ipn/ipnlocal: put DNS suffixes of shared nodes as split DNS routes

Updates #3756
Updates #3767

Co-authored-by: Mihai Parparita <mihai@tailscale.com>
Change-Id: I049ffa7e7dce3d7a7ee4c6aa37f7d4ceefd1ff9d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

.github/workflows/cross-darwin.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19
+        go-version: 1.18
       id: go
 
     - name: Check out code into the Go module directory

.github/workflows/cross-freebsd.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19
+        go-version: 1.18
       id: go
 
     - name: Check out code into the Go module directory

.github/workflows/cross-openbsd.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19
+        go-version: 1.18
       id: go
 
     - name: Check out code into the Go module directory

.github/workflows/cross-wasm.yml

@@ -19,22 +19,17 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19
+        go-version: 1.18
       id: go
 
     - name: Check out code into the Go module directory
       uses: actions/checkout@v3
 
-    - name: Wasm client build
+    - name: Wasm build CLI and client modules
       env:
         GOOS: js
         GOARCH: wasm
-      run: go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
-
-    - name: tsconnect static build
-      # Use our custom Go toolchain, we set build tags (to control binary size)
-      # that depend on it.
-      run: ./tool/go run ./cmd/tsconnect --fast-compression build
+      run: go build ./cmd/tailscale/cli ./ipn/... ./net/... ./safesocket ./types/... ./wgengine/...
 
     - uses: k0kubun/action-slack@v2.0.0
       with:

.github/workflows/cross-windows.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19
+        go-version: 1.18
       id: go
 
     - name: Check out code into the Go module directory

.github/workflows/depaware.yml

@@ -16,7 +16,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19
+        go-version: 1.18
 
     - name: Check out code
       uses: actions/checkout@v3

.github/workflows/go_generate.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.19
+          go-version: 1.18
 
       - name: Check out code
         uses: actions/checkout@v3

.github/workflows/license.yml

@@ -16,7 +16,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19
+        go-version: 1.18
 
     - name: Check out code
       uses: actions/checkout@v3

.github/workflows/linux-race.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19
+        go-version: 1.18
       id: go
 
     - name: Check out code into the Go module directory

.github/workflows/linux.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19
+        go-version: 1.18
       id: go
 
     - name: Check out code into the Go module directory
@@ -28,11 +28,6 @@ jobs:
     - name: Basic build
       run: go build ./cmd/...
 
-    - name: Build variants
-      run: |
-        go install --tags=ts_include_cli ./cmd/tailscaled
-        go install --tags=ts_omit_aws ./cmd/tailscaled
-
     - name: Get QEMU
       run: |
         # The qemu in Ubuntu 20.04 (Focal) is too old; we need 5.x something

.github/workflows/linux32.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19
+        go-version: 1.18
       id: go
 
     - name: Check out code into the Go module directory

.github/workflows/staticcheck.yml

@@ -16,14 +16,11 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19
+        go-version: 1.18
 
     - name: Check out code
       uses: actions/checkout@v3
 
-    - name: Run gofmt (goimports)
-      run: go run golang.org/x/tools/cmd/goimports -d --format-only .
-
     - name: Run go vet
       run: go vet ./...
 

.github/workflows/vm.yml

@@ -18,7 +18,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.19
+          go-version: 1.18
 
       - name: Checkout Code
         uses: actions/checkout@v3

.github/workflows/windows-race.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Install Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19.x
+        go-version: 1.18.x
 
     - name: Checkout code
       uses: actions/checkout@v3

.github/workflows/windows.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Install Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19.x
+        go-version: 1.18.x
 
     - name: Checkout code
       uses: actions/checkout@v3

Dockerfile

@@ -72,4 +72,3 @@ FROM alpine:3.16
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
 
 COPY --from=build-env /go/bin/* /usr/local/bin/
-COPY --from=build-env /go/src/tailscale/docs/k8s/run.sh /usr/local/bin/

Makefile

@@ -9,7 +9,7 @@ vet:
 	./tool/go vet ./...
 
 tidy:
-	./tool/go mod tidy
+	./tool/go mod tidy -compat=1.17
 
 updatedeps:
 	./tool/go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscaled

README.md

@@ -43,7 +43,10 @@ If your distro has conventions that preclude the use of
 `build_dist.sh`, please do the equivalent of what it does in your
 distro's way, so that bug reports contain useful version information.
 
-We require the latest Go release, currently Go 1.19.
+We only guarantee to support the latest Go release and any Go beta or
+release candidate builds (currently Go 1.18) in module mode. It might
+work in earlier Go versions or in GOPATH mode, but we're making no
+effort to keep those working.
 
 ## Bugs
 

VERSION.txt

@@ -1 +1 @@
-1.29.0
+1.27.0

api.md

@@ -1120,7 +1120,7 @@ Replaces the list of searchpaths with the list supplied by the user and returns
 `searchPaths` - A list of searchpaths in JSON.
 ```
 {
-  "searchPaths": ["user1.example.com", "user2.example.com"]
+  "searchPaths: ["user1.example.com", "user2.example.com"]
 }
 ```
 

build_dist.sh

@@ -45,25 +45,4 @@ EOF
 	exit 0
 fi
 
-tags=""
-ldflags="-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}"
-
-# build_dist.sh arguments must precede go build arguments.
-while [ "$#" -gt 1 ]; do
-	case "$1" in
-	--extra-small)
-		shift
-		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws"
-		;;
-	--box)
-		shift
-		tags="${tags:+$tags,}ts_include_cli"
-		;;
-	*)
-		break
-		;;
-	esac
-done
-
-exec ./tool/go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"
+exec ./tool/go build -ldflags "-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}" "$@"

client/tailscale/acl.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18
 
 package tailscale
 
@@ -13,7 +13,8 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"net/netip"
+
+	"inet.af/netaddr"
 )
 
 // ACLRow defines a rule that grants access by a set of users or groups to a set
@@ -353,7 +354,7 @@ func (c *Client) PreviewACLForUser(ctx context.Context, acl ACL, user string) (r
 // Returns ACLPreview on success with matches in a slice. If there are no matches,
 // the call is still successful but Matches will be an empty slice.
 // Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netip.AddrPort) (res *ACLPreview, err error) {
+func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netaddr.IPPort) (res *ACLPreview, err error) {
 	// Format return errors to be descriptive.
 	defer func() {
 		if err != nil {

client/tailscale/devices.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18
 
 package tailscale
 

client/tailscale/dns.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18
 
 package tailscale
 

client/tailscale/localclient.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18
 
 package tailscale
 
@@ -19,7 +19,6 @@ import (
 	"net"
 	"net/http"
 	"net/http/httptrace"
-	"net/netip"
 	"net/url"
 	"os/exec"
 	"runtime"
@@ -29,6 +28,7 @@ import (
 	"time"
 
 	"go4.org/mem"
+	"inet.af/netaddr"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -665,7 +665,7 @@ func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn str
 
 // Ping sends a ping of the provided type to the provided IP and waits
 // for its response.
-func (lc *LocalClient) Ping(ctx context.Context, ip netip.Addr, pingtype tailcfg.PingType) (*ipnstate.PingResult, error) {
+func (lc *LocalClient) Ping(ctx context.Context, ip netaddr.IP, pingtype tailcfg.PingType) (*ipnstate.PingResult, error) {
 	v := url.Values{}
 	v.Set("ip", ip.String())
 	v.Set("type", string(pingtype))

client/tailscale/required_version.go

@@ -2,11 +2,11 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build !go1.19
-// +build !go1.19
+//go:build !go1.18
+// +build !go1.18
 
 package tailscale
 
 func init() {
-	you_need_Go_1_19_to_compile_Tailscale()
+	you_need_Go_1_18_to_compile_Tailscale()
 }

client/tailscale/routes.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18
 
 package tailscale
 
@@ -13,14 +13,15 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"net/netip"
+
+	"inet.af/netaddr"
 )
 
 // Routes contains the lists of subnet routes that are currently advertised by a device,
 // as well as the subnets that are enabled to be routed by the device.
 type Routes struct {
-	AdvertisedRoutes []netip.Prefix `json:"advertisedRoutes"`
-	EnabledRoutes    []netip.Prefix `json:"enabledRoutes"`
+	AdvertisedRoutes []netaddr.IPPrefix `json:"advertisedRoutes"`
+	EnabledRoutes    []netaddr.IPPrefix `json:"enabledRoutes"`
 }
 
 // Routes retrieves the list of subnet routes that have been enabled for a device.
@@ -55,14 +56,14 @@ func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, e
 }
 
 type postRoutesParams struct {
-	Routes []netip.Prefix `json:"routes"`
+	Routes []netaddr.IPPrefix `json:"routes"`
 }
 
 // SetRoutes updates the list of subnets that are enabled for a device.
-// Subnets must be parsable by net/netip.ParsePrefix.
+// Subnets must be parsable by inet.af/netaddr.ParseIPPrefix.
 // Subnets do not have to be currently advertised by a device, they may be pre-enabled.
 // Returns the updated list of enabled and advertised subnet routes in a *Routes object.
-func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netip.Prefix) (routes *Routes, err error) {
+func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netaddr.IPPrefix) (routes *Routes, err error) {
 	defer func() {
 		if err != nil {
 			err = fmt.Errorf("tailscale.SetRoutes: %w", err)

client/tailscale/tailnet.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18
 
 package tailscale
 

client/tailscale/tailscale.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18
 
 // Package tailscale contains Go clients for the Tailscale Local API and
 // Tailscale control plane API.

cmd/cloner/cloner.go

@@ -153,25 +153,18 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 			}
 			writef("}")
 		case *types.Map:
-			elem := ft.Elem()
 			writef("if dst.%s != nil {", fname)
-			writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(elem))
-			if sliceType, isSlice := elem.(*types.Slice); isSlice {
+			writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(ft.Elem()))
+			if sliceType, isSlice := ft.Elem().(*types.Slice); isSlice {
 				n := it.QualifiedName(sliceType.Elem())
 				writef("\tfor k := range src.%s {", fname)
 				// use zero-length slice instead of nil to ensure
 				// the key is always copied.
 				writef("\t\tdst.%s[k] = append([]%s{}, src.%s[k]...)", fname, n, fname)
 				writef("\t}")
-			} else if codegen.ContainsPointers(elem) {
+			} else if codegen.ContainsPointers(ft.Elem()) {
 				writef("\tfor k, v := range src.%s {", fname)
-				switch elem.(type) {
-				case *types.Pointer:
-					writef("\t\tdst.%s[k] = v.Clone()", fname)
-				default:
-					writef("\t\tv2 := v.Clone()")
-					writef("\t\tdst.%s[k] = *v2", fname)
-				}
+				writef("\t\tdst.%s[k] = v.Clone()", fname)
 				writef("\t}")
 			} else {
 				writef("\tfor k, v := range src.%s {", fname)

cmd/derper/derper.go

@@ -29,6 +29,7 @@ import (
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
+	"tailscale.com/logpolicy"
 	"tailscale.com/metrics"
 	"tailscale.com/net/stun"
 	"tailscale.com/tsweb"
@@ -36,15 +37,16 @@ import (
 )
 
 var (
-	dev        = flag.Bool("dev", false, "run in localhost development mode")
-	addr       = flag.String("a", ":443", "server HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces.")
-	httpPort   = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
-	stunPort   = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
-	configPath = flag.String("c", "", "config file path")
-	certMode   = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
-	certDir    = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
-	hostname   = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
-	runSTUN    = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
+	dev           = flag.Bool("dev", false, "run in localhost development mode")
+	addr          = flag.String("a", ":443", "server HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces.")
+	httpPort      = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
+	stunPort      = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
+	configPath    = flag.String("c", "", "config file path")
+	certMode      = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
+	certDir       = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
+	hostname      = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
+	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
+	runSTUN       = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
 
 	meshPSKFile   = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
 	meshWith      = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
@@ -133,6 +135,7 @@ func main() {
 	flag.Parse()
 
 	if *dev {
+		*logCollection = ""
 		*addr = ":3340" // above the keys DERP
 		log.Printf("Running in dev mode.")
 		tsweb.DevMode = true
@@ -143,6 +146,12 @@ func main() {
 		log.Fatalf("invalid server address: %v", err)
 	}
 
+	var logPol *logpolicy.Policy
+	if *logCollection != "" {
+		logPol = logpolicy.New(*logCollection)
+		log.SetOutput(logPol.Logtail)
+	}
+
 	cfg := loadConfig()
 
 	serveTLS := tsweb.IsProd443(*addr) || *certMode == "manual"

cmd/derper/websocket.go

@@ -6,6 +6,7 @@ package main
 
 import (
 	"bufio"
+	"context"
 	"expvar"
 	"log"
 	"net/http"
@@ -44,8 +45,8 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 			return
 		}
 		counterWebSocketAccepts.Add(1)
-		wc := websocket.NetConn(r.Context(), c, websocket.MessageBinary)
+		wc := websocket.NetConn(context.Background(), c, websocket.MessageBinary)
 		brw := bufio.NewReadWriter(bufio.NewReader(wc), bufio.NewWriter(wc))
-		s.Accept(r.Context(), wc, brw, r.RemoteAddr)
+		s.Accept(wc, brw, r.RemoteAddr)
 	})
 }

cmd/gitops-pusher/.gitignore

@@ -1 +0,0 @@
-version-cache.json

cmd/gitops-pusher/cache.go

@@ -1,67 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"encoding/json"
-	"os"
-)
-
-// Cache contains cached information about the last time this tool was run.
-//
-// This is serialized to a JSON file that should NOT be checked into git.
-// It should be managed with either CI cache tools or stored locally somehow. The
-// exact mechanism is irrelevant as long as it is consistent.
-//
-// This allows gitops-pusher to detect external ACL changes. I'm not sure what to
-// call this problem, so I've been calling it the "three version problem" in my
-// notes. The basic problem is that at any given time we only have two versions
-// of the ACL file at any given point. In order to check if there has been
-// tampering of the ACL files in the admin panel, we need to have a _third_ version
-// to compare against.
-//
-// In this case I am not storing the old ACL entirely (though that could be a
-// reasonable thing to add in the future), but only its sha256sum. This allows
-// us to detect if the shasum in control matches the shasum we expect, and if that
-// expectation fails, then we can react accordingly.
-type Cache struct {
-	PrevETag string // Stores the previous ETag of the ACL to allow
-}
-
-// Save persists the cache to a given file.
-func (c *Cache) Save(fname string) error {
-	os.Remove(fname)
-	fout, err := os.Create(fname)
-	if err != nil {
-		return err
-	}
-	defer fout.Close()
-
-	return json.NewEncoder(fout).Encode(c)
-}
-
-// LoadCache loads the cache from a given file.
-func LoadCache(fname string) (*Cache, error) {
-	var result Cache
-
-	fin, err := os.Open(fname)
-	if err != nil {
-		return nil, err
-	}
-	defer fin.Close()
-
-	err = json.NewDecoder(fin).Decode(&result)
-	if err != nil {
-		return nil, err
-	}
-
-	return &result, nil
-}
-
-// Shuck removes the first and last character of a string, analogous to
-// shucking off the husk of an ear of corn.
-func Shuck(s string) string {
-	return s[1 : len(s)-1]
-}

cmd/gitops-pusher/gitops-pusher.go

@@ -13,140 +13,24 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
+	"io"
 	"log"
 	"net/http"
 	"os"
-	"regexp"
 	"strings"
 	"time"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"github.com/tailscale/hujson"
 )
 
 var (
-	rootFlagSet  = flag.NewFlagSet("gitops-pusher", flag.ExitOnError)
-	policyFname  = rootFlagSet.String("policy-file", "./policy.hujson", "filename for policy file")
-	cacheFname   = rootFlagSet.String("cache-file", "./version-cache.json", "filename for the previous known version hash")
-	timeout      = rootFlagSet.Duration("timeout", 5*time.Minute, "timeout for the entire CI run")
-	githubSyntax = rootFlagSet.Bool("github-syntax", true, "use GitHub Action error syntax (https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message)")
-
-	modifiedExternallyFailure = make(chan struct{}, 1)
+	policyFname = flag.String("policy-file", "./policy.hujson", "filename for policy file")
+	timeout     = flag.Duration("timeout", 5*time.Minute, "timeout for the entire CI run")
 )
 
-func modifiedExternallyError() {
-	if *githubSyntax {
-		fmt.Printf("::error file=%s,line=1,col=1,title=Policy File Modified Externally::The policy file was modified externally in the admin console.\n", *policyFname)
-	} else {
-		fmt.Printf("The policy file was modified externally in the admin console.\n")
-	}
-	modifiedExternallyFailure <- struct{}{}
-}
-
-func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
-	return func(ctx context.Context, args []string) error {
-		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
-		if err != nil {
-			return err
-		}
-
-		localEtag, err := sumFile(*policyFname)
-		if err != nil {
-			return err
-		}
-
-		if cache.PrevETag == "" {
-			log.Println("no previous etag found, assuming local file is correct and recording that")
-			cache.PrevETag = localEtag
-		}
-
-		log.Printf("control: %s", controlEtag)
-		log.Printf("local:   %s", localEtag)
-		log.Printf("cache:   %s", cache.PrevETag)
-
-		if cache.PrevETag != controlEtag {
-			modifiedExternallyError()
-		}
-
-		if controlEtag == localEtag {
-			cache.PrevETag = localEtag
-			log.Println("no update needed, doing nothing")
-			return nil
-		}
-
-		if err := applyNewACL(ctx, tailnet, apiKey, *policyFname, controlEtag); err != nil {
-			return err
-		}
-
-		cache.PrevETag = localEtag
-
-		return nil
-	}
-}
-
-func test(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
-	return func(ctx context.Context, args []string) error {
-		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
-		if err != nil {
-			return err
-		}
-
-		localEtag, err := sumFile(*policyFname)
-		if err != nil {
-			return err
-		}
-
-		if cache.PrevETag == "" {
-			log.Println("no previous etag found, assuming local file is correct and recording that")
-			cache.PrevETag = localEtag
-		}
-
-		log.Printf("control: %s", controlEtag)
-		log.Printf("local:   %s", localEtag)
-		log.Printf("cache:   %s", cache.PrevETag)
-
-		if cache.PrevETag != controlEtag {
-			modifiedExternallyError()
-		}
-
-		if controlEtag == localEtag {
-			log.Println("no updates found, doing nothing")
-			return nil
-		}
-
-		if err := testNewACLs(ctx, tailnet, apiKey, *policyFname); err != nil {
-			return err
-		}
-		return nil
-	}
-}
-
-func getChecksums(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
-	return func(ctx context.Context, args []string) error {
-		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
-		if err != nil {
-			return err
-		}
-
-		localEtag, err := sumFile(*policyFname)
-		if err != nil {
-			return err
-		}
-
-		if cache.PrevETag == "" {
-			log.Println("no previous etag found, assuming local file is correct and recording that")
-			cache.PrevETag = Shuck(localEtag)
-		}
-
-		log.Printf("control: %s", controlEtag)
-		log.Printf("local:   %s", localEtag)
-		log.Printf("cache:   %s", cache.PrevETag)
-
-		return nil
-	}
-}
-
 func main() {
+	flag.Parse()
+	ctx, cancel := context.WithTimeout(context.Background(), *timeout)
+	defer cancel()
+
 	tailnet, ok := os.LookupEnv("TS_TAILNET")
 	if !ok {
 		log.Fatal("set envvar TS_TAILNET to your tailnet's name")
@@ -155,82 +39,72 @@ func main() {
 	if !ok {
 		log.Fatal("set envvar TS_API_KEY to your Tailscale API key")
 	}
-	cache, err := LoadCache(*cacheFname)
-	if err != nil {
-		if os.IsNotExist(err) {
-			cache = &Cache{}
-		} else {
-			log.Fatalf("error loading cache: %v", err)
+
+	switch flag.Arg(0) {
+	case "apply":
+		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
+		if err != nil {
+			log.Fatal(err)
 		}
-	}
-	defer cache.Save(*cacheFname)
 
-	applyCmd := &ffcli.Command{
-		Name:       "apply",
-		ShortUsage: "gitops-pusher [options] apply",
-		ShortHelp:  "Pushes changes to CONTROL",
-		LongHelp:   `Pushes changes to CONTROL`,
-		Exec:       apply(cache, tailnet, apiKey),
-	}
+		localEtag, err := sumFile(*policyFname)
+		if err != nil {
+			log.Fatal(err)
+		}
 
-	testCmd := &ffcli.Command{
-		Name:       "test",
-		ShortUsage: "gitops-pusher [options] test",
-		ShortHelp:  "Tests ACL changes",
-		LongHelp:   "Tests ACL changes",
-		Exec:       test(cache, tailnet, apiKey),
-	}
+		log.Printf("control: %s", controlEtag)
+		log.Printf("local:   %s", localEtag)
 
-	cksumCmd := &ffcli.Command{
-		Name:       "checksum",
-		ShortUsage: "Shows checksums of ACL files",
-		ShortHelp:  "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
-		LongHelp:   "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
-		Exec:       getChecksums(cache, tailnet, apiKey),
-	}
+		if controlEtag == localEtag {
+			log.Println("no update needed, doing nothing")
+			os.Exit(0)
+		}
 
-	root := &ffcli.Command{
-		ShortUsage:  "gitops-pusher [options] <command>",
-		ShortHelp:   "Push Tailscale ACLs to CONTROL using a GitOps workflow",
-		Subcommands: []*ffcli.Command{applyCmd, cksumCmd, testCmd},
-		FlagSet:     rootFlagSet,
-	}
+		if err := applyNewACL(ctx, tailnet, apiKey, *policyFname, controlEtag); err != nil {
+			log.Fatal(err)
+		}
 
-	if err := root.Parse(os.Args[1:]); err != nil {
-		log.Fatal(err)
-	}
+	case "test":
+		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
+		if err != nil {
+			log.Fatal(err)
+		}
 
-	ctx, cancel := context.WithTimeout(context.Background(), *timeout)
-	defer cancel()
+		localEtag, err := sumFile(*policyFname)
+		if err != nil {
+			log.Fatal(err)
+		}
 
-	if err := root.Run(ctx); err != nil {
-		fmt.Println(err)
-		os.Exit(1)
-	}
+		log.Printf("control: %s", controlEtag)
+		log.Printf("local:   %s", localEtag)
 
-	if len(modifiedExternallyFailure) != 0 {
-		os.Exit(1)
+		if controlEtag == localEtag {
+			log.Println("no updates found, doing nothing")
+			os.Exit(0)
+		}
+
+		if err := testNewACLs(ctx, tailnet, apiKey, *policyFname); err != nil {
+			log.Fatal(err)
+		}
+	default:
+		log.Fatalf("usage: %s [options] <test|apply>", os.Args[0])
 	}
 }
 
 func sumFile(fname string) (string, error) {
-	data, err := os.ReadFile(fname)
-	if err != nil {
-		return "", err
-	}
-
-	formatted, err := hujson.Format(data)
+	fin, err := os.Open(fname)
 	if err != nil {
 		return "", err
 	}
+	defer fin.Close()
 
 	h := sha256.New()
-	_, err = h.Write(formatted)
+	_, err = io.Copy(h, fin)
 	if err != nil {
 		return "", err
 	}
 
-	return fmt.Sprintf("%x", h.Sum(nil)), nil
+	return fmt.Sprintf("\"%x\"", h.Sum(nil)), nil
 }
 
 func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag string) error {
@@ -247,7 +121,7 @@ func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag stri
 
 	req.SetBasicAuth(apiKey, "")
 	req.Header.Set("Content-Type", "application/hujson")
-	req.Header.Set("If-Match", `"`+oldEtag+`"`)
+	req.Header.Set("If-Match", oldEtag)
 
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
@@ -291,27 +165,25 @@ func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error
 	}
 	defer resp.Body.Close()
 
-	var ate ACLTestError
-	err = json.NewDecoder(resp.Body).Decode(&ate)
-	if err != nil {
-		return err
-	}
-
-	if len(ate.Message) != 0 || len(ate.Data) != 0 {
-		return ate
-	}
-
 	got := resp.StatusCode
 	want := http.StatusOK
 	if got != want {
 		return fmt.Errorf("wanted HTTP status code %d but got %d", want, got)
 	}
 
+	var ate ACLTestError
+	err = json.NewDecoder(resp.Body).Decode(&ate)
+	if err != nil {
+		return err
+	}
+
+	if len(ate.Data) != 0 {
+		return ate
+	}
+
 	return nil
 }
 
-var lineColMessageSplit = regexp.MustCompile(`line ([0-9]+), column ([0-9]+): (.*)$`)
-
 type ACLTestError struct {
 	Message string               `json:"message"`
 	Data    []ACLTestErrorDetail `json:"data"`
@@ -320,17 +192,7 @@ type ACLTestError struct {
 func (ate ACLTestError) Error() string {
 	var sb strings.Builder
 
-	if *githubSyntax && lineColMessageSplit.MatchString(ate.Message) {
-		sp := lineColMessageSplit.FindStringSubmatch(ate.Message)
-
-		line := sp[1]
-		col := sp[2]
-		msg := sp[3]
-
-		fmt.Fprintf(&sb, "::error file=%s,line=%s,col=%s::%s", *policyFname, line, col, msg)
-	} else {
-		fmt.Fprintln(&sb, ate.Message)
-	}
+	fmt.Fprintln(&sb, ate.Message)
 	fmt.Fprintln(&sb)
 
 	for _, data := range ate.Data {
@@ -369,5 +231,5 @@ func getACLETag(ctx context.Context, tailnet, apiKey string) (string, error) {
 		return "", fmt.Errorf("wanted HTTP status code %d but got %d", want, got)
 	}
 
