portlist: move sync.Once up and Close on err

Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
portlist: remove NewPoller constructor
2023-05-25 09:03:28 -04:00 · 2023-05-24 18:17:29 -04:00
131 changed files with 752 additions and 4373 deletions
--- a/.github/workflows/docker-file-build.yml
+++ b/.github/workflows/docker-file-build.yml
@@ -1,15 +0,0 @@
-name: "Dockerfile build"
-on: 
-  push:
-    branches:
-    - main
-  pull_request:
-    branches:
-      - "*"
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - name: "Build Docker image"
-      run: docker build .
--- a/.github/workflows/go-licenses.yml
+++ b/.github/workflows/go-licenses.yml
@@ -50,7 +50,7 @@ jobs:
          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}

      - name: Send pull request
-        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
+        uses: peter-evans/create-pull-request@5b4a9f6a9e2af26e5f02351490b90d01eb8ec1e5 #v5.0.0
        with:
          token: ${{ steps.generate-token.outputs.token }}
          author: License Updater <noreply+license-updater@tailscale.com>
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -32,7 +32,7 @@ jobs:

      - name: golangci-lint
        # Note: this is the 'v3' tag as of 2023-04-17
-        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299
+        uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5
        with:
          version: v1.52.2

--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -35,7 +35,7 @@ jobs:
          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}

      - name: Send pull request
-        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
+        uses: peter-evans/create-pull-request@5b4a9f6a9e2af26e5f02351490b90d01eb8ec1e5 #v5.0.0
        with:
          token: ${{ steps.generate-token.outputs.token }}
          author: Flakes Updater <noreply+flakes-updater@tailscale.com>
--- a/5
+++ b/5
@@ -47,7 +47,8 @@ RUN go install \
    golang.org/x/crypto/ssh \
    golang.org/x/crypto/acme \
    nhooyr.io/websocket \
-    github.com/mdlayher/netlink
+    github.com/mdlayher/netlink \
+    golang.zx2c4.com/wireguard/device

 COPY . .

@@ -72,4 +73,4 @@ RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
 COPY --from=build-env /go/bin/* /usr/local/bin/
 # For compat with the previous run.sh, although ideally you should be
 # using build_docker.sh which sets an entrypoint for the image.
-RUN mkdir /tailscale && ln -s /usr/local/bin/containerboot /tailscale/run.sh
+RUN ln -s /usr/local/bin/containerboot /tailscale/run.sh
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -2,4 +2,4 @@
 # SPDX-License-Identifier: BSD-3-Clause

 FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables iputils
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
--- a/5
+++ b/5
@@ -48,10 +48,11 @@ staticcheck: ## Run staticcheck.io checks
 	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)

 spk: ## Build synology package for ${SYNO_ARCH} architecture and ${SYNO_DSM} DSM version
-	./tool/go run ./cmd/dist build synology/dsm${SYNO_DSM}/${SYNO_ARCH}
+	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o tailscale.spk --source=. --goarch=${SYNO_ARCH} --dsm-version=${SYNO_DSM}

 spkall: ## Build synology packages for all architectures and DSM versions
-	./tool/go run ./cmd/dist build synology
+	mkdir -p spks
+	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o spks --source=. --goarch=all --dsm-version=all

 pushspk: spk ## Push and install synology package on ${SYNO_HOST} host
 	echo "Pushing SPK to root@${SYNO_HOST} (env var SYNO_HOST) ..."
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.45.0
+1.43.0
--- a/api.md
+++ b/api.md
@@ -1222,11 +1222,6 @@ The remaining three methods operate on auth keys and API access tokens.

  // expirySeconds (int) is the duration in seconds a new key is valid.
  "expirySeconds": 86400
-
-  // description (string) is an optional short phrase that describes what
-  // this key is used for. It can be a maximum of 50 alphanumeric characters.
-  // Hyphens and underscores are also allowed.
-  "description": "short description of key purpose"
 }
 ```

@@ -1313,9 +1308,6 @@ Note the following about required vs. optional values:
  Specifies the duration in seconds until the key should expire.
  Defaults to 90 days if not supplied.

- **`description`:** Optional in `POST` body.
-  A short string specifying the purpose of the key. Can be a maximum of 50 alphanumeric characters. Hyphens and spaces are also allowed.
-
 ### Request example

 ``` jsonc
@@ -1333,8 +1325,7 @@ curl "https://api.tailscale.com/api/v2/tailnet/example.com/keys" \
      }
    }
  },
-  "expirySeconds": 86400,
-  "description": "dev access"
+  "expirySeconds": 86400
 }'
 ```

@@ -1360,8 +1351,7 @@ It holds the capabilities specified in the request and can no longer be retrieve
        "tags": [ "tag:example" ]
      }
    }
-  },
-  "description": "dev access"
+  }
 }
 ```

@@ -1413,8 +1403,7 @@ The response is a JSON object with information about the key supplied.
        ]
      }
    }
-  },
-  "description": "dev access"
+  }
 }
 ```

--- a/build_dist.sh
+++ b/build_dist.sh
@@ -49,4 +49,4 @@ while [ "$#" -gt 1 ]; do
 	esac
 done

-exec $go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"
+exec ./tool/go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"
--- a/client/tailscale/devices.go
+++ b/client/tailscale/devices.go
@@ -12,6 +12,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"

 	"tailscale.com/types/opt"
 )
@@ -212,20 +213,8 @@ func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error)

 // AuthorizeDevice marks a device as authorized.
 func (c *Client) AuthorizeDevice(ctx context.Context, deviceID string) error {
-	return c.SetAuthorized(ctx, deviceID, true)
-}
-
-// SetAuthorized marks a device as authorized or not.
-func (c *Client) SetAuthorized(ctx context.Context, deviceID string, authorized bool) error {
-	params := &struct {
-		Authorized bool `json:"authorized"`
-	}{Authorized: authorized}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return err
-	}
 	path := fmt.Sprintf("%s/api/v2/device/%s/authorized", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
+	req, err := http.NewRequestWithContext(ctx, "POST", path, strings.NewReader(`{"authorized":true}`))
 	if err != nil {
 		return err
 	}
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -125,7 +125,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   W    tailscale.com/util/clientmetric                              from tailscale.com/net/tshttpproxy
        tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
-        tailscale.com/util/cmpx                                      from tailscale.com/cmd/derper+
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
@@ -180,7 +179,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        bytes                                                        from bufio+
        compress/flate                                               from compress/gzip+
        compress/gzip                                                from internal/profile+
-   L    compress/zlib                                                from debug/elf
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdsa+
@@ -204,8 +202,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        crypto/tls                                                   from golang.org/x/crypto/acme+
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
-   L    debug/dwarf                                                  from debug/elf
-   L    debug/elf                                                    from golang.org/x/sys/unix
        embed                                                        from crypto/internal/nistec+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
@@ -221,7 +217,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        fmt                                                          from compress/flate+
        go/token                                                     from google.golang.org/protobuf/internal/strs
        hash                                                         from crypto+
-   L    hash/adler32                                                 from compress/zlib
        hash/crc32                                                   from compress/gzip+
        hash/fnv                                                     from google.golang.org/protobuf/internal/detrand
        hash/maphash                                                 from go4.org/mem
@@ -230,7 +225,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        io/fs                                                        from crypto/x509+
        io/ioutil                                                    from github.com/mitchellh/go-ps+
        log                                                          from expvar+
-        log/internal                                                 from log
        math                                                         from compress/flate+
        math/big                                                     from crypto/dsa+
        math/bits                                                    from compress/flate+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -33,7 +33,6 @@ import (
 	"tailscale.com/net/stun"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
-	"tailscale.com/util/cmpx"
 )

 var (
@@ -437,7 +436,11 @@ func defaultMeshPSKFile() string {
 }

 func rateLimitedListenAndServeTLS(srv *http.Server) error {
-	ln, err := net.Listen("tcp", cmpx.Or(srv.Addr, ":https"))
+	addr := srv.Addr
+	if addr == "" {
+		addr = ":https"
+	}
+	ln, err := net.Listen("tcp", addr)
 	if err != nil {
 		return err
 	}
--- a/cmd/dist/dist.go
+++ b/cmd/dist/dist.go
@@ -13,38 +13,15 @@ import (

 	"tailscale.com/release/dist"
 	"tailscale.com/release/dist/cli"
-	"tailscale.com/release/dist/synology"
 	"tailscale.com/release/dist/unixpkgs"
 )

-var synologyPackageCenter bool
-
 func getTargets() ([]dist.Target, error) {
-	var ret []dist.Target
-
-	ret = append(ret, unixpkgs.Targets()...)
-	// Synology packages can be built either for sideloading, or for
-	// distribution by Synology in their package center. When
-	// distributed through the package center, apps can request
-	// additional permissions to use a tuntap interface and control
-	// the NAS's network stack, rather than be forced to run in
-	// userspace mode.
-	//
-	// Since only we can provide packages to Synology for
-	// distribution, we default to building the "sideload" variant of
-	// packages that we distribute on pkgs.tailscale.com.
-	ret = append(ret, synology.Targets(synologyPackageCenter)...)
-	return ret, nil
+	return unixpkgs.Targets(), nil
 }

 func main() {
 	cmd := cli.CLI(getTargets)
-	for _, subcmd := range cmd.Subcommands {
-		if subcmd.Name == "build" {
-			subcmd.FlagSet.BoolVar(&synologyPackageCenter, "synology-package-center", false, "build synology packages with extra metadata for the official package center")
-		}
-	}
-
 	if err := cmd.ParseAndRun(context.Background(), os.Args[1:]); err != nil && !errors.Is(err, flag.ErrHelp) {
 		log.Fatal(err)
 	}
--- a/cmd/get-authkey/main.go
+++ b/cmd/get-authkey/main.go
@@ -16,7 +16,6 @@ import (

 	"golang.org/x/oauth2/clientcredentials"
 	"tailscale.com/client/tailscale"
-	"tailscale.com/util/cmpx"
 )

 func main() {
@@ -40,7 +39,10 @@ func main() {
 		log.Fatal("at least one tag must be specified")
 	}

-	baseURL := cmpx.Or(os.Getenv("TS_BASE_URL"), "https://api.tailscale.com")
+	baseURL := os.Getenv("TS_BASE_URL")
+	if baseURL == "" {
+		baseURL = "https://api.tailscale.com"
+	}

 	credentials := clientcredentials.Config{
 		ClientID:     clientID,
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -25,6 +25,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/transport"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -37,6 +38,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
 	"sigs.k8s.io/yaml"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/hostinfo"
@@ -183,17 +185,17 @@ waitOnline:
 	// the cache that sits a few layers below the builder stuff, which will
 	// implicitly filter what parts of the world the builder code gets to see at
 	// all.
-	nsFilter := cache.ByObject{
-		Field: client.InNamespace(tsNamespace).AsSelector(),
+	nsFilter := cache.ObjectSelector{
+		Field: fields.SelectorFromSet(fields.Set{"metadata.namespace": tsNamespace}),
 	}
 	restConfig := config.GetConfigOrDie()
 	mgr, err := manager.New(restConfig, manager.Options{
-		Cache: cache.Options{
-			ByObject: map[client.Object]cache.ByObject{
+		NewCache: cache.BuilderWithOptions(cache.Options{
+			SelectorsByObject: map[client.Object]cache.ObjectSelector{
 				&corev1.Secret{}:      nsFilter,
 				&appsv1.StatefulSet{}: nsFilter,
 			},
-		},
+		}),
 	})
 	if err != nil {
 		startlog.Fatalf("could not create manager: %v", err)
@@ -209,7 +211,7 @@ waitOnline:
 		logger:                 zlog.Named("service-reconciler"),
 	}

-	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(_ context.Context, o client.Object) []reconcile.Request {
+	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(o client.Object) []reconcile.Request {
 		ls := o.GetLabels()
 		if ls[LabelManaged] != "true" {
 			return nil
@@ -229,8 +231,8 @@ waitOnline:
 	err = builder.
 		ControllerManagedBy(mgr).
 		For(&corev1.Service{}).
-		Watches(&appsv1.StatefulSet{}, reconcileFilter).
-		Watches(&corev1.Secret{}, reconcileFilter).
+		Watches(&source.Kind{Type: &appsv1.StatefulSet{}}, reconcileFilter).
+		Watches(&source.Kind{Type: &corev1.Secret{}}, reconcileFilter).
 		Complete(sr)
 	if err != nil {
 		startlog.Fatalf("could not create controller: %v", err)
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@@ -110,8 +110,6 @@ func TestLoadBalancerClass(t *testing.T) {
 	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
 		s.Spec.Type = corev1.ServiceTypeClusterIP
 		s.Spec.LoadBalancerClass = nil
-	})
-	mustUpdateStatus(t, fc, "default", "test", func(s *corev1.Service) {
 		// Fake client doesn't automatically delete the LoadBalancer status when
 		// changing away from the LoadBalancer type, we have to do
 		// controller-manager's work by hand.
@@ -449,8 +447,6 @@ func TestLBIntoAnnotation(t *testing.T) {
 		}
 		s.Spec.Type = corev1.ServiceTypeClusterIP
 		s.Spec.LoadBalancerClass = nil
-	})
-	mustUpdateStatus(t, fc, "default", "test", func(s *corev1.Service) {
 		// Fake client doesn't automatically delete the LoadBalancer status when
 		// changing away from the LoadBalancer type, we have to do
 		// controller-manager's work by hand.
@@ -781,21 +777,6 @@ func mustUpdate[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, n
 	}
 }

-func mustUpdateStatus[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
-	t.Helper()
-	obj := O(new(T))
-	if err := client.Get(context.Background(), types.NamespacedName{
-		Name:      name,
-		Namespace: ns,
-	}, obj); err != nil {
-		t.Fatalf("getting %q: %v", name, err)
-	}
-	update(obj)
-	if err := client.Status().Update(context.Background(), obj); err != nil {
-		t.Fatalf("updating %q: %v", name, err)
-	}
-}
-
 func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O) {
 	t.Helper()
 	got := O(new(T))
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -22,7 +22,6 @@ import (
 	"tailscale.com/tstest"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/version/distro"
 )

@@ -720,7 +719,10 @@ func TestPrefsFromUpArgs(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var warnBuf tstest.MemLogger
-			goos := cmpx.Or(tt.goos, "linux")
+			goos := tt.goos
+			if goos == "" {
+				goos = "linux"
+			}
 			st := tt.st
 			if st == nil {
 				st = new(ipnstate.Status)
--- a/cmd/tailscale/cli/funnel.go
+++ b/cmd/tailscale/cli/funnel.go
@@ -30,10 +30,10 @@ func newFunnelCommand(e *serveEnv) *ffcli.Command {
 	return &ffcli.Command{
 		Name:      "funnel",
 		ShortHelp: "Turn on/off Funnel service",
-		ShortUsage: strings.Join([]string{
-			"funnel <serve-port> {on|off}",
-			"funnel status [--json]",
-		}, "\n  "),
+		ShortUsage: strings.TrimSpace(`
+funnel <serve-port> {on|off}
+  funnel status [--json]
+`),
 		LongHelp: strings.Join([]string{
 			"Funnel allows you to publish a 'tailscale serve'",
 			"server publicly, open to the entire internet.",
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@@ -51,7 +51,7 @@ relay node.
 		fs.BoolVar(&pingArgs.tsmp, "tsmp", false, "do a TSMP-level ping (through WireGuard, but not either host OS stack)")
 		fs.BoolVar(&pingArgs.icmp, "icmp", false, "do a ICMP-level ping (through WireGuard, but not the local host OS stack)")
 		fs.BoolVar(&pingArgs.peerAPI, "peerapi", false, "try hitting the peer's peerapi HTTP server")
-		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send. 0 for infinity.")
+		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send")
 		fs.DurationVar(&pingArgs.timeout, "timeout", 5*time.Second, "timeout before giving up on a ping")
 		return fs
 	})(),
--- a/cmd/tailscale/cli/serve.go
+++ b/cmd/tailscale/cli/serve.go
@@ -35,14 +35,13 @@ func newServeCommand(e *serveEnv) *ffcli.Command {
 	return &ffcli.Command{
 		Name:      "serve",
 		ShortHelp: "Serve content and local servers",
-		ShortUsage: strings.Join([]string{
-			"serve http:<port> <mount-point> <source> [off]",
-			"serve https:<port> <mount-point> <source> [off]",
-			"serve tcp:<port> tcp://localhost:<local-port> [off]",
-			"serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]",
-			"serve status [--json]",
-			"serve reset",
-		}, "\n  "),
+		ShortUsage: strings.TrimSpace(`
+serve https:<port> <mount-point> <source> [off]
+  serve tcp:<port> tcp://localhost:<local-port> [off]
+  serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]
+  serve status [--json]
+  serve reset
+`),
 		LongHelp: strings.TrimSpace(`
 *** BETA; all of this is subject to change ***

@@ -59,8 +58,8 @@ EXAMPLES
  - To proxy requests to a web server at 127.0.0.1:3000:
    $ tailscale serve https:443 / http://127.0.0.1:3000

-    Or, using the default port (443):
-    $ tailscale serve https / http://127.0.0.1:3000
+	Or, using the default port:
+	$ tailscale serve https / http://127.0.0.1:3000

  - To serve a single file or a directory of files:
    $ tailscale serve https / /home/alice/blog/index.html
@@ -69,12 +68,6 @@ EXAMPLES
  - To serve simple static text:
    $ tailscale serve https:8080 / text:"Hello, world!"

-  - To serve over HTTP (tailnet only):
-    $ tailscale serve http:80 / http://127.0.0.1:3000
-
-    Or, using the default port (80):
-    $ tailscale serve http / http://127.0.0.1:3000
-
  - To forward incoming TCP connections on port 2222 to a local TCP server on
    port 22 (e.g. to run OpenSSH in parallel with Tailscale SSH):
    $ tailscale serve tcp:2222 tcp://localhost:22
@@ -182,7 +175,6 @@ func (e *serveEnv) getLocalClientStatus(ctx context.Context) (*ipnstate.Status,
 // serve config types like proxy, path, and text.
 //
 // Examples:
-// - tailscale serve http / http://localhost:3000
 // - tailscale serve https / http://localhost:3000
 // - tailscale serve https /images/ /var/www/images/
 // - tailscale serve https:10000 /motd.txt text:"Hello, world!"
@@ -207,14 +199,19 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		return e.lc.SetServeConfig(ctx, sc)
 	}

+	parsePort := func(portStr string) (uint16, error) {
+		port64, err := strconv.ParseUint(portStr, 10, 16)
+		if err != nil {
+			return 0, err
+		}
+		return uint16(port64), nil
+	}
+
 	srcType, srcPortStr, found := strings.Cut(args[0], ":")
 	if !found {
 		if srcType == "https" && srcPortStr == "" {
 			// Default https port to 443.
 			srcPortStr = "443"
-		} else if srcType == "http" && srcPortStr == "" {
-			// Default http port to 80.
-			srcPortStr = "80"
 		} else {
 			return flag.ErrHelp
 		}
@@ -222,18 +219,18 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {

 	turnOff := "off" == args[len(args)-1]

-	if len(args) < 2 || ((srcType == "https" || srcType == "http") && !turnOff && len(args) < 3) {
+	if len(args) < 2 || (srcType == "https" && !turnOff && len(args) < 3) {
 		fmt.Fprintf(os.Stderr, "error: invalid number of arguments\n\n")
 		return flag.ErrHelp
 	}

-	srcPort, err := parseServePort(srcPortStr)
+	srcPort, err := parsePort(srcPortStr)
 	if err != nil {
-		return fmt.Errorf("invalid port %q: %w", srcPortStr, err)
+		return err
 	}

 	switch srcType {
-	case "https", "http":
+	case "https":
 		mount, err := cleanMountPoint(args[1])
 		if err != nil {
 			return err
@@ -241,8 +238,7 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		if turnOff {
 			return e.handleWebServeRemove(ctx, srcPort, mount)
 		}
-		useTLS := srcType == "https"
-		return e.handleWebServe(ctx, srcPort, useTLS, mount, args[2])
+		return e.handleWebServe(ctx, srcPort, mount, args[2])
 	case "tcp", "tls-terminated-tcp":
 		if turnOff {
 			return e.handleTCPServeRemove(ctx, srcPort)
@@ -250,20 +246,20 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		return e.handleTCPServe(ctx, srcType, srcPort, args[1])
 	default:
 		fmt.Fprintf(os.Stderr, "error: invalid serve type %q\n", srcType)
-		fmt.Fprint(os.Stderr, "must be one of: http:<port>, https:<port>, tcp:<port> or tls-terminated-tcp:<port>\n\n", srcType)
+		fmt.Fprint(os.Stderr, "must be one of: https:<port>, tcp:<port> or tls-terminated-tcp:<port>\n\n", srcType)
 		return flag.ErrHelp
 	}
 }

-// handleWebServe handles the "tailscale serve (http/https):..." subcommand. It
-// configures the serve config to forward HTTPS connections to the given source.
+// handleWebServe handles the "tailscale serve https:..." subcommand.
+// It configures the serve config to forward HTTPS connections to the
+// given source.
 //
 // Examples:
-//   - tailscale serve http / http://localhost:3000
 //   - tailscale serve https / http://localhost:3000
 //   - tailscale serve https:8443 /files/ /home/alice/shared-files/
 //   - tailscale serve https:10000 /motd.txt text:"Hello, world!"
-func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, useTLS bool, mount, source string) error {
+func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, mount, source string) error {
 	h := new(ipn.HTTPHandler)

 	ts, _, _ := strings.Cut(source, ":")
@@ -322,7 +318,7 @@ func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, useTLS bo
 		return flag.ErrHelp
 	}

-	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{HTTPS: useTLS, HTTP: !useTLS})
+	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{HTTPS: true})

 	if _, ok := sc.Web[hp]; !ok {
 		mak.Set(&sc.Web, hp, new(ipn.WebServerConfig))
@@ -630,10 +626,7 @@ func (e *serveEnv) runServeStatus(ctx context.Context, args []string) error {
 		printf("\n")
 	}
 	for hp := range sc.Web {
-		err := e.printWebStatusTree(sc, hp)
-		if err != nil {
-			return err
-		}
+		printWebStatusTree(sc, hp)
 		printf("\n")
 	}
 	printFunnelWarning(sc)
@@ -672,37 +665,20 @@ func printTCPStatusTree(ctx context.Context, sc *ipn.ServeConfig, st *ipnstate.S
 	return nil
 }

-func (e *serveEnv) printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) error {
-	// No-op if no serve config
+func printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) {
 	if sc == nil {
-		return nil
+		return
 	}
 	fStatus := "tailnet only"
 	if sc.AllowFunnel[hp] {
 		fStatus = "Funnel on"
 	}
 	host, portStr, _ := net.SplitHostPort(string(hp))
-
-	port, err := parseServePort(portStr)
-	if err != nil {
-		return fmt.Errorf("invalid port %q: %w", portStr, err)
+	if portStr == "443" {
+		printf("https://%s (%s)\n", host, fStatus)
+	} else {
+		printf("https://%s:%s (%s)\n", host, portStr, fStatus)
 	}
-
-	scheme := "https"
-	if sc.IsServingHTTP(port) {
-		scheme = "http"
-	}
-
-	portPart := ":" + portStr
-	if scheme == "http" && portStr == "80" ||
-		scheme == "https" && portStr == "443" {
-		portPart = ""
-	}
-	if scheme == "http" {
-		hostname, _, _ := strings.Cut("host", ".")
-		printf("%s://%s%s (%s)\n", scheme, hostname, portPart, fStatus)
-	}
-	printf("%s://%s%s (%s)\n", scheme, host, portPart, fStatus)
 	srvTypeAndDesc := func(h *ipn.HTTPHandler) (string, string) {
 		switch {
 		case h.Path != "":
@@ -729,8 +705,6 @@ func (e *serveEnv) printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) erro
 		t, d := srvTypeAndDesc(h)
 		printf("%s %s%s %-5s %s\n", "|--", m, strings.Repeat(" ", maxLen-len(m)), t, d)
 	}
-
-	return nil
 }

 func elipticallyTruncate(s string, max int) string {
@@ -751,16 +725,3 @@ func (e *serveEnv) runServeReset(ctx context.Context, args []string) error {
 	sc := new(ipn.ServeConfig)
 	return e.lc.SetServeConfig(ctx, sc)
 }
-
-// parseServePort parses a port number from a string and returns it as a
-// uint16. It returns an error if the port number is invalid or zero.
