wgengine/magicsock: add controlknob tunable for session timeout experiments

Updates #TODO Change-Id: Ifb7ee2b69545cbc457aa2bf4c4744f431edb36e2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
tool/gocross: don't absorb --tags flags passed to subcommand
2023-10-06 06:59:17 -07:00 · 2023-10-05 17:11:03 -07:00 · 2023-10-05 17:04:07 -07:00 · 2023-10-05 16:26:06 -07:00 · 2023-10-05 16:21:06 -07:00 · 2023-10-05 16:05:45 -07:00
177 changed files with 7105 additions and 2107 deletions
--- a/5
+++ b/5
@@ -1,6 +1,7 @@
 IMAGE_REPO ?= tailscale/tailscale
 SYNO_ARCH ?= "amd64"
 SYNO_DSM ?= "7"
+TAGS ?= "latest"

 vet: ## Run go vet
 	./tool/go vet ./...
@@ -67,7 +68,7 @@ publishdevimage: ## Build and publish tailscale image to location specified by $
 	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS=latest REPOS=${REPO} PUSH=true TARGET=client ./build_docker.sh
+	TAGS="${TAGS}" REPOS=${REPO} PUSH=true TARGET=client ./build_docker.sh

 publishdevoperator: ## Build and publish k8s-operator image to location specified by ${REPO}
 	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
@@ -75,7 +76,7 @@ publishdevoperator: ## Build and publish k8s-operator image to location specifie
 	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS=latest REPOS=${REPO} PUSH=true TARGET=operator ./build_docker.sh
+	TAGS="${TAGS}" REPOS=${REPO} PUSH=true TARGET=operator ./build_docker.sh

 help: ## Show this help
 	@echo "\nSpecify a command. The choices are:\n"
--- a/README.md
+++ b/README.md
@@ -41,16 +41,6 @@ We always require the latest Go release, currently Go 1.21. (While we build
 releases with our [Go fork](https://github.com/tailscale/go/), its use is not
 required.)

-To include the embedded web client (accessed via the `tailscale web` command),
-first build the client assets using:
-
-```
-./tool/yarn --cwd client/web install
-./tool/yarn --cwd client/web build
-```
-
-Build the `tailscale` and `tailscaled` binaries:
-
 ```
 go install tailscale.com/cmd/tailscale{,d}
 ```
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.49.0
+1.51.0
--- a/api.md
+++ b/api.md
@@ -1434,6 +1434,18 @@ The response is a JSON object with information about the key supplied.
 }
 ```

+Response for a revoked (deleted) or expired key will have an `invalid` field set to `true`:
+
+``` jsonc
+{
+  "id": "abc123456CNTRL",
+  "created": "2022-05-05T18:55:44Z",
+  "expires": "2022-08-03T18:55:44Z",
+  "revoked": "2023-04-01T20:50:00Z",
+  "invalid": true
+}
+```
+
 <a href="tailnet-keys-key-delete"></a>

 ## Delete key
--- a/build_dist.sh
+++ b/build_dist.sh
@@ -5,9 +5,6 @@
 # information into the binaries, so that we can track down user
 # issues.
 #
-# To include the embedded web client, build the web client assets
-# before running this script. See README.md for details.
-#
 # If you're packaging Tailscale for a distro, please consider using
 # this script, or executing equivalent commands in your
 # distro-specific build system.
--- a/client/web/assets.go
+++ b/client/web/assets.go
@@ -4,8 +4,6 @@
 package web

 import (
-	"embed"
-	"io/fs"
 	"log"
 	"net/http"
 	"net/http/httputil"
@@ -15,36 +13,16 @@ import (
 	"path/filepath"
 	"strings"

-	"tailscale.com/util/must"
+	prebuilt "github.com/tailscale/web-client-prebuilt"
 )

-// This contains all files needed to build the frontend assets.
-// Because we assign this to the blank identifier, it does not actually embed the files.
-// However, this does cause `go mod vendor` to include the files when vendoring the package.
-// External packages that use the web client can `go mod vendor`, run `yarn build` to
-// build the assets, then those asset bundles will be embedded.
-//
-//go:embed yarn.lock index.html *.js *.json src/*
-var _ embed.FS
-
-//go:embed build/*
-var embeddedFS embed.FS
-
-// staticfiles serves static files from the build directory.
-var staticfiles http.Handler
-
-func init() {
-	buildFiles := must.Get(fs.Sub(embeddedFS, "build"))
-	staticfiles = http.FileServer(http.FS(buildFiles))
-}
-
 func assetsHandler(devMode bool) (_ http.Handler, cleanup func()) {
 	if devMode {
 		// When in dev mode, proxy asset requests to the Vite dev server.
 		cleanup := startDevServer()
 		return devServerProxy(), cleanup
 	}
-	return staticfiles, nil
+	return http.FileServer(http.FS(prebuilt.FS())), nil
 }

 // startDevServer starts the JS dev server that does on-demand rebuilding
--- a/client/web/qnap.go
+++ b/client/web/qnap.go
@@ -16,21 +16,23 @@ import (
 	"net/url"
 )

-// authorizeQNAP authenticates the logged-in QNAP user and verifies
-// that they are authorized to use the web client.  It returns true if the
-// request was handled and no further processing is required.
-func authorizeQNAP(w http.ResponseWriter, r *http.Request) (handled bool) {
+// authorizeQNAP authenticates the logged-in QNAP user and verifies that they
+// are authorized to use the web client.
+// It reports true if the request is authorized to continue, and false otherwise.
+// authorizeQNAP manages writing out any relevant authorization errors to the
+// ResponseWriter itself.
+func authorizeQNAP(w http.ResponseWriter, r *http.Request) (ok bool) {
 	_, resp, err := qnapAuthn(r)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusUnauthorized)
-		return true
+		return false
 	}
 	if resp.IsAdmin == 0 {
 		http.Error(w, "user is not an admin", http.StatusForbidden)
-		return true
+		return false
 	}

-	return false
+	return true
 }

 type qnapAuthResponse struct {
--- a/client/web/src/components/app.tsx
+++ b/client/web/src/components/app.tsx
@@ -1,30 +1,123 @@
 import React from "react"
 import { Footer, Header, IP, State } from "src/components/legacy"
-import useNodeData from "src/hooks/node-data"
+import useNodeData, { NodeData } from "src/hooks/node-data"
+import { ReactComponent as ConnectedDeviceIcon } from "src/icons/connected-device.svg"
+import { ReactComponent as TailscaleIcon } from "src/icons/tailscale-icon.svg"
+import { ReactComponent as TailscaleLogo } from "src/icons/tailscale-logo.svg"

 export default function App() {
  // TODO(sonia): use isPosting value from useNodeData
  // to fill loading states.
  const { data, refreshData, updateNode } = useNodeData()

-  return (
-    <div className="py-14">
-      {!data ? (
-        // TODO(sonia): add a loading view
-        <div className="text-center">Loading...</div>
+  if (!data) {
+    // TODO(sonia): add a loading view
+    return <div className="text-center py-14">Loading...</div>
+  }
+
+  const needsLogin = data?.Status === "NeedsLogin" || data?.Status === "NoState"
+
+  return !needsLogin &&
+    (data.DebugMode === "login" || data.DebugMode === "full") ? (
+    <div className="flex flex-col items-center min-w-sm max-w-lg mx-auto py-10">
+      {data.DebugMode === "login" ? (
+        <LoginView {...data} />
      ) : (
-        <>
-          <main className="container max-w-lg mx-auto mb-8 py-6 px-8 bg-white rounded-md shadow-2xl">
-            <Header
-              data={data}
-              refreshData={refreshData}
-              updateNode={updateNode}
-            />
-            <IP data={data} />
-            <State data={data} updateNode={updateNode} />
-          </main>
-          <Footer data={data} />
-        </>
+        <ManageView {...data} />
+      )}
+      <Footer className="mt-20" licensesURL={data.LicensesURL} />
+    </div>
+  ) : (
+    // Legacy client UI
+    <div className="py-14">
+      <main className="container max-w-lg mx-auto mb-8 py-6 px-8 bg-white rounded-md shadow-2xl">
+        <Header data={data} refreshData={refreshData} updateNode={updateNode} />
+        <IP data={data} />
+        <State data={data} updateNode={updateNode} />
+      </main>
+      <Footer licensesURL={data.LicensesURL} />
+    </div>
+  )
+}
+
+function LoginView(props: NodeData) {
+  return (
+    <>
+      <div className="pb-52 mx-auto">
+        <TailscaleLogo />
+      </div>
+      <div className="w-full p-4 bg-stone-50 rounded-3xl border border-gray-200 flex flex-col gap-4">
+        <div className="flex gap-2.5">
+          <ProfilePic url={props.Profile.ProfilePicURL} />
+          <div className="font-medium">
+            <div className="text-neutral-500 text-xs uppercase tracking-wide">
+              Owned by
+            </div>
+            <div className="text-neutral-800 text-sm leading-tight">
+              {/* TODO(sonia): support tagged node profile view more eloquently */}
+              {props.Profile.LoginName}
+            </div>
+          </div>
+        </div>
+        <div className="px-5 py-4 bg-white rounded-lg border border-gray-200 justify-between items-center flex">
+          <div className="flex gap-3">
+            <ConnectedDeviceIcon />
+            <div className="text-neutral-800">
+              <div className="text-lg font-medium leading-[25.20px]">
+                {props.DeviceName}
+              </div>
+              <div className="text-sm leading-tight">{props.IP}</div>
+            </div>
+          </div>
+          <button className="button button-blue ml-6">Access</button>
+        </div>
+      </div>
+    </>
+  )
+}
+
+function ManageView(props: NodeData) {
+  return (
+    <div className="px-5">
+      <div className="flex justify-between mb-12">
+        <TailscaleIcon />
+        <div className="flex">
+          <p className="mr-2">{props.Profile.LoginName}</p>
+          {/* TODO(sonia): support tagged node profile view more eloquently */}
+          <ProfilePic url={props.Profile.ProfilePicURL} />
+        </div>
+      </div>
+      <p className="tracking-wide uppercase text-gray-600 pb-3">This device</p>
+      <div className="-mx-5 border rounded-md px-5 py-4 bg-white">
+        <div className="flex justify-between items-center text-lg">
+          <div className="flex items-center">
+            <ConnectedDeviceIcon />
+            <p className="font-medium ml-3">{props.DeviceName}</p>
+          </div>
+          <p className="tracking-widest">{props.IP}</p>
+        </div>
+      </div>
+      <p className="text-gray-500 pt-2">
+        Tailscale is up and running. You can connect to this device from devices
+        in your tailnet by using its name or IP address.
+      </p>
+    </div>
+  )
+}
+
+function ProfilePic({ url }: { url: string }) {
+  return (
+    <div className="relative flex-shrink-0 w-8 h-8 rounded-full overflow-hidden">
+      {url ? (
+        <div
+          className="w-8 h-8 flex pointer-events-none rounded-full bg-gray-200"
+          style={{
+            backgroundImage: `url(${url})`,
+            backgroundSize: "cover",
+          }}
+        />
+      ) : (
+        <div className="w-8 h-8 flex pointer-events-none rounded-full border border-gray-400 border-dashed" />
      )}
    </div>
  )
--- a/client/web/src/components/legacy.tsx
+++ b/client/web/src/components/legacy.tsx
@@ -282,14 +282,14 @@ export function State({
  }
 }

-export function Footer(props: { data: NodeData }) {
-  const { data } = props
-
+export function Footer(props: { licensesURL: string; className?: string }) {
  return (
-    <footer className="container max-w-lg mx-auto text-center">
+    <footer
+      className={cx("container max-w-lg mx-auto text-center", props.className)}
+    >
      <a
        className="text-xs text-gray-500 hover:text-gray-600"
-        href={data.LicensesURL}
+        href={props.licensesURL}
      >
        Open Source Licenses
      </a>
--- a/client/web/src/hooks/node-data.ts
+++ b/client/web/src/hooks/node-data.ts
@@ -15,6 +15,8 @@ export type NodeData = {
  IsUnraid: boolean
  UnraidToken: string
  IPNVersion: string
+
+  DebugMode: "" | "login" | "full" // empty when not running in any debug mode
 }

 export type UserProfile = {
--- a/client/web/src/icons/connected-device.svg
+++ b/client/web/src/icons/connected-device.svg
@@ -0,0 +1,15 @@
+<svg width="40" height="40" viewBox="0 0 40 40" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="40" height="40" rx="20" fill="#F7F5F4"/>
+<g clip-path="url(#clip0_13627_11903)">
+<path d="M26.6666 11.6667H13.3333C12.4128 11.6667 11.6666 12.4129 11.6666 13.3333V16.6667C11.6666 17.5871 12.4128 18.3333 13.3333 18.3333H26.6666C27.5871 18.3333 28.3333 17.5871 28.3333 16.6667V13.3333C28.3333 12.4129 27.5871 11.6667 26.6666 11.6667Z" stroke="black" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M26.6666 21.6667H13.3333C12.4128 21.6667 11.6666 22.4129 11.6666 23.3333V26.6667C11.6666 27.5871 12.4128 28.3333 13.3333 28.3333H26.6666C27.5871 28.3333 28.3333 27.5871 28.3333 26.6667V23.3333C28.3333 22.4129 27.5871 21.6667 26.6666 21.6667Z" stroke="black" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M15 15H15.01" stroke="black" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M15 25H15.01" stroke="black" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+</g>
+<circle cx="34" cy="34" r="4.5" fill="#1EA672" stroke="white"/>
+<defs>
+<clipPath id="clip0_13627_11903">
+<rect width="20" height="20" fill="white" transform="translate(10 10)"/>
+</clipPath>
+</defs>
+</svg>
--- a/client/web/src/icons/tailscale-icon.svg
+++ b/client/web/src/icons/tailscale-icon.svg
@@ -0,0 +1,18 @@
+<svg width="26" height="26" viewBox="0 0 26 26" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_13627_11860)">
+<path opacity="0.2" d="M3.8696 6.77137C5.56662 6.77137 6.94233 5.39567 6.94233 3.69865C6.94233 2.00163 5.56662 0.625919 3.8696 0.625919C2.17258 0.625919 0.796875 2.00163 0.796875 3.69865C0.796875 5.39567 2.17258 6.77137 3.8696 6.77137Z" fill="black"/>
+<path d="M3.8696 15.9327C5.56662 15.9327 6.94233 14.5569 6.94233 12.8599C6.94233 11.1629 5.56662 9.7872 3.8696 9.7872C2.17258 9.7872 0.796875 11.1629 0.796875 12.8599C0.796875 14.5569 2.17258 15.9327 3.8696 15.9327Z" fill="black"/>
+<path opacity="0.2" d="M3.8696 25.2646C5.56662 25.2646 6.94233 23.8889 6.94233 22.1919C6.94233 20.4949 5.56662 19.1192 3.8696 19.1192C2.17258 19.1192 0.796875 20.4949 0.796875 22.1919C0.796875 23.8889 2.17258 25.2646 3.8696 25.2646Z" fill="black"/>
+<path d="M13.0879 15.9327C14.7849 15.9327 16.1606 14.5569 16.1606 12.8599C16.1606 11.1629 14.7849 9.7872 13.0879 9.7872C11.3908 9.7872 10.0151 11.1629 10.0151 12.8599C10.0151 14.5569 11.3908 15.9327 13.0879 15.9327Z" fill="black"/>
+<path d="M13.0879 25.2646C14.7849 25.2646 16.1606 23.8889 16.1606 22.1919C16.1606 20.4949 14.7849 19.1192 13.0879 19.1192C11.3908 19.1192 10.0151 20.4949 10.0151 22.1919C10.0151 23.8889 11.3908 25.2646 13.0879 25.2646Z" fill="black"/>
+<path opacity="0.2" d="M13.0879 6.77137C14.7849 6.77137 16.1606 5.39567 16.1606 3.69865C16.1606 2.00163 14.7849 0.625919 13.0879 0.625919C11.3908 0.625919 10.0151 2.00163 10.0151 3.69865C10.0151 5.39567 11.3908 6.77137 13.0879 6.77137Z" fill="black"/>
+<path opacity="0.2" d="M22.1919 6.77137C23.8889 6.77137 25.2646 5.39567 25.2646 3.69865C25.2646 2.00163 23.8889 0.625919 22.1919 0.625919C20.4948 0.625919 19.1191 2.00163 19.1191 3.69865C19.1191 5.39567 20.4948 6.77137 22.1919 6.77137Z" fill="black"/>
+<path d="M22.1919 15.9327C23.8889 15.9327 25.2646 14.5569 25.2646 12.8599C25.2646 11.1629 23.8889 9.7872 22.1919 9.7872C20.4948 9.7872 19.1191 11.1629 19.1191 12.8599C19.1191 14.5569 20.4948 15.9327 22.1919 15.9327Z" fill="black"/>
+<path opacity="0.2" d="M22.1919 25.2646C23.8889 25.2646 25.2646 23.8889 25.2646 22.1919C25.2646 20.4949 23.8889 19.1192 22.1919 19.1192C20.4948 19.1192 19.1191 20.4949 19.1191 22.1919C19.1191 23.8889 20.4948 25.2646 22.1919 25.2646Z" fill="black"/>
+</g>
+<defs>
+<clipPath id="clip0_13627_11860">
+<rect width="26" height="26" fill="white"/>
+</clipPath>
+</defs>
+</svg>
--- a/client/web/src/icons/tailscale-logo.svg
+++ b/client/web/src/icons/tailscale-logo.svg
@@ -0,0 +1,20 @@
+<svg width="121" height="22" viewBox="0 0 121 22" fill="none" xmlns="http://www.w3.org/2000/svg">
+<ellipse cx="2.69191" cy="10.7677" rx="2.69191" ry="2.69191" fill="#141414"/>
+<ellipse cx="10.7676" cy="10.7677" rx="2.69191" ry="2.69191" fill="#141414"/>
+<ellipse opacity="0.2" cx="2.69191" cy="18.8434" rx="2.69191" ry="2.69191" fill="#141414"/>
+<circle opacity="0.2" cx="18.8433" cy="18.8434" r="2.69191" fill="#141414"/>
+<ellipse cx="10.7676" cy="18.8434" rx="2.69191" ry="2.69191" fill="#141414"/>
+<circle cx="18.8433" cy="10.7677" r="2.69191" fill="#141414"/>
+<ellipse opacity="0.2" cx="2.69191" cy="2.69191" rx="2.69191" ry="2.69191" fill="#141414"/>
+<ellipse opacity="0.2" cx="10.7676" cy="2.69191" rx="2.69191" ry="2.69191" fill="#141414"/>
+<circle opacity="0.2" cx="18.8433" cy="2.69191" r="2.69191" fill="#141414"/>
+<path d="M37.8847 19.9603C38.6525 19.9603 39.2764 19.8883 40.0202 19.7443V16.9609C39.5643 17.1289 39.0605 17.1769 38.5806 17.1769C37.4048 17.1769 36.9729 16.601 36.9729 15.4973V9.83453H40.0202V7.05116H36.9729V2.92409H33.6137V7.05116H31.4302V9.83453H33.6137V15.8092C33.6137 18.4486 35.0054 19.9603 37.8847 19.9603Z" fill="#141414"/>
+<path d="M45.5064 19.9603C47.306 19.9603 48.5057 19.3604 49.1056 18.4246C49.1536 18.8325 49.2975 19.3844 49.4895 19.7203H52.5128C52.3448 19.1444 52.2249 18.2326 52.2249 17.6328V11.0583C52.2249 8.34687 50.2813 6.81121 46.994 6.81121C44.4986 6.81121 42.555 7.747 41.4753 9.1147L43.3949 11.0103C44.2587 10.0505 45.3624 9.5466 46.7061 9.5466C48.3377 9.5466 49.0576 10.0985 49.0576 10.9143C49.0576 11.6101 48.5777 12.09 45.9863 12.09C43.4908 12.09 40.9714 13.1218 40.9714 16.0011C40.9714 18.6645 42.891 19.9603 45.5064 19.9603ZM46.1782 17.4168C44.8825 17.4168 44.2827 16.8649 44.2827 15.8812C44.2827 15.0174 45.0025 14.4415 46.2022 14.4415C48.1218 14.4415 48.6497 14.3215 49.0576 13.9136V14.9454C49.0576 16.3131 47.9058 17.4168 46.1782 17.4168Z" fill="#141414"/>
+<path d="M54.4086 5.44352H57.9118V2.30023H54.4086V5.44352ZM54.4805 19.7203H57.8398V7.05116H54.4805V19.7203Z" fill="#141414"/>
+<path d="M60.287 19.7203H63.6463V2.68414H60.287V19.7203Z" fill="#141414"/>
+<path d="M70.6285 19.9603C74.3237 19.9603 76.2193 18.0167 76.2193 15.9771C76.2193 14.1296 75.2835 12.7619 72.2122 12.21C70.0527 11.8261 68.709 11.3462 68.709 10.6024C68.709 9.95451 69.4768 9.49861 70.7725 9.49861C71.9242 9.49861 72.884 9.88252 73.6038 10.7223L75.7394 8.92274C74.6596 7.57904 72.884 6.81121 70.7725 6.81121C67.5332 6.81121 65.5177 8.53883 65.5177 10.6503C65.5177 12.9538 67.6292 13.9856 69.9087 14.3935C71.8043 14.7294 72.86 15.0893 72.86 15.9052C72.86 16.601 72.1162 17.1769 70.7005 17.1769C69.3088 17.1769 68.2291 16.529 67.7252 15.5692L64.8938 16.9129C65.5897 18.6405 67.9651 19.9603 70.6285 19.9603Z" fill="#141414"/>
+<path d="M83.7294 19.9603C86.1288 19.9603 87.8564 19.0005 89.1521 16.841L86.4648 15.4733C85.9609 16.481 85.1451 17.1769 83.7294 17.1769C81.5939 17.1769 80.4421 15.4493 80.4421 13.3617C80.4421 11.2742 81.6658 9.59459 83.7294 9.59459C85.0251 9.59459 85.8889 10.2904 86.3928 11.3462L89.1042 9.90652C88.1924 7.91497 86.3928 6.81121 83.7294 6.81121C79.3384 6.81121 77.0829 10.0265 77.0829 13.3617C77.0829 16.9849 79.8183 19.9603 83.7294 19.9603Z" fill="#141414"/>
+<path d="M94.5031 19.9603C96.3027 19.9603 97.5025 19.3604 98.1023 18.4246C98.1503 18.8325 98.2943 19.3844 98.4862 19.7203H101.51C101.342 19.1444 101.222 18.2326 101.222 17.6328V11.0583C101.222 8.34687 99.2781 6.81121 95.9908 6.81121C93.4954 6.81121 91.5518 7.747 90.472 9.1147L92.3916 11.0103C93.2554 10.0505 94.3592 9.5466 95.7029 9.5466C97.3345 9.5466 98.0543 10.0985 98.0543 10.9143C98.0543 11.6101 97.5744 12.09 94.983 12.09C92.4876 12.09 89.9682 13.1218 89.9682 16.0011C89.9682 18.6645 91.8877 19.9603 94.5031 19.9603ZM95.175 17.4168C93.8793 17.4168 93.2794 16.8649 93.2794 15.8812C93.2794 15.0174 93.9992 14.4415 95.199 14.4415C97.1185 14.4415 97.6464 14.3215 98.0543 13.9136V14.9454C98.0543 16.3131 96.9026 17.4168 95.175 17.4168Z" fill="#141414"/>
+<path d="M103.196 19.7203H106.555V2.68414H103.196V19.7203Z" fill="#141414"/>
+<path d="M114.617 19.9603C117.089 19.9603 119.08 18.9765 120.184 17.2249L117.641 15.5932C116.969 16.649 116.081 17.2249 114.617 17.2249C112.962 17.2249 111.762 16.3131 111.45 14.5375H121V13.3617C121 10.0265 118.96 6.81121 114.593 6.81121C110.442 6.81121 108.187 10.0505 108.187 13.3857C108.187 18.1367 111.762 19.9603 114.617 19.9603ZM111.57 11.8981C112.098 10.2904 113.202 9.5466 114.665 9.5466C116.321 9.5466 117.329 10.5304 117.665 11.8981H111.57Z" fill="#141414"/>
+</svg>
--- a/client/web/synology.go
+++ b/client/web/synology.go
@@ -16,11 +16,13 @@ import (
 )

 // authorizeSynology authenticates the logged-in Synology user and verifies
-// that they are authorized to use the web client.  It returns true if the
-// request was handled and no further processing is required.
-func authorizeSynology(w http.ResponseWriter, r *http.Request) (handled bool) {
+// that they are authorized to use the web client.
+// It reports true if the request is authorized to continue, and false otherwise.
+// authorizeSynology manages writing out any relevant authorization errors to the
+// ResponseWriter itself.
+func authorizeSynology(w http.ResponseWriter, r *http.Request) (ok bool) {
 	if synoTokenRedirect(w, r) {
-		return true
+		return false
 	}

 	// authenticate the Synology user
@@ -28,7 +30,7 @@ func authorizeSynology(w http.ResponseWriter, r *http.Request) (handled bool) {
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		http.Error(w, fmt.Sprintf("auth: %v: %s", err, out), http.StatusUnauthorized)
-		return true
+		return false
 	}
 	user := strings.TrimSpace(string(out))

@@ -36,14 +38,14 @@ func authorizeSynology(w http.ResponseWriter, r *http.Request) (handled bool) {
 	isAdmin, err := groupmember.IsMemberOfGroup("administrators", user)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusForbidden)
-		return true
+		return false
 	}
 	if !isAdmin {
 		http.Error(w, "not a member of administrators group", http.StatusForbidden)
-		return true
+		return false
 	}

-	return false
+	return true
 }

 func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
--- a/client/web/tsconfig.json
+++ b/client/web/tsconfig.json
@@ -10,6 +10,7 @@
    "forceConsistentCasingInFileNames": true,
    "allowSyntheticDefaultImports": true,
    "jsx": "react",
+    "types": ["vite-plugin-svgr/client", "vite/client"]
  },
  "include": ["src/**/*"],
  "exclude": ["node_modules"]
--- a/client/web/vite.config.ts
+++ b/client/web/vite.config.ts
@@ -32,7 +32,7 @@ export default defineConfig({
  ],
  build: {
    outDir: "build",
-    sourcemap: true,
+    sourcemap: false,
  },
  esbuild: {
    logOverride: {
--- a/client/web/web.go
+++ b/client/web/web.go
@@ -8,6 +8,7 @@ import (
 	"context"
 	"crypto/rand"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"log"
@@ -17,6 +18,8 @@ import (
 	"path/filepath"
 	"slices"
 	"strings"
+	"sync"
+	"time"

 	"github.com/gorilla/csrf"
 	"tailscale.com/client/tailscale"
@@ -35,19 +38,81 @@ import (
 type Server struct {
 	lc *tailscale.LocalClient

-	devMode bool
+	devMode     bool
+	tsDebugMode string

 	cgiMode    bool
 	pathPrefix string

 	assetsHandler http.Handler // serves frontend assets
 	apiHandler    http.Handler // serves api endpoints; csrf-protected
+
+	// browserSessions is an in-memory cache of browser sessions for the
+	// full management web client, which is only accessible over Tailscale.
+	//
+	// Users obtain a valid browser session by connecting to the web client
+	// over Tailscale and verifying their identity by authenticating on the
+	// control server.
+	//
+	// browserSessions get reset on every Server restart.
+	//
+	// The map provides a lookup of the session by cookie value
+	// (browserSession.ID => browserSession).
+	browserSessions sync.Map
+}
+
+const (
+	sessionCookieName   = "TS-Web-Session"
+	sessionCookieExpiry = time.Hour * 24 * 30 // 30 days
+)
+
+// browserSession holds data about a user's browser session
+// on the full management web client.
+type browserSession struct {
+	// ID is the unique identifier for the session.
+	// It is passed in the user's "TS-Web-Session" browser cookie.
+	ID            string
+	SrcNode       tailcfg.StableNodeID
+	SrcUser       tailcfg.UserID
+	AuthURL       string    // control server URL for user to authenticate the session
+	Authenticated time.Time // when zero, authentication not complete
+}
+
+// isAuthorized reports true if the given session is authorized
+// to be used by its associated user to access the full management
+// web client.
+//
+// isAuthorized is true only when s.Authenticated is non-zero
+// (i.e. the user has authenticated the session) and the session
+// is not expired.
+// 2023-10-05: Sessions expire by default after 30 days.
+func (s *browserSession) isAuthorized() bool {
+	switch {
+	case s == nil:
+		return false
+	case s.Authenticated.IsZero():
+		return false // awaiting auth
+	case s.isExpired(): // TODO: add time field to server?
+		return false // expired
+	}
+	return true
+}
+
+// isExpired reports true if s is expired.
+// 2023-10-05: Sessions expire by default after 30 days.
+// If s.Authenticated is zero, isExpired reports false.
+func (s *browserSession) isExpired() bool {
+	return !s.Authenticated.IsZero() && s.Authenticated.Before(time.Now().Add(-sessionCookieExpiry)) // TODO: add time field to server?
 }

 // ServerOpts contains options for constructing a new Server.
 type ServerOpts struct {
 	DevMode bool

+	// LoginOnly indicates that the server should only serve the minimal
+	// login client and not the full web client.
+	LoginOnly bool
+
 	// CGIMode indicates if the server is running as a CGI script.
 	CGIMode bool

@@ -68,9 +133,9 @@ func NewServer(ctx context.Context, opts ServerOpts) (s *Server, cleanup func())
 	s = &Server{
 		devMode:    opts.DevMode,
 		lc:         opts.LocalClient,
-		cgiMode:    opts.CGIMode,
 		pathPrefix: opts.PathPrefix,
 	}
+	s.tsDebugMode = s.debugMode()
 	s.assetsHandler, cleanup = assetsHandler(opts.DevMode)

 	// Create handler for "/api" requests with CSRF protection.
@@ -79,12 +144,33 @@ func NewServer(ctx context.Context, opts ServerOpts) (s *Server, cleanup func())
 	// The client is secured by limiting the interface it listens on,
 	// or by authenticating requests before they reach the web client.
 	csrfProtect := csrf.Protect(s.csrfKey(), csrf.Secure(false))
-	s.apiHandler = csrfProtect(http.HandlerFunc(s.serveAPI))
+	if s.tsDebugMode == "login" {
+		// For the login client, we don't serve the full web client API,
+		// only the login endpoints.
+		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveLoginAPI))
+		s.lc.IncrementCounter(context.Background(), "web_login_client_initialization", 1)
+	} else {
+		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveAPI))
+		s.lc.IncrementCounter(context.Background(), "web_client_initialization", 1)
+	}

-	s.lc.IncrementCounter(context.Background(), "web_client_initialization", 1)
 	return s, cleanup
 }

+// debugMode returns the debug mode the web client is being run in.
+// The empty string is returned in the case that this instance is
+// not running in any debug mode.
+func (s *Server) debugMode() string {
+	if !s.devMode {
+		return "" // debug modes only available in dev
+	}
+	switch mode := os.Getenv("TS_DEBUG_WEB_CLIENT_MODE"); mode {
+	case "login", "full": // valid debug modes
+		return mode
+	}
+	return ""
+}
+
 // ServeHTTP processes all requests for the Tailscale web client.
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	handler := s.serve
@@ -97,53 +183,194 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	handler(w, r)
 }

-// authorize checks if the request is authorized to access the web client for those platforms that support it.
-func authorize(w http.ResponseWriter, r *http.Request) (handled bool) {
-	if strings.HasPrefix(r.URL.Path, "/assets/") {
-		// don't require authorization for static assets
-		return false
+func (s *Server) serve(w http.ResponseWriter, r *http.Request) {
+	if strings.HasPrefix(r.URL.Path, "/api/") {
+		// Pass API requests through to the API handler.
+		s.apiHandler.ServeHTTP(w, r)
+		return
 	}
+	if !s.devMode {
+		s.lc.IncrementCounter(context.Background(), "web_client_page_load", 1)
+	}
+	s.assetsHandler.ServeHTTP(w, r)
+}

+// authorizePlatformRequest reports whether the request from the web client
+// is authorized to access the client for those platforms that support it.
+// It reports true if the request is authorized, and false otherwise.
+// authorizePlatformRequest manages writing out any relevant authorization
+// errors to the ResponseWriter itself.
+func authorizePlatformRequest(w http.ResponseWriter, r *http.Request) (ok bool) {
 	switch distro.Get() {
 	case distro.Synology:
 		return authorizeSynology(w, r)
 	case distro.QNAP:
 		return authorizeQNAP(w, r)
 	}
-
-	return false
+	return true
 }

-func (s *Server) serve(w http.ResponseWriter, r *http.Request) {
-	switch {
-	case authorize(w, r):
-		// Authenticate and authorize the request for platforms that support it.
-		// Return if the request was processed.
-		return
-	case strings.HasPrefix(r.URL.Path, "/api/"):
-		// Pass API requests through to the API handler.
-		s.apiHandler.ServeHTTP(w, r)
-		return
-	default:
-		if !s.devMode {
-			s.lc.IncrementCounter(context.Background(), "web_client_page_load", 1)
-		}
-		s.assetsHandler.ServeHTTP(w, r)
+// serveLoginAPI serves requests for the web login client.
+// It should only be called by Server.ServeHTTP, via Server.apiHandler,
+// which protects the handler using gorilla csrf.
+func (s *Server) serveLoginAPI(w http.ResponseWriter, r *http.Request) {
+	// The login client is run directly from client plugins,
+	// so first authenticate and authorize the request for the host platform.
+	if ok := authorizePlatformRequest(w, r); !ok {
 		return
 	}
+
+	w.Header().Set("X-CSRF-Token", csrf.Token(r))
+	if r.URL.Path != "/api/data" { // only endpoint allowed for login client
+		http.Error(w, "invalid endpoint", http.StatusNotFound)
+		return
+	}
+	switch r.Method {
+	case httpm.GET:
+		// TODO(soniaappasamy): we may want a minimal node data response here
+		s.serveGetNodeData(w, r)
+	case httpm.POST:
+		// TODO(soniaappasamy): implement
+	default:
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+	}
+	return
+}
+
+var (
+	errNoSession         = errors.New("no-browser-session")
+	errNotUsingTailscale = errors.New("not-using-tailscale")
+	errTaggedSource      = errors.New("tagged-source")
+	errNotOwner          = errors.New("not-owner")
+)
+
+// getTailscaleBrowserSession retrieves the browser session associated with
+// the request, if one exists.
+//
+// An error is returned in any of the following cases:
+//
+//   - (errNotUsingTailscale) The request was not made over tailscale.
+//
+//   - (errNoSession) The request does not have a session.
+//
+//   - (errTaggedSource) The source is a tagged node. Users must use their
+//     own user-owned devices to manage other nodes' web clients.
+//
+//   - (errNotOwner) The source is not the owner of this client (if the
+//     client is user-owned). Only the owner is allowed to manage the
+//     node via the web client.
+//
+// If no error is returned, the browserSession is always non-nil.
+// getTailscaleBrowserSession does not check whether the session has been
+// authorized by the user. Callers can use browserSession.isAuthorized.
+func (s *Server) getTailscaleBrowserSession(r *http.Request) (*browserSession, error) {
+	whoIs, err := s.lc.WhoIs(r.Context(), r.RemoteAddr)
+	switch {
+	case err != nil:
+		return nil, errNotUsingTailscale
+	case whoIs.Node.IsTagged():
+		return nil, errTaggedSource
+	}
+	srcNode := whoIs.Node.StableID
+	srcUser := whoIs.UserProfile.ID
+
+	status, err := s.lc.StatusWithoutPeers(r.Context())
+	switch {
+	case err != nil:
+		return nil, err
+	case status.Self == nil:
+		return nil, errors.New("missing self node in tailscale status")
+	case !status.Self.IsTagged() && status.Self.UserID != srcUser:
+		return nil, errNotOwner
+	}
+
+	cookie, err := r.Cookie(sessionCookieName)
+	if errors.Is(err, http.ErrNoCookie) {
+		return nil, errNoSession
+	} else if err != nil {
+		return nil, err
+	}
+	v, ok := s.browserSessions.Load(cookie.Value)
+	if !ok {
+		return nil, errNoSession
+	}
+	session := v.(*browserSession)
+	if session.SrcNode != srcNode || session.SrcUser != srcUser {
+		// In this case the browser cookie is associated with another tailscale node.
+		// Maybe the source browser's machine was logged out and then back in as a different node.
+		// Return errNoSession because there is no session for this user.
+		return nil, errNoSession
+	} else if session.isExpired() {
+		// Session expired, remove from session map and return errNoSession.
+		s.browserSessions.Delete(session.ID)
+		return nil, errNoSession
+	}
+	return session, nil
+}
+
+type authResponse struct {
+	OK      bool   `json:"ok"`                // true when user has valid auth session
+	AuthURL string `json:"authUrl,omitempty"` // filled when user has control auth action to take
+	Error   string `json:"error,omitempty"`   // filled when Ok is false
+}
+
+func (s *Server) serveTailscaleAuth(w http.ResponseWriter, r *http.Request) {
+	var resp authResponse
+
+	session, err := s.getTailscaleBrowserSession(r)
+	switch {
+	case err != nil && !errors.Is(err, errNoSession):
+		resp = authResponse{OK: false, Error: err.Error()}
+	case session == nil:
+		// TODO(tailscale/corp#14335): Create a new auth path from control,
+		// and store back to s.browserSessions and request cookie.
+	case !session.isAuthorized():
+		// TODO(tailscale/corp#14335): Check on the session auth path status from control,
+		// and store back to s.browserSessions.
+	default:
+		resp = authResponse{OK: true}
+	}
+
+	if err := json.NewEncoder(w).Encode(resp); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
 }

 // serveAPI serves requests for the web client api.
 // It should only be called by Server.ServeHTTP, via Server.apiHandler,
 // which protects the handler using gorilla csrf.
 func (s *Server) serveAPI(w http.ResponseWriter, r *http.Request) {
+	if s.tsDebugMode == "full" {
+		// tailscale/corp#14335: Only restrict to tailscale auth in debug "full" web client mode.
+		// TODO(sonia,will): Switch serveAPI over to always require TS auth when we're ready
+		// to remove the debug flags.
+		// For now, existing client uses platform auth (else case below).
+
+		if r.URL.Path == "/api/auth" {
+			// Serve auth, which creates a new session for the user to authenticate,
+			// in the case that the request doesn't already have one.
+			s.serveTailscaleAuth(w, r)
+			return
+		}
+		// For all other endpoints, require a valid session to proceed.
+		session, err := s.getTailscaleBrowserSession(r)
+		if err != nil || !session.isAuthorized() {
+			http.Error(w, "no valid session", http.StatusUnauthorized)
+			return
+		}
+	} else if ok := authorizePlatformRequest(w, r); !ok {
+		return
+	}
+
 	w.Header().Set("X-CSRF-Token", csrf.Token(r))
 	path := strings.TrimPrefix(r.URL.Path, "/api")
 	switch {
 	case path == "/data":
 		switch r.Method {
 		case httpm.GET:
-			s.serveGetNodeDataJSON(w, r)
+			s.serveGetNodeData(w, r)
 		case httpm.POST:
 			s.servePostNodeUpdate(w, r)
 		default:
@@ -171,16 +398,19 @@ type nodeData struct {
 	IsUnraid          bool
 	UnraidToken       string
 	IPNVersion        string
+	DebugMode         string // empty when not running in any debug mode
 }

-func (s *Server) getNodeData(ctx context.Context) (*nodeData, error) {
-	st, err := s.lc.Status(ctx)
+func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request) {
+	st, err := s.lc.Status(r.Context())
 	if err != nil {
-		return nil, err
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
 	}
-	prefs, err := s.lc.GetPrefs(ctx)
+	prefs, err := s.lc.GetPrefs(r.Context())
 	if err != nil {
-		return nil, err
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
 	}
 	profile := st.User[st.Self.UserID]
 	deviceName := strings.Split(st.Self.DNSName, ".")[0]
@@ -196,6 +426,7 @@ func (s *Server) getNodeData(ctx context.Context) (*nodeData, error) {
 		IsUnraid:    distro.Get() == distro.Unraid,
 		UnraidToken: os.Getenv("UNRAID_CSRF_TOKEN"),
 		IPNVersion:  versionShort,
+		DebugMode:   s.tsDebugMode,
 	}
 	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
 	exitNodeRouteV6 := netip.MustParsePrefix("::/0")
@@ -212,15 +443,6 @@ func (s *Server) getNodeData(ctx context.Context) (*nodeData, error) {
 	if len(st.TailscaleIPs) != 0 {
 		data.IP = st.TailscaleIPs[0].String()
 	}
-	return data, nil
-}
-
-func (s *Server) serveGetNodeDataJSON(w http.ResponseWriter, r *http.Request) {
-	data, err := s.getNodeData(r.Context())
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
 	if err := json.NewEncoder(w).Encode(*data); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
--- a/client/web/web_test.go
+++ b/client/web/web_test.go
@@ -4,6 +4,8 @@
 package web

 import (
+	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -11,9 +13,15 @@ import (
 	"net/url"
 	"strings"
 	"testing"
+	"time"

+	"github.com/google/go-cmp/cmp"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/memnet"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/views"
 )

 func TestQnapAuthnURL(t *testing.T) {
@@ -129,3 +137,191 @@ func TestServeAPI(t *testing.T) {
 		})
 	}
 }
+
+func TestGetTailscaleBrowserSession(t *testing.T) {
+	userA := &tailcfg.UserProfile{ID: tailcfg.UserID(1)}
+	userB := &tailcfg.UserProfile{ID: tailcfg.UserID(2)}
+
+	userANodeIP := "100.100.100.101"
+	userBNodeIP := "100.100.100.102"
+	taggedNodeIP := "100.100.100.103"
+
+	var selfNode *ipnstate.PeerStatus
+	tags := views.SliceOf([]string{"tag:server"})
+	tailnetNodes := map[string]*apitype.WhoIsResponse{
+		userANodeIP: {
+			Node:        &tailcfg.Node{StableID: "Node1"},
+			UserProfile: userA,
+		},
+		userBNodeIP: {
+			Node:        &tailcfg.Node{StableID: "Node2"},
+			UserProfile: userB,
+		},
+		taggedNodeIP: {
+			Node: &tailcfg.Node{StableID: "Node3", Tags: tags.AsSlice()},
+		},
+	}
+
+	lal := memnet.Listen("local-tailscaled.sock:80")
+	defer lal.Close()
+	// Serve a testing localapi handler so we can simulate
+	// whois responses without a functioning tailnet.
+	localapi := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/localapi/v0/whois":
+			addr := r.URL.Query().Get("addr")
+			if addr == "" {
+				t.Fatalf("/whois call missing \"addr\" query")
+			}
+			if node := tailnetNodes[addr]; node != nil {
+				if err := json.NewEncoder(w).Encode(&node); err != nil {
+					http.Error(w, err.Error(), http.StatusInternalServerError)
+					return
+				}
+				w.Header().Set("Content-Type", "application/json")
+				return
+			}
+			http.Error(w, "not a node", http.StatusUnauthorized)
+			return
+		case "/localapi/v0/status":
+			status := ipnstate.Status{Self: selfNode}
+			if err := json.NewEncoder(w).Encode(status); err != nil {
+				http.Error(w, err.Error(), http.StatusInternalServerError)
+				return
+			}
+			w.Header().Set("Content-Type", "application/json")
+			return
+		default:
+			// Only the above two endpoints get triggered from getTailscaleBrowserSession.
+			// No need to mock any of the other localapi endpoint.
+			t.Fatalf("unhandled localapi test endpoint %q, add to localapi handler func in test", r.URL.Path)
+		}
+	})}
+	defer localapi.Close()
+	go localapi.Serve(lal)
+
+	s := &Server{lc: &tailscale.LocalClient{Dial: lal.Dial}}
+
+	// Add some browser sessions to cache state.
+	userASession := &browserSession{
+		ID:            "cookie1",
+		SrcNode:       "Node1",
+		SrcUser:       userA.ID,
+		Authenticated: time.Time{}, // not yet authenticated
+	}
+	userBSession := &browserSession{
+		ID:            "cookie2",
+		SrcNode:       "Node2",
+		SrcUser:       userB.ID,
+		Authenticated: time.Now().Add(-2 * sessionCookieExpiry), // expired
+	}
+	userASessionAuthorized := &browserSession{
+		ID:            "cookie3",
+		SrcNode:       "Node1",
+		SrcUser:       userA.ID,
+		Authenticated: time.Now(), // authenticated and not expired
+	}
+	s.browserSessions.Store(userASession.ID, userASession)
+	s.browserSessions.Store(userBSession.ID, userBSession)
+	s.browserSessions.Store(userASessionAuthorized.ID, userASessionAuthorized)
+
+	tests := []struct {
+		name       string
+		selfNode   *ipnstate.PeerStatus
+		remoteAddr string
+		cookie     string
+
+		wantSession      *browserSession
+		wantError        error
+		wantIsAuthorized bool // response from session.isAuthorized
+	}{
+		{
+			name:        "not-connected-over-tailscale",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", UserID: userA.ID},
+			remoteAddr:  "77.77.77.77",
+			wantSession: nil,
+			wantError:   errNotUsingTailscale,
+		},
+		{
+			name:        "no-session-user-self-node",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", UserID: userA.ID},
+			remoteAddr:  userANodeIP,
+			cookie:      "not-a-cookie",
+			wantSession: nil,
+			wantError:   errNoSession,
+		},
+		{
+			name:        "no-session-tagged-self-node",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", Tags: &tags},
+			remoteAddr:  userANodeIP,
+			wantSession: nil,
+			wantError:   errNoSession,
+		},
+		{
+			name:        "not-owner",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", UserID: userA.ID},
+			remoteAddr:  userBNodeIP,
+			wantSession: nil,
+			wantError:   errNotOwner,
+		},
+		{
+			name:        "tagged-source",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", UserID: userA.ID},
+			remoteAddr:  taggedNodeIP,
+			wantSession: nil,
+			wantError:   errTaggedSource,
+		},
+		{
+			name:        "has-session",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", UserID: userA.ID},
+			remoteAddr:  userANodeIP,
+			cookie:      userASession.ID,
+			wantSession: userASession,
+			wantError:   nil,
+		},
+		{
+			name:             "has-authorized-session",
+			selfNode:         &ipnstate.PeerStatus{ID: "self", UserID: userA.ID},
+			remoteAddr:       userANodeIP,
+			cookie:           userASessionAuthorized.ID,
+			wantSession:      userASessionAuthorized,
+			wantError:        nil,
+			wantIsAuthorized: true,
+		},
+		{
+			name:        "session-associated-with-different-source",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", UserID: userB.ID},
+			remoteAddr:  userBNodeIP,
+			cookie:      userASession.ID,
+			wantSession: nil,
+			wantError:   errNoSession,
+		},
+		{
+			name:        "session-expired",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", UserID: userB.ID},
+			remoteAddr:  userBNodeIP,
+			cookie:      userBSession.ID,
+			wantSession: nil,
+			wantError:   errNoSession,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			selfNode = tt.selfNode
+			r := &http.Request{RemoteAddr: tt.remoteAddr, Header: http.Header{}}
+			if tt.cookie != "" {
+				r.AddCookie(&http.Cookie{Name: sessionCookieName, Value: tt.cookie})
+			}
+			session, err := s.getTailscaleBrowserSession(r)
+			if !errors.Is(err, tt.wantError) {
+				t.Errorf("wrong error; want=%v, got=%v", tt.wantError, err)
+			}
+			if diff := cmp.Diff(session, tt.wantSession); diff != "" {
+				t.Errorf("wrong session; (-got+want):%v", diff)
+			}
+			if gotIsAuthorized := session.isAuthorized(); gotIsAuthorized != tt.wantIsAuthorized {
+				t.Errorf("wrong isAuthorized; want=%v, got=%v", tt.wantIsAuthorized, gotIsAuthorized)
+			}
+		})
+	}
+}
--- a/clientupdate/distsign/distsign.go
+++ b/clientupdate/distsign/distsign.go
@@ -57,6 +57,7 @@ import (
 	"golang.org/x/crypto/blake2s"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/httpm"
 	"tailscale.com/util/must"
 )

@@ -335,7 +336,7 @@ func (c *Client) download(ctx context.Context, url, dst string, limit int64) ([]

 	quickCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()
-	headReq := must.Get(http.NewRequestWithContext(quickCtx, http.MethodHead, url, nil))
+	headReq := must.Get(http.NewRequestWithContext(quickCtx, httpm.HEAD, url, nil))

 	res, err := hc.Do(headReq)
 	if err != nil {
@@ -349,7 +350,7 @@ func (c *Client) download(ctx context.Context, url, dst string, limit int64) ([]
 	}
 	c.logf("Download size: %v", res.ContentLength)

-	dlReq := must.Get(http.NewRequestWithContext(ctx, http.MethodGet, url, nil))
+	dlReq := must.Get(http.NewRequestWithContext(ctx, httpm.GET, url, nil))
 	dlRes, err := hc.Do(dlReq)
 	if err != nil {
 		return nil, 0, err
--- a/cmd/cloner/cloner.go
+++ b/cmd/cloner/cloner.go
@@ -128,7 +128,9 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				if ptr, isPtr := ft.Elem().(*types.Pointer); isPtr {
 					if _, isBasic := ptr.Elem().Underlying().(*types.Basic); isBasic {
 						it.Import("tailscale.com/types/ptr")
+						writef("if src.%s[i] == nil { dst.%s[i] = nil } else {", fname, fname)
 						writef("\tdst.%s[i] = ptr.To(*src.%s[i])", fname, fname)
+						writef("}")
 					} else {
 						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
 					}
--- a/cmd/cloner/cloner_test.go
+++ b/cmd/cloner/cloner_test.go
@@ -0,0 +1,60 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+package main
+
+import (
+	"reflect"
+	"testing"
+
+	"tailscale.com/cmd/cloner/clonerex"
+)
+
+func TestSliceContainer(t *testing.T) {
+	num := 5
+	examples := []struct {
+		name string
+		in   *clonerex.SliceContainer
+	}{
+		{
+			name: "nil",
+			in:   nil,
+		},
+		{
+			name: "zero",
+			in:   &clonerex.SliceContainer{},
+		},
+		{
+			name: "empty",
+			in: &clonerex.SliceContainer{
+				Slice: []*int{},
+			},
+		},
+		{
+			name: "nils",
+			in: &clonerex.SliceContainer{
+				Slice: []*int{nil, nil, nil, nil, nil},
+			},
+		},
+		{
+			name: "one",
+			in: &clonerex.SliceContainer{
+				Slice: []*int{&num},
+			},
+		},
+		{
+			name: "several",
+			in: &clonerex.SliceContainer{
+				Slice: []*int{&num, &num, &num, &num, &num},
+			},
+		},
+	}
+
+	for _, ex := range examples {
+		t.Run(ex.name, func(t *testing.T) {
+			out := ex.in.Clone()
+			if !reflect.DeepEqual(ex.in, out) {
+				t.Errorf("Clone() = %v, want %v", out, ex.in)
+			}
+		})
+	}
+}
--- a/cmd/cloner/clonerex/clonerex.go
+++ b/cmd/cloner/clonerex/clonerex.go
@@ -0,0 +1,10 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:generate go run tailscale.com/cmd/cloner  -clonefunc=true -type SliceContainer
+
+package clonerex
+
+type SliceContainer struct {
+	Slice []*int
+}
--- a/cmd/cloner/clonerex/clonerex_clone.go
+++ b/cmd/cloner/clonerex/clonerex_clone.go
@@ -0,0 +1,54 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Code generated by tailscale.com/cmd/cloner; DO NOT EDIT.
