ipn/ipnlocal: remove windows exception from profile migration

The check in question results in profiles never being migrated to backend
prefs on Windows clients. We should be doing that on Windows too.

This should be save vis-a-vis unattended mode since we won't see the
unmigrated prefs until the GUI signs in.

Fixes #7398

Signed-off-by: Aaron Klotz <aaron@tailscale.com>

.github/workflows/go-licenses.yml

@@ -17,7 +17,7 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  update-licenses:
+  tailscale:
     runs-on: ubuntu-latest
 
     steps:
@@ -42,7 +42,7 @@ jobs:
           go-licenses report tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled > licenses/tailscale.md --template .github/licenses.tmpl
 
       - name: Get access token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        uses: tibdex/github-app-token@f717b5ecd4534d3c4df4ce9b5c1c2214f0f7cd06 # v1.6.0
         id: generate-token
         with:
           app_id: ${{ secrets.LICENSING_APP_ID }}

.github/workflows/update-flake.yml

@@ -16,7 +16,7 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  update-flake:
+  tailscale:
     runs-on: ubuntu-latest
 
     steps:
@@ -27,7 +27,7 @@ jobs:
         run: ./update-flake.sh
 
       - name: Get access token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        uses: tibdex/github-app-token@f717b5ecd4534d3c4df4ce9b5c1c2214f0f7cd06 # v1.6.0
         id: generate-token
         with:
           app_id: ${{ secrets.LICENSING_APP_ID }}

VERSION.txt

@@ -1 +1 @@
-1.39.0
+1.37.0

build_dist.sh

@@ -16,7 +16,7 @@ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
 	go="./tool/go"
 fi
 
-eval `GOOS=$($go env GOHOSTOS) GOARCH=$($go env GOHOSTARCH) $go run ./cmd/mkversion`
+eval `$go run ./cmd/mkversion`
 
 if [ "$1" = "shellvars" ]; then
 	cat <<EOF

client/tailscale/acl.go

@@ -103,7 +103,7 @@ func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
 // it as a string.
 // HuJSON is JSON with a few modifications to make it more human-friendly. The primary
 // changes are allowing comments and trailing comments. See the following links for more info:
-// https://tailscale.com/s/acl-format
+// https://tailscale.com/kb/1018/acls?q=acl#tailscale-acl-policy-format
 // https://github.com/tailscale/hujson
 func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 	// Format return errors to be descriptive.

client/tailscale/localclient.go

@@ -36,7 +36,6 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
-	"tailscale.com/types/tkatype"
 )
 
 // defaultLocalClient is the default LocalClient when using the legacy
@@ -368,34 +367,6 @@ func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
 	return nil
 }
 
-// DebugPortmap invokes the debug-portmap endpoint, and returns an
-// io.ReadCloser that can be used to read the logs that are printed during this
-// process.
-func (lc *LocalClient) DebugPortmap(ctx context.Context, duration time.Duration, ty, gwSelf string) (io.ReadCloser, error) {
-	vals := make(url.Values)
-	vals.Set("duration", duration.String())
-	vals.Set("type", ty)
-	if gwSelf != "" {
-		vals.Set("gateway_and_self", gwSelf)
-	}
-
-	req, err := http.NewRequestWithContext(ctx, "GET", "http://"+apitype.LocalAPIHost+"/localapi/v0/debug-portmap?"+vals.Encode(), nil)
-	if err != nil {
-		return nil, err
-	}
-	res, err := lc.doLocalRequestNiceError(req)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != 200 {
-		body, _ := io.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, fmt.Errorf("HTTP %s: %s", res.Status, body)
-	}
-
-	return res.Body, nil
-}
-
 // SetDevStoreKeyValue set a statestore key/value. It's only meant for development.
 // The schema (including when keys are re-read) is not a stable interface.
 func (lc *LocalClient) SetDevStoreKeyValue(ctx context.Context, key, value string) error {
@@ -850,30 +821,6 @@ func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key, disa
 	return decodeJSON[*ipnstate.NetworkLockStatus](body)
 }
 
-// NetworkLockWrapPreauthKey wraps a pre-auth key with information to
-// enable unattended bringup in the locked tailnet.
-func (lc *LocalClient) NetworkLockWrapPreauthKey(ctx context.Context, preauthKey string, tkaKey key.NLPrivate) (string, error) {
-	encodedPrivate, err := tkaKey.MarshalText()
-	if err != nil {
-		return "", err
-	}
-
-	var b bytes.Buffer
-	type wrapRequest struct {
-		TSKey  string
-		TKAKey string // key.NLPrivate.MarshalText
-	}
-	if err := json.NewEncoder(&b).Encode(wrapRequest{TSKey: preauthKey, TKAKey: string(encodedPrivate)}); err != nil {
-		return "", err
-	}
-
-	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/wrap-preauth-key", 200, &b)
-	if err != nil {
-		return "", fmt.Errorf("error: %w", err)
-	}
-	return string(body), nil
-}
-
 // NetworkLockModify adds and/or removes key(s) to the tailnet key authority.
 func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) error {
 	var b bytes.Buffer
@@ -911,15 +858,6 @@ func (lc *LocalClient) NetworkLockSign(ctx context.Context, nodeKey key.NodePubl
 	return nil
 }
 
-// NetworkLockAffectedSigs returns all signatures signed by the specified keyID.
-func (lc *LocalClient) NetworkLockAffectedSigs(ctx context.Context, keyID tkatype.KeyID) ([]tkatype.MarshaledSignature, error) {
-	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/affected-sigs", 200, bytes.NewReader(keyID))
-	if err != nil {
-		return nil, fmt.Errorf("error: %w", err)
-	}
-	return decodeJSON[[]tkatype.MarshaledSignature](body)
-}
-
 // NetworkLockLog returns up to maxEntries number of changes to network-lock state.
 func (lc *LocalClient) NetworkLockLog(ctx context.Context, maxEntries int) ([]ipnstate.NetworkLockUpdate, error) {
 	v := url.Values{}

cmd/containerboot/kube.go

@@ -6,28 +6,138 @@
 package main
 
 import (
+	"bytes"
 	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
+	"io"
 	"log"
 	"net/http"
 	"os"
+	"path/filepath"
+	"strings"
+	"time"
 
-	"tailscale.com/kube"
 	"tailscale.com/tailcfg"
+	"tailscale.com/util/multierr"
 )
 
+// checkSecretPermissions checks the secret access permissions of the current
+// pod. It returns an error if the basic permissions tailscale needs are
+// missing, and reports whether the patch permission is additionally present.
+//
+// Errors encountered during the access checking process are logged, but ignored
+// so that the pod tries to fail alive if the permissions exist and there's just
+// something wrong with SelfSubjectAccessReviews. There shouldn't be, pods
+// should always be able to use SSARs to assess their own permissions, but since
+// we didn't use to check permissions this way we'll be cautious in case some
+// old version of k8s deviates from the current behavior.
+func checkSecretPermissions(ctx context.Context, secretName string) (canPatch bool, err error) {
+	var errs []error
+	for _, verb := range []string{"get", "update"} {
+		ok, err := checkPermission(ctx, verb, secretName)
+		if err != nil {
+			log.Printf("error checking %s permission on secret %s: %v", verb, secretName, err)
+		} else if !ok {
+			errs = append(errs, fmt.Errorf("missing %s permission on secret %q", verb, secretName))
+		}
+	}
+	if len(errs) > 0 {
+		return false, multierr.New(errs...)
+	}
+	ok, err := checkPermission(ctx, "patch", secretName)
+	if err != nil {
+		log.Printf("error checking patch permission on secret %s: %v", secretName, err)
+		return false, nil
+	}
+	return ok, nil
+}
+
+// checkPermission reports whether the current pod has permission to use the
+// given verb (e.g. get, update, patch) on secretName.
+func checkPermission(ctx context.Context, verb, secretName string) (bool, error) {
+	sar := map[string]any{
+		"apiVersion": "authorization.k8s.io/v1",
+		"kind":       "SelfSubjectAccessReview",
+		"spec": map[string]any{
+			"resourceAttributes": map[string]any{
+				"namespace": kubeNamespace,
+				"verb":      verb,
+				"resource":  "secrets",
+				"name":      secretName,
+			},
+		},
+	}
+	bs, err := json.Marshal(sar)
+	if err != nil {
+		return false, err
+	}
+	req, err := http.NewRequest("POST", "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews", bytes.NewReader(bs))
+	if err != nil {
+		return false, err
+	}
+	resp, err := doKubeRequest(ctx, req)
+	if err != nil {
+		return false, err
+	}
+	defer resp.Body.Close()
+	bs, err = io.ReadAll(resp.Body)
+	if err != nil {
+		return false, err
+	}
+	var res struct {
+		Status struct {
+			Allowed bool `json:"allowed"`
+		} `json:"status"`
+	}
+	if err := json.Unmarshal(bs, &res); err != nil {
+		return false, err
+	}
+	return res.Status.Allowed, nil
+}
+
 // findKeyInKubeSecret inspects the kube secret secretName for a data
 // field called "authkey", and returns its value if present.
 func findKeyInKubeSecret(ctx context.Context, secretName string) (string, error) {
-	s, err := kc.GetSecret(ctx, secretName)
+	req, err := http.NewRequest("GET", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s", kubeNamespace, secretName), nil)
 	if err != nil {
 		return "", err
 	}
-	ak, ok := s.Data["authkey"]
-	if !ok {
-		return "", nil
+	resp, err := doKubeRequest(ctx, req)
+	if err != nil {
+		if resp != nil && resp.StatusCode == http.StatusNotFound {
+			// Kube secret doesn't exist yet, can't have an authkey.
+			return "", nil
+		}
+		return "", err
 	}
-	return string(ak), nil
+	defer resp.Body.Close()
+
+	bs, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	// We use a map[string]any here rather than import corev1.Secret,
+	// because we only do very limited things to the secret, and
+	// importing corev1 adds 12MiB to the compiled binary.
+	var s map[string]any
+	if err := json.Unmarshal(bs, &s); err != nil {
+		return "", err
+	}
+	if d, ok := s["data"].(map[string]any); ok {
+		if v, ok := d["authkey"].(string); ok {
+			bs, err := base64.StdEncoding.DecodeString(v)
+			if err != nil {
+				return "", err
+			}
+			return string(bs), nil
+		}
+	}
+	return "", nil
 }
 
 // storeDeviceInfo writes deviceID into the "device_id" data field of the kube
@@ -35,38 +145,65 @@ func findKeyInKubeSecret(ctx context.Context, secretName string) (string, error)
 func storeDeviceInfo(ctx context.Context, secretName string, deviceID tailcfg.StableNodeID, fqdn string) error {
 	// First check if the secret exists at all. Even if running on
 	// kubernetes, we do not necessarily store state in a k8s secret.
-	if _, err := kc.GetSecret(ctx, secretName); err != nil {
-		if s, ok := err.(*kube.Status); ok {
-			if s.Code >= 400 && s.Code <= 499 {
-				// Assume the secret doesn't exist, or we don't have
-				// permission to access it.
-				return nil
-			}
+	req, err := http.NewRequest("GET", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s", kubeNamespace, secretName), nil)
+	if err != nil {
+		return err
+	}
+	resp, err := doKubeRequest(ctx, req)
+	if err != nil {
+		if resp != nil && resp.StatusCode >= 400 && resp.StatusCode <= 499 {
+			// Assume the secret doesn't exist, or we don't have
+			// permission to access it.
+			return nil
 		}
 		return err
 	}
 
-	m := &kube.Secret{
-		Data: map[string][]byte{
-			"device_id":   []byte(deviceID),
-			"device_fqdn": []byte(fqdn),
+	m := map[string]map[string]string{
+		"stringData": {
+			"device_id":   string(deviceID),
+			"device_fqdn": fqdn,
 		},
 	}
-	return kc.StrategicMergePatchSecret(ctx, secretName, m, "tailscale-container")
+	var b bytes.Buffer
+	if err := json.NewEncoder(&b).Encode(m); err != nil {
+		return err
+	}
+	req, err = http.NewRequest("PATCH", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s?fieldManager=tailscale-container", kubeNamespace, secretName), &b)
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Content-Type", "application/strategic-merge-patch+json")
+	if _, err := doKubeRequest(ctx, req); err != nil {
+		return err
+	}
+	return nil
 }
 
 // deleteAuthKey deletes the 'authkey' field of the given kube
 // secret. No-op if there is no authkey in the secret.
 func deleteAuthKey(ctx context.Context, secretName string) error {
 	// m is a JSON Patch data structure, see https://jsonpatch.com/ or RFC 6902.
-	m := []kube.JSONPatch{
+	m := []struct {
+		Op   string `json:"op"`
+		Path string `json:"path"`
+	}{
 		{
 			Op:   "remove",
 			Path: "/data/authkey",
 		},
 	}
-	if err := kc.JSONPatchSecret(ctx, secretName, m); err != nil {
-		if s, ok := err.(*kube.Status); ok && s.Code == http.StatusUnprocessableEntity {
+	var b bytes.Buffer
+	if err := json.NewEncoder(&b).Encode(m); err != nil {
+		return err
+	}
+	req, err := http.NewRequest("PATCH", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s?fieldManager=tailscale-container", kubeNamespace, secretName), &b)
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Content-Type", "application/json-patch+json")
+	if resp, err := doKubeRequest(ctx, req); err != nil {
+		if resp != nil && resp.StatusCode == http.StatusUnprocessableEntity {
 			// This is kubernetes-ese for "the field you asked to
 			// delete already doesn't exist", aka no-op.
 			return nil
@@ -76,22 +213,65 @@ func deleteAuthKey(ctx context.Context, secretName string) error {
 	return nil
 }
 
-var kc *kube.Client
+var (
+	kubeHost      string
+	kubeNamespace string
+	kubeToken     string
+	kubeHTTP      *http.Transport
+)
 
 func initKube(root string) {
-	if root != "/" {
-		// If we are running in a test, we need to set the root path to the fake
-		// service account directory.
-		kube.SetRootPathForTesting(root)
+	// If running in Kubernetes, set things up so that doKubeRequest
+	// can talk successfully to the kube apiserver.
+	if os.Getenv("KUBERNETES_SERVICE_HOST") == "" {
+		return
 	}
-	var err error
-	kc, err = kube.New()
+
+	kubeHost = os.Getenv("KUBERNETES_SERVICE_HOST") + ":" + os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")
+
+	bs, err := os.ReadFile(filepath.Join(root, "var/run/secrets/kubernetes.io/serviceaccount/namespace"))
 	if err != nil {
-		log.Fatalf("Error creating kube client: %v", err)
+		log.Fatalf("Error reading kube namespace: %v", err)
 	}
-	if root != "/" {
-		// If we are running in a test, we need to set the URL to the
-		// httptest server.
-		kc.SetURL(fmt.Sprintf("https://%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")))
+	kubeNamespace = strings.TrimSpace(string(bs))
+
+	bs, err = os.ReadFile(filepath.Join(root, "var/run/secrets/kubernetes.io/serviceaccount/token"))
+	if err != nil {
+		log.Fatalf("Error reading kube token: %v", err)
+	}
+	kubeToken = strings.TrimSpace(string(bs))
+
+	bs, err = os.ReadFile(filepath.Join(root, "var/run/secrets/kubernetes.io/serviceaccount/ca.crt"))
+	if err != nil {
+		log.Fatalf("Error reading kube CA cert: %v", err)
+	}
+	cp := x509.NewCertPool()
+	cp.AppendCertsFromPEM(bs)
+	kubeHTTP = &http.Transport{
+		TLSClientConfig: &tls.Config{
+			RootCAs: cp,
+		},
+		IdleConnTimeout: time.Second,
 	}
 }
+
+// doKubeRequest sends r to the kube apiserver.
+func doKubeRequest(ctx context.Context, r *http.Request) (*http.Response, error) {
+	if kubeHTTP == nil {
+		panic("not in kubernetes")
+	}
+
+	r.URL.Scheme = "https"
+	r.URL.Host = kubeHost
+	r.Header.Set("Authorization", "Bearer "+kubeToken)
+	r.Header.Set("Accept", "application/json")
+
+	resp, err := kubeHTTP.RoundTrip(r)
+	if err != nil {
+		return nil, err
+	}
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
+		return resp, fmt.Errorf("got non-200/201 status code %d", resp.StatusCode)
+	}
+	return resp, nil
+}

cmd/containerboot/main.go

@@ -123,7 +123,7 @@ func main() {
 	defer cancel()
 
 	if cfg.InKubernetes && cfg.KubeSecret != "" {
-		canPatch, err := kc.CheckSecretPermissions(ctx, cfg.KubeSecret)
+		canPatch, err := checkSecretPermissions(ctx, cfg.KubeSecret)
 		if err != nil {
 			log.Fatalf("Some Kubernetes permissions are missing, please check your RBAC configuration: %v", err)
 		}

cmd/containerboot/main_test.go

@@ -607,7 +607,7 @@ func TestContainerBoot(t *testing.T) {
 			}()
 
 			var wantCmds []string
-			for i, p := range test.Phases {
+			for _, p := range test.Phases {
 				lapi.Notify(p.Notify)
 				wantCmds = append(wantCmds, p.WantCmds...)
 				waitArgs(t, 2*time.Second, d, argFile, strings.Join(wantCmds, "\n"))
@@ -626,7 +626,7 @@ func TestContainerBoot(t *testing.T) {
 					return nil
 				})
 				if err != nil {
-					t.Fatalf("phase %d: %v", i, err)
+					t.Fatal(err)
 				}
 				err = tstest.WaitFor(2*time.Second, func() error {
 					for path, want := range p.WantFiles {
@@ -983,13 +983,13 @@ func (k *kubeServer) serveSecret(w http.ResponseWriter, r *http.Request) {
 			}
 		case "application/strategic-merge-patch+json":
 			req := struct {
-				Data map[string][]byte `json:"data"`
+				Data map[string]string `json:"stringData"`
 			}{}
 			if err := json.Unmarshal(bs, &req); err != nil {
 				panic(fmt.Sprintf("json decode failed: %v. Body:\n\n%s", err, string(bs)))
 			}
 			for key, val := range req.Data {
-				k.secret[key] = string(val)
+				k.secret[key] = val
 			}
 		default:
 			panic(fmt.Sprintf("unknown content type %q", r.Header.Get("Content-Type")))

cmd/derper/bootstrap_dns.go

@@ -14,7 +14,6 @@ import (
 	"time"
 
 	"tailscale.com/syncs"
-	"tailscale.com/util/slicesx"
 )
 
 const refreshTimeout = time.Minute
@@ -53,13 +52,6 @@ func refreshBootstrapDNS() {
 	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
 	defer cancel()
 	dnsEntries := resolveList(ctx, strings.Split(*bootstrapDNS, ","))
-	// Randomize the order of the IPs for each name to avoid the client biasing
-	// to IPv6
-	for k := range dnsEntries {
-		ips := dnsEntries[k]
-		slicesx.Shuffle(ips)
-		dnsEntries[k] = ips
-	}
 	j, err := json.MarshalIndent(dnsEntries, "", "\t")
 	if err != nil {
 		// leave the old values in place

cmd/derper/bootstrap_dns_test.go

@@ -11,12 +11,14 @@ import (
 	"net/url"
 	"reflect"
 	"testing"
-
-	"tailscale.com/tstest"
 )
 
 func BenchmarkHandleBootstrapDNS(b *testing.B) {
-	tstest.Replace(b, bootstrapDNS, "log.tailscale.io,login.tailscale.com,controlplane.tailscale.com,login.us.tailscale.com")
+	prev := *bootstrapDNS
+	*bootstrapDNS = "log.tailscale.io,login.tailscale.com,controlplane.tailscale.com,login.us.tailscale.com"
+	defer func() {
+		*bootstrapDNS = prev
+	}()
 	refreshBootstrapDNS()
 	w := new(bitbucketResponseWriter)
 	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape("log.tailscale.io"), nil)

cmd/derper/depaware.txt

@@ -47,7 +47,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
         tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
         tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
-        tailscale.com/net/sockstats                                  from tailscale.com/derp/derphttp
         tailscale.com/net/stun                                       from tailscale.com/cmd/derper
         tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
         tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
@@ -87,7 +86,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/util/multierr                                  from tailscale.com/health
         tailscale.com/util/set                                       from tailscale.com/health
         tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
-        tailscale.com/util/slicesx                                   from tailscale.com/cmd/derper+
         tailscale.com/util/vizerror                                  from tailscale.com/tsweb
    W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
         tailscale.com/version                                        from tailscale.com/derp+

cmd/get-authkey/main.go

@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: BSD-3-Clause
 
 // get-authkey allocates an authkey using an OAuth API client
-// https://tailscale.com/s/oauth-clients and prints it
+// https://tailscale.com/kb/1215/oauth-clients/ and prints it
 // to stdout for scripts to capture and use.
 package main
 

cmd/gitops-pusher/gitops-pusher.go

@@ -22,7 +22,6 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"github.com/tailscale/hujson"
-	"golang.org/x/oauth2/clientcredentials"
 	"tailscale.com/util/httpm"
 )
 
@@ -43,9 +42,9 @@ func modifiedExternallyError() {
 	}
 }
 
-func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error {
+func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
 	return func(ctx context.Context, args []string) error {
-		controlEtag, err := getACLETag(ctx, client, tailnet, apiKey)
+		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
 		if err != nil {
 			return err
 		}
@@ -74,7 +73,7 @@ func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(conte
 			return nil
 		}
 
-		if err := applyNewACL(ctx, client, tailnet, apiKey, *policyFname, controlEtag); err != nil {
+		if err := applyNewACL(ctx, tailnet, apiKey, *policyFname, controlEtag); err != nil {
 			return err
 		}
 
@@ -84,9 +83,9 @@ func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(conte
 	}
 }
 
-func test(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error {
+func test(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
 	return func(ctx context.Context, args []string) error {
-		controlEtag, err := getACLETag(ctx, client, tailnet, apiKey)
+		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
 		if err != nil {
 			return err
 		}
@@ -114,16 +113,16 @@ func test(cache *Cache, client *http.Client, tailnet, apiKey string) func(contex
 			return nil
 		}
 
-		if err := testNewACLs(ctx, client, tailnet, apiKey, *policyFname); err != nil {
+		if err := testNewACLs(ctx, tailnet, apiKey, *policyFname); err != nil {
 			return err
 		}
 		return nil
 	}
 }
 
-func getChecksums(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error {
+func getChecksums(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
 	return func(ctx context.Context, args []string) error {
-		controlEtag, err := getACLETag(ctx, client, tailnet, apiKey)
+		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
 		if err != nil {
 			return err
 		}
@@ -152,24 +151,8 @@ func main() {
 		log.Fatal("set envvar TS_TAILNET to your tailnet's name")
 	}
 	apiKey, ok := os.LookupEnv("TS_API_KEY")
-	oauthId, oiok := os.LookupEnv("TS_OAUTH_ID")
-	oauthSecret, osok := os.LookupEnv("TS_OAUTH_SECRET")
-	if !ok && (!oiok || !osok) {
-		log.Fatal("set envvar TS_API_KEY to your Tailscale API key or TS_OAUTH_ID and TS_OAUTH_SECRET to your Tailscale OAuth ID and Secret")
-	}
-	if ok && (oiok || osok) {
-		log.Fatal("set either the envvar TS_API_KEY or TS_OAUTH_ID and TS_OAUTH_SECRET")
-	}
-	var client *http.Client
-	if oiok {
-		oauthConfig := &clientcredentials.Config{
-			ClientID:     oauthId,
-			ClientSecret: oauthSecret,
-			TokenURL:     fmt.Sprintf("https://%s/api/v2/oauth/token", *apiServer),
-		}
-		client = oauthConfig.Client(context.Background())
-	} else {
-		client = http.DefaultClient
+	if !ok {
+		log.Fatal("set envvar TS_API_KEY to your Tailscale API key")
 	}
 	cache, err := LoadCache(*cacheFname)
 	if err != nil {
@@ -186,7 +169,7 @@ func main() {
 		ShortUsage: "gitops-pusher [options] apply",
 		ShortHelp:  "Pushes changes to CONTROL",
 		LongHelp:   `Pushes changes to CONTROL`,
-		Exec:       apply(cache, client, tailnet, apiKey),
+		Exec:       apply(cache, tailnet, apiKey),
 	}
 
 	testCmd := &ffcli.Command{
@@ -194,7 +177,7 @@ func main() {
 		ShortUsage: "gitops-pusher [options] test",
 		ShortHelp:  "Tests ACL changes",
 		LongHelp:   "Tests ACL changes",
-		Exec:       test(cache, client, tailnet, apiKey),
+		Exec:       test(cache, tailnet, apiKey),
 	}
 
 	cksumCmd := &ffcli.Command{
@@ -202,7 +185,7 @@ func main() {
 		ShortUsage: "Shows checksums of ACL files",
 		ShortHelp:  "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
 		LongHelp:   "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
-		Exec:       getChecksums(cache, client, tailnet, apiKey),
+		Exec:       getChecksums(cache, tailnet, apiKey),
 	}
 
 	root := &ffcli.Command{
@@ -245,7 +228,7 @@ func sumFile(fname string) (string, error) {
 	return fmt.Sprintf("%x", h.Sum(nil)), nil
 }
 
-func applyNewACL(ctx context.Context, client *http.Client, tailnet, apiKey, policyFname, oldEtag string) error {
+func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag string) error {
 	fin, err := os.Open(policyFname)
 	if err != nil {
 		return err
@@ -261,7 +244,7 @@ func applyNewACL(ctx context.Context, client *http.Client, tailnet, apiKey, poli
 	req.Header.Set("Content-Type", "application/hujson")
 	req.Header.Set("If-Match", `"`+oldEtag+`"`)
 
-	resp, err := client.Do(req)
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return err
 	}
@@ -282,7 +265,7 @@ func applyNewACL(ctx context.Context, client *http.Client, tailnet, apiKey, poli
 	return nil
 }
 
-func testNewACLs(ctx context.Context, client *http.Client, tailnet, apiKey, policyFname string) error {
+func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error {
 	data, err := os.ReadFile(policyFname)
 	if err != nil {
 		return err
@@ -300,7 +283,7 @@ func testNewACLs(ctx context.Context, client *http.Client, tailnet, apiKey, poli
 	req.SetBasicAuth(apiKey, "")
 	req.Header.Set("Content-Type", "application/hujson")
 
-	resp, err := client.Do(req)
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return err
 	}
@@ -363,7 +346,7 @@ type ACLTestErrorDetail struct {
 	Errors []string `json:"errors"`
 }
 
-func getACLETag(ctx context.Context, client *http.Client, tailnet, apiKey string) (string, error) {
+func getACLETag(ctx context.Context, tailnet, apiKey string) (string, error) {
 	req, err := http.NewRequestWithContext(ctx, httpm.GET, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), nil)
 	if err != nil {
 		return "", err
@@ -372,7 +355,7 @@ func getACLETag(ctx context.Context, client *http.Client, tailnet, apiKey string
 	req.SetBasicAuth(apiKey, "")
 	req.Header.Set("Accept", "application/hujson")
 
-	resp, err := client.Do(req)
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return "", err
 	}

cmd/k8s-operator/manifests/authproxy-rbac.yaml

@@ -7,7 +7,7 @@ metadata:
   name: tailscale-auth-proxy
 rules:
 - apiGroups: [""]
-  resources: ["users", "groups"]
+  resources: ["users"]
   verbs: ["impersonate"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1

cmd/k8s-operator/operator.go

@@ -99,9 +99,9 @@ func main() {
 	tsClient.HTTPClient = credentials.Client(context.Background())
 
 	if shouldRunAuthProxy {
-		hostinfo.SetApp("k8s-operator-proxy")
+		hostinfo.SetPackage("k8s-operator-proxy")
 	} else {
-		hostinfo.SetApp("k8s-operator")
+		hostinfo.SetPackage("k8s-operator")
 	}
 
 	s := &tsnet.Server{
@@ -166,7 +166,7 @@ waitOnline:
 			loginDone = true
 		case "NeedsMachineAuth":
 			if !machineAuthShown {
-				startlog.Infof("Machine approval required, please visit the admin panel to approve")
+				startlog.Infof("Machine authorization required, please visit the admin panel to authorize")
 				machineAuthShown = true
 			}
 		default:
@@ -235,11 +235,15 @@ waitOnline:
 
 	startlog.Infof("Startup complete, operator running")
 	if shouldRunAuthProxy {
-		rt, err := rest.TransportFor(restConfig)
+		rc, err := rest.TransportFor(restConfig)
 		if err != nil {
 			startlog.Fatalf("could not get rest transport: %v", err)
 		}
-		go runAuthProxy(s, rt, zlog.Named("auth-proxy").Infof)
+		authProxyListener, err := s.Listen("tcp", ":443")
+		if err != nil {
+			startlog.Fatalf("could not listen on :443: %v", err)
+		}
+		go runAuthProxy(lc, authProxyListener, rc, zlog.Named("auth-proxy").Infof)
 	}
 	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
 		startlog.Fatalf("could not start manager: %v", err)

cmd/k8s-operator/proxy.go

@@ -5,8 +5,10 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"log"
+	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
@@ -15,7 +17,6 @@ import (
 
 	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/tsnet"
 	"tailscale.com/types/logger"
 )
 
@@ -40,42 +41,23 @@ func (h *authProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	h.rp.ServeHTTP(w, r)
 }
 
-// runAuthProxy runs an HTTP server that authenticates requests using the
-// Tailscale LocalAPI and then proxies them to the Kubernetes API.
-// It listens on :443 and uses the Tailscale HTTPS certificate.
-// s will be started if it is not already running.
-// rt is used to proxy requests to the Kubernetes API.
-//
-// It never returns.
-func runAuthProxy(s *tsnet.Server, rt http.RoundTripper, logf logger.Logf) {
-	ln, err := s.ListenTLS("tcp", ":443")
-	if err != nil {
-		log.Fatalf("could not listen on :443: %v", err)
-	}
+func runAuthProxy(lc *tailscale.LocalClient, ls net.Listener, rt http.RoundTripper, logf logger.Logf) {
 	u, err := url.Parse(fmt.Sprintf("https://%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")))
 	if err != nil {
 		log.Fatalf("runAuthProxy: failed to parse URL %v", err)
 	}
-
-	lc, err := s.LocalClient()
-	if err != nil {
-		log.Fatalf("could not get local client: %v", err)
-	}
 	ap := &authProxy{
 		logf: logf,
 		lc:   lc,
 		rp: &httputil.ReverseProxy{
 			Director: func(r *http.Request) {
-				// We want to proxy to the Kubernetes API, but we want to use
-				// the caller's identity to do so. We do this by impersonating
-				// the caller using the Kubernetes User Impersonation feature:
-				// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation
+				// Replace the request with the user's identity.
+				who := r.Context().Value(whoIsKey{}).(*apitype.WhoIsResponse)
+				r.Header.Set("Impersonate-User", who.UserProfile.LoginName)
 
-				// Out of paranoia, remove all authentication headers that might
-				// have been set by the client.
+				// Remove all authentication headers.
 				r.Header.Del("Authorization")
 				r.Header.Del("Impersonate-Group")
-				r.Header.Del("Impersonate-User")
 				r.Header.Del("Impersonate-Uid")
 				for k := range r.Header {
 					if strings.HasPrefix(k, "Impersonate-Extra-") {
@@ -83,19 +65,6 @@ func runAuthProxy(s *tsnet.Server, rt http.RoundTripper, logf logger.Logf) {
 					}
 				}
 
