comment out the shell.nix file

Signed-off-by: Christine Dodrill <xe@tailscale.com>
Review cleanups
2020-12-21 10:19:03 -05:00 · 2020-12-16 09:48:01 -05:00 · 2020-12-15 09:11:04 -05:00
124 changed files with 2696 additions and 6885 deletions
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -1,48 +0,0 @@
-name: Code Coverage
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-
-    - name: Set up Go
-      uses: actions/setup-go@v1
-      with:
-        go-version: 1.15
-      id: go
-
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
-
-      # https://markphelps.me/2019/11/speed-up-your-go-builds-with-actions-cache/
-    - name: Restore Cache
-      uses: actions/cache@preview
-      id: cache
-      with:
-        path: ~/go/pkg/mod
-        key: ${{ runner.os }}-${{ hashFiles('**/go.sum') }}
-
-    - name: Basic build
-      run: go build ./cmd/...
-
-    - name: Run tests on linux with coverage data
-      run: go test -race -coverprofile=coverage.txt -bench=. -benchtime=1x ./...
-
-    - name: coveralls.io
-      uses: shogo82148/actions-goveralls@v1
-      env:
-        COVERALLS_TOKEN: ${{ secrets.COVERALLS_TOKEN }}
-        GITHUB_TOKEN: ${{ secrets.COVERALLS_BOT_PUBLIC_REPO_TOKEN }}
-      with:
-        path-to-profile: ./coverage.txt
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,8 @@
 *.so
 *.dylib

+cmd/relaynode/relaynode
+cmd/taillogin/taillogin
 cmd/tailscale/tailscale
 cmd/tailscaled/tailscaled

--- a/17
+++ b/17
@@ -2,23 +2,6 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.

-############################################################################
-#
-# WARNING: Tailscale is not yet officially supported in Docker,
-# Kubernetes, etc.
-#
-# It might work, but we don't regularly test it, and it's not as polished as
-# our currently supported platforms. This is provided for people who know
-# how Tailscale works and what they're doing.
-#
-# Our tracking bug for officially support container use cases is:
-#    https://github.com/tailscale/tailscale/issues/504
-#
-# Also, see the various bugs tagged "containers":
-#    https://github.com/tailscale/tailscale/labels/containers
-#
-############################################################################
-
 # This Dockerfile includes all the tailscale binaries.
 #
 # To build the Dockerfile:
--- a/README.md
+++ b/README.md
@@ -63,13 +63,8 @@ Origin](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin)

 ## About Us

-[Tailscale](https://tailscale.com/) is primarily developed by the
-people at https://github.com/orgs/tailscale/people. For other contributors,
-see:
-
-* https://github.com/tailscale/tailscale/graphs/contributors
-* https://github.com/tailscale/tailscale-android/graphs/contributors
-
-## Legal
+We are apenwarr, bradfitz, crawshaw, danderson, dfcarney, josharian
+from Tailscale Inc.
+You can learn more about us from [our website](https://tailscale.com).

 WireGuard is a registered trademark of Jason A. Donenfeld.
--- a/api.md
+++ b/api.md
@@ -1,774 +0,0 @@
-# Tailscale API
-
-The Tailscale API is a (mostly) RESTful API. Typically, POST bodies should be JSON encoded and responses will be JSON encoded.
-
-# Authentication
-Currently based on {some authentication method}. Visit the [admin panel](https://api.tailscale.com/admin) and navigate to the `Keys` page. Generate an API Key and keep it safe. Provide the key as the user key in basic auth when making calls to Tailscale API endpoints.
-
-# APIs
-
-* **[Devices](#device)**
-  - [GET device](#device-get)
-  - [DELETE device](#device-delete)
-  - Routes
-    - [GET device routes](#device-routes-get)
-    - [POST device routes](#device-routes-post)
-* **[Tailnets](#tailnet)**
-  - ACLs
-    - [GET tailnet ACL](#tailnet-acl-get)
-    - [POST tailnet ACL](#tailnet-acl-post): set ACL for a tailnet
-    - [POST tailnet ACL preview](#tailnet-acl-preview-post): preview rule matches on an ACL for a resource
-  - [Devices](#tailnet-devices)
-    - [GET tailnet devices](#tailnet-devices-get)
-  - [DNS](#tailnet-dns)
-    - [GET tailnet DNS nameservers](#tailnet-dns-nameservers-get)
-    - [POST tailnet DNS nameservers](#tailnet-dns-nameservers-post)
-    - [GET tailnet DNS preferences](#tailnet-dns-preferences-get)
-    - [POST tailnet DNS preferences](#tailnet-dns-preferences-post)
-    - [GET tailnet DNS searchpaths](#tailnet-dns-searchpaths-get)
-    - [POST tailnet DNS searchpaths](#tailnet-dns-searchpaths-post)
-
-## Device
-<!-- TODO: description about what devices are -->
-Each Tailscale-connected device has a globally-unique identifier number which we refer as the "deviceID" or sometimes, just "id". 
-You can use the deviceID to specify operations on a specific device, like retrieving its subnet routes.
-
-To find the deviceID of a particular device, you can use the ["GET /devices"](#getdevices) API call and generate a list of devices on your network. 
-Find the device you're looking for and get the "id" field.
-This is your deviceID. 
-
-<a name=device-get></div>
-
-#### `GET /api/v2/device/:deviceid` - lists the details for a device
-Returns the details for the specified device.
-Supply the device of interest in the path using its ID.
-Use the `fields` query parameter to explicitly indicate which fields are returned.
-
-
-##### Parameters
-##### Query Parameters
-`fields` - Controls which fields will be included in the returned response.
-Currently, supported options are: 
-* `all`: returns all fields in the response.
-* `default`: return all fields except:
-  * `enabledRoutes`
-  * `advertisedRoutes`
-  * `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)
-
-Use commas to separate multiple options.
-If more than one option is indicated, then the union is used.
-For example, for `fields=default,all`, all fields are returned.
-If the `fields` parameter is not provided, then the default option is used.
-
-##### Example 
-```
-GET /api/v2/device/12345
-curl 'https://api.tailscale.com/api/v2/device/12345?fields=all' \
-  -u "tskey-yourapikey123:"
-```
-
-Response
-```
-{
-  "addresses":[
-    "100.105.58.116"
-  ],
-  "id":"12345",
-  "user":"user1@example.com",
-  "name":"user1-device.example.com",
-  "hostname":"User1-Device",
-  "clientVersion":"date.20201107",
-  "updateAvailable":false,
-  "os":"macOS",
-  "created":"2020-11-20T20:56:49Z",
-  "lastSeen":"2020-11-20T16:15:55-05:00",
-  "keyExpiryDisabled":false,
-  "expires":"2021-05-19T20:56:49Z",
-  "authorized":true,
-  "isExternal":false,
-  "machineKey":"mkey:user1-machine-key",
-  "nodeKey":"nodekey:user1-node-key",
-  "blocksIncomingConnections":false,
-  "enabledRoutes":[
-    
-  ],
-  "advertisedRoutes":[
-    
-  ],
-  "clientConnectivity": {
-    "endpoints":[
-      "209.195.87.231:59128",
-      "192.168.0.173:59128"
-    ],
-    "derp":"",
-    "mappingVariesByDestIP":false,
-    "latency":{
-      "Dallas":{
-        "latencyMs":60.463043
-      },
-      "New York City":{
-        "preferred":true,
-        "latencyMs":31.323811
-      },
-      "San Francisco":{
-        "latencyMs":81.313389
-      }
-    },
-    "clientSupports":{
-      "hairPinning":false,
-      "ipv6":false,
-      "pcp":false,
-      "pmp":false,
-      "udp":true,
-      "upnp":false
-    }
-  }
-}
-```
-
-<a name=device-delete></div>
-
-#### `DELETE /api/v2/device/:deviceID` - deletes the device from its tailnet
-Deletes the provided device from its tailnet. 
-The device must belong to the user's tailnet.
-Deleting shared/external devices is not supported.
-Supply the device of interest in the path using its ID.
-
-
-##### Parameters
-No parameters.
-
-##### Example
-```
-DELETE /api/v2/device/12345
-curl -X DELETE 'https://api.tailscale.com/api/v2/device/12345' \
-  -u "tskey-yourapikey123:" -v
-```
-
-Response
-
-If successful, the response should be empty: 
-```
-< HTTP/1.1 200 OK
-...
-* Connection #0 to host left intact
-* Closing connection 0
-```
-
-If the device is not owned by your tailnet: 
-```
-< HTTP/1.1 501 Not Implemented
-...
-{"message":"cannot delete devices outside of your tailnet"}
-```
-
-
-<a name=device-routes-get></div>
-
-#### `GET /api/v2/device/:deviceID/routes` - fetch subnet routes that are advertised and enabled for a device
-
-Retrieves the list of subnet routes that a device is advertising, as well as those that are enabled for it. Enabled routes are not necessarily advertised (e.g. for pre-enabling), and likewise, advertised routes are not necessarily enabled.
-
-##### Parameters
-
-No parameters.
-
-##### Example
-
-```
-curl 'https://api.tailscale.com/api/v2/device/11055/routes' \
-u "tskey-yourapikey123:"
-```
-
-Response
-```
-{
-   "advertisedRoutes" : [
-      "10.0.1.0/24",
-      "1.2.0.0/16",
-      "2.0.0.0/24"
-   ],
-   "enabledRoutes" : []
-}
-```
-
-<a name=device-routes-post></div>
-
-#### `POST /api/v2/device/:deviceID/routes` - set the subnet routes that are enabled for a device
-
-Sets which subnet routes are enabled to be routed by a device by replacing the existing list of subnet routes with the supplied parameters. Routes can be enabled without a device advertising them (e.g. for preauth). Returns a list of enabled subnet routes and a list of advertised subnet routes for a device.
-
-##### Parameters
-
-###### POST Body
-`routes` - The new list of enabled subnet routes in JSON.
-```
-{
-  "routes": ["10.0.1.0/24", "1.2.0.0/16", "2.0.0.0/24"]
-}
-```
-
-##### Example
-
-```
-curl 'https://api.tailscale.com/api/v2/device/11055/routes' \
-u "tskey-yourapikey123:" \
--data-binary '{"routes": ["10.0.1.0/24", "1.2.0.0/16", "2.0.0.0/24"]}'
-```
-
-Response
-
-```
-{
-   "advertisedRoutes" : [
-      "10.0.1.0/24",
-      "1.2.0.0/16",
-      "2.0.0.0/24"
-   ],
-   "enabledRoutes" : [
-      "10.0.1.0/24",
-      "1.2.0.0/16",
-      "2.0.0.0/24"
-   ]
-}
-```
-
-## Tailnet 
-A tailnet is the name of your Tailscale network. 
-You can find it in the top left corner of the [Admin Panel](https://login.tailscale.com/admin) beside the Tailscale logo.
-
-
-`alice@example.com` belongs to the `example.com` tailnet and would use the following format for API calls:
-
-```
-GET /api/v2/tailnet/example.com/...
-curl https://api.tailscale.com/api/v2/tailnet/example.com/...
-```
-
-
-For solo plans, the tailnet is the email you signed up with.
-So `alice@gmail.com` has the tailnet `alice@gmail.com` since `@gmail.com` is a shared email host.
-Her API calls would have the following format:
-```
-GET /api/v2/tailnet/alice@gmail.com/...
-curl https://api.tailscale.com/api/v2/tailnet/alice@gmail.com/...
-```
-
-Tailnets are a top-level resource. ACL is an example of a resource that is tied to a top-level tailnet.
-
-For more information on Tailscale networks/tailnets, click [here](https://tailscale.com/kb/1064/invite-team-members).
-
-### ACL
-
-<a name=tailnet-acl-get></a>
-
-#### `GET /api/v2/tailnet/:tailnet/acl` - fetch ACL for a tailnet
-
-Retrieves the ACL that is currently set for the given tailnet. Supply the tailnet of interest in the path. This endpoint can send back either the HuJSON of the ACL or a parsed JSON, depending on the `Accept` header.
-
-##### Parameters
-
-###### Headers
-`Accept` - Response is parsed `JSON` if `application/json` is explicitly named, otherwise HuJSON will be returned.
-
-##### Returns
-Returns the ACL HuJSON by default. Returns a parsed JSON of the ACL (sans comments) if the `Accept` type is explicitly set to `application/json`. An `ETag` header is also sent in the response, which can be optionally used in POST requests to avoid missed updates.
-<!-- TODO (chungdaniel): define error types and a set of docs for them -->
-
-##### Example
-
-###### Requesting a HuJSON response:
-```
-GET /api/v2/tailnet/example.com/acl
-curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
-  -u "tskey-yourapikey123:" \
-  -H "Accept: application/hujson" \
-  -v
-```
-
-Response
-```
-...
-Content-Type: application/hujson
-Etag: "e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c"
-...
-
-// Example/default ACLs for unrestricted connections.
-{
-    "Tests": [],
-    // Declare static groups of users beyond those in the identity service.
-    "Groups": {
-        "group:example": [
-            "user1@example.com",
-            "user2@example.com"
-        ],
-    },
-    // Declare convenient hostname aliases to use in place of IP addresses.
-    "Hosts": {
-        "example-host-1": "100.100.100.100",
-    },
-    // Access control lists.
-    "ACLs": [
-        // Match absolutely everything. Comment out this section if you want
-        // to define specific ACL restrictions.
-        {
-            "Action": "accept",
-            "Users": [
-                "*"
-            ],
-            "Ports": [
-                "*:*"
-            ]
-        },
-    ]
-}
-```
-
-###### Requesting a JSON response:
-```
-GET /api/v2/tailnet/example.com/acl
-curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
-  -u "tskey-yourapikey123:" \
-  -H "Accept: application/json" \
-  -v
-```
-
-Response
-```
-...
-Content-Type: application/json
-Etag: "e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c"
-...
-{
-   "acls" : [
-      {
-         "action" : "accept",
-         "ports" : [
-            "*:*"
-         ],
-         "users" : [
-            "*"
-         ]
-      }
-   ],
-   "groups" : {
-      "group:example" : [
-         "user1@example.com",
-         "user2@example.com"
-      ]
-   },
-   "hosts" : {
-      "example-host-1" : "100.100.100.100"
-   }
-}
-```
-
-<a name=tailnet-acl-post></a>
-
-#### `POST /api/v2/tailnet/:tailnet/acl` - set ACL for a tailnet
-
-Sets the ACL for the given tailnet. HuJSON and JSON are both accepted inputs. An `If-Match` header can be set to avoid missed updates.
-
-Returns error for invalid ACLs.
-Returns error if using an `If-Match` header and the ETag does not match.
-
-##### Parameters
-
-###### Headers
-`If-Match` - A request header. Set this value to the ETag header provided in an `ACL GET` request to avoid missed updates.
-
-`Accept` - Sets the return type of the updated ACL. Response is parsed `JSON` if `application/json` is explicitly named, otherwise HuJSON will be returned.
-
-###### POST Body
-ACL JSON or HuJSON (see https://tailscale.com/kb/1018/acls)
-
-##### Example
-```
-POST /api/v2/tailnet/example.com/acl
-curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
-  -u "tskey-yourapikey123:" \
-  -H "If-Match: \"e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c\""
-  --data-binary '// Example/default ACLs for unrestricted connections.
-{
-  // Declare tests to check functionality of ACL rules. User must be a valid user with registered machines.
-  "Tests": [
-    // {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]},
-  ],
-  // Declare static groups of users beyond those in the identity service.
-  "Groups": {
-    "group:example": [ "user1@example.com", "user2@example.com" ],
-  },
-  // Declare convenient hostname aliases to use in place of IP addresses.
-  "Hosts": {
-    "example-host-1": "100.100.100.100",
-  },
-  // Access control lists.
-  "ACLs": [
-    // Match absolutely everything. Comment out this section if you want
-    // to define specific ACL restrictions.
-    { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
-  ]
-}'
-```
-
-Response
-```
-// Example/default ACLs for unrestricted connections.
-{
-  // Declare tests to check functionality of ACL rules. User must be a valid user with registered machines.
-  "Tests": [
-    // {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]},
-  ],
-  // Declare static groups of users beyond those in the identity service.
-  "Groups": {
-    "group:example": [ "user1@example.com", "user2@example.com" ],
-  },
-  // Declare convenient hostname aliases to use in place of IP addresses.
-  "Hosts": {
-    "example-host-1": "100.100.100.100",
-  },
-  // Access control lists.
-  "ACLs": [
-    // Match absolutely everything. Comment out this section if you want
-    // to define specific ACL restrictions.
-    { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
-  ]
-}
-```
-
-<a name=tailnet-acl-preview-post></a>
-
-#### `POST /api/v2/tailnet/:tailnet/acl/preview` - preview rule matches on an ACL for a resource
-Determines what rules match for a user on an ACL without saving the ACL to the server.
-
-##### Parameters
-
-###### Query Parameters
-`user` - A user's email. The provided ACL is queried with this user to determine which rules match.
-
-###### POST Body
-ACL JSON or HuJSON (see https://tailscale.com/kb/1018/acls)
-
-##### Example
-```
-POST /api/v2/tailnet/example.com/acl/preiew
-curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl?user=user1@example.com' \
-  -u "tskey-yourapikey123:" \
-  --data-binary '// Example/default ACLs for unrestricted connections.
-{
-  // Declare tests to check functionality of ACL rules. User must be a valid user with registered machines.
-  "Tests": [
-    // {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]},
-  ],
-  // Declare static groups of users beyond those in the identity service.
-  "Groups": {
-    "group:example": [ "user1@example.com", "user2@example.com" ],
-  },
-  // Declare convenient hostname aliases to use in place of IP addresses.
-  "Hosts": {
-    "example-host-1": "100.100.100.100",
-  },
-  // Access control lists.
-  "ACLs": [
-    // Match absolutely everything. Comment out this section if you want
-    // to define specific ACL restrictions.
-    { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
-  ]
-}'
-```
-
-Response
-```
-{"matches":[{"users":["*"],"ports":["*:*"],"lineNumber":19}],"user":"user1@example.com"}
-```
-
-<a name=tailnet-devices></a>
-
-### Devices
-
-<a name=tailnet-devices-get></a>
-
-#### <a name="getdevices"></a> `GET /api/v2/tailnet/:tailnet/devices` - list the devices for a tailnet
-Lists the devices in a tailnet. 
-Supply the tailnet of interest in the path.
-Use the `fields` query parameter to explicitly indicate which fields are returned.
-
-
-##### Parameters
-
-###### Query Parameters
-`fields` - Controls which fields will be included in the returned response.
-Currently, supported options are: 
-* `all`: Returns all fields in the response.
-* `default`: return all fields except:
-  * `enabledRoutes`
-  * `advertisedRoutes`
-  * `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)
-
-Use commas to separate multiple options.
-If more than one option is indicated, then the union is used.
-For example, for `fields=default,all`, all fields are returned.
-If the `fields` parameter is not provided, then the default option is used.
-
-##### Example
-
-```
-GET /api/v2/tailnet/example.com/devices
-curl 'https://api.tailscale.com/api/v2/tailnet/example.com/devices' \
-  -u "tskey-yourapikey123:"
-```
-
-Response 
-```
-{
-  "devices":[
-    {
-      "addresses":[
-        "100.68.203.125"
-      ],
-      "clientVersion":"date.20201107",
-      "os":"macOS",
-      "name":"user1-device.example.com",
-      "created":"2020-11-30T22:20:04Z",
-      "lastSeen":"2020-11-30T17:20:04-05:00",
-      "hostname":"User1-Device",
-      "machineKey":"mkey:user1-node-key",
-      "nodeKey":"nodekey:user1-node-key",
-      "id":"12345",
-      "user":"user1@example.com",
-      "expires":"2021-05-29T22:20:04Z",
-      "keyExpiryDisabled":false,
-      "authorized":false,
-      "isExternal":false,
-      "updateAvailable":false,
-      "blocksIncomingConnections":false,
-    },
-    {
-      "addresses":[
-        "100.111.63.90"
-      ],
-      "clientVersion":"date.20201107",
-      "os":"macOS",
-      "name":"user2-device.example.com",
-      "created":"2020-11-30T22:21:03Z",
-      "lastSeen":"2020-11-30T17:21:03-05:00",
-      "hostname":"User2-Device",
-      "machineKey":"mkey:user2-machine-key",
-      "nodeKey":"nodekey:user2-node-key",
-      "id":"48810",
-      "user":"user2@example.com",
-      "expires":"2021-05-29T22:21:03Z",
-      "keyExpiryDisabled":false,
-      "authorized":false,
-      "isExternal":false,
-      "updateAvailable":false,
-      "blocksIncomingConnections":false,
-    }
-  ]
-}
-```
-
-<a name=tailnet-dns></a>
-
-### DNS
-
-<a name=tailnet-dns-nameservers-get></a>
-
-#### `GET /api/v2/tailnet/:tailnet/dns/nameservers` - list the DNS nameservers for a tailnet
-Lists the DNS nameservers for a tailnet. 
-Supply the tailnet of interest in the path.
-
-##### Parameters
-No parameters.
-
-##### Example 
-
-```
-GET /api/v2/tailnet/example.com/dns/nameservers
-curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
-  -u "tskey-yourapikey123:"
-```
-
-Response 
-```
-{
-  "dns": ["8.8.8.8"],
-}
-```
-
-<a name=tailnet-dns-nameservers-post></a>
-
-#### `POST /api/v2/tailnet/:tailnet/dns/nameservers` - replaces the list of DNS nameservers for a tailnet
-Replaces the list of DNS nameservers for the given tailnet with the list supplied by the user. 
-Supply the tailnet of interest in the path.
-Note that changing the list of DNS nameservers may also affect the status of MagicDNS (if MagicDNS is on).
-
-##### Parameters
-###### POST Body
-`dns` - The new list of DNS nameservers in JSON.
-```
-{
-  "dns":["8.8.8.8"]
-}
-```
-
-##### Returns
-Returns the new list of nameservers and the status of MagicDNS. 
-
-If all nameservers have been removed, MagicDNS will be automatically disabled (until explicitly turned back on by the user).
-
-##### Example
-###### Adding DNS nameservers with the MagicDNS on:
-```
-POST /api/v2/tailnet/example.com/dns/nameservers
-curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
-  -u "tskey-yourapikey123:" \
-  --data-binary '{"dns": ["8.8.8.8"]}'
-```
-
-Response:
-```
-{
-  "dns":["8.8.8.8"],
-  "magicDNS":true,
-}
-```
-
-###### Removing all DNS nameservers with the MagicDNS on:
-```
-POST /api/v2/tailnet/example.com/dns/nameservers
-curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
-  -u "tskey-yourapikey123:" \
-  --data-binary '{"dns": []}'
-```
-
-Response:
-```
-{
-  "dns":[],
-  "magicDNS": false,
-}
-```
-
-<a name=tailnet-dns-preferences-get></a>
-
-#### `GET /api/v2/tailnet/:tailnet/dns/preferences` - retrieves the DNS preferences for a tailnet
-Retrieves the DNS preferences that are currently set for the given tailnet.
-Supply the tailnet of interest in the path.
-
-##### Parameters
-No parameters. 
-
-##### Example
-```
-GET /api/v2/tailnet/example.com/dns/preferences
-curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
-  -u "tskey-yourapikey123:" 
-```
-
-Response:
-```
-{
-  "magicDNS":false, 
-}
-```
-
-<a name=tailnet-dns-preferences-post></a>
-
-#### `POST /api/v2/tailnet/:tailnet/dns/preferences` - replaces the DNS preferences for a tailnet 
-Replaces the DNS preferences for a tailnet, specifically, the MagicDNS setting.
-Note that MagicDNS is dependent on DNS servers. 
-
-If there is at least one DNS server, then MagicDNS can be enabled. 
-Otherwise, it returns an error.
-Note that removing all nameservers will turn off MagicDNS. 
-To reenable it, nameservers must be added back, and MagicDNS must be explicitly turned on.
-
-##### Parameters
-###### POST Body
-The DNS preferences in JSON. Currently, MagicDNS is the only setting available.
-`magicDNS` -  Automatically registers DNS names for devices in your tailnet.
-```
-{
-  "magicDNS": true
-}
-```
-
-##### Example
-```
-POST /api/v2/tailnet/example.com/dns/preferences
-curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
-  -u "tskey-yourapikey123:" \
-  --data-binary '{"magicDNS": true}'
-```
-
-
-Response:
-
-If there are no DNS servers, it returns an error message:
-```
-{
-  "message":"need at least one nameserver to enable MagicDNS"
-}
-```
-
-If there are DNS servers: 
-```
-{
-  "magicDNS":true,
-}
-```
-
-<a name=tailnet-dns-searchpaths-get></a>
-
-#### `GET /api/v2/tailnet/:tailnet/dns/searchpaths` - retrieves the search paths for a tailnet 
-Retrieves the list of search paths that is currently set for the given tailnet. 
-Supply the tailnet of interest in the path.
-
-
-##### Parameters
-No parameters.
-
-##### Example
-```
-GET /api/v2/tailnet/example.com/dns/searchpaths
-curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
-  -u "tskey-yourapikey123:" 
-```
-
-Response:
-```
-{
-  "searchPaths": ["user1.example.com"],
-}
-```
-
-<a name=tailnet-dns-searchpaths-post></a>
-
-#### `POST /api/v2/tailnet/:tailnet/dns/searchpaths` - replaces the search paths for a tailnet 
-Replaces the list of searchpaths with the list supplied by the user and returns an error otherwise.
-
-##### Parameters
-
-###### POST Body
-`searchPaths` - A list of searchpaths in JSON.
-```
-{
-  "searchPaths: ["user1.example.com", "user2.example.com"]
-}
-```
-
-##### Example
-```
-POST /api/v2/tailnet/example.com/dns/searchpaths
-curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
-  -u "tskey-yourapikey123:" \
-  --data-binary '{"searchPaths": ["user1.example.com", "user2.example.com"]}'
-```
-
-Response:
-```
-{
-  "searchPaths": ["user1.example.com", "user2.example.com"],
-}
-```
--- a/cmd/cloner/cloner.go
+++ b/cmd/cloner/cloner.go
@@ -140,7 +140,7 @@ func main() {
 		flag.Usage()
 		os.Exit(2)
 	}
-	if err := ioutil.WriteFile(output, out, 0644); err != nil {
+	if err := ioutil.WriteFile(output, out, 0666); err != nil {
 		log.Fatal(err)
 	}
 }
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -25,6 +25,7 @@ import (
 	"strings"
 	"time"

+	"github.com/tailscale/wireguard-go/wgcfg"
 	"golang.org/x/crypto/acme/autocert"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
@@ -34,7 +35,6 @@ import (
 	"tailscale.com/net/stun"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
-	"tailscale.com/types/wgkey"
 	"tailscale.com/version"
 )

@@ -51,7 +51,7 @@ var (
 )

 type config struct {
-	PrivateKey wgkey.Private
+	PrivateKey wgcfg.PrivateKey
 }

 func loadConfig() config {
@@ -77,8 +77,8 @@ func loadConfig() config {
 	}
 }

-func mustNewKey() wgkey.Private {
-	key, err := wgkey.NewPrivate()
+func mustNewKey() wgcfg.PrivateKey {
+	key, err := wgcfg.NewPrivateKey()
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -97,7 +97,7 @@ func writeNewConfig() config {
 	if err != nil {
 		log.Fatal(err)
 	}
-	if err := atomicfile.WriteFile(*configPath, b, 0600); err != nil {
+	if err := atomicfile.WriteFile(*configPath, b, 0666); err != nil {
 		log.Fatal(err)
 	}
 	return cfg
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -99,7 +99,7 @@ func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context
 		if runtime.GOOS != "windows" && rootArgs.socket == "" {
 			fatalf("--socket cannot be empty")
 		}
-		fatalf("Failed to connect to tailscaled. (safesocket.Connect: %v)\n", err)
+		fatalf("Failed to connect to connect to tailscaled. (safesocket.Connect: %v)\n", err)
 	}
 	clientToServer := func(b []byte) {
 		ipn.WriteMsg(c, b)
--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -14,8 +14,6 @@ import (
 	"net"
 	"net/http"
 	"os"
-	"sort"
-	"strings"
 	"time"

 	"github.com/peterbourgon/ff/v2/ffcli"
@@ -23,7 +21,6 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/interfaces"
-	"tailscale.com/util/dnsname"
 )

 var statusCmd = &ffcli.Command{
@@ -37,7 +34,6 @@ var statusCmd = &ffcli.Command{
 		fs.BoolVar(&statusArgs.web, "web", false, "run webserver with HTML showing status")
 		fs.BoolVar(&statusArgs.active, "active", false, "filter output to only peers with active sessions (not applicable to web mode)")
 		fs.BoolVar(&statusArgs.self, "self", true, "show status of local machine")
-		fs.BoolVar(&statusArgs.peers, "peers", true, "show status of peers")
 		fs.StringVar(&statusArgs.listen, "listen", "127.0.0.1:8384", "listen address; use port 0 for automatic")
 		fs.BoolVar(&statusArgs.browser, "browser", true, "Open a browser in web mode")
 		return fs
@@ -51,7 +47,6 @@ var statusArgs struct {
 	browser bool   // in web mode, whether to open browser
 	active  bool   // in CLI mode, filter output to only peers with active sessions
 	self    bool   // in CLI mode, show status of local machine
-	peers   bool   // in CLI mode, show status of peer machines
 }

 func runStatus(ctx context.Context, args []string) error {
@@ -141,30 +136,30 @@ func runStatus(ctx context.Context, args []string) error {
 	f := func(format string, a ...interface{}) { fmt.Fprintf(&buf, format, a...) }
 	printPS := func(ps *ipnstate.PeerStatus) {
 		active := peerActive(ps)
-		f("%-15s %-20s %-12s %-7s ",
-			ps.TailAddr,
-			dnsOrQuoteHostname(st, ps),
-			ownerLogin(st, ps),
+		f("%s %-7s %-15s %-18s tx=%8d rx=%8d ",
+			ps.PublicKey.ShortString(),
 			ps.OS,
+			ps.TailAddr,
+			ps.SimpleHostName(),
+			ps.TxBytes,
+			ps.RxBytes,
 		)
 		relay := ps.Relay
-		anyTraffic := ps.TxBytes != 0 || ps.RxBytes != 0
-		if !active {
-			if anyTraffic {
-				f("idle")
-			} else {
-				f("-")
-			}
+		if active && relay != "" && ps.CurAddr == "" {
+			relay = "*" + relay + "*"
 		} else {
-			f("active; ")
-			if relay != "" && ps.CurAddr == "" {
-				f("relay %q", relay)
-			} else if ps.CurAddr != "" {
-				f("direct %s", ps.CurAddr)
-			}
+			relay = " " + relay
 		}
-		if anyTraffic {
-			f(", tx %d rx %d", ps.TxBytes, ps.RxBytes)
+		f("%-6s", relay)
+		for i, addr := range ps.Addrs {
+			if i != 0 {
+				f(", ")
+			}
+			if addr == ps.CurAddr {
+				f("*%s*", addr)
+			} else {
+				f("%s", addr)
+			}
 		}
 		f("\n")
 	}
@@ -172,23 +167,13 @@ func runStatus(ctx context.Context, args []string) error {
 	if statusArgs.self && st.Self != nil {
 		printPS(st.Self)
 	}
-	if statusArgs.peers {
-		var peers []*ipnstate.PeerStatus
-		for _, peer := range st.Peers() {
-			ps := st.Peer[peer]
-			if ps.ShareeNode {
-				continue
-			}
-			peers = append(peers, ps)
-		}
-		sort.Slice(peers, func(i, j int) bool { return sortKey(peers[i]) < sortKey(peers[j]) })
-		for _, ps := range peers {
-			active := peerActive(ps)
-			if statusArgs.active && !active {
-				continue
-			}
-			printPS(ps)
+	for _, peer := range st.Peers() {
+		ps := st.Peer[peer]
+		active := peerActive(ps)
+		if statusArgs.active && !active {
+			continue
 		}
+		printPS(ps)
 	}
 	os.Stdout.Write(buf.Bytes())
 	return nil
@@ -200,37 +185,3 @@ func runStatus(ctx context.Context, args []string) error {
 func peerActive(ps *ipnstate.PeerStatus) bool {
 	return !ps.LastWrite.IsZero() && time.Since(ps.LastWrite) < 2*time.Minute
 }
-
-func dnsOrQuoteHostname(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
-	if i := strings.Index(ps.DNSName, "."); i != -1 && dnsname.HasSuffix(ps.DNSName, st.MagicDNSSuffix) {
-		return ps.DNSName[:i]
-	}
-	if ps.DNSName != "" {
-		return strings.TrimRight(ps.DNSName, ".")
-	}
-	return fmt.Sprintf("(%q)", strings.ReplaceAll(ps.SimpleHostName(), " ", "_"))
-}
-
-func sortKey(ps *ipnstate.PeerStatus) string {
-	if ps.DNSName != "" {
-		return ps.DNSName
-	}
-	if ps.HostName != "" {
-		return ps.HostName
-	}
-	return ps.TailAddr
-}
-
-func ownerLogin(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
-	if ps.UserID.IsZero() {
-		return "-"
-	}
-	u, ok := st.User[ps.UserID]
-	if !ok {
-		return fmt.Sprint(ps.UserID)
-	}
-	if i := strings.Index(u.LoginName, "@"); i != -1 {
-		return u.LoginName[:i+1]
-	}
-	return u.LoginName
-}
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -19,6 +19,7 @@ import (
 	"sync"

 	"github.com/peterbourgon/ff/v2/ffcli"
+	"github.com/tailscale/wireguard-go/wgcfg"
 	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
@@ -84,6 +85,29 @@ var upArgs struct {
 	hostname        string
 }

+// parseIPOrCIDR parses an IP address or a CIDR prefix. If the input
+// is an IP address, it is returned in CIDR form with a /32 mask for
+// IPv4 or a /128 mask for IPv6.
+func parseIPOrCIDR(s string) (wgcfg.CIDR, bool) {
+	if strings.Contains(s, "/") {
+		ret, err := wgcfg.ParseCIDR(s)
+		if err != nil {
+			return wgcfg.CIDR{}, false
+		}
+		return ret, true
+	}
+
+	ip, ok := wgcfg.ParseIP(s)
+	if !ok {
+		return wgcfg.CIDR{}, false
+	}
+	if ip.Is4() {
+		return wgcfg.CIDR{IP: ip, Mask: 32}, true
+	} else {
+		return wgcfg.CIDR{IP: ip, Mask: 128}, true
+	}
+}
+
 func isBSD(s string) bool {
 	return s == "dragonfly" || s == "freebsd" || s == "netbsd" || s == "openbsd"
 }
@@ -138,18 +162,19 @@ func runUp(ctx context.Context, args []string) error {
 		}
 	}

-	var routes []netaddr.IPPrefix
+	var routes []wgcfg.CIDR
 	if upArgs.advertiseRoutes != "" {
 		advroutes := strings.Split(upArgs.advertiseRoutes, ",")
 		for _, s := range advroutes {
-			ipp, err := netaddr.ParseIPPrefix(s)
-			if err != nil {
+			cidr, ok := parseIPOrCIDR(s)
+			ipp, err := netaddr.ParseIPPrefix(s) // parse it with other pawith both packages
+			if !ok || err != nil {
 				fatalf("%q is not a valid IP address or CIDR prefix", s)
 			}
 			if ipp != ipp.Masked() {
 				fatalf("%s has non-address bits set; expected %s", ipp, ipp.Masked())
 			}
-			routes = append(routes, ipp)
+			routes = append(routes, cidr)
 		}
 		checkIPForwarding()
 	}
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -9,11 +9,11 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/wgengine/router/dns
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
+        github.com/golang/groupcache/lru                             from tailscale.com/wgengine/filter+
+   L    github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
-   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
        github.com/peterbourgon/ff/v2                                from github.com/peterbourgon/ff/v2/ffcli
        github.com/peterbourgon/ff/v2/ffcli                          from tailscale.com/cmd/tailscale/cli
     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
@@ -24,15 +24,18 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
-        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device+
+        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device
     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
-   W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun+
-        github.com/tailscale/wireguard-go/wgcfg                      from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/iphlpapi        from github.com/tailscale/wireguard-go/tun/wintun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/namespaceapi    from github.com/tailscale/wireguard-go/tun/wintun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/nci             from github.com/tailscale/wireguard-go/tun/wintun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/registry        from github.com/tailscale/wireguard-go/tun/wintun+
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/setupapi        from github.com/tailscale/wireguard-go/tun/wintun
+        github.com/tailscale/wireguard-go/wgcfg                      from github.com/tailscale/wireguard-go/conn+
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
        github.com/toqueteos/webbrowser                              from tailscale.com/cmd/tailscale/cli
-     💣 go4.org/intern                                               from inet.af/netaddr
     💣 go4.org/mem                                                  from tailscale.com/control/controlclient+
-        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
        inet.af/netaddr                                              from tailscale.com/cmd/tailscale/cli+
        rsc.io/goversion/version                                     from tailscale.com/version
@@ -51,7 +54,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
        tailscale.com/metrics                                        from tailscale.com/derp
        tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
-        tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
     💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli+
        tailscale.com/net/netns                                      from tailscale.com/control/controlclient+
@@ -73,11 +75,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
-        tailscale.com/types/wgkey                                    from tailscale.com/control/controlclient+
-        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
-  LW    tailscale.com/util/endian                                    from tailscale.com/net/netns+
+   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
        tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
-        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/wgengine                                       from tailscale.com/ipn
@@ -85,7 +84,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/wgengine/magicsock                             from tailscale.com/wgengine
     💣 tailscale.com/wgengine/monitor                               from tailscale.com/cmd/tailscale/cli+
        tailscale.com/wgengine/router                                from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/wgengine/router/dns                            from tailscale.com/ipn+
+     💣 tailscale.com/wgengine/router/dns                            from tailscale.com/ipn+
        tailscale.com/wgengine/tsdns                                 from tailscale.com/ipn+
        tailscale.com/wgengine/tstun                                 from tailscale.com/wgengine
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
@@ -119,11 +118,11 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
   W    golang.org/x/sys/windows                                     from github.com/apenwarr/fixconsole+
-   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+   W    golang.org/x/sys/windows/registry                            from github.com/tailscale/wireguard-go/tun/wintun+
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
-        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
+        golang.org/x/text/unicode/norm                               from github.com/tailscale/wireguard-go/tun/wintun+
        golang.org/x/time/rate                                       from tailscale.com/types/logger+
        bufio                                                        from compress/flate+
        bytes                                                        from bufio+
@@ -198,7 +197,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        reflect                                                      from crypto/x509+
        regexp                                                       from github.com/coreos/go-iptables/iptables+
        regexp/syntax                                                from regexp
-        runtime/debug                                                from golang.org/x/sync/singleflight
        runtime/pprof                                                from tailscale.com/log/logheap+
        sort                                                         from compress/flate+
        strconv                                                      from compress/flate+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -9,8 +9,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/wgengine/router/dns
-        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
+        github.com/golang/groupcache/lru                             from tailscale.com/wgengine/filter+
+   L    github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
        github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
@@ -19,7 +19,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
-   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/wgengine+
        github.com/tailscale/wireguard-go/device/tokenbucket         from github.com/tailscale/wireguard-go/device
@@ -28,44 +27,18 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
-        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device+
+        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device
     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
-   W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun+
-        github.com/tailscale/wireguard-go/wgcfg                      from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/iphlpapi        from github.com/tailscale/wireguard-go/tun/wintun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/namespaceapi    from github.com/tailscale/wireguard-go/tun/wintun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/nci             from github.com/tailscale/wireguard-go/tun/wintun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/registry        from github.com/tailscale/wireguard-go/tun/wintun+
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/setupapi        from github.com/tailscale/wireguard-go/tun/wintun
+        github.com/tailscale/wireguard-go/wgcfg                      from github.com/tailscale/wireguard-go/conn+
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
-     💣 go4.org/intern                                               from inet.af/netaddr
     💣 go4.org/mem                                                  from tailscale.com/control/controlclient+
-        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
-     💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire
-        gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
-        gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/tcpip/stack+
-        gvisor.dev/gvisor/pkg/rand                                   from gvisor.dev/gvisor/pkg/tcpip/network/hash+
-     💣 gvisor.dev/gvisor/pkg/sleep                                  from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
-     💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/tcpip+
-        gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
-     💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/linewriter+
-     💣 gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
-        gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
-        gvisor.dev/gvisor/pkg/tcpip/buffer                           from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
-        gvisor.dev/gvisor/pkg/tcpip/hash/jenkins                     from gvisor.dev/gvisor/pkg/tcpip/stack+
-        gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/link/channel+
-        gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
-        gvisor.dev/gvisor/pkg/tcpip/link/channel                     from tailscale.com/wgengine/netstack
-        gvisor.dev/gvisor/pkg/tcpip/network/fragmentation            from gvisor.dev/gvisor/pkg/tcpip/network/ipv4
-        gvisor.dev/gvisor/pkg/tcpip/network/hash                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4
-        gvisor.dev/gvisor/pkg/tcpip/network/ip                       from gvisor.dev/gvisor/pkg/tcpip/network/ipv4
-        gvisor.dev/gvisor/pkg/tcpip/network/ipv4                     from tailscale.com/wgengine/netstack
-        gvisor.dev/gvisor/pkg/tcpip/ports                            from gvisor.dev/gvisor/pkg/tcpip/stack+
-        gvisor.dev/gvisor/pkg/tcpip/seqnum                           from gvisor.dev/gvisor/pkg/tcpip/header+
-        gvisor.dev/gvisor/pkg/tcpip/stack                            from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
-        gvisor.dev/gvisor/pkg/tcpip/transport/icmp                   from tailscale.com/wgengine/netstack
-        gvisor.dev/gvisor/pkg/tcpip/transport/packet                 from gvisor.dev/gvisor/pkg/tcpip/transport/raw
-        gvisor.dev/gvisor/pkg/tcpip/transport/raw                    from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
-     💣 gvisor.dev/gvisor/pkg/tcpip/transport/tcp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
-        gvisor.dev/gvisor/pkg/tcpip/transport/tcpconntrack           from gvisor.dev/gvisor/pkg/tcpip/stack
-        gvisor.dev/gvisor/pkg/tcpip/transport/udp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
-        gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/tcpip+
        inet.af/netaddr                                              from tailscale.com/control/controlclient+
        rsc.io/goversion/version                                     from tailscale.com/version
        tailscale.com/atomicfile                                     from tailscale.com/ipn+
@@ -86,7 +59,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
        tailscale.com/metrics                                        from tailscale.com/derp
        tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
-        tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
     💣 tailscale.com/net/interfaces                                 from tailscale.com/ipn+
        tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
        tailscale.com/net/netns                                      from tailscale.com/control/controlclient+
@@ -111,24 +83,20 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
-        tailscale.com/types/wgkey                                    from tailscale.com/control/controlclient+
-        tailscale.com/util/dnsname                                   from tailscale.com/control/controlclient+
-  LW    tailscale.com/util/endian                                    from tailscale.com/net/netns+
+   W    tailscale.com/util/endian                                    from tailscale.com/net/netns+
        tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
-        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
        tailscale.com/version                                        from tailscale.com/cmd/tailscaled+
        tailscale.com/version/distro                                 from tailscale.com/control/controlclient+
        tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
        tailscale.com/wgengine/magicsock                             from tailscale.com/cmd/tailscaled+
     💣 tailscale.com/wgengine/monitor                               from tailscale.com/wgengine
-        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine/router                                from tailscale.com/cmd/tailscaled+
-        tailscale.com/wgengine/router/dns                            from tailscale.com/ipn+
+     💣 tailscale.com/wgengine/router/dns                            from tailscale.com/ipn+
        tailscale.com/wgengine/tsdns                                 from tailscale.com/ipn+
-        tailscale.com/wgengine/tstun                                 from tailscale.com/wgengine+
+        tailscale.com/wgengine/tstun                                 from tailscale.com/wgengine
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
@@ -142,6 +110,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/ssh/terminal                             from tailscale.com/logpolicy
        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/context/ctxhttp                             from golang.org/x/oauth2/internal
        golang.org/x/net/dns/dnsmessage                              from net+
@@ -160,19 +129,17 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
   W    golang.org/x/sys/windows                                     from github.com/apenwarr/fixconsole+
-   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
-        golang.org/x/term                                            from tailscale.com/logpolicy
+   W    golang.org/x/sys/windows/registry                            from github.com/tailscale/wireguard-go/tun/wintun+
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
-        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
+        golang.org/x/text/unicode/norm                               from github.com/tailscale/wireguard-go/tun/wintun+
        golang.org/x/time/rate                                       from tailscale.com/types/logger+
        bufio                                                        from compress/flate+
        bytes                                                        from bufio+
        compress/flate                                               from compress/gzip+
        compress/gzip                                                from internal/profile+
        compress/zlib                                                from debug/elf+
-        container/heap                                               from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdsa+
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -33,7 +33,6 @@ import (
 	"tailscale.com/version"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/magicsock"
-	"tailscale.com/wgengine/netstack"
 	"tailscale.com/wgengine/router"
 )

@@ -65,7 +64,6 @@ var args struct {
 	port       uint16
 	statepath  string
 	socketpath string
-	verbose    int
 }

 func main() {
@@ -78,7 +76,6 @@ func main() {
 	}

 	printVersion := false
-	flag.IntVar(&args.verbose, "verbose", 0, "log verbosity level; 0 is default, 1 or higher are increasingly verbose")
 	flag.BoolVar(&args.cleanup, "cleanup", false, "clean up system state and exit")
 	flag.BoolVar(&args.fake, "fake", false, "use userspace fake tunnel+routing instead of kernel TUN interface")
 	flag.StringVar(&args.debug, "debug", "", "listen address ([ip]:port) of optional debug server")
@@ -121,7 +118,6 @@ func run() error {
 	var err error

 	pol := logpolicy.New("tailnode.log.tailscale.io")
-	pol.SetVerbosityLevel(args.verbose)
 	defer func() {
 		// Finish uploading logs after closing everything else.
 		ctx, cancel := context.WithTimeout(context.Background(), time.Second)
@@ -148,11 +144,7 @@ func run() error {

 	var e wgengine.Engine
 	if args.fake {
-		var impl wgengine.FakeImplFunc
-		if args.tunname == "userspace-networking" {
-			impl = netstack.Impl
-		}
-		e, err = wgengine.NewFakeUserspaceEngine(logf, 0, impl)
+		e, err = wgengine.NewFakeUserspaceEngine(logf, args.port)
 	} else {
 		e, err = wgengine.NewUserspaceEngine(logf, args.tunname, args.port)
 	}
--- a/cmd/tailscaled/tailscaled.service
+++ b/cmd/tailscaled/tailscaled.service
@@ -18,24 +18,6 @@ StateDirectory=tailscale
 StateDirectoryMode=0750
 CacheDirectory=tailscale
 CacheDirectoryMode=0750
-Type=notify
-
-DeviceAllow=/dev/net/tun
-DeviceAllow=/dev/null
-DeviceAllow=/dev/random
-DeviceAllow=/dev/urandom
-DevicePolicy=strict
-LockPersonality=true
-MemoryDenyWriteExecute=true
-PrivateTmp=true
-ProtectClock=true
-ProtectControlGroups=true
-ProtectHome=true
-ProtectKernelTunables=true
-ProtectSystem=strict
-ReadWritePaths=/etc/
-RestrictSUIDSGID=true
-SystemCallArchitectures=native

 [Install]
 WantedBy=multi-user.target
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -17,13 +17,13 @@ import (
 	"sync"
 	"time"

+	"github.com/tailscale/wireguard-go/wgcfg"
 	"golang.org/x/oauth2"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/empty"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/structs"
-	"tailscale.com/types/wgkey"
 )

 // State is the high-level state of the client. It is used only in
@@ -117,16 +117,15 @@ type Client struct {
 	mu         sync.Mutex   // mutex guards the following fields
 	statusFunc func(Status) // called to update Client status

-	paused          bool // whether we should stop making HTTP requests
-	unpauseWaiters  []chan struct{}
-	loggedIn        bool       // true if currently logged in
-	loginGoal       *LoginGoal // non-nil if some login activity is desired
-	synced          bool       // true if our netmap is up-to-date
-	hostinfo        *tailcfg.Hostinfo
-	inPollNetMap    bool // true if currently running a PollNetMap
-	inLiteMapUpdate bool // true if a lite (non-streaming) map request is outstanding
-	inSendStatus    int  // number of sendStatus calls currently in progress
-	state           State
+	paused         bool // whether we should stop making HTTP requests
+	unpauseWaiters []chan struct{}
+	loggedIn       bool       // true if currently logged in
+	loginGoal      *LoginGoal // non-nil if some login activity is desired
+	synced         bool       // true if our netmap is up-to-date
+	hostinfo       *tailcfg.Hostinfo
+	inPollNetMap   bool // true if currently running a PollNetMap
+	inSendStatus   int  // number of sendStatus calls currently in progress
+	state          State

 	authCtx    context.Context // context used for auth requests
 	mapCtx     context.Context // context used for netmap requests
@@ -183,8 +182,7 @@ func (c *Client) SetPaused(paused bool) {
 	}
 	c.paused = paused
 	if paused {
-		// Only cancel the map routine. (The auth routine isn't expensive
-		// so it's fine to keep it running.)
+		// Just cancel the map routine. The auth routine isn't expensive.
 		c.cancelMapLocked()
 	} else {
 		for _, ch := range c.unpauseWaiters {
@@ -202,50 +200,6 @@ func (c *Client) Start() {
 	go c.mapRoutine()
 }

-// sendNewMapRequest either sends a new OmitPeers, non-streaming map request
-// (to just send Hostinfo/Netinfo/Endpoints info, while keeping an existing
-// streaming response open), or start a new streaming one if necessary.
-//
-// It should be called whenever there's something new to tell the server.
-func (c *Client) sendNewMapRequest() {
-	c.mu.Lock()
-
-	// If we're not already streaming a netmap, or if we're already stuck
-	// in a lite update, then tear down everything and start a new stream
-	// (which starts by sending a new map request)
-	if !c.inPollNetMap || c.inLiteMapUpdate {
-		c.mu.Unlock()
-		c.cancelMapSafely()
-		return
-	}
-
-	// Otherwise, send a lite update that doesn't keep a
-	// long-running stream response.
-	defer c.mu.Unlock()
-	c.inLiteMapUpdate = true
-	ctx, cancel := context.WithTimeout(c.mapCtx, 10*time.Second)
-	go func() {
-		defer cancel()
-		t0 := time.Now()
-		err := c.direct.SendLiteMapUpdate(ctx)
-		d := time.Since(t0).Round(time.Millisecond)
-		c.mu.Lock()
-		c.inLiteMapUpdate = false
-		c.mu.Unlock()
-		if err == nil {
-			c.logf("[v1] successful lite map update in %v", d)
-			return
-		}
-		if ctx.Err() == nil {
-			c.logf("lite map update after %v: %v", d, err)
-		}
-		// Fall back to restarting the long-polling map
-		// request (the old heavy way) if the lite update
-		// failed for any reason.
-		c.cancelMapSafely()
-	}()
-}
-
 func (c *Client) cancelAuth() {
 	c.mu.Lock()
 	if c.authCancel != nil {
@@ -276,7 +230,7 @@ func (c *Client) cancelMapSafely() {
 	c.mu.Lock()
 	defer c.mu.Unlock()

-	c.logf("[v1] cancelMapSafely: synced=%v", c.synced)
+	c.logf("cancelMapSafely: synced=%v", c.synced)

 	if c.inPollNetMap {
 		// received at least one netmap since the last
@@ -298,12 +252,12 @@ func (c *Client) cancelMapSafely() {
 		// request.
 		select {
 		case c.newMapCh <- struct{}{}:
-			c.logf("[v1] cancelMapSafely: wrote to channel")
+			c.logf("cancelMapSafely: wrote to channel")
 		default:
 			// if channel write failed, then there was already
 			// an outstanding newMapCh request. One is enough,
 			// since it'll always use the latest endpoints.
-			c.logf("[v1] cancelMapSafely: channel was full")
+			c.logf("cancelMapSafely: channel was full")
 		}
 	}
 }
@@ -314,24 +268,22 @@ func (c *Client) authRoutine() {

 	for {
 		c.mu.Lock()
+		c.logf("authRoutine: %s", c.state)
+		expiry := c.expiry
 		goal := c.loginGoal
 		ctx := c.authCtx
-		if goal != nil {
-			c.logf("authRoutine: %s; wantLoggedIn=%v", c.state, goal.wantLoggedIn)
-		} else {
-			c.logf("authRoutine: %s; goal=nil", c.state)
-		}
+		synced := c.synced
 		c.mu.Unlock()

 		select {
 		case <-c.quit:
-			c.logf("[v1] authRoutine: quit")
+			c.logf("authRoutine: quit")
 			return
 		default:
 		}

 		report := func(err error, msg string) {
-			c.logf("[v1] %s: %v", msg, err)
+			c.logf("%s: %v", msg, err)
 			err = fmt.Errorf("%s: %v", msg, err)
 			// don't send status updates for context errors,
 			// since context cancelation is always on purpose.
@@ -341,13 +293,51 @@ func (c *Client) authRoutine() {
 		}

 		if goal == nil {
-			// Wait for user to Login or Logout.
-			<-ctx.Done()
-			c.logf("[v1] authRoutine: context done.")
-			continue
-		}
+			// Wait for something interesting to happen
+			var exp <-chan time.Time
+			var expTimer *time.Timer
+			if expiry != nil && !expiry.IsZero() {
+				// if expiry is in the future, don't delay
+				// past that time.
+				// If it's in the past, then it's already
+				// being handled by someone, so no need to
+				// wake ourselves up again.
+				now := c.timeNow()
+				if expiry.Before(now) {
+					delay := expiry.Sub(now)
+					if delay > 5*time.Second {
+						delay = time.Second
+					}
+					expTimer = time.NewTimer(delay)
+					exp = expTimer.C
+				}
+			}
+			select {
+			case <-ctx.Done():
+				if expTimer != nil {
+					expTimer.Stop()
+				}
+				c.logf("authRoutine: context done.")
+			case <-exp:
+				// Unfortunately the key expiry isn't provided
+				// by the control server until mapRequest.
+				// So we have to do some hackery with c.expiry
+				// in here.
+				// TODO(apenwarr): add a key expiry field in RegisterResponse.
+				c.logf("authRoutine: key expiration check.")
+				if synced && expiry != nil && !expiry.IsZero() && expiry.Before(c.timeNow()) {
+					c.logf("Key expired; setting loggedIn=false.")

