddr.MustParseIPPrefix(c)
+		b.AddPrefix(p)
+	}
+	localInterfaceRoutes, err := b.IPSet()
+	if err != nil {
+		t.Fatal(err)
+	}
+	hostIPs := []netaddr.IP{
+		netaddr.MustParseIP("127.0.0.1"),
+		netaddr.MustParseIP("192.168.9.39"),
+		netaddr.MustParseIP("fe80::1"),
+		netaddr.MustParseIP("fe80::437d:feff:feca:49a7"),
+	}
+	localAddresses := []netaddr.IP{
+		netaddr.MustParseIP("192.168.9.39"),
+	}
+
 	for _, test := range tests {
 		def := netaddr.MustParseIPPrefix(test.route)
-		got, err := shrinkDefaultRoute(def)
+		got, err := shrinkDefaultRoute(def, localInterfaceRoutes, hostIPs)
 		if err != nil {
 			t.Fatalf("shrinkDefaultRoute(%q): %v", test.route, err)
 		}
@@ -194,11 +216,7 @@ func TestShrinkDefaultRoute(t *testing.T) {
 				t.Errorf("shrink(%q).Contains(%v) = true, want false", test.route, ip)
 			}
 		}
-		ips, _, err := interfaces.LocalAddresses()
-		if err != nil {
-			t.Fatal(err)
-		}
-		for _, ip := range ips {
+		for _, ip := range localAddresses {
 			want := test.localIPFn(ip)
 			if gotContains := got.Contains(ip); gotContains != want {
 				t.Errorf("shrink(%q).Contains(%v) = %v, want %v", test.route, ip, gotContains, want)
@@ -328,12 +346,12 @@ func TestPeerAPIBase(t *testing.T) {
 					netaddr.MustParseIPPrefix("100.64.1.2/32"),
 					netaddr.MustParseIPPrefix("fe70::2/128"),
 				},
-				Hostinfo: tailcfg.Hostinfo{
+				Hostinfo: (&tailcfg.Hostinfo{
 					Services: []tailcfg.Service{
 						{Proto: "peerapi4", Port: 444},
 						{Proto: "peerapi6", Port: 666},
 					},
-				},
+				}).View(),
 			},
 			want: "http://100.64.1.2:444",
 		},
@@ -349,12 +367,12 @@ func TestPeerAPIBase(t *testing.T) {
 					netaddr.MustParseIPPrefix("100.64.1.2/32"),
 					netaddr.MustParseIPPrefix("fe70::2/128"),
 				},
-				Hostinfo: tailcfg.Hostinfo{
+				Hostinfo: (&tailcfg.Hostinfo{
 					Services: []tailcfg.Service{
 						{Proto: "peerapi4", Port: 444},
 						{Proto: "peerapi6", Port: 666},
 					},
-				},
+				}).View(),
 			},
 			want: "http://[fe70::2]:666",
 		},
@@ -371,11 +389,11 @@ func TestPeerAPIBase(t *testing.T) {
 					netaddr.MustParseIPPrefix("100.64.1.2/32"),
 					netaddr.MustParseIPPrefix("fe70::2/128"),
 				},
-				Hostinfo: tailcfg.Hostinfo{
+				Hostinfo: (&tailcfg.Hostinfo{
 					Services: []tailcfg.Service{
 						{Proto: "peerapi4", Port: 444},
 					},
-				},
+				}).View(),
 			},
 			want: "http://100.64.1.2:444",
 		},
@@ -392,11 +410,11 @@ func TestPeerAPIBase(t *testing.T) {
 					netaddr.MustParseIPPrefix("100.64.1.2/32"),
 					netaddr.MustParseIPPrefix("fe70::2/128"),
 				},
-				Hostinfo: tailcfg.Hostinfo{
+				Hostinfo: (&tailcfg.Hostinfo{
 					Services: []tailcfg.Service{
 						{Proto: "peerapi6", Port: 666},
 					},
-				},
+				}).View(),
 			},
 			want: "http://[fe70::2]:666",
 		},
@@ -445,7 +463,7 @@ func TestLazyMachineKeyGeneration(t *testing.T) {
 		t.Fatalf("NewFakeUserspaceEngine: %v", err)
 	}
 	t.Cleanup(eng.Close)
-	lb, err := NewLocalBackend(logf, "logid", store, nil, eng)
+	lb, err := NewLocalBackend(logf, "logid", store, nil, eng, 0)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
 	}
--- a/ipn/ipnlocal/loglines_test.go
+++ b/ipn/ipnlocal/loglines_test.go
@@ -54,7 +54,7 @@ func TestLocalLogLines(t *testing.T) {
 	}
 	t.Cleanup(e.Close)

-	lb, err := NewLocalBackend(logf, idA.String(), store, nil, e)
+	lb, err := NewLocalBackend(logf, idA.String(), store, nil, e, 0)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -32,11 +32,13 @@ import (
 	"golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/health"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/dns/resolver"
 	"tailscale.com/net/interfaces"
+	"tailscale.com/net/netutil"
 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/clientmetric"
@@ -409,7 +411,7 @@ func (s *peerAPIServer) listen(ip netaddr.IP, ifState *interfaces.State) (ln net
 	}

 	// Make a best effort to pick a deterministic port number for
-	// the ip The lower three bytes are the same for IPv4 and IPv6
+	// the ip. The lower three bytes are the same for IPv4 and IPv6
 	// Tailscale addresses (at least currently), so we'll usually
 	// get the same port number on both address families for
 	// dev/debugging purposes, which is nice. But it's not so
@@ -480,47 +482,34 @@ func (pln *peerAPIListener) serve() {
 			c.Close()
 			continue
 		}
-		peerNode, peerUser, ok := pln.lb.WhoIs(ipp)
-		if !ok {
-			logf("peerapi: unknown peer %v", ipp)
-			c.Close()
-			continue
-		}
-		h := &peerAPIHandler{
-			ps:         pln.ps,
-			isSelf:     pln.ps.selfNode.User == peerNode.User,
-			remoteAddr: ipp,
-			peerNode:   peerNode,
-			peerUser:   peerUser,
-		}
-		httpServer := &http.Server{
-			Handler: h,
-		}
-		if addH2C != nil {
-			addH2C(httpServer)
-		}
-		go httpServer.Serve(&oneConnListener{Listener: pln.ln, conn: c})
+		pln.ServeConn(ipp, c)
 	}
 }