-				// Now add the impersonation headers that we want.
-				who := r.Context().Value(whoIsKey{}).(*apitype.WhoIsResponse)
-				if who.Node.IsTagged() {
-					// Use the nodes FQDN as the username, and the nodes tags as the groups.
-					// "Impersonate-Group" requires "Impersonate-User" to be set.
-					r.Header.Set("Impersonate-User", strings.TrimSuffix(who.Node.Name, "."))
-					for _, tag := range who.Node.Tags {
-						r.Header.Add("Impersonate-Group", tag)
-					}
-				} else {
-					r.Header.Set("Impersonate-User", who.UserProfile.LoginName)
-				}
-
 				// Replace the URL with the Kubernetes APIServer.
 				r.URL.Scheme = u.Scheme
 				r.URL.Host = u.Host
@@ -103,7 +72,9 @@ func runAuthProxy(s *tsnet.Server, rt http.RoundTripper, logf logger.Logf) {
 			Transport: rt,
 		},
 	}
-	if err := http.Serve(ln, ap); err != nil {
+	if err := http.Serve(tls.NewListener(ls, &tls.Config{
+		GetCertificate: lc.GetCertificate,
+	}), ap); err != nil {
 		log.Fatalf("runAuthProxy: failed to serve %v", err)
 	}
 }

cmd/mkmanifest/main.go

@@ -19,7 +19,7 @@ func main() {
 
 	arch := winres.Arch(os.Args[1])
 	switch arch {
-	case winres.ArchAMD64, winres.ArchARM64, winres.ArchI386:
+	case winres.ArchAMD64, winres.ArchARM64, winres.ArchI386, winres.ArchARM:
 	default:
 		log.Fatalf("unsupported arch: %s", arch)
 	}

cmd/netlogfmt/main.go

@@ -43,7 +43,7 @@ import (
 	jsonv2 "github.com/go-json-experiment/json"
 	"golang.org/x/exp/maps"
 	"golang.org/x/exp/slices"
-	"tailscale.com/types/logid"
+	"tailscale.com/logtail"
 	"tailscale.com/types/netlogtype"
 	"tailscale.com/util/must"
 )
@@ -136,8 +136,8 @@ func processObject(dec *jsonv2.Decoder) {
 
 type message struct {
 	Logtail struct {
-		ID     logid.PublicID `json:"id"`
-		Logged time.Time      `json:"server_time"`
+		ID     logtail.PublicID `json:"id"`
+		Logged time.Time        `json:"server_time"`
 	} `json:"logtail"`
 	Logged time.Time `json:"logged"`
 	netlogtype.Message

cmd/nginx-auth/nginx-auth.go

@@ -56,7 +56,7 @@ func main() {
 			return
 		}
 
-		if info.Node.IsTagged() {
+		if len(info.Node.Tags) != 0 {
 			w.WriteHeader(http.StatusForbidden)
 			log.Printf("node %s is tagged", info.Node.Hostinfo.Hostname())
 			return

cmd/proxy-to-grafana/proxy-to-grafana.go

@@ -147,7 +147,7 @@ func getTailscaleUser(ctx context.Context, localClient *tailscale.LocalClient, i
 	if err != nil {
 		return nil, fmt.Errorf("failed to identify remote host: %w", err)
 	}
-	if whois.Node.IsTagged() {
+	if len(whois.Node.Tags) != 0 {
 		return nil, fmt.Errorf("tagged nodes are not users")
 	}
 	if whois.UserProfile == nil || whois.UserProfile.LoginName == "" {

cmd/sniproxy/snipproxy.go

@@ -1,219 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// The sniproxy is an outbound SNI proxy. It receives TLS connections over
-// Tailscale on one or more TCP ports and sends them out to the same SNI
-// hostname & port on the internet. It only does TCP.
-package main
-
-import (
-	"context"
-	"flag"
-	"log"
-	"net"
-	"net/http"
-	"strings"
-	"time"
-
-	"golang.org/x/net/dns/dnsmessage"
-	"inet.af/tcpproxy"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/net/netutil"
-	"tailscale.com/tsnet"
-	"tailscale.com/types/nettype"
-)
-
-var (
-	ports        = flag.String("ports", "443", "comma-separated list of ports to proxy")
-	promoteHTTPS = flag.Bool("promote-https", true, "promote HTTP to HTTPS")
-)
-
-var tsMBox = dnsmessage.MustNewName("support.tailscale.com.")
-
-func main() {
-	flag.Parse()
-	if *ports == "" {
-		log.Fatal("no ports")
-	}
-
-	var s server
-	defer s.ts.Close()
-
-	lc, err := s.ts.LocalClient()
-	if err != nil {
-		log.Fatal(err)
-	}
-	s.lc = lc
-
-	for _, portStr := range strings.Split(*ports, ",") {
-		ln, err := s.ts.Listen("tcp", ":"+portStr)
-		if err != nil {
-			log.Fatal(err)
-		}
-		log.Printf("Serving on port %v ...", portStr)
-		go s.serve(ln)
-	}
-
-	ln, err := s.ts.Listen("udp", ":53")
-	if err != nil {
-		log.Fatal(err)
-	}
-	go s.serveDNS(ln)
-
-	if *promoteHTTPS {
-		ln, err := s.ts.Listen("tcp", ":80")
-		if err != nil {
-			log.Fatal(err)
-		}
-		log.Printf("Promoting HTTP to HTTPS ...")
-		go s.promoteHTTPS(ln)
-	}
-
-	select {}
-}
-
-type server struct {
-	ts tsnet.Server
-	lc *tailscale.LocalClient
-}
-
-func (s *server) serve(ln net.Listener) {
-	for {
-		c, err := ln.Accept()
-		if err != nil {
-			log.Fatal(err)
-		}
-		go s.serveConn(c)
-	}
-}
-
-func (s *server) serveDNS(ln net.Listener) {
-	for {
-		c, err := ln.Accept()
-		if err != nil {
-			log.Fatal(err)
-		}
-		go s.serveDNSConn(c.(nettype.ConnPacketConn))
-	}
-}
-
-func (s *server) serveDNSConn(c nettype.ConnPacketConn) {
-	defer c.Close()
-	c.SetReadDeadline(time.Now().Add(5 * time.Second))
-	buf := make([]byte, 1500)
-	n, err := c.Read(buf)
-	if err != nil {
-		log.Printf("c.Read failed: %v\n ", err)
-		return
-	}
-
-	var msg dnsmessage.Message
-	err = msg.Unpack(buf[:n])
-	if err != nil {
-		log.Printf("dnsmessage unpack failed: %v\n ", err)
-		return
-	}
-
-	buf, err = s.dnsResponse(&msg)
-	if err != nil {
-		log.Printf("s.dnsResponse failed: %v\n", err)
-		return
-	}
-
-	_, err = c.Write(buf)
-	if err != nil {
-		log.Printf("c.Write failed: %v\n", err)
-		return
-	}
-}
-
-func (s *server) serveConn(c net.Conn) {
-	addrPortStr := c.LocalAddr().String()
-	_, port, err := net.SplitHostPort(addrPortStr)
-	if err != nil {
-		log.Printf("bogus addrPort %q", addrPortStr)
-		c.Close()
-		return
-	}
-
-	var dialer net.Dialer
-	dialer.Timeout = 5 * time.Second
-
-	var p tcpproxy.Proxy
-	p.ListenFunc = func(net, laddr string) (net.Listener, error) {
-		return netutil.NewOneConnListener(c, nil), nil
-	}
-	p.AddSNIRouteFunc(addrPortStr, func(ctx context.Context, sniName string) (t tcpproxy.Target, ok bool) {
-		return &tcpproxy.DialProxy{
-			Addr:        net.JoinHostPort(sniName, port),
-			DialContext: dialer.DialContext,
-		}, true
-	})
-	p.Start()
-}
-
-func (s *server) dnsResponse(req *dnsmessage.Message) (buf []byte, err error) {
-	resp := dnsmessage.NewBuilder(buf,
-		dnsmessage.Header{
-			ID:            req.Header.ID,
-			Response:      true,
-			Authoritative: true,
-		})
-	resp.EnableCompression()
-
-	if len(req.Questions) == 0 {
-		buf, _ = resp.Finish()
-		return
-	}
-
-	q := req.Questions[0]
-	err = resp.StartQuestions()
-	if err != nil {
-		return
-	}
-	resp.Question(q)
-
-	ip4, ip6 := s.ts.TailscaleIPs()
-	err = resp.StartAnswers()
-	if err != nil {
-		return
-	}
-
-	switch q.Type {
-	case dnsmessage.TypeAAAA:
-		err = resp.AAAAResource(
-			dnsmessage.ResourceHeader{Name: q.Name, Class: q.Class, TTL: 120},
-			dnsmessage.AAAAResource{AAAA: ip6.As16()},
-		)
-
-	case dnsmessage.TypeA:
-		err = resp.AResource(
-			dnsmessage.ResourceHeader{Name: q.Name, Class: q.Class, TTL: 120},
-			dnsmessage.AResource{A: ip4.As4()},
-		)
-	case dnsmessage.TypeSOA:
-		err = resp.SOAResource(
-			dnsmessage.ResourceHeader{Name: q.Name, Class: q.Class, TTL: 120},
-			dnsmessage.SOAResource{NS: q.Name, MBox: tsMBox, Serial: 2023030600,
-				Refresh: 120, Retry: 120, Expire: 120, MinTTL: 60},
-		)
-	case dnsmessage.TypeNS:
-		err = resp.NSResource(
-			dnsmessage.ResourceHeader{Name: q.Name, Class: q.Class, TTL: 120},
-			dnsmessage.NSResource{NS: tsMBox},
-		)
-	}
-
-	if err != nil {
-		return
-	}
-
-	return resp.Finish()
-}
-
-func (s *server) promoteHTTPS(ln net.Listener) {
-	err := http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		http.Redirect(w, r, "https://"+r.Host+r.RequestURI, http.StatusFound)
-	}))
-	log.Fatalf("promoteHTTPS http.Serve: %v", err)
-}

cmd/tailscale/cli/cli.go

@@ -113,7 +113,6 @@ change in the future.
 			loginCmd,
 			logoutCmd,
 			switchCmd,
-			configureCmd,
 			netcheckCmd,
 			ipCmd,
 			statusCmd,
@@ -147,12 +146,12 @@ change in the future.
 	switch {
 	case slices.Contains(args, "debug"):
 		rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
-	case slices.Contains(args, "funnel"):
-		rootCmd.Subcommands = append(rootCmd.Subcommands, funnelCmd)
 	case slices.Contains(args, "serve"):
 		rootCmd.Subcommands = append(rootCmd.Subcommands, serveCmd)
 	case slices.Contains(args, "update"):
 		rootCmd.Subcommands = append(rootCmd.Subcommands, updateCmd)
+	case slices.Contains(args, "configure"):
+		rootCmd.Subcommands = append(rootCmd.Subcommands, configureCmd)
 	}
 	if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
 		rootCmd.Subcommands = append(rootCmd.Subcommands, configureHostCmd)

cmd/tailscale/cli/cli_test.go

@@ -1071,42 +1071,20 @@ func TestUpdatePrefs(t *testing.T) {
 			},
 			env: upCheckEnv{backendState: "Running"},
 		},
-		{
-			name:             "force_reauth_over_ssh_no_risk",
-			flags:            []string{"--force-reauth"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			env:          upCheckEnv{backendState: "Running"},
-			wantErrSubtr: "aborted, no changes made",
-		},
-		{
-			name:             "force_reauth_over_ssh",
-			flags:            []string{"--force-reauth", "--accept-risk=lose-ssh"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: nil,
-			env:            upCheckEnv{backendState: "Running"},
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if tt.sshOverTailscale {
-				tstest.Replace(t, &getSSHClientEnvVar, func() string { return "100.100.100.100 1 1" })
+				old := getSSHClientEnvVar
+				getSSHClientEnvVar = func() string { return "100.100.100.100 1 1" }
+				t.Cleanup(func() { getSSHClientEnvVar = old })
 			} else if isSSHOverTailscale() {
 				// The test is being executed over a "real" tailscale SSH
 				// session, but sshOverTailscale is unset. Make the test appear
 				// as if it's not over tailscale SSH.
-				tstest.Replace(t, &getSSHClientEnvVar, func() string { return "" })
+				old := getSSHClientEnvVar
+				getSSHClientEnvVar = func() string { return "" }
+				t.Cleanup(func() { getSSHClientEnvVar = old })
 			}
 			if tt.env.goos == "" {
 				tt.env.goos = "linux"

cmd/tailscale/cli/configure-kube.go

@@ -26,14 +26,12 @@ func init() {
 
 var configureKubeconfigCmd = &ffcli.Command{
 	Name:       "kubeconfig",
-	ShortHelp:  "[ALPHA] Connect to a Kubernetes cluster using a Tailscale Auth Proxy",
+	ShortHelp:  "Configure kubeconfig to use Tailscale",
 	ShortUsage: "kubeconfig <hostname-or-fqdn>",
 	LongHelp: strings.TrimSpace(`
-Run this command to configure kubectl to connect to a Kubernetes cluster over Tailscale.
+Run this command to configure your kubeconfig to use Tailscale for authentication to a Kubernetes cluster.
 
 The hostname argument should be set to the Tailscale hostname of the peer running as an auth proxy in the cluster.
-
-See: https://tailscale.com/s/k8s-auth-proxy
 `),
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("kubeconfig")

cmd/tailscale/cli/configure-synology.go

@@ -35,13 +35,13 @@ var configureHostCmd = &ffcli.Command{
 var synologyConfigureCmd = &ffcli.Command{
 	Name:      "synology",
 	Exec:      runConfigureSynology,
-	ShortHelp: "Configure Synology to enable outbound connections",
+	ShortHelp: "Configure Synology to enable more Tailscale features",
 	LongHelp: strings.TrimSpace(`
-This command is intended to run at boot as root on a Synology device to
-create the /dev/net/tun device and give the tailscaled binary permission
-to use it.
+The 'configure-host' command is intended to run at boot as root
+to create the /dev/net/tun device and give the tailscaled binary
+permission to use it.
 
-See: https://tailscale.com/s/synology-outbound
+See: https://tailscale.com/kb/1152/synology-outbound/
 `),
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("synology")

cmd/tailscale/cli/configure.go

@@ -15,10 +15,10 @@ import (
 
 var configureCmd = &ffcli.Command{
 	Name:      "configure",
-	ShortHelp: "[ALPHA] Configure the host to enable more Tailscale features",
+	ShortHelp: "Configure the host to enable more Tailscale features",
 	LongHelp: strings.TrimSpace(`
-The 'configure' set of commands are intended to provide a way to enable different
-services on the host to use Tailscale in more ways.
+The 'configure' command is intended to provide a way to configure different
+services on the host to enable more Tailscale features.
 `),
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("configure")

cmd/tailscale/cli/debug.go

@@ -201,23 +201,6 @@ var debugCmd = &ffcli.Command{
 				return fs
 			})(),
 		},
-		{
-			Name:      "portmap",
-			Exec:      debugPortmap,
-			ShortHelp: "run portmap debugging debugging",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("portmap")
-				fs.DurationVar(&debugPortmapArgs.duration, "duration", 5*time.Second, "timeout for port mapping")
-				fs.StringVar(&debugPortmapArgs.ty, "type", "", `portmap debug type (one of "", "pmp", "pcp", or "upnp")`)
-				fs.StringVar(&debugPortmapArgs.gwSelf, "gw-self", "", `override gateway and self IP (format: "gatewayIP/selfIP")`)
-				return fs
-			})(),
-		},
-		{
-			Name:      "peer-endpoint-changes",
-			Exec:      runPeerEndpointChanges,
-			ShortHelp: "prints debug information about a peer's endpoint changes",
-		},
 	},
 }
 
@@ -806,82 +789,3 @@ func runCapture(ctx context.Context, args []string) error {
 	_, err = io.Copy(f, stream)
 	return err
 }
-
-var debugPortmapArgs struct {
-	duration time.Duration
-	gwSelf   string
-	ty       string
-}
-
-func debugPortmap(ctx context.Context, args []string) error {
-	rc, err := localClient.DebugPortmap(ctx,
-		debugPortmapArgs.duration,
-		debugPortmapArgs.ty,
-		debugPortmapArgs.gwSelf,
-	)
-	if err != nil {
-		return err
-	}
-	defer rc.Close()
-
-	_, err = io.Copy(os.Stdout, rc)
-	return err
-}
-
-func runPeerEndpointChanges(ctx context.Context, args []string) error {
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-	description, ok := isRunningOrStarting(st)
-	if !ok {
-		printf("%s\n", description)
-		os.Exit(1)
-	}
-
-	if len(args) != 1 || args[0] == "" {
-		return errors.New("usage: peer-status <hostname-or-IP>")
-	}
-	var ip string
-
-	hostOrIP := args[0]
-	ip, self, err := tailscaleIPFromArg(ctx, hostOrIP)
-	if err != nil {
-		return err
-	}
-	if self {
-		printf("%v is local Tailscale IP\n", ip)
-		return nil
-	}
-
-	if ip != hostOrIP {
-		log.Printf("lookup %q => %q", hostOrIP, ip)
-	}
-
-	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/debug-peer-endpoint-changes?ip="+ip, nil)
-	if err != nil {
-		return err
-	}
-
-	resp, err := localClient.DoLocalRequest(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return err
-	}
-
-	var dst bytes.Buffer
-	if err := json.Indent(&dst, body, "", "  "); err != nil {
-		return fmt.Errorf("indenting returned JSON: %w", err)
-	}
-
-	if ss := dst.String(); !strings.HasSuffix(ss, "\n") {
-		dst.WriteByte('\n')
-	}
-	fmt.Printf("%s", dst.String())
-	return nil
-}

cmd/tailscale/cli/funnel.go

@@ -1,138 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package cli
-
-import (
-	"context"
-	"flag"
-	"fmt"
-	"net"
-	"os"
-	"strconv"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/ipn"
-	"tailscale.com/util/mak"
-)
-
-var funnelCmd = newFunnelCommand(&serveEnv{lc: &localClient})
-
-// newFunnelCommand returns a new "funnel" subcommand using e as its environment.
-// The funnel subcommand is used to turn on/off the Funnel service.
-// Funnel is off by default.
-// Funnel allows you to publish a 'tailscale serve' server publicly, open to the
-// entire internet.
-// newFunnelCommand shares the same serveEnv as the "serve" subcommand. See
-// newServeCommand and serve.go for more details.
-func newFunnelCommand(e *serveEnv) *ffcli.Command {
-	return &ffcli.Command{
-		Name:      "funnel",
-		ShortHelp: "[ALPHA] turn Tailscale Funnel on or off",
-		ShortUsage: strings.TrimSpace(`
-funnel <serve-port> {on|off}
-  funnel status [--json]
-`),
-		LongHelp: strings.Join([]string{
-			"Funnel allows you to publish a 'tailscale serve'",
-			"server publicly, open to the entire internet.",
-			"",
-			"Turning off Funnel only turns off serving to the internet.",
-			"It does not affect serving to your tailnet.",
-		}, "\n"),
-		Exec:      e.runFunnel,
-		UsageFunc: usageFunc,
-		Subcommands: []*ffcli.Command{
-			{
-				Name:      "status",
-				Exec:      e.runServeStatus,
-				ShortHelp: "show current serve/funnel status",
-				FlagSet: e.newFlags("funnel-status", func(fs *flag.FlagSet) {
-					fs.BoolVar(&e.json, "json", false, "output JSON")
-				}),
-				UsageFunc: usageFunc,
-			},
-		},
-	}
-}
-
-// runFunnel is the entry point for the "tailscale funnel" subcommand and
-// manages turning on/off funnel. Funnel is off by default.
-//
-// Note: funnel is only supported on single DNS name for now. (2022-11-15)
-func (e *serveEnv) runFunnel(ctx context.Context, args []string) error {
-	if len(args) != 2 {
-		return flag.ErrHelp
-	}
-
-	var on bool
-	switch args[1] {
-	case "on", "off":
-		on = args[1] == "on"
-	default:
-		return flag.ErrHelp
-	}
-	sc, err := e.lc.GetServeConfig(ctx)
-	if err != nil {
-		return err
-	}
-	if sc == nil {
-		sc = new(ipn.ServeConfig)
-	}
-	st, err := e.getLocalClientStatus(ctx)
-	if err != nil {
-		return fmt.Errorf("getting client status: %w", err)
-	}
-
-	port64, err := strconv.ParseUint(args[0], 10, 16)
-	if err != nil {
-		return err
-	}
-	port := uint16(port64)
-
-	if err := ipn.CheckFunnelAccess(port, st.Self.Capabilities); err != nil {
-		return err
-	}
-	dnsName := strings.TrimSuffix(st.Self.DNSName, ".")
-	hp := ipn.HostPort(dnsName + ":" + strconv.Itoa(int(port)))
-	if on == sc.AllowFunnel[hp] {
-		printFunnelWarning(sc)
-		// Nothing to do.
-		return nil
-	}
-	if on {
-		mak.Set(&sc.AllowFunnel, hp, true)
-	} else {
-		delete(sc.AllowFunnel, hp)
-		// clear map mostly for testing
-		if len(sc.AllowFunnel) == 0 {
-			sc.AllowFunnel = nil
-		}
-	}
-	if err := e.lc.SetServeConfig(ctx, sc); err != nil {
-		return err
-	}
-	printFunnelWarning(sc)
-	return nil
-}
-
-// printFunnelWarning prints a warning if the Funnel is on but there is no serve
-// config for its host:port.
-func printFunnelWarning(sc *ipn.ServeConfig) {
-	var warn bool
-	for hp, a := range sc.AllowFunnel {
-		if !a {
-			continue
-		}
-		_, portStr, _ := net.SplitHostPort(string(hp))
-		p, _ := strconv.ParseUint(portStr, 10, 16)
-		if _, ok := sc.TCP[uint16(p)]; !ok {
-			warn = true
-			fmt.Fprintf(os.Stderr, "Warning: funnel=on for %s, but no serve config\n", hp)
-		}
-	}
-	if warn {
-		fmt.Fprintf(os.Stderr, "         run: `tailscale serve --help` to see how to configure handlers\n")
-	}
-}

cmd/tailscale/cli/netcheck.go

@@ -47,7 +47,7 @@ var netcheckArgs struct {
 func runNetcheck(ctx context.Context, args []string) error {
 	c := &netcheck.Client{
 		UDPBindAddr: envknob.String("TS_DEBUG_NETCHECK_UDP_BIND"),
-		PortMapper:  portmapper.NewClient(logger.WithPrefix(log.Printf, "portmap: "), nil, nil),
+		PortMapper:  portmapper.NewClient(logger.WithPrefix(log.Printf, "portmap: "), nil),
 	}
 	if netcheckArgs.verbose {
 		c.Logf = logger.WithPrefix(log.Printf, "netcheck: ")

cmd/tailscale/cli/network-lock.go

@@ -15,7 +15,6 @@ import (
 	"os"
 	"strconv"
 	"strings"
-	"time"
 
 	"github.com/mattn/go-colorable"
 	"github.com/mattn/go-isatty"
@@ -40,7 +39,6 @@ var netlockCmd = &ffcli.Command{
 		nlDisablementKDFCmd,
 		nlLogCmd,
 		nlLocalDisableCmd,
-		nlTskeyWrapCmd,
 	},
 	Exec: runNetworkLockStatus,
 }
@@ -232,15 +230,6 @@ func runNetworkLockStatus(ctx context.Context, args []string) error {
 			if k.Key == st.PublicKey {
 				line.WriteString("(self)")
 			}
-			if k.Metadata["purpose"] == "pre-auth key" {
-				if preauthKeyID := k.Metadata["authkey_stableid"]; preauthKeyID != "" {
-					line.WriteString("(pre-auth key ")
-					line.WriteString(preauthKeyID)
-					line.WriteString(")")
-				} else {
-					line.WriteString("(pre-auth key)")
-				}
-			}
 			fmt.Println(line.String())
 		}
 	}
@@ -256,13 +245,11 @@ func runNetworkLockStatus(ctx context.Context, args []string) error {
 			for i, addr := range p.TailscaleIPs {
 				line.WriteString(addr.String())
 				if i < len(p.TailscaleIPs)-1 {
-					line.WriteString(",")
+					line.WriteString(", ")
 				}
 			}
 			line.WriteString("\t")
 			line.WriteString(string(p.StableID))
-			line.WriteString("\t")
-			line.WriteString(p.NodeKey.String())
 			fmt.Println(line.String())
 		}
 	}
@@ -280,78 +267,14 @@ var nlAddCmd = &ffcli.Command{
 	},
 }
 
-var nlRemoveArgs struct {
-	resign bool
-}
-
 var nlRemoveCmd = &ffcli.Command{
 	Name:       "remove",
-	ShortUsage: "remove [--re-sign=false] <public-key>...",
+	ShortUsage: "remove <public-key>...",
 	ShortHelp:  "Removes one or more trusted signing keys from tailnet lock",
 	LongHelp:   "Removes one or more trusted signing keys from tailnet lock",
-	Exec:       runNetworkLockRemove,
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("lock remove")
-		fs.BoolVar(&nlRemoveArgs.resign, "re-sign", true, "resign signatures which would be invalidated by removal of trusted signing keys")
-		return fs
-	})(),
-}
-
-func runNetworkLockRemove(ctx context.Context, args []string) error {
-	removeKeys, _, err := parseNLArgs(args, true, false)
-	if err != nil {
-		return err
-	}
-	st, err := localClient.NetworkLockStatus(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-	if !st.Enabled {
-		return errors.New("tailnet lock is not enabled")
-	}
-
-	if nlRemoveArgs.resign {
-		// Validate we are not removing trust in ourselves while resigning. This is because
-		// we resign with our own key, so the signatures would be immediately invalid.
-		for _, k := range removeKeys {
-			kID, err := k.ID()
-			if err != nil {
-				return fmt.Errorf("computing KeyID for key %v: %w", k, err)
-			}
-			if bytes.Equal(st.PublicKey.KeyID(), kID) {
-				return errors.New("cannot remove local trusted signing key while resigning; run command on a different node or with --re-sign=false")
-			}
-		}
-
-		// Resign affected signatures for each of the keys we are removing.
-		for _, k := range removeKeys {
-			kID, _ := k.ID() // err already checked above
-			sigs, err := localClient.NetworkLockAffectedSigs(ctx, kID)
-			if err != nil {
-				return fmt.Errorf("affected sigs for key %X: %w", kID, err)
-			}
-
-			for _, sigBytes := range sigs {
-				var sig tka.NodeKeySignature
-				if err := sig.Unserialize(sigBytes); err != nil {
-					return fmt.Errorf("failed decoding signature: %w", err)
-				}
-				var nodeKey key.NodePublic
-				if err := nodeKey.UnmarshalBinary(sig.Pubkey); err != nil {
-					return fmt.Errorf("failed decoding pubkey for signature: %w", err)
-				}
-
-				// Safety: NetworkLockAffectedSigs() verifies all signatures before
-				// successfully returning.
-				rotationKey, _ := sig.UnverifiedWrappingPublic()
-				if err := localClient.NetworkLockSign(ctx, nodeKey, []byte(rotationKey)); err != nil {
-					return fmt.Errorf("failed to sign %v: %w", nodeKey, err)
-				}
-			}
-		}
-	}
-
-	return localClient.NetworkLockModify(ctx, nil, removeKeys)
+	Exec: func(ctx context.Context, args []string) error {
+		return runNetworkLockModify(ctx, nil, args)
+	},
 }
 
 // parseNLArgs parses a slice of strings into slices of tka.Key & disablement
@@ -635,60 +558,3 @@ func runNetworkLockLog(ctx context.Context, args []string) error {
 	}
 	return nil
 }
-
-var nlTskeyWrapCmd = &ffcli.Command{
-	Name:       "tskey-wrap",
-	ShortUsage: "tskey-wrap <tailscale pre-auth key>",
-	ShortHelp:  "Modifies a pre-auth key from the admin panel to work with tailnet lock",
-	LongHelp:   "Modifies a pre-auth key from the admin panel to work with tailnet lock",
-	Exec:       runTskeyWrapCmd,
-}
-
-func runTskeyWrapCmd(ctx context.Context, args []string) error {
-	if len(args) != 1 {
-		return errors.New("usage: lock tskey-wrap <tailscale pre-auth key>")
-	}
-	if strings.Contains(args[0], "--TL") {
-		return errors.New("Error: provided key was already wrapped")
-	}
-
-	st, err := localClient.StatusWithoutPeers(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-
-	// Generate a separate tailnet-lock key just for the credential signature.
-	// We use the free-form meta strings to mark a little bit of metadata about this
-	// key.
-	priv := key.NewNLPrivate()
-	m := map[string]string{
-		"purpose":            "pre-auth key",
-		"wrapper_stableid":   string(st.Self.ID),
-		"wrapper_createtime": fmt.Sprint(time.Now().Unix()),
-	}
-	if strings.HasPrefix(args[0], "tskey-auth-") && strings.Index(args[0][len("tskey-auth-"):], "-") > 0 {
-		// We don't want to accidentally embed the nonce part of the authkey in
-		// the event the format changes. As such, we make sure its in the format we
-		// expect (tskey-auth-<stableID, inc CNTRL suffix>-nonce) before we parse
-		// out and embed the stableID.
-		s := strings.TrimPrefix(args[0], "tskey-auth-")
-		m["authkey_stableid"] = s[:strings.Index(s, "-")]
-	}
-	k := tka.Key{
-		Kind:   tka.Key25519,
-		Public: priv.Public().Verifier(),
-		Votes:  1,
-		Meta:   m,
-	}
-
-	wrapped, err := localClient.NetworkLockWrapPreauthKey(ctx, args[0], priv)
-	if err != nil {
-		return fmt.Errorf("wrapping failed: %w", err)
-	}
-	if err := localClient.NetworkLockModify(ctx, []tka.Key{k}, nil); err != nil {
-		return fmt.Errorf("add key failed: %w", err)
-	}
-
-	fmt.Println(wrapped)
-	return nil
-}

cmd/tailscale/cli/serve.go

@@ -21,8 +21,10 @@ import (
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"golang.org/x/exp/slices"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/tailcfg"
 	"tailscale.com/util/mak"
 	"tailscale.com/version"
 )
@@ -35,11 +37,8 @@ func newServeCommand(e *serveEnv) *ffcli.Command {
 		Name:      "serve",
 		ShortHelp: "[ALPHA] Serve from your Tailscale node",
 		ShortUsage: strings.TrimSpace(`
-serve https:<port> <mount-point> <source> [off]
-  serve tcp:<port> tcp://localhost:<local-port> [off]
-  serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]
-  serve status [--json]
-`),
+  serve [flags] <mount-point> {proxy|path|text} <arg>
+  serve [flags] <sub-command> [sub-flags] <args>`),
 		LongHelp: strings.TrimSpace(`
 *** ALPHA; all of this is subject to change ***
 
@@ -48,42 +47,68 @@ content and local servers from your Tailscale node to
 your tailnet. 
 
 You can also choose to enable the Tailscale Funnel with:
-'tailscale funnel on'. Funnel allows you to publish
+'tailscale serve funnel on'. Funnel allows you to publish
 a 'tailscale serve' server publicly, open to the entire
 internet. See https://tailscale.com/funnel.
 