-		if !goal.wantLoggedIn {
+					c.mu.Lock()
+					c.loginGoal = &LoginGoal{
+						wantLoggedIn: c.loggedIn,
+					}
+					c.loggedIn = false
+					c.expiry = nil
+					c.mu.Unlock()
+				}
+			}
+		} else if !goal.wantLoggedIn {
 			err := c.direct.TryLogout(ctx)
 			if err != nil {
 				report(err, "TryLogout")
@@ -479,7 +469,7 @@ func (c *Client) mapRoutine() {
 		}

 		report := func(err error, msg string) {
-			c.logf("[v1] %s: %v", msg, err)
+			c.logf("%s: %v", msg, err)
 			err = fmt.Errorf("%s: %v", msg, err)
 			// don't send status updates for context errors,
 			// since context cancelation is always on purpose.
@@ -514,7 +504,7 @@ func (c *Client) mapRoutine() {

 				select {
 				case <-c.newMapCh:
-					c.logf("[v1] mapRoutine: new map request during PollNetMap. canceling.")
+					c.logf("mapRoutine: new map request during PollNetMap. canceling.")
 					c.cancelMapLocked()

 					// Don't emit this netmap; we're
@@ -536,7 +526,7 @@ func (c *Client) mapRoutine() {

 				c.mu.Unlock()

-				c.logf("[v1] mapRoutine: netmap received: %s", state)
+				c.logf("mapRoutine: netmap received: %s", state)
 				if stillAuthed {
 					c.sendStatus("mapRoutine-got-netmap", nil, "", nm)
 				}
@@ -590,7 +580,7 @@ func (c *Client) SetHostinfo(hi *tailcfg.Hostinfo) {
 	c.logf("Hostinfo: %v", hi)

 	// Send new Hostinfo to server
-	c.sendNewMapRequest()
+	c.cancelMapSafely()
 }

 func (c *Client) SetNetInfo(ni *tailcfg.NetInfo) {
@@ -598,12 +588,13 @@ func (c *Client) SetNetInfo(ni *tailcfg.NetInfo) {
 		panic("nil NetInfo")
 	}
 	if !c.direct.SetNetInfo(ni) {
+		c.logf("[unexpected] duplicate NetInfo: %v", ni)
 		return
 	}
 	c.logf("NetInfo: %v", ni)

 	// Send new Hostinfo (which includes NetInfo) to server
-	c.sendNewMapRequest()
+	c.cancelMapSafely()
 }

 func (c *Client) sendStatus(who string, err error, url string, nm *NetworkMap) {
@@ -616,7 +607,7 @@ func (c *Client) sendStatus(who string, err error, url string, nm *NetworkMap) {
 	c.inSendStatus++
 	c.mu.Unlock()

-	c.logf("[v1] sendStatus: %s: %v", who, state)
+	c.logf("sendStatus: %s: %v", who, state)

 	var p *Persist
 	var fin *empty.Message
@@ -680,7 +671,7 @@ func (c *Client) Logout() {
 func (c *Client) UpdateEndpoints(localPort uint16, endpoints []string) {
 	changed := c.direct.SetEndpoints(localPort, endpoints)
 	if changed {
-		c.sendNewMapRequest()
+		c.cancelMapSafely()
 	}
 }

@@ -709,7 +700,7 @@ func (c *Client) Shutdown() {

 // NodePublicKey returns the node public key currently in use. This is
 // used exclusively in tests.
-func (c *Client) TestOnlyNodePublicKey() wgkey.Key {
+func (c *Client) TestOnlyNodePublicKey() wgcfg.Key {
 	priv := c.direct.GetPersist()
 	return priv.PrivateNodeKey.Public()
 }
--- a/control/controlclient/controlclient_test.go
+++ b/control/controlclient/controlclient_test.go
@@ -42,11 +42,6 @@ func TestStatusEqual(t *testing.T) {
 			&Status{},
 			false,
 		},
-		{
-			nil,
-			nil,
-			true,
-		},
 		{
 			&Status{},
 			&Status{},
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -31,6 +31,7 @@ import (
 	"sync/atomic"
 	"time"

+	"github.com/tailscale/wireguard-go/wgcfg"
 	"golang.org/x/crypto/nacl/box"
 	"golang.org/x/oauth2"
 	"inet.af/netaddr"
@@ -43,10 +44,7 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/opt"
 	"tailscale.com/types/structs"
-	"tailscale.com/types/wgkey"
-	"tailscale.com/util/systemd"
 	"tailscale.com/version"
-	"tailscale.com/wgengine/filter"
 )

 type Persist struct {
@@ -61,10 +59,10 @@ type Persist struct {
 	// needed. This field should be considered read-only from GUI
 	// frontends. The real value should not be written back in
 	// this field, lest the frontend persist it to disk.
-	LegacyFrontendPrivateMachineKey wgkey.Private `json:"PrivateMachineKey"`
+	LegacyFrontendPrivateMachineKey wgcfg.PrivateKey `json:"PrivateMachineKey"`

-	PrivateNodeKey    wgkey.Private
-	OldPrivateNodeKey wgkey.Private // needed to request key rotation
+	PrivateNodeKey    wgcfg.PrivateKey
+	OldPrivateNodeKey wgcfg.PrivateKey // needed to request key rotation
 	Provider          string
 	LoginName         string
 }
@@ -85,7 +83,7 @@ func (p *Persist) Equals(p2 *Persist) bool {
 }

 func (p *Persist) Pretty() string {
-	var mk, ok, nk wgkey.Key
+	var mk, ok, nk wgcfg.Key
 	if !p.LegacyFrontendPrivateMachineKey.IsZero() {
 		mk = p.LegacyFrontendPrivateMachineKey.Public()
 	}
@@ -95,7 +93,7 @@ func (p *Persist) Pretty() string {
 	if !p.PrivateNodeKey.IsZero() {
 		nk = p.PrivateNodeKey.Public()
 	}
-	ss := func(k wgkey.Key) string {
+	ss := func(k wgcfg.Key) string {
 		if k.IsZero() {
 			return ""
 		}
@@ -107,23 +105,22 @@ func (p *Persist) Pretty() string {

 // Direct is the client that connects to a tailcontrol server for a node.
 type Direct struct {
-	httpc                  *http.Client // HTTP client used to talk to tailcontrol
-	serverURL              string       // URL of the tailcontrol server
-	timeNow                func() time.Time
-	lastPrintMap           time.Time
-	newDecompressor        func() (Decompressor, error)
-	keepAlive              bool
-	logf                   logger.Logf
-	discoPubKey            tailcfg.DiscoKey
-	machinePrivKey         wgkey.Private
-	debugFlags             []string
-	keepSharerAndUserSplit bool
+	httpc           *http.Client // HTTP client used to talk to tailcontrol
+	serverURL       string       // URL of the tailcontrol server
+	timeNow         func() time.Time
+	lastPrintMap    time.Time
+	newDecompressor func() (Decompressor, error)
+	keepAlive       bool
+	logf            logger.Logf
+	discoPubKey     tailcfg.DiscoKey
+	machinePrivKey  wgcfg.PrivateKey
+	debugFlags      []string

 	mu           sync.Mutex // mutex guards the following fields
-	serverKey    wgkey.Key
+	serverKey    wgcfg.Key
 	persist      Persist
 	authKey      string
-	tryingNewKey wgkey.Private
+	tryingNewKey wgcfg.PrivateKey
 	expiry       *time.Time
 	// hostinfo is mutated in-place while mu is held.
 	hostinfo      *tailcfg.Hostinfo // always non-nil
@@ -134,7 +131,7 @@ type Direct struct {

 type Options struct {
 	Persist           Persist           // initial persistent data
-	MachinePrivateKey wgkey.Private     // the machine key to use
+	MachinePrivateKey wgcfg.PrivateKey  // the machine key to use
 	ServerURL         string            // URL of the tailcontrol server
 	AuthKey           string            // optional node auth key for auto registration
 	TimeNow           func() time.Time  // time.Now implementation used by Client
@@ -145,10 +142,6 @@ type Options struct {
 	Logf              logger.Logf
 	HTTPTestClient    *http.Client // optional HTTP client to use (for tests only)
 	DebugFlags        []string     // debug settings to send to control
-
-	// KeepSharerAndUserSplit controls whether the client
-	// understands Node.Sharer. If false, the Sharer is mapped to the User.
-	KeepSharerAndUserSplit bool
 }

 type Decompressor interface {
@@ -195,18 +188,17 @@ func NewDirect(opts Options) (*Direct, error) {
 	}

 	c := &Direct{
-		httpc:                  httpc,
-		machinePrivKey:         opts.MachinePrivateKey,
-		serverURL:              opts.ServerURL,
-		timeNow:                opts.TimeNow,
-		logf:                   opts.Logf,
-		newDecompressor:        opts.NewDecompressor,
-		keepAlive:              opts.KeepAlive,
-		persist:                opts.Persist,
-		authKey:                opts.AuthKey,
-		discoPubKey:            opts.DiscoPublicKey,
-		debugFlags:             opts.DebugFlags,
-		keepSharerAndUserSplit: opts.KeepSharerAndUserSplit,
+		httpc:           httpc,
+		machinePrivKey:  opts.MachinePrivateKey,
+		serverURL:       opts.ServerURL,
+		timeNow:         opts.TimeNow,
+		logf:            opts.Logf,
+		newDecompressor: opts.NewDecompressor,
+		keepAlive:       opts.KeepAlive,
+		persist:         opts.Persist,
+		authKey:         opts.AuthKey,
+		discoPubKey:     opts.DiscoPublicKey,
+		debugFlags:      opts.DebugFlags,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(NewHostinfo())
@@ -316,7 +308,6 @@ func (c *Direct) doLoginOrRegen(ctx context.Context, t *oauth2.Token, flags Logi
 	if mustregen {
 		_, url, err = c.doLogin(ctx, t, flags, true, url)
 	}
-
 	return url, err
 }

@@ -337,7 +328,6 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,

 	if expired {
 		c.logf("Old key expired -> regen=true")
-		systemd.Status("key expired; run 'tailscale up' to authenticate")
 		regen = true
 	}
 	if (flags & LoginInteractive) != 0 {
@@ -346,7 +336,7 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 	}

 	c.logf("doLogin(regen=%v, hasUrl=%v)", regen, url != "")
-	if serverKey.IsZero() {
+	if serverKey == (wgcfg.Key{}) {
 		var err error
 		serverKey, err = loadServerKey(ctx, c.httpc, c.serverURL)
 		if err != nil {
@@ -358,12 +348,12 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 		c.mu.Unlock()
 	}

-	var oldNodeKey wgkey.Key
+	var oldNodeKey wgcfg.Key
 	if url != "" {
 	} else if regen || persist.PrivateNodeKey.IsZero() {
 		c.logf("Generating a new nodekey.")
 		persist.OldPrivateNodeKey = persist.PrivateNodeKey
-		key, err := wgkey.NewPrivate()
+		key, err := wgcfg.NewPrivateKey()
 		if err != nil {
 			c.logf("login keygen: %v", err)
 			return regen, url, err
@@ -527,18 +517,6 @@ func inTest() bool { return flag.Lookup("test.v") != nil }
 // maxPolls is how many network maps to download; common values are 1
 // or -1 (to keep a long-poll query open to the server).
 func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkMap)) error {
-	return c.sendMapRequest(ctx, maxPolls, cb)
-}
-
-// SendLiteMapUpdate makes a /map request to update the server of our latest state,
-// but does not fetch anything. It returns an error if the server did not return a
-// successful 200 OK response.
-func (c *Direct) SendLiteMapUpdate(ctx context.Context) error {
-	return c.sendMapRequest(ctx, 1, nil)
-}
-
-// cb nil means to omit peers.
-func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*NetworkMap)) error {
 	c.mu.Lock()
 	persist := c.persist
 	serverURL := c.serverURL
@@ -555,17 +533,15 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*Netw
 	}

 	allowStream := maxPolls != 1
-	c.logf("[v1] PollNetMap: stream=%v :%v ep=%v", allowStream, localPort, ep)
+	c.logf("PollNetMap: stream=%v :%v ep=%v", allowStream, localPort, ep)

 	vlogf := logger.Discard
 	if Debug.NetMap {
-		// TODO(bradfitz): update this to use "[v2]" prefix perhaps? but we don't
-		// want to upload it always.
 		vlogf = c.logf
 	}

 	request := tailcfg.MapRequest{
-		Version:    tailcfg.CurrentMapRequestVersion,
+		Version:    5,
 		KeepAlive:  c.keepAlive,
 		NodeKey:    tailcfg.NodeKey(persist.PrivateNodeKey.Public()),
 		DiscoKey:   c.discoPubKey,
@@ -573,7 +549,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*Netw
 		Stream:     allowStream,
 		Hostinfo:   hostinfo,
 		DebugFlags: c.debugFlags,
-		OmitPeers:  cb == nil,
 	}
 	if hostinfo != nil && ipForwardingBroken(hostinfo.RoutableIPs) {
 		old := request.DebugFlags
@@ -626,11 +601,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*Netw
 	}
 	defer res.Body.Close()

-	if cb == nil {
-		io.Copy(ioutil.Discard, res.Body)
-		return nil
-	}
-
 	// If we go more than pollTimeout without hearing from the server,
 	// end the long poll. We should be receiving a keep alive ping
 	// every minute.
@@ -666,8 +636,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*Netw

 	var lastDERPMap *tailcfg.DERPMap
 	var lastUserProfile = map[tailcfg.UserID]tailcfg.UserProfile{}
-	var lastParsedPacketFilter []filter.Match
-	var collectServices bool

 	// If allowStream, then the server will use an HTTP long poll to
 	// return incremental results. There is always one response right
@@ -708,7 +676,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*Netw
 		case timeoutReset <- struct{}{}:
 			vlogf("netmap: sent timer reset")
 		case <-ctx.Done():
-			c.logf("[v1] netmap: not resetting timer; context done: %v", ctx.Err())
+			c.logf("netmap: not resetting timer; context done: %v", ctx.Err())
 			return ctx.Err()
 		}
 		if resp.KeepAlive {
@@ -745,40 +713,23 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*Netw
 			resp.Peers = filtered
 		}

-		if pf := resp.PacketFilter; pf != nil {
-			lastParsedPacketFilter = c.parsePacketFilter(pf)
-		}
-
-		if v, ok := resp.CollectServices.Get(); ok {
-			collectServices = v
-		}
-
-		// Get latest localPort. This might've changed if
-		// a lite map update occured meanwhile. This only affects
-		// the end-to-end test.
-		// TODO(bradfitz): remove the NetworkMap.LocalPort field entirely.
-		c.mu.Lock()
-		localPort = c.localPort
-		c.mu.Unlock()
-
 		nm := &NetworkMap{
-			NodeKey:         tailcfg.NodeKey(persist.PrivateNodeKey.Public()),
-			PrivateKey:      persist.PrivateNodeKey,
-			MachineKey:      machinePubKey,
-			Expiry:          resp.Node.KeyExpiry,
-			Name:            resp.Node.Name,
-			Addresses:       resp.Node.Addresses,
-			Peers:           resp.Peers,
-			LocalPort:       localPort,
-			User:            resp.Node.User,
-			UserProfiles:    make(map[tailcfg.UserID]tailcfg.UserProfile),
-			Domain:          resp.Domain,
-			DNS:             resp.DNSConfig,
-			Hostinfo:        resp.Node.Hostinfo,
-			PacketFilter:    lastParsedPacketFilter,
-			CollectServices: collectServices,
-			DERPMap:         lastDERPMap,
-			Debug:           resp.Debug,
+			NodeKey:      tailcfg.NodeKey(persist.PrivateNodeKey.Public()),
+			PrivateKey:   persist.PrivateNodeKey,
+			MachineKey:   machinePubKey,
+			Expiry:       resp.Node.KeyExpiry,
+			Name:         resp.Node.Name,
+			Addresses:    resp.Node.Addresses,
+			Peers:        resp.Peers,
+			LocalPort:    localPort,
+			User:         resp.Node.User,
+			UserProfiles: make(map[tailcfg.UserID]tailcfg.UserProfile),
+			Domain:       resp.Domain,
+			DNS:          resp.DNSConfig,
+			Hostinfo:     resp.Node.Hostinfo,
+			PacketFilter: c.parsePacketFilter(resp.PacketFilter),
+			DERPMap:      lastDERPMap,
+			Debug:        resp.Debug,
 		}
 		addUserProfile := func(userID tailcfg.UserID) {
 			if _, dup := nm.UserProfiles[userID]; dup {
@@ -791,13 +742,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*Netw
 		}
 		addUserProfile(nm.User)
 		for _, peer := range resp.Peers {
-			if !peer.Sharer.IsZero() {
-				if c.keepSharerAndUserSplit {
-					addUserProfile(peer.Sharer)
-				} else {
-					peer.User = peer.Sharer
-				}
-			}
 			addUserProfile(peer.User)
 		}
 		if resp.Node.MachineAuthorized {
@@ -806,7 +750,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*Netw
 			nm.MachineStatus = tailcfg.MachineUnauthorized
 		}
 		if len(resp.DNS) > 0 {
-			nm.DNS.Nameservers = resp.DNS
+			nm.DNS.Nameservers = wgIPToNetaddr(resp.DNS)
 		}
 		if len(resp.SearchPaths) > 0 {
 			nm.DNS.Domains = resp.SearchPaths
@@ -823,7 +767,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*Netw
 		now := c.timeNow()
 		if now.Sub(c.lastPrintMap) >= 5*time.Minute {
 			c.lastPrintMap = now
-			c.logf("[v1] new network map[%d]:\n%s", i, nm.Concise())
+			c.logf("new network map[%d]:\n%s", i, nm.Concise())
 		}

 		c.mu.Lock()
@@ -838,7 +782,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*Netw
 	return nil
 }

-func decode(res *http.Response, v interface{}, serverKey *wgkey.Key, mkey *wgkey.Private) error {
+func decode(res *http.Response, v interface{}, serverKey *wgcfg.Key, mkey *wgcfg.PrivateKey) error {
 	defer res.Body.Close()
 	msg, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
 	if err != nil {
@@ -893,7 +837,7 @@ func (c *Direct) decodeMsg(msg []byte, v interface{}) error {

 }

-func decodeMsg(msg []byte, v interface{}, serverKey *wgkey.Key, mkey *wgkey.Private) error {
+func decodeMsg(msg []byte, v interface{}, serverKey *wgcfg.Key, mkey *wgcfg.PrivateKey) error {
 	decrypted, err := decryptMsg(msg, serverKey, mkey)
 	if err != nil {
 		return err
@@ -907,7 +851,7 @@ func decodeMsg(msg []byte, v interface{}, serverKey *wgkey.Key, mkey *wgkey.Priv
 	return nil
 }

-func decryptMsg(msg []byte, serverKey *wgkey.Key, mkey *wgkey.Private) ([]byte, error) {
+func decryptMsg(msg []byte, serverKey *wgcfg.Key, mkey *wgcfg.PrivateKey) ([]byte, error) {
 	var nonce [24]byte
 	if len(msg) < len(nonce)+1 {
 		return nil, fmt.Errorf("response missing nonce, len=%d", len(msg))
@@ -923,7 +867,7 @@ func decryptMsg(msg []byte, serverKey *wgkey.Key, mkey *wgkey.Private) ([]byte,
 	return decrypted, nil
 }

-func encode(v interface{}, serverKey *wgkey.Key, mkey *wgkey.Private) ([]byte, error) {
+func encode(v interface{}, serverKey *wgcfg.Key, mkey *wgcfg.PrivateKey) ([]byte, error) {
 	b, err := json.Marshal(v)
 	if err != nil {
 		return nil, err
@@ -942,31 +886,42 @@ func encode(v interface{}, serverKey *wgkey.Key, mkey *wgkey.Private) ([]byte, e
 	return msg, nil
 }

-func loadServerKey(ctx context.Context, httpc *http.Client, serverURL string) (wgkey.Key, error) {
+func loadServerKey(ctx context.Context, httpc *http.Client, serverURL string) (wgcfg.Key, error) {
 	req, err := http.NewRequest("GET", serverURL+"/key", nil)
 	if err != nil {
-		return wgkey.Key{}, fmt.Errorf("create control key request: %v", err)
+		return wgcfg.Key{}, fmt.Errorf("create control key request: %v", err)
 	}
 	req = req.WithContext(ctx)
 	res, err := httpc.Do(req)
 	if err != nil {
-		return wgkey.Key{}, fmt.Errorf("fetch control key: %v", err)
+		return wgcfg.Key{}, fmt.Errorf("fetch control key: %v", err)
 	}
 	defer res.Body.Close()
 	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<16))
 	if err != nil {
-		return wgkey.Key{}, fmt.Errorf("fetch control key response: %v", err)
+		return wgcfg.Key{}, fmt.Errorf("fetch control key response: %v", err)
 	}
 	if res.StatusCode != 200 {
-		return wgkey.Key{}, fmt.Errorf("fetch control key: %d: %s", res.StatusCode, string(b))
+		return wgcfg.Key{}, fmt.Errorf("fetch control key: %d: %s", res.StatusCode, string(b))
 	}
-	key, err := wgkey.ParseHex(string(b))
+	key, err := wgcfg.ParseHexKey(string(b))
 	if err != nil {
-		return wgkey.Key{}, fmt.Errorf("fetch control key: %v", err)
+		return wgcfg.Key{}, fmt.Errorf("fetch control key: %v", err)
 	}
 	return key, nil
 }

+func wgIPToNetaddr(ips []wgcfg.IP) (ret []netaddr.IP) {
+	for _, ip := range ips {
+		nip, ok := netaddr.FromStdIP(ip.IP())
+		if !ok {
+			panic(fmt.Sprintf("conversion of %s from wgcfg to netaddr IP failed", ip))
+		}
+		ret = append(ret, nip.Unmap())
+	}
+	return ret
+}
+
 // Debug contains temporary internal-only debug knobs.
 // They're unexported to not draw attention to them.
 var Debug = initDebug()
@@ -1125,12 +1080,11 @@ func TrimWGConfig() opt.Bool {
 // and will definitely not work for the routes provided.
 //
 // It should not return false positives.
-func ipForwardingBroken(routes []netaddr.IPPrefix) bool {
+func ipForwardingBroken(routes []wgcfg.CIDR) bool {
 	if len(routes) == 0 {
 		// Nothing to route, so no need to warn.
 		return false
 	}
-
 	if runtime.GOOS != "linux" {
 		// We only do subnet routing on Linux for now.
 		// It might work on darwin/macOS when building from source, so
@@ -1138,57 +1092,17 @@ func ipForwardingBroken(routes []netaddr.IPPrefix) bool {
 		// already in the admin panel.
 		return false
 	}
-
-	v4Routes, v6Routes := false, false
-	for _, r := range routes {
-		if r.IP.Is4() {
-			v4Routes = true
-		} else {
-			v6Routes = true
-		}
+	out, err := ioutil.ReadFile("/proc/sys/net/ipv4/ip_forward")
+	if err != nil {
+		// Try another way.
+		out, err = exec.Command("sysctl", "-n", "net.ipv4.ip_forward").Output()
 	}
-
-	if v4Routes {
-		out, err := ioutil.ReadFile("/proc/sys/net/ipv4/ip_forward")
-		if err != nil {
-			// Try another way.
-			out, err = exec.Command("sysctl", "-n", "net.ipv4.ip_forward").Output()
-		}
-		if err != nil {
-			// Oh well, we tried. This is just for debugging.
-			// We don't want false positives.
-			// TODO: maybe we want a different warning for inability to check?
-			return false
-		}
-		if strings.TrimSpace(string(out)) == "0" {
-			return true
-		}
+	if err != nil {
+		// Oh well, we tried. This is just for debugging.
+		// We don't want false positives.
+		// TODO: maybe we want a different warning for inability to check?
+		return false
 	}
-	if v6Routes {
-		// Note: you might be wondering why we check only the state of
-		// conf.all.forwarding, rather than per-interface forwarding
-		// configuration. According to kernel documentation, it seems
-		// that to actually forward packets, you need to enable
-		// forwarding globally, and the per-interface forwarding
-		// setting only alters other things such as how router
-		// advertisements are handled. The kernel itself warns that
-		// enabling forwarding per-interface and not globally will
-		// probably not work, so I feel okay calling those configs
-		// broken until we have proof otherwise.
-		out, err := ioutil.ReadFile("/proc/sys/net/ipv6/conf/all/forwarding")
-		if err != nil {
-			out, err = exec.Command("sysctl", "-n", "net.ipv6.conf.all.forwarding").Output()
-		}
-		if err != nil {
-			// Oh well, we tried. This is just for debugging.
-			// We don't want false positives.
-			// TODO: maybe we want a different warning for inability to check?
-			return false
-		}
-		if strings.TrimSpace(string(out)) == "0" {
-			return true
-		}
-	}
-
-	return false
+	return strings.TrimSpace(string(out)) == "0"
+	// TODO: also check IPv6 if 'routes' contains any IPv6 routes
 }
--- a/control/controlclient/direct_test.go
+++ b/control/controlclient/direct_test.go
@@ -11,7 +11,6 @@ import (
 	"testing"

 	"tailscale.com/tailcfg"
-	"tailscale.com/types/wgkey"
 )

 func TestUndeltaPeers(t *testing.T) {
@@ -92,67 +91,3 @@ func formatNodes(nodes []*tailcfg.Node) string {
 	}
 	return sb.String()
 }
-
-func TestNewDirect(t *testing.T) {
-	hi := NewHostinfo()
-	ni := tailcfg.NetInfo{LinkType: "wired"}
-	hi.NetInfo = &ni
-
-	key, err := wgkey.NewPrivate()
-	if err != nil {
-		t.Error(err)
-	}
-	opts := Options{ServerURL: "https://example.com", MachinePrivateKey: key, Hostinfo: hi}
-	c, err := NewDirect(opts)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if c.serverURL != opts.ServerURL {
-		t.Errorf("c.serverURL got %v want %v", c.serverURL, opts.ServerURL)
-	}
-
-	if !hi.Equal(c.hostinfo) {
-		t.Errorf("c.hostinfo got %v want %v", c.hostinfo, hi)
-	}
-
-	changed := c.SetNetInfo(&ni)
-	if changed {
-		t.Errorf("c.SetNetInfo(ni) want false got %v", changed)
-	}
-	ni = tailcfg.NetInfo{LinkType: "wifi"}
-	changed = c.SetNetInfo(&ni)
-	if !changed {
-		t.Errorf("c.SetNetInfo(ni) want true got %v", changed)
-	}
-
-	changed = c.SetHostinfo(hi)
-	if changed {
-		t.Errorf("c.SetHostinfo(hi) want false got %v", changed)
-	}
-	hi = NewHostinfo()
-	hi.Hostname = "different host name"
-	changed = c.SetHostinfo(hi)
-	if !changed {
-		t.Errorf("c.SetHostinfo(hi) want true got %v", changed)
-	}
-
-	endpoints := []string{"1", "2", "3"}
-	changed = c.newEndpoints(12, endpoints)
-	if !changed {
-		t.Errorf("c.newEndpoints(12) want true got %v", changed)
-	}
-	changed = c.newEndpoints(12, endpoints)
-	if changed {
-		t.Errorf("c.newEndpoints(12) want false got %v", changed)
-	}
-	changed = c.newEndpoints(13, endpoints)
-	if !changed {
-		t.Errorf("c.newEndpoints(13) want true got %v", changed)
-	}
-	endpoints = []string{"4", "5", "6"}
-	changed = c.newEndpoints(13, endpoints)
-	if !changed {
-		t.Errorf("c.newEndpoints(13) want true got %v", changed)
-	}
-}
--- a/control/controlclient/hostinfo_linux.go
+++ b/control/controlclient/hostinfo_linux.go
@@ -73,7 +73,7 @@ func osVersionLinux() string {
 			return fmt.Sprintf("%s%s", bytes.TrimSpace(cr), attr)
 		}
 		fallthrough
-	case "fedora", "rhel", "alpine", "nixos":
+	case "fedora", "rhel", "alpine":
 		// Their PRETTY_NAME is fine as-is for all versions I tested.
 		fallthrough
 	default:
--- a/control/controlclient/netmap.go
+++ b/control/controlclient/netmap.go
@@ -14,11 +14,8 @@ import (
 	"time"

 	"github.com/tailscale/wireguard-go/wgcfg"
-	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
-	"tailscale.com/types/wgkey"
-	"tailscale.com/util/dnsname"
 	"tailscale.com/wgengine/filter"
 )

@@ -26,11 +23,11 @@ type NetworkMap struct {
 	// Core networking

 	NodeKey    tailcfg.NodeKey
-	PrivateKey wgkey.Private
+	PrivateKey wgcfg.PrivateKey
 	Expiry     time.Time
 	// Name is the DNS name assigned to this node.
 	Name          string
-	Addresses     []netaddr.IPPrefix
+	Addresses     []wgcfg.CIDR
 	LocalPort     uint16 // used for debugging
 	MachineStatus tailcfg.MachineStatus
 	MachineKey    tailcfg.MachineKey
@@ -39,12 +36,6 @@ type NetworkMap struct {
 	Hostinfo      tailcfg.Hostinfo
 	PacketFilter  []filter.Match

-	// CollectServices reports whether this node's Tailnet has
-	// requested that info about services be included in HostInfo.
-	// If set, Hostinfo.ShieldsUp blocks services collection; that
-	// takes precedence over this field.
-	CollectServices bool
-
 	// DERPMap is the last DERP server map received. It's reused
 	// between updates and should not be modified.
 	DERPMap *tailcfg.DERPMap
@@ -63,30 +54,7 @@ type NetworkMap struct {
 	// TODO(crawshaw): Capabilities []tailcfg.Capability
 }

-// MagicDNSSuffix returns the domain's MagicDNS suffix, or empty if none.
-// If non-empty, it will neither start nor end with a period.
-func (nm *NetworkMap) MagicDNSSuffix() string {
-	searchPathUsedAsDNSSuffix := func(suffix string) bool {
-		if dnsname.HasSuffix(nm.Name, suffix) {
-			return true
-		}
-		for _, p := range nm.Peers {
-			if dnsname.HasSuffix(p.Name, suffix) {
-				return true
-			}
-		}
-		return false
-	}
-
-	for _, d := range nm.DNS.Domains {
-		if searchPathUsedAsDNSSuffix(d) {
-			return strings.Trim(d, ".")
-		}
-	}
-	return ""
-}
-
-func (nm *NetworkMap) String() string {
+func (nm NetworkMap) String() string {
 	return nm.Concise()
 }

@@ -272,7 +240,7 @@ const EndpointDiscoSuffix = ".disco.tailscale:12345"
 func (nm *NetworkMap) WGCfg(logf logger.Logf, flags WGConfigFlags) (*wgcfg.Config, error) {
 	cfg := &wgcfg.Config{
 		Name:       "tailscale",
-		PrivateKey: wgcfg.PrivateKey(nm.PrivateKey),
+		PrivateKey: nm.PrivateKey,
 		Addresses:  nm.Addresses,
 		ListenPort: nm.LocalPort,
 		Peers:      make([]wgcfg.Peer, 0, len(nm.Peers)),
@@ -298,7 +266,7 @@ func (nm *NetworkMap) WGCfg(logf logger.Logf, flags WGConfigFlags) (*wgcfg.Confi
 			if err := appendEndpoint(cpeer, fmt.Sprintf("%x%s", peer.DiscoKey[:], EndpointDiscoSuffix)); err != nil {
 				return nil, err
 			}
-			cpeer.Endpoints = fmt.Sprintf("%x.disco.tailscale:12345", peer.DiscoKey[:])
+			cpeer.Endpoints = []wgcfg.Endpoint{{Host: fmt.Sprintf("%x.disco.tailscale", peer.DiscoKey[:]), Port: 12345}}
 		} else {
 			if err := appendEndpoint(cpeer, peer.DERP); err != nil {
 				return nil, err
@@ -310,14 +278,14 @@ func (nm *NetworkMap) WGCfg(logf logger.Logf, flags WGConfigFlags) (*wgcfg.Confi
 			}
 		}
 		for _, allowedIP := range peer.AllowedIPs {
-			if allowedIP.Bits == 0 {
+			if allowedIP.Mask == 0 {
 				if (flags & AllowDefaultRoute) == 0 {
-					logf("[v1] wgcfg: %v skipping default route", peer.Key.ShortString())
+					logf("wgcfg: %v skipping default route", peer.Key.ShortString())
 					continue
 				}
 			} else if cidrIsSubnet(peer, allowedIP) {
 				if (flags & AllowSubnetRoutes) == 0 {
-					logf("[v1] wgcfg: %v skipping subnet route", peer.Key.ShortString())
+					logf("wgcfg: %v skipping subnet route", peer.Key.ShortString())
 					continue
 				}
 			}
@@ -330,11 +298,17 @@ func (nm *NetworkMap) WGCfg(logf logger.Logf, flags WGConfigFlags) (*wgcfg.Confi

 // cidrIsSubnet reports whether cidr is a non-default-route subnet
 // exported by node that is not one of its own self addresses.
-func cidrIsSubnet(node *tailcfg.Node, cidr netaddr.IPPrefix) bool {
-	if cidr.Bits == 0 {
+func cidrIsSubnet(node *tailcfg.Node, cidr wgcfg.CIDR) bool {
+	if cidr.Mask == 0 {
 		return false
 	}
-	if !cidr.IsSingleIP() {
+	if cidr.Mask < 32 {
+		// Fast path for IPv4, to avoid loop below.
+		//
+		// TODO: if cidr.IP is an IPv6 address, we could do "< 128"
+		// to avoid the range over node.Addresses. Or we could
+		// just remove this fast path and unconditionally do the range
+		// loop.
 		return true
 	}
 	for _, selfCIDR := range node.Addresses {
@@ -349,18 +323,15 @@ func appendEndpoint(peer *wgcfg.Peer, epStr string) error {
 	if epStr == "" {
 		return nil
 	}
-	_, port, err := net.SplitHostPort(epStr)
+	host, port, err := net.SplitHostPort(epStr)
 	if err != nil {
 		return fmt.Errorf("malformed endpoint %q for peer %v", epStr, peer.PublicKey.ShortString())
 	}
-	_, err = strconv.ParseUint(port, 10, 16)
+	port16, err := strconv.ParseUint(port, 10, 16)
 	if err != nil {
 		return fmt.Errorf("invalid port in endpoint %q for peer %v", epStr, peer.PublicKey.ShortString())
 	}
-	if peer.Endpoints != "" {
-		peer.Endpoints += ","
-	}
-	peer.Endpoints += epStr
+	peer.Endpoints = append(peer.Endpoints, wgcfg.Endpoint{Host: host, Port: uint16(port16)})
 	return nil
 }

@@ -380,7 +351,7 @@ func eqStringsIgnoreNil(a, b []string) bool {

 // eqCIDRsIgnoreNil reports whether a and b have the same length and
 // contents, but ignore whether a or b are nil.
-func eqCIDRsIgnoreNil(a, b []netaddr.IPPrefix) bool {
+func eqCIDRsIgnoreNil(a, b []wgcfg.CIDR) bool {
 	if len(a) != len(b) {
 		return false
 	}
--- a/control/controlclient/netmap_test.go
+++ b/control/controlclient/netmap_test.go
@@ -6,10 +6,9 @@ package controlclient

 import (
 	"encoding/hex"
-	"encoding/json"
 	"testing"

-	"inet.af/netaddr"
+	"github.com/tailscale/wireguard-go/wgcfg"
 	"tailscale.com/tailcfg"
 )

@@ -251,7 +250,7 @@ func TestConciseDiffFrom(t *testing.T) {
 						DERP:       "127.3.3.40:2",
 						Endpoints:  []string{"192.168.0.100:41641", "1.1.1.1:41641"},
 						DiscoKey:   testDiscoKey("f00f00f00f"),
-						AllowedIPs: []netaddr.IPPrefix{{IP: netaddr.IPv4(100, 102, 103, 104), Bits: 32}},
+						AllowedIPs: []wgcfg.CIDR{{IP: wgcfg.IPv4(100, 102, 103, 104), Mask: 32}},
 					},
 				},
 			},
@@ -264,7 +263,7 @@ func TestConciseDiffFrom(t *testing.T) {
 						DERP:       "127.3.3.40:2",
 						Endpoints:  []string{"192.168.0.100:41641", "1.1.1.1:41641"},
 						DiscoKey:   testDiscoKey("ba4ba4ba4b"),
-						AllowedIPs: []netaddr.IPPrefix{{IP: netaddr.IPv4(100, 102, 103, 104), Bits: 32}},
+						AllowedIPs: []wgcfg.CIDR{{IP: wgcfg.IPv4(100, 102, 103, 104), Mask: 32}},
 					},
 				},
 			},
@@ -283,15 +282,3 @@ func TestConciseDiffFrom(t *testing.T) {
 		})
 	}
 }
-
-func TestNewHostinfo(t *testing.T) {
-	hi := NewHostinfo()
-	if hi == nil {
-		t.Fatal("no Hostinfo")
-	}
-	j, err := json.MarshalIndent(hi, "  ", "")
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Logf("Got: %s", j)
-}
--- a/control/controlclient/persist_test.go
+++ b/control/controlclient/persist_test.go
@@ -8,7 +8,7 @@ import (
 	"reflect"
 	"testing"

-	"tailscale.com/types/wgkey"
+	"github.com/tailscale/wireguard-go/wgcfg"
 )

 func TestPersistEqual(t *testing.T) {
@@ -18,8 +18,8 @@ func TestPersistEqual(t *testing.T) {
 			have, persistHandles)
 	}

-	newPrivate := func() wgkey.Private {
-		k, err := wgkey.NewPrivate()
+	newPrivate := func() wgcfg.PrivateKey {
+		k, err := wgcfg.NewPrivateKey()
 		if err != nil {
 			panic(err)
 		}
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -358,7 +358,7 @@ func (c *Client) dialURL(ctx context.Context) (net.Conn, error) {
 	dialer := netns.NewDialer()

 	if c.DNSCache != nil {
-		ip, _, err := c.DNSCache.LookupIP(ctx, host)
+		ip, err := c.DNSCache.LookupIP(ctx, host)
 		if err == nil {
 			hostOrIP = ip.String()
 		}
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module tailscale.com