-	return Shuck(resp.Header.Get("ETag")), nil
+	return resp.Header.Get("ETag"), nil
 }

cmd/hello/hello.go

@@ -135,13 +135,13 @@ func tailscaleIP(who *apitype.WhoIsResponse) string {
 		return ""
 	}
 	for _, nodeIP := range who.Node.Addresses {
-		if nodeIP.Addr().Is4() && nodeIP.IsSingleIP() {
-			return nodeIP.Addr().String()
+		if nodeIP.IP().Is4() && nodeIP.IsSingleIP() {
+			return nodeIP.IP().String()
 		}
 	}
 	for _, nodeIP := range who.Node.Addresses {
 		if nodeIP.IsSingleIP() {
-			return nodeIP.Addr().String()
+			return nodeIP.IP().String()
 		}
 	}
 	return ""

cmd/proxy-to-grafana/proxy-to-grafana.go

@@ -14,14 +14,14 @@
 //
 // Use this Grafana configuration to enable the auth proxy:
 //
-//	[auth.proxy]
-//	enabled = true
-//	header_name = X-WEBAUTH-USER
-//	header_property = username
-//	auto_sign_up = true
-//	whitelist = 127.0.0.1
-//	headers = Name:X-WEBAUTH-NAME
-//	enable_login_token = true
+//     [auth.proxy]
+//     enabled = true
+//     header_name = X-WEBAUTH-USER
+//     header_property = username
+//     auto_sign_up = true
+//     whitelist = 127.0.0.1
+//     headers = Name:X-WEBAUTH-NAME
+//     enable_login_token = true
 package main
 
 import (

cmd/tailscale/cli/cert.go

@@ -17,6 +17,7 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/atomicfile"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/version"
 )
@@ -45,7 +46,7 @@ func runCert(ctx context.Context, args []string) error {
 	if certArgs.serve {
 		s := &http.Server{
 			TLSConfig: &tls.Config{
-				GetCertificate: localClient.GetCertificate,
+				GetCertificate: tailscale.GetCertificate,
 			},
 			Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				if r.TLS != nil && !strings.Contains(r.Host, ".") && r.Method == "GET" {
@@ -89,7 +90,7 @@ func runCert(ctx context.Context, args []string) error {
 		certArgs.certFile = domain + ".crt"
 		certArgs.keyFile = domain + ".key"
 	}
-	certPEM, keyPEM, err := localClient.CertPair(ctx, domain)
+	certPEM, keyPEM, err := tailscale.CertPair(ctx, domain)
 	if err != nil {
 		return err
 	}

cmd/tailscale/cli/cli.go

@@ -20,7 +20,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"syscall"
 	"text/tabwriter"
 
@@ -30,6 +29,7 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
+	"tailscale.com/syncs"
 	"tailscale.com/version/distro"
 )
 
@@ -230,7 +230,7 @@ var rootArgs struct {
 	socket string
 }
 
-var gotSignal atomic.Bool
+var gotSignal syncs.AtomicBool
 
 func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context, context.CancelFunc) {
 	s := safesocket.DefaultConnectionStrategy(rootArgs.socket)

cmd/tailscale/cli/cli_test.go

@@ -9,13 +9,13 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
-	"net/netip"
 	"reflect"
 	"strings"
 	"testing"
 
 	qt "github.com/frankban/quicktest"
 	"github.com/google/go-cmp/cmp"
+	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tstest"
@@ -56,7 +56,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 		flags    []string // argv to be parsed by FlagSet
 		curPrefs *ipn.Prefs
 
-		curExitNodeIP netip.Addr
+		curExitNodeIP netaddr.IP
 		curUser       string // os.Getenv("USER") on the client side
 		goos          string // empty means "linux"
 		distro        distro.Distro
@@ -152,10 +152,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("10.0.42.0/24"),
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.42.0/24"),
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-routes=10.0.42.0/24 --advertise-exit-node",
@@ -168,10 +168,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("10.0.42.0/24"),
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.42.0/24"),
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
 				},
 			},
 			want: "",
@@ -184,10 +184,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("10.0.42.0/24"),
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.42.0/24"),
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
 				},
 			},
 			want: "",
@@ -212,8 +212,8 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
 
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-exit-node --advertise-routes=1.2.0.0/16",
@@ -226,10 +226,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
-					netip.MustParsePrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
+					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-exit-node --advertise-routes=1.2.0.0/16",
@@ -255,16 +255,16 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				ControlURL:       ipn.DefaultControlURL,
 				RouteAll:         true,
 				AllowSingleHosts: false,
-				ExitNodeIP:       netip.MustParseAddr("100.64.5.6"),
+				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
 				CorpDNS:          false,
 				ShieldsUp:        true,
 				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
 				Hostname:         "myhostname",
 				ForceDaemon:      true,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("10.0.0.0/16"),
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.0.0/16"),
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
 				},
 				NetfilterMode: preftype.NetfilterNoDivert,
 				OperatorUser:  "alice",
@@ -280,14 +280,14 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				ControlURL:       ipn.DefaultControlURL,
 				RouteAll:         true,
 				AllowSingleHosts: false,
-				ExitNodeIP:       netip.MustParseAddr("100.64.5.6"),
+				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
 				CorpDNS:          false,
 				ShieldsUp:        true,
 				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
 				Hostname:         "myhostname",
 				ForceDaemon:      true,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("10.0.0.0/16"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.0.0/16"),
 				},
 				NetfilterMode: preftype.NetfilterNoDivert,
 				OperatorUser:  "alice",
@@ -344,10 +344,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
-					netip.MustParsePrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
+					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --operator=expbits --advertise-exit-node --advertise-routes=1.2.0.0/16",
@@ -360,10 +360,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
-					netip.MustParsePrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
+					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-routes=1.2.0.0/16 --operator=expbits --advertise-exit-node",
@@ -391,14 +391,14 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
 
-				ExitNodeIP: netip.MustParseAddr("100.64.5.4"),
+				ExitNodeIP: netaddr.MustParseIP("100.64.5.4"),
 			},
 			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.4",
 		},
 		{
 			name:          "error_exit_node_omit_with_id_pref",
 			flags:         []string{"--hostname=foo"},
-			curExitNodeIP: netip.MustParseAddr("100.64.5.7"),
+			curExitNodeIP: netaddr.MustParseIP("100.64.5.7"),
 			curPrefs: &ipn.Prefs{
 				ControlURL:       ipn.DefaultControlURL,
 				AllowSingleHosts: true,
@@ -412,7 +412,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 		{
 			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Isue 3480
 			flags:         []string{"--hostname=foo"},
-			curExitNodeIP: netip.MustParseAddr("100.2.3.4"),
+			curExitNodeIP: netaddr.MustParseIP("100.2.3.4"),
 			curPrefs: &ipn.Prefs{
 				ControlURL:       ipn.DefaultControlURL,
 				AllowSingleHosts: true,
@@ -562,9 +562,9 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				WantRunning:      true,
 				AllowSingleHosts: true,
 				CorpDNS:          true,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
 				},
 				NetfilterMode: preftype.NetfilterOn,
 			},
@@ -631,7 +631,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				exitNodeIP: "100.105.106.107",
 			},
 			st: &ipnstate.Status{
-				TailscaleIPs: []netip.Addr{netip.MustParseAddr("100.105.106.107")},
+				TailscaleIPs: []netaddr.IP{netaddr.MustParseIP("100.105.106.107")},
 			},
 			wantErr: `cannot use 100.105.106.107 as an exit node as it is a local IP address to this machine; did you mean --advertise-exit-node?`,
 		},
@@ -671,8 +671,8 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			want: &ipn.Prefs{
 				WantRunning: true,
 				NoSNAT:      true,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("fd7a:115c:a1e0:b1a::bb:10.0.0.0/112"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("fd7a:115c:a1e0:b1a::bb:10.0.0.0/112"),
 				},
 			},
 		},
@@ -956,7 +956,7 @@ func TestUpdatePrefs(t *testing.T) {
 	}
 }
 
-var cmpIP = cmp.Comparer(func(a, b netip.Addr) bool {
+var cmpIP = cmp.Comparer(func(a, b netaddr.IP) bool {
 	return a == b
 })
 

cmd/tailscale/cli/configure-host.go

@@ -66,7 +66,7 @@ func runConfigureHost(ctx context.Context, args []string) error {
 		return err
 	}
 	if isDSM6 {
-		printf("/dev/net/tun exists and has permissions 0666. Skipping setcap on DSM6.\n")
+		fmt.Printf("/dev/net/tun exists and has permissions 0666. Skipping setcap on DSM6.\n")
 		return nil
 	}
 
@@ -80,6 +80,6 @@ func runConfigureHost(ctx context.Context, args []string) error {
 	if out, err := exec.Command("/bin/setcap", "cap_net_admin,cap_net_raw+eip", daemonBin).CombinedOutput(); err != nil {
 		return fmt.Errorf("setcap: %v, %s", err, out)
 	}
-	printf("Done. To restart Tailscale to use the new permissions, run:\n\n  sudo synosystemctl restart pkgctl-Tailscale.service\n\n")
+	fmt.Printf("Done. To restart Tailscale to use the new permissions, run:\n\n  sudo synosystemctl restart pkgctl-Tailscale.service\n\n")
 	return nil
 }

cmd/tailscale/cli/debug.go

@@ -17,7 +17,6 @@ import (
 	"log"
 	"net"
 	"net/http"
-	"net/netip"
 	"os"
 	"runtime"
 	"strconv"
@@ -25,6 +24,7 @@ import (
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"inet.af/netaddr"
 	"tailscale.com/control/controlhttp"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
@@ -308,18 +308,18 @@ func runStat(ctx context.Context, args []string) error {
 	for _, a := range args {
 		fi, err := os.Lstat(a)
 		if err != nil {
-			printf("%s: %v\n", a, err)
+			fmt.Printf("%s: %v\n", a, err)
 			continue
 		}
-		printf("%s: %v, %v\n", a, fi.Mode(), fi.Size())
+		fmt.Printf("%s: %v, %v\n", a, fi.Mode(), fi.Size())
 		if fi.IsDir() {
 			ents, _ := os.ReadDir(a)
 			for i, ent := range ents {
 				if i == 25 {
-					printf("  ...\n")
+					fmt.Printf("  ...\n")
 					break
 				}
-				printf("  - %s\n", ent.Name())
+				fmt.Printf("  - %s\n", ent.Name())
 			}
 		}
 	}
@@ -404,23 +404,23 @@ func runVia(ctx context.Context, args []string) error {
 	default:
 		return errors.New("expect either <site-id> <v4-cidr> or <v6-route>")
 	case 1:
-		ipp, err := netip.ParsePrefix(args[0])
+		ipp, err := netaddr.ParseIPPrefix(args[0])
 		if err != nil {
 			return err
 		}
-		if !ipp.Addr().Is6() {
+		if !ipp.IP().Is6() {
 			return errors.New("with one argument, expect an IPv6 CIDR")
 		}
-		if !tsaddr.TailscaleViaRange().Contains(ipp.Addr()) {
+		if !tsaddr.TailscaleViaRange().Contains(ipp.IP()) {
 			return errors.New("not a via route")
 		}
 		if ipp.Bits() < 96 {
 			return errors.New("short length, want /96 or more")
 		}
-		v4 := tsaddr.UnmapVia(ipp.Addr())
-		a := ipp.Addr().As16()
+		v4 := tsaddr.UnmapVia(ipp.IP())
+		a := ipp.IP().As16()
 		siteID := binary.BigEndian.Uint32(a[8:12])
-		printf("site %v (0x%x), %v\n", siteID, siteID, netip.PrefixFrom(v4, ipp.Bits()-96))
+		fmt.Printf("site %v (0x%x), %v\n", siteID, siteID, netaddr.IPPrefixFrom(v4, ipp.Bits()-96))
 	case 2:
 		siteID, err := strconv.ParseUint(args[0], 0, 32)
 		if err != nil {
@@ -429,7 +429,7 @@ func runVia(ctx context.Context, args []string) error {
 		if siteID > 0xff {
 			return fmt.Errorf("site-id values over 255 are currently reserved")
 		}
-		ipp, err := netip.ParsePrefix(args[1])
+		ipp, err := netaddr.ParseIPPrefix(args[1])
 		if err != nil {
 			return err
 		}
@@ -437,7 +437,7 @@ func runVia(ctx context.Context, args []string) error {
 		if err != nil {
 			return err
 		}
-		outln(via)
+		fmt.Println(via)
 	}
 	return nil
 }

cmd/tailscale/cli/file.go

@@ -14,7 +14,6 @@ import (
 	"log"
 	"mime"
 	"net/http"
-	"net/netip"
 	"os"
 	"path"
 	"path/filepath"
@@ -24,6 +23,7 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"golang.org/x/time/rate"
+	"inet.af/netaddr"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
@@ -85,7 +85,7 @@ func runCp(ctx context.Context, args []string) error {
 		hadBrackets = true
 		target = strings.TrimSuffix(strings.TrimPrefix(target, "["), "]")
 	}
-	if ip, err := netip.ParseAddr(target); err == nil && ip.Is6() && !hadBrackets {
+	if ip, err := netaddr.ParseIP(target); err == nil && ip.Is6() && !hadBrackets {
 		return fmt.Errorf("an IPv6 literal must be written as [%s]", ip)
 	} else if hadBrackets && (err != nil || !ip.Is6()) {
 		return errors.New("unexpected brackets around target")
@@ -168,7 +168,7 @@ func runCp(ctx context.Context, args []string) error {
 }
 
 func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNodeID, isOffline bool, err error) {
-	ip, err := netip.ParseAddr(ipStr)
+	ip, err := netaddr.ParseIP(ipStr)
 	if err != nil {
 		return "", false, err
 	}
@@ -179,7 +179,7 @@ func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNode
 	for _, ft := range fts {
 		n := ft.Node
 		for _, a := range n.Addresses {
-			if a.Addr() != ip {
+			if a.IP() != ip {
 				continue
 			}
 			isOffline = n.Online != nil && !*n.Online
@@ -191,7 +191,7 @@ func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNode
 
 // fileTargetErrorDetail returns a non-nil error saying why ip is an
 // invalid file sharing target.
-func fileTargetErrorDetail(ctx context.Context, ip netip.Addr) error {
+func fileTargetErrorDetail(ctx context.Context, ip netaddr.IP) error {
 	found := false
 	if st, err := localClient.Status(ctx); err == nil && st.Self != nil {
 		for _, peer := range st.Peer {
@@ -281,7 +281,7 @@ func runCpTargets(ctx context.Context, args []string) error {
 		if detail != "" {
 			detail = "\t" + detail
 		}
-		printf("%s\t%s%s\n", n.Addresses[0].Addr(), n.ComputedName, detail)
+		printf("%s\t%s%s\n", n.Addresses[0].IP(), n.ComputedName, detail)
 	}
 	return nil
 }

cmd/tailscale/cli/id-token.go

@@ -7,6 +7,7 @@ package cli
 import (
 	"context"
 	"errors"
+	"fmt"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 )
@@ -28,6 +29,6 @@ func runIDToken(ctx context.Context, args []string) error {
 		return err
 	}
 
-	outln(tr.IDToken)
+	fmt.Println(tr.IDToken)
 	return nil
 }

cmd/tailscale/cli/ip.go

@@ -9,9 +9,9 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"net/netip"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"inet.af/netaddr"
 	"tailscale.com/ipn/ipnstate"
 )
 
@@ -100,7 +100,7 @@ func runIP(ctx context.Context, args []string) error {
 }
 
 func peerMatchingIP(st *ipnstate.Status, ipStr string) (ps *ipnstate.PeerStatus, ok bool) {
-	ip, err := netip.ParseAddr(ipStr)
+	ip, err := netaddr.ParseIP(ipStr)
 	if err != nil {
 		return
 	}

cmd/tailscale/cli/netcheck.go

@@ -126,10 +126,8 @@ func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
 		printf("\t* IPv6: yes, %v\n", report.GlobalV6)
 	} else if report.IPv6 {
 		printf("\t* IPv6: (no addr found)\n")
-	} else if report.OSHasIPv6 {
-		printf("\t* IPv6: no, but OS has support\n")
 	} else {
-		printf("\t* IPv6: no, unavailable in OS\n")
+		printf("\t* IPv6: no\n")
 	}
 	printf("\t* MappingVariesByDestIP: %v\n", report.MappingVariesByDestIP)
 	printf("\t* HairPinning: %v\n", report.HairPinning)

cmd/tailscale/cli/ping.go

@@ -11,12 +11,12 @@ import (
 	"fmt"
 	"log"
 	"net"
-	"net/netip"
 	"os"
 	"strings"
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"inet.af/netaddr"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
 )
@@ -116,7 +116,7 @@ func runPing(ctx context.Context, args []string) error {
 	for {
 		n++
 		ctx, cancel := context.WithTimeout(ctx, pingArgs.timeout)
-		pr, err := localClient.Ping(ctx, netip.MustParseAddr(ip), pingType())
+		pr, err := localClient.Ping(ctx, netaddr.MustParseIP(ip), pingType())
 		cancel()
 		if err != nil {
 			if errors.Is(err, context.DeadlineExceeded) {

cmd/tailscale/cli/risks.go

@@ -55,8 +55,8 @@ func presentRiskToUser(riskType, riskMessage string) error {
 	if riskAccepted(riskType) {
 		return nil
 	}
-	outln(riskMessage)
-	printf("To skip this warning, use --accept-risk=%s\n", riskType)
+	fmt.Println(riskMessage)
+	fmt.Printf("To skip this warning, use --accept-risk=%s\n", riskType)
 
 	interrupt := make(chan os.Signal, 1)
 	signal.Notify(interrupt, syscall.SIGINT)
@@ -64,15 +64,15 @@ func presentRiskToUser(riskType, riskMessage string) error {
 	for left := riskAbortTimeSeconds; left > 0; left-- {
 		msg := fmt.Sprintf("\rContinuing in %d seconds...", left)
 		msgLen = len(msg)
-		printf(msg)
+		fmt.Print(msg)
 		select {
 		case <-interrupt:
-			printf("\r%s\r", strings.Repeat("x", msgLen+1))
+			fmt.Printf("\r%s\r", strings.Repeat(" ", msgLen+1))
 			return errAborted
 		case <-time.After(time.Second):
 			continue
 		}
 	}
-	printf("\r%s\r", strings.Repeat(" ", msgLen))
+	fmt.Printf("\r%s\r", strings.Repeat(" ", msgLen))
 	return errAborted
 }

cmd/tailscale/cli/ssh.go

@@ -10,7 +10,6 @@ import (
 	"errors"
 	"fmt"
 	"log"
-	"net/netip"
 	"os"
 	"os/user"
 	"path/filepath"
@@ -18,6 +17,7 @@ import (
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"inet.af/netaddr"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/tsaddr"
@@ -163,10 +163,10 @@ func nodeDNSNameFromArg(st *ipnstate.Status, arg string) (dnsName string, ok boo
 	if arg == "" {
 		return
 	}
-	argIP, _ := netip.ParseAddr(arg)
+	argIP, _ := netaddr.ParseIP(arg)
 	for _, ps := range st.Peer {
 		dnsName = ps.DNSName
-		if argIP.IsValid() {
+		if !argIP.IsZero() {
 			for _, ip := range ps.TailscaleIPs {
 				if ip == argIP {
 					return dnsName, true
@@ -202,7 +202,7 @@ func isSSHOverTailscale() bool {
 	if !ok {
 		return false
 	}
-	ip, err := netip.ParseAddr(ipStr)
+	ip, err := netaddr.ParseIP(ipStr)
 	if err != nil {
 		return false
 	}

cmd/tailscale/cli/status.go

@@ -13,12 +13,12 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	"net/netip"
 	"os"
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"github.com/toqueteos/webbrowser"
+	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/interfaces"
@@ -260,7 +260,7 @@ func ownerLogin(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
 	return u.LoginName
 }
 
-func firstIPString(v []netip.Addr) string {
+func firstIPString(v []netaddr.IP) string {
 	if len(v) == 0 {
 		return ""
 	}

cmd/tailscale/cli/up.go

@@ -13,7 +13,6 @@ import (
 	"flag"
 	"fmt"
 	"log"
-	"net/netip"
 	"os"
 	"reflect"
 	"runtime"
@@ -25,6 +24,7 @@ import (
 	shellquote "github.com/kballard/go-shellquote"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	qrcode "github.com/skip2/go-qrcode"
+	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/tsaddr"
@@ -178,16 +178,15 @@ var upArgs upArgsT
 // JSON block will be output. The AuthURL and QR fields will not be present, the
 // BackendState and Error fields will give the result of the authentication.
 // Ex:
+// {
+//    "AuthURL": "https://login.tailscale.com/a/0123456789abcdef",
+//    "QR": "data:image/png;base64,0123...cdef"
+//    "BackendState": "NeedsLogin"
+// }
+// {
+//    "BackendState": "Running"
+// }
 //
-//	{
-//	   "AuthURL": "https://login.tailscale.com/a/0123456789abcdef",
-//	   "QR": "data:image/png;base64,0123...cdef"
-//	   "BackendState": "NeedsLogin"
-//	}
-//
-//	{
-//	   "BackendState": "Running"
-//	}
 type upOutputJSON struct {
 	AuthURL      string `json:",omitempty"` // Authentication URL of the form https://login.tailscale.com/a/0123456789
 	QR           string `json:",omitempty"` // a DataURL (base64) PNG of a QR code AuthURL
@@ -200,18 +199,18 @@ func warnf(format string, args ...any) {
 }
 
 var (
-	ipv4default = netip.MustParsePrefix("0.0.0.0/0")
-	ipv6default = netip.MustParsePrefix("::/0")
+	ipv4default = netaddr.MustParseIPPrefix("0.0.0.0/0")
+	ipv6default = netaddr.MustParseIPPrefix("::/0")
 )
 
-func validateViaPrefix(ipp netip.Prefix) error {
+func validateViaPrefix(ipp netaddr.IPPrefix) error {
 	if !tsaddr.IsViaPrefix(ipp) {
 		return fmt.Errorf("%v is not a 4-in-6 prefix", ipp)
 	}
 	if ipp.Bits() < (128 - 32) {
 		return fmt.Errorf("%v 4-in-6 prefix must be at least a /%v", ipp, 128-32)
 	}
-	a := ipp.Addr().As16()
+	a := ipp.IP().As16()
 	// The first 64 bits of a are the via prefix.
 	// The next 32 bits are the "site ID".
 	// The last 32 bits are the IPv4.
@@ -224,13 +223,13 @@ func validateViaPrefix(ipp netip.Prefix) error {
 	return nil
 }
 
-func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]netip.Prefix, error) {
-	routeMap := map[netip.Prefix]bool{}
+func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]netaddr.IPPrefix, error) {
+	routeMap := map[netaddr.IPPrefix]bool{}
 	if advertiseRoutes != "" {
 		var default4, default6 bool
 		advroutes := strings.Split(advertiseRoutes, ",")
 		for _, s := range advroutes {
-			ipp, err := netip.ParsePrefix(s)
+			ipp, err := netaddr.ParseIPPrefix(s)
 			if err != nil {
 				return nil, fmt.Errorf("%q is not a valid IP address or CIDR prefix", s)
 			}
@@ -256,10 +255,10 @@ func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]
 		}
 	}
 	if advertiseDefaultRoute {
-		routeMap[netip.MustParsePrefix("0.0.0.0/0")] = true
-		routeMap[netip.MustParsePrefix("::/0")] = true
+		routeMap[netaddr.MustParseIPPrefix("0.0.0.0/0")] = true
+		routeMap[netaddr.MustParseIPPrefix("::/0")] = true
 	}
-	routes := make([]netip.Prefix, 0, len(routeMap))
+	routes := make([]netaddr.IPPrefix, 0, len(routeMap))
 	for r := range routeMap {
 		routes = append(routes, r)
 	}
@@ -267,7 +266,7 @@ func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]
 		if routes[i].Bits() != routes[j].Bits() {
 			return routes[i].Bits() < routes[j].Bits()
 		}
-		return routes[i].Addr().Less(routes[j].Addr())
+		return routes[i].IP().Less(routes[j].IP())
 	})
 	return routes, nil
 }
@@ -571,9 +570,9 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 
 				data, err := json.MarshalIndent(js, "", "\t")
 				if err != nil {
-					printf("upOutputJSON marshalling error: %v", err)
+					log.Printf("upOutputJSON marshalling error: %v", err)
 				} else {
-					outln(string(data))
+					fmt.Println(string(data))
 				}
 			} else {
 				fmt.Fprintf(Stderr, "\nTo authenticate, visit:\n\n\t%s\n\n", *url)
@@ -711,7 +710,7 @@ func printUpDoneJSON(state ipn.State, errorString string) {
 	if err != nil {
 		log.Printf("printUpDoneJSON marshalling error: %v", err)
 	} else {
-		outln(string(data))
+		fmt.Println(string(data))
 	}
 }
 
@@ -791,7 +790,7 @@ type upCheckEnv struct {
 	flagSet       *flag.FlagSet
 	upArgs        upArgsT
 	backendState  string
-	curExitNodeIP netip.Addr
+	curExitNodeIP netaddr.IP
 	distro        distro.Distro
 }
 