 EXAMPLES
   - To proxy requests to a web server at 127.0.0.1:3000:
-    $ tailscale serve https:443 / http://127.0.0.1:3000
-
-	Or, using the default port:
-	$ tailscale serve https / http://127.0.0.1:3000
+    $ tailscale serve / proxy 3000
 
   - To serve a single file or a directory of files:
-    $ tailscale serve https / /home/alice/blog/index.html
-    $ tailscale serve https /images/ /home/alice/blog/images
+    $ tailscale serve / path /home/alice/blog/index.html
+    $ tailscale serve /images/ path /home/alice/blog/images
 
   - To serve simple static text:
-    $ tailscale serve https:8080 / text:"Hello, world!"
-
-  - To forward raw TCP packets to a local TCP server on port 5432:
-    $ tailscale serve tcp:2222 tcp://localhost:22
-
-  - To forward raw, TLS-terminated TCP packets to a local TCP server on port 80:
-    $ tailscale serve tls-terminated-tcp:443 tcp://localhost:80
+    $ tailscale serve / text "Hello, world!"
 `),
-		Exec:      e.runServe,
+		Exec: e.runServe,
+		FlagSet: e.newFlags("serve", func(fs *flag.FlagSet) {
+			fs.BoolVar(&e.remove, "remove", false, "remove an existing serve config")
+			fs.UintVar(&e.servePort, "serve-port", 443, "port to serve on (443, 8443 or 10000)")
+		}),
 		UsageFunc: usageFunc,
 		Subcommands: []*ffcli.Command{
 			{
 				Name:      "status",
 				Exec:      e.runServeStatus,
-				ShortHelp: "show current serve/funnel status",
+				ShortHelp: "show current serve status",
 				FlagSet: e.newFlags("serve-status", func(fs *flag.FlagSet) {
 					fs.BoolVar(&e.json, "json", false, "output JSON")
 				}),
 				UsageFunc: usageFunc,
 			},
+			{
+				Name:      "tcp",
+				Exec:      e.runServeTCP,
+				ShortHelp: "add or remove a TCP port forward",
+				LongHelp: strings.Join([]string{
+					"EXAMPLES",
+					"  - Forward TLS over TCP to a local TCP server on port 5432:",
+					"    $ tailscale serve tcp 5432",
+					"",
+					"  - Forward raw, TLS-terminated TCP packets to a local TCP server on port 5432:",
+					"    $ tailscale serve tcp --terminate-tls 5432",
+				}, "\n"),
+				FlagSet: e.newFlags("serve-tcp", func(fs *flag.FlagSet) {
+					fs.BoolVar(&e.terminateTLS, "terminate-tls", false, "terminate TLS before forwarding TCP connection")
+				}),
+				UsageFunc: usageFunc,
+			},
+			{
+				Name:       "funnel",
+				Exec:       e.runServeFunnel,
+				ShortUsage: "funnel [flags] {on|off}",
+				ShortHelp:  "turn Tailscale Funnel on or off",
+				LongHelp: strings.Join([]string{
+					"Funnel allows you to publish a 'tailscale serve'",
+					"server publicly, open to the entire internet.",
+					"",
+					"Turning off Funnel only turns off serving to the internet.",
+					"It does not affect serving to your tailnet.",
+				}, "\n"),
+				UsageFunc: usageFunc,
+			},
 		},
 	}
 }
@@ -120,7 +145,10 @@ type localServeClient interface {
 // It also contains the flags, as registered with newServeCommand.
 type serveEnv struct {
 	// flags
-	json bool // output JSON (status only for now)
+	servePort    uint // Port to serve on. Defaults to 443.
+	terminateTLS bool
+	remove       bool // remove a serve config
+	json         bool // output JSON (status only for now)
 
 	lc localServeClient // localClient interface, specific to serve
 
@@ -160,15 +188,28 @@ func (e *serveEnv) getLocalClientStatus(ctx context.Context) (*ipnstate.Status,
 	return st, nil
 }
 
+// validateServePort returns --serve-port flag value,
+// or an error if the port is not a valid port to serve on.
+func (e *serveEnv) validateServePort() (port uint16, err error) {
+	// make sure e.servePort is uint16
+	port = uint16(e.servePort)
+	if uint(port) != e.servePort {
+		return 0, fmt.Errorf("serve-port %d is out of range", e.servePort)
+	}
+	// make sure e.servePort is 443, 8443 or 10000
+	if port != 443 && port != 8443 && port != 10000 {
+		return 0, fmt.Errorf("serve-port %d is invalid; must be 443, 8443 or 10000", e.servePort)
+	}
+	return port, nil
+}
+
 // runServe is the entry point for the "serve" subcommand, managing Web
 // serve config types like proxy, path, and text.
 //
 // Examples:
-// - tailscale serve https / http://localhost:3000
-// - tailscale serve https /images/ /var/www/images/
-// - tailscale serve https:10000 /motd.txt text:"Hello, world!"
-// - tailscale serve tcp:2222 tcp://localhost:22
-// - tailscale serve tls-terminated-tcp:443 tcp://localhost:80
+// - tailscale serve / proxy 3000
+// - tailscale serve /images/ path /var/www/images/
+// - tailscale --serve-port=10000 serve /motd.txt text "Hello, world!"
 func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 	if len(args) == 0 {
 		return flag.ErrHelp
@@ -188,94 +229,39 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		return e.lc.SetServeConfig(ctx, sc)
 	}
 
-	parsePort := func(portStr string) (uint16, error) {
-		port64, err := strconv.ParseUint(portStr, 10, 16)
-		if err != nil {
-			return 0, err
-		}
-		return uint16(port64), nil
-	}
-
-	srcType, srcPortStr, found := strings.Cut(args[0], ":")
-	if !found {
-		if srcType == "https" && srcPortStr == "" {
-			// Default https port to 443.
-			srcPortStr = "443"
-		} else {
-			return flag.ErrHelp
-		}
-	}
-
-	turnOff := "off" == args[len(args)-1]
-
-	if len(args) < 2 || (srcType == "https" && !turnOff && len(args) < 3) {
+	if !(len(args) == 3 || (e.remove && len(args) >= 1)) {
 		fmt.Fprintf(os.Stderr, "error: invalid number of arguments\n\n")
 		return flag.ErrHelp
 	}
 
-	srcPort, err := parsePort(srcPortStr)
+	srvPort, err := e.validateServePort()
+	if err != nil {
+		return err
+	}
+	srvPortStr := strconv.Itoa(int(srvPort))
+
+	mount, err := cleanMountPoint(args[0])
 	if err != nil {
 		return err
 	}
 
-	switch srcType {
-	case "https":
-		mount, err := cleanMountPoint(args[1])
-		if err != nil {
-			return err
-		}
-		if turnOff {
-			return e.handleWebServeRemove(ctx, srcPort, mount)
-		}
-		return e.handleWebServe(ctx, srcPort, mount, args[2])
-	case "tcp", "tls-terminated-tcp":
-		if turnOff {
-			return e.handleTCPServeRemove(ctx, srcPort)
-		}
-		return e.handleTCPServe(ctx, srcType, srcPort, args[1])
-	default:
-		fmt.Fprintf(os.Stderr, "error: invalid serve type %q\n", srcType)
-		fmt.Fprint(os.Stderr, "must be one of: https:<port>, tcp:<port> or tls-terminated-tcp:<port>\n\n", srcType)
-		return flag.ErrHelp
+	if e.remove {
+		return e.handleWebServeRemove(ctx, mount)
 	}
-}
 
-// handleWebServe handles the "tailscale serve https:..." subcommand.
-// It configures the serve config to forward HTTPS connections to the
-// given source.
-//
-// Examples:
-//   - tailscale serve https / http://localhost:3000
-//   - tailscale serve https:8443 /files/ /home/alice/shared-files/
-//   - tailscale serve https:10000 /motd.txt text:"Hello, world!"
-func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, mount, source string) error {
 	h := new(ipn.HTTPHandler)
 
-	ts, _, _ := strings.Cut(source, ":")
-	switch {
-	case ts == "text":
-		text := strings.TrimPrefix(source, "text:")
-		if text == "" {
-			return errors.New("unable to serve; text cannot be an empty string")
-		}
-		h.Text = text
-	case isProxyTarget(source):
-		t, err := expandProxyTarget(source)
-		if err != nil {
-			return err
-		}
-		h.Proxy = t
-	default: // assume path
+	switch args[1] {
+	case "path":
 		if version.IsSandboxedMacOS() {
 			// don't allow path serving for now on macOS (2022-11-15)
 			return fmt.Errorf("path serving is not supported if sandboxed on macOS")
 		}
-		if !filepath.IsAbs(source) {
+		if !filepath.IsAbs(args[2]) {
 			fmt.Fprintf(os.Stderr, "error: path must be absolute\n\n")
 			return flag.ErrHelp
 		}
-		source = filepath.Clean(source)
-		fi, err := os.Stat(source)
+		fi, err := os.Stat(args[2])
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "error: invalid path: %v\n\n", err)
 			return flag.ErrHelp
@@ -285,7 +271,21 @@ func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, mount, so
 			// for relative file links to work
 			mount += "/"
 		}
-		h.Path = source
+		h.Path = args[2]
+	case "proxy":
+		t, err := expandProxyTarget(args[2])
+		if err != nil {
+			return err
+		}
+		h.Proxy = t
+	case "text":
+		if args[2] == "" {
+			return errors.New("unable to serve; text cannot be an empty string")
+		}
+		h.Text = args[2]
+	default:
+		fmt.Fprintf(os.Stderr, "error: unknown serve type %q\n\n", args[1])
+		return flag.ErrHelp
 	}
 
 	cursc, err := e.lc.GetServeConfig(ctx)
@@ -300,7 +300,7 @@ func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, mount, so
 	if err != nil {
 		return err
 	}
-	hp := ipn.HostPort(net.JoinHostPort(dnsName, strconv.Itoa(int(srvPort))))
+	hp := ipn.HostPort(net.JoinHostPort(dnsName, srvPortStr))
 
 	if sc.IsTCPForwardingOnPort(srvPort) {
 		fmt.Fprintf(os.Stderr, "error: cannot serve web; already serving TCP\n")
@@ -339,36 +339,12 @@ func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, mount, so
 	return nil
 }
 
-// isProxyTarget reports whether source is a valid proxy target.
-func isProxyTarget(source string) bool {
-	if strings.HasPrefix(source, "http://") ||
-		strings.HasPrefix(source, "https://") ||
-		strings.HasPrefix(source, "https+insecure://") {
-		return true
+func (e *serveEnv) handleWebServeRemove(ctx context.Context, mount string) error {
+	srvPort, err := e.validateServePort()
+	if err != nil {
+		return err
 	}
-	// support "localhost:3000", for example
-	_, portStr, ok := strings.Cut(source, ":")
-	if ok && allNumeric(portStr) {
-		return true
-	}
-	return false
-}
-
-// allNumeric reports whether s only comprises of digits
-// and has at least one digit.
-func allNumeric(s string) bool {
-	for i := 0; i < len(s); i++ {
-		if s[i] < '0' || s[i] > '9' {
-			return false
-		}
-	}
-	return s != ""
-}
-
-// handleWebServeRemove removes a web handler from the serve config.
-// The srvPort argument is the serving port and the mount argument is
-// the mount point or registered path to remove.
-func (e *serveEnv) handleWebServeRemove(ctx context.Context, srvPort uint16, mount string) error {
+	srvPortStr := strconv.Itoa(int(srvPort))
 	sc, err := e.lc.GetServeConfig(ctx)
 	if err != nil {
 		return err
@@ -383,9 +359,9 @@ func (e *serveEnv) handleWebServeRemove(ctx context.Context, srvPort uint16, mou
 	if sc.IsTCPForwardingOnPort(srvPort) {
 		return errors.New("cannot remove web handler; currently serving TCP")
 	}
-	hp := ipn.HostPort(net.JoinHostPort(dnsName, strconv.Itoa(int(srvPort))))
+	hp := ipn.HostPort(net.JoinHostPort(dnsName, srvPortStr))
 	if !sc.WebHandlerExists(hp, mount) {
-		return errors.New("error: handler does not exist")
+		return errors.New("error: serve config does not exist")
 	}
 	// delete existing handler, then cascade delete if empty
 	delete(sc.Web[hp].Handlers, mount)
@@ -420,11 +396,18 @@ func cleanMountPoint(mount string) (string, error) {
 	return "", fmt.Errorf("invalid mount point %q", mount)
 }
 
-func expandProxyTarget(source string) (string, error) {
-	if !strings.Contains(source, "://") {
-		source = "http://" + source
+func expandProxyTarget(target string) (string, error) {
+	if allNumeric(target) {
+		p, err := strconv.ParseUint(target, 10, 16)
+		if p == 0 || err != nil {
+			return "", fmt.Errorf("invalid port %q", target)
+		}
+		return "http://127.0.0.1:" + target, nil
 	}
-	u, err := url.ParseRequestURI(source)
+	if !strings.Contains(target, "://") {
+		target = "http://" + target
+	}
+	u, err := url.ParseRequestURI(target)
 	if err != nil {
 		return "", fmt.Errorf("parsing url: %w", err)
 	}
@@ -434,14 +417,9 @@ func expandProxyTarget(source string) (string, error) {
 	default:
 		return "", fmt.Errorf("must be a URL starting with http://, https://, or https+insecure://")
 	}
-
-	port, err := strconv.ParseUint(u.Port(), 10, 16)
-	if port == 0 || err != nil {
-		return "", fmt.Errorf("invalid port %q: %w", u.Port(), err)
-	}
-
 	host := u.Hostname()
 	switch host {
+	// TODO(shayne,bradfitz): do we want to do this?
 	case "localhost", "127.0.0.1":
 		host = "127.0.0.1"
 	default:
@@ -454,111 +432,16 @@ func expandProxyTarget(source string) (string, error) {
 	return url, nil
 }
 
-// handleTCPServe handles the "tailscale serve tls-terminated-tcp:..." subcommand.
-// It configures the serve config to forward TCP connections to the
-// given source.
-//
-// Examples:
-//   - tailscale serve tcp:2222 tcp://localhost:22
-//   - tailscale serve tls-terminated-tcp:8443 tcp://localhost:8080
-func (e *serveEnv) handleTCPServe(ctx context.Context, srcType string, srcPort uint16, dest string) error {
-	var terminateTLS bool
-	switch srcType {
-	case "tcp":
-		terminateTLS = false
-	case "tls-terminated-tcp":
-		terminateTLS = true
-	default:
-		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q\n\n", dest)
-		return flag.ErrHelp
-	}
-
-	dstURL, err := url.Parse(dest)
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q: %v\n\n", dest, err)
-		return flag.ErrHelp
-	}
-	host, dstPortStr, err := net.SplitHostPort(dstURL.Host)
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q: %v\n\n", dest, err)
-		return flag.ErrHelp
-	}
-
-	switch host {
-	case "localhost", "127.0.0.1":
-		// ok
-	default:
-		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q\n", dest)
-		fmt.Fprint(os.Stderr, "must be one of: localhost or 127.0.0.1\n\n", dest)
-		return flag.ErrHelp
-	}
-
-	if p, err := strconv.ParseUint(dstPortStr, 10, 16); p == 0 || err != nil {
-		fmt.Fprintf(os.Stderr, "error: invalid port %q\n\n", dstPortStr)
-		return flag.ErrHelp
-	}
-
-	cursc, err := e.lc.GetServeConfig(ctx)
-	if err != nil {
-		return err
-	}
-	sc := cursc.Clone() // nil if no config
-	if sc == nil {
-		sc = new(ipn.ServeConfig)
-	}
-
-	fwdAddr := "127.0.0.1:" + dstPortStr
-
-	if sc.IsServingWeb(srcPort) {
-		return fmt.Errorf("cannot serve TCP; already serving web on %d", srcPort)
-	}
-
-	mak.Set(&sc.TCP, srcPort, &ipn.TCPPortHandler{TCPForward: fwdAddr})
-
-	dnsName, err := e.getSelfDNSName(ctx)
-	if err != nil {
-		return err
-	}
-	if terminateTLS {
-		sc.TCP[srcPort].TerminateTLS = dnsName
-	}
-
-	if !reflect.DeepEqual(cursc, sc) {
-		if err := e.lc.SetServeConfig(ctx, sc); err != nil {
-			return err
+func allNumeric(s string) bool {
+	for i := 0; i < len(s); i++ {
+		if s[i] < '0' || s[i] > '9' {
+			return false
 		}
 	}
-
-	return nil
+	return s != ""
 }
 
-// handleTCPServeRemove removes the TCP forwarding configuration for the
-// given srvPort, or serving port.
-func (e *serveEnv) handleTCPServeRemove(ctx context.Context, src uint16) error {
-	cursc, err := e.lc.GetServeConfig(ctx)
-	if err != nil {
-		return err
-	}
-	sc := cursc.Clone() // nil if no config
-	if sc == nil {
-		sc = new(ipn.ServeConfig)
-	}
-	if sc.IsServingWeb(src) {
-		return fmt.Errorf("unable to remove; serving web, not TCP forwarding on serve port %d", src)
-	}
-	if ph := sc.GetTCPPortHandler(src); ph != nil {
-		delete(sc.TCP, src)
-		// clear map mostly for testing
-		if len(sc.TCP) == 0 {
-			sc.TCP = nil
-		}
-		return e.lc.SetServeConfig(ctx, sc)
-	}
-	return errors.New("error: serve config does not exist")
-}
-
-// runServeStatus is the entry point for the "serve status"
-// subcommand and prints the current serve config.
+// runServeStatus prints the current serve config.
 //
 // Examples:
 //   - tailscale status
@@ -577,7 +460,6 @@ func (e *serveEnv) runServeStatus(ctx context.Context, args []string) error {
 		e.stdout().Write(j)
 		return nil
 	}
-	printFunnelStatus(ctx)
 	if sc == nil || (len(sc.TCP) == 0 && len(sc.Web) == 0 && len(sc.AllowFunnel) == 0) {
 		printf("No serve config\n")
 		return nil
@@ -596,7 +478,17 @@ func (e *serveEnv) runServeStatus(ctx context.Context, args []string) error {
 		printWebStatusTree(sc, hp)
 		printf("\n")
 	}
-	printFunnelWarning(sc)
+	// warn when funnel on without handlers
+	for hp, a := range sc.AllowFunnel {
+		if !a {
+			continue
+		}
+		_, portStr, _ := net.SplitHostPort(string(hp))
+		p, _ := strconv.ParseUint(portStr, 10, 16)
+		if _, ok := sc.TCP[uint16(p)]; !ok {
+			printf("WARNING: funnel=on for %s, but no serve config\n", hp)
+		}
+	}
 	return nil
 }
 
@@ -680,3 +572,152 @@ func elipticallyTruncate(s string, max int) string {
 	}
 	return s[:max-3] + "..."
 }
+
+// runServeTCP is the entry point for the "serve tcp" subcommand and
+// manages the serve config for TCP forwarding.
+//
+// Examples:
+//   - tailscale serve tcp 5432
+//   - tailscale serve --serve-port=8443 tcp 4430
+//   - tailscale serve --serve-port=10000 tcp --terminate-tls 8080
+func (e *serveEnv) runServeTCP(ctx context.Context, args []string) error {
+	if len(args) != 1 {
+		fmt.Fprintf(os.Stderr, "error: invalid number of arguments\n\n")
+		return flag.ErrHelp
+	}
+
+	srvPort, err := e.validateServePort()
+	if err != nil {
+		return err
+	}
+
+	portStr := args[0]
+	p, err := strconv.ParseUint(portStr, 10, 16)
+	if p == 0 || err != nil {
+		fmt.Fprintf(os.Stderr, "error: invalid port %q\n\n", portStr)
+	}
+
+	cursc, err := e.lc.GetServeConfig(ctx)
+	if err != nil {
+		return err
+	}
+	sc := cursc.Clone() // nil if no config
+	if sc == nil {
+		sc = new(ipn.ServeConfig)
+	}
+
+	fwdAddr := "127.0.0.1:" + portStr
+
+	if sc.IsServingWeb(srvPort) {
+		if e.remove {
+			return fmt.Errorf("unable to remove; serving web, not TCP forwarding on serve port %d", srvPort)
+		}
+		return fmt.Errorf("cannot serve TCP; already serving web on %d", srvPort)
+	}
+
+	if e.remove {
+		if ph := sc.GetTCPPortHandler(srvPort); ph != nil && ph.TCPForward == fwdAddr {
+			delete(sc.TCP, srvPort)
+			// clear map mostly for testing
+			if len(sc.TCP) == 0 {
+				sc.TCP = nil
+			}
+			return e.lc.SetServeConfig(ctx, sc)
+		}
+		return errors.New("error: serve config does not exist")
+	}
+
+	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{TCPForward: fwdAddr})
+
+	dnsName, err := e.getSelfDNSName(ctx)
+	if err != nil {
+		return err
+	}
+	if e.terminateTLS {
+		sc.TCP[srvPort].TerminateTLS = dnsName
+	}
+
+	if !reflect.DeepEqual(cursc, sc) {
+		if err := e.lc.SetServeConfig(ctx, sc); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// runServeFunnel is the entry point for the "serve funnel" subcommand and
+// manages turning on/off funnel. Funnel is off by default.
+//
+// Note: funnel is only supported on single DNS name for now. (2022-11-15)
+func (e *serveEnv) runServeFunnel(ctx context.Context, args []string) error {
+	if len(args) != 1 {
+		return flag.ErrHelp
+	}
+
+	srvPort, err := e.validateServePort()
+	if err != nil {
+		return err
+	}
+	srvPortStr := strconv.Itoa(int(srvPort))
+
+	var on bool
+	switch args[0] {
+	case "on", "off":
+		on = args[0] == "on"
+	default:
+		return flag.ErrHelp
+	}
+	sc, err := e.lc.GetServeConfig(ctx)
+	if err != nil {
+		return err
+	}
+	if sc == nil {
+		sc = new(ipn.ServeConfig)
+	}
+	st, err := e.getLocalClientStatus(ctx)
+	if err != nil {
+		return fmt.Errorf("getting client status: %w", err)
+	}
+	if err := checkHasAccess(st.Self.Capabilities); err != nil {
+		return err
+	}
+	dnsName := strings.TrimSuffix(st.Self.DNSName, ".")
+	hp := ipn.HostPort(dnsName + ":" + srvPortStr)
+	if on == sc.AllowFunnel[hp] {
+		// Nothing to do.
+		return nil
+	}
+	if on {
+		mak.Set(&sc.AllowFunnel, hp, true)
+	} else {
+		delete(sc.AllowFunnel, hp)
+		// clear map mostly for testing
+		if len(sc.AllowFunnel) == 0 {
+			sc.AllowFunnel = nil
+		}
+	}
+	if err := e.lc.SetServeConfig(ctx, sc); err != nil {
+		return err
+	}
+	return nil
+}
+
+// checkHasAccess checks three things: 1) an invite was used to join the
+// Funnel alpha; 2) HTTPS is enabled; 3) the node has the "funnel" attribute.
+// If any of these are false, an error is returned describing the problem.
+//
+// The nodeAttrs arg should be the node's Self.Capabilities which should contain
+// the attribute we're checking for and possibly warning-capabilities for Funnel.
+func checkHasAccess(nodeAttrs []string) error {
+	if slices.Contains(nodeAttrs, tailcfg.CapabilityWarnFunnelNoInvite) {
+		return errors.New("Funnel not available; an invite is required to join the alpha. See https://tailscale.com/kb/1223/tailscale-funnel/.")
+	}
+	if slices.Contains(nodeAttrs, tailcfg.CapabilityWarnFunnelNoHTTPS) {
+		return errors.New("Funnel not available; HTTPS must be enabled. See https://tailscale.com/kb/1153/enabling-https/.")
+	}
+	if !slices.Contains(nodeAttrs, tailcfg.NodeAttrFunnel) {
+		return errors.New("Funnel not available; \"funnel\" node attribute not set. See https://tailscale.com/kb/1223/tailscale-funnel/.")
+	}
+	return nil
+}

cmd/tailscale/cli/serve_test.go

@@ -15,7 +15,6 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
@@ -49,6 +48,30 @@ func TestCleanMountPoint(t *testing.T) {
 	}
 }
 
+func TestCheckHasAccess(t *testing.T) {
+	tests := []struct {
+		caps    []string
+		wantErr bool
+	}{
+		{[]string{}, true}, // No "funnel" attribute
+		{[]string{tailcfg.CapabilityWarnFunnelNoInvite}, true},
+		{[]string{tailcfg.CapabilityWarnFunnelNoHTTPS}, true},
+		{[]string{tailcfg.NodeAttrFunnel}, false},
+	}
+	for _, tt := range tests {
+		err := checkHasAccess(tt.caps)
+		switch {
+		case err != nil && tt.wantErr,
+			err == nil && !tt.wantErr:
+			continue
+		case tt.wantErr:
+			t.Fatalf("got no error, want error")
+		case !tt.wantErr:
+			t.Fatalf("got error %v, want no error", err)
+		}
+	}
+}
+
 func TestServeConfigMutations(t *testing.T) {
 	// Stateful mutations, starting from an empty config.
 	type step struct {
@@ -57,8 +80,6 @@ func TestServeConfigMutations(t *testing.T) {
 		want    *ipn.ServeConfig               // non-nil means we want a save of this value
 		wantErr func(error) (badErrMsg string) // nil means no error is wanted
 		line    int                            // line number of addStep call, for error messages
-
-		debugBreak func()
 	}
 	var steps []step
 	add := func(s step) {
@@ -69,19 +90,19 @@ func TestServeConfigMutations(t *testing.T) {
 	// funnel
 	add(step{reset: true})
 	add(step{
-		command: cmd("funnel 443 on"),
+		command: cmd("funnel on"),
 		want:    &ipn.ServeConfig{AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true}},
 	})
 	add(step{
-		command: cmd("funnel 443 on"),
+		command: cmd("funnel on"),
 		want:    nil, // nothing to save
 	})
 	add(step{
-		command: cmd("funnel 443 off"),
+		command: cmd("funnel off"),
 		want:    &ipn.ServeConfig{},
 	})
 	add(step{
-		command: cmd("funnel 443 off"),
+		command: cmd("funnel off"),
 		want:    nil, // nothing to save
 	})
 	add(step{
@@ -92,23 +113,27 @@ func TestServeConfigMutations(t *testing.T) {
 	// https
 	add(step{reset: true})
 	add(step{
-		command: cmd("https:443 / http://localhost:0"), // invalid port, too low
+		command: cmd("/ proxy 0"), // invalid port, too low
 		wantErr: anyErr(),
 	})
 	add(step{
-		command: cmd("https:443 / http://localhost:65536"), // invalid port, too high
+		command: cmd("/ proxy 65536"), // invalid port, too high
 		wantErr: anyErr(),
 	})
 	add(step{
-		command: cmd("https:443 / http://somehost:3000"), // invalid host
+		command: cmd("/ proxy somehost"), // invalid host
 		wantErr: anyErr(),
 	})
 	add(step{
-		command: cmd("https:443 / httpz://127.0.0.1"), // invalid scheme
+		command: cmd("/ proxy http://otherhost"), // invalid host
 		wantErr: anyErr(),
 	})
-	add(step{ // allow omitting port (default to 443)
-		command: cmd("https / http://localhost:3000"),
+	add(step{
+		command: cmd("/ proxy httpz://127.0.0.1"), // invalid scheme
+		wantErr: anyErr(),
+	})
+	add(step{
+		command: cmd("/ proxy 3000"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -118,33 +143,12 @@ func TestServeConfigMutations(t *testing.T) {
 			},
 		},
 	})
-	add(step{ // support non Funnel port
-		command: cmd("https:9999 /abc http://localhost:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 9999: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:9999": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
+	add(step{ // invalid port
+		command: cmd("--serve-port=9999 /abc proxy 3001"),
+		wantErr: anyErr(),
 	})
 	add(step{
-		command: cmd("https:9999 /abc off"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("https:8443 /abc http://127.0.0.1:3001"),
+		command: cmd("--serve-port=8443 /abc proxy 3001"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -158,7 +162,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("https:10000 / text:hi"),
+		command: cmd("--serve-port=10000 / text hi"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{
 				443: {HTTPS: true}, 8443: {HTTPS: true}, 10000: {HTTPS: true}},
@@ -176,12 +180,12 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("https:443 /foo off"),
+		command: cmd("--remove /foo"),
 		want:    nil, // nothing to save
 		wantErr: anyErr(),
 	}) // handler doesn't exist, so we get an error
 	add(step{
-		command: cmd("https:10000 / off"),
+		command: cmd("--remove --serve-port=10000 /"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -195,7 +199,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("https:443 / off"),
+		command: cmd("--remove /"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{8443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -206,11 +210,11 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("https:8443 /abc off"),
+		command: cmd("--remove --serve-port=8443 /abc"),
 		want:    &ipn.ServeConfig{},
 	})
-	add(step{ // clean mount: "bar" becomes "/bar"
-		command: cmd("https:443 bar https://127.0.0.1:8443"),
+	add(step{
+		command: cmd("bar proxy https://127.0.0.1:8443"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -221,12 +225,12 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("https:443 bar https://127.0.0.1:8443"),
+		command: cmd("bar proxy https://127.0.0.1:8443"),
 		want:    nil, // nothing to save
 	})
 	add(step{reset: true})
 	add(step{
-		command: cmd("https:443 / https+insecure://127.0.0.1:3001"),
+		command: cmd("/ proxy https+insecure://127.0.0.1:3001"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -238,7 +242,7 @@ func TestServeConfigMutations(t *testing.T) {
 	})
 	add(step{reset: true})
 	add(step{
-		command: cmd("https:443 /foo localhost:3000"),
+		command: cmd("/foo proxy localhost:3000"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -249,7 +253,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // test a second handler on the same port
-		command: cmd("https:8443 /foo localhost:3000"),
+		command: cmd("--serve-port=8443 /foo proxy localhost:3000"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -265,35 +269,16 @@ func TestServeConfigMutations(t *testing.T) {
 
 	// tcp
 	add(step{reset: true})
-	add(step{ // must include scheme for tcp
-		command: cmd("tls-terminated-tcp:443 localhost:5432"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
-	})
-	add(step{ // !somehost, must be localhost or 127.0.0.1
-		command: cmd("tls-terminated-tcp:443 tcp://somehost:5432"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
-	})
-	add(step{ // bad target port, too low
-		command: cmd("tls-terminated-tcp:443 tcp://somehost:0"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
-	})
-	add(step{ // bad target port, too high
-		command: cmd("tls-terminated-tcp:443 tcp://somehost:65536"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
-	})
 	add(step{
-		command: cmd("tls-terminated-tcp:443 tcp://localhost:5432"),
+		command: cmd("tcp 5432"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:5432",
-					TerminateTLS: "foo.test.ts.net",
-				},
+				443: {TCPForward: "127.0.0.1:5432"},
 			},
 		},
 	})
 	add(step{
-		command: cmd("tls-terminated-tcp:443 tcp://127.0.0.1:8443"),
+		command: cmd("tcp -terminate-tls 8443"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{
 				443: {
@@ -304,11 +289,11 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("tls-terminated-tcp:443 tcp://127.0.0.1:8443"),
+		command: cmd("tcp -terminate-tls 8443"),
 		want:    nil, // nothing to save
 	})
 	add(step{
-		command: cmd("tls-terminated-tcp:443 tcp://localhost:8444"),
+		command: cmd("tcp --terminate-tls 8444"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{
 				443: {
@@ -319,41 +304,35 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("tls-terminated-tcp:443 tcp://127.0.0.1:8445"),
+		command: cmd("tcp -terminate-tls=false 8445"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:8445",
-					TerminateTLS: "foo.test.ts.net",
-				},
+				443: {TCPForward: "127.0.0.1:8445"},
 			},
 		},
 	})
 	add(step{reset: true})
 	add(step{
-		command: cmd("tls-terminated-tcp:443 tcp://localhost:123"),
+		command: cmd("tcp 123"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:123",
-					TerminateTLS: "foo.test.ts.net",
-				},
+				443: {TCPForward: "127.0.0.1:123"},
 			},
 		},
 	})
-	add(step{ // handler doesn't exist, so we get an error
-		command: cmd("tls-terminated-tcp:8443 off"),
-		wantErr: anyErr(),
-	})
 	add(step{
-		command: cmd("tls-terminated-tcp:443 off"),
+		command: cmd("--remove tcp 321"),
+		wantErr: anyErr(),
+	}) // handler doesn't exist, so we get an error
+	add(step{
+		command: cmd("--remove tcp 123"),
 		want:    &ipn.ServeConfig{},
 	})
 
 	// text
 	add(step{reset: true})
 	add(step{
-		command: cmd("https:443 / text:hello"),
+		command: cmd("/ text hello"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -374,7 +353,7 @@ func TestServeConfigMutations(t *testing.T) {
 	add(step{reset: true})
 	writeFile("foo", "this is foo")
 	add(step{
-		command: cmd("https:443 / " + filepath.Join(td, "foo")),
+		command: cmd("/ path " + filepath.Join(td, "foo")),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -387,7 +366,7 @@ func TestServeConfigMutations(t *testing.T) {
 	os.MkdirAll(filepath.Join(td, "subdir"), 0700)
 	writeFile("subdir/file-a", "this is A")
 	add(step{
-		command: cmd("https:443 /some/where " + filepath.Join(td, "subdir/file-a")),
+		command: cmd("/some/where path " + filepath.Join(td, "subdir/file-a")),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -398,13 +377,13 @@ func TestServeConfigMutations(t *testing.T) {
 			},
 		},
 	})
-	add(step{ // bad path
-		command: cmd("https:443 / bad/path"),
+	add(step{
+		command: cmd("/ path missing"),
 		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
 	})
 	add(step{reset: true})
 	add(step{
-		command: cmd("https:443 / " + filepath.Join(td, "subdir")),
+		command: cmd("/ path " + filepath.Join(td, "subdir")),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -415,14 +394,14 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("https:443 / off"),
+		command: cmd("--remove /"),
 		want:    &ipn.ServeConfig{},
 	})
 