-go 1.15
+go 1.14

 require (
 	github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5
@@ -12,33 +12,30 @@ require (
 	github.com/go-multierror/multierror v1.0.2
 	github.com/go-ole/go-ole v1.2.4
 	github.com/godbus/dbus/v5 v5.0.3
-	github.com/golang/protobuf v1.4.2 // indirect
-	github.com/google/go-cmp v0.5.4
+	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e
+	github.com/google/go-cmp v0.4.0
 	github.com/goreleaser/nfpm v1.1.10
-	github.com/jsimonetti/rtnetlink v0.0.0-20201216134343-bde56ed16391
+	github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4
 	github.com/klauspost/compress v1.10.10
-	github.com/kr/pty v1.1.4-0.20190131011033-7dc38fb350b1
-	github.com/mdlayher/netlink v1.2.0
-	github.com/mdlayher/sdnotify v0.0.0-20200625151349-e4a4f32afc4a
+	github.com/kr/pty v1.1.1
+	github.com/mdlayher/netlink v1.1.0
 	github.com/miekg/dns v1.1.30
 	github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3
 	github.com/peterbourgon/ff/v2 v2.0.0
-	github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027
-	github.com/tailscale/wireguard-go v0.0.0-20210116013233-4cd297ed5a7d
+	github.com/tailscale/depaware v0.0.0-20201003033024-5d95aab075be
+	github.com/tailscale/wireguard-go v0.0.0-20201021041318-a6168fd06b3f
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	go4.org/mem v0.0.0-20201119185036-c04c5a6ff174
-	golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392
-	golang.org/x/net v0.0.0-20201216054612-986b41b23924
+	golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9
+	golang.org/x/net v0.0.0-20201110031124-69a78807bb2b
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9
-	golang.org/x/sys v0.0.0-20201218084310-7d0127a74742
-	golang.org/x/term v0.0.0-20201207232118-ee85cb95a76b
+	golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208
+	golang.org/x/sys v0.0.0-20201112073958-5cba982894dd
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0
-	golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58
+	golang.org/x/tools v0.0.0-20201002184944-ecd9fd270d5d
 	golang.zx2c4.com/wireguard/windows v0.1.2-0.20201113162609-9b85be97fdf8
-	gvisor.dev/gvisor v0.0.0-20210111185822-3ff3110fcdd6
-	honnef.co/go/tools v0.1.0
-	inet.af/netaddr v0.0.0-20210105212526-648fbc18a69d
+	honnef.co/go/tools v0.0.1-2020.1.4
+	inet.af/netaddr v0.0.0-20200810144936-56928fe48a98
 	rsc.io/goversion v1.2.0
 )
--- a/go.sum
+++ b/go.sum
@@ -1,34 +1,12 @@
-bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8=
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.0.0-20170206221025-ce650573d812/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
-cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
-cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
-cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
-cloud.google.com/go v0.52.1-0.20200122224058-0482b626c726/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
-cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
-cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
-cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
-cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
-dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
-github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
-github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
-github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
-github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
-github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
-github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/GoogleCloudPlatform/cloudsql-proxy v0.0.0-20190129172621-c8b1d7a94ddf/go.mod h1:aJ4qN3TfrelA6NZ6AXsXRfmEVaYin3EDbSPJrKS8OXo=
 github.com/Masterminds/semver/v3 v3.0.3 h1:znjIyLfpXEDQjOIEWh+ehwpTU14UzUPub3c3sm36u14=
 github.com/Masterminds/semver/v3 v3.0.3/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
-github.com/Microsoft/go-winio v0.4.15-0.20200908182639-5b44b70ab3ab/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
-github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
-github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
-github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/aclements/go-gg v0.0.0-20170118225347-6dbb4e4fefb0/go.mod h1:55qNq4vcpkIuHowELi5C8e+1yUHtoLoOUR9QU5j7Tes=
+github.com/aclements/go-moremath v0.0.0-20161014184102-0ff62e0875ff/go.mod h1:idZL3yvz4kzx1dsBOAC+oYv6L92P1oFEhUXUB1A/lwQ=
 github.com/alecthomas/kingpin v2.2.6+incompatible/go.mod h1:59OFYbFVLKQKq+mqrL6Rw5bR0c3ACQaawgXx0QYndlE=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
@@ -44,530 +22,219 @@ github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb h1:m935MPodAbYS46DG4
 github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI=
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e h1:hHg27A0RSSp2Om9lubZpiMgVbvn39bsUmW9U5h0twqc=
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A=
-github.com/cenkalti/backoff v1.1.1-0.20190506075156-2146c9339422/go.mod h1:b6Nc7NRH5C4aCISLry0tLnTjcuTEvoiqcWDdsU0sOGM=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg=
-github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/containerd/cgroups v0.0.0-20201119153540-4cbc285b3327/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE=
-github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE=
-github.com/containerd/containerd v1.3.9/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
-github.com/containerd/continuity v0.0.0-20200928162600-f2cc35102c2a/go.mod h1:W0qIOTD7mp2He++YVq+kgfXezRYqzP1uDuMVH1bITDY=
-github.com/containerd/fifo v0.0.0-20191213151349-ff969a566b00/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0=
-github.com/containerd/go-runc v0.0.0-20200220073739-7016d3ce2328/go.mod h1:PpyHrqVs8FTi9vpyHwPwiNEGaACDxT/N/pLcvMSRA9g=
-github.com/containerd/ttrpc v0.0.0-20200121165050-0be804eadb15/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
-github.com/containerd/typeurl v0.0.0-20200205145503-b45ef1f1f737/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg=
 github.com/coreos/go-iptables v0.4.5 h1:DpHb9vJrZQEFMcVLFKAAGMUVX0XoRC0ptCthinRYm38=
 github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
-github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
-github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v1.4.2-0.20191028175130-9e7d5ac5ea55/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.3.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
-github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
-github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
-github.com/dpjacques/clockwork v0.1.1-0.20200827220843-c1f524b839be/go.mod h1:D8mP2A8vVT2GkXqPorSBmhnshhkFBYgzhA90KmJt25Y=
-github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
-github.com/dvyukov/go-fuzz v0.0.0-20201127111758-49e582c6c23d/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
-github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
-github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
-github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-multierror/multierror v1.0.2 h1:AwsKbEXkmf49ajdFJgcFXqSG0aLo0HEyAE9zk9JguJo=
 github.com/go-multierror/multierror v1.0.2/go.mod h1:U7SZR/D9jHgt2nkSj8XcbCWdmVM2igraCHQ3HC1HiKY=
 github.com/go-ole/go-ole v1.2.4 h1:nNBDSCOigTSiarFpYE9J/KtEA1IOW4CNeqT9TQDqCxI=
 github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM=
-github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
-github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
-github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
-github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
-github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e h1:BWhy2j3IXJhjCbC68FptL43tDKIq8FladmaTs3Xs7Z8=
-github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
+github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/godbus/dbus/v5 v5.0.3 h1:ZqHaoEF7TBzh4jzPmqVhE/5A1z9of6orkAe5uHoAeME=
 github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/gofrs/flock v0.6.1-0.20180915234121-886344bea079/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
-github.com/gogo/googleapis v1.4.0/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c=
-github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
-github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
-github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY=
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
-github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
-github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
-github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
-github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
-github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=
-github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/gonum/blas v0.0.0-20181208220705-f22b278b28ac/go.mod h1:P32wAyui1PQ58Oce/KYkOqQv8cVw1zAapXOl+dRFGbc=
+github.com/gonum/floats v0.0.0-20181209220543-c233463c7e82/go.mod h1:PxC8OnwL11+aosOB5+iEPoV3picfs8tUpkVd0pDo+Kg=
+github.com/gonum/internal v0.0.0-20181124074243-f884aa714029/go.mod h1:Pu4dmpkhSyOzRwuXkOgAvijx4o+4YMUJJo9OvPYMkks=
+github.com/gonum/lapack v0.0.0-20181123203213-e4cdc5a0bff9/go.mod h1:XA3DeT6rxh2EAE789SSiSJNqxPaC0aE9J8NTOI0Jo/A=
+github.com/gonum/matrix v0.0.0-20181209220409-c518dec07be9/go.mod h1:0EXg4mc1CNP0HCqCz+K4ts155PXIlUywf0wqN+GfPZw=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.0 h1:/QaMHBdZ26BB3SSst0Iwl10Epc+xhTquomWX0oZEB6w=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.3-0.20201020212313-ab46b8bd0abd/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
-github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-github/v28 v28.1.2-0.20191108005307-e555eab49ce8/go.mod h1:g82e6OHbJ0WYrYeOrid1MMfHAtqjxBz+N74tfAt9KrQ=
-github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
-github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
-github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
-github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0 h1:BW6OvS3kpT5UEPbCZ+KyX/OB4Ks9/MNMhWjqPPkZxsE=
 github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0/go.mod h1:RaTPr0KUf2K7fnZYLNDrr8rxAamWs3iNywJLtQ2AzBg=
-github.com/google/subcommands v1.0.2-0.20190508160503-636abe8753b8/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
-github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
-github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
+github.com/googleapis/gax-go v0.0.0-20161107002406-da06d194a00e/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY=
 github.com/goreleaser/nfpm v1.1.10 h1:0nwzKUJTcygNxTzVKq2Dh9wpVP1W2biUH6SNKmoxR3w=
 github.com/goreleaser/nfpm v1.1.10/go.mod h1:oOcoGRVwvKIODz57NUfiRwFWGfn00NXdgnn6MrYtO5k=
-github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
-github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
-github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ=
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
-github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw=
 github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4 h1:nwOc1YaOrYJ37sEBrtWZrdqzK22hiJs3GpDmP3sR2Yw=
 github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ=
-github.com/jsimonetti/rtnetlink v0.0.0-20201009170750-9c6f07d100c1/go.mod h1:hqoO/u39cqLeBLebZ8fWdE96O7FxrAsRYhnVOdgHxok=
-github.com/jsimonetti/rtnetlink v0.0.0-20201216134343-bde56ed16391 h1:Dqu/4JhMV1vpXHDjzQCuDCEsjNi0xfuSmQlMOyqayKA=
-github.com/jsimonetti/rtnetlink v0.0.0-20201216134343-bde56ed16391/go.mod h1:cR77jAZG3Y3bsb8hF6fHJbFoyFukLFOkQ98S0pQz3xw=
-github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
-github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.10.10 h1:a/y8CglcM7gLGYmlbP/stPE5sR3hbhFRUjCBfd/0B3I=
 github.com/klauspost/compress v1.10.10/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1 h1:VkoXIwSboBpnk99O/KFauAEILuNHv5DVFKZMBN/gUgw=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/pty v1.1.4-0.20190131011033-7dc38fb350b1 h1:zc0R6cOw98cMengLA0fvU55mqbnN7sd/tBMLzSejp+M=
-github.com/kr/pty v1.1.4-0.20190131011033-7dc38fb350b1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/lxn/walk v0.0.0-20191128110447-55ccb3a9f5c1/go.mod h1:E23UucZGqpuUANJooIbHWCufXvOcT6E7Stq81gU+CSQ=
 github.com/lxn/walk v0.0.0-20201110160827-18ea5e372cdb/go.mod h1:E23UucZGqpuUANJooIbHWCufXvOcT6E7Stq81gU+CSQ=
+github.com/lxn/win v0.0.0-20191128105842-2da648fda5b4/go.mod h1:ouWl4wViUNh8tPSIwxTVMuS014WakR1hqvBc2I0bMoA=
 github.com/lxn/win v0.0.0-20201111105847-2a20daff6a55/go.mod h1:KxxjdtRkfNoYDCUP5ryK7XJJNTnpC8atvtmTheChOtk=
-github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mattbaird/jsonpatch v0.0.0-20171005235357-81af80346b1a/go.mod h1:M1qoD/MqPgTZIk0EWKB38wE28ACRfVcn+cU08jyArI0=
+github.com/mattn/go-sqlite3 v0.0.0-20161215041557-2d44decb4941/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-zglob v0.0.1 h1:xsEx/XUoVlI6yXjqBK062zYhRTZltCNmYPx6v+8DNaY=
 github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo=
 github.com/mdlayher/netlink v0.0.0-20190409211403-11939a169225/go.mod h1:eQB3mZE4aiYnlUsyGGCOpPETfdQq4Jhsgf1fk3cwQaA=
 github.com/mdlayher/netlink v1.0.0/go.mod h1:KxeJAFOFLG6AjpyDkQ/iIhxygIUKD+vcwqcnu43w/+M=
 github.com/mdlayher/netlink v1.1.0 h1:mpdLgm+brq10nI9zM1BpX1kpDbh3NLl3RSnVq6ZSkfg=
 github.com/mdlayher/netlink v1.1.0/go.mod h1:H4WCitaheIsdF9yOYu8CFmCgQthAPIWZmcKp9uZHgmY=
-github.com/mdlayher/netlink v1.1.1/go.mod h1:WTYpFb/WTvlRJAyKhZL5/uy69TDDpHHu2VZmb2XgV7o=
-github.com/mdlayher/netlink v1.2.0 h1:zPolhRjfuabdf8ofZsl56eoU+92cvSlAn13lw4veCZ0=
-github.com/mdlayher/netlink v1.2.0/go.mod h1:kwVW1io0AZy9A1E2YYgaD4Cj+C+GPkU6klXCMzIJ9p8=
-github.com/mdlayher/sdnotify v0.0.0-20200625151349-e4a4f32afc4a h1:wMv2mvcHRH4jqIxaVL5t6gSq1hjPiaWH7TOcA0Z+uNo=
-github.com/mdlayher/sdnotify v0.0.0-20200625151349-e4a4f32afc4a/go.mod h1:HtjVsQfsrBm1GDcDTUFn4ZXhftxTwO/hxrvEiRc61U4=
 github.com/miekg/dns v1.1.30 h1:Qww6FseFn8PRfw07jueqIXqodm0JKiiKuK0DeXSqfyo=
 github.com/miekg/dns v1.1.30/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
-github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/mohae/deepcopy v0.0.0-20170308212314-bb9b5e7adda9/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
-github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 h1:lDH9UUVJtmYCjyT0CI4q8xvlXPxeZ0gYCVvWbmPlp88=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
-github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
-github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.0.2-0.20181111125026-1722abf79c2f/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3 h1:YtFkrqsMEj7YqpIhRteVxJxCeC3jJBieuLr0d4C4rSA=
 github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
-github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys=
-github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/peterbourgon/ff/v2 v2.0.0 h1:lx0oYI5qr/FU1xnpNhQ+EZM04gKgn46jyYvGEEqBBbY=
 github.com/peterbourgon/ff/v2 v2.0.0/go.mod h1:xjwr+t+SjWm4L46fcj/D+Ap+6ME7+HqFzaP22pP5Ggk=
 github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7 h1:+/+DxvQaYifJ+grD4klzrS5y+KJXldn/2YTl5JG+vZ8=
 github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7/go.mod h1:zO8QMzTeZd5cpnIkz/Gn6iK0jDfGicM1nynOkkPIl28=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/procfs v0.0.0-20190522114515-bc1a522cf7b1/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b h1:+gCnWOZV8Z/8jehJ2CdqB47Z3S+SREmQcuXkRFLNsiI=
 github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I=
 github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
-github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
-github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027 h1:lK99QQdH3yBWY6aGilF+IRlQIdmhzLrsEmF6JgN+Ryw=
-github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
-github.com/tailscale/wireguard-go v0.0.0-20210109012254-dc30a1b9415e h1:ZXbXfVJOhSq4/Gt7TnqwXBPCctzYXkWXo3oQS7LZ40I=
-github.com/tailscale/wireguard-go v0.0.0-20210109012254-dc30a1b9415e/go.mod h1:K/wyv4+3PcdVVTV7szyoiEjJ1nVHonM8cJ2mQwG5Fl8=
-github.com/tailscale/wireguard-go v0.0.0-20210113223737-a6213b5eaf98 h1:khwYPK1eT+4pmEFyCjpf6Br/0JWjdVT3uQ+ILFJPTRo=
-github.com/tailscale/wireguard-go v0.0.0-20210113223737-a6213b5eaf98/go.mod h1:K/wyv4+3PcdVVTV7szyoiEjJ1nVHonM8cJ2mQwG5Fl8=
-github.com/tailscale/wireguard-go v0.0.0-20210114205708-a1377e83f551 h1:hjBVxvVa145kVflAFkVcTr/zwUzBO4SqfSS6xhbcMv8=
-github.com/tailscale/wireguard-go v0.0.0-20210114205708-a1377e83f551/go.mod h1:K/wyv4+3PcdVVTV7szyoiEjJ1nVHonM8cJ2mQwG5Fl8=
-github.com/tailscale/wireguard-go v0.0.0-20210116013233-4cd297ed5a7d h1:8GcGtZ4Ui+lzHm6gOq7s2Oe4ksxkbUYtS/JuoJ2Nce8=
-github.com/tailscale/wireguard-go v0.0.0-20210116013233-4cd297ed5a7d/go.mod h1:K/wyv4+3PcdVVTV7szyoiEjJ1nVHonM8cJ2mQwG5Fl8=
+github.com/tailscale/depaware v0.0.0-20201003033024-5d95aab075be h1:ZKe3kVGbu/goUVxXcaCPbQ4b0STQ5NsCpG90CG6mw/c=
+github.com/tailscale/depaware v0.0.0-20201003033024-5d95aab075be/go.mod h1:jissDaJNHiyV2tFdr3QyNEfsZrax/i2yQiSO+CljThI=
+github.com/tailscale/wireguard-go v0.0.0-20200921221757-11a958a67bdd h1:yEWpro9EdxGgkt24NInVnONIJxRLURH5c37Ki5+06EE=
+github.com/tailscale/wireguard-go v0.0.0-20200921221757-11a958a67bdd/go.mod h1:WXq+IkSOJGIgfF1XW+4z4oW+LX/TXzU9DcKlT5EZLi4=
+github.com/tailscale/wireguard-go v0.0.0-20201008164108-2c83f43a9859 h1:Z7bXXCYRg/8sjSyKTk0V8Yso/gQjNvPb10DBemKuz+A=
+github.com/tailscale/wireguard-go v0.0.0-20201008164108-2c83f43a9859/go.mod h1:WXq+IkSOJGIgfF1XW+4z4oW+LX/TXzU9DcKlT5EZLi4=
+github.com/tailscale/wireguard-go v0.0.0-20201021041318-a6168fd06b3f h1:KMx58dbn2YCutzOvjNHgmvbwQH7nGE8H+J42Nenjl/M=
+github.com/tailscale/wireguard-go v0.0.0-20201021041318-a6168fd06b3f/go.mod h1:WXq+IkSOJGIgfF1XW+4z4oW+LX/TXzU9DcKlT5EZLi4=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
 github.com/tcnksm/go-httpstat v0.2.0/go.mod h1:s3JVJFtQxtBEBC9dwcdTTXS9xFnM3SXAZwPG41aurT8=
 github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=
 github.com/toqueteos/webbrowser v1.2.0/go.mod h1:XWoZq4cyp9WeUeak7w7LXRUQf1F1ATJMir8RTqb4ayM=
 github.com/ulikunitz/xz v0.5.6 h1:jGHAfXawEGZQ3blwU5wnWKQJvAraT7Ftq9EXjnXYgt8=
 github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
-github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
-github.com/vishvananda/netlink v1.0.1-0.20190930145447-2ec5bdc52b86/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
-github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
-go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
-go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
-go4.org/intern v0.0.0-20201223054237-ef8cbcb8edd7 h1:yeDrXaQ3VRXbTN7lHj70DxW4LdPow83MVwPPRjpP70U=
-go4.org/intern v0.0.0-20201223054237-ef8cbcb8edd7/go.mod h1:vLqJ+12kCw61iCWsPto0EOHhBS+o4rO5VIucbc9g2Cc=
-go4.org/intern v0.0.0-20201223061701-969c7e87e7cb h1:yuqO0E4bHRsTPUocDpRKXfLE40lwWplVxENQ2WOV7Gc=
-go4.org/intern v0.0.0-20201223061701-969c7e87e7cb/go.mod h1:vLqJ+12kCw61iCWsPto0EOHhBS+o4rO5VIucbc9g2Cc=
-go4.org/intern v0.0.0-20210101010959-7cab76ca296a h1:28p852HIWWaOS019DYK/A3yTmpm1HJaUce63pvll4C8=
-go4.org/intern v0.0.0-20210101010959-7cab76ca296a/go.mod h1:vLqJ+12kCw61iCWsPto0EOHhBS+o4rO5VIucbc9g2Cc=
+go4.org/mem v0.0.0-20200706164138-185c595c3ecc h1:paujszgN6SpsO/UsXC7xax3gQAKz/XQKCYZLQdU34Tw=
+go4.org/mem v0.0.0-20200706164138-185c595c3ecc/go.mod h1:NEYvpHWemiG/E5UWfaN5QAIGZeT1sa0Z2UNk6oeMb/k=
 go4.org/mem v0.0.0-20201119185036-c04c5a6ff174 h1:vSug/WNOi2+4jrKdivxayTN/zd8EA1UrStjpWvvo1jk=
 go4.org/mem v0.0.0-20201119185036-c04c5a6ff174/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
-go4.org/unsafe/assume-no-moving-gc v0.0.0-20201222175341-b30ae309168e h1:ExUmGi0ZsQmiVo9giDQqXkr7vreeXPMkOGIusfsfbzI=
-go4.org/unsafe/assume-no-moving-gc v0.0.0-20201222175341-b30ae309168e/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E=
-go4.org/unsafe/assume-no-moving-gc v0.0.0-20201222180813-1025295fd063 h1:1tk03FUNpulq2cuWpXZWj649rwJpk0d20rxWiopKRmc=
-go4.org/unsafe/assume-no-moving-gc v0.0.0-20201222180813-1025295fd063/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E=
-golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899 h1:DZhuSZLsGlFL4CmhA8BcRA0mnthyA/nZ00AqCUo7vHg=
+golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9 h1:umElSU9WZirRdgu2yFHY0ayQkEnKiOC1TtM3fWXFnoU=
 golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392 h1:xYJJ3S178yv++9zXV/hnr29plCAGO9vAFG9dorqaFQc=
-golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
-golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
-golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
-golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
-golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
-golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
-golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.0 h1:8pl+sMODzuvGJkmj2W4kZihvVb5mKm8pB/X44PIQHv8=
-golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191003171128-d98b1b443823/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200822124328-c89045814202 h1:VvcQYSHwXgi7W+TpUR6A9g6Up98WAHf3f/ulnJ62IyA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201216054612-986b41b23924 h1:QsnDpLLOKwHBBDa8nDws4DYNc/ryVW2vCpxCs09d4PY=
-golang.org/x/net v0.0.0-20201216054612-986b41b23924/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20170207211851-4464e7848382/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/perf v0.0.0-20200918155509-d949658356f9 h1:yVBHF5pcQLKR9B+y+dOJ6y68nqJBDWaZ9DhB1Ohg0qE=
+golang.org/x/perf v0.0.0-20200918155509-d949658356f9/go.mod h1:FrqOtQDO3iMDVUtw5nNTDFpR1HUCGh00M3kj2wiSzLQ=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 h1:qwRHBd0NqMbJxfbotnDhm2ByMI1Shq4Y6oRJo21SGJA=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 h1:SQFwaSi55rU7vdNs9Yr0Z324VNlrF+0wMqRXT4St8ck=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191003212358-c178f38b412c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200120151820-655fe14d7479/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200812155832-6a926be9bd1d h1:QQrM/CCYEzTs91GZylDCQjGHudbPTxF/1fvXdVh5lMo=
+golang.org/x/sys v0.0.0-20200812155832-6a926be9bd1d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201107080550-4d91cf3a1aaf/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY=
 golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201118182958-a01c418693c7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201202213521-69691e467435/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201218084310-7d0127a74742 h1:+CBz4km/0KPU3RGTwARGh/noP3bEwtHcq+0YcBQM2JQ=
-golang.org/x/sys v0.0.0-20201218084310-7d0127a74742/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20201207232118-ee85cb95a76b h1:a0ErnNnPKmhDyIXQvdZr+Lq8dc8xpMeqkF8y5PgQU4Q=
-golang.org/x/term v0.0.0-20201207232118-ee85cb95a76b/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4 h1:0YWbFKbhXG/wIiuHDSKpS0Iy7FSA+u45VtBMfQcFTTc=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200609164405-eb789aa7ce50/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20201021000207-d49c4edd7d96/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
-golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58 h1:1Bs6RVeBFtLZ8Yi1Hk07DiOqzvwLD/4hln4iahvFlag=
-golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20201001230009-b5b87423c93b/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
+golang.org/x/tools v0.0.0-20201002184944-ecd9fd270d5d h1:vWQvJ/Z0Lu+9/8oQ/pAYXNzbc7CMnBl+tULGVHOy3oE=
+golang.org/x/tools v0.0.0-20201002184944-ecd9fd270d5d/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.zx2c4.com/wireguard v0.0.20200321-0.20200715051853-507f148e1c42 h1:SrR1hmxGKKarHEEDvaHxatwnqE3uT+7jvMcin6SHOkw=
+golang.zx2c4.com/wireguard v0.0.20200321-0.20200715051853-507f148e1c42/go.mod h1:GJvYs5O24/ASlwPiRklVnjMx2xQzrOic0DuU6GvYJL4=
 golang.zx2c4.com/wireguard v0.0.20200321-0.20201111175144-60b3766b89b9 h1:qowcZ56hhpeoESmWzI4Exhx4Y78TpCyXUJur4/c0CoE=
 golang.zx2c4.com/wireguard v0.0.20200321-0.20201111175144-60b3766b89b9/go.mod h1:LMeNfjlcPZTrBC1juwgbQyA4Zy2XVcsrdO/fIJxwyuA=
+golang.zx2c4.com/wireguard/windows v0.1.2-0.20201004085714-dd60d0447f81 h1:cT2oWlz8v9g7bjFZclT362akxJJfGv9d7ccKu6GQUbA=
+golang.zx2c4.com/wireguard/windows v0.1.2-0.20201004085714-dd60d0447f81/go.mod h1:GaK5zcgr5XE98WaRzIDilumDBp5/yP8j2kG/LCDnvAM=
 golang.zx2c4.com/wireguard/windows v0.1.2-0.20201113162609-9b85be97fdf8 h1:nlXPqGA98n+qcq1pwZ28KjM5EsFQvamKS00A+VUeVjs=
 golang.zx2c4.com/wireguard/windows v0.1.2-0.20201113162609-9b85be97fdf8/go.mod h1:psva4yDnAHLuh7lUzOK7J7bLYxNFfo0iKWz+mi9gzkA=
-google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
-google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
-google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/api v0.0.0-20170206182103-3d017632ea10/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0=
+google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
-google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM=
-google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
-google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
-google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
-google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.29.0/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.25.1-0.20201020201750-d3470999428b h1:jEdfCm+8YTWSYgU4L7Nq0jjU+q9RxIhi0cXLTY+Ih3A=
-google.golang.org/protobuf v1.25.1-0.20201020201750-d3470999428b/go.mod h1:hFxJC2f0epmp1elRCiEGJTKAWbwxZ2nvqZdHl3FQXCY=
+google.golang.org/grpc v0.0.0-20170208002647-2a6bf6142e96/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
 gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
-gvisor.dev/gvisor v0.0.0-20210111185822-3ff3110fcdd6 h1:H5EvGkFG+pgAAbZMV8Me3Gy+HUYdaDcGXKWWixZ0EE8=
-gvisor.dev/gvisor v0.0.0-20210111185822-3ff3110fcdd6/go.mod h1:5DEMKRjYDiM24fvDUWPjBpABm9ROMcv/kEcox3fHtm0=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-honnef.co/go/tools v0.1.0 h1:AWNL1W1i7f0wNZ8VwOKNJ0sliKvOF/adn0EHenfUh+c=
-honnef.co/go/tools v0.1.0/go.mod h1:XtegFAyX/PfluP4921rXU5IkjkqBCDnUq4W8VCIoKvM=
-inet.af/netaddr v0.0.0-20201228234250-33d0a924ebbf h1:0eHZ8v6j5wIiOVyoYPd70ueZ/RPEQtRlzi60uneDbRU=
-inet.af/netaddr v0.0.0-20201228234250-33d0a924ebbf/go.mod h1:9NdhtHLglxJliAZB6aC5ws3mfnUArdAzHG/iJq7cB/o=
-inet.af/netaddr v0.0.0-20210105212526-648fbc18a69d h1:6f0242aW/6x2enQBOSKgDS8KQNw6Tp7IVR8eG3x0Jc8=
-inet.af/netaddr v0.0.0-20210105212526-648fbc18a69d/go.mod h1:jPZo7Jy4nke2cCgISa4fKJKa5T7+EO8k5fWwWghzneg=
-k8s.io/api v0.16.13/go.mod h1:QWu8UWSTiuQZMMeYjwLs6ILu5O74qKSJ0c+4vrchDxs=
-k8s.io/apimachinery v0.16.13/go.mod h1:4HMHS3mDHtVttspuuhrJ1GGr/0S9B6iWYWZ57KnnZqQ=
-k8s.io/apimachinery v0.16.14-rc.0/go.mod h1:4HMHS3mDHtVttspuuhrJ1GGr/0S9B6iWYWZ57KnnZqQ=
-k8s.io/client-go v0.16.13/go.mod h1:UKvVT4cajC2iN7DCjLgT0KVY/cbY6DGdUCyRiIfws5M=
-k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
-k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
-k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
-k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
-k8s.io/kube-openapi v0.0.0-20200410163147-594e756bea31/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
-k8s.io/utils v0.0.0-20190801114015-581e00157fb1/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
-rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8=
+honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+inet.af/netaddr v0.0.0-20200810144936-56928fe48a98 h1:bWyWDZP0l6VnQ1TDKf6yNwuiEDV6Q3q1Mv34m+lzT1I=
+inet.af/netaddr v0.0.0-20200810144936-56928fe48a98/go.mod h1:qqYzz/2whtrbWJvt+DNWQyvekNN4ePQZcg2xc2/Yjww=
 rsc.io/goversion v1.2.0 h1:SPn+NLTiAG7w30IRK/DKp1BjvpWabYgxlLp/+kx5J8w=
 rsc.io/goversion v1.2.0/go.mod h1:Eih9y/uIBS3ulggl7KNJ09xGSLcuNaLgmvvqa07sgfo=
-sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
-sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
--- a/internal/deepprint/deepprint_test.go
+++ b/internal/deepprint/deepprint_test.go
@@ -37,11 +37,16 @@ func getVal() []interface{} {
 	return []interface{}{
 		&wgcfg.Config{
 			Name:       "foo",
-			Addresses:  []netaddr.IPPrefix{{Bits: 5, IP: netaddr.IPFrom16([16]byte{3: 3})}},
+			Addresses:  []wgcfg.CIDR{{Mask: 5, IP: wgcfg.IP{Addr: [16]byte{3: 3}}}},
 			ListenPort: 5,
 			Peers: []wgcfg.Peer{
 				{
-					Endpoints: "foo:5",
+					Endpoints: []wgcfg.Endpoint{
+						{
+							Host: "foo",
+							Port: 5,
+						},
+					},
 				},
 			},
 		},
--- a/ipn/handle.go
+++ b/ipn/handle.go
@@ -8,8 +8,8 @@ import (
 	"sync"
 	"time"

+	"github.com/tailscale/wireguard-go/wgcfg"
 	"golang.org/x/oauth2"
-	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/types/logger"
 )
@@ -118,7 +118,7 @@ func (h *Handle) EngineStatus() EngineStatus {
 	return h.engineStatusCache
 }

-func (h *Handle) LocalAddrs() []netaddr.IPPrefix {
+func (h *Handle) LocalAddrs() []wgcfg.CIDR {
 	h.mu.Lock()
 	defer h.mu.Unlock()

@@ -126,7 +126,7 @@ func (h *Handle) LocalAddrs() []netaddr.IPPrefix {
 	if nm != nil {
 		return nm.Addresses
 	}
-	return []netaddr.IPPrefix{}
+	return []wgcfg.CIDR{}
 }

 func (h *Handle) NetMap() *controlclient.NetworkMap {
--- a/ipn/ipnserver/conn_linux.go
+++ b/ipn/ipnserver/conn_linux.go
@@ -1,49 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build linux
-
-package ipnserver
-
-import (
-	"net"
-
-	"golang.org/x/sys/unix"
-	"tailscale.com/types/logger"
-)
-
-func isReadonlyConn(c net.Conn, logf logger.Logf) (ro bool) {
-	ro = true // conservative default for naked returns below
-	uc, ok := c.(*net.UnixConn)
-	if !ok {
-		logf("unexpected connection type %T", c)
-		return
-	}
-	raw, err := uc.SyscallConn()
-	if err != nil {
-		logf("SyscallConn: %v", err)
-		return
-	}
-
-	var cred *unix.Ucred
-	cerr := raw.Control(func(fd uintptr) {
-		cred, err = unix.GetsockoptUcred(int(fd),
-			unix.SOL_SOCKET,
-			unix.SO_PEERCRED)
-	})
-	if cerr != nil {
-		logf("raw.Control: %v", err)
-		return
-	}
-	if err != nil {
-		logf("raw.Control: %v", err)
-		return
-	}
-	if cred.Uid == 0 {
-		// root is not read-only.
-		return false
-	}
-	logf("non-root connection from %v (read-only)", cred.Uid)
-	return true
-}
--- a/ipn/ipnserver/conn_no_ucred.go
+++ b/ipn/ipnserver/conn_no_ucred.go
@@ -1,27 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !linux
-
-package ipnserver
-
-import (
-	"net"
-
-	"tailscale.com/types/logger"
-)
-
-func isReadonlyConn(c net.Conn, logf logger.Logf) bool {
-	// Windows doesn't need/use this mechanism, at least yet. It
-	// has a different last-user-wins auth model.
-
-	// And on Darwin, we're not using it yet, as the Darwin
-	// tailscaled port isn't yet done, and unix.Ucred and
-	// unix.GetsockoptUcred aren't in x/sys/unix.
-
-	// TODO(bradfitz): OpenBSD and FreeBSD should implement this too.
-	// But their x/sys/unix package is different than Linux, so
-	// I didn't include it for now.
-	return false
-}
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -34,7 +34,6 @@ import (
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/pidowner"
-	"tailscale.com/util/systemd"
 	"tailscale.com/version"
 	"tailscale.com/wgengine"
 )
@@ -266,24 +265,18 @@ func (s *server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
 	}

 	defer s.removeAndCloseConn(c)
-	logf("[v1] incoming control connection")
-
-	if isReadonlyConn(c, logf) {
-		ctx = ipn.ReadonlyContextOf(ctx)
-	}
+	logf("incoming control connection")

 	for ctx.Err() == nil {
 		msg, err := ipn.ReadMsg(br)
 		if err != nil {
-			if errors.Is(err, io.EOF) {
-				logf("[v1] ReadMsg: %v", err)
-			} else if ctx.Err() == nil {
+			if ctx.Err() == nil {
 				logf("ReadMsg: %v", err)
 			}
 			return
 		}
 		s.bsMu.Lock()
-		if err := s.bs.GotCommandMsg(ctx, msg); err != nil {
+		if err := s.bs.GotCommandMsg(msg); err != nil {
 			logf("GotCommandMsg: %v", err)
 		}
 		gotQuit := s.bs.GotQuit
@@ -359,7 +352,7 @@ func (s *server) addConn(c net.Conn, isHTTP bool) (ci connIdentity, err error) {
 		if doReset {
 			s.logf("identity changed; resetting server")
 			s.bsMu.Lock()
-			s.bs.Reset(context.TODO())
+			s.bs.Reset()
 			s.bsMu.Unlock()
 		}
 	}()
@@ -411,7 +404,7 @@ func (s *server) removeAndCloseConn(c net.Conn) {
 		} else {
 			s.logf("client disconnected; stopping server")
 			s.bsMu.Lock()
-			s.bs.Reset(context.TODO())
+			s.bs.Reset()
 			s.bsMu.Unlock()
 		}
 	}
@@ -585,7 +578,7 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 	server.bs = ipn.NewBackendServer(logf, b, server.writeToClients)

 	if opts.AutostartStateKey != "" {
-		server.bs.GotCommand(context.TODO(), &ipn.Command{
+		server.bs.GotCommand(&ipn.Command{
 			Version: version.Long,
 			Start: &ipn.StartArgs{
 				Opts: ipn.Options{
@@ -596,7 +589,6 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 		})
 	}

-	systemd.Ready()
 	for i := 1; ctx.Err() == nil; i++ {
 		var c net.Conn
 		var err error
--- a/ipn/ipnserver/server_test.go
+++ b/ipn/ipnserver/server_test.go
@@ -56,7 +56,7 @@ func TestRunMultipleAccepts(t *testing.T) {
 		}
 	}

-	eng, err := wgengine.NewFakeUserspaceEngine(logf, 0, nil)
+	eng, err := wgengine.NewFakeUserspaceEngine(logf, 0)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -25,10 +25,9 @@ import (

 // Status represents the entire state of the IPN network.
 type Status struct {
-	BackendState   string
-	TailscaleIPs   []netaddr.IP // Tailscale IP(s) assigned to this node
-	Self           *PeerStatus
-	MagicDNSSuffix string // e.g. "userfoo.tailscale.net" (no surrounding dots)
+	BackendState string
+	TailscaleIPs []netaddr.IP // Tailscale IP(s) assigned to this node
+	Self         *PeerStatus

 	Peer map[key.Public]*PeerStatus
 	User map[tailcfg.UserID]tailcfg.UserProfile
@@ -65,12 +64,6 @@ type PeerStatus struct {
 	LastHandshake time.Time // with local wireguard
 	KeepAlive     bool

-	// ShareeNode indicates this node exists in the netmap because
-	// it's owned by a shared-to user and that node might connect
-	// to us. These nodes should be hidden by "tailscale status"
-	// etc by default.
-	ShareeNode bool `json:",omitempty"`
-
 	// InNetworkMap means that this peer was seen in our latest network map.
 	// In theory, all of InNetworkMap and InMagicSock and InEngine should all be true.
 	InNetworkMap bool
@@ -104,12 +97,6 @@ func (sb *StatusBuilder) SetBackendState(v string) {
 	sb.st.BackendState = v
 }

-func (sb *StatusBuilder) SetMagicDNSSuffix(v string) {
-	sb.mu.Lock()
-	defer sb.mu.Unlock()
-	sb.st.MagicDNSSuffix = v
-}
-
 func (sb *StatusBuilder) Status() *Status {
 	sb.mu.Lock()
 	defer sb.mu.Unlock()
@@ -231,9 +218,6 @@ func (sb *StatusBuilder) AddPeer(peer key.Public, st *PeerStatus) {
 	if st.KeepAlive {
 		e.KeepAlive = true
 	}
-	if st.ShareeNode {
-		e.ShareeNode = true
-	}
 }

 type StatusUpdater interface {
--- a/ipn/local.go
+++ b/ipn/local.go
@@ -29,8 +29,6 @@ import (
 	"tailscale.com/types/empty"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
-	"tailscale.com/types/wgkey"
-	"tailscale.com/util/systemd"
 	"tailscale.com/version"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
@@ -84,7 +82,7 @@ type LocalBackend struct {
 	userID         string   // current controlling user ID (for Windows, primarily)
 	prefs          *Prefs
 	inServerMode   bool
-	machinePrivKey wgkey.Private
+	machinePrivKey wgcfg.PrivateKey
 	state          State
 	// hostinfo is mutated in-place while mu is held.
 	hostinfo *tailcfg.Hostinfo
@@ -201,7 +199,6 @@ func (b *LocalBackend) UpdateStatus(sb *ipnstate.StatusBuilder) {
 	// TODO: hostinfo, and its networkinfo
 	// TODO: EngineStatus copy (and deprecate it?)
 	if b.netMap != nil {
-		sb.SetMagicDNSSuffix(b.netMap.MagicDNSSuffix())
 		for id, up := range b.netMap.UserProfiles {
 			sb.AddUser(id, up)
 		}
@@ -211,14 +208,8 @@ func (b *LocalBackend) UpdateStatus(sb *ipnstate.StatusBuilder) {
 				lastSeen = *p.LastSeen
 			}
 			var tailAddr string
-			for _, addr := range p.Addresses {
-				// The peer struct currently only allows a single
-				// Tailscale IP address. For compatibility with the
-				// old display, make sure it's the IPv4 address.
-				if addr.IP.Is4() && addr.IsSingleIP() && tsaddr.IsTailscaleIP(addr.IP) {
-					tailAddr = addr.IP.String()
-					break
-				}
+			if len(p.Addresses) > 0 {
+				tailAddr = strings.TrimSuffix(p.Addresses[0].String(), "/32")
 			}
 			sb.AddPeer(key.Public(p.Key), &ipnstate.PeerStatus{
 				InNetworkMap: true,
@@ -230,7 +221,6 @@ func (b *LocalBackend) UpdateStatus(sb *ipnstate.StatusBuilder) {
 				KeepAlive:    p.KeepAlive,
 				Created:      p.Created,
 				LastSeen:     lastSeen,
-				ShareeNode:   p.Hostinfo.ShareeNode,
 			})
 		}
 	}
@@ -253,11 +243,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 	// The following do not depend on any data for which we need to lock b.
 	if st.Err != "" {
 		// TODO(crawshaw): display in the UI.
-		if st.Err == "EOF" {
-			b.logf("[v1] Received error: EOF")
-		} else {
-			b.logf("Received error: %v", st.Err)
-		}
+		b.logf("Received error: %v", st.Err)
 		return
 	}
 	if st.LoginFinished != nil {
@@ -321,7 +307,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		if netMap != nil {
 			diff := st.NetMap.ConciseDiffFrom(netMap)
 			if strings.TrimSpace(diff) == "" {
-				b.logf("[v1] netmap diff: (none)")
+				b.logf("netmap diff: (none)")
 			} else {
 				b.logf("netmap diff:\n%v", diff)
 			}
@@ -352,7 +338,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 // This updates the endpoints both in the backend and in the control client.
 func (b *LocalBackend) setWgengineStatus(s *wgengine.Status, err error) {
 	if err != nil {
-		b.logf("wgengine status error: %v", err)
+		b.logf("wgengine status error: %#v", err)
 		return
 	}
 	if s == nil {
@@ -536,9 +522,9 @@ func (b *LocalBackend) updateFilter(netMap *controlclient.NetworkMap, prefs *Pre
 	// quite hard to debug, so save yourself the trouble.
 	var (
 		haveNetmap   = netMap != nil
-		addrs        []netaddr.IPPrefix
+		addrs        []wgcfg.CIDR
 		packetFilter []filter.Match
-		advRoutes    []netaddr.IPPrefix
+		advRoutes    []wgcfg.CIDR
 		shieldsUp    = prefs == nil || prefs.ShieldsUp // Be conservative when not ready
 	)
 	if haveNetmap {
@@ -560,11 +546,12 @@ func (b *LocalBackend) updateFilter(netMap *controlclient.NetworkMap, prefs *Pre
 		return
 	}

-	localNets := unmapIPPrefixes(netMap.Addresses, advRoutes)
+	localNets := wgCIDRsToNetaddr(netMap.Addresses, advRoutes)

 	if shieldsUp {
 		b.logf("netmap packet filter: (shields up)")
-		b.e.SetFilter(filter.NewShieldsUpFilter(b.logf))
+		var prevFilter *filter.Filter // don't reuse old filter state
+		b.e.SetFilter(filter.New(nil, localNets, prevFilter, b.logf))
 	} else {
 		b.logf("netmap packet filter: %v", packetFilter)
 		b.e.SetFilter(filter.New(packetFilter, localNets, b.e.GetFilter(), b.logf))
@@ -573,7 +560,7 @@ func (b *LocalBackend) updateFilter(netMap *controlclient.NetworkMap, prefs *Pre

 // dnsCIDRsEqual determines whether two CIDR lists are equal
 // for DNS map construction purposes (that is, only the first entry counts).
-func dnsCIDRsEqual(newAddr, oldAddr []netaddr.IPPrefix) bool {
+func dnsCIDRsEqual(newAddr, oldAddr []wgcfg.CIDR) bool {
 	if len(newAddr) != len(oldAddr) {
 		return false
 	}
@@ -627,11 +614,11 @@ func (b *LocalBackend) updateDNSMap(netMap *controlclient.NetworkMap) {
 	}

 	nameToIP := make(map[string]netaddr.IP)
-	set := func(name string, addrs []netaddr.IPPrefix) {
+	set := func(name string, addrs []wgcfg.CIDR) {
 		if len(addrs) == 0 || name == "" {
 			return
 		}
-		nameToIP[name] = addrs[0].IP
+		nameToIP[name] = netaddr.IPFrom16(addrs[0].IP.Addr)
 	}

 	for _, peer := range netMap.Peers {
@@ -639,7 +626,7 @@ func (b *LocalBackend) updateDNSMap(netMap *controlclient.NetworkMap) {
 	}
 	set(netMap.Name, netMap.Addresses)

-	dnsMap := tsdns.NewMap(nameToIP, magicDNSRootDomains(netMap))
+	dnsMap := tsdns.NewMap(nameToIP, domainsForProxying(netMap))
 	// map diff will be logged in tsdns.Resolver.SetMap.
 	b.e.SetDNSMap(dnsMap)
 }
@@ -738,7 +725,7 @@ func (b *LocalBackend) initMachineKeyLocked() (err error) {
 		return nil
 	}

-	var legacyMachineKey wgkey.Private
+	var legacyMachineKey wgcfg.PrivateKey
 	if b.prefs.Persist != nil {
 		legacyMachineKey = b.prefs.Persist.LegacyFrontendPrivateMachineKey
 	}
@@ -773,7 +760,7 @@ func (b *LocalBackend) initMachineKeyLocked() (err error) {
 	} else {
 		b.logf("generating new machine key")
 		var err error
-		b.machinePrivKey, err = wgkey.NewPrivate()
+		b.machinePrivKey, err = wgcfg.NewPrivateKey()
 		if err != nil {
 			return fmt.Errorf("initializing new machine key: %w", err)
 		}
@@ -1008,24 +995,22 @@ func (b *LocalBackend) parseWgStatusLocked(s *wgengine.Status) (ret EngineStatus

 	// [GRINDER STATS LINES] - please don't remove (used for log parsing)
 	if peerStats.Len() > 0 {
-		b.keyLogf("[v1] peer keys: %s", strings.TrimSpace(peerKeys.String()))
-		b.statsLogf("[v1] v%v peers: %v", version.Long, strings.TrimSpace(peerStats.String()))
+		b.keyLogf("peer keys: %s", strings.TrimSpace(peerKeys.String()))
+		b.statsLogf("v%v peers: %v", version.Long, strings.TrimSpace(peerStats.String()))
 	}
 	return ret
 }

-// shouldUploadServices reports whether this node should include services
-// in Hostinfo. When the user preferences currently request "shields up"
-// mode, all inbound connections are refused, so services are not reported.
-// Otherwise, shouldUploadServices respects NetMap.CollectServices.
-func (b *LocalBackend) shouldUploadServices() bool {
+// shieldsAreUp returns whether user preferences currently request
+// "shields up" mode, which disallows all inbound connections.
+func (b *LocalBackend) shieldsAreUp() bool {
 	b.mu.Lock()
 	defer b.mu.Unlock()

-	if b.prefs == nil || b.netMap == nil {
-		return false // default to safest setting
+	if b.prefs == nil {
+		return true // default to safest setting
 	}
-	return !b.prefs.ShieldsUp && b.netMap.CollectServices
+	return b.prefs.ShieldsUp
 }

 func (b *LocalBackend) SetCurrentUserID(uid string) {
@@ -1067,7 +1052,7 @@ func (b *LocalBackend) SetPrefs(newp *Prefs) {

 	oldHi := b.hostinfo
 	newHi := oldHi.Clone()
-	newHi.RoutableIPs = append([]netaddr.IPPrefix(nil), b.prefs.AdvertiseRoutes...)
+	newHi.RoutableIPs = append([]wgcfg.CIDR(nil), b.prefs.AdvertiseRoutes...)
 	applyPrefsToHostinfo(newHi, newp)
 	b.hostinfo = newHi
 	hostInfoChanged := !oldHi.Equal(newHi)
@@ -1125,7 +1110,9 @@ func (b *LocalBackend) SetPrefs(newp *Prefs) {
 // painstakingly constructing it in twelvety other places.
 func (b *LocalBackend) doSetHostinfoFilterServices(hi *tailcfg.Hostinfo) {
 	hi2 := *hi
-	if !b.shouldUploadServices() {
+	if b.shieldsAreUp() {
+		// No local services are available, since ShieldsUp will block
+		// them all.
 		hi2.Services = []tailcfg.Service{}
 	}

@@ -1209,14 +1196,20 @@ func (b *LocalBackend) authReconfig() {

 	// If CorpDNS is false, rcfg.DNS remains the zero value.
 	if uc.CorpDNS {
+		domains := nm.DNS.Domains
 		proxied := nm.DNS.Proxied
-		if proxied && len(nm.DNS.Nameservers) == 0 {
-			b.logf("[unexpected] dns proxied but no nameservers")
-			proxied = false
+		if proxied {
+			if len(nm.DNS.Nameservers) == 0 {
+				b.logf("[unexpected] dns proxied but no nameservers")
+				proxied = false
+			} else {
+				// Domains for proxying should come first to avoid leaking queries.
+				domains = append(domainsForProxying(nm), domains...)
+			}
 		}
 		rcfg.DNS = dns.Config{
 			Nameservers: nm.DNS.Nameservers,
-			Domains:     nm.DNS.Domains,
+			Domains:     domains,
 			PerDomain:   nm.DNS.PerDomain,
 			Proxied:     proxied,
 		}
@@ -1226,29 +1219,56 @@ func (b *LocalBackend) authReconfig() {
 	if err == wgengine.ErrNoChanges {
 		return
 	}
-	b.logf("[v1] authReconfig: ra=%v dns=%v 0x%02x: %v", uc.RouteAll, uc.CorpDNS, flags, err)
+	b.logf("authReconfig: ra=%v dns=%v 0x%02x: %v", uc.RouteAll, uc.CorpDNS, flags, err)
 }

-// magicDNSRootDomains returns the subset of nm.DNS.Domains that are the search domains for MagicDNS.
-// Each entry has a trailing period.
-func magicDNSRootDomains(nm *controlclient.NetworkMap) []string {
-	if v := nm.MagicDNSSuffix(); v != "" {
-		return []string{strings.Trim(v, ".") + "."}
+// domainsForProxying produces a list of search domains for proxied DNS.
+func domainsForProxying(nm *controlclient.NetworkMap) []string {
+	var domains []string
+	if idx := strings.IndexByte(nm.Name, '.'); idx != -1 {
+		domains = append(domains, nm.Name[idx+1:])
 	}
-	return nil
+	for _, peer := range nm.Peers {
+		idx := strings.IndexByte(peer.Name, '.')
+		if idx == -1 {
+			continue
+		}
+		domain := peer.Name[idx+1:]
+		seen := false
+		// In theory this makes the function O(n^2) worst case,
+		// but in practice we expect domains to contain very few elements
+		// (only one until invitations are introduced).
+		for _, seenDomain := range domains {
+			if domain == seenDomain {
+				seen = true
+			}
+		}
+		if !seen {
+			domains = append(domains, domain)
+		}
+	}
+	return domains
 }

 // routerConfig produces a router.Config from a wireguard config and IPN prefs.
 func routerConfig(cfg *wgcfg.Config, prefs *Prefs) *router.Config {
+	var addrs []wgcfg.CIDR
+	for _, addr := range cfg.Addresses {
+		addrs = append(addrs, wgcfg.CIDR{
+			IP:   addr.IP,
+			Mask: 32,
+		})
+	}
+
 	rs := &router.Config{
-		LocalAddrs:       unmapIPPrefixes(cfg.Addresses),
-		SubnetRoutes:     unmapIPPrefixes(prefs.AdvertiseRoutes),
+		LocalAddrs:       wgCIDRsToNetaddr(addrs),
+		SubnetRoutes:     wgCIDRsToNetaddr(prefs.AdvertiseRoutes),
 		SNATSubnetRoutes: !prefs.NoSNAT,
 		NetfilterMode:    prefs.NetfilterMode,
 	}

 	for _, peer := range cfg.Peers {
-		rs.Routes = append(rs.Routes, unmapIPPrefixes(peer.AllowedIPs)...)
+		rs.Routes = append(rs.Routes, wgCIDRsToNetaddr(peer.AllowedIPs)...)
 	}

 	rs.Routes = append(rs.Routes, netaddr.IPPrefix{
@@ -1259,10 +1279,15 @@ func routerConfig(cfg *wgcfg.Config, prefs *Prefs) *router.Config {
 	return rs
 }

-func unmapIPPrefixes(ippsList ...[]netaddr.IPPrefix) (ret []netaddr.IPPrefix) {
-	for _, ipps := range ippsList {
-		for _, ipp := range ipps {
-			ret = append(ret, netaddr.IPPrefix{IP: ipp.IP.Unmap(), Bits: ipp.Bits})
+func wgCIDRsToNetaddr(cidrLists ...[]wgcfg.CIDR) (ret []netaddr.IPPrefix) {
+	for _, cidrs := range cidrLists {
+		for _, cidr := range cidrs {
+			ncidr, ok := netaddr.FromStdIPNet(cidr.IPNet())
+			if !ok {
+				panic(fmt.Sprintf("conversion of %s from wgcfg to netaddr IPNet failed", cidr))
+			}
+			ncidr.IP = ncidr.IP.Unmap()
+			ret = append(ret, ncidr)
 		}
 	}
 	return ret
@@ -1296,8 +1321,6 @@ func (b *LocalBackend) enterState(newState State) {
 	notify := b.notify
 	bc := b.c
 	networkUp := b.prevIfState.AnyInterfaceUp()
-	activeLogin := b.activeLogin
-	authURL := b.authURL
 	b.mu.Unlock()

 	if state == newState {
@@ -1315,7 +1338,6 @@ func (b *LocalBackend) enterState(newState State) {

 	switch newState {
 	case NeedsLogin:
-		systemd.Status("Needs login: %s", authURL)
 		b.blockEngineUpdates(true)
 		fallthrough
 	case Stopped:
@@ -1323,20 +1345,12 @@ func (b *LocalBackend) enterState(newState State) {
 		if err != nil {
 			b.logf("Reconfig(down): %v", err)
 		}
-
-		if authURL == "" {
-			systemd.Status("Stopped; run 'tailscale up' to log in")
-		}
 	case Starting, NeedsMachineAuth:
 		b.authReconfig()
 		// Needed so that UpdateEndpoints can run
 		b.e.RequestStatus()
 	case Running:
-		var addrs []string
-		for _, addr := range b.netMap.Addresses {
-			addrs = append(addrs, addr.IP.String())
-		}
-		systemd.Status("Connected; %s; %s", activeLogin, strings.Join(addrs, " "))
+		break
 	default:
 		b.logf("[unexpected] unknown newState %#v", newState)
 	}
@@ -1535,6 +1549,7 @@ func (b *LocalBackend) TestOnlyPublicKeys() (machineKey tailcfg.MachineKey, node
 // 1.0.x.  But eventually we want to stop sending the machine key to
 // clients. We can't do that until 1.0.x is no longer supported.
 func temporarilySetMachineKeyInPersist() bool {
+	//lint:ignore S1008 for comments
 	switch runtime.GOOS {
 	case "darwin", "ios", "android":
 		// iOS, macOS, Android users can't downgrade anyway.
--- a/ipn/local_test.go
+++ b/ipn/local_test.go
@@ -1,119 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ipn
-
-import (
-	"inet.af/netaddr"
-	"tailscale.com/control/controlclient"
-	"tailscale.com/tailcfg"
-	"testing"
-)
-
-func TestNetworkMapCompare(t *testing.T) {
-	prefix1, err := netaddr.ParseIPPrefix("192.168.0.0/24")
-	if err != nil {
-		t.Fatal(err)
-	}
-	node1 := &tailcfg.Node{Addresses: []netaddr.IPPrefix{prefix1}}
-
-	prefix2, err := netaddr.ParseIPPrefix("10.0.0.0/8")
-	if err != nil {
-		t.Fatal(err)
-	}
-	node2 := &tailcfg.Node{Addresses: []netaddr.IPPrefix{prefix2}}
-
-	tests := []struct {
-		name string
-		a, b *controlclient.NetworkMap
-		want bool
-	}{
-		{
-			"both nil",
-			nil,
-			nil,
-			true,
-		},
-		{
-			"b nil",
-			&controlclient.NetworkMap{},
-			nil,
-			false,
-		},
-		{
-			"a nil",
-			nil,
-			&controlclient.NetworkMap{},
-			false,
-		},
-		{
-			"both default",
-			&controlclient.NetworkMap{},
-			&controlclient.NetworkMap{},
-			true,
-		},
-		{
-			"names identical",
-			&controlclient.NetworkMap{Name: "map1"},
-			&controlclient.NetworkMap{Name: "map1"},
-			true,
-		},
-		{
-			"names differ",
-			&controlclient.NetworkMap{Name: "map1"},
-			&controlclient.NetworkMap{Name: "map2"},
-			false,
-		},
-		{
-			"Peers identical",
-			&controlclient.NetworkMap{Peers: []*tailcfg.Node{}},
-			&controlclient.NetworkMap{Peers: []*tailcfg.Node{}},
-			true,
-		},
-		{
-			"Peer list length",
-			// length of Peers list differs
-			&controlclient.NetworkMap{Peers: []*tailcfg.Node{{}}},
-			&controlclient.NetworkMap{Peers: []*tailcfg.Node{}},
-			false,
-		},
-		{
-			"Node names identical",
-			&controlclient.NetworkMap{Peers: []*tailcfg.Node{&tailcfg.Node{Name: "A"}}},
-			&controlclient.NetworkMap{Peers: []*tailcfg.Node{&tailcfg.Node{Name: "A"}}},
-			true,
-		},
-		{
-			"Node names differ",
-			&controlclient.NetworkMap{Peers: []*tailcfg.Node{&tailcfg.Node{Name: "A"}}},
-			&controlclient.NetworkMap{Peers: []*tailcfg.Node{&tailcfg.Node{Name: "B"}}},
-			false,
-		},
-		{
-			"Node lists identical",
-			&controlclient.NetworkMap{Peers: []*tailcfg.Node{node1, node1}},
-			&controlclient.NetworkMap{Peers: []*tailcfg.Node{node1, node1}},
-			true,
-		},
-		{
-			"Node lists differ",
-			&controlclient.NetworkMap{Peers: []*tailcfg.Node{node1, node1}},
-			&controlclient.NetworkMap{Peers: []*tailcfg.Node{node1, node2}},
-			false,
-		},
-		{
-			"Node Users differ",
-			// User field is not checked.
-			&controlclient.NetworkMap{Peers: []*tailcfg.Node{&tailcfg.Node{User: 0}}},
-			&controlclient.NetworkMap{Peers: []*tailcfg.Node{&tailcfg.Node{User: 1}}},
-			true,
-		},
-	}
-	for _, tt := range tests {
-		got := dnsMapsEqual(tt.a, tt.b)
-		if got != tt.want {
-			t.Errorf("%s: Equal = %v; want %v", tt.name, got, tt.want)
-		}
-	}
-}
--- a/ipn/loglines_test.go
+++ b/ipn/loglines_test.go
@@ -23,10 +23,9 @@ import (
 func TestLocalLogLines(t *testing.T) {
 	logListen := tstest.NewLogLineTracker(t.Logf, []string{
 		"SetPrefs: %v",
-		"[v1] peer keys: %s",
-		"[v1] v%v peers: %v",
+		"peer keys: %s",
+		"v%v peers: %v",
 	})
-	defer logListen.Close()

 	logid := func(hex byte) logtail.PublicID {
 		var ret logtail.PublicID
@@ -41,7 +40,7 @@ func TestLocalLogLines(t *testing.T) {
 	store := &MemoryStore{
 		cache: make(map[StateKey][]byte),
 	}
-	e, err := wgengine.NewFakeUserspaceEngine(logListen.Logf, 0, nil)
+	e, err := wgengine.NewFakeUserspaceEngine(logListen.Logf, 0)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -72,7 +71,7 @@ func TestLocalLogLines(t *testing.T) {
 	prefs.Persist = persist
 	lb.SetPrefs(prefs)