+
+package clonerex
+
+import (
+	"tailscale.com/types/ptr"
+)
+
+// Clone makes a deep copy of SliceContainer.
+// The result aliases no memory with the original.
+func (src *SliceContainer) Clone() *SliceContainer {
+	if src == nil {
+		return nil
+	}
+	dst := new(SliceContainer)
+	*dst = *src
+	if src.Slice != nil {
+		dst.Slice = make([]*int, len(src.Slice))
+		for i := range dst.Slice {
+			if src.Slice[i] == nil {
+				dst.Slice[i] = nil
+			} else {
+				dst.Slice[i] = ptr.To(*src.Slice[i])
+			}
+		}
+	}
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _SliceContainerCloneNeedsRegeneration = SliceContainer(struct {
+	Slice []*int
+}{})
+
+// Clone duplicates src into dst and reports whether it succeeded.
+// To succeed, <src, dst> must be of types <*T, *T> or <*T, **T>,
+// where T is one of SliceContainer.
+func Clone(dst, src any) bool {
+	switch src := src.(type) {
+	case *SliceContainer:
+		switch dst := dst.(type) {
+		case *SliceContainer:
+			*dst = *src.Clone()
+			return true
+		case **SliceContainer:
+			*dst = src.Clone()
+			return true
+		}
+	}
+	return false
+}
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -36,9 +36,15 @@
 //   - TS_SOCKET: the path where the tailscaled LocalAPI socket should
 //     be created.
 //   - TS_AUTH_ONCE: if true, only attempt to log in if not already
-//     logged in. If false (the default, for backwards
-//     compatibility), forcibly log in every time the
-//     container starts.
+//     logged in. If false, forcibly log in every time the container starts.
+//     The default until 1.50.0 was false, but that was misleading: until
+//     1.50, containerboot used `tailscale up` which would ignore an authkey
+//     argument if there was already a node key. Effectively, this behaved
+//     as though TS_AUTH_ONCE were always true.
+//     In 1.50.0 the change was made to use `tailscale login` instead of `up`,
+//     and login will reauthenticate every time it is given an authkey.
+//     In 1.50.1 we set the TS_AUTH_ONCE to true, to match the previously
+//     observed behavior.
 //   - TS_SERVE_CONFIG: if specified, is the file path where the ipn.ServeConfig is located.
 //     It will be applied once tailscaled is up and running. If the file contains
 //     ${TS_CERT_DOMAIN}, it will be replaced with the value of the available FQDN.
@@ -103,7 +109,7 @@ func main() {
 		SOCKSProxyAddr:  defaultEnv("TS_SOCKS5_SERVER", ""),
 		HTTPProxyAddr:   defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
 		Socket:          defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
-		AuthOnce:        defaultBool("TS_AUTH_ONCE", false),
+		AuthOnce:        defaultBool("TS_AUTH_ONCE", true),
 		Root:            defaultEnv("TS_TEST_ONLY_ROOT", "/"),
 	}

@@ -252,10 +258,13 @@ authLoop:
 	if err := tailscaleSet(ctx, cfg); err != nil {
 		log.Fatalf("failed to auth tailscale: %v", err)
 	}
-	// Remove any serve config that may have been set by a previous
-	// run of containerboot.
-	if err := client.SetServeConfig(ctx, new(ipn.ServeConfig)); err != nil {
-		log.Fatalf("failed to unset serve config: %v", err)
+
+	if cfg.ServeConfigPath != "" {
+		// Remove any serve config that may have been set by a previous run of
+		// containerboot, but only if we're providing a new one.
+		if err := client.SetServeConfig(ctx, new(ipn.ServeConfig)); err != nil {
+			log.Fatalf("failed to unset serve config: %v", err)
+		}
 	}

 	if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch && cfg.AuthOnce {
@@ -696,6 +705,13 @@ func installEgressForwardingRule(ctx context.Context, dstStr string, tsIPs []net
 	if err := cmdSNAT.Run(); err != nil {
 		return fmt.Errorf("setting up SNAT via iptables failed: %w", err)
 	}
+
+	cmdClamp := exec.CommandContext(ctx, argv0, "-t", "mangle", "-A", "FORWARD", "-o", "tailscale0", "-p", "tcp", "-m", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu")
+	cmdClamp.Stdout = os.Stdout
+	cmdClamp.Stderr = os.Stderr
+	if err := cmdClamp.Run(); err != nil {
+		return fmt.Errorf("executing iptables failed: %w", err)
+	}
 	return nil
 }

@@ -731,6 +747,12 @@ func installIngressForwardingRule(ctx context.Context, dstStr string, tsIPs []ne
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("executing iptables failed: %w", err)
 	}
+	cmdClamp := exec.CommandContext(ctx, argv0, "-t", "mangle", "-A", "FORWARD", "-o", "tailscale0", "-p", "tcp", "-m", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu")
+	cmdClamp.Stdout = os.Stdout
+	cmdClamp.Stderr = os.Stderr
+	if err := cmdClamp.Run(); err != nil {
+		return fmt.Errorf("executing iptables failed: %w", err)
+	}
 	return nil
 }

--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@@ -129,7 +129,10 @@ func TestContainerBoot(t *testing.T) {
 		{
 			// Out of the box default: runs in userspace mode, ephemeral storage, interactive login.
 			Name: "no_args",
-			Env:  nil,
+			Env: map[string]string{
+				"TS_AUTH_ONCE": "false",
+			},
+
 			Phases: []phase{
 				{
 					WantCmds: []string{
@@ -149,7 +152,8 @@ func TestContainerBoot(t *testing.T) {
 			// Userspace mode, ephemeral storage, authkey provided on every run.
 			Name: "authkey",
 			Env: map[string]string{
-				"TS_AUTHKEY": "tskey-key",
+				"TS_AUTHKEY":   "tskey-key",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
@@ -170,7 +174,8 @@ func TestContainerBoot(t *testing.T) {
 			// Userspace mode, ephemeral storage, authkey provided on every run.
 			Name: "authkey-old-flag",
 			Env: map[string]string{
-				"TS_AUTH_KEY": "tskey-key",
+				"TS_AUTH_KEY":  "tskey-key",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
@@ -192,6 +197,7 @@ func TestContainerBoot(t *testing.T) {
 			Env: map[string]string{
 				"TS_AUTHKEY":   "tskey-key",
 				"TS_STATE_DIR": filepath.Join(d, "tmp"),
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
@@ -211,8 +217,9 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "routes",
 			Env: map[string]string{
-				"TS_AUTHKEY": "tskey-key",
-				"TS_ROUTES":  "1.2.3.0/24,10.20.30.0/24",
+				"TS_AUTHKEY":   "tskey-key",
+				"TS_ROUTES":    "1.2.3.0/24,10.20.30.0/24",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
@@ -239,6 +246,7 @@ func TestContainerBoot(t *testing.T) {
 				"TS_AUTHKEY":   "tskey-key",
 				"TS_ROUTES":    "1.2.3.0/24,10.20.30.0/24",
 				"TS_USERSPACE": "false",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
@@ -265,6 +273,7 @@ func TestContainerBoot(t *testing.T) {
 				"TS_AUTHKEY":   "tskey-key",
 				"TS_ROUTES":    "::/64,1::/64",
 				"TS_USERSPACE": "false",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
@@ -291,6 +300,7 @@ func TestContainerBoot(t *testing.T) {
 				"TS_AUTHKEY":   "tskey-key",
 				"TS_ROUTES":    "::/64,1.2.3.0/24",
 				"TS_USERSPACE": "false",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
@@ -317,6 +327,7 @@ func TestContainerBoot(t *testing.T) {
 				"TS_AUTHKEY":   "tskey-key",
 				"TS_DEST_IP":   "1.2.3.4",
 				"TS_USERSPACE": "false",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
@@ -330,6 +341,7 @@ func TestContainerBoot(t *testing.T) {
 					WantCmds: []string{
 						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
 						"/usr/bin/iptables -t nat -I PREROUTING 1 -d 100.64.0.1 -j DNAT --to-destination 1.2.3.4",
+						"/usr/bin/iptables -t mangle -A FORWARD -o tailscale0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu",
 					},
 				},
 			},
@@ -340,6 +352,7 @@ func TestContainerBoot(t *testing.T) {
 				"TS_AUTHKEY":           "tskey-key",
 				"TS_TAILNET_TARGET_IP": "100.99.99.99",
 				"TS_USERSPACE":         "false",
+				"TS_AUTH_ONCE":         "false",
 			},
 			Phases: []phase{
 				{
@@ -354,6 +367,7 @@ func TestContainerBoot(t *testing.T) {
 						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
 						"/usr/bin/iptables -t nat -I PREROUTING 1 ! -i tailscale0 -j DNAT --to-destination 100.99.99.99",
 						"/usr/bin/iptables -t nat -I POSTROUTING 1 --destination 100.99.99.99 -j SNAT --to-source 100.64.0.1",
+						"/usr/bin/iptables -t mangle -A FORWARD -o tailscale0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu",
 					},
 				},
 			},
@@ -391,6 +405,7 @@ func TestContainerBoot(t *testing.T) {
 			Env: map[string]string{
 				"KUBERNETES_SERVICE_HOST":       kube.Host,
 				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
+				"TS_AUTH_ONCE":                  "false",
 			},
 			KubeSecret: map[string]string{
 				"authkey": "tskey-key",
@@ -428,6 +443,7 @@ func TestContainerBoot(t *testing.T) {
 				"TS_KUBE_SECRET": "",
 				"TS_STATE_DIR":   filepath.Join(d, "tmp"),
 				"TS_AUTHKEY":     "tskey-key",
+				"TS_AUTH_ONCE":   "false",
 			},
 			KubeSecret: map[string]string{},
 			Phases: []phase{
@@ -453,6 +469,7 @@ func TestContainerBoot(t *testing.T) {
 				"KUBERNETES_SERVICE_HOST":       kube.Host,
 				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
 				"TS_AUTHKEY":                    "tskey-key",
+				"TS_AUTH_ONCE":                  "false",
 			},
 			KubeSecret:    map[string]string{},
 			KubeDenyPatch: true,
@@ -522,6 +539,7 @@ func TestContainerBoot(t *testing.T) {
 			Env: map[string]string{
 				"KUBERNETES_SERVICE_HOST":       kube.Host,
 				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
+				"TS_AUTH_ONCE":                  "false",
 			},
 			KubeSecret: map[string]string{
 				"authkey": "tskey-key",
@@ -573,6 +591,7 @@ func TestContainerBoot(t *testing.T) {
 			Env: map[string]string{
 				"TS_SOCKS5_SERVER":              "localhost:1080",
 				"TS_OUTBOUND_HTTP_PROXY_LISTEN": "localhost:8080",
+				"TS_AUTH_ONCE":                  "false",
 			},
 			Phases: []phase{
 				{
@@ -593,6 +612,7 @@ func TestContainerBoot(t *testing.T) {
 			Name: "dns",
 			Env: map[string]string{
 				"TS_ACCEPT_DNS": "true",
+				"TS_AUTH_ONCE":  "false",
 			},
 			Phases: []phase{
 				{
@@ -614,6 +634,7 @@ func TestContainerBoot(t *testing.T) {
 			Env: map[string]string{
 				"TS_EXTRA_ARGS":            "--widget=rotated",
 				"TS_TAILSCALED_EXTRA_ARGS": "--experiments=widgets",
+				"TS_AUTH_ONCE":             "false",
 			},
 			Phases: []phase{
 				{
@@ -633,7 +654,8 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "hostname",
 			Env: map[string]string{
-				"TS_HOSTNAME": "my-server",
+				"TS_HOSTNAME":  "my-server",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
@@ -687,7 +709,7 @@ func TestContainerBoot(t *testing.T) {
 				t.Fatalf("starting containerboot: %v", err)
 			}
 			defer func() {
-				cmd.Process.Signal(unix.SIGKILL)
+				cmd.Process.Signal(unix.SIGTERM)
 				cmd.Process.Wait()
 			}()

--- a/cmd/containerboot/test_tailscaled.sh
+++ b/cmd/containerboot/test_tailscaled.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# This is a fake tailscale CLI that records its arguments, symlinks a
+# This is a fake tailscale daemon that records its arguments, symlinks a
 # fake LocalAPI socket into place, and does nothing until terminated.
 #
 # It is used by main_test.go to test the behavior of containerboot.
@@ -33,5 +33,6 @@ if [[ -z "$socket" ]]; then
 fi

 ln -s "$TS_TEST_SOCKET" "$socket"
+trap 'rm -f "$socket"' EXIT

-while true; do sleep 1; done
+while sleep 10; do :; done
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -16,7 +16,8 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   W 💣 github.com/dblohm7/wingoes                                   from tailscale.com/util/winutil
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
-        github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil+
+        github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil
+        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header
   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
@@ -78,6 +79,22 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        google.golang.org/protobuf/runtime/protoimpl                 from github.com/golang/protobuf/proto+
        google.golang.org/protobuf/types/descriptorpb                from google.golang.org/protobuf/reflect/protodesc
        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
+        gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/buffer+
+        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/buffer
+     💣 gvisor.dev/gvisor/pkg/buffer                                 from gvisor.dev/gvisor/pkg/tcpip+
+        gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs
+     💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire+
+        gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
+        gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/context+
+        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/buffer
+     💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
+        gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
+     💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/atomicbitops+
+        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/header+
+        gvisor.dev/gvisor/pkg/tcpip/checksum                         from gvisor.dev/gvisor/pkg/buffer+
+        gvisor.dev/gvisor/pkg/tcpip/header                           from tailscale.com/net/packet
+        gvisor.dev/gvisor/pkg/tcpip/seqnum                           from gvisor.dev/gvisor/pkg/tcpip/header
+        gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context+
        nhooyr.io/websocket                                          from tailscale.com/cmd/derper+
        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
@@ -169,7 +186,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/exp/maps                                        from tailscale.com/tailcfg
   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from net/http
@@ -221,7 +237,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        embed                                                        from crypto/internal/nistec+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka
+        encoding/base32                                              from tailscale.com/tka+
        encoding/base64                                              from encoding/json+
        encoding/binary                                              from compress/gzip+
        encoding/hex                                                 from crypto/x509+
@@ -270,7 +286,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof
        runtime/trace                                                from net/http/pprof
-        slices                                                       from tailscale.com/ipn+
+        slices                                                       from tailscale.com/ipn/ipnstate+
        sort                                                         from compress/flate+
        strconv                                                      from compress/flate+
        strings                                                      from bufio+
--- a/cmd/k8s-operator/ingress.go
+++ b/cmd/k8s-operator/ingress.go
@@ -8,11 +8,11 @@ package main
 import (
 	"context"
 	"fmt"
+	"slices"
 	"strings"
 	"sync"

 	"go.uber.org/zap"
-	"golang.org/x/exp/slices"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -205,20 +205,8 @@ func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string
 		startlog.Fatalf("could not create manager: %v", err)
 	}

-	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(_ context.Context, o client.Object) []reconcile.Request {
-		ls := o.GetLabels()
-		if ls[LabelManaged] != "true" {
-			return nil
-		}
-		return []reconcile.Request{
-			{
-				NamespacedName: types.NamespacedName{
-					Namespace: ls[LabelParentNamespace],
-					Name:      ls[LabelParentName],
-				},
-			},
-		}
-	})
+	svcFilter := handler.EnqueueRequestsFromMapFunc(serviceHandler)
+	svcChildFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("svc"))
 	eventRecorder := mgr.GetEventRecorderFor("tailscale-operator")
 	ssr := &tailscaleSTSReconciler{
 		Client:                 mgr.GetClient(),
@@ -231,9 +219,10 @@ func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string
 	}
 	err = builder.
 		ControllerManagedBy(mgr).
-		For(&corev1.Service{}).
-		Watches(&appsv1.StatefulSet{}, reconcileFilter).
-		Watches(&corev1.Secret{}, reconcileFilter).
+		Named("service-reconciler").
+		Watches(&corev1.Service{}, svcFilter).
+		Watches(&appsv1.StatefulSet{}, svcChildFilter).
+		Watches(&corev1.Secret{}, svcChildFilter).
 		Complete(&ServiceReconciler{
 			ssr:                   ssr,
 			Client:                mgr.GetClient(),
@@ -243,11 +232,13 @@ func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string
 	if err != nil {
 		startlog.Fatalf("could not create controller: %v", err)
 	}
+	ingressChildFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("ingress"))
 	err = builder.
 		ControllerManagedBy(mgr).
 		For(&networkingv1.Ingress{}).
-		Watches(&appsv1.StatefulSet{}, reconcileFilter).
-		Watches(&corev1.Secret{}, reconcileFilter).
+		Watches(&appsv1.StatefulSet{}, ingressChildFilter).
+		Watches(&corev1.Secret{}, ingressChildFilter).
+		Watches(&corev1.Service{}, ingressChildFilter).
 		Complete(&IngressReconciler{
 			ssr:      ssr,
 			recorder: eventRecorder,
@@ -268,3 +259,54 @@ type tsClient interface {
 	CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error)
 	DeleteDevice(ctx context.Context, nodeStableID string) error
 }
+
+func isManagedResource(o client.Object) bool {
+	ls := o.GetLabels()
+	return ls[LabelManaged] == "true"
+}
+
+func isManagedByType(o client.Object, typ string) bool {
+	ls := o.GetLabels()
+	return isManagedResource(o) && ls[LabelParentType] == typ
+}
+
+func parentFromObjectLabels(o client.Object) types.NamespacedName {
+	ls := o.GetLabels()
+	return types.NamespacedName{
+		Namespace: ls[LabelParentNamespace],
+		Name:      ls[LabelParentName],
+	}
+}
+func managedResourceHandlerForType(typ string) handler.MapFunc {
+	return func(_ context.Context, o client.Object) []reconcile.Request {
+		if !isManagedByType(o, typ) {
+			return nil
+		}
+		return []reconcile.Request{
+			{NamespacedName: parentFromObjectLabels(o)},
+		}
+	}
+
+}
+
+func serviceHandler(_ context.Context, o client.Object) []reconcile.Request {
+	if isManagedByType(o, "svc") {
+		// If this is a Service managed by a Service we want to enqueue its parent
+		return []reconcile.Request{{NamespacedName: parentFromObjectLabels(o)}}
+
+	}
+	if isManagedResource(o) {
+		// If this is a Servce managed by a resource that is not a Service, we leave it alone
+		return nil
+	}
+	// If this is not a managed Service we want to enqueue it
+	return []reconcile.Request{
+		{
+			NamespacedName: types.NamespacedName{
+				Namespace: o.GetNamespace(),
+				Name:      o.GetName(),
+			},
+		},
+	}
+
+}
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@@ -218,7 +218,7 @@ func TestTailnetTargetIPAnnotation(t *testing.T) {
 			},
 		},
 		Spec: corev1.ServiceSpec{
-			ExternalName: fmt.Sprintf("%s.operator-ns.svc", shortName),
+			ExternalName: fmt.Sprintf("%s.operator-ns.svc.cluster.local", shortName),
 			Type:         corev1.ServiceTypeExternalName,
 			Selector:     nil,
 		},
--- a/cmd/k8s-operator/sts.go
+++ b/cmd/k8s-operator/sts.go
@@ -39,10 +39,11 @@ const (
 	FinalizerName = "tailscale.com/finalizer"

 	// Annotations settable by users on services.
-	AnnotationExpose          = "tailscale.com/expose"
-	AnnotationTags            = "tailscale.com/tags"
-	AnnotationHostname        = "tailscale.com/hostname"
-	AnnotationTailnetTargetIP = "tailscale.com/ts-tailnet-target-ip"
+	AnnotationExpose             = "tailscale.com/expose"
+	AnnotationTags               = "tailscale.com/tags"
+	AnnotationHostname           = "tailscale.com/hostname"
+	annotationTailnetTargetIPOld = "tailscale.com/ts-tailnet-target-ip"
+	AnnotationTailnetTargetIP    = "tailscale.com/tailnet-ip"

 	// Annotations settable by users on ingresses.
 	AnnotationFunnel = "tailscale.com/funnel"
--- a/cmd/k8s-operator/svc.go
+++ b/cmd/k8s-operator/svc.go
@@ -9,11 +9,11 @@ import (
 	"context"
 	"fmt"
 	"net/netip"
+	"slices"
 	"strings"
 	"sync"

 	"go.uber.org/zap"
-	"golang.org/x/exp/slices"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
@@ -77,7 +77,8 @@ func (a *ServiceReconciler) Reconcile(ctx context.Context, req reconcile.Request
 	} else if err != nil {
 		return reconcile.Result{}, fmt.Errorf("failed to get svc: %w", err)
 	}
-	if !svc.DeletionTimestamp.IsZero() || !a.shouldExpose(svc) && !a.hasTailnetTargetAnnotation(svc) {
+	targetIP := a.tailnetTargetAnnotation(svc)
+	if !svc.DeletionTimestamp.IsZero() || !a.shouldExpose(svc) && targetIP == "" {
 		logger.Debugf("service is being deleted or is (no longer) referring to Tailscale ingress/egress, ensuring any created resources are cleaned up")
 		return reconcile.Result{}, a.maybeCleanup(ctx, logger, svc)
 	}
@@ -170,8 +171,8 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 		sts.ClusterTargetIP = svc.Spec.ClusterIP
 		a.managedIngressProxies.Add(svc.UID)
 		gaugeIngressProxies.Set(int64(a.managedIngressProxies.Len()))
-	} else if a.hasTailnetTargetAnnotation(svc) {
-		sts.TailnetTargetIP = svc.Annotations[AnnotationTailnetTargetIP]
+	} else if ip := a.tailnetTargetAnnotation(svc); ip != "" {
+		sts.TailnetTargetIP = ip
 		a.managedEgressProxies.Add(svc.UID)
 		gaugeEgressProxies.Set(int64(a.managedEgressProxies.Len()))
 	}
@@ -182,8 +183,11 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 		return fmt.Errorf("failed to provision: %w", err)
 	}

-	if a.hasTailnetTargetAnnotation(svc) {
-		headlessSvcName := hsvc.Name + "." + hsvc.Namespace + ".svc"
+	if sts.TailnetTargetIP != "" {
+		// TODO (irbekrm): cluster.local is the default DNS name, but
+		// can be changed by users. Make this configurable or figure out
+		// how to discover the DNS name from within operator
+		headlessSvcName := hsvc.Name + "." + hsvc.Namespace + ".svc.cluster.local"
 		if svc.Spec.ExternalName != headlessSvcName || svc.Spec.Type != corev1.ServiceTypeExternalName {
 			svc.Spec.ExternalName = headlessSvcName
 			svc.Spec.Selector = nil
@@ -261,8 +265,16 @@ func (a *ServiceReconciler) hasExposeAnnotation(svc *corev1.Service) bool {
 	return svc != nil && svc.Annotations[AnnotationExpose] == "true"
 }

-// hasTailnetTargetAnnotation reports whether Service has a
-// tailscale.com/ts-tailnet-target-ip annotation set
-func (a *ServiceReconciler) hasTailnetTargetAnnotation(svc *corev1.Service) bool {
-	return svc != nil && svc.Annotations[AnnotationTailnetTargetIP] != ""
+// hasTailnetTargetAnnotation returns the value of tailscale.com/tailnet-ip
+// annotation or of the deprecated tailscale.com/ts-tailnet-target-ip
+// annotation. If neither is set, it returns an empty string. If both are set,
+// it returns the value of the new annotation.
+func (a *ServiceReconciler) tailnetTargetAnnotation(svc *corev1.Service) string {
+	if svc == nil {
+		return ""
+	}
+	if ip := svc.Annotations[AnnotationTailnetTargetIP]; ip != "" {
+		return ip
+	}
+	return svc.Annotations[annotationTailnetTargetIPOld]
 }
--- a/cmd/netlogfmt/main.go
+++ b/cmd/netlogfmt/main.go
@@ -42,6 +42,7 @@ import (

 	"github.com/dsnet/try"
 	jsonv2 "github.com/go-json-experiment/json"
+	"github.com/go-json-experiment/json/jsontext"
 	"tailscale.com/types/logid"
 	"tailscale.com/types/netlogtype"
 	"tailscale.com/util/cmpx"
@@ -75,13 +76,13 @@ func main() {

 func processStream(r io.Reader) (err error) {
 	defer try.Handle(&err)
-	dec := jsonv2.NewDecoder(os.Stdin)
+	dec := jsontext.NewDecoder(os.Stdin)
 	for {
 		processValue(dec)
 	}
 }

-func processValue(dec *jsonv2.Decoder) {
+func processValue(dec *jsontext.Decoder) {
 	switch dec.PeekKind() {
 	case '[':
 		processArray(dec)
@@ -92,7 +93,7 @@ func processValue(dec *jsonv2.Decoder) {
 	}
 }

-func processArray(dec *jsonv2.Decoder) {
+func processArray(dec *jsontext.Decoder) {
 	try.E1(dec.ReadToken()) // parse '['
 	for dec.PeekKind() != ']' {
 		processValue(dec)
@@ -100,7 +101,7 @@ func processArray(dec *jsonv2.Decoder) {
 	try.E1(dec.ReadToken()) // parse ']'
 }

-func processObject(dec *jsonv2.Decoder) {
+func processObject(dec *jsontext.Decoder) {
 	var hasTraffic bool
 	var rawMsg []byte
 	try.E1(dec.ReadToken()) // parse '{'
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -63,9 +63,10 @@ var debugCmd = &ffcli.Command{
 			ShortHelp: "print DERP map",
 		},
 		{
-			Name:      "component-logs",
-			Exec:      runDebugComponentLogs,
-			ShortHelp: "enable/disable debug logs for a component",
+			Name:       "component-logs",
+			Exec:       runDebugComponentLogs,
+			ShortHelp:  "enable/disable debug logs for a component",
+			ShortUsage: "tailscale debug component-logs [" + strings.Join(ipn.DebuggableComponents, "|") + "]",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("component-logs")
 				fs.DurationVar(&debugComponentLogsArgs.forDur, "for", time.Hour, "how long to enable debug logs for; zero or negative means to disable")
@@ -138,6 +139,11 @@ var debugCmd = &ffcli.Command{
 			Exec:      localAPIAction("break-derp-conns"),
 			ShortHelp: "break any open DERP connections from the daemon",
 		},
+		{
+			Name:      "force-netmap-update",
+			Exec:      localAPIAction("force-netmap-update"),
+			ShortHelp: "force a full no-op netmap update (for load testing)",
+		},
 		{
 			Name:      "control-knobs",
 			Exec:      debugControlKnobs,
@@ -719,7 +725,7 @@ var debugComponentLogsArgs struct {

 func runDebugComponentLogs(ctx context.Context, args []string) error {
 	if len(args) != 1 {
-		return errors.New("usage: debug component-logs <component>")
+		return errors.New("usage: debug component-logs [" + strings.Join(ipn.DebuggableComponents, "|") + "]")
 	}
 	component := args[0]
 	dur := debugComponentLogsArgs.forDur
--- a/cmd/tailscale/cli/funnel.go
+++ b/cmd/tailscale/cli/funnel.go
@@ -164,12 +164,12 @@ func (e *serveEnv) verifyFunnelEnabled(ctx context.Context, st *ipnstate.Status,
 		// the feature flag on.
 		// TODO(sonia,tailscale/corp#10577): Remove this fallback once the
 		// control flag is turned on for all domains.
-		if err := ipn.CheckFunnelAccess(port, st.Self.Capabilities); err != nil {
+		if err := ipn.CheckFunnelAccess(port, st.Self); err != nil {
 			return err
 		}
 	default:
 		// Done with enablement, make sure the requested port is allowed.
-		if err := ipn.CheckFunnelPort(port, st.Self.Capabilities); err != nil {
+		if err := ipn.CheckFunnelPort(port, st.Self); err != nil {
 			return err
 		}
 	}
--- a/cmd/tailscale/cli/serve_dev.go
+++ b/cmd/tailscale/cli/serve_dev.go
@@ -8,6 +8,7 @@ import (
 	"errors"
 	"flag"
 	"fmt"
+	"io"
 	"log"
 	"net"
 	"net/url"
@@ -289,7 +290,7 @@ func (e *serveEnv) runServeCombined(subcmd serveMode) execFunc {
 			for {
 				_, err = watcher.Next()
 				if err != nil {
-					if errors.Is(err, context.Canceled) {
+					if errors.Is(err, io.EOF) || errors.Is(err, context.Canceled) {
 						return nil
 					}
 					return err
--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -25,6 +25,7 @@ import (
 	"tailscale.com/net/interfaces"
 	"tailscale.com/util/cmpx"
 	"tailscale.com/util/dnsname"
+	"tailscale.com/version"
 )

 var statusCmd = &ffcli.Command{
@@ -237,7 +238,7 @@ func runStatus(ctx context.Context, args []string) error {
 	}
 	printFunnelStatus(ctx)
 	if cv := st.ClientVersion; cv != nil && !cv.RunningLatest && cv.LatestVersion != "" {
-		printf("# New Tailscale version is available: %q, run `tailscale update` to update.\n", cv.LatestVersion)
+		printf("# Update available: %v -> %v, run `tailscale update` or `tailscale set --auto-update` to update.\n", version.Short(), cv.LatestVersion)
 	}
 	return nil
 }
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -499,6 +499,7 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 	startLoginInteractive := func() { loginOnce.Do(func() { localClient.StartLoginInteractive(ctx) }) }

 	go func() {
+		var cv *tailcfg.ClientVersion
 		for {
 			n, err := watcher.Next()
 			if err != nil {
@@ -509,6 +510,9 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 				msg := *n.ErrMessage
 				fatalf("backend error: %v\n", msg)
 			}
+			if n.ClientVersion != nil {
+				cv = n.ClientVersion
+			}
 			if s := n.State; s != nil {
 				switch *s {
 				case ipn.NeedsLogin:
@@ -527,6 +531,11 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 					} else if printed {
 						// Only need to print an update if we printed the "please click" message earlier.
 						fmt.Fprintf(Stderr, "Success.\n")
+						if cv != nil && !cv.RunningLatest && cv.LatestVersion != "" {
+							fmt.Fprintf(Stderr, "\nUpdate available: %v -> %v\n", version.Short(), cv.LatestVersion)
+							fmt.Fprintln(Stderr, "Changelog: https://tailscale.com/changelog/#client")
+							fmt.Fprintln(Stderr, "Run `tailscale update` or `tailscale set --auto-update` to update")
+						}
 					}
 					select {
 					case running <- true:
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -17,6 +17,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
   L 💣 github.com/godbus/dbus/v5                                    from github.com/coreos/go-systemd/v22/dbus
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
+        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header
   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
@@ -42,6 +43,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/cmd/tailscale/cli+
        github.com/peterbourgon/ff/v3                                from github.com/peterbourgon/ff/v3/ffcli
        github.com/peterbourgon/ff/v3/ffcli                          from tailscale.com/cmd/tailscale/cli
+        github.com/peterbourgon/ff/v3/internal                       from github.com/peterbourgon/ff/v3
        github.com/pkg/errors                                        from github.com/gorilla/csrf
        github.com/skip2/go-qrcode                                   from tailscale.com/cmd/tailscale/cli
        github.com/skip2/go-qrcode/bitset                            from github.com/skip2/go-qrcode+
@@ -53,6 +55,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
        github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
   L 💣 github.com/tailscale/netlink                                 from tailscale.com/util/linuxfw
+        github.com/tailscale/web-client-prebuilt                     from tailscale.com/client/web
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
        github.com/toqueteos/webbrowser                              from tailscale.com/cmd/tailscale/cli
   L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
@@ -62,6 +65,22 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        go4.org/netipx                                               from tailscale.com/wgengine/filter+
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
        gopkg.in/yaml.v2                                             from sigs.k8s.io/yaml
+        gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/buffer+
+        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/buffer
+     💣 gvisor.dev/gvisor/pkg/buffer                                 from gvisor.dev/gvisor/pkg/tcpip+
+        gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs
+     💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire+
+        gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
+        gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/context+
+        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/buffer
+     💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
+        gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
+     💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/atomicbitops+
+        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/header+
+        gvisor.dev/gvisor/pkg/tcpip/checksum                         from gvisor.dev/gvisor/pkg/buffer+
+        gvisor.dev/gvisor/pkg/tcpip/header                           from tailscale.com/net/packet
+        gvisor.dev/gvisor/pkg/tcpip/seqnum                           from gvisor.dev/gvisor/pkg/tcpip/header
+        gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context+
        k8s.io/client-go/util/homedir                                from tailscale.com/cmd/tailscale/cli
        nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
@@ -175,7 +194,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/crypto/pbkdf2                                   from software.sslmate.com/src/go-pkcs12
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
   W    golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe
-        golang.org/x/exp/maps                                        from tailscale.com/cmd/tailscale/cli+
+        golang.org/x/exp/maps                                        from tailscale.com/cmd/tailscale/cli
        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from net/http+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -34,7 +34,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/aws-sdk-go-v2/credentials/stscreds            from github.com/aws/aws-sdk-go-v2/config
   L    github.com/aws/aws-sdk-go-v2/feature/ec2/imds                from github.com/aws/aws-sdk-go-v2/config+
   L    github.com/aws/aws-sdk-go-v2/feature/ec2/imds/internal/config from github.com/aws/aws-sdk-go-v2/feature/ec2/imds
+   L    github.com/aws/aws-sdk-go-v2/internal/auth                   from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
   L    github.com/aws/aws-sdk-go-v2/internal/configsources          from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn   from github.com/aws/aws-sdk-go-v2/service/ssm+
   L    github.com/aws/aws-sdk-go-v2/internal/endpoints/v2           from github.com/aws/aws-sdk-go-v2/service/ssm/internal/endpoints+
   L    github.com/aws/aws-sdk-go-v2/internal/ini                    from github.com/aws/aws-sdk-go-v2/config
   L    github.com/aws/aws-sdk-go-v2/internal/rand                   from github.com/aws/aws-sdk-go-v2/aws+
@@ -65,6 +67,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/smithy-go/encoding/httpbinding                from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
   L    github.com/aws/smithy-go/encoding/json                       from github.com/aws/aws-sdk-go-v2/service/ssm+
   L    github.com/aws/smithy-go/encoding/xml                        from github.com/aws/aws-sdk-go-v2/service/sts
+   L    github.com/aws/smithy-go/endpoints                           from github.com/aws/aws-sdk-go-v2/service/ssm+
   L    github.com/aws/smithy-go/internal/sync/singleflight          from github.com/aws/smithy-go/auth/bearer
   L    github.com/aws/smithy-go/io                                  from github.com/aws/aws-sdk-go-v2/feature/ec2/imds+
   L    github.com/aws/smithy-go/logging                             from github.com/aws/aws-sdk-go-v2/aws+
@@ -167,14 +170,14 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W 💣 golang.zx2c4.com/wintun                                      from github.com/tailscale/wireguard-go/tun+
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/dns+
        gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/tcpip+
-        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/bufferv2
-     💣 gvisor.dev/gvisor/pkg/bufferv2                               from gvisor.dev/gvisor/pkg/tcpip+
+        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/buffer
+     💣 gvisor.dev/gvisor/pkg/buffer                                 from gvisor.dev/gvisor/pkg/tcpip+
        gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs
     💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire+
        gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
        gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/context+
        gvisor.dev/gvisor/pkg/rand                                   from gvisor.dev/gvisor/pkg/tcpip/network/hash+
-        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/bufferv2+
+        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/buffer+
     💣 gvisor.dev/gvisor/pkg/sleep                                  from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
     💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
        gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
@@ -182,7 +185,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
     💣 gvisor.dev/gvisor/pkg/sync/locking                           from gvisor.dev/gvisor/pkg/tcpip/stack
        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/header+
        gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
-        gvisor.dev/gvisor/pkg/tcpip/checksum                         from gvisor.dev/gvisor/pkg/bufferv2+
+        gvisor.dev/gvisor/pkg/tcpip/checksum                         from gvisor.dev/gvisor/pkg/buffer+
        gvisor.dev/gvisor/pkg/tcpip/hash/jenkins                     from gvisor.dev/gvisor/pkg/tcpip/stack+
        gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/header/parse+
        gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
@@ -235,13 +238,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal
        tailscale.com/hostinfo                                       from tailscale.com/control/controlclient+
        tailscale.com/ipn                                            from tailscale.com/ipn/ipnlocal+
-     💣 tailscale.com/ipn/ipnauth                                    from tailscale.com/ipn/ipnserver+
+     💣 tailscale.com/ipn/ipnauth                                    from tailscale.com/ipn/ipnlocal+
        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ssh/tailssh+
        tailscale.com/ipn/ipnserver                                  from tailscale.com/cmd/tailscaled
        tailscale.com/ipn/ipnstate                                   from tailscale.com/control/controlclient+
        tailscale.com/ipn/localapi                                   from tailscale.com/ipn/ipnserver
        tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
-        tailscale.com/ipn/store                                      from tailscale.com/cmd/tailscaled+
+        tailscale.com/ipn/store                                      from tailscale.com/ipn/ipnlocal+
   L    tailscale.com/ipn/store/awsstore                             from tailscale.com/ipn/store
   L    tailscale.com/ipn/store/kubestore                            from tailscale.com/ipn/store
        tailscale.com/ipn/store/mem                                  from tailscale.com/ipn/store+
@@ -295,6 +298,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
  LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
        tailscale.com/syncs                                          from tailscale.com/net/netcheck+
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale/apitype+
+        tailscale.com/taildrop                                       from tailscale.com/ipn/ipnlocal
     💣 tailscale.com/tempfork/device                                from tailscale.com/net/tstun/table
  LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
        tailscale.com/tempfork/heap                                  from tailscale.com/wgengine/magicsock
@@ -343,12 +347,14 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W 💣 tailscale.com/util/osdiag/internal/wsc                       from tailscale.com/util/osdiag
        tailscale.com/util/osshare                                   from tailscale.com/ipn/ipnlocal+
   W    tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnauth
+        tailscale.com/util/race                                      from tailscale.com/net/dns/resolver
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
-        tailscale.com/util/rands                                     from tailscale.com/ipn/localapi+
+        tailscale.com/util/rands                                     from tailscale.com/ipn/ipnlocal+
        tailscale.com/util/ringbuffer                                from tailscale.com/wgengine/magicsock
        tailscale.com/util/set                                       from tailscale.com/health+
        tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
        tailscale.com/util/slicesx                                   from tailscale.com/net/dnscache+
+   W    tailscale.com/util/syspolicy                                 from tailscale.com/cmd/tailscaled
        tailscale.com/util/sysresources                              from tailscale.com/wgengine/magicsock
        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
        tailscale.com/util/testenv                                   from tailscale.com/ipn/ipnlocal+
@@ -465,7 +471,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        flag                                                         from net/http/httptest+
        fmt                                                          from compress/flate+
        hash                                                         from crypto+
-        hash/adler32                                                 from tailscale.com/ipn/ipnlocal+
+        hash/adler32                                                 from compress/zlib+
        hash/crc32                                                   from compress/gzip+
        hash/fnv                                                     from tailscale.com/wgengine/magicsock+
        hash/maphash                                                 from go4.org/mem
@@ -504,7 +510,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        regexp                                                       from github.com/coreos/go-iptables/iptables+
        regexp/syntax                                                from regexp
        runtime/debug                                                from github.com/klauspost/compress/zstd+
-        runtime/pprof                                                from net/http/pprof+
+        runtime/pprof                                                from tailscale.com/ipn/ipnlocal+
        runtime/trace                                                from net/http/pprof
        slices                                                       from tailscale.com/wgengine/magicsock+
        sort                                                         from compress/flate+
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -51,6 +51,7 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
 	"tailscale.com/util/osdiag"
+	"tailscale.com/util/syspolicy"
 	"tailscale.com/util/winutil"
 	"tailscale.com/version"
 	"tailscale.com/wf"
@@ -131,7 +132,7 @@ func runWindowsService(pol *logpolicy.Policy) error {
 		osdiag.LogSupportInfo(logger.WithPrefix(log.Printf, "Support Info: "), osdiag.LogSupportInfoReasonStartup)
 	}()

-	if winutil.GetPolicyInteger("LogSCMInteractions", 0) != 0 {
+	if logSCMInteractions, _ := syspolicy.GetBoolean(syspolicy.LogSCMInteractions, false); logSCMInteractions {
 		syslog, err := eventlog.Open(serviceName)
 		if err == nil {
 			syslogf = func(format string, args ...any) {
@@ -158,7 +159,7 @@ func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 	syslogf("Service start pending")

 	svcAccepts := svc.AcceptStop
-	if winutil.GetPolicyInteger("FlushDNSOnSessionUnlock", 0) != 0 {
+	if flushDNSOnSessionUnlock, _ := syspolicy.GetBoolean(syspolicy.FlushDNSOnSessionUnlock, false); flushDNSOnSessionUnlock {
 		svcAccepts |= svc.AcceptSessionChange
 	}

--- a/cmd/testwrapper/flakytest/flakytest.go
+++ b/cmd/testwrapper/flakytest/flakytest.go
@@ -38,7 +38,7 @@ func Mark(t testing.TB, issue string) {
 		// We're being run under cmd/testwrapper so send our sentinel message
 		// to stderr. (We avoid doing this when the env is absent to avoid
 		// spamming people running tests without the wrapper)
-		fmt.Fprintln(os.Stderr, FlakyTestLogMessage)
+		fmt.Fprintf(os.Stderr, "%s: %s\n", FlakyTestLogMessage, issue)
 	}
 	t.Logf("flakytest: issue tracking this flaky test: %s", issue)
 }
--- a/cmd/testwrapper/testwrapper.go
+++ b/cmd/testwrapper/testwrapper.go
@@ -19,6 +19,7 @@ import (
 	"log"
 	"os"
 	"os/exec"
+	"slices"
 	"sort"
 	"strings"
 	"time"
@@ -34,18 +35,25 @@ type testAttempt struct {
 	testName      string // "TestFoo"
 	outcome       string // "pass", "fail", "skip"
 	logs          bytes.Buffer
-	isMarkedFlaky bool // set if the test is marked as flaky
+	isMarkedFlaky bool   // set if the test is marked as flaky
+	issueURL      string // set if the test is marked as flaky

 	pkgFinished bool
 }

+// packageTests describes what to run.
+// It's also JSON-marshalled to output for analysys tools to parse
+// so the fields are all exported.
+// TODO(bradfitz): move this type to its own types package?
 type packageTests struct {
-	// pattern is the package pattern to run.
-	// Must be a single pattern, not a list of patterns.
-	pattern string // "./...", "./types/key"
-	// tests is a list of tests to run. If empty, all tests in the package are
+	// Pattern is the package Pattern to run.
+	// Must be a single Pattern, not a list of patterns.
+	Pattern string // "./...", "./types/key"
+	// Tests is a list of Tests to run. If empty, all Tests in the package are
 	// run.
-	tests []string // ["TestFoo", "TestBar"]
+	Tests []string // ["TestFoo", "TestBar"]
+	// IssueURLs maps from a test name to a URL tracking its flake.
+	IssueURLs map[string]string // "TestFoo" => "https://github.com/foo/bar/issue/123"
 }

 type goTestOutput struct {
@@ -65,10 +73,10 @@ var debug = os.Getenv("TS_TESTWRAPPER_DEBUG") != ""
 // It calls close(ch) when it's done.
 func runTests(ctx context.Context, attempt int, pt *packageTests, otherArgs []string, ch chan<- *testAttempt) error {
 	defer close(ch)
-	args := []string{"test", "-json", pt.pattern}
+	args := []string{"test", "-json", pt.Pattern}
 	args = append(args, otherArgs...)