-func parseServePort(s string) (uint16, error) {
-	p, err := strconv.ParseUint(s, 10, 16)
-	if err != nil {
-		return 0, err
-	}
-	if p == 0 {
-		return 0, errors.New("port number must be non-zero")
-	}
-	return uint16(p), nil
-}
--- a/cmd/tailscale/cli/serve_test.go
+++ b/cmd/tailscale/cli/serve_test.go
@@ -89,59 +89,6 @@ func TestServeConfigMutations(t *testing.T) {
 		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
 	})

-	// https
-	add(step{reset: true})
-	add(step{ // allow omitting port (default to 80)
-		command: cmd("http / http://localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{ // support non Funnel port
-		command: cmd("http:9999 /abc http://localhost:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}, 9999: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:9999": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("http:9999 /abc off"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("http:8080 /abc http://127.0.0.1:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}, 8080: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8080": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-
 	// https
 	add(step{reset: true})
 	add(step{
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -29,7 +29,6 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/util/groupmember"
 	"tailscale.com/version/distro"
 )
@@ -156,7 +155,10 @@ func runWeb(ctx context.Context, args []string) error {
 // urlOfListenAddr parses a given listen address into a formatted URL
 func urlOfListenAddr(addr string) string {
 	host, port, _ := net.SplitHostPort(addr)
-	return fmt.Sprintf("http://%s", net.JoinHostPort(cmpx.Or(host, "127.0.0.1"), port))
+	if host == "" {
+		host = "127.0.0.1"
+	}
+	return fmt.Sprintf("http://%s", net.JoinHostPort(host, port))
 }

 // authorize returns the name of the user accessing the web UI after verifying
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -114,7 +114,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/util/clientmetric                              from tailscale.com/net/netcheck+
        tailscale.com/util/cloudenv                                  from tailscale.com/net/dnscache+
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
-        tailscale.com/util/cmpx                                      from tailscale.com/cmd/tailscale/cli+
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
@@ -177,7 +176,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        bytes                                                        from bufio+
        compress/flate                                               from compress/gzip+
        compress/gzip                                                from net/http
-        compress/zlib                                                from image/png+
+        compress/zlib                                                from image/png
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdsa+
@@ -202,8 +201,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
        database/sql/driver                                          from github.com/google/uuid
-   L    debug/dwarf                                                  from debug/elf
-   L    debug/elf                                                    from golang.org/x/sys/unix
        embed                                                        from tailscale.com/cmd/tailscale/cli+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
@@ -231,7 +228,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        io/fs                                                        from crypto/x509+
        io/ioutil                                                    from golang.org/x/sys/cpu+
        log                                                          from expvar+
-        log/internal                                                 from log
        math                                                         from compress/flate+
        math/big                                                     from crypto/dsa+
        math/bits                                                    from compress/flate+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -308,7 +308,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/clientmetric                              from tailscale.com/control/controlclient+
        tailscale.com/util/cloudenv                                  from tailscale.com/net/dns/resolver+
  LW    tailscale.com/util/cmpver                                    from tailscale.com/net/dns+
-        tailscale.com/util/cmpx                                      from tailscale.com/derp/derphttp+
     💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics+
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
@@ -398,7 +397,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        bytes                                                        from bufio+
        compress/flate                                               from compress/gzip+
        compress/gzip                                                from golang.org/x/net/http2+
-   L    compress/zlib                                                from debug/elf
        container/heap                                               from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
@@ -423,8 +421,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
-   L    debug/dwarf                                                  from debug/elf
-   L    debug/elf                                                    from golang.org/x/sys/unix
        embed                                                        from tailscale.com+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
@@ -440,7 +436,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        flag                                                         from net/http/httptest+
        fmt                                                          from compress/flate+
        hash                                                         from crypto+
-        hash/adler32                                                 from tailscale.com/ipn/ipnlocal+
+        hash/adler32                                                 from tailscale.com/ipn/ipnlocal
        hash/crc32                                                   from compress/gzip+
        hash/fnv                                                     from tailscale.com/wgengine/magicsock+
        hash/maphash                                                 from go4.org/mem
@@ -449,7 +445,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        io/fs                                                        from crypto/x509+
        io/ioutil                                                    from github.com/godbus/dbus/v5+
        log                                                          from expvar+
-        log/internal                                                 from log
  LD    log/syslog                                                   from tailscale.com/ssh/tailssh
        math                                                         from compress/flate+
        math/big                                                     from crypto/dsa+
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -126,10 +126,6 @@ var syslogf logger.Logf = logger.Discard
 // At this point we're still the parent process that
 // Windows started.
 func runWindowsService(pol *logpolicy.Policy) error {
-	go func() {
-		winutil.LogSupportInfo(log.Printf)
-	}()
-
 	if winutil.GetPolicyInteger("LogSCMInteractions", 0) != 0 {
 		syslog, err := eventlog.Open(serviceName)
 		if err == nil {
--- a/control/controlclient/debug.go
+++ b/control/controlclient/debug.go
@@ -20,7 +20,7 @@ func dumpGoroutinesToURL(c *http.Client, targetURL string) {

 	zbuf := new(bytes.Buffer)
 	zw := gzip.NewWriter(zbuf)
-	zw.Write(goroutines.ScrubbedGoroutineDump(true))
+	zw.Write(goroutines.ScrubbedGoroutineDump())
 	zw.Close()

 	req, err := http.NewRequestWithContext(ctx, "PUT", targetURL, zbuf)
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -40,7 +40,6 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/cmpx"
 )

 // Client is a DERP-over-HTTP client.
@@ -655,7 +654,10 @@ func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, e
 					// Start v4 dial
 				}
 			}
-			dst := cmpx.Or(dstPrimary, n.HostName)
+			dst := dstPrimary
+			if dst == "" {
+				dst = n.HostName
+			}
 			port := "443"
 			if n.DERPPort != 0 {
 				port = fmt.Sprint(n.DERPPort)
--- a/flake.nix
+++ b/flake.nix
@@ -115,4 +115,4 @@
  in
    flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
-# nix-direnv cache busting line: sha256-fgCrmtJs1svFz0Xn7iwLNrbBNlcO6V0yqGPMY0+V1VQ=
+# nix-direnv cache busting line: sha256-7L+dvS++UNfMVcPUCbK/xuBPwtrzW4RpZTtcl7VCwQs=
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/frankban/quicktest v1.14.5
 	github.com/fxamacker/cbor/v2 v2.4.0
 	github.com/go-json-experiment/json v0.0.0-20230321051131-ccbac49a6929
-	github.com/go-logr/zapr v1.2.4
+	github.com/go-logr/zapr v1.2.3
 	github.com/go-ole/go-ole v1.2.6
 	github.com/godbus/dbus/v5 v5.1.0
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
@@ -48,7 +48,7 @@ require (
 	github.com/mdlayher/genetlink v1.3.2
 	github.com/mdlayher/netlink v1.7.2
 	github.com/mdlayher/sdnotify v1.0.0
-	github.com/miekg/dns v1.1.55
+	github.com/miekg/dns v1.1.54
 	github.com/mitchellh/go-ps v1.0.0
 	github.com/peterbourgon/ff/v3 v3.3.0
 	github.com/pkg/errors v0.9.1
@@ -76,13 +76,13 @@ require (
 	golang.org/x/crypto v0.8.0
 	golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53
 	golang.org/x/mod v0.10.0
-	golang.org/x/net v0.10.0
+	golang.org/x/net v0.9.0
 	golang.org/x/oauth2 v0.7.0
 	golang.org/x/sync v0.2.0
-	golang.org/x/sys v0.8.1-0.20230609144347-5059a07aa46a
-	golang.org/x/term v0.8.0
+	golang.org/x/sys v0.8.0
+	golang.org/x/term v0.7.0
 	golang.org/x/time v0.3.0
-	golang.org/x/tools v0.9.1
+	golang.org/x/tools v0.8.0
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
 	golang.zx2c4.com/wireguard/windows v0.5.3
 	gvisor.dev/gvisor v0.0.0-20230504175454-7b0a1988a28f
@@ -90,11 +90,11 @@ require (
 	inet.af/peercred v0.0.0-20210906144145-0893ea02156a
 	inet.af/tcpproxy v0.0.0-20221017015627-91f861402626
 	inet.af/wf v0.0.0-20221017222439-36129f591884
-	k8s.io/api v0.27.2
-	k8s.io/apimachinery v0.27.2
-	k8s.io/client-go v0.27.2
+	k8s.io/api v0.26.1
+	k8s.io/apimachinery v0.26.1
+	k8s.io/client-go v0.26.1
 	nhooyr.io/websocket v1.8.7
-	sigs.k8s.io/controller-runtime v0.15.0
+	sigs.k8s.io/controller-runtime v0.14.6
 	sigs.k8s.io/yaml v1.3.0
 	software.sslmate.com/src/go-pkcs12 v0.2.0
 )
@@ -334,7 +334,7 @@ require (
 	golang.org/x/exp/typeparams v0.0.0-20230425010034-47ecfdc1ba53 // indirect
 	golang.org/x/image v0.7.0 // indirect
 	golang.org/x/text v0.9.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -343,8 +343,8 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.0 // indirect
-	k8s.io/apiextensions-apiserver v0.27.2 // indirect
-	k8s.io/component-base v0.27.2 // indirect
+	k8s.io/apiextensions-apiserver v0.26.1 // indirect
+	k8s.io/component-base v0.26.1 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
 	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
--- a/go.mod.sri
+++ b/go.mod.sri
@@ -1 +1 @@
-sha256-fgCrmtJs1svFz0Xn7iwLNrbBNlcO6V0yqGPMY0+V1VQ=
+sha256-7L+dvS++UNfMVcPUCbK/xuBPwtrzW4RpZTtcl7VCwQs=
--- a/go.sum
+++ b/go.sum
@@ -274,6 +274,7 @@ github.com/esimonov/ifshort v1.0.4 h1:6SID4yGWfRae/M7hkVDVVyppy8q/v9OuxNdmjLQStB
 github.com/esimonov/ifshort v1.0.4/go.mod h1:Pe8zjlRrJ80+q2CxHLfEOfTwxCZ4O+MuhcHcfgNWTk0=
 github.com/ettle/strcase v0.1.1 h1:htFueZyVeE1XNnMEfbqp5r67qAN/4r6ya1ysq8Q+Zcw=
 github.com/ettle/strcase v0.1.1/go.mod h1:hzDLsPC7/lwKyBOywSHEP89nt2pDgdy+No1NBA9o9VY=
+github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
 github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
 github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
@@ -338,10 +339,11 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo=
-github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA=
+github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A=
+github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4=
 github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
@@ -360,7 +362,6 @@ github.com/go-playground/validator/v10 v10.2.0 h1:KgJ0snyC2R9VXYN2rneOtQcw5aHQB1
 github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4=
 github.com/go-toolsmith/astcast v1.1.0 h1:+JN9xZV1A+Re+95pgnMgDboWNVnIMMQXwfBwLRPgSC8=
 github.com/go-toolsmith/astcast v1.1.0/go.mod h1:qdcuFWeGGS2xX5bLM/c3U9lewg7+Zu4mr+xPwZIB4ZU=
@@ -513,7 +514,6 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/rpmpack v0.0.0-20201206194719-59e495f2b7e1/go.mod h1:+y9lKiqDhR4zkLl+V9h4q0rdyrYVsWWm6LLCQP33DIk=
 github.com/google/rpmpack v0.0.0-20221120200012-98b63d62fd77 h1:+C0+foB1Bm0WYdbaDIuUGEVG1Eqx9WWcGUoJBSLdZo0=
@@ -767,8 +767,8 @@ github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8Ku
 github.com/mgechev/revive v1.3.1 h1:OlQkcH40IB2cGuprTPcjB0iIUddgVZgGmDX3IAMR8D4=
 github.com/mgechev/revive v1.3.1/go.mod h1:YlD6TTWl2B8A103R9KWJSPVI9DrEf+oqr15q21Ld+5I=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
-github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
+github.com/miekg/dns v1.1.54 h1:5jon9mWcb0sFJGpnI99tOMhCPyJ+RPVz5b63MQG0VWI=
+github.com/miekg/dns v1.1.54/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
@@ -831,11 +831,11 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.14.1 h1:jMU0WaQrP0a/YAEq8eJmJKjBoMs+pClEr1vDMlM/Do4=
 github.com/onsi/ginkgo v1.14.1/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
-github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
+github.com/onsi/ginkgo/v2 v2.8.0 h1:pAM+oBNPrpXRs+E/8spkeGx9QgekbRVyr74EUvRVOUI=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU=
+github.com/onsi/gomega v1.26.0 h1:03cDLK28U6hWvCAns6NeydX3zIm4SF3ci69ulidS32Q=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
@@ -1172,13 +1172,13 @@ go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
-go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
-go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
+go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
 go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
 go4.org/mem v0.0.0-20220726221520-4f986261bf13 h1:CbZeCBZ0aZj8EfVgnqQcYZgf0lpZ3H9rmp5nkDTAst8=
@@ -1316,8 +1316,8 @@ golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
+golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1432,8 +1432,8 @@ golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.1-0.20230609144347-5059a07aa46a h1:qMsju+PNttu/NMbq8bQ9waDdxgJMu9QNoUDuhnBaYt0=
-golang.org/x/sys v0.8.1-0.20230609144347-5059a07aa46a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -1444,8 +1444,8 @@ golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
 golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ=
+golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1566,8 +1566,8 @@ golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
 golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
 golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo=
-golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
+golang.org/x/tools v0.8.0 h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y=
+golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1576,8 +1576,8 @@ golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeu
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
-gomodules.xyz/jsonpatch/v2 v2.3.0 h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc=
-gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
+gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY=
+gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -1709,6 +1709,7 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -1733,16 +1734,16 @@ inet.af/tcpproxy v0.0.0-20221017015627-91f861402626 h1:2dMP3Ox/Wh5BiItwOt4jxRsfz
 inet.af/tcpproxy v0.0.0-20221017015627-91f861402626/go.mod h1:Tojt5kmHpDIR2jMojxzZK2w2ZR7OILODmUo2gaSwjrk=
 inet.af/wf v0.0.0-20221017222439-36129f591884 h1:zg9snq3Cpy50lWuVqDYM7AIRVTtU50y5WXETMFohW/Q=
 inet.af/wf v0.0.0-20221017222439-36129f591884/go.mod h1:bSAQ38BYbY68uwpasXOTZo22dKGy9SNvI6PZFeKomZE=
-k8s.io/api v0.27.2 h1:+H17AJpUMvl+clT+BPnKf0E3ksMAzoBBg7CntpSuADo=
-k8s.io/api v0.27.2/go.mod h1:ENmbocXfBT2ADujUXcBhHV55RIT31IIEvkntP6vZKS4=
-k8s.io/apiextensions-apiserver v0.27.2 h1:iwhyoeS4xj9Y7v8YExhUwbVuBhMr3Q4bd/laClBV6Bo=
-k8s.io/apiextensions-apiserver v0.27.2/go.mod h1:Oz9UdvGguL3ULgRdY9QMUzL2RZImotgxvGjdWRq6ZXQ=
-k8s.io/apimachinery v0.27.2 h1:vBjGaKKieaIreI+oQwELalVG4d8f3YAMNpWLzDXkxeg=
-k8s.io/apimachinery v0.27.2/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
-k8s.io/client-go v0.27.2 h1:vDLSeuYvCHKeoQRhCXjxXO45nHVv2Ip4Fe0MfioMrhE=
-k8s.io/client-go v0.27.2/go.mod h1:tY0gVmUsHrAmjzHX9zs7eCjxcBsf8IiNe7KQ52biTcQ=
-k8s.io/component-base v0.27.2 h1:neju+7s/r5O4x4/txeUONNTS9r1HsPbyoPBAtHsDCpo=
-k8s.io/component-base v0.27.2/go.mod h1:5UPk7EjfgrfgRIuDBFtsEFAe4DAvP3U+M8RTzoSJkpo=
+k8s.io/api v0.26.1 h1:f+SWYiPd/GsiWwVRz+NbFyCgvv75Pk9NK6dlkZgpCRQ=
+k8s.io/api v0.26.1/go.mod h1:xd/GBNgR0f707+ATNyPmQ1oyKSgndzXij81FzWGsejg=
+k8s.io/apiextensions-apiserver v0.26.1 h1:cB8h1SRk6e/+i3NOrQgSFij1B2S0Y0wDoNl66bn8RMI=
+k8s.io/apiextensions-apiserver v0.26.1/go.mod h1:AptjOSXDGuE0JICx/Em15PaoO7buLwTs0dGleIHixSM=
+k8s.io/apimachinery v0.26.1 h1:8EZ/eGJL+hY/MYCNwhmDzVqq2lPl3N3Bo8rvweJwXUQ=
+k8s.io/apimachinery v0.26.1/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74=
+k8s.io/client-go v0.26.1 h1:87CXzYJnAMGaa/IDDfRdhTzxk/wzGZ+/HUQpqgVSZXU=
+k8s.io/client-go v0.26.1/go.mod h1:IWNSglg+rQ3OcvDkhY6+QLeasV4OYHDjdqeWkDQZwGE=
+k8s.io/component-base v0.26.1 h1:4ahudpeQXHZL5kko+iDHqLj/FSGAEUnSVO0EBbgDd+4=
+k8s.io/component-base v0.26.1/go.mod h1:VHrLR0b58oC035w6YQiBSbtsf0ThuSwXP+p5dD/kAWU=
 k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
 k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
@@ -1766,8 +1767,8 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8
 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/controller-runtime v0.15.0 h1:ML+5Adt3qZnMSYxZ7gAverBLNPSMQEibtzAgp0UPojU=
-sigs.k8s.io/controller-runtime v0.15.0/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk=
+sigs.k8s.io/controller-runtime v0.14.6 h1:oxstGVvXGNnMvY7TAESYk+lzr6S3V5VFxQ6d92KcwQA=
+sigs.k8s.io/controller-runtime v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
--- a/go.toolchain.branch
+++ b/go.toolchain.branch
@@ -1 +1 @@
-tailscale.go1.21
+tailscale.go1.20
--- a/go.toolchain.rev
+++ b/go.toolchain.rev
@@ -1 +1 @@
-492f6d9d792fa6e4caa388e4d7bab46b48d07ad5
+ddff070c02790cb571006e820e58cce9627569cf
--- a/hostinfo/hostinfo.go
+++ b/hostinfo/hostinfo.go
@@ -7,10 +7,8 @@ package hostinfo

 import (
 	"bufio"
-	"bytes"
 	"io"
 	"os"
-	"os/exec"
 	"runtime"
 	"runtime/debug"
 	"strings"
@@ -436,12 +434,3 @@ func etcAptSourceFileIsDisabled(r io.Reader) bool {
 	}
 	return disabled
 }
-
-// IsSELinuxEnforcing reports whether SELinux is in "Enforcing" mode.
-func IsSELinuxEnforcing() bool {
-	if runtime.GOOS != "linux" {
-		return false
-	}
-	out, _ := exec.Command("getenforce").Output()
-	return string(bytes.TrimSpace(out)) == "Enforcing"
-}
--- a/ipn/ipn_clone.go
+++ b/ipn/ipn_clone.go
@@ -103,7 +103,6 @@ func (src *TCPPortHandler) Clone() *TCPPortHandler {
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _TCPPortHandlerCloneNeedsRegeneration = TCPPortHandler(struct {
 	HTTPS        bool
-	HTTP         bool
 	TCPForward   string
 	TerminateTLS string
 }{})
--- a/ipn/ipn_view.go
+++ b/ipn/ipn_view.go
@@ -228,14 +228,12 @@ func (v *TCPPortHandlerView) UnmarshalJSON(b []byte) error {
 }

 func (v TCPPortHandlerView) HTTPS() bool          { return v.ж.HTTPS }
-func (v TCPPortHandlerView) HTTP() bool           { return v.ж.HTTP }
 func (v TCPPortHandlerView) TCPForward() string   { return v.ж.TCPForward }
 func (v TCPPortHandlerView) TerminateTLS() string { return v.ж.TerminateTLS }

 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _TCPPortHandlerViewNeedsRegeneration = TCPPortHandler(struct {
 	HTTPS        bool
-	HTTP         bool
 	TCPForward   string
 	TerminateTLS string
 }{})
--- a/ipn/ipnlocal/c2n.go
+++ b/ipn/ipnlocal/c2n.go
@@ -49,7 +49,7 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 		}
 	case "/debug/goroutines":
 		w.Header().Set("Content-Type", "text/plain")
-		w.Write(goroutines.ScrubbedGoroutineDump(true))
+		w.Write(goroutines.ScrubbedGoroutineDump())
 	case "/debug/prefs":
 		writeJSON(b.Prefs())
 	case "/debug/metrics":
--- a/ipn/ipnlocal/cert.go
+++ b/ipn/ipnlocal/cert.go
@@ -101,13 +101,11 @@ func (b *LocalBackend) GetCertPEM(ctx context.Context, domain string) (*TLSCertK
 	}

 	if pair, err := getCertPEMCached(cs, domain, now); err == nil {
-		shouldRenew, err := shouldStartDomainRenewal(domain, now, pair)
-		if err != nil {
-			logf("error checking for certificate renewal: %v", err)
-		} else if shouldRenew {
+		future := now.AddDate(0, 0, 14)
+		if b.shouldStartDomainRenewal(cs, domain, future) {
 			logf("starting async renewal")
 			// Start renewal in the background.
-			go b.getCertPEM(context.Background(), cs, logf, traceACME, domain, now)
+			go b.getCertPEM(context.Background(), cs, logf, traceACME, domain, future)
 		}
 		return pair, nil
 	}
@@ -120,41 +118,18 @@ func (b *LocalBackend) GetCertPEM(ctx context.Context, domain string) (*TLSCertK
 	return pair, nil
 }

-func shouldStartDomainRenewal(domain string, now time.Time, pair *TLSCertKeyPair) (bool, error) {
+func (b *LocalBackend) shouldStartDomainRenewal(cs certStore, domain string, future time.Time) bool {
 	renewMu.Lock()
 	defer renewMu.Unlock()
+	now := time.Now()
 	if last, ok := lastRenewCheck[domain]; ok && now.Sub(last) < time.Minute {
 		// We checked very recently. Don't bother reparsing &
 		// validating the x509 cert.
-		return false, nil
+		return false
 	}
 	lastRenewCheck[domain] = now
-
-	block, _ := pem.Decode(pair.CertPEM)
-	if block == nil {
-		return false, fmt.Errorf("parsing certificate PEM")
-	}
-	cert, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		return false, fmt.Errorf("parsing certificate: %w", err)
-	}
-
-	certLifetime := cert.NotAfter.Sub(cert.NotBefore)
-	if certLifetime < 0 {
-		return false, fmt.Errorf("negative certificate lifetime %v", certLifetime)
-	}
-
-	// Per https://github.com/tailscale/tailscale/issues/8204, check
-	// whether we're more than 2/3 of the way through the certificate's
-	// lifetime, which is the officially-recommended best practice by Let's
-	// Encrypt.
-	renewalDuration := certLifetime * 2 / 3
-	renewAt := cert.NotBefore.Add(renewalDuration)
-
-	if now.After(renewAt) {
-		return true, nil
-	}
-	return false, nil
+	_, err := getCertPEMCached(cs, domain, future)
+	return errors.Is(err, errCertExpired)
 }

 // certStore provides a way to perist and retrieve TLS certificates.