-	t.Run("after_prefs", testWantRemain("[v1] peer keys: %s", "[v1] v%v peers: %v"))
+	t.Run("after_prefs", testWantRemain("peer keys: %s", "v%v peers: %v"))

 	// log peers, peer keys
 	status := &wgengine.Status{
--- a/ipn/message.go
+++ b/ipn/message.go
@@ -6,7 +6,6 @@ package ipn

 import (
 	"bytes"
-	"context"
 	"encoding/binary"
 	"encoding/json"
 	"errors"
@@ -21,24 +20,6 @@ import (
 	"tailscale.com/version"
 )

-type readOnlyContextKey struct{}
-
-// IsReadonlyContext reports whether ctx is a read-only context, as currently used
-// by Unix non-root users running the "tailscale" CLI command. They can run "status",
-// but not much else.
-func IsReadonlyContext(ctx context.Context) bool {
-	return ctx.Value(readOnlyContextKey{}) != nil
-}
-
-// ReadonlyContextOf returns ctx wrapped with a context value that
-// will make IsReadonlyContext reports true.
-func ReadonlyContextOf(ctx context.Context) context.Context {
-	if IsReadonlyContext(ctx) {
-		return ctx
-	}
-	return context.WithValue(ctx, readOnlyContextKey{}, readOnlyContextKey{})
-}
-
 var jsonEscapedZero = []byte(`\u0000`)

 type NoArgs struct{}
@@ -130,7 +111,7 @@ func (bs *BackendServer) SendInUseOtherUserErrorMessage(msg string) {

 // GotCommandMsg parses the incoming message b as a JSON Command and
 // calls GotCommand with it.
-func (bs *BackendServer) GotCommandMsg(ctx context.Context, b []byte) error {
+func (bs *BackendServer) GotCommandMsg(b []byte) error {
 	cmd := &Command{}
 	if len(b) == 0 {
 		return nil
@@ -138,15 +119,15 @@ func (bs *BackendServer) GotCommandMsg(ctx context.Context, b []byte) error {
 	if err := json.Unmarshal(b, cmd); err != nil {
 		return err
 	}
-	return bs.GotCommand(ctx, cmd)
+	return bs.GotCommand(cmd)
 }

-func (bs *BackendServer) GotFakeCommand(ctx context.Context, cmd *Command) error {
+func (bs *BackendServer) GotFakeCommand(cmd *Command) error {
 	cmd.Version = version.Long
-	return bs.GotCommand(ctx, cmd)
+	return bs.GotCommand(cmd)
 }

-func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
+func (bs *BackendServer) GotCommand(cmd *Command) error {
 	if cmd.Version != version.Long && !cmd.AllowVersionSkew {
 		vs := fmt.Sprintf("GotCommand: Version mismatch! frontend=%#v backend=%#v",
 			cmd.Version, version.Long)
@@ -160,33 +141,12 @@ func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
 		})
 		return nil
 	}
-
-	// TODO(bradfitz): finish plumbing context down to all the methods below;
-	// currently we just check for read-only contexts in this method and
-	// then never use contexts again.
-
-	// Actions permitted with a read-only context:
-	if c := cmd.RequestEngineStatus; c != nil {
-		bs.b.RequestEngineStatus()
-		return nil
-	} else if c := cmd.RequestStatus; c != nil {
-		bs.b.RequestStatus()
-		return nil
-	} else if c := cmd.Ping; c != nil {
-		bs.b.Ping(c.IP)
-		return nil
-	}
-
-	if IsReadonlyContext(ctx) {
-		msg := "permission denied"
-		bs.send(Notify{ErrMessage: &msg})
-		return nil
-	}
-
 	if cmd.Quit != nil {
 		bs.GotQuit = true
 		return errors.New("Quit command received")
-	} else if c := cmd.Start; c != nil {
+	}
+
+	if c := cmd.Start; c != nil {
 		opts := c.Opts
 		opts.Notify = bs.send
 		return bs.b.Start(opts)
@@ -205,17 +165,27 @@ func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
 	} else if c := cmd.SetWantRunning; c != nil {
 		bs.b.SetWantRunning(*c)
 		return nil
+	} else if c := cmd.RequestEngineStatus; c != nil {
+		bs.b.RequestEngineStatus()
+		return nil
+	} else if c := cmd.RequestStatus; c != nil {
+		bs.b.RequestStatus()
+		return nil
 	} else if c := cmd.FakeExpireAfter; c != nil {
 		bs.b.FakeExpireAfter(c.Duration)
 		return nil
+	} else if c := cmd.Ping; c != nil {
+		bs.b.Ping(c.IP)
+		return nil
+	} else {
+		return fmt.Errorf("BackendServer.Do: no command specified")
 	}
-	return fmt.Errorf("BackendServer.Do: no command specified")
 }

-func (bs *BackendServer) Reset(ctx context.Context) error {
+func (bs *BackendServer) Reset() error {
 	// Tell the backend we got a Logout command, which will cause it
 	// to forget all its authentication information.
-	return bs.GotFakeCommand(ctx, &Command{Logout: &NoArgs{}})
+	return bs.GotFakeCommand(&Command{Logout: &NoArgs{}})
 }

 type BackendClient struct {
--- a/ipn/message_test.go
+++ b/ipn/message_test.go
@@ -6,7 +6,6 @@ package ipn

 import (
 	"bytes"
-	"context"
 	"testing"
 	"time"

@@ -82,7 +81,7 @@ func TestClientServer(t *testing.T) {
 		serverToClientCh <- append([]byte{}, b...)
 	}
 	clientToServer := func(b []byte) {
-		bs.GotCommandMsg(context.TODO(), b)
+		bs.GotCommandMsg(b)
 	}
 	slogf := func(fmt string, args ...interface{}) {
 		t.Logf("s: "+fmt, args...)
--- a/ipn/prefs.go
+++ b/ipn/prefs.go
@@ -5,7 +5,6 @@
 package ipn

 import (
-	"bytes"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -15,7 +14,7 @@ import (
 	"runtime"
 	"strings"

-	"inet.af/netaddr"
+	"github.com/tailscale/wireguard-go/wgcfg"
 	"tailscale.com/atomicfile"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/wgengine/router"
@@ -100,7 +99,7 @@ type Prefs struct {
 	// AdvertiseRoutes specifies CIDR prefixes to advertise into the
 	// Tailscale network as reachable through the current
 	// node.
-	AdvertiseRoutes []netaddr.IPPrefix
+	AdvertiseRoutes []wgcfg.CIDR

 	// NoSNAT specifies whether to source NAT traffic going to
 	// destinations in AdvertiseRoutes. The default is to apply source
@@ -206,12 +205,12 @@ func (p *Prefs) Equals(p2 *Prefs) bool {
 		p.Persist.Equals(p2.Persist)
 }

-func compareIPNets(a, b []netaddr.IPPrefix) bool {
+func compareIPNets(a, b []wgcfg.CIDR) bool {
 	if len(a) != len(b) {
 		return false
 	}
 	for i := range a {
-		if a[i] != b[i] {
+		if !a[i].IP.Equal(b[i].IP) || a[i].Mask != b[i].Mask {
 			return false
 		}
 	}
@@ -277,14 +276,6 @@ func LoadPrefs(filename string) (*Prefs, error) {
 	if err != nil {
 		return nil, fmt.Errorf("LoadPrefs open: %w", err) // err includes path
 	}
-	if bytes.Contains(data, jsonEscapedZero) {
-		// Tailscale 1.2.0 - 1.2.8 on Windows had a memory corruption bug
-		// in the backend process that ended up sending NULL bytes over JSON
-		// to the frontend which wrote them out to JSON files on disk.
-		// So if we see one, treat is as corrupt and the user will need
-		// to log in again. (better than crashing)
-		return nil, os.ErrNotExist
-	}
 	p, err := PrefsFromBytes(data, false)
 	if err != nil {
 		return nil, fmt.Errorf("LoadPrefs(%q) decode: %w", filename, err)
@@ -296,7 +287,7 @@ func SavePrefs(filename string, p *Prefs) {
 	log.Printf("Saving prefs %v %v\n", filename, p.Pretty())
 	data := p.ToBytes()
 	os.MkdirAll(filepath.Dir(filename), 0700)
-	if err := atomicfile.WriteFile(filename, data, 0600); err != nil {
+	if err := atomicfile.WriteFile(filename, data, 0666); err != nil {
 		log.Printf("SavePrefs: %v\n", err)
 	}
 }
--- a/ipn/prefs_clone.go
+++ b/ipn/prefs_clone.go
@@ -7,7 +7,7 @@
 package ipn

 import (
-	"inet.af/netaddr"
+	"github.com/tailscale/wireguard-go/wgcfg"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/wgengine/router"
 )
@@ -44,7 +44,7 @@ var _PrefsNeedsRegeneration = Prefs(struct {
 	DeviceModel      string
 	NotepadURLs      bool
 	ForceDaemon      bool
-	AdvertiseRoutes  []netaddr.IPPrefix
+	AdvertiseRoutes  []wgcfg.CIDR
 	NoSNAT           bool
 	NetfilterMode    router.NetfilterMode
 	Persist          *controlclient.Persist
--- a/ipn/prefs_test.go
+++ b/ipn/prefs_test.go
@@ -7,16 +7,14 @@ package ipn
 import (
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"reflect"
 	"testing"
 	"time"

-	"inet.af/netaddr"
+	"github.com/tailscale/wireguard-go/wgcfg"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/tstest"
-	"tailscale.com/types/wgkey"
 	"tailscale.com/wgengine/router"
 )

@@ -36,9 +34,9 @@ func TestPrefsEqual(t *testing.T) {
 			have, prefsHandles)
 	}

-	nets := func(strs ...string) (ns []netaddr.IPPrefix) {
+	nets := func(strs ...string) (ns []wgcfg.CIDR) {
 		for _, s := range strs {
-			n, err := netaddr.ParseIPPrefix(s)
+			n, err := wgcfg.ParseCIDR(s)
 			if err != nil {
 				panic(err)
 			}
@@ -167,12 +165,12 @@ func TestPrefsEqual(t *testing.T) {

 		{
 			&Prefs{AdvertiseRoutes: nil},
-			&Prefs{AdvertiseRoutes: []netaddr.IPPrefix{}},
+			&Prefs{AdvertiseRoutes: []wgcfg.CIDR{}},
 			true,
 		},
 		{
-			&Prefs{AdvertiseRoutes: []netaddr.IPPrefix{}},
-			&Prefs{AdvertiseRoutes: []netaddr.IPPrefix{}},
+			&Prefs{AdvertiseRoutes: []wgcfg.CIDR{}},
+			&Prefs{AdvertiseRoutes: []wgcfg.CIDR{}},
 			true,
 		},
 		{
@@ -348,7 +346,7 @@ func TestPrefsPretty(t *testing.T) {
 		{
 			Prefs{
 				Persist: &controlclient.Persist{
-					PrivateNodeKey: wgkey.Private{1: 1},
+					PrivateNodeKey: wgcfg.PrivateKey{1: 1},
 				},
 			},
 			"linux",
@@ -373,25 +371,3 @@ func TestLoadPrefsNotExist(t *testing.T) {
 	}
 	t.Fatalf("unexpected prefs=%#v, err=%v", p, err)
 }
-
-// TestLoadPrefsFileWithZeroInIt verifies that LoadPrefs hanldes corrupted input files.
-// See issue #954 for details.
-func TestLoadPrefsFileWithZeroInIt(t *testing.T) {
-	f, err := ioutil.TempFile("", "TestLoadPrefsFileWithZeroInIt")
-	if err != nil {
-		t.Fatal(err)
-	}
-	path := f.Name()
-	if _, err := f.Write(jsonEscapedZero); err != nil {
-		t.Fatal(err)
-	}
-	f.Close()
-	defer os.Remove(path)
-
-	p, err := LoadPrefs(path)
-	if errors.Is(err, os.ErrNotExist) {
-		// expected.
-		return
-	}
-	t.Fatalf("unexpected prefs=%#v, err=%v", p, err)
-}
--- a/ipn/store.go
+++ b/ipn/store.go
@@ -24,7 +24,7 @@ var ErrStateNotExist = errors.New("no state with given ID")

 const (
 	// MachineKeyStateKey is the key under which we store the machine key,
-	// in its wgkey.Private.MarshalText representation.
+	// in its wgcfg.PrivateKey.MarshalText representation.
 	MachineKeyStateKey = StateKey("_machinekey")

 	// GlobalDaemonStateKey is the ipn.StateKey that tailscaled
--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@@ -25,7 +25,7 @@ import (
 	"strings"
 	"time"

-	"golang.org/x/term"
+	"golang.org/x/crypto/ssh/terminal"
 	"tailscale.com/atomicfile"
 	"tailscale.com/logtail"
 	"tailscale.com/logtail/filch"
@@ -49,7 +49,7 @@ type Config struct {
 // Policy is a logger and its public ID.
 type Policy struct {
 	// Logtail is the logger.
-	Logtail *logtail.Logger
+	Logtail logtail.Logger
 	// PublicID is the logger's instance identifier.
 	PublicID logtail.PublicID
 }
@@ -311,7 +311,7 @@ func tryFixLogStateLocation(dir, cmdname string) {
 // given collection name.
 func New(collection string) *Policy {
 	var lflags int
-	if term.IsTerminal(2) || runtime.GOOS == "windows" {
+	if terminal.IsTerminal(2) || runtime.GOOS == "windows" {
 		lflags = 0
 	} else {
 		lflags = log.LstdFlags
@@ -391,7 +391,7 @@ func New(collection string) *Policy {
 	if filchBuf != nil {
 		c.Buffer = filchBuf
 	}
-	lw := logtail.NewLogger(c, log.Printf)
+	lw := logtail.Log(c, log.Printf)
 	log.SetFlags(0) // other logflags are set on console, not here
 	log.SetOutput(lw)

@@ -413,15 +413,6 @@ func New(collection string) *Policy {
 	}
 }

-// SetVerbosityLevel controls the verbosity level that should be
-// written to stderr. 0 is the default (not verbose). Levels 1 or higher
-// are increasingly verbose.
-//
-// It should not be changed concurrently with log writes.
-func (p *Policy) SetVerbosityLevel(level int) {
-	p.Logtail.SetVerbosityLevel(level)
-}
-
 // Close immediately shuts down the logger.
 func (p *Policy) Close() {
 	ctx, cancel := context.WithCancel(context.Background())
--- a/logtail/example/logtail/logtail.go
+++ b/logtail/example/logtail/logtail.go
@@ -31,7 +31,7 @@ func main() {
 		log.Fatalf("logtail: bad -privateid: %v", err)
 	}

-	logger := logtail.NewLogger(logtail.Config{
+	logger := logtail.Log(logtail.Config{
 		Collection: *collection,
 		PrivateID:  id,
 	}, log.Printf)
--- a/logtail/filch/filch.go
+++ b/logtail/filch/filch.go
@@ -131,11 +131,11 @@ func New(filePrefix string, opts Options) (f *Filch, err error) {
 	path1 := filePrefix + ".log1.txt"
 	path2 := filePrefix + ".log2.txt"

-	f1, err = os.OpenFile(path1, os.O_CREATE|os.O_RDWR, 0600)
+	f1, err = os.OpenFile(path1, os.O_CREATE|os.O_RDWR, 0666)
 	if err != nil {
 		return nil, err
 	}
-	f2, err = os.OpenFile(path2, os.O_CREATE|os.O_RDWR, 0600)
+	f2, err = os.OpenFile(path2, os.O_CREATE|os.O_RDWR, 0666)
 	if err != nil {
 		return nil, err
 	}
--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@@ -14,7 +14,6 @@ import (
 	"io/ioutil"
 	"net/http"
 	"os"
-	"strconv"
 	"time"

 	"tailscale.com/logtail/backoff"
@@ -25,6 +24,34 @@ import (
 // Config.BaseURL isn't provided.
 const DefaultHost = "log.tailscale.io"

+type Logger interface {
+	// Write logs an encoded JSON blob.
+	//
+	// If the []byte passed to Write is not an encoded JSON blob,
+	// then contents is fit into a JSON blob and written.
+	//
+	// This is intended as an interface for the stdlib "log" package.
+	Write([]byte) (int, error)
+
+	// Flush uploads all logs to the server.
+	// It blocks until complete or there is an unrecoverable error.
+	Flush() error
+
+	// Shutdown gracefully shuts down the logger while completing any
+	// remaining uploads.
+	//
+	// It will block, continuing to try and upload unless the passed
+	// context object interrupts it by being done.
+	// If the shutdown is interrupted, an error is returned.
+	Shutdown(context.Context) error
+
+	// Close shuts down this logger object, the background log uploader
+	// process, and any associated goroutines.
+	//
+	// DEPRECATED: use Shutdown
+	Close()
+}
+
 type Encoder interface {
 	EncodeAll(src, dst []byte) []byte
 	Close() error
@@ -39,7 +66,6 @@ type Config struct {
 	LowMemory      bool             // if true, logtail minimizes memory use
 	TimeNow        func() time.Time // if set, subsitutes uses of time.Now
 	Stderr         io.Writer        // if set, logs are sent here instead of os.Stderr
-	StderrLevel    int              // max verbosity level to write to stderr; 0 means the non-verbose messages only
 	Buffer         Buffer           // temp storage, if nil a MemoryBuffer
 	NewZstdEncoder func() Encoder   // if set, used to compress logs for transmission

@@ -48,7 +74,7 @@ type Config struct {
 	DrainLogs <-chan struct{}
 }

-func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
+func Log(cfg Config, logf tslogger.Logf) Logger {
 	if cfg.BaseURL == "" {
 		cfg.BaseURL = "https://" + DefaultHost
 	}
@@ -68,9 +94,8 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 		}
 		cfg.Buffer = NewMemoryBuffer(pendingSize)
 	}
-	l := &Logger{
+	l := &logger{
 		stderr:         cfg.Stderr,
-		stderrLevel:    cfg.StderrLevel,
 		httpc:          cfg.HTTPC,
 		url:            cfg.BaseURL + "/c/" + cfg.Collection + "/" + cfg.PrivateID.String(),
 		lowMem:         cfg.LowMemory,
@@ -97,11 +122,8 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 	return l
 }

-// Logger writes logs, splitting them as configured between local
-// logging facilities and uploading to a log server.
-type Logger struct {
+type logger struct {
 	stderr         io.Writer
-	stderrLevel    int
 	httpc          *http.Client
 	url            string
 	lowMem         bool
@@ -119,22 +141,7 @@ type Logger struct {
 	shutdownDone  chan struct{} // closd when shutdown complete
 }

-// SetVerbosityLevel controls the verbosity level that should be
-// written to stderr. 0 is the default (not verbose). Levels 1 or higher
-// are increasingly verbose.
-//
-// It should not be changed concurrently with log writes.
-func (l *Logger) SetVerbosityLevel(level int) {
-	l.stderrLevel = level
-}
-
-// Shutdown gracefully shuts down the logger while completing any
-// remaining uploads.
-//
-// It will block, continuing to try and upload unless the passed
-// context object interrupts it by being done.
-// If the shutdown is interrupted, an error is returned.
-func (l *Logger) Shutdown(ctx context.Context) error {
+func (l *logger) Shutdown(ctx context.Context) error {
 	done := make(chan struct{})
 	go func() {
 		select {
@@ -156,11 +163,7 @@ func (l *Logger) Shutdown(ctx context.Context) error {
 	return nil
 }

-// Close shuts down this logger object, the background log uploader
-// process, and any associated goroutines.
-//
-// Deprecated: use Shutdown
-func (l *Logger) Close() {
+func (l *logger) Close() {
 	l.Shutdown(context.Background())
 }

@@ -171,7 +174,7 @@ func (l *Logger) Close() {
 //
 // If the caller provides a DrainLogs channel, then unblock-drain-on-Write
 // is disabled, and it is up to the caller to trigger unblock the drain.
-func (l *Logger) drainBlock() (shuttingDown bool) {
+func (l *logger) drainBlock() (shuttingDown bool) {
 	if l.drainLogs == nil {
 		select {
 		case <-l.shutdownStart:
@@ -190,7 +193,7 @@ func (l *Logger) drainBlock() (shuttingDown bool) {

 // drainPending drains and encodes a batch of logs from the buffer for upload.
 // If no logs are available, drainPending blocks until logs are available.
-func (l *Logger) drainPending() (res []byte) {
+func (l *logger) drainPending() (res []byte) {
 	buf := new(bytes.Buffer)
 	entries := 0

@@ -251,22 +254,13 @@ func (l *Logger) drainPending() (res []byte) {
 }

 // This is the goroutine that repeatedly uploads logs in the background.
-func (l *Logger) uploading(ctx context.Context) {
+func (l *logger) uploading(ctx context.Context) {
 	defer close(l.shutdownDone)

 	for {
 		body := l.drainPending()
-		origlen := -1 // sentinel value: uncompressed
-		// Don't attempt to compress tiny bodies; not worth the CPU cycles.
-		if l.zstdEncoder != nil && len(body) > 256 {
-			zbody := l.zstdEncoder.EncodeAll(body, nil)
-			// Only send it compressed if the bandwidth savings are sufficient.
-			// Just the extra headers associated with enabling compression
-			// are 50 bytes by themselves.
-			if len(body)-len(zbody) > 64 {
-				origlen = len(body)
-				body = zbody
-			}
+		if l.zstdEncoder != nil {
+			body = l.zstdEncoder.EncodeAll(body, nil)
 		}

 		for len(body) > 0 {
@@ -275,7 +269,7 @@ func (l *Logger) uploading(ctx context.Context) {
 				return
 			default:
 			}
-			uploaded, err := l.upload(ctx, body, origlen)
+			uploaded, err := l.upload(ctx, body)
 			if err != nil {
 				fmt.Fprintf(l.stderr, "logtail: upload: %v\n", err)
 			}
@@ -293,10 +287,7 @@ func (l *Logger) uploading(ctx context.Context) {
 	}
 }

-// upload uploads body to the log server.
-// origlen indicates the pre-compression body length.
-// origlen of -1 indicates that the body is not compressed.
-func (l *Logger) upload(ctx context.Context, body []byte, origlen int) (uploaded bool, err error) {
+func (l *logger) upload(ctx context.Context, body []byte) (uploaded bool, err error) {
 	req, err := http.NewRequest("POST", l.url, bytes.NewReader(body))
 	if err != nil {
 		// I know of no conditions under which this could fail.
@@ -304,9 +295,8 @@ func (l *Logger) upload(ctx context.Context, body []byte, origlen int) (uploaded
 		// TODO record logs to disk
 		panic("logtail: cannot build http request: " + err.Error())
 	}
-	if origlen != -1 {
+	if l.zstdEncoder != nil {
 		req.Header.Add("Content-Encoding", "zstd")
-		req.Header.Add("Orig-Content-Length", strconv.Itoa(origlen))
 	}
 	req.Header["User-Agent"] = nil // not worth writing one; save some bytes

@@ -316,7 +306,7 @@ func (l *Logger) upload(ctx context.Context, body []byte, origlen int) (uploaded
 	req = req.WithContext(ctx)

 	compressedNote := "not-compressed"
-	if origlen != -1 {
+	if l.zstdEncoder != nil {
 		compressedNote = "compressed"
 	}

@@ -343,13 +333,11 @@ func (l *Logger) upload(ctx context.Context, body []byte, origlen int) (uploaded
 	return true, nil
 }

-// Flush uploads all logs to the server.
-// It blocks until complete or there is an unrecoverable error.
-func (l *Logger) Flush() error {
+func (l *logger) Flush() error {
 	return nil
 }

-func (l *Logger) send(jsonBlob []byte) (int, error) {
+func (l *logger) send(jsonBlob []byte) (int, error) {
 	n, err := l.buffer.Write(jsonBlob)
 	if l.drainLogs == nil {
 		select {
@@ -362,7 +350,7 @@ func (l *Logger) send(jsonBlob []byte) (int, error) {

 // TODO: instead of allocating, this should probably just append
 // directly into the output log buffer.
-func (l *Logger) encodeText(buf []byte, skipClientTime bool) []byte {
+func (l *logger) encodeText(buf []byte, skipClientTime bool) []byte {
 	now := l.timeNow()

 	// Factor in JSON encoding overhead to try to only do one alloc
@@ -418,7 +406,7 @@ func (l *Logger) encodeText(buf []byte, skipClientTime bool) []byte {
 	return b
 }

-func (l *Logger) encode(buf []byte) []byte {
+func (l *logger) encode(buf []byte) []byte {
 	if buf[0] != '{' {
 		return l.encodeText(buf, l.skipClientTime) // text fast-path
 	}
@@ -459,18 +447,11 @@ func (l *Logger) encode(buf []byte) []byte {
 	return b
 }

-// Write logs an encoded JSON blob.
-//
-// If the []byte passed to Write is not an encoded JSON blob,
-// then contents is fit into a JSON blob and written.
-//
-// This is intended as an interface for the stdlib "log" package.
-func (l *Logger) Write(buf []byte) (int, error) {
+func (l *logger) Write(buf []byte) (int, error) {
 	if len(buf) == 0 {
 		return 0, nil
 	}
-	level, buf := parseAndRemoveLogLevel(buf)
-	if l.stderr != nil && l.stderr != ioutil.Discard && level <= l.stderrLevel {
+	if l.stderr != nil && l.stderr != ioutil.Discard {
 		if buf[len(buf)-1] == '\n' {
 			l.stderr.Write(buf)
 		} else {
@@ -484,23 +465,3 @@ func (l *Logger) Write(buf []byte) (int, error) {
 	_, err := l.send(b)
 	return len(buf), err
 }
-
-var (
-	openBracketV = []byte("[v")
-	v1           = []byte("[v1] ")
-	v2           = []byte("[v2] ")
-)
-
-// level 0 is normal (or unknown) level; 1+ are increasingly verbose
-func parseAndRemoveLogLevel(buf []byte) (level int, cleanBuf []byte) {
-	if len(buf) == 0 || buf[0] == '{' || !bytes.Contains(buf, openBracketV) {
-		return 0, buf
-	}
-	if bytes.Contains(buf, v1) {
-		return 1, bytes.ReplaceAll(buf, v1, nil)
-	}
-	if bytes.Contains(buf, v2) {
-		return 2, bytes.ReplaceAll(buf, v2, nil)
-	}
-	return 0, buf
-}
--- a/logtail/logtail_test.go
+++ b/logtail/logtail_test.go
@@ -6,12 +6,6 @@ package logtail

 import (
 	"context"
-	"encoding/json"
-	"io"
-	"io/ioutil"
-	"net/http"
-	"net/http/httptest"
-	"strings"
 	"testing"
 	"time"
 )
@@ -20,215 +14,16 @@ func TestFastShutdown(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	cancel()

-	testServ := httptest.NewServer(http.HandlerFunc(
-		func(w http.ResponseWriter, r *http.Request) {}))
-	defer testServ.Close()
-
-	l := NewLogger(Config{
-		BaseURL: testServ.URL,
+	l := Log(Config{
+		BaseURL: "http://localhost:1234",
 	}, t.Logf)
-	err := l.Shutdown(ctx)
-	if err != nil {
-		t.Error(err)
-	}
-}
-
-// maximum number of times a test will call l.Write()
-const logLines = 3
-
-type LogtailTestServer struct {
-	srv      *httptest.Server // Log server
-	uploaded chan []byte
-}
-
-func NewLogtailTestHarness(t *testing.T) (*LogtailTestServer, *Logger) {
-	ts := LogtailTestServer{}
-
-	// max channel backlog = 1 "started" + #logLines x "log line" + 1 "closed"
-	ts.uploaded = make(chan []byte, 2+logLines)
-
-	ts.srv = httptest.NewServer(http.HandlerFunc(
-		func(w http.ResponseWriter, r *http.Request) {
-			body, err := ioutil.ReadAll(r.Body)
-			if err != nil {
-				t.Error("failed to read HTTP request")
-			}
-			ts.uploaded <- body
-		}))
-
-	t.Cleanup(ts.srv.Close)
-
-	l := NewLogger(Config{BaseURL: ts.srv.URL}, t.Logf)
-
-	// There is always an initial "logtail started" message
-	body := <-ts.uploaded
-	if !strings.Contains(string(body), "started") {
-		t.Errorf("unknown start logging statement: %q", string(body))
-	}
-
-	return &ts, l
-}
-
-func TestDrainPendingMessages(t *testing.T) {
-	ts, l := NewLogtailTestHarness(t)
-
-	for i := 0; i < logLines; i++ {
-		l.Write([]byte("log line"))
-	}
-
-	// all of the "log line" messages usually arrive at once, but poll if needed.
-	body := ""
-	for i := 0; i <= logLines; i++ {
-		body += string(<-ts.uploaded)
-		count := strings.Count(body, "log line")
-		if count == logLines {
-			break
-		}
-		// if we never find count == logLines, the test will eventually time out.
-	}
-
-	err := l.Shutdown(context.Background())
-	if err != nil {
-		t.Error(err)
-	}
-}
-
-func TestEncodeAndUploadMessages(t *testing.T) {
-	ts, l := NewLogtailTestHarness(t)
-
-	tests := []struct {
-		name string
-		log  string
-		want string
-	}{
-		{
-			"plain text",
-			"log line",
-			"log line",
-		},
-		{
-			"simple JSON",
-			`{"text": "log line"}`,
-			"log line",
-		},
-	}
-
-	for _, tt := range tests {
-		io.WriteString(l, tt.log)
-		body := <-ts.uploaded
-
-		data := make(map[string]interface{})
-		err := json.Unmarshal(body, &data)
-		if err != nil {
-			t.Error(err)
-		}
-
-		got := data["text"]
-		if got != tt.want {
-			t.Errorf("%s: got %q; want %q", tt.name, got.(string), tt.want)
-		}
-
-		ltail, ok := data["logtail"]
-		if ok {
-			logtailmap := ltail.(map[string]interface{})
-			_, ok = logtailmap["client_time"]
-			if !ok {
-				t.Errorf("%s: no client_time present", tt.name)
-			}
-		} else {
-			t.Errorf("%s: no logtail map present", tt.name)
-		}
-	}
-
-	err := l.Shutdown(context.Background())
-	if err != nil {
-		t.Error(err)
-	}
-}
-
-func TestEncodeSpecialCases(t *testing.T) {
-	ts, l := NewLogtailTestHarness(t)
-
-	// -------------------------------------------------------------------------
-
-	// JSON log message already contains a logtail field.
-	io.WriteString(l, `{"logtail": "LOGTAIL", "text": "text"}`)
-	body := <-ts.uploaded
-	data := make(map[string]interface{})
-	err := json.Unmarshal(body, &data)
-	if err != nil {
-		t.Error(err)
-	}
-	errorHasLogtail, ok := data["error_has_logtail"]
-	if ok {
-		if errorHasLogtail != "LOGTAIL" {
-			t.Errorf("error_has_logtail: got:%q; want:%q",
-				errorHasLogtail, "LOGTAIL")
-		}
-	} else {
-		t.Errorf("no error_has_logtail field: %v", data)
-	}
-
-	// -------------------------------------------------------------------------
-
-	// special characters
-	io.WriteString(l, "\b\f\n\r\t"+`"\`)
-	bodytext := string(<-ts.uploaded)
-	// json.Unmarshal would unescape the characters, we have to look at the encoded text
-	escaped := strings.Contains(bodytext, `\b\f\n\r\t\"\`)
-	if !escaped {
-		t.Errorf("special characters got %s", bodytext)
-	}
-
-	// -------------------------------------------------------------------------
-
-	// skipClientTime to omit the logtail metadata
-	l.skipClientTime = true
-	io.WriteString(l, "text")
-	body = <-ts.uploaded
-	data = make(map[string]interface{})
-	err = json.Unmarshal(body, &data)
-	if err != nil {
-		t.Error(err)
-	}
-	_, ok = data["logtail"]
-	if ok {
-		t.Errorf("skipClientTime: unexpected logtail map present: %v", data)
-	}
-
-	// -------------------------------------------------------------------------
-
-	// lowMem + long string
-	l.skipClientTime = false
-	l.lowMem = true
-	longStr := strings.Repeat("0", 512)
-	io.WriteString(l, longStr)
-	body = <-ts.uploaded
-	data = make(map[string]interface{})
-	err = json.Unmarshal(body, &data)
-	if err != nil {
-		t.Error(err)
-	}
-	text, ok := data["text"]
-	if !ok {
-		t.Errorf("lowMem: no text %v", data)
-	}
-	if n := len(text.(string)); n > 300 {
-		t.Errorf("lowMem: got %d chars; want <300 chars", n)
-	}
-
-	// -------------------------------------------------------------------------
-
-	err = l.Shutdown(context.Background())
-	if err != nil {
-		t.Error(err)
-	}
+	l.Shutdown(ctx)
 }

 var sink []byte

 func TestLoggerEncodeTextAllocs(t *testing.T) {
-	lg := &Logger{timeNow: time.Now}
+	lg := &logger{timeNow: time.Now}
 	inBuf := []byte("some text to encode")
 	n := testing.AllocsPerRun(1000, func() {
 		sink = lg.encodeText(inBuf, false)
@@ -239,7 +34,7 @@ func TestLoggerEncodeTextAllocs(t *testing.T) {
 }

 func TestLoggerWriteLength(t *testing.T) {
-	lg := &Logger{
+	lg := &logger{
 		timeNow: time.Now,
 		buffer:  NewMemoryBuffer(1024),
 	}
@@ -252,54 +47,3 @@ func TestLoggerWriteLength(t *testing.T) {
 		t.Errorf("logger.Write wrote %d bytes, expected %d", n, len(inBuf))
 	}
 }
-
-func TestParseAndRemoveLogLevel(t *testing.T) {
-	tests := []struct {
-		log       string
-		wantLevel int
-		wantLog   string
-	}{
-		{
-			"no level",
-			0,
-			"no level",
-		},
-		{
-			"[v1] level 1",
-			1,
-			"level 1",
-		},
-		{
-			"level 1 [v1] ",
-			1,
-			"level 1 ",
-		},
-		{
-			"[v2] level 2",
-			2,
-			"level 2",
-		},
-		{
-			"level [v2] 2",
-			2,
-			"level 2",
-		},
-		{
-			"[v3] no level 3",
-			0,
-			"[v3] no level 3",
-		},
-	}
-
-	for _, tt := range tests {
-		gotLevel, gotLog := parseAndRemoveLogLevel([]byte(tt.log))
-		if gotLevel != tt.wantLevel {
-			t.Errorf("parseAndRemoveLogLevel(%q): got:%d; want %d",
-				tt.log, gotLevel, tt.wantLevel)
-		}
-		if string(gotLog) != tt.wantLog {
-			t.Errorf("parseAndRemoveLogLevel(%q): got:%q; want %q",
-				tt.log, gotLog, tt.wantLog)
-		}
-	}
-}
--- a/net/dnscache/dnscache.go
+++ b/net/dnscache/dnscache.go
@@ -71,8 +71,7 @@ type Resolver struct {
 }

 type ipCacheEntry struct {
-	ip      net.IP // either v4 or v6
-	ip6     net.IP // nil if no v4 or no v6
+	ip      net.IP
 	expires time.Time
 }

@@ -92,87 +91,78 @@ func (r *Resolver) ttl() time.Duration {

 var debug, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_DNS_CACHE"))

-// LookupIP returns the host's primary IP address (either IPv4 or
-// IPv6, but preferring IPv4) and optionally its IPv6 address, if
-// there is both IPv4 and IPv6.
-//
-// If err is nil, ip will be non-nil. The v6 address may be nil even
-// with a nil error.
-func (r *Resolver) LookupIP(ctx context.Context, host string) (ip, v6 net.IP, err error) {
+// LookupIP returns the first IPv4 address found, otherwise the first IPv6 address.
+func (r *Resolver) LookupIP(ctx context.Context, host string) (net.IP, error) {
 	if ip := net.ParseIP(host); ip != nil {
 		if ip4 := ip.To4(); ip4 != nil {
-			return ip4, nil, nil
+			return ip4, nil
 		}
 		if debug {
 			log.Printf("dnscache: %q is an IP", host)
 		}
-		return ip, nil, nil
+		return ip, nil
 	}

-	if ip, ip6, ok := r.lookupIPCache(host); ok {
+	if ip, ok := r.lookupIPCache(host); ok {
 		if debug {
 			log.Printf("dnscache: %q = %v (cached)", host, ip)
 		}
-		return ip, ip6, nil
+		return ip, nil
 	}

-	type ipPair struct {
-		ip, ip6 net.IP
-	}
 	ch := r.sf.DoChan(host, func() (interface{}, error) {
-		ip, ip6, err := r.lookupIP(host)
+		ip, err := r.lookupIP(host)
 		if err != nil {
 			return nil, err
 		}
-		return ipPair{ip, ip6}, nil
+		return ip, nil
 	})
 	select {
 	case res := <-ch:
 		if res.Err != nil {
 			if r.UseLastGood {
-				if ip, ip6, ok := r.lookupIPCacheExpired(host); ok {
+				if ip, ok := r.lookupIPCacheExpired(host); ok {
 					if debug {
 						log.Printf("dnscache: %q using %v after error", host, ip)
 					}
-					return ip, ip6, nil
+					return ip, nil
 				}
 			}
 			if debug {
 				log.Printf("dnscache: error resolving %q: %v", host, res.Err)
 			}
-			return nil, nil, res.Err
+			return nil, res.Err
 		}
-		pair := res.Val.(ipPair)
-		return pair.ip, pair.ip6, nil
+		return res.Val.(net.IP), nil
 	case <-ctx.Done():
 		if debug {
 			log.Printf("dnscache: context done while resolving %q: %v", host, ctx.Err())
 		}
-		return nil, nil, ctx.Err()
+		return nil, ctx.Err()
 	}
 }

-func (r *Resolver) lookupIPCache(host string) (ip, ip6 net.IP, ok bool) {
+func (r *Resolver) lookupIPCache(host string) (ip net.IP, ok bool) {
 	r.mu.Lock()
 	defer r.mu.Unlock()
 	if ent, ok := r.ipCache[host]; ok && ent.expires.After(time.Now()) {
-		return ent.ip, ent.ip6, true
+		return ent.ip, true
 	}
-	return nil, nil, false
+	return nil, false
 }

-func (r *Resolver) lookupIPCacheExpired(host string) (ip, ip6 net.IP, ok bool) {
+func (r *Resolver) lookupIPCacheExpired(host string) (ip net.IP, ok bool) {
 	r.mu.Lock()
 	defer r.mu.Unlock()
 	if ent, ok := r.ipCache[host]; ok {
-		return ent.ip, ent.ip6, true
+		return ent.ip, true
 	}
-	return nil, nil, false
+	return nil, false
 }

 func (r *Resolver) lookupTimeoutForHost(host string) time.Duration {
 	if r.UseLastGood {
-		if _, _, ok := r.lookupIPCacheExpired(host); ok {
+		if _, ok := r.lookupIPCacheExpired(host); ok {
 			// If we have some previous good value for this host,
 			// don't give this DNS lookup much time. If we're in a
 			// situation where the user's DNS server is unreachable
@@ -187,52 +177,40 @@ func (r *Resolver) lookupTimeoutForHost(host string) time.Duration {
 	return 10 * time.Second
 }

-func (r *Resolver) lookupIP(host string) (ip, ip6 net.IP, err error) {
-	if ip, ip6, ok := r.lookupIPCache(host); ok {
+func (r *Resolver) lookupIP(host string) (net.IP, error) {
+	if ip, ok := r.lookupIPCache(host); ok {
 		if debug {
 			log.Printf("dnscache: %q found in cache as %v", host, ip)
 		}
-		return ip, ip6, nil
+		return ip, nil
 	}

 	ctx, cancel := context.WithTimeout(context.Background(), r.lookupTimeoutForHost(host))
 	defer cancel()
 	ips, err := r.fwd().LookupIPAddr(ctx, host)
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
 	if len(ips) == 0 {
-		return nil, nil, fmt.Errorf("no IPs for %q found", host)
+		return nil, fmt.Errorf("no IPs for %q found", host)
 	}

-	have4 := false
 	for _, ipa := range ips {
 		if ip4 := ipa.IP.To4(); ip4 != nil {
-			if !have4 {
-				ip6 = ip
-				ip = ip4
-				have4 = true
-			}
-		} else {
-			if have4 {
-				ip6 = ipa.IP
-			} else {
-				ip = ipa.IP
-			}
+			return r.addIPCache(host, ip4, r.ttl()), nil
 		}
 	}
-	r.addIPCache(host, ip, ip6, r.ttl())
-	return ip, ip6, nil
+	return r.addIPCache(host, ips[0].IP, r.ttl()), nil
 }

-func (r *Resolver) addIPCache(host string, ip, ip6 net.IP, d time.Duration) {
+func (r *Resolver) addIPCache(host string, ip net.IP, d time.Duration) net.IP {
 	if isPrivateIP(ip) {
 		// Don't cache obviously wrong entries from captive portals.
 		// TODO: use DoH or DoT for the forwarding resolver?
 		if debug {
 			log.Printf("dnscache: %q resolved to private IP %v; using but not caching", host, ip)
 		}
-		return
+		return ip
 	}

 	if debug {
@@ -244,7 +222,8 @@ func (r *Resolver) addIPCache(host string, ip, ip6 net.IP, d time.Duration) {
 	if r.ipCache == nil {
 		r.ipCache = make(map[string]ipCacheEntry)
 	}
-	r.ipCache[host] = ipCacheEntry{ip: ip, ip6: ip6, expires: time.Now().Add(d)}
+	r.ipCache[host] = ipCacheEntry{ip: ip, expires: time.Now().Add(d)}
+	return ip
 }

 func mustCIDR(s string) *net.IPNet {
@@ -276,7 +255,7 @@ func Dialer(fwd DialContextFunc, dnsCache *Resolver) DialContextFunc {
 			// inventing a similar one.
 			return fwd(ctx, network, address)
 		}
-		ip, ip6, err := dnsCache.LookupIP(ctx, host)
+		ip, err := dnsCache.LookupIP(ctx, host)
 		if err != nil {
 			return nil, fmt.Errorf("failed to resolve %q: %w", host, err)
 		}
@@ -284,19 +263,6 @@ func Dialer(fwd DialContextFunc, dnsCache *Resolver) DialContextFunc {
 		if debug {
 			log.Printf("dnscache: dialing %s, %s for %s", network, dst, address)
 		}
-		c, err := fwd(ctx, network, dst)
-		if err == nil || ctx.Err() != nil || ip6 == nil {
-			return c, err
-		}
-		// Fall back to trying IPv6.
-		// TODO(bradfitz): this is a primarily for IPv6-only
-		// hosts; it's not supposed to be a real Happy
-		// Eyeballs implementation. We should use the net
-		// package's implementation of that by plumbing this
-		// dnscache impl into net.Dialer.Resolver.Dial and
-		// unmarshal/marshal DNS queries/responses to the net
-		// package. This works for v6-only hosts for now.
-		dst = net.JoinHostPort(ip6.String(), port)
 		return fwd(ctx, network, dst)
 	}
 }
--- a/net/flowtrack/flowtrack.go
+++ b/net/flowtrack/flowtrack.go
@@ -1,104 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-//
-// Original implementation (from same author) from which this was derived was:
-// https://github.com/golang/groupcache/blob/5b532d6fd5efaf7fa130d4e859a2fde0fc3a9e1b/lru/lru.go
-// ... which was Apache licensed:
-// https://github.com/golang/groupcache/blob/master/LICENSE
-
-// Package flowtrack contains types for tracking TCP/UDP flows by 4-tuples.
-package flowtrack
-
-import (
-	"container/list"
-	"fmt"
-
-	"inet.af/netaddr"
-)
-
-// Tuple is a 4-tuple of source and destination IP and port.
-type Tuple struct {
-	Src netaddr.IPPort
-	Dst netaddr.IPPort
-}
-
-func (t Tuple) String() string {
-	return fmt.Sprintf("(%v => %v)", t.Src, t.Dst)
-}
-
-// Cache is an LRU cache keyed by Tuple.
-//
-// The zero value is valid to use.
-//
-// It is not safe for concurrent access.
-type Cache struct {
-	// MaxEntries is the maximum number of cache entries before
-	// an item is evicted. Zero means no limit.
-	MaxEntries int
-
-	ll *list.List
-	m  map[Tuple]*list.Element // of *entry
-}
-
-// entry is the container/list element type.
-type entry struct {
-	key   Tuple
-	value interface{}
-}
-
-// Add adds a value to the cache, set or updating its assoicated
-// value.
-//
-// If MaxEntries is non-zero and the length of the cache is greater
-// after any addition, the least recently used value is evicted.
-func (c *Cache) Add(key Tuple, value interface{}) {
-	if c.m == nil {
-		c.m = make(map[Tuple]*list.Element)
-		c.ll = list.New()
-	}
-	if ee, ok := c.m[key]; ok {
-		c.ll.MoveToFront(ee)
-		ee.Value.(*entry).value = value
-		return
-	}
-	ele := c.ll.PushFront(&entry{key, value})
-	c.m[key] = ele
-	if c.MaxEntries != 0 && c.Len() > c.MaxEntries {
-		c.RemoveOldest()
-	}
-}
-
-// Get looks up a key's value from the cache, also reporting
-// whether it was present.
-func (c *Cache) Get(key Tuple) (value interface{}, ok bool) {
-	if ele, hit := c.m[key]; hit {
-		c.ll.MoveToFront(ele)
-		return ele.Value.(*entry).value, true
-	}
-	return nil, false
-}
-
-// Remove removes the provided key from the cache if it was present.
-func (c *Cache) Remove(key Tuple) {
-	if ele, hit := c.m[key]; hit {
-		c.removeElement(ele)
-	}
-}
-
-// RemoveOldest removes the oldest item from the cache, if any.
-func (c *Cache) RemoveOldest() {
-	if c.ll != nil {
-		if ele := c.ll.Back(); ele != nil {
-			c.removeElement(ele)
-		}
-	}
-}
-
-func (c *Cache) removeElement(e *list.Element) {
-	c.ll.Remove(e)
-	delete(c.m, e.Value.(*entry).key)
-}
-
-// Len returns the number of items in the cache.
-func (c *Cache) Len() int { return len(c.m) }
--- a/net/flowtrack/flowtrack_test.go
+++ b/net/flowtrack/flowtrack_test.go
@@ -1,82 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package flowtrack
-
-import (
-	"testing"
-
-	"inet.af/netaddr"
-)
-
-func TestCache(t *testing.T) {
-	c := &Cache{MaxEntries: 2}
-
-	k1 := Tuple{Src: netaddr.MustParseIPPort("1.1.1.1:1"), Dst: netaddr.MustParseIPPort("1.1.1.1:1")}
-	k2 := Tuple{Src: netaddr.MustParseIPPort("1.1.1.1:1"), Dst: netaddr.MustParseIPPort("2.2.2.2:2")}
-	k3 := Tuple{Src: netaddr.MustParseIPPort("1.1.1.1:1"), Dst: netaddr.MustParseIPPort("3.3.3.3:3")}
-	k4 := Tuple{Src: netaddr.MustParseIPPort("1.1.1.1:1"), Dst: netaddr.MustParseIPPort("4.4.4.4:4")}
-
-	wantLen := func(want int) {
-		t.Helper()
-		if got := c.Len(); got != want {
-			t.Fatalf("Len = %d; want %d", got, want)
-		}
-	}
-	wantVal := func(key Tuple, want interface{}) {
-		t.Helper()
-		got, ok := c.Get(key)
-		if !ok {
-			t.Fatalf("Get(%q) failed; want value %v", key, want)
-		}
-		if got != want {
-			t.Fatalf("Get(%q) = %v; want %v", key, got, want)
-		}
-	}
-	wantMissing := func(key Tuple) {
-		t.Helper()
-		if got, ok := c.Get(key); ok {
-			t.Fatalf("Get(%q) = %v; want absent from cache", key, got)
-		}
-	}
-
-	wantLen(0)
-	c.RemoveOldest() // shouldn't panic
-	c.Remove(k4)     // shouldn't panic
-
-	c.Add(k1, 1)
-	wantLen(1)
-	c.Add(k2, 2)
-	wantLen(2)
-	c.Add(k3, 3)
-	wantLen(2) // hit the max
-
-	wantMissing(k1)
-	c.Remove(k1)
-	wantLen(2) // no change; k1 should've been the deleted one per LRU
-
-	wantVal(k3, 3)
-
-	wantVal(k2, 2)
-	c.Remove(k2)
-	wantLen(1)
-	wantMissing(k2)
-
-	c.Add(k3, 30)
-	wantVal(k3, 30)
-	wantLen(1)
-
-	allocs := int(testing.AllocsPerRun(1000, func() {
-		got, ok := c.Get(k3)
-		if !ok {
-			t.Fatal("missing k3")
-		}
-		if got != 30 {
-			t.Fatalf("got = %d; want 30", got)
-		}
-	}))
-	if allocs != 0 {
-		t.Errorf("allocs = %v; want 0", allocs)
-	}
-}
--- a/net/interfaces/interfaces.go
+++ b/net/interfaces/interfaces.go
@@ -94,6 +94,11 @@ func LocalAddresses() (regular, loopback []string, err error) {
 				if !ok {
 					continue
 				}
+				if ip.Is6() {
+					// TODO(crawshaw): IPv6 support.
+					// Easy to do here, but we need good endpoint ordering logic.
+					continue
+				}
 				// TODO(apenwarr): don't special case cgNAT.
 				// In the general wireguard case, it might
 				// very well be something we can route to
--- a/net/interfaces/interfaces_darwin.go
+++ b/net/interfaces/interfaces_darwin.go
@@ -64,11 +64,11 @@ func likelyHomeRouterIPDarwinExec() (ret netaddr.IP, ok bool) {
 		if err == nil && isPrivateIP(ip) {
 			ret = ip
 			// We've found what we're looking for.
-			return errStopReadingNetstatTable
+			return stopReadingNetstatTable
 		}
 		return nil
 	})
 	return ret, !ret.IsZero()
 }