-	if len(pt.tests) > 0 {
-		runArg := strings.Join(pt.tests, "|")
+	if len(pt.Tests) > 0 {
+		runArg := strings.Join(pt.Tests, "|")
 		args = append(args, "-run", runArg)
 	}
 	if debug {
@@ -152,8 +160,9 @@ func runTests(ctx context.Context, attempt int, pt *packageTests, otherArgs []st
 			pkgTests[testName].outcome = goOutput.Action
 			ch <- pkgTests[testName]
 		case "output":
-			if strings.TrimSpace(goOutput.Output) == flakytest.FlakyTestLogMessage {
+			if suffix, ok := strings.CutPrefix(strings.TrimSpace(goOutput.Output), flakytest.FlakyTestLogMessage); ok {
 				pkgTests[testName].isMarkedFlaky = true
+				pkgTests[testName].issueURL = strings.TrimPrefix(suffix, ": ")
 			} else {
 				pkgTests[testName].logs.WriteString(goOutput.Output)
 			}
@@ -208,12 +217,12 @@ func main() {

 	type nextRun struct {
 		tests   []*packageTests
-		attempt int
+		attempt int // starting at 1
 	}

 	toRun := []*nextRun{
 		{
-			tests:   []*packageTests{{pattern: pattern}},
+			tests:   []*packageTests{{Pattern: pattern}},
 			attempt: 1,
 		},
 	}
@@ -244,10 +253,11 @@ func main() {
 			os.Exit(1)
 		}
 		if thisRun.attempt > 1 {
-			fmt.Printf("\n\nAttempt #%d: Retrying flaky tests:\n\n", thisRun.attempt)
+			j, _ := json.Marshal(thisRun.tests)
+			fmt.Printf("\n\nAttempt #%d: Retrying flaky tests:\n\nflakytest failures JSON: %s\n\n", thisRun.attempt, j)
 		}

-		toRetry := make(map[string][]string) // pkg -> tests to retry
+		toRetry := make(map[string][]*testAttempt) // pkg -> tests to retry
 		for _, pt := range thisRun.tests {
 			ch := make(chan *testAttempt)
 			runErr := make(chan error, 1)
@@ -282,7 +292,7 @@ func main() {
 					continue
 				}
 				if tr.isMarkedFlaky {
-					toRetry[tr.pkg] = append(toRetry[tr.pkg], tr.testName)
+					toRetry[tr.pkg] = append(toRetry[tr.pkg], tr)
 				} else {
 					failed = true
 				}
@@ -315,10 +325,17 @@ func main() {
 		}
 		for _, pkg := range pkgs {
 			tests := toRetry[pkg]
-			sort.Strings(tests)
+			slices.SortFunc(tests, func(a, b *testAttempt) int { return strings.Compare(a.testName, b.testName) })
+			issueURLs := map[string]string{} // test name => URL
+			var testNames []string
+			for _, ta := range tests {
+				issueURLs[ta.testName] = ta.issueURL
+				testNames = append(testNames, ta.testName)
+			}
 			nextRun.tests = append(nextRun.tests, &packageTests{
-				pattern: pkg,
-				tests:   tests,
+				Pattern:   pkg,
+				Tests:     testNames,
+				IssueURLs: issueURLs,
 			})
 		}
 		toRun = append(toRun, nextRun)
--- a/cmd/tsconnect/common.go
+++ b/cmd/tsconnect/common.go
@@ -71,7 +71,7 @@ func commonSetup(dev bool) (*esbuild.BuildOptions, error) {
 				},
 			},
 		},
-		JSXMode: esbuild.JSXModeAutomatic,
+		JSX: esbuild.JSXAutomatic,
 	}, nil
 }

@@ -137,16 +137,19 @@ func runEsbuildServe(buildOptions esbuild.BuildOptions) {
 	if err != nil {
 		log.Fatalf("Cannot parse port: %v", err)
 	}
-	result, err := esbuild.Serve(esbuild.ServeOptions{
+	buildContext, ctxErr := esbuild.Context(buildOptions)
+	if ctxErr != nil {
+		log.Fatalf("Cannot create esbuild context: %v", err)
+	}
+	result, err := buildContext.Serve(esbuild.ServeOptions{
 		Port:     uint16(port),
 		Host:     host,
 		Servedir: "./",
-	}, buildOptions)
+	})
 	if err != nil {
 		log.Fatalf("Cannot start esbuild server: %v", err)
 	}
 	log.Printf("Listening on http://%s:%d\n", result.Host, result.Port)
-	result.Wait()
 }

 func runEsbuild(buildOptions esbuild.BuildOptions) esbuild.BuildResult {
--- a/cmd/viewer/tests/tests_clone.go
+++ b/cmd/viewer/tests/tests_clone.go
@@ -157,7 +157,11 @@ func (src *StructWithSlices) Clone() *StructWithSlices {
 	if src.Ints != nil {
 		dst.Ints = make([]*int, len(src.Ints))
 		for i := range dst.Ints {
-			dst.Ints[i] = ptr.To(*src.Ints[i])
+			if src.Ints[i] == nil {
+				dst.Ints[i] = nil
+			} else {
+				dst.Ints[i] = ptr.To(*src.Ints[i])
+			}
 		}
 	}
 	dst.Slice = append(src.Slice[:0:0], src.Slice...)
--- a/control/controlclient/client.go
+++ b/control/controlclient/client.go
@@ -14,12 +14,20 @@ import (
 	"tailscale.com/tailcfg"
 )

+// LoginFlags is a bitmask of options to change the behavior of Client.Login
+// and LocalBackend.
 type LoginFlags int

 const (
 	LoginDefault     = LoginFlags(0)
 	LoginInteractive = LoginFlags(1 << iota) // force user login and key refresh
 	LoginEphemeral                           // set RegisterRequest.Ephemeral
+
+	// LocalBackendStartKeyOSNeutral instructs NewLocalBackend to start the
+	// LocalBackend without any OS-dependent StateStore StartKey behavior.
+	//
+	// See https://github.com/tailscale/tailscale/issues/6973.
+	LocalBackendStartKeyOSNeutral
 )

 // Client represents a client connection to the control server.
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -845,8 +845,10 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap
 	hi := c.hostInfoLocked()
 	backendLogID := hi.BackendLogID
 	var epStrs []string
+	var eps []netip.AddrPort
 	var epTypes []tailcfg.EndpointType
 	for _, ep := range c.endpoints {
+		eps = append(eps, ep.Addr)
 		epStrs = append(epStrs, ep.Addr.String())
 		epTypes = append(epTypes, ep.Type)
 	}
@@ -881,7 +883,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap
 		KeepAlive:     true,
 		NodeKey:       persist.PublicNodeKey(),
 		DiscoKey:      c.discoPubKey,
-		Endpoints:     epStrs,
+		Endpoints:     eps,
 		EndpointTypes: epTypes,
 		Stream:        isStreaming,
 		Hostinfo:      hi,
@@ -1501,7 +1503,7 @@ func (c *Direct) getNoiseClient() (*NoiseClient, error) {
 		if err != nil {
 			return nil, err
 		}
-		c.logf("creating new noise client")
+		c.logf("[v1] creating new noise client")
 		nc, err := NewNoiseClient(NoiseOpts{
 			PrivKey:      k,
 			ServerPubKey: serverNoiseKey,
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -703,6 +703,14 @@ func peerChangeDiff(was tailcfg.NodeView, n *tailcfg.Node) (_ *tailcfg.PeerChang
 			if va == nil || vb == nil || *va != *vb {
 				return nil, false
 			}
+		case "SelfNodeV6MasqAddrForThisPeer":
+			va, vb := was.SelfNodeV6MasqAddrForThisPeer(), n.SelfNodeV6MasqAddrForThisPeer
+			if va == nil && vb == nil {
+				continue
+			}
+			if va == nil || vb == nil || *va != *vb {
+				return nil, false
+			}
 		case "ExitNodeDNSResolvers":
 			va, vb := was.ExitNodeDNSResolvers(), views.SliceOfViews(n.ExitNodeDNSResolvers)

--- a/control/controlclient/map_test.go
+++ b/control/controlclient/map_test.go
@@ -29,6 +29,14 @@ import (
 	"tailscale.com/util/must"
 )

+func eps(s ...string) []netip.AddrPort {
+	var eps []netip.AddrPort
+	for _, ep := range s {
+		eps = append(eps, netip.MustParseAddrPort(ep))
+	}
+	return eps
+}
+
 func TestUpdatePeersStateFromResponse(t *testing.T) {
 	var curTime time.Time

@@ -49,7 +57,7 @@ func TestUpdatePeersStateFromResponse(t *testing.T) {
 	}
 	withEP := func(ep string) func(*tailcfg.Node) {
 		return func(n *tailcfg.Node) {
-			n.Endpoints = []string{ep}
+			n.Endpoints = []netip.AddrPort{netip.MustParseAddrPort(ep)}
 		}
 	}
 	n := func(id tailcfg.NodeID, name string, mod ...func(*tailcfg.Node)) *tailcfg.Node {
@@ -197,7 +205,7 @@ func TestUpdatePeersStateFromResponse(t *testing.T) {
 			mapRes: &tailcfg.MapResponse{
 				PeersChangedPatch: []*tailcfg.PeerChange{{
 					NodeID:    1,
-					Endpoints: []string{"1.2.3.4:56"},
+					Endpoints: eps("1.2.3.4:56"),
 				}},
 			},
 			want:      peers(n(1, "foo", withEP("1.2.3.4:56"))),
@@ -209,7 +217,7 @@ func TestUpdatePeersStateFromResponse(t *testing.T) {
 			mapRes: &tailcfg.MapResponse{
 				PeersChangedPatch: []*tailcfg.PeerChange{{
 					NodeID:    1,
-					Endpoints: []string{"1.2.3.4:56"},
+					Endpoints: eps("1.2.3.4:56"),
 				}},
 			},
 			want:      peers(n(1, "foo", withDERP("127.3.3.40:3"), withEP("1.2.3.4:56"))),
@@ -222,7 +230,7 @@ func TestUpdatePeersStateFromResponse(t *testing.T) {
 				PeersChangedPatch: []*tailcfg.PeerChange{{
 					NodeID:     1,
 					DERPRegion: 2,
-					Endpoints:  []string{"1.2.3.4:56"},
+					Endpoints:  eps("1.2.3.4:56"),
 				}},
 			},
 			want:      peers(n(1, "foo", withDERP("127.3.3.40:2"), withEP("1.2.3.4:56"))),
@@ -667,9 +675,9 @@ func TestPeerChangeDiff(t *testing.T) {
 		},
 		{
 			name: "patch-endpoints",
-			a:    &tailcfg.Node{ID: 1, Endpoints: []string{"10.0.0.1:1"}},
-			b:    &tailcfg.Node{ID: 1, Endpoints: []string{"10.0.0.2:2"}},
-			want: &tailcfg.PeerChange{NodeID: 1, Endpoints: []string{"10.0.0.2:2"}},
+			a:    &tailcfg.Node{ID: 1, Endpoints: eps("10.0.0.1:1")},
+			b:    &tailcfg.Node{ID: 1, Endpoints: eps("10.0.0.2:2")},
+			want: &tailcfg.PeerChange{NodeID: 1, Endpoints: eps("10.0.0.2:2")},
 		},
 		{
 			name: "patch-cap",
@@ -736,6 +744,18 @@ func TestPeerChangeDiff(t *testing.T) {
 			a:    &tailcfg.Node{ID: 1, User: 1},
 			b:    &tailcfg.Node{ID: 1, User: 2},
 			want: nil,
+		},
+		{
+			name: "miss-change-masq-v4",
+			a:    &tailcfg.Node{ID: 1, SelfNodeV4MasqAddrForThisPeer: ptr.To(netip.MustParseAddr("100.64.0.1"))},
+			b:    &tailcfg.Node{ID: 1, SelfNodeV4MasqAddrForThisPeer: ptr.To(netip.MustParseAddr("100.64.0.2"))},
+			want: nil,
+		},
+		{
+			name: "miss-change-masq-v6",
+			a:    &tailcfg.Node{ID: 1, SelfNodeV6MasqAddrForThisPeer: ptr.To(netip.MustParseAddr("2001::3456"))},
+			b:    &tailcfg.Node{ID: 1, SelfNodeV6MasqAddrForThisPeer: ptr.To(netip.MustParseAddr("2001::3006"))},
+			want: nil,
 		}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -797,13 +817,13 @@ func TestPatchifyPeersChanged(t *testing.T) {
 			},
 			mr1: &tailcfg.MapResponse{
 				PeersChanged: []*tailcfg.Node{
-					{ID: 1, Endpoints: []string{"10.0.0.1:1111"}, Hostinfo: hi},
+					{ID: 1, Endpoints: eps("10.0.0.1:1111"), Hostinfo: hi},
 				},
 			},
 			want: &tailcfg.MapResponse{
 				PeersChanged: nil,
 				PeersChangedPatch: []*tailcfg.PeerChange{
-					{NodeID: 1, Endpoints: []string{"10.0.0.1:1111"}},
+					{NodeID: 1, Endpoints: eps("10.0.0.1:1111")},
 				},
 			},
 		},
@@ -879,7 +899,10 @@ func TestPatchifyPeersChanged(t *testing.T) {
 			mr1 := new(tailcfg.MapResponse)
 			must.Do(json.Unmarshal(must.Get(json.Marshal(tt.mr1)), mr1))
 			ms.patchifyPeersChanged(mr1)
-			if diff := cmp.Diff(tt.want, mr1); diff != "" {
+			opts := []cmp.Option{
+				cmp.Comparer(func(a, b netip.AddrPort) bool { return a == b }),
+			}
+			if diff := cmp.Diff(tt.want, mr1, opts...); diff != "" {
 				t.Errorf("wrong result (-want +got):\n%s", diff)
 			}
 		})
@@ -905,7 +928,7 @@ func BenchmarkMapSessionDelta(b *testing.B) {
 					DERP:       "127.3.3.40:10",
 					Addresses:  []netip.Prefix{netip.MustParsePrefix("100.100.2.3/32"), netip.MustParsePrefix("fd7a:115c:a1e0::123/128")},
 					AllowedIPs: []netip.Prefix{netip.MustParsePrefix("100.100.2.3/32"), netip.MustParsePrefix("fd7a:115c:a1e0::123/128")},
-					Endpoints:  []string{"192.168.1.2:345", "192.168.1.3:678"},
+					Endpoints:  eps("192.168.1.2:345", "192.168.1.3:678"),
 					Hostinfo: (&tailcfg.Hostinfo{
 						OS:       "fooOS",
 						Hostname: "MyHostname",
--- a/control/controlclient/noise.go
+++ b/control/controlclient/noise.go
@@ -177,6 +177,7 @@ type NoiseClient struct {

 	// mu only protects the following variables.
 	mu       sync.Mutex
+	closed   bool
 	last     *noiseConn // or nil
 	nextID   int
 	connPool map[int]*noiseConn // active connections not yet closed; see noiseConn.Close
@@ -373,6 +374,7 @@ func (nc *NoiseClient) connClosed(id int) {
 // It is a no-op and returns nil if the connection is already closed.
 func (nc *NoiseClient) Close() error {
 	nc.mu.Lock()
+	nc.closed = true
 	conns := nc.connPool
 	nc.connPool = nil
 	nc.mu.Unlock()
@@ -471,6 +473,11 @@ func (nc *NoiseClient) dial(ctx context.Context) (*noiseConn, error) {
 	ncc.h2cc = h2cc

 	nc.mu.Lock()
+	if nc.closed {
+		nc.mu.Unlock()
+		ncc.Close() // Needs to be called without holding the lock.
+		return nil, errors.New("noise client closed")
+	}
 	defer nc.mu.Unlock()
 	mak.Set(&nc.connPool, ncc.id, ncc)
 	nc.last = ncc
--- a/control/controlclient/sign_supported.go
+++ b/control/controlclient/sign_supported.go
@@ -40,7 +40,7 @@ var getMachineCertificateSubjectOnce struct {
 // Example: "CN=Tailscale Inc Test Root CA,OU=Tailscale Inc Test Certificate Authority,O=Tailscale Inc,ST=ON,C=CA"
 func getMachineCertificateSubject() string {
 	getMachineCertificateSubjectOnce.Do(func() {
-		getMachineCertificateSubjectOnce.v = winutil.GetRegString("MachineCertificateSubject", "")
+		getMachineCertificateSubjectOnce.v, _ = winutil.GetRegString("MachineCertificateSubject")
 	})

 	return getMachineCertificateSubjectOnce.v
--- a/control/controlknobs/controlknobs.go
+++ b/control/controlknobs/controlknobs.go
@@ -7,7 +7,9 @@ package controlknobs

 import (
 	"slices"
+	"strconv"
 	"sync/atomic"
+	"time"

 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
@@ -45,6 +47,17 @@ type Knobs struct {
 	// incremental (delta) netmap updates and should treat all netmap
 	// changes as "full" ones as tailscaled did in 1.48.x and earlier.
 	DisableDeltaUpdates atomic.Bool
+
+	// PeerMTUEnable is whether the node should do peer path MTU discovery.
+	PeerMTUEnable atomic.Bool
+
+	// DisableDNSForwarderTCPRetries is whether the DNS forwarder should
+	// skip retrying truncated queries over TCP.
+	DisableDNSForwarderTCPRetries atomic.Bool
+
+	// MagicsockSessionActiveTimeout is an alternate magicsock session timeout
+	// duration to use. If zero or unset, the default is used.
+	MagicsockSessionActiveTimeout syncs.AtomicValue[time.Duration]
 }

 // UpdateFromNodeAttributes updates k (if non-nil) based on the provided self
@@ -58,13 +71,15 @@ func (k *Knobs) UpdateFromNodeAttributes(selfNodeAttrs []tailcfg.NodeCapability,
 		return ok || slices.Contains(selfNodeAttrs, attr)
 	}
 	var (
-		keepFullWG          = has(tailcfg.NodeAttrDebugDisableWGTrim)
-		disableDRPO         = has(tailcfg.NodeAttrDebugDisableDRPO)
-		disableUPnP         = has(tailcfg.NodeAttrDisableUPnP)
-		randomizeClientPort = has(tailcfg.NodeAttrRandomizeClientPort)
-		disableDeltaUpdates = has(tailcfg.NodeAttrDisableDeltaUpdates)
-		oneCGNAT            opt.Bool
-		forceBackgroundSTUN = has(tailcfg.NodeAttrDebugForceBackgroundSTUN)
+		keepFullWG                    = has(tailcfg.NodeAttrDebugDisableWGTrim)
+		disableDRPO                   = has(tailcfg.NodeAttrDebugDisableDRPO)
+		disableUPnP                   = has(tailcfg.NodeAttrDisableUPnP)
+		randomizeClientPort           = has(tailcfg.NodeAttrRandomizeClientPort)
+		disableDeltaUpdates           = has(tailcfg.NodeAttrDisableDeltaUpdates)
+		oneCGNAT                      opt.Bool
+		forceBackgroundSTUN           = has(tailcfg.NodeAttrDebugForceBackgroundSTUN)
+		peerMTUEnable                 = has(tailcfg.NodeAttrPeerMTUEnable)
+		dnsForwarderDisableTCPRetries = has(tailcfg.NodeAttrDNSForwarderDisableTCPRetries)
 	)

 	if has(tailcfg.NodeAttrOneCGNATEnable) {
@@ -80,6 +95,19 @@ func (k *Knobs) UpdateFromNodeAttributes(selfNodeAttrs []tailcfg.NodeCapability,
 	k.OneCGNAT.Store(oneCGNAT)
 	k.ForceBackgroundSTUN.Store(forceBackgroundSTUN)
 	k.DisableDeltaUpdates.Store(disableDeltaUpdates)
+	k.PeerMTUEnable.Store(peerMTUEnable)
+	k.DisableDNSForwarderTCPRetries.Store(dnsForwarderDisableTCPRetries)
+
+	var timeout time.Duration
+	if vv := capMap[tailcfg.NodeAttrMagicsockSessionTimeout]; len(vv) > 0 {
+		if v, _ := strconv.Unquote(string(vv[0])); v != "" {
+			timeout, _ = time.ParseDuration(v)
+			timeout = max(timeout, 0)
+		}
+	}
+	if was := k.MagicsockSessionActiveTimeout.Load(); was != timeout {
+		k.MagicsockSessionActiveTimeout.Store(timeout)
+	}
 }

 // AsDebugJSON returns k as something that can be marshalled with json.Marshal
@@ -89,12 +117,15 @@ func (k *Knobs) AsDebugJSON() map[string]any {
 		return nil
 	}
 	return map[string]any{
-		"DisableUPnP":         k.DisableUPnP.Load(),
-		"DisableDRPO":         k.DisableDRPO.Load(),
-		"KeepFullWGConfig":    k.KeepFullWGConfig.Load(),
-		"RandomizeClientPort": k.RandomizeClientPort.Load(),
-		"OneCGNAT":            k.OneCGNAT.Load(),
-		"ForceBackgroundSTUN": k.ForceBackgroundSTUN.Load(),
-		"DisableDeltaUpdates": k.DisableDeltaUpdates.Load(),
+		"DisableUPnP":                   k.DisableUPnP.Load(),
+		"DisableDRPO":                   k.DisableDRPO.Load(),
+		"KeepFullWGConfig":              k.KeepFullWGConfig.Load(),
+		"RandomizeClientPort":           k.RandomizeClientPort.Load(),
+		"OneCGNAT":                      k.OneCGNAT.Load(),
+		"ForceBackgroundSTUN":           k.ForceBackgroundSTUN.Load(),
+		"DisableDeltaUpdates":           k.DisableDeltaUpdates.Load(),
+		"PeerMTUEnable":                 k.PeerMTUEnable.Load(),
+		"DisableDNSForwarderTCPRetries": k.DisableDNSForwarderTCPRetries.Load(),
+		"MagicsockSessionActiveTimeout": k.MagicsockSessionActiveTimeout.Load().String(),
 	}
 }
--- a/flake.nix
+++ b/flake.nix
@@ -115,4 +115,4 @@
  in
    flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
-# nix-direnv cache busting line: sha256-TZP/FQqb21yiKMlIPXXSoN6HfiBAun+gPZHQ5cPc8L0=
+# nix-direnv cache busting line: sha256-tCc7+umCKgOmKXbElnCmDI4ntPvvHldkxi+RwQuj9ng=
--- a/go.mod
+++ b/go.mod
@@ -9,53 +9,53 @@ require (
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
 	github.com/andybalholm/brotli v1.0.5
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be
-	github.com/aws/aws-sdk-go-v2 v1.18.0
-	github.com/aws/aws-sdk-go-v2/config v1.18.22
+	github.com/aws/aws-sdk-go-v2 v1.21.0
+	github.com/aws/aws-sdk-go-v2/config v1.18.42
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.64
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.33.0
-	github.com/aws/aws-sdk-go-v2/service/ssm v1.36.3
-	github.com/coreos/go-iptables v0.6.0
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.38.0
+	github.com/coreos/go-iptables v0.7.0
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
-	github.com/coreos/go-systemd/v22 v22.4.0
+	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/creack/pty v1.1.18
-	github.com/dave/jennifer v1.6.1
-	github.com/dblohm7/wingoes v0.0.0-20230821191801-fc76608aecf0
+	github.com/dave/jennifer v1.7.0
+	github.com/dblohm7/wingoes v0.0.0-20230929194252-e994401fc077
 	github.com/dsnet/try v0.0.3
-	github.com/evanw/esbuild v0.14.53
+	github.com/evanw/esbuild v0.19.4
 	github.com/frankban/quicktest v1.14.5
-	github.com/fxamacker/cbor/v2 v2.4.0
-	github.com/go-json-experiment/json v0.0.0-20230321051131-ccbac49a6929
+	github.com/fxamacker/cbor/v2 v2.5.0
+	github.com/go-json-experiment/json v0.0.0-20230922184908-dc36ffcf8533
 	github.com/go-logr/zapr v1.2.4
-	github.com/go-ole/go-ole v1.2.6
+	github.com/go-ole/go-ole v1.3.0
 	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
 	github.com/golangci/golangci-lint v1.52.2
 	github.com/google/go-cmp v0.5.9
-	github.com/google/go-containerregistry v0.14.0
+	github.com/google/go-containerregistry v0.16.1
 	github.com/google/nftables v0.1.1-0.20230115205135-9aa6fdf5a28c
-	github.com/google/uuid v1.3.0
-	github.com/goreleaser/nfpm/v2 v2.32.1-0.20230803123630-24a43c5ad7cf
+	github.com/google/uuid v1.3.1
+	github.com/goreleaser/nfpm/v2 v2.33.1
 	github.com/hdevalence/ed25519consensus v0.1.0
-	github.com/iancoleman/strcase v0.2.0
+	github.com/iancoleman/strcase v0.3.0
 	github.com/illarion/gonotify v1.0.1
-	github.com/insomniacslk/dhcp v0.0.0-20230407062729-974c6f05fe16
+	github.com/insomniacslk/dhcp v0.0.0-20230908212754-65c27093e38a
 	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86
-	github.com/jsimonetti/rtnetlink v1.3.2
+	github.com/jsimonetti/rtnetlink v1.3.5
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.16.7
+	github.com/klauspost/compress v1.17.0
 	github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a
 	github.com/mattn/go-colorable v0.1.13
-	github.com/mattn/go-isatty v0.0.18
+	github.com/mattn/go-isatty v0.0.19
 	github.com/mdlayher/genetlink v1.3.2
 	github.com/mdlayher/netlink v1.7.2
 	github.com/mdlayher/sdnotify v1.0.0
-	github.com/miekg/dns v1.1.55
+	github.com/miekg/dns v1.1.56
 	github.com/mitchellh/go-ps v1.0.0
-	github.com/peterbourgon/ff/v3 v3.3.0
+	github.com/peterbourgon/ff/v3 v3.4.0
 	github.com/pkg/errors v0.9.1
-	github.com/pkg/sftp v1.13.5
-	github.com/prometheus/client_golang v1.15.1
-	github.com/prometheus/common v0.42.0
+	github.com/pkg/sftp v1.13.6
+	github.com/prometheus/client_golang v1.17.0
+	github.com/prometheus/common v0.44.0
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
@@ -65,43 +65,47 @@ require (
 	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
 	github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89
 	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85
-	github.com/tailscale/wireguard-go v0.0.0-20230824215414-93bd5cbf7fd8
-	github.com/tc-hib/winres v0.2.0
+	github.com/tailscale/web-client-prebuilt v0.0.0-20230919211114-7bcd7bca7bc5
+	github.com/tailscale/wireguard-go v0.0.0-20230929223258-2f6748dc88e7
+	github.com/tc-hib/winres v0.2.1
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	github.com/u-root/u-root v0.11.0
 	github.com/vishvananda/netlink v1.2.1-beta.2
 	github.com/vishvananda/netns v0.0.4
-	go.uber.org/zap v1.24.0
+	go.uber.org/zap v1.26.0
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13
-	go4.org/netipx v0.0.0-20230728180743-ad4cb58a6516
-	golang.org/x/crypto v0.12.0
-	golang.org/x/exp v0.0.0-20230725093048-515e97ebf090
-	golang.org/x/mod v0.11.0
-	golang.org/x/net v0.14.0
-	golang.org/x/oauth2 v0.7.0
-	golang.org/x/sync v0.2.0
-	golang.org/x/sys v0.11.0
-	golang.org/x/term v0.11.0
+	go4.org/netipx v0.0.0-20230824141953-6213f710f925
+	golang.org/x/crypto v0.13.0
+	golang.org/x/exp v0.0.0-20230905200255-921286631fa9
+	golang.org/x/mod v0.12.0
+	golang.org/x/net v0.15.0
+	golang.org/x/oauth2 v0.12.0
+	golang.org/x/sync v0.3.0
+	golang.org/x/sys v0.12.0
+	golang.org/x/term v0.12.0
 	golang.org/x/time v0.3.0
-	golang.org/x/tools v0.9.1
+	golang.org/x/tools v0.13.0
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
 	golang.zx2c4.com/wireguard/windows v0.5.3
-	gvisor.dev/gvisor v0.0.0-20230504175454-7b0a1988a28f
-	honnef.co/go/tools v0.4.3
+	gvisor.dev/gvisor v0.0.0-20230928000133-4fe30062272c
+	honnef.co/go/tools v0.4.6
 	inet.af/peercred v0.0.0-20210906144145-0893ea02156a
 	inet.af/tcpproxy v0.0.0-20221017015627-91f861402626
 	inet.af/wf v0.0.0-20221017222439-36129f591884
-	k8s.io/api v0.27.2
-	k8s.io/apimachinery v0.27.2
-	k8s.io/client-go v0.27.2
+	k8s.io/api v0.28.2
+	k8s.io/apimachinery v0.28.2
+	k8s.io/client-go v0.28.2
 	nhooyr.io/websocket v1.8.7
-	sigs.k8s.io/controller-runtime v0.15.0
+	sigs.k8s.io/controller-runtime v0.16.2
 	sigs.k8s.io/yaml v1.3.0
-	software.sslmate.com/src/go-pkcs12 v0.2.0
+	software.sslmate.com/src/go-pkcs12 v0.2.1
 )

-require github.com/gorilla/securecookie v1.1.1 // indirect
+require (
+	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
+	github.com/gorilla/securecookie v1.1.1 // indirect
+)

 require (
 	4d63.com/gocheckcompilerdirectives v1.2.1 // indirect
@@ -112,7 +116,7 @@ require (
 	github.com/AlekSi/pointer v1.2.0 // indirect
 	github.com/Antonboom/errname v0.1.9 // indirect
 	github.com/Antonboom/nilnil v0.1.4 // indirect
-	github.com/BurntSushi/toml v1.2.1 // indirect
+	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/Djarvur/go-err113 v0.1.0 // indirect
 	github.com/GaijinEntertainment/go-exhaustruct/v2 v2.3.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
@@ -120,27 +124,27 @@ require (
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
 	github.com/OpenPeeDeeP/depguard v1.1.1 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
 	github.com/acomagu/bufpipe v1.0.4 // indirect
 	github.com/alexkohler/prealloc v1.0.0 // indirect
 	github.com/alingse/asasalint v0.0.11 // indirect
 	github.com/ashanbrown/forbidigo v1.5.1 // indirect
 	github.com/ashanbrown/makezero v1.1.1 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.21 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.13.40 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.43 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.25 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.28 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.12.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.18.10 // indirect
-	github.com/aws/smithy-go v1.13.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.14.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.22.0 // indirect
+	github.com/aws/smithy-go v1.14.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bkielbasa/cyclop v1.2.0 // indirect
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb // indirect
@@ -159,16 +163,16 @@ require (
 	github.com/daixiang0/gci v0.10.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/denis-tingaikin/go-header v0.4.3 // indirect
-	github.com/docker/cli v23.0.5+incompatible // indirect
+	github.com/docker/cli v24.0.6+incompatible // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker v23.0.5+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.7.0 // indirect
-	github.com/emicklei/go-restful/v3 v3.10.2 // indirect
+	github.com/docker/docker v24.0.6+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.8.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/esimonov/ifshort v1.0.4 // indirect
 	github.com/ettle/strcase v0.1.1 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
-	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.7.0 // indirect
 	github.com/fatih/color v1.15.0 // indirect
 	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/firefart/nonamedreturns v1.0.4 // indirect
@@ -177,11 +181,11 @@ require (
 	github.com/go-critic/go-critic v0.8.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.4.1 // indirect
-	github.com/go-git/go-git/v5 v5.7.0 // indirect
+	github.com/go-git/go-git/v5 v5.8.1 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonpointer v0.20.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
 	github.com/go-toolsmith/astcast v1.1.0 // indirect
 	github.com/go-toolsmith/astcopy v1.1.0 // indirect
 	github.com/go-toolsmith/astequal v1.1.0 // indirect
@@ -204,7 +208,6 @@ require (
 	github.com/golangci/revgrep v0.0.0-20220804021717-745bb2f7c2e6 // indirect
 	github.com/golangci/unconvert v0.0.0-20180507085042-28b1c447d1f4 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/gnostic v0.6.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/goterm v0.0.0-20200907032337-555d40f16ae2 // indirect
 	github.com/google/rpmpack v0.5.0 // indirect
@@ -256,7 +259,7 @@ require (
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mbilski/exhaustivestruct v1.2.0 // indirect
-	github.com/mdlayher/socket v0.4.1 // indirect
+	github.com/mdlayher/socket v0.5.0 // indirect
 	github.com/mgechev/revive v1.3.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
@@ -274,21 +277,21 @@ require (
 	github.com/nunnatsa/ginkgolinter v0.11.2 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
-	github.com/pierrec/lz4/v4 v4.1.17 // indirect
+	github.com/pierrec/lz4/v4 v4.1.18 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/polyfloyd/go-errorlint v1.4.1 // indirect
-	github.com/prometheus/client_model v0.4.0 // indirect
-	github.com/prometheus/procfs v0.9.0 // indirect
+	github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/quasilyte/go-ruleguard v0.3.19 // indirect
 	github.com/quasilyte/gogrep v0.5.0 // indirect
 	github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
 	github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
+	github.com/rogpeppe/go-internal v1.11.0 // indirect
 	github.com/ryancurrah/gomodguard v1.3.0 // indirect
 	github.com/ryanrolds/sqlclosecheck v0.4.0 // indirect
 	github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect
@@ -297,12 +300,12 @@ require (
 	github.com/securego/gosec/v2 v2.15.0 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect
-	github.com/shopspring/decimal v1.2.0 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/shopspring/decimal v1.3.1 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sivchari/containedctx v1.0.3 // indirect
 	github.com/sivchari/nosnakecase v1.7.0 // indirect
 	github.com/sivchari/tenv v1.7.1 // indirect
-	github.com/skeema/knownhosts v1.1.1 // indirect
+	github.com/skeema/knownhosts v1.2.1 // indirect
 	github.com/sonatard/noctx v0.0.2 // indirect
 	github.com/sourcegraph/go-diff v0.7.0 // indirect
 	github.com/spf13/afero v1.9.5 // indirect
@@ -328,36 +331,35 @@ require (
 	github.com/ultraware/funlen v0.0.3 // indirect
 	github.com/ultraware/whitespace v0.0.5 // indirect
 	github.com/uudashr/gocognit v1.0.6 // indirect
-	github.com/vbatts/tar-split v0.11.2 // indirect
+	github.com/vbatts/tar-split v0.11.5 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/yagipy/maintidx v1.0.0 // indirect
 	github.com/yeya24/promlinter v0.2.0 // indirect
 	gitlab.com/bosi/decorder v0.2.3 // indirect
 	gitlab.com/digitalxero/go-conventional-commit v1.0.7 // indirect
-	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp/typeparams v0.0.0-20230425010034-47ecfdc1ba53 // indirect
-	golang.org/x/image v0.7.0 // indirect
-	golang.org/x/text v0.12.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.30.0 // indirect
+	golang.org/x/exp/typeparams v0.0.0-20230905200255-921286631fa9 // indirect
+	golang.org/x/image v0.12.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.0 // indirect
-	k8s.io/apiextensions-apiserver v0.27.2 // indirect
-	k8s.io/component-base v0.27.2 // indirect
+	k8s.io/apiextensions-apiserver v0.28.2 // indirect
+	k8s.io/component-base v0.28.2 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
-	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
+	k8s.io/kube-openapi v0.0.0-20230928205116-a78145627833 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	mvdan.cc/gofumpt v0.5.0 // indirect
 	mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed // indirect
 	mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b // indirect
 	mvdan.cc/unparam v0.0.0-20230312165513-e84e2d14e3b8 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
 )
--- a/go.mod.sri
+++ b/go.mod.sri
@@ -1 +1 @@
-sha256-TZP/FQqb21yiKMlIPXXSoN6HfiBAun+gPZHQ5cPc8L0=
+sha256-tCc7+umCKgOmKXbElnCmDI4ntPvvHldkxi+RwQuj9ng=
--- a/go.sum
+++ b/go.sum
@@ -55,8 +55,8 @@ github.com/Antonboom/errname v0.1.9/go.mod h1:nLTcJzevREuAsgTbG85UsuiWpMpAqbKD1H
 github.com/Antonboom/nilnil v0.1.4 h1:yWIfwbCRDpJiJvs7Quz55dzeXCgORQyAG29N9/J5H2Q=
 github.com/Antonboom/nilnil v0.1.4/go.mod h1:iOov/7gRcXkeEU+EMGpBu2ORih3iyVEiWjeste1SJm8=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
-github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
+github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/DataDog/zstd v1.4.5 h1:EndNeuB0l9syBZhut0wns3gV1hL8zX8LIu6ZiVHWLIQ=
 github.com/DataDog/zstd v1.4.5/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
@@ -76,11 +76,10 @@ github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBa
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
-github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/OpenPeeDeeP/depguard v1.1.1 h1:TSUznLjvp/4IUP+OQ0t/4jF4QUyxIcVX8YnghZdunyA=
 github.com/OpenPeeDeeP/depguard v1.1.1/go.mod h1:JtAMzWkmFEzDPyAd+W0NHl1lvpQKTvT9jnRVsohBKpc=
-github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec h1:vV3RryLxt42+ZIVOFbYJCH1jsZNTNmj2NYru5zfx+4E=
-github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE=
+github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f h1:tCbYj7/299ekTTXpdwKYF8eBlsYsDVoggDAuAjoK66k=
 github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f/go.mod h1:gcr0kNtGBqin9zDW9GOHcVntrwnjrK+qdJ06mWYBybw=
 github.com/ProtonMail/gopenpgp/v2 v2.7.1 h1:Awsg7MPc2gD3I7IFac2qE3Gdls0lZW8SzrFZ3k1oz0s=
@@ -104,7 +103,6 @@ github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/
 github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
-github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a/go.mod h1:QmP9hvJ91BbJmGVGSbutW19IC0Q9phDCLGaomwTJbgU=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
@@ -112,47 +110,58 @@ github.com/ashanbrown/forbidigo v1.5.1 h1:WXhzLjOlnuDYPYQo/eFlcFMi8X/kLfvWLYu6CS
 github.com/ashanbrown/forbidigo v1.5.1/go.mod h1:Y8j9jy9ZYAEHXdu723cUlraTqbzjKF1MUyfOKL+AjcU=
 github.com/ashanbrown/makezero v1.1.1 h1:iCQ87C0V0vSyO+M9E/FZYbu65auqH0lnsOkf5FcB28s=
 github.com/ashanbrown/makezero v1.1.1/go.mod h1:i1bJLCRSCHOcOa9Y6MyF2FTfMZMFdHvxKHxgO5Z1axI=
-github.com/aws/aws-sdk-go-v2 v1.18.0 h1:882kkTpSFhdgYRKVZ/VCgf7sd0ru57p2JCxz4/oN5RY=
 github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
+github.com/aws/aws-sdk-go-v2 v1.21.0 h1:gMT0IW+03wtYJhRqTVYn0wLzwdnK9sRMcxmtfGzRdJc=
+github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10 h1:dK82zF6kkPeCo8J1e+tGx4JdvDIQzj7ygIoLg8WMuGs=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10/go.mod h1:VeTZetY5KRJLuD/7fkQXMU6Mw7H5m/KP2J5Iy9osMno=
-github.com/aws/aws-sdk-go-v2/config v1.18.22 h1:7vkUEmjjv+giht4wIROqLs+49VWmiQMMHSduxmoNKLU=
 github.com/aws/aws-sdk-go-v2/config v1.18.22/go.mod h1:mN7Li1wxaPxSSy4Xkr6stFuinJGf3VZW3ZSNvO0q6sI=
-github.com/aws/aws-sdk-go-v2/credentials v1.13.21 h1:VRiXnPEaaPeGeoFcXvMZOB5K/yfIXOYE3q97Kgb0zbU=
+github.com/aws/aws-sdk-go-v2/config v1.18.42 h1:28jHROB27xZwU0CB88giDSjz7M1Sba3olb5JBGwina8=
+github.com/aws/aws-sdk-go-v2/config v1.18.42/go.mod h1:4AZM3nMMxwlG+eZlxvBKqwVbkDLlnN2a4UGTL6HjaZI=
 github.com/aws/aws-sdk-go-v2/credentials v1.13.21/go.mod h1:90Dk1lJoMyspa/EDUrldTxsPns0wn6+KpRKpdAWc0uA=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.3 h1:jJPgroehGvjrde3XufFIJUZVK5A2L9a3KwSFgKy9n8w=
+github.com/aws/aws-sdk-go-v2/credentials v1.13.40 h1:s8yOkDh+5b1jUDhMBtngF6zKWLDs84chUk2Vk0c38Og=
+github.com/aws/aws-sdk-go-v2/credentials v1.13.40/go.mod h1:VtEHVAAqDWASwdOqj/1huyT6uHbs5s8FUHfDQdky/Rs=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.3/go.mod h1:4Q0UFP0YJf0NrsEuEYHpM9fTSEVnD16Z3uyEF7J9JGM=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 h1:uDZJF1hu0EVT/4bogChk8DyjSF6fof6uL/0Y26Ma7Fg=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11/go.mod h1:TEPP4tENqBGO99KwVpV9MlOX4NSrSLP8u3KRy2CDwA8=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.64 h1:9QJQs36z61YB8nxGwRDfWXEDYbU6H7jdI6zFiAX1vag=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.64/go.mod h1:4Q7R9MFpXRdjO3YnAfUTdnuENs32WzBkASt6VxSYDYQ=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33 h1:kG5eQilShqmJbv11XL1VpyDbaEJzWxd4zRiCG30GSn4=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33/go.mod h1:7i0PF1ME/2eUPFcjkVIwq+DOygHEoK92t5cDqNgYbIw=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27 h1:vFQlirhuM8lLlpI7imKOMsjdQLuN9CPi+k44F/OFVsk=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 h1:22dGT7PneFMx4+b3pz7lMTRyN8ZKH7M2cW4GP9yUS2g=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41/go.mod h1:CrObHAuPneJBlfEJ5T3szXOUkLEThaGfvnhTf33buas=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27/go.mod h1:UrHnn3QV/d0pBZ6QBAEQcqFLf8FAzLmoUfPVIueOvoM=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34 h1:gGLG7yKaXG02/jBlg210R7VgQIotiQntNhsCFejawx8=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 h1:SijA0mgjV8E+8G45ltVHs0fvKpTj8xmZJ3VwhGKtUSI=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35/go.mod h1:SJC1nEVVva1g3pHAIdCp7QsRIkMmLAgoDquQ9Rr8kYw=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34/go.mod h1:Etz2dj6UHYuw+Xw830KfzCfWGMzqvUTCjUj5b76GVDc=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.43 h1:g+qlObJH4Kn4n21g69DjspU0hKTjWtq7naZ9OLCv0ew=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.43/go.mod h1:rzfdUlfA+jdgLDmPKjd3Chq9V7LVLYo1Nz++Wb91aRo=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.25 h1:AzwRi5OKKwo4QNqPf7TjeO+tK8AyOK3GVSwmRPo7/Cs=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.25/go.mod h1:SUbB4wcbSEyCvqBxv/O/IBf93RbEze7U7OnoTlpPB+g=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11 h1:y2+VQzC6Zh2ojtV2LoC0MNwHWc6qXv/j2vrQtlftkdA=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11/go.mod h1:iV4q2hsqtNECrfmlXyord9u4zyuFEJX9eLgLpSPzWA8=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.28 h1:vGWm5vTpMr39tEZfQeDiDAMgk+5qsnvRny3FjLpnH5w=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.28/go.mod h1:spfrICMD6wCAhjhzHuy6DOZZ+LAIY10UxhUmLzpJTTs=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27 h1:0iKliEXAcCa2qVtRs7Ot5hItA2MsufrphbRFlz1Owxo=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27/go.mod h1:EOwBD4J4S5qYszS5/3DpkejfuK+Z5/1uzICfPaZLtqw=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 h1:CdzPW9kKitgIiLV1+MHobfR5Xg25iYnyzWZhyQuSlDI=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35/go.mod h1:QGF2Rs33W5MaN9gYdEQOBBFPLwTZkEhRwI33f7KIG0o=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.2 h1:NbWkRxEEIRSCqxhsHQuMiTH7yo+JZW1gp8v3elSVMTQ=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.2/go.mod h1:4tfW5l4IAB32VWCDEBxCRtR9T4BWy4I4kr1spr8NgZM=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.33.0 h1:L5h2fymEdVJYvn6hYO8Jx48YmC6xVmjmgHJV3oGKgmc=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.33.0/go.mod h1:J9kLNzEiHSeGMyN7238EjJmBpCniVzFda75Gxl/NqB8=
-github.com/aws/aws-sdk-go-v2/service/ssm v1.36.3 h1:TQZH0Djie8VVgTBDOQ02M4zVHJFrNzLMsYMbNfRitVM=
-github.com/aws/aws-sdk-go-v2/service/ssm v1.36.3/go.mod h1:p6MaesK9061w6NTiFmZpUzEkKUY5blKlwD2zYyErxKA=
-github.com/aws/aws-sdk-go-v2/service/sso v1.12.9 h1:GAiaQWuQhQQui76KjuXeShmyXqECwQ0mGRMc/rwsL+c=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.38.0 h1:JON9MBvwUlM8HXylfB2caZuH3VXz9RxO4SMp2+TNc3Q=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.38.0/go.mod h1:JjBzoceyKkpQY3v1GPIdg6kHqUFHRJ7SDlwtwoH0Qh8=
 github.com/aws/aws-sdk-go-v2/service/sso v1.12.9/go.mod h1:ouy2P4z6sJN70fR3ka3wD3Ro3KezSxU6eKGQI2+2fjI=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.9 h1:TraLwncRJkWqtIBVKI/UqBymq4+hL+3MzUOtUATuzkA=
+github.com/aws/aws-sdk-go-v2/service/sso v1.14.1 h1:YkNzx1RLS0F5qdf9v1Q8Cuv9NXCL2TkosOxhzlUPV64=
+github.com/aws/aws-sdk-go-v2/service/sso v1.14.1/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.9/go.mod h1:AFvkxc8xfBe8XA+5St5XIHHrQQtkxqrRincx4hmMHOk=
-github.com/aws/aws-sdk-go-v2/service/sts v1.18.10 h1:6UbNM/KJhMBfOI5+lpVcJ/8OA7cBSz0O6OX37SRKlSw=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.1 h1:8lKOidPkmSmfUtiTgtdXWgaKItCZ/g75/jEk6Ql6GsA=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.1/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4=
 github.com/aws/aws-sdk-go-v2/service/sts v1.18.10/go.mod h1:BgQOMsg8av8jset59jelyPW7NoZcZXLVpDsXunGDrk8=
-github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
+github.com/aws/aws-sdk-go-v2/service/sts v1.22.0 h1:s4bioTgjSFRwOoyEFzAVCmFmoowBgjTR8gkrF/sQ4wk=
+github.com/aws/aws-sdk-go-v2/service/sts v1.22.0/go.mod h1:VC7JDqsqiwXukYEDjoHh9U0fOJtNWh04FPQz4ct4GGU=
 github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
-github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
+github.com/aws/smithy-go v1.14.2 h1:MJU9hqBGbvWZdApzpvoF2WAIJDbtjK2NDJSiJP7HblQ=
+github.com/aws/smithy-go v1.14.2/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -170,7 +179,6 @@ github.com/breml/bidichk v0.2.4 h1:i3yedFWWQ7YzjdZJHnPo9d/xURinSq3OM+gyM43K4/8=
 github.com/breml/bidichk v0.2.4/go.mod h1:7Zk0kRFt1LIZxtQdl9W9JwGAcLTTkOs+tN7wuEYGJ3s=
 github.com/breml/errchkjson v0.3.1 h1:hlIeXuspTyt8Y/UmP5qy1JocGNR00KQHgfaNtRAjoxQ=
 github.com/breml/errchkjson v0.3.1/go.mod h1:XroxrzKjdiutFyW3nWhw34VGg7kiMsDQox73yWCGI2U=
-github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
 github.com/butuzov/ireturn v0.2.0 h1:kCHi+YzC150GE98WFuZQu9yrTn6GEydO2AuPLbTgnO4=
 github.com/butuzov/ireturn v0.2.0/go.mod h1:Wh6Zl3IMtTpaIKbmwzqi6olnM9ptYQxxVacMsOEFPoc=
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
@@ -181,7 +189,6 @@ github.com/caarlos0/testfs v0.4.4/go.mod h1:bRN55zgG4XCUVVHZCeU+/Tz1Q6AxEJOEJTli
 github.com/cavaliergopher/cpio v1.0.1 h1:KQFSeKmZhv0cr+kawA3a0xTQCU4QxXF1vhU7P7av2KM=
 github.com/cavaliergopher/cpio v1.0.1/go.mod h1:pBdaqQjnvXxdS/6CvNDwIANIFSP0xRKI16PX4xejRQc=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
@@ -193,24 +200,22 @@ github.com/chavacava/garif v0.0.0-20230227094218-b8c73b2037b8/go.mod h1:gakxgyXa
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/cilium/ebpf v0.10.0 h1:nk5HPMeoBXtOzbkZBWym+ZWq1GIiHUsBFXxwewXAHLQ=
-github.com/cilium/ebpf v0.10.0/go.mod h1:DPiVdY/kT534dgc9ERmvP8mWA+9gvwgKfRvk4nNWnoE=
+github.com/cilium/ebpf v0.11.0 h1:V8gS/bTCCjX9uUnkUFUpPsksM8n1lXBAvHcpiFk1X2Y=
+github.com/cilium/ebpf v0.11.0/go.mod h1:WE7CZAnqOL2RouJ4f1uyNhqr2P4CCvXFIqdRDUgWsVs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
 github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o=
-github.com/coreos/go-iptables v0.6.0 h1:is9qnZMPYjLd8LYqmm/qlE+wwEgJIkTYdhV3rfZo4jk=
-github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
+github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
+github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/go-systemd/v22 v22.4.0 h1:y9YHcjnjynCd/DVbg5j9L/33jQM3MxJlbj/zWskzfGU=
-github.com/coreos/go-systemd/v22 v22.4.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
@@ -219,30 +224,29 @@ github.com/curioswitch/go-reassign v0.2.0 h1:G9UZyOcpk/d7Gd6mqYgd8XYWFMw/znxwGDU
 github.com/curioswitch/go-reassign v0.2.0/go.mod h1:x6OpXuWvgfQaMGks2BZybTngWjT84hqJfKoO8Tt/Roc=
 github.com/daixiang0/gci v0.10.1 h1:eheNA3ljF6SxnPD/vE4lCBusVHmV3Rs3dkKvFrJ7MR0=
 github.com/daixiang0/gci v0.10.1/go.mod h1:xtHP9N7AHdNvtRNfcx9gwTDfw7FRJx4bZUsiEfiNNAI=
-github.com/dave/jennifer v1.6.1 h1:T4T/67t6RAA5AIV6+NP8Uk/BIsXgDoqEowgycdQQLuk=
-github.com/dave/jennifer v1.6.1/go.mod h1:nXbxhEmQfOZhWml3D1cDK5M1FLnMSozpbFN/m3RmGZc=
+github.com/dave/jennifer v1.7.0 h1:uRbSBH9UTS64yXbh4FrMHfgfY762RD+C7bUPKODpSJE=