-type oneConnListener struct {
-	net.Listener
-	conn net.Conn
-}
-
-func (l *oneConnListener) Accept() (c net.Conn, err error) {
-	c = l.conn
-	if c == nil {
-		err = io.EOF
+func (pln *peerAPIListener) ServeConn(src netaddr.IPPort, c net.Conn) {
+	logf := pln.lb.logf
+	peerNode, peerUser, ok := pln.lb.WhoIs(src)
+	if !ok {
+		logf("peerapi: unknown peer %v", src)
+		c.Close()
 		return
 	}
-	err = nil
-	l.conn = nil
-	return
+	h := &peerAPIHandler{
+		ps:         pln.ps,
+		isSelf:     pln.ps.selfNode.User == peerNode.User,
+		remoteAddr: src,
+		peerNode:   peerNode,
+		peerUser:   peerUser,
+	}
+	httpServer := &http.Server{
+		Handler: h,
+	}
+	if addH2C != nil {
+		addH2C(httpServer)
+	}
+	go httpServer.Serve(netutil.NewOneConnListener(c, pln.ln.Addr()))
 }

-func (l *oneConnListener) Close() error { return nil }
-
 // peerAPIHandler serves the Peer API for a source specific client.
 type peerAPIHandler struct {
 	ps         *peerAPIServer
@@ -553,6 +542,12 @@ func (h *peerAPIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	case "/v0/metrics":
 		h.handleServeMetrics(w, r)
 		return
+	case "/v0/magicsock":
+		h.handleServeMagicsock(w, r)
+		return
+	case "/v0/dnsfwd":
+		h.handleServeDNSFwd(w, r)
+		return
 	}
 	who := h.peerUser.DisplayName
 	fmt.Fprintf(w, `<html>
@@ -781,6 +776,21 @@ func (h *peerAPIHandler) handleServeEnv(w http.ResponseWriter, r *http.Request)
 	json.NewEncoder(w).Encode(data)
 }

+func (h *peerAPIHandler) handleServeMagicsock(w http.ResponseWriter, r *http.Request) {
+	if !h.isSelf {
+		http.Error(w, "not owner", http.StatusForbidden)
+		return
+	}
+	eng := h.ps.b.e
+	if ig, ok := eng.(wgengine.InternalsGetter); ok {
+		if _, mc, ok := ig.GetInternals(); ok {
+			mc.ServeHTTPDebug(w, r)
+			return
+		}
+	}
+	http.Error(w, "miswired", 500)
+}
+
 func (h *peerAPIHandler) handleServeMetrics(w http.ResponseWriter, r *http.Request) {
 	if !h.isSelf {
 		http.Error(w, "not owner", http.StatusForbidden)
@@ -790,6 +800,19 @@ func (h *peerAPIHandler) handleServeMetrics(w http.ResponseWriter, r *http.Reque
 	clientmetric.WritePrometheusExpositionFormat(w)
 }

+func (h *peerAPIHandler) handleServeDNSFwd(w http.ResponseWriter, r *http.Request) {
+	if !h.isSelf {
+		http.Error(w, "not owner", http.StatusForbidden)
+		return
+	}
+	dh := health.DebugHandler("dnsfwd")
+	if dh == nil {
+		http.Error(w, "not wired up", 500)
+		return
+	}
+	dh.ServeHTTP(w, r)
+}
+
 func (h *peerAPIHandler) replyToDNSQueries() bool {
 	if h.isSelf {
 		// If the peer is owned by the same user, just allow it
--- a/ipn/ipnlocal/ssh.go
+++ b/ipn/ipnlocal/ssh.go
@@ -0,0 +1,58 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux
+// +build linux
+
+package ipnlocal
+
+import (
+	"errors"
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"golang.org/x/crypto/ssh"
+	"tailscale.com/envknob"
+)
+
+var useHostKeys = envknob.Bool("TS_USE_SYSTEM_SSH_HOST_KEYS")
+
+func (b *LocalBackend) GetSSH_HostKeys() ([]ssh.Signer, error) {
+	// TODO(bradfitz): generate host keys, at least as needed if
+	// an existing SSH server didn't put them on disk. But also
+	// because people may want tailscale-specific ones. For now be
+	// lazy and reuse the host ones.
+	return b.getSystemSSH_HostKeys()
+}
+
+func (b *LocalBackend) getSystemSSH_HostKeys() (ret []ssh.Signer, err error) {
+	// TODO(bradfitz): cache this?
+	for _, typ := range []string{"rsa", "ecdsa", "ed25519"} {
+		hostKey, err := ioutil.ReadFile("/etc/ssh/ssh_host_" + typ + "_key")
+		if os.IsNotExist(err) {
+			continue
+		}
+		if err != nil {
+			return nil, err
+		}
+		signer, err := ssh.ParsePrivateKey(hostKey)
+		if err != nil {
+			return nil, err
+		}
+		ret = append(ret, signer)
+	}
+	if len(ret) == 0 {
+		return nil, errors.New("no system SSH host keys found")
+	}
+	return ret, nil
+}
+
+func (b *LocalBackend) getSSHHostKeyPublicStrings() (ret []string) {
+	signers, _ := b.GetSSH_HostKeys()
+	for _, signer := range signers {
+		ret = append(ret, strings.TrimSpace(string(ssh.MarshalAuthorizedKey(signer.PublicKey()))))
+	}
+	return ret
+}
--- a/ipn/ipnlocal/ssh_stub.go
+++ b/ipn/ipnlocal/ssh_stub.go
@@ -0,0 +1,12 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !linux
+// +build !linux
+
+package ipnlocal
+
+func (b *LocalBackend) getSSHHostKeyPublicStrings() []string {
+	return nil
+}
--- a/ipn/ipnlocal/state_test.go
+++ b/ipn/ipnlocal/state_test.go
@@ -87,8 +87,9 @@ func (nt *notifyThrottler) drain(count int) []ipn.Notify {
 type mockControl struct {
 	tb         testing.TB
 	opts       controlclient.Options
-	logf       logger.Logf
+	logfActual logger.Logf
 	statusFunc func(controlclient.Status)
+	preventLog syncs.AtomicBool

 	mu          sync.Mutex
 	calls       []string
@@ -104,6 +105,13 @@ func newMockControl(tb testing.TB) *mockControl {
 	}
 }