@@ -914,10 +913,10 @@ func prefsToFlags(env upCheckEnv, prefs *ipn.Prefs) (flagVal map[string]any) {
 	ret := make(map[string]any)
 
 	exitNodeIPStr := func() string {
-		if prefs.ExitNodeIP.IsValid() {
+		if !prefs.ExitNodeIP.IsZero() {
 			return prefs.ExitNodeIP.String()
 		}
-		if prefs.ExitNodeID.IsZero() || !env.curExitNodeIP.IsValid() {
+		if prefs.ExitNodeID.IsZero() || env.curExitNodeIP.IsZero() {
 			return ""
 		}
 		return env.curExitNodeIP.String()
@@ -992,13 +991,13 @@ func fmtFlagValueArg(flagName string, val any) string {
 	return fmt.Sprintf("--%s=%v", flagName, shellquote.Join(fmt.Sprint(val)))
 }
 
-func hasExitNodeRoutes(rr []netip.Prefix) bool {
+func hasExitNodeRoutes(rr []netaddr.IPPrefix) bool {
 	var v4, v6 bool
 	for _, r := range rr {
 		if r.Bits() == 0 {
-			if r.Addr().Is4() {
+			if r.IP().Is4() {
 				v4 = true
-			} else if r.Addr().Is6() {
+			} else if r.IP().Is6() {
 				v6 = true
 			}
 		}
@@ -1009,11 +1008,11 @@ func hasExitNodeRoutes(rr []netip.Prefix) bool {
 // withoutExitNodes returns rr unchanged if it has only 1 or 0 /0
 // routes. If it has both IPv4 and IPv6 /0 routes, then it returns
 // a copy with all /0 routes removed.
-func withoutExitNodes(rr []netip.Prefix) []netip.Prefix {
+func withoutExitNodes(rr []netaddr.IPPrefix) []netaddr.IPPrefix {
 	if !hasExitNodeRoutes(rr) {
 		return rr
 	}
-	var out []netip.Prefix
+	var out []netaddr.IPPrefix
 	for _, r := range rr {
 		if r.Bits() > 0 {
 			out = append(out, r)
@@ -1024,11 +1023,11 @@ func withoutExitNodes(rr []netip.Prefix) []netip.Prefix {
 
 // exitNodeIP returns the exit node IP from p, using st to map
 // it from its ID form to an IP address if needed.
-func exitNodeIP(p *ipn.Prefs, st *ipnstate.Status) (ip netip.Addr) {
+func exitNodeIP(p *ipn.Prefs, st *ipnstate.Status) (ip netaddr.IP) {
 	if p == nil {
 		return
 	}
-	if p.ExitNodeIP.IsValid() {
+	if !p.ExitNodeIP.IsZero() {
 		return p.ExitNodeIP
 	}
 	id := p.ExitNodeID

cmd/tailscale/cli/web.go

@@ -20,7 +20,6 @@ import (
 	"net"
 	"net/http"
 	"net/http/cgi"
-	"net/netip"
 	"net/url"
 	"os"
 	"os/exec"
@@ -28,6 +27,7 @@ import (
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/preftype"
@@ -208,20 +208,12 @@ func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
 		return "", nil, err
 	}
 	token, err := r.Cookie("qtoken")
-	if err == nil {
-		return qnapAuthnQtoken(r, user.Value, token.Value)
+	if err != nil {
+		return "", nil, err
 	}
-	sid, err := r.Cookie("NAS_SID")
-	if err == nil {
-		return qnapAuthnSid(r, user.Value, sid.Value)
-	}
-	return "", nil, fmt.Errorf("not authenticated by any mechanism")
-}
-
-func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResponse, error) {
 	query := url.Values{
-		"qtoken": []string{token},
-		"user":   []string{user},
+		"qtoken": []string{token.Value},
+		"user":   []string{user.Value},
 	}
 	u := url.URL{
 		Scheme:   r.URL.Scheme,
@@ -229,26 +221,7 @@ func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResp
 		Path:     "/cgi-bin/authLogin.cgi",
 		RawQuery: query.Encode(),
 	}
-
-	return qnapAuthnFinish(user, u.String())
-}
-
-func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse, error) {
-	query := url.Values{
-		"sid": []string{sid},
-	}
-	u := url.URL{
-		Scheme:   r.URL.Scheme,
-		Host:     r.URL.Host,
-		Path:     "/cgi-bin/authLogin.cgi",
-		RawQuery: query.Encode(),
-	}
-
-	return qnapAuthnFinish(user, u.String())
-}
-
-func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
-	resp, err := http.Get(url)
+	resp, err := http.Get(u.String())
 	if err != nil {
 		return "", nil, err
 	}
@@ -264,7 +237,7 @@ func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
 	if authResp.AuthPassed == 0 {
 		return "", nil, fmt.Errorf("not authenticated")
 	}
-	return user, authResp, nil
+	return user.Value, authResp, nil
 }
 
 func synoAuthn() (string, error) {
@@ -393,8 +366,8 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		Status:       st.BackendState,
 		DeviceName:   deviceName,
 	}
-	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
-	exitNodeRouteV6 := netip.MustParsePrefix("::/0")
+	exitNodeRouteV4 := netaddr.MustParseIPPrefix("0.0.0.0/0")
+	exitNodeRouteV6 := netaddr.MustParseIPPrefix("::/0")
 	for _, r := range prefs.AdvertiseRoutes {
 		if r == exitNodeRouteV4 || r == exitNodeRouteV6 {
 			data.AdvertiseExitNode = true

cmd/tailscale/depaware.txt

@@ -1,13 +1,9 @@
 tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)
 
-        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
-        filippo.io/edwards25519/field                                from filippo.io/edwards25519
    W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
-        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
         github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
-        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
    L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
    L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
    L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
@@ -30,10 +26,11 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
         github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
         github.com/toqueteos/webbrowser                              from tailscale.com/cmd/tailscale/cli
-        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
+     💣 go4.org/intern                                               from inet.af/netaddr
      💣 go4.org/mem                                                  from tailscale.com/derp+
-        go4.org/netipx                                               from tailscale.com/wgengine/filter
+        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
    W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
+        inet.af/netaddr                                              from tailscale.com/cmd/tailscale/cli+
         nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
         nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
         nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
@@ -57,7 +54,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/net/dnsfallback                                from tailscale.com/control/controlhttp
         tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
      💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
         tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli
         tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns
@@ -71,9 +67,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
         tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
         tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/syncs                                          from tailscale.com/net/netcheck
+        tailscale.com/syncs                                          from tailscale.com/net/interfaces+
         tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/tka                                            from tailscale.com/types/key
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
      💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
         tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
@@ -83,7 +78,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/types/key                                      from tailscale.com/derp+
         tailscale.com/types/logger                                   from tailscale.com/cmd/tailscale/cli+
         tailscale.com/types/netmap                                   from tailscale.com/ipn
-        tailscale.com/types/nettype                                  from tailscale.com/net/netcheck+
         tailscale.com/types/opt                                      from tailscale.com/net/netcheck+
         tailscale.com/types/pad32                                    from tailscale.com/derp
         tailscale.com/types/persist                                  from tailscale.com/ipn
@@ -102,9 +96,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
         tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
         tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
-        golang.org/x/crypto/argon2                                   from tailscale.com/tka
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/blake2s                                  from tailscale.com/control/controlbase+
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/blake2s                                  from tailscale.com/control/controlbase
         golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
         golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
@@ -162,7 +155,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         embed                                                        from tailscale.com/cmd/tailscale/cli+
         encoding                                                     from encoding/json+
         encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka
         encoding/base64                                              from encoding/json+
         encoding/binary                                              from compress/gzip+
         encoding/hex                                                 from crypto/x509+
@@ -183,7 +175,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         image/color                                                  from github.com/skip2/go-qrcode+
         image/png                                                    from github.com/skip2/go-qrcode
         io                                                           from bufio+
-        io/fs                                                        from crypto/x509+
+        io/fs                                                        from crypto/rand+
         io/ioutil                                                    from golang.org/x/sys/cpu+
         log                                                          from expvar+
         math                                                         from compress/flate+
@@ -198,7 +190,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         net/http/cgi                                                 from tailscale.com/cmd/tailscale/cli
         net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
         net/http/internal                                            from net/http
-        net/netip                                                    from net+
+        net/netip                                                    from net
         net/textproto                                                from golang.org/x/net/http/httpguts+
         net/url                                                      from crypto/x509+
         os                                                           from crypto/rand+

cmd/tailscaled/debug.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18
 
 package main
 
@@ -20,12 +20,12 @@ import (
 	"net"
 	"net/http"
 	"net/http/httptrace"
-	"net/netip"
 	"net/url"
 	"os"
 	"strings"
 	"time"
 
+	"inet.af/netaddr"
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
@@ -266,11 +266,11 @@ func debugPortmap(ctx context.Context) error {
 		return err
 	}
 
-	gatewayAndSelfIP := func() (gw, self netip.Addr, ok bool) {
+	gatewayAndSelfIP := func() (gw, self netaddr.IP, ok bool) {
 		if v := os.Getenv("TS_DEBUG_GW_SELF"); strings.Contains(v, "/") {
 			i := strings.Index(v, "/")
-			gw = netip.MustParseAddr(v[:i])
-			self = netip.MustParseAddr(v[i+1:])
+			gw = netaddr.MustParseIP(v[:i])
+			self = netaddr.MustParseIP(v[i+1:])
 			return gw, self, true
 		}
 		return linkMon.GatewayAndSelfIP()

cmd/tailscaled/depaware.txt

@@ -1,7 +1,5 @@
 tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/depaware)
 
-        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
-        filippo.io/edwards25519/field                                from filippo.io/edwards25519
    W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
@@ -64,13 +62,11 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
    L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
   LD 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
-        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
    W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
    W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
    L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns+
         github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
         github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
-        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
    L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
    L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
    L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
@@ -117,9 +113,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/u-root/uio/uio                                    from github.com/insomniacslk/dhcp/dhcpv4+
    L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
    L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
-        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
+     💣 go4.org/intern                                               from inet.af/netaddr
      💣 go4.org/mem                                                  from tailscale.com/control/controlbase+
-        go4.org/netipx                                               from tailscale.com/ipn/ipnlocal+
+        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
    W 💣 golang.zx2c4.com/wintun                                      from golang.zx2c4.com/wireguard/tun
      💣 golang.zx2c4.com/wireguard/conn                              from golang.zx2c4.com/wireguard/device+
    W 💣 golang.zx2c4.com/wireguard/conn/winrio                       from golang.zx2c4.com/wireguard/conn
@@ -133,8 +129,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 golang.zx2c4.com/wireguard/tun                               from golang.zx2c4.com/wireguard/device+
    W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/cmd/tailscaled+
         gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/tcpip+
-        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/bufferv2
-     💣 gvisor.dev/gvisor/pkg/bufferv2                               from gvisor.dev/gvisor/pkg/tcpip+
+     💣 gvisor.dev/gvisor/pkg/buffer                                 from gvisor.dev/gvisor/pkg/tcpip/stack
         gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs+
      💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire+
         gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
@@ -148,6 +143,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/linewriter+
         gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/header+
         gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
+     💣 gvisor.dev/gvisor/pkg/tcpip/buffer                           from gvisor.dev/gvisor/pkg/tcpip/header+
         gvisor.dev/gvisor/pkg/tcpip/hash/jenkins                     from gvisor.dev/gvisor/pkg/tcpip/stack+
         gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/header/parse+
         gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
@@ -156,7 +152,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         gvisor.dev/gvisor/pkg/tcpip/network/hash                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
         gvisor.dev/gvisor/pkg/tcpip/network/internal/fragmentation   from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
         gvisor.dev/gvisor/pkg/tcpip/network/internal/ip              from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
-        gvisor.dev/gvisor/pkg/tcpip/network/internal/multicast       from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
         gvisor.dev/gvisor/pkg/tcpip/network/ipv4                     from tailscale.com/net/tstun+
         gvisor.dev/gvisor/pkg/tcpip/network/ipv6                     from tailscale.com/wgengine/netstack
         gvisor.dev/gvisor/pkg/tcpip/ports                            from gvisor.dev/gvisor/pkg/tcpip/stack+
@@ -172,6 +167,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         gvisor.dev/gvisor/pkg/tcpip/transport/tcpconntrack           from gvisor.dev/gvisor/pkg/tcpip/stack
         gvisor.dev/gvisor/pkg/tcpip/transport/udp                    from tailscale.com/net/tstun+
         gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context+
+        inet.af/netaddr                                              from tailscale.com/control/controlclient+
         inet.af/peercred                                             from tailscale.com/ipn/ipnserver
    W 💣 inet.af/wf                                                   from tailscale.com/wf
         nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
@@ -219,7 +215,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/net/dnsfallback                                from tailscale.com/control/controlclient+
         tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
      💣 tailscale.com/net/interfaces                                 from tailscale.com/control/controlclient+
-        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
         tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
         tailscale.com/net/neterror                                   from tailscale.com/net/dns/resolver+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns+
@@ -241,10 +236,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
         tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
   LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
-        tailscale.com/syncs                                          from tailscale.com/net/netcheck+
+        tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
         tailscale.com/tailcfg                                        from tailscale.com/client/tailscale/apitype+
   LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
-        tailscale.com/tka                                            from tailscale.com/types/key+
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
         tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
      💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
@@ -257,7 +251,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/types/key                                      from tailscale.com/control/controlbase+
         tailscale.com/types/logger                                   from tailscale.com/control/controlclient+
         tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
-        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock+
+        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock
         tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
         tailscale.com/types/pad32                                    from tailscale.com/derp
         tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
@@ -274,6 +268,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
         tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
         tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
+        tailscale.com/util/netconv                                   from tailscale.com/wgengine/magicsock
         tailscale.com/util/osshare                                   from tailscale.com/ipn/ipnlocal+
         tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
         tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
@@ -295,8 +290,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
    W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
         golang.org/x/crypto/acme                                     from tailscale.com/ipn/localapi
-        golang.org/x/crypto/argon2                                   from tailscale.com/tka
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
   LD    golang.org/x/crypto/blowfish                                 from golang.org/x/crypto/ssh/internal/bcrypt_pbkdf+
         golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305+
@@ -311,8 +305,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/poly1305                                 from golang.zx2c4.com/wireguard/device+
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
   LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
-        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
-        golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal
         golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
@@ -369,7 +361,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         embed                                                        from tailscale.com+
         encoding                                                     from encoding/json+
         encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka
         encoding/base64                                              from encoding/json+
         encoding/binary                                              from compress/gzip+
         encoding/hex                                                 from crypto/x509+
@@ -386,7 +377,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         hash/maphash                                                 from go4.org/mem
         html                                                         from tailscale.com/ipn/ipnlocal+
         io                                                           from bufio+
-        io/fs                                                        from crypto/x509+
+        io/fs                                                        from crypto/rand+
         io/ioutil                                                    from github.com/godbus/dbus/v5+
         log                                                          from expvar+
   LD    log/syslog                                                   from tailscale.com/ssh/tailssh

cmd/tailscaled/install_darwin.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18
 
 package main
 

cmd/tailscaled/install_windows.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18
 
 package main
 

cmd/tailscaled/proxy.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18
 
 // HTTP proxy code
 

cmd/tailscaled/required_version.go

@@ -2,11 +2,11 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build !go1.19
-// +build !go1.19
+//go:build !go1.18
+// +build !go1.18
 
 package main
 
 func init() {
-	you_need_Go_1_19_to_compile_Tailscale()
+	you_need_Go_1_18_to_compile_Tailscale()
 }

cmd/tailscaled/tailscaled.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18
 
 // The tailscaled program is the Tailscale client daemon. It's configured
 // and controlled via the tailscale CLI program.
@@ -21,7 +21,6 @@ import (
 	"net"
 	"net/http"
 	"net/http/pprof"
-	"net/netip"
 	"os"
 	"os/signal"
 	"path/filepath"
@@ -30,6 +29,7 @@ import (
 	"syscall"
 	"time"
 
+	"inet.af/netaddr"
 	"tailscale.com/cmd/tailscaled/childproc"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/envknob"
@@ -128,8 +128,6 @@ var subCommands = map[string]*func([]string) error{
 	"be-child":                &beChildFunc,
 }
 
-var beCLI func() // non-nil if CLI is linked in
-
 func main() {
 	printVersion := false
 	flag.IntVar(&args.verbose, "verbose", 0, "log verbosity level; 0 is default, 1 or higher are increasingly verbose")
@@ -145,11 +143,6 @@ func main() {
 	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
 	flag.BoolVar(&printVersion, "version", false, "print version information and exit")
 
-	if len(os.Args) > 0 && filepath.Base(os.Args[0]) == "tailscale" && beCLI != nil {
-		beCLI()
-		return
-	}
-
 	if len(os.Args) > 1 {
 		sub := os.Args[1]
 		if fp, ok := subCommands[sub]; ok {
@@ -373,11 +366,11 @@ func run() error {
 	ns.ProcessSubnets = useNetstack || wrapNetstack
 
 	if useNetstack {
-		dialer.UseNetstackForIP = func(ip netip.Addr) bool {
+		dialer.UseNetstackForIP = func(ip netaddr.IP) bool {
 			_, ok := e.PeerForIP(ip)
 			return ok
 		}
-		dialer.NetstackDialTCP = func(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
+		dialer.NetstackDialTCP = func(ctx context.Context, dst netaddr.IPPort) (net.Conn, error) {
 			return ns.DialContextTCP(ctx, dst)
 		}
 	}
@@ -411,6 +404,7 @@ func run() error {
 	// want to keep running.
 	signal.Ignore(syscall.SIGPIPE)
 	go func() {
+		defer dialer.Close()
 		select {
 		case s := <-interrupt:
 			logf("tailscaled got signal %v; shutting down", s)
@@ -443,7 +437,6 @@ func run() error {
 	if err != nil {
 		return fmt.Errorf("safesocket.Listen: %v", err)
 	}
-	defer dialer.Close()
 
 	err = srv.Run(ctx, ln)
 	// Cancelation is not an error: it is the only way to stop ipnserver.
@@ -522,7 +515,7 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 	} else {
 		dev, devName, err := tstun.New(logf, name)
 		if err != nil {
-			tstun.Diagnose(logf, name, err)
+			tstun.Diagnose(logf, name)
 			return nil, false, fmt.Errorf("tstun.New(%q): %w", name, err)
 		}
 		conf.Tun = dev

cmd/tailscaled/tailscaled_bird.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.19 && (linux || darwin || freebsd || openbsd)
-// +build go1.19
+//go:build go1.18 && (linux || darwin || freebsd || openbsd)
+// +build go1.18
 // +build linux darwin freebsd openbsd
 
 package main

cmd/tailscaled/tailscaled_notwindows.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build !windows && go1.19
-// +build !windows,go1.19
+//go:build !windows && go1.18
+// +build !windows,go1.18
 
 package main // import "tailscale.com/cmd/tailscaled"
 

cmd/tailscaled/tailscaled_windows.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18
 
 package main // import "tailscale.com/cmd/tailscaled"
 
@@ -25,7 +25,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"log"
-	"net/netip"
 	"os"
 	"time"
 
@@ -33,6 +32,7 @@ import (
 	"golang.org/x/sys/windows/svc"
 	"golang.org/x/sys/windows/svc/eventlog"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
+	"inet.af/netaddr"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/ipn/store"
@@ -245,7 +245,7 @@ func beFirewallKillswitch() bool {
 	// is passed in via stdin encoded in json.
 	dcd := json.NewDecoder(os.Stdin)
 	for {
-		var routes []netip.Prefix
+		var routes []netaddr.IPPrefix
 		if err := dcd.Decode(&routes); err != nil {
 			log.Fatalf("parent process died or requested exit, exiting (%v)", err)
 		}

cmd/tailscaled/with_cli.go

@@ -1,25 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build ts_include_cli
-// +build ts_include_cli
-
-package main
-
-import (
-	"fmt"
-	"os"
-
-	"tailscale.com/cmd/tailscale/cli"
-)
-
-func init() {
-	beCLI = func() {
-		args := os.Args[1:]
-		if err := cli.Run(args); err != nil {
-			fmt.Fprintln(os.Stderr, err)
-			os.Exit(1)
-		}
-	}
-}

cmd/tsconnect/.gitignore

@@ -1,4 +0,0 @@
-src/wasm_exec.js
-src/main.wasm
-node_modules/
-dist/

cmd/tsconnect/README.md

@@ -1,30 +0,0 @@
-# tsconnect
-
-The tsconnect command builds and serves the static site that is generated for
-the Tailscale Connect JS/WASM client.
-
-## Development
-
-To start the development server:
-
-```
-./tool/go run ./cmd/tsconnect dev
-```
-
-The site is served at http://localhost:9090/. JavaScript and CSS changes can be picked up with a browser reload. Go changes (including to the `wasm` package) require the server to be stopped and restarted. In development mode the state the Tailscale client is stored in `sessionStorage` and will thus survive page reloads (but not the tab being closed).
-
-## Deployment
-
-To build the static assets necessary for serving, run:
-
-```
-./tool/go run ./cmd/tsconnect build
-```
-
-To serve them, run:
-
-```
-./tool/go run ./cmd/tsconnect serve
-```
-
-By default the build output is placed in the `dist/` directory and embedded in the binary, but this can be controlled by the `-distdir` flag. The `-addr` flag controls the interface and port that the serve listens on.

cmd/tsconnect/build.go

@@ -1,131 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"os"
-	"path"
-	"path/filepath"
-
-	esbuild "github.com/evanw/esbuild/pkg/api"
-	"tailscale.com/util/precompress"
-)
-
-func runBuild() {
-	buildOptions, err := commonSetup(prodMode)
-	if err != nil {
-		log.Fatalf("Cannot setup: %v", err)
-	}
-
-	log.Printf("Linting...\n")
-	if err := runYarn("lint"); err != nil {
-		log.Fatalf("Linting failed: %v", err)
-	}
-
-	if err := cleanDist(); err != nil {
-		log.Fatalf("Cannot clean %s: %v", *distDir, err)
-	}
-
-	buildOptions.Write = true
-	buildOptions.MinifyWhitespace = true
-	buildOptions.MinifyIdentifiers = true
-	buildOptions.MinifySyntax = true
-
-	buildOptions.EntryNames = "[dir]/[name]-[hash]"
-	buildOptions.AssetNames = "[name]-[hash]"
-	buildOptions.Metafile = true
-
-	log.Printf("Running esbuild...\n")
-	result := esbuild.Build(*buildOptions)
-	if len(result.Errors) > 0 {
-		log.Printf("ESBuild Error:\n")
-		for _, e := range result.Errors {
-			log.Printf("%v", e)
-		}
-		log.Fatal("Build failed")
-	}
-	if len(result.Warnings) > 0 {
-		log.Printf("ESBuild Warnings:\n")
-		for _, w := range result.Warnings {
-			log.Printf("%v", w)
-		}
-	}
-
-	// Preserve build metadata so we can extract hashed file names for serving.
-	metadataBytes, err := fixEsbuildMetadataPaths(result.Metafile)
-	if err != nil {
-		log.Fatalf("Cannot fix esbuild metadata paths: %v", err)
-	}
-	if err := ioutil.WriteFile(path.Join(*distDir, "/esbuild-metadata.json"), metadataBytes, 0666); err != nil {
-		log.Fatalf("Cannot write metadata: %v", err)
-	}
-
-	if er := precompressDist(*fastCompression); err != nil {
-		log.Fatalf("Cannot precompress resources: %v", er)
-	}
-}
-
-// fixEsbuildMetadataPaths re-keys the esbuild metadata file to use paths
-// relative to the dist directory (it normally uses paths relative to the cwd,
-// which are akward if we're running with a different cwd at serving time).
-func fixEsbuildMetadataPaths(metadataStr string) ([]byte, error) {
-	var metadata EsbuildMetadata
-	if err := json.Unmarshal([]byte(metadataStr), &metadata); err != nil {
-		return nil, fmt.Errorf("Cannot parse metadata: %w", err)
-	}
-	distAbsPath, err := filepath.Abs(*distDir)
-	if err != nil {
-		return nil, fmt.Errorf("Cannot get absolute path from %s: %w", *distDir, err)
-	}
-	for outputPath, output := range metadata.Outputs {
-		outputAbsPath, err := filepath.Abs(outputPath)
-		if err != nil {
-			return nil, fmt.Errorf("Cannot get absolute path from %s: %w", outputPath, err)
-		}
-		outputRelPath, err := filepath.Rel(distAbsPath, outputAbsPath)
-		if err != nil {
-			return nil, fmt.Errorf("Cannot get relative path from %s: %w", outputRelPath, err)
-		}
-		delete(metadata.Outputs, outputPath)
-		metadata.Outputs[outputRelPath] = output
-	}
-	return json.Marshal(metadata)
-}
-
-// cleanDist removes files from the dist build directory, except the placeholder
-// one that we keep to make sure Git still creates the directory.
-func cleanDist() error {
-	log.Printf("Cleaning %s...\n", *distDir)
-	files, err := os.ReadDir(*distDir)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return os.MkdirAll(*distDir, 0755)
-		}
-		return err
-	}
-
-	for _, file := range files {
-		if file.Name() != "placeholder" {
-			if err := os.Remove(filepath.Join(*distDir, file.Name())); err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-func precompressDist(fastCompression bool) error {
-	log.Printf("Pre-compressing files in %s/...\n", *distDir)
-	return precompress.PrecompressDir(*distDir, precompress.Options{
-		FastCompression: fastCompression,
-		ProgressFn: func(path string) {
-			log.Printf("Pre-compressing %v\n", path)
-		},
-	})
-}