+github.com/dave/jennifer v1.7.0/go.mod h1:nXbxhEmQfOZhWml3D1cDK5M1FLnMSozpbFN/m3RmGZc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dblohm7/wingoes v0.0.0-20230821191801-fc76608aecf0 h1:/dgKwHVTI0J+A0zd/BHOF2CTn1deN0735cJrb+w2hbE=
-github.com/dblohm7/wingoes v0.0.0-20230821191801-fc76608aecf0/go.mod h1:6NCrWM5jRefaG7iN0iMShPalLsljHWBh9v1zxM2f8Xs=
+github.com/dblohm7/wingoes v0.0.0-20230929194252-e994401fc077 h1:WphxHslVftszsr0oZOHPaOjpmN/BsgNYF+gW/hxZXXc=
+github.com/dblohm7/wingoes v0.0.0-20230929194252-e994401fc077/go.mod h1:6NCrWM5jRefaG7iN0iMShPalLsljHWBh9v1zxM2f8Xs=
 github.com/denis-tingaikin/go-header v0.4.3 h1:tEaZKAlqql6SKCY++utLmkPLd6K8IBM20Ha7UVm+mtU=
 github.com/denis-tingaikin/go-header v0.4.3/go.mod h1:0wOCWuN71D5qIgE2nz9KrKmuYBAC2Mra5RassOIQ2/c=
-github.com/docker/cli v23.0.5+incompatible h1:ufWmAOuD3Vmr7JP2G5K3cyuNC4YZWiAsuDEvFVVDafE=
-github.com/docker/cli v23.0.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v24.0.6+incompatible h1:fF+XCQCgJjjQNIMjzaSmiKJSCcfcXb3TWTcc7GAneOY=
+github.com/docker/cli v24.0.6+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
 github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v23.0.5+incompatible h1:DaxtlTJjFSnLOXVNUBU1+6kXGz2lpDoEAH6QoxaSg8k=
-github.com/docker/docker v23.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
-github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
-github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
+github.com/docker/docker v24.0.6+incompatible h1:hceabKCtUgDqPu+qm0NgsaXf28Ljf4/pWFL7xjWWDgE=
+github.com/docker/docker v24.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
+github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40=
 github.com/dsnet/try v0.0.3 h1:ptR59SsrcFUYbT/FhAbKTV6iLkeD6O18qfIWRml2fqI=
 github.com/dsnet/try v0.0.3/go.mod h1:WBM8tRpUmnXXhY1U6/S8dt6UWdHTQ7y8A5YSkRCkq40=
 github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819 h1:RIB4cRk+lBqKK3Oy0r2gRX4ui7tuhiZq2SuTtTCi0/0=
 github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
-github.com/emicklei/go-restful/v3 v3.10.2 h1:hIovbnmBTLjHXkqEBUz3HGpXZdM7ZrE9fJIZIqlJLqE=
-github.com/emicklei/go-restful/v3 v3.10.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
+github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -250,7 +254,6 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/esimonov/ifshort v1.0.4 h1:6SID4yGWfRae/M7hkVDVVyppy8q/v9OuxNdmjLQStBA=
 github.com/esimonov/ifshort v1.0.4/go.mod h1:Pe8zjlRrJ80+q2CxHLfEOfTwxCZ4O+MuhcHcfgNWTk0=
@@ -258,26 +261,24 @@ github.com/ettle/strcase v0.1.1 h1:htFueZyVeE1XNnMEfbqp5r67qAN/4r6ya1ysq8Q+Zcw=
 github.com/ettle/strcase v0.1.1/go.mod h1:hzDLsPC7/lwKyBOywSHEP89nt2pDgdy+No1NBA9o9VY=
 github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
 github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
-github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
-github.com/evanw/esbuild v0.14.53 h1:9uU73SZUmP1jRQhaC6hPm9aoqFGYlPwfk7OrhG6AhpQ=
-github.com/evanw/esbuild v0.14.53/go.mod h1:iINY06rn799hi48UqEnaQvVfZWe6W9bET78LbvN8VWk=
+github.com/evanphx/json-patch/v5 v5.7.0 h1:nJqP7uwL84RJInrohHfW0Fx3awjbm8qZeFv0nW9SYGc=
+github.com/evanphx/json-patch/v5 v5.7.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
+github.com/evanw/esbuild v0.19.4 h1:Etk+6ZCjtNxZZLEgMKSqpO0/oM0k1WYKJabaPMJ39iQ=
+github.com/evanw/esbuild v0.19.4/go.mod h1:iINY06rn799hi48UqEnaQvVfZWe6W9bET78LbvN8VWk=
 github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
 github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
 github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4=
 github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
 github.com/firefart/nonamedreturns v1.0.4 h1:abzI1p7mAEPYuR4A+VLKn4eNDOycjYo2phmY9sfv40Y=
 github.com/firefart/nonamedreturns v1.0.4/go.mod h1:TDhe/tjI1BXo48CmYbUduTV7BdIga8MAO/xbKdcVsGI=
-github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0=
 github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA=
 github.com/frankban/quicktest v1.14.5/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
-github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
-github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
+github.com/fxamacker/cbor/v2 v2.5.0 h1:oHsG0V/Q6E/wqTS2O1Cozzsy69nqCiguo5Q1a1ADivE=
+github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
 github.com/fzipp/gocyclo v0.6.0 h1:lsblElZG7d3ALtGMx9fmxeTKZaLLpU8mET09yN4BBLo=
 github.com/fzipp/gocyclo v0.6.0/go.mod h1:rXPyn8fnlpa0R2csP/31uerbiVBugk5whMdlyaLkLoA=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
 github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
 github.com/gin-gonic/gin v1.6.3 h1:ahKqKTFpO5KTPHxWZjEdPScmYaGtLo8Y4DMHoEsnp14=
@@ -294,13 +295,13 @@ github.com/go-git/go-billy/v5 v5.4.1 h1:Uwp5tDRkPr+l/TnbHOQzp+tmJfLceOlbVucgpTz8
 github.com/go-git/go-billy/v5 v5.4.1/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw45YK/ukIvQg=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f h1:Pz0DHeFij3XFhoBRGUDPzSJ+w2UcK5/0JvF8DRI58r8=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo=
-github.com/go-git/go-git/v5 v5.7.0 h1:t9AudWVLmqzlo+4bqdf7GY+46SUuRsx59SboFxkq2aE=
-github.com/go-git/go-git/v5 v5.7.0/go.mod h1:coJHKEOk5kUClpsNlXrUvPrDxY3w3gjHvhcZd8Fodw8=
+github.com/go-git/go-git/v5 v5.8.1 h1:Zo79E4p7TRk0xoRgMq0RShiTHGKcKI4+DI6BfJc/Q+A=
+github.com/go-git/go-git/v5 v5.8.1/go.mod h1:FHFuoD6yGz5OSKEBK+aWN9Oah0q54Jxl0abmj6GnqAo=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-json-experiment/json v0.0.0-20230321051131-ccbac49a6929 h1:GdbUZo0+623j+pKRhwwdf1q28IUgRc7asx3TjF9b7VQ=
-github.com/go-json-experiment/json v0.0.0-20230321051131-ccbac49a6929/go.mod h1:AHV+bpNGVGD0DCHMBhhTYtT7yeBYD9Yk92XAjB7vOgo=
+github.com/go-json-experiment/json v0.0.0-20230922184908-dc36ffcf8533 h1:1SRqDZauC9fz6vMIDLCUOULPNfOnZ0rmvZo8quraoy4=
+github.com/go-json-experiment/json v0.0.0-20230922184908-dc36ffcf8533/go.mod h1:6daplAwHHGbUGib4990V3Il26O0OC4aRyvewaaAihaA=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@@ -312,14 +313,16 @@ github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo=
 github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA=
-github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
-github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
-github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
+github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
+github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonpointer v0.20.0 h1:ESKJdU9ASRfaPNOPRx12IUyA1vn3R9GiE3KYD14BXdQ=
+github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA=
 github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
-github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU=
+github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.13.0 h1:HyWk6mgj5qFqCT5fjGBuRArbVDfE4hi8+e8ceBS/t7Q=
 github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
@@ -421,8 +424,8 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/gnostic v0.6.9 h1:ZK/5VhkoX835RikCHpSUJV9a+S3e1zLh59YnyWeBW+0=
-github.com/google/gnostic v0.6.9/go.mod h1:Nm8234We1lq6iB9OmlgNv3nH91XLLVZHCDayfA3xq+E=
+github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU=
+github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -437,8 +440,8 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.14.0 h1:z58vMqHxuwvAsVwvKEkmVBz2TlgBgH5k6koEXBtlYkw=
-github.com/google/go-containerregistry v0.14.0/go.mod h1:aiJ2fp/SXvkWgmYHioXnbMdlgB8eXiiYOY55gfN91Wk=
+github.com/google/go-containerregistry v0.16.1 h1:rUEt426sR6nyrL3gt+18ibRcvYpKYdpsa5ZW7MA08dQ=
+github.com/google/go-containerregistry v0.16.1/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -466,8 +469,8 @@ github.com/google/rpmpack v0.5.0 h1:L16KZ3QvkFGpYhmp23iQip+mx1X39foEsqszjMNBm8A=
 github.com/google/rpmpack v0.5.0/go.mod h1:uqVAUVQLq8UY2hCDfmJ/+rtO3aw7qyhc90rCVEabEfI=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
+github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
@@ -479,8 +482,8 @@ github.com/goreleaser/chglog v0.5.0 h1:Sk6BMIpx8+vpAf8KyPit34OgWui8c7nKTMHhYx88j
 github.com/goreleaser/chglog v0.5.0/go.mod h1:Ri46M3lrMuv76FHszs3vtABR8J8k1w9JHYAzxeeOl28=
 github.com/goreleaser/fileglob v1.3.0 h1:/X6J7U8lbDpQtBvGcwwPS6OpzkNVlVEsFUVRx9+k+7I=
 github.com/goreleaser/fileglob v1.3.0/go.mod h1:Jx6BoXv3mbYkEzwm9THo7xbr5egkAraxkGorbJb4RxU=
-github.com/goreleaser/nfpm/v2 v2.32.1-0.20230803123630-24a43c5ad7cf h1:X8rzot0Te1TYSoADyMZfPt95Afhptpj0VqicKPAcmjM=
-github.com/goreleaser/nfpm/v2 v2.32.1-0.20230803123630-24a43c5ad7cf/go.mod h1:Z7rAxucnQGMGfAhpxm/UIrdH0/EcxEt91RW3mmVzx2U=
+github.com/goreleaser/nfpm/v2 v2.33.1 h1:EkdAzZyVhAI9JC1vjmjjbmnNzyH1J6Cu4JCsA7YcQuc=
+github.com/goreleaser/nfpm/v2 v2.33.1/go.mod h1:8wwWWvJWmn84xo/Sqiv0aMvEGTHlHZTXTEuVSgQpkIM=
 github.com/gorilla/csrf v1.7.1 h1:Ir3o2c1/Uzj6FBxMlAUB6SivgVMy1ONXwYgXn+/aHPE=
 github.com/gorilla/csrf v1.7.1/go.mod h1:+a/4tCmqhG6/w4oafeAZ9pEa3/NZOWYVbD9fV0FwIQA=
 github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
@@ -500,7 +503,6 @@ github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW
 github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M=
 github.com/gostaticanalysis/testutil v0.4.0 h1:nhdCmubdmDF6VEatUNjgUZBJKWRqugoISdUv3PPQgHY=
 github.com/gostaticanalysis/testutil v0.4.0/go.mod h1:bLIoPefWXrRi/ssLFWX1dx7Repi5x3CuviD3dgAZaBU=
-github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -520,8 +522,8 @@ github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSo
 github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU=
 github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/iancoleman/strcase v0.2.0 h1:05I4QRnGpI0m37iZQRuskXh+w77mr6Z41lwQzuHLwW0=
-github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
+github.com/iancoleman/strcase v0.3.0 h1:nTXanmYxhfFAMjZL34Ov6gkzEsSJZ5DbhxWjvSASxEI=
+github.com/iancoleman/strcase v0.3.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/illarion/gonotify v1.0.1 h1:F1d+0Fgbq/sDWjj/r66ekjDG+IDeecQKUFH4wNwsoio=
@@ -531,8 +533,8 @@ github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20230407062729-974c6f05fe16 h1:+aAGyK41KRn8jbF2Q7PLL0Sxwg6dShGcQSeCC7nZQ8E=
-github.com/insomniacslk/dhcp v0.0.0-20230407062729-974c6f05fe16/go.mod h1:IKrnDWs3/Mqq5n0lI+RxA2sB7MvN/vbMBP3ehXg65UI=
+github.com/insomniacslk/dhcp v0.0.0-20230908212754-65c27093e38a h1:S33o3djA1nPRd+d/bf7jbbXytXuK/EoXow7+aa76grQ=
+github.com/insomniacslk/dhcp v0.0.0-20230908212754-65c27093e38a/go.mod h1:zmdm3sTSDP3vOOX3CEWRkkRHtKr1DxBx+J1OQFoDQQs=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
@@ -552,8 +554,8 @@ github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/ra
 github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 h1:elKwZS1OcdQ0WwEDBeqxKwb7WB62QX8bvZ/FJnVXIfk=
 github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86/go.mod h1:aFAMtuldEgx/4q7iSGazk22+IcgvtiC+HIimFO9XlS8=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
-github.com/jsimonetti/rtnetlink v1.3.2 h1:dcn0uWkfxycEEyNy0IGfx3GrhQ38LH7odjxAghimsVI=
-github.com/jsimonetti/rtnetlink v1.3.2/go.mod h1:BBu4jZCpTjP6Gk0/wfrO8qcqymnN3g0hoFqObRmUo6U=
+github.com/jsimonetti/rtnetlink v1.3.5 h1:hVlNQNRlLDGZz31gBPicsG7Q53rnlsz1l1Ix/9XlpVA=
+github.com/jsimonetti/rtnetlink v1.3.5/go.mod h1:0LFedyiTkebnd43tE4YAkWGIq9jQphow4CcwxaT2Y00=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -582,8 +584,8 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
 github.com/kkHAIKE/contextcheck v1.1.4 h1:B6zAaLhOEEcjvUgIYEqystmnFk1Oemn8bvJhbt0GMb8=
 github.com/kkHAIKE/contextcheck v1.1.4/go.mod h1:1+i/gWqokIa+dm31mqGLZhZJ7Uh44DJGZVmr6QRBNJg=
 github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
-github.com/klauspost/compress v1.16.7 h1:2mk3MPGNzKyxErAw8YaohYh69+pa4sIQSC0fPGCFR9I=
-github.com/klauspost/compress v1.16.7/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM=
+github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -594,7 +596,6 @@ github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -635,8 +636,8 @@ github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxec
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.18 h1:DOKFKCQ7FNG2L1rbrmstDN4QVRdS89Nkh85u68Uwp98=
-github.com/mattn/go-isatty v0.0.18/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWVwUuU=
 github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
@@ -651,12 +652,12 @@ github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
 github.com/mdlayher/sdnotify v1.0.0 h1:Ma9XeLVN/l0qpyx1tNeMSeTjCPH6NtuD6/N9XdTlQ3c=
 github.com/mdlayher/sdnotify v1.0.0/go.mod h1:HQUmpM4XgYkhDLtd+Uad8ZFK1T9D5+pNxnXQjCeJlGE=
-github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
-github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
+github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI=
+github.com/mdlayher/socket v0.5.0/go.mod h1:WkcBFfvyG8QENs5+hfQPl1X6Jpd2yeLIYgrGFmJiJxI=
 github.com/mgechev/revive v1.3.1 h1:OlQkcH40IB2cGuprTPcjB0iIUddgVZgGmDX3IAMR8D4=
 github.com/mgechev/revive v1.3.1/go.mod h1:YlD6TTWl2B8A103R9KWJSPVI9DrEf+oqr15q21Ld+5I=
-github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
-github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
+github.com/miekg/dns v1.1.56 h1:5imZaSeoRNvpM9SzWNhEcP9QliKiz20/dA2QabIGVnE=
+github.com/miekg/dns v1.1.56/go.mod h1:cRm6Oo2C8TY9ZS/TqsSrseAcncm74lfK5G+ikN2SWWY=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
@@ -697,14 +698,14 @@ github.com/nunnatsa/ginkgolinter v0.11.2 h1:xzQpAsEyZe5F1RMy2Z5kn8UFCGiWfKqJOUd2
 github.com/nunnatsa/ginkgolinter v0.11.2/go.mod h1:dJIGXYXbkBswqa/pIzG0QlVTTDSBMxDoCFwhsl4Uras=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
-github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
-github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k=
-github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU=
-github.com/onsi/gomega v1.27.7/go.mod h1:1p8OOlwo2iUUDsHnOrjE5UKYJ+e3W8eQ3qSlRahPmr4=
+github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU=
+github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM=
+github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
-github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
+github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI=
+github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
 github.com/otiai10/copy v1.2.0 h1:HvG945u96iNadPoG2/Ja2+AUJeW5YuFQMixq9yirC+k=
 github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=
 github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE=
@@ -713,11 +714,11 @@ github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT9
 github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc=
 github.com/pelletier/go-toml/v2 v2.0.8 h1:0ctb6s9mE31h0/lhu+J6OPmVeDxJn+kYnJc2jZR9tGQ=
 github.com/pelletier/go-toml/v2 v2.0.8/go.mod h1:vuYfssBdrU2XDZ9bYydBu6t+6a6PYNcZljzZR9VXg+4=
-github.com/peterbourgon/ff/v3 v3.3.0 h1:PaKe7GW8orVFh8Unb5jNHS+JZBwWUMa2se0HM6/BI24=
-github.com/peterbourgon/ff/v3 v3.3.0/go.mod h1:zjJVUhx+twciwfDl0zBcFzl4dW8axCRyXE/eKY9RztQ=
+github.com/peterbourgon/ff/v3 v3.4.0 h1:QBvM/rizZM1cB0p0lGMdmR7HxZeI/ZrBWB4DqLkMUBc=
+github.com/peterbourgon/ff/v3 v3.4.0/go.mod h1:zjJVUhx+twciwfDl0zBcFzl4dW8axCRyXE/eKY9RztQ=
 github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pierrec/lz4/v4 v4.1.17 h1:kV4Ip+/hUBC+8T6+2EgburRtkE9ef4nbY3f4dFhGjMc=
-github.com/pierrec/lz4/v4 v4.1.17/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pierrec/lz4/v4 v4.1.18 h1:xaKrnTkyoqfh1YItXl56+6KJNVYWlEEPuAQW9xsplYQ=
+github.com/pierrec/lz4/v4 v4.1.18/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
 github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
 github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7/go.mod h1:zO8QMzTeZd5cpnIkz/Gn6iK0jDfGicM1nynOkkPIl28=
@@ -728,8 +729,8 @@ github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
-github.com/pkg/sftp v1.13.5 h1:a3RLUqkyjYRtBTZJZ1VRrKbN3zhuPLlUc3sphVz81go=
-github.com/pkg/sftp v1.13.5/go.mod h1:wHDZ0IZX6JcBYRK1TH9bcVq8G7TLpVHYIGJRFnmPfxg=
+github.com/pkg/sftp v1.13.6 h1:JFZT4XbOU7l77xGSpOdW+pwIMqP044IyjXX6FGyEKFo=
+github.com/pkg/sftp v1.13.6/go.mod h1:tz1ryNURKu77RL+GuCzmoJYxQczL3wLNNpPWagdg4Qk=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/polyfloyd/go-errorlint v1.4.1 h1:r8ru5FhXSn34YU1GJDOuoJv2LdsQkPmK325EOpPMJlM=
@@ -739,27 +740,27 @@ github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5Fsn
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
 github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
-github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI=
-github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk=
+github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q=
+github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
-github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
+github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 h1:v7DLqVdK4VrYkVD5diGdl4sxJurKJEMnODWRJlxV9oM=
+github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
 github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
-github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM=
-github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
+github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
+github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
-github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
+github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
+github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
 github.com/quasilyte/go-ruleguard v0.3.19 h1:tfMnabXle/HzOb5Xe9CUZYWXKfkS1KwRmZyPmD9nVcc=
 github.com/quasilyte/go-ruleguard v0.3.19/go.mod h1:lHSn69Scl48I7Gt9cX3VrbsZYvYiBYszZOZW4A+oTEw=
 github.com/quasilyte/gogrep v0.5.0 h1:eTKODPXbI8ffJMN+W2aE0+oL0z/nh8/5eNdiO34SOAo=
@@ -771,12 +772,10 @@ github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567/go.mod h1:DWNGW8
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
-github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryancurrah/gomodguard v1.3.0 h1:q15RT/pd6UggBXVBuLps8BXRvl5GPBcwVA7BJHMLuTw=
 github.com/ryancurrah/gomodguard v1.3.0/go.mod h1:ggBxb3luypPEzqVtq33ee7YSN35V28XeGnid8dnni50=
@@ -795,25 +794,25 @@ github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c h1:W65qqJCIOVP4jpqPQ0YvHYKwcMEMVWIzWC5iNQQfBTU=
 github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs=
-github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
+github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
+github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
 github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sivchari/containedctx v1.0.3 h1:x+etemjbsh2fB5ewm5FeLNi5bUjK0V8n0RB+Wwfd0XE=
 github.com/sivchari/containedctx v1.0.3/go.mod h1:c1RDvCbnJLtH4lLcYD/GqwiBSSf4F5Qk0xld2rBqzJ4=
 github.com/sivchari/nosnakecase v1.7.0 h1:7QkpWIRMe8x25gckkFd2A5Pi6Ymo0qgr4JrhGt95do8=
 github.com/sivchari/nosnakecase v1.7.0/go.mod h1:CwDzrzPea40/GB6uynrNLiorAlgFRvRbFSgJx2Gs+QY=
 github.com/sivchari/tenv v1.7.1 h1:PSpuD4bu6fSmtWMxSGWcvqUUgIn7k3yOJhOIzVWn8Ak=
 github.com/sivchari/tenv v1.7.1/go.mod h1:64yStXKSOxDfX47NlhVwND4dHwfZDdbp2Lyl018Icvg=
-github.com/skeema/knownhosts v1.1.1 h1:MTk78x9FPgDFVFkDLTrsnnfCJl7g1C/nnKvePgrIngE=
-github.com/skeema/knownhosts v1.1.1/go.mod h1:g4fPeYpque7P0xefxtGzV81ihjC8sX2IqpAoNkjxbMo=
+github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ=
+github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
 github.com/smartystreets/assertions v1.13.1 h1:Ef7KhSmjZcK6AVf9YbJdvPYG9avaF0ZxudX+ThRdWfU=
@@ -824,7 +823,6 @@ github.com/sonatard/noctx v0.0.2 h1:L7Dz4De2zDQhW8S0t+KUjY0MAQJd6SgVwhzNIc4ok00=
 github.com/sonatard/noctx v0.0.2/go.mod h1:kzFz+CzWSjQ2OzIm46uJZoXuBpa2+0y3T36U18dWqIo=
 github.com/sourcegraph/go-diff v0.7.0 h1:9uLlrd5T46OXs5qpp8L/MTltk0zikUGi0sNNyCpA8G0=
 github.com/sourcegraph/go-diff v0.7.0/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs=
-github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.9.5 h1:stMpOSZFs//0Lv29HduCmli3GUfpFoF3Y1Q/aXj/wVM=
 github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
@@ -842,7 +840,6 @@ github.com/ssgreg/nlreturn/v2 v2.2.1 h1:X4XDI7jstt3ySqGU86YGAURbxw3oTDPK9sPEi6YE
 github.com/ssgreg/nlreturn/v2 v2.2.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I=
 github.com/stbenjam/no-sprintf-host-port v0.1.1 h1:tYugd/yrm1O0dV+ThCbaKZh195Dfm07ysF0U6JQXczc=
 github.com/stbenjam/no-sprintf-host-port v0.1.1/go.mod h1:TLhvtIvONRzdmkFiio4O8LHsN9N74I+PhRquPsxpL0I=
-github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
@@ -881,10 +878,12 @@ github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89 h1:7xU7AFQE83h0wz/
 github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89/go.mod h1:OGMqrTzDqmJkGumUTtOv44Rp3/4xS+QFbE8Rn0AGlaU=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 h1:zrsUcqrG2uQSPhaUPjUQwozcRdDdSxxqhNgNZ3drZFk=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
-github.com/tailscale/wireguard-go v0.0.0-20230824215414-93bd5cbf7fd8 h1:V9kSpiTzFp7OTgJinu/kSJlsI6EfRs8wJgQ+Q+5a8v4=
-github.com/tailscale/wireguard-go v0.0.0-20230824215414-93bd5cbf7fd8/go.mod h1:QRIcq2+DbdIC5sKh/gcAZhuqu6WT6L6G8/ALPN5wqYw=
-github.com/tc-hib/winres v0.2.0 h1:gly/ivDWGvlhl7ENtEmA7wPQ6dWab1LlLq/DgcZECKE=
-github.com/tc-hib/winres v0.2.0/go.mod h1:uG6S5M2Q0/kThoqsCSYvGJODUQP9O9R0SNxUPmFIegw=
+github.com/tailscale/web-client-prebuilt v0.0.0-20230919211114-7bcd7bca7bc5 h1:wKUtQPRpjhZZvAuwYRMcjMZnpWSUEJWIbNJmLtDbR0k=
+github.com/tailscale/web-client-prebuilt v0.0.0-20230919211114-7bcd7bca7bc5/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
+github.com/tailscale/wireguard-go v0.0.0-20230929223258-2f6748dc88e7 h1:P1od5W+cX/LZZyvbKrNUXuuzxensnKEywLhxhPOeHuY=
+github.com/tailscale/wireguard-go v0.0.0-20230929223258-2f6748dc88e7/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
+github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
+github.com/tc-hib/winres v0.2.1/go.mod h1:C/JaNhH3KBvhNKVbvdlDWkbMDO9H4fKKDaN7/07SSuk=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
 github.com/tcnksm/go-httpstat v0.2.0/go.mod h1:s3JVJFtQxtBEBC9dwcdTTXS9xFnM3SXAZwPG41aurT8=
 github.com/tdakkota/asciicheck v0.2.0 h1:o8jvnUANo0qXtnslk2d3nMKTFNlOnJjRrNcj0j9qkHM=
@@ -921,11 +920,10 @@ github.com/ultraware/funlen v0.0.3 h1:5ylVWm8wsNwH5aWo9438pwvsK0QiqVuUrt9bn7S/iL
 github.com/ultraware/funlen v0.0.3/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA=
 github.com/ultraware/whitespace v0.0.5 h1:hh+/cpIcopyMYbZNVov9iSxvJU3OYQg78Sfaqzi/CzI=
 github.com/ultraware/whitespace v0.0.5/go.mod h1:aVMh/gQve5Maj9hQ/hg+F75lr/X5A89uZnzAmWSineA=
-github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/uudashr/gocognit v1.0.6 h1:2Cgi6MweCsdB6kpcVQp7EW4U23iBFQWfTXiWlyp842Y=
 github.com/uudashr/gocognit v1.0.6/go.mod h1:nAIUuVBnYU7pcninia3BHOvQkpQCeO76Uscky5BOwcY=
-github.com/vbatts/tar-split v0.11.2 h1:Via6XqJr0hceW4wff3QRzD5gAk/tatMw/4ZA7cTlIME=
-github.com/vbatts/tar-split v0.11.2/go.mod h1:vV3ZuO2yWSVsz+pfFzDG/upWH1JhjOiEaWq6kXyQ3VI=
+github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts=
+github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk=
 github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
 github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
@@ -935,9 +933,6 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
-github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
-github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
-github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
 github.com/yagipy/maintidx v1.0.0 h1:h5NvIsCz+nRDapQ0exNv4aJ0yXSI0420omVANTv3GJM=
@@ -961,22 +956,20 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
-go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
 go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
+go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
+go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
 go4.org/mem v0.0.0-20220726221520-4f986261bf13 h1:CbZeCBZ0aZj8EfVgnqQcYZgf0lpZ3H9rmp5nkDTAst8=
 go4.org/mem v0.0.0-20220726221520-4f986261bf13/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
-go4.org/netipx v0.0.0-20230728180743-ad4cb58a6516 h1:X66ZEoMN2SuaoI/dfZVYobB6E5zjZyyHUMWlCA7MgGE=
-go4.org/netipx v0.0.0-20230728180743-ad4cb58a6516/go.mod h1:TQvodOM+hJTioNQJilmLXu08JNb8i+ccq418+KWu1/Y=
+go4.org/netipx v0.0.0-20230824141953-6213f710f925 h1:eeQDDVKFkx0g4Hyy8pHgmZaK0EqB4SD6rvKbUdN3ziQ=
+go4.org/netipx v0.0.0-20230824141953-6213f710f925/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -985,16 +978,14 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
-golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1005,17 +996,16 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20230725093048-515e97ebf090 h1:Di6/M8l0O2lCLc6VVRWhgCiApHV8MnQurBnFSHsQtNY=
-golang.org/x/exp v0.0.0-20230725093048-515e97ebf090/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
+golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
+golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
 golang.org/x/exp/typeparams v0.0.0-20220428152302-39d4317da171/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/exp/typeparams v0.0.0-20230203172020-98cc5a0785f9/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
-golang.org/x/exp/typeparams v0.0.0-20230425010034-47ecfdc1ba53 h1:w/MOPdQ1IoYoDou3L55ZbTx2Nhn7JAhX1BBZor8qChU=
-golang.org/x/exp/typeparams v0.0.0-20230425010034-47ecfdc1ba53/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
+golang.org/x/exp/typeparams v0.0.0-20230905200255-921286631fa9 h1:j3D9DvWRpUfIyFfDPws7LoIZ2MAI1OJHdQXtTnYtN+k=
+golang.org/x/exp/typeparams v0.0.0-20230905200255-921286631fa9/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.1.0/go.mod h1:iyPr49SD/G/TBxYVB/9RRtGUT5eNbo2u4NamWeQcD5c=
-golang.org/x/image v0.7.0 h1:gzS29xtG1J5ybQlv0PuyfE3nmc6R4qB73m6LUUmvFuw=
-golang.org/x/image v0.7.0/go.mod h1:nd/q4ef1AKKYl/4kft7g+6UyGbdiqWqTP1ZAbRoV7Rg=
+golang.org/x/image v0.12.0 h1:w13vZbU4o5rKOFFR8y7M+c4A5jXDC0uXTdHYRP8X2DQ=
+golang.org/x/image v0.12.0/go.mod h1:Lu90jvHG7GfemOIcldsh9A2hS01ocl6oNO7ype5mEnk=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1044,8 +1034,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91
 golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
 golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
-golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1081,7 +1071,6 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
@@ -1091,8 +1080,8 @@ golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
-golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
+golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1103,8 +1092,8 @@ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g=
-golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
+golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4=
+golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1118,8 +1107,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
-golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1132,7 +1121,6 @@ golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1173,7 +1161,6 @@ golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1190,8 +1177,8 @@ golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -1200,25 +1187,24 @@ golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
 golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
-golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
+golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
-golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1297,8 +1283,8 @@ golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
 golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
 golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo=
-golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
+golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1307,8 +1293,8 @@ golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeu
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
-gomodules.xyz/jsonpatch/v2 v2.3.0 h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc=
-gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
+gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
+gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -1334,8 +1320,9 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
+google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@@ -1359,7 +1346,6 @@ google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfG
 google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
@@ -1373,7 +1359,6 @@ google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -1387,12 +1372,9 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1405,9 +1387,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
-google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1424,7 +1405,6 @@ gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRN
 gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -1432,13 +1412,12 @@ gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
 gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
-gvisor.dev/gvisor v0.0.0-20230504175454-7b0a1988a28f h1:8GE2MRjGiFmfpon8dekPI08jEuNMQzSffVHgdupcO4E=
-gvisor.dev/gvisor v0.0.0-20230504175454-7b0a1988a28f/go.mod h1:pzr6sy8gDLfVmDAg8OYrlKvGEHw5C3PGTiBXBTCx76Q=
+gvisor.dev/gvisor v0.0.0-20230928000133-4fe30062272c h1:bYb98Ra11fJ8F2xFbZx0zg2VQ28lYqC1JxfaaF53xqY=
+gvisor.dev/gvisor v0.0.0-20230928000133-4fe30062272c/go.mod h1:AVgIgHMwK63XvmAzWG9vLQ41YnVHN0du0tEC46fI7yY=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -1446,8 +1425,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.4.3 h1:o/n5/K5gXqk8Gozvs2cnL0F2S1/g1vcGCAx2vETjITw=
-honnef.co/go/tools v0.4.3/go.mod h1:36ZgoUOrqOk1GxwHhyryEkq8FQWkUO2xGuSMhUCcdvA=
+honnef.co/go/tools v0.4.6 h1:oFEHCKeID7to/3autwsWfnuv69j3NsfcXbvJKuIcep8=
+honnef.co/go/tools v0.4.6/go.mod h1:+rnGS1THNh8zMwnd2oVOTL9QF6vmfyG6ZXBULae2uc0=
 howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 inet.af/peercred v0.0.0-20210906144145-0893ea02156a h1:qdkS8Q5/i10xU2ArJMKYhVa1DORzBfYS/qA2UK2jheg=
@@ -1456,22 +1435,22 @@ inet.af/tcpproxy v0.0.0-20221017015627-91f861402626 h1:2dMP3Ox/Wh5BiItwOt4jxRsfz
 inet.af/tcpproxy v0.0.0-20221017015627-91f861402626/go.mod h1:Tojt5kmHpDIR2jMojxzZK2w2ZR7OILODmUo2gaSwjrk=
 inet.af/wf v0.0.0-20221017222439-36129f591884 h1:zg9snq3Cpy50lWuVqDYM7AIRVTtU50y5WXETMFohW/Q=
 inet.af/wf v0.0.0-20221017222439-36129f591884/go.mod h1:bSAQ38BYbY68uwpasXOTZo22dKGy9SNvI6PZFeKomZE=
-k8s.io/api v0.27.2 h1:+H17AJpUMvl+clT+BPnKf0E3ksMAzoBBg7CntpSuADo=
-k8s.io/api v0.27.2/go.mod h1:ENmbocXfBT2ADujUXcBhHV55RIT31IIEvkntP6vZKS4=
-k8s.io/apiextensions-apiserver v0.27.2 h1:iwhyoeS4xj9Y7v8YExhUwbVuBhMr3Q4bd/laClBV6Bo=
-k8s.io/apiextensions-apiserver v0.27.2/go.mod h1:Oz9UdvGguL3ULgRdY9QMUzL2RZImotgxvGjdWRq6ZXQ=
-k8s.io/apimachinery v0.27.2 h1:vBjGaKKieaIreI+oQwELalVG4d8f3YAMNpWLzDXkxeg=
-k8s.io/apimachinery v0.27.2/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
-k8s.io/client-go v0.27.2 h1:vDLSeuYvCHKeoQRhCXjxXO45nHVv2Ip4Fe0MfioMrhE=
-k8s.io/client-go v0.27.2/go.mod h1:tY0gVmUsHrAmjzHX9zs7eCjxcBsf8IiNe7KQ52biTcQ=
-k8s.io/component-base v0.27.2 h1:neju+7s/r5O4x4/txeUONNTS9r1HsPbyoPBAtHsDCpo=
-k8s.io/component-base v0.27.2/go.mod h1:5UPk7EjfgrfgRIuDBFtsEFAe4DAvP3U+M8RTzoSJkpo=
+k8s.io/api v0.28.2 h1:9mpl5mOb6vXZvqbQmankOfPIGiudghwCoLl1EYfUZbw=
+k8s.io/api v0.28.2/go.mod h1:RVnJBsjU8tcMq7C3iaRSGMeaKt2TWEUXcpIt/90fjEg=
+k8s.io/apiextensions-apiserver v0.28.2 h1:J6/QRWIKV2/HwBhHRVITMLYoypCoPY1ftigDM0Kn+QU=
+k8s.io/apiextensions-apiserver v0.28.2/go.mod h1:5tnkxLGa9nefefYzWuAlWZ7RZYuN/765Au8cWLA6SRg=
+k8s.io/apimachinery v0.28.2 h1:KCOJLrc6gu+wV1BYgwik4AF4vXOlVJPdiqn0yAWWwXQ=
+k8s.io/apimachinery v0.28.2/go.mod h1:RdzF87y/ngqk9H4z3EL2Rppv5jj95vGS/HaFXrLDApU=
+k8s.io/client-go v0.28.2 h1:DNoYI1vGq0slMBN/SWKMZMw0Rq+0EQW6/AK4v9+3VeY=
+k8s.io/client-go v0.28.2/go.mod h1:sMkApowspLuc7omj1FOSUxSoqjr+d5Q0Yc0LOFnYFJY=
+k8s.io/component-base v0.28.2 h1:Yc1yU+6AQSlpJZyvehm/NkJBII72rzlEsd6MkBQ+G0E=
+k8s.io/component-base v0.28.2/go.mod h1:4IuQPQviQCg3du4si8GpMrhAIegxpsgPngPRR/zWpzc=
 k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
 k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
-k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
-k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk=
-k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20230928205116-a78145627833 h1:iFFEmmB7szQhJP42AvRD2+gzdVP7EuIKY1rJgxf0JZY=
+k8s.io/kube-openapi v0.0.0-20230928205116-a78145627833/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 mvdan.cc/gofumpt v0.5.0 h1:0EQ+Z56k8tXjj/6TQD25BFNKQXpCvT0rnansIc7Ug5E=
 mvdan.cc/gofumpt v0.5.0/go.mod h1:HBeVDtMKRZpXyxFciAirzdKklDlGu8aAy1wEbH5Y9js=
 mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed h1:WX1yoOaKQfddO/mLzdV4wptyWgoH/6hwLs7QHTixo0I=
@@ -1485,13 +1464,13 @@ nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/controller-runtime v0.15.0 h1:ML+5Adt3qZnMSYxZ7gAverBLNPSMQEibtzAgp0UPojU=
-sigs.k8s.io/controller-runtime v0.15.0/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk=
+sigs.k8s.io/controller-runtime v0.16.2 h1:mwXAVuEk3EQf478PQwQ48zGOXvW27UJc8NHktQVuIPU=
+sigs.k8s.io/controller-runtime v0.16.2/go.mod h1:vpMu3LpI5sYWtujJOa2uPK61nB5rbwlN7BAB8aSLvGU=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
+sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk=
+sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
-software.sslmate.com/src/go-pkcs12 v0.2.0 h1:nlFkj7bTysH6VkC4fGphtjXRbezREPgrHuJG20hBGPE=
-software.sslmate.com/src/go-pkcs12 v0.2.0/go.mod h1:23rNcYsMabIc1otwLpTkCCPwUq6kQsTyowttG/as0kQ=
+software.sslmate.com/src/go-pkcs12 v0.2.1 h1:tbT1jjaeFOF230tzOIRJ6U5S1jNqpsSyNjzDd58H3J8=
+software.sslmate.com/src/go-pkcs12 v0.2.1/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
--- a/go.toolchain.rev
+++ b/go.toolchain.rev
@@ -1 +1 @@
-27f103a44f8fd34a2cc36995ce7bf83d04433ead
+f242beecd311476f6e6b9fa3052e253e2301e170
--- a/gomod_test.go
+++ b/gomod_test.go
@@ -0,0 +1,25 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package tailscaleroot
+
+import (
+	"os"
+	"testing"
+
+	"golang.org/x/mod/modfile"
+)
+
+func TestGoMod(t *testing.T) {
+	goMod, err := os.ReadFile("go.mod")
+	if err != nil {
+		t.Fatal(err)
+	}
+	f, err := modfile.Parse("go.mod", goMod, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(f.Replace) > 0 {
+		t.Errorf("go.mod has %d replace directives; expect zero in this repo", len(f.Replace))
+	}
+}
--- a/hostinfo/hostinfo.go
+++ b/hostinfo/hostinfo.go
@@ -57,6 +57,7 @@ func New() *tailcfg.Hostinfo {
 		Cloud:           string(cloudenv.Get()),
 		NoLogsNoSupport: envknob.NoLogsNoSupport(),
 		AllowsUpdate:    envknob.AllowsRemoteUpdate(),
+		WoLMACs:         getWoLMACs(),
 	}
 }

--- a/hostinfo/hostinfo_windows.go
+++ b/hostinfo/hostinfo_windows.go
@@ -62,7 +62,8 @@ func packageTypeWindows() string {
 	if _, err := os.Stat(`C:\ProgramData\chocolatey\lib\tailscale`); err == nil {
 		return "choco"
 	}
-	if msiSentinel := winutil.GetRegInteger("MSI", 0); msiSentinel == 1 {
+	msiSentinel, _ := winutil.GetRegInteger("MSI")
+	if msiSentinel == 1 {
 		return "msi"
 	}
 	exe, err := os.Executable()
--- a/hostinfo/wol.go
+++ b/hostinfo/wol.go
@@ -0,0 +1,106 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package hostinfo
+
+import (
+	"log"
+	"net"
+	"runtime"
+	"strings"
+	"unicode"
+
+	"tailscale.com/envknob"
+)
+
+// TODO(bradfitz): this is all too simplistic and static. It needs to run
+// continuously in response to netmon events (USB ethernet adapaters might get
+// plugged in) and look for the media type/status/etc. Right now on macOS it
+// still detects a half dozen "up" en0, en1, en2, en3 etc interfaces that don't
+// have any media. We should only report the one that's actually connected.
+// But it works for now (2023-10-05) for fleshing out the rest.
+
+var wakeMAC = envknob.RegisterString("TS_WAKE_MAC") // mac address, "false" or "auto". for https://github.com/tailscale/tailscale/issues/306
+
+// getWoLMACs returns up to 10 MAC address of the local machine to send
+// wake-on-LAN packets to in order to wake it up. The returned MACs are in
+// lowercase hex colon-separated form ("xx:xx:xx:xx:xx:xx").
+//
+// If TS_WAKE_MAC=auto, it tries to automatically find the MACs based on the OS
+// type and interface properties. (TODO(bradfitz): incomplete) If TS_WAKE_MAC is
+// set to a MAC address, that sole MAC address is returned.
+func getWoLMACs() (macs []string) {
+	switch runtime.GOOS {
+	case "ios", "android":
+		return nil
+	}
+	if s := wakeMAC(); s != "" {
+		switch s {
+		case "auto":
+			ifs, _ := net.Interfaces()
+			for _, iface := range ifs {
+				if iface.Flags&net.FlagLoopback != 0 {
+					continue
+				}
+				if iface.Flags&net.FlagBroadcast == 0 ||
+					iface.Flags&net.FlagRunning == 0 ||
+					iface.Flags&net.FlagUp == 0 {
+					continue
+				}
+				if keepMAC(iface.Name, iface.HardwareAddr) {
+					macs = append(macs, iface.HardwareAddr.String())
+				}
+				if len(macs) == 10 {
+					break
+				}
+			}
+			return macs
+		case "false", "off": // fast path before ParseMAC error
+			return nil
+		}
+		mac, err := net.ParseMAC(s)
+		if err != nil {
+			log.Printf("invalid MAC %q", s)
+			return nil
+		}
+		return []string{mac.String()}
+	}
+	return nil
+}
+
+var ignoreWakeOUI = map[[3]byte]bool{
+	{0x00, 0x15, 0x5d}: true, // Hyper-V
+	{0x00, 0x50, 0x56}: true, // VMware
+	{0x00, 0x1c, 0x14}: true, // VMware
+	{0x00, 0x05, 0x69}: true, // VMware
+	{0x00, 0x0c, 0x29}: true, // VMware
+	{0x00, 0x1c, 0x42}: true, // Parallels
+	{0x08, 0x00, 0x27}: true, // VirtualBox
+	{0x00, 0x21, 0xf6}: true, // VirtualBox
+	{0x00, 0x14, 0x4f}: true, // VirtualBox
+	{0x00, 0x0f, 0x4b}: true, // VirtualBox
+	{0x52, 0x54, 0x00}: true, // VirtualBox/Vagrant
+}
+
+func keepMAC(ifName string, mac []byte) bool {
+	if len(mac) != 6 {
+		return false
+	}
+	base := strings.TrimRightFunc(ifName, unicode.IsNumber)
+	switch runtime.GOOS {
+	case "darwin":
+		switch base {
+		case "llw", "awdl", "utun", "bridge", "lo", "gif", "stf", "anpi", "ap":
+			return false
+		}
+	}
+	if mac[0] == 0x02 && mac[1] == 0x42 {
+		// Docker container.
+		return false
+	}
+	oui := [3]byte{mac[0], mac[1], mac[2]}
+	if ignoreWakeOUI[oui] {
+		return false
+	}
+	return true
+}
--- a/ipn/backend.go
+++ b/ipn/backend.go
@@ -192,6 +192,13 @@ type PartialFile struct {
 //   - "_debug_<component>_until" with value being a unix timestamp stringified
 type StateKey string

+// DebuggableComponents is a list of components whose debugging can be turned on
+// and off individually using the tailscale debug command.
+var DebuggableComponents = []string{
+	"magicsock",
+	"sockstats",
+}
+
 type Options struct {
 	// FrontendLogID is the public logtail id used by the frontend.
 	FrontendLogID string
--- a/ipn/ipnlocal/c2n.go
+++ b/ipn/ipnlocal/c2n.go
@@ -9,31 +9,36 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"runtime"
+	"sort"
 	"strconv"
 	"strings"
 	"time"

+	"github.com/kortschak/wol"
 	"tailscale.com/clientupdate"
 	"tailscale.com/envknob"
 	"tailscale.com/net/sockstats"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/goroutines"
+	"tailscale.com/util/httpm"
 	"tailscale.com/version"
 )

 var c2nLogHeap func(http.ResponseWriter, *http.Request) // non-nil on most platforms (c2n_pprof.go)

+func writeJSON(w http.ResponseWriter, v any) {
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(v)
+}
+
 func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
-	writeJSON := func(v any) {
-		w.Header().Set("Content-Type", "application/json")
-		json.NewEncoder(w).Encode(v)
-	}
 	switch r.URL.Path {
 	case "/echo":
 		// Test handler.
@@ -41,14 +46,17 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 		w.Write(body)
 	case "/update":
 		switch r.Method {
-		case http.MethodGet:
+		case httpm.GET:
 			b.handleC2NUpdateGet(w, r)
-		case http.MethodPost:
+		case httpm.POST:
 			b.handleC2NUpdatePost(w, r)
 		default:
 			http.Error(w, "bad method", http.StatusMethodNotAllowed)
 			return
 		}
+	case "/wol":
+		b.handleC2NWoL(w, r)
+		return
 	case "/logtail/flush":
 		if r.Method != "POST" {
 			http.Error(w, "bad method", http.StatusMethodNotAllowed)
@@ -63,7 +71,7 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "text/plain")
 		w.Write(goroutines.ScrubbedGoroutineDump(true))
 	case "/debug/prefs":
-		writeJSON(b.Prefs())
+		writeJSON(w, b.Prefs())
 	case "/debug/metrics":
 		w.Header().Set("Content-Type", "text/plain")
 		clientmetric.WritePrometheusExpositionFormat(w)
@@ -81,7 +89,7 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 		if err != nil {
 			res.Error = err.Error()
 		}
-		writeJSON(res)
+		writeJSON(w, res)
 	case "/debug/logheap":
 		if c2nLogHeap != nil {
 			c2nLogHeap(w, r)
@@ -102,7 +110,7 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, err.Error(), 500)
 			return
 		}
-		writeJSON(res)
+		writeJSON(w, res)
 	case "/sockstats":
 		if r.Method != "POST" {
 			http.Error(w, "bad method", http.StatusMethodNotAllowed)
@@ -269,3 +277,56 @@ func findCmdTailscale() (string, error) {
 	}
 	return "", fmt.Errorf("unsupported OS %v", runtime.GOOS)
 }
+
+func (b *LocalBackend) handleC2NWoL(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "POST" {
+		http.Error(w, "bad method", http.StatusMethodNotAllowed)
+		return
+	}
+	r.ParseForm()
+	var macs []net.HardwareAddr
+	for _, macStr := range r.Form["mac"] {
+		mac, err := net.ParseMAC(macStr)
+		if err != nil {
+			http.Error(w, "bad 'mac' param", http.StatusBadRequest)
+			return
+		}
+		macs = append(macs, mac)
+	}
+	var res struct {
+		SentTo []string
+		Errors []string
+	}
+	st := b.sys.NetMon.Get().InterfaceState()
+	if st == nil {
+		res.Errors = append(res.Errors, "no interface state")
+		writeJSON(w, &res)
+		return
+	}
+	var password []byte // TODO(bradfitz): support? does anything use WoL passwords?