-var errStopReadingNetstatTable = errors.New("found private gateway")
+var stopReadingNetstatTable = errors.New("found private gateway")
--- a/net/netcheck/netcheck.go
+++ b/net/netcheck/netcheck.go
@@ -692,7 +692,7 @@ func (rs *reportState) probePortMapServices() {
 	port1900 := netaddr.IPPort{IP: gw, Port: 1900}.UDPAddr()
 	port5351 := netaddr.IPPort{IP: gw, Port: 5351}.UDPAddr()

-	rs.c.logf("[v1] probePortMapServices: me %v -> gw %v", myIP, gw)
+	rs.c.logf("probePortMapServices: me %v -> gw %v", myIP, gw)

 	// Create a UDP4 socket used just for querying for UPnP, NAT-PMP, and PCP.
 	uc, err := netns.Listener().ListenPacket(context.Background(), "udp4", ":0")
@@ -710,7 +710,6 @@ func (rs *reportState) probePortMapServices() {
 	uc.WriteTo(pcpPacket(myIP, tempPort, false), port5351)

 	res := make([]byte, 1500)
-	sentPCPDelete := false
 	for {
 		n, addr, err := uc.ReadFrom(res)
 		if err != nil {
@@ -728,14 +727,11 @@ func (rs *reportState) probePortMapServices() {
 			if n == 60 && res[0] == 0x02 { // right length and version 2
 				rs.setOptBool(&rs.report.PCP, true)

-				if !sentPCPDelete {
-					sentPCPDelete = true
-					// And now delete the mapping.
-					// (PCP is the only protocol of the three that requires
-					// we cause a side effect to detect whether it's present,
-					// so we need to redo that side effect now.)
-					uc.WriteTo(pcpPacket(myIP, tempPort, true), port5351)
-				}
+				// And now delete the mapping.
+				// (PCP is the only protocol of the three that requires
+				// we cause a side effect to detect whether it's present,
+				// so we need to redo that side effect now.)
+				uc.WriteTo(pcpPacket(myIP, tempPort, true), port5351)
 			}
 		}
 	}
@@ -751,7 +747,6 @@ var uPnPPacket = []byte("M-SEARCH * HTTP/1.1\r\n" +

 var v4unspec, _ = netaddr.ParseIP("0.0.0.0")

-// pcpPacket generates a PCP packet with a MAP opcode.
 func pcpPacket(myIP netaddr.IP, mapToLocalPort int, delete bool) []byte {
 	const udpProtoNumber = 17
 	lifetimeSeconds := uint32(1)
@@ -759,24 +754,17 @@ func pcpPacket(myIP netaddr.IP, mapToLocalPort int, delete bool) []byte {
 		lifetimeSeconds = 0
 	}
 	const opMap = 1
-
-	// 24 byte header + 36 byte map opcode
 	pkt := make([]byte, (32+32+128)/8+(96+8+24+16+16+128)/8)
-
-	// The header (https://tools.ietf.org/html/rfc6887#section-7.1)
 	pkt[0] = 2 // version
 	pkt[1] = opMap
 	binary.BigEndian.PutUint32(pkt[4:8], lifetimeSeconds)
 	myIP16 := myIP.As16()
 	copy(pkt[8:], myIP16[:])
-
-	// The map opcode body (https://tools.ietf.org/html/rfc6887#section-11.1)
-	mapOp := pkt[24:]
-	rand.Read(mapOp[:12]) // 96 bit mappping nonce
-	mapOp[12] = udpProtoNumber
-	binary.BigEndian.PutUint16(mapOp[16:], uint16(mapToLocalPort))
+	rand.Read(pkt[24 : 24+12])
+	pkt[36] = udpProtoNumber
+	binary.BigEndian.PutUint16(pkt[40:], uint16(mapToLocalPort))
 	v4unspec16 := v4unspec.As16()
-	copy(mapOp[20:], v4unspec16[:])
+	copy(pkt[40:], v4unspec16[:])
 	return pkt
 }

@@ -842,7 +830,7 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (*Report, e

 	ifState, err := interfaces.GetState()
 	if err != nil {
-		c.logf("[v1] interfaces: %v", err)
+		c.logf("interfaces: %v", err)
 		return nil, err
 	}

@@ -951,7 +939,7 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (*Report, e
 			go func(reg *tailcfg.DERPRegion) {
 				defer wg.Done()
 				if d, ip, err := c.measureHTTPSLatency(ctx, reg); err != nil {
-					c.logf("[v1] netcheck: measuring HTTPS latency of %v (%d): %v", reg.RegionCode, reg.RegionID, err)
+					c.logf("netcheck: measuring HTTPS latency of %v (%d): %v", reg.RegionCode, reg.RegionID, err)
 				} else {
 					rs.mu.Lock()
 					rs.report.RegionLatency[reg.RegionID] = d
@@ -1045,7 +1033,7 @@ func (c *Client) measureHTTPSLatency(ctx context.Context, reg *tailcfg.DERPRegio
 }

 func (c *Client) logConciseReport(r *Report, dm *tailcfg.DERPMap) {
-	c.logf("[v1] report: %v", logger.ArgWriter(func(w *bufio.Writer) {
+	c.logf("%v", logger.ArgWriter(func(w *bufio.Writer) {
 		fmt.Fprintf(w, "udp=%v", r.UDP)
 		if !r.IPv4 {
 			fmt.Fprintf(w, " v4=%v", r.IPv4)
@@ -1102,10 +1090,6 @@ func (c *Client) addReportHistoryAndSetPreferredDERP(r *Report) {
 	c.mu.Lock()
 	defer c.mu.Unlock()

-	var prevDERP int
-	if c.last != nil {
-		prevDERP = c.last.PreferredDERP
-	}
 	if c.prev == nil {
 		c.prev = map[time.Time]*Report{}
 	}
@@ -1123,9 +1107,9 @@ func (c *Client) addReportHistoryAndSetPreferredDERP(r *Report) {
 			delete(c.prev, t)
 			continue
 		}
-		for regionID, d := range pr.RegionLatency {
-			if bd, ok := bestRecent[regionID]; !ok || d < bd {
-				bestRecent[regionID] = d
+		for hp, d := range pr.RegionLatency {
+			if bd, ok := bestRecent[hp]; !ok || d < bd {
+				bestRecent[hp] = d
 			}
 		}
 	}
@@ -1133,27 +1117,13 @@ func (c *Client) addReportHistoryAndSetPreferredDERP(r *Report) {
 	// Then, pick which currently-alive DERP server from the
 	// current report has the best latency over the past maxAge.
 	var bestAny time.Duration
-	var oldRegionCurLatency time.Duration
-	for regionID, d := range r.RegionLatency {
-		if regionID == prevDERP {
-			oldRegionCurLatency = d
-		}
-		best := bestRecent[regionID]
+	for hp := range r.RegionLatency {
+		best := bestRecent[hp]
 		if r.PreferredDERP == 0 || best < bestAny {
 			bestAny = best
-			r.PreferredDERP = regionID
+			r.PreferredDERP = hp
 		}
 	}
-
-	// If we're changing our preferred DERP but the old one's still
-	// accessible and the new one's not much better, just stick with
-	// where we are.
-	if prevDERP != 0 &&
-		r.PreferredDERP != prevDERP &&
-		oldRegionCurLatency != 0 &&
-		bestAny > oldRegionCurLatency/3*2 {
-		r.PreferredDERP = prevDERP
-	}
 }

 func updateLatency(m map[int]time.Duration, regionID int, d time.Duration) {
--- a/net/netcheck/netcheck_test.go
+++ b/net/netcheck/netcheck_test.go
@@ -195,24 +195,6 @@ func TestAddReportHistoryAndSetPreferredDERP(t *testing.T) {
 			wantPrevLen: 1, // t=[0123]s all gone. (too old, older than 10 min)
 			wantDERP:    3, // only option
 		},
-		{
-			name: "preferred_derp_hysteresis_no_switch",
-			steps: []step{
-				{0 * time.Second, report("d1", 4, "d2", 5)},
-				{1 * time.Second, report("d1", 4, "d2", 3)},
-			},
-			wantPrevLen: 2,
-			wantDERP:    1, // 2 didn't get fast enough
-		},
-		{
-			name: "preferred_derp_hysteresis_do_switch",
-			steps: []step{
-				{0 * time.Second, report("d1", 4, "d2", 5)},
-				{1 * time.Second, report("d1", 4, "d2", 1)},
-			},
-			wantPrevLen: 2,
-			wantDERP:    2, // 2 got fast enough
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -572,47 +554,9 @@ func TestLogConciseReport(t *testing.T) {
 			var buf bytes.Buffer
 			c := &Client{Logf: func(f string, a ...interface{}) { fmt.Fprintf(&buf, f, a...) }}
 			c.logConciseReport(tt.r, dm)
-			if got := strings.TrimPrefix(buf.String(), "[v1] report: "); got != tt.want {
+			if got := buf.String(); got != tt.want {
 				t.Errorf("unexpected result.\n got: %#q\nwant: %#q\n", got, tt.want)
 			}
 		})
 	}
 }
-
-func TestSortRegions(t *testing.T) {
-	unsortedMap := &tailcfg.DERPMap{
-		Regions: map[int]*tailcfg.DERPRegion{},
-	}
-	for rid := 1; rid <= 5; rid++ {
-		var nodes []*tailcfg.DERPNode
-		nodes = append(nodes, &tailcfg.DERPNode{
-			Name:     fmt.Sprintf("%da", rid),
-			RegionID: rid,
-			HostName: fmt.Sprintf("derp%d-1", rid),
-			IPv4:     fmt.Sprintf("%d.0.0.1", rid),
-			IPv6:     fmt.Sprintf("%d::1", rid),
-		})
-		unsortedMap.Regions[rid] = &tailcfg.DERPRegion{
-			RegionID: rid,
-			Nodes:    nodes,
-		}
-	}
-	report := newReport()
-	report.RegionLatency[1] = time.Second * time.Duration(5)
-	report.RegionLatency[2] = time.Second * time.Duration(3)
-	report.RegionLatency[3] = time.Second * time.Duration(6)
-	report.RegionLatency[4] = time.Second * time.Duration(0)
-	report.RegionLatency[5] = time.Second * time.Duration(2)
-	sortedMap := sortRegions(unsortedMap, report)
-
-	// Sorting by latency this should result in rid: 5, 2, 1, 3
-	// rid 4 with latency 0 should be at the end
-	want := []int{5, 2, 1, 3, 4}
-	got := make([]int, len(sortedMap))
-	for i, r := range sortedMap {
-		got[i] = r.RegionID
-	}
-	if !reflect.DeepEqual(got, want) {
-		t.Errorf("got %v; want %v", got, want)
-	}
-}
--- a/net/nettest/pipe.go
+++ b/net/nettest/pipe.go
@@ -60,7 +60,7 @@ func (p *Pipe) Read(b []byte) (n int, err error) {
 	for {
 		p.mu.Lock()
 		closed := p.closed
-		timedout := !p.readTimeout.IsZero() && !time.Now().Before(p.readTimeout)
+		timedout := !p.readTimeout.IsZero() && time.Now().After(p.readTimeout)
 		blocked := p.blocked
 		if !closed && !timedout && len(p.buf) > 0 {
 			n2 := copy(b, p.buf)
@@ -99,7 +99,7 @@ func (p *Pipe) Write(b []byte) (n int, err error) {
 	for {
 		p.mu.Lock()
 		closed := p.closed
-		timedout := !p.writeTimeout.IsZero() && !time.Now().Before(p.writeTimeout)
+		timedout := !p.writeTimeout.IsZero() && time.Now().After(p.writeTimeout)
 		blocked := p.blocked
 		if !closed && !timedout {
 			n2 := len(b)
--- a/net/nettest/pipe_test.go
+++ b/net/nettest/pipe_test.go
@@ -35,7 +35,7 @@ func TestPipeTimeout(t *testing.T) {
 		p := NewPipe("p1", 1<<16)
 		p.SetWriteDeadline(time.Now().Add(-1 * time.Second))
 		n, err := p.Write([]byte{'h'})
-		if !errors.Is(err, ErrWriteTimeout) || !errors.Is(err, ErrTimeout) {
+		if err == nil || !errors.Is(err, ErrWriteTimeout) || !errors.Is(err, ErrTimeout) {
 			t.Errorf("missing write timeout got err: %v", err)
 		}
 		if n != 0 {
@@ -49,7 +49,7 @@ func TestPipeTimeout(t *testing.T) {
 		p.SetReadDeadline(time.Now().Add(-1 * time.Second))
 		b := make([]byte, 1)
 		n, err := p.Read(b)
-		if !errors.Is(err, ErrReadTimeout) || !errors.Is(err, ErrTimeout) {
+		if err == nil || !errors.Is(err, ErrReadTimeout) || !errors.Is(err, ErrTimeout) {
 			t.Errorf("missing read timeout got err: %v", err)
 		}
 		if n != 0 {
@@ -65,7 +65,7 @@ func TestPipeTimeout(t *testing.T) {
 		if err := p.Block(); err != nil {
 			t.Fatal(err)
 		}
-		if _, err := p.Write([]byte{'h'}); !errors.Is(err, ErrWriteTimeout) {
+		if _, err := p.Write([]byte{'h'}); err == nil || !errors.Is(err, ErrWriteTimeout) {
 			t.Fatalf("want write timeout got: %v", err)
 		}
 	})
@@ -80,10 +80,11 @@ func TestPipeTimeout(t *testing.T) {
 		if err := p.Block(); err != nil {
 			t.Fatal(err)
 		}
-		if _, err := p.Read(b); !errors.Is(err, ErrReadTimeout) {
+		if _, err := p.Read(b); err == nil || !errors.Is(err, ErrReadTimeout) {
 			t.Fatalf("want read timeout got: %v", err)
 		}
 	})
+
 }

 func TestLimit(t *testing.T) {
@@ -116,8 +117,4 @@ func TestLimit(t *testing.T) {
 	} else if n != 1 {
 		t.Errorf("Read(%q): n=%d want 1", string(b), n)
 	}
-
-	if err := <-errCh; err != nil {
-		t.Error(err)
-	}
 }
--- a/net/packet/header.go
+++ b/net/packet/header.go
@@ -36,6 +36,9 @@ type Header interface {
 	// purpose of computing length and checksum fields. Marshal
 	// implementations must not allocate memory.
 	Marshal(buf []byte) error
+	// ToResponse transforms the header into one for a response packet.
+	// For instance, this swaps the source and destination IPs.
+	ToResponse()
 }

 // Generate generates a new packet with the given Header and
--- a/net/packet/ip.go
+++ b/net/packet/ip.go
@@ -24,17 +24,6 @@ const (
 	TCP    IPProto = 0x06
 	UDP    IPProto = 0x11

-	// TSMP is the Tailscale Message Protocol (our ICMP-ish
-	// thing), an IP protocol used only between Tailscale nodes
-	// (still encrypted by WireGuard) that communicates why things
-	// failed, etc.
-	//
-	// Proto number 99 is reserved for "any private encryption
-	// scheme". We never accept these from the host OS stack nor
-	// send them to the host network stack. It's only used between
-	// nodes.
-	TSMP IPProto = 99
-
 	// Fragment represents any non-first IP fragment, for which we
 	// don't have the sub-protocol header (and therefore can't
 	// figure out what the sub-protocol is).
@@ -58,8 +47,6 @@ func (p IPProto) String() string {
 		return "UDP"
 	case TCP:
 		return "TCP"
-	case TSMP:
-		return "TSMP"
 	default:
 		return "Unknown"
 	}
--- a/net/packet/ip4.go
+++ b/net/packet/ip4.go
@@ -6,11 +6,47 @@ package packet

 import (
 	"encoding/binary"
-	"errors"
+	"fmt"

 	"inet.af/netaddr"
 )

+// IP4 is an IPv4 address.
+type IP4 uint32
+
+// IPFromNetaddr converts a netaddr.IP to an IP4. Panics if !ip.Is4.
+func IP4FromNetaddr(ip netaddr.IP) IP4 {
+	ipbytes := ip.As4()
+	return IP4(binary.BigEndian.Uint32(ipbytes[:]))
+}
+
+// Netaddr converts ip to a netaddr.IP.
+func (ip IP4) Netaddr() netaddr.IP {
+	return netaddr.IPv4(byte(ip>>24), byte(ip>>16), byte(ip>>8), byte(ip))
+}
+
+func (ip IP4) String() string {
+	return fmt.Sprintf("%d.%d.%d.%d", byte(ip>>24), byte(ip>>16), byte(ip>>8), byte(ip))
+}
+
+// IsMulticast returns whether ip is a multicast address.
+func (ip IP4) IsMulticast() bool {
+	return byte(ip>>24)&0xf0 == 0xe0
+}
+
+// IsLinkLocalUnicast returns whether ip is a link-local unicast
+// address.
+func (ip IP4) IsLinkLocalUnicast() bool {
+	return byte(ip>>24) == 169 && byte(ip>>16) == 254
+}
+
+// IsMostLinkLocalUnicast returns whether ip is a link-local unicast
+// address other than the magical "169.254.169.254" address used by
+// GCP DNS.
+func (ip IP4) IsMostLinkLocalUnicast() bool {
+	return ip.IsLinkLocalUnicast() && ip != 0xA9FEA9FE
+}
+
 // ip4HeaderLength is the length of an IPv4 header with no IP options.
 const ip4HeaderLength = 20

@@ -18,8 +54,8 @@ const ip4HeaderLength = 20
 type IP4Header struct {
 	IPProto IPProto
 	IPID    uint16
-	Src     netaddr.IP
-	Dst     netaddr.IP
+	SrcIP   IP4
+	DstIP   IP4
 }

 // Len implements Header.
@@ -27,8 +63,6 @@ func (h IP4Header) Len() int {
 	return ip4HeaderLength
 }

-var errWrongFamily = errors.New("wrong address family for src/dst IP")
-
 // Marshal implements Header.
 func (h IP4Header) Marshal(buf []byte) error {
 	if len(buf) < h.Len() {
@@ -37,9 +71,6 @@ func (h IP4Header) Marshal(buf []byte) error {
 	if len(buf) > maxPacketLength {
 		return errLargePacket
 	}
-	if !h.Src.Is4() || !h.Dst.Is4() {
-		return errWrongFamily
-	}

 	buf[0] = 0x40 | (byte(h.Len() >> 2))                   // IPv4 + IHL
 	buf[1] = 0x00                                          // DSCP + ECN
@@ -52,10 +83,8 @@ func (h IP4Header) Marshal(buf []byte) error {
 	// it later, because the checksum computation runs over these
 	// bytes and expects them to be zero.
 	binary.BigEndian.PutUint16(buf[10:12], 0)
-	src := h.Src.As4()
-	dst := h.Dst.As4()
-	copy(buf[12:16], src[:])
-	copy(buf[16:20], dst[:])
+	binary.BigEndian.PutUint32(buf[12:16], uint32(h.SrcIP)) // Src
+	binary.BigEndian.PutUint32(buf[16:20], uint32(h.DstIP)) // Dst

 	binary.BigEndian.PutUint16(buf[10:12], ip4Checksum(buf[0:20])) // Checksum

@@ -64,7 +93,7 @@ func (h IP4Header) Marshal(buf []byte) error {

 // ToResponse implements Header.
 func (h *IP4Header) ToResponse() {
-	h.Src, h.Dst = h.Dst, h.Src
+	h.SrcIP, h.DstIP = h.DstIP, h.SrcIP
 	// Flip the bits in the IPID. If incoming IPIDs are distinct, so are these.
 	h.IPID = ^h.IPID
 }
@@ -106,9 +135,8 @@ func (h IP4Header) marshalPseudo(buf []byte) error {
 	}

 	length := len(buf) - h.Len()
-	src, dst := h.Src.As4(), h.Dst.As4()
-	copy(buf[8:12], src[:])
-	copy(buf[12:16], dst[:])
+	binary.BigEndian.PutUint32(buf[8:12], uint32(h.SrcIP))
+	binary.BigEndian.PutUint32(buf[12:16], uint32(h.DstIP))
 	buf[16] = 0x0
 	buf[17] = uint8(h.IPProto)
 	binary.BigEndian.PutUint16(buf[18:20], uint16(length))
--- a/net/packet/ip6.go
+++ b/net/packet/ip6.go
@@ -6,10 +6,45 @@ package packet

 import (
 	"encoding/binary"
+	"fmt"

 	"inet.af/netaddr"
 )

+// IP6 is an IPv6 address.
+type IP6 struct {
+	Hi, Lo uint64
+}
+
+// IP6FromNetaddr converts a netaddr.IP to an IP6. Panics if !ip.Is6.
+func IP6FromNetaddr(ip netaddr.IP) IP6 {
+	if !ip.Is6() {
+		panic(fmt.Sprintf("IP6FromNetaddr called with non-v6 addr %q", ip))
+	}
+	b := ip.As16()
+	return IP6{binary.BigEndian.Uint64(b[:8]), binary.BigEndian.Uint64(b[8:])}
+}
+
+// Netaddr converts ip to a netaddr.IP.
+func (ip IP6) Netaddr() netaddr.IP {
+	var b [16]byte
+	binary.BigEndian.PutUint64(b[:8], ip.Hi)
+	binary.BigEndian.PutUint64(b[8:], ip.Lo)
+	return netaddr.IPFrom16(b)
+}
+
+func (ip IP6) String() string {
+	return ip.Netaddr().String()
+}
+
+func (ip IP6) IsMulticast() bool {
+	return (ip.Hi >> 56) == 0xFF
+}
+
+func (ip IP6) IsLinkLocalUnicast() bool {
+	return (ip.Hi >> 48) == 0xFE80
+}
+
 // ip6HeaderLength is the length of an IPv6 header with no IP options.
 const ip6HeaderLength = 40

@@ -17,8 +52,8 @@ const ip6HeaderLength = 40
 type IP6Header struct {
 	IPProto IPProto
 	IPID    uint32 // only lower 20 bits used
-	Src     netaddr.IP
-	Dst     netaddr.IP
+	SrcIP   IP6
+	DstIP   IP6
 }

 // Len implements Header.
@@ -40,16 +75,17 @@ func (h IP6Header) Marshal(buf []byte) error {
 	binary.BigEndian.PutUint16(buf[4:6], uint16(len(buf)-ip6HeaderLength)) // Total length
 	buf[6] = uint8(h.IPProto)                                              // Inner protocol
 	buf[7] = 64                                                            // TTL
-	src, dst := h.Src.As16(), h.Dst.As16()
-	copy(buf[8:24], src[:])
-	copy(buf[24:40], dst[:])
+	binary.BigEndian.PutUint64(buf[8:16], h.SrcIP.Hi)
+	binary.BigEndian.PutUint64(buf[16:24], h.SrcIP.Lo)
+	binary.BigEndian.PutUint64(buf[24:32], h.DstIP.Hi)
+	binary.BigEndian.PutUint64(buf[32:40], h.DstIP.Lo)

 	return nil
 }

 // ToResponse implements Header.
 func (h *IP6Header) ToResponse() {
-	h.Src, h.Dst = h.Dst, h.Src
+	h.SrcIP, h.DstIP = h.DstIP, h.SrcIP
 	// Flip the bits in the IPID. If incoming IPIDs are distinct, so are these.
 	h.IPID = (^h.IPID) & 0x000FFFFF
 }
@@ -64,9 +100,10 @@ func (h IP6Header) marshalPseudo(buf []byte) error {
 		return errLargePacket
 	}

-	src, dst := h.Src.As16(), h.Dst.As16()
-	copy(buf[:16], src[:])
-	copy(buf[16:32], dst[:])
+	binary.BigEndian.PutUint64(buf[:8], h.SrcIP.Hi)
+	binary.BigEndian.PutUint64(buf[8:16], h.SrcIP.Lo)
+	binary.BigEndian.PutUint64(buf[16:24], h.DstIP.Hi)
+	binary.BigEndian.PutUint64(buf[24:32], h.DstIP.Lo)
 	binary.BigEndian.PutUint32(buf[32:36], uint32(len(buf)-h.Len()))
 	buf[36] = 0
 	buf[37] = 0
--- a/net/packet/packet.go
+++ b/net/packet/packet.go
@@ -7,25 +7,18 @@ package packet
 import (
 	"encoding/binary"
 	"fmt"
-	"net"
 	"strings"

-	"inet.af/netaddr"
 	"tailscale.com/types/strbuilder"
 )

 // RFC1858: prevent overlapping fragment attacks.
 const minFrag = 60 + 20 // max IPv4 header + basic TCP header

-type TCPFlag uint8
-
 const (
-	TCPFin    TCPFlag = 0x01
-	TCPSyn    TCPFlag = 0x02
-	TCPRst    TCPFlag = 0x04
-	TCPPsh    TCPFlag = 0x08
-	TCPAck    TCPFlag = 0x10
-	TCPSynAck TCPFlag = TCPSyn | TCPAck
+	TCPSyn    = 0x02
+	TCPAck    = 0x10
+	TCPSynAck = TCPSyn | TCPAck
 )

 // Parsed is a minimal decoding of a packet suitable for use in filters.
@@ -45,50 +38,64 @@ type Parsed struct {
 	IPVersion uint8
 	// IPProto is the IP subprotocol (UDP, TCP, etc.). Valid iff IPVersion != 0.
 	IPProto IPProto
-	// SrcIP4 is the source address. Family matches IPVersion. Port is
-	// valid iff IPProto == TCP || IPProto == UDP.
-	Src netaddr.IPPort
-	// DstIP4 is the destination address. Family matches IPVersion.
-	Dst netaddr.IPPort
+	// SrcIP4 is the IPv4 source address. Valid iff IPVersion == 4.
+	SrcIP4 IP4
+	// DstIP4 is the IPv4 destination address. Valid iff IPVersion == 4.
+	DstIP4 IP4
+	// SrcIP6 is the IPv6 source address. Valid iff IPVersion == 6.
+	SrcIP6 IP6
+	// DstIP6 is the IPv6 destination address. Valid iff IPVersion == 6.
+	DstIP6 IP6
+	// SrcPort is the TCP/UDP source port. Valid iff IPProto == TCP || IPProto == UDP.
+	SrcPort uint16
+	// DstPort is the TCP/UDP source port. Valid iff IPProto == TCP || IPProto == UDP.
+	DstPort uint16
 	// TCPFlags is the packet's TCP flag bigs. Valid iff IPProto == TCP.
-	TCPFlags TCPFlag
+	TCPFlags uint8
 }

 func (p *Parsed) String() string {
-	if p.IPVersion != 4 && p.IPVersion != 6 {
+	switch p.IPVersion {
+	case 4:
+		sb := strbuilder.Get()
+		sb.WriteString(p.IPProto.String())
+		sb.WriteByte('{')
+		writeIP4Port(sb, p.SrcIP4, p.SrcPort)
+		sb.WriteString(" > ")
+		writeIP4Port(sb, p.DstIP4, p.DstPort)
+		sb.WriteByte('}')
+		return sb.String()
+	case 6:
+		sb := strbuilder.Get()
+		sb.WriteString(p.IPProto.String())
+		sb.WriteByte('{')
+		writeIP6Port(sb, p.SrcIP6, p.SrcPort)
+		sb.WriteString(" > ")
+		writeIP6Port(sb, p.DstIP6, p.DstPort)
+		sb.WriteByte('}')
+		return sb.String()
+	default:
 		return "Unknown{???}"
 	}
-
-	sb := strbuilder.Get()
-	sb.WriteString(p.IPProto.String())
-	sb.WriteByte('{')
-	writeIPPort(sb, p.Src)
-	sb.WriteString(" > ")
-	writeIPPort(sb, p.Dst)
-	sb.WriteByte('}')
-	return sb.String()
 }

-// writeIPPort writes ipp.String() into sb, with fewer allocations.
-//
-// TODO: make netaddr more efficient in this area, and retire this func.
-func writeIPPort(sb *strbuilder.Builder, ipp netaddr.IPPort) {
-	if ipp.IP.Is4() {
-		raw := ipp.IP.As4()
-		sb.WriteUint(uint64(raw[0]))
-		sb.WriteByte('.')
-		sb.WriteUint(uint64(raw[1]))
-		sb.WriteByte('.')
-		sb.WriteUint(uint64(raw[2]))
-		sb.WriteByte('.')
-		sb.WriteUint(uint64(raw[3]))
-		sb.WriteByte(':')
-	} else {
-		sb.WriteByte('[')
-		sb.WriteString(ipp.IP.String()) // TODO: faster?
-		sb.WriteString("]:")
-	}
-	sb.WriteUint(uint64(ipp.Port))
+func writeIP4Port(sb *strbuilder.Builder, ip IP4, port uint16) {
+	sb.WriteUint(uint64(byte(ip >> 24)))
+	sb.WriteByte('.')
+	sb.WriteUint(uint64(byte(ip >> 16)))
+	sb.WriteByte('.')
+	sb.WriteUint(uint64(byte(ip >> 8)))
+	sb.WriteByte('.')
+	sb.WriteUint(uint64(byte(ip)))
+	sb.WriteByte(':')
+	sb.WriteUint(uint64(port))
+}
+
+func writeIP6Port(sb *strbuilder.Builder, ip IP6, port uint16) {
+	sb.WriteByte('[')
+	sb.WriteString(ip.Netaddr().String()) // TODO: faster?
+	sb.WriteString("]:")
+	sb.WriteUint(uint64(port))
 }

 // Decode extracts data from the packet in b into q.
@@ -133,8 +140,8 @@ func (q *Parsed) decode4(b []byte) {
 	}

 	// If it's valid IPv4, then the IP addresses are valid
-	q.Src.IP = netaddr.IPv4(b[12], b[13], b[14], b[15])
-	q.Dst.IP = netaddr.IPv4(b[16], b[17], b[18], b[19])
+	q.SrcIP4 = IP4(binary.BigEndian.Uint32(b[12:16]))
+	q.DstIP4 = IP4(binary.BigEndian.Uint32(b[16:20]))

 	q.subofs = int((b[0] & 0x0F) << 2)
 	if q.subofs > q.length {
@@ -176,8 +183,8 @@ func (q *Parsed) decode4(b []byte) {
 				q.IPProto = Unknown
 				return
 			}
-			q.Src.Port = 0
-			q.Dst.Port = 0
+			q.SrcPort = 0
+			q.DstPort = 0
 			q.dataofs = q.subofs + icmp4HeaderLength
 			return
 		case IGMP:
@@ -189,9 +196,9 @@ func (q *Parsed) decode4(b []byte) {
 				q.IPProto = Unknown
 				return
 			}
-			q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
-			q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
-			q.TCPFlags = TCPFlag(sub[13]) & 0x3F
+			q.SrcPort = binary.BigEndian.Uint16(sub[0:2])
+			q.DstPort = binary.BigEndian.Uint16(sub[2:4])
+			q.TCPFlags = sub[13] & 0x3F
 			headerLength := (sub[12] & 0xF0) >> 2
 			q.dataofs = q.subofs + int(headerLength)
 			return
@@ -200,14 +207,10 @@ func (q *Parsed) decode4(b []byte) {
 				q.IPProto = Unknown
 				return
 			}
-			q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
-			q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
+			q.SrcPort = binary.BigEndian.Uint16(sub[0:2])
+			q.DstPort = binary.BigEndian.Uint16(sub[2:4])
 			q.dataofs = q.subofs + udpHeaderLength
 			return
-		case TSMP:
-			// Inter-tailscale messages.
-			q.dataofs = q.subofs
-			return
 		default:
 			q.IPProto = Unknown
 			return
@@ -246,10 +249,10 @@ func (q *Parsed) decode6(b []byte) {
 		return
 	}

-	// okay to ignore `ok` here, because IPs pulled from packets are
-	// always well-formed stdlib IPs.
-	q.Src.IP, _ = netaddr.FromStdIP(net.IP(b[8:24]))
-	q.Dst.IP, _ = netaddr.FromStdIP(net.IP(b[24:40]))
+	q.SrcIP6.Hi = binary.BigEndian.Uint64(b[8:16])
+	q.SrcIP6.Lo = binary.BigEndian.Uint64(b[16:24])
+	q.DstIP6.Hi = binary.BigEndian.Uint64(b[24:32])
+	q.DstIP6.Lo = binary.BigEndian.Uint64(b[32:40])

 	// We don't support any IPv6 extension headers. Don't try to
 	// be clever. Therefore, the IP subprotocol always starts at
@@ -273,17 +276,17 @@ func (q *Parsed) decode6(b []byte) {
 			q.IPProto = Unknown
 			return
 		}
-		q.Src.Port = 0
-		q.Dst.Port = 0
+		q.SrcPort = 0
+		q.DstPort = 0
 		q.dataofs = q.subofs + icmp6HeaderLength
 	case TCP:
 		if len(sub) < tcpHeaderLength {
 			q.IPProto = Unknown
 			return
 		}
-		q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
-		q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
-		q.TCPFlags = TCPFlag(sub[13]) & 0x3F
+		q.SrcPort = binary.BigEndian.Uint16(sub[0:2])
+		q.DstPort = binary.BigEndian.Uint16(sub[2:4])
+		q.TCPFlags = sub[13] & 0x3F
 		headerLength := (sub[12] & 0xF0) >> 2
 		q.dataofs = q.subofs + int(headerLength)
 		return
@@ -292,13 +295,9 @@ func (q *Parsed) decode6(b []byte) {
 			q.IPProto = Unknown
 			return
 		}
-		q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
-		q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
+		q.SrcPort = binary.BigEndian.Uint16(sub[0:2])
+		q.DstPort = binary.BigEndian.Uint16(sub[2:4])
 		q.dataofs = q.subofs + udpHeaderLength
-	case TSMP:
-		// Inter-tailscale messages.
-		q.dataofs = q.subofs
-		return
 	default:
 		q.IPProto = Unknown
 		return
@@ -313,8 +312,8 @@ func (q *Parsed) IP4Header() IP4Header {
 	return IP4Header{
 		IPID:    ipid,
 		IPProto: q.IPProto,
-		Src:     q.Src.IP,
-		Dst:     q.Dst.IP,
+		SrcIP:   q.SrcIP4,
+		DstIP:   q.DstIP4,
 	}
 }

@@ -335,8 +334,8 @@ func (q *Parsed) UDP4Header() UDP4Header {
 	}
 	return UDP4Header{
 		IP4Header: q.IP4Header(),
-		SrcPort:   q.Src.Port,
-		DstPort:   q.Dst.Port,
+		SrcPort:   q.SrcPort,
+		DstPort:   q.DstPort,
 	}
 }

--- a/net/packet/packet_test.go
+++ b/net/packet/packet_test.go
@@ -12,12 +12,54 @@ import (
 	"inet.af/netaddr"
 )

-func mustIPPort(s string) netaddr.IPPort {
-	ipp, err := netaddr.ParseIPPort(s)
+func mustIP4(s string) IP4 {
+	ip, err := netaddr.ParseIP(s)
 	if err != nil {
 		panic(err)
 	}
-	return ipp
+	return IP4FromNetaddr(ip)
+}
+
+func mustIP6(s string) IP6 {
+	ip, err := netaddr.ParseIP(s)
+	if err != nil {
+		panic(err)
+	}
+	return IP6FromNetaddr(ip)
+}
+
+func TestIP4String(t *testing.T) {
+	const str = "1.2.3.4"
+	ip := mustIP4(str)
+
+	var got string
+	allocs := testing.AllocsPerRun(1000, func() {
+		got = ip.String()
+	})
+
+	if got != str {
+		t.Errorf("got %q; want %q", got, str)
+	}
+	if allocs != 1 {
+		t.Errorf("allocs = %v; want 1", allocs)
+	}
+}
+
+func TestIP6String(t *testing.T) {
+	const str = "2607:f8b0:400a:809::200e"
+	ip := mustIP6(str)
+
+	var got string
+	allocs := testing.AllocsPerRun(1000, func() {
+		got = ip.String()
+	})
+
+	if got != str {
+		t.Errorf("got %q; want %q", got, str)
+	}
+	if allocs != 2 {
+		t.Errorf("allocs = %v; want 1", allocs)
+	}
 }

 var icmp4RequestBuffer = []byte{
@@ -41,8 +83,10 @@ var icmp4RequestDecode = Parsed{

 	IPVersion: 4,
 	IPProto:   ICMPv4,
-	Src:       mustIPPort("1.2.3.4:0"),
-	Dst:       mustIPPort("5.6.7.8:0"),
+	SrcIP4:    mustIP4("1.2.3.4"),
+	DstIP4:    mustIP4("5.6.7.8"),
+	SrcPort:   0,
+	DstPort:   0,
 }

 var icmp4ReplyBuffer = []byte{
@@ -65,8 +109,10 @@ var icmp4ReplyDecode = Parsed{

 	IPVersion: 4,
 	IPProto:   ICMPv4,
-	Src:       mustIPPort("1.2.3.4:0"),
-	Dst:       mustIPPort("5.6.7.8:0"),
+	SrcIP4:    mustIP4("1.2.3.4"),
+	DstIP4:    mustIP4("5.6.7.8"),
+	SrcPort:   0,
+	DstPort:   0,
 }

 // ICMPv6 Router Solicitation
@@ -86,8 +132,8 @@ var icmp6PacketDecode = Parsed{
 	length:    len(icmp6PacketBuffer),
 	IPVersion: 6,
 	IPProto:   ICMPv6,
-	Src:       mustIPPort("[fe80::fb57:1dea:9c39:8fb7]:0"),
-	Dst:       mustIPPort("[ff02::2]:0"),
+	SrcIP6:    mustIP6("fe80::fb57:1dea:9c39:8fb7"),
+	DstIP6:    mustIP6("ff02::2"),
 }

 // This is a malformed IPv4 packet.
@@ -124,8 +170,10 @@ var tcp4PacketDecode = Parsed{

 	IPVersion: 4,
 	IPProto:   TCP,
-	Src:       mustIPPort("1.2.3.4:123"),
-	Dst:       mustIPPort("5.6.7.8:567"),
+	SrcIP4:    mustIP4("1.2.3.4"),
+	DstIP4:    mustIP4("5.6.7.8"),
+	SrcPort:   123,
+	DstPort:   567,
 	TCPFlags:  TCPSynAck,
 }

@@ -150,8 +198,10 @@ var tcp6RequestDecode = Parsed{

 	IPVersion: 6,
 	IPProto:   TCP,
-	Src:       mustIPPort("[2001:559:bc13:5400:1749:4628:3934:e1b]:42080"),
-	Dst:       mustIPPort("[2607:f8b0:400a:809::200e]:80"),
+	SrcIP6:    mustIP6("2001:559:bc13:5400:1749:4628:3934:e1b"),
+	DstIP6:    mustIP6("2607:f8b0:400a:809::200e"),
+	SrcPort:   42080,
+	DstPort:   80,
 	TCPFlags:  TCPSyn,
 }

@@ -176,8 +226,10 @@ var udp4RequestDecode = Parsed{

 	IPVersion: 4,
 	IPProto:   UDP,
-	Src:       mustIPPort("1.2.3.4:123"),
-	Dst:       mustIPPort("5.6.7.8:567"),
+	SrcIP4:    mustIP4("1.2.3.4"),
+	DstIP4:    mustIP4("5.6.7.8"),
+	SrcPort:   123,
+	DstPort:   567,
 }

 var invalid4RequestBuffer = []byte{
@@ -198,8 +250,8 @@ var invalid4RequestDecode = Parsed{

 	IPVersion: 4,
 	IPProto:   Unknown,
-	Src:       mustIPPort("1.2.3.4:0"),
-	Dst:       mustIPPort("5.6.7.8:0"),
+	SrcIP4:    mustIP4("1.2.3.4"),
+	DstIP4:    mustIP4("5.6.7.8"),
 }

 var udp6RequestBuffer = []byte{
@@ -223,8 +275,10 @@ var udp6RequestDecode = Parsed{

 	IPVersion: 6,
 	IPProto:   UDP,
-	Src:       mustIPPort("[2001:559:bc13:5400:1749:4628:3934:e1b]:54276"),
-	Dst:       mustIPPort("[2607:f8b0:400a:809::200e]:443"),
+	SrcIP6:    mustIP6("2001:559:bc13:5400:1749:4628:3934:e1b"),
+	DstIP6:    mustIP6("2607:f8b0:400a:809::200e"),
+	SrcPort:   54276,
+	DstPort:   443,
 }

 var udp4ReplyBuffer = []byte{
@@ -247,8 +301,10 @@ var udp4ReplyDecode = Parsed{
 	length:  len(udp4ReplyBuffer),

 	IPProto: UDP,
-	Src:     mustIPPort("1.2.3.4:567"),
-	Dst:     mustIPPort("5.6.7.8:123"),
+	SrcIP4:  mustIP4("1.2.3.4"),
+	DstIP4:  mustIP4("5.6.7.8"),
+	SrcPort: 567,
+	DstPort: 123,
 }

 var igmpPacketBuffer = []byte{
@@ -270,42 +326,11 @@ var igmpPacketDecode = Parsed{

 	IPVersion: 4,
 	IPProto:   IGMP,
-	Src:       mustIPPort("192.168.1.82:0"),
-	Dst:       mustIPPort("224.0.0.251:0"),
+	SrcIP4:    mustIP4("192.168.1.82"),
+	DstIP4:    mustIP4("224.0.0.251"),
 }

-var ipv4TSMPBuffer = []byte{
-	// IPv4 header:
-	0x45, 0x00,
-	0x00, 0x1b, // 20 + 7 bytes total
-	0x00, 0x00, // ID
-	0x00, 0x00, // Fragment
-	0x40, // TTL
-	byte(TSMP),
-	0x5f, 0xc3, // header checksum (wrong here)
-	// source IP:
-	0x64, 0x5e, 0x0c, 0x0e,
-	// dest IP:
-	0x64, 0x4a, 0x46, 0x03,
-	byte(TSMPTypeRejectedConn),
-	byte(TCP),
-	byte(RejectedDueToACLs),
-	0x00, 123, // src port
-	0x00, 80, // dst port
-}
-
-var ipv4TSMPDecode = Parsed{
-	b:         ipv4TSMPBuffer,
-	subofs:    20,
-	dataofs:   20,
-	length:    27,
-	IPVersion: 4,
-	IPProto:   TSMP,
-	Src:       mustIPPort("100.94.12.14:0"),
-	Dst:       mustIPPort("100.74.70.3:0"),
-}
-
-func TestParsedString(t *testing.T) {
+func TestParsed(t *testing.T) {
 	tests := []struct {
 		name    string
 		qdecode Parsed
@@ -319,7 +344,6 @@ func TestParsedString(t *testing.T) {
 		{"icmp6", icmp6PacketDecode, "ICMPv6{[fe80::fb57:1dea:9c39:8fb7]:0 > [ff02::2]:0}"},
 		{"igmp", igmpPacketDecode, "IGMP{192.168.1.82:0 > 224.0.0.251:0}"},
 		{"unknown", unknownPacketDecode, "Unknown{???}"},
-		{"ipv4_tsmp", ipv4TSMPDecode, "TSMP{100.94.12.14:0 > 100.74.70.3:0}"},
 	}

 	for _, tt := range tests {
@@ -356,7 +380,6 @@ func TestDecode(t *testing.T) {
 		{"igmp", igmpPacketBuffer, igmpPacketDecode},
 		{"unknown", unknownPacketBuffer, unknownPacketDecode},
 		{"invalid4", invalid4RequestBuffer, invalid4RequestDecode},
-		{"ipv4_tsmp", ipv4TSMPBuffer, ipv4TSMPDecode},
 	}

 	for _, tt := range tests {
@@ -364,7 +387,7 @@ func TestDecode(t *testing.T) {
 			var got Parsed
 			got.Decode(tt.buf)
 			if !reflect.DeepEqual(got, tt.want) {
-				t.Errorf("mismatch\n got: %s %#v\nwant: %s %#v", got.String(), got, tt.want.String(), tt.want)
+				t.Errorf("mismatch\n got: %#v\nwant: %#v", got, tt.want)
 			}
 		})
 	}
@@ -449,16 +472,9 @@ func TestMarshalResponse(t *testing.T) {
 	icmpHeader := icmp4RequestDecode.ICMP4Header()
 	udpHeader := udp4RequestDecode.UDP4Header()