 	// combos
 	add(step{reset: true})
 	add(step{
-		command: cmd("https:443 / localhost:3000"),
+		command: cmd("/ proxy 3000"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -433,7 +412,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("funnel 443 on"),
+		command: cmd("funnel on"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true},
 			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
@@ -445,7 +424,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // serving on secondary port doesn't change funnel
-		command: cmd("https:8443 /bar localhost:3001"),
+		command: cmd("--serve-port=8443 /bar proxy 3001"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true},
 			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
@@ -460,7 +439,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // turn funnel on for secondary port
-		command: cmd("funnel 8443 on"),
+		command: cmd("--serve-port=8443 funnel on"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true, "foo.test.ts.net:8443": true},
 			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
@@ -475,7 +454,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // turn funnel off for primary port 443
-		command: cmd("funnel 443 off"),
+		command: cmd("funnel off"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
 			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
@@ -490,7 +469,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // remove secondary port
-		command: cmd("https:8443 /bar off"),
+		command: cmd("--serve-port=8443 --remove /bar"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
 			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
@@ -502,7 +481,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // start a tcp forwarder on 8443
-		command: cmd("tcp:8443 tcp://localhost:5432"),
+		command: cmd("--serve-port=8443 tcp 5432"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
 			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {TCPForward: "127.0.0.1:5432"}},
@@ -514,27 +493,27 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // remove primary port http handler
-		command: cmd("https:443 / off"),
+		command: cmd("--remove /"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
 			TCP:         map[uint16]*ipn.TCPPortHandler{8443: {TCPForward: "127.0.0.1:5432"}},
 		},
 	})
 	add(step{ // remove tcp forwarder
-		command: cmd("tls-terminated-tcp:8443 off"),
+		command: cmd("--serve-port=8443 --remove tcp 5432"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
 		},
 	})
 	add(step{ // turn off funnel
-		command: cmd("funnel 8443 off"),
+		command: cmd("--serve-port=8443 funnel off"),
 		want:    &ipn.ServeConfig{},
 	})
 
 	// tricky steps
 	add(step{reset: true})
 	add(step{ // a directory with a trailing slash mount point
-		command: cmd("https:443 /dir " + filepath.Join(td, "subdir")),
+		command: cmd("/dir path " + filepath.Join(td, "subdir")),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -545,7 +524,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // this should overwrite the previous one
-		command: cmd("https:443 /dir " + filepath.Join(td, "foo")),
+		command: cmd("/dir path " + filepath.Join(td, "foo")),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -557,7 +536,7 @@ func TestServeConfigMutations(t *testing.T) {
 	})
 	add(step{reset: true}) // reset and do the opposite
 	add(step{              // a file without a trailing slash mount point
-		command: cmd("https:443 /dir " + filepath.Join(td, "foo")),
+		command: cmd("/dir path " + filepath.Join(td, "foo")),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -568,7 +547,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // this should overwrite the previous one
-		command: cmd("https:443 /dir " + filepath.Join(td, "subdir")),
+		command: cmd("/dir path " + filepath.Join(td, "subdir")),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -581,24 +560,37 @@ func TestServeConfigMutations(t *testing.T) {
 
 	// error states
 	add(step{reset: true})
+	add(step{ // make sure we can't add "tcp" as if it was a mount
+		command: cmd("tcp text foo"),
+		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
+	})
+	add(step{ // "/tcp" is fine though as a mount
+		command: cmd("/tcp text foo"),
+		want: &ipn.ServeConfig{
+			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
+			Web: map[ipn.HostPort]*ipn.WebServerConfig{
+				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
+					"/tcp": {Text: "foo"},
+				}},
+			},
+		},
+	})
+	add(step{reset: true})
 	add(step{ // tcp forward 5432 on serve port 443
-		command: cmd("tls-terminated-tcp:443 tcp://localhost:5432"),
+		command: cmd("tcp 5432"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:5432",
-					TerminateTLS: "foo.test.ts.net",
-				},
+				443: {TCPForward: "127.0.0.1:5432"},
 			},
 		},
 	})
 	add(step{ // try to start a web handler on the same port
-		command: cmd("https:443 / localhost:3000"),
+		command: cmd("/ proxy 3000"),
 		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
 	})
 	add(step{reset: true})
 	add(step{ // start a web handler on port 443
-		command: cmd("https:443 / localhost:3000"),
+		command: cmd("/ proxy 3000"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@@ -608,17 +600,14 @@ func TestServeConfigMutations(t *testing.T) {
 			},
 		},
 	})
-	add(step{ // try to start a tcp forwarder on the same serve port
-		command: cmd("tls-terminated-tcp:443 tcp://localhost:5432"),
+	add(step{ // try to start a tcp forwarder on the same serve port (443 default)
+		command: cmd("tcp 5432"),
 		wantErr: anyErr(),
 	})
 
 	lc := &fakeLocalServeClient{}
 	// And now run the steps above.
 	for i, st := range steps {
-		if st.debugBreak != nil {
-			st.debugBreak()
-		}
 		if st.reset {
 			t.Logf("Executing step #%d, line %v: [reset]", i, st.line)
 			lc.config = nil
@@ -636,16 +625,8 @@ func TestServeConfigMutations(t *testing.T) {
 			testStdout:  &stdout,
 		}
 		lastCount := lc.setCount
-		var cmd *ffcli.Command
-		var args []string
-		if st.command[0] == "funnel" {
-			cmd = newFunnelCommand(e)
-			args = st.command[1:]
-		} else {
-			cmd = newServeCommand(e)
-			args = st.command
-		}
-		err := cmd.ParseAndRun(context.Background(), args)
+		cmd := newServeCommand(e)
+		err := cmd.ParseAndRun(context.Background(), st.command)
 		if flagOut.Len() > 0 {
 			t.Logf("flag package output: %q", flagOut.Bytes())
 		}
@@ -696,7 +677,7 @@ var fakeStatus = &ipnstate.Status{
 	BackendState: ipn.Running.String(),
 	Self: &ipnstate.PeerStatus{
 		DNSName:      "foo.test.ts.net",
-		Capabilities: []string{tailcfg.NodeAttrFunnel, tailcfg.CapabilityFunnelPorts + "?ports=443,8443"},
+		Capabilities: []string{tailcfg.NodeAttrFunnel},
 	},
 }
 
@@ -736,5 +717,7 @@ func anyErr() func(error) string {
 }
 
 func cmd(s string) []string {
-	return strings.Fields(s)
+	cmds := strings.Fields(s)
+	fmt.Printf("cmd: %v", cmds)
+	return cmds
 }

cmd/tailscale/cli/status.go

@@ -258,7 +258,6 @@ func printFunnelStatus(ctx context.Context) {
 		}
 		printf("#     - %s\n", url)
 	}
-	outln()
 }
 
 // isRunningOrStarting reports whether st is in state Running or Starting.
@@ -276,7 +275,7 @@ func isRunningOrStarting(st *ipnstate.Status) (description string, ok bool) {
 		}
 		return s, false
 	case ipn.NeedsMachineAuth.String():
-		return "Machine is not yet approved by tailnet admin.", false
+		return "Machine is not yet authorized by tailnet admin.", false
 	case ipn.Running.String(), ipn.Starting.String():
 		return st.BackendState, true
 	}

cmd/tailscale/cli/up.go

@@ -409,12 +409,6 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 		return false, nil, err
 	}
 
-	if env.upArgs.forceReauth && isSSHOverTailscale() {
-		if err := presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will result in your SSH session disconnecting.`, env.upArgs.acceptedRisks); err != nil {
-			return false, nil, err
-		}
-	}
-
 	tagsChanged := !reflect.DeepEqual(curPrefs.AdvertiseTags, prefs.AdvertiseTags)
 
 	simpleUp = env.flagSet.NFlag() == 0 &&
@@ -590,7 +584,7 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 					if env.upArgs.json {
 						printUpDoneJSON(ipn.NeedsMachineAuth, "")
 					} else {
-						fmt.Fprintf(Stderr, "\nTo approve your machine, visit (as admin):\n\n\t%s\n\n", prefs.AdminPageURL())
+						fmt.Fprintf(Stderr, "\nTo authorize your machine, visit (as admin):\n\n\t%s\n\n", prefs.AdminPageURL())
 					}
 				case ipn.Running:
 					// Done full authentication process

cmd/tailscale/cli/update.go

@@ -145,11 +145,11 @@ func newUpdater() (*updater, error) {
 		case strings.HasSuffix(os.Getenv("HOME"), "/io.tailscale.ipn.macsys/Data"):
 			up.update = up.updateMacSys
 		default:
-			return nil, errors.New("This is the macOS App Store version of Tailscale; update in the App Store, or see https://tailscale.com/s/unstable-clients to use TestFlight or to install the non-App Store version")
+			return nil, errors.New("This is the macOS App Store version of Tailscale; update in the App Store, or see https://tailscale.com/kb/1083/install-unstable/ to use TestFlight or to install the non-App Store version")
 		}
 	}
 	if up.update == nil {
-		return nil, errors.New("The 'update' command is not supported on this platform; see https://tailscale.com/s/client-updates")
+		return nil, errors.New("The 'update' command is not supported on this platform; see https://tailscale.com/kb/1067/update/")
 	}
 	return up, nil
 }

cmd/tailscale/cli/web.go

@@ -228,48 +228,33 @@ func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
 	return "", nil, fmt.Errorf("not authenticated by any mechanism")
 }
 
-// qnapAuthnURL returns the auth URL to use by inferring where the UI is
-// running based on the request URL. This is necessary because QNAP has so
-// many options, see https://github.com/tailscale/tailscale/issues/7108
-// and https://github.com/tailscale/tailscale/issues/6903
-func qnapAuthnURL(requestUrl string, query url.Values) string {
-	in, err := url.Parse(requestUrl)
-	scheme := ""
-	host := ""
-	if err != nil || in.Scheme == "" {
-		log.Printf("Cannot parse QNAP login URL %v", err)
-
-		// try localhost and hope for the best
-		scheme = "http"
-		host = "localhost"
-	} else {
-		scheme = in.Scheme
-		host = in.Host
-	}
-
-	u := url.URL{
-		Scheme:   scheme,
-		Host:     host,
-		Path:     "/cgi-bin/authLogin.cgi",
-		RawQuery: query.Encode(),
-	}
-
-	return u.String()
-}
-
 func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResponse, error) {
 	query := url.Values{
 		"qtoken": []string{token},
 		"user":   []string{user},
 	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
+	u := url.URL{
+		Scheme:   "http",
+		Host:     "127.0.0.1:8080",
+		Path:     "/cgi-bin/authLogin.cgi",
+		RawQuery: query.Encode(),
+	}
+
+	return qnapAuthnFinish(user, u.String())
 }
 
 func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse, error) {
 	query := url.Values{
 		"sid": []string{sid},
 	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
+	u := url.URL{
+		Scheme:   "http",
+		Host:     "127.0.0.1:8080",
+		Path:     "/cgi-bin/authLogin.cgi",
+		RawQuery: query.Encode(),
+	}
+
+	return qnapAuthnFinish(user, u.String())
 }
 
 func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {

cmd/tailscale/cli/web_test.go

@@ -3,10 +3,7 @@
 
 package cli
 
-import (
-	"net/url"
-	"testing"
-)
+import "testing"
 
 func TestUrlOfListenAddr(t *testing.T) {
 	tests := []struct {
@@ -37,64 +34,9 @@ func TestUrlOfListenAddr(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			u := urlOfListenAddr(tt.in)
-			if u != tt.want {
-				t.Errorf("expected url: %q, got: %q", tt.want, u)
-			}
-		})
-	}
-}
-
-func TestQnapAuthnURL(t *testing.T) {
-	query := url.Values{
-		"qtoken": []string{"token"},
-	}
-	tests := []struct {
-		name string
-		in   string
-		want string
-	}{
-		{
-			name: "localhost http",
-			in:   "http://localhost:8088/",
-			want: "http://localhost:8088/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "localhost https",
-			in:   "https://localhost:5000/",
-			want: "https://localhost:5000/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "IP http",
-			in:   "http://10.1.20.4:80/",
-			want: "http://10.1.20.4:80/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "IP6 https",
-			in:   "https://[ff7d:0:1:2::1]/",
-			want: "https://[ff7d:0:1:2::1]/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "hostname https",
-			in:   "https://qnap.example.com/",
-			want: "https://qnap.example.com/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "invalid URL",
-			in:   "This is not a URL, it is a really really really really really really really really really really really really long string to exercise the URL truncation code in the error path.",
-			want: "http://localhost/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "err != nil",
-			in:   "http://192.168.0.%31/",
-			want: "http://localhost/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			u := qnapAuthnURL(tt.in, query)
-			if u != tt.want {
-				t.Errorf("expected url: %q, got: %q", tt.want, u)
+			url := urlOfListenAddr(tt.in)
+			if url != tt.want {
+				t.Errorf("expected url: %q, got: %q", tt.want, url)
 			}
 		})
 	}

cmd/tailscale/depaware.txt

@@ -79,7 +79,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
         tailscale.com/net/ping                                       from tailscale.com/net/netcheck
         tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
-        tailscale.com/net/sockstats                                  from tailscale.com/control/controlhttp+
         tailscale.com/net/stun                                       from tailscale.com/net/netcheck
         tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp+
         tailscale.com/net/tsaddr                                     from tailscale.com/net/interfaces+
@@ -122,7 +121,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/util/quarantine                                from tailscale.com/cmd/tailscale/cli
         tailscale.com/util/set                                       from tailscale.com/health+
         tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
-        tailscale.com/util/slicesx                                   from tailscale.com/net/dnscache+
      💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
         tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
         tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+

cmd/tailscale/generate.go

@@ -6,3 +6,4 @@ package main
 //go:generate go run tailscale.com/cmd/mkmanifest amd64 windows-manifest.xml manifest_windows_amd64.syso
 //go:generate go run tailscale.com/cmd/mkmanifest 386 windows-manifest.xml manifest_windows_386.syso
 //go:generate go run tailscale.com/cmd/mkmanifest arm64 windows-manifest.xml manifest_windows_arm64.syso
+//go:generate go run tailscale.com/cmd/mkmanifest arm windows-manifest.xml manifest_windows_arm.syso

cmd/tailscaled/debug.go

@@ -14,18 +14,24 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"net"
 	"net/http"
 	"net/http/httptrace"
+	"net/netip"
 	"net/url"
 	"os"
+	"strings"
 	"time"
 
 	"tailscale.com/derp/derphttp"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/net/interfaces"
+	"tailscale.com/net/portmapper"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
+	"tailscale.com/types/logger"
 	"tailscale.com/wgengine/monitor"
 )
 
@@ -223,5 +229,95 @@ func checkDerp(ctx context.Context, derpRegion string) (err error) {
 }
 
 func debugPortmap(ctx context.Context) error {
-	return fmt.Errorf("this flag has been deprecated in favour of 'tailscale debug portmap'")
+	ctx, cancel := context.WithTimeout(ctx, 3*time.Second)
+	defer cancel()
+
+	portmapper.VerboseLogs = true
+	switch envknob.String("TS_DEBUG_PORTMAP_TYPE") {
+	case "":
+	case "pmp":
+		portmapper.DisablePCP = true
+		portmapper.DisableUPnP = true
+	case "pcp":
+		portmapper.DisablePMP = true
+		portmapper.DisableUPnP = true
+	case "upnp":
+		portmapper.DisablePCP = true
+		portmapper.DisablePMP = true
+	default:
+		log.Fatalf("TS_DEBUG_PORTMAP_TYPE must be one of pmp,pcp,upnp")
+	}
+
+	done := make(chan bool, 1)
+
+	var c *portmapper.Client
+	logf := log.Printf
+	c = portmapper.NewClient(logger.WithPrefix(logf, "portmapper: "), func() {
+		logf("portmapping changed.")
+		logf("have mapping: %v", c.HaveMapping())
+
+		if ext, ok := c.GetCachedMappingOrStartCreatingOne(); ok {
+			logf("cb: mapping: %v", ext)
+			select {
+			case done <- true:
+			default:
+			}
+			return
+		}
+		logf("cb: no mapping")
+	})
+	linkMon, err := monitor.New(logger.WithPrefix(logf, "monitor: "))
+	if err != nil {
+		return err
+	}
+
+	gatewayAndSelfIP := func() (gw, self netip.Addr, ok bool) {
+		if v := os.Getenv("TS_DEBUG_GW_SELF"); strings.Contains(v, "/") {
+			i := strings.Index(v, "/")
+			gw = netip.MustParseAddr(v[:i])
+			self = netip.MustParseAddr(v[i+1:])
+			return gw, self, true
+		}
+		return linkMon.GatewayAndSelfIP()
+	}
+
+	c.SetGatewayLookupFunc(gatewayAndSelfIP)
+
+	gw, selfIP, ok := gatewayAndSelfIP()
+	if !ok {
+		logf("no gateway or self IP; %v", linkMon.InterfaceState())
+		return nil
+	}
+	logf("gw=%v; self=%v", gw, selfIP)
+
+	uc, err := net.ListenPacket("udp", "0.0.0.0:0")
+	if err != nil {
+		return err
+	}
+	defer uc.Close()
+	c.SetLocalPort(uint16(uc.LocalAddr().(*net.UDPAddr).Port))
+
+	res, err := c.Probe(ctx)
+	if err != nil {
+		return fmt.Errorf("Probe: %v", err)
+	}
+	logf("Probe: %+v", res)
+
+	if !res.PCP && !res.PMP && !res.UPnP {
+		logf("no portmapping services available")
+		return nil
+	}
+
+	if ext, ok := c.GetCachedMappingOrStartCreatingOne(); ok {
+		logf("mapping: %v", ext)
+	} else {
+		logf("no mapping")
+	}
+
+	select {
+	case <-done:
+		return nil
+	case <-ctx.Done():
+		return ctx.Err()
+	}
 }

cmd/tailscaled/depaware.txt

@@ -219,11 +219,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    tailscale.com/kube                                           from tailscale.com/ipn/store/kubestore
         tailscale.com/log/filelogger                                 from tailscale.com/logpolicy
         tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
-        tailscale.com/log/sockstatlog                                from tailscale.com/ipn/ipnlocal
         tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled+
         tailscale.com/logtail                                        from tailscale.com/control/controlclient+
         tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
-        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy+
+        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
         tailscale.com/metrics                                        from tailscale.com/derp+
         tailscale.com/net/connstats                                  from tailscale.com/net/tstun+
         tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
@@ -247,7 +246,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/net/proxymux                                   from tailscale.com/cmd/tailscaled
         tailscale.com/net/routetable                                 from tailscale.com/doctor/routetable
         tailscale.com/net/socks5                                     from tailscale.com/cmd/tailscaled
-        tailscale.com/net/sockstats                                  from tailscale.com/control/controlclient+
         tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
         tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
         tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
@@ -300,14 +298,11 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
         tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
         tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
-        tailscale.com/util/must                                      from tailscale.com/logpolicy
         tailscale.com/util/osshare                                   from tailscale.com/ipn/ipnlocal+
    W    tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnauth
         tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
-        tailscale.com/util/ringbuffer                                from tailscale.com/wgengine/magicsock
         tailscale.com/util/set                                       from tailscale.com/health+
         tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
-        tailscale.com/util/slicesx                                   from tailscale.com/net/dnscache+
         tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
         tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock+
         tailscale.com/util/vizerror                                  from tailscale.com/tsweb
@@ -415,7 +410,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         encoding/xml                                                 from github.com/tailscale/goupnp+
         errors                                                       from bufio+
         expvar                                                       from tailscale.com/derp+
-        flag                                                         from net/http/httptest+
+        flag                                                         from tailscale.com/control/controlclient+
         fmt                                                          from compress/flate+
         hash                                                         from crypto+
         hash/adler32                                                 from tailscale.com/ipn/ipnlocal

cmd/tailscaled/generate.go

@@ -6,3 +6,4 @@ package main
 //go:generate go run tailscale.com/cmd/mkmanifest amd64 windows-manifest.xml manifest_windows_amd64.syso
 //go:generate go run tailscale.com/cmd/mkmanifest 386 windows-manifest.xml manifest_windows_386.syso
 //go:generate go run tailscale.com/cmd/mkmanifest arm64 windows-manifest.xml manifest_windows_arm64.syso
+//go:generate go run tailscale.com/cmd/mkmanifest arm windows-manifest.xml manifest_windows_arm.syso

cmd/tsconnect/src/app/app.tsx

@@ -38,31 +38,13 @@ class App extends Component<{}, AppState> {
     if (ipnState === "NeedsMachineAuth") {
       machineAuthInstructions = (
         <div class="container mx-auto px-4 text-center">
-          An administrator needs to approve this device.
-        </div>
-      )
-    }
-
-    const lockedOut = netMap?.lockedOut
-    let lockedOutInstructions
-    if (lockedOut) {
-      lockedOutInstructions = (
-        <div class="container mx-auto px-4 text-center space-y-4">
-          <p>This instance of Tailscale Connect needs to be signed, due to
-            {" "}<a href="https://tailscale.com/kb/1226/tailnet-lock/" class="link">tailnet lock</a>{" "}
-            being enabled on this domain.
-          </p>
-
-          <p>
-            Run the following command on a device with a trusted tailnet lock key:
-            <pre>tailscale lock sign {netMap.self.nodeKey}</pre>
-          </p>
+          An administrator needs to authorize this device.
         </div>
       )
     }
 
     let ssh
-    if (ipn && ipnState === "Running" && netMap && !lockedOut) {
+    if (ipn && ipnState === "Running" && netMap) {
       ssh = <SSH netMap={netMap} ipn={ipn} />
     }
 
@@ -73,7 +55,6 @@ class App extends Component<{}, AppState> {
         <div class="flex-grow flex flex-col justify-center overflow-hidden">
           {urlDisplay}
           {machineAuthInstructions}
-          {lockedOutInstructions}
           {ssh}
         </div>
       </>

cmd/tsconnect/src/app/header.tsx

@@ -30,7 +30,7 @@ const STATE_LABELS = {
   NoState: "Initializing…",
   InUseOtherUser: "In-use by another user",
   NeedsLogin: "Needs login",
-  NeedsMachineAuth: "Needs approval",
+  NeedsMachineAuth: "Needs authorization",
   Stopped: "Stopped",
   Starting: "Starting…",
   Running: "Running",

cmd/tsconnect/src/app/ssh.tsx

@@ -60,11 +60,11 @@ function SSHSession({
 function NoSSHPeers() {
   return (
     <div class="container mx-auto px-4 text-center">
-      None of your machines have{" "}
+      None of your machines have
       <a href="https://tailscale.com/kb/1193/tailscale-ssh/" class="link">
         Tailscale SSH
       </a>
-      {" "}enabled. Give it a try!
+      enabled. Give it a try!
     </div>
   )
 }

cmd/tsconnect/src/types/wasm_js.d.ts

@@ -63,7 +63,6 @@ declare global {
   type IPNNetMap = {
     self: IPNNetMapSelfNode
     peers: IPNNetMapPeerNode[]
-    lockedOut: boolean
   }
 
   type IPNNetMapNode = {

cmd/tsconnect/wasm/wasm_js.go

@@ -272,7 +272,6 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
 						TailscaleSSHEnabled: p.Hostinfo.TailscaleSSHEnabled(),
 					}
 				}),
-				LockedOut: nm.TKAEnabled && len(nm.SelfNode.KeySignature) == 0,
 			}
 			if jsonNetMap, err := json.Marshal(jsNetMap); err == nil {
 				jsCallbacks.Call("notifyNetMap", string(jsonNetMap))
@@ -522,9 +521,8 @@ func (w termWriter) Write(p []byte) (n int, err error) {
 }
 
 type jsNetMap struct {
-	Self      jsNetMapSelfNode   `json:"self"`
-	Peers     []jsNetMapPeerNode `json:"peers"`
-	LockedOut bool               `json:"lockedOut"`
+	Self  jsNetMapSelfNode   `json:"self"`
+	Peers []jsNetMapPeerNode `json:"peers"`
 }
 
 type jsNetMapNode struct {

control/controlclient/auto.go

@@ -13,7 +13,6 @@ import (
 
 	"tailscale.com/health"
 	"tailscale.com/logtail/backoff"
-	"tailscale.com/net/sockstats"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/empty"
 	"tailscale.com/types/key"
@@ -59,17 +58,15 @@ type Auto struct {
 
 	mu sync.Mutex // mutex guards the following fields
 
-	paused               bool // whether we should stop making HTTP requests
-	unpauseWaiters       []chan struct{}
-	loggedIn             bool               // true if currently logged in
-	loginGoal            *LoginGoal         // non-nil if some login activity is desired
-	synced               bool               // true if our netmap is up-to-date
-	inPollNetMap         bool               // true if currently running a PollNetMap
-	inLiteMapUpdate      bool               // true if a lite (non-streaming) map request is outstanding
-	liteMapUpdateCancel  context.CancelFunc // cancels a lite map update, may be nil
-	liteMapUpdateCancels int                // how many times we've canceled a lite map update
-	inSendStatus         int                // number of sendStatus calls currently in progress
-	state                State
+	paused          bool // whether we should stop making HTTP requests
+	unpauseWaiters  []chan struct{}
+	loggedIn        bool       // true if currently logged in
+	loginGoal       *LoginGoal // non-nil if some login activity is desired
+	synced          bool       // true if our netmap is up-to-date
+	inPollNetMap    bool       // true if currently running a PollNetMap
+	inLiteMapUpdate bool       // true if a lite (non-streaming) map request is outstanding
+	inSendStatus    int        // number of sendStatus calls currently in progress
+	state           State
 
 	authCtx    context.Context // context used for auth requests
 	mapCtx     context.Context // context used for netmap requests
@@ -121,11 +118,7 @@ func NewNoStart(opts Options) (_ *Auto, err error) {
 		statusFunc: opts.Status,
 	}
 	c.authCtx, c.authCancel = context.WithCancel(context.Background())
-	c.authCtx = sockstats.WithSockStats(c.authCtx, sockstats.LabelControlClientAuto)
-
 	c.mapCtx, c.mapCancel = context.WithCancel(context.Background())
-	c.mapCtx = sockstats.WithSockStats(c.mapCtx, sockstats.LabelControlClientAuto)
-
 	c.unregisterHealthWatch = health.RegisterWatcher(direct.ReportHealthChange)
 	return c, nil
 
@@ -170,56 +163,28 @@ func (c *Auto) Start() {
 func (c *Auto) sendNewMapRequest() {
 	c.mu.Lock()
 
-	// If we're not already streaming a netmap, then tear down everything
-	// and start a new stream (which starts by sending a new map request)
-	if !c.inPollNetMap || !c.loggedIn {
+	// If we're not already streaming a netmap, or if we're already stuck
+	// in a lite update, then tear down everything and start a new stream
+	// (which starts by sending a new map request)
+	if !c.inPollNetMap || c.inLiteMapUpdate || !c.loggedIn {
 		c.mu.Unlock()
 		c.cancelMapSafely()
 		return
 	}
 
-	// If we are already in process of doing a LiteMapUpdate, cancel it and
-	// try a new one. If this is the 10th time we have done this
-	// cancelation, tear down everything and start again.
-	const maxLiteMapUpdateAttempts = 10
-	if c.inLiteMapUpdate {
-		// Always cancel the in-flight lite map update, regardless of
-		// whether we cancel the streaming map request or not.
-		c.liteMapUpdateCancel()
-		c.inLiteMapUpdate = false
-
-		if c.liteMapUpdateCancels >= maxLiteMapUpdateAttempts {
-			// Not making progress
-			c.mu.Unlock()
-			c.cancelMapSafely()
-			return
-		}
-
-		// Increment our cancel counter and continue below to start a
-		// new lite update.
-		c.liteMapUpdateCancels++
-	}
-
 	// Otherwise, send a lite update that doesn't keep a
 	// long-running stream response.
 	defer c.mu.Unlock()
 	c.inLiteMapUpdate = true
 	ctx, cancel := context.WithTimeout(c.mapCtx, 10*time.Second)
-	c.liteMapUpdateCancel = cancel
 	go func() {
 		defer cancel()
 		t0 := time.Now()
 		err := c.direct.SendLiteMapUpdate(ctx)
 		d := time.Since(t0).Round(time.Millisecond)
-
 		c.mu.Lock()
 		c.inLiteMapUpdate = false
-		c.liteMapUpdateCancel = nil
-		if err == nil {
-			c.liteMapUpdateCancels = 0
-		}
 		c.mu.Unlock()
-
 		if err == nil {
 			c.logf("[v1] successful lite map update in %v", d)
 			return
@@ -227,13 +192,10 @@ func (c *Auto) sendNewMapRequest() {
 		if ctx.Err() == nil {
 			c.logf("lite map update after %v: %v", d, err)
 		}
-		if !errors.Is(ctx.Err(), context.Canceled) {
-			// Fall back to restarting the long-polling map
-			// request (the old heavy way) if the lite update
-			// failed for reasons other than the context being
-			// canceled.
-			c.cancelMapSafely()
-		}
+		// Fall back to restarting the long-polling map
+		// request (the old heavy way) if the lite update
+		// failed for any reason.
+		c.cancelMapSafely()
 	}()
 }
 
@@ -244,7 +206,6 @@ func (c *Auto) cancelAuth() {
 	}
 	if !c.closed {
 		c.authCtx, c.authCancel = context.WithCancel(context.Background())
-		c.authCtx = sockstats.WithSockStats(c.authCtx, sockstats.LabelControlClientAuto)
 	}
 	c.mu.Unlock()
 }
@@ -255,8 +216,6 @@ func (c *Auto) cancelMapLocked() {
 	}
 	if !c.closed {
 		c.mapCtx, c.mapCancel = context.WithCancel(context.Background())
-		c.mapCtx = sockstats.WithSockStats(c.mapCtx, sockstats.LabelControlClientAuto)
-
 	}
 }
 
@@ -270,12 +229,6 @@ func (c *Auto) cancelMapSafely() {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 
-	// Always reset our lite map cancels counter if we're canceling
-	// everything, since we're about to restart with a new map update; this
-	// allows future calls to sendNewMapRequest to retry sending lite
-	// updates.
-	c.liteMapUpdateCancels = 0
-
 	c.logf("[v1] cancelMapSafely: synced=%v", c.synced)
 
 	if c.inPollNetMap {
@@ -407,13 +360,7 @@ func (c *Auto) authRoutine() {
 				c.mu.Unlock()
 
 				c.sendStatus("authRoutine-url", err, url, nil)
-				if goal.url == url {
-					// The server sent us the same URL we already tried,
-					// backoff to avoid a busy loop.
-					bo.BackOff(ctx, errors.New("login URL not changing"))
-				} else {
-					bo.BackOff(ctx, nil)
-				}
+				bo.BackOff(ctx, err)
 				continue
 			}
 
@@ -475,7 +422,7 @@ func (c *Auto) mapRoutine() {
 			}
 			continue
 		}
-		c.logf("mapRoutine: %s", c.state)
+		c.logf("[v1] mapRoutine: %s", c.state)
 		loggedIn := c.loggedIn
 		ctx := c.mapCtx
 		c.mu.Unlock()
@@ -488,7 +435,7 @@ func (c *Auto) mapRoutine() {
 		}
 
 		report := func(err error, msg string) {
-			c.logf("%s: %v", msg, err)
+			c.logf("[v1] %s: %v", msg, err)
 			err = fmt.Errorf("%s: %w", msg, err)
 			// don't send status updates for context errors,
 			// since context cancelation is always on purpose.
@@ -506,9 +453,9 @@ func (c *Auto) mapRoutine() {
 
 			select {
 			case <-ctx.Done():
-				c.logf("mapRoutine: context done.")
+				c.logf("[v1] mapRoutine: context done.")
 			case <-c.newMapCh:
-				c.logf("mapRoutine: new map needed while idle.")
+				c.logf("[v1] mapRoutine: new map needed while idle.")
 			}
 		} else {
 			// Be sure this is false when we're not inside

control/controlclient/direct.go

@@ -7,11 +7,10 @@ import (
 	"bufio"
 	"bytes"
 	"context"
-	"crypto/ed25519"
-	"encoding/base64"
 	"encoding/binary"
 	"encoding/json"
 	"errors"
+	"flag"
 	"fmt"
 	"io"
 	"log"
@@ -88,15 +87,16 @@ type Direct struct {
 	sfGroup     singleflight.Group[struct{}, *NoiseClient] // protects noiseClient creation.
 	noiseClient *NoiseClient
 