cmd/tsconnect/common.go

@@ -1,154 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"fmt"
-	"log"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"runtime"
-	"strconv"
-	"time"
-
-	esbuild "github.com/evanw/esbuild/pkg/api"
-)
-
-const (
-	devMode  = true
-	prodMode = false
-)
-
-// commonSetup performs setup that is common to both dev and build modes.
-func commonSetup(dev bool) (*esbuild.BuildOptions, error) {
-	// Change cwd to to where this file lives -- that's where all inputs for
-	// esbuild and other build steps live.
-	if _, filename, _, ok := runtime.Caller(0); ok {
-		if err := os.Chdir(path.Dir(filename)); err != nil {
-			return nil, fmt.Errorf("Cannot change cwd: %w", err)
-		}
-	}
-	if err := buildDeps(dev); err != nil {
-		return nil, fmt.Errorf("Cannot build deps: %w", err)
-	}
-
-	return &esbuild.BuildOptions{
-		EntryPoints: []string{"src/index.ts", "src/index.css"},
-		Loader:      map[string]esbuild.Loader{".wasm": esbuild.LoaderFile},
-		Outdir:      *distDir,
-		Bundle:      true,
-		Sourcemap:   esbuild.SourceMapLinked,
-		LogLevel:    esbuild.LogLevelInfo,
-		Define:      map[string]string{"DEBUG": strconv.FormatBool(dev)},
-		Target:      esbuild.ES2017,
-		Plugins: []esbuild.Plugin{{
-			Name: "tailscale-tailwind",
-			Setup: func(build esbuild.PluginBuild) {
-				setupEsbuildTailwind(build, dev)
-			},
-		}},
-	}, nil
-}
-
-// buildDeps builds the static assets that are needed for the server (except for
-// JS/CSS bundling, which is  handled by esbuild).
-func buildDeps(dev bool) error {
-	if err := copyWasmExec(); err != nil {
-		return fmt.Errorf("Cannot copy wasm_exec.js: %w", err)
-	}
-	if err := buildWasm(dev); err != nil {
-		return fmt.Errorf("Cannot build main.wasm: %w", err)
-	}
-	if err := installJSDeps(); err != nil {
-		return fmt.Errorf("Cannot install JS deps: %w", err)
-	}
-	return nil
-}
-
-// copyWasmExec grabs the current wasm_exec.js runtime helper library from the
-// Go toolchain.
-func copyWasmExec() error {
-	log.Printf("Copying wasm_exec.js...\n")
-	wasmExecSrcPath := filepath.Join(runtime.GOROOT(), "misc", "wasm", "wasm_exec.js")
-	wasmExecDstPath := filepath.Join("src", "wasm_exec.js")
-	contents, err := os.ReadFile(wasmExecSrcPath)
-	if err != nil {
-		return err
-	}
-	return os.WriteFile(wasmExecDstPath, contents, 0600)
-}
-
-// buildWasm builds the Tailscale wasm binary and places it where the JS can
-// load it.
-func buildWasm(dev bool) error {
-	log.Printf("Building wasm...\n")
-	args := []string{"build", "-tags", "tailscale_go,osusergo,netgo,nethttpomithttp2,omitidna,omitpemdecrypt"}
-	if !dev {
-		// Omit long paths and debug symbols in release builds, to reduce the
-		// generated WASM binary size.
-		args = append(args, "-trimpath", "-ldflags", "-s -w")
-	}
-	args = append(args, "-o", "src/main.wasm", "./wasm")
-	cmd := exec.Command(filepath.Join(runtime.GOROOT(), "bin", "go"), args...)
-	cmd.Env = append(os.Environ(), "GOOS=js", "GOARCH=wasm")
-	cmd.Stdin = os.Stdin
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	return cmd.Run()
-}
-
-// installJSDeps installs the JavaScript dependencies specified by package.json
-func installJSDeps() error {
-	log.Printf("Installing JS deps...\n")
-	return runYarn()
-}
-
-func runYarn(args ...string) error {
-	cmd := exec.Command(*yarnPath, args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	return cmd.Run()
-}
-
-// EsbuildMetadata is the subset of metadata struct (described by
-// https://esbuild.github.io/api/#metafile) that we care about for mapping
-// from entry points to hashed file names.
-type EsbuildMetadata struct {
-	Outputs map[string]struct {
-		Inputs map[string]struct {
-			BytesInOutput int64 `json:"bytesInOutput"`
-		} `json:"inputs,omitempty"`
-		EntryPoint string `json:"entryPoint,omitempty"`
-	} `json:"outputs,omitempty"`
-}
-
-func setupEsbuildTailwind(build esbuild.PluginBuild, dev bool) {
-	build.OnLoad(esbuild.OnLoadOptions{
-		Filter: "./src/index.css$",
-	}, func(args esbuild.OnLoadArgs) (esbuild.OnLoadResult, error) {
-		start := time.Now()
-		yarnArgs := []string{"--silent", "tailwind", "-i", args.Path}
-		if !dev {
-			yarnArgs = append(yarnArgs, "--minify")
-		}
-		cmd := exec.Command(*yarnPath, yarnArgs...)
-		tailwindOutput, err := cmd.Output()
-		log.Printf("Ran tailwind in %v\n", time.Since(start))
-		if err != nil {
-			if exitErr, ok := err.(*exec.ExitError); ok {
-				log.Printf("Tailwind stderr: %s", exitErr.Stderr)
-			}
-			return esbuild.OnLoadResult{}, fmt.Errorf("Cannot run tailwind: %w", err)
-		}
-		tailwindOutputStr := string(tailwindOutput)
-		return esbuild.OnLoadResult{
-			Contents: &tailwindOutputStr,
-			Loader:   esbuild.LoaderCSS,
-		}, nil
-
-	})
-}

cmd/tsconnect/dev.go

@@ -1,38 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"log"
-	"net"
-	"strconv"
-
-	esbuild "github.com/evanw/esbuild/pkg/api"
-)
-
-func runDev() {
-	buildOptions, err := commonSetup(devMode)
-	if err != nil {
-		log.Fatalf("Cannot setup: %v", err)
-	}
-	host, portStr, err := net.SplitHostPort(*addr)
-	if err != nil {
-		log.Fatalf("Cannot parse addr: %v", err)
-	}
-	port, err := strconv.ParseUint(portStr, 10, 16)
-	if err != nil {
-		log.Fatalf("Cannot parse port: %v", err)
-	}
-	result, err := esbuild.Serve(esbuild.ServeOptions{
-		Port:     uint16(port),
-		Host:     host,
-		Servedir: "./",
-	}, *buildOptions)
-	if err != nil {
-		log.Fatalf("Cannot start esbuild server: %v", err)
-	}
-	log.Printf("Listening on http://%s:%d\n", result.Host, result.Port)
-	result.Wait()
-}

cmd/tsconnect/dist/placeholder

@@ -1,2 +0,0 @@
-This is here to make sure the dist/ directory exists for the go:embed command
-in serve.go.

cmd/tsconnect/index.html

@@ -1,44 +0,0 @@
-<!DOCTYPE html>
-<html>
-  <head>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <title>Tailscale Connect</title>
-    <link rel="stylesheet" type="text/css" href="dist/index.css" />
-    <script src="dist/index.js" defer></script>
-  </head>
-  <body class="flex flex-col h-screen overflow-hidden">
-    <div class="bg-gray-100 border-b border-gray-200 pt-4 pb-2">
-      <header class="container mx-auto px-4 flex flex-row items-center">
-        <h1 class="text-3xl font-bold grow">Tailscale Connect</h1>
-        <div class="text-gray-600" id="state">Loading…</div>
-      </header>
-    </div>
-    <div
-      id="content"
-      class="flex-grow flex flex-col justify-center overflow-hidden"
-    >
-      <form
-        id="ssh-form"
-        class="container mx-auto px-4 hidden flex justify-center"
-      >
-        <input type="text" class="input username" placeholder="Username" />
-        <div class="select-with-arrow mx-2">
-          <select class="select"></select>
-        </div>
-        <input
-          type="submit"
-          class="button bg-green-500 border-green-500 text-white hover:bg-green-600 hover:border-green-600"
-          value="SSH"
-        />
-      </form>
-      <div id="no-ssh" class="container mx-auto px-4 hidden text-center">
-        None of your machines have
-        <a href="https://tailscale.com/kb/1193/tailscale-ssh/" class="link"
-          >Tailscale SSH</a
-        >
-        enabled. Give it a try!
-      </div>
-    </div>
-  </body>
-</html>

cmd/tsconnect/package.json

@@ -1,21 +0,0 @@
-{
-  "name": "tsconnect",
-  "version": "0.0.1",
-  "license": "BSD-3-Clause",
-  "devDependencies": {
-    "@types/golang-wasm-exec": "^1.15.0",
-    "@types/qrcode": "^1.4.2",
-    "qrcode": "^1.5.0",
-    "tailwindcss": "^3.1.6",
-    "typescript": "^4.7.4",
-    "xterm": "^4.18.0",
-    "xterm-addon-fit": "^0.5.0"
-  },
-  "scripts": {
-    "lint": "tsc --noEmit"
-  },
-  "prettier": {
-    "semi": false,
-    "printWidth": 80
-  }
-}

cmd/tsconnect/serve.go

@@ -1,144 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"bytes"
-	"embed"
-	"encoding/json"
-	"fmt"
-	"io"
-	"io/fs"
-	"io/ioutil"
-	"log"
-	"net/http"
-	"os"
-	"path"
-	"time"
-
-	"tailscale.com/tsweb"
-	"tailscale.com/util/precompress"
-)
-
-//go:embed index.html
-var embeddedFS embed.FS
-
-//go:embed dist/*
-var embeddedDistFS embed.FS
-
-var serveStartTime = time.Now()
-
-func runServe() {
-	mux := http.NewServeMux()
-
-	var distFS fs.FS
-	if *distDir == "./dist" {
-		var err error
-		distFS, err = fs.Sub(embeddedDistFS, "dist")
-		if err != nil {
-			log.Fatalf("Could not drop dist/ prefix from embedded FS: %v", err)
-		}
-	} else {
-		distFS = os.DirFS(*distDir)
-	}
-
-	indexBytes, err := generateServeIndex(distFS)
-	if err != nil {
-		log.Fatalf("Could not generate index.html: %v", err)
-	}
-	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		http.ServeContent(w, r, "index.html", serveStartTime, bytes.NewReader(indexBytes))
-	}))
-	mux.Handle("/dist/", http.StripPrefix("/dist/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		handleServeDist(w, r, distFS)
-	})))
-	tsweb.Debugger(mux)
-
-	log.Printf("Listening on %s", *addr)
-	err = http.ListenAndServe(*addr, mux)
-	if err != nil {
-		log.Fatal(err)
-	}
-}
-
-func generateServeIndex(distFS fs.FS) ([]byte, error) {
-	log.Printf("Generating index.html...\n")
-	rawIndexBytes, err := embeddedFS.ReadFile("index.html")
-	if err != nil {
-		return nil, fmt.Errorf("Could not read index.html: %w", err)
-	}
-
-	esbuildMetadataFile, err := distFS.Open("esbuild-metadata.json")
-	if err != nil {
-		return nil, fmt.Errorf("Could not open esbuild-metadata.json: %w", err)
-	}
-	defer esbuildMetadataFile.Close()
-	esbuildMetadataBytes, err := ioutil.ReadAll(esbuildMetadataFile)
-	if err != nil {
-		return nil, fmt.Errorf("Could not read esbuild-metadata.json: %w", err)
-	}
-	var esbuildMetadata EsbuildMetadata
-	if err := json.Unmarshal(esbuildMetadataBytes, &esbuildMetadata); err != nil {
-		return nil, fmt.Errorf("Could not parse esbuild-metadata.json: %w", err)
-	}
-	entryPointsToHashedDistPaths := make(map[string]string)
-	mainWasmPath := ""
-	for outputPath, output := range esbuildMetadata.Outputs {
-		if output.EntryPoint != "" {
-			entryPointsToHashedDistPaths[output.EntryPoint] = path.Join("dist", outputPath)
-		}
-		if path.Ext(outputPath) == ".wasm" {
-			for input := range output.Inputs {
-				if input == "src/main.wasm" {
-					mainWasmPath = path.Join("dist", outputPath)
-					break
-				}
-			}
-		}
-	}
-
-	indexBytes := rawIndexBytes
-	for entryPointPath, defaultDistPath := range entryPointsToDefaultDistPaths {
-		hashedDistPath := entryPointsToHashedDistPaths[entryPointPath]
-		if hashedDistPath != "" {
-			indexBytes = bytes.ReplaceAll(indexBytes, []byte(defaultDistPath), []byte(hashedDistPath))
-		}
-	}
-	if mainWasmPath != "" {
-		mainWasmPrefetch := fmt.Sprintf("</title>\n<link rel='preload' as='fetch' crossorigin='anonymous' href='%s'>", mainWasmPath)
-		indexBytes = bytes.ReplaceAll(indexBytes, []byte("</title>"), []byte(mainWasmPrefetch))
-	}
-
-	return indexBytes, nil
-}
-
-var entryPointsToDefaultDistPaths = map[string]string{
-	"src/index.css": "dist/index.css",
-	"src/index.ts":  "dist/index.js",
-}
-
-func handleServeDist(w http.ResponseWriter, r *http.Request, distFS fs.FS) {
-	path := r.URL.Path
-	f, err := precompress.OpenPrecompressedFile(w, r, path, distFS)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusNotFound)
-		return
-	}
-	defer f.Close()
-
-	// fs.File does not claim to implement Seeker, but in practice it does.
-	fSeeker, ok := f.(io.ReadSeeker)
-	if !ok {
-		http.Error(w, "Not seekable", http.StatusInternalServerError)
-		return
-	}
-
-	// Aggressively cache static assets, since we cache-bust our assets with
-	// hashed filenames.
-	w.Header().Set("Cache-Control", "public, max-age=31535996")
-	w.Header().Set("Vary", "Accept-Encoding")
-
-	http.ServeContent(w, r, path, serveStartTime, fSeeker)
-}

cmd/tsconnect/src/esbuild.d.ts

@@ -1,15 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/**
- * @fileoverview Type definitions for types generated by the esbuild build
- * process.
- */
-
-declare module "*.wasm" {
-  const path: string
-  export default path
-}
-
-declare const DEBUG: boolean

cmd/tsconnect/src/index.css

@@ -1,79 +0,0 @@
-/* Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved. */
-/* Use of this source code is governed by a BSD-style */
-/* license that can be found in the LICENSE file. */
-
-@import "xterm/css/xterm.css";
-
-@tailwind base;
-@tailwind components;
-@tailwind utilities;
-
-.link {
-  @apply text-blue-600;
-}
-
-.link:hover {
-  @apply underline;
-}
-
-.button {
-  @apply font-medium py-1 px-2 rounded-md border border-transparent text-center cursor-pointer;
-  transition-property: background-color, border-color, color, box-shadow;
-  transition-duration: 120ms;
-  box-shadow: 0 1px 1px rgba(0, 0, 0, 0.04);
-  min-width: 80px;
-}
-.button:focus {
-  @apply outline-none ring;
-}
-.button:disabled {
-  @apply pointer-events-none select-none;
-}
-
-.input {
-  @apply appearance-none leading-tight rounded-md bg-white border border-gray-300 hover:border-gray-400 transition-colors px-3;
-  height: 2.375rem;
-}
-
-.input::placeholder {
-  @apply text-gray-400;
-}
-
-.input:disabled {
-  @apply border-gray-200;
-  @apply bg-gray-50;
-  @apply cursor-not-allowed;
-}
-
-.input:focus {
-  @apply outline-none ring border-transparent;
-}
-
-.select {
-  @apply appearance-none py-2 px-3 leading-tight rounded-md bg-white border border-gray-300;
-}
-
-.select-with-arrow {
-  @apply relative;
-}
-
-.select-with-arrow .select {
-  width: 100%;
-}
-
-.select-with-arrow::after {
-  @apply absolute;
-  content: "";
-  top: 50%;
-  right: 0.5rem;
-  transform: translate(-0.3em, -0.15em);
-  width: 0.6em;
-  height: 0.4em;
-  opacity: 0.6;
-  background-color: currentColor;
-  clip-path: polygon(100% 0%, 0 0%, 50% 100%);
-}
-
-body.ssh-active #ssh-form {
-  @apply hidden;
-}

cmd/tsconnect/src/index.ts

@@ -1,58 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-import "./wasm_exec"
-import wasmUrl from "./main.wasm"
-import { notifyState, notifyNetMap, notifyBrowseToURL } from "./notifier"
-import { sessionStateStorage } from "./js-state-store"
-
-const go = new Go()
-WebAssembly.instantiateStreaming(
-  fetch(`./dist/${wasmUrl}`),
-  go.importObject
-).then((result) => {
-  // The Go process should never exit, if it does then it's an unhandled panic.
-  go.run(result.instance).then(() => handleGoPanic())
-  const ipn = newIPN({
-    // Persist IPN state in sessionStorage in development, so that we don't need
-    // to re-authorize every time we reload the page.
-    stateStorage: DEBUG ? sessionStateStorage : undefined,
-  })
-  ipn.run({
-    notifyState: notifyState.bind(null, ipn),
-    notifyNetMap: notifyNetMap.bind(null, ipn),
-    notifyBrowseToURL: notifyBrowseToURL.bind(null, ipn),
-    notifyPanicRecover: handleGoPanic,
-  })
-})
-
-function handleGoPanic(err?: string) {
-  if (DEBUG && err) {
-    console.error("Go panic", err)
-  }
-  if (panicNode) {
-    panicNode.remove()
-  }
-  panicNode = document.createElement("div")
-  panicNode.className =
-    "rounded bg-red-500 p-2 absolute top-2 right-2 text-white font-bold text-right cursor-pointer"
-  panicNode.textContent = "Tailscale has encountered an error."
-  const panicDetailNode = document.createElement("div")
-  panicDetailNode.className = "text-sm font-normal"
-  panicDetailNode.textContent = "Click to reload"
-  panicNode.appendChild(panicDetailNode)
-  panicNode.addEventListener("click", () => location.reload(), {
-    once: true,
-  })
-  document.body.appendChild(panicNode)
-  setTimeout(() => {
-    panicNode!.remove()
-  }, 10000)
-}
-
-let panicNode: HTMLDivElement | undefined
-
-export function getContentNode(): HTMLDivElement {
-  return document.querySelector("#content") as HTMLDivElement
-}

cmd/tsconnect/src/js-state-store.ts

@@ -1,14 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/** @fileoverview Callbacks used by jsStateStore to persist IPN state. */
-
-export const sessionStateStorage: IPNStateStorage = {
-  setState(id, value) {
-    window.sessionStorage[`ipn-state-${id}`] = value
-  },
-  getState(id) {
-    return window.sessionStorage[`ipn-state-${id}`] || ""
-  },
-}

cmd/tsconnect/src/login.ts

@@ -1,74 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-import * as qrcode from "qrcode"
-import { getContentNode } from "./index"
-
-export async function showLoginURL(url: string) {
-  if (loginNode) {
-    loginNode.remove()
-  }
-  loginNode = document.createElement("div")
-  loginNode.className = "flex flex-col items-center justify-items-center"
-  const linkNode = document.createElement("a")
-  linkNode.className = "link"
-  linkNode.href = url
-  linkNode.target = "_blank"
-  loginNode.appendChild(linkNode)
-
-  try {
-    const dataURL = await qrcode.toDataURL(url, { width: 512 })
-    const imageNode = document.createElement("img")
-    imageNode.className = "mx-auto"
-    imageNode.src = dataURL
-    imageNode.width = 256
-    imageNode.height = 256
-    linkNode.appendChild(imageNode)
-  } catch (err) {
-    console.error("Could not generate QR code:", err)
-  }
-
-  linkNode.appendChild(document.createTextNode(url))
-
-  getContentNode().appendChild(loginNode)
-}
-
-export function hideLoginURL() {
-  if (!loginNode) {
-    return
-  }
-  loginNode.remove()
-  loginNode = undefined
-}
-
-let loginNode: HTMLDivElement | undefined
-
-export function showLogoutButton(ipn: IPN) {
-  if (logoutButtonNode) {
-    logoutButtonNode.remove()
-  }
-  logoutButtonNode = document.createElement("button")
-  logoutButtonNode.className =
-    "button bg-gray-500 border-gray-500 text-white hover:bg-gray-600 hover:border-gray-600 ml-2 font-bold"
-  logoutButtonNode.textContent = "Logout"
-  logoutButtonNode.addEventListener(
-    "click",
-    () => {
-      ipn.logout()
-    },
-    { once: true }
-  )
-  const headerNode = document.getElementsByTagName("header")[0]!
-  headerNode.appendChild(logoutButtonNode)
-}
-
-export function hideLogoutButton() {
-  if (!logoutButtonNode) {
-    return
-  }
-  logoutButtonNode.remove()
-  logoutButtonNode = undefined
-}
-
-let logoutButtonNode: HTMLButtonElement | undefined

cmd/tsconnect/src/notifier.ts

@@ -1,65 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-import {
-  showLoginURL,
-  hideLoginURL,
-  showLogoutButton,
-  hideLogoutButton,
-} from "./login"
-import { showSSHForm, hideSSHForm } from "./ssh"
-import { IPNState } from "./wasm_js"
-
-/**
- * @fileoverview Notification callback functions (bridged from ipn.Notify)
- */
-
-export function notifyState(ipn: IPN, state: IPNState) {
-  let stateLabel
-  switch (state) {
-    case IPNState.NoState:
-      stateLabel = "Initializing…"
-      break
-    case IPNState.InUseOtherUser:
-      stateLabel = "In-use by another user"
-      break
-    case IPNState.NeedsLogin:
-      stateLabel = "Needs Login"
-      hideLogoutButton()
-      hideSSHForm()
-      ipn.login()
-      break
-    case IPNState.NeedsMachineAuth:
-      stateLabel = "Needs authorization"
-      break
-    case IPNState.Stopped:
-      stateLabel = "Stopped"
-      hideLogoutButton()
-      hideSSHForm()
-      break
-    case IPNState.Starting:
-      stateLabel = "Starting…"
-      break
-    case IPNState.Running:
-      stateLabel = "Running"
-      hideLoginURL()
-      showLogoutButton(ipn)
-      break
-  }
-  const stateNode = document.querySelector("#state") as HTMLDivElement
-  stateNode.textContent = stateLabel ?? ""
-}
-
-export function notifyNetMap(ipn: IPN, netMapStr: string) {
-  const netMap = JSON.parse(netMapStr) as IPNNetMap
-  if (DEBUG) {
-    console.log("Received net map: " + JSON.stringify(netMap, null, 2))
-  }
-
-  showSSHForm(netMap.peers, ipn)
-}
-
-export function notifyBrowseToURL(ipn: IPN, url: string) {
-  showLoginURL(url)
-}

cmd/tsconnect/src/ssh.ts

@@ -1,98 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-import { Terminal } from "xterm"
-import { FitAddon } from "xterm-addon-fit"
-import { getContentNode } from "./index"
-
-export function showSSHForm(peers: IPNNetMapPeerNode[], ipn: IPN) {
-  const formNode = document.querySelector("#ssh-form") as HTMLDivElement
-  const noSSHNode = document.querySelector("#no-ssh") as HTMLDivElement
-
-  const sshPeers = peers.filter(
-    (p) => p.tailscaleSSHEnabled && p.online !== false
-  )
-  if (sshPeers.length == 0) {
-    formNode.classList.add("hidden")
-    noSSHNode.classList.remove("hidden")
-    return
-  }
-  sshPeers.sort((a, b) => a.name.localeCompare(b.name))
-
-  const selectNode = formNode.querySelector("select")!
-  selectNode.innerHTML = ""
-  for (const p of sshPeers) {
-    const option = document.createElement("option")
-    option.textContent = p.name.split(".")[0]
-    option.value = p.name
-    selectNode.appendChild(option)
-  }
-
-  const usernameNode = formNode.querySelector(".username") as HTMLInputElement
-  formNode.onsubmit = (e) => {
-    e.preventDefault()
-    const hostname = selectNode.value
-    ssh(hostname, usernameNode.value, ipn)
-  }
-
-  noSSHNode.classList.add("hidden")
-  formNode.classList.remove("hidden")
-}
-
-export function hideSSHForm() {
-  const formNode = document.querySelector("#ssh-form") as HTMLDivElement
-  formNode.classList.add("hidden")
-}
-
-function ssh(hostname: string, username: string, ipn: IPN) {
-  document.body.classList.add("ssh-active")
-  const termContainerNode = document.createElement("div")
-  termContainerNode.className = "flex-grow bg-black p-2 overflow-hidden"
-  getContentNode().appendChild(termContainerNode)
-
-  const term = new Terminal({
-    cursorBlink: true,
-  })
-  const fitAddon = new FitAddon()
-  term.loadAddon(fitAddon)
-  term.open(termContainerNode)
-  fitAddon.fit()
-
-  let onDataHook: ((data: string) => void) | undefined
-  term.onData((e) => {
-    onDataHook?.(e)
-  })
-
-  term.focus()
-
-  const sshSession = ipn.ssh(hostname, username, {
-    writeFn: (input) => term.write(input),
-    setReadFn: (hook) => (onDataHook = hook),
-    rows: term.rows,
-    cols: term.cols,
-    onDone: () => {
-      resizeObserver.disconnect()
-      term.dispose()
-      termContainerNode.remove()
-      document.body.classList.remove("ssh-active")
-      window.removeEventListener("beforeunload", beforeUnloadListener)
-    },
-  })
-
-  // Make terminal and SSH session track the size of the containing DOM node.
-  const resizeObserver = new ResizeObserver((entries) => {
-    fitAddon.fit()
-  })
-  resizeObserver.observe(termContainerNode)
-  term.onResize(({ rows, cols }) => {
-    sshSession.resize(rows, cols)
-  })
-
-  // Close the session if the user closes the window without an explicit
-  // exit.
-  const beforeUnloadListener = () => {
-    sshSession.close()
-  }
-  window.addEventListener("beforeunload", beforeUnloadListener)
-}