+func (cc *mockControl) logf(format string, args ...interface{}) {
+	if cc.preventLog.Get() || cc.logfActual == nil {
+		return
+	}
+	cc.logfActual(format, args...)
+}
+
 func (cc *mockControl) SetStatusFunc(fn func(controlclient.Status)) {
 	cc.statusFunc = fn
 }
@@ -284,14 +292,15 @@ func TestStateMachine(t *testing.T) {
 	t.Cleanup(e.Close)

 	cc := newMockControl(t)
-	b, err := NewLocalBackend(logf, "logid", store, nil, e)
+	t.Cleanup(func() { cc.preventLog.Set(true) }) // hacky way to pacify issue 3020
+	b, err := NewLocalBackend(logf, "logid", store, nil, e, 0)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
 	}
 	b.SetControlClientGetterForTesting(func(opts controlclient.Options) (controlclient.Client, error) {
 		cc.mu.Lock()
 		cc.opts = opts
-		cc.logf = opts.Logf
+		cc.logfActual = opts.Logf
 		cc.authBlocked = true
 		cc.persist = cc.opts.Persist
 		cc.mu.Unlock()
@@ -305,6 +314,9 @@ func TestStateMachine(t *testing.T) {
 	notifies.expect(0)

 	b.SetNotifyCallback(func(n ipn.Notify) {
+		if cc.preventLog.Get() {
+			return
+		}
 		if n.State != nil ||
 			n.Prefs != nil ||
 			n.BrowseToURL != nil ||
@@ -315,6 +327,7 @@ func TestStateMachine(t *testing.T) {
 			logf("\n(ignored) %v\n\n", n)
 		}
 	})
+	t.Cleanup(func() { b.SetNotifyCallback(nil) }) // hacky way to pacify issue 3020

 	// Check that it hasn't called us right away.
 	// The state machine should be idle until we call Start().
@@ -941,14 +954,14 @@ func TestWGEngineStatusRace(t *testing.T) {
 	eng, err := wgengine.NewFakeUserspaceEngine(logf, 0)
 	c.Assert(err, qt.IsNil)
 	t.Cleanup(eng.Close)
-	b, err := NewLocalBackend(logf, "logid", new(ipn.MemoryStore), nil, eng)
+	b, err := NewLocalBackend(logf, "logid", new(ipn.MemoryStore), nil, eng, 0)
 	c.Assert(err, qt.IsNil)

 	cc := newMockControl(t)
 	b.SetControlClientGetterForTesting(func(opts controlclient.Options) (controlclient.Client, error) {
 		cc.mu.Lock()
 		defer cc.mu.Unlock()
-		cc.logf = opts.Logf
+		cc.logfActual = opts.Logf
 		return cc, nil
 	})

--- a/ipn/ipnserver/proxyconnect.go
+++ b/ipn/ipnserver/proxyconnect.go
@@ -0,0 +1,74 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ipnserver
+
+import (
+	"bufio"
+	"context"
+	"io"
+	"net"
+	"net/http"
+	"time"
+
+	"tailscale.com/logpolicy"
+	"tailscale.com/types/logger"
+)
+
+// handleProxyConnectConn handles a CONNECT request to
+// log.tailscale.io (or whatever the configured log server is). This
+// is intended for use by the Windows GUI client to log via when an
+// exit node is in use, so the logs don't go out via the exit node and
+// instead go directly, like tailscaled's. The dialer tried to do that
+// in the unprivileged GUI by binding to a specific interface, but the
+// "Internet Kill Switch" installed by tailscaled for exit nodes
+// precludes that from working and instead the GUI fails to dial out.
+// So, go through tailscaled (with a CONNECT request) instead.
+func (s *Server) handleProxyConnectConn(ctx context.Context, br *bufio.Reader, c net.Conn, logf logger.Logf) {
+	defer c.Close()
+
+	c.SetReadDeadline(time.Now().Add(5 * time.Second)) // should be long enough to send the HTTP headers
+	req, err := http.ReadRequest(br)
+	if err != nil {
+		logf("ReadRequest: %v", err)
+		return
+	}
+	c.SetReadDeadline(time.Time{})
+
+	if req.Method != "CONNECT" {
+		logf("ReadRequest: unexpected method %q, not CONNECT", req.Method)
+		return
+	}
+
+	hostPort := req.RequestURI
+	logHost := logpolicy.LogHost()
+	allowed := net.JoinHostPort(logHost, "443")
+	if hostPort != allowed {
+		logf("invalid CONNECT target %q; want %q", hostPort, allowed)
+		io.WriteString(c, "HTTP/1.1 403 Forbidden\r\n\r\nBad CONNECT target.\n")
+		return
+	}
+
+	tr := logpolicy.NewLogtailTransport(logHost)
+	back, err := tr.DialContext(ctx, "tcp", hostPort)
+	if err != nil {
+		logf("error CONNECT dialing %v: %v", hostPort, err)
+		io.WriteString(c, "HTTP/1.1 502 Fail\r\n\r\nConnect failure.\n")
+		return
+	}
+	defer back.Close()
+
+	io.WriteString(c, "HTTP/1.1 200 OK\r\n\r\n")
+
+	errc := make(chan error, 2)
+	go func() {
+		_, err := io.Copy(c, back)
+		errc <- err
+	}()
+	go func() {
+		_, err := io.Copy(back, br)
+		errc <- err
+	}()
+	<-errc
+}
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -20,6 +20,7 @@ import (
 	"os/exec"
 	"os/signal"
 	"os/user"
+	"path/filepath"
 	"runtime"
 	"strconv"
 	"strings"
@@ -31,13 +32,14 @@ import (
 	"inet.af/netaddr"
 	"inet.af/peercred"
 	"tailscale.com/control/controlclient"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/localapi"
 	"tailscale.com/ipn/store/aws"
-	"tailscale.com/log/filelogger"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/netstat"
+	"tailscale.com/net/netutil"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
@@ -46,6 +48,7 @@ import (
 	"tailscale.com/util/groupmember"
 	"tailscale.com/util/pidowner"
 	"tailscale.com/util/systemd"
+	"tailscale.com/util/winutil"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
@@ -82,6 +85,9 @@ type Options struct {
 	// the actual definition of "disconnect" is when the
 	// connection count transitions from 1 to 0.
 	SurviveDisconnects bool
+
+	// LoginFlags specifies the LoginFlags to pass to the client.
+	LoginFlags controlclient.LoginFlags
 }