-	persist      persist.PersistView
-	authKey      string
-	tryingNewKey key.NodePrivate
-	expiry       *time.Time
-	hostinfo     *tailcfg.Hostinfo // always non-nil
-	netinfo      *tailcfg.NetInfo
-	endpoints    []tailcfg.Endpoint
-	tkaHead      string
-	lastPingURL  string // last PingRequest.URL received, for dup suppression
+	persist       persist.PersistView
+	authKey       string
+	tryingNewKey  key.NodePrivate
+	expiry        *time.Time
+	hostinfo      *tailcfg.Hostinfo // always non-nil
+	netinfo       *tailcfg.NetInfo
+	endpoints     []tailcfg.Endpoint
+	tkaHead       string
+	everEndpoints bool   // whether we've ever had non-empty endpoints
+	lastPingURL   string // last PingRequest.URL received, for dup suppression
 }
 
 type Options struct {
@@ -212,7 +212,6 @@ func NewDirect(opts Options) (*Direct, error) {
 			Forward:          dnscache.Get().Forward, // use default cache's forwarder
 			UseLastGood:      true,
 			LookupIPFallback: dnsfallback.Lookup,
-			Logf:             opts.Logf,
 		}
 		tr := http.DefaultTransport.(*http.Transport).Clone()
 		tr.Proxy = tshttpproxy.ProxyFromEnvironment
@@ -425,7 +424,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	tryingNewKey := c.tryingNewKey
 	serverKey := c.serverKey
 	serverNoiseKey := c.serverNoiseKey
-	authKey, isWrapped, wrappedSig, wrappedKey := decodeWrappedAuthkey(c.authKey, c.logf)
+	authKey := c.authKey
 	hi := c.hostInfoLocked()
 	backendLogID := hi.BackendLogID
 	expired := c.expiry != nil && !c.expiry.IsZero() && c.expiry.Before(c.timeNow())
@@ -511,22 +510,6 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		if nodeKeySignature, err = resignNKS(persist.NetworkLockKey, tryingNewKey.Public(), opt.OldNodeKeySignature); err != nil {
 			c.logf("Failed re-signing node-key signature: %v", err)
 		}
-	} else if isWrapped {
-		// We were given a wrapped pre-auth key, which means that in addition
-		// to being a regular pre-auth key there was a suffix with information to
-		// generate a tailnet-lock signature.
-		nk, err := tryingNewKey.Public().MarshalBinary()
-		if err != nil {
-			return false, "", nil, fmt.Errorf("marshalling node-key: %w", err)
-		}
-		sig := &tka.NodeKeySignature{
-			SigKind: tka.SigRotation,
-			Pubkey:  nk,
-			Nested:  wrappedSig,
-		}
-		sigHash := sig.SigHash()
-		sig.Signature = ed25519.Sign(wrappedKey, sigHash[:])
-		nodeKeySignature = sig.Serialize()
 	}
 
 	if backendLogID == "" {
@@ -752,6 +735,9 @@ func (c *Direct) newEndpoints(endpoints []tailcfg.Endpoint) (changed bool) {
 	}
 	c.logf("[v2] client.newEndpoints(%v)", epStrs)
 	c.endpoints = append(c.endpoints[:0], endpoints...)
+	if len(endpoints) > 0 {
+		c.everEndpoints = true
+	}
 	return true // changed
 }
 
@@ -764,16 +750,16 @@ func (c *Direct) SetEndpoints(endpoints []tailcfg.Endpoint) (changed bool) {
 	return c.newEndpoints(endpoints)
 }
 
+func inTest() bool { return flag.Lookup("test.v") != nil }
+
 // PollNetMap makes a /map request to download the network map, calling cb with
 // each new netmap.
 func (c *Direct) PollNetMap(ctx context.Context, cb func(*netmap.NetworkMap)) error {
-	c.logf("PollNetMap")
 	return c.sendMapRequest(ctx, -1, false, cb)
 }
 
 // FetchNetMap fetches the netmap once.
 func (c *Direct) FetchNetMap(ctx context.Context) (*netmap.NetworkMap, error) {
-	c.logf("FetchNetMap")
 	var ret *netmap.NetworkMap
 	err := c.sendMapRequest(ctx, 1, false, func(nm *netmap.NetworkMap) {
 		ret = nm
@@ -788,7 +774,6 @@ func (c *Direct) FetchNetMap(ctx context.Context) (*netmap.NetworkMap, error) {
 // but does not fetch anything. It returns an error if the server did not return a
 // successful 200 OK response.
 func (c *Direct) SendLiteMapUpdate(ctx context.Context) error {
-	c.logf("SendLiteMapUpdate")
 	return c.sendMapRequest(ctx, 1, false, nil)
 }
 
@@ -799,7 +784,6 @@ const pollTimeout = 120 * time.Second
 
 // cb nil means to omit peers.
 func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool, cb func(*netmap.NetworkMap)) error {
-	c.logf("sendMapRequest")
 	metricMapRequests.Add(1)
 	metricMapRequestsActive.Add(1)
 	defer metricMapRequestsActive.Add(-1)
@@ -822,29 +806,26 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 		epStrs = append(epStrs, ep.Addr.String())
 		epTypes = append(epTypes, ep.Type)
 	}
+	everEndpoints := c.everEndpoints
 	c.mu.Unlock()
 
 	machinePrivKey, err := c.getMachinePrivKey()
 	if err != nil {
-            c.logf("sendMapRequest: machinePrivKey failed")
 		return fmt.Errorf("getMachinePrivKey: %w", err)
 	}
 	if machinePrivKey.IsZero() {
-            c.logf("sendMapRequest: machinePrivKey isZero")
 		return errors.New("getMachinePrivKey returned zero key")
 	}
 
 	if persist.PrivateNodeKey().IsZero() {
-            c.logf("sendMapRequest: privateNodeKey isZero")
 		return errors.New("privateNodeKey is zero")
 	}
 	if backendLogID == "" {
-            c.logf("sendMapRequest: BackendLogID missing")
 		return errors.New("hostinfo: BackendLogID missing")
 	}
 
 	allowStream := maxPolls != 1
-	c.logf("PollNetMap: stream=%v ep=%v", allowStream, epStrs)
+	c.logf("[v1] PollNetMap: stream=%v ep=%v", allowStream, epStrs)
 
 	vlogf := logger.Discard
 	if DevKnob.DumpNetMaps() {
@@ -866,17 +847,15 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 		OmitPeers:     cb == nil,
 		TKAHead:       c.tkaHead,
 
-		// Previously we'd set ReadOnly to true if we didn't have any endpoints
-		// yet as we expected to learn them in a half second and restart the full
-		// streaming map poll, however as we are trying to reduce the number of
-		// times we restart the full streaming map poll we now just set ReadOnly
-		// false when we're doing a full streaming map poll.
-		//
-		// TODO(maisem/bradfitz): really ReadOnly should be set to true if for
-		// all streams and we should only do writes via lite map updates.
-		// However that requires an audit and a bunch of testing to make sure we
-		// don't break anything.
-		ReadOnly: readOnly && !allowStream,
+		// On initial startup before we know our endpoints, set the ReadOnly flag
+		// to tell the control server not to distribute out our (empty) endpoints to peers.
+		// Presumably we'll learn our endpoints in a half second and do another post
+		// with useful results. The first POST just gets us the DERP map which we
+		// need to do the STUN queries to discover our endpoints.
+		// TODO(bradfitz): we skip this optimization in tests, though,
+		// because the e2e tests are currently hyper-specific about the
+		// ordering of things. The e2e tests need love.
+		ReadOnly: readOnly || (len(epStrs) == 0 && !everEndpoints && !inTest()),
 	}
 	var extraDebugFlags []string
 	if hi != nil && c.linkMon != nil && !c.skipIPForwardingCheck &&
@@ -899,8 +878,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 	}
 
 	bodyData, err := encode(request, serverKey, serverNoiseKey, machinePrivKey)
-	if err !=  nil {
-		c.logf("PollNetMap: encode failed")
+	if err != nil {
 		vlogf("netmap: encode: %v", err)
 		return err
 	}
@@ -928,13 +906,11 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 
 	req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(bodyData))
 	if err != nil {
-		c.logf("PollNetMap: NewRequestWithContext failed")
 		return err
 	}
 
 	res, err := httpc.Do(req)
 	if err != nil {
-		c.logf("PollNetMap: httpc.Do failed")
 		vlogf("netmap: Do: %v", err)
 		return err
 	}
@@ -942,7 +918,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 	if res.StatusCode != 200 {
 		msg, _ := io.ReadAll(res.Body)
 		res.Body.Close()
-		c.logf("PollNetMap: Status != 200")
 		return fmt.Errorf("initial fetch failed %d: %.200s",
 			res.StatusCode, strings.TrimSpace(string(msg)))
 	}
@@ -952,7 +927,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 
 	if cb == nil {
 		io.Copy(io.Discard, res.Body)
-		c.logf("PollNetMap: cb == nil")
 		return nil
 	}
 
@@ -965,7 +939,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 			select {
 			case <-pollDone:
 				vlogf("netmap: ending timeout goroutine")
-				c.logf("netmap: ending timeout goroutine")
 				return
 			case <-timeout.C:
 				c.logf("map response long-poll timed out!")
@@ -977,12 +950,10 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 					case <-timeout.C:
 					case <-pollDone:
 						vlogf("netmap: ending timeout goroutine")
-				c.logf("netmap: ending timeout goroutine")
 						return
 					}
 				}
 				vlogf("netmap: reset timeout timer")
-				c.logf("netmap: reset timeout timer")
 				timeout.Reset(pollTimeout)
 			}
 		}
@@ -1005,7 +976,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 		vlogf("netmap: starting size read after %v (poll %v)", time.Since(t0).Round(time.Millisecond), i)
 		var siz [4]byte
 		if _, err := io.ReadFull(res.Body, siz[:]); err != nil {
-			c.logf("PollNetMap: io.ReadFull 4 bytes failed")
 			vlogf("netmap: size read error after %v: %v", time.Since(t0).Round(time.Millisecond), err)
 			return err
 		}
@@ -1013,7 +983,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 		vlogf("netmap: read size %v after %v", size, time.Since(t0).Round(time.Millisecond))
 		msg = append(msg[:0], make([]byte, size)...)
 		if _, err := io.ReadFull(res.Body, msg); err != nil {
-			c.logf("PollNetMap: io.ReadFull all bytes failed")
 			vlogf("netmap: body read error: %v", err)
 			return err
 		}
@@ -1021,7 +990,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 
 		var resp tailcfg.MapResponse
 		if err := c.decodeMsg(msg, &resp, machinePrivKey); err != nil {
-			c.logf("PollNetMap: decode error")
 			vlogf("netmap: decode error: %v")
 			return err
 		}
@@ -1067,7 +1035,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 				c.logf("netmap: [unexpected] new dial plan; nowhere to store it")
 			}
 		}
-		c.logf("PollNetMap: past dial plan")
 
 		select {
 		case timeoutReset <- struct{}{}:
@@ -1746,43 +1713,6 @@ func (c *Direct) ReportHealthChange(sys health.Subsystem, sysErr error) {
 	res.Body.Close()
 }
 
-// decodeWrappedAuthkey separates wrapping information from an authkey, if any.
-// In all cases the authkey is returned, sans wrapping information if any.
-//
-// If the authkey is wrapped, isWrapped returns true, along with the wrapping signature
-// and private key.
-func decodeWrappedAuthkey(key string, logf logger.Logf) (authKey string, isWrapped bool, sig *tka.NodeKeySignature, priv ed25519.PrivateKey) {
-	authKey, suffix, found := strings.Cut(key, "--TL")
-	if !found {
-		return key, false, nil, nil
-	}
-	sigBytes, privBytes, found := strings.Cut(suffix, "-")
-	if !found {
-		logf("decoding wrapped auth-key: did not find delimiter")
-		return key, false, nil, nil
-	}
-
-	rawSig, err := base64.RawStdEncoding.DecodeString(sigBytes)
-	if err != nil {
-		logf("decoding wrapped auth-key: signature decode: %v", err)
-		return key, false, nil, nil
-	}
-	rawPriv, err := base64.RawStdEncoding.DecodeString(privBytes)
-	if err != nil {
-		logf("decoding wrapped auth-key: priv decode: %v", err)
-		return key, false, nil, nil
-	}
-
-	sig = new(tka.NodeKeySignature)
-	if err := sig.Unserialize([]byte(rawSig)); err != nil {
-		logf("decoding wrapped auth-key: signature: %v", err)
-		return key, false, nil, nil
-	}
-	priv = ed25519.PrivateKey(rawPriv)
-
-	return authKey, true, sig, priv
-}
-
 var (
 	metricMapRequestsActive = clientmetric.NewGauge("controlclient_map_requests_active")
 

control/controlclient/direct_test.go

@@ -4,7 +4,6 @@
 package controlclient
 
 import (
-	"crypto/ed25519"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -143,42 +142,3 @@ func TestTsmpPing(t *testing.T) {
 		t.Fatal(err)
 	}
 }
-
-func TestDecodeWrappedAuthkey(t *testing.T) {
-	k, isWrapped, sig, priv := decodeWrappedAuthkey("tskey-32mjsdkdsffds9o87dsfkjlh", nil)
-	if want := "tskey-32mjsdkdsffds9o87dsfkjlh"; k != want {
-		t.Errorf("decodeWrappedAuthkey(<unwrapped-key>).key = %q, want %q", k, want)
-	}
-	if isWrapped {
-		t.Error("decodeWrappedAuthkey(<unwrapped-key>).isWrapped = true, want false")
-	}
-	if sig != nil {
-		t.Errorf("decodeWrappedAuthkey(<unwrapped-key>).sig = %v, want nil", sig)
-	}
-	if priv != nil {
-		t.Errorf("decodeWrappedAuthkey(<unwrapped-key>).priv = %v, want nil", priv)
-	}
-
-	k, isWrapped, sig, priv = decodeWrappedAuthkey("tskey-auth-k7UagY1CNTRL-ZZZZZ--TLpAEDA1ggnXuw4/fWnNWUwcoOjLemhOvml1juMl5lhLmY5sBUsj8EWEAfL2gdeD9g8VDw5tgcxCiHGlEb67BgU2DlFzZApi4LheLJraA+pYjTGChVhpZz1iyiBPD+U2qxDQAbM3+WFY0EBlggxmVqG53Hu0Rg+KmHJFMlUhfgzo+AQP6+Kk9GzvJJOs4-k36RdoSFqaoARfQo0UncHAV0t3YTqrkD5r/z2jTrE43GZWobnce7RGD4qYckUyVSF+DOj4BA/r4qT0bO8kk6zg", nil)
-	if want := "tskey-auth-k7UagY1CNTRL-ZZZZZ"; k != want {
-		t.Errorf("decodeWrappedAuthkey(<wrapped-key>).key = %q, want %q", k, want)
-	}
-	if !isWrapped {
-		t.Error("decodeWrappedAuthkey(<wrapped-key>).isWrapped = false, want true")
-	}
-
-	if sig == nil {
-		t.Fatal("decodeWrappedAuthkey(<wrapped-key>).sig = nil, want non-nil signature")
-	}
-	sigHash := sig.SigHash()
-	if !ed25519.Verify(sig.KeyID, sigHash[:], sig.Signature) {
-		t.Error("signature failed to verify")
-	}
-
-	// Make sure the private is correct by using it.
-	someSig := ed25519.Sign(priv, []byte{1, 2, 3, 4})
-	if !ed25519.Verify(sig.WrappingPubkey, []byte{1, 2, 3, 4}, someSig) {
-		t.Error("failed to use priv")
-	}
-
-}

control/controlclient/map_test.go

@@ -13,7 +13,6 @@ import (
 
 	"go4.org/mem"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tstest"
 	"tailscale.com/types/key"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/opt"
@@ -22,11 +21,12 @@ import (
 )
 
 func TestUndeltaPeers(t *testing.T) {
-	var curTime time.Time
-	tstest.Replace(t, &clockNow, func() time.Time {
-		return curTime
-	})
+	defer func(old func() time.Time) { clockNow = old }(clockNow)
 
+	var curTime time.Time
+	clockNow = func() time.Time {
+		return curTime
+	}
 	online := func(v bool) func(*tailcfg.Node) {
 		return func(n *tailcfg.Node) {
 			n.Online = &v

control/controlhttp/client.go

@@ -41,7 +41,6 @@ import (
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/netutil"
-	"tailscale.com/net/sockstats"
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
@@ -273,8 +272,6 @@ func (a *Dialer) dialHost(ctx context.Context, addr netip.Addr) (*ClientConn, er
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 
-	ctx = sockstats.WithSockStats(ctx, sockstats.LabelControlClientDialer)
-
 	// u80 and u443 are the URLs we'll try to hit over HTTP or HTTPS,
 	// respectively, in order to do the HTTP upgrade to a net.Conn over which
 	// we'll speak Noise.
@@ -388,14 +385,12 @@ func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, addr netip.Addr,
 		dns = &dnscache.Resolver{
 			SingleHostStaticResult: []netip.Addr{addr},
 			SingleHost:             u.Hostname(),
-			Logf:                   a.Logf, // not a.logf method; we want to propagate nil-ness
 		}
 	} else {
 		dns = &dnscache.Resolver{
 			Forward:          dnscache.Get().Forward,
 			LookupIPFallback: dnsfallback.Lookup,
 			UseLastGood:      true,
-			Logf:             a.Logf, // not a.logf method; we want to propagate nil-ness
 		}
 	}
 

derp/derphttp/derphttp_client.go

@@ -32,7 +32,6 @@ import (
 	"tailscale.com/envknob"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/netns"
-	"tailscale.com/net/sockstats"
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/syncs"
@@ -321,7 +320,7 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 		}
 		c.serverPubKey = derpClient.ServerPublicKey()
 		c.client = derpClient
-		c.netConn = conn
+		c.netConn = tcpConn
 		c.connGen++
 		return c.client, c.connGen, nil
 	case c.url != nil:
@@ -616,8 +615,6 @@ func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, e
 	ctx, cancel := context.WithTimeout(ctx, dialNodeTimeout)
 	defer cancel()
 
-	ctx = sockstats.WithSockStats(ctx, sockstats.LabelDERPHTTPClient)
-
 	nwait := 0
 	startDial := func(dstPrimary, proto string) {
 		nwait++

envknob/envknob.go

@@ -42,7 +42,6 @@ var (
 	regBool     = map[string]*bool{}
 	regOptBool  = map[string]*opt.Bool{}
 	regDuration = map[string]*time.Duration{}
-	regInt      = map[string]*int{}
 )
 
 func noteEnv(k, v string) {
@@ -183,25 +182,6 @@ func RegisterDuration(envVar string) func() time.Duration {
 	return func() time.Duration { return *p }
 }
 
-// RegisterInt returns a func that gets the named environment variable as an
-// integer, without a map lookup per call. It assumes that any mutations happen
-// via envknob.Setenv.
-func RegisterInt(envVar string) func() int {
-	mu.Lock()
-	defer mu.Unlock()
-	p, ok := regInt[envVar]
-	if !ok {
-		val := os.Getenv(envVar)
-		if val != "" {
-			noteEnvLocked(envVar, val)
-		}
-		p = new(int)
-		setIntLocked(p, envVar, val)
-		regInt[envVar] = p
-	}
-	return func() int { return *p }
-}
-
 func setBoolLocked(p *bool, envVar, val string) {
 	noteEnvLocked(envVar, val)
 	if val == "" {
@@ -241,19 +221,6 @@ func setDurationLocked(p *time.Duration, envVar, val string) {
 	}
 }
 
-func setIntLocked(p *int, envVar, val string) {
-	noteEnvLocked(envVar, val)
-	if val == "" {
-		*p = 0
-		return
-	}
-	var err error
-	*p, err = strconv.Atoi(val)
-	if err != nil {
-		log.Fatalf("invalid int environment variable %s value %q", envVar, val)
-	}
-}
-
 // Bool returns the boolean value of the named environment variable.
 // If the variable is not set, it returns false.
 // An invalid value exits the binary with a failure.

flake.nix

@@ -108,11 +108,10 @@
           graphviz
           perl
           go_1_20
-          yarn
         ];
       };
     };
   in
     flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
-# nix-direnv cache busting line: sha256-LIvaxSo+4LuHUk8DIZ27IaRQwaDnjW6Jwm5AEc/V95A=
+# nix-direnv cache busting line: sha256-zyyqBRFPNPzPYCMgnbnOy5rb3fkn4XEHZlTlJvwqunM=

go.mod

@@ -85,7 +85,6 @@ require (
 	gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0
 	honnef.co/go/tools v0.4.0-0.dev.0.20230130122044-c30b15588105
 	inet.af/peercred v0.0.0-20210906144145-0893ea02156a
-	inet.af/tcpproxy v0.0.0-20221017015627-91f861402626
 	inet.af/wf v0.0.0-20220728202103-50d96caab2f6
 	k8s.io/api v0.25.0
 	k8s.io/apimachinery v0.25.0
@@ -305,7 +304,7 @@ require (
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a // indirect
-	golang.org/x/image v0.5.0 // indirect
+	golang.org/x/image v0.0.0-20201208152932-35266b937fa6 // indirect
 	golang.org/x/text v0.7.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect

go.mod.sri

@@ -1 +1 @@
-sha256-LIvaxSo+4LuHUk8DIZ27IaRQwaDnjW6Jwm5AEc/V95A=
+sha256-zyyqBRFPNPzPYCMgnbnOy5rb3fkn4XEHZlTlJvwqunM=

go.sum

@@ -126,7 +126,6 @@ github.com/aokoli/goutils v1.0.1/go.mod h1:SijmP0QR8LtwsmDs8Yii5Z/S4trXFGFC2oO5g
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
-github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a/go.mod h1:QmP9hvJ91BbJmGVGSbutW19IC0Q9phDCLGaomwTJbgU=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
@@ -1271,7 +1270,6 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
@@ -1359,9 +1357,8 @@ golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a h1:Jw5wfR+h9mnIYH
 golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/image v0.0.0-20201208152932-35266b937fa6 h1:nfeHNc1nAqecKCy2FCy4HY+soOOe5sDLJ/gZLbx6GYI=
 golang.org/x/image v0.0.0-20201208152932-35266b937fa6/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.5.0 h1:5JMiNunQeQw++mMOz48/ISeNu3Iweh/JaZU8ZLqHRrI=
-golang.org/x/image v0.5.0/go.mod h1:FVC7BI/5Ym8R25iw5OLsgshdUBbT1h5jZTpA+mvAdZ4=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1387,7 +1384,6 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA=
 golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1450,7 +1446,6 @@ golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -1483,7 +1478,6 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1592,10 +1586,8 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1733,7 +1725,6 @@ golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.6/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.8-0.20211102182255-bb4add04ddef/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.4.1-0.20221208213631-3f74d914ae6d h1:9ZNWAi4CYhNv60mXGgAncgq7SGc5qa7C8VZV8Tg7Ggs=
 golang.org/x/tools v0.4.1-0.20221208213631-3f74d914ae6d/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1948,8 +1939,6 @@ howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 inet.af/peercred v0.0.0-20210906144145-0893ea02156a h1:qdkS8Q5/i10xU2ArJMKYhVa1DORzBfYS/qA2UK2jheg=
 inet.af/peercred v0.0.0-20210906144145-0893ea02156a/go.mod h1:FjawnflS/udxX+SvpsMgZfdqx2aykOlkISeAsADi5IU=
-inet.af/tcpproxy v0.0.0-20221017015627-91f861402626 h1:2dMP3Ox/Wh5BiItwOt4jxRsfzkgyBrHzx2nW28Yg6nc=
-inet.af/tcpproxy v0.0.0-20221017015627-91f861402626/go.mod h1:Tojt5kmHpDIR2jMojxzZK2w2ZR7OILODmUo2gaSwjrk=
 inet.af/wf v0.0.0-20220728202103-50d96caab2f6 h1:BfgDtKnWJTeu+xI1aOEweXdPwqOhB3IbQUDj1XuftcY=
 inet.af/wf v0.0.0-20220728202103-50d96caab2f6/go.mod h1:bSAQ38BYbY68uwpasXOTZo22dKGy9SNvI6PZFeKomZE=
 k8s.io/api v0.25.0 h1:H+Q4ma2U/ww0iGB78ijZx6DRByPz6/733jIuFpX70e0=

go.toolchain.rev

@@ -1 +1 @@
-db4dc9046c93dde2c0e534ca7d529bd690ad09c9
+ec180cbca39fcb5dc420399b37583e53fcf382c9

hostinfo/hostinfo.go

@@ -36,7 +36,6 @@ func New() *tailcfg.Hostinfo {
 	return &tailcfg.Hostinfo{
 		IPNVersion:      version.Long(),
 		Hostname:        hostname,
-		App:             appTypeCached(),
 		OS:              version.OS(),
 		OSVersion:       GetOSVersion(),
 		Container:       lazyInContainer.Get(),
@@ -113,13 +112,6 @@ func GetOSVersion() string {
 	return ""
 }
 
-func appTypeCached() string {
-	if v, ok := appType.Load().(string); ok {
-		return v
-	}
-	return ""
-}
-
 func packageTypeCached() string {
 	if v, _ := packagingType.Load().(string); v != "" {
 		return v
@@ -167,7 +159,6 @@ var (
 	osVersionAtomic       atomic.Value // of string
 	desktopAtomic         atomic.Value // of opt.Bool
 	packagingType         atomic.Value // of string
-	appType               atomic.Value // of string
 )
 
 // SetPushDeviceToken sets the device token for use in Hostinfo updates.
@@ -185,11 +176,6 @@ func SetOSVersion(v string) { osVersionAtomic.Store(v) }
 // F-Droid build) and tsnet (set to "tsnet").
 func SetPackage(v string) { packagingType.Store(v) }
 
-// SetApp sets the app type for the app.
-// It is used by tsnet to specify what app is using it such as "golinks"
-// and "k8s-operator".
-func SetApp(v string) { appType.Store(v) }
-
 func deviceModel() string {
 	s, _ := deviceModelAtomic.Load().(string)
 	return s

ipn/ipnlocal/c2n.go

@@ -83,9 +83,6 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		writeJSON(res)
-	case "/sockstats":
-		w.Header().Set("Content-Type", "text/plain")
-		b.sockstatLogger.WriteLogs(w)
 	default:
 		http.Error(w, "unknown c2n path", http.StatusBadRequest)
 	}

ipn/ipnlocal/local.go

@@ -11,7 +11,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"log"
 	"net"
 	"net/http"
 	"net/http/httputil"
@@ -44,8 +43,6 @@ import (
 	"tailscale.com/ipn/ipnauth"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/policy"
-	"tailscale.com/log/sockstatlog"
-	"tailscale.com/logpolicy"
 	"tailscale.com/net/dns"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
@@ -152,23 +149,6 @@ type LocalBackend struct {
 	sshAtomicBool         atomic.Bool
 	shutdownCalled        bool // if Shutdown has been called
 	debugSink             *capture.Sink
-	sockstatLogger        *sockstatlog.Logger
-
-	// getTCPHandlerForFunnelFlow returns a handler for an incoming TCP flow for
-	// the provided srcAddr and dstPort if one exists.
-	//
-	// srcAddr is the source address of the flow, not the address of the Funnel
-	// node relaying the flow.
-	// dstPort is the destination port of the flow.
-	//
-	// It returns nil if there is no known handler for this flow.
-	//
-	// This is specifically used to handle TCP flows for Funnel connections to tsnet
-	// servers.
-	//
-	// It is set once during initialization, and can be nil if SetTCPHandlerForFunnelFlow
-	// is never called.
-	getTCPHandlerForFunnelFlow func(srcAddr netip.AddrPort, dstPort uint16) (handler func(net.Conn))
 
 	// lastProfileID tracks the last profile we've seen from the ProfileManager.
 	// It's used to detect when the user has changed their profile.
@@ -308,14 +288,6 @@ func NewLocalBackend(logf logger.Logf, logid string, store ipn.StateStore, diale
 		loginFlags:     loginFlags,
 	}
 
-	// for now, only log sockstats on unstable builds
-	if version.IsUnstableBuild() {
-		b.sockstatLogger, err = sockstatlog.NewLogger(logpolicy.LogsDir(logf), logf)
-		if err != nil {
-			b.logf("error setting up sockstat logger: %v", err)
-		}
-	}
-
 	// Default filter blocks everything and logs nothing, until Start() is called.
 	b.setFilter(filter.NewAllowNone(logf, &netipx.IPSet{}))
 
@@ -498,7 +470,6 @@ func (b *LocalBackend) linkChange(major bool, ifst *interfaces.State) {
 		case ipn.NoState, ipn.Stopped:
 			// Do nothing.
 		default:
-			b.logf("linkChange: calling b.authReconfig")
 			go b.authReconfig()
 		}
 	}
@@ -554,10 +525,6 @@ func (b *LocalBackend) Shutdown() {
 	}
 	b.mu.Unlock()
 
-	if b.sockstatLogger != nil {
-		b.sockstatLogger.Shutdown()
-	}
-
 	b.unregisterLinkMon()
 	b.unregisterHealthWatch()
 	if cc != nil {
@@ -840,7 +807,6 @@ func (b *LocalBackend) SetDecompressor(fn func() (controlclient.Decompressor, er
 // setClientStatus is the callback invoked by the control client whenever it posts a new status.
 // Among other things, this is where we update the netmap, packet filters, DNS and DERP maps.
 func (b *LocalBackend) setClientStatus(st controlclient.Status) {
-	b.logf("setClientStatus called")
 	// The following do not depend on any data for which we need to lock b.
 	if st.Err != nil {
 		// TODO(crawshaw): display in the UI.
@@ -854,7 +820,6 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 			s := uerr.UserVisibleError()
 			b.send(ipn.Notify{ErrMessage: &s})
 		}
-		b.logf("setClientStatus status send failed, returning")
 		return
 	}
 
@@ -890,7 +855,6 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 				// saved call (e.g. if we race stopping this
 				// timer).
 				if b.numClientStatusCalls.Load() != currCall {
-					b.logf("setClientStatus b.numClientStatusCalls.Load, returning")
 					return
 				}
 
@@ -924,11 +888,8 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 	if st.LoginFinished != nil && wasBlocked {
 		// Auth completed, unblock the engine
 		b.blockEngineUpdates(false)
-		b.logf("ipnlocal: blockEngineUpdates returned")
 		b.authReconfig()
-		b.logf("ipnlocal: b.authReconfig returned")
 		b.send(ipn.Notify{LoginFinished: &empty.Message{}})
-		b.logf("ipnlocal: ipn.Notify returned")
 	}
 
 	// Lock b once and do only the things that require locking.
@@ -2559,6 +2520,9 @@ func (b *LocalBackend) checkSSHPrefsLocked(p *ipn.Prefs) error {
 		if version.IsSandboxedMacOS() {
 			return errors.New("The Tailscale SSH server does not run in sandboxed Tailscale GUI builds.")
 		}
+		if !envknob.UseWIPCode() {
+			return errors.New("The Tailscale SSH server is disabled on macOS tailscaled by default. To try, set env TAILSCALE_USE_WIP_CODE=1")
+		}
 	case "freebsd", "openbsd":
 	default:
 		return errors.New("The Tailscale SSH server is not supported on " + runtime.GOOS)
@@ -2771,9 +2735,7 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) ipn
 	if oldp.WantRunning() != newp.WantRunning {
 		b.stateMachine()
 	} else {
-		b.logf("setPrefsLockedOnEntry: calling b.authReconfig")
 		b.authReconfig()
-		b.logf("setPrefsLockedOnEntry: b.authReconfig returned")
 	}
 
 	b.send(ipn.Notify{Prefs: &prefs})
@@ -2902,28 +2864,24 @@ func (b *LocalBackend) blockEngineUpdates(block bool) {
 // updates are not currently blocked, based on the cached netmap and
 // user prefs.
 func (b *LocalBackend) authReconfig() {
-	b.logf("authReconfig: starting.")
 	b.mu.Lock()
-	b.logf("authReconfig: Lock acquired.")
 	blocked := b.blocked
 	prefs := b.pm.CurrentPrefs()
-	b.logf("authReconfig: CurrentPrefs returned.")
 	nm := b.netMap
 	hasPAC := b.prevIfState.HasPAC()
-	b.logf("authReconfig: HasPAC returned.")
 	disableSubnetsIfPAC := nm != nil && nm.Debug != nil && nm.Debug.DisableSubnetsIfPAC.EqualBool(true)
 	b.mu.Unlock()
 
 	if blocked {
-		b.logf("authReconfig: blocked, skipping.")
+		b.logf("[v1] authReconfig: blocked, skipping.")
 		return
 	}
 	if nm == nil {
-		b.logf("authReconfig: netmap not yet valid. Skipping.")
+		b.logf("[v1] authReconfig: netmap not yet valid. Skipping.")
 		return
 	}
 	if !prefs.WantRunning() {
-		b.logf("authReconfig: skipping because !WantRunning.")
+		b.logf("[v1] authReconfig: skipping because !WantRunning.")
 		return
 	}
 
@@ -2940,7 +2898,6 @@ func (b *LocalBackend) authReconfig() {
 			flags &^= netmap.AllowSubnetRoutes
 		}
 	}
-	b.logf("authReconfig: bitfields finished.")
 