--- a/ipn/ipnlocal/cert_test.go
+++ b/ipn/ipnlocal/cert_test.go
@@ -6,19 +6,12 @@
 package ipnlocal

 import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/x509"
-	"crypto/x509/pkix"
 	"embed"
-	"encoding/pem"
-	"math/big"
 	"testing"
 	"time"

 	"github.com/google/go-cmp/cmp"
-	"golang.org/x/exp/maps"
 	"tailscale.com/ipn/store/mem"
 )

@@ -107,94 +100,3 @@ func TestCertStoreRoundTrip(t *testing.T) {
 		})
 	}
 }
-
-func TestShouldStartDomainRenewal(t *testing.T) {
-	reset := func() {
-		renewMu.Lock()
-		defer renewMu.Unlock()
-		maps.Clear(lastRenewCheck)
-	}
-
-	mustMakePair := func(template *x509.Certificate) *TLSCertKeyPair {
-		priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-		if err != nil {
-			panic(err)
-		}
-
-		b, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
-		if err != nil {
-			panic(err)
-		}
-		certPEM := pem.EncodeToMemory(&pem.Block{
-			Type:  "CERTIFICATE",
-			Bytes: b,
-		})
-
-		return &TLSCertKeyPair{
-			Cached:  false,
-			CertPEM: certPEM,
-			KeyPEM:  []byte("unused"),
-		}
-	}
-
-	now := time.Unix(1685714838, 0)
-	subject := pkix.Name{
-		Organization:  []string{"Tailscale, Inc."},
-		Country:       []string{"CA"},
-		Province:      []string{"ON"},
-		Locality:      []string{"Toronto"},
-		StreetAddress: []string{"290 Bremner Blvd"},
-		PostalCode:    []string{"M5V 3L9"},
-	}
-
-	testCases := []struct {
-		name      string
-		notBefore time.Time
-		lifetime  time.Duration
-		want      bool
-		wantErr   string
-	}{
-		{
-			name:      "should renew",
-			notBefore: now.AddDate(0, 0, -89),
-			lifetime:  90 * 24 * time.Hour,
-			want:      true,
-		},
-		{
-			name:      "short-lived renewal",
-			notBefore: now.AddDate(0, 0, -7),
-			lifetime:  10 * 24 * time.Hour,
-			want:      true,
-		},
-		{
-			name:      "no renew",
-			notBefore: now.AddDate(0, 0, -59), // 59 days ago == not 2/3rds of the way through 90 days yet
-			lifetime:  90 * 24 * time.Hour,
-			want:      false,
-		},
-	}
-	for _, tt := range testCases {
-		t.Run(tt.name, func(t *testing.T) {
-			reset()
-
-			ret, err := shouldStartDomainRenewal("example.com", now, mustMakePair(&x509.Certificate{
-				SerialNumber: big.NewInt(2019),
-				Subject:      subject,
-				NotBefore:    tt.notBefore,
-				NotAfter:     tt.notBefore.Add(tt.lifetime),
-			}))
-
-			if tt.wantErr != "" {
-				if err == nil {
-					t.Errorf("wanted error, got nil")
-				} else if err.Error() != tt.wantErr {
-					t.Errorf("got err=%q, want %q", err.Error(), tt.wantErr)
-				}
-			} else {
-				if ret != tt.want {
-					t.Errorf("got ret=%v, want %v", ret, tt.want)
-				}
-			}
-		})
-	}
-}
--- a/ipn/ipnlocal/dnsconfig_test.go
+++ b/ipn/ipnlocal/dnsconfig_test.go
@@ -16,7 +16,6 @@ import (
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/netmap"
 	"tailscale.com/util/cloudenv"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/util/dnsname"
 )

@@ -309,7 +308,10 @@ func TestDNSConfigForNetmap(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			verOS := cmpx.Or(tt.os, "linux")
+			verOS := tt.os
+			if verOS == "" {
+				verOS = "linux"
+			}
 			var log tstest.MemLogger
 			got := dnsConfigForNetmap(tt.nm, tt.prefs.View(), log.Logf, verOS)
 			if !reflect.DeepEqual(got, tt.want) {
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -4,6 +4,7 @@
 package ipnlocal

 import (
+	"bytes"
 	"context"
 	"encoding/base64"
 	"encoding/json"
@@ -17,6 +18,7 @@ import (
 	"net/netip"
 	"net/url"
 	"os"
+	"os/exec"
 	"os/user"
 	"path/filepath"
 	"runtime"
@@ -30,7 +32,6 @@ import (
 	"go4.org/mem"
 	"go4.org/netipx"
 	"golang.org/x/exp/slices"
-	"gvisor.dev/gvisor/pkg/tcpip"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/doctor"
@@ -70,7 +71,6 @@ import (
 	"tailscale.com/types/preftype"
 	"tailscale.com/types/ptr"
 	"tailscale.com/types/views"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/util/deephash"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/mak"
@@ -293,6 +293,12 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo

 	ctx, cancel := context.WithCancel(context.Background())
 	portpoll := new(portlist.Poller)
+	err = portpoll.Check()
+	if err != nil {
+		logf("skipping portlist: %s", err)
+		portpoll.Close()
+		portpoll = nil
+	}

 	b := &LocalBackend{
 		ctx:            ctx,
@@ -1374,6 +1380,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {

 	if b.portpoll != nil {
 		b.portpollOnce.Do(func() {
+			go b.portpoll.Run(b.ctx)
 			go b.readPoller()

 			// Give the poller a second to get results to
@@ -1808,30 +1815,11 @@ func dnsMapsEqual(new, old *netmap.NetworkMap) bool {
 // readPoller is a goroutine that receives service lists from
 // b.portpoll and propagates them into the controlclient's HostInfo.
 func (b *LocalBackend) readPoller() {
-	isFirst := true
-	ticker := time.NewTicker(portlist.PollInterval())
-	defer ticker.Stop()
-	initChan := make(chan struct{})
-	close(initChan)
+	n := 0
 	for {
-		select {
-		case <-ticker.C:
-		case <-b.ctx.Done():
+		ports, ok := <-b.portpoll.Updates()
+		if !ok {
 			return
-		case <-initChan:
-			// Preserving old behavior: readPoller should
-			// immediately poll the first time, then wait
-			// for a tick after.
-			initChan = nil
-		}
-
-		ports, changed, err := b.portpoll.Poll()
-		if err != nil {
-			b.logf("error polling for open ports: %v", err)
-			return
-		}
-		if !changed {
-			continue
 		}
 		sl := []tailcfg.Service{}
 		for _, p := range ports {
@@ -1855,8 +1843,8 @@ func (b *LocalBackend) readPoller() {

 		b.doSetHostinfoFilterServices(hi)

-		if isFirst {
-			isFirst = false
+		n++
+		if n == 1 {
 			close(b.gotPortPollRes)
 		}
 	}
@@ -2581,7 +2569,7 @@ func (b *LocalBackend) checkSSHPrefsLocked(p *ipn.Prefs) error {
 		if distro.Get() == distro.QNAP && !envknob.UseWIPCode() {
 			return errors.New("The Tailscale SSH server does not run on QNAP.")
 		}
-		b.updateSELinuxHealthWarning()
+		checkSELinux()
 		// otherwise okay
 	case "darwin":
 		// okay only in tailscaled mode for now.
@@ -2827,14 +2815,14 @@ func (b *LocalBackend) GetPeerAPIPort(ip netip.Addr) (port uint16, ok bool) {
 	return 0, false
 }

-// handlePeerAPIConn serves an already-accepted connection c.
+// ServePeerAPIConnection serves an already-accepted connection c.
 //
 // The remote parameter is the remote address.
 // The local parameter is the local address (either a Tailscale IPv4
 // or IPv6 IP and the peerapi port for that address).
 //
-// The connection will be closed by handlePeerAPIConn.
-func (b *LocalBackend) handlePeerAPIConn(remote, local netip.AddrPort, c net.Conn) {
+// The connection will be closed by ServePeerAPIConnection.
+func (b *LocalBackend) ServePeerAPIConnection(remote, local netip.AddrPort, c net.Conn) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
 	for _, pln := range b.peerAPIListeners {
@@ -2848,48 +2836,6 @@ func (b *LocalBackend) handlePeerAPIConn(remote, local netip.AddrPort, c net.Con
 	return
 }

-func (b *LocalBackend) isLocalIP(ip netip.Addr) bool {
-	nm := b.NetMap()
-	return nm != nil && slices.Contains(nm.Addresses, netip.PrefixFrom(ip, ip.BitLen()))
-}
-
-var (
-	magicDNSIP   = tsaddr.TailscaleServiceIP()
-	magicDNSIPv6 = tsaddr.TailscaleServiceIPv6()
-)
-
-// TCPHandlerForDst returns a TCP handler for connections to dst, or nil if
-// no handler is needed. It also returns a list of TCP socket options to
-// apply to the socket before calling the handler.
-func (b *LocalBackend) TCPHandlerForDst(src, dst netip.AddrPort) (handler func(c net.Conn) error, opts []tcpip.SettableSocketOption) {
-	if dst.Port() == 80 && (dst.Addr() == magicDNSIP || dst.Addr() == magicDNSIPv6) {
-		return b.HandleQuad100Port80Conn, opts
-	}
-	if !b.isLocalIP(dst.Addr()) {
-		return nil, nil
-	}
-	if dst.Port() == 22 && b.ShouldRunSSH() {
-		// Use a higher keepalive idle time for SSH connections, as they are
-		// typically long lived and idle connections are more likely to be
-		// intentional. Ideally we would turn this off entirely, but we can't
-		// tell the difference between a long lived connection that is idle
-		// vs a connection that is dead because the peer has gone away.
-		// We pick 72h as that is typically sufficient for a long weekend.
-		opts = append(opts, ptr.To(tcpip.KeepaliveIdleOption(72*time.Hour)))
-		return b.handleSSHConn, opts
-	}
-	if port, ok := b.GetPeerAPIPort(dst.Addr()); ok && dst.Port() == port {
-		return func(c net.Conn) error {
-			b.handlePeerAPIConn(src, dst, c)
-			return nil
-		}, opts
-	}
-	if handler := b.tcpHandlerForServe(dst.Port(), src); handler != nil {
-		return handler, opts
-	}
-	return nil, nil
-}
-
 func (b *LocalBackend) peerAPIServicesLocked() (ret []tailcfg.Service) {
 	for _, pln := range b.peerAPIListeners {
 		proto := tailcfg.PeerAPI4
@@ -3974,7 +3920,10 @@ func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 	b.dialer.SetNetMap(nm)
 	var login string
 	if nm != nil {
-		login = cmpx.Or(nm.UserProfiles[nm.User].LoginName, "<missing-profile>")
+		login = nm.UserProfiles[nm.User].LoginName
+		if login == "" {
+			login = "<missing-profile>"
+		}
 	}
 	b.netMap = nm
 	if login != b.activeLogin {
@@ -4129,10 +4078,6 @@ func (b *LocalBackend) setServeProxyHandlersLocked() {
 	b.serveConfig.Web().Range(func(_ ipn.HostPort, conf ipn.WebServerConfigView) (cont bool) {
 		conf.Handlers().Range(func(_ string, h ipn.HTTPHandlerView) (cont bool) {
 			backend := h.Proxy()
-			if backend == "" {
-				// Only create proxy handlers for servers with a proxy backend.
-				return true
-			}
 			mak.Set(&backends, backend, true)
 			if _, ok := b.serveProxyHandlers.Load(backend); ok {
 				return true
@@ -4707,29 +4652,33 @@ func (b *LocalBackend) sshServerOrInit() (_ SSHServer, err error) {

 var warnSSHSELinux = health.NewWarnable()

-func (b *LocalBackend) updateSELinuxHealthWarning() {
-	if hostinfo.IsSELinuxEnforcing() {
+func checkSELinux() {
+	if runtime.GOOS != "linux" {
+		return
+	}
+	out, _ := exec.Command("getenforce").Output()
+	if string(bytes.TrimSpace(out)) == "Enforcing" {
 		warnSSHSELinux.Set(errors.New("SELinux is enabled; Tailscale SSH may not work. See https://tailscale.com/s/ssh-selinux"))
 	} else {
 		warnSSHSELinux.Set(nil)
 	}
 }

-func (b *LocalBackend) handleSSHConn(c net.Conn) (err error) {
+func (b *LocalBackend) HandleSSHConn(c net.Conn) (err error) {
 	s, err := b.sshServerOrInit()
 	if err != nil {
 		return err
 	}
-	b.updateSELinuxHealthWarning()
+	checkSELinux()
 	return s.HandleSSHConn(c)
 }

 // HandleQuad100Port80Conn serves http://100.100.100.100/ on port 80 (and
 // the equivalent tsaddr.TailscaleServiceIPv6 address).
-func (b *LocalBackend) HandleQuad100Port80Conn(c net.Conn) error {
+func (b *LocalBackend) HandleQuad100Port80Conn(c net.Conn) {
 	var s http.Server
 	s.Handler = http.HandlerFunc(b.handleQuad100Port80Conn)
-	return s.Serve(netutil.NewOneConnListener(c, nil))
+	s.Serve(netutil.NewOneConnListener(c, nil))
 }

 func validQuad100Host(h string) bool {
--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@@ -158,9 +158,7 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie
 		return nil
 	}

-	if b.tka != nil || nm.TKAEnabled {
-		b.logf("tkaSyncIfNeeded: enabled=%v, head=%v", nm.TKAEnabled, nm.TKAHead)
-	}
+	b.logf("tkaSyncIfNeeded: enabled=%v, head=%v", nm.TKAEnabled, nm.TKAHead)

 	ourNodeKey := prefs.Persist().PublicNodeKey()

@@ -199,7 +197,7 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie
 				health.SetTKAHealth(nil)
 			}
 		} else {
-			return fmt.Errorf("[bug] unreachable invariant of wantEnabled w/ isEnabled")
+			return fmt.Errorf("[bug] unreachable invariant of wantEnabled /w isEnabled")
 		}
 	}

@@ -451,8 +449,6 @@ func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
 		filtered[i] = b.tka.filtered[i].Clone()
 	}

-	stateID1, _ := b.tka.authority.StateIDs()
-
 	return &ipnstate.NetworkLockStatus{
 		Enabled:       true,
 		Head:          &head,
@@ -461,7 +457,6 @@ func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
 		NodeKeySigned: selfAuthorized,
 		TrustedKeys:   outKeys,
 		FilteredPeers: filtered,
-		StateID:       stateID1,
 	}
 }

@@ -889,18 +884,6 @@ func (b *LocalBackend) NetworkLockWrapPreauthKey(preauthKey string, tkaKey key.N
 	return fmt.Sprintf("%s--TL%s-%s", preauthKey, tkaSuffixEncoder.EncodeToString(sig.Serialize()), tkaSuffixEncoder.EncodeToString(priv)), nil
 }

-// NetworkLockVerifySigningDeeplink asks the authority to verify the given deeplink
-// URL. See the comment for ValidateDeeplink for details.
-func (b *LocalBackend) NetworkLockVerifySigningDeeplink(url string) tka.DeeplinkValidationResult {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.tka == nil {
-		return tka.DeeplinkValidationResult{IsValid: false, Error: errNetworkLockNotActive.Error()}
-	}
-
-	return b.tka.authority.ValidateDeeplink(url)
-}
-
 func signNodeKey(nodeInfo tailcfg.TKASignInfo, signer key.NLPrivate) (*tka.NodeKeySignature, error) {
 	p, err := nodeInfo.NodePublic.MarshalBinary()
 	if err != nil {
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -780,7 +780,7 @@ func (h *peerAPIHandler) handleServeIngress(w http.ResponseWriter, r *http.Reque
 		return
 	}

-	getConnOrReset := func() (net.Conn, bool) {
+	getConn := func() (net.Conn, bool) {
 		conn, _, err := w.(http.Hijacker).Hijack()
 		if err != nil {
 			h.logf("ingress: failed hijacking conn")
@@ -798,7 +798,7 @@ func (h *peerAPIHandler) handleServeIngress(w http.ResponseWriter, r *http.Reque
 		http.Error(w, "denied", http.StatusForbidden)
 	}

-	h.ps.b.HandleIngressTCPConn(h.peerNode, target, srcAddr, getConnOrReset, sendRST)
+	h.ps.b.HandleIngressTCPConn(h.peerNode, target, srcAddr, getConn, sendRST)
 }

 func (h *peerAPIHandler) handleServeInterfaces(w http.ResponseWriter, r *http.Request) {
--- a/ipn/ipnlocal/profiles.go
+++ b/ipn/ipnlocal/profiles.go
@@ -24,8 +24,6 @@ import (

 var errAlreadyMigrated = errors.New("profile migration already completed")

-var debug = envknob.RegisterBool("TS_DEBUG_PROFILES")
-
 // profileManager is a wrapper around a StateStore that manages
 // multiple profiles and the current profile.
 type profileManager struct {
@@ -44,13 +42,6 @@ type profileManager struct {
 	isNewProfile bool
 }

-func (pm *profileManager) dlogf(format string, args ...any) {
-	if !debug() {
-		return
-	}
-	pm.logf(format, args...)
-}
-
 // CurrentUserID returns the current user ID. It is only non-empty on
 // Windows where we have a multi-user system.
 func (pm *profileManager) CurrentUserID() ipn.WindowsUserID {
@@ -75,10 +66,8 @@ func (pm *profileManager) SetCurrentUserID(uid ipn.WindowsUserID) error {
 	// Read the CurrentProfileKey from the store which stores
 	// the selected profile for the current user.
 	b, err := pm.store.ReadState(ipn.CurrentProfileKey(string(uid)))
-	pm.dlogf("SetCurrentUserID: ReadState(%q) = %v, %v", string(uid), len(b), err)
 	if err == ipn.ErrStateNotExist || len(b) == 0 {
 		if runtime.GOOS == "windows" {
-			pm.dlogf("SetCurrentUserID: windows: migrating from legacy preferences")
 			if err := pm.migrateFromLegacyPrefs(); err != nil && !errors.Is(err, errAlreadyMigrated) {
 				return err
 			}
@@ -92,7 +81,6 @@ func (pm *profileManager) SetCurrentUserID(uid ipn.WindowsUserID) error {
 	pk := ipn.StateKey(string(b))
 	prof := pm.findProfileByKey(pk)
 	if prof == nil {
-		pm.dlogf("SetCurrentUserID: no profile found for key: %q", pk)
 		pm.NewProfile()
 		return nil
 	}
@@ -567,7 +555,6 @@ func newProfileManagerWithGOOS(store ipn.StateStore, logf logger.Logf, goos stri
 		// and runtime must be valid Windows security identifier structures.
 	} else if len(knownProfiles) == 0 && goos != "windows" && runtime.GOOS != "windows" {
 		// No known profiles, try a migration.
-		pm.dlogf("no known profiles; trying to migrate from legacy prefs")
 		if err := pm.migrateFromLegacyPrefs(); err != nil {
 			return nil, err
 		}
@@ -586,13 +573,11 @@ func (pm *profileManager) migrateFromLegacyPrefs() error {
 		metricMigrationError.Add(1)
 		return fmt.Errorf("load legacy prefs: %w", err)
 	}
-	pm.dlogf("loaded legacy preferences; sentinel=%q", sentinel)
 	if err := pm.SetPrefs(prefs); err != nil {
 		metricMigrationError.Add(1)
 		return fmt.Errorf("migrating _daemon profile: %w", err)
 	}
 	pm.completeMigration(sentinel)
-	pm.dlogf("completed legacy preferences migration with sentinel=%q", sentinel)
 	metricMigrationSuccess.Add(1)
 	return nil
 }
--- a/ipn/ipnlocal/profiles_windows.go
+++ b/ipn/ipnlocal/profiles_windows.go
@@ -40,7 +40,6 @@ func legacyPrefsDir(uid ipn.WindowsUserID) (string, error) {
 func (pm *profileManager) loadLegacyPrefs() (string, ipn.PrefsView, error) {
 	userLegacyPrefsDir, err := legacyPrefsDir(pm.currentUserID)
 	if err != nil {
-		pm.dlogf("no legacy preferences directory for %q: %v", pm.currentUserID, err)
 		return "", ipn.PrefsView{}, err
 	}

@@ -48,17 +47,14 @@ func (pm *profileManager) loadLegacyPrefs() (string, ipn.PrefsView, error) {
 	// verify that migration sentinel is not present
 	_, err = os.Stat(migrationSentinel)
 	if err == nil {
-		pm.dlogf("migration sentinel %q already exists", migrationSentinel)
 		return "", ipn.PrefsView{}, errAlreadyMigrated
 	}
 	if !os.IsNotExist(err) {
-		pm.dlogf("os.Stat(%q) = %v", migrationSentinel, err)
 		return "", ipn.PrefsView{}, err
 	}

 	prefsPath := filepath.Join(userLegacyPrefsDir, legacyPrefsFile+legacyPrefsExt)
 	prefs, err := ipn.LoadPrefs(prefsPath)
-	pm.dlogf("ipn.LoadPrefs(%q) = %v, %v", prefsPath, prefs, err)
 	if errors.Is(err, fs.ErrNotExist) {
 		return "", ipn.PrefsView{}, errAlreadyMigrated
 	}
--- a/ipn/ipnlocal/serve.go
+++ b/ipn/ipnlocal/serve.go
@@ -162,13 +162,12 @@ func (s *serveListener) handleServeListenersAccept(ln net.Listener) error {
 			return err
 		}
 		srcAddr := conn.RemoteAddr().(*net.TCPAddr).AddrPort()
-		handler := s.b.tcpHandlerForServe(s.ap.Port(), srcAddr)
-		if handler == nil {
+		getConn := func() (net.Conn, bool) { return conn, true }
+		sendRST := func() {
 			s.b.logf("serve RST for %v", srcAddr)
 			conn.Close()
-			continue
 		}
-		go handler(conn)
+		go s.b.HandleInterceptedTCPConn(s.ap.Port(), srcAddr, getConn, sendRST)
 	}
 }

@@ -257,7 +256,7 @@ func (b *LocalBackend) ServeConfig() ipn.ServeConfigView {
 	return b.serveConfig
 }

-func (b *LocalBackend) HandleIngressTCPConn(ingressPeer *tailcfg.Node, target ipn.HostPort, srcAddr netip.AddrPort, getConnOrReset func() (net.Conn, bool), sendRST func()) {
+func (b *LocalBackend) HandleIngressTCPConn(ingressPeer *tailcfg.Node, target ipn.HostPort, srcAddr netip.AddrPort, getConn func() (net.Conn, bool), sendRST func()) {
 	b.mu.Lock()
 	sc := b.serveConfig
 	b.mu.Unlock()
@@ -290,7 +289,7 @@ func (b *LocalBackend) HandleIngressTCPConn(ingressPeer *tailcfg.Node, target ip
 	if b.getTCPHandlerForFunnelFlow != nil {
 		handler := b.getTCPHandlerForFunnelFlow(srcAddr, dport)
 		if handler != nil {
-			c, ok := getConnOrReset()
+			c, ok := getConn()
 			if !ok {
 				b.logf("localbackend: getConn didn't complete from %v to port %v", srcAddr, dport)
 				return
@@ -299,41 +298,39 @@ func (b *LocalBackend) HandleIngressTCPConn(ingressPeer *tailcfg.Node, target ip
 			return
 		}
 	}
-	// TODO(bradfitz): pass ingressPeer etc in context to tcpHandlerForServe,
+	// TODO(bradfitz): pass ingressPeer etc in context to HandleInterceptedTCPConn,
 	// extend serveHTTPContext or similar.
-	handler := b.tcpHandlerForServe(dport, srcAddr)
-	if handler == nil {
-		sendRST()
-		return
-	}
-	c, ok := getConnOrReset()
-	if !ok {
-		b.logf("localbackend: getConn didn't complete from %v to port %v", srcAddr, dport)
-		return
-	}
-	handler(c)
+	b.HandleInterceptedTCPConn(dport, srcAddr, getConn, sendRST)
 }

-// tcpHandlerForServe returns a handler for a TCP connection to be served via
-// the ipn.ServeConfig.