+	for _, mac := range macs {
+		for ifName, ips := range st.InterfaceIPs {
+			for _, ip := range ips {
+				if ip.Addr().IsLoopback() || ip.Addr().Is6() {
+					continue
+				}
+				local := &net.UDPAddr{
+					IP:   ip.Addr().AsSlice(),
+					Port: 0,
+				}
+				remote := &net.UDPAddr{
+					IP:   net.IPv4bcast,
+					Port: 0,
+				}
+				if err := wol.Wake(mac, password, local, remote); err != nil {
+					res.Errors = append(res.Errors, err.Error())
+				} else {
+					res.SentTo = append(res.SentTo, ifName)
+				}
+				break // one per interface is enough
+			}
+		}
+	}
+	sort.Strings(res.SentTo)
+	writeJSON(w, &res)
+}
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -62,6 +62,7 @@ import (
 	"tailscale.com/portlist"
 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
+	"tailscale.com/taildrop"
 	"tailscale.com/tka"
 	"tailscale.com/tsd"
 	"tailscale.com/tstime"
@@ -128,6 +129,13 @@ func RegisterNewSSHServer(fn newSSHServerFunc) {
 	newSSHServer = fn
 }

+// watchSession represents a WatchNotifications channel
+// and sessionID as required to close targeted buses.
+type watchSession struct {
+	ch        chan *ipn.Notify
+	sessionID string
+}
+
 // LocalBackend is the glue between the major pieces of the Tailscale
 // network software: the cloud control plane (via controlclient), the
 // network data plane (via wgengine), and the user-facing UIs and CLIs
@@ -233,7 +241,7 @@ type LocalBackend struct {
 	loginFlags       controlclient.LoginFlags
 	incomingFiles    map[*incomingFile]bool
 	fileWaiters      set.HandleSet[context.CancelFunc] // of wake-up funcs
-	notifyWatchers   set.HandleSet[chan *ipn.Notify]
+	notifyWatchers   set.HandleSet[*watchSession]
 	lastStatusTime   time.Time // status.AsOf value of the last processed status update
 	// directFileRoot, if non-empty, means to write received files
 	// directly to this directory, without staging them in an
@@ -301,7 +309,11 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 	dialer := sys.Dialer.Get()
 	_ = sys.MagicSock.Get() // or panic

-	pm, err := newProfileManager(store, logf)
+	goos := envknob.GOOS()
+	if loginFlags&controlclient.LocalBackendStartKeyOSNeutral != 0 {
+		goos = ""
+	}
+	pm, err := newProfileManagerWithGOOS(store, logf, goos)
 	if err != nil {
 		return nil, err
 	}
@@ -375,7 +387,7 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 		b.logf("[unexpected] failed to wire up PeerAPI port for engine %T", e)
 	}

-	for _, component := range debuggableComponents {
+	for _, component := range ipn.DebuggableComponents {
 		key := componentStateKey(component)
 		if ut, err := ipn.ReadStoreInt(pm.Store(), key); err == nil {
 			if until := time.Unix(ut, 0); until.After(b.clock.Now()) {
@@ -393,11 +405,6 @@ type componentLogState struct {
 	timer tstime.TimerController // if non-nil, the AfterFunc to disable it
 }

-var debuggableComponents = []string{
-	"magicsock",
-	"sockstats",
-}
-
 func componentStateKey(component string) ipn.StateKey {
 	return ipn.StateKey("_debug_" + component + "_until")
 }
@@ -429,7 +436,7 @@ func (b *LocalBackend) SetComponentDebugLogging(component string, until time.Tim
 			}
 		}
 	}
-	if setEnabled == nil || !slices.Contains(debuggableComponents, component) {
+	if setEnabled == nil || !slices.Contains(ipn.DebuggableComponents, component) {
 		return fmt.Errorf("unknown component %q", component)
 	}
 	timeUnixOrZero := func(t time.Time) int64 {
@@ -868,9 +875,16 @@ func (b *LocalBackend) WhoIs(ipp netip.AddrPort) (n tailcfg.NodeView, u tailcfg.
 			return zero, u, false
 		}
 	}
+	if b.netMap == nil {
+		return zero, u, false
+	}
 	n, ok = b.peers[nid]
 	if !ok {
-		return zero, u, false
+		// Check if this the self-node, which would not appear in peers.
+		if !b.netMap.SelfNode.Valid() || nid != b.netMap.SelfNode.ID() {
+			return zero, u, false
+		}
+		n = b.netMap.SelfNode
 	}
 	u, ok = b.netMap.UserProfiles[n.User()]
 	if !ok {
@@ -2051,7 +2065,7 @@ func (b *LocalBackend) WatchNotifications(ctx context.Context, mask ipn.NotifyWa
 		}
 	}

-	handle := b.notifyWatchers.Add(ch)
+	handle := b.notifyWatchers.Add(&watchSession{ch, sessionID})
 	b.mu.Unlock()

 	defer func() {
@@ -2096,8 +2110,8 @@ func (b *LocalBackend) WatchNotifications(ctx context.Context, mask ipn.NotifyWa
 		select {
 		case <-ctx.Done():
 			return
-		case n := <-ch:
-			if !fn(n) {
+		case n, ok := <-ch:
+			if !ok || !fn(n) {
 				return
 			}
 		}
@@ -2126,6 +2140,23 @@ func (b *LocalBackend) DebugNotify(n ipn.Notify) {
 	b.send(n)
 }

+// DebugForceNetmapUpdate forces a full no-op netmap update of the current
+// netmap in all the various subsystems (wireguard, magicsock, LocalBackend).
+//
+// It exists for load testing reasons (for issue 1909), doing what would happen
+// if a new MapResponse came in from the control server that couldn't be handled
+// incrementally.
+func (b *LocalBackend) DebugForceNetmapUpdate() {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	nm := b.netMap
+	b.e.SetNetworkMap(nm)
+	if nm != nil {
+		b.magicConn().SetDERPMap(nm.DERPMap)
+	}
+	b.setNetMapLocked(nm)
+}
+
 // send delivers n to the connected frontend and any API watchers from
 // LocalBackend.WatchNotifications (via the LocalAPI).
 //
@@ -2146,13 +2177,13 @@ func (b *LocalBackend) send(n ipn.Notify) {
 	b.mu.Lock()
 	notifyFunc := b.notify
 	apiSrv := b.peerAPIServer
-	if apiSrv.hasFilesWaiting() {
+	if mayDeref(apiSrv).taildrop.HasFilesWaiting() {
 		n.FilesWaiting = &empty.Message{}
 	}

-	for _, ch := range b.notifyWatchers {
+	for _, sess := range b.notifyWatchers {
 		select {
-		case ch <- &n:
+		case sess.ch <- &n:
 		default:
 			// Drop the notification if the channel is full.
 		}
@@ -3030,7 +3061,7 @@ func (b *LocalBackend) peerAPIServicesLocked() (ret []tailcfg.Service) {
 		})
 	}
 	switch runtime.GOOS {
-	case "linux", "freebsd", "openbsd", "illumos", "darwin", "windows":
+	case "linux", "freebsd", "openbsd", "illumos", "darwin", "windows", "android", "ios":
 		// These are the platforms currently supported by
 		// net/dns/resolver/tsdns.go:Resolver.HandleExitNodeDNSQuery.
 		ret = append(ret, tailcfg.Service{
@@ -3308,9 +3339,7 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.
 	}

 	addDefault := func(resolvers []*dnstype.Resolver) {
-		for _, r := range resolvers {
-			dcfg.DefaultResolvers = append(dcfg.DefaultResolvers, r)
-		}
+		dcfg.DefaultResolvers = append(dcfg.DefaultResolvers, resolvers...)
 	}

 	// If we're using an exit node and that exit node is new enough (1.19.x+)
@@ -3320,14 +3349,17 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.
 		return dcfg
 	}

-	// If we're using an exit node and that exit node is IsWireGuardOnly with
-	// ExitNodeDNSResolver set, then add that as the default.
-	if resolvers, ok := wireguardExitNodeDNSResolvers(nm, peers, prefs.ExitNodeID()); ok {
-		addDefault(resolvers)
-		return dcfg
+	// If the user has set default resolvers ("override local DNS"), prefer to
+	// use those resolvers as the default, otherwise if there are WireGuard exit
+	// node resolvers, use those as the default.
+	if len(nm.DNS.Resolvers) > 0 {
+		addDefault(nm.DNS.Resolvers)
+	} else {
+		if resolvers, ok := wireguardExitNodeDNSResolvers(nm, peers, prefs.ExitNodeID()); ok {
+			addDefault(resolvers)
+		}
 	}

-	addDefault(nm.DNS.Resolvers)
 	for suffix, resolvers := range nm.DNS.Routes {
 		fqdn, err := dnsname.ToFQDN(suffix)
 		if err != nil {
@@ -3342,11 +3374,10 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.
 		//
 		// While we're already populating it, might as well size the
 		// slice appropriately.
+		// Per #9498 the exact requirements of nil vs empty slice remain
+		// unclear, this is a haunted graveyard to be resolved.
 		dcfg.Routes[fqdn] = make([]*dnstype.Resolver, 0, len(resolvers))
-
-		for _, r := range resolvers {
-			dcfg.Routes[fqdn] = append(dcfg.Routes[fqdn], r)
-		}
+		dcfg.Routes[fqdn] = append(dcfg.Routes[fqdn], resolvers...)
 	}

 	// Set FallbackResolvers as the default resolvers in the
@@ -3516,10 +3547,14 @@ func (b *LocalBackend) initPeerAPIListener() {
 	}

 	ps := &peerAPIServer{
-		b:                       b,
-		rootDir:                 fileRoot,
-		directFileMode:          b.directFileRoot != "",
-		directFileDoFinalRename: b.directFileDoFinalRename,
+		b: b,
+		taildrop: &taildrop.Handler{
+			Logf:                    b.logf,
+			Clock:                   b.clock,
+			RootDir:                 fileRoot,
+			DirectFileMode:          b.directFileRoot != "",
+			DirectFileDoFinalRename: b.directFileDoFinalRename,
+		},
 	}
 	if dm, ok := b.sys.DNSManager.GetOK(); ok {
 		ps.resolver = dm.Resolver()
@@ -4403,7 +4438,7 @@ func (b *LocalBackend) WaitingFiles() ([]apitype.WaitingFile, error) {
 	b.mu.Lock()
 	apiSrv := b.peerAPIServer
 	b.mu.Unlock()
-	return apiSrv.WaitingFiles()
+	return mayDeref(apiSrv).taildrop.WaitingFiles()
 }

 // AwaitWaitingFiles is like WaitingFiles but blocks while ctx is not done,
@@ -4445,14 +4480,14 @@ func (b *LocalBackend) DeleteFile(name string) error {
 	b.mu.Lock()
 	apiSrv := b.peerAPIServer
 	b.mu.Unlock()
-	return apiSrv.DeleteFile(name)
+	return mayDeref(apiSrv).taildrop.DeleteFile(name)
 }

 func (b *LocalBackend) OpenFile(name string) (rc io.ReadCloser, size int64, err error) {
 	b.mu.Lock()
 	apiSrv := b.peerAPIServer
 	b.mu.Unlock()
-	return apiSrv.OpenFile(name)
+	return mayDeref(apiSrv).taildrop.OpenFile(name)
 }

 // hasCapFileSharing reports whether the current node has the file
@@ -4752,14 +4787,16 @@ func wireguardExitNodeDNSResolvers(nm *netmap.NetworkMap, peers map[tailcfg.Node
 	}

 	for _, p := range peers {
-		if p.StableID() == exitNodeID && p.IsWireGuardOnly() {
-			resolvers := p.ExitNodeDNSResolvers()
-			if !resolvers.IsNil() && resolvers.Len() > 0 {
-				copies := make([]*dnstype.Resolver, resolvers.Len())
-				for i := range resolvers.LenIter() {
-					copies[i] = resolvers.At(i).AsStruct()
+		if p.StableID() == exitNodeID {
+			if p.IsWireGuardOnly() {
+				resolvers := p.ExitNodeDNSResolvers()
+				if !resolvers.IsNil() && resolvers.Len() > 0 {
+					copies := make([]*dnstype.Resolver, resolvers.Len())
+					for i := range resolvers.LenIter() {
+						copies[i] = resolvers.At(i).AsStruct()
+					}
+					return copies, true
 				}
-				return copies, true
 			}
 			return nil, false
 		}
@@ -5265,3 +5302,11 @@ func (b *LocalBackend) DebugBreakTCPConns() error {
 func (b *LocalBackend) DebugBreakDERPConns() error {
 	return b.magicConn().DebugBreakDERPConns()
 }
+
+// mayDeref dereferences p if non-nil, otherwise it returns the zero value.
+func mayDeref[T any](p *T) (v T) {
+	if p == nil {
+		return v
+	}
+	return *p
+}
--- a/ipn/ipnlocal/local_test.go
+++ b/ipn/ipnlocal/local_test.go
@@ -28,6 +28,7 @@ import (
 	"tailscale.com/types/logid"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/ptr"
+	"tailscale.com/util/dnsname"
 	"tailscale.com/util/set"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
@@ -403,10 +404,7 @@ func (panicOnUseTransport) RoundTrip(*http.Request) (*http.Response, error) {
 	panic("unexpected HTTP request")
 }

-// Issue 1573: don't generate a machine key if we don't want to be running.
-func TestLazyMachineKeyGeneration(t *testing.T) {
-	tstest.Replace(t, &panicOnMachineKeyGeneration, func() bool { return true })
-
+func newTestLocalBackend(t testing.TB) *LocalBackend {
 	var logf logger.Logf = logger.Discard
 	sys := new(tsd.System)
 	store := new(mem.Store)
@@ -421,7 +419,14 @@ func TestLazyMachineKeyGeneration(t *testing.T) {
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
 	}
+	return lb
+}

+// Issue 1573: don't generate a machine key if we don't want to be running.
+func TestLazyMachineKeyGeneration(t *testing.T) {
+	tstest.Replace(t, &panicOnMachineKeyGeneration, func() bool { return true })
+
+	lb := newTestLocalBackend(t)
 	lb.SetHTTPTestClient(&http.Client{
 		Transport: panicOnUseTransport{}, // validate we don't send HTTP requests
 	})
@@ -673,21 +678,8 @@ func TestPacketFilterPermitsUnlockedNodes(t *testing.T) {
 }

 func TestStatusWithoutPeers(t *testing.T) {
-	logf := tstest.WhileTestRunningLogger(t)
-	store := new(testStateStorage)
-	sys := new(tsd.System)
-	sys.Set(store)
-	e, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
-	if err != nil {
-		t.Fatalf("NewFakeUserspaceEngine: %v", err)
-	}
-	sys.Set(e)
-	t.Cleanup(e.Close)
+	b := newTestLocalBackend(t)

-	b, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
-	if err != nil {
-		t.Fatalf("NewLocalBackend: %v", err)
-	}
 	var cc *mockControl
 	b.SetControlClientGetterForTesting(func(opts controlclient.Options) (controlclient.Client, error) {
 		cc = newClient(t, opts)
@@ -762,9 +754,9 @@ func TestWatchNotificationsCallbacks(t *testing.T) {
 		}
 		// Send a notification. Range over notifyWatchers to get the channel
 		// because WatchNotifications doesn't expose the handle for it.
-		for _, c := range b.notifyWatchers {
+		for _, sess := range b.notifyWatchers {
 			select {
-			case c <- n:
+			case sess.ch <- n:
 			default:
 				t.Fatalf("could not send notification")
 			}
@@ -857,6 +849,59 @@ func TestUpdateNetmapDelta(t *testing.T) {
 	}
 }

+// tests WhoIs and indirectly that setNetMapLocked updates b.nodeByAddr correctly.
+func TestWhoIs(t *testing.T) {
+	b := newTestLocalBackend(t)
+	b.setNetMapLocked(&netmap.NetworkMap{
+		SelfNode: (&tailcfg.Node{
+			ID:        1,
+			User:      10,
+			Addresses: []netip.Prefix{netip.MustParsePrefix("100.101.102.103/32")},
+		}).View(),
+		Peers: []tailcfg.NodeView{
+			(&tailcfg.Node{
+				ID:        2,
+				User:      20,
+				Addresses: []netip.Prefix{netip.MustParsePrefix("100.200.200.200/32")},
+			}).View(),
+		},
+		UserProfiles: map[tailcfg.UserID]tailcfg.UserProfile{
+			10: {
+				DisplayName: "Myself",
+			},
+			20: {
+				DisplayName: "Peer",
+			},
+		},
+	})
+	tests := []struct {
+		q        string
+		want     tailcfg.NodeID // 0 means want ok=false
+		wantName string
+	}{
+		{"100.101.102.103:0", 1, "Myself"},
+		{"100.101.102.103:123", 1, "Myself"},
+		{"100.200.200.200:0", 2, "Peer"},
+		{"100.200.200.200:123", 2, "Peer"},
+		{"100.4.0.4:404", 0, ""},
+	}
+	for _, tt := range tests {
+		t.Run(tt.q, func(t *testing.T) {
+			nv, up, ok := b.WhoIs(netip.MustParseAddrPort(tt.q))
+			var got tailcfg.NodeID
+			if ok {
+				got = nv.ID()
+			}
+			if got != tt.want {
+				t.Errorf("got nodeID %v; want %v", got, tt.want)
+			}
+			if up.DisplayName != tt.wantName {
+				t.Errorf("got name %q; want %q", up.DisplayName, tt.wantName)
+			}
+		})
+	}
+}
+
 func TestWireguardExitNodeDNSResolvers(t *testing.T) {
 	type tc struct {
 		name          string
@@ -922,41 +967,191 @@ func TestWireguardExitNodeDNSResolvers(t *testing.T) {
 		nm := &netmap.NetworkMap{}
 		gotResolvers, gotOK := wireguardExitNodeDNSResolvers(nm, peers, tc.id)

-		if gotOK != tc.wantOK || !resolversEqual(gotResolvers, tc.wantResolvers) {
+		if gotOK != tc.wantOK || !resolversEqual(t, gotResolvers, tc.wantResolvers) {
 			t.Errorf("case: %s: got %v, %v, want %v, %v", tc.name, gotOK, gotResolvers, tc.wantOK, tc.wantResolvers)
 		}
 	}
 }

-func TestDNSConfigForNetmapForWireguardExitNode(t *testing.T) {
-	resolvers := []*dnstype.Resolver{{Addr: "dns.example.com"}}
-	nm := &netmap.NetworkMap{}
-	peers := map[tailcfg.NodeID]tailcfg.NodeView{
-		1: (&tailcfg.Node{
-			ID:                   1,
-			StableID:             "1",
-			IsWireGuardOnly:      true,
-			ExitNodeDNSResolvers: resolvers,
-			Hostinfo:             (&tailcfg.Hostinfo{}).View(),
-		}).View(),
-	}
-	prefs := &ipn.Prefs{
-		ExitNodeID: "1",
-		CorpDNS:    true,
+func TestDNSConfigForNetmapForExitNodeConfigs(t *testing.T) {
+	type tc struct {
+		name                 string
+		exitNode             tailcfg.StableNodeID
+		peers                []tailcfg.NodeView
+		dnsConfig            *tailcfg.DNSConfig
+		wantDefaultResolvers []*dnstype.Resolver
+		wantRoutes           map[dnsname.FQDN][]*dnstype.Resolver
 	}

-	got := dnsConfigForNetmap(nm, peers, prefs.View(), t.Logf, "")
-	if !resolversEqual(got.DefaultResolvers, resolvers) {
-		t.Errorf("got %v, want %v", got.DefaultResolvers, resolvers)
+	defaultResolvers := []*dnstype.Resolver{{Addr: "default.example.com"}}
+	wgResolvers := []*dnstype.Resolver{{Addr: "wg.example.com"}}
+	peers := []tailcfg.NodeView{
+		(&tailcfg.Node{
+			ID:                   1,
+			StableID:             "wg",
+			IsWireGuardOnly:      true,
+			ExitNodeDNSResolvers: wgResolvers,
+			Hostinfo:             (&tailcfg.Hostinfo{}).View(),
+		}).View(),
+		// regular tailscale exit node with DNS capabilities
+		(&tailcfg.Node{
+			Cap:      26,
+			ID:       2,
+			StableID: "ts",
+			Hostinfo: (&tailcfg.Hostinfo{}).View(),
+		}).View(),
+	}
+	exitDOH := peerAPIBase(&netmap.NetworkMap{Peers: peers}, peers[0]) + "/dns-query"
+	routes := map[dnsname.FQDN][]*dnstype.Resolver{
+		"route.example.com.": {{Addr: "route.example.com"}},
+	}
+	stringifyRoutes := func(routes map[dnsname.FQDN][]*dnstype.Resolver) map[string][]*dnstype.Resolver {
+		if routes == nil {
+			return nil
+		}
+		m := make(map[string][]*dnstype.Resolver)
+		for k, v := range routes {
+			m[string(k)] = v
+		}
+		return m
+	}
+
+	tests := []tc{
+		{
+			name:                 "noExit/noRoutes/noResolver",
+			exitNode:             "",
+			peers:                peers,
+			dnsConfig:            &tailcfg.DNSConfig{},
+			wantDefaultResolvers: nil,
+			wantRoutes:           nil,
+		},
+		{
+			name:                 "tsExit/noRoutes/noResolver",
+			exitNode:             "ts",
+			peers:                peers,
+			dnsConfig:            &tailcfg.DNSConfig{},
+			wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
+			wantRoutes:           nil,
+		},
+		{
+			name:                 "tsExit/noRoutes/defaultResolver",
+			exitNode:             "ts",
+			peers:                peers,
+			dnsConfig:            &tailcfg.DNSConfig{Resolvers: defaultResolvers},
+			wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
+			wantRoutes:           nil,
+		},
+
+		// The following two cases may need to be revisited. For a shared-in
+		// exit node split-DNS may effectively break, furthermore in the future
+		// if different nodes observe different DNS configurations, even a
+		// tailnet local exit node may present a different DNS configuration,
+		// which may not meet expectations in some use cases.
+		// In the case where a default resolver is set, the default resolver
+		// should also perhaps take precedence also.
+		{
+			name:                 "tsExit/routes/noResolver",
+			exitNode:             "ts",
+			peers:                peers,
+			dnsConfig:            &tailcfg.DNSConfig{Routes: stringifyRoutes(routes)},
+			wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
+			wantRoutes:           nil,
+		},
+		{
+			name:                 "tsExit/routes/defaultResolver",
+			exitNode:             "ts",
+			peers:                peers,
+			dnsConfig:            &tailcfg.DNSConfig{Routes: stringifyRoutes(routes), Resolvers: defaultResolvers},
+			wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
+			wantRoutes:           nil,
+		},
+
+		// WireGuard exit nodes with DNS capabilities provide a "fallback" type
+		// behavior, they have a lower precedence than a default resolver, but
+		// otherwise allow split-DNS to operate as normal, and are used when
+		// there is no default resolver.
+		{
+			name:                 "wgExit/noRoutes/noResolver",
+			exitNode:             "wg",
+			peers:                peers,
+			dnsConfig:            &tailcfg.DNSConfig{},
+			wantDefaultResolvers: wgResolvers,
+			wantRoutes:           nil,
+		},
+		{
+			name:                 "wgExit/noRoutes/defaultResolver",
+			exitNode:             "wg",
+			peers:                peers,
+			dnsConfig:            &tailcfg.DNSConfig{Resolvers: defaultResolvers},
+			wantDefaultResolvers: defaultResolvers,
+			wantRoutes:           nil,
+		},
+		{
+			name:                 "wgExit/routes/defaultResolver",
+			exitNode:             "wg",
+			peers:                peers,
+			dnsConfig:            &tailcfg.DNSConfig{Routes: stringifyRoutes(routes), Resolvers: defaultResolvers},
+			wantDefaultResolvers: defaultResolvers,
+			wantRoutes:           routes,
+		},
+		{
+			name:                 "wgExit/routes/noResolver",
+			exitNode:             "wg",
+			peers:                peers,
+			dnsConfig:            &tailcfg.DNSConfig{Routes: stringifyRoutes(routes)},
+			wantDefaultResolvers: wgResolvers,
+			wantRoutes:           routes,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			nm := &netmap.NetworkMap{
+				Peers: tc.peers,
+				DNS:   *tc.dnsConfig,
+			}
+
+			prefs := &ipn.Prefs{ExitNodeID: tc.exitNode, CorpDNS: true}
+			got := dnsConfigForNetmap(nm, peersMap(tc.peers), prefs.View(), t.Logf, "")
+			if !resolversEqual(t, got.DefaultResolvers, tc.wantDefaultResolvers) {
+				t.Errorf("DefaultResolvers: got %#v, want %#v", got.DefaultResolvers, tc.wantDefaultResolvers)
+			}
+			if !routesEqual(t, got.Routes, tc.wantRoutes) {
+				t.Errorf("Routes: got %#v, want %#v", got.Routes, tc.wantRoutes)
+			}
+		})
 	}
 }

-func resolversEqual(a, b []*dnstype.Resolver) bool {
+func resolversEqual(t *testing.T, a, b []*dnstype.Resolver) bool {
+	if a == nil && b == nil {
+		return true
+	}
+	if a == nil || b == nil {
+		t.Errorf("resolversEqual: a == nil || b == nil : %#v != %#v", a, b)
+		return false
+	}
 	if len(a) != len(b) {
+		t.Errorf("resolversEqual: len(a) != len(b) : %#v != %#v", a, b)
 		return false
 	}
 	for i := range a {
 		if !a[i].Equal(b[i]) {
+			t.Errorf("resolversEqual: a != b [%d]: %v != %v", i, *a[i], *b[i])
+			return false
+		}
+	}
+	return true
+}
+
+func routesEqual(t *testing.T, a, b map[dnsname.FQDN][]*dnstype.Resolver) bool {
+	if len(a) != len(b) {
+		t.Logf("routes: len(a) != len(b): %d != %d", len(a), len(b))
+		return false
+	}
+	for name := range a {
+		if !resolversEqual(t, a[name], b[name]) {
+			t.Logf("routes: a != b [%s]: %v != %v", name, a[name], b[name])
 			return false
 		}
 	}
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -9,47 +9,39 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"hash/adler32"
 	"hash/crc32"
 	"html"
 	"io"
-	"io/fs"
 	"net"
 	"net/http"
 	"net/netip"
 	"net/url"
 	"os"
-	"path"
-	"path/filepath"
 	"runtime"
 	"slices"
 	"sort"
 	"strconv"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"
-	"unicode"
-	"unicode/utf8"

 	"github.com/kortschak/wol"
 	"golang.org/x/net/dns/dnsmessage"
 	"golang.org/x/net/http/httpguts"
-	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/envknob"
 	"tailscale.com/health"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
-	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/dns/resolver"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/netaddr"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/sockstats"
 	"tailscale.com/tailcfg"
+	"tailscale.com/taildrop"
+	"tailscale.com/tstime"
 	"tailscale.com/types/views"
 	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/multierr"
 	"tailscale.com/version/distro"
 	"tailscale.com/wgengine/filter"
 )
@@ -61,390 +53,16 @@ var initListenConfig func(*net.ListenConfig, netip.Addr, *interfaces.State, stri
 var addH2C func(*http.Server)

 type peerAPIServer struct {
-	b          *LocalBackend
-	rootDir    string // empty means file receiving unavailable
-	knownEmpty atomic.Bool
-	resolver   *resolver.Resolver
+	b        *LocalBackend
+	resolver *resolver.Resolver

-	// directFileMode is whether we're writing files directly to a
-	// download directory (as *.partial files), rather than making
-	// the frontend retrieve it over localapi HTTP and write it
-	// somewhere itself. This is used on the GUI macOS versions
-	// and on Synology.
-	// In directFileMode, the peerapi doesn't do the final rename
-	// from "foo.jpg.partial" to "foo.jpg" unless
-	// directFileDoFinalRename is set.
-	directFileMode bool
-
-	// directFileDoFinalRename is whether in directFileMode we
-	// additionally move the *.direct file to its final name after
-	// it's received.
-	directFileDoFinalRename bool
-}
-
-const (
-	// partialSuffix is the suffix appended to files while they're
-	// still in the process of being transferred.
-	partialSuffix = ".partial"
-
-	// deletedSuffix is the suffix for a deleted marker file
-	// that's placed next to a file (without the suffix) that we
-	// tried to delete, but Windows wouldn't let us. These are
-	// only written on Windows (and in tests), but they're not
-	// permitted to be uploaded directly on any platform, like
-	// partial files.
-	deletedSuffix = ".deleted"
-)
-
-func validFilenameRune(r rune) bool {
-	switch r {
-	case '/':
-		return false
-	case '\\', ':', '*', '"', '<', '>', '|':
-		// Invalid stuff on Windows, but we reject them everywhere
-		// for now.
-		// TODO(bradfitz): figure out a better plan. We initially just
-		// wrote things to disk URL path-escaped, but that's gross
-		// when debugging, and just moves the problem to callers.
-		// So now we put the UTF-8 filenames on disk directly as
-		// sent.
-		return false
-	}
-	return unicode.IsPrint(r)
-}
-
-func (s *peerAPIServer) diskPath(baseName string) (fullPath string, ok bool) {
-	if !utf8.ValidString(baseName) {
-		return "", false
-	}
-	if strings.TrimSpace(baseName) != baseName {
-		return "", false
-	}
-	if len(baseName) > 255 {
-		return "", false
-	}
-	// TODO: validate unicode normalization form too? Varies by platform.
-	clean := path.Clean(baseName)
-	if clean != baseName ||
-		clean == "." || clean == ".." ||
-		strings.HasSuffix(clean, deletedSuffix) ||
-		strings.HasSuffix(clean, partialSuffix) {
-		return "", false
-	}
-	for _, r := range baseName {
-		if !validFilenameRune(r) {
-			return "", false
-		}
-	}
-	return filepath.Join(s.rootDir, baseName), true
-}
-
-// hasFilesWaiting reports whether any files are buffered in the
-// tailscaled daemon storage.
-func (s *peerAPIServer) hasFilesWaiting() bool {
-	if s == nil || s.rootDir == "" || s.directFileMode {
-		return false
-	}
-	if s.knownEmpty.Load() {
-		// Optimization: this is usually empty, so avoid opening
-		// the directory and checking. We can't cache the actual
-		// has-files-or-not values as the macOS/iOS client might
-		// in the future use+delete the files directly. So only
-		// keep this negative cache.
-		return false
-	}
-	f, err := os.Open(s.rootDir)
-	if err != nil {
-		return false
-	}
-	defer f.Close()
-	for {
-		des, err := f.ReadDir(10)
-		for _, de := range des {
-			name := de.Name()
-			if strings.HasSuffix(name, partialSuffix) {
-				continue
-			}
-			if name, ok := strings.CutSuffix(name, deletedSuffix); ok { // for Windows + tests
-				// After we're done looping over files, then try
-				// to delete this file. Don't do it proactively,
-				// as the OS may return "foo.jpg.deleted" before "foo.jpg"
-				// and we don't want to delete the ".deleted" file before
-				// enumerating to the "foo.jpg" file.
-				defer tryDeleteAgain(filepath.Join(s.rootDir, name))
-				continue
-			}
-			if de.Type().IsRegular() {
-				_, err := os.Stat(filepath.Join(s.rootDir, name+deletedSuffix))
-				if os.IsNotExist(err) {
-					return true
-				}
-				if err == nil {
-					tryDeleteAgain(filepath.Join(s.rootDir, name))
-					continue
-				}
-			}
-		}
-		if err == io.EOF {
-			s.knownEmpty.Store(true)
-		}
-		if err != nil {
-			break
-		}
-	}
-	return false
-}
-
-// WaitingFiles returns the list of files that have been sent by a
-// peer that are waiting in the buffered "pick up" directory owned by
-// the Tailscale daemon.
-//
-// As a side effect, it also does any lazy deletion of files as
-// required by Windows.
-func (s *peerAPIServer) WaitingFiles() (ret []apitype.WaitingFile, err error) {
-	if s == nil {
-		return nil, errNilPeerAPIServer
-	}
-	if s.rootDir == "" {
-		return nil, errNoTaildrop
-	}
-	if s.directFileMode {
-		return nil, nil
-	}
-	f, err := os.Open(s.rootDir)
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-	var deleted map[string]bool // "foo.jpg" => true (if "foo.jpg.deleted" exists)
-	for {
-		des, err := f.ReadDir(10)
-		for _, de := range des {
-			name := de.Name()
-			if strings.HasSuffix(name, partialSuffix) {
-				continue
-			}
-			if name, ok := strings.CutSuffix(name, deletedSuffix); ok { // for Windows + tests
-				if deleted == nil {
-					deleted = map[string]bool{}
-				}
-				deleted[name] = true
-				continue
-			}
-			if de.Type().IsRegular() {
-				fi, err := de.Info()
-				if err != nil {
-					continue
-				}
-				ret = append(ret, apitype.WaitingFile{
-					Name: filepath.Base(name),
-					Size: fi.Size(),
-				})
-			}
-		}
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return nil, err
-		}
-	}
-	if len(deleted) > 0 {
-		// Filter out any return values "foo.jpg" where a
-		// "foo.jpg.deleted" marker file exists on disk.
-		all := ret
-		ret = ret[:0]
-		for _, wf := range all {
-			if !deleted[wf.Name] {
-				ret = append(ret, wf)
-			}
-		}
-		// And do some opportunistic deleting while we're here.
-		// Maybe Windows is done virus scanning the file we tried
-		// to delete a long time ago and will let us delete it now.
-		for name := range deleted {
-			tryDeleteAgain(filepath.Join(s.rootDir, name))
-		}
-	}
-	sort.Slice(ret, func(i, j int) bool { return ret[i].Name < ret[j].Name })
-	return ret, nil
+	taildrop *taildrop.Handler
 }

 var (
 	errNilPeerAPIServer = errors.New("peerapi unavailable; not listening")
-	errNoTaildrop       = errors.New("Taildrop disabled; no storage directory")
 )

-// tryDeleteAgain tries to delete path (and path+deletedSuffix) after
-// it failed earlier.  This happens on Windows when various anti-virus
-// tools hook into filesystem operations and have the file open still
-// while we're trying to delete it. In that case we instead mark it as
-// deleted (writing a "foo.jpg.deleted" marker file), but then we
-// later try to clean them up.
-//
-// fullPath is the full path to the file without the deleted suffix.
-func tryDeleteAgain(fullPath string) {
-	if err := os.Remove(fullPath); err == nil || os.IsNotExist(err) {
-		os.Remove(fullPath + deletedSuffix)
-	}
-}
-
-func (s *peerAPIServer) DeleteFile(baseName string) error {
-	if s == nil {
-		return errNilPeerAPIServer
-	}
-	if s.rootDir == "" {
-		return errNoTaildrop
-	}
-	if s.directFileMode {
-		return errors.New("deletes not allowed in direct mode")
-	}
-	path, ok := s.diskPath(baseName)
-	if !ok {
-		return errors.New("bad filename")
-	}
-	var bo *backoff.Backoff
-	logf := s.b.logf
-	t0 := s.b.clock.Now()
-	for {
-		err := os.Remove(path)
-		if err != nil && !os.IsNotExist(err) {
-			err = redactErr(err)
-			// Put a retry loop around deletes on Windows. Windows
-			// file descriptor closes are effectively asynchronous,
-			// as a bunch of hooks run on/after close, and we can't
-			// necessarily delete the file for a while after close,
-			// as we need to wait for everybody to be done with
-			// it. (on Windows, unlike Unix, a file can't be deleted
-			// if it's open anywhere)
-			// So try a few times but ultimately just leave a
-			// "foo.jpg.deleted" marker file to note that it's
-			// deleted and we clean it up later.
-			if runtime.GOOS == "windows" {
-				if bo == nil {
-					bo = backoff.NewBackoff("delete-retry", logf, 1*time.Second)
-				}
-				if s.b.clock.Since(t0) < 5*time.Second {
-					bo.BackOff(context.Background(), err)
-					continue
-				}
-				if err := touchFile(path + deletedSuffix); err != nil {
-					logf("peerapi: failed to leave deleted marker: %v", err)
-				}
-			}
-			logf("peerapi: failed to DeleteFile: %v", err)
-			return err
-		}
-		return nil
-	}
-}
-
-// redacted is a fake path name we use in errors, to avoid
-// accidentally logging actual filenames anywhere.
-const redacted = "redacted"
-
-type redactedErr struct {
-	msg   string
-	inner error
-}
-
-func (re *redactedErr) Error() string {
-	return re.msg
-}
-
-func (re *redactedErr) Unwrap() error {
-	return re.inner
-}
-
-func redactString(s string) string {
-	hash := adler32.Checksum([]byte(s))
-
-	var buf [len(redacted) + len(".12345678")]byte
-	b := append(buf[:0], []byte(redacted)...)
-	b = append(b, '.')
-	b = strconv.AppendUint(b, uint64(hash), 16)
-	return string(b)
-}
-
-func redactErr(root error) error {
-	// redactStrings is a list of sensitive strings that were redacted.
-	// It is not sufficient to just snub out sensitive fields in Go errors
-	// since some wrapper errors like fmt.Errorf pre-cache the error string,
-	// which would unfortunately remain unaffected.
-	var redactStrings []string
-
-	// Redact sensitive fields in known Go error types.
-	var unknownErrors int
-	multierr.Range(root, func(err error) bool {
-		switch err := err.(type) {
-		case *os.PathError:
-			redactStrings = append(redactStrings, err.Path)
-			err.Path = redactString(err.Path)
-		case *os.LinkError:
-			redactStrings = append(redactStrings, err.New, err.Old)
-			err.New = redactString(err.New)
-			err.Old = redactString(err.Old)
-		default:
-			unknownErrors++
-		}
-		return true
-	})
-
-	// If there are no redacted strings or no unknown error types,
-	// then we can return the possibly modified root error verbatim.
-	// Otherwise, we must replace redacted strings from any wrappers.
-	if len(redactStrings) == 0 || unknownErrors == 0 {
-		return root
-	}
-
-	// Stringify and replace any paths that we found above, then return
-	// the error wrapped in a type that uses the newly-redacted string
-	// while also allowing Unwrap()-ing to the inner error type(s).
-	s := root.Error()
-	for _, toRedact := range redactStrings {
-		s = strings.ReplaceAll(s, toRedact, redactString(toRedact))
-	}
-	return &redactedErr{msg: s, inner: root}
-}
-
-func touchFile(path string) error {
-	f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE, 0666)
-	if err != nil {
-		return redactErr(err)
-	}
-	return f.Close()
-}
-
-func (s *peerAPIServer) OpenFile(baseName string) (rc io.ReadCloser, size int64, err error) {
-	if s == nil {
-		return nil, 0, errNilPeerAPIServer
-	}
-	if s.rootDir == "" {
-		return nil, 0, errNoTaildrop
-	}
-	if s.directFileMode {
-		return nil, 0, errors.New("opens not allowed in direct mode")
-	}
-	path, ok := s.diskPath(baseName)
-	if !ok {
-		return nil, 0, errors.New("bad filename")
-	}
-	if fi, err := os.Stat(path + deletedSuffix); err == nil && fi.Mode().IsRegular() {
-		tryDeleteAgain(path)
-		return nil, 0, &fs.PathError{Op: "open", Path: redacted, Err: fs.ErrNotExist}
-	}
-	f, err := os.Open(path)
-	if err != nil {
-		return nil, 0, redactErr(err)
-	}
-	fi, err := f.Stat()
-	if err != nil {
-		f.Close()
-		return nil, 0, redactErr(err)
-	}
-	return f, fi.Size(), nil
-}
-
 func (s *peerAPIServer) listen(ip netip.Addr, ifState *interfaces.State) (ln net.Listener, err error) {
 	// Android for whatever reason often has problems creating the peerapi listener.
 	// But since we started intercepting it with netstack, it's not even important that
@@ -612,6 +230,9 @@ func (h *peerAPIHandler) isAddressValid(addr netip.Addr) bool {
 	if v := h.peerNode.SelfNodeV4MasqAddrForThisPeer(); v != nil {
 		return *v == addr
 	}
+	if v := h.peerNode.SelfNodeV6MasqAddrForThisPeer(); v != nil {
+		return *v == addr
+	}
 	pfx := netip.PrefixFrom(addr, addr.BitLen())
 	return views.SliceContains(h.selfNode.Addresses(), pfx)
 }
@@ -966,12 +587,14 @@ func (h *peerAPIHandler) handleServeSockStats(w http.ResponseWriter, r *http.Req
 }

 type incomingFile struct {
-	name        string // "foo.jpg"
-	started     time.Time
-	size        int64     // or -1 if unknown; never 0
-	w           io.Writer // underlying writer
-	ph          *peerAPIHandler
-	partialPath string // non-empty in direct mode
+	clock tstime.Clock
+
+	name           string // "foo.jpg"
+	started        time.Time
+	size           int64     // or -1 if unknown; never 0
+	w              io.Writer // underlying writer
+	sendFileNotify func()    // called when done
+	partialPath    string    // non-empty in direct mode

 	mu         sync.Mutex
 	copied     int64
@@ -983,25 +606,23 @@ func (f *incomingFile) markAndNotifyDone() {
 	f.mu.Lock()
 	f.done = true
 	f.mu.Unlock()
-	b := f.ph.ps.b
-	b.sendFileNotify()
+	f.sendFileNotify()
 }

 func (f *incomingFile) Write(p []byte) (n int, err error) {
 	n, err = f.w.Write(p)

-	b := f.ph.ps.b
 	var needNotify bool
 	defer func() {
 		if needNotify {
-			b.sendFileNotify()
+			f.sendFileNotify()
 		}
 	}()
 	if n > 0 {
 		f.mu.Lock()
 		defer f.mu.Unlock()
 		f.copied += int64(n)
-		now := b.clock.Now()
+		now := f.clock.Now()
 		if f.lastNotify.IsZero() || now.Sub(f.lastNotify) > time.Second {
 			f.lastNotify = now
 			needNotify = true
@@ -1082,11 +703,11 @@ func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "expected method PUT", http.StatusMethodNotAllowed)
 		return
 	}
-	if h.ps.rootDir == "" {
-		http.Error(w, errNoTaildrop.Error(), http.StatusInternalServerError)
+	if mayDeref(h.ps.taildrop).RootDir == "" {
+		http.Error(w, taildrop.ErrNoTaildrop.Error(), http.StatusInternalServerError)
 		return
 	}
-	if distro.Get() == distro.Unraid && !h.ps.directFileMode {
+	if distro.Get() == distro.Unraid && !h.ps.taildrop.DirectFileMode {
 		http.Error(w, "Taildrop folder not configured or accessible", http.StatusInternalServerError)
 		return
 	}
@@ -1109,17 +730,24 @@ func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "bad path encoding", 400)
 		return
 	}
-	dstFile, ok := h.ps.diskPath(baseName)
+	dstFile, ok := h.ps.taildrop.DiskPath(baseName)
 	if !ok {
 		http.Error(w, "bad filename", 400)
 		return
 	}
 	t0 := h.ps.b.clock.Now()
 	// TODO(bradfitz): prevent same filename being sent by two peers at once
-	partialFile := dstFile + partialSuffix
+
+	// prevent same filename being sent twice
+	if _, err := os.Stat(dstFile); err == nil {
+		http.Error(w, "file exists", http.StatusConflict)
+		return
+	}
+
+	partialFile := dstFile + taildrop.PartialSuffix
 	f, err := os.Create(partialFile)
 	if err != nil {
-		h.logf("put Create error: %v", redactErr(err))
+		h.logf("put Create error: %v", taildrop.RedactErr(err))
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
@@ -1133,20 +761,21 @@ func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
 	var inFile *incomingFile
 	if r.ContentLength != 0 {
 		inFile = &incomingFile{
-			name:    baseName,
-			started: h.ps.b.clock.Now(),
-			size:    r.ContentLength,
-			w:       f,
-			ph:      h,
+			clock:          h.ps.b.clock,
+			name:           baseName,
+			started:        h.ps.b.clock.Now(),
+			size:           r.ContentLength,
+			w:              f,
+			sendFileNotify: h.ps.b.sendFileNotify,
 		}
-		if h.ps.directFileMode {
+		if h.ps.taildrop.DirectFileMode {
 			inFile.partialPath = partialFile
 		}
 		h.ps.b.registerIncomingFile(inFile, true)
 		defer h.ps.b.registerIncomingFile(inFile, false)
 		n, err := io.Copy(inFile, r.Body)
 		if err != nil {
-			err = redactErr(err)
+			err = taildrop.RedactErr(err)
 			f.Close()
 			h.logf("put Copy error: %v", err)
 			http.Error(w, err.Error(), http.StatusInternalServerError)
@@ -1154,18 +783,18 @@ func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
 		}
 		finalSize = n
 	}
-	if err := redactErr(f.Close()); err != nil {
+	if err := taildrop.RedactErr(f.Close()); err != nil {
 		h.logf("put Close error: %v", err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
-	if h.ps.directFileMode && !h.ps.directFileDoFinalRename {
+	if h.ps.taildrop.DirectFileMode && !h.ps.taildrop.DirectFileDoFinalRename {
 		if inFile != nil { // non-zero length; TODO: notify even for zero length
 			inFile.markAndNotifyDone()
 		}
 	} else {
 		if err := os.Rename(partialFile, dstFile); err != nil {
-			err = redactErr(err)
+			err = taildrop.RedactErr(err)
 			h.logf("put final rename: %v", err)
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
@@ -1179,7 +808,7 @@ func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
 	// TODO: some real response
 	success = true
 	io.WriteString(w, "{}\n")
-	h.ps.knownEmpty.Store(false)
+	h.ps.taildrop.KnownEmpty.Store(false)
 	h.ps.b.sendFileNotify()
 }

@@ -1278,7 +907,7 @@ func (h *peerAPIHandler) handleWakeOnLAN(w http.ResponseWriter, r *http.Request)
 		http.Error(w, "bad 'mac' param", http.StatusBadRequest)
 		return
 	}
-	var password []byte // TODO(bradfitz): support?