 // Server is an IPN backend and its set of 0 or more active localhost
@@ -181,6 +187,13 @@ func (s *Server) getConnIdentity(c net.Conn) (ci connIdentity, err error) {
 func lookupUserFromID(logf logger.Logf, uid string) (*user.User, error) {
 	u, err := user.LookupId(uid)
 	if err != nil && runtime.GOOS == "windows" && errors.Is(err, syscall.Errno(0x534)) {
+		// The below workaround is only applicable when uid represents a
+		// valid security principal. Omitting this check causes us to succeed
+		// even when uid represents a deleted user.
+		if !winutil.IsSIDValidPrincipal(uid) {
+			return nil, err
+		}
+
 		logf("[warning] issue 869: os/user.LookupId failed; ignoring")
 		// Work around https://github.com/tailscale/tailscale/issues/869 for
 		// now. We don't strictly need the username. It's just a nice-to-have.
@@ -239,12 +252,28 @@ func bufferHasHTTPRequest(br *bufio.Reader) bool {
 		mem.Contains(mem.B(peek), mem.S(" HTTP/"))
 }

+// bufferIsConnect reports whether br looks like it's likely an HTTP
+// CONNECT request.
+//
+// Invariant: br has already had at least 4 bytes Peek'ed.
+func bufferIsConnect(br *bufio.Reader) bool {
+	peek, _ := br.Peek(br.Buffered())
+	return mem.HasPrefix(mem.B(peek), mem.S("CONN"))
+}
+
 func (s *Server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
 	// First see if it's an HTTP request.
 	br := bufio.NewReader(c)
 	c.SetReadDeadline(time.Now().Add(time.Second))
 	br.Peek(4)
 	c.SetReadDeadline(time.Time{})
+
+	// Handle logtail CONNECT requests early. (See docs on handleProxyConnectConn)
+	if bufferIsConnect(br) {
+		s.handleProxyConnectConn(ctx, br, c, logf)
+		return
+	}
+
 	isHTTPReq := bufferHasHTTPRequest(br)

 	ci, err := s.addConn(c, isHTTPReq)
@@ -283,7 +312,7 @@ func (s *Server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
 			ErrorLog:    logger.StdLogger(logf),
 			Handler:     s.localhostHandler(ci),
 		}
-		httpServer.Serve(&oneConnListener{&protoSwitchConn{s: s, br: br, Conn: c}})
+		httpServer.Serve(netutil.NewOneConnListener(&protoSwitchConn{s: s, br: br, Conn: c}, nil))
 		return
 	}

@@ -429,6 +458,49 @@ func (s *Server) localAPIPermissions(ci connIdentity) (read, write bool) {
 	return false, false
 }

+// userIDFromString maps from either a numeric user id in string form
+// ("998") or username ("caddy") to its string userid ("998").
+// It returns the empty string on error.
+func userIDFromString(v string) string {
+	if v == "" || isAllDigit(v) {
+		return v
+	}
+	u, err := user.Lookup(v)
+	if err != nil {
+		return ""
+	}
+	return u.Uid
+}
+
+func isAllDigit(s string) bool {
+	for i := 0; i < len(s); i++ {
+		if b := s[i]; b < '0' || b > '9' {
+			return false
+		}
+	}
+	return true
+}
+
+// connCanFetchCerts reports whether ci is allowed to fetch HTTPS
+// certs from this server when it wouldn't otherwise be able to.
+//
+// That is, this reports whether ci should grant additional
+// capabilities over what the conn would otherwise be able to do.
+//
+// For now this only returns true on Unix machines when
+// TS_PERMIT_CERT_UID is set the to the userid of the peer
+// connection. It's intended to give your non-root webserver access
+// (www-data, caddy, nginx, etc) to certs.
+func (s *Server) connCanFetchCerts(ci connIdentity) bool {
+	if ci.IsUnixSock && ci.Creds != nil {
+		connUID, ok := ci.Creds.UserID()
+		if ok && connUID == userIDFromString(envknob.String("TS_PERMIT_CERT_UID")) {
+			return true
+		}
+	}
+	return false
+}
+
 // registerDisconnectSub adds ch as a subscribe to connection disconnect
 // events. If add is false, the subscriber is removed.
 func (s *Server) registerDisconnectSub(ch chan<- struct{}, add bool) {
@@ -614,6 +686,8 @@ func tryWindowsAppDataMigration(logf logger.Logf, path string) string {
 // Special cases:
 //
 //   * empty string means to use an in-memory store
+//   * if the string begins with "mem:", the suffix
+//     is ignored and an in-memory store is used.
 //   * if the string begins with "kube:", the suffix
 //     is a Kubernetes secret name
 //   * if the string begins with "arn:", the value is
@@ -622,9 +696,12 @@ func StateStore(path string, logf logger.Logf) (ipn.StateStore, error) {
 	if path == "" {
 		return &ipn.MemoryStore{}, nil
 	}
+	const memPrefix = "mem:"
 	const kubePrefix = "kube:"
 	const arnPrefix = "arn:"
 	switch {
+	case strings.HasPrefix(path, memPrefix):
+		return &ipn.MemoryStore{}, nil
 	case strings.HasPrefix(path, kubePrefix):
 		secretName := strings.TrimPrefix(path, kubePrefix)
 		store, err := ipn.NewKubeStore(secretName)
@@ -751,7 +828,7 @@ func Run(ctx context.Context, logf logger.Logf, ln net.Listener, store ipn.State
 //
 // To start it, use the Server.Run method.
 func New(logf logger.Logf, logid string, store ipn.StateStore, eng wgengine.Engine, dialer *tsdial.Dialer, serverModeUser *user.User, opts Options) (*Server, error) {
-	b, err := ipnlocal.NewLocalBackend(logf, logid, store, dialer, eng)
+	b, err := ipnlocal.NewLocalBackend(logf, logid, store, dialer, eng, opts.LoginFlags)
 	if err != nil {
 		return nil, fmt.Errorf("NewLocalBackend: %v", err)
 	}
@@ -869,14 +946,6 @@ func BabysitProc(ctx context.Context, args []string, logf logger.Logf) {
 		panic("cannot determine executable: " + err.Error())
 	}