-func (b *LocalBackend) tcpHandlerForServe(dport uint16, srcAddr netip.AddrPort) (handler func(net.Conn) error) {
+func (b *LocalBackend) HandleInterceptedTCPConn(dport uint16, srcAddr netip.AddrPort, getConn func() (net.Conn, bool), sendRST func()) {
 	b.mu.Lock()
 	sc := b.serveConfig
 	b.mu.Unlock()

 	if !sc.Valid() {
 		b.logf("[unexpected] localbackend: got TCP conn w/o serveConfig; from %v to port %v", srcAddr, dport)
-		return nil
+		sendRST()
+		return
 	}

 	tcph, ok := sc.TCP().GetOk(dport)
 	if !ok {
 		b.logf("[unexpected] localbackend: got TCP conn without TCP config for port %v; from %v", dport, srcAddr)
-		return nil
+		sendRST()
+		return
 	}

-	if tcph.HTTPS() || tcph.HTTP() {
+	if tcph.HTTPS() {
+		conn, ok := getConn()
+		if !ok {
+			b.logf("localbackend: getConn didn't complete from %v to port %v", srcAddr, dport)
+			return
+		}
 		hs := &http.Server{
+			TLSConfig: &tls.Config{
+				GetCertificate: b.getTLSServeCertForPort(dport),
+			},
 			Handler: http.HandlerFunc(b.serveWebHandler),
 			BaseContext: func(_ net.Listener) context.Context {
 				return context.WithValue(context.Background(), serveHTTPContextKey{}, &serveHTTPContext{
@@ -342,92 +339,79 @@ func (b *LocalBackend) tcpHandlerForServe(dport uint16, srcAddr netip.AddrPort)
 				})
 			},
 		}
-		if tcph.HTTPS() {
-			hs.TLSConfig = &tls.Config{
-				GetCertificate: b.getTLSServeCertForPort(dport),
-			}
-			return func(c net.Conn) error {
-				return hs.ServeTLS(netutil.NewOneConnListener(c, nil), "", "")
-			}
-		}
-
-		return func(c net.Conn) error {
-			return hs.Serve(netutil.NewOneConnListener(c, nil))
-		}
+		hs.ServeTLS(netutil.NewOneConnListener(conn, nil), "", "")
+		return
 	}

 	if backDst := tcph.TCPForward(); backDst != "" {
-		return func(conn net.Conn) error {
-			defer conn.Close()
-			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-			backConn, err := b.dialer.SystemDial(ctx, "tcp", backDst)
-			cancel()
-			if err != nil {
-				b.logf("localbackend: failed to TCP proxy port %v (from %v) to %s: %v", dport, srcAddr, backDst, err)
-				return nil
-			}
-			defer backConn.Close()
-			if sni := tcph.TerminateTLS(); sni != "" {
-				conn = tls.Server(conn, &tls.Config{
-					GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-						ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-						defer cancel()
-						pair, err := b.GetCertPEM(ctx, sni)
-						if err != nil {
-							return nil, err
-						}
-						cert, err := tls.X509KeyPair(pair.CertPEM, pair.KeyPEM)
-						if err != nil {
-							return nil, err
-						}
-						return &cert, nil
-					},
-				})
-			}
-
-			// TODO(bradfitz): do the RegisterIPPortIdentity and
-			// UnregisterIPPortIdentity stuff that netstack does
-			errc := make(chan error, 1)
-			go func() {
-				_, err := io.Copy(backConn, conn)
-				errc <- err
-			}()
-			go func() {
-				_, err := io.Copy(conn, backConn)
-				errc <- err
-			}()
-			return <-errc
+		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		backConn, err := b.dialer.SystemDial(ctx, "tcp", backDst)
+		cancel()
+		if err != nil {
+			b.logf("localbackend: failed to TCP proxy port %v (from %v) to %s: %v", dport, srcAddr, backDst, err)
+			sendRST()
+			return
 		}
+		conn, ok := getConn()
+		if !ok {
+			b.logf("localbackend: getConn didn't complete from %v to port %v", srcAddr, dport)
+			backConn.Close()
+			return
+		}
+		defer conn.Close()
+		defer backConn.Close()
+
+		if sni := tcph.TerminateTLS(); sni != "" {
+			conn = tls.Server(conn, &tls.Config{
+				GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+					ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+					defer cancel()
+					pair, err := b.GetCertPEM(ctx, sni)
+					if err != nil {
+						return nil, err
+					}
+					cert, err := tls.X509KeyPair(pair.CertPEM, pair.KeyPEM)
+					if err != nil {
+						return nil, err
+					}
+					return &cert, nil
+				},
+			})
+		}
+
+		// TODO(bradfitz): do the RegisterIPPortIdentity and
+		// UnregisterIPPortIdentity stuff that netstack does
+
+		errc := make(chan error, 1)
+		go func() {
+			_, err := io.Copy(backConn, conn)
+			errc <- err
+		}()
+		go func() {
+			_, err := io.Copy(conn, backConn)
+			errc <- err
+		}()
+		<-errc
+		return
 	}

 	b.logf("closing TCP conn to port %v (from %v) with actionless TCPPortHandler", dport, srcAddr)
-	return nil
-}
-
-func getServeHTTPContext(r *http.Request) (c *serveHTTPContext, ok bool) {
-	c, ok = r.Context().Value(serveHTTPContextKey{}).(*serveHTTPContext)
-	return c, ok
+	sendRST()
 }

 func (b *LocalBackend) getServeHandler(r *http.Request) (_ ipn.HTTPHandlerView, at string, ok bool) {
 	var z ipn.HTTPHandlerView // zero value

-	hostname := r.Host
 	if r.TLS == nil {
-		tcd := "." + b.Status().CurrentTailnet.MagicDNSSuffix
-		if !strings.HasSuffix(hostname, tcd) {
-			hostname += tcd
-		}
-	} else {
-		hostname = r.TLS.ServerName
+		return z, "", false
 	}

-	sctx, ok := getServeHTTPContext(r)
+	sctx, ok := r.Context().Value(serveHTTPContextKey{}).(*serveHTTPContext)
 	if !ok {
 		b.logf("[unexpected] localbackend: no serveHTTPContext in request")
 		return z, "", false
 	}
-	wsc, ok := b.webServerConfig(hostname, sctx.DestPort)
+	wsc, ok := b.webServerConfig(r.TLS.ServerName, sctx.DestPort)
 	if !ok {
 		return z, "", false
 	}
@@ -463,8 +447,9 @@ func (b *LocalBackend) proxyHandlerForBackend(backend string) (*httputil.Reverse
 		Rewrite: func(r *httputil.ProxyRequest) {
 			r.SetURL(u)
 			r.Out.Host = r.In.Host
-			addProxyForwardedHeaders(r)
-			b.addTailscaleIdentityHeaders(r)
+			if c, ok := r.Out.Context().Value(serveHTTPContextKey{}).(*serveHTTPContext); ok {
+				r.Out.Header.Set("X-Forwarded-For", c.SrcAddr.Addr().String())
+			}
 		},
 		Transport: &http.Transport{
 			DialContext: b.dialer.SystemDial,
@@ -482,40 +467,6 @@ func (b *LocalBackend) proxyHandlerForBackend(backend string) (*httputil.Reverse
 	return rp, nil
 }

-func addProxyForwardedHeaders(r *httputil.ProxyRequest) {
-	r.Out.Header.Set("X-Forwarded-Host", r.In.Host)
-	if r.In.TLS != nil {
-		r.Out.Header.Set("X-Forwarded-Proto", "https")
-	}
-	if c, ok := getServeHTTPContext(r.Out); ok {
-		r.Out.Header.Set("X-Forwarded-For", c.SrcAddr.Addr().String())
-	}
-}
-
-func (b *LocalBackend) addTailscaleIdentityHeaders(r *httputil.ProxyRequest) {
-	// Clear any incoming values squatting in the headers.
-	r.Out.Header.Del("Tailscale-User-Login")
-	r.Out.Header.Del("Tailscale-User-Name")
-	r.Out.Header.Del("Tailscale-Headers-Info")
-
-	c, ok := getServeHTTPContext(r.Out)
-	if !ok {
-		return
-	}
-	node, user, ok := b.WhoIs(c.SrcAddr)
-	if !ok {
-		return // traffic from outside of Tailnet (funneled)
-	}
-	if node.IsTagged() {
-		// 2023-06-14: Not setting identity headers for tagged nodes.
-		// Only currently set for nodes with user identities.
-		return
-	}
-	r.Out.Header.Set("Tailscale-User-Login", user.LoginName)
-	r.Out.Header.Set("Tailscale-User-Name", user.DisplayName)
-	r.Out.Header.Set("Tailscale-Headers-Info", "https://tailscale.com/s/serve-headers")
-}
-
 func (b *LocalBackend) serveWebHandler(w http.ResponseWriter, r *http.Request) {
 	h, mountPoint, ok := b.getServeHandler(r)
 	if !ok {
@@ -648,8 +599,8 @@ func allNumeric(s string) bool {
 	return s != ""
 }

-func (b *LocalBackend) webServerConfig(hostname string, port uint16) (c ipn.WebServerConfigView, ok bool) {
-	key := ipn.HostPort(fmt.Sprintf("%s:%v", hostname, port))
+func (b *LocalBackend) webServerConfig(sniName string, port uint16) (c ipn.WebServerConfigView, ok bool) {
+	key := ipn.HostPort(fmt.Sprintf("%s:%v", sniName, port))

 	b.mu.Lock()
 	defer b.mu.Unlock()
--- a/ipn/ipnlocal/serve_test.go
+++ b/ipn/ipnlocal/serve_test.go
@@ -10,22 +10,12 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
-	"net/netip"
 	"net/url"
 	"os"
 	"path/filepath"
-	"strings"
 	"testing"

 	"tailscale.com/ipn"
-	"tailscale.com/ipn/store/mem"
-	"tailscale.com/tailcfg"
-	"tailscale.com/tsd"
-	"tailscale.com/types/logid"
-	"tailscale.com/types/netmap"
-	"tailscale.com/util/cmpx"
-	"tailscale.com/util/must"
-	"tailscale.com/wgengine"
 )

 func TestExpandProxyArg(t *testing.T) {
@@ -150,7 +140,10 @@ func TestGetServeHandler(t *testing.T) {
 				},
 				TLS: &tls.ConnectionState{ServerName: serverName},
 			}
-			port := cmpx.Or(tt.port, 443)
+			port := tt.port
+			if port == 0 {
+				port = 443
+			}
 			req = req.WithContext(context.WithValue(req.Context(), serveHTTPContextKey{}, &serveHTTPContext{
 				DestPort: port,
 			}))
@@ -169,142 +162,6 @@ func TestGetServeHandler(t *testing.T) {
 	}
 }

-func TestServeHTTPProxy(t *testing.T) {
-	sys := &tsd.System{}
-	e, err := wgengine.NewUserspaceEngine(t.Logf, wgengine.Config{SetSubsystem: sys.Set})
-	if err != nil {
-		t.Fatal(err)
-	}
-	sys.Set(e)
-	sys.Set(new(mem.Store))
-	b, err := NewLocalBackend(t.Logf, logid.PublicID{}, sys, 0)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer b.Shutdown()
-	dir := t.TempDir()
-	b.SetVarRoot(dir)
-
-	pm := must.Get(newProfileManager(new(mem.Store), t.Logf))
-	pm.currentProfile = &ipn.LoginProfile{ID: "id0"}
-	b.pm = pm
-
-	b.netMap = &netmap.NetworkMap{
-		SelfNode: &tailcfg.Node{
-			Name: "example.ts.net",
-		},
-		UserProfiles: map[tailcfg.UserID]tailcfg.UserProfile{
-			tailcfg.UserID(1): {
-				LoginName:   "someone@example.com",
-				DisplayName: "Some One",
-			},
-		},
-	}
-	b.nodeByAddr = map[netip.Addr]*tailcfg.Node{
-		netip.MustParseAddr("100.150.151.152"): {
-			ComputedName: "some-peer",
-			User:         tailcfg.UserID(1),
-		},
-		netip.MustParseAddr("100.150.151.153"): {
-			ComputedName: "some-tagged-peer",
-			Tags:         []string{"tag:server", "tag:test"},
-			User:         tailcfg.UserID(1),
-		},
-	}
-
-	// Start test serve endpoint.
-	testServ := httptest.NewServer(http.HandlerFunc(
-		func(w http.ResponseWriter, r *http.Request) {
-			// Piping all the headers through the response writer
-			// so we can check their values in tests below.
-			for key, val := range r.Header {
-				w.Header().Add(key, strings.Join(val, ","))
-			}
-		},
-	))
-	defer testServ.Close()
-
-	conf := &ipn.ServeConfig{
-		Web: map[ipn.HostPort]*ipn.WebServerConfig{
-			"example.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-				"/": {Proxy: testServ.URL},
-			}},
-		},
-	}
-	if err := b.SetServeConfig(conf); err != nil {
-		t.Fatal(err)
-	}
-
-	type headerCheck struct {
-		header string
-		want   string
-	}
-
-	tests := []struct {
-		name        string
-		srcIP       string
-		wantHeaders []headerCheck
-	}{
-		{
-			name:  "request-from-user-within-tailnet",
-			srcIP: "100.150.151.152",
-			wantHeaders: []headerCheck{
-				{"X-Forwarded-Proto", "https"},
-				{"X-Forwarded-For", "100.150.151.152"},
-				{"Tailscale-User-Login", "someone@example.com"},
-				{"Tailscale-User-Name", "Some One"},
-				{"Tailscale-Headers-Info", "https://tailscale.com/s/serve-headers"},
-			},
-		},
-		{
-			name:  "request-from-tagged-node-within-tailnet",
-			srcIP: "100.150.151.153",
-			wantHeaders: []headerCheck{
-				{"X-Forwarded-Proto", "https"},
-				{"X-Forwarded-For", "100.150.151.153"},
-				{"Tailscale-User-Login", ""},
-				{"Tailscale-User-Name", ""},
-				{"Tailscale-Headers-Info", ""},
-			},
-		},
-		{
-			name:  "request-from-outside-tailnet",
-			srcIP: "100.160.161.162",
-			wantHeaders: []headerCheck{
-				{"X-Forwarded-Proto", "https"},
-				{"X-Forwarded-For", "100.160.161.162"},
-				{"Tailscale-User-Login", ""},
-				{"Tailscale-User-Name", ""},
-				{"Tailscale-Headers-Info", ""},
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			req := &http.Request{
-				URL: &url.URL{Path: "/"},
-				TLS: &tls.ConnectionState{ServerName: "example.ts.net"},
-			}
-			req = req.WithContext(context.WithValue(req.Context(), serveHTTPContextKey{}, &serveHTTPContext{
-				DestPort: 443,
-				SrcAddr:  netip.MustParseAddrPort(tt.srcIP + ":1234"), // random src port for tests
-			}))
-
-			w := httptest.NewRecorder()
-			b.serveWebHandler(w, req)
-
-			// Verify the headers.
-			h := w.Result().Header
-			for _, c := range tt.wantHeaders {
-				if got := h.Get(c.header); got != c.want {
-					t.Errorf("invalid %q header; want=%q, got=%q", c.header, c.want, got)
-				}
-			}
-		})
-	}
-}
-
 func TestServeFileOrDirectory(t *testing.T) {
 	td := t.TempDir()
 	writeFile := func(suffix, contents string) {
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -121,11 +121,6 @@ type NetworkLockStatus struct {
 	// (i.e. no connectivity) because they failed tailnet lock
 	// checks.
 	FilteredPeers []*TKAFilteredPeer
-
-	// StateID is a nonce associated with the network lock authority,
-	// generated upon enablement. This field is not populated if the
-	// network lock is disabled.
-	StateID uint64
 }

 // NetworkLockUpdate describes a change to network-lock state.
@@ -588,8 +583,6 @@ func osEmoji(os string) string {
 		return "🖥️"
 	case "iOS":
 		return "📱"
-	case "tvOS":
-		return "🍎📺"
 	case "android":
 		return "🤖"
 	case "freebsd":
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -104,7 +104,6 @@ var handler = map[string]localAPIHandler{
 	"tka/force-local-disable":     (*Handler).serveTKALocalDisable,
 	"tka/affected-sigs":           (*Handler).serveTKAAffectedSigs,
 	"tka/wrap-preauth-key":        (*Handler).serveTKAWrapPreauthKey,
-	"tka/verify-deeplink":         (*Handler).serveTKAVerifySigningDeeplink,
 	"upload-client-metrics":       (*Handler).serveUploadClientMetrics,
 	"watch-ipn-bus":               (*Handler).serveWatchIPNBus,
 	"whois":                       (*Handler).serveWhoIs,
@@ -931,8 +930,8 @@ func InUseOtherUserIPNStream(w http.ResponseWriter, r *http.Request, err error)
 }

 func (h *Handler) serveWatchIPNBus(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitRead {
-		http.Error(w, "watch ipn bus access denied", http.StatusForbidden)
+	if !h.PermitWrite {
+		http.Error(w, "denied", http.StatusForbidden)
 		return
 	}
 	f, ok := w.(http.Flusher)
@@ -1611,35 +1610,6 @@ func (h *Handler) serveTKAWrapPreauthKey(w http.ResponseWriter, r *http.Request)
 	w.Write([]byte(wrappedKey))
 }

-func (h *Handler) serveTKAVerifySigningDeeplink(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitRead {
-		http.Error(w, "signing deeplink verification access denied", http.StatusForbidden)
-		return
-	}
-	if r.Method != httpm.POST {
-		http.Error(w, "use POST", http.StatusMethodNotAllowed)
-		return
-	}
-
-	type verifyRequest struct {
-		URL string
-	}
-	var req verifyRequest
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		http.Error(w, "invalid JSON for verifyRequest body", 400)
-		return
-	}
-
-	res := h.b.NetworkLockVerifySigningDeeplink(req.URL)
-	j, err := json.MarshalIndent(res, "", "\t")
-	if err != nil {
-		http.Error(w, "JSON encoding error", 500)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	w.Write(j)
-}
-
 func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite {
 		http.Error(w, "network-lock modify access denied", http.StatusForbidden)
--- a/ipn/serve.go
+++ b/ipn/serve.go
@@ -76,12 +76,6 @@ type TCPPortHandler struct {
 	// It is mutually exclusive with TCPForward.
 	HTTPS bool `json:",omitempty"`

-	// HTTP, if true, means that tailscaled should handle this connection as an
-	// HTTP request as configured by ServeConfig.Web.
-	//
-	// It is mutually exclusive with TCPForward.
-	HTTP bool `json:",omitempty"`
-
 	// TCPForward is the IP:port to forward TCP connections to.
 	// Whether or not TLS is terminated by tailscaled depends on
 	// TerminateTLS.
@@ -109,7 +103,7 @@ type HTTPHandler struct {
 	// temporary ones? Error codes? Redirects?
 }

-// WebHandlerExists reports whether if the ServeConfig Web handler exists for
+// WebHandlerExists checks if the ServeConfig Web handler exists for
 // the given host:port and mount point.
 func (sc *ServeConfig) WebHandlerExists(hp HostPort, mount string) bool {
 	h := sc.GetWebHandler(hp, mount)
@@ -134,8 +128,9 @@ func (sc *ServeConfig) GetTCPPortHandler(port uint16) *TCPPortHandler {
 	return sc.TCP[port]
 }

-// IsTCPForwardingAny reports whether ServeConfig is currently forwarding in
-// TCPForward mode on any port. This is exclusive of Web/HTTPS serving.
+// IsTCPForwardingAny checks if ServeConfig is currently forwarding
+// in TCPForward mode on any port.
+// This is exclusive of Web/HTTPS serving.
 func (sc *ServeConfig) IsTCPForwardingAny() bool {
 	if sc == nil || len(sc.TCP) == 0 {
 		return false
@@ -148,47 +143,34 @@ func (sc *ServeConfig) IsTCPForwardingAny() bool {
 	return false
 }

-// IsTCPForwardingOnPort reports whether if ServeConfig is currently forwarding
-// in TCPForward mode on the given port. This is exclusive of Web/HTTPS serving.
+// IsTCPForwardingOnPort checks if ServeConfig is currently forwarding
+// in TCPForward mode on the given port.
+// This is exclusive of Web/HTTPS serving.
 func (sc *ServeConfig) IsTCPForwardingOnPort(port uint16) bool {
 	if sc == nil || sc.TCP[port] == nil {
 		return false
 	}
-	return !sc.IsServingWeb(port)
+	return !sc.TCP[port].HTTPS
 }

-// IsServingWeb reports whether if ServeConfig is currently serving Web
-// (HTTP/HTTPS) on the given port. This is exclusive of TCPForwarding.
+// IsServingWeb checks if ServeConfig is currently serving
+// Web/HTTPS on the given port.
+// This is exclusive of TCPForwarding.
 func (sc *ServeConfig) IsServingWeb(port uint16) bool {
-	return sc.IsServingHTTP(port) || sc.IsServingHTTPS(port)
-}
-
-// IsServingHTTPS reports whether if ServeConfig is currently serving HTTPS on
-// the given port. This is exclusive of HTTP and TCPForwarding.
-func (sc *ServeConfig) IsServingHTTPS(port uint16) bool {
 	if sc == nil || sc.TCP[port] == nil {
 		return false
 	}
 	return sc.TCP[port].HTTPS
 }

-// IsServingHTTP reports whether if ServeConfig is currently serving HTTP on the
-// given port. This is exclusive of HTTPS and TCPForwarding.
-func (sc *ServeConfig) IsServingHTTP(port uint16) bool {
-	if sc == nil || sc.TCP[port] == nil {
-		return false
-	}
-	return sc.TCP[port].HTTP
-}
-
-// IsFunnelOn reports whether if ServeConfig is currently allowing funnel
-// traffic for any host:port.
+// IsFunnelOn checks if ServeConfig is currently allowing
+// funnel traffic for any host:port.
 //
 // View version of ServeConfig.IsFunnelOn.
 func (v ServeConfigView) IsFunnelOn() bool { return v.ж.IsFunnelOn() }

-// IsFunnelOn reports whether if ServeConfig is currently allowing funnel
-// traffic for any host:port.
+// IsFunnelOn checks if ServeConfig is currently allowing
+// funnel traffic for any host:port.
 func (sc *ServeConfig) IsFunnelOn() bool {
 	if sc == nil {
 		return false
--- a/licenses/android.md
+++ b/licenses/android.md
@@ -73,10 +73,10 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
 - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47ecfdc1:LICENSE))
 - [golang.org/x/exp/shiny](https://pkg.go.dev/golang.org/x/exp/shiny) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/334a2380:shiny/LICENSE))
 - [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.7.0:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.10.0:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.9.0:LICENSE))
 - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.2.0:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/5059a07a:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.8.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.8.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.7.0:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.9.0:LICENSE))
 - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE))
 - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/7b0a1988a28f/LICENSE))
--- a/licenses/apple.md
+++ b/licenses/apple.md
@@ -58,13 +58,13 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/f1b76eb4bb35/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.10.0:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.8.0:LICENSE))
 - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47ecfdc1:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://github.com/tailscale/golang-x-net/blob/dd4570e13977/LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.9.0:LICENSE))
 - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.2.0:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.9.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.9.0:LICENSE))
- - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.10.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.8.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.7.0:LICENSE))
+ - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.9.0:LICENSE))
 - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE))
 - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/7b0a1988a28f/LICENSE))
 - [inet.af/peercred](https://pkg.go.dev/inet.af/peercred) ([BSD-3-Clause](https://github.com/inetaf/peercred/blob/0893ea02156a/LICENSE))
--- a/licenses/tailscale.md
+++ b/licenses/tailscale.md
@@ -81,11 +81,11 @@ Some packages may only be included on certain architectures or operating systems
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/f1b76eb4bb35/LICENSE))
 - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.8.0:LICENSE))
 - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47ecfdc1:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.10.0:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.9.0:LICENSE))
 - [golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2) ([BSD-3-Clause](https://cs.opensource.google/go/x/oauth2/+/v0.7.0:LICENSE))
 - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.2.0:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/5059a07a:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.8.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.8.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.7.0:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.9.0:LICENSE))
 - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE))
 - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=0fa3db229ce2))
@@ -94,7 +94,7 @@ Some packages may only be included on certain architectures or operating systems
 - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/7b0a1988a28f/LICENSE))
 - [inet.af/peercred](https://pkg.go.dev/inet.af/peercred) ([BSD-3-Clause](https://github.com/inetaf/peercred/blob/0893ea02156a/LICENSE))
 - [inet.af/wf](https://pkg.go.dev/inet.af/wf) ([BSD-3-Clause](https://github.com/inetaf/wf/blob/36129f591884/LICENSE))
- - [k8s.io/client-go/util/homedir](https://pkg.go.dev/k8s.io/client-go/util/homedir) ([Apache-2.0](https://github.com/kubernetes/client-go/blob/v0.27.2/LICENSE))
+ - [k8s.io/client-go/util/homedir](https://pkg.go.dev/k8s.io/client-go/util/homedir) ([Apache-2.0](https://github.com/kubernetes/client-go/blob/v0.26.1/LICENSE))
 - [nhooyr.io/websocket](https://pkg.go.dev/nhooyr.io/websocket) ([MIT](https://github.com/nhooyr/websocket/blob/v1.8.7/LICENSE.txt))
 - [sigs.k8s.io/yaml](https://pkg.go.dev/sigs.k8s.io/yaml) ([MIT](https://github.com/kubernetes-sigs/yaml/blob/v1.3.0/LICENSE))
 - [software.sslmate.com/src/go-pkcs12](https://pkg.go.dev/software.sslmate.com/src/go-pkcs12) ([BSD-3-Clause](https://github.com/SSLMate/go-pkcs12/blob/v0.2.0/LICENSE))
--- a/licenses/windows.md
+++ b/licenses/windows.md
@@ -38,15 +38,15 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/f1b76eb4bb35/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.10.0:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.8.0:LICENSE))
 - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47ecfdc1:LICENSE))
 - [golang.org/x/image/bmp](https://pkg.go.dev/golang.org/x/image/bmp) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.7.0:LICENSE))
 - [golang.org/x/mod](https://pkg.go.dev/golang.org/x/mod) ([BSD-3-Clause](https://cs.opensource.google/go/x/mod/+/v0.10.0:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://github.com/tailscale/golang-x-net/blob/dd4570e13977/LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.9.0:LICENSE))
 - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.2.0:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.9.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.9.0:LICENSE))
- - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.10.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.8.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.7.0:LICENSE))
+ - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.9.0:LICENSE))
 - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=0fa3db229ce2))
 - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.5.3))
 - [gopkg.in/Knetic/govaluate.v3](https://pkg.go.dev/gopkg.in/Knetic/govaluate.v3) ([MIT](https://github.com/Knetic/govaluate/blob/v3.0.0/LICENSE))
--- a/logtail/filch/filch_wasm.go
+++ b/logtail/filch/filch_wasm.go
--- a/logtail/filch/filch_unix.go
+++ b/logtail/filch/filch_unix.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-//go:build !windows && !wasm
+//go:build !windows && !js

 package filch

--- a/net/dns/recursive/recursive.go
+++ b/net/dns/recursive/recursive.go
@@ -1,636 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package recursive implements a simple recursive DNS resolver.