 	// Keep the dialer updated about whether we're supposed to use
 	// an exit node's DNS server (so SOCKS5/HTTP outgoing dials
@@ -2950,31 +2907,24 @@ func (b *LocalBackend) authReconfig() {
 	} else {
 		b.dialer.SetExitDNSDoH("")
 	}
-	b.logf("authReconfig: exitNodeCanProxyDNS returned.")
 
 	cfg, err := nmcfg.WGCfg(nm, b.logf, flags, prefs.ExitNodeID())
 	if err != nil {
 		b.logf("wgcfg: %v", err)
 		return
 	}
-	b.logf("authReconfig: WGCfg exit node returned.")
 
 	oneCGNATRoute := shouldUseOneCGNATRoute(nm, b.logf, version.OS())
-	b.logf("authReconfig: shouldUseOneCGNATRoute.")
 	rcfg := b.routerConfig(cfg, prefs, oneCGNATRoute)
-	b.logf("authReconfig: routerConfig oneCGNATRoute.")
 	dcfg := dnsConfigForNetmap(nm, prefs, b.logf, version.OS())
-	b.logf("authReconfig: dnsConfigForNetmap.")
 
 	err = b.e.Reconfig(cfg, rcfg, dcfg, nm.Debug)
 	if err == wgengine.ErrNoChanges {
-		b.logf("authReconfig: wgengine.ErrNoChanges.")
 		return
 	}
-	b.logf("authReconfig: ra=%v dns=%v 0x%02x: %v", prefs.RouteAll(), prefs.CorpDNS(), flags, err)
+	b.logf("[v1] authReconfig: ra=%v dns=%v 0x%02x: %v", prefs.RouteAll(), prefs.CorpDNS(), flags, err)
 
 	b.initPeerAPIListener()
-	b.logf("authReconfig: b.initPeerAPIListener.")
 }
 
 // shouldUseOneCGNATRoute reports whether we should prefer to make one big
@@ -3167,12 +3117,6 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs ipn.PrefsView, logf logger.
 	return dcfg
 }
 
-// SetTCPHandlerForFunnelFlow sets the TCP handler for Funnel flows.
-// It should only be called before the LocalBackend is used.
-func (b *LocalBackend) SetTCPHandlerForFunnelFlow(h func(src netip.AddrPort, dstPort uint16) (handler func(net.Conn))) {
-	b.getTCPHandlerForFunnelFlow = h
-}
-
 // SetVarRoot sets the root directory of Tailscale's writable
 // storage area . (e.g. "/var/lib/tailscale")
 //
@@ -3382,7 +3326,7 @@ var (
 // peerRoutes returns the routerConfig.Routes to access peers.
 // If there are over cgnatThreshold CGNAT routes, one big CGNAT route
 // is used instead.
-func peerRoutes(logf logger.Logf, peers []wgcfg.Peer, cgnatThreshold int) (routes []netip.Prefix) {
+func peerRoutes(peers []wgcfg.Peer, cgnatThreshold int) (routes []netip.Prefix) {
 	tsULA := tsaddr.TailscaleULARange()
 	cgNAT := tsaddr.CGNATRange()
 	var didULA bool
@@ -3390,18 +3334,6 @@ func peerRoutes(logf logger.Logf, peers []wgcfg.Peer, cgnatThreshold int) (route
 	for _, peer := range peers {
 		for _, aip := range peer.AllowedIPs {
 			aip = unmapIPPrefix(aip)
-
-			// Ensure that we're only accepting properly-masked
-			// prefixes; the control server should be masking
-			// these, so if we get them, skip.
-			if mm := aip.Masked(); aip != mm {
-				// To avoid a DoS where a peer could cause all
-				// reconfigs to fail by sending a bad prefix, we just
-				// skip, but don't error, on an unmasked route.
-				logf("advertised route %s from %s has non-address bits set; expected %s", aip, peer.PublicKey.ShortString(), mm)
-				continue
-			}
-
 			// Only add the Tailscale IPv6 ULA once, if we see anybody using part of it.
 			if aip.Addr().Is6() && aip.IsSingleIP() && tsULA.Contains(aip.Addr()) {
 				if !didULA {
@@ -3434,13 +3366,12 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs ipn.PrefsView, oneC
 	if oneCGNATRoute {
 		singleRouteThreshold = 1
 	}
-
 	rs := &router.Config{
 		LocalAddrs:       unmapIPPrefixes(cfg.Addresses),
 		SubnetRoutes:     unmapIPPrefixes(prefs.AdvertiseRoutes().AsSlice()),
 		SNATSubnetRoutes: !prefs.NoSNAT(),
 		NetfilterMode:    prefs.NetfilterMode(),
-		Routes:           peerRoutes(b.logf, cfg.Peers, singleRouteThreshold),
+		Routes:           peerRoutes(cfg.Peers, singleRouteThreshold),
 	}
 
 	if distro.Get() == distro.Synology {
@@ -3593,12 +3524,9 @@ func (b *LocalBackend) enterStateLockedOnEntry(newState ipn.State) {
 			systemd.Status("Stopped; run 'tailscale up' to log in")
 		}
 	case ipn.Starting, ipn.NeedsMachineAuth:
-		b.logf("enterStateLockedOnEntry: ipn.Starting, ipn.NeedsMachineAuth")
 		b.authReconfig()
-		b.logf("enterStateLockedOnEntry: authReconfig returned")
 		// Needed so that UpdateEndpoints can run
 		b.e.RequestStatus()
-		b.logf("enterStateLockedOnEntry: b.e.RequestStatus returned")
 	case ipn.Running:
 		var addrs []string
 		for _, addr := range netMap.Addresses {
@@ -3741,21 +3669,6 @@ func (b *LocalBackend) resetControlClientLockedAsync() {
 	if b.cc == nil {
 		return
 	}
-
-	// When we clear the control client, stop any outstanding netmap expiry
-	// timer; synthesizing a new netmap while we don't have a control
-	// client will break things.
-	//
-	// See https://github.com/tailscale/tailscale/issues/7392
-	if b.nmExpiryTimer != nil {
-		b.nmExpiryTimer.Stop()
-		b.nmExpiryTimer = nil
-
-		// Also bump the epoch to ensure that if the timer started, it
-		// will abort.
-		b.numClientStatusCalls.Add(1)
-	}
-
 	go b.cc.Shutdown()
 	b.cc = nil
 	b.ccAuto = nil
@@ -3895,7 +3808,6 @@ func (b *LocalBackend) updatePersistFromNetMapLocked(nm *netmap.NetworkMap, pref
 }
 
 func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
-	b.logf("setNetMapLocked")
 	b.dialer.SetNetMap(nm)
 	var login string
 	if nm != nil {
@@ -4545,7 +4457,6 @@ type keyProvingNoiseRoundTripper struct {
 }
 
 func (n keyProvingNoiseRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
-	log.Println("RoundTrip")
 	b := n.b
 
 	var priv key.NodePrivate
@@ -4829,9 +4740,6 @@ func (b *LocalBackend) initTKALocked() error {
 		if err != nil {
 			return fmt.Errorf("initializing tka: %v", err)
 		}
-		if err := authority.Compact(storage, tkaCompactionDefaults); err != nil {
-			b.logf("tka compaction failed: %v", err)
-		}
 
 		b.tka = &tkaState{
 			profile:   cp.ID,
@@ -4846,7 +4754,6 @@ func (b *LocalBackend) initTKALocked() error {
 
 // resetForProfileChangeLockedOnEntry resets the backend for a profile change.
 func (b *LocalBackend) resetForProfileChangeLockedOnEntry() error {
-	b.logf("resetForProfileChangeLockedOnEntry")
 	b.setNetMapLocked(nil) // Reset netmap.
 	// Reset the NetworkMap in the engine
 	b.e.SetNetworkMap(new(netmap.NetworkMap))
@@ -4905,7 +4812,6 @@ func (b *LocalBackend) ListProfiles() []ipn.LoginProfile {
 // backend is left with a new profile, ready for StartLoginInterative to be
 // called to register it as new node.
 func (b *LocalBackend) ResetAuth() error {
-	b.logf("ResetAuth")
 	b.mu.Lock()
 	b.resetControlClientLockedAsync()
 	if err := b.clearMachineKeyLocked(); err != nil {
@@ -4960,26 +4866,3 @@ func (b *LocalBackend) StreamDebugCapture(ctx context.Context, w io.Writer) erro
 	}
 	return nil
 }
-
-func (b *LocalBackend) GetPeerEndpointChanges(ctx context.Context, ip netip.Addr) ([]magicsock.EndpointChange, error) {
-	b.logf("GetPeerEndpointChanges")
-	pip, ok := b.e.PeerForIP(ip)
-	if !ok {
-		return nil, fmt.Errorf("no matching peer")
-	}
-	if pip.IsSelf {
-		return nil, fmt.Errorf("%v is local Tailscale IP", ip)
-	}
-	peer := pip.Node
-
-	mc, err := b.magicConn()
-	if err != nil {
-		return nil, fmt.Errorf("getting magicsock conn: %w", err)
-	}
-
-	chs, err := mc.GetEndpointChanges(peer)
-	if err != nil {
-		return nil, fmt.Errorf("getting endpoint changes: %w", err)
-	}
-	return chs, nil
-}

ipn/ipnlocal/local_test.go

@@ -21,7 +21,6 @@ import (
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstest"
-	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/wgengine"
@@ -334,25 +333,10 @@ func TestPeerRoutes(t *testing.T) {
 				pp("100.64.0.2/32"),
 			},
 		},
-		{
-			name: "skip-unmasked-prefixes",
-			peers: []wgcfg.Peer{
-				{
-					PublicKey: key.NewNode().Public(),
-					AllowedIPs: []netip.Prefix{
-						pp("100.64.0.2/32"),
-						pp("10.0.0.100/16"),
-					},
-				},
-			},
-			want: []netip.Prefix{
-				pp("100.64.0.2/32"),
-			},
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := peerRoutes(t.Logf, tt.peers, 2)
+			got := peerRoutes(tt.peers, 2)
 			if !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("got = %v; want %v", got, tt.want)
 			}
@@ -497,7 +481,8 @@ func (panicOnUseTransport) RoundTrip(*http.Request) (*http.Response, error) {
 
 // Issue 1573: don't generate a machine key if we don't want to be running.
 func TestLazyMachineKeyGeneration(t *testing.T) {
-	tstest.Replace(t, &panicOnMachineKeyGeneration, func() bool { return true })
+	defer func(old func() bool) { panicOnMachineKeyGeneration = old }(panicOnMachineKeyGeneration)
+	panicOnMachineKeyGeneration = func() bool { return true }
 
 	var logf logger.Logf = logger.Discard
 	store := new(mem.Store)

ipn/ipnlocal/loglines_test.go

@@ -11,11 +11,11 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/store/mem"
+	"tailscale.com/logtail"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstest"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
-	"tailscale.com/types/logid"
 	"tailscale.com/types/persist"
 	"tailscale.com/wgengine"
 )
@@ -37,8 +37,8 @@ func TestLocalLogLines(t *testing.T) {
 	// This lets the logListen tracker verify that the rate-limiter allows these key lines.
 	logf := logger.RateLimitedFnWithClock(logListen.Logf, 5*time.Second, 0, 10, time.Now)
 
-	logid := func(hex byte) logid.PublicID {
-		var ret logid.PublicID
+	logid := func(hex byte) logtail.PublicID {
+		var ret logtail.PublicID
 		for i := 0; i < len(ret); i++ {
 			ret[i] = hex
 		}

ipn/ipnlocal/network-lock.go

@@ -6,9 +6,7 @@ package ipnlocal
 import (
 	"bytes"
 	"context"
-	"crypto/ed25519"
 	"crypto/rand"
-	"encoding/base64"
 	"encoding/binary"
 	"encoding/json"
 	"errors"
@@ -39,11 +37,6 @@ import (
 var (
 	errMissingNetmap        = errors.New("missing netmap: verify that you are logged in")
 	errNetworkLockNotActive = errors.New("network-lock is not active")
-
-	tkaCompactionDefaults = tka.CompactionOptions{
-		MinChain: 24,                  // Keep at minimum 24 AUMs since head.
-		MinAge:   14 * 24 * time.Hour, // Keep 2 weeks of AUMs.
-	}
 )
 
 type tkaState struct {
@@ -106,7 +99,6 @@ func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
 					ID:           p.ID,
 					StableID:     p.StableID,
 					TailscaleIPs: make([]netip.Addr, len(p.Addresses)),
-					NodeKey:      p.Key,
 				}
 				for i, addr := range p.Addresses {
 					if addr.IsSingleIP() && tsaddr.IsTailscaleIP(addr.Addr()) {
@@ -792,98 +784,6 @@ func (b *LocalBackend) NetworkLockLog(maxEntries int) ([]ipnstate.NetworkLockUpd
 	return out, nil
 }
 
-// NetworkLockAffectedSigs returns the signatures which would be invalidated
-// by removing trust in the specified KeyID.
-func (b *LocalBackend) NetworkLockAffectedSigs(keyID tkatype.KeyID) ([]tkatype.MarshaledSignature, error) {
-	var (
-		ourNodeKey key.NodePublic
-		err        error
-	)
-	b.mu.Lock()
-	if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist().Valid() && !p.Persist().PrivateNodeKey().IsZero() {
-		ourNodeKey = p.Persist().PublicNodeKey()
-	}
-	if b.tka == nil {
-		err = errNetworkLockNotActive
-	}
-	b.mu.Unlock()
-	if err != nil {
-		return nil, err
-	}
-
-	resp, err := b.tkaReadAffectedSigs(ourNodeKey, keyID)
-	if err != nil {
-		return nil, err
-	}
-
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.tka == nil {
-		return nil, errNetworkLockNotActive
-	}
-
-	// Confirm for ourselves tha the signatures would actually be invalidated
-	// by removal of trusted in the specified key.
-	for i, sigBytes := range resp.Signatures {
-		var sig tka.NodeKeySignature
-		if err := sig.Unserialize(sigBytes); err != nil {
-			return nil, fmt.Errorf("failed decoding signature %d: %w", i, err)
-		}
-
-		sigKeyID, err := sig.UnverifiedAuthorizingKeyID()
-		if err != nil {
-			return nil, fmt.Errorf("extracting SigID from signature %d: %w", i, err)
-		}
-		if !bytes.Equal(keyID, sigKeyID) {
-			return nil, fmt.Errorf("got signature with keyID %X from request for %X", sigKeyID, keyID)
-		}
-
-		var nodeKey key.NodePublic
-		if err := nodeKey.UnmarshalBinary(sig.Pubkey); err != nil {
-			return nil, fmt.Errorf("failed decoding pubkey for signature %d: %w", i, err)
-		}
-		if err := b.tka.authority.NodeKeyAuthorized(nodeKey, sigBytes); err != nil {
-			return nil, fmt.Errorf("signature %d is not valid: %w", i, err)
-		}
-	}
-
-	return resp.Signatures, nil
-}
-
-var tkaSuffixEncoder = base64.RawStdEncoding
-
-// NetworkLockWrapPreauthKey wraps a pre-auth key with information to
-// enable unattended bringup in the locked tailnet.
-//
-// The provided trusted tailnet-lock key is used to sign
-// a SigCredential structure, which is encoded along with the
-// private key and appended to the pre-auth key.
-func (b *LocalBackend) NetworkLockWrapPreauthKey(preauthKey string, tkaKey key.NLPrivate) (string, error) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.tka == nil {
-		return "", errNetworkLockNotActive
-	}
-
-	pub, priv, err := ed25519.GenerateKey(nil) // nil == crypto/rand
-	if err != nil {
-		return "", err
-	}
-
-	sig := tka.NodeKeySignature{
-		SigKind:        tka.SigCredential,
-		KeyID:          tkaKey.KeyID(),
-		WrappingPubkey: pub,
-	}
-	sig.Signature, err = tkaKey.SignNKS(sig.SigHash())
-	if err != nil {
-		return "", fmt.Errorf("signing failed: %w", err)
-	}
-
-	b.logf("Generated network-lock credential signature using %s", tkaKey.Public().CLIString())
-	return fmt.Sprintf("%s--TL%s-%s", preauthKey, tkaSuffixEncoder.EncodeToString(sig.Serialize()), tkaSuffixEncoder.EncodeToString(priv)), nil
-}
-
 func signNodeKey(nodeInfo tailcfg.TKASignInfo, signer key.NLPrivate) (*tka.NodeKeySignature, error) {
 	p, err := nodeInfo.NodePublic.MarshalBinary()
 	if err != nil {
@@ -1210,39 +1110,3 @@ func (b *LocalBackend) tkaSubmitSignature(ourNodeKey key.NodePublic, sig tkatype
 
 	return a, nil
 }
-
-func (b *LocalBackend) tkaReadAffectedSigs(ourNodeKey key.NodePublic, key tkatype.KeyID) (*tailcfg.TKASignaturesUsingKeyResponse, error) {
-	var encodedReq bytes.Buffer
-	if err := json.NewEncoder(&encodedReq).Encode(tailcfg.TKASignaturesUsingKeyRequest{
-		Version: tailcfg.CurrentCapabilityVersion,
-		NodeKey: ourNodeKey,
-		KeyID:   key,
-	}); err != nil {
-		return nil, fmt.Errorf("encoding request: %v", err)
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-	defer cancel()
-
-	req, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/affected-sigs", &encodedReq)
-	if err != nil {
-		return nil, fmt.Errorf("req: %w", err)
-	}
-	resp, err := b.DoNoiseRequest(req)
-	if err != nil {
-		return nil, fmt.Errorf("resp: %w", err)
-	}
-	if resp.StatusCode != 200 {
-		body, _ := io.ReadAll(resp.Body)
-		resp.Body.Close()
-		return nil, fmt.Errorf("request returned (%d): %s", resp.StatusCode, string(body))
-	}
-	a := new(tailcfg.TKASignaturesUsingKeyResponse)
-	err = json.NewDecoder(&io.LimitedReader{R: resp.Body, N: 1024 * 1024}).Decode(a)
-	resp.Body.Close()
-	if err != nil {
-		return nil, fmt.Errorf("decoding JSON: %w", err)
-	}
-
-	return a, nil
-}

ipn/ipnlocal/network-lock_test.go

@@ -7,7 +7,6 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
-	"fmt"
 	"net"
 	"net/http"
 	"net/http/httptest"
@@ -878,135 +877,3 @@ func TestTKAForceDisable(t *testing.T) {
 		t.Fatal("tka was re-initalized")
 	}
 }
-
-func TestTKAAffectedSigs(t *testing.T) {
-	nodePriv := key.NewNode()
-	// toSign := key.NewNode()
-	nlPriv := key.NewNLPrivate()
-
-	pm := must.Get(newProfileManager(new(mem.Store), t.Logf))
-	must.Do(pm.SetPrefs((&ipn.Prefs{
-		Persist: &persist.Persist{
-			PrivateNodeKey: nodePriv,
-			NetworkLockKey: nlPriv,
-		},
-	}).View()))
-
-	// Make a fake TKA authority, to seed local state.
-	disablementSecret := bytes.Repeat([]byte{0xa5}, 32)
-	tkaKey := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
-
-	temp := t.TempDir()
-	tkaPath := filepath.Join(temp, "tka-profile", string(pm.CurrentProfile().ID))
-	os.Mkdir(tkaPath, 0755)
-	chonk, err := tka.ChonkDir(tkaPath)
-	if err != nil {
-		t.Fatal(err)
-	}
-	authority, _, err := tka.Create(chonk, tka.State{
-		Keys:               []tka.Key{tkaKey},
-		DisablementSecrets: [][]byte{tka.DisablementKDF(disablementSecret)},
-	}, nlPriv)
-	if err != nil {
-		t.Fatalf("tka.Create() failed: %v", err)
-	}
-
-	untrustedKey := key.NewNLPrivate()
-	tcs := []struct {
-		name    string
-		makeSig func() *tka.NodeKeySignature
-		wantErr string
-	}{
-		{
-			"no error",
-			func() *tka.NodeKeySignature {
-				sig, _ := signNodeKey(tailcfg.TKASignInfo{NodePublic: nodePriv.Public()}, nlPriv)
-				return sig
-			},
-			"",
-		},
-		{
-			"signature for different keyID",
-			func() *tka.NodeKeySignature {
-				sig, _ := signNodeKey(tailcfg.TKASignInfo{NodePublic: nodePriv.Public()}, untrustedKey)
-				return sig
-			},
-			fmt.Sprintf("got signature with keyID %X from request for %X", untrustedKey.KeyID(), nlPriv.KeyID()),
-		},
-		{
-			"invalid signature",
-			func() *tka.NodeKeySignature {
-				sig, _ := signNodeKey(tailcfg.TKASignInfo{NodePublic: nodePriv.Public()}, nlPriv)
-				copy(sig.Signature, []byte{1, 2, 3, 4, 5, 6}) // overwrite with trash to invalid signature
-				return sig
-			},
-			"signature 0 is not valid: invalid signature",
-		},
-	}
-
-	for _, tc := range tcs {
-		t.Run(tc.name, func(t *testing.T) {
-			s := tc.makeSig()
-			ts, client := fakeNoiseServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				defer r.Body.Close()
-				switch r.URL.Path {
-				case "/machine/tka/affected-sigs":
-					body := new(tailcfg.TKASignaturesUsingKeyRequest)
-					if err := json.NewDecoder(r.Body).Decode(body); err != nil {
-						t.Fatal(err)
-					}
-					if body.Version != tailcfg.CurrentCapabilityVersion {
-						t.Errorf("sign CapVer = %v, want %v", body.Version, tailcfg.CurrentCapabilityVersion)
-					}
-					if body.NodeKey != nodePriv.Public() {
-						t.Errorf("nodeKey = %v, want %v", body.NodeKey, nodePriv.Public())
-					}
-
-					w.WriteHeader(200)
-					if err := json.NewEncoder(w).Encode(tailcfg.TKASignaturesUsingKeyResponse{
-						Signatures: []tkatype.MarshaledSignature{s.Serialize()},
-					}); err != nil {
-						t.Fatal(err)
-					}
-
-				default:
-					t.Errorf("unhandled endpoint path: %v", r.URL.Path)
-					w.WriteHeader(404)
-				}
-			}))
-			defer ts.Close()
-			cc := fakeControlClient(t, client)
-			b := LocalBackend{
-				varRoot: temp,
-				cc:      cc,
-				ccAuto:  cc,
-				logf:    t.Logf,
-				tka: &tkaState{
-					authority: authority,
-					storage:   chonk,
-				},
-				pm:    pm,
-				store: pm.Store(),
-			}
-
-			sigs, err := b.NetworkLockAffectedSigs(nlPriv.KeyID())
-			switch {
-			case tc.wantErr == "" && err != nil:
-				t.Errorf("NetworkLockAffectedSigs() failed: %v", err)
-			case tc.wantErr != "" && err == nil:
-				t.Errorf("NetworkLockAffectedSigs().err = nil, want %q", tc.wantErr)
-			case tc.wantErr != "" && err.Error() != tc.wantErr:
-				t.Errorf("NetworkLockAffectedSigs().err = %q, want %q", err.Error(), tc.wantErr)
-			}
-
-			if tc.wantErr == "" {
-				if len(sigs) != 1 {
-					t.Fatalf("len(sigs) = %d, want 1", len(sigs))
-				}
-				if !bytes.Equal(s.Serialize(), sigs[0]) {
-					t.Errorf("unexpected signature: got %v, want %v", sigs[0], s.Serialize())
-				}
-			}
-		})
-	}
-}

ipn/ipnlocal/peerapi.go

@@ -45,7 +45,6 @@ import (
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/netaddr"
 	"tailscale.com/net/netutil"
-	"tailscale.com/net/sockstats"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/multierr"
@@ -710,8 +709,6 @@ func (h *peerAPIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	case "/v0/doctor":
 		h.handleServeDoctor(w, r)
-	case "/v0/sockstats":
-		h.handleServeSockStats(w, r)
 		return
 	case "/v0/ingress":
 		metricIngressCalls.Add(1)
@@ -761,12 +758,12 @@ func (h *peerAPIHandler) handleServeIngress(w http.ResponseWriter, r *http.Reque
 		bad("Tailscale-Ingress-Src header invalid; want ip:port")
 		return
 	}
-	target := ipn.HostPort(r.Header.Get("Tailscale-Ingress-Target"))
+	target := r.Header.Get("Tailscale-Ingress-Target")
 	if target == "" {
 		bad("Tailscale-Ingress-Target header not set")
 		return
 	}
-	if _, _, err := net.SplitHostPort(string(target)); err != nil {
+	if _, _, err := net.SplitHostPort(target); err != nil {
 		bad("Tailscale-Ingress-Target header invalid; want host:port")
 		return
 	}
@@ -779,17 +776,13 @@ func (h *peerAPIHandler) handleServeIngress(w http.ResponseWriter, r *http.Reque
 			return nil, false
 		}
 		io.WriteString(conn, "HTTP/1.1 101 Switching Protocols\r\n\r\n")
-		return &ipn.FunnelConn{
-			Conn:   conn,
-			Src:    srcAddr,
-			Target: target,
-		}, true
+		return conn, true
 	}
 	sendRST := func() {
 		http.Error(w, "denied", http.StatusForbidden)
 	}
 
-	h.ps.b.HandleIngressTCPConn(h.peerNode, target, srcAddr, getConn, sendRST)
+	h.ps.b.HandleIngressTCPConn(h.peerNode, ipn.HostPort(target), srcAddr, getConn, sendRST)
 }
 
 func (h *peerAPIHandler) handleServeInterfaces(w http.ResponseWriter, r *http.Request) {
@@ -857,93 +850,6 @@ func (h *peerAPIHandler) handleServeDoctor(w http.ResponseWriter, r *http.Reques
 	fmt.Fprintln(w, "</pre>")
 }
 
-func (h *peerAPIHandler) handleServeSockStats(w http.ResponseWriter, r *http.Request) {
-	if !h.canDebug() {
-		http.Error(w, "denied; no debug access", http.StatusForbidden)
-		return
-	}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	fmt.Fprintln(w, "<!DOCTYPE html><h1>Socket Stats</h1>")
-
-	stats, interfaceStats, validation := sockstats.Get(), sockstats.GetInterfaces(), sockstats.GetValidation()
-	if stats == nil {
-		fmt.Fprintln(w, "No socket stats available")
-		return
-	}
-
-	fmt.Fprintln(w, "<table border='1' cellspacing='0' style='border-collapse: collapse;'>")
-	fmt.Fprintln(w, "<thead>")
-	fmt.Fprintln(w, "<th>Label</th>")
-	fmt.Fprintln(w, "<th>Tx</th>")
-	fmt.Fprintln(w, "<th>Rx</th>")
-	for _, iface := range interfaceStats.Interfaces {
-		fmt.Fprintf(w, "<th>Tx (%s)</th>", html.EscapeString(iface))
-		fmt.Fprintf(w, "<th>Rx (%s)</th>", html.EscapeString(iface))
-	}
-	fmt.Fprintln(w, "<th>Validation</th>")
-	fmt.Fprintln(w, "</thead>")
-
-	fmt.Fprintln(w, "<tbody>")
-	labels := make([]sockstats.Label, 0, len(stats.Stats))
-	for label := range stats.Stats {
-		labels = append(labels, label)
-	}
-	slices.SortFunc(labels, func(a, b sockstats.Label) bool {
-		return a.String() < b.String()
-	})
-
-	txTotal := uint64(0)
-	rxTotal := uint64(0)
-	txTotalByInterface := map[string]uint64{}
-	rxTotalByInterface := map[string]uint64{}
-
-	for _, label := range labels {
-		stat := stats.Stats[label]
-		fmt.Fprintln(w, "<tr>")
-		fmt.Fprintf(w, "<td>%s</td>", html.EscapeString(label.String()))
-		fmt.Fprintf(w, "<td align=right>%d</td>", stat.TxBytes)
-		fmt.Fprintf(w, "<td align=right>%d</td>", stat.RxBytes)
-
-		txTotal += stat.TxBytes
-		rxTotal += stat.RxBytes
-
-		if interfaceStat, ok := interfaceStats.Stats[label]; ok {
-			for _, iface := range interfaceStats.Interfaces {
-				fmt.Fprintf(w, "<td align=right>%d</td>", interfaceStat.TxBytesByInterface[iface])
-				fmt.Fprintf(w, "<td align=right>%d</td>", interfaceStat.RxBytesByInterface[iface])
-				txTotalByInterface[iface] += interfaceStat.TxBytesByInterface[iface]
-				rxTotalByInterface[iface] += interfaceStat.RxBytesByInterface[iface]
-			}
-		}
-
-		if validationStat, ok := validation.Stats[label]; ok && (validationStat.RxBytes > 0 || validationStat.TxBytes > 0) {
-			fmt.Fprintf(w, "<td>Tx=%d (%+d) Rx=%d (%+d)</td>",
-				validationStat.TxBytes,
-				int64(validationStat.TxBytes)-int64(stat.TxBytes),
-				validationStat.RxBytes,
-				int64(validationStat.RxBytes)-int64(stat.RxBytes))
-		} else {
-			fmt.Fprintln(w, "<td></td>")
-		}
-
-		fmt.Fprintln(w, "</tr>")
-	}
-	fmt.Fprintln(w, "</tbody>")
-
-	fmt.Fprintln(w, "<tfoot>")
-	fmt.Fprintln(w, "<th>Total</th>")
-	fmt.Fprintf(w, "<th>%d</th>", txTotal)
-	fmt.Fprintf(w, "<th>%d</th>", rxTotal)
-	for _, iface := range interfaceStats.Interfaces {
-		fmt.Fprintf(w, "<th>%d</th>", txTotalByInterface[iface])
-		fmt.Fprintf(w, "<th>%d</th>", rxTotalByInterface[iface])
-	}
-	fmt.Fprintln(w, "<th></th>")
-	fmt.Fprintln(w, "</tfoot>")
-
-	fmt.Fprintln(w, "</table>")
-}
-
 type incomingFile struct {
 	name        string // "foo.jpg"
 	started     time.Time

ipn/ipnlocal/profiles.go

@@ -534,7 +534,7 @@ func newProfileManagerWithGOOS(store ipn.StateStore, logf logger.Logf, goos stri
 		if err := pm.setPrefsLocked(prefs); err != nil {
 			return nil, err
 		}
-	} else if len(knownProfiles) == 0 && goos != "windows" {
+	} else if len(knownProfiles) == 0 {
 		// No known profiles, try a migration.
 		if err := pm.migrateFromLegacyPrefs(); err != nil {
 			return nil, err

ipn/ipnlocal/serve.go

@@ -281,22 +281,9 @@ func (b *LocalBackend) HandleIngressTCPConn(ingressPeer *tailcfg.Node, target ip
 		sendRST()
 		return
 	}
-	dport := uint16(port16)
-	if b.getTCPHandlerForFunnelFlow != nil {
-		handler := b.getTCPHandlerForFunnelFlow(srcAddr, dport)
-		if handler != nil {
-			c, ok := getConn()
-			if !ok {
-				b.logf("localbackend: getConn didn't complete from %v to port %v", srcAddr, dport)
-				return
-			}
-			handler(c)
-			return
-		}
-	}
 	// TODO(bradfitz): pass ingressPeer etc in context to HandleInterceptedTCPConn,
 	// extend serveHTTPContext or similar.
-	b.HandleInterceptedTCPConn(dport, srcAddr, getConn, sendRST)
+	b.HandleInterceptedTCPConn(uint16(port16), srcAddr, getConn, sendRST)
 }
 
 func (b *LocalBackend) HandleInterceptedTCPConn(dport uint16, srcAddr netip.AddrPort, getConn func() (net.Conn, bool), sendRST func()) {

ipn/ipnstate/ipnstate.go

@@ -88,7 +88,6 @@ type TKAFilteredPeer struct {
 	ID           tailcfg.NodeID
 	StableID     tailcfg.StableNodeID
 	TailscaleIPs []netip.Addr // Tailscale IP(s) assigned to this node
-	NodeKey      key.NodePublic
 }
 