-	if runtime.GOOS == "windows" {
-		if len(args) != 2 && args[0] != "/subproc" {
-			panic(fmt.Sprintf("unexpected arguments %q", args))
-		}
-		logID := args[1]
-		logf = filelogger.New("tailscale-service", logID, logf)
-	}
-
 	var proc struct {
 		mu sync.Mutex
 		p  *os.Process
@@ -908,6 +977,14 @@ func BabysitProc(ctx context.Context, args []string, logf logger.Logf) {
 		startTime := time.Now()
 		log.Printf("exec: %#v %v", executable, args)
 		cmd := exec.Command(executable, args...)
+		if runtime.GOOS == "windows" {
+			extraEnv, err := loadExtraEnv()
+			if err != nil {
+				logf("errors loading extra env file; ignoring: %v", err)
+			} else {
+				cmd.Env = append(os.Environ(), extraEnv...)
+			}
+		}

 		// Create a pipe object to use as the subproc's stdin.
 		// When the writer goes away, the reader gets EOF.
@@ -1016,29 +1093,6 @@ func getEngineUntilItWorksWrapper(getEngine func() (wgengine.Engine, error)) fun
 	}
 }

-type dummyAddr string
-type oneConnListener struct {
-	conn net.Conn
-}
-
-func (l *oneConnListener) Accept() (c net.Conn, err error) {
-	c = l.conn
-	if c == nil {
-		err = io.EOF
-		return
-	}
-	err = nil
-	l.conn = nil
-	return
-}
-
-func (l *oneConnListener) Close() error { return nil }
-
-func (l *oneConnListener) Addr() net.Addr { return dummyAddr("unused-address") }
-
-func (a dummyAddr) Network() string { return string(a) }
-func (a dummyAddr) String() string  { return string(a) }
-
 // protoSwitchConn is a net.Conn that's we want to speak HTTP to but
 // it's already had a few bytes read from it to determine that it's
 // HTTP. So we Read from its bufio.Reader. On Close, we we tell the
@@ -1059,6 +1113,7 @@ func (psc *protoSwitchConn) Close() error {
 func (s *Server) localhostHandler(ci connIdentity) http.Handler {
 	lah := localapi.NewHandler(s.b, s.logf, s.backendLogID)
 	lah.PermitRead, lah.PermitWrite = s.localAPIPermissions(ci)
+	lah.PermitCert = s.connCanFetchCerts(ci)

 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if strings.HasPrefix(r.URL.Path, "/localapi/") {
@@ -1177,3 +1232,47 @@ func findTrueNASTaildropDir(name string) (dir string, err error) {
 	}
 	return "", fmt.Errorf("shared folder %q not found", name)
 }
+
+func loadExtraEnv() (env []string, err error) {
+	if runtime.GOOS != "windows" {
+		return nil, nil
+	}
+	name := filepath.Join(os.Getenv("ProgramData"), "Tailscale", "tailscaled-env.txt")
+	contents, err := os.ReadFile(name)
+	if os.IsNotExist(err) {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, err
+	}
+	for _, line := range strings.Split(string(contents), "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" || line[0] == '#' {
+			continue
+		}
+		k, v, ok := stringsCut(line, "=")
+		if !ok || k == "" {
+			continue
+		}
+		if strings.HasPrefix(v, `"`) {
+			var err error
+			v, err = strconv.Unquote(v)
+			if err != nil {
+				return nil, fmt.Errorf("invalid value in line %q: %v", line, err)
+			}
+			env = append(env, k+"="+v)
+		} else {
+			env = append(env, line)
+		}
+	}
+	return env, nil
+}
+
+// stringsCut is Go 1.18's strings.Cut.
+// TODO(bradfitz): delete this when we depend on Go 1.18.
+func stringsCut(s, sep string) (before, after string, found bool) {
+	if i := strings.Index(s, sep); i >= 0 {
+		return s[:i], s[i+len(sep):], true
+	}
+	return s, "", false
+}
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -20,6 +20,7 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
+	"tailscale.com/types/views"
 	"tailscale.com/util/dnsname"
 )

@@ -42,13 +43,15 @@ type Status struct {
 	// problems are detected)
 	Health []string

-	// MagicDNSSuffix is the network's MagicDNS suffix for nodes
-	// in the network such as "userfoo.tailscale.net".
-	// There are no surrounding dots.
-	// MagicDNSSuffix should be populated regardless of whether a domain
-	// has MagicDNS enabled.
+	// This field is the legacy name of CurrentTailnet.MagicDNSSuffix.
+	//
+	// Deprecated: use CurrentTailnet.MagicDNSSuffix instead.
 	MagicDNSSuffix string

+	// CurrentTailnet is information about the tailnet that the node
+	// is currently connected to. When not connected, this field is nil.
+	CurrentTailnet *TailnetStatus
+
 	// CertDomains are the set of DNS names for which the control
 	// plane server will assist with provisioning TLS
 	// certificates. See SetDNSRequest for dns-01 ACME challenges
@@ -60,6 +63,24 @@ type Status struct {
 	User map[tailcfg.UserID]tailcfg.UserProfile
 }

+// TailnetStatus is information about a Tailscale network ("tailnet").
+type TailnetStatus struct {
+	// Name is the name of the network that's currently in use.
+	Name string
+
+	// MagicDNSSuffix is the network's MagicDNS suffix for nodes
+	// in the network such as "userfoo.tailscale.net".
+	// There are no surrounding dots.
+	// MagicDNSSuffix should be populated regardless of whether a domain
+	// has MagicDNS enabled.
+	MagicDNSSuffix string
+
+	// MagicDNSEnabled is whether or not the network has MagicDNS enabled.
+	// Note that the current device may still not support MagicDNS if
+	// `--accept-dns=false` was used.
+	MagicDNSEnabled bool
+}
+
 func (s *Status) Peers() []key.NodePublic {
 	kk := make([]key.NodePublic, 0, len(s.Peer))
 	for k := range s.Peer {
@@ -81,15 +102,23 @@ type PeerStatusLite struct {
 }

 type PeerStatus struct {
-	ID        tailcfg.StableNodeID
-	PublicKey key.NodePublic
-	HostName  string // HostInfo's Hostname (not a DNS name or necessarily unique)
-	DNSName   string
-	OS        string // HostInfo.OS
-	UserID    tailcfg.UserID
-
+	ID           tailcfg.StableNodeID
+	PublicKey    key.NodePublic
+	HostName     string // HostInfo's Hostname (not a DNS name or necessarily unique)
+	DNSName      string
+	OS           string // HostInfo.OS
+	UserID       tailcfg.UserID
 	TailscaleIPs []netaddr.IP // Tailscale IP(s) assigned to this node