-package recursive
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-	"strings"
-	"time"
-
-	"github.com/miekg/dns"
-	"golang.org/x/exp/constraints"
-	"golang.org/x/exp/slices"
-	"tailscale.com/envknob"
-	"tailscale.com/net/netns"
-	"tailscale.com/types/logger"
-	"tailscale.com/util/dnsname"
-	"tailscale.com/util/mak"
-	"tailscale.com/util/multierr"
-	"tailscale.com/util/slicesx"
-)
-
-const (
-	// maxDepth is how deep from the root nameservers we'll recurse when
-	// resolving; passing this limit will instead return an error.
-	//
-	// maxDepth must be at least 20 to resolve "console.aws.amazon.com",
-	// which is a domain with a moderately complicated DNS setup. The
-	// current value of 30 was chosen semi-arbitrarily to ensure that we
-	// have about 50% headroom.
-	maxDepth = 30
-	// numStartingServers is the number of root nameservers that we use as
-	// initial candidates for our recursion.
-	numStartingServers = 3
-	// udpQueryTimeout is the amount of time we wait for a UDP response
-	// from a nameserver before falling back to a TCP connection.
-	udpQueryTimeout = 5 * time.Second
-
-	// These constants aren't typed in the DNS package, so we create typed
-	// versions here to avoid having to do repeated type casts.
-	qtypeA    dns.Type = dns.Type(dns.TypeA)
-	qtypeAAAA dns.Type = dns.Type(dns.TypeAAAA)
-)
-
-var (
-	// ErrMaxDepth is returned when recursive resolving exceeds the maximum
-	// depth limit for this package.
-	ErrMaxDepth = fmt.Errorf("exceeded max depth %d when resolving", maxDepth)
-
-	// ErrAuthoritativeNoResponses is the error returned when an
-	// authoritative nameserver indicates that there are no responses to
-	// the given query.
-	ErrAuthoritativeNoResponses = errors.New("authoritative server returned no responses")
-
-	// ErrNoResponses is returned when our resolution process completes
-	// with no valid responses from any nameserver, but no authoritative
-	// server explicitly returned NXDOMAIN.
-	ErrNoResponses = errors.New("no responses to query")
-)
-
-var rootServersV4 = []netip.Addr{
-	netip.MustParseAddr("198.41.0.4"),     // a.root-servers.net
-	netip.MustParseAddr("199.9.14.201"),   // b.root-servers.net
-	netip.MustParseAddr("192.33.4.12"),    // c.root-servers.net
-	netip.MustParseAddr("199.7.91.13"),    // d.root-servers.net
-	netip.MustParseAddr("192.203.230.10"), // e.root-servers.net
-	netip.MustParseAddr("192.5.5.241"),    // f.root-servers.net
-	netip.MustParseAddr("192.112.36.4"),   // g.root-servers.net
-	netip.MustParseAddr("198.97.190.53"),  // h.root-servers.net
-	netip.MustParseAddr("192.36.148.17"),  // i.root-servers.net
-	netip.MustParseAddr("192.58.128.30"),  // j.root-servers.net
-	netip.MustParseAddr("193.0.14.129"),   // k.root-servers.net
-	netip.MustParseAddr("199.7.83.42"),    // l.root-servers.net
-	netip.MustParseAddr("202.12.27.33"),   // m.root-servers.net
-}
-
-var rootServersV6 = []netip.Addr{
-	netip.MustParseAddr("2001:503:ba3e::2:30"), // a.root-servers.net
-	netip.MustParseAddr("2001:500:200::b"),     // b.root-servers.net
-	netip.MustParseAddr("2001:500:2::c"),       // c.root-servers.net
-	netip.MustParseAddr("2001:500:2d::d"),      // d.root-servers.net
-	netip.MustParseAddr("2001:500:a8::e"),      // e.root-servers.net
-	netip.MustParseAddr("2001:500:2f::f"),      // f.root-servers.net
-	netip.MustParseAddr("2001:500:12::d0d"),    // g.root-servers.net
-	netip.MustParseAddr("2001:500:1::53"),      // h.root-servers.net
-	netip.MustParseAddr("2001:7fe::53"),        // i.root-servers.net
-	netip.MustParseAddr("2001:503:c27::2:30"),  // j.root-servers.net
-	netip.MustParseAddr("2001:7fd::1"),         // k.root-servers.net
-	netip.MustParseAddr("2001:500:9f::42"),     // l.root-servers.net
-	netip.MustParseAddr("2001:dc3::35"),        // m.root-servers.net
-}
-
-var debug = envknob.RegisterBool("TS_DEBUG_RECURSIVE_DNS")
-
-// Resolver is a recursive DNS resolver that is designed for looking up A and AAAA records.
-type Resolver struct {
-	// Dialer is used to create outbound connections. If nil, a zero
-	// net.Dialer will be used instead.
-	Dialer netns.Dialer
-
-	// Logf is the logging function to use; if none is specified, then logs
-	// will be dropped.
-	Logf logger.Logf
-
-	// NoIPv6, if set, will prevent this package from querying for AAAA
-	// records and will avoid contacting nameservers over IPv6.
-	NoIPv6 bool
-
-	// Test mocks
-	testQueryHook    func(name dnsname.FQDN, nameserver netip.Addr, protocol string, qtype dns.Type) (*dns.Msg, error)
-	testExchangeHook func(nameserver netip.Addr, network string, msg *dns.Msg) (*dns.Msg, error)
-	rootServers      []netip.Addr
-	timeNow          func() time.Time
-
-	// Caching
-	// NOTE(andrew): if we make resolution parallel, this needs a mutex
-	queryCache map[dnsQuery]dnsMsgWithExpiry
-
-	// Possible future additions:
-	//    - Additional nameservers? From the system maybe?
-	//    - NoIPv4 for IPv4
-	//    - DNS-over-HTTPS or DNS-over-TLS support
-}
-
-// queryState stores all state during the course of a single query
-type queryState struct {
-	// rootServers are the root nameservers to start from
-	rootServers []netip.Addr
-
-	// TODO: metrics?
-}
-
-type dnsQuery struct {
-	nameserver netip.Addr
-	name       dnsname.FQDN
-	qtype      dns.Type
-}
-
-func (q dnsQuery) String() string {
-	return fmt.Sprintf("dnsQuery{nameserver:%q,name:%q,qtype:%v}", q.nameserver.String(), q.name, q.qtype)
-}
-
-type dnsMsgWithExpiry struct {
-	*dns.Msg
-	expiresAt time.Time
-}
-
-func (r *Resolver) now() time.Time {
-	if r.timeNow != nil {
-		return r.timeNow()
-	}
-	return time.Now()
-}
-
-func (r *Resolver) logf(format string, args ...any) {
-	if r.Logf == nil {
-		return
-	}
-	r.Logf(format, args...)
-}
-
-func (r *Resolver) dlogf(format string, args ...any) {
-	if r.Logf == nil || !debug() {
-		return
-	}
-	r.Logf(format, args...)
-}
-
-func (r *Resolver) depthlogf(depth int, format string, args ...any) {
-	if r.Logf == nil || !debug() {
-		return
-	}
-	prefix := fmt.Sprintf("[%d] %s", depth, strings.Repeat("  ", depth))
-	r.Logf(prefix+format, args...)
-}
-
-var defaultDialer net.Dialer
-
-func (r *Resolver) dialer() netns.Dialer {
-	if r.Dialer != nil {
-		return r.Dialer
-	}
-
-	return &defaultDialer
-}
-
-func (r *Resolver) newState() *queryState {
-	var rootServers []netip.Addr
-	if len(r.rootServers) > 0 {
-		rootServers = r.rootServers
-	} else {
-		// Select a random subset of root nameservers to start from, since if
-		// we don't get responses from those, something else has probably gone
-		// horribly wrong.
-		roots4 := slices.Clone(rootServersV4)
-		slicesx.Shuffle(roots4)
-		roots4 = roots4[:numStartingServers]
-
-		var roots6 []netip.Addr
-		if !r.NoIPv6 {
-			roots6 = slices.Clone(rootServersV6)
-			slicesx.Shuffle(roots6)
-			roots6 = roots6[:numStartingServers]
-		}
-
-		// Interleave the root servers so that we try to contact them over
-		// IPv4, then IPv6, IPv4, IPv6, etc.
-		rootServers = slicesx.Interleave(roots4, roots6)
-	}
-
-	return &queryState{
-		rootServers: rootServers,
-	}
-}
-
-// Resolve will perform a recursive DNS resolution for the provided name,
-// starting at a randomly-chosen root DNS server, and return the A and AAAA
-// responses as a slice of netip.Addrs along with the minimum TTL for the
-// returned records.
-func (r *Resolver) Resolve(ctx context.Context, name string) (addrs []netip.Addr, minTTL time.Duration, err error) {
-	dnsName, err := dnsname.ToFQDN(name)
-	if err != nil {
-		return nil, 0, err
-	}
-
-	qstate := r.newState()
-
-	r.logf("querying IPv4 addresses for: %q", name)
-	addrs4, minTTL4, err4 := r.resolveRecursiveFromRoot(ctx, qstate, 0, dnsName, qtypeA)
-
-	var (
-		addrs6  []netip.Addr
-		minTTL6 time.Duration
-		err6    error
-	)
-	if !r.NoIPv6 {
-		r.logf("querying IPv6 addresses for: %q", name)
-		addrs6, minTTL6, err6 = r.resolveRecursiveFromRoot(ctx, qstate, 0, dnsName, qtypeAAAA)
-	}
-
-	if err4 != nil && err6 != nil {
-		if err4 == err6 {
-			return nil, 0, err4
-		}
-
-		return nil, 0, multierr.New(err4, err6)
-	}
-	if err4 != nil {
-		return addrs6, minTTL6, nil
-	} else if err6 != nil {
-		return addrs4, minTTL4, nil
-	}
-
-	minTTL = minTTL4
-	if minTTL6 < minTTL {
-		minTTL = minTTL6
-	}
-
-	addrs = append(addrs4, addrs6...)
-	if len(addrs) == 0 {
-		return nil, 0, ErrNoResponses
-	}
-
-	slicesx.Shuffle(addrs)
-	return addrs, minTTL, nil
-}
-
-func (r *Resolver) resolveRecursiveFromRoot(
-	ctx context.Context,
-	qstate *queryState,
-	depth int,
-	name dnsname.FQDN, // what we're querying
-	qtype dns.Type,
-) ([]netip.Addr, time.Duration, error) {
-	r.depthlogf(depth, "resolving %q from root (type: %v)", name, qtype)
-
-	var depthError bool
-	for _, server := range qstate.rootServers {
-		addrs, minTTL, err := r.resolveRecursive(ctx, qstate, depth, name, server, qtype)
-		if err == nil {
-			return addrs, minTTL, err
-		} else if errors.Is(err, ErrAuthoritativeNoResponses) {
-			return nil, 0, ErrAuthoritativeNoResponses
-		} else if errors.Is(err, ErrMaxDepth) {
-			depthError = true
-		}
-	}
-
-	if depthError {
-		return nil, 0, ErrMaxDepth
-	}
-	return nil, 0, ErrNoResponses
-}
-
-func (r *Resolver) resolveRecursive(
-	ctx context.Context,
-	qstate *queryState,
-	depth int,
-	name dnsname.FQDN, // what we're querying
-	nameserver netip.Addr,
-	qtype dns.Type,
-) ([]netip.Addr, time.Duration, error) {
-	if depth == maxDepth {
-		r.depthlogf(depth, "not recursing past maximum depth")
-		return nil, 0, ErrMaxDepth
-	}
-
-	// Ask this nameserver for an answer.
-	resp, err := r.queryNameserver(ctx, depth, name, nameserver, qtype)
-	if err != nil {
-		return nil, 0, err
-	}
-
-	// If we get an actual answer from the nameserver, then return it.
-	var (
-		answers []netip.Addr
-		cnames  []dnsname.FQDN
-		minTTL  = 24 * 60 * 60 // 24 hours in seconds
-	)
-	for _, answer := range resp.Answer {
-		if crec, ok := answer.(*dns.CNAME); ok {
-			cnameFQDN, err := dnsname.ToFQDN(crec.Target)
-			if err != nil {
-				r.logf("bad CNAME %q returned: %v", crec.Target, err)
-				continue
-			}
-
-			cnames = append(cnames, cnameFQDN)
-			continue
-		}
-
-		addr := addrFromRecord(answer)
-		if !addr.IsValid() {
-			r.logf("[unexpected] invalid record in %T answer", answer)
-		} else if addr.Is4() && qtype != qtypeA {
-			r.logf("[unexpected] got IPv4 answer but qtype=%v", qtype)
-		} else if addr.Is6() && qtype != qtypeAAAA {
-			r.logf("[unexpected] got IPv6 answer but qtype=%v", qtype)
-		} else {
-			answers = append(answers, addr)
-			minTTL = min(minTTL, int(answer.Header().Ttl))
-		}
-	}
-
-	if len(answers) > 0 {
-		r.depthlogf(depth, "got answers for %q: %v", name, answers)
-		return answers, time.Duration(minTTL) * time.Second, nil
-	}
-
-	r.depthlogf(depth, "no answers for %q", name)
-
-	// If we have a non-zero number of CNAMEs, then try resolving those
-	// (from the root again) and return the first one that succeeds.
-	//
-	// TODO: return the union of all responses?
-	// TODO: parallelism?
-	if len(cnames) > 0 {
-		r.depthlogf(depth, "got CNAME responses for %q: %v", name, cnames)
-	}
-	var cnameDepthError bool
-	for _, cname := range cnames {
-		answers, minTTL, err := r.resolveRecursiveFromRoot(ctx, qstate, depth+1, cname, qtype)
-		if err == nil {
-			return answers, minTTL, nil
-		} else if errors.Is(err, ErrAuthoritativeNoResponses) {
-			return nil, 0, ErrAuthoritativeNoResponses
-		} else if errors.Is(err, ErrMaxDepth) {
-			cnameDepthError = true
-		}
-	}
-
-	// If this is an authoritative response, then we know that continuing
-	// to look further is not going to result in any answers and we should
-	// bail out.
-	if resp.MsgHdr.Authoritative {
-		// If we failed to recurse into a CNAME due to a depth limit,
-		// propagate that here.
-		if cnameDepthError {
-			return nil, 0, ErrMaxDepth
-		}
-
-		r.depthlogf(depth, "got authoritative response with no answers; stopping")
-		return nil, 0, ErrAuthoritativeNoResponses
-	}
-
-	r.depthlogf(depth, "got %d NS responses and %d ADDITIONAL responses for %q", len(resp.Ns), len(resp.Extra), name)
-
-	// No CNAMEs and no answers; see if we got any AUTHORITY responses,
-	// which indicate which nameservers to query next.
-	var authorities []dnsname.FQDN
-	for _, rr := range resp.Ns {
-		ns, ok := rr.(*dns.NS)
-		if !ok {
-			continue
-		}
-
-		nsName, err := dnsname.ToFQDN(ns.Ns)
-		if err != nil {
-			r.logf("unexpected bad NS name %q: %v", ns.Ns, err)
-			continue
-		}
-
-		authorities = append(authorities, nsName)
-	}
-
-	// Also check for "glue" records, which are IP addresses provided by
-	// the DNS server for authority responses; these are required when the
-	// authority server is a subdomain of what's being resolved.
-	glueRecords := make(map[dnsname.FQDN][]netip.Addr)
-	for _, rr := range resp.Extra {
-		name, err := dnsname.ToFQDN(rr.Header().Name)
-		if err != nil {
-			r.logf("unexpected bad Name %q in Extra addr: %v", rr.Header().Name, err)
-			continue
-		}
-
-		if addr := addrFromRecord(rr); addr.IsValid() {
-			glueRecords[name] = append(glueRecords[name], addr)
-		} else {
-			r.logf("unexpected bad Extra %T addr", rr)
-		}
-	}
-
-	// Try authorities with glue records first, to minimize the number of
-	// additional DNS queries that we need to make.
-	authoritiesGlue, authoritiesNoGlue := slicesx.Partition(authorities, func(aa dnsname.FQDN) bool {
-		return len(glueRecords[aa]) > 0
-	})
-
-	authorityDepthError := false
-
-	r.depthlogf(depth, "authorities with glue records for recursion: %v", authoritiesGlue)
-	for _, authority := range authoritiesGlue {
-		for _, nameserver := range glueRecords[authority] {
-			answers, minTTL, err := r.resolveRecursive(ctx, qstate, depth+1, name, nameserver, qtype)
-			if err == nil {
-				return answers, minTTL, nil
-			} else if errors.Is(err, ErrAuthoritativeNoResponses) {
-				return nil, 0, ErrAuthoritativeNoResponses
-			} else if errors.Is(err, ErrMaxDepth) {
-				authorityDepthError = true
-			}
-		}
-	}
-
-	r.depthlogf(depth, "authorities with no glue records for recursion: %v", authoritiesNoGlue)
-	for _, authority := range authoritiesNoGlue {
-		// First, resolve the IP for the authority server from the
-		// root, querying for both IPv4 and IPv6 addresses regardless
-		// of what the current question type is.
-		//
-		// TODO: check for infinite recursion; it'll get caught by our
-		// recursion depth, but we want to bail early.
-		for _, authorityQtype := range []dns.Type{qtypeAAAA, qtypeA} {
-			answers, _, err := r.resolveRecursiveFromRoot(ctx, qstate, depth+1, authority, authorityQtype)
-			if err != nil {
-				r.depthlogf(depth, "error querying authority %q: %v", authority, err)
-				continue
-			}
-			r.depthlogf(depth, "resolved authority %q (type %v) to: %v", authority, authorityQtype, answers)
-
-			// Now, query this authority for the final address.
-			for _, nameserver := range answers {
-				answers, minTTL, err := r.resolveRecursive(ctx, qstate, depth+1, name, nameserver, qtype)
-				if err == nil {
-					return answers, minTTL, nil
-				} else if errors.Is(err, ErrAuthoritativeNoResponses) {
-					return nil, 0, ErrAuthoritativeNoResponses
-				} else if errors.Is(err, ErrMaxDepth) {
-					authorityDepthError = true
-				}
-			}
-		}
-	}
-
-	if authorityDepthError {
-		return nil, 0, ErrMaxDepth
-	}
-	return nil, 0, ErrNoResponses
-}
-
-func min[T constraints.Ordered](a, b T) T {
-	if a < b {
-		return a
-	}
-	return b
-}
-
-// queryNameserver sends a query for "name" to the nameserver "nameserver" for
-// records of type "qtype", trying both UDP and TCP connections as
-// appropriate.
-func (r *Resolver) queryNameserver(
-	ctx context.Context,
-	depth int,
-	name dnsname.FQDN, // what we're querying
-	nameserver netip.Addr, // destination of query
-	qtype dns.Type,
-) (*dns.Msg, error) {
-	// TODO(andrew): we should QNAME minimisation here to avoid sending the
-	// full name to intermediate/root nameservers. See:
-	//    https://www.rfc-editor.org/rfc/rfc7816
-
-	// Handle the case where UDP is blocked by adding an explicit timeout
-	// for the UDP portion of this query.
-	udpCtx, udpCtxCancel := context.WithTimeout(ctx, udpQueryTimeout)
-	defer udpCtxCancel()
-
-	msg, err := r.queryNameserverProto(udpCtx, depth, name, nameserver, "udp", qtype)
-	if err == nil {
-		return msg, nil
-	}
-
-	msg, err2 := r.queryNameserverProto(ctx, depth, name, nameserver, "tcp", qtype)
-	if err2 == nil {
-		return msg, nil
-	}
-
-	return nil, multierr.New(err, err2)
-}
-
-// queryNameserverProto sends a query for "name" to the nameserver "nameserver"
-// for records of type "qtype" over the provided protocol (either "udp"
-// or "tcp"), and returns the DNS response or an error.
-func (r *Resolver) queryNameserverProto(
-	ctx context.Context,
-	depth int,
-	name dnsname.FQDN, // what we're querying
-	nameserver netip.Addr, // destination of query
-	protocol string,
-	qtype dns.Type,
-) (resp *dns.Msg, err error) {
-	if r.testQueryHook != nil {
-		return r.testQueryHook(name, nameserver, protocol, qtype)
-	}
-
-	now := r.now()
-	nameserverStr := nameserver.String()
-
-	cacheKey := dnsQuery{
-		nameserver: nameserver,
-		name:       name,
-		qtype:      qtype,
-	}
-	cacheEntry, ok := r.queryCache[cacheKey]
-	if ok && cacheEntry.expiresAt.Before(now) {
-		r.depthlogf(depth, "using cached response from %s about %q (type: %v)", nameserverStr, name, qtype)
-		return cacheEntry.Msg, nil
-	}
-
-	var network string
-	if nameserver.Is4() {
-		network = protocol + "4"
-	} else {
-		network = protocol + "6"
-	}
-
-	// Prepare a message asking for an appropriately-typed record
-	// for the name we're querying.
-	m := new(dns.Msg)
-	m.SetQuestion(name.WithTrailingDot(), uint16(qtype))
-
-	// Allow mocking out the network components with our exchange hook.
-	if r.testExchangeHook != nil {
-		resp, err = r.testExchangeHook(nameserver, network, m)
-	} else {
-		// Dial the current nameserver using our dialer.
-		var nconn net.Conn
-		nconn, err = r.dialer().DialContext(ctx, network, net.JoinHostPort(nameserverStr, "53"))
-		if err != nil {
-			return nil, err
-		}
-
-		var c dns.Client // TODO: share?
-		conn := &dns.Conn{
-			Conn:    nconn,
-			UDPSize: c.UDPSize,
-		}
-
-		// Send the DNS request to the current nameserver.
-		r.depthlogf(depth, "asking %s over %s about %q (type: %v)", nameserverStr, protocol, name, qtype)
-		resp, _, err = c.ExchangeWithConnContext(ctx, m, conn)
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	// If the message was truncated and we're using UDP, re-run with TCP.
-	if resp.MsgHdr.Truncated && protocol == "udp" {
-		r.depthlogf(depth, "response message truncated; re-running query with TCP")
-		resp, err = r.queryNameserverProto(ctx, depth, name, nameserver, "tcp", qtype)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	// Find minimum expiry for all records in this message.