cmd/tsconnect/src/wasm_js.ts

@@ -1,98 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/**
- * @fileoverview Type definitions for types exported by the wasm_js.go Go
- * module. Not actually a .d.ts file so that we can use enums from it in
- * esbuild's simplified TypeScript compiler (see https://github.com/evanw/esbuild/issues/2298#issuecomment-1146378367)
- */
-
-declare global {
-  function newIPN(config: IPNConfig): IPN
-
-  interface IPN {
-    run(callbacks: IPNCallbacks): void
-    login(): void
-    logout(): void
-    ssh(
-      host: string,
-      username: string,
-      termConfig: {
-        writeFn: (data: string) => void
-        setReadFn: (readFn: (data: string) => void) => void
-        rows: number
-        cols: number
-        onDone: () => void
-      }
-    ): IPNSSHSession
-    fetch(
-      url: string
-    ): Promise<{
-      status: number
-      statusText: string
-      text: () => Promise<string>
-    }>
-  }
-
-  interface IPNSSHSession {
-    resize(rows: number, cols: number): boolean
-    close(): boolean
-  }
-
-  interface IPNStateStorage {
-    setState(id: string, value: string): void
-    getState(id: string): string
-  }
-
-  type IPNConfig = {
-    stateStorage?: IPNStateStorage
-  }
-
-  type IPNCallbacks = {
-    notifyState: (state: IPNState) => void
-    notifyNetMap: (netMapStr: string) => void
-    notifyBrowseToURL: (url: string) => void
-    notifyPanicRecover: (err: string) => void
-  }
-
-  type IPNNetMap = {
-    self: IPNNetMapSelfNode
-    peers: IPNNetMapPeerNode[]
-  }
-
-  type IPNNetMapNode = {
-    name: string
-    addresses: string[]
-    machineKey: string
-    nodeKey: string
-  }
-
-  type IPNNetMapSelfNode = IPNNetMapNode & {
-    machineStatus: IPNMachineStatus
-  }
-
-  type IPNNetMapPeerNode = IPNNetMapNode & {
-    online?: boolean
-    tailscaleSSHEnabled: boolean
-  }
-}
-
-/** Mirrors values from ipn/backend.go */
-export const enum IPNState {
-  NoState = 0,
-  InUseOtherUser = 1,
-  NeedsLogin = 2,
-  NeedsMachineAuth = 3,
-  Stopped = 4,
-  Starting = 5,
-  Running = 6,
-}
-
-/** Mirrors values from MachineStatus in tailcfg.go */
-export const enum IPNMachineStatus {
-  MachineUnknown = 0,
-  MachineUnauthorized = 1,
-  MachineAuthorized = 2,
-  MachineInvalid = 3,
-}

cmd/tsconnect/tailwind.config.js

@@ -1,8 +0,0 @@
-/** @type {import('tailwindcss').Config} */
-module.exports = {
-  content: ["./index.html", "./src/**/*.ts"],
-  theme: {
-    extend: {},
-  },
-  plugins: [],
-}

cmd/tsconnect/tsconfig.json

@@ -1,13 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2017",
-    "module": "ES2020",
-    "moduleResolution": "node",
-    "isolatedModules": true,
-    "strict": true,
-    "forceConsistentCasingInFileNames": true,
-    "sourceMap": true
-  },
-  "include": ["src/**/*"],
-  "exclude": ["node_modules"]
-}

cmd/tsconnect/tsconnect.go

@@ -1,63 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The tsconnect command builds and serves the static site that is generated for
-// the Tailscale Connect JS/WASM client. Can be run in 3 modes:
-//   - dev: builds the site and serves it. JS and CSS changes can be picked up
-//     with a reload.
-//   - build: builds the site and writes it to dist/
-//   - serve: serves the site from dist/ (embedded in the binary)
-package main // import "tailscale.com/cmd/tsconnect"
-
-import (
-	"flag"
-	"fmt"
-	"log"
-	"os"
-)
-
-var (
-	addr            = flag.String("addr", ":9090", "address to listen on")
-	distDir         = flag.String("distdir", "./dist", "path of directory to place build output in")
-	yarnPath        = flag.String("yarnpath", "../../tool/yarn", "path yarn executable used to install JavaScript dependencies")
-	fastCompression = flag.Bool("fast-compression", false, "Use faster compression when building, to speed up build time. Meant to iterative/debugging use only.")
-)
-
-func main() {
-	flag.Usage = usage
-	flag.Parse()
-	if len(flag.Args()) != 1 {
-		flag.Usage()
-	}
-
-	switch flag.Arg(0) {
-	case "dev":
-		runDev()
-	case "build":
-		runBuild()
-	case "serve":
-		runServe()
-	default:
-		log.Printf("Unknown command: %s", flag.Arg(0))
-		flag.Usage()
-	}
-}
-
-func usage() {
-	fmt.Fprintf(os.Stderr, `
-usage: tsconnect {dev|build|serve}
-`[1:])
-
-	flag.PrintDefaults()
-	fmt.Fprintf(os.Stderr, `
-
-tsconnect implements development/build/serving workflows for Tailscale Connect.
-It can be invoked with one of three subcommands:
-
-- dev: Run in development mode, allowing JS and CSS changes to be picked up without a rebuilt or restart.
-- build: Run in production build mode (generating static assets)
-- serve: Run in production serve mode (serving static assets)
-`[1:])
-	os.Exit(2)
-}

cmd/tsconnect/wasm/wasm_js.go

@@ -1,529 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The wasm package builds a WebAssembly module that provides a subset of
-// Tailscale APIs to JavaScript.
-//
-// When run in the browser, a newIPN(config) function is added to the global JS
-// namespace. When called it returns an ipn object with the methods
-// run(callbacks), login(), logout(), and ssh(...).
-package main
-
-import (
-	"bytes"
-	"context"
-	"encoding/hex"
-	"encoding/json"
-	"fmt"
-	"log"
-	"math/rand"
-	"net"
-	"net/http"
-	"net/netip"
-	"strings"
-	"syscall/js"
-	"time"
-
-	"golang.org/x/crypto/ssh"
-	"tailscale.com/control/controlclient"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnlocal"
-	"tailscale.com/ipn/ipnserver"
-	"tailscale.com/ipn/store/mem"
-	"tailscale.com/net/netns"
-	"tailscale.com/net/tsdial"
-	"tailscale.com/safesocket"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/logger"
-	"tailscale.com/wgengine"
-	"tailscale.com/wgengine/netstack"
-	"tailscale.com/words"
-)
-
-func main() {
-	js.Global().Set("newIPN", js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-		if len(args) != 1 {
-			log.Fatal("Usage: newIPN(config)")
-			return nil
-		}
-		return newIPN(args[0])
-	}))
-	// Keep Go runtime alive, otherwise it will be shut down before newIPN gets
-	// called.
-	<-make(chan bool)
-}
-
-func newIPN(jsConfig js.Value) map[string]any {
-	netns.SetEnabled(false)
-	var logf logger.Logf = log.Printf
-
-	dialer := new(tsdial.Dialer)
-	eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
-		Dialer: dialer,
-	})
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	tunDev, magicConn, dnsManager, ok := eng.(wgengine.InternalsGetter).GetInternals()
-	if !ok {
-		log.Fatalf("%T is not a wgengine.InternalsGetter", eng)
-	}
-	ns, err := netstack.Create(logf, tunDev, eng, magicConn, dialer, dnsManager)
-	if err != nil {
-		log.Fatalf("netstack.Create: %v", err)
-	}
-	ns.ProcessLocalIPs = true
-	ns.ProcessSubnets = true
-	if err := ns.Start(); err != nil {
-		log.Fatalf("failed to start netstack: %v", err)
-	}
-	dialer.UseNetstackForIP = func(ip netip.Addr) bool {
-		return true
-	}
-	dialer.NetstackDialTCP = func(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
-		return ns.DialContextTCP(ctx, dst)
-	}
-
-	jsStateStorage := jsConfig.Get("stateStorage")
-	var store ipn.StateStore
-	if jsStateStorage.IsUndefined() {
-		store = new(mem.Store)
-	} else {
-		store = &jsStateStore{jsStateStorage}
-	}
-	srv, err := ipnserver.New(log.Printf, "some-logid", store, eng, dialer, nil, ipnserver.Options{
-		SurviveDisconnects: true,
-		LoginFlags:         controlclient.LoginEphemeral,
-	})
-	if err != nil {
-		log.Fatalf("ipnserver.New: %v", err)
-	}
-	lb := srv.LocalBackend()
-	ns.SetLocalBackend(lb)
-
-	jsIPN := &jsIPN{
-		dialer: dialer,
-		srv:    srv,
-		lb:     lb,
-	}
-
-	return map[string]any{
-		"run": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-			if len(args) != 1 {
-				log.Fatal(`Usage: run({
-					notifyState(state: int): void,
-					notifyNetMap(netMap: object): void,
-					notifyBrowseToURL(url: string): void,
-					notifyPanicRecover(err: string): void,
-				})`)
-				return nil
-			}
-			jsIPN.run(args[0])
-			return nil
-		}),
-		"login": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-			if len(args) != 0 {
-				log.Printf("Usage: login()")
-				return nil
-			}
-			jsIPN.login()
-			return nil
-		}),
-		"logout": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-			if len(args) != 0 {
-				log.Printf("Usage: logout()")
-				return nil
-			}
-			jsIPN.logout()
-			return nil
-		}),
-		"ssh": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-			if len(args) != 3 {
-				log.Printf("Usage: ssh(hostname, userName, termConfig)")
-				return nil
-			}
-			return jsIPN.ssh(
-				args[0].String(),
-				args[1].String(),
-				args[2])
-		}),
-		"fetch": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-			if len(args) != 1 {
-				log.Printf("Usage: fetch(url)")
-				return nil
-			}
-
-			url := args[0].String()
-			return jsIPN.fetch(url)
-		}),
-	}
-}
-
-type jsIPN struct {
-	dialer *tsdial.Dialer
-	srv    *ipnserver.Server
-	lb     *ipnlocal.LocalBackend
-}
-
-func (i *jsIPN) run(jsCallbacks js.Value) {
-	notifyState := func(state ipn.State) {
-		jsCallbacks.Call("notifyState", int(state))
-	}
-	notifyState(ipn.NoState)
-
-	i.lb.SetNotifyCallback(func(n ipn.Notify) {
-		// Panics in the notify callback are likely due to be due to bugs in
-		// this bridging module (as opposed to actual bugs in Tailscale) and
-		// thus may be recoverable. Let the UI know, and allow the user to
-		// choose if they want to reload the page.
-		defer func() {
-			if r := recover(); r != nil {
-				fmt.Println("Panic recovered:", r)
-				jsCallbacks.Call("notifyPanicRecover", fmt.Sprint(r))
-			}
-		}()
-		log.Printf("NOTIFY: %+v", n)
-		if n.State != nil {
-			notifyState(*n.State)
-		}
-		if nm := n.NetMap; nm != nil && i.lb.State() == ipn.Running {
-			jsNetMap := jsNetMap{
-				Self: jsNetMapSelfNode{
-					jsNetMapNode: jsNetMapNode{
-						Name:       nm.Name,
-						Addresses:  mapSlice(nm.Addresses, func(a netip.Prefix) string { return a.Addr().String() }),
-						NodeKey:    nm.NodeKey.String(),
-						MachineKey: nm.MachineKey.String(),
-					},
-					MachineStatus: int(nm.MachineStatus),
-				},
-				Peers: mapSlice(nm.Peers, func(p *tailcfg.Node) jsNetMapPeerNode {
-					name := p.Name
-					if name == "" {
-						// In practice this should only happen for Hello.
-						name = p.Hostinfo.Hostname()
-					}
-					return jsNetMapPeerNode{
-						jsNetMapNode: jsNetMapNode{
-							Name:       name,
-							Addresses:  mapSlice(p.Addresses, func(a netip.Prefix) string { return a.Addr().String() }),
-							MachineKey: p.Machine.String(),
-							NodeKey:    p.Key.String(),
-						},
-						Online:              p.Online,
-						TailscaleSSHEnabled: p.Hostinfo.TailscaleSSHEnabled(),
-					}
-				}),
-			}
-			if jsonNetMap, err := json.Marshal(jsNetMap); err == nil {
-				jsCallbacks.Call("notifyNetMap", string(jsonNetMap))
-			} else {
-				log.Printf("Could not generate JSON netmap: %v", err)
-			}
-		}
-		if n.BrowseToURL != nil {
-			jsCallbacks.Call("notifyBrowseToURL", *n.BrowseToURL)
-		}
-	})
-
-	go func() {
-		err := i.lb.Start(ipn.Options{
-			StateKey: "wasm",
-			UpdatePrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				RouteAll:         false,
-				AllowSingleHosts: true,
-				WantRunning:      true,
-				Hostname:         generateHostname(),
-			},
-		})
-		if err != nil {
-			log.Printf("Start error: %v", err)
-		}
-	}()
-
-	go func() {
-		ln, _, err := safesocket.Listen("", 0)
-		if err != nil {
-			log.Fatalf("safesocket.Listen: %v", err)
-		}
-
-		err = i.srv.Run(context.Background(), ln)
-		log.Fatalf("ipnserver.Run exited: %v", err)
-	}()
-}
-
-func (i *jsIPN) login() {
-	go i.lb.StartLoginInteractive()
-}
-
-func (i *jsIPN) logout() {
-	if i.lb.State() == ipn.NoState {
-		log.Printf("Backend not running")
-	}
-	go i.lb.Logout()
-}
-
-func (i *jsIPN) ssh(host, username string, termConfig js.Value) map[string]any {
-	jsSSHSession := &jsSSHSession{
-		jsIPN:      i,
-		host:       host,
-		username:   username,
-		termConfig: termConfig,
-	}
-
-	go jsSSHSession.Run()
-
-	return map[string]any{
-		"close": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-			return jsSSHSession.Close() != nil
-		}),
-		"resize": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-			rows := args[0].Int()
-			cols := args[1].Int()
-			return jsSSHSession.Resize(rows, cols) != nil
-		}),
-	}
-}
-
-type jsSSHSession struct {
-	jsIPN      *jsIPN
-	host       string
-	username   string
-	termConfig js.Value
-	session    *ssh.Session
-}
-
-func (s *jsSSHSession) Run() {
-	writeFn := s.termConfig.Get("writeFn")
-	setReadFn := s.termConfig.Get("setReadFn")
-	rows := s.termConfig.Get("rows").Int()
-	cols := s.termConfig.Get("cols").Int()
-	onDone := s.termConfig.Get("onDone")
-	defer onDone.Invoke()
-
-	write := func(s string) {
-		writeFn.Invoke(s)
-	}
-	writeError := func(label string, err error) {
-		write(fmt.Sprintf("%s Error: %v\r\n", label, err))
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-	c, err := s.jsIPN.dialer.UserDial(ctx, "tcp", net.JoinHostPort(s.host, "22"))
-	if err != nil {
-		writeError("Dial", err)
-		return
-	}
-	defer c.Close()
-
-	config := &ssh.ClientConfig{
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-		User:            s.username,
-	}
-
-	sshConn, _, _, err := ssh.NewClientConn(c, s.host, config)
-	if err != nil {
-		writeError("SSH Connection", err)
-		return
-	}
-	defer sshConn.Close()
-	write("SSH Connected\r\n")
-
-	sshClient := ssh.NewClient(sshConn, nil, nil)
-	defer sshClient.Close()
-
-	session, err := sshClient.NewSession()
-	if err != nil {
-		writeError("SSH Session", err)
-		return
-	}
-	s.session = session
-	write("Session Established\r\n")
-	defer session.Close()
-
-	stdin, err := session.StdinPipe()
-	if err != nil {
-		writeError("SSH Stdin", err)
-		return
-	}
-
-	session.Stdout = termWriter{writeFn}
-	session.Stderr = termWriter{writeFn}
-
-	setReadFn.Invoke(js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-		input := args[0].String()
-		_, err := stdin.Write([]byte(input))
-		if err != nil {
-			writeError("Write Input", err)
-		}
-		return nil
-	}))
-
-	err = session.RequestPty("xterm", rows, cols, ssh.TerminalModes{})
-
-	if err != nil {
-		writeError("Pseudo Terminal", err)
-		return
-	}
-
-	err = session.Shell()
-	if err != nil {
-		writeError("Shell", err)
-		return
-	}
-
-	err = session.Wait()
-	if err != nil {
-		writeError("Wait", err)
-		return
-	}
-}
-
-func (s *jsSSHSession) Close() error {
-	return s.session.Close()
-}
-
-func (s *jsSSHSession) Resize(rows, cols int) error {
-	return s.session.WindowChange(rows, cols)
-}
-
-func (i *jsIPN) fetch(url string) js.Value {
-	return makePromise(func() (any, error) {
-		c := &http.Client{
-			Transport: &http.Transport{
-				DialContext: i.dialer.UserDial,
-			},
-		}
-		res, err := c.Get(url)
-		if err != nil {
-			return nil, err
-		}
-
-		return map[string]any{
-			"status":     res.StatusCode,
-			"statusText": res.Status,
-			"text": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-				return makePromise(func() (any, error) {
-					defer res.Body.Close()
-					buf := new(bytes.Buffer)
-					if _, err := buf.ReadFrom(res.Body); err != nil {
-						return nil, err
-					}
-					return buf.String(), nil
-				})
-			}),
-			// TODO: populate a more complete JS Response object
-		}, nil
-	})
-}
-
-type termWriter struct {
-	f js.Value
-}
-
-func (w termWriter) Write(p []byte) (n int, err error) {
-	r := bytes.Replace(p, []byte("\n"), []byte("\n\r"), -1)
-	w.f.Invoke(string(r))
-	return len(p), nil
-}
-
-type jsNetMap struct {
-	Self  jsNetMapSelfNode   `json:"self"`
-	Peers []jsNetMapPeerNode `json:"peers"`
-}
-
-type jsNetMapNode struct {
-	Name       string   `json:"name"`
-	Addresses  []string `json:"addresses"`
-	MachineKey string   `json:"machineKey"`
-	NodeKey    string   `json:"nodeKey"`
-}
-
-type jsNetMapSelfNode struct {
-	jsNetMapNode
-	MachineStatus int `json:"machineStatus"`
-}
-
-type jsNetMapPeerNode struct {
-	jsNetMapNode
-	Online              *bool `json:"online,omitempty"`
-	TailscaleSSHEnabled bool  `json:"tailscaleSSHEnabled"`
-}
-
-type jsStateStore struct {
-	jsStateStorage js.Value
-}
-
-func (s *jsStateStore) ReadState(id ipn.StateKey) ([]byte, error) {
-	jsValue := s.jsStateStorage.Call("getState", string(id))
-	if jsValue.String() == "" {
-		return nil, ipn.ErrStateNotExist
-	}
-	return hex.DecodeString(jsValue.String())
-}
-
-func (s *jsStateStore) WriteState(id ipn.StateKey, bs []byte) error {
-	s.jsStateStorage.Call("setState", string(id), hex.EncodeToString(bs))
-	return nil
-}
-
-func mapSlice[T any, M any](a []T, f func(T) M) []M {
-	n := make([]M, len(a))
-	for i, e := range a {
-		n[i] = f(e)
-	}
-	return n
-}
-
-func filterSlice[T any](a []T, f func(T) bool) []T {
-	n := make([]T, 0, len(a))
-	for _, e := range a {
-		if f(e) {
-			n = append(n, e)
-		}
-	}
-	return n
-}
-
-func generateHostname() string {
-	tails := words.Tails()
-	scales := words.Scales()
-	if rand.Int()%2 == 0 {
-		// JavaScript
-		tails = filterSlice(tails, func(s string) bool { return strings.HasPrefix(s, "j") })
-		scales = filterSlice(scales, func(s string) bool { return strings.HasPrefix(s, "s") })
-	} else {
-		// WebAssembly
-		tails = filterSlice(tails, func(s string) bool { return strings.HasPrefix(s, "w") })
-		scales = filterSlice(scales, func(s string) bool { return strings.HasPrefix(s, "a") })
-	}
-
-	tail := tails[rand.Intn(len(tails))]
-	scale := scales[rand.Intn(len(scales))]
-	return fmt.Sprintf("%s-%s", tail, scale)
-}
-
-// makePromise handles the boilerplate of wrapping goroutines with JS promises.
-// f is run on a goroutine and its return value is used to resolve the promise
-// (or reject it if an error is returned).
-func makePromise(f func() (any, error)) js.Value {
-	handler := js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-		resolve := args[0]
-		reject := args[1]
-		go func() {
-			if res, err := f(); err == nil {
-				resolve.Invoke(res)
-			} else {
-				reject.Invoke(err.Error())
-			}
-		}()
-		return nil
-	})
-
-	promiseConstructor := js.Global().Get("Promise")
-	return promiseConstructor.New(handler)
-}