+	var password []byte // TODO(bradfitz): support? does anything use WoL passwords?
 	st := h.ps.b.sys.NetMon.Get().InterfaceState()
 	if st == nil {
 		http.Error(w, "failed to get interfaces state", http.StatusInternalServerError)
--- a/ipn/ipnlocal/peerapi_test.go
+++ b/ipn/ipnlocal/peerapi_test.go
@@ -23,6 +23,7 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/tailcfg"
+	"tailscale.com/taildrop"
 	"tailscale.com/tstest"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
@@ -67,7 +68,7 @@ func bodyNotContains(sub string) check {

 func fileHasSize(name string, size int) check {
 	return func(t *testing.T, e *peerAPITestEnv) {
-		root := e.ph.ps.rootDir
+		root := e.ph.ps.taildrop.RootDir
 		if root == "" {
 			t.Errorf("no rootdir; can't check whether %q has size %v", name, size)
 			return
@@ -83,7 +84,7 @@ func fileHasSize(name string, size int) check {

 func fileHasContents(name string, want string) check {
 	return func(t *testing.T, e *peerAPITestEnv) {
-		root := e.ph.ps.rootDir
+		root := e.ph.ps.taildrop.RootDir
 		if root == "" {
 			t.Errorf("no rootdir; can't check contents of %q", name)
 			return
@@ -116,14 +117,14 @@ func TestHandlePeerAPI(t *testing.T) {
 		capSharing bool // self node has file sharing capability
 		debugCap   bool // self node has debug capability
 		omitRoot   bool // don't configure
-		req        *http.Request
+		reqs       []*http.Request
 		checks     []check
 	}{
 		{
 			name:       "not_peer_api",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("GET", "/", nil),
+			reqs:       []*http.Request{httptest.NewRequest("GET", "/", nil)},
 			checks: checks(
 				httpStatus(200),
 				bodyContains("This is my Tailscale device."),
@@ -134,7 +135,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "not_peer_api_not_owner",
 			isSelf:     false,
 			capSharing: true,
-			req:        httptest.NewRequest("GET", "/", nil),
+			reqs:       []*http.Request{httptest.NewRequest("GET", "/", nil)},
 			checks: checks(
 				httpStatus(200),
 				bodyContains("This is my Tailscale device."),
@@ -145,21 +146,21 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:     "goroutines/deny-self-no-cap",
 			isSelf:   true,
 			debugCap: false,
-			req:      httptest.NewRequest("GET", "/v0/goroutines", nil),
+			reqs:     []*http.Request{httptest.NewRequest("GET", "/v0/goroutines", nil)},
 			checks:   checks(httpStatus(403)),
 		},
 		{
 			name:     "goroutines/deny-nonself",
 			isSelf:   false,
 			debugCap: true,
-			req:      httptest.NewRequest("GET", "/v0/goroutines", nil),
+			reqs:     []*http.Request{httptest.NewRequest("GET", "/v0/goroutines", nil)},
 			checks:   checks(httpStatus(403)),
 		},
 		{
 			name:     "goroutines/accept-self",
 			isSelf:   true,
 			debugCap: true,
-			req:      httptest.NewRequest("GET", "/v0/goroutines", nil),
+			reqs:     []*http.Request{httptest.NewRequest("GET", "/v0/goroutines", nil)},
 			checks: checks(
 				httpStatus(200),
 				bodyContains("ServeHTTP"),
@@ -169,7 +170,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "reject_non_owner_put",
 			isSelf:     false,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo", nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo", nil)},
 			checks: checks(
 				httpStatus(http.StatusForbidden),
 				bodyContains("Taildrop access denied"),
@@ -179,7 +180,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "owner_without_cap",
 			isSelf:     true,
 			capSharing: false,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo", nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo", nil)},
 			checks: checks(
 				httpStatus(http.StatusForbidden),
 				bodyContains("file sharing not enabled by Tailscale admin"),
@@ -190,7 +191,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			omitRoot:   true,
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo", nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo", nil)},
 			checks: checks(
 				httpStatus(http.StatusInternalServerError),
 				bodyContains("Taildrop disabled; no storage directory"),
@@ -200,7 +201,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "bad_method",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("POST", "/v0/put/foo", nil),
+			reqs:       []*http.Request{httptest.NewRequest("POST", "/v0/put/foo", nil)},
 			checks: checks(
 				httpStatus(405),
 				bodyContains("expected method PUT"),
@@ -210,7 +211,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "put_zero_length",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo", nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo", nil)},
 			checks: checks(
 				httpStatus(200),
 				bodyContains("{}"),
@@ -222,7 +223,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "put_non_zero_length_content_length",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo", strings.NewReader("contents")),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo", strings.NewReader("contents"))},
 			checks: checks(
 				httpStatus(200),
 				bodyContains("{}"),
@@ -234,7 +235,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "put_non_zero_length_chunked",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo", struct{ io.Reader }{strings.NewReader("contents")}),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo", struct{ io.Reader }{strings.NewReader("contents")})},
 			checks: checks(
 				httpStatus(200),
 				bodyContains("{}"),
@@ -246,7 +247,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "bad_filename_partial",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo.partial", nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo.partial", nil)},
 			checks: checks(
 				httpStatus(400),
 				bodyContains("bad filename"),
@@ -256,7 +257,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "bad_filename_deleted",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo.deleted", nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo.deleted", nil)},
 			checks: checks(
 				httpStatus(400),
 				bodyContains("bad filename"),
@@ -266,7 +267,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "bad_filename_dot",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/.", nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/.", nil)},
 			checks: checks(
 				httpStatus(400),
 				bodyContains("bad filename"),
@@ -276,7 +277,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "bad_filename_empty",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/", nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/", nil)},
 			checks: checks(
 				httpStatus(400),
 				bodyContains("empty filename"),
@@ -286,7 +287,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "bad_filename_slash",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo/bar", nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo/bar", nil)},
 			checks: checks(
 				httpStatus(400),
 				bodyContains("directories not supported"),
@@ -296,7 +297,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "bad_filename_encoded_dot",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll("."), nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll("."), nil)},
 			checks: checks(
 				httpStatus(400),
 				bodyContains("bad filename"),
@@ -306,7 +307,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "bad_filename_encoded_slash",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll("/"), nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll("/"), nil)},
 			checks: checks(
 				httpStatus(400),
 				bodyContains("bad filename"),
@@ -316,7 +317,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "bad_filename_encoded_backslash",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll("\\"), nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll("\\"), nil)},
 			checks: checks(
 				httpStatus(400),
 				bodyContains("bad filename"),
@@ -326,7 +327,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "bad_filename_encoded_dotdot",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll(".."), nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll(".."), nil)},
 			checks: checks(
 				httpStatus(400),
 				bodyContains("bad filename"),
@@ -336,7 +337,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "bad_filename_encoded_dotdot_out",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll("foo/../../../../../etc/passwd"), nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll("foo/../../../../../etc/passwd"), nil)},
 			checks: checks(
 				httpStatus(400),
 				bodyContains("bad filename"),
@@ -346,7 +347,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "put_spaces_and_caps",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll("Foo Bar.dat"), strings.NewReader("baz")),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll("Foo Bar.dat"), strings.NewReader("baz"))},
 			checks: checks(
 				httpStatus(200),
 				bodyContains("{}"),
@@ -357,7 +358,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "put_unicode",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll("Томас и его друзья.mp3"), strings.NewReader("главный озорник")),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll("Томас и его друзья.mp3"), strings.NewReader("главный озорник"))},
 			checks: checks(
 				httpStatus(200),
 				bodyContains("{}"),
@@ -368,7 +369,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "put_invalid_utf8",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+(hexAll("😜")[:3]), nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+(hexAll("😜")[:3]), nil)},
 			checks: checks(
 				httpStatus(400),
 				bodyContains("bad filename"),
@@ -378,7 +379,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "put_invalid_null",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/%00", nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/%00", nil)},
 			checks: checks(
 				httpStatus(400),
 				bodyContains("bad filename"),
@@ -388,7 +389,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "put_invalid_non_printable",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/%01", nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/%01", nil)},
 			checks: checks(
 				httpStatus(400),
 				bodyContains("bad filename"),
@@ -398,7 +399,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "put_invalid_colon",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll("nul:"), nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll("nul:"), nil)},
 			checks: checks(
 				httpStatus(400),
 				bodyContains("bad filename"),
@@ -408,7 +409,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:       "put_invalid_surrounding_whitespace",
 			isSelf:     true,
 			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll(" foo "), nil),
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll(" foo "), nil)},
 			checks: checks(
 				httpStatus(400),
 				bodyContains("bad filename"),
@@ -418,7 +419,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:     "host-val/bad-ip",
 			isSelf:   true,
 			debugCap: true,
-			req:      httptest.NewRequest("GET", "http://12.23.45.66:1234/v0/env", nil),
+			reqs:     []*http.Request{httptest.NewRequest("GET", "http://12.23.45.66:1234/v0/env", nil)},
 			checks: checks(
 				httpStatus(403),
 			),
@@ -427,7 +428,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:     "host-val/no-port",
 			isSelf:   true,
 			debugCap: true,
-			req:      httptest.NewRequest("GET", "http://100.100.100.101/v0/env", nil),
+			reqs:     []*http.Request{httptest.NewRequest("GET", "http://100.100.100.101/v0/env", nil)},
 			checks: checks(
 				httpStatus(403),
 			),
@@ -436,11 +437,31 @@ func TestHandlePeerAPI(t *testing.T) {
 			name:     "host-val/peer",
 			isSelf:   true,
 			debugCap: true,
-			req:      httptest.NewRequest("GET", "http://peer/v0/env", nil),
+			reqs:     []*http.Request{httptest.NewRequest("GET", "http://peer/v0/env", nil)},
 			checks: checks(
 				httpStatus(200),
 			),
 		},
+		{
+			name:       "bad_duplicate_zero_length",
+			isSelf:     true,
+			capSharing: true,
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo", nil), httptest.NewRequest("PUT", "/v0/put/foo", nil)},
+			checks: checks(
+				httpStatus(409),
+				bodyContains("file exists"),
+			),
+		},
+		{
+			name:       "bad_duplicate_non_zero_length_content_length",
+			isSelf:     true,
+			capSharing: true,
+			reqs:       []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo", strings.NewReader("contents")), httptest.NewRequest("PUT", "/v0/put/foo", strings.NewReader("contents"))},
+			checks: checks(
+				httpStatus(409),
+				bodyContains("file exists"),
+			),
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -472,13 +493,18 @@ func TestHandlePeerAPI(t *testing.T) {
 			var rootDir string
 			if !tt.omitRoot {
 				rootDir = t.TempDir()
-				e.ph.ps.rootDir = rootDir
+				if e.ph.ps.taildrop == nil {
+					e.ph.ps.taildrop = &taildrop.Handler{}
+				}
+				e.ph.ps.taildrop.RootDir = rootDir
 			}
-			e.rr = httptest.NewRecorder()
-			if tt.req.Host == "example.com" {
-				tt.req.Host = "100.100.100.101:12345"
+			for _, req := range tt.reqs {
+				e.rr = httptest.NewRecorder()
+				if req.Host == "example.com" {
+					req.Host = "100.100.100.101:12345"
+				}
+				e.ph.ServeHTTP(e.rr, req)
 			}
-			e.ph.ServeHTTP(e.rr, tt.req)
 			for _, f := range tt.checks {
 				f(t, &e)
 			}
@@ -509,7 +535,11 @@ func TestFileDeleteRace(t *testing.T) {
 			capFileSharing: true,
 			clock:          &tstest.Clock{},
 		},
-		rootDir: dir,
+		taildrop: &taildrop.Handler{
+			Logf:    t.Logf,
+			Clock:   &tstest.Clock{},
+			RootDir: dir,
+		},
 	}
 	ph := &peerAPIHandler{
 		isSelf: true,
@@ -528,7 +558,7 @@ func TestFileDeleteRace(t *testing.T) {
 		if res := rr.Result(); res.StatusCode != 200 {
 			t.Fatal(res.Status)
 		}
-		wfs, err := ps.WaitingFiles()
+		wfs, err := ps.taildrop.WaitingFiles()
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -536,10 +566,10 @@ func TestFileDeleteRace(t *testing.T) {
 			t.Fatalf("waiting files = %d; want 1", len(wfs))
 		}

-		if err := ps.DeleteFile("foo.txt"); err != nil {
+		if err := ps.taildrop.DeleteFile("foo.txt"); err != nil {
 			t.Fatal(err)
 		}
-		wfs, err = ps.WaitingFiles()
+		wfs, err = ps.taildrop.WaitingFiles()
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -557,19 +587,21 @@ func TestDeletedMarkers(t *testing.T) {
 			logf:           t.Logf,
 			capFileSharing: true,
 		},
-		rootDir: dir,
+		taildrop: &taildrop.Handler{
+			RootDir: dir,
+		},
 	}

 	nothingWaiting := func() {
 		t.Helper()
-		ps.knownEmpty.Store(false)
-		if ps.hasFilesWaiting() {
+		ps.taildrop.KnownEmpty.Store(false)
+		if ps.taildrop.HasFilesWaiting() {
 			t.Fatal("unexpected files waiting")
 		}
 	}
 	touch := func(base string) {
 		t.Helper()
-		if err := touchFile(filepath.Join(dir, base)); err != nil {
+		if err := taildrop.TouchFile(filepath.Join(dir, base)); err != nil {
 			t.Fatal(err)
 		}
 	}
@@ -598,7 +630,7 @@ func TestDeletedMarkers(t *testing.T) {

 	touch("foo.jpg.deleted")
 	touch("foo.jpg")
-	wf, err := ps.WaitingFiles()
+	wf, err := ps.taildrop.WaitingFiles()
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -609,7 +641,7 @@ func TestDeletedMarkers(t *testing.T) {

 	touch("foo.jpg.deleted")
 	touch("foo.jpg")
-	if rc, _, err := ps.OpenFile("foo.jpg"); err == nil {
+	if rc, _, err := ps.taildrop.OpenFile("foo.jpg"); err == nil {
 		rc.Close()
 		t.Fatal("unexpected foo.jpg open")
 	}
@@ -618,14 +650,14 @@ func TestDeletedMarkers(t *testing.T) {
 	// And verify basics still work in non-deleted cases.
 	touch("foo.jpg")
 	touch("bar.jpg.deleted")
-	if wf, err := ps.WaitingFiles(); err != nil {
+	if wf, err := ps.taildrop.WaitingFiles(); err != nil {
 		t.Error(err)
 	} else if len(wf) != 1 {
 		t.Errorf("WaitingFiles = %d; want 1", len(wf))
 	} else if wf[0].Name != "foo.jpg" {
 		t.Errorf("unexpected waiting file %+v", wf[0])
 	}
-	if rc, _, err := ps.OpenFile("foo.jpg"); err != nil {
+	if rc, _, err := ps.taildrop.OpenFile("foo.jpg"); err != nil {
 		t.Fatal(err)
 	} else {
 		rc.Close()
@@ -734,7 +766,7 @@ func TestRedactErr(t *testing.T) {
 			}

 			t.Run("Root", func(t *testing.T) {
-				got := redactErr(tc.err()).Error()
+				got := taildrop.RedactErr(tc.err()).Error()
 				if got != tc.want {
 					t.Errorf("err = %q; want %q", got, tc.want)
 				}
@@ -743,7 +775,7 @@ func TestRedactErr(t *testing.T) {
 				wrapped := fmt.Errorf("wrapped error: %w", tc.err())
 				want := "wrapped error: " + tc.want

-				got := redactErr(wrapped).Error()
+				got := taildrop.RedactErr(wrapped).Error()
 				if got != want {
 					t.Errorf("err = %q; want %q", got, want)
 				}
--- a/ipn/ipnlocal/profiles.go
+++ b/ipn/ipnlocal/profiles.go
@@ -452,20 +452,24 @@ var defaultPrefs = func() ipn.PrefsView {
 	prefs.LoggedOut = true
 	prefs.WantRunning = false

-	prefs.ControlURL = winutil.GetPolicyString("LoginURL", "")
+	controlURL, _ := winutil.GetPolicyString("LoginURL")
+	prefs.ControlURL = controlURL
+
 	prefs.ExitNodeIP = resolveExitNodeIP(netip.Addr{})

 	// Allow Incoming (used by the UI) is the negation of ShieldsUp (used by the
 	// backend), so this has to convert between the two conventions.
-	prefs.ShieldsUp = winutil.GetPolicyString("AllowIncomingConnections", "") == "never"
-	prefs.ForceDaemon = winutil.GetPolicyString("UnattendedMode", "") == "always"
+	shieldsUp, _ := winutil.GetPolicyString("AllowIncomingConnections")
+	prefs.ShieldsUp = shieldsUp == "never"
+	forceDaemon, _ := winutil.GetPolicyString("UnattendedMode")
+	prefs.ForceDaemon = forceDaemon == "always"

 	return prefs.View()
 }()

 func resolveExitNodeIP(defIP netip.Addr) (ret netip.Addr) {
 	ret = defIP
-	if exitNode := winutil.GetPolicyString("ExitNodeIP", ""); exitNode != "" {
+	if exitNode, _ := winutil.GetPolicyString("ExitNodeIP"); exitNode != "" {
 		if ip, err := netip.ParseAddr(exitNode); err == nil {
 			ret = ip
 		}
--- a/ipn/ipnlocal/serve.go
+++ b/ipn/ipnlocal/serve.go
@@ -247,16 +247,17 @@ func (b *LocalBackend) setServeConfigLocked(config *ipn.ServeConfig, etag string

 	// If etag is present, check that it has
 	// not changed from the last config.
+	prevConfig := b.serveConfig
 	if etag != "" {
 		// Note that we marshal b.serveConfig
 		// and not use b.lastServeConfJSON as that might
 		// be a Go nil value, which produces a different
 		// checksum from a JSON "null" value.
-		previousCfg, err := json.Marshal(b.serveConfig)
+		prevBytes, err := json.Marshal(prevConfig)
 		if err != nil {
 			return fmt.Errorf("error encoding previous config: %w", err)
 		}
-		sum := sha256.Sum256(previousCfg)
+		sum := sha256.Sum256(prevBytes)
 		previousEtag := hex.EncodeToString(sum[:])
 		if etag != previousEtag {
 			return ErrETagMismatch
@@ -279,6 +280,26 @@ func (b *LocalBackend) setServeConfigLocked(config *ipn.ServeConfig, etag string
 	}

 	b.setTCPPortsInterceptedFromNetmapAndPrefsLocked(b.pm.CurrentPrefs())
+
+	// clean up and close all previously open foreground sessions
+	// if the current ServeConfig has overwritten them.
+	if prevConfig.Valid() {
+		has := func(string) bool { return false }
+		if b.serveConfig.Valid() {
+			has = b.serveConfig.Foreground().Has
+		}
+		prevConfig.Foreground().Range(func(k string, v ipn.ServeConfigView) (cont bool) {
+			if !has(k) {
+				for _, sess := range b.notifyWatchers {
+					if sess.sessionID == k {
+						close(sess.ch)
+					}
+				}
+			}
+			return true
+		})
+	}
+
 	return nil
 }

--- a/ipn/ipnlocal/serve_test.go
+++ b/ipn/ipnlocal/serve_test.go
@@ -20,6 +20,7 @@ import (
 	"path/filepath"
 	"strings"
 	"testing"
+	"time"

 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
@@ -184,6 +185,105 @@ func getEtag(t *testing.T, b any) string {
 	return hex.EncodeToString(sum[:])
 }

+// TestServeConfigForeground tests the inter-dependency
+// between a ServeConfig and a WatchIPNBus:
+// 1. Creating a WatchIPNBus returns a sessionID, that
+// 2. ServeConfig sets it as the key of the Foreground field.
+// 3. ServeConfig expects the WatchIPNBus to clean up the Foreground
+// config when the session is done.
+// 4. WatchIPNBus expects the ServeConfig to send a signal (close the channel)
+// if an incoming SetServeConfig removes previous foregrounds.
+func TestServeConfigForeground(t *testing.T) {
+	b := newTestBackend(t)
+
+	ch1 := make(chan string, 1)
+	go func() {
+		defer close(ch1)
+		b.WatchNotifications(context.Background(), ipn.NotifyInitialState, nil, func(roNotify *ipn.Notify) (keepGoing bool) {
+			if roNotify.SessionID != "" {
+				ch1 <- roNotify.SessionID
+			}
+			return true
+		})
+	}()
+
+	ch2 := make(chan string, 1)
+	go func() {
+		b.WatchNotifications(context.Background(), ipn.NotifyInitialState, nil, func(roNotify *ipn.Notify) (keepGoing bool) {
+			if roNotify.SessionID != "" {
+				ch2 <- roNotify.SessionID
+				return true
+			}
+			ch2 <- "again" // let channel know fn was called again
+			return true
+		})
+	}()
+
+	var session1 string
+	select {
+	case session1 = <-ch1:
+	case <-time.After(time.Second):
+		t.Fatal("timed out waiting on watch notifications session id")
+	}
+
+	var session2 string
+	select {
+	case session2 = <-ch2:
+	case <-time.After(time.Second):
+		t.Fatal("timed out waiting on watch notifications session id")
+	}
+
+	err := b.SetServeConfig(&ipn.ServeConfig{
+		Foreground: map[string]*ipn.ServeConfig{
+			session1: {TCP: map[uint16]*ipn.TCPPortHandler{
+				443: {TCPForward: "http://localhost:3000"}},
+			},
+			session2: {TCP: map[uint16]*ipn.TCPPortHandler{
+				999: {TCPForward: "http://localhost:4000"}},
+			},
+		},
+	}, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Setting a new serve config should shut down WatchNotifications
+	// whose session IDs are no longer found: session1 goes, session2 stays.
+	err = b.SetServeConfig(&ipn.ServeConfig{
+		TCP: map[uint16]*ipn.TCPPortHandler{
+			5000: {TCPForward: "http://localhost:5000"},
+		},
+		Foreground: map[string]*ipn.ServeConfig{
+			session2: {TCP: map[uint16]*ipn.TCPPortHandler{
+				999: {TCPForward: "http://localhost:4000"}},
+			},
+		},
+	}, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	select {
+	case _, ok := <-ch1:
+		if ok {
+			t.Fatal("expected channel to be closed")
+		}
+	case <-time.After(time.Second):
+		t.Fatal("timed out waiting on watch notifications closing")
+	}
+
+	// check that the second session is still running
+	b.send(ipn.Notify{})
+	select {
+	case _, ok := <-ch2:
+		if !ok {
+			t.Fatal("expected second session to remain open")
+		}
+	case <-time.After(time.Second):
+		t.Fatal("timed out waiting on second session")
+	}
+}
+
 func TestServeConfigETag(t *testing.T) {
 	b := newTestBackend(t)

--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -299,6 +299,11 @@ func (ps *PeerStatus) HasCap(cap tailcfg.NodeCapability) bool {
 	return ps.CapMap.Contains(cap) || slices.Contains(ps.Capabilities, cap)
 }

+// IsTagged reports whether ps is tagged.
+func (ps *PeerStatus) IsTagged() bool {
+	return ps.Tags != nil && ps.Tags.Len() > 0
+}
+
 // StatusBuilder is a request to construct a Status. A new StatusBuilder is
 // passed to various subsystems which then call methods on it to populate state.
 // Call its Status method to return the final constructed Status.
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -36,7 +36,6 @@ import (
 	"tailscale.com/net/netmon"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/portmapper"
-	"tailscale.com/net/tstun"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/tstime"
@@ -51,6 +50,7 @@ import (
 	"tailscale.com/util/osdiag"
 	"tailscale.com/util/rands"
 	"tailscale.com/version"
+	"tailscale.com/wgengine/magicsock"
 )

 type localAPIHandler func(*Handler, http.ResponseWriter, *http.Request)
@@ -557,6 +557,8 @@ func (h *Handler) serveDebug(w http.ResponseWriter, r *http.Request) {
 		err = h.b.DebugBreakTCPConns()
 	case "break-derp-conns":
 		err = h.b.DebugBreakDERPConns()
+	case "force-netmap-update":
+		h.b.DebugForceNetmapUpdate()
 	case "control-knobs":
 		k := h.b.ControlKnobs()
 		w.Header().Set("Content-Type", "application/json")
@@ -1380,8 +1382,8 @@ func (h *Handler) servePing(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, "'size' parameter is only supported with disco pings", 400)
 			return
 		}
-		if size > int(tstun.DefaultMTU()) {
-			http.Error(w, fmt.Sprintf("maximum value for 'size' is %v", tstun.DefaultMTU()), 400)
+		if size > magicsock.MaxDiscoPingSize {
+			http.Error(w, fmt.Sprintf("maximum value for 'size' is %v", magicsock.MaxDiscoPingSize), 400)
 			return
 		}
 	}
--- a/ipn/serve.go
+++ b/ipn/serve.go
@@ -9,10 +9,10 @@ import (
 	"net"
 	"net/netip"
 	"net/url"
-	"slices"
 	"strconv"
 	"strings"

+	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
 )

@@ -237,23 +237,21 @@ func (sc *ServeConfig) IsFunnelOn() bool {
 //  2. the node has the "funnel" nodeAttr
 //  3. the port is allowed for Funnel
 //
-// The nodeAttrs arg should be the node's Self.Capabilities which should contain
-// the attribute we're checking for and possibly warning-capabilities for
-// Funnel.
-func CheckFunnelAccess(port uint16, nodeAttrs []tailcfg.NodeCapability) error {
-	if !slices.Contains(nodeAttrs, tailcfg.CapabilityHTTPS) {
+// The node arg should be the ipnstate.Status.Self node.
+func CheckFunnelAccess(port uint16, node *ipnstate.PeerStatus) error {
+	if !node.HasCap(tailcfg.CapabilityHTTPS) {
 		return errors.New("Funnel not available; HTTPS must be enabled. See https://tailscale.com/s/https.")
 	}
-	if !slices.Contains(nodeAttrs, tailcfg.NodeAttrFunnel) {
+	if !node.HasCap(tailcfg.NodeAttrFunnel) {
 		return errors.New("Funnel not available; \"funnel\" node attribute not set. See https://tailscale.com/s/no-funnel.")
 	}
-	return CheckFunnelPort(port, nodeAttrs)
+	return CheckFunnelPort(port, node)
 }

 // CheckFunnelPort checks whether the given port is allowed for Funnel.
 // It uses the tailcfg.CapabilityFunnelPorts nodeAttr to determine the allowed
 // ports.
-func CheckFunnelPort(wantedPort uint16, nodeAttrs []tailcfg.NodeCapability) error {
+func CheckFunnelPort(wantedPort uint16, node *ipnstate.PeerStatus) error {
 	deny := func(allowedPorts string) error {
 		if allowedPorts == "" {
 			return fmt.Errorf("port %d is not allowed for funnel", wantedPort)
@@ -261,24 +259,50 @@ func CheckFunnelPort(wantedPort uint16, nodeAttrs []tailcfg.NodeCapability) erro
 		return fmt.Errorf("port %d is not allowed for funnel; allowed ports are: %v", wantedPort, allowedPorts)
 	}
 	var portsStr string
-	for _, attr := range nodeAttrs {
+	parseAttr := func(attr string) (string, error) {
+		u, err := url.Parse(attr)
+		if err != nil {
+			return "", deny("")
+		}
+		portsStr := u.Query().Get("ports")
+		if portsStr == "" {
+			return "", deny("")
+		}
+		u.RawQuery = ""
+		if u.String() != string(tailcfg.CapabilityFunnelPorts) {
+			return "", deny("")
+		}
+		return portsStr, nil
+	}
+	for attr := range node.CapMap {
 		attr := string(attr)
 		if !strings.HasPrefix(attr, string(tailcfg.CapabilityFunnelPorts)) {
 			continue
 		}
-		u, err := url.Parse(attr)
+		var err error
+		portsStr, err = parseAttr(attr)
 		if err != nil {
-			return deny("")
+			return err
 		}
-		portsStr = u.Query().Get("ports")
-		if portsStr == "" {
-			return deny("")
-		}
-		u.RawQuery = ""
-		if u.String() != string(tailcfg.CapabilityFunnelPorts) {
-			return deny("")
+		break
+	}
+	if portsStr == "" {
+		for _, attr := range node.Capabilities {
+			attr := string(attr)
+			if !strings.HasPrefix(attr, string(tailcfg.CapabilityFunnelPorts)) {
+				continue
+			}
+			var err error
+			portsStr, err = parseAttr(attr)
+			if err != nil {
+				return err
+			}
+			break
 		}
 	}
+	if portsStr == "" {
+		return deny("")
+	}
 	wantedPortString := strconv.Itoa(int(wantedPort))
 	for _, ps := range strings.Split(portsStr, ",") {
 		if ps == "" {
--- a/ipn/serve_test.go
+++ b/ipn/serve_test.go
@@ -5,6 +5,7 @@ package ipn
 import (
 	"testing"

+	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
 )

@@ -26,7 +27,11 @@ func TestCheckFunnelAccess(t *testing.T) {
 		{3000, caps(portAttr, tailcfg.CapabilityHTTPS, tailcfg.NodeAttrFunnel), true},
 	}
 	for _, tt := range tests {
-		err := CheckFunnelAccess(tt.port, tt.caps)
+		cm := tailcfg.NodeCapMap{}
+		for _, c := range tt.caps {
+			cm[c] = nil
+		}
+		err := CheckFunnelAccess(tt.port, &ipnstate.PeerStatus{CapMap: cm})
 		switch {
 		case err != nil && tt.wantErr,
 			err == nil && !tt.wantErr:
--- a/licenses/apple.md
+++ b/licenses/apple.md
@@ -11,66 +11,66 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].


 - [filippo.io/edwards25519](https://pkg.go.dev/filippo.io/edwards25519) ([BSD-3-Clause](https://github.com/FiloSottile/edwards25519/blob/v1.0.0/LICENSE))
- - [github.com/aws/aws-sdk-go-v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/v1.18.0/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/config](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/config) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/config/v1.18.22/config/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/credentials](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.13.21/credentials/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/feature/ec2/imds) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.13.3/feature/ec2/imds/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/configsources](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/configsources) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/configsources/v1.1.33/internal/configsources/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/endpoints/v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/endpoints/v2.4.27/internal/endpoints/v2/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/ini](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/ini) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/ini/v1.3.34/internal/ini/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/aws-sdk-go-v2/blob/v1.18.0/internal/sync/singleflight/LICENSE))
- - [github.com/aws/aws-sdk-go-v2/service/internal/presigned-url](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/internal/presigned-url/v1.9.27/service/internal/presigned-url/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/ssm](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssm) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.36.3/service/ssm/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/sso](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sso) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.12.9/service/sso/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/ssooidc](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssooidc) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.14.9/service/ssooidc/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/sts](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.18.10/service/sts/LICENSE.txt))
- - [github.com/aws/smithy-go](https://pkg.go.dev/github.com/aws/smithy-go) ([Apache-2.0](https://github.com/aws/smithy-go/blob/v1.13.5/LICENSE))
- - [github.com/aws/smithy-go/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/smithy-go/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/smithy-go/blob/v1.13.5/internal/sync/singleflight/LICENSE))
- - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/v0.6.0/LICENSE))
- - [github.com/coreos/go-systemd/v22/dbus](https://pkg.go.dev/github.com/coreos/go-systemd/v22/dbus) ([Apache-2.0](https://github.com/coreos/go-systemd/blob/v22.4.0/LICENSE))
- - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.4.0/LICENSE))
+ - [github.com/aws/aws-sdk-go-v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/v1.21.0/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/config](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/config) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/config/v1.18.42/config/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/credentials](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.13.40/credentials/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/feature/ec2/imds) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.13.11/feature/ec2/imds/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/configsources](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/configsources) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/configsources/v1.1.41/internal/configsources/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/endpoints/v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/endpoints/v2.4.35/internal/endpoints/v2/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/ini](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/ini) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/ini/v1.3.43/internal/ini/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/aws-sdk-go-v2/blob/v1.21.0/internal/sync/singleflight/LICENSE))
+ - [github.com/aws/aws-sdk-go-v2/service/internal/presigned-url](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/internal/presigned-url/v1.9.35/service/internal/presigned-url/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/ssm](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssm) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.38.0/service/ssm/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/sso](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sso) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.14.1/service/sso/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/ssooidc](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssooidc) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.17.1/service/ssooidc/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/sts](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.22.0/service/sts/LICENSE.txt))
+ - [github.com/aws/smithy-go](https://pkg.go.dev/github.com/aws/smithy-go) ([Apache-2.0](https://github.com/aws/smithy-go/blob/v1.14.2/LICENSE))
+ - [github.com/aws/smithy-go/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/smithy-go/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/smithy-go/blob/v1.14.2/internal/sync/singleflight/LICENSE))
+ - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/v0.7.0/LICENSE))
+ - [github.com/coreos/go-systemd/v22/dbus](https://pkg.go.dev/github.com/coreos/go-systemd/v22/dbus) ([Apache-2.0](https://github.com/coreos/go-systemd/blob/v22.5.0/LICENSE))
+ - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.5.0/LICENSE))
 - [github.com/godbus/dbus/v5](https://pkg.go.dev/github.com/godbus/dbus/v5) ([BSD-2-Clause](https://github.com/godbus/dbus/blob/76236955d466/LICENSE))
 - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
 - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.1.2/LICENSE))
 - [github.com/google/nftables](https://pkg.go.dev/github.com/google/nftables) ([Apache-2.0](https://github.com/google/nftables/blob/9aa6fdf5a28c/LICENSE))
- - [github.com/google/uuid](https://pkg.go.dev/github.com/google/uuid) ([BSD-3-Clause](https://github.com/google/uuid/blob/v1.3.0/LICENSE))
+ - [github.com/google/uuid](https://pkg.go.dev/github.com/google/uuid) ([BSD-3-Clause](https://github.com/google/uuid/blob/v1.3.1/LICENSE))
 - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/v0.1.0/LICENSE))
 - [github.com/illarion/gonotify](https://pkg.go.dev/github.com/illarion/gonotify) ([MIT](https://github.com/illarion/gonotify/blob/v1.0.1/LICENSE))
- - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/974c6f05fe16/LICENSE))
+ - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/65c27093e38a/LICENSE))
 - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
 - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
- - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.2/LICENSE.md))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.16.7/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.16.7/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.16.7/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.5/LICENSE.md))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.0/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.0/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.0/zstd/internal/xxhash/LICENSE.txt))
 - [github.com/kortschak/wol](https://pkg.go.dev/github.com/kortschak/wol) ([BSD-3-Clause](https://github.com/kortschak/wol/blob/da482cc4850a/LICENSE))
 - [github.com/mdlayher/genetlink](https://pkg.go.dev/github.com/mdlayher/genetlink) ([MIT](https://github.com/mdlayher/genetlink/blob/v1.3.2/LICENSE.md))
 - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.2/LICENSE.md))
 - [github.com/mdlayher/sdnotify](https://pkg.go.dev/github.com/mdlayher/sdnotify) ([MIT](https://github.com/mdlayher/sdnotify/blob/v1.0.0/LICENSE.md))
- - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.4.1/LICENSE.md))
- - [github.com/miekg/dns](https://pkg.go.dev/github.com/miekg/dns) ([BSD-3-Clause](https://github.com/miekg/dns/blob/v1.1.55/LICENSE))
+ - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.5.0/LICENSE.md))
+ - [github.com/miekg/dns](https://pkg.go.dev/github.com/miekg/dns) ([BSD-3-Clause](https://github.com/miekg/dns/blob/v1.1.56/LICENSE))
 - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
- - [github.com/pierrec/lz4/v4](https://pkg.go.dev/github.com/pierrec/lz4/v4) ([BSD-3-Clause](https://github.com/pierrec/lz4/blob/v4.1.17/LICENSE))
+ - [github.com/pierrec/lz4/v4](https://pkg.go.dev/github.com/pierrec/lz4/v4) ([BSD-3-Clause](https://github.com/pierrec/lz4/blob/v4.1.18/LICENSE))
 - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/f0b76a10a08e/LICENSE))
 - [github.com/tailscale/goupnp](https://pkg.go.dev/github.com/tailscale/goupnp) ([BSD-2-Clause](https://github.com/tailscale/goupnp/blob/c64d0f06ea05/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
- - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/93bd5cbf7fd8/LICENSE))
+ - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/2f6748dc88e7/LICENSE))
 - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
 - [github.com/u-root/uio](https://pkg.go.dev/github.com/u-root/uio) ([BSD-3-Clause](https://github.com/u-root/uio/blob/3e8cd9d6bf63/LICENSE))
 - [github.com/vishvananda/netlink/nl](https://pkg.go.dev/github.com/vishvananda/netlink/nl) ([Apache-2.0](https://github.com/vishvananda/netlink/blob/v1.2.1-beta.2/LICENSE))
 - [github.com/vishvananda/netns](https://pkg.go.dev/github.com/vishvananda/netns) ([Apache-2.0](https://github.com/vishvananda/netns/blob/v0.0.4/LICENSE))
 - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
- - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/ad4cb58a6516/LICENSE))
+ - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/6213f710f925/LICENSE))
 - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.13.0:LICENSE))
- - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/515e97eb:LICENSE))
+ - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/92128663:LICENSE))
 - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://github.com/tailscale/golang-x-net/blob/9a58c47922fd/LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.2.0:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.3.0:LICENSE))
 - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.12.0:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.12.0:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.13.0:LICENSE))
 - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE))
- - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/7b0a1988a28f/LICENSE))
+ - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/4fe30062272c/LICENSE))
 - [inet.af/peercred](https://pkg.go.dev/inet.af/peercred) ([BSD-3-Clause](https://github.com/inetaf/peercred/blob/0893ea02156a/LICENSE))
 - [nhooyr.io/websocket](https://pkg.go.dev/nhooyr.io/websocket) ([MIT](https://github.com/nhooyr/websocket/blob/v1.8.7/LICENSE.txt))
 - [tailscale.com](https://pkg.go.dev/tailscale.com) ([BSD-3-Clause](https://github.com/tailscale/tailscale/blob/HEAD/LICENSE))
--- a/licenses/tailscale.md
+++ b/licenses/tailscale.md
@@ -18,63 +18,64 @@ Some packages may only be included on certain architectures or operating systems
 - [github.com/akutz/memconn](https://pkg.go.dev/github.com/akutz/memconn) ([Apache-2.0](https://github.com/akutz/memconn/blob/v0.1.0/LICENSE))
 - [github.com/alexbrainman/sspi](https://pkg.go.dev/github.com/alexbrainman/sspi) ([BSD-3-Clause](https://github.com/alexbrainman/sspi/blob/909beea2cc74/LICENSE))
 - [github.com/anmitsu/go-shlex](https://pkg.go.dev/github.com/anmitsu/go-shlex) ([MIT](https://github.com/anmitsu/go-shlex/blob/38f4b401e2be/LICENSE))
- - [github.com/aws/aws-sdk-go-v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/v1.18.0/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/config](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/config) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/config/v1.18.22/config/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/credentials](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.13.21/credentials/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/feature/ec2/imds) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.13.3/feature/ec2/imds/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/configsources](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/configsources) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/configsources/v1.1.33/internal/configsources/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/endpoints/v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/endpoints/v2.4.27/internal/endpoints/v2/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/ini](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/ini) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/ini/v1.3.34/internal/ini/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/aws-sdk-go-v2/blob/v1.18.0/internal/sync/singleflight/LICENSE))
- - [github.com/aws/aws-sdk-go-v2/service/internal/presigned-url](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/internal/presigned-url/v1.9.27/service/internal/presigned-url/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/ssm](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssm) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.36.3/service/ssm/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/sso](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sso) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.12.9/service/sso/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/ssooidc](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssooidc) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.14.9/service/ssooidc/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/sts](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.18.10/service/sts/LICENSE.txt))
- - [github.com/aws/smithy-go](https://pkg.go.dev/github.com/aws/smithy-go) ([Apache-2.0](https://github.com/aws/smithy-go/blob/v1.13.5/LICENSE))
- - [github.com/aws/smithy-go/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/smithy-go/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/smithy-go/blob/v1.13.5/internal/sync/singleflight/LICENSE))
- - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/v0.6.0/LICENSE))
- - [github.com/coreos/go-systemd/v22/dbus](https://pkg.go.dev/github.com/coreos/go-systemd/v22/dbus) ([Apache-2.0](https://github.com/coreos/go-systemd/blob/v22.4.0/LICENSE))
+ - [github.com/aws/aws-sdk-go-v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/v1.21.0/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/config](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/config) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/config/v1.18.42/config/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/credentials](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.13.40/credentials/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/feature/ec2/imds) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.13.11/feature/ec2/imds/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/configsources](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/configsources) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/configsources/v1.1.41/internal/configsources/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/endpoints/v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/endpoints/v2.4.35/internal/endpoints/v2/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/ini](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/ini) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/ini/v1.3.43/internal/ini/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/aws-sdk-go-v2/blob/v1.21.0/internal/sync/singleflight/LICENSE))
+ - [github.com/aws/aws-sdk-go-v2/service/internal/presigned-url](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/internal/presigned-url/v1.9.35/service/internal/presigned-url/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/ssm](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssm) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.38.0/service/ssm/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/sso](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sso) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.14.1/service/sso/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/ssooidc](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssooidc) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.17.1/service/ssooidc/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/sts](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.22.0/service/sts/LICENSE.txt))
+ - [github.com/aws/smithy-go](https://pkg.go.dev/github.com/aws/smithy-go) ([Apache-2.0](https://github.com/aws/smithy-go/blob/v1.14.2/LICENSE))
+ - [github.com/aws/smithy-go/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/smithy-go/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/smithy-go/blob/v1.14.2/internal/sync/singleflight/LICENSE))
+ - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/v0.7.0/LICENSE))
+ - [github.com/coreos/go-systemd/v22/dbus](https://pkg.go.dev/github.com/coreos/go-systemd/v22/dbus) ([Apache-2.0](https://github.com/coreos/go-systemd/blob/v22.5.0/LICENSE))
 - [github.com/creack/pty](https://pkg.go.dev/github.com/creack/pty) ([MIT](https://github.com/creack/pty/blob/v1.1.18/LICENSE))
- - [github.com/dblohm7/wingoes](https://pkg.go.dev/github.com/dblohm7/wingoes) ([BSD-3-Clause](https://github.com/dblohm7/wingoes/blob/fc76608aecf0/LICENSE))
- - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.4.0/LICENSE))
- - [github.com/go-ole/go-ole](https://pkg.go.dev/github.com/go-ole/go-ole) ([MIT](https://github.com/go-ole/go-ole/blob/v1.2.6/LICENSE))
+ - [github.com/dblohm7/wingoes](https://pkg.go.dev/github.com/dblohm7/wingoes) ([BSD-3-Clause](https://github.com/dblohm7/wingoes/blob/e994401fc077/LICENSE))
+ - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.5.0/LICENSE))
+ - [github.com/go-ole/go-ole](https://pkg.go.dev/github.com/go-ole/go-ole) ([MIT](https://github.com/go-ole/go-ole/blob/v1.3.0/LICENSE))
 - [github.com/godbus/dbus/v5](https://pkg.go.dev/github.com/godbus/dbus/v5) ([BSD-2-Clause](https://github.com/godbus/dbus/blob/76236955d466/LICENSE))
 - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
 - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.1.2/LICENSE))
 - [github.com/google/nftables](https://pkg.go.dev/github.com/google/nftables) ([Apache-2.0](https://github.com/google/nftables/blob/9aa6fdf5a28c/LICENSE))
- - [github.com/google/uuid](https://pkg.go.dev/github.com/google/uuid) ([BSD-3-Clause](https://github.com/google/uuid/blob/v1.3.0/LICENSE))
+ - [github.com/google/uuid](https://pkg.go.dev/github.com/google/uuid) ([BSD-3-Clause](https://github.com/google/uuid/blob/v1.3.1/LICENSE))
 - [github.com/gorilla/csrf](https://pkg.go.dev/github.com/gorilla/csrf) ([BSD-3-Clause](https://github.com/gorilla/csrf/blob/v1.7.1/LICENSE))
 - [github.com/gorilla/securecookie](https://pkg.go.dev/github.com/gorilla/securecookie) ([BSD-3-Clause](https://github.com/gorilla/securecookie/blob/v1.1.1/LICENSE))
 - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/v0.1.0/LICENSE))
 - [github.com/illarion/gonotify](https://pkg.go.dev/github.com/illarion/gonotify) ([MIT](https://github.com/illarion/gonotify/blob/v1.0.1/LICENSE))
- - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/974c6f05fe16/LICENSE))
+ - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/65c27093e38a/LICENSE))
 - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
 - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
- - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.2/LICENSE.md))
+ - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.5/LICENSE.md))
 - [github.com/kballard/go-shellquote](https://pkg.go.dev/github.com/kballard/go-shellquote) ([MIT](https://github.com/kballard/go-shellquote/blob/95032a82bc51/LICENSE))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.16.7/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.16.7/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.16.7/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.0/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.0/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.0/zstd/internal/xxhash/LICENSE.txt))
 - [github.com/kortschak/wol](https://pkg.go.dev/github.com/kortschak/wol) ([BSD-3-Clause](https://github.com/kortschak/wol/blob/da482cc4850a/LICENSE))
 - [github.com/kr/fs](https://pkg.go.dev/github.com/kr/fs) ([BSD-3-Clause](https://github.com/kr/fs/blob/v0.1.0/LICENSE))
 - [github.com/mattn/go-colorable](https://pkg.go.dev/github.com/mattn/go-colorable) ([MIT](https://github.com/mattn/go-colorable/blob/v0.1.13/LICENSE))
- - [github.com/mattn/go-isatty](https://pkg.go.dev/github.com/mattn/go-isatty) ([MIT](https://github.com/mattn/go-isatty/blob/v0.0.18/LICENSE))
+ - [github.com/mattn/go-isatty](https://pkg.go.dev/github.com/mattn/go-isatty) ([MIT](https://github.com/mattn/go-isatty/blob/v0.0.19/LICENSE))
 - [github.com/mdlayher/genetlink](https://pkg.go.dev/github.com/mdlayher/genetlink) ([MIT](https://github.com/mdlayher/genetlink/blob/v1.3.2/LICENSE.md))
 - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.2/LICENSE.md))
 - [github.com/mdlayher/sdnotify](https://pkg.go.dev/github.com/mdlayher/sdnotify) ([MIT](https://github.com/mdlayher/sdnotify/blob/v1.0.0/LICENSE.md))
- - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.4.1/LICENSE.md))
- - [github.com/miekg/dns](https://pkg.go.dev/github.com/miekg/dns) ([BSD-3-Clause](https://github.com/miekg/dns/blob/v1.1.55/LICENSE))
+ - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.5.0/LICENSE.md))
+ - [github.com/miekg/dns](https://pkg.go.dev/github.com/miekg/dns) ([BSD-3-Clause](https://github.com/miekg/dns/blob/v1.1.56/LICENSE))
 - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
- - [github.com/peterbourgon/ff/v3](https://pkg.go.dev/github.com/peterbourgon/ff/v3) ([Apache-2.0](https://github.com/peterbourgon/ff/blob/v3.3.0/LICENSE))
- - [github.com/pierrec/lz4/v4](https://pkg.go.dev/github.com/pierrec/lz4/v4) ([BSD-3-Clause](https://github.com/pierrec/lz4/blob/v4.1.17/LICENSE))
+ - [github.com/peterbourgon/ff/v3](https://pkg.go.dev/github.com/peterbourgon/ff/v3) ([Apache-2.0](https://github.com/peterbourgon/ff/blob/v3.4.0/LICENSE))
+ - [github.com/pierrec/lz4/v4](https://pkg.go.dev/github.com/pierrec/lz4/v4) ([BSD-3-Clause](https://github.com/pierrec/lz4/blob/v4.1.18/LICENSE))
 - [github.com/pkg/errors](https://pkg.go.dev/github.com/pkg/errors) ([BSD-2-Clause](https://github.com/pkg/errors/blob/v0.9.1/LICENSE))
- - [github.com/pkg/sftp](https://pkg.go.dev/github.com/pkg/sftp) ([BSD-2-Clause](https://github.com/pkg/sftp/blob/v1.13.5/LICENSE))
+ - [github.com/pkg/sftp](https://pkg.go.dev/github.com/pkg/sftp) ([BSD-2-Clause](https://github.com/pkg/sftp/blob/v1.13.6/LICENSE))
 - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
 - [github.com/tailscale/certstore](https://pkg.go.dev/github.com/tailscale/certstore) ([MIT](https://github.com/tailscale/certstore/blob/78d6e1c49d8d/LICENSE.md))
 - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/f0b76a10a08e/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
- - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/93bd5cbf7fd8/LICENSE))
+ - [github.com/tailscale/web-client-prebuilt](https://pkg.go.dev/github.com/tailscale/web-client-prebuilt) ([BSD-3-Clause](https://github.com/tailscale/web-client-prebuilt/blob/7bcd7bca7bc5/LICENSE))
+ - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/2f6748dc88e7/LICENSE))
 - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
 - [github.com/toqueteos/webbrowser](https://pkg.go.dev/github.com/toqueteos/webbrowser) ([MIT](https://github.com/toqueteos/webbrowser/blob/v1.2.0/LICENSE.md))
 - [github.com/u-root/u-root/pkg/termios](https://pkg.go.dev/github.com/u-root/u-root/pkg/termios) ([BSD-3-Clause](https://github.com/u-root/u-root/blob/v0.11.0/LICENSE))
@@ -83,26 +84,26 @@ Some packages may only be included on certain architectures or operating systems
 - [github.com/vishvananda/netns](https://pkg.go.dev/github.com/vishvananda/netns) ([Apache-2.0](https://github.com/vishvananda/netns/blob/v0.0.4/LICENSE))
 - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
- - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/ad4cb58a6516/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.12.0:LICENSE))
- - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/515e97eb:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.14.0:LICENSE))
- - [golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2) ([BSD-3-Clause](https://cs.opensource.google/go/x/oauth2/+/v0.7.0:LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.2.0:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.11.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.11.0:LICENSE))
- - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.12.0:LICENSE))
+ - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/6213f710f925/LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.13.0:LICENSE))
+ - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/92128663:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.15.0:LICENSE))
+ - [golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2) ([BSD-3-Clause](https://cs.opensource.google/go/x/oauth2/+/v0.12.0:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.3.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.12.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.12.0:LICENSE))
+ - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.13.0:LICENSE))
 - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE))
 - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=0fa3db229ce2))
 - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.5.3))
 - [gopkg.in/yaml.v2](https://pkg.go.dev/gopkg.in/yaml.v2) ([Apache-2.0](https://github.com/go-yaml/yaml/blob/v2.4.0/LICENSE))
- - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/7b0a1988a28f/LICENSE))
+ - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/4fe30062272c/LICENSE))
 - [inet.af/peercred](https://pkg.go.dev/inet.af/peercred) ([BSD-3-Clause](https://github.com/inetaf/peercred/blob/0893ea02156a/LICENSE))
 - [inet.af/wf](https://pkg.go.dev/inet.af/wf) ([BSD-3-Clause](https://github.com/inetaf/wf/blob/36129f591884/LICENSE))
- - [k8s.io/client-go/util/homedir](https://pkg.go.dev/k8s.io/client-go/util/homedir) ([Apache-2.0](https://github.com/kubernetes/client-go/blob/v0.27.2/LICENSE))
+ - [k8s.io/client-go/util/homedir](https://pkg.go.dev/k8s.io/client-go/util/homedir) ([Apache-2.0](https://github.com/kubernetes/client-go/blob/v0.28.2/LICENSE))
 - [nhooyr.io/websocket](https://pkg.go.dev/nhooyr.io/websocket) ([MIT](https://github.com/nhooyr/websocket/blob/v1.8.7/LICENSE.txt))
 - [sigs.k8s.io/yaml](https://pkg.go.dev/sigs.k8s.io/yaml) ([MIT](https://github.com/kubernetes-sigs/yaml/blob/v1.3.0/LICENSE))
- - [software.sslmate.com/src/go-pkcs12](https://pkg.go.dev/software.sslmate.com/src/go-pkcs12) ([BSD-3-Clause](https://github.com/SSLMate/go-pkcs12/blob/v0.2.0/LICENSE))
+ - [software.sslmate.com/src/go-pkcs12](https://pkg.go.dev/software.sslmate.com/src/go-pkcs12) ([BSD-3-Clause](https://github.com/SSLMate/go-pkcs12/blob/v0.2.1/LICENSE))
 - [tailscale.com](https://pkg.go.dev/tailscale.com) ([BSD-3-Clause](https://github.com/tailscale/tailscale/blob/HEAD/LICENSE))
 - [tailscale.com/tempfork/device](https://pkg.go.dev/tailscale.com/tempfork/device) ([MIT](https://github.com/tailscale/tailscale/blob/HEAD/tempfork/device/LICENSE))
 - [tailscale.com/tempfork/gliderlabs/ssh](https://pkg.go.dev/tailscale.com/tempfork/gliderlabs/ssh) ([BSD-3-Clause](https://github.com/tailscale/tailscale/blob/HEAD/tempfork/gliderlabs/ssh/LICENSE))
--- a/licenses/windows.md
+++ b/licenses/windows.md
@@ -14,42 +14,42 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/alexbrainman/sspi](https://pkg.go.dev/github.com/alexbrainman/sspi) ([BSD-3-Clause](https://github.com/alexbrainman/sspi/blob/909beea2cc74/LICENSE))
 - [github.com/apenwarr/fixconsole](https://pkg.go.dev/github.com/apenwarr/fixconsole) ([Apache-2.0](https://github.com/apenwarr/fixconsole/blob/5a9f6489cc29/LICENSE))
 - [github.com/apenwarr/w32](https://pkg.go.dev/github.com/apenwarr/w32) ([BSD-3-Clause](https://github.com/apenwarr/w32/blob/aa00fece76ab/LICENSE))
- - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/v0.6.0/LICENSE))
- - [github.com/dblohm7/wingoes](https://pkg.go.dev/github.com/dblohm7/wingoes) ([BSD-3-Clause](https://github.com/dblohm7/wingoes/blob/fc76608aecf0/LICENSE))
- - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.4.0/LICENSE))
+ - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/v0.7.0/LICENSE))
+ - [github.com/dblohm7/wingoes](https://pkg.go.dev/github.com/dblohm7/wingoes) ([BSD-3-Clause](https://github.com/dblohm7/wingoes/blob/e994401fc077/LICENSE))
+ - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.5.0/LICENSE))
 - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
 - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.1.2/LICENSE))
 - [github.com/google/nftables](https://pkg.go.dev/github.com/google/nftables) ([Apache-2.0](https://github.com/google/nftables/blob/9aa6fdf5a28c/LICENSE))
- - [github.com/google/uuid](https://pkg.go.dev/github.com/google/uuid) ([BSD-3-Clause](https://github.com/google/uuid/blob/v1.3.0/LICENSE))
+ - [github.com/google/uuid](https://pkg.go.dev/github.com/google/uuid) ([BSD-3-Clause](https://github.com/google/uuid/blob/v1.3.1/LICENSE))
 - [github.com/gregjones/httpcache](https://pkg.go.dev/github.com/gregjones/httpcache) ([MIT](https://github.com/gregjones/httpcache/blob/901d90724c79/LICENSE.txt))
 - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/v0.1.0/LICENSE))
 - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
- - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.2/LICENSE.md))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.16.7/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.16.7/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.16.7/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.5/LICENSE.md))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.0/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.0/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.0/zstd/internal/xxhash/LICENSE.txt))
 - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.2/LICENSE.md))
- - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.4.1/LICENSE.md))
- - [github.com/miekg/dns](https://pkg.go.dev/github.com/miekg/dns) ([BSD-3-Clause](https://github.com/miekg/dns/blob/v1.1.55/LICENSE))
+ - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.5.0/LICENSE.md))
+ - [github.com/miekg/dns](https://pkg.go.dev/github.com/miekg/dns) ([BSD-3-Clause](https://github.com/miekg/dns/blob/v1.1.56/LICENSE))
 - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
 - [github.com/nfnt/resize](https://pkg.go.dev/github.com/nfnt/resize) ([ISC](https://github.com/nfnt/resize/blob/83c6a9932646/LICENSE))
 - [github.com/peterbourgon/diskv](https://pkg.go.dev/github.com/peterbourgon/diskv) ([MIT](https://github.com/peterbourgon/diskv/blob/v2.0.1/LICENSE))
 - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
- - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/a3cf94ed774a/LICENSE))
+ - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/df3128d017f4/LICENSE))
 - [github.com/tailscale/win](https://pkg.go.dev/github.com/tailscale/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/84569fd814a9/LICENSE))
- - [github.com/tc-hib/winres](https://pkg.go.dev/github.com/tc-hib/winres) ([0BSD](https://github.com/tc-hib/winres/blob/v0.2.0/LICENSE))
+ - [github.com/tc-hib/winres](https://pkg.go.dev/github.com/tc-hib/winres) ([0BSD](https://github.com/tc-hib/winres/blob/v0.2.1/LICENSE))
 - [github.com/vishvananda/netlink/nl](https://pkg.go.dev/github.com/vishvananda/netlink/nl) ([Apache-2.0](https://github.com/vishvananda/netlink/blob/v1.2.1-beta.2/LICENSE))
 - [github.com/vishvananda/netns](https://pkg.go.dev/github.com/vishvananda/netns) ([Apache-2.0](https://github.com/vishvananda/netns/blob/v0.0.4/LICENSE))
 - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
- - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/ad4cb58a6516/LICENSE))
+ - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/6213f710f925/LICENSE))
 - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.13.0:LICENSE))
- - [golang.org/x/exp/constraints](https://pkg.go.dev/golang.org/x/exp/constraints) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/515e97eb:LICENSE))
- - [golang.org/x/image/bmp](https://pkg.go.dev/golang.org/x/image/bmp) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.7.0:LICENSE))
+ - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/92128663:LICENSE))
+ - [golang.org/x/image/bmp](https://pkg.go.dev/golang.org/x/image/bmp) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.12.0:LICENSE))
 - [golang.org/x/mod](https://pkg.go.dev/golang.org/x/mod) ([BSD-3-Clause](https://cs.opensource.google/go/x/mod/+/v0.12.0:LICENSE))
 - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://github.com/tailscale/golang-x-net/blob/9a58c47922fd/LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.2.0:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.3.0:LICENSE))
 - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.12.0:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.12.0:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.13.0:LICENSE))
--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@@ -65,7 +65,8 @@ func getLogTarget() string {
 			getLogTargetOnce.v = val
 		} else {
 			if runtime.GOOS == "windows" {
-				getLogTargetOnce.v = winutil.GetRegString("LogTarget", "")
+				logTarget, _ := winutil.GetRegString("LogTarget")
+				getLogTargetOnce.v = logTarget
 			}
 		}
 	})
--- a/net/dns/manager.go
+++ b/net/dns/manager.go
@@ -17,6 +17,7 @@ import (
 	"sync/atomic"
 	"time"

+	"tailscale.com/control/controlknobs"
 	"tailscale.com/health"
 	"tailscale.com/net/dns/resolver"
 	"tailscale.com/net/netmon"
@@ -66,14 +67,14 @@ type Manager struct {

 // NewManagers created a new manager from the given config.