-	var minTTL int
-	for _, rr := range resp.Answer {
-		minTTL = min(minTTL, int(rr.Header().Ttl))
-	}
-	for _, rr := range resp.Ns {
-		minTTL = min(minTTL, int(rr.Header().Ttl))
-	}
-	for _, rr := range resp.Extra {
-		minTTL = min(minTTL, int(rr.Header().Ttl))
-	}
-
-	mak.Set(&r.queryCache, cacheKey, dnsMsgWithExpiry{
-		Msg:       resp,
-		expiresAt: now.Add(time.Duration(minTTL) * time.Second),
-	})
-	return resp, nil
-}
-
-func addrFromRecord(rr dns.RR) netip.Addr {
-	switch v := rr.(type) {
-	case *dns.A:
-		ip, ok := netip.AddrFromSlice(v.A)
-		if !ok || !ip.Is4() {
-			return netip.Addr{}
-		}
-		return ip
-	case *dns.AAAA:
-		ip, ok := netip.AddrFromSlice(v.AAAA)
-		if !ok || !ip.Is6() {
-			return netip.Addr{}
-		}
-		return ip
-	}
-	return netip.Addr{}
-}
--- a/net/dns/recursive/recursive_test.go
+++ b/net/dns/recursive/recursive_test.go
@@ -1,741 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package recursive
-
-import (
-	"context"
-	"errors"
-	"flag"
-	"fmt"
-	"net"
-	"net/netip"
-	"reflect"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/miekg/dns"
-	"golang.org/x/exp/slices"
-	"tailscale.com/envknob"
-	"tailscale.com/tstest"
-)
-
-const testDomain = "tailscale.com"
-
-// Recursively resolving the AWS console requires being able to handle CNAMEs,
-// glue records, falling back from UDP to TCP for oversize queries, and more;
-// it's a great integration test for DNS resolution and they can handle the
-// traffic :)
-const complicatedTestDomain = "console.aws.amazon.com"
-
-var flagNetworkAccess = flag.Bool("enable-network-access", false, "run tests that need external network access")
-
-func init() {
-	envknob.Setenv("TS_DEBUG_RECURSIVE_DNS", "true")
-}
-
-func newResolver(tb testing.TB) *Resolver {
-	clock := &tstest.Clock{
-		Step: 50 * time.Millisecond,
-	}
-	return &Resolver{
-		Logf:    tb.Logf,
-		timeNow: clock.Now,
-	}
-}
-
-func TestResolve(t *testing.T) {
-	if !*flagNetworkAccess {
-		t.SkipNow()
-	}
-
-	ctx := context.Background()
-	r := newResolver(t)
-	addrs, minTTL, err := r.Resolve(ctx, testDomain)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	t.Logf("addrs: %+v", addrs)
-	t.Logf("minTTL: %v", minTTL)
-	if len(addrs) < 1 {
-		t.Fatalf("expected at least one address")
-	}
-
-	if minTTL <= 10*time.Second || minTTL >= 24*time.Hour {
-		t.Errorf("invalid minimum TTL: %v", minTTL)
-	}
-
-	var has4, has6 bool
-	for _, addr := range addrs {
-		has4 = has4 || addr.Is4()
-		has6 = has6 || addr.Is6()
-	}
-
-	if !has4 {
-		t.Errorf("expected at least one IPv4 address")
-	}
-	if !has6 {
-		t.Errorf("expected at least one IPv6 address")
-	}
-}
-
-func TestResolveComplicated(t *testing.T) {
-	if !*flagNetworkAccess {
-		t.SkipNow()
-	}
-
-	ctx := context.Background()
-	r := newResolver(t)
-	addrs, minTTL, err := r.Resolve(ctx, complicatedTestDomain)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	t.Logf("addrs: %+v", addrs)
-	t.Logf("minTTL: %v", minTTL)
-	if len(addrs) < 1 {
-		t.Fatalf("expected at least one address")
-	}
-
-	if minTTL <= 10*time.Second || minTTL >= 24*time.Hour {
-		t.Errorf("invalid minimum TTL: %v", minTTL)
-	}
-}
-
-func TestResolveNoIPv6(t *testing.T) {
-	if !*flagNetworkAccess {
-		t.SkipNow()
-	}
-
-	r := newResolver(t)
-	r.NoIPv6 = true
-
-	addrs, _, err := r.Resolve(context.Background(), testDomain)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	t.Logf("addrs: %+v", addrs)
-	if len(addrs) < 1 {
-		t.Fatalf("expected at least one address")
-	}
-
-	for _, addr := range addrs {
-		if addr.Is6() {
-			t.Errorf("got unexpected IPv6 address: %v", addr)
-		}
-	}
-}
-
-func TestResolveFallbackToTCP(t *testing.T) {
-	var udpCalls, tcpCalls int
-	hook := func(nameserver netip.Addr, network string, req *dns.Msg) (*dns.Msg, error) {
-		if strings.HasPrefix(network, "udp") {
-			t.Logf("got %q query; returning truncated result", network)
-			udpCalls++
-			resp := &dns.Msg{}
-			resp.SetReply(req)
-			resp.Truncated = true
-			return resp, nil
-		}
-
-		t.Logf("got %q query; returning real result", network)
-		tcpCalls++
-		resp := &dns.Msg{}
-		resp.SetReply(req)
-		resp.Answer = append(resp.Answer, &dns.A{
-			Hdr: dns.RR_Header{
-				Name:   req.Question[0].Name,
-				Rrtype: req.Question[0].Qtype,
-				Class:  dns.ClassINET,
-				Ttl:    300,
-			},
-			A: net.IPv4(1, 2, 3, 4),
-		})
-		return resp, nil
-	}
-
-	r := newResolver(t)
-	r.testExchangeHook = hook
-
-	ctx := context.Background()
-	resp, err := r.queryNameserverProto(ctx, 0, "tailscale.com", netip.MustParseAddr("9.9.9.9"), "udp", dns.Type(dns.TypeA))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if len(resp.Answer) < 1 {
-		t.Fatalf("no answers in response: %v", resp)
-	}
-	rrA, ok := resp.Answer[0].(*dns.A)
-	if !ok {
-		t.Fatalf("invalid RR type: %T", resp.Answer[0])
-	}
-	if !rrA.A.Equal(net.IPv4(1, 2, 3, 4)) {
-		t.Errorf("wanted A response 1.2.3.4, got: %v", rrA.A)
-	}
-	if tcpCalls != 1 {
-		t.Errorf("got %d, want 1 TCP calls", tcpCalls)
-	}
-	if udpCalls != 1 {
-		t.Errorf("got %d, want 1 UDP calls", udpCalls)
-	}
-
-	// Verify that we're cached and re-run to fetch from the cache.
-	if len(r.queryCache) < 1 {
-		t.Errorf("wanted entries in the query cache")
-	}
-
-	resp2, err := r.queryNameserverProto(ctx, 0, "tailscale.com", netip.MustParseAddr("9.9.9.9"), "udp", dns.Type(dns.TypeA))
-	if err != nil {
-		t.Fatal(err)
-	}
-	if !reflect.DeepEqual(resp, resp2) {
-		t.Errorf("expected equal responses; old=%+v new=%+v", resp, resp2)
-	}
-
-	// We didn't make any more network requests since we loaded from the cache.
-	if tcpCalls != 1 {
-		t.Errorf("got %d, want 1 TCP calls", tcpCalls)
-	}
-	if udpCalls != 1 {
-		t.Errorf("got %d, want 1 UDP calls", udpCalls)
-	}
-}
-
-func dnsIPRR(name string, addr netip.Addr) dns.RR {
-	if addr.Is4() {
-		return &dns.A{
-			Hdr: dns.RR_Header{
-				Name:   name,
-				Rrtype: dns.TypeA,
-				Class:  dns.ClassINET,
-				Ttl:    300,
-			},
-			A: net.IP(addr.AsSlice()),
-		}
-	}
-
-	return &dns.AAAA{
-		Hdr: dns.RR_Header{
-			Name:   name,
-			Rrtype: dns.TypeAAAA,
-			Class:  dns.ClassINET,
-			Ttl:    300,
-		},
-		AAAA: net.IP(addr.AsSlice()),
-	}
-}
-
-func cnameRR(name, target string) dns.RR {
-	return &dns.CNAME{
-		Hdr: dns.RR_Header{
-			Name:   name,
-			Rrtype: dns.TypeCNAME,
-			Class:  dns.ClassINET,
-			Ttl:    300,
-		},
-		Target: target,
-	}
-}
-
-func nsRR(name, target string) dns.RR {
-	return &dns.NS{
-		Hdr: dns.RR_Header{
-			Name:   name,
-			Rrtype: dns.TypeNS,
-			Class:  dns.ClassINET,
-			Ttl:    300,
-		},
-		Ns: target,
-	}
-}
-
-type mockReply struct {
-	name  string
-	qtype dns.Type
-	resp  *dns.Msg
-}
-
-type replyMock struct {
-	tb      testing.TB
-	replies map[netip.Addr][]mockReply
-}
-
-func (r *replyMock) exchangeHook(nameserver netip.Addr, network string, req *dns.Msg) (*dns.Msg, error) {
-	if len(req.Question) != 1 {
-		r.tb.Fatalf("unsupported multiple or empty question: %v", req.Question)
-	}
-	question := req.Question[0]
-
-	replies := r.replies[nameserver]
-	if len(replies) == 0 {
-		r.tb.Fatalf("no configured replies for nameserver: %v", nameserver)
-	}
-
-	for _, reply := range replies {
-		if reply.name == question.Name && reply.qtype == dns.Type(question.Qtype) {
-			return reply.resp.Copy(), nil
-		}
-	}
-
-	r.tb.Fatalf("no replies found for query %q of type %v to %v", question.Name, question.Qtype, nameserver)
-	panic("unreachable")
-}
-
-// responses for mocking, shared between the following tests
-var (
-	rootServerAddr = netip.MustParseAddr("198.41.0.4") // a.root-servers.net.
-	comNSAddr      = netip.MustParseAddr("192.5.6.30") // a.gtld-servers.net.
-
-	// DNS response from the root nameservers for a .com nameserver
-	comRecord = &dns.Msg{
-		Ns:    []dns.RR{nsRR("com.", "a.gtld-servers.net.")},
-		Extra: []dns.RR{dnsIPRR("a.gtld-servers.net.", comNSAddr)},
-	}
-
-	// Random Amazon nameservers that we use in glue records
-	amazonNS   = netip.MustParseAddr("205.251.192.197")
-	amazonNSv6 = netip.MustParseAddr("2600:9000:5306:1600::1")
-
-	// Nameservers for the tailscale.com domain
-	tailscaleNameservers = &dns.Msg{
-		Ns: []dns.RR{
-			nsRR("tailscale.com.", "ns-197.awsdns-24.com."),
-			nsRR("tailscale.com.", "ns-557.awsdns-05.net."),
-			nsRR("tailscale.com.", "ns-1558.awsdns-02.co.uk."),
-			nsRR("tailscale.com.", "ns-1359.awsdns-41.org."),
-		},
-		Extra: []dns.RR{
-			dnsIPRR("ns-197.awsdns-24.com.", amazonNS),
-		},
-	}
-)
-
-func TestBasicRecursion(t *testing.T) {
-	mock := &replyMock{
-		tb: t,
-		replies: map[netip.Addr][]mockReply{
-			// Query to the root server returns the .com server + a glue record
-			rootServerAddr: {
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeA), resp: comRecord},
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeAAAA), resp: comRecord},
-			},
-
-			// Query to the ".com" server return the nameservers for tailscale.com
-			comNSAddr: {
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeA), resp: tailscaleNameservers},
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeAAAA), resp: tailscaleNameservers},
-			},
-
-			// Query to the actual nameserver works.
-			amazonNS: {
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeA), resp: &dns.Msg{
-					MsgHdr: dns.MsgHdr{Authoritative: true},
-					Answer: []dns.RR{
-						dnsIPRR("tailscale.com.", netip.MustParseAddr("13.248.141.131")),
-						dnsIPRR("tailscale.com.", netip.MustParseAddr("76.223.15.28")),
-					},
-				}},
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeAAAA), resp: &dns.Msg{
-					MsgHdr: dns.MsgHdr{Authoritative: true},
-					Answer: []dns.RR{
-						dnsIPRR("tailscale.com.", netip.MustParseAddr("2600:9000:a602:b1e6:86d:8165:5e8c:295b")),
-						dnsIPRR("tailscale.com.", netip.MustParseAddr("2600:9000:a51d:27c1:1530:b9ef:2a6:b9e5")),
-					},
-				}},
-			},
-		},
-	}
-
-	r := newResolver(t)
-	r.testExchangeHook = mock.exchangeHook
-	r.rootServers = []netip.Addr{rootServerAddr}
-
-	// Query for tailscale.com, verify we get the right responses
-	ctx := context.Background()
-	addrs, minTTL, err := r.Resolve(ctx, "tailscale.com")
-	if err != nil {
-		t.Fatal(err)
-	}
-	wantAddrs := []netip.Addr{
-		netip.MustParseAddr("13.248.141.131"),
-		netip.MustParseAddr("76.223.15.28"),
-		netip.MustParseAddr("2600:9000:a602:b1e6:86d:8165:5e8c:295b"),
-		netip.MustParseAddr("2600:9000:a51d:27c1:1530:b9ef:2a6:b9e5"),
-	}
-	slices.SortFunc(addrs, func(x, y netip.Addr) bool { return x.String() < y.String() })
-	slices.SortFunc(wantAddrs, func(x, y netip.Addr) bool { return x.String() < y.String() })
-
-	if !reflect.DeepEqual(addrs, wantAddrs) {
-		t.Errorf("got addrs=%+v; want %+v", addrs, wantAddrs)
-	}
-
-	const wantMinTTL = 5 * time.Minute
-	if minTTL != wantMinTTL {
-		t.Errorf("got minTTL=%+v; want %+v", minTTL, wantMinTTL)
-	}
-}
-
-func TestNoAnswers(t *testing.T) {
-	mock := &replyMock{
-		tb: t,
-		replies: map[netip.Addr][]mockReply{
-			// Query to the root server returns the .com server + a glue record
-			rootServerAddr: {
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeA), resp: comRecord},
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeAAAA), resp: comRecord},
-			},
-
-			// Query to the ".com" server return the nameservers for tailscale.com
-			comNSAddr: {
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeA), resp: tailscaleNameservers},
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeAAAA), resp: tailscaleNameservers},
-			},
-
-			// Query to the actual nameserver returns no responses, authoritatively.
-			amazonNS: {
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeA), resp: &dns.Msg{
-					MsgHdr: dns.MsgHdr{Authoritative: true},
-					Answer: []dns.RR{},
-				}},
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeAAAA), resp: &dns.Msg{
-					MsgHdr: dns.MsgHdr{Authoritative: true},
-					Answer: []dns.RR{},
-				}},
-			},
-		},
-	}
-
-	r := &Resolver{
-		Logf:             t.Logf,
-		testExchangeHook: mock.exchangeHook,
-		rootServers:      []netip.Addr{rootServerAddr},
-	}
-
-	// Query for tailscale.com, verify we get the right responses
-	_, _, err := r.Resolve(context.Background(), "tailscale.com")
-	if err == nil {
-		t.Fatalf("got no error, want error")
-	}
-	if !errors.Is(err, ErrAuthoritativeNoResponses) {
-		t.Fatalf("got err=%v, want %v", err, ErrAuthoritativeNoResponses)
-	}
-}
-
-func TestRecursionCNAME(t *testing.T) {
-	mock := &replyMock{
-		tb: t,
-		replies: map[netip.Addr][]mockReply{
-			// Query to the root server returns the .com server + a glue record
-			rootServerAddr: {
-				{name: "subdomain.otherdomain.com.", qtype: dns.Type(dns.TypeA), resp: comRecord},
-				{name: "subdomain.otherdomain.com.", qtype: dns.Type(dns.TypeAAAA), resp: comRecord},
-
-				{name: "subdomain.tailscale.com.", qtype: dns.Type(dns.TypeA), resp: comRecord},
-				{name: "subdomain.tailscale.com.", qtype: dns.Type(dns.TypeAAAA), resp: comRecord},
-			},
-
-			// Query to the ".com" server return the nameservers for tailscale.com
-			comNSAddr: {
-				{name: "subdomain.otherdomain.com.", qtype: dns.Type(dns.TypeA), resp: tailscaleNameservers},
-				{name: "subdomain.otherdomain.com.", qtype: dns.Type(dns.TypeAAAA), resp: tailscaleNameservers},
-
-				{name: "subdomain.tailscale.com.", qtype: dns.Type(dns.TypeA), resp: tailscaleNameservers},
-				{name: "subdomain.tailscale.com.", qtype: dns.Type(dns.TypeAAAA), resp: tailscaleNameservers},
-			},
-
-			// Query to the actual nameserver works.
-			amazonNS: {
-				{name: "subdomain.otherdomain.com.", qtype: dns.Type(dns.TypeA), resp: &dns.Msg{
-					MsgHdr: dns.MsgHdr{Authoritative: true},
-					Answer: []dns.RR{cnameRR("subdomain.otherdomain.com.", "subdomain.tailscale.com.")},
-				}},
-				{name: "subdomain.otherdomain.com.", qtype: dns.Type(dns.TypeAAAA), resp: &dns.Msg{
-					MsgHdr: dns.MsgHdr{Authoritative: true},
-					Answer: []dns.RR{cnameRR("subdomain.otherdomain.com.", "subdomain.tailscale.com.")},
-				}},
-
-				{name: "subdomain.tailscale.com.", qtype: dns.Type(dns.TypeA), resp: &dns.Msg{
-					MsgHdr: dns.MsgHdr{Authoritative: true},
-					Answer: []dns.RR{dnsIPRR("tailscale.com.", netip.MustParseAddr("13.248.141.131"))},
-				}},
-				{name: "subdomain.tailscale.com.", qtype: dns.Type(dns.TypeAAAA), resp: &dns.Msg{
-					MsgHdr: dns.MsgHdr{Authoritative: true},
-					Answer: []dns.RR{dnsIPRR("tailscale.com.", netip.MustParseAddr("2600:9000:a602:b1e6:86d:8165:5e8c:295b"))},
-				}},
-			},
-		},
-	}
-
-	r := &Resolver{
-		Logf:             t.Logf,
-		testExchangeHook: mock.exchangeHook,
-		rootServers:      []netip.Addr{rootServerAddr},
-	}
-
-	// Query for tailscale.com, verify we get the right responses
-	addrs, minTTL, err := r.Resolve(context.Background(), "subdomain.otherdomain.com")
-	if err != nil {
-		t.Fatal(err)
-	}
-	wantAddrs := []netip.Addr{
-		netip.MustParseAddr("13.248.141.131"),
-		netip.MustParseAddr("2600:9000:a602:b1e6:86d:8165:5e8c:295b"),
-	}
-	slices.SortFunc(addrs, func(x, y netip.Addr) bool { return x.String() < y.String() })
-	slices.SortFunc(wantAddrs, func(x, y netip.Addr) bool { return x.String() < y.String() })
-
-	if !reflect.DeepEqual(addrs, wantAddrs) {
-		t.Errorf("got addrs=%+v; want %+v", addrs, wantAddrs)
-	}
-
-	const wantMinTTL = 5 * time.Minute
-	if minTTL != wantMinTTL {
-		t.Errorf("got minTTL=%+v; want %+v", minTTL, wantMinTTL)
-	}
-}
-
-func TestRecursionNoGlue(t *testing.T) {
-	coukNS := netip.MustParseAddr("213.248.216.1")
-	coukRecord := &dns.Msg{
-		Ns:    []dns.RR{nsRR("com.", "dns1.nic.uk.")},
-		Extra: []dns.RR{dnsIPRR("dns1.nic.uk.", coukNS)},
-	}
-
-	intermediateNS := netip.MustParseAddr("205.251.193.66") // g-ns-322.awsdns-02.co.uk.
-	intermediateRecord := &dns.Msg{
-		Ns:    []dns.RR{nsRR("awsdns-02.co.uk.", "g-ns-322.awsdns-02.co.uk.")},
-		Extra: []dns.RR{dnsIPRR("g-ns-322.awsdns-02.co.uk.", intermediateNS)},
-	}
-
-	const amazonNameserver = "ns-1558.awsdns-02.co.uk."
-	tailscaleNameservers := &dns.Msg{
-		Ns: []dns.RR{
-			nsRR("tailscale.com.", amazonNameserver),
-		},
-	}
-
-	tailscaleResponses := []mockReply{
-		{name: "tailscale.com.", qtype: dns.Type(dns.TypeA), resp: &dns.Msg{
-			MsgHdr: dns.MsgHdr{Authoritative: true},
-			Answer: []dns.RR{dnsIPRR("tailscale.com.", netip.MustParseAddr("13.248.141.131"))},
-		}},
-		{name: "tailscale.com.", qtype: dns.Type(dns.TypeAAAA), resp: &dns.Msg{
-			MsgHdr: dns.MsgHdr{Authoritative: true},
-			Answer: []dns.RR{dnsIPRR("tailscale.com.", netip.MustParseAddr("2600:9000:a602:b1e6:86d:8165:5e8c:295b"))},
-		}},
-	}
-
-	mock := &replyMock{
-		tb: t,
-		replies: map[netip.Addr][]mockReply{
-			rootServerAddr: {
-				// Query to the root server returns the .com server + a glue record
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeA), resp: comRecord},
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeAAAA), resp: comRecord},
-
-				// Querying the .co.uk nameserver returns the .co.uk nameserver + a glue record.
-				{name: amazonNameserver, qtype: dns.Type(dns.TypeA), resp: coukRecord},
-				{name: amazonNameserver, qtype: dns.Type(dns.TypeAAAA), resp: coukRecord},
-			},
-
-			// Queries to the ".com" server return the nameservers
-			// for tailscale.com, which don't contain a glue
-			// record.
-			comNSAddr: {
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeA), resp: tailscaleNameservers},
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeAAAA), resp: tailscaleNameservers},
-			},
-
-			// Queries to the ".co.uk" nameserver returns the
-			// address of the intermediate Amazon nameserver.
-			coukNS: {
-				{name: amazonNameserver, qtype: dns.Type(dns.TypeA), resp: intermediateRecord},
-				{name: amazonNameserver, qtype: dns.Type(dns.TypeAAAA), resp: intermediateRecord},
-			},
-
-			// Queries to the intermediate nameserver returns an
-			// answer for the final Amazon nameserver.
-			intermediateNS: {
-				{name: amazonNameserver, qtype: dns.Type(dns.TypeA), resp: &dns.Msg{
-					MsgHdr: dns.MsgHdr{Authoritative: true},
-					Answer: []dns.RR{dnsIPRR(amazonNameserver, amazonNS)},
-				}},
-				{name: amazonNameserver, qtype: dns.Type(dns.TypeAAAA), resp: &dns.Msg{
-					MsgHdr: dns.MsgHdr{Authoritative: true},
-					Answer: []dns.RR{dnsIPRR(amazonNameserver, amazonNSv6)},
-				}},
-			},
-
-			// Queries to the actual nameserver work and return
-			// responses to the query.
-			amazonNS:   tailscaleResponses,
-			amazonNSv6: tailscaleResponses,
-		},
-	}
-
-	r := newResolver(t)
-	r.testExchangeHook = mock.exchangeHook
-	r.rootServers = []netip.Addr{rootServerAddr}
-
-	// Query for tailscale.com, verify we get the right responses
-	addrs, minTTL, err := r.Resolve(context.Background(), "tailscale.com")
-	if err != nil {
-		t.Fatal(err)
-	}
-	wantAddrs := []netip.Addr{
-		netip.MustParseAddr("13.248.141.131"),
-		netip.MustParseAddr("2600:9000:a602:b1e6:86d:8165:5e8c:295b"),
-	}
-	slices.SortFunc(addrs, func(x, y netip.Addr) bool { return x.String() < y.String() })
-	slices.SortFunc(wantAddrs, func(x, y netip.Addr) bool { return x.String() < y.String() })
-
-	if !reflect.DeepEqual(addrs, wantAddrs) {
-		t.Errorf("got addrs=%+v; want %+v", addrs, wantAddrs)
-	}
-
-	const wantMinTTL = 5 * time.Minute
-	if minTTL != wantMinTTL {
-		t.Errorf("got minTTL=%+v; want %+v", minTTL, wantMinTTL)
-	}
-}
-
-func TestRecursionLimit(t *testing.T) {
-	mock := &replyMock{
-		tb:      t,
-		replies: map[netip.Addr][]mockReply{},
-	}
-
-	// Fill out a CNAME chain equal to our recursion limit; we won't get
-	// this far since each CNAME is more than 1 level "deep", but this
-	// ensures that we have more than the limit.
-	for i := 0; i < maxDepth+1; i++ {
-		curr := fmt.Sprintf("%d-tailscale.com.", i)
-
-		tailscaleNameservers := &dns.Msg{
-			Ns:    []dns.RR{nsRR(curr, "ns-197.awsdns-24.com.")},
-			Extra: []dns.RR{dnsIPRR("ns-197.awsdns-24.com.", amazonNS)},
-		}
-
-		// Query to the root server returns the .com server + a glue record
-		mock.replies[rootServerAddr] = append(mock.replies[rootServerAddr],
-			mockReply{name: curr, qtype: dns.Type(dns.TypeA), resp: comRecord},
-			mockReply{name: curr, qtype: dns.Type(dns.TypeAAAA), resp: comRecord},
-		)
-
-		// Query to the ".com" server return the nameservers for NN-tailscale.com
-		mock.replies[comNSAddr] = append(mock.replies[comNSAddr],
-			mockReply{name: curr, qtype: dns.Type(dns.TypeA), resp: tailscaleNameservers},
-			mockReply{name: curr, qtype: dns.Type(dns.TypeAAAA), resp: tailscaleNameservers},
-		)
-
-		// Queries to the nameserver return a CNAME for the n+1th server.
-		next := fmt.Sprintf("%d-tailscale.com.", i+1)
-		mock.replies[amazonNS] = append(mock.replies[amazonNS],
-			mockReply{
-				name:  curr,
-				qtype: dns.Type(dns.TypeA),
-				resp: &dns.Msg{
-					MsgHdr: dns.MsgHdr{Authoritative: true},
-					Answer: []dns.RR{cnameRR(curr, next)},
-				},
-			},
-			mockReply{
-				name:  curr,
-				qtype: dns.Type(dns.TypeAAAA),
-				resp: &dns.Msg{
-					MsgHdr: dns.MsgHdr{Authoritative: true},
-					Answer: []dns.RR{cnameRR(curr, next)},
-				},
-			},
-		)
-	}
-
-	r := newResolver(t)
-	r.testExchangeHook = mock.exchangeHook
-	r.rootServers = []netip.Addr{rootServerAddr}
-
-	// Query for the first node in the chain, 0-tailscale.com, and verify
-	// we get a max-depth error.