cmd/tsconnect/yarn.lock

@@ -1,649 +0,0 @@
-# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
-# yarn lockfile v1
-
-
-"@nodelib/fs.scandir@2.1.5":
-  version "2.1.5"
-  resolved "https://registry.yarnpkg.com/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz#7619c2eb21b25483f6d167548b4cfd5a7488c3d5"
-  integrity sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==
-  dependencies:
-    "@nodelib/fs.stat" "2.0.5"
-    run-parallel "^1.1.9"
-
-"@nodelib/fs.stat@2.0.5", "@nodelib/fs.stat@^2.0.2":
-  version "2.0.5"
-  resolved "https://registry.yarnpkg.com/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz#5bd262af94e9d25bd1e71b05deed44876a222e8b"
-  integrity sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==
-
-"@nodelib/fs.walk@^1.2.3":
-  version "1.2.8"
-  resolved "https://registry.yarnpkg.com/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz#e95737e8bb6746ddedf69c556953494f196fe69a"
-  integrity sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==
-  dependencies:
-    "@nodelib/fs.scandir" "2.1.5"
-    fastq "^1.6.0"
-
-"@types/golang-wasm-exec@^1.15.0":
-  version "1.15.0"
-  resolved "https://registry.yarnpkg.com/@types/golang-wasm-exec/-/golang-wasm-exec-1.15.0.tgz#d0aafbb2b0dc07eaf45dfb83bfb6cdd5b2b3c55c"
-  integrity sha512-FrL97mp7WW8LqNinVkzTVKOIQKuYjQqgucnh41+1vRQ+bf1LT8uh++KRf9otZPXsa6H1p8ruIGz1BmCGttOL6Q==
-
-"@types/node@*":
-  version "18.6.1"
-  resolved "https://registry.yarnpkg.com/@types/node/-/node-18.6.1.tgz#828e4785ccca13f44e2fb6852ae0ef11e3e20ba5"
-  integrity sha512-z+2vB6yDt1fNwKOeGbckpmirO+VBDuQqecXkgeIqDlaOtmKn6hPR/viQ8cxCfqLU4fTlvM3+YjM367TukWdxpg==
-
-"@types/qrcode@^1.4.2":
-  version "1.4.2"
-  resolved "https://registry.yarnpkg.com/@types/qrcode/-/qrcode-1.4.2.tgz#7d7142d6fa9921f195db342ed08b539181546c74"
-  integrity sha512-7uNT9L4WQTNJejHTSTdaJhfBSCN73xtXaHFyBJ8TSwiLhe4PRuTue7Iph0s2nG9R/ifUaSnGhLUOZavlBEqDWQ==
-  dependencies:
-    "@types/node" "*"
-
-acorn-node@^1.8.2:
-  version "1.8.2"
-  resolved "https://registry.yarnpkg.com/acorn-node/-/acorn-node-1.8.2.tgz#114c95d64539e53dede23de8b9d96df7c7ae2af8"
-  integrity sha512-8mt+fslDufLYntIoPAaIMUe/lrbrehIiwmR3t2k9LljIzoigEPF27eLk2hy8zSGzmR/ogr7zbRKINMo1u0yh5A==
-  dependencies:
-    acorn "^7.0.0"
-    acorn-walk "^7.0.0"
-    xtend "^4.0.2"
-
-acorn-walk@^7.0.0:
-  version "7.2.0"
-  resolved "https://registry.yarnpkg.com/acorn-walk/-/acorn-walk-7.2.0.tgz#0de889a601203909b0fbe07b8938dc21d2e967bc"
-  integrity sha512-OPdCF6GsMIP+Az+aWfAAOEt2/+iVDKE7oy6lJ098aoe59oAmK76qV6Gw60SbZ8jHuG2wH058GF4pLFbYamYrVA==
-
-acorn@^7.0.0:
-  version "7.4.1"
-  resolved "https://registry.yarnpkg.com/acorn/-/acorn-7.4.1.tgz#feaed255973d2e77555b83dbc08851a6c63520fa"
-  integrity sha512-nQyp0o1/mNdbTO1PO6kHkwSrmgZ0MT/jCCpNiwbUjGoRN4dlBhqJtoQuCnEOKzgTVwg0ZWiCoQy6SxMebQVh8A==
-
-ansi-regex@^5.0.1:
-  version "5.0.1"
-  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-5.0.1.tgz#082cb2c89c9fe8659a311a53bd6a4dc5301db304"
-  integrity sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==
-
-ansi-styles@^4.0.0:
-  version "4.3.0"
-  resolved "https://registry.yarnpkg.com/ansi-styles/-/ansi-styles-4.3.0.tgz#edd803628ae71c04c85ae7a0906edad34b648937"
-  integrity sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==
-  dependencies:
-    color-convert "^2.0.1"
-
-anymatch@~3.1.2:
-  version "3.1.2"
-  resolved "https://registry.yarnpkg.com/anymatch/-/anymatch-3.1.2.tgz#c0557c096af32f106198f4f4e2a383537e378716"
-  integrity sha512-P43ePfOAIupkguHUycrc4qJ9kz8ZiuOUijaETwX7THt0Y/GNK7v0aa8rY816xWjZ7rJdA5XdMcpVFTKMq+RvWg==
-  dependencies:
-    normalize-path "^3.0.0"
-    picomatch "^2.0.4"
-
-arg@^5.0.2:
-  version "5.0.2"
-  resolved "https://registry.yarnpkg.com/arg/-/arg-5.0.2.tgz#c81433cc427c92c4dcf4865142dbca6f15acd59c"
-  integrity sha512-PYjyFOLKQ9y57JvQ6QLo8dAgNqswh8M1RMJYdQduT6xbWSgK36P/Z/v+p888pM69jMMfS8Xd8F6I1kQ/I9HUGg==
-
-binary-extensions@^2.0.0:
-  version "2.2.0"
-  resolved "https://registry.yarnpkg.com/binary-extensions/-/binary-extensions-2.2.0.tgz#75f502eeaf9ffde42fc98829645be4ea76bd9e2d"
-  integrity sha512-jDctJ/IVQbZoJykoeHbhXpOlNBqGNcwXJKJog42E5HDPUwQTSdjCHdihjj0DlnheQ7blbT6dHOafNAiS8ooQKA==
-
-braces@^3.0.2, braces@~3.0.2:
-  version "3.0.2"
-  resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.2.tgz#3454e1a462ee8d599e236df336cd9ea4f8afe107"
-  integrity sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==
-  dependencies:
-    fill-range "^7.0.1"
-
-camelcase-css@^2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/camelcase-css/-/camelcase-css-2.0.1.tgz#ee978f6947914cc30c6b44741b6ed1df7f043fd5"
-  integrity sha512-QOSvevhslijgYwRx6Rv7zKdMF8lbRmx+uQGx2+vDc+KI/eBnsy9kit5aj23AgGu3pa4t9AgwbnXWqS+iOY+2aA==
-
-camelcase@^5.0.0:
-  version "5.3.1"
-  resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-5.3.1.tgz#e3c9b31569e106811df242f715725a1f4c494320"
-  integrity sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==
-
-chokidar@^3.5.3:
-  version "3.5.3"
-  resolved "https://registry.yarnpkg.com/chokidar/-/chokidar-3.5.3.tgz#1cf37c8707b932bd1af1ae22c0432e2acd1903bd"
-  integrity sha512-Dr3sfKRP6oTcjf2JmUmFJfeVMvXBdegxB0iVQ5eb2V10uFJUCAS8OByZdVAyVb8xXNz3GjjTgj9kLWsZTqE6kw==
-  dependencies:
-    anymatch "~3.1.2"
-    braces "~3.0.2"
-    glob-parent "~5.1.2"
-    is-binary-path "~2.1.0"
-    is-glob "~4.0.1"
-    normalize-path "~3.0.0"
-    readdirp "~3.6.0"
-  optionalDependencies:
-    fsevents "~2.3.2"
-
-cliui@^6.0.0:
-  version "6.0.0"
-  resolved "https://registry.yarnpkg.com/cliui/-/cliui-6.0.0.tgz#511d702c0c4e41ca156d7d0e96021f23e13225b1"
-  integrity sha512-t6wbgtoCXvAzst7QgXxJYqPt0usEfbgQdftEPbLL/cvv6HPE5VgvqCuAIDR0NgU52ds6rFwqrgakNLrHEjCbrQ==
-  dependencies:
-    string-width "^4.2.0"
-    strip-ansi "^6.0.0"
-    wrap-ansi "^6.2.0"
-
-color-convert@^2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/color-convert/-/color-convert-2.0.1.tgz#72d3a68d598c9bdb3af2ad1e84f21d896abd4de3"
-  integrity sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==
-  dependencies:
-    color-name "~1.1.4"
-
-color-name@^1.1.4, color-name@~1.1.4:
-  version "1.1.4"
-  resolved "https://registry.yarnpkg.com/color-name/-/color-name-1.1.4.tgz#c2a09a87acbde69543de6f63fa3995c826c536a2"
-  integrity sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==
-
-cssesc@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/cssesc/-/cssesc-3.0.0.tgz#37741919903b868565e1c09ea747445cd18983ee"
-  integrity sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==
-
-decamelize@^1.2.0:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/decamelize/-/decamelize-1.2.0.tgz#f6534d15148269b20352e7bee26f501f9a191290"
-  integrity sha1-9lNNFRSCabIDUue+4m9QH5oZEpA=
-
-defined@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/defined/-/defined-1.0.0.tgz#c98d9bcef75674188e110969151199e39b1fa693"
-  integrity sha512-Y2caI5+ZwS5c3RiNDJ6u53VhQHv+hHKwhkI1iHvceKUHw9Df6EK2zRLfjejRgMuCuxK7PfSWIMwWecceVvThjQ==
-
-detective@^5.2.1:
-  version "5.2.1"
-  resolved "https://registry.yarnpkg.com/detective/-/detective-5.2.1.tgz#6af01eeda11015acb0e73f933242b70f24f91034"
-  integrity sha512-v9XE1zRnz1wRtgurGu0Bs8uHKFSTdteYZNbIPFVhUZ39L/S79ppMpdmVOZAnoz1jfEFodc48n6MX483Xo3t1yw==
-  dependencies:
-    acorn-node "^1.8.2"
-    defined "^1.0.0"
-    minimist "^1.2.6"
-
-didyoumean@^1.2.2:
-  version "1.2.2"
-  resolved "https://registry.yarnpkg.com/didyoumean/-/didyoumean-1.2.2.tgz#989346ffe9e839b4555ecf5666edea0d3e8ad037"
-  integrity sha512-gxtyfqMg7GKyhQmb056K7M3xszy/myH8w+B4RT+QXBQsvAOdc3XymqDDPHx1BgPgsdAA5SIifona89YtRATDzw==
-
-dijkstrajs@^1.0.1:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/dijkstrajs/-/dijkstrajs-1.0.2.tgz#2e48c0d3b825462afe75ab4ad5e829c8ece36257"
-  integrity sha512-QV6PMaHTCNmKSeP6QoXhVTw9snc9VD8MulTT0Bd99Pacp4SS1cjcrYPgBPmibqKVtMJJfqC6XvOXgPMEEPH/fg==
-
-dlv@^1.1.3:
-  version "1.1.3"
-  resolved "https://registry.yarnpkg.com/dlv/-/dlv-1.1.3.tgz#5c198a8a11453596e751494d49874bc7732f2e79"
-  integrity sha512-+HlytyjlPKnIG8XuRG8WvmBP8xs8P71y+SKKS6ZXWoEgLuePxtDoUEiH7WkdePWrQ5JBpE6aoVqfZfJUQkjXwA==
-
-emoji-regex@^8.0.0:
-  version "8.0.0"
-  resolved "https://registry.yarnpkg.com/emoji-regex/-/emoji-regex-8.0.0.tgz#e818fd69ce5ccfcb404594f842963bf53164cc37"
-  integrity sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==
-
-encode-utf8@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/encode-utf8/-/encode-utf8-1.0.3.tgz#f30fdd31da07fb596f281beb2f6b027851994cda"
-  integrity sha512-ucAnuBEhUK4boH2HjVYG5Q2mQyPorvv0u/ocS+zhdw0S8AlHYY+GOFhP1Gio5z4icpP2ivFSvhtFjQi8+T9ppw==
-
-fast-glob@^3.2.11:
-  version "3.2.11"
-  resolved "https://registry.yarnpkg.com/fast-glob/-/fast-glob-3.2.11.tgz#a1172ad95ceb8a16e20caa5c5e56480e5129c1d9"
-  integrity sha512-xrO3+1bxSo3ZVHAnqzyuewYT6aMFHRAd4Kcs92MAonjwQZLsK9d0SF1IyQ3k5PoirxTW0Oe/RqFgMQ6TcNE5Ew==
-  dependencies:
-    "@nodelib/fs.stat" "^2.0.2"
-    "@nodelib/fs.walk" "^1.2.3"
-    glob-parent "^5.1.2"
-    merge2 "^1.3.0"
-    micromatch "^4.0.4"
-
-fastq@^1.6.0:
-  version "1.13.0"
-  resolved "https://registry.yarnpkg.com/fastq/-/fastq-1.13.0.tgz#616760f88a7526bdfc596b7cab8c18938c36b98c"
-  integrity sha512-YpkpUnK8od0o1hmeSc7UUs/eB/vIPWJYjKck2QKIzAf71Vm1AAQ3EbuZB3g2JIy+pg+ERD0vqI79KyZiB2e2Nw==
-  dependencies:
-    reusify "^1.0.4"
-
-fill-range@^7.0.1:
-  version "7.0.1"
-  resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-7.0.1.tgz#1919a6a7c75fe38b2c7c77e5198535da9acdda40"
-  integrity sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==
-  dependencies:
-    to-regex-range "^5.0.1"
-
-find-up@^4.1.0:
-  version "4.1.0"
-  resolved "https://registry.yarnpkg.com/find-up/-/find-up-4.1.0.tgz#97afe7d6cdc0bc5928584b7c8d7b16e8a9aa5d19"
-  integrity sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==
-  dependencies:
-    locate-path "^5.0.0"
-    path-exists "^4.0.0"
-
-fsevents@~2.3.2:
-  version "2.3.2"
-  resolved "https://registry.yarnpkg.com/fsevents/-/fsevents-2.3.2.tgz#8a526f78b8fdf4623b709e0b975c52c24c02fd1a"
-  integrity sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==
-
-function-bind@^1.1.1:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/function-bind/-/function-bind-1.1.1.tgz#a56899d3ea3c9bab874bb9773b7c5ede92f4895d"
-  integrity sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==
-
-get-caller-file@^2.0.1:
-  version "2.0.5"
-  resolved "https://registry.yarnpkg.com/get-caller-file/-/get-caller-file-2.0.5.tgz#4f94412a82db32f36e3b0b9741f8a97feb031f7e"
-  integrity sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==
-
-glob-parent@^5.1.2, glob-parent@~5.1.2:
-  version "5.1.2"
-  resolved "https://registry.yarnpkg.com/glob-parent/-/glob-parent-5.1.2.tgz#869832c58034fe68a4093c17dc15e8340d8401c4"
-  integrity sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==
-  dependencies:
-    is-glob "^4.0.1"
-
-glob-parent@^6.0.2:
-  version "6.0.2"
-  resolved "https://registry.yarnpkg.com/glob-parent/-/glob-parent-6.0.2.tgz#6d237d99083950c79290f24c7642a3de9a28f9e3"
-  integrity sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==
-  dependencies:
-    is-glob "^4.0.3"
-
-has@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/has/-/has-1.0.3.tgz#722d7cbfc1f6aa8241f16dd814e011e1f41e8796"
-  integrity sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==
-  dependencies:
-    function-bind "^1.1.1"
-
-is-binary-path@~2.1.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/is-binary-path/-/is-binary-path-2.1.0.tgz#ea1f7f3b80f064236e83470f86c09c254fb45b09"
-  integrity sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==
-  dependencies:
-    binary-extensions "^2.0.0"
-
-is-core-module@^2.9.0:
-  version "2.9.0"
-  resolved "https://registry.yarnpkg.com/is-core-module/-/is-core-module-2.9.0.tgz#e1c34429cd51c6dd9e09e0799e396e27b19a9c69"
-  integrity sha512-+5FPy5PnwmO3lvfMb0AsoPaBG+5KHUI0wYFXOtYPnVVVspTFUuMZNfNaNVRt3FZadstu2c8x23vykRW/NBoU6A==
-  dependencies:
-    has "^1.0.3"
-
-is-extglob@^2.1.1:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/is-extglob/-/is-extglob-2.1.1.tgz#a88c02535791f02ed37c76a1b9ea9773c833f8c2"
-  integrity sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==
-
-is-fullwidth-code-point@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz#f116f8064fe90b3f7844a38997c0b75051269f1d"
-  integrity sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==
-
-is-glob@^4.0.1, is-glob@^4.0.3, is-glob@~4.0.1:
-  version "4.0.3"
-  resolved "https://registry.yarnpkg.com/is-glob/-/is-glob-4.0.3.tgz#64f61e42cbbb2eec2071a9dac0b28ba1e65d5084"
-  integrity sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==
-  dependencies:
-    is-extglob "^2.1.1"
-
-is-number@^7.0.0:
-  version "7.0.0"
-  resolved "https://registry.yarnpkg.com/is-number/-/is-number-7.0.0.tgz#7535345b896734d5f80c4d06c50955527a14f12b"
-  integrity sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==
-
-lilconfig@^2.0.5:
-  version "2.0.6"
-  resolved "https://registry.yarnpkg.com/lilconfig/-/lilconfig-2.0.6.tgz#32a384558bd58af3d4c6e077dd1ad1d397bc69d4"
-  integrity sha512-9JROoBW7pobfsx+Sq2JsASvCo6Pfo6WWoUW79HuB1BCoBXD4PLWJPqDF6fNj67pqBYTbAHkE57M1kS/+L1neOg==
-
-locate-path@^5.0.0:
-  version "5.0.0"
-  resolved "https://registry.yarnpkg.com/locate-path/-/locate-path-5.0.0.tgz#1afba396afd676a6d42504d0a67a3a7eb9f62aa0"
-  integrity sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==
-  dependencies:
-    p-locate "^4.1.0"
-
-merge2@^1.3.0:
-  version "1.4.1"
-  resolved "https://registry.yarnpkg.com/merge2/-/merge2-1.4.1.tgz#4368892f885e907455a6fd7dc55c0c9d404990ae"
-  integrity sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==
-
-micromatch@^4.0.4:
-  version "4.0.5"
-  resolved "https://registry.yarnpkg.com/micromatch/-/micromatch-4.0.5.tgz#bc8999a7cbbf77cdc89f132f6e467051b49090c6"
-  integrity sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==
-  dependencies:
-    braces "^3.0.2"
-    picomatch "^2.3.1"
-
-minimist@^1.2.6:
-  version "1.2.6"
-  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.6.tgz#8637a5b759ea0d6e98702cfb3a9283323c93af44"
-  integrity sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==
-
-nanoid@^3.3.4:
-  version "3.3.4"
-  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.4.tgz#730b67e3cd09e2deacf03c027c81c9d9dbc5e8ab"
-  integrity sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==
-
-normalize-path@^3.0.0, normalize-path@~3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/normalize-path/-/normalize-path-3.0.0.tgz#0dcd69ff23a1c9b11fd0978316644a0388216a65"
-  integrity sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==
-
-object-hash@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/object-hash/-/object-hash-3.0.0.tgz#73f97f753e7baffc0e2cc9d6e079079744ac82e9"
-  integrity sha512-RSn9F68PjH9HqtltsSnqYC1XXoWe9Bju5+213R98cNGttag9q9yAOTzdbsqvIa7aNm5WffBZFpWYr2aWrklWAw==
-
-p-limit@^2.2.0:
-  version "2.3.0"
-  resolved "https://registry.yarnpkg.com/p-limit/-/p-limit-2.3.0.tgz#3dd33c647a214fdfffd835933eb086da0dc21db1"
-  integrity sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==
-  dependencies:
-    p-try "^2.0.0"
-
-p-locate@^4.1.0:
-  version "4.1.0"
-  resolved "https://registry.yarnpkg.com/p-locate/-/p-locate-4.1.0.tgz#a3428bb7088b3a60292f66919278b7c297ad4f07"
-  integrity sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==
-  dependencies:
-    p-limit "^2.2.0"
-
-p-try@^2.0.0:
-  version "2.2.0"
-  resolved "https://registry.yarnpkg.com/p-try/-/p-try-2.2.0.tgz#cb2868540e313d61de58fafbe35ce9004d5540e6"
-  integrity sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==
-
-path-exists@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/path-exists/-/path-exists-4.0.0.tgz#513bdbe2d3b95d7762e8c1137efa195c6c61b5b3"
-  integrity sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==
-
-path-parse@^1.0.7:
-  version "1.0.7"
-  resolved "https://registry.yarnpkg.com/path-parse/-/path-parse-1.0.7.tgz#fbc114b60ca42b30d9daf5858e4bd68bbedb6735"
-  integrity sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==
-
-picocolors@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/picocolors/-/picocolors-1.0.0.tgz#cb5bdc74ff3f51892236eaf79d68bc44564ab81c"
-  integrity sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==
-
-picomatch@^2.0.4, picomatch@^2.2.1, picomatch@^2.3.1:
-  version "2.3.1"
-  resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-2.3.1.tgz#3ba3833733646d9d3e4995946c1365a67fb07a42"
-  integrity sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==
-
-pify@^2.3.0:
-  version "2.3.0"
-  resolved "https://registry.yarnpkg.com/pify/-/pify-2.3.0.tgz#ed141a6ac043a849ea588498e7dca8b15330e90c"
-  integrity sha512-udgsAY+fTnvv7kI7aaxbqwWNb0AHiB0qBO89PZKPkoTmGOgdbrHDKD+0B2X4uTfJ/FT1R09r9gTsjUjNJotuog==
-
-pngjs@^5.0.0:
-  version "5.0.0"
-  resolved "https://registry.yarnpkg.com/pngjs/-/pngjs-5.0.0.tgz#e79dd2b215767fd9c04561c01236df960bce7fbb"
-  integrity sha512-40QW5YalBNfQo5yRYmiw7Yz6TKKVr3h6970B2YE+3fQpsWcrbj1PzJgxeJ19DRQjhMbKPIuMY8rFaXc8moolVw==
-
-postcss-import@^14.1.0:
-  version "14.1.0"
-  resolved "https://registry.yarnpkg.com/postcss-import/-/postcss-import-14.1.0.tgz#a7333ffe32f0b8795303ee9e40215dac922781f0"
-  integrity sha512-flwI+Vgm4SElObFVPpTIT7SU7R3qk2L7PyduMcokiaVKuWv9d/U+Gm/QAd8NDLuykTWTkcrjOeD2Pp1rMeBTGw==
-  dependencies:
-    postcss-value-parser "^4.0.0"
-    read-cache "^1.0.0"
-    resolve "^1.1.7"
-
-postcss-js@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-js/-/postcss-js-4.0.0.tgz#31db79889531b80dc7bc9b0ad283e418dce0ac00"
-  integrity sha512-77QESFBwgX4irogGVPgQ5s07vLvFqWr228qZY+w6lW599cRlK/HmnlivnnVUxkjHnCu4J16PDMHcH+e+2HbvTQ==
-  dependencies:
-    camelcase-css "^2.0.1"
-
-postcss-load-config@^3.1.4:
-  version "3.1.4"
-  resolved "https://registry.yarnpkg.com/postcss-load-config/-/postcss-load-config-3.1.4.tgz#1ab2571faf84bb078877e1d07905eabe9ebda855"
-  integrity sha512-6DiM4E7v4coTE4uzA8U//WhtPwyhiim3eyjEMFCnUpzbrkK9wJHgKDT2mR+HbtSrd/NubVaYTOpSpjUl8NQeRg==
-  dependencies:
-    lilconfig "^2.0.5"
-    yaml "^1.10.2"
-
-postcss-nested@5.0.6:
-  version "5.0.6"
-  resolved "https://registry.yarnpkg.com/postcss-nested/-/postcss-nested-5.0.6.tgz#466343f7fc8d3d46af3e7dba3fcd47d052a945bc"
-  integrity sha512-rKqm2Fk0KbA8Vt3AdGN0FB9OBOMDVajMG6ZCf/GoHgdxUJ4sBFp0A/uMIRm+MJUdo33YXEtjqIz8u7DAp8B7DA==
-  dependencies:
-    postcss-selector-parser "^6.0.6"
-
-postcss-selector-parser@^6.0.10, postcss-selector-parser@^6.0.6:
-  version "6.0.10"
-  resolved "https://registry.yarnpkg.com/postcss-selector-parser/-/postcss-selector-parser-6.0.10.tgz#79b61e2c0d1bfc2602d549e11d0876256f8df88d"
-  integrity sha512-IQ7TZdoaqbT+LCpShg46jnZVlhWD2w6iQYAcYXfHARZ7X1t/UGhhceQDs5X0cGqKvYlHNOuv7Oa1xmb0oQuA3w==
-  dependencies:
-    cssesc "^3.0.0"
-    util-deprecate "^1.0.2"
-
-postcss-value-parser@^4.0.0, postcss-value-parser@^4.2.0:
-  version "4.2.0"
-  resolved "https://registry.yarnpkg.com/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz#723c09920836ba6d3e5af019f92bc0971c02e514"
-  integrity sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==
-
-postcss@^8.4.14:
-  version "8.4.14"
-  resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.4.14.tgz#ee9274d5622b4858c1007a74d76e42e56fd21caf"
-  integrity sha512-E398TUmfAYFPBSdzgeieK2Y1+1cpdxJx8yXbK/m57nRhKSmk1GB2tO4lbLBtlkfPQTDKfe4Xqv1ASWPpayPEig==
-  dependencies:
-    nanoid "^3.3.4"
-    picocolors "^1.0.0"
-    source-map-js "^1.0.2"
-
-qrcode@^1.5.0:
-  version "1.5.0"
-  resolved "https://registry.yarnpkg.com/qrcode/-/qrcode-1.5.0.tgz#95abb8a91fdafd86f8190f2836abbfc500c72d1b"
-  integrity sha512-9MgRpgVc+/+47dFvQeD6U2s0Z92EsKzcHogtum4QB+UNd025WOJSHvn/hjk9xmzj7Stj95CyUAs31mrjxliEsQ==
-  dependencies:
-    dijkstrajs "^1.0.1"
-    encode-utf8 "^1.0.3"
-    pngjs "^5.0.0"
-    yargs "^15.3.1"
-
-queue-microtask@^1.2.2:
-  version "1.2.3"
-  resolved "https://registry.yarnpkg.com/queue-microtask/-/queue-microtask-1.2.3.tgz#4929228bbc724dfac43e0efb058caf7b6cfb6243"
-  integrity sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==
-
-quick-lru@^5.1.1:
-  version "5.1.1"
-  resolved "https://registry.yarnpkg.com/quick-lru/-/quick-lru-5.1.1.tgz#366493e6b3e42a3a6885e2e99d18f80fb7a8c932"
-  integrity sha512-WuyALRjWPDGtt/wzJiadO5AXY+8hZ80hVpe6MyivgraREW751X3SbhRvG3eLKOYN+8VEvqLcf3wdnt44Z4S4SA==
-
-read-cache@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/read-cache/-/read-cache-1.0.0.tgz#e664ef31161166c9751cdbe8dbcf86b5fb58f774"
-  integrity sha512-Owdv/Ft7IjOgm/i0xvNDZ1LrRANRfew4b2prF3OWMQLxLfu3bS8FVhCsrSCMK4lR56Y9ya+AThoTpDCTxCmpRA==
-  dependencies:
-    pify "^2.3.0"
-
-readdirp@~3.6.0:
-  version "3.6.0"
-  resolved "https://registry.yarnpkg.com/readdirp/-/readdirp-3.6.0.tgz#74a370bd857116e245b29cc97340cd431a02a6c7"
-  integrity sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==
-  dependencies:
-    picomatch "^2.2.1"
-
-require-directory@^2.1.1:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/require-directory/-/require-directory-2.1.1.tgz#8c64ad5fd30dab1c976e2344ffe7f792a6a6df42"
-  integrity sha1-jGStX9MNqxyXbiNE/+f3kqam30I=
-
-require-main-filename@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/require-main-filename/-/require-main-filename-2.0.0.tgz#d0b329ecc7cc0f61649f62215be69af54aa8989b"
-  integrity sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==
-
-resolve@^1.1.7, resolve@^1.22.1:
-  version "1.22.1"
-  resolved "https://registry.yarnpkg.com/resolve/-/resolve-1.22.1.tgz#27cb2ebb53f91abb49470a928bba7558066ac177"
-  integrity sha512-nBpuuYuY5jFsli/JIs1oldw6fOQCBioohqWZg/2hiaOybXOft4lonv85uDOKXdf8rhyK159cxU5cDcK/NKk8zw==
-  dependencies:
-    is-core-module "^2.9.0"
-    path-parse "^1.0.7"
-    supports-preserve-symlinks-flag "^1.0.0"
-
-reusify@^1.0.4:
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/reusify/-/reusify-1.0.4.tgz#90da382b1e126efc02146e90845a88db12925d76"
-  integrity sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==
-
-run-parallel@^1.1.9:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/run-parallel/-/run-parallel-1.2.0.tgz#66d1368da7bdf921eb9d95bd1a9229e7f21a43ee"
-  integrity sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==
-  dependencies:
-    queue-microtask "^1.2.2"
-
-set-blocking@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/set-blocking/-/set-blocking-2.0.0.tgz#045f9782d011ae9a6803ddd382b24392b3d890f7"
-  integrity sha1-BF+XgtARrppoA93TgrJDkrPYkPc=
-
-source-map-js@^1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/source-map-js/-/source-map-js-1.0.2.tgz#adbc361d9c62df380125e7f161f71c826f1e490c"
-  integrity sha512-R0XvVJ9WusLiqTCEiGCmICCMplcCkIwwR11mOSD9CR5u+IXYdiseeEuXCVAjS54zqwkLcPNnmU4OeJ6tUrWhDw==
-
-string-width@^4.1.0, string-width@^4.2.0:
-  version "4.2.3"
-  resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010"
-  integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==
-  dependencies:
-    emoji-regex "^8.0.0"
-    is-fullwidth-code-point "^3.0.0"
-    strip-ansi "^6.0.1"
-
-strip-ansi@^6.0.0, strip-ansi@^6.0.1:
-  version "6.0.1"
-  resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
-  integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
-  dependencies:
-    ansi-regex "^5.0.1"
-
-supports-preserve-symlinks-flag@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz#6eda4bd344a3c94aea376d4cc31bc77311039e09"
-  integrity sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==
-
-tailwindcss@^3.1.6:
-  version "3.1.6"
-  resolved "https://registry.yarnpkg.com/tailwindcss/-/tailwindcss-3.1.6.tgz#bcb719357776c39e6376a8d84e9834b2b19a49f1"
-  integrity sha512-7skAOY56erZAFQssT1xkpk+kWt2NrO45kORlxFPXUt3CiGsVPhH1smuH5XoDH6sGPXLyBv+zgCKA2HWBsgCytg==
-  dependencies:
-    arg "^5.0.2"
-    chokidar "^3.5.3"
-    color-name "^1.1.4"
-    detective "^5.2.1"
-    didyoumean "^1.2.2"
-    dlv "^1.1.3"
-    fast-glob "^3.2.11"
-    glob-parent "^6.0.2"
-    is-glob "^4.0.3"
-    lilconfig "^2.0.5"
-    normalize-path "^3.0.0"
-    object-hash "^3.0.0"
-    picocolors "^1.0.0"
-    postcss "^8.4.14"
-    postcss-import "^14.1.0"
-    postcss-js "^4.0.0"
-    postcss-load-config "^3.1.4"
-    postcss-nested "5.0.6"
-    postcss-selector-parser "^6.0.10"
-    postcss-value-parser "^4.2.0"
-    quick-lru "^5.1.1"
-    resolve "^1.22.1"
-
-to-regex-range@^5.0.1:
-  version "5.0.1"
-  resolved "https://registry.yarnpkg.com/to-regex-range/-/to-regex-range-5.0.1.tgz#1648c44aae7c8d988a326018ed72f5b4dd0392e4"
-  integrity sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==
-  dependencies:
-    is-number "^7.0.0"
-
-typescript@^4.7.4:
-  version "4.7.4"
-  resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.7.4.tgz#1a88596d1cf47d59507a1bcdfb5b9dfe4d488235"
-  integrity sha512-C0WQT0gezHuw6AdY1M2jxUO83Rjf0HP7Sk1DtXj6j1EwkQNZrHAg2XPWlq62oqEhYvONq5pkC2Y9oPljWToLmQ==
-
-util-deprecate@^1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/util-deprecate/-/util-deprecate-1.0.2.tgz#450d4dc9fa70de732762fbd2d4a28981419a0ccf"
-  integrity sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==
-
-which-module@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/which-module/-/which-module-2.0.0.tgz#d9ef07dce77b9902b8a3a8fa4b31c3e3f7e6e87a"
-  integrity sha1-2e8H3Od7mQK4o6j6SzHD4/fm6Ho=
-
-wrap-ansi@^6.2.0:
-  version "6.2.0"
-  resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-6.2.0.tgz#e9393ba07102e6c91a3b221478f0257cd2856e53"
-  integrity sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA==
-  dependencies:
-    ansi-styles "^4.0.0"
-    string-width "^4.1.0"
-    strip-ansi "^6.0.0"
-
-xtend@^4.0.2:
-  version "4.0.2"
-  resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.2.tgz#bb72779f5fa465186b1f438f674fa347fdb5db54"
-  integrity sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==
-
-xterm-addon-fit@^0.5.0:
-  version "0.5.0"
-  resolved "https://registry.yarnpkg.com/xterm-addon-fit/-/xterm-addon-fit-0.5.0.tgz#2d51b983b786a97dcd6cde805e700c7f913bc596"
-  integrity sha512-DsS9fqhXHacEmsPxBJZvfj2la30Iz9xk+UKjhQgnYNkrUIN5CYLbw7WEfz117c7+S86S/tpHPfvNxJsF5/G8wQ==
-
-xterm@^4.18.0:
-  version "4.18.0"
-  resolved "https://registry.yarnpkg.com/xterm/-/xterm-4.18.0.tgz#a1f6ab2c330c3918fb094ae5f4c2562987398ea1"
-  integrity sha512-JQoc1S0dti6SQfI0bK1AZvGnAxH4MVw45ZPFSO6FHTInAiau3Ix77fSxNx3mX4eh9OL4AYa8+4C8f5UvnSfppQ==
-
-y18n@^4.0.0:
-  version "4.0.3"
-  resolved "https://registry.yarnpkg.com/y18n/-/y18n-4.0.3.tgz#b5f259c82cd6e336921efd7bfd8bf560de9eeedf"
-  integrity sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==
-
-yaml@^1.10.2:
-  version "1.10.2"
-  resolved "https://registry.yarnpkg.com/yaml/-/yaml-1.10.2.tgz#2301c5ffbf12b467de8da2333a459e29e7920e4b"
-  integrity sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==
-
-yargs-parser@^18.1.2:
-  version "18.1.3"
-  resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-18.1.3.tgz#be68c4975c6b2abf469236b0c870362fab09a7b0"
-  integrity sha512-o50j0JeToy/4K6OZcaQmW6lyXXKhq7csREXcDwk2omFPJEwUNOVtJKvmDr9EI1fAJZUyZcRF7kxGBWmRXudrCQ==
-  dependencies:
-    camelcase "^5.0.0"
-    decamelize "^1.2.0"
-
-yargs@^15.3.1:
-  version "15.4.1"
-  resolved "https://registry.yarnpkg.com/yargs/-/yargs-15.4.1.tgz#0d87a16de01aee9d8bec2bfbf74f67851730f4f8"
-  integrity sha512-aePbxDmcYW++PaqBsJ+HYUFwCdv4LVvdnhBy78E57PIor8/OVvhMrADFFEDh8DHDFRv/O9i3lPhsENjO7QX0+A==
-  dependencies:
-    cliui "^6.0.0"
-    decamelize "^1.2.0"
-    find-up "^4.1.0"
-    get-caller-file "^2.0.1"
-    require-directory "^2.1.1"
-    require-main-filename "^2.0.0"
-    set-blocking "^2.0.0"
-    string-width "^4.2.0"
-    which-module "^2.0.0"
-    y18n "^4.0.0"
-    yargs-parser "^18.1.2"