 // NetworkLockStatus represents whether network-lock is enabled,

ipn/ipnstate/ipnstate_clone.go

@@ -9,7 +9,6 @@ import (
 	"net/netip"
 
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
 )
 
 // Clone makes a deep copy of TKAFilteredPeer.
@@ -30,5 +29,4 @@ var _TKAFilteredPeerCloneNeedsRegeneration = TKAFilteredPeer(struct {
 	ID           tailcfg.NodeID
 	StableID     tailcfg.StableNodeID
 	TailscaleIPs []netip.Addr
-	NodeKey      key.NodePublic
 }{})

ipn/localapi/debugderp.go

@@ -4,17 +4,13 @@
 package localapi
 
 import (
-	"crypto/tls"
 	"encoding/json"
 	"fmt"
-	"net"
 	"net/http"
 	"strconv"
 
-	"tailscale.com/derp/derphttp"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
 )
 
 func (h *Handler) serveDebugDERPRegion(w http.ResponseWriter, r *http.Request) {
@@ -55,9 +51,6 @@ func (h *Handler) serveDebugDERPRegion(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	st.Info = append(st.Info, fmt.Sprintf("Region %v == %q", reg.RegionID, reg.RegionCode))
-	if len(dm.Regions) == 1 {
-		st.Warnings = append(st.Warnings, "Having only a single DERP region (i.e. removing the default Tailscale-provided regions) is a single point of failure and could hamper connectivity")
-	}
 
 	if reg.Avoid {
 		st.Warnings = append(st.Warnings, "Region is marked with Avoid bit")
@@ -67,120 +60,10 @@ func (h *Handler) serveDebugDERPRegion(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	ctx := r.Context()
-
-	var (
-		dialer net.Dialer
-		client *http.Client = http.DefaultClient
-	)
-	checkConn := func(derpNode *tailcfg.DERPNode) bool {
-		port := firstNonzero(derpNode.DERPPort, 443)
-
-		var (
-			hasIPv4 bool
-			hasIPv6 bool
-		)
-
-		// Check IPv4 first
-		addr := net.JoinHostPort(firstNonzero(derpNode.IPv4, derpNode.HostName), strconv.Itoa(port))
-		conn, err := dialer.DialContext(ctx, "tcp4", addr)
-		if err != nil {
-			st.Errors = append(st.Errors, fmt.Sprintf("Error connecting to node %q @ %q over IPv4: %v", derpNode.HostName, addr, err))
-		} else {
-			defer conn.Close()
-
-			// Upgrade to TLS and verify that works properly.
-			tlsConn := tls.Client(conn, &tls.Config{
-				ServerName: firstNonzero(derpNode.CertName, derpNode.HostName),
-			})
-			if err := tlsConn.HandshakeContext(ctx); err != nil {
-				st.Errors = append(st.Errors, fmt.Sprintf("Error upgrading connection to node %q @ %q to TLS over IPv4: %v", derpNode.HostName, addr, err))
-			} else {
-				hasIPv4 = true
-			}
-		}
-
-		// Check IPv6
-		addr = net.JoinHostPort(firstNonzero(derpNode.IPv6, derpNode.HostName), strconv.Itoa(port))
-		conn, err = dialer.DialContext(ctx, "tcp6", addr)
-		if err != nil {
-			st.Errors = append(st.Errors, fmt.Sprintf("Error connecting to node %q @ %q over IPv6: %v", derpNode.HostName, addr, err))
-		} else {
-			defer conn.Close()
-
-			// Upgrade to TLS and verify that works properly.
-			tlsConn := tls.Client(conn, &tls.Config{
-				ServerName: firstNonzero(derpNode.CertName, derpNode.HostName),
-				// TODO(andrew-d): we should print more
-				// detailed failure information on if/why TLS
-				// verification fails
-			})
-			if err := tlsConn.HandshakeContext(ctx); err != nil {
-				st.Errors = append(st.Errors, fmt.Sprintf("Error upgrading connection to node %q @ %q to TLS over IPv6: %v", derpNode.HostName, addr, err))
-			} else {
-				hasIPv6 = true
-			}
-		}
-
-		// If we only have an IPv6 conn, then warn; we want both.
-		if hasIPv6 && !hasIPv4 {
-			st.Warnings = append(st.Warnings, fmt.Sprintf("Node %q only has IPv6 connectivity, not IPv4", derpNode.HostName))
-		} else if hasIPv6 && hasIPv4 {
-			st.Info = append(st.Info, fmt.Sprintf("Node %q has working IPv4 and IPv6 connectivity", derpNode.HostName))
-		}
-
-		return hasIPv4 || hasIPv6
-	}
-
-	// Start by checking whether we can establish a HTTP connection
-	for _, derpNode := range reg.Nodes {
-		connSuccess := checkConn(derpNode)
-
-		// Verify that the /generate_204 endpoint works
-		captivePortalURL := "http://" + derpNode.HostName + "/generate_204"
-		resp, err := client.Get(captivePortalURL)
-		if err != nil {
-			st.Warnings = append(st.Warnings, fmt.Sprintf("Error making request to the captive portal check %q; is port 80 blocked?", captivePortalURL))
-		} else {
-			resp.Body.Close()
-		}
-
-		if !connSuccess {
-			continue
-		}
-
-		fakePrivKey := key.NewNode()
-
-		// Next, repeatedly get the server key to see if the node is
-		// behind a load balancer (incorrectly).
-		serverPubKeys := make(map[key.NodePublic]bool)
-		for i := 0; i < 5; i++ {
-			func() {
-				rc := derphttp.NewRegionClient(fakePrivKey, h.logf, func() *tailcfg.DERPRegion {
-					return &tailcfg.DERPRegion{
-						RegionID:   reg.RegionID,
-						RegionCode: reg.RegionCode,
-						RegionName: reg.RegionName,
-						Nodes:      []*tailcfg.DERPNode{derpNode},
-					}
-				})
-				if err := rc.Connect(ctx); err != nil {
-					st.Errors = append(st.Errors, fmt.Sprintf("Error connecting to node %q @ try %d: %v", derpNode.HostName, i, err))
-					return
-				}
-
-				if len(serverPubKeys) == 0 {
-					st.Info = append(st.Info, fmt.Sprintf("Successfully established a DERP connection with node %q", derpNode.HostName))
-				}
-				serverPubKeys[rc.ServerPublicKey()] = true
-			}()
-		}
-		if len(serverPubKeys) > 1 {
-			st.Errors = append(st.Errors, fmt.Sprintf("Received multiple server public keys (%d); is the DERP server behind a load balancer?", len(serverPubKeys)))
-		}
-	}
-
 	// TODO(bradfitz): finish:
+	// * first try TCP connection
+	// * reconnect 4 or 5 times; see if we ever get a different server key.
+	//   if so, they're load balancing the wrong way. error.
 	// * try to DERP auth with new public key.
 	// * if rejected, add Info that it's likely the DERP server authz is on,
 	//   try with LocalBackend's node key instead.
@@ -192,17 +75,17 @@ func (h *Handler) serveDebugDERPRegion(w http.ResponseWriter, r *http.Request) {
 	//   in DERPRegion. Or maybe even list all their server pub keys that it's peered
 	//   with.
 	// * try STUN queries
+	// * warn about IPv6 only
 	// * If their certificate is bad, either expired or just wrongly
 	//   issued in the first place, tell them specifically that the
 	// 	 cert is bad not just that the connection failed.
-}
-
-func firstNonzero[T comparable](items ...T) T {
-	var zero T
-	for _, item := range items {
-		if item != zero {
-			return item
-		}
-	}
-	return zero
+	// * If /generate_204 on port 80 cannot be reached, warn
+	// 	 that they won't get captive portal detection and
+	// 	 should allow port 80.
+	// * If they have exactly one DERP region because they
+	//   removed all of Tailscale's DERPs, warn that they have
+	//   a SPOF that will hamper even direct connections from
+	//   working. (warning, not error, as that's probably a likely
+	//   config for headscale users)
+	st.Info = append(st.Info, "TODO: 🦉")
 }

ipn/localapi/localapi.go

@@ -35,7 +35,6 @@ import (
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/logtail"
 	"tailscale.com/net/netutil"
-	"tailscale.com/net/portmapper"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
@@ -45,7 +44,6 @@ import (
 	"tailscale.com/util/httpm"
 	"tailscale.com/util/mak"
 	"tailscale.com/version"
-	"tailscale.com/wgengine/monitor"
 )
 
 type localAPIHandler func(*Handler, http.ResponseWriter, *http.Request)
@@ -70,8 +68,6 @@ var handler = map[string]localAPIHandler{
 	"debug-derp-region":           (*Handler).serveDebugDERPRegion,
 	"debug-packet-filter-matches": (*Handler).serveDebugPacketFilterMatches,
 	"debug-packet-filter-rules":   (*Handler).serveDebugPacketFilterRules,
-	"debug-portmap":               (*Handler).serveDebugPortmap,
-	"debug-peer-endpoint-changes": (*Handler).serveDebugPeerEndpointChanges,
 	"debug-capture":               (*Handler).serveDebugCapture,
 	"derpmap":                     (*Handler).serveDERPMap,
 	"dev-set-state-store":         (*Handler).serveDevSetStateStore,
@@ -100,8 +96,6 @@ var handler = map[string]localAPIHandler{
 	"tka/status":                  (*Handler).serveTKAStatus,
 	"tka/disable":                 (*Handler).serveTKADisable,
 	"tka/force-local-disable":     (*Handler).serveTKALocalDisable,
-	"tka/affected-sigs":           (*Handler).serveTKAAffectedSigs,
-	"tka/wrap-preauth-key":        (*Handler).serveTKAWrapPreauthKey,
 	"upload-client-metrics":       (*Handler).serveUploadClientMetrics,
 	"watch-ipn-bus":               (*Handler).serveWatchIPNBus,
 	"whois":                       (*Handler).serveWhoIs,
@@ -156,7 +150,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "server has no local backend", http.StatusInternalServerError)
 		return
 	}
-	if r.Referer() != "" || r.Header.Get("Origin") != "" || !h.validHost(r.Host) {
+	if r.Referer() != "" || r.Header.Get("Origin") != "" || !validHost(r.Host) {
 		metricInvalidRequests.Add(1)
 		http.Error(w, "invalid localapi request", http.StatusForbidden)
 		return
@@ -186,20 +180,21 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-// validLocalHostForTesting allows loopback handlers without RequiredPassword for testing.
-var validLocalHostForTesting = false
+// validLocalHost allows either localhost or loopback IP hosts on platforms
+// that use token security.
+var validLocalHost = runtime.GOOS == "darwin" || runtime.GOOS == "ios" || runtime.GOOS == "android"
 
 // validHost reports whether h is a valid Host header value for a LocalAPI request.
-func (h *Handler) validHost(hostname string) bool {
+func validHost(h string) bool {
 	// The client code sends a hostname of "local-tailscaled.sock".
-	switch hostname {
+	switch h {
 	case "", apitype.LocalAPIHost:
 		return true
 	}
-	if !validLocalHostForTesting && h.RequiredPassword == "" {
-		return false // only allow localhost with basic auth or in tests
+	if !validLocalHost {
+		return false
 	}
-	host, _, err := net.SplitHostPort(hostname)
+	host, _, err := net.SplitHostPort(h)
 	if err != nil {
 		return false
 	}
@@ -606,153 +601,6 @@ func (h *Handler) serveDebugPacketFilterMatches(w http.ResponseWriter, r *http.R
 	enc.Encode(nm.PacketFilter)
 }
 
-func (h *Handler) serveDebugPortmap(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "debug access denied", http.StatusForbidden)
-		return
-	}
-	w.Header().Set("Content-Type", "text/plain")
-
-	dur, err := time.ParseDuration(r.FormValue("duration"))
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusBadRequest)
-		return
-	}
-
-	gwSelf := r.FormValue("gateway_and_self")
-
-	// Update portmapper debug flags
-	debugKnobs := &portmapper.DebugKnobs{VerboseLogs: true}
-	switch r.FormValue("type") {
-	case "":
-	case "pmp":
-		debugKnobs.DisablePCP = true
-		debugKnobs.DisableUPnP = true
-	case "pcp":
-		debugKnobs.DisablePMP = true
-		debugKnobs.DisableUPnP = true
-	case "upnp":
-		debugKnobs.DisablePCP = true
-		debugKnobs.DisablePMP = true
-	default:
-		http.Error(w, "unknown portmap debug type", http.StatusBadRequest)
-		return
-	}
-
-	var (
-		logLock     sync.Mutex
-		handlerDone bool
-	)
-	logf := func(format string, args ...any) {
-		if !strings.HasSuffix(format, "\n") {
-			format = format + "\n"
-		}
-
-		logLock.Lock()
-		defer logLock.Unlock()
-
-		// The portmapper can call this log function after the HTTP
-		// handler returns, which is not allowed and can cause a panic.
-		// If this happens, ignore the log lines since this typically
-		// occurs due to a client disconnect.
-		if handlerDone {
-			return
-		}
-
-		// Write and flush each line to the client so that output is streamed
-		fmt.Fprintf(w, format, args...)
-		if f, ok := w.(http.Flusher); ok {
-			f.Flush()
-		}
-	}
-	defer func() {
-		logLock.Lock()
-		handlerDone = true
-		logLock.Unlock()
-	}()
-
-	ctx, cancel := context.WithTimeout(r.Context(), dur)
-	defer cancel()
-
-	done := make(chan bool, 1)
-
-	var c *portmapper.Client
-	c = portmapper.NewClient(logger.WithPrefix(logf, "portmapper: "), debugKnobs, func() {
-		logf("portmapping changed.")
-		logf("have mapping: %v", c.HaveMapping())
-
-		if ext, ok := c.GetCachedMappingOrStartCreatingOne(); ok {
-			logf("cb: mapping: %v", ext)
-			select {
-			case done <- true:
-			default:
-			}
-			return
-		}
-		logf("cb: no mapping")
-	})
-	defer c.Close()
-
-	linkMon, err := monitor.New(logger.WithPrefix(logf, "monitor: "))
-	if err != nil {
-		logf("error creating monitor: %v", err)
-		return
-	}
-
-	gatewayAndSelfIP := func() (gw, self netip.Addr, ok bool) {
-		if a, b, ok := strings.Cut(gwSelf, "/"); ok {
-			gw = netip.MustParseAddr(a)
-			self = netip.MustParseAddr(b)
-			return gw, self, true
-		}
-		return linkMon.GatewayAndSelfIP()
-	}
-
-	c.SetGatewayLookupFunc(gatewayAndSelfIP)
-
-	gw, selfIP, ok := gatewayAndSelfIP()
-	if !ok {
-		logf("no gateway or self IP; %v", linkMon.InterfaceState())
-		return
-	}
-	logf("gw=%v; self=%v", gw, selfIP)
-
-	uc, err := net.ListenPacket("udp", "0.0.0.0:0")
-	if err != nil {
-		return
-	}
-	defer uc.Close()
-	c.SetLocalPort(uint16(uc.LocalAddr().(*net.UDPAddr).Port))
-
-	res, err := c.Probe(ctx)
-	if err != nil {
-		logf("error in Probe: %v", err)
-		return
-	}
-	logf("Probe: %+v", res)
-
-	if !res.PCP && !res.PMP && !res.UPnP {
-		logf("no portmapping services available")
-		return
-	}
-
-	if ext, ok := c.GetCachedMappingOrStartCreatingOne(); ok {
-		logf("mapping: %v", ext)
-	} else {
-		logf("no mapping")
-	}
-
-	select {
-	case <-done:
-	case <-ctx.Done():
-		if r.Context().Err() == nil {
-			logf("serveDebugPortmap: context done: %v", ctx.Err())
-		} else {
-			h.logf("serveDebugPortmap: context done: %v", ctx.Err())
-		}
-	}
-}
-
 func (h *Handler) serveComponentDebugLogging(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite {
 		http.Error(w, "debug access denied", http.StatusForbidden)
@@ -870,34 +718,6 @@ func (h *Handler) serveStatus(w http.ResponseWriter, r *http.Request) {
 	e.Encode(st)
 }
 
-func (h *Handler) serveDebugPeerEndpointChanges(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitRead {
-		http.Error(w, "status access denied", http.StatusForbidden)
-		return
-	}
-
-	ipStr := r.FormValue("ip")
-	if ipStr == "" {
-		http.Error(w, "missing 'ip' parameter", 400)
-		return
-	}
-	ip, err := netip.ParseAddr(ipStr)
-	if err != nil {
-		http.Error(w, "invalid IP", 400)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	chs, err := h.b.GetPeerEndpointChanges(r.Context(), ip)
-	if err != nil {
-		http.Error(w, err.Error(), 500)
-		return
-	}
-
-	e := json.NewEncoder(w)
-	e.SetIndent("", "\t")
-	e.Encode(chs)
-}
-
 // InUseOtherUserIPNStream reports whether r is a request for the watch-ipn-bus
 // handler. If so, it writes an ipn.Notify InUseOtherUser message to the user
 // and returns true. Otherwise it returns false, in which case it doesn't write
@@ -1571,40 +1391,6 @@ func (h *Handler) serveTKAModify(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(204)
 }
 
-func (h *Handler) serveTKAWrapPreauthKey(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "network-lock modify access denied", http.StatusForbidden)
-		return
-	}
-	if r.Method != httpm.POST {
-		http.Error(w, "use POST", http.StatusMethodNotAllowed)
-		return
-	}
-
-	type wrapRequest struct {
-		TSKey  string
-		TKAKey string // key.NLPrivate.MarshalText
-	}
-	var req wrapRequest
-	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 12*1024)).Decode(&req); err != nil {
-		http.Error(w, "invalid JSON body", http.StatusBadRequest)
-		return
-	}
-	var priv key.NLPrivate
-	if err := priv.UnmarshalText([]byte(req.TKAKey)); err != nil {
-		http.Error(w, "invalid JSON body", http.StatusBadRequest)
-		return
-	}
-
-	wrappedKey, err := h.b.NetworkLockWrapPreauthKey(req.TSKey, priv)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	w.WriteHeader(200)
-	w.Write([]byte(wrappedKey))
-}
-
 func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite {
 		http.Error(w, "network-lock modify access denied", http.StatusForbidden)
@@ -1684,32 +1470,6 @@ func (h *Handler) serveTKALog(w http.ResponseWriter, r *http.Request) {
 	w.Write(j)
 }
 
-func (h *Handler) serveTKAAffectedSigs(w http.ResponseWriter, r *http.Request) {
-	if r.Method != httpm.POST {
-		http.Error(w, "use POST", http.StatusMethodNotAllowed)
-		return
-	}
-	keyID, err := ioutil.ReadAll(http.MaxBytesReader(w, r.Body, 2048))
-	if err != nil {
-		http.Error(w, "reading body", http.StatusBadRequest)
-		return
-	}
-
-	sigs, err := h.b.NetworkLockAffectedSigs(keyID)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-
-	j, err := json.MarshalIndent(sigs, "", "\t")
-	if err != nil {
-		http.Error(w, "JSON encoding error", http.StatusInternalServerError)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	w.Write(j)
-}
-
 // serveProfiles serves profile switching-related endpoints. Supported methods
 // and paths are:
 //   - GET /profiles/: list all profiles (JSON-encoded array of ipn.LoginProfiles)

ipn/localapi/localapi_test.go

@@ -14,7 +14,6 @@ import (
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn/ipnlocal"
-	"tailscale.com/tstest"
 )
 
 func TestValidHost(t *testing.T) {
@@ -24,9 +23,9 @@ func TestValidHost(t *testing.T) {
 	}{
 		{"", true},
 		{apitype.LocalAPIHost, true},
-		{"localhost:9109", false},
-		{"127.0.0.1:9110", false},
-		{"[::1]:9111", false},
+		{"localhost:9109", validLocalHost},
+		{"127.0.0.1:9110", validLocalHost},
+		{"[::1]:9111", validLocalHost},
 		{"100.100.100.100:41112", false},
 		{"10.0.0.1:41112", false},
 		{"37.16.9.210:41112", false},
@@ -34,8 +33,7 @@ func TestValidHost(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.host, func(t *testing.T) {
-			h := &Handler{}
-			if got := h.validHost(test.host); got != test.valid {
+			if got := validHost(test.host); got != test.valid {
 				t.Errorf("validHost(%q)=%v, want %v", test.host, got, test.valid)
 			}
 		})
@@ -43,7 +41,11 @@ func TestValidHost(t *testing.T) {
 }
 
 func TestSetPushDeviceToken(t *testing.T) {
-	tstest.Replace(t, &validLocalHostForTesting, true)
+	origValidLocalHost := validLocalHost
+	validLocalHost = true
+	defer func() {
+		validLocalHost = origValidLocalHost
+	}()
 
 	h := &Handler{
 		PermitWrite: true,

ipn/serve.go

@@ -3,19 +3,6 @@
 
 package ipn
 
-import (
-	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-	"net/url"
-	"strconv"
-	"strings"
-
-	"golang.org/x/exp/slices"
-	"tailscale.com/tailcfg"
-)
-
 // ServeConfigKey returns a StateKey that stores the
 // JSON-encoded ServeConfig for a config profile.
 func ServeConfigKey(profileID ProfileID) StateKey {
@@ -42,26 +29,6 @@ type ServeConfig struct {
 // There is no implicit port 443. It must contain a colon.
 type HostPort string
 
-// A FunnelConn wraps a net.Conn that is coming over a
-// Funnel connection. It can be used to determine further
-// information about the connection, like the source address
-// and the target SNI name.
-type FunnelConn struct {
-	// Conn is the underlying connection.
-	net.Conn
-
-	// Target is what was presented in the "Tailscale-Ingress-Target"
-	// HTTP header.
-	Target HostPort
-
-	// Src is the source address of the connection.
-	// This is the address of the client that initiated the
-	// connection, not the address of the Tailscale Funnel
-	// node which is relaying the connection. That address
-	// can be found in Conn.RemoteAddr.
-	Src netip.AddrPort
-}
-
 // WebServerConfig describes a web server's configuration.
 type WebServerConfig struct {
 	Handlers map[string]*HTTPHandler // mountPoint => handler
@@ -176,83 +143,3 @@ func (sc *ServeConfig) IsFunnelOn() bool {
 	}
 	return false
 }
-
-// CheckFunnelAccess checks whether Funnel access is allowed for the given node
-// and port.
-// It checks:
-//  1. an invite was used to join the Funnel alpha
-//  2. HTTPS is enabled on the Tailnet
-//  3. the node has the "funnel" nodeAttr
-//  4. the port is allowed for Funnel
-//
-// The nodeAttrs arg should be the node's Self.Capabilities which should contain
-// the attribute we're checking for and possibly warning-capabilities for
-// Funnel.
-func CheckFunnelAccess(port uint16, nodeAttrs []string) error {
-	if slices.Contains(nodeAttrs, tailcfg.CapabilityWarnFunnelNoInvite) {
-		return errors.New("Funnel not available; an invite is required to join the alpha. See https://tailscale.com/s/no-funnel.")
-	}
-	if slices.Contains(nodeAttrs, tailcfg.CapabilityWarnFunnelNoHTTPS) {
-		return errors.New("Funnel not available; HTTPS must be enabled. See https://tailscale.com/s/https.")
-	}
-	if !slices.Contains(nodeAttrs, tailcfg.NodeAttrFunnel) {
-		return errors.New("Funnel not available; \"funnel\" node attribute not set. See https://tailscale.com/s/no-funnel.")
-	}
-	return checkFunnelPort(port, nodeAttrs)
-}
-
-// checkFunnelPort checks whether the given port is allowed for Funnel.
-// It uses the tailcfg.CapabilityFunnelPorts nodeAttr to determine the allowed
-// ports.
-func checkFunnelPort(wantedPort uint16, nodeAttrs []string) error {
-	deny := func(allowedPorts string) error {
-		if allowedPorts == "" {
-			return fmt.Errorf("port %d is not allowed for funnel", wantedPort)
-		}
-		return fmt.Errorf("port %d is not allowed for funnel; allowed ports are: %v", wantedPort, allowedPorts)
-	}
-	var portsStr string
-	for _, attr := range nodeAttrs {
-		if !strings.HasPrefix(attr, tailcfg.CapabilityFunnelPorts) {
-			continue
-		}
-		u, err := url.Parse(attr)
-		if err != nil {
-			return deny("")
-		}
-		portsStr = u.Query().Get("ports")
-		if portsStr == "" {
-			return deny("")
-		}
-		u.RawQuery = ""
-		if u.String() != tailcfg.CapabilityFunnelPorts {
-			return deny("")
-		}
-	}
-	wantedPortString := strconv.Itoa(int(wantedPort))
-	for _, ps := range strings.Split(portsStr, ",") {
-		if ps == "" {
-			continue
-		}
-		first, last, ok := strings.Cut(ps, "-")
-		if !ok {
-			if first == wantedPortString {
-				return nil
-			}
-			continue
-		}
-		fp, err := strconv.ParseUint(first, 10, 16)
-		if err != nil {
-			continue
-		}
-		lp, err := strconv.ParseUint(last, 10, 16)
-		if err != nil {
-			continue
-		}
-		pr := tailcfg.PortRange{First: uint16(fp), Last: uint16(lp)}
-		if pr.Contains(wantedPort) {
-			return nil
-		}
-	}
-	return deny(portsStr)
-}

ipn/serve_test.go

@@ -1,40 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-package ipn
-
-import (
-	"testing"
-
-	"tailscale.com/tailcfg"
-)
-
-func TestCheckFunnelAccess(t *testing.T) {
-	portAttr := "https://tailscale.com/cap/funnel-ports?ports=443,8080-8090,8443,"
-	tests := []struct {
-		port    uint16
-		caps    []string
-		wantErr bool
-	}{
-		{443, []string{portAttr}, true}, // No "funnel" attribute
-		{443, []string{portAttr, tailcfg.CapabilityWarnFunnelNoInvite}, true},
-		{443, []string{portAttr, tailcfg.CapabilityWarnFunnelNoHTTPS}, true},
-		{443, []string{portAttr, tailcfg.NodeAttrFunnel}, false},
-		{8443, []string{portAttr, tailcfg.NodeAttrFunnel}, false},
-		{8321, []string{portAttr, tailcfg.NodeAttrFunnel}, true},
-		{8083, []string{portAttr, tailcfg.NodeAttrFunnel}, false},
-		{8091, []string{portAttr, tailcfg.NodeAttrFunnel}, true},
-		{3000, []string{portAttr, tailcfg.NodeAttrFunnel}, true},
-	}
-	for _, tt := range tests {
-		err := CheckFunnelAccess(tt.port, tt.caps)
-		switch {
-		case err != nil && tt.wantErr,
-			err == nil && !tt.wantErr:
-			continue
-		case tt.wantErr:
-			t.Fatalf("got no error, want error")
-		case !tt.wantErr:
-			t.Fatalf("got error %v, want no error", err)
-		}
-	}
-}

kube/client.go

@@ -14,15 +14,11 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"log"
 	"net/http"
-	"net/url"
 	"os"
 	"path/filepath"
 	"sync"
 	"time"
-
-	"tailscale.com/util/multierr"
 )
 
 const (
@@ -30,19 +26,7 @@ const (
 	defaultURL = "https://kubernetes.default.svc"
 )
 
-// rootPathForTests is set by tests to override the root path to the
-// service account directory.
-var rootPathForTests string
-
-// SetRootPathForTesting sets the path to the service account directory.
-func SetRootPathForTesting(p string) {
-	rootPathForTests = p
-}
-
 func readFile(n string) ([]byte, error) {
-	if rootPathForTests != "" {
-		return os.ReadFile(filepath.Join(rootPathForTests, saPath, n))
-	}
 	return os.ReadFile(filepath.Join(saPath, n))
 }
 
@@ -84,12 +68,6 @@ func New() (*Client, error) {
 	}, nil
 }
 
-// SetURL sets the URL to use for the Kubernetes API.
-// This is used only for testing.
-func (c *Client) SetURL(url string) {
-	c.url = url
-}
-
 func (c *Client) expireToken() {
 	c.mu.Lock()
 	defer c.mu.Unlock()
@@ -133,27 +111,28 @@ func getError(resp *http.Response) error {
 	return st
 }
 
-func setHeader(key, value string) func(*http.Request) {
-	return func(req *http.Request) {
-		req.Header.Set(key, value)
-	}
-}
-
-// doRequest performs an HTTP request to the Kubernetes API.
-// If in is not nil, it is expected to be a JSON-encodable object and will be
-// sent as the request body.
-// If out is not nil, it is expected to be a pointer to an object that can be
-// decoded from JSON.
-// If the request fails with a 401, the token is expired and a new one is
-// requested.
-func (c *Client) doRequest(ctx context.Context, method, url string, in, out any, opts ...func(*http.Request)) error {
-	req, err := c.newRequest(ctx, method, url, in)
+func (c *Client) doRequest(ctx context.Context, method, url string, in, out any) error {
+	tk, err := c.getOrRenewToken()
 	if err != nil {
 		return err
 	}
-	for _, opt := range opts {
-		opt(req)
+	var body io.Reader
+	if in != nil {
+		var b bytes.Buffer
+		if err := json.NewEncoder(&b).Encode(in); err != nil {
+			return err
+		}
+		body = &b
 	}
+	req, err := http.NewRequestWithContext(ctx, method, url, body)
+	if err != nil {
+		return err
+	}
+	if body != nil {
+		req.Header.Add("Content-Type", "application/json")
+	}
+	req.Header.Add("Accept", "application/json")
+	req.Header.Add("Authorization", "Bearer "+tk)
 	resp, err := c.client.Do(req)
 	if err != nil {
 		return err
@@ -171,36 +150,6 @@ func (c *Client) doRequest(ctx context.Context, method, url string, in, out any,
 	return nil
 }
 