-	ctx := context.Background()
-	_, _, err := r.Resolve(ctx, "0-tailscale.com")
-	if err == nil {
-		t.Fatal("expected error, got nil")
-	} else if !errors.Is(err, ErrMaxDepth) {
-		t.Fatalf("got err=%v, want ErrMaxDepth", err)
-	}
-}
-
-func TestInvalidResponses(t *testing.T) {
-	mock := &replyMock{
-		tb: t,
-		replies: map[netip.Addr][]mockReply{
-			// Query to the root server returns the .com server + a glue record
-			rootServerAddr: {
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeA), resp: comRecord},
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeAAAA), resp: comRecord},
-			},
-
-			// Query to the ".com" server return the nameservers for tailscale.com
-			comNSAddr: {
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeA), resp: tailscaleNameservers},
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeAAAA), resp: tailscaleNameservers},
-			},
-
-			// Query to the actual nameserver returns an invalid IP address
-			amazonNS: {
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeA), resp: &dns.Msg{
-					MsgHdr: dns.MsgHdr{Authoritative: true},
-					Answer: []dns.RR{&dns.A{
-						Hdr: dns.RR_Header{
-							Name:   "tailscale.com.",
-							Rrtype: dns.TypeA,
-							Class:  dns.ClassINET,
-							Ttl:    300,
-						},
-						// Note: this is an IPv6 addr in an IPv4 response
-						A: net.IP(netip.MustParseAddr("2600:9000:a51d:27c1:1530:b9ef:2a6:b9e5").AsSlice()),
-					}},
-				}},
-				{name: "tailscale.com.", qtype: dns.Type(dns.TypeAAAA), resp: &dns.Msg{
-					MsgHdr: dns.MsgHdr{Authoritative: true},
-					// This an IPv4 response to an IPv6 query
-					Answer: []dns.RR{&dns.A{
-						Hdr: dns.RR_Header{
-							Name:   "tailscale.com.",
-							Rrtype: dns.TypeA,
-							Class:  dns.ClassINET,
-							Ttl:    300,
-						},
-						A: net.IP(netip.MustParseAddr("13.248.141.131").AsSlice()),
-					}},
-				}},
-			},
-		},
-	}
-
-	r := &Resolver{
-		Logf:             t.Logf,
-		testExchangeHook: mock.exchangeHook,
-		rootServers:      []netip.Addr{rootServerAddr},
-	}
-
-	// Query for tailscale.com, verify we get no responses since the
-	// addresses are invalid.
-	_, _, err := r.Resolve(context.Background(), "tailscale.com")
-	if err == nil {
-		t.Fatalf("got no error, want error")
-	}
-	if !errors.Is(err, ErrAuthoritativeNoResponses) {
-		t.Fatalf("got err=%v, want %v", err, ErrAuthoritativeNoResponses)
-	}
-}
-
-// TODO(andrew): test for more edge cases that aren't currently covered:
-//	* Nameservers that cross between IPv4 and IPv6
-//	* Authoritative no replies after following CNAME
-//	* Authoritative no replies after following non-glue NS record
-//	* Error querying non-glue NS record followed by success
--- a/net/dnscache/dnscache.go
+++ b/net/dnscache/dnscache.go
@@ -143,6 +143,10 @@ func (r *Resolver) cloudHostResolver() (v *net.Resolver, ok bool) {
 	switch runtime.GOOS {
 	case "android", "ios", "darwin":
 		return nil, false
+	case "windows":
+		// TODO(bradfitz): remove this restriction once we're using Go 1.19
+		// which supports net.Resolver.PreferGo on Windows.
+		return nil, false
 	}
 	ip := cloudenv.Get().ResolverIP()
 	if ip == "" {
--- a/net/dnscache/messagecache.go
+++ b/net/dnscache/messagecache.go
@@ -13,7 +13,6 @@ import (

 	"github.com/golang/groupcache/lru"
 	"golang.org/x/net/dns/dnsmessage"
-	"tailscale.com/util/cmpx"
 )

 // MessageCache is a cache that works at the DNS message layer,
@@ -60,7 +59,10 @@ func (c *MessageCache) Flush() {
 // pruneLocked prunes down the cache size to the configured (or
 // default) max size.
 func (c *MessageCache) pruneLocked() {
-	max := cmpx.Or(c.cacheSizeSet, 500)
+	max := c.cacheSizeSet
+	if max == 0 {
+		max = 500
+	}
 	for c.cache.Len() > max {
 		c.cache.RemoveOldest()
 	}
--- a/net/memnet/listener.go
+++ b/net/memnet/listener.go
@@ -22,10 +22,6 @@ type Listener struct {
 	ch        chan Conn
 	closeOnce sync.Once
 	closed    chan struct{}
-
-	// NewConn, if non-nil, is called to create a new pair of connections
-	// when dialing. If nil, NewConn is used.
-	NewConn func(network, addr string, maxBuf int) (Conn, Conn)
 }

 // Listen returns a new Listener for the provided address.
@@ -74,14 +70,7 @@ func (l *Listener) Dial(ctx context.Context, network, addr string) (_ net.Conn,
 			Addr: addr,
 		}
 	}
-
-	newConn := l.NewConn
-	if newConn == nil {
-		newConn = func(network, addr string, maxBuf int) (Conn, Conn) {
-			return NewConn(addr, maxBuf)
-		}
-	}
-	c, s := newConn(network, addr, bufferSize)
+	c, s := NewConn(addr, bufferSize)
 	defer func() {
 		if err != nil {
 			c.Close()
--- a/net/netcheck/netcheck.go
+++ b/net/netcheck/netcheck.go
@@ -42,7 +42,6 @@ import (
 	"tailscale.com/types/opt"
 	"tailscale.com/types/ptr"
 	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/util/mak"
 )

@@ -451,9 +450,10 @@ func makeProbePlan(dm *tailcfg.DERPMap, ifState *interfaces.State, last *Report)
 				do6 = false
 			}
 			n := reg.Nodes[try%len(reg.Nodes)]
-			prevLatency := cmpx.Or(
-				last.RegionLatency[reg.RegionID]*120/100,
-				defaultActiveRetransmitTime)
+			prevLatency := last.RegionLatency[reg.RegionID] * 120 / 100
+			if prevLatency == 0 {
+				prevLatency = defaultActiveRetransmitTime
+			}
 			delay := time.Duration(try) * prevLatency
 			if try > 1 {
 				delay += time.Duration(try) * 50 * time.Millisecond
@@ -1589,7 +1589,10 @@ func (rs *reportState) runProbe(ctx context.Context, dm *tailcfg.DERPMap, probe
 // proto is 4 or 6
 // If it returns nil, the node is skipped.
 func (c *Client) nodeAddr(ctx context.Context, n *tailcfg.DERPNode, proto probeProto) (ap netip.AddrPort) {
-	port := cmpx.Or(n.STUNPort, 3478)
+	port := n.STUNPort
+	if port == 0 {
+		port = 3478
+	}
 	if port < 0 || port > 1<<16-1 {
 		return
 	}
--- a/net/tstun/tun.go
+++ b/net/tstun/tun.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-//go:build !wasm
+//go:build !js

 // Package tun creates a tuntap device, working around OS-specific
 // quirks if necessary.
--- a/paths/paths_wasm.go
+++ b/paths/paths_wasm.go
--- a/paths/paths_unix.go
+++ b/paths/paths_unix.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-//go:build !windows && !js && !wasip1
+//go:build !windows && !js

 package paths

--- a/portlist/poller.go
+++ b/portlist/poller.go
@@ -7,8 +7,8 @@
 package portlist

 import (
+	"context"
 	"errors"
-	"fmt"
 	"runtime"
 	"sync"
 	"time"
@@ -17,17 +17,9 @@ import (
 	"tailscale.com/envknob"
 )

-var (
-	newOSImpl            func(includeLocalhost bool) osImpl // if non-nil, constructs a new osImpl.
-	pollInterval         = 5 * time.Second                  // default; changed by some OS-specific init funcs
-	debugDisablePortlist = envknob.RegisterBool("TS_DEBUG_DISABLE_PORTLIST")
-)
+var pollInterval = 5 * time.Second // default; changed by some OS-specific init funcs

-// PollInterval is the recommended OS-specific interval
-// to wait between *Poller.Poll method calls.
-func PollInterval() time.Duration {
-	return pollInterval
-}
+var debugDisablePortlist = envknob.RegisterBool("TS_DEBUG_DISABLE_PORTLIST")

 // Poller scans the systems for listening ports periodically and sends
 // the results to C.
@@ -37,15 +29,22 @@ type Poller struct {
 	// This field should only be changed before calling Run.
 	IncludeLocalhost bool

+	initOnce sync.Once // guards init of private fields
+	c        chan List // unbuffered
+
 	// os, if non-nil, is an OS-specific implementation of the portlist getting
 	// code. When non-nil, it's responsible for getting the complete list of
 	// cached ports complete with the process name. That is, when set,
 	// addProcesses is not used.
 	// A nil values means we don't have code for getting the list on the current
 	// operating system.
-	os       osImpl
-	initOnce sync.Once // guards init of os
-	initErr  error
+	os osImpl
+
+	// closeCtx is the context that's canceled on Close.
+	closeCtx       context.Context
+	closeCtxCancel context.CancelFunc
+
+	runDone chan struct{} // closed when Run completes

 	// scatch is memory for Poller.getList to reuse between calls.
 	scratch []Port
@@ -67,55 +66,139 @@ type osImpl interface {
 	AppendListeningPorts(base []Port) ([]Port, error)
 }

+// newOSImpl, if non-nil, constructs a new osImpl.
+var newOSImpl func(includeLocalhost bool) osImpl
+
+var errUnimplemented = errors.New("portlist poller not implemented on " + runtime.GOOS)
+
 func (p *Poller) setPrev(pl List) {
 	// Make a copy, as the pass in pl slice aliases pl.scratch and we don't want
 	// that to except to the caller.
 	p.prev = slices.Clone(pl)
 }

-// init initializes the Poller by ensuring it has an underlying
-// OS implementation and is not turned off by envknob.
+// init sets the os implementation if exists. It also sets
+// all private fields. All exported methods must call this in a
+// Once, otherwise they may panic.
 func (p *Poller) init() {
-	switch {
-	case debugDisablePortlist():
-		p.initErr = errors.New("portlist disabled by envknob")
-	case newOSImpl == nil:
-		p.initErr = errors.New("portlist poller not implemented on " + runtime.GOOS)
-	default:
+	if debugDisablePortlist() {
+		return
+	}
+	if newOSImpl != nil {
 		p.os = newOSImpl(p.IncludeLocalhost)
 	}
+	p.closeCtx, p.closeCtxCancel = context.WithCancel(context.Background())
+	p.c = make(chan List)
+	p.runDone = make(chan struct{})
+}
+
+// Updates return the channel that receives port list updates.
+//
+// The channel is closed when the Poller is closed.
+func (p *Poller) Updates() <-chan List {
+	p.initOnce.Do(p.init)
+	return p.c
 }

 // Close closes the Poller.
+// Run will return with a nil error.
 func (p *Poller) Close() error {
-	if p.initErr != nil {
-		return p.initErr
-	}
+	p.initOnce.Do(p.init)
+	p.closeCtxCancel()
 	if p.os == nil {
 		return nil
 	}
-	return p.os.Close()
+	<-p.runDone // if caller of Close never called Run, this can hang.
+	if p.os != nil {
+		p.os.Close()
+	}
+	return nil
 }

-// Poll returns the list of listening ports, if changed from
-// a previous call as indicated by the changed result.
-func (p *Poller) Poll() (ports []Port, changed bool, err error) {
+// send sends pl to p.c and returns whether it was successfully sent.
+func (p *Poller) send(ctx context.Context, pl List) (sent bool, err error) {
+	select {
+	case p.c <- pl:
+		return true, nil
+	case <-ctx.Done():
+		return false, ctx.Err()
+	case <-p.closeCtx.Done():
+		return false, nil
+	}
+}
+
+// Run runs the Poller periodically until either the context
+// is done, or the Close is called.
+//
+// Run may only be called once.
+func (p *Poller) Run(ctx context.Context) error {
+	tick := time.NewTicker(pollInterval)
+	defer tick.Stop()
+	return p.runWithTickChan(ctx, tick.C)
+}
+
+// Check makes sure that the Poller is enabled and
+// the undelrying OS implementation is working properly.
+//
+// An error returned from Check is non-fatal and means
+// that it's been administratively disabled or the underlying
+// OS is not implemented.
+func (p *Poller) Check() error {
 	p.initOnce.Do(p.init)
-	if p.initErr != nil {
-		return nil, false, fmt.Errorf("error initializing poller: %w", p.initErr)
+	if p.os == nil {
+		return errUnimplemented
 	}
-	pl, err := p.getList()
-	if err != nil {
-		return nil, false, err
+	// Do one initial poll synchronously so we can return an error
+	// early.
+	if pl, err := p.getList(); err != nil {
+		return err
+	} else {
+		p.setPrev(pl)
 	}
-	if pl.equal(p.prev) {
-		return nil, false, nil
+	return nil
+}
+
+func (p *Poller) runWithTickChan(ctx context.Context, tickChan <-chan time.Time) error {
+	p.initOnce.Do(p.init)
+	if p.os == nil {
+		return errUnimplemented
+	}
+
+	defer close(p.runDone)
+	defer close(p.c)
+
+	// Send out the pre-generated initial value.
+	if sent, err := p.send(ctx, p.prev); !sent {
+		return err
+	}
+
+	for {
+		select {
+		case <-tickChan:
+			pl, err := p.getList()
+			if err != nil {
+				return err
+			}
+			if pl.equal(p.prev) {
+				continue
+			}
+			p.setPrev(pl)
+			if sent, err := p.send(ctx, p.prev); !sent {
+				return err
+			}
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-p.closeCtx.Done():
+			return nil
+		}
 	}
-	p.setPrev(pl)
-	return p.prev, true, nil
 }

 func (p *Poller) getList() (List, error) {
+	if debugDisablePortlist() {
+		return nil, nil
+	}
+	p.initOnce.Do(p.init)
 	var err error
 	p.scratch, err = p.os.AppendListeningPorts(p.scratch[:0])
 	return p.scratch, err
--- a/portlist/portlist_test.go
+++ b/portlist/portlist_test.go
@@ -4,8 +4,11 @@
 package portlist

 import (
+	"context"
 	"net"
+	"sync"
 	"testing"
+	"time"

 	"tailscale.com/tstest"
 )
@@ -14,14 +17,14 @@ func TestGetList(t *testing.T) {
 	tstest.ResourceCheck(t)

 	var p Poller
-	pl, _, err := p.Poll()
+	pl, err := p.getList()
 	if err != nil {
 		t.Fatal(err)
 	}
 	for i, p := range pl {
 		t.Logf("[%d] %+v", i, p)
 	}
-	t.Logf("As String: %s", List(pl))
+	t.Logf("As String: %v", pl.String())
 }

 func TestIgnoreLocallyBoundPorts(t *testing.T) {
@@ -35,7 +38,7 @@ func TestIgnoreLocallyBoundPorts(t *testing.T) {
 	ta := ln.Addr().(*net.TCPAddr)
 	port := ta.Port
 	var p Poller
-	pl, _, err := p.Poll()
+	pl, err := p.getList()
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -46,16 +49,16 @@ func TestIgnoreLocallyBoundPorts(t *testing.T) {
 	}
 }

-func TestPoller(t *testing.T) {
+func TestChangesOverTime(t *testing.T) {
 	var p Poller
 	p.IncludeLocalhost = true
 	get := func(t *testing.T) []Port {
 		t.Helper()
-		s, _, err := p.Poll()
+		s, err := p.getList()
 		if err != nil {
 			t.Fatal(err)
 		}
-		return s
+		return append([]Port(nil), s...)
 	}

 	p1 := get(t)
@@ -172,21 +175,69 @@ func TestEqualLessThan(t *testing.T) {
 	}
 }

-func TestClose(t *testing.T) {
+func TestPoller(t *testing.T) {
 	var p Poller
-	err := p.Close()
-	if err != nil {
-		t.Fatal(err)
-	}
-	p = Poller{}
-	_, _, err = p.Poll()
-	if err != nil {
-		t.Skipf("skipping due to poll error: %v", err)
-	}
-	err = p.Close()
+	err := p.Check()
 	if err != nil {
+		t.Skipf("not running test: %v", err)
+	}
+	defer p.Close()
+
+	var wg sync.WaitGroup
+	wg.Add(2)
+
+	gotUpdate := make(chan bool, 16)
+
+	go func() {
+		defer wg.Done()
+		for pl := range p.Updates() {
+			// Look at all the pl slice memory to maximize
+			// chance of race detector seeing violations.
+			for _, v := range pl {
+				if v == (Port{}) {
+					// Force use
+					panic("empty port")
+				}
+			}
+			select {
+			case gotUpdate <- true:
+			default:
+			}
+		}
+	}()
+
+	tick := make(chan time.Time, 16)
+	go func() {
+		defer wg.Done()
+		if err := p.runWithTickChan(context.Background(), tick); err != nil {
+			t.Error("runWithTickChan:", err)
+		}
+	}()
+	for i := 0; i < 10; i++ {
+		ln, err := net.Listen("tcp", ":0")
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer ln.Close()
+		tick <- time.Time{}
+
+		select {
+		case <-gotUpdate:
+		case <-time.After(5 * time.Second):
+			t.Fatal("timed out waiting for update")
+		}
+	}
+
+	// And a bunch of ticks without waiting for updates,
+	// to make race tests more likely to fail, if any present.
+	for i := 0; i < 10; i++ {
+		tick <- time.Time{}
+	}
+
+	if err := p.Close(); err != nil {
 		t.Fatal(err)
 	}
+	wg.Wait()
 }

 func BenchmarkGetList(b *testing.B) {
@@ -200,11 +251,6 @@ func BenchmarkGetListIncremental(b *testing.B) {
 func benchmarkGetList(b *testing.B, incremental bool) {
 	b.ReportAllocs()
 	var p Poller
-	p.init()
-	if p.initErr != nil {
-		b.Skip(p.initErr)
-	}
-	b.Cleanup(func() { p.Close() })
 	for i := 0; i < b.N; i++ {
 		pl, err := p.getList()
 		if err != nil {
--- a/prober/derp.go
+++ b/prober/derp.go
@@ -188,9 +188,6 @@ func (d *derpProber) updateMap(ctx context.Context) error {
 			if existing, ok := d.nodes[n.HostName]; ok {
 				return fmt.Errorf("derpmap has duplicate nodes: %+v and %+v", existing, n)
 			}
-			// Allow the prober to monitor nodes marked as
-			// STUN only in the default map
-			n.STUNOnly = false
 			d.nodes[n.HostName] = n
 		}
 	}
--- a/release/dist/cli/cli.go
+++ b/release/dist/cli/cli.go
@@ -124,11 +124,10 @@ func runBuild(ctx context.Context, filters []string, targets []dist.Target) erro
 		if err != nil {
 			return fmt.Errorf("getting absolute path of manifest: %w", err)
 		}
+		fmt.Println(manifest)
+		fmt.Println(filepath.Join(b.Out, out[0]))
 		for i := range out {
-			if !filepath.IsAbs(out[i]) {
-				out[i] = filepath.Join(b.Out, out[i])
-			}
-			rel, err := filepath.Rel(filepath.Dir(manifest), out[i])
+			rel, err := filepath.Rel(filepath.Dir(manifest), filepath.Join(b.Out, out[i]))
 			if err != nil {
 				return fmt.Errorf("making path relative: %w", err)
 			}
--- a/release/dist/dist.go
+++ b/release/dist/dist.go
@@ -17,7 +17,6 @@ import (
 	"sort"
 	"strings"
 	"sync"
-	"time"

 	"tailscale.com/util/multierr"
 	"tailscale.com/version/mkversion"
@@ -45,8 +44,6 @@ type Build struct {
 	Go string
 	// Version is the version info of the build.
 	Version mkversion.VersionInfo
-	// Time is the timestamp of the build.
-	Time time.Time

 	// once is a cache of function invocations that should run once per process
 	// (for example building a helper docker container)
@@ -89,7 +86,6 @@ func NewBuild(repo, out string) (*Build, error) {
 		Out:          out,
 		Go:           goTool,
 		Version:      mkversion.Info(),
-		Time:         time.Now().UTC(),
 		extra:        map[any]any{},
 		goBuildLimit: make(chan struct{}, runtime.NumCPU()),
 	}
@@ -118,9 +114,6 @@ func (b *Build) Build(targets []Target) (files []string, err error) {
 		go func(i int, t Target) {
 			var err error
 			defer func() {
-				if err != nil {
-					err = fmt.Errorf("%s: %w", t, err)
-				}
 				errs[i] = err
 				wg.Done()
 			}()
--- a/release/dist/synology/files/PACKAGE_ICON.PNG
+++ b/release/dist/synology/files/PACKAGE_ICON.PNG
--- a/release/dist/synology/files/PACKAGE_ICON_256.PNG
+++ b/release/dist/synology/files/PACKAGE_ICON_256.PNG
--- a/release/dist/synology/files/Tailscale.sc
+++ b/release/dist/synology/files/Tailscale.sc
@@ -1,6 +0,0 @@
-[Tailscale]
-title="Tailscale"
-desc="Tailscale VPN"
-port_forward="no"
-src.ports="41641/udp"
-dst.ports="41641/udp"
--- a/release/dist/synology/files/config
+++ b/release/dist/synology/files/config
@@ -1,11 +0,0 @@
-{
-	".url": {
-		"SYNO.SDS.Tailscale": {
-			"type": "url",
-			"title": "Tailscale",
-			"icon": "PACKAGE_ICON_256.PNG",
-			"url": "webman/3rdparty/Tailscale/",
-			"urlTarget": "_syno_tailscale"
-		}
-	}
-}
--- a/release/dist/synology/files/index.cgi
+++ b/release/dist/synology/files/index.cgi
@@ -1,2 +0,0 @@
-#! /bin/sh
-exec /var/packages/Tailscale/target/bin/tailscale web -cgi
--- a/release/dist/synology/files/logrotate-dsm6
+++ b/release/dist/synology/files/logrotate-dsm6
@@ -1,8 +0,0 @@
-/var/packages/Tailscale/etc/tailscaled.stdout.log {
-  size 10M
-  rotate 3
-  missingok
-  copytruncate
-  compress
-  notifempty
-}
--- a/release/dist/synology/files/logrotate-dsm7
+++ b/release/dist/synology/files/logrotate-dsm7
@@ -1,8 +0,0 @@
-/var/packages/Tailscale/var/tailscaled.stdout.log {
-  size 10M
-  rotate 3
-  missingok
-  copytruncate
-  compress
-  notifempty
-}
--- a/release/dist/synology/files/privilege-dsm6
+++ b/release/dist/synology/files/privilege-dsm6
@@ -1,7 +0,0 @@
-{
-  "defaults":{
-    "run-as": "root"
-  },
-  "username": "tailscale",
-  "groupname": "tailscale"
-}
--- a/release/dist/synology/files/privilege-dsm7
+++ b/release/dist/synology/files/privilege-dsm7
@@ -1,7 +0,0 @@
-{
-  "defaults":{
-    "run-as": "package"
-  },
-  "username": "tailscale",
-  "groupname": "tailscale"
-}
--- a/release/dist/synology/files/privilege-dsm7.for-package-center
+++ b/release/dist/synology/files/privilege-dsm7.for-package-center
@@ -1,13 +0,0 @@
-{
-  "defaults":{
-    "run-as": "package"
-  },
-  "username": "tailscale",
-  "groupname": "tailscale",
-  "tool": [{
-    "relpath": "bin/tailscaled",
-    "user": "package",
-    "group": "package",
-    "capabilities": "cap_net_admin,cap_chown,cap_net_raw"
-  }]
-}
--- a/release/dist/synology/files/resource
+++ b/release/dist/synology/files/resource
@@ -1,11 +0,0 @@
-{
-	"port-config": {
-		"protocol-file": "conf/Tailscale.sc"
-	},
-	"usr-local-linker": {
-		"bin": ["bin/tailscale"]
-	},
-	"syslog-config": {
-		"logrotate-relpath": "conf/logrotate.conf"
-	}
-}
--- a/release/dist/synology/files/scripts/postupgrade
+++ b/release/dist/synology/files/scripts/postupgrade
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-exit 0
--- a/release/dist/synology/files/scripts/preupgrade
+++ b/release/dist/synology/files/scripts/preupgrade
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-exit 0
--- a/release/dist/synology/files/scripts/start-stop-status
+++ b/release/dist/synology/files/scripts/start-stop-status
@@ -1,129 +0,0 @@
-#!/bin/bash
-
-SERVICE_NAME="tailscale"
-
-if [ "${SYNOPKG_DSM_VERSION_MAJOR}" -eq "6" ]; then
-    PKGVAR="/var/packages/Tailscale/etc"
-else
-    PKGVAR="${SYNOPKG_PKGVAR}"
-fi
-
-PID_FILE="${PKGVAR}/tailscaled.pid"
-LOG_FILE="${PKGVAR}/tailscaled.stdout.log"
-STATE_FILE="${PKGVAR}/tailscaled.state"
-SOCKET_FILE="${PKGVAR}/tailscaled.sock"
-PORT="41641"
-
-SERVICE_COMMAND="${SYNOPKG_PKGDEST}/bin/tailscaled \
--state=${STATE_FILE} \
--socket=${SOCKET_FILE} \
--port=$PORT"
-
-if [ "${SYNOPKG_DSM_VERSION_MAJOR}" -eq "7" -a ! -e "/dev/net/tun" ]; then
-    # TODO(maisem/crawshaw): Disable the tun device in DSM7 for now.