 // The netMon parameter is optional; if non-nil it's used to do faster interface lookups.
-func NewManager(logf logger.Logf, oscfg OSConfigurator, netMon *netmon.Monitor, dialer *tsdial.Dialer, linkSel resolver.ForwardLinkSelector) *Manager {
+func NewManager(logf logger.Logf, oscfg OSConfigurator, netMon *netmon.Monitor, dialer *tsdial.Dialer, linkSel resolver.ForwardLinkSelector, knobs *controlknobs.Knobs) *Manager {
 	if dialer == nil {
 		panic("nil Dialer")
 	}
 	logf = logger.WithPrefix(logf, "dns: ")
 	m := &Manager{
 		logf:     logf,
-		resolver: resolver.New(logf, netMon, linkSel, dialer),
+		resolver: resolver.New(logf, netMon, linkSel, dialer, knobs),
 		os:       oscfg,
 	}
 	m.ctx, m.ctxCancel = context.WithCancel(context.Background())
@@ -97,7 +98,9 @@ func (m *Manager) Set(cfg Config) error {
 	m.logf("Resolvercfg: %v", logger.ArgWriter(func(w *bufio.Writer) {
 		rcfg.WriteToBufioWriter(w)
 	}))
-	m.logf("OScfg: %+v", ocfg)
+	m.logf("OScfg: %v", logger.ArgWriter(func(w *bufio.Writer) {
+		ocfg.WriteToBufioWriter(w)
+	}))

 	if err := m.resolver.SetConfig(rcfg); err != nil {
 		return err
@@ -293,7 +296,10 @@ func toIPsOnly(resolvers []*dnstype.Resolver) (ret []netip.Addr) {
 // Query executes a DNS query received from the given address. The query is
 // provided in bs as a wire-encoded DNS query without any transport header.
 // This method is called for requests arriving over UDP and TCP.
-func (m *Manager) Query(ctx context.Context, bs []byte, from netip.AddrPort) ([]byte, error) {
+//
+// The "family" parameter should indicate what type of DNS query this is:
+// either "tcp" or "udp".
+func (m *Manager) Query(ctx context.Context, bs []byte, family string, from netip.AddrPort) ([]byte, error) {
 	select {
 	case <-m.ctx.Done():
 		return nil, net.ErrClosed
@@ -307,7 +313,7 @@ func (m *Manager) Query(ctx context.Context, bs []byte, from netip.AddrPort) ([]
 		return nil, errFullQueue
 	}
 	defer atomic.AddInt32(&m.activeQueriesAtomic, -1)
-	return m.resolver.Query(ctx, bs, from)
+	return m.resolver.Query(ctx, bs, family, from)
 }

 const (
@@ -369,7 +375,7 @@ func (s *dnsTCPSession) handleWrites() {
 }

 func (s *dnsTCPSession) handleQuery(q []byte) {
-	resp, err := s.m.Query(s.ctx, q, s.srcAddr)
+	resp, err := s.m.Query(s.ctx, q, "tcp", s.srcAddr)
 	if err != nil {
 		s.m.logf("tcp query: %v", err)
 		return
@@ -464,7 +470,7 @@ func Cleanup(logf logger.Logf, interfaceName string) {
 		logf("creating dns cleanup: %v", err)
 		return
 	}
-	dns := NewManager(logf, oscfg, nil, &tsdial.Dialer{Logf: logf}, nil)
+	dns := NewManager(logf, oscfg, nil, &tsdial.Dialer{Logf: logf}, nil, nil)
 	if err := dns.Down(); err != nil {
 		logf("dns down: %v", err)
 	}
--- a/net/dns/manager_tcp_test.go
+++ b/net/dns/manager_tcp_test.go
@@ -87,7 +87,7 @@ func TestDNSOverTCP(t *testing.T) {
 			SearchDomains: fqdns("coffee.shop"),
 		},
 	}
-	m := NewManager(t.Logf, &f, nil, new(tsdial.Dialer), nil)
+	m := NewManager(t.Logf, &f, nil, new(tsdial.Dialer), nil, nil)
 	m.resolver.TestOnlySetHook(f.SetResolver)
 	m.Set(Config{
 		Hosts: hosts(
@@ -172,7 +172,7 @@ func TestDNSOverTCP_TooLarge(t *testing.T) {
 			SearchDomains: fqdns("coffee.shop"),
 		},
 	}
-	m := NewManager(log, &f, nil, new(tsdial.Dialer), nil)
+	m := NewManager(log, &f, nil, new(tsdial.Dialer), nil, nil)
 	m.resolver.TestOnlySetHook(f.SetResolver)
 	m.Set(Config{
 		Hosts:         hosts("andrew.ts.com.", "1.2.3.4"),
--- a/net/dns/manager_test.go
+++ b/net/dns/manager_test.go
@@ -613,7 +613,7 @@ func TestManager(t *testing.T) {
 				SplitDNS:   test.split,
 				BaseConfig: test.bs,
 			}
-			m := NewManager(t.Logf, &f, nil, new(tsdial.Dialer), nil)
+			m := NewManager(t.Logf, &f, nil, new(tsdial.Dialer), nil, nil)
 			m.resolver.TestOnlySetHook(f.SetResolver)

 			if err := m.Set(test.in); err != nil {
--- a/net/dns/osconfig.go
+++ b/net/dns/osconfig.go
@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
+	"strings"

 	"tailscale.com/types/logger"
 	"tailscale.com/util/dnsname"
@@ -65,6 +66,42 @@ type OSConfig struct {
 	MatchDomains []dnsname.FQDN
 }

+func (o *OSConfig) WriteToBufioWriter(w *bufio.Writer) {
+	if o == nil {
+		w.WriteString("<nil>")
+		return
+	}
+	w.WriteString("{")
+	if len(o.Hosts) > 0 {
+		fmt.Fprintf(w, "Hosts:%v ", o.Hosts)
+	}
+	if len(o.Nameservers) > 0 {
+		fmt.Fprintf(w, "Nameservers:%v ", o.Nameservers)
+	}
+	if len(o.SearchDomains) > 0 {
+		fmt.Fprintf(w, "SearchDomains:%v ", o.SearchDomains)
+	}
+	if len(o.MatchDomains) > 0 {
+		w.WriteString("SearchDomains:[")
+		sp := ""
+		var numARPA int
+		for _, s := range o.MatchDomains {
+			if strings.HasSuffix(string(s), ".arpa.") {
+				numARPA++
+				continue
+			}
+			w.WriteString(sp)
+			w.WriteString(string(s))
+			sp = " "
+		}
+		w.WriteString("]")
+		if numARPA > 0 {
+			fmt.Fprintf(w, "+%darpa", numARPA)
+		}
+	}
+	w.WriteString("}")
+}
+
 func (o OSConfig) IsZero() bool {
 	return len(o.Nameservers) == 0 && len(o.SearchDomains) == 0 && len(o.MatchDomains) == 0
 }
--- a/net/dns/publicdns/publicdns.go
+++ b/net/dns/publicdns/publicdns.go
@@ -137,6 +137,7 @@ const (
 // populate is called once to initialize the knownDoH and dohIPsOfBase maps.
 func populate() {
 	// Cloudflare
+	// https://developers.cloudflare.com/1.1.1.1/ip-addresses/
 	addDoH("1.1.1.1", "https://cloudflare-dns.com/dns-query")
 	addDoH("1.0.0.1", "https://cloudflare-dns.com/dns-query")
 	addDoH("2606:4700:4700::1111", "https://cloudflare-dns.com/dns-query")
@@ -170,10 +171,17 @@ func populate() {
 	// addDoH("208.67.220.123", "https://doh.familyshield.opendns.com/dns-query")

 	// Quad9
+	// https://www.quad9.net/service/service-addresses-and-features
 	addDoH("9.9.9.9", "https://dns.quad9.net/dns-query")
 	addDoH("149.112.112.112", "https://dns.quad9.net/dns-query")
 	addDoH("2620:fe::fe", "https://dns.quad9.net/dns-query")
-	addDoH("2620:fe::fe:9", "https://dns.quad9.net/dns-query")
+	addDoH("2620:fe::9", "https://dns.quad9.net/dns-query")
+
+	// Quad9 +ECS +DNSSEC
+	addDoH("9.9.9.11", "https://dns11.quad9.net/dns-query")
+	addDoH("149.112.112.11", "https://dns11.quad9.net/dns-query")
+	addDoH("2620:fe::11", "https://dns11.quad9.net/dns-query")
+	addDoH("2620:fe::fe:11", "https://dns11.quad9.net/dns-query")

 	// Quad9 -DNSSEC
 	addDoH("9.9.9.10", "https://dns10.quad9.net/dns-query")
--- a/net/dns/resolver/forwarder.go
+++ b/net/dns/resolver/forwarder.go
@@ -18,9 +18,11 @@ import (
 	"sort"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"

 	dns "golang.org/x/net/dns/dnsmessage"
+	"tailscale.com/control/controlknobs"
 	"tailscale.com/envknob"
 	"tailscale.com/net/dns/publicdns"
 	"tailscale.com/net/dnscache"
@@ -34,6 +36,7 @@ import (
 	"tailscale.com/types/nettype"
 	"tailscale.com/util/cloudenv"
 	"tailscale.com/util/dnsname"
+	"tailscale.com/util/race"
 	"tailscale.com/version"
 )

@@ -68,6 +71,14 @@ const (
 	// DNS queries to the "fallback" DNS server IP for a known provider
 	// (e.g. how long to wait to query Google's 8.8.4.4 after 8.8.8.8).
 	wellKnownHostBackupDelay = 200 * time.Millisecond
+
+	// udpRaceTimeout is the timeout after which we will start a DNS query
+	// over TCP while waiting for the UDP query to complete.
+	udpRaceTimeout = 2 * time.Second
+
+	// tcpQueryTimeout is the timeout for a DNS query performed over TCP.
+	// It matches the default 5sec timeout of the 'dig' utility.
+	tcpQueryTimeout = 5 * time.Second
 )

 // txid identifies a DNS transaction.
@@ -180,6 +191,8 @@ type forwarder struct {
 	linkSel ForwardLinkSelector // TODO(bradfitz): remove this when tsdial.Dialer absorbs it
 	dialer  *tsdial.Dialer

+	controlKnobs *controlknobs.Knobs // or nil
+
 	ctx       context.Context    // good until Close
 	ctxCancel context.CancelFunc // closes ctx

@@ -206,12 +219,13 @@ func init() {
 	rand.Seed(time.Now().UnixNano())
 }

-func newForwarder(logf logger.Logf, netMon *netmon.Monitor, linkSel ForwardLinkSelector, dialer *tsdial.Dialer) *forwarder {
+func newForwarder(logf logger.Logf, netMon *netmon.Monitor, linkSel ForwardLinkSelector, dialer *tsdial.Dialer, knobs *controlknobs.Knobs) *forwarder {
 	f := &forwarder{
-		logf:    logger.WithPrefix(logf, "forward: "),
-		netMon:  netMon,
-		linkSel: linkSel,
-		dialer:  dialer,
+		logf:         logger.WithPrefix(logf, "forward: "),
+		netMon:       netMon,
+		linkSel:      linkSel,
+		dialer:       dialer,
+		controlKnobs: knobs,
 	}
 	f.ctx, f.ctxCancel = context.WithCancel(context.Background())
 	return f
@@ -443,7 +457,10 @@ func (f *forwarder) sendDoH(ctx context.Context, urlBase string, c *http.Client,
 	return res, err
 }

-var verboseDNSForward = envknob.RegisterBool("TS_DEBUG_DNS_FORWARD_SEND")
+var (
+	verboseDNSForward = envknob.RegisterBool("TS_DEBUG_DNS_FORWARD_SEND")
+	skipTCPRetry      = envknob.RegisterBool("TS_DNS_FORWARD_SKIP_TCP_RETRY")
+)

 // send sends packet to dst. It is best effort.
 //
@@ -477,10 +494,99 @@ func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDe
 		return nil, fmt.Errorf("tls:// resolvers not supported yet")
 	}

-	return f.sendUDP(ctx, fq, rr)
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	isUDPQuery := fq.family == "udp"
+	skipTCP := skipTCPRetry() || (f.controlKnobs != nil && f.controlKnobs.DisableDNSForwarderTCPRetries.Load())
+
+	// Print logs about retries if this was because of a truncated response.
+	var explicitRetry atomic.Bool // true if truncated UDP response retried
+	defer func() {
+		if !explicitRetry.Load() {
+			return
+		}
+		if err == nil {
+			f.logf("forwarder.send(%q): successfully retried via TCP", rr.name.Addr)
+		} else {
+			f.logf("forwarder.send(%q): could not retry via TCP: %v", rr.name.Addr, err)
+		}
+	}()
+
+	firstUDP := func(ctx context.Context) ([]byte, error) {
+		resp, err := f.sendUDP(ctx, fq, rr)
+		if err != nil {
+			return nil, err
+		}
+		if !truncatedFlagSet(resp) {
+			// Successful, non-truncated response; no retry.
+			return resp, nil
+		}
+
+		// If this is a UDP query, return it regardless of whether the
+		// response is truncated or not; the client can retry
+		// communicating with tailscaled over TCP. There's no point
+		// falling back to TCP for a truncated query if we can't return
+		// the results to the client.
+		if isUDPQuery {
+			return resp, nil
+		}
+
+		if skipTCP {
+			// Envknob or control knob disabled the TCP retry behaviour;
+			// just return what we have.
+			return resp, nil
+		}
+
+		// This is a TCP query from the client, and the UDP response
+		// from the upstream DNS server is truncated; map this to an
+		// error to cause our retry helper to immediately kick off the
+		// TCP retry.
+		explicitRetry.Store(true)
+		return nil, truncatedResponseError{resp}
+	}
+	thenTCP := func(ctx context.Context) ([]byte, error) {
+		// If we're skipping the TCP fallback, then wait until the
+		// context is canceled and return that error (i.e. not
+		// returning anything).
+		if skipTCP {
+			<-ctx.Done()
+			return nil, ctx.Err()
+		}
+
+		return f.sendTCP(ctx, fq, rr)
+	}
+
+	// If the input query is TCP, then don't have a timeout between
+	// starting UDP and TCP.
+	timeout := udpRaceTimeout
+	if !isUDPQuery {
+		timeout = 0
+	}
+
+	// Kick off the race between the UDP and TCP queries.
+	rh := race.New[[]byte](timeout, firstUDP, thenTCP)
+	resp, err := rh.Start(ctx)
+	if err == nil {
+		return resp, nil
+	}
+
+	// If we got a truncated UDP response, return that instead of an error.
+	var trErr truncatedResponseError
+	if errors.As(err, &trErr) {
+		return trErr.res, nil
+	}
+	return nil, err
 }

+type truncatedResponseError struct {
+	res []byte
+}
+
+func (tr truncatedResponseError) Error() string { return "response truncated" }
+
 var errServerFailure = errors.New("response code indicates server issue")
+var errTxIDMismatch = errors.New("txid doesn't match")

 func (f *forwarder) sendUDP(ctx context.Context, fq *forwardQuery, rr resolverAndDelay) (ret []byte, err error) {
 	ipp, ok := rr.name.IPPort()
@@ -545,7 +651,7 @@ func (f *forwarder) sendUDP(ctx context.Context, fq *forwardQuery, rr resolverAn
 	txid := getTxID(out)
 	if txid != fq.txid {
 		metricDNSFwdUDPErrorTxID.Add(1)
-		return nil, errors.New("txid doesn't match")
+		return nil, errTxIDMismatch
 	}
 	rcode := getRCode(out)
 	// don't forward transient errors back to the client when the server fails
@@ -577,6 +683,92 @@ func (f *forwarder) sendUDP(ctx context.Context, fq *forwardQuery, rr resolverAn
 	return out, nil
 }

+func (f *forwarder) sendTCP(ctx context.Context, fq *forwardQuery, rr resolverAndDelay) (ret []byte, err error) {
+	ipp, ok := rr.name.IPPort()
+	if !ok {
+		metricDNSFwdErrorType.Add(1)
+		return nil, fmt.Errorf("unrecognized resolver type %q", rr.name.Addr)
+	}
+	metricDNSFwdTCP.Add(1)
+	ctx = sockstats.WithSockStats(ctx, sockstats.LabelDNSForwarderTCP, f.logf)
+
+	// Specify the exact family to work around https://github.com/golang/go/issues/52264
+	tcpFam := "tcp4"
+	if ipp.Addr().Is6() {
+		tcpFam = "tcp6"
+	}
+
+	ctx, cancel := context.WithTimeout(ctx, tcpQueryTimeout)
+	defer cancel()
+
+	conn, err := f.dialer.SystemDial(ctx, tcpFam, ipp.String())
+	if err != nil {
+		return nil, err
+	}
+	defer conn.Close()
+
+	fq.closeOnCtxDone.Add(conn)
+	defer fq.closeOnCtxDone.Remove(conn)
+
+	ctxOrErr := func(err2 error) ([]byte, error) {
+		if err := ctx.Err(); err != nil {
+			return nil, err
+		}
+		return nil, err2
+	}
+
+	// Write the query to the server.
+	query := make([]byte, len(fq.packet)+2)
+	binary.BigEndian.PutUint16(query, uint16(len(fq.packet)))
+	copy(query[2:], fq.packet)
+	if _, err := conn.Write(query); err != nil {
+		metricDNSFwdTCPErrorWrite.Add(1)
+		return ctxOrErr(err)
+	}
+
+	metricDNSFwdTCPWrote.Add(1)
+
+	// Read the header length back from the server
+	var length uint16
+	if err := binary.Read(conn, binary.BigEndian, &length); err != nil {
+		metricDNSFwdTCPErrorRead.Add(1)
+		return ctxOrErr(err)
+	}
+
+	// Now read the response
+	out := make([]byte, length)
+	n, err := io.ReadFull(conn, out)
+	if err != nil {
+		metricDNSFwdTCPErrorRead.Add(1)
+		return ctxOrErr(err)
+	}
+
+	if n < int(length) {
+		f.logf("sendTCP: packet too small (%d bytes)", n)
+		return nil, io.ErrUnexpectedEOF
+	}
+	out = out[:n]
+	txid := getTxID(out)
+	if txid != fq.txid {
+		metricDNSFwdTCPErrorTxID.Add(1)
+		return nil, errTxIDMismatch
+	}
+
+	rcode := getRCode(out)
+
+	// don't forward transient errors back to the client when the server fails
+	if rcode == dns.RCodeServerFailure {
+		f.logf("sendTCP: response code indicating server failure: %d", rcode)
+		metricDNSFwdTCPErrorServer.Add(1)
+		return nil, errServerFailure
+	}
+
+	// TODO(andrew): do we need to do this?
+	//clampEDNSSize(out, maxResponseBytes)
+	metricDNSFwdTCPSuccess.Add(1)
+	return out, nil
+}
+
 // resolvers returns the resolvers to use for domain.
 func (f *forwarder) resolvers(domain dnsname.FQDN) []resolverAndDelay {
 	f.mu.Lock()
@@ -601,6 +793,7 @@ func (f *forwarder) resolvers(domain dnsname.FQDN) []resolverAndDelay {
 type forwardQuery struct {
 	txid   txid
 	packet []byte
+	family string // "tcp" or "udp"

 	// closeOnCtxDone lets send register values to Close if the
 	// caller's ctx expires. This avoids send from allocating its
@@ -686,6 +879,7 @@ func (f *forwarder) forwardWithDestChan(ctx context.Context, query packet, respo
 	fq := &forwardQuery{
 		txid:           getTxID(query.bs),
 		packet:         query.bs,
+		family:         query.family,
 		closeOnCtxDone: new(closePool),
 	}
 	defer fq.closeOnCtxDone.Close()
@@ -727,7 +921,7 @@ func (f *forwarder) forwardWithDestChan(ctx context.Context, query packet, respo
 			case <-ctx.Done():
 				metricDNSFwdErrorContext.Add(1)
 				return ctx.Err()
-			case responseChan <- packet{v, query.addr}:
+			case responseChan <- packet{v, query.family, query.addr}:
 				metricDNSFwdSuccess.Add(1)
 				return nil
 			}
@@ -737,7 +931,7 @@ func (f *forwarder) forwardWithDestChan(ctx context.Context, query packet, respo
 			}
 			numErr++
 			if numErr == len(resolvers) {
-				if firstErr == errServerFailure {
+				if errors.Is(firstErr, errServerFailure) {
 					res, err := servfailResponse(query)
 					if err != nil {
 						f.logf("building servfail response: %v", err)
--- a/net/dns/resolver/forwarder_test.go
+++ b/net/dns/resolver/forwarder_test.go
@@ -4,14 +4,28 @@
 package resolver

 import (
+	"bytes"
+	"context"
+	"encoding/binary"
+	"errors"
 	"flag"
 	"fmt"
+	"io"
+	"net"
+	"net/netip"
+	"os"
 	"reflect"
 	"strings"
+	"sync"
+	"sync/atomic"
 	"testing"
 	"time"

 	dns "golang.org/x/net/dns/dnsmessage"
+	"tailscale.com/control/controlknobs"
+	"tailscale.com/envknob"
+	"tailscale.com/net/netmon"
+	"tailscale.com/net/tsdial"
 	"tailscale.com/types/dnstype"
 )

@@ -240,3 +254,396 @@ func FuzzClampEDNSSize(f *testing.F) {
 		clampEDNSSize(data, maxResponseBytes)
 	})
 }
+
+type testDNSServerOptions struct {
+	SkipUDP bool
+	SkipTCP bool
+}
+
+func runDNSServer(tb testing.TB, opts *testDNSServerOptions, response []byte, onRequest func(bool, []byte)) (port uint16) {
+	if opts != nil && opts.SkipUDP && opts.SkipTCP {
+		tb.Fatal("cannot skip both UDP and TCP servers")
+	}
+
+	tcpResponse := make([]byte, len(response)+2)
+	binary.BigEndian.PutUint16(tcpResponse, uint16(len(response)))
+	copy(tcpResponse[2:], response)
+
+	// Repeatedly listen until we can get the same port.
+	const tries = 25
+	var (
+		tcpLn *net.TCPListener
+		udpLn *net.UDPConn
+		err   error
+	)
+	for try := 0; try < tries; try++ {
+		if tcpLn != nil {
+			tcpLn.Close()
+			tcpLn = nil
+		}
+
+		tcpLn, err = net.ListenTCP("tcp4", &net.TCPAddr{
+			IP:   net.IPv4(127, 0, 0, 1),
+			Port: 0, // Choose one
+		})
+		if err != nil {
+			tb.Fatal(err)
+		}
+		udpLn, err = net.ListenUDP("udp4", &net.UDPAddr{
+			IP:   net.IPv4(127, 0, 0, 1),
+			Port: tcpLn.Addr().(*net.TCPAddr).Port,
+		})
+		if err == nil {
+			break
+		}
+	}
+	if tcpLn == nil || udpLn == nil {
+		if tcpLn != nil {
+			tcpLn.Close()
+		}
+		if udpLn != nil {
+			udpLn.Close()
+		}
+
+		// Skip instead of being fatal to avoid flaking on extremely
+		// heavily-loaded CI systems.
+		tb.Skipf("failed to listen on same port for TCP/UDP after %d tries", tries)
+	}
+
+	port = uint16(tcpLn.Addr().(*net.TCPAddr).Port)
+
+	handleConn := func(conn net.Conn) {
+		defer conn.Close()
+
+		// Read the length header, then the buffer
+		var length uint16
+		if err := binary.Read(conn, binary.BigEndian, &length); err != nil {
+			tb.Logf("error reading length header: %v", err)
+			return
+		}
+		req := make([]byte, length)
+		n, err := io.ReadFull(conn, req)
+		if err != nil {
+			tb.Logf("error reading query: %v", err)
+			return
+		}
+		req = req[:n]
+		onRequest(true, req)
+
+		// Write response
+		if _, err := conn.Write(tcpResponse); err != nil {
+			tb.Logf("error writing response: %v", err)
+			return
+		}
+	}
+
+	var wg sync.WaitGroup
+
+	if opts == nil || !opts.SkipTCP {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			for {
+				conn, err := tcpLn.Accept()
+				if err != nil {
+					return
+				}
+				go handleConn(conn)
+			}
+		}()
+	}
+
+	handleUDP := func(addr netip.AddrPort, req []byte) {
+		onRequest(false, req)
+		if _, err := udpLn.WriteToUDPAddrPort(response, addr); err != nil {
+			tb.Logf("error writing response: %v", err)
+		}
+	}
+
+	if opts == nil || !opts.SkipUDP {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			for {
+				buf := make([]byte, 65535)
+				n, addr, err := udpLn.ReadFromUDPAddrPort(buf)
+				if err != nil {
+					return
+				}
+				buf = buf[:n]
+				go handleUDP(addr, buf)
+			}
+		}()
+	}
+
+	tb.Cleanup(func() {
+		tcpLn.Close()
+		udpLn.Close()
+		tb.Logf("waiting for listeners to finish...")
+		wg.Wait()
+	})
+	return
+}
+
+func enableDebug(tb testing.TB) {
+	const debugKnob = "TS_DEBUG_DNS_FORWARD_SEND"
+	oldVal := os.Getenv(debugKnob)
+	envknob.Setenv(debugKnob, "true")
+	tb.Cleanup(func() { envknob.Setenv(debugKnob, oldVal) })
+}
+
+func makeLargeResponse(tb testing.TB, domain string) (request, response []byte) {
+	name := dns.MustNewName(domain)
+
+	builder := dns.NewBuilder(nil, dns.Header{})
+	builder.StartQuestions()
+	builder.Question(dns.Question{
+		Name:  name,
+		Type:  dns.TypeA,
+		Class: dns.ClassINET,
+	})
+	builder.StartAnswers()
+	for i := 0; i < 120; i++ {
+		builder.AResource(dns.ResourceHeader{
+			Name:  name,
+			Class: dns.ClassINET,
+			TTL:   300,
+		}, dns.AResource{
+			A: [4]byte{127, 0, 0, byte(i)},
+		})
+	}
+
+	var err error
+	response, err = builder.Finish()
+	if err != nil {
+		tb.Fatal(err)
+	}
+	if len(response) <= maxResponseBytes {
+		tb.Fatalf("got len(largeResponse)=%d, want > %d", len(response), maxResponseBytes)
+	}
+
+	// Our request is a single A query for the domain in the answer, above.
+	builder = dns.NewBuilder(nil, dns.Header{})
+	builder.StartQuestions()
+	builder.Question(dns.Question{
+		Name:  dns.MustNewName(domain),
+		Type:  dns.TypeA,
+		Class: dns.ClassINET,
+	})
+	request, err = builder.Finish()
+	if err != nil {
+		tb.Fatal(err)
+	}
+
+	return
+}
+
+func runTestQuery(tb testing.TB, port uint16, request []byte, modify func(*forwarder)) ([]byte, error) {
+	netMon, err := netmon.New(tb.Logf)
+	if err != nil {
+		tb.Fatal(err)
+	}
+
+	var dialer tsdial.Dialer
+	dialer.SetNetMon(netMon)
+
+	fwd := newForwarder(tb.Logf, netMon, nil, &dialer, nil)
+	if modify != nil {
+		modify(fwd)
+	}
+
+	fq := &forwardQuery{
+		txid:           getTxID(request),
+		packet:         request,
+		closeOnCtxDone: new(closePool),
+		family:         "tcp",
+	}
+	defer fq.closeOnCtxDone.Close()
+
+	rr := resolverAndDelay{
+		name: &dnstype.Resolver{Addr: fmt.Sprintf("127.0.0.1:%d", port)},
+	}
+
+	return fwd.send(context.Background(), fq, rr)
+}
+
+func mustRunTestQuery(tb testing.TB, port uint16, request []byte, modify func(*forwarder)) []byte {
+	resp, err := runTestQuery(tb, port, request, modify)
+	if err != nil {
+		tb.Fatalf("error making request: %v", err)
+	}
+	return resp
+}
+
+func TestForwarderTCPFallback(t *testing.T) {
+	enableDebug(t)
+
+	const domain = "large-dns-response.tailscale.com."
+
+	// Make a response that's very large, containing a bunch of localhost addresses.
+	request, largeResponse := makeLargeResponse(t, domain)
+
+	var sawTCPRequest atomic.Bool
+	port := runDNSServer(t, nil, largeResponse, func(isTCP bool, gotRequest []byte) {
+		if isTCP {
+			t.Logf("saw TCP request")
+			sawTCPRequest.Store(true)
+		} else {
+			t.Logf("saw UDP request")
+		}
+
+		if !bytes.Equal(request, gotRequest) {
+			t.Errorf("invalid request\ngot: %+v\nwant: %+v", gotRequest, request)
+		}
+	})
+
+	resp := mustRunTestQuery(t, port, request, nil)
+	if !bytes.Equal(resp, largeResponse) {
+		t.Errorf("invalid response\ngot: %+v\nwant: %+v", resp, largeResponse)
+	}
+	if !sawTCPRequest.Load() {
+		t.Errorf("DNS server never saw TCP request")
+	}
+
+	// NOTE: can't assert that we see a UDP request here since we might
+	// race and run the TCP query first. We test the UDP codepath in
+	// TestForwarderTCPFallbackDisabled below, though.
+}
+
+// Test to ensure that if the UDP listener is unresponsive, we always make a
+// TCP request even if we never get a response.
+func TestForwarderTCPFallbackTimeout(t *testing.T) {
+	enableDebug(t)
+
+	const domain = "large-dns-response.tailscale.com."
+
+	// Make a response that's very large, containing a bunch of localhost addresses.
+	request, largeResponse := makeLargeResponse(t, domain)
+
+	var sawTCPRequest atomic.Bool
+	opts := &testDNSServerOptions{SkipUDP: true}
+	port := runDNSServer(t, opts, largeResponse, func(isTCP bool, gotRequest []byte) {
+		if isTCP {
+			t.Logf("saw TCP request")
+			sawTCPRequest.Store(true)
+		} else {
+			t.Error("saw unexpected UDP request")
+		}
+
+		if !bytes.Equal(request, gotRequest) {
+			t.Errorf("invalid request\ngot: %+v\nwant: %+v", gotRequest, request)
+		}
+	})
+
+	resp := mustRunTestQuery(t, port, request, nil)
+	if !bytes.Equal(resp, largeResponse) {
+		t.Errorf("invalid response\ngot: %+v\nwant: %+v", resp, largeResponse)
+	}
+	if !sawTCPRequest.Load() {
+		t.Errorf("DNS server never saw TCP request")
+	}
+}
+
+func TestForwarderTCPFallbackDisabled(t *testing.T) {
+	enableDebug(t)
+
+	const domain = "large-dns-response.tailscale.com."
+
+	// Make a response that's very large, containing a bunch of localhost addresses.
+	request, largeResponse := makeLargeResponse(t, domain)
+
+	var sawUDPRequest atomic.Bool
+	port := runDNSServer(t, nil, largeResponse, func(isTCP bool, gotRequest []byte) {
+		if isTCP {
+			t.Error("saw unexpected TCP request")
+		} else {
+			t.Logf("saw UDP request")
+			sawUDPRequest.Store(true)
+		}
+
+		if !bytes.Equal(request, gotRequest) {
+			t.Errorf("invalid request\ngot: %+v\nwant: %+v", gotRequest, request)
+		}
+	})
+
+	resp := mustRunTestQuery(t, port, request, func(fwd *forwarder) {
+		// Disable retries for this test.
+		fwd.controlKnobs = &controlknobs.Knobs{}
+		fwd.controlKnobs.DisableDNSForwarderTCPRetries.Store(true)
+	})
+
+	wantResp := append([]byte(nil), largeResponse[:maxResponseBytes]...)
+
+	// Set the truncated flag on the expected response, since that's what we expect.
+	flags := binary.BigEndian.Uint16(wantResp[2:4])
+	flags |= dnsFlagTruncated
+	binary.BigEndian.PutUint16(wantResp[2:4], flags)
+
+	if !bytes.Equal(resp, wantResp) {
+		t.Errorf("invalid response\ngot (%d): %+v\nwant (%d): %+v", len(resp), resp, len(wantResp), wantResp)
+	}
+	if !sawUDPRequest.Load() {
+		t.Errorf("DNS server never saw UDP request")
+	}
+}
+
+// Test to ensure that we propagate DNS errors
+func TestForwarderTCPFallbackError(t *testing.T) {
+	enableDebug(t)
+
+	const domain = "error-response.tailscale.com."
+
+	// Our response is a SERVFAIL
+	response := func() []byte {
+		name := dns.MustNewName(domain)
+
+		builder := dns.NewBuilder(nil, dns.Header{
+			RCode: dns.RCodeServerFailure,
+		})
+		builder.StartQuestions()
+		builder.Question(dns.Question{
+			Name:  name,
+			Type:  dns.TypeA,
+			Class: dns.ClassINET,
+		})
+		response, err := builder.Finish()
+		if err != nil {
+			t.Fatal(err)
+		}
+		return response
+	}()
+
+	// Our request is a single A query for the domain in the answer, above.
+	request := func() []byte {
+		builder := dns.NewBuilder(nil, dns.Header{})
+		builder.StartQuestions()
+		builder.Question(dns.Question{
+			Name:  dns.MustNewName(domain),
+			Type:  dns.TypeA,
+			Class: dns.ClassINET,
+		})
+		request, err := builder.Finish()
+		if err != nil {
+			t.Fatal(err)
+		}
+		return request
+	}()
+
+	var sawRequest atomic.Bool
+	port := runDNSServer(t, nil, response, func(isTCP bool, gotRequest []byte) {
+		sawRequest.Store(true)
+		if !bytes.Equal(request, gotRequest) {
+			t.Errorf("invalid request\ngot: %+v\nwant: %+v", gotRequest, request)
+		}
+	})
+
+	_, err := runTestQuery(t, port, request, nil)
+	if !sawRequest.Load() {
+		t.Error("did not see DNS request")
+	}
+	if err == nil {
+		t.Error("wanted error, got nil")
+	} else if !errors.Is(err, errServerFailure) {
+		t.Errorf("wanted errServerFailure, got: %v", err)
+	}
+}
--- a/net/dns/resolver/tsdns.go
+++ b/net/dns/resolver/tsdns.go
@@ -23,6 +23,7 @@ import (
 	"time"

 	dns "golang.org/x/net/dns/dnsmessage"
+	"tailscale.com/control/controlknobs"
 	"tailscale.com/envknob"
 	"tailscale.com/net/dns/resolvconffile"
 	"tailscale.com/net/netaddr"
@@ -53,8 +54,9 @@ var (
 )

 type packet struct {
-	bs   []byte
-	addr netip.AddrPort // src for a request, dst for a response
+	bs     []byte
+	family string         // either "tcp" or "udp"
+	addr   netip.AddrPort // src for a request, dst for a response
 }

 // Config is a resolver configuration.
@@ -206,7 +208,7 @@ type ForwardLinkSelector interface {

 // New returns a new resolver.
 // netMon optionally specifies a network monitor to use for socket rebinding.
-func New(logf logger.Logf, netMon *netmon.Monitor, linkSel ForwardLinkSelector, dialer *tsdial.Dialer) *Resolver {
+func New(logf logger.Logf, netMon *netmon.Monitor, linkSel ForwardLinkSelector, dialer *tsdial.Dialer, knobs *controlknobs.Knobs) *Resolver {
 	if dialer == nil {
 		panic("nil Dialer")
 	}
@@ -218,7 +220,7 @@ func New(logf logger.Logf, netMon *netmon.Monitor, linkSel ForwardLinkSelector,
 		ipToHost: map[netip.Addr]dnsname.FQDN{},
 		dialer:   dialer,
 	}
-	r.forwarder = newForwarder(r.logf, netMon, linkSel, dialer)
+	r.forwarder = newForwarder(r.logf, netMon, linkSel, dialer, knobs)
 	return r
 }

@@ -266,7 +268,7 @@ func (r *Resolver) Close() {
 // bound on per-query resource usage.
 const dnsQueryTimeout = 10 * time.Second

-func (r *Resolver) Query(ctx context.Context, bs []byte, from netip.AddrPort) ([]byte, error) {
+func (r *Resolver) Query(ctx context.Context, bs []byte, family string, from netip.AddrPort) ([]byte, error) {
 	metricDNSQueryLocal.Add(1)
 	select {
 	case <-r.closed:
@@ -281,7 +283,7 @@ func (r *Resolver) Query(ctx context.Context, bs []byte, from netip.AddrPort) ([
 		ctx, cancel := context.WithTimeout(ctx, dnsQueryTimeout)
 		defer close(responses)
 		defer cancel()
-		err = r.forwarder.forwardWithDestChan(ctx, packet{bs, from}, responses)
+		err = r.forwarder.forwardWithDestChan(ctx, packet{bs, family, from}, responses)
 		if err != nil {
 			select {
 			// Best effort: use any error response sent by forwardWithDestChan.
@@ -348,7 +350,7 @@ func (r *Resolver) HandleExitNodeDNSQuery(ctx context.Context, q []byte, from ne
 		// but for now that's probably good enough. Later we'll
 		// want to blend in everything from scutil --dns.
 		fallthrough
-	case "linux", "freebsd", "openbsd", "illumos":
+	case "linux", "freebsd", "openbsd", "illumos", "ios":
 		nameserver, err := stubResolverForOS()
 		if err != nil {
 			r.logf("stubResolverForOS: %v", err)
@@ -358,18 +360,21 @@ func (r *Resolver) HandleExitNodeDNSQuery(ctx context.Context, q []byte, from ne
 		// TODO: more than 1 resolver from /etc/resolv.conf?

 		var resolvers []resolverAndDelay
-		if nameserver == tsaddr.TailscaleServiceIP() || nameserver == tsaddr.TailscaleServiceIPv6() {
+		switch nameserver {
+		case tsaddr.TailscaleServiceIP(), tsaddr.TailscaleServiceIPv6():
 			// If resolv.conf says 100.100.100.100, it's coming right back to us anyway
 			// so avoid the loop through the kernel and just do what we
 			// would've done anyway. By not passing any resolvers, the forwarder
 			// will use its default ones from our DNS config.
-		} else {
+		case netip.Addr{}:
+			// Likewise, if the platform has no resolv.conf, just use our defaults.
+		default:
 			resolvers = []resolverAndDelay{{
 				name: &dnstype.Resolver{Addr: net.JoinHostPort(nameserver.String(), "53")},
 			}}
 		}

-		err = r.forwarder.forwardWithDestChan(ctx, packet{q, from}, ch, resolvers...)
+		err = r.forwarder.forwardWithDestChan(ctx, packet{q, "tcp", from}, ch, resolvers...)
 		if err != nil {
 			metricDNSExitProxyErrorForward.Add(1)
 			return nil, err
@@ -390,7 +395,7 @@ var debugExitNodeDNSNetPkg = envknob.RegisterBool("TS_DEBUG_EXIT_NODE_DNS_NET_PK

 // handleExitNodeDNSQueryWithNetPkg takes a DNS query message in q and
 // return a reply (for the ExitDNS DoH service) using the net package's
-// native APIs. This is only used on Windows for now.
+// native APIs.
 //
 // If resolver is nil, the net.Resolver zero value is used.
 //
@@ -529,7 +534,13 @@ var errEmptyResolvConf = errors.New("resolv.conf has no nameservers")

 // stubResolverForOS returns the IP address of the first nameserver in
 // /etc/resolv.conf.