-func (c *Client) newRequest(ctx context.Context, method, url string, in any) (*http.Request, error) {
-	tk, err := c.getOrRenewToken()
-	if err != nil {
-		return nil, err
-	}
-	var body io.Reader
-	if in != nil {
-		switch in := in.(type) {
-		case []byte:
-			body = bytes.NewReader(in)
-		default:
-			var b bytes.Buffer
-			if err := json.NewEncoder(&b).Encode(in); err != nil {
-				return nil, err
-			}
-			body = &b
-		}
-	}
-	req, err := http.NewRequestWithContext(ctx, method, url, body)
-	if err != nil {
-		return nil, err
-	}
-	if body != nil {
-		req.Header.Add("Content-Type", "application/json")
-	}
-	req.Header.Add("Accept", "application/json")
-	req.Header.Add("Authorization", "Bearer "+tk)
-	return req, nil
-}
-
 // GetSecret fetches the secret from the Kubernetes API.
 func (c *Client) GetSecret(ctx context.Context, name string) (*Secret, error) {
 	s := &Secret{Data: make(map[string][]byte)}
@@ -220,97 +169,3 @@ func (c *Client) CreateSecret(ctx context.Context, s *Secret) error {
 func (c *Client) UpdateSecret(ctx context.Context, s *Secret) error {
 	return c.doRequest(ctx, "PUT", c.secretURL(s.Name), s, nil)
 }
-
-// JSONPatch is a JSON patch operation.
-// It currently (2023-03-02) only supports the "remove" operation.
-//
-// https://tools.ietf.org/html/rfc6902
-type JSONPatch struct {
-	Op   string `json:"op"`
-	Path string `json:"path"`
-}
-
-// JSONPatchSecret updates a secret in the Kubernetes API using a JSON patch.
-// It currently (2023-03-02) only supports the "remove" operation.
-func (c *Client) JSONPatchSecret(ctx context.Context, name string, patch []JSONPatch) error {
-	for _, p := range patch {
-		if p.Op != "remove" {
-			panic(fmt.Errorf("unsupported JSON patch operation: %q", p.Op))
-		}
-	}
-	return c.doRequest(ctx, "PATCH", c.secretURL(name), patch, nil, setHeader("Content-Type", "application/json-patch+json"))
-}
-
-// StrategicMergePatchSecret updates a secret in the Kubernetes API using a
-// strategic merge patch.
-// If a fieldManager is provided, it will be used to track the patch.
-func (c *Client) StrategicMergePatchSecret(ctx context.Context, name string, s *Secret, fieldManager string) error {
-	surl := c.secretURL(name)
-	if fieldManager != "" {
-		uv := url.Values{
-			"fieldManager": {fieldManager},
-		}
-		surl += "?" + uv.Encode()
-	}
-	s.Namespace = c.ns
-	s.Name = name
-	return c.doRequest(ctx, "PATCH", surl, s, nil, setHeader("Content-Type", "application/strategic-merge-patch+json"))
-}
-
-// CheckSecretPermissions checks the secret access permissions of the current
-// pod. It returns an error if the basic permissions tailscale needs are
-// missing, and reports whether the patch permission is additionally present.
-//
-// Errors encountered during the access checking process are logged, but ignored
-// so that the pod tries to fail alive if the permissions exist and there's just
-// something wrong with SelfSubjectAccessReviews. There shouldn't be, pods
-// should always be able to use SSARs to assess their own permissions, but since
-// we didn't use to check permissions this way we'll be cautious in case some
-// old version of k8s deviates from the current behavior.
-func (c *Client) CheckSecretPermissions(ctx context.Context, secretName string) (canPatch bool, err error) {
-	var errs []error
-	for _, verb := range []string{"get", "update"} {
-		ok, err := c.checkPermission(ctx, verb, secretName)
-		if err != nil {
-			log.Printf("error checking %s permission on secret %s: %v", verb, secretName, err)
-		} else if !ok {
-			errs = append(errs, fmt.Errorf("missing %s permission on secret %q", verb, secretName))
-		}
-	}
-	if len(errs) > 0 {
-		return false, multierr.New(errs...)
-	}
-	ok, err := c.checkPermission(ctx, "patch", secretName)
-	if err != nil {
-		log.Printf("error checking patch permission on secret %s: %v", secretName, err)
-		return false, nil
-	}
-	return ok, nil
-}
-
-// checkPermission reports whether the current pod has permission to use the
-// given verb (e.g. get, update, patch) on secretName.
-func (c *Client) checkPermission(ctx context.Context, verb, secretName string) (bool, error) {
-	sar := map[string]any{
-		"apiVersion": "authorization.k8s.io/v1",
-		"kind":       "SelfSubjectAccessReview",
-		"spec": map[string]any{
-			"resourceAttributes": map[string]any{
-				"namespace": c.ns,
-				"verb":      verb,
-				"resource":  "secrets",
-				"name":      secretName,
-			},
-		},
-	}
-	var res struct {
-		Status struct {
-			Allowed bool `json:"allowed"`
-		} `json:"status"`
-	}
-	url := c.url + "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews"
-	if err := c.doRequest(ctx, "POST", url, sar, &res); err != nil {
-		return false, err
-	}
-	return res.Status.Allowed, nil
-}

licenses/android.md

@@ -52,15 +52,15 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
  - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/927187094b94/LICENSE))
  - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
  - [go4.org/unsafe/assume-no-moving-gc](https://pkg.go.dev/go4.org/unsafe/assume-no-moving-gc) ([BSD-3-Clause](https://github.com/go4org/unsafe-assume-no-moving-gc/blob/ee73d164e760/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.6.0:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.3.0:LICENSE))
  - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47842c84:LICENSE))
  - [golang.org/x/exp/shiny](https://pkg.go.dev/golang.org/x/exp/shiny) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/334a2380:shiny/LICENSE))
- - [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.5.0:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.7.0:LICENSE))
+ - [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/062f8c9f:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.5.0:LICENSE))
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.1.0:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.5.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.5.0:LICENSE))
- - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.7.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/e7d7f631:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.4.0:LICENSE))
+ - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.6.0:LICENSE))
  - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/579cf78f:LICENSE))
  - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/703fd9b7fbc0/LICENSE))
  - [inet.af/netaddr](https://pkg.go.dev/inet.af/netaddr) ([BSD-3-Clause](https://github.com/inetaf/netaddr/blob/097006376321/LICENSE))

licenses/apple.md

@@ -15,7 +15,7 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.4.0/LICENSE))
  - [github.com/godbus/dbus/v5](https://pkg.go.dev/github.com/godbus/dbus/v5) ([BSD-2-Clause](https://github.com/godbus/dbus/blob/v5.0.6/LICENSE))
  - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
- - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.1.2/LICENSE))
+ - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.0.1/LICENSE))
  - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/c00d1f31bab3/LICENSE))
  - [github.com/illarion/gonotify](https://pkg.go.dev/github.com/illarion/gonotify) ([MIT](https://github.com/illarion/gonotify/blob/v1.0.1/LICENSE))
  - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/de60144f33f8/LICENSE))
@@ -42,7 +42,7 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
  - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
  - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
  - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.6.0:LICENSE))
- - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/cafedaf6:LICENSE))
+ - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47842c84:LICENSE))
  - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.7.0:LICENSE))
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.1.0:LICENSE))
  - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.5.0:LICENSE))

licenses/windows.md

@@ -14,10 +14,8 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/alexbrainman/sspi](https://pkg.go.dev/github.com/alexbrainman/sspi) ([BSD-3-Clause](https://github.com/alexbrainman/sspi/blob/909beea2cc74/LICENSE))
  - [github.com/apenwarr/fixconsole](https://pkg.go.dev/github.com/apenwarr/fixconsole) ([Apache-2.0](https://github.com/apenwarr/fixconsole/blob/5a9f6489cc29/LICENSE))
  - [github.com/apenwarr/w32](https://pkg.go.dev/github.com/apenwarr/w32) ([BSD-3-Clause](https://github.com/apenwarr/w32/blob/aa00fece76ab/LICENSE))
- - [github.com/dblohm7/wingoes](https://pkg.go.dev/github.com/dblohm7/wingoes) ([BSD-3-Clause](https://github.com/dblohm7/wingoes/blob/2b26ab7fb5f9/LICENSE))
  - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.4.0/LICENSE))
  - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
- - [github.com/google/uuid](https://pkg.go.dev/github.com/google/uuid) ([BSD-3-Clause](https://github.com/google/uuid/blob/v1.3.0/LICENSE))
  - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/c00d1f31bab3/LICENSE))
  - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
  - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/d380b505068b/LICENSE.md))
@@ -27,18 +25,14 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.1/LICENSE.md))
  - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.4.0/LICENSE.md))
  - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
- - [github.com/nfnt/resize](https://pkg.go.dev/github.com/nfnt/resize) ([ISC](https://github.com/nfnt/resize/blob/83c6a9932646/LICENSE))
  - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
- - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/31689615ddb4/LICENSE))
- - [github.com/tailscale/win](https://pkg.go.dev/github.com/tailscale/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/ad93eed16885/LICENSE))
- - [github.com/tc-hib/winres](https://pkg.go.dev/github.com/tc-hib/winres) ([0BSD](https://github.com/tc-hib/winres/blob/v0.1.6/LICENSE))
+ - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/e7f9a47617c0/LICENSE))
+ - [github.com/tailscale/win](https://pkg.go.dev/github.com/tailscale/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/e8ccca099752/LICENSE))
  - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
  - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
  - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
  - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.6.0:LICENSE))
- - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/cafedaf6:LICENSE))
- - [golang.org/x/image/bmp](https://pkg.go.dev/golang.org/x/image/bmp) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.5.0:LICENSE))
- - [golang.org/x/mod](https://pkg.go.dev/golang.org/x/mod) ([BSD-3-Clause](https://cs.opensource.google/go/x/mod/+/v0.7.0:LICENSE))
+ - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47842c84:LICENSE))
  - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.7.0:LICENSE))
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.1.0:LICENSE))
  - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.5.0:LICENSE))

log/sockstatlog/logger.go

@@ -1,164 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package sockstatlog provides a logger for capturing and storing network socket stats.
-package sockstatlog
-
-import (
-	"context"
-	"encoding/json"
-	"io"
-	"os"
-	"path/filepath"
-	"time"
-
-	"tailscale.com/logtail/filch"
-	"tailscale.com/net/sockstats"
-	"tailscale.com/types/logger"
-	"tailscale.com/util/mak"
-)
-
-// pollPeriod specifies how often to poll for socket stats.
-const pollPeriod = time.Second / 10
-
-// Logger logs statistics about network sockets.
-type Logger struct {
-	ctx      context.Context
-	cancelFn context.CancelFunc
-
-	ticker    *time.Ticker
-	logf      logger.Logf
-	logbuffer *filch.Filch
-}
-
-// deltaStat represents the bytes transferred during a time period.
-// The first element is transmitted bytes, the second element is received bytes.
-type deltaStat [2]uint64
-
-// event represents the socket stats on a specific interface during a time period.
-type event struct {
-	// Time is when the event started as a Unix timestamp in milliseconds.
-	Time int64 `json:"t"`
-
-	// Duration is the duration of this event in milliseconds.
-	Duration int64 `json:"d"`
-
-	// IsCellularInterface is set to 1 if the traffic was sent over a cellular interface.
-	IsCellularInterface int `json:"c,omitempty"`
-
-	// Stats records the stats for each Label during the time period.
-	Stats map[sockstats.Label]deltaStat `json:"s"`
-}
-
-// NewLogger returns a new Logger that will store stats in logdir.
-// On platforms that do not support sockstat logging, a nil Logger will be returned.
-// The returned Logger must be shut down with Shutdown when it is no longer needed.
-func NewLogger(logdir string, logf logger.Logf) (*Logger, error) {
-	if !sockstats.IsAvailable {
-		return nil, nil
-	}
-
-	if err := os.MkdirAll(logdir, 0755); err != nil && !os.IsExist(err) {
-		return nil, err
-	}
-	filchPrefix := filepath.Join(logdir, "sockstats")
-	filch, err := filch.New(filchPrefix, filch.Options{ReplaceStderr: false})
-	if err != nil {
-		return nil, err
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	logger := &Logger{
-		ctx:       ctx,
-		cancelFn:  cancel,
-		ticker:    time.NewTicker(pollPeriod),
-		logf:      logf,
-		logbuffer: filch,
-	}
-
-	go logger.poll()
-
-	return logger, nil
-}
-
-// poll fetches the current socket stats at the configured time interval,
-// calculates the delta since the last poll, and logs any non-zero values.
-// This method does not return.
-func (l *Logger) poll() {
-	// last is the last set of socket stats we saw.
-	var lastStats *sockstats.SockStats
-	var lastTime time.Time
-
-	enc := json.NewEncoder(l.logbuffer)
-	for {
-		select {
-		case <-l.ctx.Done():
-			return
-		case t := <-l.ticker.C:
-			stats := sockstats.Get()
-			if lastStats != nil {
-				diffstats := delta(lastStats, stats)
-				if len(diffstats) > 0 {
-					e := event{
-						Time:     lastTime.UnixMilli(),
-						Duration: t.Sub(lastTime).Milliseconds(),
-						Stats:    diffstats,
-					}
-					if stats.CurrentInterfaceCellular {
-						e.IsCellularInterface = 1
-					}
-					if err := enc.Encode(e); err != nil {
-						l.logf("sockstatlog: error encoding log: %v", err)
-					}
-				}
-			}
-			lastTime = t
-			lastStats = stats
-		}
-	}
-}
-
-func (l *Logger) Shutdown() {
-	l.ticker.Stop()
-	l.logbuffer.Close()
-	l.cancelFn()
-}
-
-// WriteLogs reads local logs, combining logs into events, and writes them to w.
-// Logs within eventWindow are combined into the same event.
-func (l *Logger) WriteLogs(w io.Writer) {
-	if l == nil || l.logbuffer == nil {
-		return
-	}
-	for {
-		b, err := l.logbuffer.TryReadLine()
-		if err != nil {
-			l.logf("sockstatlog: error reading log: %v", err)
-			return
-		}
-		if b == nil {
-			// no more log messages
-			return
-		}
-
-		w.Write(b)
-	}
-}
-
-// delta calculates the delta stats between two SockStats snapshots.
-// b is assumed to have occurred after a.
-// Zero values are omitted from the returned map, and an empty map is returned if no bytes were transferred.
-func delta(a, b *sockstats.SockStats) (stats map[sockstats.Label]deltaStat) {
-	if a == nil || b == nil {
-		return nil
-	}
-	for label, bs := range b.Stats {
-		as := a.Stats[label]
-		if as.TxBytes == bs.TxBytes && as.RxBytes == bs.RxBytes {
-			// fast path for unchanged stats
-			continue
-		}
-		mak.Set(&stats, label, deltaStat{bs.TxBytes - as.TxBytes, bs.RxBytes - as.RxBytes})
-	}
-	return stats
-}

log/sockstatlog/logger_test.go

@@ -1,95 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package sockstatlog
-
-import (
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"tailscale.com/net/sockstats"
-)
-
-func TestDelta(t *testing.T) {
-	tests := []struct {
-		name      string
-		a, b      *sockstats.SockStats
-		wantStats map[sockstats.Label]deltaStat
-	}{
-		{
-			name:      "nil a stat",
-			a:         nil,
-			b:         &sockstats.SockStats{},
-			wantStats: nil,
-		},
-		{
-			name:      "nil b stat",
-			a:         &sockstats.SockStats{},
-			b:         nil,
-			wantStats: nil,
-		},
-		{
-			name: "no change",
-			a: &sockstats.SockStats{
-				Stats: map[sockstats.Label]sockstats.SockStat{
-					sockstats.LabelDERPHTTPClient: {
-						TxBytes: 10,
-					},
-				},
-			},
-			b: &sockstats.SockStats{
-				Stats: map[sockstats.Label]sockstats.SockStat{
-					sockstats.LabelDERPHTTPClient: {
-						TxBytes: 10,
-					},
-				},
-			},
-			wantStats: nil,
-		},
-		{
-			name: "tx after empty stat",
-			a:    &sockstats.SockStats{},
-			b: &sockstats.SockStats{
-				Stats: map[sockstats.Label]sockstats.SockStat{
-					sockstats.LabelDERPHTTPClient: {
-						TxBytes: 10,
-					},
-				},
-			},
-			wantStats: map[sockstats.Label]deltaStat{
-				sockstats.LabelDERPHTTPClient: {10, 0},
-			},
-		},
-		{
-			name: "rx after non-empty stat",
-			a: &sockstats.SockStats{
-				Stats: map[sockstats.Label]sockstats.SockStat{
-					sockstats.LabelDERPHTTPClient: {
-						TxBytes: 10,
-						RxBytes: 10,
-					},
-				},
-			},
-			b: &sockstats.SockStats{
-				Stats: map[sockstats.Label]sockstats.SockStat{
-					sockstats.LabelDERPHTTPClient: {
-						TxBytes: 10,
-						RxBytes: 30,
-					},
-				},
-			},
-			wantStats: map[sockstats.Label]deltaStat{
-				sockstats.LabelDERPHTTPClient: {0, 20},
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			gotStats := delta(tt.a, tt.b)
-			if !cmp.Equal(gotStats, tt.wantStats) {
-				t.Errorf("gotStats = %v, want %v", gotStats, tt.wantStats)
-			}
-		})
-	}
-}

logpolicy/logpolicy.go

@@ -43,9 +43,7 @@ import (
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
-	"tailscale.com/types/logid"
 	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/must"
 	"tailscale.com/util/racebuild"
 	"tailscale.com/util/winutil"
 	"tailscale.com/version"
@@ -96,8 +94,8 @@ func LogHost() string {
 // Config represents an instance of logs in a collection.
 type Config struct {
 	Collection string
-	PrivateID  logid.PrivateID
-	PublicID   logid.PublicID
+	PrivateID  logtail.PrivateID
+	PublicID   logtail.PublicID
 }
 
 // Policy is a logger and its public ID.
@@ -105,12 +103,15 @@ type Policy struct {
 	// Logtail is the logger.
 	Logtail *logtail.Logger
 	// PublicID is the logger's instance identifier.
-	PublicID logid.PublicID
+	PublicID logtail.PublicID
 }
 
 // NewConfig creates a Config with collection and a newly generated PrivateID.
 func NewConfig(collection string) *Config {
-	id := must.Get(logid.NewPrivateID())
+	id, err := logtail.NewPrivateID()
+	if err != nil {
+		panic("logtail.NewPrivateID should never fail")
+	}
 	return &Config{
 		Collection: collection,
 		PrivateID:  id,
@@ -192,9 +193,9 @@ func (l logWriter) Write(buf []byte) (int, error) {
 	return len(buf), nil
 }
 
-// LogsDir returns the directory to use for log configuration and
+// logsDir returns the directory to use for log configuration and
 // buffer storage.
-func LogsDir(logf logger.Logf) string {
+func logsDir(logf logger.Logf) string {
 	if d := os.Getenv("TS_LOGS_DIR"); d != "" {
 		fi, err := os.Stat(d)
 		if err == nil && fi.IsDir() {
@@ -478,7 +479,7 @@ func NewWithConfigPath(collection, dir, cmdName string) *Policy {
 	}
 
 	if dir == "" {
-		dir = LogsDir(earlyLogf)
+		dir = logsDir(earlyLogf)
 	}
 	if cmdName == "" {
 		cmdName = version.CmdName()

logtail/api.md

@@ -125,11 +125,11 @@ The caller can query-encode the following fields:
       "collections": {
         "collection1.yourcompany.com": {
           "instances": {
-            "<logid.PublicID>" :{
+            "<logtail.PublicID>" :{
               "first-seen": "timestamp",
               "size": 4096
             },
-            "<logid.PublicID>" :{
+            "<logtail.PublicID>" :{
               "first-seen": "timestamp",
               "size": 512000,
               "orphan": true,

logtail/example/logreprocess/logreprocess.go

@@ -15,7 +15,7 @@ import (
 	"strings"
 	"time"
 
-	"tailscale.com/types/logid"
+	"tailscale.com/logtail"
 )
 
 func main() {
@@ -56,7 +56,7 @@ func main() {
 		log.Fatalf("logreprocess: read error %d: %s", resp.StatusCode, string(b))
 	}
 
-	tracebackCache := make(map[logid.PublicID]*ProcessedMsg)
+	tracebackCache := make(map[logtail.PublicID]*ProcessedMsg)
 
 	scanner := bufio.NewScanner(resp.Body)
 	for scanner.Scan() {
@@ -98,8 +98,8 @@ func main() {
 
 type Msg struct {
 	Logtail struct {
-		Instance   logid.PublicID `json:"instance"`
-		ClientTime time.Time      `json:"client_time"`
+		Instance   logtail.PublicID `json:"instance"`
+		ClientTime time.Time        `json:"client_time"`
 	} `json:"logtail"`
 
 	Text string `json:"text"`
@@ -110,6 +110,6 @@ type ProcessedMsg struct {
 		ClientTime time.Time `json:"client_time"`
 	} `json:"logtail"`
 
-	OrigInstance logid.PublicID `json:"orig_instance"`
-	Text         string         `json:"text"`
+	OrigInstance logtail.PublicID `json:"orig_instance"`
+	Text         string           `json:"text"`
 }

logtail/example/logtail/logtail.go

@@ -12,7 +12,6 @@ import (
 	"os"
 
 	"tailscale.com/logtail"
-	"tailscale.com/types/logid"
 )
 
 func main() {
@@ -26,7 +25,7 @@ func main() {
 
 	log.SetFlags(0)
 
-	var id logid.PrivateID
+	var id logtail.PrivateID
 	if err := id.UnmarshalText([]byte(*privateID)); err != nil {
 		log.Fatalf("logtail: bad -privateid: %v", err)
 	}

logtail/filch/filch_test.go

@@ -12,8 +12,6 @@ import (
 	"testing"
 	"unicode"
 	"unsafe"
-
-	"tailscale.com/tstest"
 )
 
 type filchTest struct {
@@ -179,7 +177,10 @@ func TestFilchStderr(t *testing.T) {
 	defer pipeR.Close()
 	defer pipeW.Close()
 
-	tstest.Replace(t, &stderrFD, int(pipeW.Fd()))
+	stderrFD = int(pipeW.Fd())
+	defer func() {
+		stderrFD = 2
+	}()
 
 	filePrefix := t.TempDir()
 	f := newFilchTest(t, filePrefix, Options{ReplaceStderr: true})

logtail/id.go

@@ -0,0 +1,27 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package logtail
+
+import "tailscale.com/types/logid"
+
+// Deprecated: Use "tailscale.com/types/logid".PrivateID instead.
+type PrivateID = logid.PrivateID
+
+// Deprecated: Use "tailscale.com/types/logid".NewPrivateID instead.
+func NewPrivateID() (PrivateID, error) {
+	return logid.NewPrivateID()
+}
+
+// Deprecated: Use "tailscale.com/types/logid".ParsePrivateID instead.
+func ParsePrivateID(s string) (PrivateID, error) {
+	return logid.ParsePrivateID(s)
+}
+
+// Deprecated: Use "tailscale.com/types/logid".PublicID instead.
+type PublicID = logid.PublicID
+
+// Deprecated: Use "tailscale.com/types/logid".ParsePublicID instead.
+func ParsePublicID(s string) (PublicID, error) {
+	return logid.ParsePublicID(s)
+}

logtail/logtail.go

@@ -24,9 +24,7 @@ import (
 	"tailscale.com/envknob"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/interfaces"
-	"tailscale.com/net/sockstats"
 	tslogger "tailscale.com/types/logger"
-	"tailscale.com/types/logid"
 	"tailscale.com/util/set"
 	"tailscale.com/wgengine/monitor"
 )
@@ -50,8 +48,8 @@ type Encoder interface {
 
 type Config struct {
 	Collection     string           // collection name, a domain name
-	PrivateID      logid.PrivateID  // private ID for the primary log stream
-	CopyPrivateID  logid.PrivateID  // private ID for a log stream that is a superset of this log stream
+	PrivateID      PrivateID        // private ID for the primary log stream
+	CopyPrivateID  PrivateID        // private ID for a log stream that is a superset of this log stream
 	BaseURL        string           // if empty defaults to "https://log.tailscale.io"
 	HTTPC          *http.Client     // if empty defaults to http.DefaultClient
 	SkipClientTime bool             // if true, client_time is not written to logs
@@ -190,7 +188,7 @@ type Logger struct {
 	uploadCancel   func()
 	explainedRaw   bool
 	metricsDelta   func() string // or nil
-	privateID      logid.PrivateID
+	privateID      PrivateID
 	httpDoCalls    atomic.Int32
 
 	procID              uint32
@@ -223,7 +221,7 @@ func (l *Logger) SetLinkMonitor(lm *monitor.Mon) {
 // PrivateID returns the logger's private log ID.
 //
 // It exists for internal use only.
-func (l *Logger) PrivateID() logid.PrivateID { return l.privateID }
+func (l *Logger) PrivateID() PrivateID { return l.privateID }
 
 // Shutdown gracefully shuts down the logger while completing any
 // remaining uploads.
@@ -428,7 +426,6 @@ func (l *Logger) awaitInternetUp(ctx context.Context) {
 // origlen of -1 indicates that the body is not compressed.
 func (l *Logger) upload(ctx context.Context, body []byte, origlen int) (uploaded bool, err error) {
 	const maxUploadTime = 45 * time.Second
-	ctx = sockstats.WithSockStats(ctx, sockstats.LabelLogtailLogger)
 	ctx, cancel := context.WithTimeout(ctx, maxUploadTime)
 	defer cancel()
 
@@ -463,6 +460,14 @@ func (l *Logger) upload(ctx context.Context, body []byte, origlen int) (uploaded
 		return uploaded, fmt.Errorf("log upload of %d bytes %s failed %d: %q", len(body), compressedNote, resp.StatusCode, b)
 	}
 
+	// Try to read to EOF, in case server's response is
+	// chunked. We want to reuse the TCP connection if it's
+	// HTTP/1. On success, we expect 0 bytes.
+	// TODO(bradfitz): can remove a few days after 2020-04-04 once
+	// server is fixed.
+	if resp.ContentLength == -1 {
+		resp.Body.Read(make([]byte, 1))
+	}
 	return true, nil
 }
 

logtail/logtail_test.go

@@ -295,6 +295,28 @@ func TestParseAndRemoveLogLevel(t *testing.T) {
 	}
 }
 
+func TestPublicIDUnmarshalText(t *testing.T) {
+	const hexStr = "6c60a9e0e7af57170bb1347b2d477e4cbc27d4571a4923b21651456f931e3d55"
+	x := []byte(hexStr)
+
+	var id PublicID
+	if err := id.UnmarshalText(x); err != nil {
+		t.Fatal(err)
+	}
+	if id.String() != hexStr {
+		t.Errorf("String = %q; want %q", id.String(), hexStr)
+	}
+	err := tstest.MinAllocsPerRun(t, 0, func() {
+		var id PublicID
+		if err := id.UnmarshalText(x); err != nil {
+			t.Fatal(err)
+		}
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
 func unmarshalOne(t *testing.T, body []byte) map[string]any {
 	t.Helper()
 	var entries []map[string]any

net/dns/manager_windows.go

@@ -51,14 +51,12 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (OSConfigurator,
 		ret.nrptDB = newNRPTRuleDatabase(logf)
 	}
 
-	go func() {
-		// Log WSL status once at startup.
-		if distros, err := wslDistros(); err != nil {
-			logf("WSL: could not list distributions: %v", err)
-		} else {
-			logf("WSL: found %d distributions", len(distros))
-		}
-	}()
+	// Log WSL status once at startup.
+	if distros, err := wslDistros(); err != nil {
+		logf("WSL: could not list distributions: %v", err)
+	} else {
+		logf("WSL: found %d distributions", len(distros))
+	}
 
 	return ret, nil
 }

net/dns/resolver/forwarder.go

@@ -26,7 +26,6 @@ import (
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/neterror"
 	"tailscale.com/net/netns"
-	"tailscale.com/net/sockstats"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/logger"
@@ -384,7 +383,6 @@ func (f *forwarder) getKnownDoHClientForProvider(urlBase string) (c *http.Client
 	dialer := dnscache.Dialer(nsDialer.DialContext, &dnscache.Resolver{
 		SingleHost:             dohURL.Hostname(),
 		SingleHostStaticResult: allIPs,
-		Logf:                   f.logf,
 	})
 	c = &http.Client{
 		Transport: &http.Transport{
@@ -408,7 +406,6 @@ func (f *forwarder) getKnownDoHClientForProvider(urlBase string) (c *http.Client
 const dohType = "application/dns-message"
 
 func (f *forwarder) sendDoH(ctx context.Context, urlBase string, c *http.Client, packet []byte) ([]byte, error) {
-	ctx = sockstats.WithSockStats(ctx, sockstats.LabelDNSForwarderDoH)
 	metricDNSFwdDoH.Add(1)
 	req, err := http.NewRequestWithContext(ctx, "POST", urlBase, bytes.NewReader(packet))
 	if err != nil {
@@ -488,7 +485,6 @@ func (f *forwarder) sendUDP(ctx context.Context, fq *forwardQuery, rr resolverAn
 		return nil, fmt.Errorf("unrecognized resolver type %q", rr.name.Addr)
 	}
 	metricDNSFwdUDP.Add(1)
-	ctx = sockstats.WithSockStats(ctx, sockstats.LabelDNSForwarderUDP)
 
 	ln, err := f.packetListener(ipp.Addr())
 	if err != nil {

net/dns/resolver/tsdns_test.go

@@ -997,8 +997,11 @@ func TestMarshalResponseFormatError(t *testing.T) {
 }
 
 func TestForwardLinkSelection(t *testing.T) {
+	old := initListenConfig
+	defer func() { initListenConfig = old }()
+
 	configCall := make(chan string, 1)
-	tstest.Replace(t, &initListenConfig, func(nc *net.ListenConfig, mon *monitor.Mon, tunName string) error {
+	initListenConfig = func(nc *net.ListenConfig, mon *monitor.Mon, tunName string) error {
 		select {
 		case configCall <- tunName:
 			return nil
@@ -1006,7 +1009,7 @@ func TestForwardLinkSelection(t *testing.T) {
 			t.Error("buffer full")
 			return errors.New("buffer full")
 		}
-	})
+	}
 
 	// specialIP is some IP we pretend that our link selector
 	// routes differently.

net/dns/wsl_windows.go

@@ -5,7 +5,6 @@ package dns
 
 import (
 	"bytes"
-	"context"
 	"errors"
 	"fmt"
 	"os"
@@ -13,7 +12,6 @@ import (
 	"os/user"
 	"strings"
 	"syscall"
-	"time"
 
 	"golang.org/x/sys/windows"
 	"tailscale.com/types/logger"
@@ -22,13 +20,7 @@ import (
 
 // wslDistros reports the names of the installed WSL2 linux distributions.
 func wslDistros() ([]string, error) {
-	// There is a bug in some builds of wsl.exe that causes it to block
-	// indefinitely while executing this operation. Set a timeout so that we don't
-	// get wedged! (Issue #7476)
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	defer cancel()
-
-	b, err := wslCombinedOutput(exec.CommandContext(ctx, "wsl.exe", "-l"))
+	b, err := wslCombinedOutput(exec.Command("wsl.exe", "-l"))
 	if err != nil {
 		return nil, fmt.Errorf("%v: %q", err, string(b))
 	}

net/dnscache/dnscache.go

@@ -24,7 +24,6 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/util/cloudenv"
 	"tailscale.com/util/singleflight"
-	"tailscale.com/util/slicesx"
 )
 
 var zaddr netip.Addr
@@ -578,7 +577,7 @@ func (dc *dialCall) raceDial(ctx context.Context, ips []netip.Addr) (net.Conn, e
 			iv4 = append(iv4, ip)
 		}
 	}
-	ips = slicesx.Interleave(iv6, iv4)
+	ips = interleaveSlices(iv6, iv4)
 
 	go func() {
 		for i, ip := range ips {
@@ -637,6 +636,21 @@ func (dc *dialCall) raceDial(ctx context.Context, ips []netip.Addr) (net.Conn, e
 	}
 }
 
+// interleaveSlices combines two slices of the form [a, b, c] and [x, y, z]
+// into a slice with elements interleaved; i.e. [a, x, b, y, c, z].
+func interleaveSlices[T any](a, b []T) []T {
+	var (
+		i   int
+		ret = make([]T, 0, len(a)+len(b))
+	)
+	for i = 0; i < len(a) && i < len(b); i++ {
+		ret = append(ret, a[i], b[i])
+	}
+	ret = append(ret, a[i:]...)
+	ret = append(ret, b[i:]...)
+	return ret
+}
+
 func v4addrs(aa []netip.Addr) (ret []netip.Addr) {
 	for _, a := range aa {
 		a = a.Unmap()

net/dnscache/dnscache_test.go

@@ -13,8 +13,6 @@ import (
 	"reflect"
 	"testing"
 	"time"
-
-	"tailscale.com/tstest"
 )
 
 var dialTest = flag.String("dial-test", "", "if non-empty, addr:port to test dial")
@@ -143,8 +141,34 @@ func TestResolverAllHostStaticResult(t *testing.T) {
 	}
 }
 
+func TestInterleaveSlices(t *testing.T) {
+	testCases := []struct {
+		name string
+		a, b []int
+		want []int
+	}{
+		{name: "equal", a: []int{1, 3, 5}, b: []int{2, 4, 6}, want: []int{1, 2, 3, 4, 5, 6}},
+		{name: "short_b", a: []int{1, 3, 5}, b: []int{2, 4}, want: []int{1, 2, 3, 4, 5}},
+		{name: "short_a", a: []int{1, 3}, b: []int{2, 4, 6}, want: []int{1, 2, 3, 4, 6}},
+		{name: "len_1", a: []int{1}, b: []int{2, 4, 6}, want: []int{1, 2, 4, 6}},
+		{name: "nil_a", a: nil, b: []int{2, 4, 6}, want: []int{2, 4, 6}},
+		{name: "nil_all", a: nil, b: nil, want: []int{}},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			merged := interleaveSlices(tc.a, tc.b)
+			if !reflect.DeepEqual(merged, tc.want) {
+				t.Errorf("got %v; want %v", merged, tc.want)
+			}
+		})
+	}
+}
+
 func TestShouldTryBootstrap(t *testing.T) {
-	tstest.Replace(t, &debug, func() bool { return true })
+	oldDebug := debug
+	t.Cleanup(func() { debug = oldDebug })
+	debug = func() bool { return true }
 
 	type step struct {
 		ip  netip.Addr // IP we pretended to dial