cmd/tsshd/tsshd.go

@@ -11,4 +11,3 @@
 // Its functionality moved into tailscaled.
 //
 // See https://github.com/tailscale/tailscale/issues/3802
-package main

cmd/viewer/tests/tests.go

@@ -7,31 +7,30 @@ package tests
 
 import (
 	"fmt"
-	"net/netip"
+
+	"inet.af/netaddr"
 )
 
 //go:generate go run tailscale.com/cmd/viewer --type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices
 
 type StructWithoutPtrs struct {
 	Int int
-	Pfx netip.Prefix
+	Pfx netaddr.IPPrefix
 }
 
 type Map struct {
 	Int                 map[string]int
 	SliceInt            map[string][]int
-	StructPtrWithPtr    map[string]*StructWithPtrs
-	StructPtrWithoutPtr map[string]*StructWithoutPtrs
-	StructWithoutPtr    map[string]StructWithoutPtrs
+	StructWithPtr       map[string]*StructWithPtrs
+	StructWithoutPtr    map[string]*StructWithoutPtrs
 	SlicesWithPtrs      map[string][]*StructWithPtrs
 	SlicesWithoutPtrs   map[string][]*StructWithoutPtrs
 	StructWithoutPtrKey map[StructWithoutPtrs]int `json:"-"`
 
-	// Unsupported views.
+	// Unsupported.
 	SliceIntPtr      map[string][]*int
 	PointerKey       map[*string]int        `json:"-"`
 	StructWithPtrKey map[StructWithPtrs]int `json:"-"`
-	StructWithPtr    map[string]StructWithPtrs
 }
 
 type StructWithPtrs struct {
@@ -55,6 +54,6 @@ type StructWithSlices struct {
 	Ints           []*int
 
 	Slice    []string
-	Prefixes []netip.Prefix
+	Prefixes []netaddr.IPPrefix
 	Data     []byte
 }

cmd/viewer/tests/tests_clone.go

@@ -7,7 +7,7 @@
 package tests
 
 import (
-	"net/netip"
+	"inet.af/netaddr"
 )
 
 // Clone makes a deep copy of StructWithPtrs.
@@ -50,7 +50,7 @@ func (src *StructWithoutPtrs) Clone() *StructWithoutPtrs {
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _StructWithoutPtrsCloneNeedsRegeneration = StructWithoutPtrs(struct {
 	Int int
-	Pfx netip.Prefix
+	Pfx netaddr.IPPrefix
 }{})
 
 // Clone makes a deep copy of Map.
@@ -73,22 +73,16 @@ func (src *Map) Clone() *Map {
 			dst.SliceInt[k] = append([]int{}, src.SliceInt[k]...)
 		}
 	}
-	if dst.StructPtrWithPtr != nil {
-		dst.StructPtrWithPtr = map[string]*StructWithPtrs{}
-		for k, v := range src.StructPtrWithPtr {
-			dst.StructPtrWithPtr[k] = v.Clone()
-		}
-	}
-	if dst.StructPtrWithoutPtr != nil {
-		dst.StructPtrWithoutPtr = map[string]*StructWithoutPtrs{}
-		for k, v := range src.StructPtrWithoutPtr {
-			dst.StructPtrWithoutPtr[k] = v.Clone()
+	if dst.StructWithPtr != nil {
+		dst.StructWithPtr = map[string]*StructWithPtrs{}
+		for k, v := range src.StructWithPtr {
+			dst.StructWithPtr[k] = v.Clone()
 		}
 	}
 	if dst.StructWithoutPtr != nil {
-		dst.StructWithoutPtr = map[string]StructWithoutPtrs{}
+		dst.StructWithoutPtr = map[string]*StructWithoutPtrs{}
 		for k, v := range src.StructWithoutPtr {
-			dst.StructWithoutPtr[k] = v
+			dst.StructWithoutPtr[k] = v.Clone()
 		}
 	}
 	if dst.SlicesWithPtrs != nil {
@@ -127,13 +121,6 @@ func (src *Map) Clone() *Map {
 			dst.StructWithPtrKey[k] = v
 		}
 	}
-	if dst.StructWithPtr != nil {
-		dst.StructWithPtr = map[string]StructWithPtrs{}
-		for k, v := range src.StructWithPtr {
-			v2 := v.Clone()
-			dst.StructWithPtr[k] = *v2
-		}
-	}
 	return dst
 }
 
@@ -141,16 +128,14 @@ func (src *Map) Clone() *Map {
 var _MapCloneNeedsRegeneration = Map(struct {
 	Int                 map[string]int
 	SliceInt            map[string][]int
-	StructPtrWithPtr    map[string]*StructWithPtrs
-	StructPtrWithoutPtr map[string]*StructWithoutPtrs
-	StructWithoutPtr    map[string]StructWithoutPtrs
+	StructWithPtr       map[string]*StructWithPtrs
+	StructWithoutPtr    map[string]*StructWithoutPtrs
 	SlicesWithPtrs      map[string][]*StructWithPtrs
 	SlicesWithoutPtrs   map[string][]*StructWithoutPtrs
 	StructWithoutPtrKey map[StructWithoutPtrs]int
 	SliceIntPtr         map[string][]*int
 	PointerKey          map[*string]int
 	StructWithPtrKey    map[StructWithPtrs]int
-	StructWithPtr       map[string]StructWithPtrs
 }{})
 
 // Clone makes a deep copy of StructWithSlices.
@@ -193,6 +178,6 @@ var _StructWithSlicesCloneNeedsRegeneration = StructWithSlices(struct {
 	Structs        []StructWithPtrs
 	Ints           []*int
 	Slice          []string
-	Prefixes       []netip.Prefix
+	Prefixes       []netaddr.IPPrefix
 	Data           []byte
 }{})

cmd/viewer/tests/tests_view.go

@@ -9,9 +9,9 @@ package tests
 import (
 	"encoding/json"
 	"errors"
-	"net/netip"
 
 	"go4.org/mem"
+	"inet.af/netaddr"
 	"tailscale.com/types/views"
 )
 
@@ -134,13 +134,13 @@ func (v *StructWithoutPtrsView) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
-func (v StructWithoutPtrsView) Int() int          { return v.ж.Int }
-func (v StructWithoutPtrsView) Pfx() netip.Prefix { return v.ж.Pfx }
+func (v StructWithoutPtrsView) Int() int              { return v.ж.Int }
+func (v StructWithoutPtrsView) Pfx() netaddr.IPPrefix { return v.ж.Pfx }
 
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _StructWithoutPtrsViewNeedsRegeneration = StructWithoutPtrs(struct {
 	Int int
-	Pfx netip.Prefix
+	Pfx netaddr.IPPrefix
 }{})
 
 // View returns a readonly view of Map.
@@ -196,22 +196,18 @@ func (v MapView) SliceInt() views.MapFn[string, []int, views.Slice[int]] {
 	})
 }
 
-func (v MapView) StructPtrWithPtr() views.MapFn[string, *StructWithPtrs, StructWithPtrsView] {
-	return views.MapFnOf(v.ж.StructPtrWithPtr, func(t *StructWithPtrs) StructWithPtrsView {
+func (v MapView) StructWithPtr() views.MapFn[string, *StructWithPtrs, StructWithPtrsView] {
+	return views.MapFnOf(v.ж.StructWithPtr, func(t *StructWithPtrs) StructWithPtrsView {
 		return t.View()
 	})
 }
 
-func (v MapView) StructPtrWithoutPtr() views.MapFn[string, *StructWithoutPtrs, StructWithoutPtrsView] {
-	return views.MapFnOf(v.ж.StructPtrWithoutPtr, func(t *StructWithoutPtrs) StructWithoutPtrsView {
+func (v MapView) StructWithoutPtr() views.MapFn[string, *StructWithoutPtrs, StructWithoutPtrsView] {
+	return views.MapFnOf(v.ж.StructWithoutPtr, func(t *StructWithoutPtrs) StructWithoutPtrsView {
 		return t.View()
 	})
 }
 
-func (v MapView) StructWithoutPtr() views.Map[string, StructWithoutPtrs] {
-	return views.MapOf(v.ж.StructWithoutPtr)
-}
-
 func (v MapView) SlicesWithPtrs() views.MapFn[string, []*StructWithPtrs, views.SliceView[*StructWithPtrs, StructWithPtrsView]] {
 	return views.MapFnOf(v.ж.SlicesWithPtrs, func(t []*StructWithPtrs) views.SliceView[*StructWithPtrs, StructWithPtrsView] {
 		return views.SliceOfViews[*StructWithPtrs, StructWithPtrsView](t)
@@ -231,26 +227,18 @@ func (v MapView) SliceIntPtr() map[string][]*int           { panic("unsupported"
 func (v MapView) PointerKey() map[*string]int              { panic("unsupported") }
 func (v MapView) StructWithPtrKey() map[StructWithPtrs]int { panic("unsupported") }
 
-func (v MapView) StructWithPtr() views.MapFn[string, StructWithPtrs, StructWithPtrsView] {
-	return views.MapFnOf(v.ж.StructWithPtr, func(t StructWithPtrs) StructWithPtrsView {
-		return t.View()
-	})
-}
-
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _MapViewNeedsRegeneration = Map(struct {
 	Int                 map[string]int
 	SliceInt            map[string][]int
-	StructPtrWithPtr    map[string]*StructWithPtrs
-	StructPtrWithoutPtr map[string]*StructWithoutPtrs
-	StructWithoutPtr    map[string]StructWithoutPtrs
+	StructWithPtr       map[string]*StructWithPtrs
+	StructWithoutPtr    map[string]*StructWithoutPtrs
 	SlicesWithPtrs      map[string][]*StructWithPtrs
 	SlicesWithoutPtrs   map[string][]*StructWithoutPtrs
 	StructWithoutPtrKey map[StructWithoutPtrs]int
 	SliceIntPtr         map[string][]*int
 	PointerKey          map[*string]int
 	StructWithPtrKey    map[StructWithPtrs]int
-	StructWithPtr       map[string]StructWithPtrs
 }{})
 
 // View returns a readonly view of StructWithSlices.
@@ -323,6 +311,6 @@ var _StructWithSlicesViewNeedsRegeneration = StructWithSlices(struct {
 	Structs        []StructWithPtrs
 	Ints           []*int
 	Slice          []string
-	Prefixes       []netip.Prefix
+	Prefixes       []netaddr.IPPrefix
 	Data           []byte
 }{})

cmd/viewer/viewer.go

@@ -177,7 +177,7 @@ func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thi
 			case "byte":
 				it.Import("go4.org/mem")
 				writeTemplate("byteSliceField")
-			case "inet.af/netip.Prefix", "net/netip.Prefix":
+			case "inet.af/netaddr.IPPrefix":
 				it.Import("tailscale.com/types/views")
 				writeTemplate("ipPrefixSliceField")
 			default:
@@ -224,18 +224,6 @@ func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thi
 			mElem := m.Elem()
 			var template string
 			switch u := mElem.(type) {
-			case *types.Struct, *types.Named:
-				strucT := u
-				args.FieldType = it.QualifiedName(fieldType)
-				if codegen.ContainsPointers(strucT) {
-					args.MapFn = "t.View()"
-					template = "mapFnField"
-					args.MapValueType = it.QualifiedName(mElem)
-					args.MapValueView = args.MapValueType + "View"
-				} else {
-					template = "mapField"
-					args.MapValueType = it.QualifiedName(mElem)
-				}
 			case *types.Basic:
 				template = "mapField"
 				args.MapValueType = it.QualifiedName(mElem)
@@ -354,7 +342,8 @@ func main() {
 	it := codegen.NewImportTracker(pkg.Types)
 
 	buf := new(bytes.Buffer)
-	fmt.Fprintf(buf, "//go:generate go run tailscale.com/cmd/cloner  %s\n\n", strings.Join(flagArgs, " "))
+	fmt.Fprintf(buf, `//go:generate go run tailscale.com/cmd/cloner  %s`, strings.Join(flagArgs, " "))
+	fmt.Fprintln(buf)
 	runCloner := false
 	for _, typeName := range typeNames {
 		typ, ok := namedTypes[typeName]

control/controlclient/direct.go

@@ -16,7 +16,6 @@ import (
 	"io/ioutil"
 	"log"
 	"net/http"
-	"net/netip"
 	"net/url"
 	"os"
 	"reflect"
@@ -27,6 +26,7 @@ import (
 	"time"
 
 	"go4.org/mem"
+	"inet.af/netaddr"
 	"tailscale.com/control/controlknobs"
 	"tailscale.com/envknob"
 	"tailscale.com/health"
@@ -67,7 +67,6 @@ type Direct struct {
 	linkMon                *monitor.Mon // or nil
 	discoPubKey            key.DiscoPublic
 	getMachinePrivKey      func() (key.MachinePrivate, error)
-	getNLPublicKey         func() (key.NLPublic, error) // or nil
 	debugFlags             []string
 	keepSharerAndUserSplit bool
 	skipIPForwardingCheck  bool
@@ -109,10 +108,6 @@ type Options struct {
 	PopBrowserURL        func(url string) // optional func to open browser
 	Dialer               *tsdial.Dialer   // non-nil
 
-	// GetNLPublicKey specifies an optional function to use
-	// Network Lock. If nil, it's not used.
-	GetNLPublicKey func() (key.NLPublic, error)
-
 	// Status is called when there's a change in status.
 	Status func(Status)
 
@@ -134,7 +129,7 @@ type Options struct {
 // Pinger is the LocalBackend.Ping method.
 type Pinger interface {
 	// Ping is a request to do a ping with the peer handling the given IP.
-	Ping(ctx context.Context, ip netip.Addr, pingType tailcfg.PingType) (*ipnstate.PingResult, error)
+	Ping(ctx context.Context, ip netaddr.IP, pingType tailcfg.PingType) (*ipnstate.PingResult, error)
 }
 
 type Decompressor interface {
@@ -195,7 +190,6 @@ func NewDirect(opts Options) (*Direct, error) {
 	c := &Direct{
 		httpc:                  httpc,
 		getMachinePrivKey:      opts.GetMachinePrivateKey,
-		getNLPublicKey:         opts.GetNLPublicKey,
 		serverURL:              opts.ServerURL,
 		timeNow:                opts.TimeNow,
 		logf:                   opts.Logf,
@@ -430,14 +424,6 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		oldNodeKey = persist.OldPrivateNodeKey.Public()
 	}
 
-	var nlPub key.NLPublic
-	if c.getNLPublicKey != nil {
-		nlPub, err = c.getNLPublicKey()
-		if err != nil {
-			return false, "", fmt.Errorf("get nl key: %v", err)
-		}
-	}
-
 	if tryingNewKey.IsZero() {
 		if opt.Logout {
 			return false, "", errors.New("no nodekey to log out")
@@ -453,7 +439,6 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		Version:    1,
 		OldNodeKey: oldNodeKey,
 		NodeKey:    tryingNewKey.Public(),
-		NLKey:      nlPub,
 		Hostinfo:   hi,
 		Followup:   opt.URL,
 		Timestamp:  &now,
@@ -1182,8 +1167,8 @@ func TrimWGConfig() opt.Bool {
 // It should not return false positives.
 //
 // TODO(bradfitz): Change controlclient.Options.SkipIPForwardingCheck into a
-// func([]netip.Prefix) error signature instead.
-func ipForwardingBroken(routes []netip.Prefix, state *interfaces.State) bool {
+// func([]netaddr.IPPrefix) error signature instead.
+func ipForwardingBroken(routes []netaddr.IPPrefix, state *interfaces.State) bool {
 	warn, err := netutil.CheckIPForwarding(routes, state)
 	if err != nil {
 		// Oh well, we tried. This is just for debugging.
@@ -1423,7 +1408,7 @@ func (c *Direct) DoNoiseRequest(req *http.Request) (*http.Response, error) {
 // doPingerPing sends a Ping to pr.IP using pinger, and sends an http request back to
 // pr.URL with ping response data.
 func doPingerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger, pingType tailcfg.PingType) {
-	if pr.URL == "" || !pr.IP.IsValid() || pinger == nil {
+	if pr.URL == "" || pr.IP.IsZero() || pinger == nil {
 		logf("invalid ping request: missing url, ip or pinger")
 		return
 	}

control/controlclient/direct_test.go

@@ -8,10 +8,10 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
-	"net/netip"
 	"testing"
 	"time"
 
+	"inet.af/netaddr"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/tsdial"
@@ -86,7 +86,7 @@ func TestNewDirect(t *testing.T) {
 func fakeEndpoints(ports ...uint16) (ret []tailcfg.Endpoint) {
 	for _, port := range ports {
 		ret = append(ret, tailcfg.Endpoint{
-			Addr: netip.AddrPortFrom(netip.Addr{}, port),
+			Addr: netaddr.IPPortFrom(netaddr.IP{}, port),
 		})
 	}
 	return

control/controlclient/map.go

@@ -5,11 +5,10 @@
 package controlclient
 
 import (
-	"fmt"
 	"log"
-	"net/netip"
 	"sort"
 
+	"inet.af/netaddr"
 	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
@@ -166,6 +165,12 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 		}
 		ms.addUserProfile(peer.User)
 	}
+	if len(resp.DNS) > 0 {
+		nm.DNS.Nameservers = resp.DNS
+	}
+	if len(resp.SearchPaths) > 0 {
+		nm.DNS.Domains = resp.SearchPaths
+	}
 	if Debug.ProxyDNS {
 		nm.DNS.Proxied = true
 	}
@@ -239,7 +244,7 @@ func undeltaPeers(mapRes *tailcfg.MapResponse, prev []*tailcfg.Node) {
 		sortNodes(newFull)
 	}
 