+	// Tags are the list of ACL tags applied to this node.
+	// See tailscale.com/tailcfg#Node.Tags for more information.
+	Tags *views.StringSlice `json:",omitempty"`
+
+	// PrimaryRoutes are the routes this node is currently the primary
+	// subnet router for, as determined by the control plane. It does
+	// not include the IPs in TailscaleIPs.
+	PrimaryRoutes *views.IPPrefixSlice `json:",omitempty"`
+
 	// Endpoints:
 	Addrs   []string
 	CurAddr string // one of Addrs, or unique if roaming
@@ -246,6 +275,12 @@ func (sb *StatusBuilder) AddPeer(peer key.NodePublic, st *PeerStatus) {
 	if v := st.TailscaleIPs; v != nil {
 		e.TailscaleIPs = v
 	}
+	if v := st.PrimaryRoutes; v != nil && !v.IsNil() {
+		e.PrimaryRoutes = v
+	}
+	if v := st.Tags; v != nil && !v.IsNil() {
+		e.Tags = v
+	}
 	if v := st.OS; v != "" {
 		e.OS = st.OS
 	}
--- a/ipn/localapi/cert.go
+++ b/ipn/localapi/cert.go
@@ -29,12 +29,12 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
-	"strconv"
 	"strings"
 	"sync"
 	"time"

 	"golang.org/x/crypto/acme"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/types/logger"
 )
@@ -63,10 +63,10 @@ func (h *Handler) certDir() (string, error) {
 	return full, nil
 }

-var acmeDebug, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_ACME"))
+var acmeDebug = envknob.Bool("TS_DEBUG_ACME")

 func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
+	if !h.PermitWrite && !h.PermitCert {
 		http.Error(w, "cert access denied", http.StatusForbidden)
 		return
 	}
@@ -239,6 +239,7 @@ func (h *Handler) getCertPEM(ctx context.Context, logf logger.Logf, traceACME fu
 					}
 				}
 				if !ok {
+					logf("starting SetDNS call...")
 					err = h.b.SetDNS(ctx, key, rec)
 					if err != nil {
 						return nil, fmt.Errorf("SetDNS %q => %q: %w", key, rec, err)
@@ -256,26 +257,18 @@ func (h *Handler) getCertPEM(ctx context.Context, logf logger.Logf, traceACME fu
 		}
 	}

-	wait0 := time.Now()
 	orderURI := order.URI
-	for {
-		order, err = ac.WaitOrder(ctx, orderURI)
-		if err == nil {
-			break
+	order, err = ac.WaitOrder(ctx, orderURI)
+	if err != nil {
+		if ctx.Err() != nil {
+			return nil, ctx.Err()
 		}
-		if oe, ok := err.(*acme.OrderError); ok && oe.Status == acme.StatusInvalid {
-			if time.Since(wait0) > 2*time.Minute {
-				return nil, errors.New("timeout waiting for order to not be invalid")
-			}
-			log.Printf("order invalid; waiting...")
-			select {
-			case <-time.After(5 * time.Second):
-				continue
-			case <-ctx.Done():
-				return nil, ctx.Err()
-			}
+		if oe, ok := err.(*acme.OrderError); ok {
+			logf("acme: WaitOrder: OrderError status %q", oe.Status)
+		} else {
+			logf("acme: WaitOrder error: %v", err)
 		}
-		return nil, fmt.Errorf("WaitOrder: %v", err)
+		return nil, err
 	}
 	traceACME(order)

@@ -296,10 +289,12 @@ func (h *Handler) getCertPEM(ctx context.Context, logf logger.Logf, traceACME fu
 		return nil, err
 	}

+	logf("requesting cert...")
 	der, _, err := ac.CreateOrderCert(ctx, order.FinalizeURL, csr, true)
 	if err != nil {
 		return nil, fmt.Errorf("CreateOrder: %v", err)
 	}
+	logf("got cert")

 	var certPEM bytes.Buffer
 	for _, b := range der {
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -52,8 +52,15 @@ type Handler struct {
 	PermitRead bool

 	// PermitWrite is whether mutating HTTP handlers are allowed.
+	// If PermitWrite is true, everything is allowed.
+	// It effectively means that the user is root or the admin
+	// (operator user).
 	PermitWrite bool

+	// PermitCert is whether the client is additionally granted
+	// cert fetching access.
+	PermitCert bool
+
 	b            *ipnlocal.LocalBackend
 	logf         logger.Logf
 	backendLogID string
@@ -113,6 +120,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.serveDERPMap(w, r)
 	case "/localapi/v0/metrics":
 		h.serveMetrics(w, r)
+	case "/localapi/v0/debug":
+		h.serveDebug(w, r)
 	case "/":
 		io.WriteString(w, "tailscaled\n")
 	default:
@@ -195,6 +204,35 @@ func (h *Handler) serveMetrics(w http.ResponseWriter, r *http.Request) {
 	clientmetric.WritePrometheusExpositionFormat(w)
 }

+func (h *Handler) serveDebug(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite {
+		http.Error(w, "debug access denied", http.StatusForbidden)
+		return
+	}
+	if r.Method != "POST" {
+		http.Error(w, "POST required", http.StatusMethodNotAllowed)
+		return
+	}
+	action := r.FormValue("action")
+	var err error
+	switch action {
+	case "rebind":
+		err = h.b.DebugRebind()
+	case "restun":
+		err = h.b.DebugReSTUN()
+	case "":
+		err = fmt.Errorf("missing parameter 'action'")
+	default:
+		err = fmt.Errorf("unknown action %q", action)
+	}
+	if err != nil {
+		http.Error(w, err.Error(), 400)
+		return
+	}
+	w.Header().Set("Content-Type", "text/plain")
+	io.WriteString(w, "done\n")
+}
+
 // serveProfileFunc is the implementation of Handler.serveProfile, after auth,
 // for platforms where we want to link it in.
 var serveProfileFunc func(http.ResponseWriter, *http.Request)
--- a/ipn/prefs.go
+++ b/ipn/prefs.go
@@ -98,6 +98,11 @@ type Prefs struct {
 	// DNS configuration, if it exists.
 	CorpDNS bool