+//
+// It may also return the netip.Addr zero value and a nil error to mean
+// that the platform has no resolv.conf.
 func stubResolverForOS() (ip netip.Addr, err error) {
+	if runtime.GOOS == "ios" {
+		return netip.Addr{}, nil // no resolv.conf on iOS
+	}
 	fi, err := os.Stat(resolvconffile.Path)
 	if err != nil {
 		return netip.Addr{}, err
@@ -1306,6 +1317,14 @@ var (
 	metricDNSFwdUDPErrorRead   = clientmetric.NewCounter("dns_query_fwd_udp_error_read")
 	metricDNSFwdUDPSuccess     = clientmetric.NewCounter("dns_query_fwd_udp_success")

+	metricDNSFwdTCP            = clientmetric.NewCounter("dns_query_fwd_tcp")       // on entry
+	metricDNSFwdTCPWrote       = clientmetric.NewCounter("dns_query_fwd_tcp_wrote") // sent TCP packet
+	metricDNSFwdTCPErrorWrite  = clientmetric.NewCounter("dns_query_fwd_tcp_error_write")
+	metricDNSFwdTCPErrorServer = clientmetric.NewCounter("dns_query_fwd_tcp_error_server")
+	metricDNSFwdTCPErrorTxID   = clientmetric.NewCounter("dns_query_fwd_tcp_error_txid")
+	metricDNSFwdTCPErrorRead   = clientmetric.NewCounter("dns_query_fwd_tcp_error_read")
+	metricDNSFwdTCPSuccess     = clientmetric.NewCounter("dns_query_fwd_tcp_success")
+
 	metricDNSFwdDoH               = clientmetric.NewCounter("dns_query_fwd_doh")
 	metricDNSFwdDoHErrorStatus    = clientmetric.NewCounter("dns_query_fwd_doh_error_status")
 	metricDNSFwdDoHErrorCT        = clientmetric.NewCounter("dns_query_fwd_doh_error_content_type")
--- a/net/dns/resolver/tsdns_test.go
+++ b/net/dns/resolver/tsdns_test.go
@@ -233,7 +233,7 @@ func unpackResponse(payload []byte) (dnsResponse, error) {
 }

 func syncRespond(r *Resolver, query []byte) ([]byte, error) {
-	return r.Query(context.Background(), query, netip.AddrPort{})
+	return r.Query(context.Background(), query, "udp", netip.AddrPort{})
 }

 func mustIP(str string) netip.Addr {
@@ -315,7 +315,7 @@ func TestRDNSNameToIPv6(t *testing.T) {
 }

 func newResolver(t testing.TB) *Resolver {
-	return New(t.Logf, nil /* no network monitor */, nil /* no link selector */, new(tsdial.Dialer))
+	return New(t.Logf, nil /* no network monitor */, nil /* no link selector */, new(tsdial.Dialer), nil /* no control knobs */)
 }

 func TestResolveLocal(t *testing.T) {
@@ -1016,7 +1016,7 @@ func TestForwardLinkSelection(t *testing.T) {
 			return "special"
 		}
 		return ""
-	}), new(tsdial.Dialer))
+	}), new(tsdial.Dialer), nil /* no control knobs */)

 	// Test non-special IP.
 	if got, err := fwd.packetListener(netip.Addr{}); err != nil {
@@ -1449,7 +1449,7 @@ func TestServfail(t *testing.T) {
 	r.SetConfig(cfg)

 	pkt, err := syncRespond(r, dnspacket("test.site.", dns.TypeA, noEdns))
-	if err != errServerFailure {
+	if !errors.Is(err, errServerFailure) {
 		t.Errorf("err = %v, want %v", err, errServerFailure)
 	}

--- a/net/dnsfallback/dnsfallback.go
+++ b/net/dnsfallback/dnsfallback.go
@@ -1,10 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-//go:generate go run update-dns-fallbacks.go
-
 // Package dnsfallback contains a DNS fallback mechanism
 // for starting up Tailscale when the system DNS is broken or otherwise unavailable.
+//
+// The data is backed by a JSON file `dns-fallback-servers.json` that is updated
+// by `update-dns-fallbacks.go`:
+//
+//	(cd net/dnsfallback; go run update-dns-fallbacks.go)
 package dnsfallback

 import (
@@ -23,7 +26,6 @@ import (
 	"sync/atomic"
 	"time"

-	"go4.org/netipx"
 	"tailscale.com/atomicfile"
 	"tailscale.com/envknob"
 	"tailscale.com/net/dns/recursive"
@@ -77,11 +79,13 @@ func MakeLookupFunc(logf logger.Logf, netMon *netmon.Monitor) func(ctx context.C
 				metricRecursiveErrors.Add(1)
 				return
 			}
-			slices.SortFunc(addrs, netipx.CompareAddr)
+
+			compareAddr := func(a, b netip.Addr) int { return a.Compare(b) }
+			slices.SortFunc(addrs, compareAddr)

 			// Wait for a response from the main function
 			oldAddrs := <-addrsCh
-			slices.SortFunc(oldAddrs, netipx.CompareAddr)
+			slices.SortFunc(oldAddrs, compareAddr)

 			matches := slices.Equal(addrs, oldAddrs)

--- a/net/packet/packet.go
+++ b/net/packet/packet.go
@@ -10,6 +10,8 @@ import (
 	"net/netip"
 	"strings"

+	"gvisor.dev/gvisor/pkg/tcpip"
+	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"tailscale.com/net/netaddr"
 	"tailscale.com/types/ipproto"
 )
@@ -453,11 +455,14 @@ func (q *Parsed) IsEchoResponse() bool {
 }

 // UpdateSrcAddr updates the source address in the packet buffer (e.g. during
-// SNAT). It also updates the checksum. Currently (2022-12-10) only TCP/UDP/ICMP
-// over IPv4 is supported. It panics if called with IPv6 addr.
+// SNAT). It also updates the checksum. Currently (2023-09-22) only TCP/UDP/ICMP
+// is supported. It panics if provided with an address in a different
+// family to the parsed packet.
 func (q *Parsed) UpdateSrcAddr(src netip.Addr) {
-	if q.IPVersion != 4 || src.Is6() {
-		panic("UpdateSrcAddr: only IPv4 is supported")
+	if src.Is6() && q.IPVersion != 6 {
+		panic("UpdateSrcAddr: cannot write IPv6 address to v4 packet")
+	} else if src.Is4() && q.IPVersion != 4 {
+		panic("UpdateSrcAddr: cannot write IPv4 address to v6 packet")
 	}
 	q.CaptureMeta.DidSNAT = true
 	q.CaptureMeta.OriginalSrc = q.Src
@@ -466,19 +471,27 @@ func (q *Parsed) UpdateSrcAddr(src netip.Addr) {
 	q.Src = netip.AddrPortFrom(src, q.Src.Port())

 	b := q.Buffer()
-	v4 := src.As4()
-	copy(b[12:16], v4[:])
-	updateV4PacketChecksums(q, old, src)
+	if src.Is6() {
+		v6 := src.As16()
+		copy(b[8:24], v6[:])
+		updateV6PacketChecksums(q, old, src)
+	} else {
+		v4 := src.As4()
+		copy(b[12:16], v4[:])
+		updateV4PacketChecksums(q, old, src)
+	}
 }

-// UpdateDstAddr updates the source address in the packet buffer (e.g. during
+// UpdateDstAddr updates the destination address in the packet buffer (e.g. during
 // DNAT). It also updates the checksum. Currently (2022-12-10) only TCP/UDP/ICMP
-// over IPv4 is supported. It panics if called with IPv6 addr.
+// is supported. It panics if provided with an address in a different
+// family to the parsed packet.
 func (q *Parsed) UpdateDstAddr(dst netip.Addr) {
-	if q.IPVersion != 4 || dst.Is6() {
-		panic("UpdateDstAddr: only IPv4 is supported")
+	if dst.Is6() && q.IPVersion != 6 {
+		panic("UpdateDstAddr: cannot write IPv6 address to v4 packet")
+	} else if dst.Is4() && q.IPVersion != 4 {
+		panic("UpdateDstAddr: cannot write IPv4 address to v6 packet")
 	}
-
 	q.CaptureMeta.DidDNAT = true
 	q.CaptureMeta.OriginalDst = q.Dst

@@ -486,9 +499,15 @@ func (q *Parsed) UpdateDstAddr(dst netip.Addr) {
 	q.Dst = netip.AddrPortFrom(dst, q.Dst.Port())

 	b := q.Buffer()
-	v4 := dst.As4()
-	copy(b[16:20], v4[:])
-	updateV4PacketChecksums(q, old, dst)
+	if dst.Is6() {
+		v6 := dst.As16()
+		copy(b[24:36], v6[:])
+		updateV6PacketChecksums(q, old, dst)
+	} else {
+		v4 := dst.As4()
+		copy(b[16:20], v4[:])
+		updateV4PacketChecksums(q, old, dst)
+	}
 }

 // EchoIDSeq extracts the identifier/sequence bytes from an ICMP Echo response,
@@ -572,13 +591,13 @@ func updateV4PacketChecksums(p *Parsed, old, new netip.Addr) {
 	tr := p.Transport()
 	switch p.IPProto {
 	case ipproto.UDP, ipproto.DCCP:
-		if len(tr) < 8 {
+		if len(tr) < header.UDPMinimumSize {
 			// Not enough space for a UDP header.
 			return
 		}
 		updateV4Checksum(tr[6:8], o4[:], n4[:])
 	case ipproto.TCP:
-		if len(tr) < 18 {
+		if len(tr) < header.TCPMinimumSize {
 			// Not enough space for a TCP header.
 			return
 		}
@@ -596,6 +615,39 @@ func updateV4PacketChecksums(p *Parsed, old, new netip.Addr) {
 	}
 }

+// updateV6PacketChecksums updates the checksums in the packet buffer.
+// p is modified in place.
+// If p.IPProto is unknown, no checksums are updated.
+func updateV6PacketChecksums(p *Parsed, old, new netip.Addr) {
+	if len(p.Buffer()) < 40 {
+		// Not enough space for an IPv6 header.
+		return
+	}
+	o6, n6 := tcpip.AddrFrom16Slice(old.AsSlice()), tcpip.AddrFrom16Slice(new.AsSlice())
+
+	// Now update the transport layer checksums, where applicable.
+	tr := p.Transport()
+	switch p.IPProto {
+	case ipproto.ICMPv6:
+		if len(tr) < header.ICMPv6MinimumSize {
+			return
+		}
+		header.ICMPv6(tr).UpdateChecksumPseudoHeaderAddress(o6, n6)
+	case ipproto.UDP, ipproto.DCCP:
+		if len(tr) < header.UDPMinimumSize {
+			return
+		}
+		header.UDP(tr).UpdateChecksumPseudoHeaderAddress(o6, n6, true)
+	case ipproto.TCP:
+		if len(tr) < header.TCPMinimumSize {
+			return
+		}
+		header.TCP(tr).UpdateChecksumPseudoHeaderAddress(o6, n6, true)
+	case ipproto.SCTP:
+		// No transport layer update required.
+	}
+}
+
 // updateV4Checksum calculates and updates the checksum in the packet buffer for
 // a change between old and new. The oldSum must point to the 16-bit checksum
 // field in the packet buffer that holds the old checksum value, it will be
--- a/net/packet/packet_test.go
+++ b/net/packet/packet_test.go
@@ -13,6 +13,9 @@ import (
 	"testing"
 	"unicode"

+	"gvisor.dev/gvisor/pkg/tcpip"
+	"gvisor.dev/gvisor/pkg/tcpip/checksum"
+	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"tailscale.com/tstest"
 	"tailscale.com/types/ipproto"
 	"tailscale.com/util/must"
@@ -45,7 +48,7 @@ func fullHeaderChecksumV4(b []byte) uint16 {
 	return ^uint16(s)
 }

-func TestHeaderChecksums(t *testing.T) {
+func TestHeaderChecksumsV4(t *testing.T) {
 	// This is not a good enough test, because it doesn't
 	// check the various packet types or the many edge cases
 	// of the checksum algorithm. But it's a start.
@@ -109,6 +112,108 @@ func TestHeaderChecksums(t *testing.T) {
 	}
 }

+func TestNatChecksumsV6UDP(t *testing.T) {
+	a1, a2 := netip.MustParseAddr("a::1"), netip.MustParseAddr("b::1")
+
+	// Make a fake UDP packet with 32 bytes of zeros as the datagram payload.
+	b := header.IPv6(make([]byte, header.IPv6MinimumSize+header.UDPMinimumSize+32))
+	b.Encode(&header.IPv6Fields{
+		PayloadLength:     header.UDPMinimumSize + 32,
+		TransportProtocol: header.UDPProtocolNumber,
+		HopLimit:          16,
+		SrcAddr:           tcpip.AddrFrom16Slice(a1.AsSlice()),
+		DstAddr:           tcpip.AddrFrom16Slice(a2.AsSlice()),
+	})
+	udp := header.UDP(b[header.IPv6MinimumSize:])
+	udp.Encode(&header.UDPFields{
+		SrcPort: 42,
+		DstPort: 43,
+		Length:  header.UDPMinimumSize + 32,
+	})
+	xsum := header.PseudoHeaderChecksum(
+		header.UDPProtocolNumber,
+		tcpip.AddrFrom16Slice(a1.AsSlice()),
+		tcpip.AddrFrom16Slice(a2.AsSlice()),
+		uint16(header.UDPMinimumSize+32),
+	)
+	xsum = checksum.Checksum(b.Payload()[header.UDPMinimumSize:], xsum)
+	udp.SetChecksum(^udp.CalculateChecksum(xsum))
+	if !udp.IsChecksumValid(tcpip.AddrFrom16Slice(a1.AsSlice()), tcpip.AddrFrom16Slice(a2.AsSlice()), checksum.Checksum(b.Payload()[header.UDPMinimumSize:], 0)) {
+		t.Fatal("test broken; initial packet has incorrect checksum")
+	}
+
+	// Parse the packet.
+	var p Parsed
+	p.Decode(b)
+	t.Log(p.String())
+
+	// Update the source address of the packet to be the same as the dest.
+	p.UpdateSrcAddr(a2)
+	if !udp.IsChecksumValid(tcpip.AddrFrom16Slice(a2.AsSlice()), tcpip.AddrFrom16Slice(a2.AsSlice()), checksum.Checksum(b.Payload()[header.UDPMinimumSize:], 0)) {
+		t.Fatal("incorrect checksum after updating source address")
+	}
+
+	// Update the dest address of the packet to be the original source address.
+	p.UpdateDstAddr(a1)
+	if !udp.IsChecksumValid(tcpip.AddrFrom16Slice(a2.AsSlice()), tcpip.AddrFrom16Slice(a1.AsSlice()), checksum.Checksum(b.Payload()[header.UDPMinimumSize:], 0)) {
+		t.Fatal("incorrect checksum after updating destination address")
+	}
+}
+
+func TestNatChecksumsV6TCP(t *testing.T) {
+	a1, a2 := netip.MustParseAddr("a::1"), netip.MustParseAddr("b::1")
+
+	// Make a fake TCP packet with no payload.
+	b := header.IPv6(make([]byte, header.IPv6MinimumSize+header.TCPMinimumSize))
+	b.Encode(&header.IPv6Fields{
+		PayloadLength:     header.TCPMinimumSize,
+		TransportProtocol: header.TCPProtocolNumber,
+		HopLimit:          16,
+		SrcAddr:           tcpip.AddrFrom16Slice(a1.AsSlice()),
+		DstAddr:           tcpip.AddrFrom16Slice(a2.AsSlice()),
+	})
+	tcp := header.TCP(b[header.IPv6MinimumSize:])
+	tcp.Encode(&header.TCPFields{
+		SrcPort:       42,
+		DstPort:       43,
+		SeqNum:        1,
+		AckNum:        2,
+		DataOffset:    header.TCPMinimumSize,
+		Flags:         3,
+		WindowSize:    4,
+		Checksum:      0,
+		UrgentPointer: 5,
+	})
+	xsum := header.PseudoHeaderChecksum(
+		header.TCPProtocolNumber,
+		tcpip.AddrFrom16Slice(a1.AsSlice()),
+		tcpip.AddrFrom16Slice(a2.AsSlice()),
+		uint16(header.TCPMinimumSize),
+	)
+	tcp.SetChecksum(^tcp.CalculateChecksum(xsum))
+
+	if !tcp.IsChecksumValid(tcpip.AddrFrom16Slice(a1.AsSlice()), tcpip.AddrFrom16Slice(a2.AsSlice()), 0, 0) {
+		t.Fatal("test broken; initial packet has incorrect checksum")
+	}
+
+	// Parse the packet.
+	var p Parsed
+	p.Decode(b)
+	t.Log(p.String())
+
+	// Update the source address of the packet to be the same as the dest.
+	p.UpdateSrcAddr(a2)
+	if !tcp.IsChecksumValid(tcpip.AddrFrom16Slice(a2.AsSlice()), tcpip.AddrFrom16Slice(a2.AsSlice()), 0, 0) {
+		t.Fatal("incorrect checksum after updating source address")
+	}
+
+	// Update the dest address of the packet to be the original source address.
+	p.UpdateDstAddr(a1)
+	if !tcp.IsChecksumValid(tcpip.AddrFrom16Slice(a2.AsSlice()), tcpip.AddrFrom16Slice(a1.AsSlice()), 0, 0) {
+		t.Fatal("incorrect checksum after updating destination address")
+	}
+}
+
 func mustIPPort(s string) netip.AddrPort {
 	ipp, err := netip.ParseAddrPort(s)
 	if err != nil {
--- a/net/portmapper/portmapper.go
+++ b/net/portmapper/portmapper.go
@@ -28,6 +28,7 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/nettype"
 	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/mak"
 )

 // DebugKnobs contains debug configuration that can be provided when creating a
@@ -1024,3 +1025,31 @@ var (
 	// we received a UPnP response with a new meta.
 	metricUPnPUpdatedMeta = clientmetric.NewCounter("portmap_upnp_updated_meta")
 )
+
+// UPnP error metric that's keyed by code; lazily registered on first read
+var (
+	metricUPnPErrorsByCodeMu sync.Mutex
+	metricUPnPErrorsByCode   map[int]*clientmetric.Metric
+)
+
+func getUPnPErrorsMetric(code int) *clientmetric.Metric {
+	metricUPnPErrorsByCodeMu.Lock()
+	defer metricUPnPErrorsByCodeMu.Unlock()
+	mm := metricUPnPErrorsByCode[code]
+	if mm != nil {
+		return mm
+	}
+
+	// Metric names cannot contain a hyphen, so we handle negative numbers
+	// by prefixing the name with a "minus_".
+	var codeStr string
+	if code < 0 {
+		codeStr = fmt.Sprintf("portmap_upnp_errors_with_code_minus_%d", -code)
+	} else {
+		codeStr = fmt.Sprintf("portmap_upnp_errors_with_code_%d", code)
+	}
+
+	mm = clientmetric.NewCounter(codeStr)
+	mak.Set(&metricUPnPErrorsByCode, code, mm)
+	return mm
+}
--- a/net/portmapper/portmapper_test.go
+++ b/net/portmapper/portmapper_test.go
@@ -124,3 +124,14 @@ func TestPCPIntegration(t *testing.T) {
 		t.Errorf("got nil mapping after successful createOrGetMapping")
 	}
 }
+
+// Test to ensure that metric names generated by this function do not contain
+// invalid characters.
+//
+// See https://github.com/tailscale/tailscale/issues/9551
+func TestGetUPnPErrorsMetric(t *testing.T) {
+	// This will panic if the metric name is invalid.
+	getUPnPErrorsMetric(100)
+	getUPnPErrorsMetric(0)
+	getUPnPErrorsMetric(-100)
+}
--- a/net/portmapper/upnp.go
+++ b/net/portmapper/upnp.go
@@ -337,9 +337,14 @@ func (c *Client) getUPnPPortMapping(
 	// duration; see the following issue for details:
 	//    https://github.com/tailscale/tailscale/issues/9343
 	if err != nil {
+		code, ok := getUPnPErrorCode(err)
+		if ok {
+			getUPnPErrorsMetric(code).Add(1)
+		}
+
 		// From the UPnP spec: http://upnp.org/specs/gw/UPnP-gw-WANIPConnection-v2-Service.pdf
 		//     725: OnlyPermanentLeasesSupported
-		if isUPnPError(err, 725) {
+		if ok && code == 725 {
 			newPort, err = addAnyPortMapping(
 				ctx,
 				client,
@@ -387,13 +392,13 @@ func (c *Client) getUPnPPortMapping(
 	return upnp.external, true
 }

-// isUPnPError returns whether the provided error is a UPnP error response with
-// the given error code. It returns false if the error is not a SOAP error, or
-// the inner error details are not a UPnP error.
-func isUPnPError(err error, errCode int) bool {
+// getUPnPErrorCode returns the UPnP error code from the given response, if the
+// error is a SOAP error in the proper format, and a boolean indicating whether
+// the provided error was actually a UPnP error.
+func getUPnPErrorCode(err error) (int, bool) {
 	soapErr, ok := err.(*soap.SOAPFaultError)
 	if !ok {
-		return false
+		return 0, false
 	}

 	var upnpErr struct {
@@ -402,13 +407,12 @@ func isUPnPError(err error, errCode int) bool {
 		Description string `xml:"errorDescription"`
 	}
 	if err := xml.Unmarshal([]byte(soapErr.Detail.Raw), &upnpErr); err != nil {
-		return false
+		return 0, false
 	}
 	if upnpErr.XMLName.Local != "UPnPError" {
-		return false
+		return 0, false
 	}
-
-	return upnpErr.Code == errCode
+	return upnpErr.Code, true
 }

 type uPnPDiscoResponse struct {
--- a/net/sockstats/label_string.go
+++ b/net/sockstats/label_string.go
@@ -20,11 +20,12 @@ func _() {
 	_ = x[LabelMagicsockConnUDP6-9]
 	_ = x[LabelNetlogLogger-10]
 	_ = x[LabelSockstatlogLogger-11]
+	_ = x[LabelDNSForwarderTCP-12]
 }

-const _Label_name = "ControlClientAutoControlClientDialerDERPHTTPClientLogtailLoggerDNSForwarderDoHDNSForwarderUDPNetcheckClientPortmapperClientMagicsockConnUDP4MagicsockConnUDP6NetlogLoggerSockstatlogLogger"
+const _Label_name = "ControlClientAutoControlClientDialerDERPHTTPClientLogtailLoggerDNSForwarderDoHDNSForwarderUDPNetcheckClientPortmapperClientMagicsockConnUDP4MagicsockConnUDP6NetlogLoggerSockstatlogLoggerDNSForwarderTCP"

-var _Label_index = [...]uint8{0, 17, 36, 50, 63, 78, 93, 107, 123, 140, 157, 169, 186}
+var _Label_index = [...]uint8{0, 17, 36, 50, 63, 78, 93, 107, 123, 140, 157, 169, 186, 201}

 func (i Label) String() string {
 	if i >= Label(len(_Label_index)-1) {
--- a/net/sockstats/sockstats.go
+++ b/net/sockstats/sockstats.go
@@ -51,6 +51,7 @@ const (
 	LabelMagicsockConnUDP6   Label = 9  // wgengine/magicsock/magicsock.go
 	LabelNetlogLogger        Label = 10 // wgengine/netlog/logger.go
 	LabelSockstatlogLogger   Label = 11 // log/sockstatlog/logger.go
+	LabelDNSForwarderTCP     Label = 12 // net/dns/resolver/forwarder.go
 )

 // WithSockStats instruments a context so that sockets created with it will
--- a/net/tstun/mtu.go
+++ b/net/tstun/mtu.go
@@ -1,33 +1,148 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
+
 package tstun

-import "tailscale.com/envknob"
-
-const (
-	maxMTU     uint32 = 65536
-	defaultMTU uint32 = 1280
+import (
+	"tailscale.com/envknob"
 )

-// DefaultMTU returns either the constant default MTU of 1280, or the value set
-// in TS_DEBUG_MTU clamped to a maximum of 65536.
-func DefaultMTU() uint32 {
-	// DefaultMTU is the Tailscale default MTU for now.
-	//
-	// wireguard-go defaults to 1420 bytes, which only works if the
-	// "outer" MTU is 1500 bytes. This breaks on DSL connections
-	// (typically 1492 MTU) and on GCE (1460 MTU?!).
-	//
-	// 1280 is the smallest MTU allowed for IPv6, which is a sensible
-	// "probably works everywhere" setting until we develop proper PMTU
-	// discovery.
-	tunMTU := defaultMTU
-	if mtu, ok := envknob.LookupUintSized("TS_DEBUG_MTU", 10, 32); ok {
-		mtu := uint32(mtu)
-		if mtu > maxMTU {
-			mtu = maxMTU
-		}
-		tunMTU = mtu
+// The MTU (Maximum Transmission Unit) of a network interface is the largest
+// packet that can be sent or received through that interface, including all
+// headers above the link layer (e.g. IP headers, UDP headers, Wireguard
+// headers, etc.). We have to think about several different values of MTU:
+//
+// Wire MTU: The MTU of an interface underneath the tailscale TUN, e.g. an
+// Ethernet network card will default to a 1500 byte MTU. The user may change
+// this MTU at any time.
+//
+// TUN MTU: The current MTU of the tailscale TUN. This MTU is adjusted downward
+// to make room for the wireguard/tailscale headers. For example, if the
+// underlying network interface's MTU is 1500 bytes, the maximum size of a
+// packet entering the tailscale TUN is 1420 bytes. The user may change this MTU
+// at any time via the OS's tools (ifconfig, ip, etc.).
+//
+// User configured initial MTU: The MTU the tailscale TUN should be created
+// with, set by the user via TS_DEBUG_MTU. It should be adjusted down from the
+// underlying interface MTU by 80 bytes to make room for the wireguard
+// headers. This envknob is mostly for debugging. This value is used once at TUN
+// creation and ignored thereafter.
+//
+// User configured current MTU: The MTU set via the OS's tools (ifconfig, ip,
+// etc.). This MTU can change at any time. Setting the MTU this way goes through
+// the MTU() method of tailscale's TUN wrapper.
+//
+// Maximum probed MTU: This is the largest MTU size that we send probe packets
+// for.
+//
+// Safe MTU: If the tailscale TUN MTU is set to this value, almost all packets
+// will get to their destination. Tailscale defaults to this MTU in the absence
+// of path MTU probe information or user MTU configuration. We may occasionally
+// find a path that needs a smaller MTU but it is very rare.
+//
+// Peer MTU: This is the path MTU to a peer's current best endpoint. It defaults
+// to the Safe MTU unless we have path MTU probe results that tell us otherwise.
+//
+// Initial MTU: This is the MTU tailscaled creates the TUN with. In order of
+// priority, it is:
+//
+// 1. If set, the value of TS_DEBUG_MTU clamped to a maximum of 65536
+// 2. If TS_DEBUG_ENABLE_PMTUD is set, the maximum size MTU we probe, minus wg
+//    overhead
+// 3. If TS_DEBUG_ENABLE_PMTUD is not set, the Safe MTU
+//
+// Current MTU: This the MTU of the tailscale TUN at any given moment
+// after TUN creation. In order of priority, it is:
+//
+// 1. The MTU set by the user via the OS, if it has ever been set
+// 2. If TS_DEBUG_ENABLE_PMTUD is set, the maximum size MTU we probe, minus wg
+//    overhead
+// 4. If TS_DEBUG_ENABLE_PMTUD is not set, the Safe MTU
+
+// TUNMTU is the MTU for the tailscale TUN.
+type TUNMTU uint32
+
+// WireMTU is the MTU for the underlying network devices.
+type WireMTU uint32
+
+const (
+	// maxTUNMTU is the largest MTU we will consider for the Tailscale
+	// TUN. This is inherited from wireguard-go and can be surprisingly
+	// small; on Windows it is currently 2048 - 32 bytes and iOS it is 1700
+	// - 32 bytes.
+	// TODO(val,raggi): On Windows this seems to derive from RIO driver
+	// constraints in Wireguard but we don't use RIO so could probably make
+	// this bigger.
+	maxTUNMTU TUNMTU = TUNMTU(MaxPacketSize)
+	// safeTUNMTU is the default "safe" MTU for the Tailscale TUN that we
+	// use in the absence of other information such as path MTU probes.
+	safeTUNMTU TUNMTU = 1280
+)
+
+// MaxProbedWireMTU is the largest MTU we will test for path MTU
+// discovery.
+var MaxProbedWireMTU WireMTU = 9000
+
+func init() {
+	if MaxProbedWireMTU > WireMTU(maxTUNMTU) {
+		MaxProbedWireMTU = WireMTU(maxTUNMTU)
 	}
-	return tunMTU
+}
+
+// wgHeaderLen is the length of all the headers Wireguard adds to a packet
+// in the worst case (IPv6). This constant is for use when we can't or
+// shouldn't use information about the IP version of a specific packet
+// (e.g., calculating the MTU for the Tailscale interface.
+//
+// A Wireguard header includes:
+//
+// - 20-byte IPv4 header or 40-byte IPv6 header
+// - 8-byte UDP header
+// - 4-byte type
+// - 4-byte key index
+// - 8-byte nonce
+// - 16-byte authentication tag
+const wgHeaderLen = 40 + 8 + 4 + 4 + 8 + 16
+
+// TUNToWireMTU takes the MTU that the Tailscale TUN presents to the user and
+// returns the on-the-wire MTU necessary to transmit the largest packet that
+// will fit through the TUN, given that we have to add wireguard headers.
+func TUNToWireMTU(t TUNMTU) WireMTU {
+	return WireMTU(t + wgHeaderLen)
+}
+
+// WireToTUNMTU takes the MTU of an underlying network device and returns the
+// largest possible MTU for a Tailscale TUN operating on top of that device,
+// given that we have to add wireguard headers.
+func WireToTUNMTU(w WireMTU) TUNMTU {
+	if w < wgHeaderLen {
+		return 0
+	}
+	return TUNMTU(w - wgHeaderLen)
+}
+
+// DefaultTUNMTU returns the MTU we use to set the Tailscale TUN
+// MTU. It is also the path MTU that we default to if we have no
+// information about the path to a peer.
+//
+// 1. If set, the value of TS_DEBUG_MTU clamped to a maximum of MaxTunMTU
+// 2. If TS_DEBUG_ENABLE_PMTUD is set, the maximum size MTU we probe, minus wg overhead
+// 3. If TS_DEBUG_ENABLE_PMTUD is not set, the Safe MTU
+func DefaultTUNMTU() TUNMTU {
+	if m, ok := envknob.LookupUintSized("TS_DEBUG_MTU", 10, 32); ok {
+		return min(TUNMTU(m), maxTUNMTU)
+	}
+
+	debugPMTUD, _ := envknob.LookupBool("TS_DEBUG_ENABLE_PMTUD")
+	if debugPMTUD {
+		return WireToTUNMTU(MaxProbedWireMTU)
+	}
+
+	return safeTUNMTU
+}
+
+// DefaultWireMTU returns the default TUN MTU, adjusted for wireguard
+// overhead.
+func DefaultWireMTU() WireMTU {
+	return TUNToWireMTU(DefaultTUNMTU())
 }
--- a/net/tstun/mtu_test.go
+++ b/net/tstun/mtu_test.go
@@ -4,25 +4,93 @@ package tstun

 import (
 	"os"
+	"strconv"
 	"testing"
 )

-func TestDefaultMTU(t *testing.T) {
-	orig := os.Getenv("TS_DEBUG_MTU")
-	defer os.Setenv("TS_DEBUG_MTU", orig)
+// Test the default MTU in the presence of various envknobs.
+func TestDefaultTunMTU(t *testing.T) {
+	// Save and restore the envknobs we will be changing.

+	// TS_DEBUG_MTU sets the MTU to a specific value.
+	defer os.Setenv("TS_DEBUG_MTU", os.Getenv("TS_DEBUG_MTU"))
 	os.Setenv("TS_DEBUG_MTU", "")
-	if DefaultMTU() != 1280 {
-		t.Errorf("DefaultMTU() = %d, want 1280", DefaultMTU())
+
+	// TS_DEBUG_ENABLE_PMTUD enables path MTU discovery.
+	defer os.Setenv("TS_DEBUG_ENABLE_PMTUD", os.Getenv("TS_DEBUG_ENABLE_PMTUD"))
+	os.Setenv("TS_DEBUG_ENABLE_PMTUD", "")
+
+	// With no MTU envknobs set, we should get the conservative MTU.
+	if DefaultTUNMTU() != safeTUNMTU {
+		t.Errorf("default TUN MTU = %d, want %d", DefaultTUNMTU(), safeTUNMTU)
 	}

-	os.Setenv("TS_DEBUG_MTU", "9000")
-	if DefaultMTU() != 9000 {
-		t.Errorf("DefaultMTU() = %d, want 9000", DefaultMTU())
+	// If set, TS_DEBUG_MTU should set the MTU.
+	mtu := maxTUNMTU - 1
+	os.Setenv("TS_DEBUG_MTU", strconv.Itoa(int(mtu)))
+	if DefaultTUNMTU() != mtu {
+		t.Errorf("default TUN MTU = %d, want %d, TS_DEBUG_MTU ignored", DefaultTUNMTU(), mtu)
 	}

-	os.Setenv("TS_DEBUG_MTU", "123456789")
-	if DefaultMTU() != maxMTU {
-		t.Errorf("DefaultMTU() = %d, want %d", DefaultMTU(), maxMTU)
+	// MTU should be clamped to maxTunMTU.
+	mtu = maxTUNMTU + 1
+	os.Setenv("TS_DEBUG_MTU", strconv.Itoa(int(mtu)))
+	if DefaultTUNMTU() != maxTUNMTU {
+		t.Errorf("default TUN MTU = %d, want %d, clamping failed", DefaultTUNMTU(), maxTUNMTU)
+	}
+
+	// If PMTUD is enabled, the MTU should default to the largest probed
+	// MTU, but only if the user hasn't requested a specific MTU.
+	os.Setenv("TS_DEBUG_MTU", "")
+	os.Setenv("TS_DEBUG_ENABLE_PMTUD", "true")
+	if DefaultTUNMTU() != WireToTUNMTU(MaxProbedWireMTU) {
+		t.Errorf("default TUN MTU = %d, want %d", DefaultTUNMTU(), WireToTUNMTU(MaxProbedWireMTU))
+	}
+	// TS_DEBUG_MTU should take precedence over TS_DEBUG_ENABLE_PMTUD.
+	mtu = WireToTUNMTU(MaxProbedWireMTU - 1)
+	os.Setenv("TS_DEBUG_MTU", strconv.Itoa(int(mtu)))
+	if DefaultTUNMTU() != mtu {
+		t.Errorf("default TUN MTU = %d, want %d", DefaultTUNMTU(), mtu)
+	}
+}
+
+// Test the conversion of wire MTU to/from Tailscale TUN MTU corner cases.
+func TestMTUConversion(t *testing.T) {
+	tests := []struct {
+		w WireMTU
+		t TUNMTU
+	}{
+		{w: 0, t: 0},
+		{w: wgHeaderLen - 1, t: 0},
+		{w: wgHeaderLen, t: 0},
+		{w: wgHeaderLen + 1, t: 1},
+		{w: 1360, t: 1280},
+		{w: 1500, t: 1420},
+		{w: 9000, t: 8920},
+	}
+
+	for _, tt := range tests {
+		m := WireToTUNMTU(tt.w)
+		if m != tt.t {
+			t.Errorf("conversion of wire MTU %v to TUN MTU = %v, want %v", tt.w, m, tt.t)
+		}
+	}
+
+	tests2 := []struct {
+		t TUNMTU
+		w WireMTU
+	}{
+		{t: 0, w: wgHeaderLen},
+		{t: 1, w: wgHeaderLen + 1},
+		{t: 1280, w: 1360},
+		{t: 1420, w: 1500},
+		{t: 8920, w: 9000},
+	}
+
+	for _, tt := range tests2 {
+		m := TUNToWireMTU(tt.t)
+		if m != tt.w {
+			t.Errorf("conversion of TUN MTU %v to wire MTU = %v, want %v", tt.t, m, tt.w)
+		}
 	}
 }
--- a/net/tstun/tap_linux.go
+++ b/net/tstun/tap_linux.go
@@ -296,9 +296,9 @@ func packLayer2UDP(payload []byte, srcMAC, dstMAC net.HardwareAddr, src, dst net
 	payloadStart := len(buf) - len(payload)
 	copy(buf[payloadStart:], payload)
 	srcB := src.Addr().As4()
-	srcIP := tcpip.Address(srcB[:])
+	srcIP := tcpip.AddrFromSlice(srcB[:])
 	dstB := dst.Addr().As4()
-	dstIP := tcpip.Address(dstB[:])
+	dstIP := tcpip.AddrFromSlice(dstB[:])
 	// Ethernet header
 	eth := header.Ethernet(buf)
 	eth.Encode(&header.EthernetFields{
--- a/net/tstun/tun.go
+++ b/net/tstun/tun.go
@@ -44,7 +44,7 @@ func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
 		}
 		dev, err = createTAP(tapName, bridgeName)
 	} else {
-		dev, err = tun.CreateTUN(tunName, int(DefaultMTU()))
+		dev, err = tun.CreateTUN(tunName, int(DefaultTUNMTU()))
 	}
 	if err != nil {
 		return nil, "", err
--- a/net/tstun/wrap.go
+++ b/net/tstun/wrap.go
@@ -98,8 +98,8 @@ type Wrapper struct {
 	// timeNow, if non-nil, will be used to obtain the current time.
 	timeNow func() time.Time

-	// natV4Config stores the current NAT configuration.
-	natV4Config atomic.Pointer[natV4Config]
+	// natConfig stores the current NAT configuration.
+	natConfig atomic.Pointer[natConfig]

 	// vectorBuffer stores the oldest unconsumed packet vector from tdev. It is
 	// allocated in wrap() and the underlying arrays should never grow.
@@ -481,14 +481,9 @@ func (t *Wrapper) sendVectorOutbound(r tunVectorReadResult) {
 	t.vectorOutbound <- r
 }

-// snatV4 does SNAT on p if it's an IPv4 packet and the destination
-// address requires a different source address.
-func (t *Wrapper) snatV4(p *packet.Parsed) {
-	if p.IPVersion != 4 {
-		return
-	}
-
-	nc := t.natV4Config.Load()
+// snat does SNAT on p if the destination address requires a different source address.
+func (t *Wrapper) snat(p *packet.Parsed) {
+	nc := t.natConfig.Load()
 	oldSrc := p.Src.Addr()
 	newSrc := nc.selectSrcIP(oldSrc, p.Dst.Addr())
 	if oldSrc != newSrc {
@@ -496,13 +491,9 @@ func (t *Wrapper) snatV4(p *packet.Parsed) {
 	}
 }

-// dnatV4 does destination NAT on p if it's an IPv4 packet.
-func (t *Wrapper) dnatV4(p *packet.Parsed) {
-	if p.IPVersion != 4 {
-		return
-	}
-
-	nc := t.natV4Config.Load()
+// dnat does destination NAT on p.
+func (t *Wrapper) dnat(p *packet.Parsed) {
+	nc := t.natConfig.Load()
 	oldDst := p.Dst.Addr()
 	newDst := nc.mapDstIP(oldDst)
 	if newDst != oldDst {
@@ -521,15 +512,79 @@ func findV4(addrs []netip.Prefix) netip.Addr {
 	return netip.Addr{}
 }

-// natV4Config is the configuration for IPv4 NAT.
+// findV6 returns the first Tailscale IPv6 address in addrs.
+func findV6(addrs []netip.Prefix) netip.Addr {
+	for _, ap := range addrs {
+		a := ap.Addr()
+		if a.Is6() && tsaddr.IsTailscaleIP(a) {
+			return a
+		}
+	}
+	return netip.Addr{}
+}
+
+// natConfig is the configuration for NAT.
 // It should be treated as immutable.
 //
 // The nil value is a valid configuration.
-type natV4Config struct {
-	// nativeAddr is the IPv4 Tailscale Address of the current node.
+type natConfig struct {
+	v4, v6 *natFamilyConfig
+}
+
+func (c *natConfig) String() string {
+	if c == nil {
+		return "<nil>"
+	}
+
+	var b strings.Builder
+	b.WriteString("natConfig{")
+	fmt.Fprintf(&b, "v4: %v, ", c.v4)
+	fmt.Fprintf(&b, "v6: %v", c.v6)
+	b.WriteString("}")
+	return b.String()
+}
+
+// mapDstIP returns the destination IP to use for a packet to dst.
+// If dst is not one of the listen addresses, it is returned as-is,
+// otherwise the native address is returned.
+func (c *natConfig) mapDstIP(oldDst netip.Addr) netip.Addr {
+	if c == nil {
+		return oldDst
+	}
+	if oldDst.Is4() {
+		return c.v4.mapDstIP(oldDst)
+	}
+	if oldDst.Is6() {
+		return c.v6.mapDstIP(oldDst)
+	}
+	return oldDst
+}
+
+// selectSrcIP returns the source IP to use for a packet to dst.
+// If the packet is not from the native address, it is returned as-is.
+func (c *natConfig) selectSrcIP(oldSrc, dst netip.Addr) netip.Addr {
+	if c == nil {
+		return oldSrc
+	}
+	if oldSrc.Is4() {
+		return c.v4.selectSrcIP(oldSrc, dst)
+	}
+	if oldSrc.Is6() {
+		return c.v6.selectSrcIP(oldSrc, dst)
+	}
+	return oldSrc
+}
+
+// natFamilyConfig is the NAT configuration for a particular
+// address family.
+// It should be treated as immutable.
+//
+// The nil value is a valid configuration.
+type natFamilyConfig struct {
+	// nativeAddr is the Tailscale Address of the current node.
 	nativeAddr netip.Addr

-	// listenAddrs is the set of IPv4 addresses that should be
+	// listenAddrs is the set of addresses that should be
 	// mapped to the native address. These are the addresses that
 	// peers will use to connect to this node.
 	listenAddrs views.Map[netip.Addr, struct{}] // masqAddr -> struct{}
@@ -545,10 +600,48 @@ type natV4Config struct {
 	dstAddrToPeerKeyMapper *table.RoutingTable
 }

+func (c *natFamilyConfig) String() string {
+	if c == nil {
+		return "natFamilyConfig(nil)"
+	}
+	var b strings.Builder
+	b.WriteString("natFamilyConfig{")
+	fmt.Fprintf(&b, "nativeAddr: %v, ", c.nativeAddr)
+	fmt.Fprint(&b, "listenAddrs: [")
+
+	i := 0
+	c.listenAddrs.Range(func(k netip.Addr, _ struct{}) bool {
+		if i > 0 {
+			b.WriteString(", ")
+		}
+		b.WriteString(k.String())
+		i++
+		return true
+	})
+	count := map[netip.Addr]int{}
+	c.dstMasqAddrs.Range(func(_ key.NodePublic, v netip.Addr) bool {
+		count[v]++
+		return true
+	})
+
+	i = 0
+	b.WriteString("], dstMasqAddrs: [")
+	for k, v := range count {
+		if i > 0 {
+			b.WriteString(", ")
+		}
+		fmt.Fprintf(&b, "%v: %v peers", k, v)
+		i++
+	}
+	b.WriteString("]}")
+
+	return b.String()
+}
+
 // mapDstIP returns the destination IP to use for a packet to dst.
 // If dst is not one of the listen addresses, it is returned as-is,
 // otherwise the native address is returned.
-func (c *natV4Config) mapDstIP(oldDst netip.Addr) netip.Addr {
+func (c *natFamilyConfig) mapDstIP(oldDst netip.Addr) netip.Addr {
 	if c == nil {
 		return oldDst
 	}
@@ -560,7 +653,7 @@ func (c *natV4Config) mapDstIP(oldDst netip.Addr) netip.Addr {

 // selectSrcIP returns the source IP to use for a packet to dst.
 // If the packet is not from the native address, it is returned as-is.
-func (c *natV4Config) selectSrcIP(oldSrc, dst netip.Addr) netip.Addr {
+func (c *natFamilyConfig) selectSrcIP(oldSrc, dst netip.Addr) netip.Addr {
 	if c == nil {
 		return oldSrc
 	}
@@ -577,16 +670,25 @@ func (c *natV4Config) selectSrcIP(oldSrc, dst netip.Addr) netip.Addr {
 	return oldSrc
 }

-// natConfigFromWireGuardConfig generates a natV4Config from nm.
-// If v4 NAT is not required, it returns nil.
-func natConfigFromWGConfig(wcfg *wgcfg.Config) *natV4Config {
+// natConfigFromWGConfig generates a natFamilyConfig from nm,
+// for the indicated address family.
+// If NAT is not required for that address family, it returns nil.
+func natConfigFromWGConfig(wcfg *wgcfg.Config, addrFam ipproto.IPProtoVersion) *natFamilyConfig {
 	if wcfg == nil {
 		return nil
 	}
-	nativeAddr := findV4(wcfg.Addresses)
+
+	var nativeAddr netip.Addr
+	switch addrFam {
+	case ipproto.IPProtoVersion4:
+		nativeAddr = findV4(wcfg.Addresses)
+	case ipproto.IPProtoVersion6:
+		nativeAddr = findV6(wcfg.Addresses)
+	}
 	if !nativeAddr.IsValid() {
 		return nil
 	}
+
 	var (
 		rt           table.RoutingTableBuilder
 		dstMasqAddrs map[key.NodePublic]netip.Addr
@@ -599,17 +701,25 @@ func natConfigFromWGConfig(wcfg *wgcfg.Config) *natV4Config {
 	exitNodeRequiresMasq := false // true if using an exit node and it requires masquerading
 	for _, p := range wcfg.Peers {
 		isExitNode := slices.Contains(p.AllowedIPs, tsaddr.AllIPv4()) || slices.Contains(p.AllowedIPs, tsaddr.AllIPv6())
-		if isExitNode && p.V4MasqAddr != nil && p.V4MasqAddr.IsValid() {
-			exitNodeRequiresMasq = true
+		if isExitNode {
+			hasMasqAddrsForFamily := false ||
+				(addrFam == ipproto.IPProtoVersion4 && p.V4MasqAddr != nil && p.V4MasqAddr.IsValid()) ||
+				(addrFam == ipproto.IPProtoVersion6 && p.V6MasqAddr != nil && p.V6MasqAddr.IsValid())
+			if hasMasqAddrsForFamily {
+				exitNodeRequiresMasq = true
+			}
 			break
 		}
 	}
 	for i := range wcfg.Peers {
 		p := &wcfg.Peers[i]
 		var addrToUse netip.Addr
-		if p.V4MasqAddr != nil && p.V4MasqAddr.IsValid() {
+		if addrFam == ipproto.IPProtoVersion4 && p.V4MasqAddr != nil && p.V4MasqAddr.IsValid() {
 			addrToUse = *p.V4MasqAddr
 			mak.Set(&listenAddrs, addrToUse, struct{}{})
+		} else if addrFam == ipproto.IPProtoVersion6 && p.V6MasqAddr != nil && p.V6MasqAddr.IsValid() {
+			addrToUse = *p.V6MasqAddr
+			mak.Set(&listenAddrs, addrToUse, struct{}{})
 		} else if exitNodeRequiresMasq {
 			addrToUse = nativeAddr
 		} else {
@@ -621,7 +731,7 @@ func natConfigFromWGConfig(wcfg *wgcfg.Config) *natV4Config {
 	if len(listenAddrs) == 0 && len(dstMasqAddrs) == 0 {
 		return nil
 	}
-	return &natV4Config{
+	return &natFamilyConfig{
 		nativeAddr:             nativeAddr,
 		listenAddrs:            views.MapOf(listenAddrs),
 		dstMasqAddrs:           views.MapOf(dstMasqAddrs),
@@ -630,12 +740,16 @@ func natConfigFromWGConfig(wcfg *wgcfg.Config) *natV4Config {
 }

 // SetNetMap is called when a new NetworkMap is received.
-// It currently (2023-03-01) only updates the IPv4 NAT configuration.
 func (t *Wrapper) SetWGConfig(wcfg *wgcfg.Config) {
-	cfg := natConfigFromWGConfig(wcfg)
-	old := t.natV4Config.Swap(cfg)
+	v4, v6 := natConfigFromWGConfig(wcfg, ipproto.IPProtoVersion4), natConfigFromWGConfig(wcfg, ipproto.IPProtoVersion6)
+	var cfg *natConfig
+	if v4 != nil || v6 != nil {
+		cfg = &natConfig{v4: v4, v6: v6}
+	}
+
+	old := t.natConfig.Swap(cfg)
 	if !reflect.DeepEqual(old, cfg) {
-		t.logf("nat config: %+v", cfg)
+		t.logf("nat config: %v", cfg)
 	}
 }

@@ -748,7 +862,7 @@ func (t *Wrapper) Read(buffs [][]byte, sizes []int, offset int) (int, error) {
 	for _, data := range res.data {
 		p.Decode(data[res.dataOffset:])

-		t.snatV4(p)
+		t.snat(p)
 		if m := t.destIPActivity.Load(); m != nil {
 			if fn := m[p.Dst.Addr()]; fn != nil {
 				fn()
@@ -805,7 +919,7 @@ func (t *Wrapper) injectedRead(res tunInjectedRead, buf []byte, offset int) (int
 	p := parsedPacketPool.Get().(*packet.Parsed)
 	defer parsedPacketPool.Put(p)
 	p.Decode(buf[offset : offset+n])
-	t.snatV4(p)
+	t.snat(p)

 	if m := t.destIPActivity.Load(); m != nil {
 		if fn := m[p.Dst.Addr()]; fn != nil {
@@ -927,7 +1041,7 @@ func (t *Wrapper) Write(buffs [][]byte, offset int) (int, error) {
 	captHook := t.captureHook.Load()
 	for _, buff := range buffs {
 		p.Decode(buff[offset:])
-		t.dnatV4(p)
+		t.dnat(p)
 		if !t.disableFilter {
 			if t.filterPacketInboundFromWireGuard(p, captHook) != filter.Accept {
 				metricPacketInDrop.Add(1)
@@ -992,7 +1106,7 @@ func (t *Wrapper) InjectInboundPacketBuffer(pkt stack.PacketBufferPtr) error {
 	if captHook != nil {
 		captHook(capture.SynthesizedToLocal, t.now(), p.Buffer(), p.CaptureMeta)
 	}
-	t.dnatV4(p)
+	t.dnat(p)

 	return t.InjectInboundDirect(buf, PacketStartOffset)
 }
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .49.0
 .51.0