-	if len(mapRes.PeerSeenChange) != 0 || len(mapRes.OnlineChange) != 0 || len(mapRes.PeersChangedPatch) != 0 {
+	if len(mapRes.PeerSeenChange) != 0 || len(mapRes.OnlineChange) != 0 {
 		peerByID := make(map[tailcfg.NodeID]*tailcfg.Node, len(newFull))
 		for _, n := range newFull {
 			peerByID[n.ID] = n
@@ -260,34 +265,6 @@ func undeltaPeers(mapRes *tailcfg.MapResponse, prev []*tailcfg.Node) {
 				n.Online = &online
 			}
 		}
-		for _, ec := range mapRes.PeersChangedPatch {
-			if n, ok := peerByID[ec.NodeID]; ok {
-				if ec.DERPRegion != 0 {
-					n.DERP = fmt.Sprintf("%s:%v", tailcfg.DerpMagicIP, ec.DERPRegion)
-				}
-				if ec.Endpoints != nil {
-					n.Endpoints = ec.Endpoints
-				}
-				if ec.Key != nil {
-					n.Key = *ec.Key
-				}
-				if ec.DiscoKey != nil {
-					n.DiscoKey = *ec.DiscoKey
-				}
-				if v := ec.Online; v != nil {
-					n.Online = ptrCopy(v)
-				}
-				if v := ec.LastSeen; v != nil {
-					n.LastSeen = ptrCopy(v)
-				}
-				if v := ec.KeyExpiry; v != nil {
-					n.KeyExpiry = *v
-				}
-				if v := ec.Capabilities; v != nil {
-					n.Capabilities = *v
-				}
-			}
-		}
 	}
 
 	mapRes.Peers = newFull
@@ -295,16 +272,6 @@ func undeltaPeers(mapRes *tailcfg.MapResponse, prev []*tailcfg.Node) {
 	mapRes.PeersRemoved = nil
 }
 
-// ptrCopy returns a pointer to a newly allocated shallow copy of *v.
-func ptrCopy[T any](v *T) *T {
-	if v == nil {
-		return nil
-	}
-	ret := new(T)
-	*ret = *v
-	return ret
-}
-
 func nodesSorted(v []*tailcfg.Node) bool {
 	for i, n := range v {
 		if i > 0 && n.ID <= v[i-1].ID {
@@ -331,13 +298,13 @@ func cloneNodes(v1 []*tailcfg.Node) []*tailcfg.Node {
 
 var debugSelfIPv6Only = envknob.Bool("TS_DEBUG_SELF_V6_ONLY")
 
-func filterSelfAddresses(in []netip.Prefix) (ret []netip.Prefix) {
+func filterSelfAddresses(in []netaddr.IPPrefix) (ret []netaddr.IPPrefix) {
 	switch {
 	default:
 		return in
 	case debugSelfIPv6Only:
 		for _, a := range in {
-			if a.Addr().Is6() {
+			if a.IP().Is6() {
 				ret = append(ret, a)
 			}
 		}

control/controlclient/map_test.go

@@ -12,7 +12,6 @@ import (
 	"testing"
 	"time"
 
-	"go4.org/mem"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/netmap"
@@ -35,16 +34,6 @@ func TestUndeltaPeers(t *testing.T) {
 			n.LastSeen = &t
 		}
 	}
-	withDERP := func(d string) func(*tailcfg.Node) {
-		return func(n *tailcfg.Node) {
-			n.DERP = d
-		}
-	}
-	withEP := func(ep string) func(*tailcfg.Node) {
-		return func(n *tailcfg.Node) {
-			n.Endpoints = []string{ep}
-		}
-	}
 	n := func(id tailcfg.NodeID, name string, mod ...func(*tailcfg.Node)) *tailcfg.Node {
 		n := &tailcfg.Node{ID: id, Name: name}
 		for _, f := range mod {
@@ -148,136 +137,7 @@ func TestUndeltaPeers(t *testing.T) {
 				n(2, "bar", seenAt(time.Unix(123, 0))),
 			),
 		},
-		{
-			name: "ep_change_derp",
-			prev: peers(n(1, "foo", withDERP("127.3.3.40:3"))),
-			mapRes: &tailcfg.MapResponse{
-				PeersChangedPatch: []*tailcfg.PeerChange{{
-					NodeID:     1,
-					DERPRegion: 4,
-				}},
-			},
-			want: peers(n(1, "foo", withDERP("127.3.3.40:4"))),
-		},
-		{
-			name: "ep_change_udp",
-			prev: peers(n(1, "foo", withEP("1.2.3.4:111"))),
-			mapRes: &tailcfg.MapResponse{
-				PeersChangedPatch: []*tailcfg.PeerChange{{
-					NodeID:    1,
-					Endpoints: []string{"1.2.3.4:56"},
-				}},
-			},
-			want: peers(n(1, "foo", withEP("1.2.3.4:56"))),
-		},
-		{
-			name: "ep_change_udp",
-			prev: peers(n(1, "foo", withDERP("127.3.3.40:3"), withEP("1.2.3.4:111"))),
-			mapRes: &tailcfg.MapResponse{
-				PeersChangedPatch: []*tailcfg.PeerChange{{
-					NodeID:    1,
-					Endpoints: []string{"1.2.3.4:56"},
-				}},
-			},
-			want: peers(n(1, "foo", withDERP("127.3.3.40:3"), withEP("1.2.3.4:56"))),
-		},
-		{
-			name: "ep_change_both",
-			prev: peers(n(1, "foo", withDERP("127.3.3.40:3"), withEP("1.2.3.4:111"))),
-			mapRes: &tailcfg.MapResponse{
-				PeersChangedPatch: []*tailcfg.PeerChange{{
-					NodeID:     1,
-					DERPRegion: 2,
-					Endpoints:  []string{"1.2.3.4:56"},
-				}},
-			},
-			want: peers(n(1, "foo", withDERP("127.3.3.40:2"), withEP("1.2.3.4:56"))),
-		},
-		{
-			name: "change_key",
-			prev: peers(n(1, "foo")),
-			mapRes: &tailcfg.MapResponse{
-				PeersChangedPatch: []*tailcfg.PeerChange{{
-					NodeID: 1,
-					Key:    ptrTo(key.NodePublicFromRaw32(mem.B(append(make([]byte, 31), 'A')))),
-				}},
-			}, want: peers(&tailcfg.Node{
-				ID:   1,
-				Name: "foo",
-				Key:  key.NodePublicFromRaw32(mem.B(append(make([]byte, 31), 'A'))),
-			}),
-		},
-		{
-			name: "change_disco_key",
-			prev: peers(n(1, "foo")),
-			mapRes: &tailcfg.MapResponse{
-				PeersChangedPatch: []*tailcfg.PeerChange{{
-					NodeID:   1,
-					DiscoKey: ptrTo(key.DiscoPublicFromRaw32(mem.B(append(make([]byte, 31), 'A')))),
-				}},
-			}, want: peers(&tailcfg.Node{
-				ID:       1,
-				Name:     "foo",
-				DiscoKey: key.DiscoPublicFromRaw32(mem.B(append(make([]byte, 31), 'A'))),
-			}),
-		},
-		{
-			name: "change_online",
-			prev: peers(n(1, "foo")),
-			mapRes: &tailcfg.MapResponse{
-				PeersChangedPatch: []*tailcfg.PeerChange{{
-					NodeID: 1,
-					Online: ptrTo(true),
-				}},
-			}, want: peers(&tailcfg.Node{
-				ID:     1,
-				Name:   "foo",
-				Online: ptrTo(true),
-			}),
-		},
-		{
-			name: "change_last_seen",
-			prev: peers(n(1, "foo")),
-			mapRes: &tailcfg.MapResponse{
-				PeersChangedPatch: []*tailcfg.PeerChange{{
-					NodeID:   1,
-					LastSeen: ptrTo(time.Unix(123, 0).UTC()),
-				}},
-			}, want: peers(&tailcfg.Node{
-				ID:       1,
-				Name:     "foo",
-				LastSeen: ptrTo(time.Unix(123, 0).UTC()),
-			}),
-		},
-		{
-			name: "change_key_expiry",
-			prev: peers(n(1, "foo")),
-			mapRes: &tailcfg.MapResponse{
-				PeersChangedPatch: []*tailcfg.PeerChange{{
-					NodeID:    1,
-					KeyExpiry: ptrTo(time.Unix(123, 0).UTC()),
-				}},
-			}, want: peers(&tailcfg.Node{
-				ID:        1,
-				Name:      "foo",
-				KeyExpiry: time.Unix(123, 0).UTC(),
-			}),
-		},
-		{
-			name: "change_capabilities",
-			prev: peers(n(1, "foo")),
-			mapRes: &tailcfg.MapResponse{
-				PeersChangedPatch: []*tailcfg.PeerChange{{
-					NodeID:       1,
-					Capabilities: ptrTo([]string{"foo"}),
-				}},
-			}, want: peers(&tailcfg.Node{
-				ID:           1,
-				Name:         "foo",
-				Capabilities: []string{"foo"},
-			}),
-		}}
-
+	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if !tt.curTime.IsZero() {
@@ -291,10 +151,6 @@ func TestUndeltaPeers(t *testing.T) {
 	}
 }
 
-func ptrTo[T any](v T) *T {
-	return &v
-}
-
 func formatNodes(nodes []*tailcfg.Node) string {
 	var sb strings.Builder
 	for i, n := range nodes {

control/controlknobs/controlknobs.go

@@ -7,13 +7,12 @@
 package controlknobs
 
 import (
-	"sync/atomic"
-
 	"tailscale.com/envknob"
+	"tailscale.com/syncs"
 )
 
 // disableUPnP indicates whether to attempt UPnP mapping.
-var disableUPnP atomic.Bool
+var disableUPnP syncs.AtomicBool
 
 func init() {
 	SetDisableUPnP(envknob.Bool("TS_DISABLE_UPNP"))
@@ -22,11 +21,11 @@ func init() {
 // DisableUPnP reports the last reported value from control
 // whether UPnP portmapping should be disabled.
 func DisableUPnP() bool {
-	return disableUPnP.Load()
+	return disableUPnP.Get()
 }
 
 // SetDisableUPnP sets whether control says that UPnP should be
 // disabled.
 func SetDisableUPnP(v bool) {
-	disableUPnP.Store(v)
+	disableUPnP.Set(v)
 }

derp/derp.go

@@ -40,8 +40,8 @@ const (
 )
 
 // ProtocolVersion is bumped whenever there's a wire-incompatible change.
-//   - version 1 (zero on wire): consistent box headers, in use by employee dev nodes a bit
-//   - version 2: received packets have src addrs in frameRecvPacket at beginning
+//   * version 1 (zero on wire): consistent box headers, in use by employee dev nodes a bit
+//   * version 2: received packets have src addrs in frameRecvPacket at beginning
 const ProtocolVersion = 2
 
 // frameType is the one byte frame type at the beginning of the frame

derp/derp_client.go

@@ -11,13 +11,13 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"net/netip"
 	"sync"
 	"sync/atomic"
 	"time"
 
 	"go4.org/mem"
 	"golang.org/x/time/rate"
+	"inet.af/netaddr"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 )
@@ -156,8 +156,6 @@ func (c *Client) parseServerInfo(b []byte) (*serverInfo, error) {
 }
 
 type clientInfo struct {
-	// Version is the DERP protocol version that the client was built with.
-	// See the ProtocolVersion const.
 	Version int `json:"version,omitempty"`
 
 	// MeshKey optionally specifies a pre-shared key used by
@@ -597,17 +595,17 @@ func (c *Client) setSendRateLimiter(sm ServerInfoMessage) {
 //
 // If the client is broken in some previously detectable way, it
 // returns an error.
-func (c *Client) LocalAddr() (netip.AddrPort, error) {
+func (c *Client) LocalAddr() (netaddr.IPPort, error) {
 	readErr, _ := c.readErr.Load().(error)
 	if readErr != nil {
-		return netip.AddrPort{}, readErr
+		return netaddr.IPPort{}, readErr
 	}
 	if c.nc == nil {
-		return netip.AddrPort{}, errors.New("nil conn")
+		return netaddr.IPPort{}, errors.New("nil conn")
 	}
 	a := c.nc.LocalAddr()
 	if a == nil {
-		return netip.AddrPort{}, errors.New("nil addr")
+		return netaddr.IPPort{}, errors.New("nil addr")
 	}
-	return netip.ParseAddrPort(a.String())
+	return netaddr.ParseIPPort(a.String())
 }

derp/derp_server.go

@@ -25,7 +25,6 @@ import (
 	"math/rand"
 	"net"
 	"net/http"
-	"net/netip"
 	"os/exec"
 	"runtime"
 	"strconv"
@@ -37,10 +36,12 @@ import (
 	"go4.org/mem"
 	"golang.org/x/sync/errgroup"
 	"golang.org/x/time/rate"
+	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/disco"
 	"tailscale.com/envknob"
 	"tailscale.com/metrics"
+	"tailscale.com/syncs"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/pad32"
@@ -161,8 +162,8 @@ type Server struct {
 	// src.
 	sentTo map[key.NodePublic]map[key.NodePublic]int64 // src => dst => dst's latest sclient.connNum
 
-	// maps from netip.AddrPort to a client's public key
-	keyOfAddr map[netip.AddrPort]key.NodePublic
+	// maps from netaddr.IPPort to a client's public key
+	keyOfAddr map[netaddr.IPPort]key.NodePublic
 }
 
 // clientSet represents 1 or more *sclients.
@@ -231,7 +232,7 @@ type dupClientSet struct {
 }
 
 func (s *dupClientSet) ActiveClient() *sclient {
-	if s.last != nil && !s.last.isDisabled.Load() {
+	if s.last != nil && !s.last.isDisabled.Get() {
 		return s.last
 	}
 	return nil
@@ -313,7 +314,7 @@ func NewServer(privateKey key.NodePrivate, logf logger.Logf) *Server {
 		watchers:             map[*sclient]bool{},
 		sentTo:               map[key.NodePublic]map[key.NodePublic]int64{},
 		avgQueueDuration:     new(uint64),
-		keyOfAddr:            map[netip.AddrPort]key.NodePublic{},
+		keyOfAddr:            map[netaddr.IPPort]key.NodePublic{},
 	}
 	s.initMetacert()
 	s.packetsRecvDisco = s.packetsRecvByKind.Get("disco")
@@ -409,7 +410,7 @@ func (s *Server) IsClientConnectedForTest(k key.NodePublic) bool {
 // on its own.
 //
 // Accept closes nc.
-func (s *Server) Accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, remoteAddr string) {
+func (s *Server) Accept(nc Conn, brw *bufio.ReadWriter, remoteAddr string) {
 	closed := make(chan struct{})
 
 	s.mu.Lock()
@@ -427,7 +428,7 @@ func (s *Server) Accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem
 		s.mu.Unlock()
 	}()
 
-	if err := s.accept(ctx, nc, brw, remoteAddr, connNum); err != nil && !s.isClosed() {
+	if err := s.accept(nc, brw, remoteAddr, connNum); err != nil && !s.isClosed() {
 		s.logf("derp: %s: %v", remoteAddr, err)
 	}
 }
@@ -498,8 +499,8 @@ func (s *Server) registerClient(c *sclient) {
 		s.dupClientConns.Add(2) // both old and new count
 		s.dupClientConnTotal.Add(1)
 		old := set.ActiveClient()
-		old.isDup.Store(true)
-		c.isDup.Store(true)
+		old.isDup.Set(true)
+		c.isDup.Set(true)
 		s.clients[c.key] = &dupClientSet{
 			last: c,
 			set: map[*sclient]bool{
@@ -511,7 +512,7 @@ func (s *Server) registerClient(c *sclient) {
 	case *dupClientSet:
 		s.dupClientConns.Add(1)     // the gauge
 		s.dupClientConnTotal.Add(1) // the counter
-		c.isDup.Store(true)
+		c.isDup.Set(true)
 		set.set[c] = true
 		set.last = c
 		set.sendHistory = append(set.sendHistory, c)
@@ -570,8 +571,8 @@ func (s *Server) unregisterClient(c *sclient) {
 			if remain == nil {
 				panic("unexpected nil remain from single element dup set")
 			}
-			remain.isDisabled.Store(false)
-			remain.isDup.Store(false)
+			remain.isDisabled.Set(false)
+			remain.isDup.Set(false)
 			s.clients[c.key] = singleClient{remain}
 		}
 	}
@@ -640,7 +641,7 @@ func (s *Server) addWatcher(c *sclient) {
 	go c.requestMeshUpdate()
 }
 
-func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, remoteAddr string, connNum int64) error {
+func (s *Server) accept(nc Conn, brw *bufio.ReadWriter, remoteAddr string, connNum int64) error {
 	br := brw.Reader
 	nc.SetDeadline(time.Now().Add(10 * time.Second))
 	bw := &lazyBufioWriter{w: nc, lbw: brw.Writer}
@@ -659,10 +660,10 @@ func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem
 	// At this point we trust the client so we don't time out.
 	nc.SetDeadline(time.Time{})
 
-	ctx, cancel := context.WithCancel(ctx)
+	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	remoteIPPort, _ := netip.ParseAddrPort(remoteAddr)
+	remoteIPPort, _ := netaddr.ParseIPPort(remoteAddr)
 
 	c := &sclient{
 		connNum:        connNum,
@@ -1072,11 +1073,11 @@ func (s *Server) sendServerKey(lw *lazyBufioWriter) error {
 }
 
 func (s *Server) noteClientActivity(c *sclient) {
-	if !c.isDup.Load() {
+	if !c.isDup.Get() {
 		// Fast path for clients that aren't in a dup set.
 		return
 	}
-	if c.isDisabled.Load() {
+	if c.isDisabled.Get() {
 		// If they're already disabled, no point checking more.
 		return
 	}
@@ -1111,7 +1112,7 @@ func (s *Server) noteClientActivity(c *sclient) {
 		for _, prior := range ds.sendHistory {
 			if prior == c {
 				ds.ForeachClient(func(c *sclient) {
-					c.isDisabled.Store(true)
+					c.isDisabled.Set(true)
 				})
 				break
 			}
@@ -1245,15 +1246,15 @@ type sclient struct {
 	logf           logger.Logf
 	done           <-chan struct{}     // closed when connection closes
 	remoteAddr     string              // usually ip:port from net.Conn.RemoteAddr().String()
-	remoteIPPort   netip.AddrPort      // zero if remoteAddr is not ip:port.
+	remoteIPPort   netaddr.IPPort      // zero if remoteAddr is not ip:port.
 	sendQueue      chan pkt            // packets queued to this client; never closed
 	discoSendQueue chan pkt            // important packets queued to this client; never closed
 	sendPongCh     chan [8]byte        // pong replies to send to the client; never closed
 	peerGone       chan key.NodePublic // write request that a previous sender has disconnected (not used by mesh peers)
 	meshUpdate     chan struct{}       // write request to write peerStateChange
 	canMesh        bool                // clientInfo had correct mesh token for inter-region routing
-	isDup          atomic.Bool         // whether more than 1 sclient for key is connected
-	isDisabled     atomic.Bool         // whether sends to this peer are disabled due to active/active dups
+	isDup          syncs.AtomicBool    // whether more than 1 sclient for key is connected
+	isDisabled     syncs.AtomicBool    // whether sends to this peer are disabled due to active/active dups
 
 	// replaceLimiter controls how quickly two connections with
 	// the same client key can kick each other off the server by
@@ -1758,8 +1759,8 @@ type BytesSentRecv struct {
 
 // parseSSOutput parses the output from the specific call to ss in ServeDebugTraffic.
 // Separated out for ease of testing.
-func parseSSOutput(raw string) map[netip.AddrPort]BytesSentRecv {
-	newState := map[netip.AddrPort]BytesSentRecv{}
+func parseSSOutput(raw string) map[netaddr.IPPort]BytesSentRecv {
+	newState := map[netaddr.IPPort]BytesSentRecv{}
 	// parse every 2 lines and get src and dst ips, and kv pairs
 	lines := strings.Split(raw, "\n")
 	for i := 0; i < len(lines); i += 2 {
@@ -1767,7 +1768,7 @@ func parseSSOutput(raw string) map[netip.AddrPort]BytesSentRecv {
 		if len(ipInfo) < 5 {
 			continue
 		}
-		src, err := netip.ParseAddrPort(ipInfo[4])
+		src, err := netaddr.ParseIPPort(ipInfo[4])
 		if err != nil {
 			continue
 		}
@@ -1792,7 +1793,7 @@ func parseSSOutput(raw string) map[netip.AddrPort]BytesSentRecv {
 }
 
 func (s *Server) ServeDebugTraffic(w http.ResponseWriter, r *http.Request) {
-	prevState := map[netip.AddrPort]BytesSentRecv{}
+	prevState := map[netaddr.IPPort]BytesSentRecv{}
 	enc := json.NewEncoder(w)
 	for r.Context().Err() == nil {
 		output, err := exec.Command("ss", "-i", "-H", "-t").Output()

derp/derp_test.go

@@ -85,12 +85,8 @@ func TestSendRecv(t *testing.T) {
 			t.Fatal(err)
 		}
 		defer cin.Close()
-
-		ctx, cancel := context.WithCancel(context.Background())
-		defer cancel()
-
 		brwServer := bufio.NewReadWriter(bufio.NewReader(cin), bufio.NewWriter(cin))
-		go s.Accept(ctx, cin, brwServer, fmt.Sprintf("test-client-%d", i))
+		go s.Accept(cin, brwServer, fmt.Sprintf("test-client-%d", i))
 
 		key := clientPrivateKeys[i]
 		brw := bufio.NewReadWriter(bufio.NewReader(cout), bufio.NewWriter(cout))
@@ -235,10 +231,10 @@ func TestSendFreeze(t *testing.T) {
 	// Then cathy stops processing messsages.
 	// That should not interfere with alice talking to bob.
 
-	newClient := func(ctx context.Context, name string, k key.NodePrivate) (c *Client, clientConn nettest.Conn) {
+	newClient := func(name string, k key.NodePrivate) (c *Client, clientConn nettest.Conn) {
 		t.Helper()
 		c1, c2 := nettest.NewConn(name, 1024)
-		go s.Accept(ctx, c1, bufio.NewReadWriter(bufio.NewReader(c1), bufio.NewWriter(c1)), name)
+		go s.Accept(c1, bufio.NewReadWriter(bufio.NewReader(c1), bufio.NewWriter(c1)), name)
 
 		brw := bufio.NewReadWriter(bufio.NewReader(c2), bufio.NewWriter(c2))
 		c, err := NewClient(k, c2, brw, t.Logf)
@@ -249,17 +245,14 @@ func TestSendFreeze(t *testing.T) {
 		return c, c2
 	}
 
-	ctx, clientCtxCancel := context.WithCancel(context.Background())
-	defer clientCtxCancel()
-
 	aliceKey := key.NewNode()
-	aliceClient, aliceConn := newClient(ctx, "alice", aliceKey)
+	aliceClient, aliceConn := newClient("alice", aliceKey)
 
 	bobKey := key.NewNode()
-	bobClient, bobConn := newClient(ctx, "bob", bobKey)
+	bobClient, bobConn := newClient("bob", bobKey)
 
 	cathyKey := key.NewNode()
-	cathyClient, cathyConn := newClient(ctx, "cathy", cathyKey)
+	cathyClient, cathyConn := newClient("cathy", cathyKey)
 
 	var (
 		aliceCh = make(chan struct{}, 32)
@@ -462,7 +455,7 @@ func (ts *testServer) close(t *testing.T) error {
 	return nil
 }
 
-func newTestServer(t *testing.T, ctx context.Context) *testServer {
+func newTestServer(t *testing.T) *testServer {
 	t.Helper()
 	logf := logger.WithPrefix(t.Logf, "derp-server: ")
 	s := NewServer(key.NewNode(), logf)
@@ -482,7 +475,7 @@ func newTestServer(t *testing.T, ctx context.Context) *testServer {
 			// TODO: register c in ts so Close also closes it?
 			go func(i int) {
 				brwServer := bufio.NewReadWriter(bufio.NewReader(c), bufio.NewWriter(c))
-				go s.Accept(ctx, c, brwServer, fmt.Sprintf("test-client-%d", i))
+				go s.Accept(c, brwServer, fmt.Sprintf("test-client-%d", i))
 			}(i)
 		}
 	}()
@@ -617,10 +610,7 @@ func (c *testClient) close(t *testing.T) {
 // TestWatch tests the connection watcher mechanism used by regional
 // DERP nodes to mesh up with each other.
 func TestWatch(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	ts := newTestServer(t, ctx)
+	ts := newTestServer(t)
 	defer ts.close(t)
 
 	w1 := newTestWatcher(t, ts, "w1")
@@ -1208,10 +1198,7 @@ func benchmarkSendRecvSize(b *testing.B, packetSize int) {
 	defer connIn.Close()
 
 	brwServer := bufio.NewReadWriter(bufio.NewReader(connIn), bufio.NewWriter(connIn))
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	go s.Accept(ctx, connIn, brwServer, "test-client")
+	go s.Accept(connIn, brwServer, "test-client")
 
 	brw := bufio.NewReadWriter(bufio.NewReader(connOut), bufio.NewWriter(connOut))
 	client, err := NewClient(k, connOut, brw, logger.Discard)
@@ -1367,10 +1354,7 @@ func TestClientSendRateLimiting(t *testing.T) {
 }
 
 func TestServerRepliesToPing(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	ts := newTestServer(t, ctx)
+	ts := newTestServer(t)
 	defer ts.close(t)
 
 	tc := newRegularClient(t, ts, "alice")