+	// RunSSH bool is whether this node should run an SSH
+	// server, permitting access to peers according to the
+	// policies as configured by the Tailnet's admin(s).
+	RunSSH bool
+
 	// WantRunning indicates whether networking should be active on
 	// this node.
 	WantRunning bool
@@ -193,6 +198,7 @@ type MaskedPrefs struct {
 	ExitNodeIPSet             bool `json:",omitempty"`
 	ExitNodeAllowLANAccessSet bool `json:",omitempty"`
 	CorpDNSSet                bool `json:",omitempty"`
+	RunSSHSet                 bool `json:",omitempty"`
 	WantRunningSet            bool `json:",omitempty"`
 	LoggedOutSet              bool `json:",omitempty"`
 	ShieldsUpSet              bool `json:",omitempty"`
@@ -277,6 +283,9 @@ func (p *Prefs) pretty(goos string) string {
 		sb.WriteString("mesh=false ")
 	}
 	fmt.Fprintf(&sb, "dns=%v want=%v ", p.CorpDNS, p.WantRunning)
+	if p.RunSSH {
+		sb.WriteString("ssh=true ")
+	}
 	if p.LoggedOut {
 		sb.WriteString("loggedout=true ")
 	}
@@ -348,6 +357,7 @@ func (p *Prefs) Equals(p2 *Prefs) bool {
 		p.ExitNodeIP == p2.ExitNodeIP &&
 		p.ExitNodeAllowLANAccess == p2.ExitNodeAllowLANAccess &&
 		p.CorpDNS == p2.CorpDNS &&
+		p.RunSSH == p2.RunSSH &&
 		p.WantRunning == p2.WantRunning &&
 		p.LoggedOut == p2.LoggedOut &&
 		p.NotepadURLs == p2.NotepadURLs &&
@@ -426,6 +436,47 @@ func (p *Prefs) AdminPageURL() string {
 	return url + "/admin/machines"
 }

+// AdvertisesExitNode reports whether p is advertising both the v4 and
+// v6 /0 exit node routes.
+func (p *Prefs) AdvertisesExitNode() bool {
+	if p == nil {
+		return false
+	}
+	var v4, v6 bool
+	for _, r := range p.AdvertiseRoutes {
+		if r.Bits() != 0 {
+			continue
+		}
+		if r.IP().Is4() {
+			v4 = true
+		} else if r.IP().Is6() {
+			v6 = true
+		}
+	}
+	return v4 && v6
+}
+
+// SetAdvertiseExitNode mutates p (if non-nil) to add or remove the two
+// /0 exit node routes.
+func (p *Prefs) SetAdvertiseExitNode(runExit bool) {
+	if p == nil {
+		return
+	}
+	all := p.AdvertiseRoutes
+	p.AdvertiseRoutes = p.AdvertiseRoutes[:0]
+	for _, r := range all {
+		if r.Bits() != 0 {
+			p.AdvertiseRoutes = append(p.AdvertiseRoutes, r)
+		}
+	}
+	if !runExit {
+		return
+	}
+	p.AdvertiseRoutes = append(p.AdvertiseRoutes,
+		netaddr.IPPrefixFrom(netaddr.IPv4(0, 0, 0, 0), 0),
+		netaddr.IPPrefixFrom(netaddr.IPv6Unspecified(), 0))
+}
+
 // PrefsFromBytes deserializes Prefs from a JSON blob. If
 // enforceDefaults is true, Prefs.RouteAll and Prefs.AllowSingleHosts
 // are forced on.
--- a/ipn/prefs_clone.go
+++ b/ipn/prefs_clone.go
@@ -40,6 +40,7 @@ var _PrefsCloneNeedsRegeneration = Prefs(struct {
 	ExitNodeIP             netaddr.IP
 	ExitNodeAllowLANAccess bool
 	CorpDNS                bool
+	RunSSH                 bool
 	WantRunning            bool
 	LoggedOut              bool
 	ShieldsUp              bool
--- a/ipn/prefs_test.go
+++ b/ipn/prefs_test.go
@@ -42,6 +42,7 @@ func TestPrefsEqual(t *testing.T) {
 		"ExitNodeIP",
 		"ExitNodeAllowLANAccess",
 		"CorpDNS",
+		"RunSSH",
 		"WantRunning",
 		"LoggedOut",
 		"ShieldsUp",
@@ -646,3 +647,35 @@ func TestMaskedPrefsPretty(t *testing.T) {
 		}
 	}
 }
+
+func TestPrefsExitNode(t *testing.T) {
+	var p *Prefs
+	if p.AdvertisesExitNode() {
+		t.Errorf("nil shouldn't advertise exit node")
+	}
+	p = NewPrefs()
+	if p.AdvertisesExitNode() {
+		t.Errorf("default shouldn't advertise exit node")
+	}
+	p.AdvertiseRoutes = []netaddr.IPPrefix{
+		netaddr.MustParseIPPrefix("10.0.0.0/16"),
+	}
+	p.SetAdvertiseExitNode(true)
+	if got, want := len(p.AdvertiseRoutes), 3; got != want {
+		t.Errorf("routes = %d; want %d", got, want)
+	}
+	p.SetAdvertiseExitNode(true)
+	if got, want := len(p.AdvertiseRoutes), 3; got != want {
+		t.Errorf("routes = %d; want %d", got, want)
+	}
+	if !p.AdvertisesExitNode() {
+		t.Errorf("not advertising after enable")
+	}
+	p.SetAdvertiseExitNode(false)
+	if p.AdvertisesExitNode() {
+		t.Errorf("advertising after disable")
+	}
+	if got, want := len(p.AdvertiseRoutes), 1; got != want {
+		t.Errorf("routes = %d; want %d", got, want)
+	}
+}
--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@@ -8,11 +8,14 @@
 package logpolicy

 import (
+	"bufio"
 	"bytes"
 	"context"
 	"crypto/tls"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"log"
 	"net"
@@ -22,13 +25,14 @@ import (
 	"os/exec"
 	"path/filepath"
 	"runtime"
-	"strconv"
 	"strings"
 	"sync"
 	"time"