-	type HeaderToResponser interface {
-		Header
-		// ToResponse transforms the header into one for a response packet.
-		// For instance, this swaps the source and destination IPs.
-		ToResponse()
-	}
-
 	tests := []struct {
 		name   string
-		header HeaderToResponser
+		header Header
 		want   []byte
 	}{
 		{"icmp", &icmpHeader, icmp4ReplyBuffer},
--- a/net/packet/tsmp.go
+++ b/net/packet/tsmp.go
@@ -1,140 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// TSMP is our ICMP-like "Tailscale Message Protocol" for signaling
-// Tailscale-specific messages between nodes. It uses IP protocol 99
-// (reserved for "any private encryption scheme") within
-// Wireguard's normal encryption between peers and never hits the host
-// network stack.
-
-package packet
-
-import (
-	"encoding/binary"
-	"errors"
-	"fmt"
-
-	"inet.af/netaddr"
-	"tailscale.com/net/flowtrack"
-)
-
-// TailscaleRejectedHeader is a TSMP message that says that one
-// Tailscale node has rejected the connection from another. Unlike a
-// TCP RST, this includes a reason.
-//
-// On the wire, after the IP header, it's currently 7 bytes:
-//     * '!'
-//     * IPProto byte (IANA protocol number: TCP or UDP)
-//     * 'A' or 'S' (RejectedDueToACLs, RejectedDueToShieldsUp)
-//     * srcPort big endian uint16
-//     * dstPort big endian uint16
-//
-// In the future it might also accept 16 byte IP flow src/dst IPs
-// after the header, if they're different than the IP-level ones.
-type TailscaleRejectedHeader struct {
-	IPSrc  netaddr.IP            // IPv4 or IPv6 header's src IP
-	IPDst  netaddr.IP            // IPv4 or IPv6 header's dst IP
-	Src    netaddr.IPPort        // rejected flow's src
-	Dst    netaddr.IPPort        // rejected flow's dst
-	Proto  IPProto               // proto that was rejected (TCP or UDP)
-	Reason TailscaleRejectReason // why the connection was rejected
-}
-
-func (rh TailscaleRejectedHeader) Flow() flowtrack.Tuple {
-	return flowtrack.Tuple{Src: rh.Src, Dst: rh.Dst}
-}
-
-func (rh TailscaleRejectedHeader) String() string {
-	return fmt.Sprintf("TSMP-reject-flow{%s %s > %s}: %s", rh.Proto, rh.Src, rh.Dst, rh.Reason)
-}
-
-type TSMPType uint8
-
-const (
-	TSMPTypeRejectedConn TSMPType = '!'
-)
-
-type TailscaleRejectReason byte
-
-const (
-	RejectedDueToACLs      TailscaleRejectReason = 'A'
-	RejectedDueToShieldsUp TailscaleRejectReason = 'S'
-)
-
-func (r TailscaleRejectReason) String() string {
-	switch r {
-	case RejectedDueToACLs:
-		return "acl"
-	case RejectedDueToShieldsUp:
-		return "shields"
-	}
-	return fmt.Sprintf("0x%02x", byte(r))
-}
-
-func (h TailscaleRejectedHeader) Len() int {
-	var ipHeaderLen int
-	if h.IPSrc.Is4() {
-		ipHeaderLen = ip4HeaderLength
-	} else if h.IPSrc.Is6() {
-		ipHeaderLen = ip6HeaderLength
-	}
-	return ipHeaderLen +
-		1 + // TSMPType byte
-		1 + // IPProto byte
-		1 + // TailscaleRejectReason byte
-		2*2 // 2 uint16 ports
-}
-
-func (h TailscaleRejectedHeader) Marshal(buf []byte) error {
-	if len(buf) < h.Len() {
-		return errSmallBuffer
-	}
-	if len(buf) > maxPacketLength {
-		return errLargePacket
-	}
-	if h.Src.IP.Is4() {
-		iph := IP4Header{
-			IPProto: TSMP,
-			Src:     h.IPSrc,
-			Dst:     h.IPDst,
-		}
-		iph.Marshal(buf)
-		buf = buf[ip4HeaderLength:]
-	} else if h.Src.IP.Is6() {
-		iph := IP6Header{
-			IPProto: TSMP,
-			Src:     h.IPSrc,
-			Dst:     h.IPDst,
-		}
-		iph.Marshal(buf)
-		buf = buf[ip6HeaderLength:]
-	} else {
-		return errors.New("bogus src IP")
-	}
-	buf[0] = byte(TSMPTypeRejectedConn)
-	buf[1] = byte(h.Proto)
-	buf[2] = byte(h.Reason)
-	binary.BigEndian.PutUint16(buf[3:5], h.Src.Port)
-	binary.BigEndian.PutUint16(buf[5:7], h.Dst.Port)
-	return nil
-}
-
-// AsTailscaleRejectedHeader parses pp as an incoming rejection
-// connection TSMP message.
-//
-// ok reports whether pp was a valid TSMP rejection packet.
-func (pp *Parsed) AsTailscaleRejectedHeader() (h TailscaleRejectedHeader, ok bool) {
-	p := pp.Payload()
-	if len(p) < 7 || p[0] != byte(TSMPTypeRejectedConn) {
-		return
-	}
-	return TailscaleRejectedHeader{
-		Proto:  IPProto(p[1]),
-		Reason: TailscaleRejectReason(p[2]),
-		IPSrc:  pp.Src.IP,
-		IPDst:  pp.Dst.IP,
-		Src:    netaddr.IPPort{IP: pp.Dst.IP, Port: binary.BigEndian.Uint16(p[3:5])},
-		Dst:    netaddr.IPPort{IP: pp.Src.IP, Port: binary.BigEndian.Uint16(p[5:7])},
-	}, true
-}
--- a/net/packet/tsmp_test.go
+++ b/net/packet/tsmp_test.go
@@ -1,63 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"testing"
-
-	"inet.af/netaddr"
-)
-
-func TestTailscaleRejectedHeader(t *testing.T) {
-	tests := []struct {
-		h       TailscaleRejectedHeader
-		wantStr string
-	}{
-		{
-			h: TailscaleRejectedHeader{
-				IPSrc:  netaddr.MustParseIP("5.5.5.5"),
-				IPDst:  netaddr.MustParseIP("1.2.3.4"),
-				Src:    netaddr.MustParseIPPort("1.2.3.4:567"),
-				Dst:    netaddr.MustParseIPPort("5.5.5.5:443"),
-				Proto:  TCP,
-				Reason: RejectedDueToACLs,
-			},
-			wantStr: "TSMP-reject-flow{TCP 1.2.3.4:567 > 5.5.5.5:443}: acl",
-		},
-		{
-			h: TailscaleRejectedHeader{
-				IPSrc:  netaddr.MustParseIP("2::2"),
-				IPDst:  netaddr.MustParseIP("1::1"),
-				Src:    netaddr.MustParseIPPort("[1::1]:567"),
-				Dst:    netaddr.MustParseIPPort("[2::2]:443"),
-				Proto:  UDP,
-				Reason: RejectedDueToShieldsUp,
-			},
-			wantStr: "TSMP-reject-flow{UDP [1::1]:567 > [2::2]:443}: shields",
-		},
-	}
-	for i, tt := range tests {
-		gotStr := tt.h.String()
-		if gotStr != tt.wantStr {
-			t.Errorf("%v. String = %q; want %q", i, gotStr, tt.wantStr)
-			continue
-		}
-		pkt := make([]byte, tt.h.Len())
-		tt.h.Marshal(pkt)
-
-		var p Parsed
-		p.Decode(pkt)
-		t.Logf("Parsed: %+v", p)
-		t.Logf("Parsed: %s", p.String())
-		back, ok := p.AsTailscaleRejectedHeader()
-		if !ok {
-			t.Errorf("%v. %q (%02x) didn't parse back", i, gotStr, pkt)
-			continue
-		}
-		if back != tt.h {
-			t.Errorf("%v. %q parsed back as %q", i, tt.h, back)
-		}
-	}
-}
--- a/net/tsaddr/tsaddr_test.go
+++ b/net/tsaddr/tsaddr_test.go
@@ -4,32 +4,7 @@

 package tsaddr

-import (
-	"testing"
-
-	"inet.af/netaddr"
-)
-
-func TestInCrostiniRange(t *testing.T) {
-	tests := []struct {
-		ip   netaddr.IP
-		want bool
-	}{
-		{netaddr.IPv4(192, 168, 0, 1), false},
-		{netaddr.IPv4(100, 101, 102, 103), false},
-		{netaddr.IPv4(100, 115, 92, 0), true},
-		{netaddr.IPv4(100, 115, 92, 5), true},
-		{netaddr.IPv4(100, 115, 92, 255), true},
-		{netaddr.IPv4(100, 115, 93, 40), true},
-		{netaddr.IPv4(100, 115, 94, 1), false},
-	}
-
-	for _, test := range tests {
-		if got := ChromeOSVMRange().Contains(test.ip); got != test.want {
-			t.Errorf("inCrostiniRange(%q) = %v, want %v", test.ip, got, test.want)
-		}
-	}
-}
+import "testing"

 func TestChromeOSVMRange(t *testing.T) {
 	if got, want := ChromeOSVMRange().String(), "100.115.92.0/23"; got != want {
--- a/portlist/portlist_test.go
+++ b/portlist/portlist_test.go
@@ -47,153 +47,6 @@ func TestIgnoreLocallyBoundPorts(t *testing.T) {
 	}
 }

-func TestLessThan(t *testing.T) {
-	tests := []struct {
-		name string
-		a, b Port
-		want bool
-	}{
-		{
-			"Port a < b",
-			Port{Proto: "tcp", Port: 100, Process: "proc1", inode: "inode1"},
-			Port{Proto: "tcp", Port: 101, Process: "proc1", inode: "inode1"},
-			true,
-		},
-		{
-			"Port a > b",
-			Port{Proto: "tcp", Port: 101, Process: "proc1", inode: "inode1"},
-			Port{Proto: "tcp", Port: 100, Process: "proc1", inode: "inode1"},
-			false,
-		},
-		{
-			"Proto a < b",
-			Port{Proto: "tcp", Port: 100, Process: "proc1", inode: "inode1"},
-			Port{Proto: "udp", Port: 100, Process: "proc1", inode: "inode1"},
-			true,
-		},
-		{
-			"Proto a < b",
-			Port{Proto: "udp", Port: 100, Process: "proc1", inode: "inode1"},
-			Port{Proto: "tcp", Port: 100, Process: "proc1", inode: "inode1"},
-			false,
-		},
-		{
-			"inode a < b",
-			Port{Proto: "tcp", Port: 100, Process: "proc1", inode: "inode1"},
-			Port{Proto: "tcp", Port: 100, Process: "proc1", inode: "inode2"},
-			true,
-		},
-		{
-			"inode a > b",
-			Port{Proto: "tcp", Port: 100, Process: "proc2", inode: "inode2"},
-			Port{Proto: "tcp", Port: 100, Process: "proc1", inode: "inode1"},
-			false,
-		},
-		{
-			"Process a < b",
-			Port{Proto: "tcp", Port: 100, Process: "proc1", inode: "inode1"},
-			Port{Proto: "tcp", Port: 100, Process: "proc2", inode: "inode1"},
-			true,
-		},
-		{
-			"Process a > b",
-			Port{Proto: "tcp", Port: 100, Process: "proc2", inode: "inode1"},
-			Port{Proto: "tcp", Port: 100, Process: "proc1", inode: "inode1"},
-			false,
-		},
-		{
-			"Port evaluated first",
-			Port{Proto: "udp", Port: 100, Process: "proc2", inode: "inode2"},
-			Port{Proto: "tcp", Port: 101, Process: "proc1", inode: "inode1"},
-			true,
-		},
-		{
-			"Proto evaluated second",
-			Port{Proto: "tcp", Port: 100, Process: "proc2", inode: "inode2"},
-			Port{Proto: "udp", Port: 100, Process: "proc1", inode: "inode1"},
-			true,
-		},
-		{
-			"inode evaluated third",
-			Port{Proto: "tcp", Port: 100, Process: "proc2", inode: "inode1"},
-			Port{Proto: "tcp", Port: 100, Process: "proc1", inode: "inode2"},
-			true,
-		},
-		{
-			"Process evaluated fourth",
-			Port{Proto: "tcp", Port: 100, Process: "proc1", inode: "inode1"},
-			Port{Proto: "tcp", Port: 100, Process: "proc2", inode: "inode1"},
-			true,
-		},
-		{
-			"equal",
-			Port{Proto: "tcp", Port: 100, Process: "proc1", inode: "inode1"},
-			Port{Proto: "tcp", Port: 100, Process: "proc1", inode: "inode1"},
-			false,
-		},
-	}
-
-	for _, tt := range tests {
-		got := tt.a.lessThan(&tt.b)
-		if got != tt.want {
-			t.Errorf("%s: Equal = %v; want %v", tt.name, got, tt.want)
-		}
-	}
-}
-
-func TestSameInodes(t *testing.T) {
-	port1 := Port{Proto: "tcp", Port: 100, Process: "proc", inode: "inode1"}
-	port2 := Port{Proto: "tcp", Port: 100, Process: "proc", inode: "inode1"}
-	portProto := Port{Proto: "udp", Port: 100, Process: "proc", inode: "inode1"}
-	portPort := Port{Proto: "tcp", Port: 101, Process: "proc", inode: "inode1"}
-	portInode := Port{Proto: "tcp", Port: 100, Process: "proc", inode: "inode2"}
-	portProcess := Port{Proto: "tcp", Port: 100, Process: "other", inode: "inode1"}
-
-	tests := []struct {
-		name string
-		a, b List
-		want bool
-	}{
-		{
-			"identical",
-			List{port1, port1},
-			List{port2, port2},
-			true,
-		},
-		{
-			"proto differs",
-			List{port1, port1},
-			List{port2, portProto},
-			false,
-		},
-		{
-			"port differs",
-			List{port1, port1},
-			List{port2, portPort},
-			false,
-		},
-		{
-			"inode differs",
-			List{port1, port1},
-			List{port2, portInode},
-			false,
-		},
-		{
-			// SameInodes does not check the Process field
-			"Process differs",
-			List{port1, port1},
-			List{port2, portProcess},
-			true,
-		},
-	}
-	for _, tt := range tests {
-		got := tt.a.SameInodes(tt.b)
-		if got != tt.want {
-			t.Errorf("%s: Equal = %v; want %v", tt.name, got, tt.want)
-		}
-	}
-}
-
 func BenchmarkGetList(b *testing.B) {
 	b.ReportAllocs()
 	for i := 0; i < b.N; i++ {
--- a/safesocket/unixsocket.go
+++ b/safesocket/unixsocket.go
@@ -64,33 +64,10 @@ func listen(path string, port uint16) (ln net.Listener, _ uint16, err error) {
 	if err != nil {
 		return nil, 0, err
 	}
-	os.Chmod(path, socketPermissionsForOS())
+	os.Chmod(path, 0666)
 	return pipe, 0, err
 }

-// socketPermissionsForOS returns the permissions to use for the
-// tailscaled.sock.
-func socketPermissionsForOS() os.FileMode {
-	if runtime.GOOS == "linux" {
-		// On Linux, the ipn/ipnserver package looks at the Unix peer creds
-		// and only permits read-only actions from non-root users, so we want
-		// this opened up wider.
-		//
-		// TODO(bradfitz): unify this all one in place probably, moving some
-		// of ipnserver (which does much of the "safe" bits) here. Maybe
-		// instead of net.Listener, we should return a type that returns
-		// an identity in addition to a net.Conn? (returning a wrapped net.Conn
-		// would surprise downstream callers probably)
-		//
-		// TODO(bradfitz): if OpenBSD and FreeBSD do the equivalent peercreds
-		// stuff that's in ipn/ipnserver/conn_ucred.go, they should also
-		// return 0666 here.
-		return 0666
-	}
-	// Otherwise, root only.
-	return 0600
-}
-
 // connectMacOSAppSandbox connects to the Tailscale Network Extension,
 // which is necessarily running within the macOS App Sandbox.  Our
 // little dance to connect a regular user binary to the sandboxed
--- a/scripts/check_license_headers.sh
+++ b/scripts/check_license_headers.sh
@@ -10,7 +10,7 @@
 check_file() {
    got=$1

-    for year in `seq 2019 2021`; do
+    for year in `seq 2019 2020`; do
        want=$(cat <<EOF
 // Copyright (c) $year Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
--- a/syncs/syncs.go
+++ b/syncs/syncs.go
@@ -33,7 +33,7 @@ func NewWaitGroupChan() *WaitGroupChan {
 }

 // DoneChan returns a channel that's closed on completion.
-func (wg *WaitGroupChan) DoneChan() <-chan struct{} { return wg.done }
+func (c *WaitGroupChan) DoneChan() <-chan struct{} { return c.done }

 // Add adds delta, which may be negative, to the WaitGroupChan
 // counter. If the counter becomes zero, all goroutines blocked on
@@ -46,10 +46,10 @@ func (wg *WaitGroupChan) DoneChan() <-chan struct{} { return wg.done }
 // than zero, may happen at any time. Typically this means the calls
 // to Add should execute before the statement creating the goroutine
 // or other event to be waited for.
-func (wg *WaitGroupChan) Add(delta int) {
-	n := atomic.AddInt64(&wg.n, int64(delta))
+func (c *WaitGroupChan) Add(delta int) {
+	n := atomic.AddInt64(&c.n, int64(delta))
 	if n == 0 {
-		close(wg.done)
+		close(c.done)
 	}
 }

--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -14,6 +14,7 @@ import (
 	"strings"
 	"time"

+	"github.com/tailscale/wireguard-go/wgcfg"
 	"go4.org/mem"
 	"golang.org/x/oauth2"
 	"inet.af/netaddr"
@@ -22,18 +23,6 @@ import (
 	"tailscale.com/types/structs"
 )

-// CurrentMapRequestVersion is the current MapRequest.Version value.
-//
-// History of versions:
-//     3: implicit compression, keep-alives
-//     4: opt-in keep-alives via KeepAlive field, opt-in compression via Compress
-//     5: 2020-10-19, implies IncludeIPv6, delta Peers/UserProfiles, supports MagicDNS
-//     6: 2020-12-07: means MapResponse.PacketFilter nil means unchanged
-//     7: 2020-12-15: FilterRule.SrcIPs accepts CIDRs+ranges, doesn't warn about 0.0.0.0/::
-//     8: 2020-12-19: client can receive IPv6 addresses and routes if beta enabled server-side
-//     9: 2020-12-30: client doesn't auto-add implicit search domains from peers; only DNSConfig.Domains
-const CurrentMapRequestVersion = 9
-
 type ID int64

 type UserID ID
@@ -123,6 +112,8 @@ type User struct {
 	Logins        []LoginID
 	Roles         []RoleID
 	Created       time.Time
+
+	// Note: be sure to update Clone when adding new fields
 }

 type Login struct {
@@ -147,32 +138,27 @@ type UserProfile struct {
 }

 type Node struct {
-	ID   NodeID
-	Name string // DNS
-
-	// User is the user who created the node. If ACL tags are in
-	// use for the node then it doesn't reflect the ACL identity
-	// that the node is running as.
-	User UserID
-
-	// Sharer, if non-zero, is the user who shared this node, if different than User.
-	Sharer UserID `json:",omitempty"`
-
+	ID         NodeID
+	Name       string // DNS
+	User       UserID
 	Key        NodeKey
 	KeyExpiry  time.Time
 	Machine    MachineKey
 	DiscoKey   DiscoKey
-	Addresses  []netaddr.IPPrefix // IP addresses of this Node directly
-	AllowedIPs []netaddr.IPPrefix // range of IP addresses to route to this node
-	Endpoints  []string           `json:",omitempty"` // IP+port (public via STUN, and local LANs)
-	DERP       string             `json:",omitempty"` // DERP-in-IP:port ("127.3.3.40:N") endpoint
+	Addresses  []wgcfg.CIDR // IP addresses of this Node directly
+	AllowedIPs []wgcfg.CIDR // range of IP addresses to route to this node
+	Endpoints  []string     `json:",omitempty"` // IP+port (public via STUN, and local LANs)
+	DERP       string       `json:",omitempty"` // DERP-in-IP:port ("127.3.3.40:N") endpoint
 	Hostinfo   Hostinfo
 	Created    time.Time
 	LastSeen   *time.Time `json:",omitempty"`

-	KeepAlive bool `json:",omitempty"` // open and keep open a connection to this peer
+	KeepAlive bool // open and keep open a connection to this peer

-	MachineAuthorized bool `json:",omitempty"` // TODO(crawshaw): replace with MachineStatus
+	MachineAuthorized bool // TODO(crawshaw): replace with MachineStatus
+
+	// NOTE: any new fields containing pointers in this type
+	//       require changes to Node.Clone.
 }

 type MachineStatus int
@@ -289,6 +275,9 @@ type Service struct {
 	Description string       `json:",omitempty"` // text description of service
 	// TODO(apenwarr): allow advertising services on subnet IPs?
 	// TODO(apenwarr): add "tags" here for each service?
+
+	// NOTE: any new fields containing pointers in this type
+	//       require changes to Hostinfo.Clone.
 }

 // Hostinfo contains a summary of a Tailscale host.
@@ -298,23 +287,22 @@ type Service struct {
 type Hostinfo struct {
 	// TODO(crawshaw): mark all these fields ",omitempty" when all the
 	// iOS apps are updated with the latest swift version of this struct.
-	IPNVersion    string             `json:",omitempty"` // version of this code
-	FrontendLogID string             `json:",omitempty"` // logtail ID of frontend instance
-	BackendLogID  string             `json:",omitempty"` // logtail ID of backend instance
-	OS            string             // operating system the client runs on (a version.OS value)
-	OSVersion     string             `json:",omitempty"` // operating system version, with optional distro prefix ("Debian 10.4", "Windows 10 Pro 10.0.19041")
-	DeviceModel   string             `json:",omitempty"` // mobile phone model ("Pixel 3a", "iPhone 11 Pro")
-	Hostname      string             // name of the host the client runs on
-	ShieldsUp     bool               `json:",omitempty"` // indicates whether the host is blocking incoming connections
-	ShareeNode    bool               `json:",omitempty"` // indicates this node exists in netmap because it's owned by a shared-to user
-	GoArch        string             `json:",omitempty"` // the host's GOARCH value (of the running binary)
-	RoutableIPs   []netaddr.IPPrefix `json:",omitempty"` // set of IP ranges this client can route
-	RequestTags   []string           `json:",omitempty"` // set of ACL tags this node wants to claim
-	Services      []Service          `json:",omitempty"` // services advertised by this machine
-	NetInfo       *NetInfo           `json:",omitempty"`
+	IPNVersion    string       // version of this code
+	FrontendLogID string       `json:",omitempty"` // logtail ID of frontend instance
+	BackendLogID  string       `json:",omitempty"` // logtail ID of backend instance
+	OS            string       // operating system the client runs on (a version.OS value)
+	OSVersion     string       `json:",omitempty"` // operating system version, with optional distro prefix ("Debian 10.4", "Windows 10 Pro 10.0.19041")
+	DeviceModel   string       `json:",omitempty"` // mobile phone model ("Pixel 3a", "iPhone 11 Pro")
+	Hostname      string       // name of the host the client runs on
+	ShieldsUp     bool         `json:",omitempty"` // indicates whether the host is blocking incoming connections
+	GoArch        string       `json:",omitempty"` // the host's GOARCH value (of the running binary)
+	RoutableIPs   []wgcfg.CIDR `json:",omitempty"` // set of IP ranges this client can route
+	RequestTags   []string     `json:",omitempty"` // set of ACL tags this node wants to claim
+	Services      []Service    `json:",omitempty"` // services advertised by this machine
+	NetInfo       *NetInfo     `json:",omitempty"`

 	// NOTE: any new fields containing pointers in this type
-	//       require changes to Hostinfo.Equal.
+	//       require changes to Hostinfo.Clone and Hostinfo.Equal.
 }

 // NetInfo contains information about the host's network state.
@@ -366,7 +354,7 @@ type NetInfo struct {
 	// the control plane.
 	DERPLatency map[string]float64 `json:",omitempty"`

-	// Update BasicallyEqual when adding fields.
+	// Update Clone and BasicallyEqual when adding fields.
 }

 func (ni *NetInfo) String() string {
@@ -491,9 +479,11 @@ type MapRequest struct {
 	// we want to signal to the control server that we're capable of something
 	// different.
 	//
-	// For current values and history, see CurrentMapRequestVersion above.
-	Version int
-
+	// History of versions:
+	//     3: implicit compression, keep-alives
+	//     4: opt-in keep-alives via KeepAlive field, opt-in compression via Compress
+	//     5: 2020-10-19, implies IncludeIPv6, DeltaPeers/DeltaUserProfiles, supports MagicDNS
+	Version     int
 	Compress    string // "zstd" or "" (no compression)
 	KeepAlive   bool   // whether server should send keep-alives back to us
 	NodeKey     NodeKey
@@ -515,10 +505,6 @@ type MapRequest struct {
 	// OmitPeers is whether the client is okay with the Peers list
 	// being omitted in the response. (For example, a client on
 	// start up using ReadOnly to get the DERP map.)
-	//
-	// If OmitPeers is true, Stream is false, and ReadOnly is false,
-	// then the server will let clients update their endpoints without
-	// breaking existing long-polling (Stream == true) connections.
 	OmitPeers bool `json:",omitempty"`

 	// DebugFlags is a list of strings specifying debugging and
@@ -531,8 +517,8 @@ type MapRequest struct {
 	// Current DebugFlags values are:
 	//     * "warn-ip-forwarding-off": client is trying to be a subnet
 	//       router but their IP forwarding is broken.
-	//     * "minimize-netmap": have control minimize the netmap, removing
-	//       peers that are unreachable per ACLS.
+	//     * "v6-overlay": IPv6 development flag to have control send
+	//       v6 node addrs
 	DebugFlags []string `json:",omitempty"`
 }

@@ -544,11 +530,11 @@ type PortRange struct {

 var PortRangeAny = PortRange{0, 65535}

-// NetPortRange represents a range of ports that's allowed for one or more IPs.
+// NetPortRange represents a single subnet:portrange.
 type NetPortRange struct {
 	_     structs.Incomparable
-	IP    string // IP, CIDR, Range, or "*" (same formats as FilterRule.SrcIPs)
-	Bits  *int   // deprecated; the old way to turn IP into a CIDR
+	IP    string // "*" means all
+	Bits  *int   // backward compatibility: if missing, means "all" bits
 	Ports PortRange
 }

@@ -559,26 +545,19 @@ type NetPortRange struct {
 // allowed if a source IP is mathces of those CIDRs.
 type FilterRule struct {
 	// SrcIPs are the source IPs/networks to match.
-	//
-	// It may take the following forms:
-	//     * an IP address (IPv4 or IPv6)
-	//     * the string "*" to match everything (both IPv4 & IPv6)
-	//     * a CIDR (e.g. "192.168.0.0/16")
-	//     * a range of two IPs, inclusive, separated by hyphen ("2eff::1-2eff::0800")
+	// The special value "*" means to match all.
 	SrcIPs []string

-	// SrcBits is deprecated; it's the old way to specify a CIDR
-	// prior to MapRequest.Version 7. Its values correspond to the
-	// SrcIPs above.
+	// SrcBits values correspond to the SrcIPs above.
 	//
-	// If an entry of SrcBits is present for the same index as a
-	// SrcIPs entry, it changes the SrcIP above to be a network
-	// with /n CIDR bits. If the slice is nil or insufficiently
-	// long, the default value (for an IPv4 address) for a
-	// position is 32, as if the SrcIPs above were a /32 mask. For
-	// a "*" SrcIPs value, the corresponding SrcBits value is
-	// ignored.
-	SrcBits []int `json:",omitempty"`
+	// If present at the same index, it changes the SrcIP above to
+	// be a network with /n CIDR bits. If the slice is nil or
+	// insufficiently long, the default value (for an IPv4
+	// address) for a position is 32, as if the SrcIPs above were
+	// a /32 mask. For a "*" SrcIPs value, the corresponding
+	// SrcBits value is ignored.
+	// TODO: for IPv6, clarify default bits length.
+	SrcBits []int

 	// DstPorts are the port ranges to allow once a source IP
 	// matches (is in the CIDR described by SrcIPs & SrcBits).
@@ -622,15 +601,14 @@ type MapResponse struct {

 	// Peers, if non-empty, is the complete list of peers.
 	// It will be set in the first MapResponse for a long-polled request/response.
-	// Subsequent responses will be delta-encoded if MapRequest.Version >= 5 and server
-	// chooses, in which case Peers will be nil or zero length.
+	// Subsequent responses will be delta-encoded if DeltaPeers was set in the request.
 	// If Peers is non-empty, PeersChanged and PeersRemoved should
 	// be ignored (and should be empty).
 	// Peers is always returned sorted by Node.ID.
 	Peers []*Node `json:",omitempty"`
 	// PeersChanged are the Nodes (identified by their ID) that
 	// have changed or been added since the past update on the
-	// HTTP response. It's not used by the server if MapRequest.Version < 5.
+	// HTTP response. It's only set if MapRequest.DeltaPeers was true.
 	// PeersChanged is always returned sorted by Node.ID.
 	PeersChanged []*Node `json:",omitempty"`
 	// PeersRemoved are the NodeIDs that are no longer in the peer list.
@@ -639,47 +617,18 @@ type MapResponse struct {
 	// DNS is the same as DNSConfig.Nameservers.
 	//
 	// TODO(dmytro): should be sent in DNSConfig.Nameservers once clients have updated.
-	DNS []netaddr.IP `json:",omitempty"`
-
-	// SearchPaths is the old way to specify DNS search
-	// domains. Clients should use these values if set, but the
-	// server will omit this field for clients with
-	// MapRequest.Version >= 9. Clients should prefer to use
-	// DNSConfig.Domains instead.
-	SearchPaths []string `json:",omitempty"`
-
-	// DNSConfig contains the DNS settings for the client to use.
+	DNS []wgcfg.IP `json:",omitempty"`
+	// SearchPaths are the same as DNSConfig.Domains.
 	//
-	// TODO(bradfitz): make this a pointer and conditionally sent
-	// only if changed, like DERPMap, PacketFilter, etc. It's
-	// small, though.
-	DNSConfig DNSConfig `json:",omitempty"`
+	// TODO(dmytro): should be sent in DNSConfig.Domains once clients have updated.
+	SearchPaths []string  `json:",omitempty"`
+	DNSConfig   DNSConfig `json:",omitempty"`

-	// Domain is the name of the network that this node is
-	// in. It's either of the form "example.com" (for user
-	// foo@example.com, for multi-user networks) or
-	// "foo@gmail.com" (for siloed users on shared email
-	// providers). Its exact form should not be depended on; new
-	// forms are coming later.
-	Domain string
-
-	// CollectServices reports whether this node's Tailnet has
-	// requested that info about services be included in HostInfo.
-	// If unset, the most recent non-empty MapResponse value in
-	// the HTTP response stream is used.
-	CollectServices opt.Bool `json:",omitempty"`
-
-	// PacketFilter are the firewall rules.
-	//
-	// For MapRequest.Version >= 6, a nil value means the most
-	// previously streamed non-nil MapResponse.PacketFilter within
-	// the same HTTP response. A non-nil but empty list always means
-	// no PacketFilter (that is, to block everything).
+	// ACLs
+	Domain       string
 	PacketFilter []FilterRule
-
-	UserProfiles []UserProfile // as of 1.1.541 (mapver 5): may be new or updated user profiles only
+	UserProfiles []UserProfile // as of 1.1.541: may be new or updated user profiles only
 	Roles        []Role        // deprecated; clients should not rely on Roles
-
 	// TODO: Groups       []Group
 	// TODO: Capabilities []Capability

@@ -781,7 +730,6 @@ func (n *Node) Equal(n2 *Node) bool {
 		n.ID == n2.ID &&
 		n.Name == n2.Name &&
 		n.User == n2.User &&
-		n.Sharer == n2.Sharer &&
 		n.Key == n2.Key &&
 		n.KeyExpiry.Equal(n2.KeyExpiry) &&
 		n.Machine == n2.Machine &&
@@ -808,7 +756,7 @@ func eqStrings(a, b []string) bool {
 	return true
 }

-func eqCIDRs(a, b []netaddr.IPPrefix) bool {
+func eqCIDRs(a, b []wgcfg.CIDR) bool {
 	if len(a) != len(b) || ((a == nil) != (b == nil)) {
 		return false
 	}
--- a/tailcfg/tailcfg_clone.go
+++ b/tailcfg/tailcfg_clone.go
@@ -7,6 +7,7 @@
 package tailcfg

 import (
+	"github.com/tailscale/wireguard-go/wgcfg"
 	"inet.af/netaddr"
 	"tailscale.com/types/opt"
 	"tailscale.com/types/structs"
@@ -64,13 +65,12 @@ var _NodeNeedsRegeneration = Node(struct {
 	ID                NodeID
 	Name              string
 	User              UserID
-	Sharer            UserID
 	Key               NodeKey
 	KeyExpiry         time.Time
 	Machine           MachineKey
 	DiscoKey          DiscoKey
-	Addresses         []netaddr.IPPrefix
-	AllowedIPs        []netaddr.IPPrefix
+	Addresses         []wgcfg.CIDR
+	AllowedIPs        []wgcfg.CIDR
 	Endpoints         []string
 	DERP              string
 	Hostinfo          Hostinfo
@@ -106,9 +106,8 @@ var _HostinfoNeedsRegeneration = Hostinfo(struct {
 	DeviceModel   string
 	Hostname      string
 	ShieldsUp     bool
-	ShareeNode    bool
 	GoArch        string
-	RoutableIPs   []netaddr.IPPrefix
+	RoutableIPs   []wgcfg.CIDR
 	RequestTags   []string
 	Services      []Service
 	NetInfo       *NetInfo
--- a/tailcfg/tailcfg_test.go
+++ b/tailcfg/tailcfg_test.go
@@ -11,8 +11,7 @@ import (
 	"testing"
 	"time"

-	"inet.af/netaddr"
-	"tailscale.com/types/wgkey"
+	"github.com/tailscale/wireguard-go/wgcfg"
 )

 func fieldsOf(t reflect.Type) (fields []string) {
@@ -24,21 +23,18 @@ func fieldsOf(t reflect.Type) (fields []string) {

 func TestHostinfoEqual(t *testing.T) {
 	hiHandles := []string{
-		"IPNVersion", "FrontendLogID", "BackendLogID",
-		"OS", "OSVersion", "DeviceModel", "Hostname",
-		"ShieldsUp", "ShareeNode",
-		"GoArch",
-		"RoutableIPs", "RequestTags",
-		"Services", "NetInfo",
+		"IPNVersion", "FrontendLogID", "BackendLogID", "OS", "OSVersion",
+		"DeviceModel", "Hostname", "ShieldsUp", "GoArch", "RoutableIPs",
+		"RequestTags", "Services", "NetInfo",
 	}
 	if have := fieldsOf(reflect.TypeOf(Hostinfo{})); !reflect.DeepEqual(have, hiHandles) {
 		t.Errorf("Hostinfo.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, hiHandles)
 	}

-	nets := func(strs ...string) (ns []netaddr.IPPrefix) {
+	nets := func(strs ...string) (ns []wgcfg.CIDR) {
 		for _, s := range strs {
-			n, err := netaddr.ParseIPPrefix(s)
+			n, err := wgcfg.ParseCIDR(s)
 			if err != nil {
 				panic(err)
 			}
@@ -173,11 +169,6 @@ func TestHostinfoEqual(t *testing.T) {
 			&Hostinfo{Services: []Service{Service{Proto: TCP, Port: 1234, Description: "foo"}}},
 			true,
 		},
-		{
-			&Hostinfo{ShareeNode: true},
-			&Hostinfo{},
-			false,
-		},
 	}
 	for i, tt := range tests {
 		got := tt.a.Equal(tt.b)
@@ -188,20 +179,15 @@ func TestHostinfoEqual(t *testing.T) {
 }

 func TestNodeEqual(t *testing.T) {
-	nodeHandles := []string{
-		"ID", "Name", "User", "Sharer",
-		"Key", "KeyExpiry", "Machine", "DiscoKey",
-		"Addresses", "AllowedIPs", "Endpoints", "DERP", "Hostinfo",
-		"Created", "LastSeen", "KeepAlive", "MachineAuthorized",
-	}
+	nodeHandles := []string{"ID", "Name", "User", "Key", "KeyExpiry", "Machine", "DiscoKey", "Addresses", "AllowedIPs", "Endpoints", "DERP", "Hostinfo", "Created", "LastSeen", "KeepAlive", "MachineAuthorized"}
 	if have := fieldsOf(reflect.TypeOf(Node{})); !reflect.DeepEqual(have, nodeHandles) {
 		t.Errorf("Node.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, nodeHandles)
 	}

-	newPublicKey := func(t *testing.T) wgkey.Key {
+	newPublicKey := func(t *testing.T) wgcfg.Key {
 		t.Helper()
-		k, err := wgkey.NewPrivate()
+		k, err := wgcfg.NewPrivateKey()
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -270,23 +256,23 @@ func TestNodeEqual(t *testing.T) {
 			true,
 		},
 		{
-			&Node{Addresses: []netaddr.IPPrefix{}},
+			&Node{Addresses: []wgcfg.CIDR{}},
 			&Node{Addresses: nil},
 			false,
 		},
 		{
-			&Node{Addresses: []netaddr.IPPrefix{}},
-			&Node{Addresses: []netaddr.IPPrefix{}},
+			&Node{Addresses: []wgcfg.CIDR{}},
+			&Node{Addresses: []wgcfg.CIDR{}},
 			true,
 		},
 		{
-			&Node{AllowedIPs: []netaddr.IPPrefix{}},
+			&Node{AllowedIPs: []wgcfg.CIDR{}},
 			&Node{AllowedIPs: nil},
 			false,
 		},
 		{
-			&Node{Addresses: []netaddr.IPPrefix{}},
-			&Node{Addresses: []netaddr.IPPrefix{}},
+			&Node{Addresses: []wgcfg.CIDR{}},
+			&Node{Addresses: []wgcfg.CIDR{}},
 			true,
 		},
 		{
@@ -435,8 +421,8 @@ func TestCloneNode(t *testing.T) {
 	}{
 		{"nil_fields", &Node{}},
 		{"zero_fields", &Node{
-			Addresses:  make([]netaddr.IPPrefix, 0),
-			AllowedIPs: make([]netaddr.IPPrefix, 0),
+			Addresses:  make([]wgcfg.CIDR, 0),
+			AllowedIPs: make([]wgcfg.CIDR, 0),
 			Endpoints:  make([]string, 0),
 		}},
 	}
--- a/tempfork/pprof/pprof.go
+++ b/tempfork/pprof/pprof.go
@@ -44,12 +44,11 @@ func AddHandlers(mux *http.ServeMux) {
 func Cmdline(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-	fmt.Fprint(w, strings.Join(os.Args, "\x00"))
+	fmt.Fprintf(w, strings.Join(os.Args, "\x00"))
 }

 func sleep(w http.ResponseWriter, d time.Duration) {
 	var clientGone <-chan bool
-	//lint:ignore SA1019 CloseNotifier is deprecated but it functions and this is a temporary fork
 	if cn, ok := w.(http.CloseNotifier); ok {
 		clientGone = cn.CloseNotify()
 	}
--- a/tstest/log.go
+++ b/tstest/log.go
@@ -75,18 +75,13 @@ type LogLineTracker struct {
 	logf      logger.Logf
 	listenFor []string

-	mu     sync.Mutex
-	closed bool
-	seen   map[string]bool // format string => false (if not yet seen but wanted) or true (once seen)
+	mu   sync.Mutex
+	seen map[string]bool // format string => false (if not yet seen but wanted) or true (once seen)
 }

 // Logf logs to its underlying logger and also tracks that the given format pattern has been seen.
 func (lt *LogLineTracker) Logf(format string, args ...interface{}) {
 	lt.mu.Lock()
-	if lt.closed {
-		lt.mu.Unlock()
-		return
-	}
 	if v, ok := lt.seen[format]; ok && !v {
 		lt.seen[format] = true
 	}
@@ -106,10 +101,3 @@ func (lt *LogLineTracker) Check() []string {
 	}
 	return notSeen
 }
-
-// Close closes lt. After calling Close, calls to Logf become no-ops.
-func (lt *LogLineTracker) Close() {
-	lt.mu.Lock()
-	defer lt.mu.Unlock()
-	lt.closed = true
-}
--- a/tsweb/tsweb.go
+++ b/tsweb/tsweb.go
@@ -43,17 +43,7 @@ func registerCommonDebug(mux *http.ServeMux) {
 	expvar.Publish("counter_uptime_sec", expvar.Func(func() interface{} { return int64(Uptime().Seconds()) }))
 	mux.Handle("/debug/pprof/", Protected(http.DefaultServeMux)) // to net/http/pprof
 	mux.Handle("/debug/vars", Protected(http.DefaultServeMux))   // to expvar
-	mux.Handle("/debug/varz", Protected(http.HandlerFunc(VarzHandler)))
-	mux.Handle("/debug/gc", Protected(http.HandlerFunc(gcHandler)))
-}
-
-func gcHandler(w http.ResponseWriter, r *http.Request) {
-	w.Write([]byte("running GC...\n"))
-	if f, ok := w.(http.Flusher); ok {
-		f.Flush()
-	}
-	runtime.GC()
-	w.Write([]byte("Done.\n"))
+	mux.Handle("/debug/varz", Protected(http.HandlerFunc(varzHandler)))
 }

 func DefaultCertDir(leafDir string) string {
@@ -371,7 +361,7 @@ func Error(code int, msg string, err error) HTTPError {
 	return HTTPError{Code: code, Msg: msg, Err: err}
 }

-// VarzHandler is an HTTP handler to write expvar values into the
+// varzHandler is an HTTP handler to write expvar values into the
 // prometheus export format:
 //
 //   https://github.com/prometheus/docs/blob/master/content/docs/instrumenting/exposition_formats.md
@@ -388,7 +378,7 @@ func Error(code int, msg string, err error) HTTPError {
 //     is not exported.
 //
 // This will evolve over time, or perhaps be replaced.
-func VarzHandler(w http.ResponseWriter, r *http.Request) {
+func varzHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/plain; version=0.0.4")

 	var dump func(prefix string, kv expvar.KeyValue)
--- a/types/key/key.go
+++ b/types/key/key.go
@@ -82,15 +82,6 @@ func (k Private) Public() Public {
 	return Public(pub)
 }

-func (k Private) SharedSecret(pub Public) (ss [32]byte) {
-	apk := (*[32]byte)(&pub)
-	ask := (*[32]byte)(&k)
-	//lint:ignore SA1019 Code copied from wireguard-go, we aim for
-	//minimal changes from it.
-	curve25519.ScalarMult(&ss, ask, apk)
-	return ss
-}
-
 // NewPublicFromHexMem parses a public key in its hex form, given in m.
 // The provided m must be exactly 64 bytes in length.
 func NewPublicFromHexMem(m mem.RO) (Public, error) {
--- a/types/key/key_test.go
+++ b/types/key/key_test.go
@@ -7,7 +7,7 @@ package key
 import (
 	"testing"

-	"tailscale.com/types/wgkey"
+	"github.com/tailscale/wireguard-go/wgcfg"
 )

 func TestTextUnmarshal(t *testing.T) {
@@ -28,10 +28,10 @@ func TestTextUnmarshal(t *testing.T) {
 func TestClamping(t *testing.T) {
 	t.Run("NewPrivate", func(t *testing.T) { testClamping(t, NewPrivate) })

-	// Also test the wgkey package, as their behavior should match.
-	t.Run("wgkey", func(t *testing.T) {
+	// Also test the wgcfg package, as their behavior should match.
+	t.Run("wgcfg", func(t *testing.T) {
 		testClamping(t, func() Private {
-			k, err := wgkey.NewPrivate()
+			k, err := wgcfg.NewPrivateKey()
 			if err != nil {
 				t.Fatal(err)
 			}
--- a/types/logger/logger.go
+++ b/types/logger/logger.go
@@ -132,7 +132,7 @@ func RateLimitedFn(logf Logf, f time.Duration, burst int, maxCache int) Logf {
 			logf(format, args...)
 		case warn:
 			// For the warning, log the specific format string
-			logf("[RATE LIMITED] format string \"%s\" (example: \"%s\")", format, fmt.Sprintf(format, args...))
+			logf("[RATE LIMITED] %s", format)
 		}
 	}
 }
@@ -179,40 +179,3 @@ func (fn ArgWriter) Format(f fmt.State, _ rune) {
 }