 	"golang.org/x/term"
 	"tailscale.com/atomicfile"
+	"tailscale.com/envknob"
+	"tailscale.com/log/filelogger"
 	"tailscale.com/logtail"
 	"tailscale.com/logtail/filch"
 	"tailscale.com/net/dnscache"
@@ -38,6 +42,7 @@ import (
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/paths"
+	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
@@ -65,6 +70,15 @@ func getLogTarget() string {
 	return getLogTargetOnce.v
 }

+// LogHost returns the hostname only (without port) of the configured
+// logtail server, or the default.
+func LogHost() string {
+	if v := getLogTarget(); v != "" {
+		return v
+	}
+	return logtail.DefaultHost
+}
+
 // Config represents an instance of logs in a collection.
 type Config struct {
 	Collection string
@@ -213,7 +227,7 @@ func runningUnderSystemd() bool {
 }

 func redirectStderrToLogPanics() bool {
-	return runningUnderSystemd() || os.Getenv("TS_PLEASE_PANIC") != ""
+	return runningUnderSystemd() || envknob.Bool("TS_PLEASE_PANIC")
 }

 // winProgramDataAccessible reports whether the directory (assumed to
@@ -391,7 +405,7 @@ func New(collection string) *Policy {
 	} else {
 		lflags = log.LstdFlags
 	}
-	if v, _ := strconv.ParseBool(os.Getenv("TS_DEBUG_LOG_TIME")); v {
+	if envknob.Bool("TS_DEBUG_LOG_TIME") {
 		lflags = log.LstdFlags | log.Lmicroseconds
 	}
 	if runningUnderSystemd() {
@@ -524,8 +538,20 @@ func New(collection string) *Policy {
 		}
 	}
 	lw := logtail.NewLogger(c, log.Printf)
+
+	var logOutput io.Writer = lw
+
+	if runtime.GOOS == "windows" && c.Collection == logtail.CollectionNode {
+		logID := newc.PublicID.String()
+		exe, _ := os.Executable()
+		if strings.EqualFold(filepath.Base(exe), "tailscaled.exe") {
+			diskLogf := filelogger.New("tailscale-service", logID, lw.Logf)
+			logOutput = logger.FuncWriter(diskLogf)
+		}
+	}
+
 	log.SetFlags(0) // other logflags are set on console, not here
-	log.SetOutput(lw)
+	log.SetOutput(logOutput)

 	log.Printf("Program starting: v%v, Go %v: %#v",
 		version.Long,
@@ -545,6 +571,16 @@ func New(collection string) *Policy {
 	}
 }

+// dialLog is used by NewLogtailTransport to log the happy path of its
+// own dialing.
+//
+// By default it goes nowhere and is only enabled when
+// tailscaled's in verbose mode.
+//
+// log.Printf isn't used so its own logs don't loop back into logtail
+// in the happy path, thus generating more logs.
+var dialLog = log.New(io.Discard, "logtail: ", log.LstdFlags|log.Lmsgprefix)
+
 // SetVerbosityLevel controls the verbosity level that should be
 // written to stderr. 0 is the default (not verbose). Levels 1 or higher
 // are increasingly verbose.
@@ -552,6 +588,9 @@ func New(collection string) *Policy {
 // It should not be changed concurrently with log writes.
 func (p *Policy) SetVerbosityLevel(level int) {
 	p.Logtail.SetVerbosityLevel(level)
+	if level > 0 {
+		dialLog.SetOutput(os.Stderr)
+	}
 }

 // Close immediately shuts down the logger.
@@ -598,10 +637,28 @@ func NewLogtailTransport(host string) *http.Transport {
 		c, err := nd.DialContext(ctx, netw, addr)
 		d := time.Since(t0).Round(time.Millisecond)
 		if err == nil {
-			log.Printf("logtail: dialed %q in %v", addr, d)
+			dialLog.Printf("dialed %q in %v", addr, d)
 			return c, nil
 		}

+		if version.IsWindowsGUI() && strings.HasPrefix(netw, "tcp") {
+			if c, err := safesocket.Connect(safesocket.DefaultConnectionStrategy("")); err == nil {
+				fmt.Fprintf(c, "CONNECT %s HTTP/1.0\r\n\r\n", addr)
+				br := bufio.NewReader(c)
+				res, err := http.ReadResponse(br, nil)
+				if err == nil && res.StatusCode != 200 {
+					err = errors.New(res.Status)
+				}
+				if err != nil {
+					log.Printf("logtail: CONNECT response error from tailscaled: %v", err)
+					c.Close()
+				} else {
+					dialLog.Printf("connected via tailscaled")
+					return c, nil
+				}
+			}
+		}
+
 		// If we failed to dial, try again with bootstrap DNS.
 		log.Printf("logtail: dial %q failed: %v (in %v), trying bootstrap...", addr, err, d)
 		dnsCache := &dnscache.Resolver{
@@ -626,7 +683,7 @@ func NewLogtailTransport(host string) *http.Transport {
 	// TODO(bradfitz): remove this debug knob once we've decided
 	// to upload via HTTP/1 or HTTP/2 (probably HTTP/1). Or we might just enforce
 	// it server-side.
-	if h1, _ := strconv.ParseBool(os.Getenv("TS_DEBUG_FORCE_H1_LOGS")); h1 {
+	if envknob.Bool("TS_DEBUG_FORCE_H1_LOGS") {
 		tr.TLSClientConfig = nil // DefaultTransport's was already initialized w/ h2
 		tr.ForceAttemptHTTP2 = false
 		tr.TLSNextProto = map[string]func(authority string, c *tls.Conn) http.RoundTripper{}
--- a/logtail/backoff/backoff.go
+++ b/logtail/backoff/backoff.go
@@ -71,7 +71,7 @@ func (b *Backoff) BackOff(ctx context.Context, err error) {
 	d = time.Duration(float64(d) * (rand.Float64() + 0.5))

 	if d >= b.LogLongerThan {
-		b.logf("%s: backoff: %d msec", b.name, d.Milliseconds())
+		b.logf("%s: [v1] backoff: %d msec", b.name, d.Milliseconds())
 	}
 	t := b.NewTimer(d)
 	select {
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .19.0
 .22.2