 var argBufioPool = &sync.Pool{New: func() interface{} { return bufio.NewWriterSize(ioutil.Discard, 1024) }}
-
-// Filtered returns a Logf that silently swallows some log lines.
-// Each inbound format and args is evaluated and printed to a string s.
-// The original format and args are passed to logf if and only if allow(s) returns true.
-func Filtered(logf Logf, allow func(s string) bool) Logf {
-	return func(format string, args ...interface{}) {
-		msg := fmt.Sprintf(format, args...)
-		if !allow(msg) {
-			return
-		}
-		logf(format, args...)
-	}
-}
-
-// LogfCloser wraps logf to create a logger that can be closed.
-// Calling close makes all future calls to newLogf into no-ops.
-func LogfCloser(logf Logf) (newLogf Logf, close func()) {
-	var (
-		mu     sync.Mutex
-		closed bool
-	)
-	close = func() {
-		mu.Lock()
-		defer mu.Unlock()
-		closed = true
-	}
-	newLogf = func(msg string, args ...interface{}) {
-		mu.Lock()
-		if closed {
-			mu.Unlock()
-			return
-		}
-		mu.Unlock()
-		logf(msg, args...)
-	}
-	return newLogf, close
-}
--- a/types/logger/logger_test.go
+++ b/types/logger/logger_test.go
@@ -45,8 +45,8 @@ func TestRateLimiter(t *testing.T) {
 		"templated format string no. 0",
 		"boring string with constant formatting (constant)",
 		"templated format string no. 1",
-		"[RATE LIMITED] format string \"boring string with constant formatting %s\" (example: \"boring string with constant formatting (constant)\")",
-		"[RATE LIMITED] format string \"templated format string no. %d\" (example: \"templated format string no. 2\")",
+		"[RATE LIMITED] boring string with constant formatting %s",
+		"[RATE LIMITED] templated format string no. %d",
 		"Make sure this string makes it through the rest (that are blocked) 4",
 		"4 shouldn't get filtered.",
 	}
--- a/types/wgkey/key.go
+++ b/types/wgkey/key.go
@@ -1,241 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package wgkey contains types and helpers for WireGuard keys.
-// It is very similar to package tailscale.com/types/key,
-// which is also used for curve25519 keys.
-// These keys are used for WireGuard clients;
-// those keys are used in other curve25519 clients.
-package wgkey
-
-import (
-	"bytes"
-	"crypto/rand"
-	"crypto/subtle"
-	"encoding/base64"
-	"encoding/hex"
-	"errors"
-	"fmt"
-	"strings"
-
-	"golang.org/x/crypto/chacha20poly1305"
-	"golang.org/x/crypto/curve25519"
-)
-
-// Size is the number of bytes in a curve25519 key.
-const Size = 32
-
-// A Key is a curve25519 key.
-// It is used by WireGuard to represent public keys.
-type Key [Size]byte
-
-// NewPreshared generates a new random Key.
-func NewPreshared() (*Key, error) {
-	var k [Size]byte
-	_, err := rand.Read(k[:])
-	if err != nil {
-		return nil, err
-	}
-	return (*Key)(&k), nil
-}
-
-func Parse(b64 string) (*Key, error) { return parseBase64(base64.StdEncoding, b64) }
-
-func ParseHex(s string) (Key, error) {
-	b, err := hex.DecodeString(s)
-	if err != nil {
-		return Key{}, fmt.Errorf("invalid hex key (%q): %w", s, err)
-	}
-	if len(b) != Size {
-		return Key{}, fmt.Errorf("invalid hex key (%q): length=%d, want %d", s, len(b), Size)
-	}
-
-	var key Key
-	copy(key[:], b)
-	return key, nil
-}
-
-func ParsePrivateHex(v string) (Private, error) {
-	k, err := ParseHex(v)
-	if err != nil {
-		return Private{}, err
-	}
-	pk := Private(k)
-	if pk.IsZero() {
-		// Do not clamp a zero key, pass the zero through
-		// (much like NaN propagation) so that IsZero reports
-		// a useful result.
-		return pk, nil
-	}
-	pk.clamp()
-	return pk, nil
-}
-
-func (k Key) Base64() string    { return base64.StdEncoding.EncodeToString(k[:]) }
-func (k Key) String() string    { return k.ShortString() }
-func (k Key) HexString() string { return hex.EncodeToString(k[:]) }
-func (k Key) Equal(k2 Key) bool { return subtle.ConstantTimeCompare(k[:], k2[:]) == 1 }
-
-func (k *Key) ShortString() string {
-	long := k.Base64()
-	return "[" + long[0:5] + "]"
-}
-
-func (k *Key) IsZero() bool {
-	if k == nil {
-		return true
-	}
-	var zeros Key
-	return subtle.ConstantTimeCompare(zeros[:], k[:]) == 1
-}
-
-func (k *Key) MarshalJSON() ([]byte, error) {
-	if k == nil {
-		return []byte("null"), nil
-	}
-	// TODO(josharian): use encoding/hex instead?
-	buf := new(bytes.Buffer)
-	fmt.Fprintf(buf, `"%x"`, k[:])
-	return buf.Bytes(), nil
-}
-
-func (k *Key) UnmarshalJSON(b []byte) error {
-	if k == nil {
-		return errors.New("wgkey.Key: UnmarshalJSON on nil pointer")
-	}
-	if len(b) < 3 || b[0] != '"' || b[len(b)-1] != '"' {
-		return errors.New("wgkey.Key: UnmarshalJSON not given a string")
-	}
-	b = b[1 : len(b)-1]
-	key, err := ParseHex(string(b))
-	if err != nil {
-		return fmt.Errorf("wgkey.Key: UnmarshalJSON: %v", err)
-	}
-	copy(k[:], key[:])
-	return nil
-}
-
-func (a *Key) LessThan(b *Key) bool {
-	for i := range a {
-		if a[i] < b[i] {
-			return true
-		} else if a[i] > b[i] {
-			return false
-		}
-	}
-	return false
-}
-
-// A Private is a curve25519 key.
-// It is used by WireGuard to represent private keys.
-type Private [Size]byte
-
-// NewPrivate generates a new curve25519 secret key.
-// It conforms to the format described on https://cr.yp.to/ecdh.html.
-func NewPrivate() (Private, error) {
-	k, err := NewPreshared()
-	if err != nil {
-		return Private{}, err
-	}
-	k[0] &= 248
-	k[31] = (k[31] & 127) | 64
-	return (Private)(*k), nil
-}
-
-func ParsePrivate(b64 string) (*Private, error) {
-	k, err := parseBase64(base64.StdEncoding, b64)
-	return (*Private)(k), err
-}
-
-func (k *Private) String() string        { return base64.StdEncoding.EncodeToString(k[:]) }
-func (k *Private) HexString() string     { return hex.EncodeToString(k[:]) }
-func (k *Private) Equal(k2 Private) bool { return subtle.ConstantTimeCompare(k[:], k2[:]) == 1 }
-
-func (k *Private) IsZero() bool {
-	pk := Key(*k)
-	return pk.IsZero()
-}
-
-func (k *Private) clamp() {
-	k[0] &= 248
-	k[31] = (k[31] & 127) | 64
-}
-
-// Public computes the public key matching this curve25519 secret key.
-func (k *Private) Public() Key {
-	pk := Key(*k)
-	if pk.IsZero() {
-		panic("Tried to generate emptyPrivate.Public()")
-	}
-	var p [Size]byte
-	curve25519.ScalarBaseMult(&p, (*[Size]byte)(k))
-	return (Key)(p)
-}
-
-func (k Private) MarshalText() ([]byte, error) {
-	// TODO(josharian): use encoding/hex instead?
-	buf := new(bytes.Buffer)
-	fmt.Fprintf(buf, `privkey:%x`, k[:])
-	return buf.Bytes(), nil
-}
-
-func (k *Private) UnmarshalText(b []byte) error {
-	s := string(b)
-	if !strings.HasPrefix(s, `privkey:`) {
-		return errors.New("wgkey.Private: UnmarshalText not given a private-key string")
-	}
-	s = strings.TrimPrefix(s, `privkey:`)
-	key, err := ParseHex(s)
-	if err != nil {
-		return fmt.Errorf("wgkey.Private: UnmarshalText: %v", err)
-	}
-	copy(k[:], key[:])
-	return nil
-}
-
-func parseBase64(enc *base64.Encoding, s string) (*Key, error) {
-	k, err := enc.DecodeString(s)
-	if err != nil {
-		return nil, fmt.Errorf("invalid key (%q): %w", s, err)
-	}
-	if len(k) != Size {
-		return nil, fmt.Errorf("invalid key (%q): length=%d, want %d", s, len(k), Size)
-	}
-	var key Key
-	copy(key[:], k)
-	return &key, nil
-}
-
-func ParseSymmetric(b64 string) (Symmetric, error) {
-	k, err := parseBase64(base64.StdEncoding, b64)
-	if err != nil {
-		return Symmetric{}, err
-	}
-	return Symmetric(*k), nil
-}
-
-func ParseSymmetricHex(s string) (Symmetric, error) {
-	b, err := hex.DecodeString(s)
-	if err != nil {
-		return Symmetric{}, fmt.Errorf("invalid symmetric hex key (%q): %w", s, err)
-	}
-	if len(b) != chacha20poly1305.KeySize {
-		return Symmetric{}, fmt.Errorf("invalid symmetric hex key length (%q): length=%d, want %d", s, len(b), chacha20poly1305.KeySize)
-	}
-	var key Symmetric
-	copy(key[:], b)
-	return key, nil
-}
-
-// Symmetric is a chacha20poly1305 key.
-// It is used by WireGuard to represent pre-shared symmetric keys.
-type Symmetric [chacha20poly1305.KeySize]byte
-
-func (k Symmetric) Base64() string    { return base64.StdEncoding.EncodeToString(k[:]) }
-func (k Symmetric) String() string    { return "sym:" + k.Base64()[:8] }
-func (k Symmetric) HexString() string { return hex.EncodeToString(k[:]) }
-func (k Symmetric) IsZero() bool      { return k.Equal(Symmetric{}) }
-func (k Symmetric) Equal(k2 Symmetric) bool {
-	return subtle.ConstantTimeCompare(k[:], k2[:]) == 1
-}
--- a/types/wgkey/key_test.go
+++ b/types/wgkey/key_test.go
@@ -1,111 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package wgkey
-
-import (
-	"bytes"
-	"testing"
-)
-
-func TestKeyBasics(t *testing.T) {
-	k1, err := NewPreshared()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	b, err := k1.MarshalJSON()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	t.Run("JSON round-trip", func(t *testing.T) {
-		// should preserve the keys
-		k2 := new(Key)
-		if err := k2.UnmarshalJSON(b); err != nil {
-			t.Fatal(err)
-		}
-		if !bytes.Equal(k1[:], k2[:]) {
-			t.Fatalf("k1 %v != k2 %v", k1[:], k2[:])
-		}
-		if b1, b2 := k1.String(), k2.String(); b1 != b2 {
-			t.Fatalf("base64-encoded keys do not match: %s, %s", b1, b2)
-		}
-	})
-
-	t.Run("JSON incompatible with PrivateKey", func(t *testing.T) {
-		k2 := new(Private)
-		if err := k2.UnmarshalText(b); err == nil {
-			t.Fatalf("successfully decoded key as private key")
-		}
-	})
-
-	t.Run("second key", func(t *testing.T) {
-		// A second call to NewPreshared should make a new key.
-		k3, err := NewPreshared()
-		if err != nil {
-			t.Fatal(err)
-		}
-		if bytes.Equal(k1[:], k3[:]) {
-			t.Fatalf("k1 %v == k3 %v", k1[:], k3[:])
-		}
-		// Check for obvious comparables to make sure we are not generating bad strings somewhere.
-		if b1, b2 := k1.String(), k3.String(); b1 == b2 {
-			t.Fatalf("base64-encoded keys match: %s, %s", b1, b2)
-		}
-	})
-}
-func TestPrivateKeyBasics(t *testing.T) {
-	pri, err := NewPrivate()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	b, err := pri.MarshalText()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	t.Run("JSON round-trip", func(t *testing.T) {
-		// should preserve the keys
-		pri2 := new(Private)
-		if err := pri2.UnmarshalText(b); err != nil {
-			t.Fatal(err)
-		}
-		if !bytes.Equal(pri[:], pri2[:]) {
-			t.Fatalf("pri %v != pri2 %v", pri[:], pri2[:])
-		}
-		if b1, b2 := pri.String(), pri2.String(); b1 != b2 {
-			t.Fatalf("base64-encoded keys do not match: %s, %s", b1, b2)
-		}
-		if pub1, pub2 := pri.Public().String(), pri2.Public().String(); pub1 != pub2 {
-			t.Fatalf("base64-encoded public keys do not match: %s, %s", pub1, pub2)
-		}
-	})
-
-	t.Run("JSON incompatible with Key", func(t *testing.T) {
-		k2 := new(Key)
-		if err := k2.UnmarshalJSON(b); err == nil {
-			t.Fatalf("successfully decoded private key as key")
-		}
-	})
-
-	t.Run("second key", func(t *testing.T) {
-		// A second call to New should make a new key.
-		pri3, err := NewPrivate()
-		if err != nil {
-			t.Fatal(err)
-		}
-		if bytes.Equal(pri[:], pri3[:]) {
-			t.Fatalf("pri %v == pri3 %v", pri[:], pri3[:])
-		}
-		// Check for obvious comparables to make sure we are not generating bad strings somewhere.
-		if b1, b2 := pri.String(), pri3.String(); b1 == b2 {
-			t.Fatalf("base64-encoded keys match: %s, %s", b1, b2)
-		}
-		if pub1, pub2 := pri.Public().String(), pri3.Public().String(); pub1 == pub2 {
-			t.Fatalf("base64-encoded public keys match: %s, %s", pub1, pub2)
-		}
-	})
-}
--- a/util/dnsname/dnsname.go
+++ b/util/dnsname/dnsname.go
@@ -1,19 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package dnsname contains string functions for working with DNS names.
-package dnsname
-
-import "strings"
-
-// HasSuffix reports whether the provided DNS name ends with the
-// component(s) in suffix, ignoring any trailing dots.
-//
-// If suffix is the empty string, HasSuffix always reports false.
-func HasSuffix(name, suffix string) bool {
-	name = strings.TrimSuffix(name, ".")
-	suffix = strings.TrimSuffix(suffix, ".")
-	nameBase := strings.TrimSuffix(name, suffix)
-	return len(nameBase) < len(name) && strings.HasSuffix(nameBase, ".")
-}
--- a/util/dnsname/dnsname_test.go
+++ b/util/dnsname/dnsname_test.go
@@ -1,28 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package dnsname
-
-import "testing"
-
-func TestHasSuffix(t *testing.T) {
-	tests := []struct {
-		name, suffix string
-		want         bool
-	}{
-		{"foo.com", "com", true},
-		{"foo.com.", "com", true},
-		{"foo.com.", "com.", true},
-
-		{"", "", false},
-		{"foo.com.", "", false},
-		{"foo.com.", "o.com", false},
-	}
-	for _, tt := range tests {
-		got := HasSuffix(tt.name, tt.suffix)
-		if got != tt.want {
-			t.Errorf("HasSuffix(%q, %q) = %v; want %v", tt.name, tt.suffix, got, tt.want)
-		}
-	}
-}
--- a/util/systemd/doc.go
+++ b/util/systemd/doc.go
@@ -1,14 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/*
-Package systemd contains a minimal wrapper around systemd-notify to enable
-applications to signal readiness and status to systemd.
-
-This package will only have effect on Linux systems running Tailscale in a
-systemd unit with the Type=notify flag set. On other operating systems (or
-when running in a Linux distro without being run from inside systemd) this
-package will become a no-op.
-*/
-package systemd
--- a/util/systemd/systemd_linux.go
+++ b/util/systemd/systemd_linux.go
@@ -1,81 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build linux
-
-package systemd
-
-import (
-	"log"
-	"os"
-	"sync"
-
-	"github.com/mdlayher/sdnotify"
-)
-
-var getNotifyOnce struct {
-	sync.Once
-	v *sdnotify.Notifier
-}
-
-type logOnce struct {
-	sync.Once
-}
-
-func (l *logOnce) logf(format string, args ...interface{}) {
-	l.Once.Do(func() {
-		log.Printf(format, args...)
-	})
-}
-
-var (
-	readyOnce  = &logOnce{}
-	statusOnce = &logOnce{}
-)
-
-func notifier() *sdnotify.Notifier {
-	getNotifyOnce.Do(func() {
-		sock := os.Getenv(sdnotify.Socket)
-		if sock == "" {
-			// Not running under systemd probably. Bail out before logging.
-			return
-		}
-		var err error
-		getNotifyOnce.v, err = sdnotify.Open(sock)
-		if err != nil {
-			log.Printf("systemd: systemd-notifier error: %v", err)
-		}
-	})
-	return getNotifyOnce.v
-}
-
-// Ready signals readiness to systemd. This will unblock service dependents from starting.
-func Ready() {
-	err := notifier().Notify(sdnotify.Ready)
-	if err != nil {
-		readyOnce.logf("systemd: error notifying: %v", err)
-	}
-}
-
-// Status sends a single line status update to systemd so that information shows up
-// in systemctl output. For example:
-//
-//    $ systemctl status tailscale
-//    ● tailscale.service - Tailscale client daemon
-//    Loaded: loaded (/nix/store/qc312qcy907wz80fqrgbbm8a9djafmlg-unit-tailscale.service/tailscale.service; enabled; vendor preset: enabled)
-//    Active: active (running) since Tue 2020-11-24 17:54:07 EST; 13h ago
-//    Main PID: 26741 (.tailscaled-wra)
-//    Status: "Connected; user@host.domain.tld; 100.101.102.103"
-//    IP: 0B in, 0B out
-//    Tasks: 22 (limit: 4915)
-//    Memory: 30.9M
-//    CPU: 2min 38.469s
-//    CGroup: /system.slice/tailscale.service
-//    └─26741 /nix/store/sv6cj4mw2jajm9xkbwj07k29dj30lh0n-tailscale-date.20200727/bin/tailscaled --port 41641
-func Status(format string, args ...interface{}) {
-	err := notifier().Notify(sdnotify.Statusf(format, args...))
-	if err != nil {
-		statusOnce.logf("systemd: error notifying: %v", err)
-	}
-}
--- a/util/systemd/systemd_nonlinux.go
+++ b/util/systemd/systemd_nonlinux.go
@@ -1,10 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !linux
-
-package systemd
-
-func Ready()                        {}
-func Status(string, ...interface{}) {}
--- a/version/distro/distro.go
+++ b/version/distro/distro.go
@@ -17,7 +17,6 @@ const (
 	Arch     = Distro("arch")
 	Synology = Distro("synology")
 	OpenWrt  = Distro("openwrt")
-	NixOS    = Distro("nixos")
 )

 // Get returns the current distro, or the empty string if unknown.
@@ -28,28 +27,18 @@ func Get() Distro {
 	return ""
 }

-func have(file string) bool {
-	_, err := os.Stat(file)
-	return err == nil
-}
-
-func haveDir(file string) bool {
-	fi, err := os.Stat(file)
-	return err == nil && fi.IsDir()
-}
-
 func linuxDistro() Distro {
-	switch {
-	case haveDir("usr/syno"):
+	if fi, err := os.Stat("/usr/syno"); err == nil && fi.IsDir() {
 		return Synology
-	case have("/etc/debian_version"):
+	}
+	if _, err := os.Stat("/etc/debian_version"); err == nil {
 		return Debian
-	case have("/etc/arch-release"):
+	}
+	if _, err := os.Stat("/etc/arch-release"); err == nil {
 		return Arch
-	case have("/etc/openwrt_version"):
+	}
+	if _, err := os.Stat("/etc/openwrt_version"); err == nil {
 		return OpenWrt
-	case have("/run/current-system/sw/bin/nixos-version"):
-		return NixOS
 	}
 	return ""
 }
--- a/version/version.go
+++ b/version/version.go
@@ -10,7 +10,7 @@ package version
 // Long is a full version number for this build, of the form
 // "x.y.z-commithash", or "date.yyyymmdd" if no actual version was
 // provided.
-const Long = "date.20210104"
+const Long = "date.20201107"

 // Short is a short version number for this build, of the form
 // "x.y.z", or "date.yyyymmdd" if no actual version was provided.
--- a/version/version.sh
+++ b/version/version.sh
@@ -31,7 +31,7 @@ case $# in
        if [ -z "$extra_hash_or_dir" ]; then
            # Nothing, empty extra hash is fine.
            extra_hash=""
-        elif [ -e "$extra_hash_or_dir/.git" ]; then
+        elif [ -d "$extra_hash_or_dir/.git" ]; then
            extra_hash=$(git_hash_dirty "$extra_hash_or_dir" HEAD)
        elif ! expr "$extra_hash_or_dir" : "^[0-9a-f]*$"; then
            echo "Invalid extra hash '$extra_hash_or_dir', must be a git commit or path to a git repo" >&2
--- a/wgengine/filter/filter.go
+++ b/wgengine/filter/filter.go
@@ -10,9 +10,9 @@ import (
 	"sync"
 	"time"

+	"github.com/golang/groupcache/lru"
 	"golang.org/x/time/rate"
 	"inet.af/netaddr"
-	"tailscale.com/net/flowtrack"
 	"tailscale.com/net/packet"
 	"tailscale.com/types/logger"
 )
@@ -25,28 +25,45 @@ type Filter struct {
 	// tailscale must have a destination within local4 or local6,
 	// regardless of the policy filter below. Zero values reject
 	// all incoming traffic.
-	local4 []netaddr.IPPrefix
-	local6 []netaddr.IPPrefix
+	local4 []net4
+	local6 []net6
 	// matches4 and matches6 are lists of match->action rules
 	// applied to all packets arriving over tailscale
 	// tunnels. Matches are checked in order, and processing stops
 	// at the first matching rule. The default policy if no rules
 	// match is to drop the packet.
-	matches4 matches
-	matches6 matches
+	matches4 matches4
+	matches6 matches6
 	// state is the connection tracking state attached to this
 	// filter. It is used to allow incoming traffic that is a response
 	// to an outbound connection that this node made, even if those
 	// incoming packets don't get accepted by matches above.
-	state *filterState
+	state4 *filterState
+	state6 *filterState
+}

-	shieldsUp bool
+// tuple4 is a 4-tuple of source and destination IPv4 and port. It's
+// used as a lookup key in filterState.
+type tuple4 struct {
+	SrcIP   packet.IP4
+	DstIP   packet.IP4
+	SrcPort uint16
+	DstPort uint16
+}
+
+// tuple6 is a 4-tuple of source and destination IPv6 and port. It's
+// used as a lookup key in filterState.
+type tuple6 struct {
+	SrcIP   packet.IP6
+	DstIP   packet.IP6
+	SrcPort uint16
+	DstPort uint16
 }

 // filterState is a state cache of past seen packets.
 type filterState struct {
 	mu  sync.Mutex
-	lru *flowtrack.Cache // from flowtrack.Tuple -> nil
+	lru *lru.Cache // of tuple4 or tuple6
 }

 // lruMax is the size of the LRU cache in filterState.
@@ -56,18 +73,15 @@ const lruMax = 512
 type Response int

 const (
-	Drop         Response = iota // do not continue processing packet.
-	DropSilently                 // do not continue processing packet, but also don't log
-	Accept                       // continue processing packet.
-	noVerdict                    // no verdict yet, continue running filter
+	Drop      Response = iota // do not continue processing packet.
+	Accept                    // continue processing packet.
+	noVerdict                 // no verdict yet, continue running filter
 )

 func (r Response) String() string {
 	switch r {
 	case Drop:
 		return "Drop"
-	case DropSilently:
-		return "DropSilently"
 	case Accept:
 		return "Accept"
 	case noVerdict:
@@ -77,10 +91,6 @@ func (r Response) String() string {
 	}
 }

-func (r Response) IsDrop() bool {
-	return r == Drop || r == DropSilently
-}
-
 // RunFlags controls the filter's debug log verbosity at runtime.
 type RunFlags int

@@ -132,70 +142,36 @@ func NewAllowNone(logf logger.Logf) *Filter {
 	return New(nil, nil, nil, logf)
 }

-func NewShieldsUpFilter(logf logger.Logf) *Filter {
-	f := New(nil, nil, nil, logf)
-	f.shieldsUp = true
-	return f
-}
-
 // New creates a new packet filter. The filter enforces that incoming
 // packets must be destined to an IP in localNets, and must be allowed
 // by matches. If shareStateWith is non-nil, the returned filter
 // shares state with the previous one, to enable changing rules at
 // runtime without breaking existing stateful flows.
 func New(matches []Match, localNets []netaddr.IPPrefix, shareStateWith *Filter, logf logger.Logf) *Filter {
-	var state *filterState
+	var state4, state6 *filterState
 	if shareStateWith != nil {
-		state = shareStateWith.state
+		state4 = shareStateWith.state4
+		state6 = shareStateWith.state6
 	} else {
-		state = &filterState{
-			lru: &flowtrack.Cache{MaxEntries: lruMax},
+		state4 = &filterState{
+			lru: lru.New(lruMax),
+		}
+		state6 = &filterState{
+			lru: lru.New(lruMax),
 		}
 	}
 	f := &Filter{
 		logf:     logf,
-		matches4: matchesFamily(matches, netaddr.IP.Is4),
-		matches6: matchesFamily(matches, netaddr.IP.Is6),
-		local4:   netsFamily(localNets, netaddr.IP.Is4),
-		local6:   netsFamily(localNets, netaddr.IP.Is6),
-		state:    state,
+		matches4: newMatches4(matches),
+		matches6: newMatches6(matches),
+		local4:   nets4FromIPPrefixes(localNets),
+		local6:   nets6FromIPPrefixes(localNets),
+		state4:   state4,
+		state6:   state6,
 	}
 	return f
 }

-func netsFamily(nets []netaddr.IPPrefix, keep func(netaddr.IP) bool) []netaddr.IPPrefix {
-	var ret []netaddr.IPPrefix
-	for _, net := range nets {
-		if keep(net.IP) {
-			ret = append(ret, net)
-		}
-	}
-	return ret
-}
-
-// matchesFamily returns the subset of ms for which keep(srcNet.IP)
-// and keep(dstNet.IP) are both true.
-func matchesFamily(ms matches, keep func(netaddr.IP) bool) matches {
-	var ret matches
-	for _, m := range ms {
-		var retm Match
-		for _, src := range m.Srcs {
-			if keep(src.IP) {
-				retm.Srcs = append(retm.Srcs, src)
-			}
-		}
-		for _, dst := range m.Dsts {
-			if keep(dst.Net.IP) {
-				retm.Dsts = append(retm.Dsts, dst)
-			}
-		}
-		if len(retm.Srcs) > 0 && len(retm.Dsts) > 0 {
-			ret = append(ret, retm)
-		}
-	}
-	return ret
-}
-
 func maybeHexdump(flag RunFlags, b []byte) string {
 	if flag == 0 {
 		return ""
@@ -253,25 +229,23 @@ func (f *Filter) CheckTCP(srcIP, dstIP netaddr.IP, dstPort uint16) Response {
 		return Drop
 	case srcIP.Is4():
 		pkt.IPVersion = 4
+		pkt.SrcIP4 = packet.IP4FromNetaddr(srcIP)
+		pkt.DstIP4 = packet.IP4FromNetaddr(dstIP)
 	case srcIP.Is6():
 		pkt.IPVersion = 6
+		pkt.SrcIP6 = packet.IP6FromNetaddr(srcIP)
+		pkt.DstIP6 = packet.IP6FromNetaddr(dstIP)
 	default:
 		panic("unreachable")
 	}
-	pkt.Src.IP = srcIP
-	pkt.Dst.IP = dstIP
 	pkt.IPProto = packet.TCP
 	pkt.TCPFlags = packet.TCPSyn
-	pkt.Src.Port = 0
-	pkt.Dst.Port = dstPort
+	pkt.SrcPort = 0
+	pkt.DstPort = dstPort

 	return f.RunIn(pkt, 0)
 }

-// ShieldsUp reports whether this is a "shields up" (block everything
-// incoming) filter.
-func (f *Filter) ShieldsUp() bool { return f.shieldsUp }
-
 // RunIn determines whether this node is allowed to receive q from a
 // Tailscale peer.
 func (f *Filter) RunIn(q *packet.Parsed, rf RunFlags) Response {
@@ -313,7 +287,7 @@ func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
 	// A compromised peer could try to send us packets for
 	// destinations we didn't explicitly advertise. This check is to
 	// prevent that.
-	if !ipInList(q.Dst.IP, f.local4) {
+	if !ip4InList(q.DstIP4, f.local4) {
 		return Drop, "destination not allowed"
 	}

@@ -346,11 +320,11 @@ func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
 			return Accept, "tcp ok"
 		}
 	case packet.UDP:
-		t := flowtrack.Tuple{Src: q.Src, Dst: q.Dst}
+		t := tuple4{q.SrcIP4, q.DstIP4, q.SrcPort, q.DstPort}

-		f.state.mu.Lock()
-		_, ok := f.state.lru.Get(t)
-		f.state.mu.Unlock()
+		f.state4.mu.Lock()
+		_, ok := f.state4.lru.Get(t)
+		f.state4.mu.Unlock()

 		if ok {
 			return Accept, "udp cached"
@@ -358,8 +332,6 @@ func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
 		if f.matches4.match(q) {
 			return Accept, "udp ok"
 		}
-	case packet.TSMP:
-		return Accept, "tsmp ok"
 	default:
 		return Drop, "Unknown proto"
 	}
@@ -370,7 +342,7 @@ func (f *Filter) runIn6(q *packet.Parsed) (r Response, why string) {
 	// A compromised peer could try to send us packets for
 	// destinations we didn't explicitly advertise. This check is to
 	// prevent that.
-	if !ipInList(q.Dst.IP, f.local6) {
+	if !ip6InList(q.DstIP6, f.local6) {
 		return Drop, "destination not allowed"
 	}

@@ -403,11 +375,11 @@ func (f *Filter) runIn6(q *packet.Parsed) (r Response, why string) {
 			return Accept, "tcp ok"
 		}
 	case packet.UDP:
-		t := flowtrack.Tuple{Src: q.Src, Dst: q.Dst}
+		t := tuple6{q.SrcIP6, q.DstIP6, q.SrcPort, q.DstPort}

-		f.state.mu.Lock()
-		_, ok := f.state.lru.Get(t)
-		f.state.mu.Unlock()
+		f.state6.mu.Lock()
+		_, ok := f.state6.lru.Get(t)
+		f.state6.mu.Unlock()

 		if ok {
 			return Accept, "udp cached"
@@ -427,11 +399,20 @@ func (f *Filter) runOut(q *packet.Parsed) (r Response, why string) {
 		return Accept, "ok out"
 	}

-	tuple := flowtrack.Tuple{Src: q.Dst, Dst: q.Src} // src/dst reversed
-
-	f.state.mu.Lock()
-	f.state.lru.Add(tuple, nil)
-	f.state.mu.Unlock()
+	switch q.IPVersion {
+	case 4:
+		t := tuple4{q.DstIP4, q.SrcIP4, q.DstPort, q.SrcPort}
+		var ti interface{} = t // allocate once, rather than twice inside mutex
+		f.state4.mu.Lock()
+		f.state4.lru.Add(ti, ti)
+		f.state4.mu.Unlock()
+	case 6:
+		t := tuple6{q.DstIP6, q.SrcIP6, q.DstPort, q.SrcPort}
+		var ti interface{} = t // allocate once, rather than twice inside mutex
+		f.state6.mu.Lock()
+		f.state6.lru.Add(ti, ti)
+		f.state6.mu.Unlock()
+	}
 	return Accept, "ok out"
 }

@@ -455,8 +436,6 @@ func (d direction) String() string {
 	}
 }

-var gcpDNSAddr = netaddr.IPv4(169, 254, 169, 254)
-
 // pre runs the direction-agnostic filter logic. dir is only used for
 // logging.
 func (f *Filter) pre(q *packet.Parsed, rf RunFlags, dir direction) Response {
@@ -469,13 +448,25 @@ func (f *Filter) pre(q *packet.Parsed, rf RunFlags, dir direction) Response {
 		return Drop
 	}

-	if q.Dst.IP.IsMulticast() {
-		f.logRateLimit(rf, q, dir, Drop, "multicast")
-		return Drop
-	}
-	if q.Dst.IP.IsLinkLocalUnicast() && q.Dst.IP != gcpDNSAddr {
-		f.logRateLimit(rf, q, dir, Drop, "link-local-unicast")
-		return Drop
+	switch q.IPVersion {
+	case 4:
+		if q.DstIP4.IsMulticast() {
+			f.logRateLimit(rf, q, dir, Drop, "multicast")
+			return Drop
+		}
+		if q.DstIP4.IsMostLinkLocalUnicast() {
+			f.logRateLimit(rf, q, dir, Drop, "link-local-unicast")
+			return Drop
+		}
+	case 6:
+		if q.DstIP6.IsMulticast() {
+			f.logRateLimit(rf, q, dir, Drop, "multicast")
+			return Drop
+		}
+		if q.DstIP6.IsLinkLocalUnicast() {
+			f.logRateLimit(rf, q, dir, Drop, "link-local-unicast")
+			return Drop
+		}
 	}

 	switch q.IPProto {
@@ -502,5 +493,12 @@ func omitDropLogging(p *packet.Parsed, dir direction) bool {
 		return false
 	}

-	return p.Dst.IP.IsMulticast() || (p.Dst.IP.IsLinkLocalUnicast() && p.Dst.IP != gcpDNSAddr) || p.IPProto == packet.IGMP
+	switch p.IPVersion {
+	case 4:
+		return p.DstIP4.IsMulticast() || p.DstIP4.IsMostLinkLocalUnicast() || p.IPProto == packet.IGMP
+	case 6:
+		return p.DstIP6.IsMulticast() || p.DstIP6.IsLinkLocalUnicast()
+	default:
+		return false
+	}
 }
--- a/wgengine/filter/filter_test.go
+++ b/wgengine/filter/filter_test.go
@@ -94,9 +94,9 @@ func TestFilter(t *testing.T) {
 		if test.p.IPProto == packet.TCP {
 			var got Response
 			if test.p.IPVersion == 4 {
-				got = acl.CheckTCP(test.p.Src.IP, test.p.Dst.IP, test.p.Dst.Port)
+				got = acl.CheckTCP(test.p.SrcIP4.Netaddr(), test.p.DstIP4.Netaddr(), test.p.DstPort)
 			} else {
-				got = acl.CheckTCP(test.p.Src.IP, test.p.Dst.IP, test.p.Dst.Port)
+				got = acl.CheckTCP(test.p.SrcIP6.Netaddr(), test.p.DstIP6.Netaddr(), test.p.DstPort)
 			}
 			if test.want != got {
 				t.Errorf("#%d CheckTCP got=%v want=%v packet:%v", i, got, test.want, test.p)
@@ -194,7 +194,7 @@ func TestNoAllocs(t *testing.T) {
 	}
 }

-func TestParseIPSet(t *testing.T) {
+func TestParseIP(t *testing.T) {
 	tests := []struct {
 		host    string
 		bits    int
@@ -203,33 +203,23 @@ func TestParseIPSet(t *testing.T) {
 	}{
 		{"8.8.8.8", 24, pfx("8.8.8.8/24"), ""},
 		{"2601:1234::", 64, pfx("2601:1234::/64"), ""},
-		{"8.8.8.8", 33, nil, `invalid CIDR size 33 for IP "8.8.8.8"`},
-		{"8.8.8.8", -1, pfx("8.8.8.8/32"), ""},
-		{"8.8.8.8", 32, pfx("8.8.8.8/32"), ""},
-		{"8.8.8.8/24", -1, nil, "8.8.8.8/24 contains non-network bits set"},
-		{"8.8.8.0/24", 18, pfx("8.8.8.0/24"), ""}, // the 18 is ignored
-		{"1.0.0.0-1.255.255.255", 5, pfx("1.0.0.0/8"), ""},
-		{"1.0.0.0-2.1.2.3", 5, pfx("1.0.0.0/8", "2.0.0.0/16", "2.1.0.0/23", "2.1.2.0/30"), ""},
-		{"1.0.0.2-1.0.0.1", -1, nil, "invalid IP range \"1.0.0.2-1.0.0.1\""},
-		{"2601:1234::", 129, nil, `invalid CIDR size 129 for IP "2601:1234::"`},
-		{"0.0.0.0", 24, pfx("0.0.0.0/24"), ""},
-		{"::", 64, pfx("::/64"), ""},
+		{"8.8.8.8", 33, nil, `invalid CIDR size 33 for host "8.8.8.8"`},
+		{"8.8.8.8", -1, nil, `invalid CIDR size -1 for host "8.8.8.8"`},
+		{"2601:1234::", 129, nil, `invalid CIDR size 129 for host "2601:1234::"`},
+		{"0.0.0.0", 24, nil, `ports="0.0.0.0": to allow all IP addresses, use *:port, not 0.0.0.0:port`},
+		{"::", 64, nil, `ports="::": to allow all IP addresses, use *:port, not [::]:port`},
 		{"*", 24, pfx("0.0.0.0/0", "::/0"), ""},
 	}
 	for _, tt := range tests {
-		var bits *int
-		if tt.bits != -1 {
-			bits = &tt.bits
-		}
-		got, err := parseIPSet(tt.host, bits)
+		got, err := parseIP(tt.host, tt.bits)
 		if err != nil {
 			if err.Error() == tt.wantErr {
 				continue
 			}
-			t.Errorf("parseIPSet(%q, %v) error: %v; want error %q", tt.host, tt.bits, err, tt.wantErr)
+			t.Errorf("parseIP(%q, %v) error: %v; want error %q", tt.host, tt.bits, err, tt.wantErr)
 		}
 		if diff := cmp.Diff(got, tt.want, cmp.Comparer(func(a, b netaddr.IP) bool { return a == b })); diff != "" {
-			t.Errorf("parseIPSet(%q, %v) = %s; want %s", tt.host, tt.bits, got, tt.want)
+			t.Errorf("parseIP(%q, %v) = %s; want %s", tt.host, tt.bits, got, tt.want)
 			continue
 		}
 	}
@@ -345,19 +335,19 @@ func TestOmitDropLogging(t *testing.T) {
 		},
 		{
 			name: "v4_multicast_out_low",
-			pkt:  &packet.Parsed{IPVersion: 4, Dst: mustIPPort("224.0.0.0:0")},
+			pkt:  &packet.Parsed{IPVersion: 4, DstIP4: mustIP4("224.0.0.0")},
 			dir:  out,
 			want: true,
 		},
 		{
 			name: "v4_multicast_out_high",
-			pkt:  &packet.Parsed{IPVersion: 4, Dst: mustIPPort("239.255.255.255:0")},
+			pkt:  &packet.Parsed{IPVersion: 4, DstIP4: mustIP4("239.255.255.255")},
 			dir:  out,
 			want: true,
 		},
 		{
 			name: "v4_link_local_unicast",
-			pkt:  &packet.Parsed{IPVersion: 4, Dst: mustIPPort("169.254.1.2:0")},
+			pkt:  &packet.Parsed{IPVersion: 4, DstIP4: mustIP4("169.254.1.2")},
 			dir:  out,
 			want: true,
 		},
@@ -387,16 +377,18 @@ func parsed(proto packet.IPProto, src, dst string, sport, dport uint16) packet.P
 	var ret packet.Parsed
 	ret.Decode(dummyPacket)
 	ret.IPProto = proto
-	ret.Src.IP = sip
-	ret.Src.Port = sport
-	ret.Dst.IP = dip
-	ret.Dst.Port = dport
+	ret.SrcPort = sport
+	ret.DstPort = dport
 	ret.TCPFlags = packet.TCPSyn

 	if sip.Is4() {
 		ret.IPVersion = 4
+		ret.SrcIP4 = packet.IP4FromNetaddr(sip)
+		ret.DstIP4 = packet.IP4FromNetaddr(dip)
 	} else {
 		ret.IPVersion = 6
+		ret.SrcIP6 = packet.IP6FromNetaddr(sip)
+		ret.DstIP6 = packet.IP6FromNetaddr(dip)
 	}

 	return ret
@@ -405,8 +397,8 @@ func parsed(proto packet.IPProto, src, dst string, sport, dport uint16) packet.P
 func raw6(proto packet.IPProto, src, dst string, sport, dport uint16, trimLen int) []byte {
 	u := packet.UDP6Header{
 		IP6Header: packet.IP6Header{
-			Src: mustIP(src),
-			Dst: mustIP(dst),
+			SrcIP: packet.IP6FromNetaddr(mustIP(src)),
+			DstIP: packet.IP6FromNetaddr(mustIP(dst)),
 		},
 		SrcPort: sport,
 		DstPort: dport,
@@ -414,7 +406,7 @@ func raw6(proto packet.IPProto, src, dst string, sport, dport uint16, trimLen in

 	payload := make([]byte, 12)
 	// Set the right bit to look like a TCP SYN, if the packet ends up interpreted as TCP
-	payload[5] = byte(packet.TCPSyn)
+	payload[5] = packet.TCPSyn

 	b := packet.Generate(&u, payload) // payload large enough to possibly be TCP

@@ -434,8 +426,8 @@ func raw6(proto packet.IPProto, src, dst string, sport, dport uint16, trimLen in
 func raw4(proto packet.IPProto, src, dst string, sport, dport uint16, trimLength int) []byte {
 	u := packet.UDP4Header{
 		IP4Header: packet.IP4Header{
-			Src: mustIP(src),
-			Dst: mustIP(dst),
+			SrcIP: packet.IP4FromNetaddr(mustIP(src)),
+			DstIP: packet.IP4FromNetaddr(mustIP(dst)),
 		},
 		SrcPort: sport,
 		DstPort: dport,
@@ -443,7 +435,7 @@ func raw4(proto packet.IPProto, src, dst string, sport, dport uint16, trimLength

 	payload := make([]byte, 12)
 	// Set the right bit to look like a TCP SYN, if the packet ends up interpreted as TCP
-	payload[5] = byte(packet.TCPSyn)
+	payload[5] = packet.TCPSyn

 	b := packet.Generate(&u, payload) // payload large enough to possibly be TCP

@@ -486,12 +478,12 @@ func parseHexPkt(t *testing.T, h string) *packet.Parsed {
 	return p
 }

-func mustIPPort(s string) netaddr.IPPort {
-	ipp, err := netaddr.ParseIPPort(s)
+func mustIP4(s string) packet.IP4 {
+	ip, err := netaddr.ParseIP(s)
 	if err != nil {
 		panic(err)
 	}
-	return ipp
+	return packet.IP4FromNetaddr(ip)
 }

 func pfx(strs ...string) (ret []netaddr.IPPrefix) {
--- a/wgengine/filter/match.go
+++ b/wgengine/filter/match.go
@@ -9,7 +9,6 @@ import (
 	"strings"

 	"inet.af/netaddr"
-	"tailscale.com/net/packet"
 )

 // PortRange is a range of TCP and UDP ports.
@@ -72,46 +71,3 @@ func (m Match) String() string {
 	}
 	return fmt.Sprintf("%v=>%v", ss, ds)
 }
-
-type matches []Match
-
-func (ms matches) match(q *packet.Parsed) bool {
-	for _, m := range ms {
-		if !ipInList(q.Src.IP, m.Srcs) {
-			continue
-		}
-		for _, dst := range m.Dsts {
-			if !dst.Net.Contains(q.Dst.IP) {
-				continue
-			}
-			if !dst.Ports.contains(q.Dst.Port) {
-				continue
-			}
-			return true
-		}
-	}
-	return false
-}
-
-func (ms matches) matchIPsOnly(q *packet.Parsed) bool {
-	for _, m := range ms {
-		if !ipInList(q.Src.IP, m.Srcs) {
-			continue
-		}
-		for _, dst := range m.Dsts {
-			if dst.Net.Contains(q.Dst.IP) {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-func ipInList(ip netaddr.IP, netlist []netaddr.IPPrefix) bool {
-	for _, net := range netlist {
-		if net.Contains(ip) {
-			return true
-		}
-	}
-	return false
-}
--- a/wgengine/filter/match4.go
+++ b/wgengine/filter/match4.go
@@ -0,0 +1,151 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package filter
+
+import (
+	"fmt"
+	"math/bits"
+	"strings"
+
+	"inet.af/netaddr"
+	"tailscale.com/net/packet"
+)
+
+type net4 struct {
+	ip   packet.IP4
+	mask packet.IP4
+}
+
+func net4FromIPPrefix(pfx netaddr.IPPrefix) net4 {
+	if !pfx.IP.Is4() {
+		panic("net4FromIPPrefix given non-ipv4 prefix")
+	}
+	return net4{
+		ip:   packet.IP4FromNetaddr(pfx.IP),
+		mask: netmask4(pfx.Bits),
+	}
+}
+
+func nets4FromIPPrefixes(pfxs []netaddr.IPPrefix) (ret []net4) {
+	for _, pfx := range pfxs {
+		if pfx.IP.Is4() {
+			ret = append(ret, net4FromIPPrefix(pfx))
+		}
+	}
+	return ret
+}
+
+func (n net4) Contains(ip packet.IP4) bool {
+	return (n.ip & n.mask) == (ip & n.mask)
+}
+
+func (n net4) Bits() int {
+	return 32 - bits.TrailingZeros32(uint32(n.mask))
+}
+
+func (n net4) String() string {
+	b := n.Bits()
+	if b == 32 {
+		return n.ip.String()
+	} else if b == 0 {
+		return "*"
+	} else {
+		return fmt.Sprintf("%s/%d", n.ip, b)
+	}
+}
+
+type npr4 struct {
+	net   net4
+	ports PortRange
+}
+
+func (npr npr4) String() string {
+	return fmt.Sprintf("%s:%s", npr.net, npr.ports)
+}
+
+type match4 struct {
+	srcs []net4
+	dsts []npr4
+}
+
+type matches4 []match4
+
+func (ms matches4) String() string {
+	var b strings.Builder
+	for _, m := range ms {
+		fmt.Fprintf(&b, "%s => %s\n", m.srcs, m.dsts)
+	}
+	return b.String()
+}
+
+func newMatches4(ms []Match) (ret matches4) {
+	for _, m := range ms {
+		var m4 match4
+		for _, src := range m.Srcs {
+			if src.IP.Is4() {
+				m4.srcs = append(m4.srcs, net4FromIPPrefix(src))
+			}
+		}
+		for _, dst := range m.Dsts {
+			if dst.Net.IP.Is4() {
+				m4.dsts = append(m4.dsts, npr4{net4FromIPPrefix(dst.Net), dst.Ports})
+			}
+		}
+		if len(m4.srcs) > 0 && len(m4.dsts) > 0 {
+			ret = append(ret, m4)
+		}
+	}
+	return ret
+}
+
+// match returns whether q's source IP and destination IP:port match
+// any of ms.
+func (ms matches4) match(q *packet.Parsed) bool {
+	for _, m := range ms {
+		if !ip4InList(q.SrcIP4, m.srcs) {
+			continue
+		}
+		for _, dst := range m.dsts {
+			if !dst.net.Contains(q.DstIP4) {
+				continue
+			}
+			if !dst.ports.contains(q.DstPort) {
+				continue
+			}
+			return true
+		}
+	}
+	return false
+}
+
+// matchIPsOnly returns whether q's source and destination IP match
+// any of ms.
+func (ms matches4) matchIPsOnly(q *packet.Parsed) bool {
+	for _, m := range ms {
+		if !ip4InList(q.SrcIP4, m.srcs) {
+			continue
+		}
+		for _, dst := range m.dsts {
+			if dst.net.Contains(q.DstIP4) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func netmask4(bits uint8) packet.IP4 {
+	b := ^uint32((1 << (32 - bits)) - 1)
+	return packet.IP4(b)
+}
+
+func ip4InList(ip packet.IP4, netlist []net4) bool {
+	for _, net := range netlist {
+		if net.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}
--- a/wgengine/filter/match6.go
+++ b/wgengine/filter/match6.go
@@ -0,0 +1,171 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package filter
+
+import (
+	"fmt"
+	"math/bits"
+	"strings"
+
+	"inet.af/netaddr"
+	"tailscale.com/net/packet"
+)
+
+type net6 struct {
+	ip   packet.IP6
+	mask packet.IP6
+}
+
+func net6FromIPPrefix(pfx netaddr.IPPrefix) net6 {
+	if !pfx.IP.Is6() {
+		panic("net6FromIPPrefix given non-ipv6 prefix")
+	}
+	var mask packet.IP6
+	if pfx.Bits > 64 {
+		mask.Hi = ^uint64(0)
+		mask.Lo = (^uint64(0) << (128 - pfx.Bits))
+	} else {
+		mask.Hi = (^uint64(0) << (64 - pfx.Bits))
+	}
+
+	return net6{
+		ip:   packet.IP6FromNetaddr(pfx.IP),
+		mask: mask,
+	}
+}
+
+func nets6FromIPPrefixes(pfxs []netaddr.IPPrefix) (ret []net6) {
+	for _, pfx := range pfxs {
+		if pfx.IP.Is6() {
+			ret = append(ret, net6FromIPPrefix(pfx))
+		}
+	}
+	return ret
+}
+
+func (n net6) Contains(ip packet.IP6) bool {
+	// This is equivalent to the more straightforward implementation:
+	//   ((n.ip.Hi & n.mask.Hi) == (ip.Hi & n.mask.Hi) &&
+	//    (n.ip.Lo & n.mask.Lo) == (ip.Lo & n.mask.Lo))
+	//
+	// This implementation runs significantly faster because it
+	// eliminates branches and minimizes the required
+	// bit-twiddling.
+	a := (n.ip.Hi ^ ip.Hi) & n.mask.Hi
+	b := (n.ip.Lo ^ ip.Lo) & n.mask.Lo
+	return (a | b) == 0
+}
+
+func (n net6) Bits() int {
+	return 128 - bits.TrailingZeros64(n.mask.Hi) - bits.TrailingZeros64(n.mask.Lo)
+}
+
+func (n net6) String() string {
+	switch n.Bits() {
+	case 128:
+		return n.ip.String()
+	case 0:
+		return "*"
+	default:
+		return fmt.Sprintf("%s/%d", n.ip, n.Bits())
+	}
+}
+
+type npr6 struct {
+	net   net6
+	ports PortRange
+}
+
+func (npr npr6) String() string {
+	return fmt.Sprintf("%s:%s", npr.net, npr.ports)
+}
+
+type match6 struct {
+	srcs []net6
+	dsts []npr6
+}
+
+type matches6 []match6
+
+func (ms matches6) String() string {
+	var b strings.Builder
+	for _, m := range ms {
+		fmt.Fprintf(&b, "%s => %s\n", m.srcs, m.dsts)
+	}
+	return b.String()
+}
+
+func newMatches6(ms []Match) (ret matches6) {
+	for _, m := range ms {
+		var m6 match6
+		for _, src := range m.Srcs {
+			if src.IP.Is6() {
+				m6.srcs = append(m6.srcs, net6FromIPPrefix(src))
+			}
+		}
+		for _, dst := range m.Dsts {
+			if dst.Net.IP.Is6() {
+				m6.dsts = append(m6.dsts, npr6{net6FromIPPrefix(dst.Net), dst.Ports})
+			}
+		}
+		if len(m6.srcs) > 0 && len(m6.dsts) > 0 {
+			ret = append(ret, m6)
+		}
+	}
+	return ret
+}
+
+func (ms matches6) match(q *packet.Parsed) bool {
+outer:
+	for i := range ms {
+		srcs := ms[i].srcs
+		for j := range srcs {
+			if srcs[j].Contains(q.SrcIP6) {
+				dsts := ms[i].dsts
+				for k := range dsts {
+					if dsts[k].net.Contains(q.DstIP6) && dsts[k].ports.contains(q.DstPort) {
+						return true
+					}
+				}
+				// We hit on src, but missed on all
+				// dsts. No need to try other srcs,
+				// they'll never fully match.
+				continue outer
+			}
+		}
+	}
+	return false
+}
+
+func (ms matches6) matchIPsOnly(q *packet.Parsed) bool {
+outer:
+	for i := range ms {
+		srcs := ms[i].srcs
+		for j := range srcs {
+			if srcs[j].Contains(q.SrcIP6) {
+				dsts := ms[i].dsts
+				for k := range dsts {
+					if dsts[k].net.Contains(q.DstIP6) {
+						return true
+					}
+				}
+				// We hit on src, but missed on all
+				// dsts. No need to try other srcs,
+				// they'll never fully match.
+				continue outer
+			}
+		}
+	}
+	return false
+}
+
+func ip6InList(ip packet.IP6, netlist []net6) bool {
+	for _, net := range netlist {
+		if net.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}
--- a/wgengine/filter/match6_test.go
+++ b/wgengine/filter/match6_test.go
@@ -0,0 +1,37 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package filter
+
+import "testing"
+
+// Verifies that the fast bit-twiddling implementation of Contains
+// works the same as the easy-to-read implementation. Since we can't
+// sensibly check it on 128 bits, the test runs over 4-bit
+// "IPs". Bit-twiddling is the same at any width, so this adequately
+// proves that the implementations are equivalent.
+func TestOptimizedContains(t *testing.T) {
+	for ipHi := 0; ipHi < 0xf; ipHi++ {
+		for ipLo := 0; ipLo < 0xf; ipLo++ {
+			for nIPHi := 0; nIPHi < 0xf; nIPHi++ {
+				for nIPLo := 0; nIPLo < 0xf; nIPLo++ {
+					for maskHi := 0; maskHi < 0xf; maskHi++ {
+						for maskLo := 0; maskLo < 0xf; maskLo++ {
+
+							a := (nIPHi ^ ipHi) & maskHi
+							b := (nIPLo ^ ipLo) & maskLo
+							got := (a | b) == 0
+
+							want := ((nIPHi&maskHi) == (ipHi&maskHi) && (nIPLo&maskLo) == (ipLo&maskLo))
+
+							if got != want {
+								t.Errorf("mask %1x%1x/%1x%1x %1x%1x got=%v want=%v", nIPHi, nIPLo, maskHi, maskLo, ipHi, ipLo, got, want)
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+}
--- a/wgengine/filter/tailcfg.go
+++ b/wgengine/filter/tailcfg.go
@@ -6,7 +6,6 @@ package filter

 import (
 	"fmt"
-	"strings"

 	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
@@ -23,11 +22,11 @@ func MatchesFromFilterRules(pf []tailcfg.FilterRule) ([]Match, error) {
 		m := Match{}

 		for i, s := range r.SrcIPs {
-			var bits *int
+			bits := 32
 			if len(r.SrcBits) > i {
-				bits = &r.SrcBits[i]
+				bits = r.SrcBits[i]
 			}
-			nets, err := parseIPSet(s, bits)
+			nets, err := parseIP(s, bits)
 			if err != nil && erracc == nil {
 				erracc = err
 				continue
@@ -36,7 +35,11 @@ func MatchesFromFilterRules(pf []tailcfg.FilterRule) ([]Match, error) {
 		}

 		for _, d := range r.DstPorts {
-			nets, err := parseIPSet(d.IP, d.Bits)
+			bits := 32
+			if d.Bits != nil {
+				bits = *d.Bits
+			}
+			nets, err := parseIP(d.IP, bits)
 			if err != nil && erracc == nil {
 				erracc = err
 				continue
@@ -62,65 +65,35 @@ var (
 	zeroIP6 = netaddr.IPFrom16([16]byte{})
 )

-// parseIPSet parses arg as one:
-//
-//     * an IP address (IPv4 or IPv6)
-//     * the string "*" to match everything (both IPv4 & IPv6)
-//     * a CIDR (e.g. "192.168.0.0/16")
-//     * a range of two IPs, inclusive, separated by hyphen ("2eff::1-2eff::0800")
-//
-// bits, if non-nil, is the legacy SrcBits CIDR length to make a IP
-// address (without a slash) treated as a CIDR of *bits length.
-//
-// TODO(bradfitz): make this return an IPSet and plumb that all
-// around, and ultimately use a new version of IPSet.ContainsFunc like
-// Contains16Func that works in [16]byte address, so we we can match
-// at runtime without allocating?
-func parseIPSet(arg string, bits *int) ([]netaddr.IPPrefix, error) {
-	if arg == "*" {
-		// User explicitly requested wildcard.
+func parseIP(host string, defaultBits int) ([]netaddr.IPPrefix, error) {
+	if host == "*" {
+		// User explicitly requested wildcard dst ip.
 		return []netaddr.IPPrefix{
 			{IP: zeroIP4, Bits: 0},
 			{IP: zeroIP6, Bits: 0},
 		}, nil
 	}
-	if strings.Contains(arg, "/") {
-		pfx, err := netaddr.ParseIPPrefix(arg)
-		if err != nil {
-			return nil, err
-		}
-		if pfx != pfx.Masked() {
-			return nil, fmt.Errorf("%v contains non-network bits set", pfx)
-		}
-		return []netaddr.IPPrefix{pfx}, nil
-	}
-	if strings.Count(arg, "-") == 1 {
-		i := strings.Index(arg, "-")
-		ip1s, ip2s := arg[:i], arg[i+1:]
-		ip1, err := netaddr.ParseIP(ip1s)
-		if err != nil {
-			return nil, err
-		}
-		ip2, err := netaddr.ParseIP(ip2s)
-		if err != nil {
-			return nil, err
-		}
-		r := netaddr.IPRange{From: ip1, To: ip2}
-		if !r.Valid() {
-			return nil, fmt.Errorf("invalid IP range %q", arg)
-		}
-		return r.Prefixes(), nil
-	}
-	ip, err := netaddr.ParseIP(arg)
+
+	ip, err := netaddr.ParseIP(host)
 	if err != nil {
-		return nil, fmt.Errorf("invalid IP address %q", arg)
+		return nil, fmt.Errorf("ports=%#v: invalid IP address", host)
 	}
-	bits8 := ip.BitLen()
-	if bits != nil {
-		if *bits < 0 || *bits > int(bits8) {
-			return nil, fmt.Errorf("invalid CIDR size %d for IP %q", *bits, arg)
-		}
-		bits8 = uint8(*bits)
+	if ip == zeroIP4 {
+		// For clarity, reject 0.0.0.0 as an input
+		return nil, fmt.Errorf("ports=%#v: to allow all IP addresses, use *:port, not 0.0.0.0:port", host)
 	}
-	return []netaddr.IPPrefix{{IP: ip, Bits: bits8}}, nil
+	if ip == zeroIP6 {
+		// For clarity, reject :: as an input
+		return nil, fmt.Errorf("ports=%#v: to allow all IP addresses, use *:port, not [::]:port", host)
+	}
+
+	if defaultBits < 0 || (ip.Is4() && defaultBits > 32) || (ip.Is6() && defaultBits > 128) {
+		return nil, fmt.Errorf("invalid CIDR size %d for host %q", defaultBits, host)
+	}
+	return []netaddr.IPPrefix{
+		{
+			IP:   ip,
+			Bits: uint8(defaultBits),
+		},
+	}, nil
 }
--- a/wgengine/magicsock/legacy.go
+++ b/wgengine/magicsock/legacy.go
@@ -1,680 +0,0 @@
-// Copyright (c) 2019 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package magicsock
-
-import (
-	"bytes"
-	"crypto/hmac"
-	"crypto/subtle"
-	"encoding/binary"
-	"errors"
-	"fmt"
-	"hash"
-	"net"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/tailscale/wireguard-go/conn"
-	"github.com/tailscale/wireguard-go/tai64n"
-	"github.com/tailscale/wireguard-go/wgcfg"
-	"golang.org/x/crypto/blake2s"
-	"golang.org/x/crypto/chacha20poly1305"
-	"golang.org/x/crypto/poly1305"
-	"inet.af/netaddr"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/types/key"
-	"tailscale.com/types/logger"
-	"tailscale.com/types/wgkey"
-)
-
-var (
-	errNoDestinations = errors.New("magicsock: no destinations")
-	errDisabled       = errors.New("magicsock: legacy networking disabled")
-)
-
-func (c *Conn) createLegacyEndpointLocked(pk key.Public, addrs string) (conn.Endpoint, error) {
-	if c.disableLegacy {
-		return nil, errDisabled
-	}
-
-	a := &addrSet{
-		Logf:      c.logf,
-		publicKey: pk,
-		curAddr:   -1,
-	}
-
-	if addrs != "" {
-		for _, ep := range strings.Split(addrs, ",") {
-			ipp, err := netaddr.ParseIPPort(ep)
-			if err != nil {
-				return nil, fmt.Errorf("bogus address %q", ep)
-			}
-			a.ipPorts = append(a.ipPorts, ipp)
-			a.addrs = append(a.addrs, *ipp.UDPAddr())
-		}
-	}
-
-	// If this endpoint is being updated, remember its old set of
-	// endpoints so we can remove any (from c.addrsByUDP) that are
-	// not in the new set.
-	var oldIPP []netaddr.IPPort
-	if preva, ok := c.addrsByKey[pk]; ok {
-		oldIPP = preva.ipPorts
-	}
-	c.addrsByKey[pk] = a
-
-	// Add entries to c.addrsByUDP.
-	for _, ipp := range a.ipPorts {
-		if ipp.IP == derpMagicIPAddr {
-			continue
-		}
-		c.addrsByUDP[ipp] = a
-	}
-
-	// Remove previous c.addrsByUDP entries that are no longer in the new set.
-	for _, ipp := range oldIPP {
-		if ipp.IP != derpMagicIPAddr && c.addrsByUDP[ipp] != a {
-			delete(c.addrsByUDP, ipp)
-		}
-	}
-
-	return a, nil
-}
-
-func (c *Conn) findLegacyEndpointLocked(ipp netaddr.IPPort, addr *net.UDPAddr, packet []byte) conn.Endpoint {
-	if c.disableLegacy {
-		return nil
-	}
-
-	// Pre-disco: look up their addrSet.
-	if as, ok := c.addrsByUDP[ipp]; ok {
-		as.updateDst(addr)
-		return as
-	}
-
-	// We don't know who this peer is. It's possible that it's one of
-	// our legitimate peers and they've roamed to an address we don't
-	// know. If this is a handshake packet, we can try to identify the
-	// peer in question.
-	if as := c.peerFromPacketLocked(packet); as != nil {
-		as.updateDst(addr)
-		return as
-	}
-
-	// We have no idea who this is, drop the packet.
-	//
-	// In the past, when this magicsock implementation was the main
-	// one, we tried harder to find a match here: we would pass the
-	// packet into wireguard-go with a "singleEndpoint" implementation
-	// that wrapped the UDPAddr. Then, a patch we added to
-	// wireguard-go would call UpdateDst on that singleEndpoint after
-	// decrypting the packet and identifying the peer (if any),
-	// allowing us to update the relevant addrSet.
-	//
-	// This was a significant out of tree patch to wireguard-go, so we
-	// got rid of it, and instead switched to this logic you're
-	// reading now, which makes a best effort to identify sources for
-	// handshake packets (because they're relatively easy to turn into
-	// a peer public key statelessly), but otherwise drops packets
-	// that come from "roaming" addresses that aren't known to
-	// magicsock.
-	//
-	// The practical consequence of this is that some complex NAT
-	// traversal cases will now fail between a very old Tailscale
-	// client (0.96 and earlier) and a very new Tailscale
-	// client. However, those scenarios were likely also failing on
-	// all-old clients, because the probabilistic NAT opening didn't
-	// work reliably. So, in practice, this simplification means
-	// connectivity looks like this:
-	//
-	//  - old+old client: unchanged
-	//  - old+new client (easy network topology): unchanged
-	//  - old+new client (hard network topology): was bad, now a bit worse
-	//  - new+new client: unchanged
-	//
-	// This degradation is acceptable in that it continues to support
-	// the incremental upgrade of old clients that currently work
-	// well, which is our primary goal for the <100 clients still left
-	// on the oldest pre-DERP versions (as of 2021-01-12).
-	return nil
-}
-
-func (c *Conn) resetAddrSetStatesLocked() {
-	for _, as := range c.addrsByKey {
-		as.curAddr = -1
-		as.stopSpray = as.timeNow().Add(sprayPeriod)
-	}
-}
-
-func (c *Conn) sendAddrSet(b []byte, as *addrSet) error {
-	if c.disableLegacy {
-		return errDisabled
-	}
-
-	var addrBuf [8]netaddr.IPPort
-	dsts, roamAddr := as.appendDests(addrBuf[:0], b)
-
-	if len(dsts) == 0 {
-		return errNoDestinations
-	}
-
-	var success bool
-	var ret error
-	for _, addr := range dsts {
-		sent, err := c.sendAddr(addr, as.publicKey, b)
-		if sent {
-			success = true
-		} else if ret == nil {
-			ret = err
-		}
-		if err != nil && addr != roamAddr && c.sendLogLimit.Allow() {
-			if c.connCtx.Err() == nil { // don't log if we're closed
-				c.logf("magicsock: Conn.Send(%v): %v", addr, err)
-			}
-		}
-	}
-	if success {
-		return nil
-	}
-	return ret
-}
-
-// peerFromPacketLocked extracts returns the addrSet for the peer who sent
-// packet, if derivable.
-//
-// The derived addrSet is a hint, not a cryptographically strong
-// assertion. The returned value MUST NOT be used for any security
-// critical function. Callers MUST assume that the addrset can be
-// picked by a remote attacker.
-func (c *Conn) peerFromPacketLocked(packet []byte) *addrSet {
-	if len(packet) < 4 {
-		return nil
-	}
-	msgType := binary.LittleEndian.Uint32(packet[:4])
-	if msgType != messageInitiationType {
-		// Can't get peer out of a non-handshake packet.
-		return nil
-	}
-
-	var msg messageInitiation
-	reader := bytes.NewReader(packet)
-	err := binary.Read(reader, binary.LittleEndian, &msg)
-	if err != nil {
-		return nil
-	}
-
-	// Process just enough of the handshake to extract the long-term
-	// peer public key. We don't verify the handshake all the way, so
-	// this may be a spoofed packet. The extracted peer MUST NOT be
-	// used for any security critical function. In our case, we use it
-	// as a hint for roaming addresses.
-	var (
-		pub      = c.privateKey.Public()
-		hash     [blake2s.Size]byte
-		chainKey [blake2s.Size]byte
-		peerPK   key.Public
-		boxKey   [chacha20poly1305.KeySize]byte
-	)
-
-	mixHash(&hash, &initialHash, pub[:])
-	mixHash(&hash, &hash, msg.Ephemeral[:])
-	mixKey(&chainKey, &initialChainKey, msg.Ephemeral[:])
-
-	ss := c.privateKey.SharedSecret(key.Public(msg.Ephemeral))
-	if isZero(ss[:]) {
-		return nil
-	}
-
-	kdf2(&chainKey, &boxKey, chainKey[:], ss[:])
-	aead, _ := chacha20poly1305.New(boxKey[:])
-	_, err = aead.Open(peerPK[:0], zeroNonce[:], msg.Static[:], hash[:])
-	if err != nil {
-		return nil
-	}
-
-	return c.addrsByKey[peerPK]
-}
-
-func shouldSprayPacket(b []byte) bool {
-	if len(b) < 4 {
-		return false
-	}
-	msgType := binary.LittleEndian.Uint32(b[:4])
-	switch msgType {
-	case messageInitiationType,
-		messageResponseType,
-		messageCookieReplyType: // TODO: necessary?
-		return true
-	}
-	return false
-}
-
-const sprayPeriod = 3 * time.Second
-
-// appendDests appends to dsts the destinations that b should be
-// written to in order to reach as. Some of the returned IPPorts may
-// be fake addrs representing DERP servers.
-//
-// It also returns as's current roamAddr, if any.
-func (as *addrSet) appendDests(dsts []netaddr.IPPort, b []byte) (_ []netaddr.IPPort, roamAddr netaddr.IPPort) {
-	spray := shouldSprayPacket(b) // true for handshakes
-	now := as.timeNow()
-
-	as.mu.Lock()
-	defer as.mu.Unlock()
-
-	as.lastSend = now
-
-	// Some internal invariant checks.
-	if len(as.addrs) != len(as.ipPorts) {
-		panic(fmt.Sprintf("lena %d != leni %d", len(as.addrs), len(as.ipPorts)))
-	}
-	if n1, n2 := as.roamAddr != nil, as.roamAddrStd != nil; n1 != n2 {
-		panic(fmt.Sprintf("roamnil %v != roamstdnil %v", n1, n2))
-	}
-
-	// Spray logic.
-	//
-	// After exchanging a handshake with a peer, we send some outbound
-	// packets to every endpoint of that peer. These packets are spaced out
-	// over several seconds to make sure that our peer has an opportunity to
-	// send its own spray packet to us before we are done spraying.
-	//
-	// Multiple packets are necessary because we have to both establish the
-	// NAT mappings between two peers *and use* the mappings to switch away
-	// from DERP to a higher-priority UDP endpoint.
-	const sprayFreq = 250 * time.Millisecond
-	if spray {
-		as.lastSpray = now
-		as.stopSpray = now.Add(sprayPeriod)
-
-		// Reset our favorite route on new handshakes so we
-		// can downgrade to a worse path if our better path
-		// goes away. (https://github.com/tailscale/tailscale/issues/92)
-		as.curAddr = -1
-	} else if now.Before(as.stopSpray) {
-		// We are in the spray window. If it has been sprayFreq since we
-		// last sprayed a packet, spray this packet.
-		if now.Sub(as.lastSpray) >= sprayFreq {
-			spray = true
-			as.lastSpray = now
-		}
-	}
-
-	// Pick our destination address(es).
-	switch {
-	case spray:
-		// This packet is being sprayed to all addresses.
-		for i := range as.ipPorts {
-			dsts = append(dsts, as.ipPorts[i])
-		}
-		if as.roamAddr != nil {
-			dsts = append(dsts, *as.roamAddr)
-		}
-	case as.roamAddr != nil:
-		// We have a roaming address, prefer it over other addrs.
-		// TODO(danderson): this is not correct, there's no reason
-		// roamAddr should be special like this.
-		dsts = append(dsts, *as.roamAddr)
-	case as.curAddr != -1:
-		if as.curAddr >= len(as.addrs) {
-			as.Logf("[unexpected] magicsock bug: as.curAddr >= len(as.addrs): %d >= %d", as.curAddr, len(as.addrs))
-			break
-		}
-		// No roaming addr, but we've seen packets from a known peer
-		// addr, so keep using that one.
-		dsts = append(dsts, as.ipPorts[as.curAddr])
-	default:
-		// We know nothing about how to reach this peer, and we're not
-		// spraying. Use the first address in the array, which will
-		// usually be a DERP address that guarantees connectivity.
-		if len(as.ipPorts) > 0 {
-			dsts = append(dsts, as.ipPorts[0])
-		}
-	}
-
-	if logPacketDests {
-		as.Logf("spray=%v; roam=%v; dests=%v", spray, as.roamAddr, dsts)
-	}
-	if as.roamAddr != nil {
-		roamAddr = *as.roamAddr
-	}
-	return dsts, roamAddr
-}
-
-// addrSet is a set of UDP addresses that implements wireguard/conn.Endpoint.
-//
-// This is the legacy endpoint for peers that don't support discovery;
-// it predates discoEndpoint.
-type addrSet struct {
-	publicKey key.Public // peer public key used for DERP communication
-
-	// addrs is an ordered priority list provided by wgengine,
-	// sorted from expensive+slow+reliable at the begnining to
-	// fast+cheap at the end. More concretely, it's typically:
-	//
-	//     [DERP fakeip:node, Global IP:port, LAN ip:port]
-	//
-	// But there could be multiple or none of each.
-	addrs   []net.UDPAddr
-	ipPorts []netaddr.IPPort // same as addrs, in different form
-
-	// clock, if non-nil, is used in tests instead of time.Now.
-	clock func() time.Time
-	Logf  logger.Logf // must not be nil
-
-	mu sync.Mutex // guards following fields
-
-	lastSend time.Time
-
-	// roamAddr is non-nil if/when we receive a correctly signed
-	// WireGuard packet from an unexpected address. If so, we
-	// remember it and send responses there in the future, but
-	// this should hopefully never be used (or at least used
-	// rarely) in the case that all the components of Tailscale
-	// are correctly learning/sharing the network map details.
-	roamAddr    *netaddr.IPPort
-	roamAddrStd *net.UDPAddr
-
-	// curAddr is an index into addrs of the highest-priority
-	// address a valid packet has been received from so far.
-	// If no valid packet from addrs has been received, curAddr is -1.
-	curAddr int
-
-	// stopSpray is the time after which we stop spraying packets.
-	stopSpray time.Time
-
-	// lastSpray is the last time we sprayed a packet.
-	lastSpray time.Time
-
-	// loggedLogPriMask is a bit field of that tracks whether
-	// we've already logged about receiving a packet from a low
-	// priority ("low-pri") address when we already have curAddr
-	// set to a better one. This is only to suppress some
-	// redundant logs.
-	loggedLogPriMask uint32
-}
-
-// derpID returns this addrSet's home DERP node, or 0 if none is found.
-func (as *addrSet) derpID() int {
-	for _, ua := range as.addrs {
-		if ua.IP.Equal(derpMagicIP) {
-			return ua.Port
-		}
-	}
-	return 0
-}
-
-func (as *addrSet) timeNow() time.Time {
-	if as.clock != nil {
-		return as.clock()
-	}
-	return time.Now()
-}
-
-var noAddr, _ = netaddr.FromStdAddr(net.ParseIP("127.127.127.127"), 127, "")
-
-func (a *addrSet) dst() netaddr.IPPort {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-
-	if a.roamAddr != nil {
-		return *a.roamAddr
-	}
-	if len(a.addrs) == 0 {
-		return noAddr
-	}
-	i := a.curAddr
-	if i == -1 {
-		i = 0
-	}
-	return a.ipPorts[i]
-}
-
-func (a *addrSet) DstToBytes() []byte {
-	return packIPPort(a.dst())
-}
-func (a *addrSet) DstToString() string {
-	dst := a.dst()
-	return dst.String()
-}
-func (a *addrSet) DstIP() net.IP {
-	return a.dst().IP.IPAddr().IP // TODO: add netaddr accessor to cut an alloc here?
-}
-func (a *addrSet) SrcIP() net.IP       { return nil }
-func (a *addrSet) SrcToString() string { return "" }
-func (a *addrSet) ClearSrc()           {}
-
-// updateDst records receipt of a packet from new. This is used to
-// potentially update the transmit address used for this addrSet.
-func (a *addrSet) updateDst(new *net.UDPAddr) error {
-	if new.IP.Equal(derpMagicIP) {
-		// Never consider DERP addresses as a viable candidate for
-		// either curAddr or roamAddr. It's only ever a last resort
-		// choice, never a preferred choice.
-		// This is a hot path for established connections.
-		return nil
-	}
-
-	a.mu.Lock()
-	defer a.mu.Unlock()
-
-	if a.roamAddrStd != nil && equalUDPAddr(new, a.roamAddrStd) {
-		// Packet from the current roaming address, no logging.
-		// This is a hot path for established connections.
-		return nil
-	}
-	if a.roamAddr == nil && a.curAddr >= 0 && equalUDPAddr(new, &a.addrs[a.curAddr]) {
-		// Packet from current-priority address, no logging.
-		// This is a hot path for established connections.
-		return nil
-	}
-
-	newa, ok := netaddr.FromStdAddr(new.IP, new.Port, new.Zone)
-	if !ok {
-		return nil
-	}
-
-	index := -1
-	for i := range a.addrs {
-		if equalUDPAddr(new, &a.addrs[i]) {
-			index = i
-			break
-		}
-	}
-
-	publicKey := wgkey.Key(a.publicKey)
-	pk := publicKey.ShortString()
-	old := "<none>"
-	if a.curAddr >= 0 {
-		old = a.addrs[a.curAddr].String()
-	}
-
-	switch {
-	case index == -1:
-		if a.roamAddr == nil {
-			a.Logf("magicsock: rx %s from roaming address %s, set as new priority", pk, new)
-		} else {
-			a.Logf("magicsock: rx %s from roaming address %s, replaces roaming address %s", pk, new, a.roamAddr)
-		}
-		a.roamAddr = &newa
-		a.roamAddrStd = new
-
-	case a.roamAddr != nil:
-		a.Logf("magicsock: rx %s from known %s (%d), replaces roaming address %s", pk, new, index, a.roamAddr)
-		a.roamAddr = nil
-		a.roamAddrStd = nil
-		a.curAddr = index
-		a.loggedLogPriMask = 0
-
-	case a.curAddr == -1:
-		a.Logf("magicsock: rx %s from %s (%d/%d), set as new priority", pk, new, index, len(a.addrs))
-		a.curAddr = index
-		a.loggedLogPriMask = 0
-
-	case index < a.curAddr:
-		if 1 <= index && index <= 32 && (a.loggedLogPriMask&1<<(index-1)) == 0 {
-			a.Logf("magicsock: rx %s from low-pri %s (%d), keeping current %s (%d)", pk, new, index, old, a.curAddr)
-			a.loggedLogPriMask |= 1 << (index - 1)
-		}
-
-	default: // index > a.curAddr
-		a.Logf("magicsock: rx %s from %s (%d/%d), replaces old priority %s", pk, new, index, len(a.addrs), old)
-		a.curAddr = index
-		a.loggedLogPriMask = 0
-	}
-
-	return nil
-}
-
-func equalUDPAddr(x, y *net.UDPAddr) bool {
-	return x.Port == y.Port && x.IP.Equal(y.IP)
-}
-
-func (a *addrSet) String() string {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-
-	buf := new(strings.Builder)
-	buf.WriteByte('[')
-	if a.roamAddr != nil {
-		buf.WriteString("roam:")
-		sbPrintAddr(buf, *a.roamAddrStd)
-	}
-	for i, addr := range a.addrs {
-		if i > 0 || a.roamAddr != nil {
-			buf.WriteString(", ")
-		}
-		sbPrintAddr(buf, addr)
-		if a.curAddr == i {
-			buf.WriteByte('*')
-		}
-	}
-	buf.WriteByte(']')
-
-	return buf.String()
-}
-
-func (as *addrSet) populatePeerStatus(ps *ipnstate.PeerStatus) {
-	as.mu.Lock()
-	defer as.mu.Unlock()
-
-	ps.LastWrite = as.lastSend
-	for i, ua := range as.addrs {
-		if ua.IP.Equal(derpMagicIP) {
-			continue
-		}
-		uaStr := ua.String()
-		ps.Addrs = append(ps.Addrs, uaStr)
-		if as.curAddr == i {
-			ps.CurAddr = uaStr
-		}
-	}
-	if as.roamAddr != nil {
-		ps.CurAddr = udpAddrDebugString(*as.roamAddrStd)
-	}
-}
-
-func (a *addrSet) Addrs() string {
-	var addrs []string
-	for _, addr := range a.addrs {
-		addrs = append(addrs, addr.String())
-	}
-
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	if a.roamAddr != nil {
-		addrs = append(addrs, a.roamAddr.String())
-	}
-	return strings.Join(addrs, ",")
-}
-
-// Message types copied from wireguard-go/device/noise-protocol.go
-const (
-	messageInitiationType  = 1
-	messageResponseType    = 2
-	messageCookieReplyType = 3
-)
-
-// Cryptographic constants copied from wireguard-go/device/noise-protocol.go
-var (
-	noiseConstruction = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"
-	wgIdentifier      = "WireGuard v1 zx2c4 Jason@zx2c4.com"
-	initialChainKey   [blake2s.Size]byte
-	initialHash       [blake2s.Size]byte
-	zeroNonce         [chacha20poly1305.NonceSize]byte
-)
-
-func init() {
-	initialChainKey = blake2s.Sum256([]byte(noiseConstruction))
-	mixHash(&initialHash, &initialChainKey, []byte(wgIdentifier))
-}
-
-// messageInitiation is the same as wireguard-go's MessageInitiation,
-// from wireguard-go/device/noise-protocol.go.
-type messageInitiation struct {
-	Type      uint32
-	Sender    uint32
-	Ephemeral wgcfg.Key
-	Static    [wgcfg.KeySize + poly1305.TagSize]byte
-	Timestamp [tai64n.TimestampSize + poly1305.TagSize]byte
-	MAC1      [blake2s.Size128]byte
-	MAC2      [blake2s.Size128]byte
-}
-
-func mixKey(dst *[blake2s.Size]byte, c *[blake2s.Size]byte, data []byte) {
-	kdf1(dst, c[:], data)
-}
-
-func mixHash(dst *[blake2s.Size]byte, h *[blake2s.Size]byte, data []byte) {
-	hash, _ := blake2s.New256(nil)
-	hash.Write(h[:])
-	hash.Write(data)
-	hash.Sum(dst[:0])
-	hash.Reset()
-}
-
-func hmac1(sum *[blake2s.Size]byte, key, in0 []byte) {
-	mac := hmac.New(func() hash.Hash {
-		h, _ := blake2s.New256(nil)
-		return h
-	}, key)
-	mac.Write(in0)
-	mac.Sum(sum[:0])
-}
-
-func hmac2(sum *[blake2s.Size]byte, key, in0, in1 []byte) {
-	mac := hmac.New(func() hash.Hash {
-		h, _ := blake2s.New256(nil)
-		return h
-	}, key)
-	mac.Write(in0)
-	mac.Write(in1)
-	mac.Sum(sum[:0])
-}
-
-func kdf1(t0 *[blake2s.Size]byte, key, input []byte) {
-	hmac1(t0, key, input)
-	hmac1(t0, t0[:], []byte{0x1})
-}
-
-func kdf2(t0, t1 *[blake2s.Size]byte, key, input []byte) {
-	var prk [blake2s.Size]byte
-	hmac1(&prk, key, input)
-	hmac1(t0, prk[:], []byte{0x1})
-	hmac2(t1, prk[:], t0[:], []byte{0x2})
-	for i := range prk[:] {
-		prk[i] = 0
-	}
-}
-
-func isZero(val []byte) bool {
-	acc := 1
-	for _, b := range val {
-		acc &= subtle.ConstantTimeByteEq(b, 0)
-	}
-	return acc == 1
-}
--- a/wgengine/magicsock/magicsock.go
+++ b/wgengine/magicsock/magicsock.go
--- a/wgengine/magicsock/magicsock_test.go
+++ b/wgengine/magicsock/magicsock_test.go
@@ -20,7 +20,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"testing"
 	"time"
 	"unsafe"
@@ -43,7 +42,6 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/nettype"
-	"tailscale.com/types/wgkey"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/tstun"
 )
@@ -58,7 +56,7 @@ func init() {
 // conditions in tests. In particular, you can't expect two test magicsocks
 // to be able to connect to each other through a test DERP unless they are
 // both fully initialized before you try.
-func (c *Conn) WaitReady(t testing.TB) {
+func (c *Conn) WaitReady(t *testing.T) {
 	t.Helper()
 	timer := time.NewTimer(10 * time.Second)
 	defer timer.Stop()
@@ -121,7 +119,7 @@ func runDERPAndStun(t *testing.T, logf logger.Logf, l nettype.PacketListener, st
 // necessary to send and receive packets to test e2e wireguard
 // happiness.
 type magicStack struct {
-	privateKey wgkey.Private
+	privateKey wgcfg.PrivateKey
 	epCh       chan []string       // endpoint updates produced by this peer
 	conn       *Conn               // the magicsock itself
 	tun        *tuntest.ChannelTUN // TUN device to send/receive packets
@@ -132,10 +130,10 @@ type magicStack struct {
 // newMagicStack builds and initializes an idle magicsock and
 // friends. You need to call conn.SetNetworkMap and dev.Reconfig
 // before anything interesting happens.
-func newMagicStack(t testing.TB, logf logger.Logf, l nettype.PacketListener, derpMap *tailcfg.DERPMap, disableLegacy bool) *magicStack {
+func newMagicStack(t *testing.T, logf logger.Logf, l nettype.PacketListener, derpMap *tailcfg.DERPMap) *magicStack {
 	t.Helper()

-	privateKey, err := wgkey.NewPrivate()
+	privateKey, err := wgcfg.NewPrivateKey()
 	if err != nil {
 		t.Fatalf("generating private key: %v", err)
 	}
@@ -147,8 +145,7 @@ func newMagicStack(t testing.TB, logf logger.Logf, l nettype.PacketListener, der
 		EndpointsFunc: func(eps []string) {
 			epCh <- eps
 		},
-		SimulatedNetwork:        l != nettype.Std{},
-		DisableLegacyNetworking: disableLegacy,
+		SimulatedNetwork: l != nettype.Std{},
 	})
 	if err != nil {
 		t.Fatalf("constructing magicsock: %v", err)
@@ -164,7 +161,11 @@ func newMagicStack(t testing.TB, logf logger.Logf, l nettype.PacketListener, der
 	tsTun.SetFilter(filter.NewAllowAllForTest(logf))

 	dev := device.NewDevice(tsTun, &device.DeviceOptions{
-		Logger:         wireguardGoLogger(logf),
+		Logger: &device.Logger{
+			Debug: logger.StdLogger(logf),
+			Info:  logger.StdLogger(logf),
+			Error: logger.StdLogger(logf),
+		},
 		CreateEndpoint: conn.CreateEndpoint,
 		CreateBind:     conn.CreateBind,
 		SkipBindUpdate: true,
@@ -247,13 +248,13 @@ func meshStacks(logf logger.Logf, ms []*magicStack) (cleanup func()) {
 		nm := &controlclient.NetworkMap{
 			PrivateKey: me.privateKey,
 			NodeKey:    tailcfg.NodeKey(me.privateKey.Public()),
-			Addresses:  []netaddr.IPPrefix{{IP: netaddr.IPv4(1, 0, 0, byte(myIdx+1)), Bits: 32}},
+			Addresses:  []wgcfg.CIDR{{IP: wgcfg.IPv4(1, 0, 0, byte(myIdx+1)), Mask: 32}},
 		}
 		for i, peer := range ms {
 			if i == myIdx {
 				continue
 			}
-			addrs := []netaddr.IPPrefix{{IP: netaddr.IPv4(1, 0, 0, byte(i+1)), Bits: 32}}
+			addrs := []wgcfg.CIDR{{IP: wgcfg.IPv4(1, 0, 0, byte(i+1)), Mask: 32}}
 			peer := &tailcfg.Node{
 				ID:         tailcfg.NodeID(i + 1),
 				Name:       fmt.Sprintf("node%d", i+1),
@@ -337,23 +338,22 @@ func TestNewConn(t *testing.T) {

 	port := pickPort(t)
 	conn, err := NewConn(Options{
-		Port:                    port,
-		EndpointsFunc:           epFunc,
-		Logf:                    t.Logf,
-		DisableLegacyNetworking: true,
+		Port:          port,
+		EndpointsFunc: epFunc,
+		Logf:          t.Logf,
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer conn.Close()
 	conn.SetDERPMap(stuntest.DERPMapOf(stunAddr.String()))
-	conn.SetPrivateKey(wgkey.Private(key.NewPrivate()))
+	conn.SetPrivateKey(wgcfg.PrivateKey(key.NewPrivate()))
 	conn.Start()

 	go func() {
 		var pkt [64 << 10]byte
 		for {
-			_, _, err := conn.ReceiveIPv4(pkt[:])
+			_, _, _, err := conn.ReceiveIPv4(pkt[:])
 			if err != nil {
 				return
 			}
@@ -377,7 +377,7 @@ collectEndpoints:
 	}
 }

-func pickPort(t testing.TB) uint16 {
+func pickPort(t *testing.T) uint16 {
 	t.Helper()
 	conn, err := net.ListenPacket("udp4", "127.0.0.1:0")
 	if err != nil {
@@ -442,8 +442,8 @@ func TestPickDERPFallback(t *testing.T) {

 	// But move if peers are elsewhere.
 	const otherNode = 789
-	c.addrsByKey = map[key.Public]*addrSet{
-		key.Public{1}: &addrSet{addrs: []net.UDPAddr{{IP: derpMagicIP, Port: otherNode}}},
+	c.addrsByKey = map[key.Public]*AddrSet{
+		key.Public{1}: &AddrSet{addrs: []net.UDPAddr{{IP: derpMagicIP, Port: otherNode}}},
 	}
 	if got := c.pickDERPFallback(); got != otherNode {
 		t.Errorf("didn't join peers: got %v; want %v", got, someNode)
@@ -454,16 +454,16 @@ func makeConfigs(t *testing.T, addrs []netaddr.IPPort) []wgcfg.Config {
 	t.Helper()

 	var privKeys []wgcfg.PrivateKey
-	var addresses [][]netaddr.IPPrefix
+	var addresses [][]wgcfg.CIDR

 	for i := range addrs {
-		privKey, err := wgkey.NewPrivate()
+		privKey, err := wgcfg.NewPrivateKey()
 		if err != nil {
 			t.Fatal(err)
 		}
-		privKeys = append(privKeys, wgcfg.PrivateKey(privKey))
+		privKeys = append(privKeys, privKey)

-		addresses = append(addresses, []netaddr.IPPrefix{
+		addresses = append(addresses, []wgcfg.CIDR{
 			parseCIDR(t, fmt.Sprintf("1.0.0.%d/32", i+1)),
 		})
 	}
@@ -481,9 +481,12 @@ func makeConfigs(t *testing.T, addrs []netaddr.IPPort) []wgcfg.Config {
 				continue
 			}
 			peer := wgcfg.Peer{
-				PublicKey:           privKeys[peerNum].Public(),
-				AllowedIPs:          addresses[peerNum],
-				Endpoints:           addr.String(),
+				PublicKey:  privKeys[peerNum].Public(),
+				AllowedIPs: addresses[peerNum],
+				Endpoints: []wgcfg.Endpoint{{
+					Host: addr.IP.String(),
+					Port: addr.Port,
+				}},
 				PersistentKeepalive: 25,
 			}
 			cfg.Peers = append(cfg.Peers, peer)
@@ -493,9 +496,9 @@ func makeConfigs(t *testing.T, addrs []netaddr.IPPort) []wgcfg.Config {
 	return cfgs
 }

-func parseCIDR(t *testing.T, addr string) netaddr.IPPrefix {
+func parseCIDR(t *testing.T, addr string) wgcfg.CIDR {
 	t.Helper()
-	cidr, err := netaddr.ParseIPPrefix(addr)
+	cidr, err := wgcfg.ParseCIDR(addr)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -514,9 +517,8 @@ func TestDeviceStartStop(t *testing.T) {
 	defer rc.Assert(t)

 	conn, err := NewConn(Options{
-		EndpointsFunc:           func(eps []string) {},
-		Logf:                    t.Logf,
-		DisableLegacyNetworking: true,
+		EndpointsFunc: func(eps []string) {},
+		Logf:          t.Logf,
 	})
 	if err != nil {
 		t.Fatal(err)
@@ -526,7 +528,11 @@ func TestDeviceStartStop(t *testing.T) {

 	tun := tuntest.NewChannelTUN()
 	dev := device.NewDevice(tun.TUN(), &device.DeviceOptions{
-		Logger:         wireguardGoLogger(t.Logf),
+		Logger: &device.Logger{
+			Debug: logger.StdLogger(t.Logf),
+			Info:  logger.StdLogger(t.Logf),
+			Error: logger.StdLogger(t.Logf),
+		},
 		CreateEndpoint: conn.CreateEndpoint,
 		CreateBind:     conn.CreateBind,
 		SkipBindUpdate: true,
@@ -535,61 +541,6 @@ func TestDeviceStartStop(t *testing.T) {
 	dev.Close()
 }

-// Exercise a code path in sendDiscoMessage if the connection has been closed.
-func TestConnClosed(t *testing.T) {
-	mstun := &natlab.Machine{Name: "stun"}
-	m1 := &natlab.Machine{Name: "m1"}
-	m2 := &natlab.Machine{Name: "m2"}
-	inet := natlab.NewInternet()
-	sif := mstun.Attach("eth0", inet)
-	m1if := m1.Attach("eth0", inet)
-	m2if := m2.Attach("eth0", inet)
-
-	d := &devices{
-		m1:     m1,
-		m1IP:   m1if.V4(),
-		m2:     m2,
-		m2IP:   m2if.V4(),
-		stun:   mstun,
-		stunIP: sif.V4(),
-	}
-
-	logf, closeLogf := logger.LogfCloser(t.Logf)
-	defer closeLogf()
-
-	derpMap, cleanup := runDERPAndStun(t, logf, d.stun, d.stunIP)
-	defer cleanup()
-
-	ms1 := newMagicStack(t, logger.WithPrefix(logf, "conn1: "), d.m1, derpMap, true)
-	defer ms1.Close()
-	ms2 := newMagicStack(t, logger.WithPrefix(logf, "conn2: "), d.m2, derpMap, true)
-	defer ms2.Close()
-
-	cleanup = meshStacks(t.Logf, []*magicStack{ms1, ms2})
-	defer cleanup()
-
-	pkt := tuntest.Ping(ms2.IP(t).IPAddr().IP, ms1.IP(t).IPAddr().IP)
-
-	if len(ms1.conn.activeDerp) == 0 {
-		t.Errorf("unexpected DERP empty got: %v want: >0", len(ms1.conn.activeDerp))
-	}
-
-	ms1.conn.Close()
-	ms2.conn.Close()
-
-	// This should hit a c.closed conditional in sendDiscoMessage() and return immediately.
-	ms1.tun.Outbound <- pkt
-	select {
-	case <-ms2.tun.Inbound:
-		t.Error("unexpected response with connection closed")
-	case <-time.After(100 * time.Millisecond):
-	}
-
-	if len(ms1.conn.activeDerp) > 0 {
-		t.Errorf("unexpected DERP active got: %v want:0", len(ms1.conn.activeDerp))
-	}
-}
-
 func makeNestable(t *testing.T) (logf logger.Logf, setT func(t *testing.T)) {
 	var mu sync.RWMutex
 	cur := t
@@ -836,20 +787,18 @@ func testActiveDiscovery(t *testing.T, d *devices) {
 	setT(t)

 	start := time.Now()
-	wlogf := func(msg string, args ...interface{}) {
+	logf := func(msg string, args ...interface{}) {
 		t.Helper()
 		msg = fmt.Sprintf("%s: %s", time.Since(start).Truncate(time.Microsecond), msg)
 		tlogf(msg, args...)
 	}
-	logf, closeLogf := logger.LogfCloser(wlogf)
-	defer closeLogf()

 	derpMap, cleanup := runDERPAndStun(t, logf, d.stun, d.stunIP)
 	defer cleanup()

-	m1 := newMagicStack(t, logger.WithPrefix(logf, "conn1: "), d.m1, derpMap, true)
+	m1 := newMagicStack(t, logger.WithPrefix(logf, "conn1: "), d.m1, derpMap)
 	defer m1.Close()
-	m2 := newMagicStack(t, logger.WithPrefix(logf, "conn2: "), d.m2, derpMap, true)
+	m2 := newMagicStack(t, logger.WithPrefix(logf, "conn2: "), d.m2, derpMap)
 	defer m2.Close()

 	cleanup = meshStacks(logf, []*magicStack{m1, m2})
@@ -901,9 +850,9 @@ func testTwoDevicePing(t *testing.T, d *devices) {
 	derpMap, cleanup := runDERPAndStun(t, logf, d.stun, d.stunIP)
 	defer cleanup()

-	m1 := newMagicStack(t, logf, d.m1, derpMap, false)
+	m1 := newMagicStack(t, logf, d.m1, derpMap)
 	defer m1.Close()
-	m2 := newMagicStack(t, logf, d.m2, derpMap, false)
+	m2 := newMagicStack(t, logf, d.m2, derpMap)
 	defer m2.Close()

 	addrs := []netaddr.IPPort{
@@ -1050,12 +999,12 @@ func testTwoDevicePing(t *testing.T, d *devices) {
 	})

 	// Add DERP relay.
-	derpEp := "127.3.3.40:1"
+	derpEp := wgcfg.Endpoint{Host: "127.3.3.40", Port: 1}
 	ep0 := cfgs[0].Peers[0].Endpoints
-	ep0 = derpEp + "," + ep0
+	ep0 = append([]wgcfg.Endpoint{derpEp}, ep0...)
 	cfgs[0].Peers[0].Endpoints = ep0
 	ep1 := cfgs[1].Peers[0].Endpoints
-	ep1 = derpEp + "," + ep1
+	ep1 = append([]wgcfg.Endpoint{derpEp}, ep1...)
 	cfgs[1].Peers[0].Endpoints = ep1
 	if err := m1.dev.Reconfig(&cfgs[0]); err != nil {
 		t.Fatal(err)
@@ -1071,8 +1020,8 @@ func testTwoDevicePing(t *testing.T, d *devices) {
 	})

 	// Disable real route.
-	cfgs[0].Peers[0].Endpoints = derpEp
-	cfgs[1].Peers[0].Endpoints = derpEp
+	cfgs[0].Peers[0].Endpoints = []wgcfg.Endpoint{derpEp}
+	cfgs[1].Peers[0].Endpoints = []wgcfg.Endpoint{derpEp}
 	if err := m1.dev.Reconfig(&cfgs[0]); err != nil {
 		t.Fatal(err)
 	}
@@ -1126,7 +1075,7 @@ func testTwoDevicePing(t *testing.T, d *devices) {
 	})
 }

-// TestAddrSet tests addrSet appendDests and updateDst.
+// TestAddrSet tests AddrSet appendDests and UpdateDst.
 func TestAddrSet(t *testing.T) {
 	tstest.PanicOnLog()
 	rc := tstest.NewResourceCheck()
@@ -1185,13 +1134,13 @@ func TestAddrSet(t *testing.T) {
 	}
 	tests := []struct {
 		name     string
-		as       *addrSet
+		as       *AddrSet
 		steps    []step
 		logCheck func(t *testing.T, logged []byte)
 	}{
 		{
 			name: "reg_packet_no_curaddr",
-			as: &addrSet{
+			as: &AddrSet{
 				addrs:    udpAddrs("127.3.3.40:1", "123.45.67.89:123", "10.0.0.1:123"),
 				curAddr:  -1, // unknown
 				roamAddr: nil,
@@ -1202,7 +1151,7 @@ func TestAddrSet(t *testing.T) {
 		},
 		{
 			name: "reg_packet_have_curaddr",
-			as: &addrSet{
+			as: &AddrSet{
 				addrs:    udpAddrs("127.3.3.40:1", "123.45.67.89:123", "10.0.0.1:123"),
 				curAddr:  1, // global IP
 				roamAddr: nil,
@@ -1213,7 +1162,7 @@ func TestAddrSet(t *testing.T) {
 		},
 		{
 			name: "reg_packet_have_roamaddr",
-			as: &addrSet{
+			as: &AddrSet{
 				addrs:    udpAddrs("127.3.3.40:1", "123.45.67.89:123", "10.0.0.1:123"),
 				curAddr:  2, // should be ignored
 				roamAddr: mustIPPortPtr("5.6.7.8:123"),
@@ -1226,7 +1175,7 @@ func TestAddrSet(t *testing.T) {
 		},
 		{
 			name: "start_roaming",
-			as: &addrSet{
+			as: &AddrSet{
 				addrs:   udpAddrs("127.3.3.40:1", "123.45.67.89:123", "10.0.0.1:123"),
 				curAddr: 2,
 			},
@@ -1242,7 +1191,7 @@ func TestAddrSet(t *testing.T) {
 		},
 		{
 			name: "spray_packet",
-			as: &addrSet{
+			as: &AddrSet{
 				addrs:    udpAddrs("127.3.3.40:1", "123.45.67.89:123", "10.0.0.1:123"),
 				curAddr:  2, // should be ignored
 				roamAddr: mustIPPortPtr("5.6.7.8:123"),
@@ -1258,7 +1207,7 @@ func TestAddrSet(t *testing.T) {
 		},
 		{
 			name: "low_pri",
-			as: &addrSet{
+			as: &AddrSet{
 				addrs:   udpAddrs("127.3.3.40:1", "123.45.67.89:123", "10.0.0.1:123"),
 				curAddr: 2,
 			},
@@ -1288,7 +1237,7 @@ func TestAddrSet(t *testing.T) {
 				faket = faket.Add(st.advance)

 				if st.updateDst != nil {
-					if err := tt.as.updateDst(st.updateDst); err != nil {
+					if err := tt.as.UpdateDst(st.updateDst); err != nil {
 						t.Fatal(err)
 					}
 					continue
@@ -1305,9 +1254,9 @@ func TestAddrSet(t *testing.T) {
 	}
 }

-// initAddrSet initializes fields in the provided incomplete addrSet
+// initAddrSet initializes fields in the provided incomplete AddrSet
 // to satisfying invariants within magicsock.
-func initAddrSet(as *addrSet) {
+func initAddrSet(as *AddrSet) {
 	if as.roamAddr != nil && as.roamAddrStd == nil {
 		as.roamAddrStd = as.roamAddr.UDPAddr()
 	}
@@ -1382,7 +1331,7 @@ func stringifyConfig(cfg wgcfg.Config) string {
 	return string(j)
 }

-func Test32bitAlignment(t *testing.T) {
+func TestDiscoEndpointAlignment(t *testing.T) {
 	var de discoEndpoint
 	off := unsafe.Offsetof(de.lastRecvUnixAtomic)
 	if off%8 != 0 {
@@ -1394,109 +1343,4 @@ func Test32bitAlignment(t *testing.T) {
 	if de.isFirstRecvActivityInAwhile() {
 		t.Error("expected false on second call")
 	}
-	var c Conn
-	atomic.AddInt64(&c.derpRecvCountAtomic, 1)
-}
-
-func BenchmarkReceiveFrom(b *testing.B) {
-	port := pickPort(b)
-	conn, err := NewConn(Options{
-		Logf: b.Logf,
-		Port: port,
-		EndpointsFunc: func(eps []string) {
-			b.Logf("endpoints: %q", eps)
-		},
-		DisableLegacyNetworking: true,
-	})
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer conn.Close()
-
-	sendConn, err := net.ListenPacket("udp4", "127.0.0.1:0")
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer sendConn.Close()
-
-	// Give conn just enough state that it'll recognize sendConn as a
-	// valid peer and not fall through to the legacy magicsock
-	// codepath.
-	discoKey := tailcfg.DiscoKey{31: 1}
-	conn.SetNetworkMap(&controlclient.NetworkMap{
-		Peers: []*tailcfg.Node{
-			{
-				DiscoKey:  discoKey,
-				Endpoints: []string{sendConn.LocalAddr().String()},
-			},
-		},
-	})
-	conn.CreateEndpoint([32]byte{1: 1}, "0000000000000000000000000000000000000000000000000000000000000001.disco.tailscale:12345")
-	conn.addValidDiscoPathForTest(discoKey, netaddr.MustParseIPPort(sendConn.LocalAddr().String()))
-
-	var dstAddr net.Addr = conn.pconn4.LocalAddr()
-	sendBuf := make([]byte, 1<<10)
-	for i := range sendBuf {
-		sendBuf[i] = 'x'
-	}
-
-	buf := make([]byte, 2<<10)
-	for i := 0; i < b.N; i++ {
-		if _, err := sendConn.WriteTo(sendBuf, dstAddr); err != nil {
-			b.Fatalf("WriteTo: %v", err)
-		}
-		n, ep, err := conn.ReceiveIPv4(buf)
-		if err != nil {
-			b.Fatal(err)
-		}
-		_ = n
-		_ = ep
-	}
-}
-
-func BenchmarkReceiveFrom_Native(b *testing.B) {
-	recvConn, err := net.ListenPacket("udp4", "127.0.0.1:0")
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer recvConn.Close()
-	recvConnUDP := recvConn.(*net.UDPConn)
-
-	sendConn, err := net.ListenPacket("udp4", "127.0.0.1:0")
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer sendConn.Close()
-
-	var dstAddr net.Addr = recvConn.LocalAddr()
-	sendBuf := make([]byte, 1<<10)
-	for i := range sendBuf {
-		sendBuf[i] = 'x'
-	}
-
-	buf := make([]byte, 2<<10)
-	for i := 0; i < b.N; i++ {
-		if _, err := sendConn.WriteTo(sendBuf, dstAddr); err != nil {
-			b.Fatalf("WriteTo: %v", err)
-		}
-		if _, _, err := recvConnUDP.ReadFromUDP(buf); err != nil {
-			b.Fatalf("ReadFromUDP: %v", err)
-		}
-	}
-}
-
-func wireguardGoLogger(logf logger.Logf) *device.Logger {
-	// wireguard-go logs as it starts and stops routines.
-	// Silence those; there are a lot of them, and they're just noise.
-	allowLogf := func(s string) bool {
-		return !strings.Contains(s, "Routine:")
-	}
-	filtered := logger.Filtered(logf, allowLogf)
-	stdLogger := logger.StdLogger(filtered)
-
-	return &device.Logger{
-		Debug: stdLogger,
-		Info:  stdLogger,
-		Error: stdLogger,
-	}
 }
--- a/wgengine/monitor/monitor_linux.go
+++ b/wgengine/monitor/monitor_linux.go
@@ -52,7 +52,10 @@ func newOSMon(logf logger.Logf) (osMon, error) {
 	return &nlConn{logf: logf, conn: conn}, nil
 }

-func (c *nlConn) Close() error { return c.conn.Close() }
+func (c *nlConn) Close() error {
+	c.conn.SetDeadline(time.Unix(0, 0)) // abort any Receive in flight
+	return c.conn.Close()
+}

 func (c *nlConn) Receive() (message, error) {
 	if len(c.buffered) == 0 {
--- a/wgengine/monitor/monitor_windows.go
+++ b/wgengine/monitor/monitor_windows.go
@@ -51,14 +51,13 @@ type messageOrError struct {
 }

 type winMon struct {
-	ctx             context.Context
-	cancel          context.CancelFunc
-	messagec        chan messageOrError
-	logf            logger.Logf
-	pollTicker      *time.Ticker
-	lastState       *interfaces.State
-	closeHandle     windows.Handle // signaled upon close
-	goroutineDoneCh chan struct{}  // closed when awaitIPAndRouteChanges goroutine has stopped
+	ctx         context.Context
+	cancel      context.CancelFunc
+	messagec    chan messageOrError
+	logf        logger.Logf
+	pollTicker  *time.Ticker
+	lastState   *interfaces.State
+	closeHandle windows.Handle // signaled upon close

 	mu            sync.Mutex
 	lastNetChange time.Time
@@ -73,13 +72,12 @@ func newOSMon(logf logger.Logf) (osMon, error) {

 	ctx, cancel := context.WithCancel(context.Background())
 	m := &winMon{
-		logf:            logf,
-		ctx:             ctx,
-		cancel:          cancel,
-		messagec:        make(chan messageOrError, 1),
-		pollTicker:      time.NewTicker(pollIntervalSlow),
-		closeHandle:     closeHandle,
-		goroutineDoneCh: make(chan struct{}),
+		logf:        logf,
+		ctx:         ctx,
+		cancel:      cancel,
+		messagec:    make(chan messageOrError, 1),
+		pollTicker:  time.NewTicker(pollIntervalSlow),
+		closeHandle: closeHandle,
 	}
 	go m.awaitIPAndRouteChanges()
 	return m, nil
@@ -89,12 +87,6 @@ func (m *winMon) Close() error {
 	m.cancel()
 	m.pollTicker.Stop()
 	windows.SetEvent(m.closeHandle) // wakes up any reader blocked in Receive
-
-	// Wait for awaitIPAndRouteChannges to be done, which could
-	// still be using the m.closeHandle.
-	<-m.goroutineDoneCh
-
-	windows.CloseHandle(m.closeHandle)
 	return nil
 }

@@ -133,7 +125,6 @@ func (m *winMon) stateChanged() bool {
 }

 func (m *winMon) awaitIPAndRouteChanges() {
-	defer close(m.goroutineDoneCh)
 	for {
 		msg, err := m.getIPOrRouteChangeMessage()
 		if err == errClosed {
--- a/Show More
+++ b/Show More