-    SERVICE_COMMAND="${SERVICE_COMMAND} --tun=userspace-networking"
-fi
-
-if [ "${SYNOPKG_DSM_VERSION_MAJOR}" -eq "6" ]; then
-    chown -R tailscale:tailscale "${PKGVAR}/"
-fi
-
-start_daemon() {
-    local ts=$(date --iso-8601=second)
-    echo "${ts} Starting ${SERVICE_NAME} with: ${SERVICE_COMMAND}" >${LOG_FILE}
-    STATE_DIRECTORY=${PKGVAR} ${SERVICE_COMMAND} 2>&1 | sed -u '1,200p;201s,.*,[further tailscaled logs suppressed],p;d' >>${LOG_FILE} &
-    # We pipe tailscaled's output to sed, so "$!" retrieves the PID of sed not tailscaled.
-    # Use jobs -p to retrieve the PID of the most recent process group leader.
-    jobs -p >"${PID_FILE}"
-}
-
-stop_daemon() {
-    if [ -r "${PID_FILE}" ]; then
-        local PID=$(cat "${PID_FILE}")
-        local ts=$(date --iso-8601=second)
-        echo "${ts} Stopping ${SERVICE_NAME} service PID=${PID}" >>${LOG_FILE}
-        kill -TERM $PID >>${LOG_FILE} 2>&1
-        wait_for_status 1 || kill -KILL $PID >>${LOG_FILE} 2>&1
-        rm -f "${PID_FILE}" >/dev/null
-    fi
-}
-
-daemon_status() {
-    if [ -r "${PID_FILE}" ]; then
-        local PID=$(cat "${PID_FILE}")
-        if ps -o pid -p ${PID} > /dev/null; then
-            return
-        fi
-        rm -f "${PID_FILE}" >/dev/null
-    fi
-    return 1
-}
-
-wait_for_status() {
-    # 20 tries
-    # sleeps for 1 second after each try
-    local counter=20
-    while [ ${counter} -gt 0 ]; do
-        daemon_status
-        [ $? -eq $1 ] && return
-        counter=$((counter - 1))
-        sleep 1
-    done
-    return 1
-}
-
-ensure_tun_created() {
-    if [ "${SYNOPKG_DSM_VERSION_MAJOR}" -eq "7" ]; then
-        # TODO(maisem/crawshaw): Disable the tun device in DSM7 for now.
-        return
-    fi
-    # Create the necessary file structure for /dev/net/tun
-    if ([ ! -c /dev/net/tun ]); then
-        if ([ ! -d /dev/net ]); then
-            mkdir -m 755 /dev/net
-        fi
-        mknod /dev/net/tun c 10 200
-        chmod 0755 /dev/net/tun
-    fi
-
-    # Load the tun module if not already loaded
-    if (!(lsmod | grep -q "^tun\s")); then
-        insmod /lib/modules/tun.ko
-    fi
-}
-
-case $1 in
-start)
-    if daemon_status; then
-        exit 0
-    else
-        ensure_tun_created
-        start_daemon
-        exit $?
-    fi
-    ;;
-stop)
-    if daemon_status; then
-        stop_daemon
-        exit $?
-    else
-        exit 0
-    fi
-    ;;
-status)
-    if daemon_status; then
-        echo "${SERVICE_NAME} is running"
-        exit 0
-    else
-        echo "${SERVICE_NAME} is not running"
-        exit 3
-    fi
-    ;;
-log)
-    exit 0
-    ;;
-*)
-    echo "command $1 is not implemented"
-    exit 0
-    ;;
-esac
--- a/release/dist/synology/pkgs.go
+++ b/release/dist/synology/pkgs.go
@@ -1,306 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package synology contains dist Targets for building Synology Tailscale packages.
-package synology
-
-import (
-	"archive/tar"
-	"bytes"
-	"compress/gzip"
-	"embed"
-	"fmt"
-	"io"
-	"io/fs"
-	"log"
-	"os"
-	"path/filepath"
-	"time"
-
-	"tailscale.com/release/dist"
-)
-
-type target struct {
-	filenameArch    string
-	dsmMajorVersion int
-	goenv           map[string]string
-	packageCenter   bool
-}
-
-func (t *target) String() string {
-	return fmt.Sprintf("synology/dsm%d/%s", t.dsmMajorVersion, t.filenameArch)
-}
-
-func (t *target) Build(b *dist.Build) ([]string, error) {
-	inner, err := getSynologyBuilds(b).buildInnerPackage(b, t.dsmMajorVersion, t.goenv)
-	if err != nil {
-		return nil, err
-	}
-
-	out, err := t.buildSPK(b, inner)
-	if err != nil {
-		return nil, err
-	}
-
-	return []string{out}, nil
-}
-
-func (t *target) buildSPK(b *dist.Build, inner *innerPkg) (string, error) {
-	filename := fmt.Sprintf("tailscale-%s-%s-%d-dsm%d.spk", t.filenameArch, b.Version.Short, b.Version.Synology[t.dsmMajorVersion], t.dsmMajorVersion)
-	out := filepath.Join(b.Out, filename)
-	log.Printf("Building %s", filename)
-
-	privFile := fmt.Sprintf("privilege-dsm%d", t.dsmMajorVersion)
-	if t.packageCenter && t.dsmMajorVersion == 7 {
-		privFile += ".for-package-center"
-	}
-
-	f, err := os.Create(out)
-	if err != nil {
-		return "", err
-	}
-	defer f.Close()
-	tw := tar.NewWriter(f)
-	defer tw.Close()
-
-	err = writeTar(tw, b.Time,
-		memFile("INFO", t.mkInfo(b, inner.uncompressedSz), 0644),
-		static("PACKAGE_ICON.PNG", "PACKAGE_ICON.PNG", 0644),
-		static("PACKAGE_ICON_256.PNG", "PACKAGE_ICON_256.PNG", 0644),
-		static("Tailscale.sc", "Tailscale.sc", 0644),
-		dir("conf"),
-		static("resource", "conf/resource", 0644),
-		static(privFile, "conf/privilege", 0644),
-		file(inner.path, "package.tgz", 0644),
-		dir("scripts"),
-		static("scripts/start-stop-status", "scripts/start-stop-status", 0644),
-		static("scripts/postupgrade", "scripts/postupgrade", 0644),
-		static("scripts/preupgrade", "scripts/preupgrade", 0644),
-	)
-	if err != nil {
-		return "", err
-	}
-
-	if err := tw.Close(); err != nil {
-		return "", err
-	}
-	if err := f.Close(); err != nil {
-		return "", err
-	}
-
-	return out, nil
-}
-
-func (t *target) mkInfo(b *dist.Build, uncompressedSz int64) []byte {
-	var ret bytes.Buffer
-	f := func(k, v string) {
-		fmt.Fprintf(&ret, "%s=%q\n", k, v)
-	}
-	f("package", "Tailscale")
-	f("version", fmt.Sprintf("%s-%d", b.Version.Short, b.Version.Synology[t.dsmMajorVersion]))
-	f("arch", t.filenameArch)
-	f("description", "Connect all your devices using WireGuard, without the hassle.")
-	f("displayname", "Tailscale")
-	f("maintainer", "Tailscale, Inc.")
-	f("maintainer_url", "https://github.com/tailscale/tailscale")
-	f("create_time", b.Time.Format("20060102-15:04:05"))
-	f("dsmuidir", "ui")
-	f("dsmappname", "SYNO.SDS.Tailscale")
-	f("startstop_restart_services", "nginx")
-	switch t.dsmMajorVersion {
-	case 6:
-		f("os_min_ver", "6.0.1-7445")
-		f("os_max_ver", "7.0-40000")
-	case 7:
-		f("os_min_ver", "7.0-40000")
-		f("os_max_ver", "")
-	default:
-		panic(fmt.Sprintf("unsupported DSM major version %d", t.dsmMajorVersion))
-	}
-	f("extractsize", fmt.Sprintf("%v", uncompressedSz>>10)) // in KiB
-	return ret.Bytes()
-}
-
-type synologyBuildsMemoizeKey struct{}
-
-type innerPkg struct {
-	path           string
-	uncompressedSz int64
-}
-
-// synologyBuilds is extra build context shared by all synology builds.
-type synologyBuilds struct {
-	innerPkgs dist.Memoize[*innerPkg]
-}
-
-// getSynologyBuilds returns the synologyBuilds for b, creating one if needed.
-func getSynologyBuilds(b *dist.Build) *synologyBuilds {
-	return b.Extra(synologyBuildsMemoizeKey{}, func() any { return new(synologyBuilds) }).(*synologyBuilds)
-}
-
-// buildInnerPackage builds the inner tarball for synology packages,
-// which contains the files to unpack to disk on installation (as
-// opposed to the outer tarball, which contains package metadata)
-func (m *synologyBuilds) buildInnerPackage(b *dist.Build, dsmVersion int, goenv map[string]string) (*innerPkg, error) {
-	key := []any{dsmVersion, goenv}
-	return m.innerPkgs.Do(key, func() (*innerPkg, error) {
-		ts, err := b.BuildGoBinary("tailscale.com/cmd/tailscale", goenv)
-		if err != nil {
-			return nil, err
-		}
-		tsd, err := b.BuildGoBinary("tailscale.com/cmd/tailscaled", goenv)
-		if err != nil {
-			return nil, err
-		}
-
-		tmp := b.TmpDir()
-		out := filepath.Join(tmp, "package.tgz")
-
-		f, err := os.Create(out)
-		if err != nil {
-			return nil, err
-		}
-		defer f.Close()
-		gw := gzip.NewWriter(f)
-		defer gw.Close()
-		cw := &countingWriter{gw, 0}
-		tw := tar.NewWriter(cw)
-		defer tw.Close()
-
-		err = writeTar(tw, b.Time,
-			dir("bin"),
-			file(tsd, "bin/tailscaled", 0755),
-			file(ts, "bin/tailscale", 0755),
-			dir("conf"),
-			static("Tailscale.sc", "conf/Tailscale.sc", 0644),
-			static(fmt.Sprintf("logrotate-dsm%d", dsmVersion), "conf/logrotate.conf", 0644),
-			dir("ui"),
-			static("PACKAGE_ICON_256.PNG", "ui/PACKAGE_ICON_256.PNG", 0644),
-			static("config", "ui/config", 0644),
-			static("index.cgi", "ui/index.cgi", 0755))
-		if err != nil {
-			return nil, err
-		}
-
-		if err := tw.Close(); err != nil {
-			return nil, err
-		}
-		if err := gw.Close(); err != nil {
-			return nil, err
-		}
-		if err := f.Close(); err != nil {
-			return nil, err
-		}
-
-		return &innerPkg{out, cw.n}, nil
-	})
-}
-
-// writeTar writes ents to tw.
-func writeTar(tw *tar.Writer, modTime time.Time, ents ...tarEntry) error {
-	for _, ent := range ents {
-		if err := ent(tw, modTime); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// tarEntry is a function that writes tar entries (files or
-// directories) to a tar.Writer.
-type tarEntry func(*tar.Writer, time.Time) error
-
-// fsFile returns a tarEntry that writes src in fsys to dst in the tar
-// file, with mode.
-func fsFile(fsys fs.FS, src, dst string, mode int64) tarEntry {
-	return func(tw *tar.Writer, modTime time.Time) error {
-		f, err := fsys.Open(src)
-		if err != nil {
-			return err
-		}
-		defer f.Close()
-		fi, err := f.Stat()
-		if err != nil {
-			return err
-		}
-		hdr := &tar.Header{
-			Name:    dst,
-			Size:    fi.Size(),
-			Mode:    mode,
-			ModTime: modTime,
-		}
-		if err := tw.WriteHeader(hdr); err != nil {
-			return err
-		}
-		if _, err = io.Copy(tw, f); err != nil {
-			return err
-		}
-		return nil
-	}
-}
-
-// file returns a tarEntry that writes src on disk into the tar file as
-// dst, with mode.
-func file(src, dst string, mode int64) tarEntry {
-	return fsFile(os.DirFS(filepath.Dir(src)), filepath.Base(src), dst, mode)
-}
-
-//go:embed files/*
-var files embed.FS
-
-// static returns a tarEntry that writes src in files/ into the tar
-// file as dst, with mode.
-func static(src, dst string, mode int64) tarEntry {
-	fsys, err := fs.Sub(files, "files")
-	if err != nil {
-		panic(err)
-	}
-	return fsFile(fsys, src, dst, mode)
-}
-
-// memFile returns a tarEntry that writes bs to dst in the tar file,
-// with mode.
-func memFile(dst string, bs []byte, mode int64) tarEntry {
-	return func(tw *tar.Writer, modTime time.Time) error {
-		hdr := &tar.Header{
-			Name:    dst,
-			Size:    int64(len(bs)),
-			Mode:    mode,
-			ModTime: modTime,
-		}
-		if err := tw.WriteHeader(hdr); err != nil {
-			return err
-		}
-		if _, err := tw.Write(bs); err != nil {
-			return err
-		}
-		return nil
-	}
-}
-
-// dir returns a tarEntry that creates a world-readable directory in
-// the tar file.
-func dir(name string) tarEntry {
-	return func(tw *tar.Writer, modTime time.Time) error {
-		return tw.WriteHeader(&tar.Header{
-			Typeflag: tar.TypeDir,
-			Name:     name + "/",
-			Mode:     0755,
-			ModTime:  modTime,
-			// TODO: why tailscale? Files are being written as owned by root.
-			Uname: "tailscale",
-			Gname: "tailscale",
-		})
-	}
-}
-
-type countingWriter struct {
-	w io.Writer
-	n int64
-}
-
-func (cw *countingWriter) Write(bs []byte) (int, error) {
-	n, err := cw.w.Write(bs)
-	cw.n += int64(n)
-	return n, err
-}
--- a/release/dist/synology/targets.go
+++ b/release/dist/synology/targets.go
@@ -1,90 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package synology
-
-import "tailscale.com/release/dist"
-
-var v5Models = []string{
-	"armv5",
-	"88f6281",
-	"88f6282",
-	// hi3535 is actually an armv7 under the hood, but with no
-	// hardware floating point. To the Go compiler, that means it's an
-	// armv5.
-	"hi3535",
-}
-
-var v7Models = []string{
-	"armv7",
-	"alpine",
-	"armada370",
-	"armada375",
-	"armada38x",
-	"armadaxp",
-	"comcerto2k",
-	"monaco",
-}
-
-func Targets(forPackageCenter bool) []dist.Target {
-	var ret []dist.Target
-	for _, dsmVersion := range []int{6, 7} {
-		ret = append(ret,
-			&target{
-				filenameArch:    "x86_64",
-				dsmMajorVersion: dsmVersion,
-				goenv: map[string]string{
-					"GOOS":   "linux",
-					"GOARCH": "amd64",
-				},
-				packageCenter: forPackageCenter,
-			},
-			&target{
-				filenameArch:    "i686",
-				dsmMajorVersion: dsmVersion,
-				goenv: map[string]string{
-					"GOOS":   "linux",
-					"GOARCH": "386",
-				},
-				packageCenter: forPackageCenter,
-			},
-			&target{
-				filenameArch:    "armv8",
-				dsmMajorVersion: dsmVersion,
-				goenv: map[string]string{
-					"GOOS":   "linux",
-					"GOARCH": "arm64",
-				},
-				packageCenter: forPackageCenter,
-			})
-
-		// On older ARMv5 and ARMv7 platforms, synology used a whole
-		// mess of SoC-specific target names, even though the packages
-		// built for each are identical apart from metadata.
-		for _, v5Arch := range v5Models {
-			ret = append(ret, &target{
-				filenameArch:    v5Arch,
-				dsmMajorVersion: dsmVersion,
-				goenv: map[string]string{
-					"GOOS":   "linux",
-					"GOARCH": "arm",
-					"GOARM":  "5",
-				},
-				packageCenter: forPackageCenter,
-			})
-		}
-		for _, v7Arch := range v7Models {
-			ret = append(ret, &target{
-				filenameArch:    v7Arch,
-				dsmMajorVersion: dsmVersion,
-				goenv: map[string]string{
-					"GOOS":   "linux",
-					"GOARCH": "arm",
-					"GOARM":  "7",
-				},
-				packageCenter: forPackageCenter,
-			})
-		}
-	}
-	return ret
-}
--- a/release/dist/unixpkgs/pkgs.go
+++ b/release/dist/unixpkgs/pkgs.go
@@ -14,6 +14,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"time"

 	"github.com/goreleaser/nfpm"
 	"tailscale.com/release/dist"
@@ -70,6 +71,7 @@ func (t *tgzTarget) Build(b *dist.Build) ([]string, error) {
 	tw := tar.NewWriter(gw)
 	defer tw.Close()

+	buildTime := time.Now()
 	addFile := func(src, dst string, mode int64) error {
 		f, err := os.Open(src)
 		if err != nil {
@@ -84,7 +86,7 @@ func (t *tgzTarget) Build(b *dist.Build) ([]string, error) {
 			Name:    dst,
 			Size:    fi.Size(),
 			Mode:    mode,
-			ModTime: b.Time,
+			ModTime: buildTime,
 			Uid:     0,
 			Gid:     0,
 			Uname:   "root",
@@ -102,7 +104,7 @@ func (t *tgzTarget) Build(b *dist.Build) ([]string, error) {
 		hdr := &tar.Header{
 			Name:    name + "/",
 			Mode:    0755,
-			ModTime: b.Time,
+			ModTime: buildTime,
 			Uid:     0,
 			Gid:     0,
 			Uname:   "root",
--- a/scripts/installer.sh
+++ b/scripts/installer.sh
@@ -217,12 +217,7 @@ main() {
 				VERSION="tumbleweed"
 				PACKAGETYPE="zypper"
 				;;
-			sle-micro-rancher)
-				OS="opensuse"
-				VERSION="leap/15.4"
-				PACKAGETYPE="zypper"
-				;;
-			arch|archarm|endeavouros|blendos)
+			arch|archarm|endeavouros)
 				OS="arch"
 				VERSION="" # rolling release
 				PACKAGETYPE="pacman"
--- a/shell.nix
+++ b/shell.nix
@@ -16,4 +16,4 @@
 ) {
  src =  ./.;
 }).shellNix
-# nix-direnv cache busting line: sha256-fgCrmtJs1svFz0Xn7iwLNrbBNlcO6V0yqGPMY0+V1VQ=
+# nix-direnv cache busting line: sha256-7L+dvS++UNfMVcPUCbK/xuBPwtrzW4RpZTtcl7VCwQs=
--- a/ssh/tailssh/incubator.go
+++ b/ssh/tailssh/incubator.go
@@ -34,7 +34,6 @@ import (
 	"golang.org/x/exp/slices"
 	"golang.org/x/sys/unix"
 	"tailscale.com/cmd/tailscaled/childproc"
-	"tailscale.com/hostinfo"
 	"tailscale.com/tempfork/gliderlabs/ssh"
 	"tailscale.com/types/logger"
 	"tailscale.com/version/distro"
@@ -121,18 +120,10 @@ func (ss *sshSession) newIncubatorCommand() (cmd *exec.Cmd) {
 		if isShell {
 			incubatorArgs = append(incubatorArgs, "--shell")
 		}
-		// Only the macOS version of the login command supports executing a
-		// command, all other versions only support launching a shell
-		// without taking any arguments.
-		shouldUseLoginCmd := isShell || runtime.GOOS == "darwin"
-		if hostinfo.IsSELinuxEnforcing() {
-			// If we're running on a SELinux-enabled system, the login
-			// command will be unable to set the correct context for the
-			// shell. Fall back to using the incubator to launch the shell.
-			// See http://github.com/tailscale/tailscale/issues/4908.
-			shouldUseLoginCmd = false
-		}
-		if shouldUseLoginCmd {
+		if isShell || runtime.GOOS == "darwin" {
+			// Only the macOS version of the login command supports executing a
+			// command, all other versions only support launching a shell
+			// without taking any arguments.
 			if lp, err := exec.LookPath("login"); err == nil {
 				incubatorArgs = append(incubatorArgs, "--login-cmd="+lp)
 			}
@@ -476,10 +467,10 @@ func (ss *sshSession) launchProcess() error {
 	}
 	go resizeWindow(ptyDup /* arbitrary fd */, winCh)

-	ss.wrStdin = pty
-	ss.rdStdout = os.NewFile(uintptr(ptyDup), pty.Name())
-	ss.rdStderr = nil // not available for pty
-	ss.childPipes = []io.Closer{tty}
+	ss.tty = tty
+	ss.stdin = pty
+	ss.stdout = os.NewFile(uintptr(ptyDup), pty.Name())
+	ss.stderr = nil // not available for pty

 	return nil
 }
@@ -658,29 +649,40 @@ func (ss *sshSession) startWithPTY() (ptyFile, tty *os.File, err error) {

 // startWithStdPipes starts cmd with os.Pipe for Stdin, Stdout and Stderr.
 func (ss *sshSession) startWithStdPipes() (err error) {
-	var rdStdin, wrStdout, wrStderr io.ReadWriteCloser
+	var stdin io.WriteCloser
+	var stdout, stderr io.ReadCloser
 	defer func() {
 		if err != nil {
-			closeAll(rdStdin, ss.wrStdin, ss.rdStdout, wrStdout, ss.rdStderr, wrStderr)
+			for _, c := range []io.Closer{stdin, stdout, stderr} {
+				if c != nil {
+					c.Close()
+				}
+			}
 		}
 	}()
-	if ss.cmd == nil {
+	cmd := ss.cmd
+	if cmd == nil {
 		return errors.New("nil cmd")
 	}
-	if rdStdin, ss.wrStdin, err = os.Pipe(); err != nil {
+	stdin, err = cmd.StdinPipe()
+	if err != nil {
 		return err
 	}
-	if ss.rdStdout, wrStdout, err = os.Pipe(); err != nil {
+	stdout, err = cmd.StdoutPipe()
+	if err != nil {
 		return err
 	}
-	if ss.rdStderr, wrStderr, err = os.Pipe(); err != nil {
+	stderr, err = cmd.StderrPipe()
+	if err != nil {
 		return err
 	}
-	ss.cmd.Stdin = rdStdin
-	ss.cmd.Stdout = wrStdout
-	ss.cmd.Stderr = wrStderr
-	ss.childPipes = []io.Closer{rdStdin, wrStdout, wrStderr}
-	return ss.cmd.Start()
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	ss.stdin = stdin
+	ss.stdout = stdout
+	ss.stderr = stderr
+	return nil
 }

 func envForUser(u *userMeta) []string {
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -422,7 +422,6 @@ func (srv *server) newConn() (*conn, error) {
 	c := &conn{srv: srv}
 	now := srv.now()
 	c.connID = fmt.Sprintf("ssh-conn-%s-%02x", now.UTC().Format("20060102T150405"), randBytes(5))
-	fwdHandler := &ssh.ForwardedTCPHandler{}
 	c.Server = &ssh.Server{
 		Version:              "Tailscale",
 		ServerConfigCallback: c.ServerConfig,
@@ -431,9 +430,8 @@ func (srv *server) newConn() (*conn, error) {
 		PublicKeyHandler:    c.PublicKeyHandler,
 		PasswordHandler:     c.fakePasswordHandler,

-		Handler:                       c.handleSessionPostSSHAuth,
-		LocalPortForwardingCallback:   c.mayForwardLocalPortTo,
-		ReversePortForwardingCallback: c.mayReversePortForwardTo,
+		Handler:                     c.handleSessionPostSSHAuth,
+		LocalPortForwardingCallback: c.mayForwardLocalPortTo,
 		SubsystemHandlers: map[string]ssh.SubsystemHandler{
 			"sftp": c.handleSessionPostSSHAuth,
 		},
@@ -443,10 +441,7 @@ func (srv *server) newConn() (*conn, error) {
 		ChannelHandlers: map[string]ssh.ChannelHandler{
 			"direct-tcpip": ssh.DirectTCPIPHandler,
 		},
-		RequestHandlers: map[string]ssh.RequestHandler{
-			"tcpip-forward":        fwdHandler.HandleSSHRequest,
-			"cancel-tcpip-forward": fwdHandler.HandleSSHRequest,
-		},
+		RequestHandlers: map[string]ssh.RequestHandler{},
 	}
 	ss := c.Server
 	for k, v := range ssh.DefaultRequestHandlers {
@@ -468,17 +463,6 @@ func (srv *server) newConn() (*conn, error) {
 	return c, nil
 }

-// mayReversePortPortForwardTo reports whether the ctx should be allowed to port forward
-// to the specified host and port.
-// TODO(bradfitz/maisem): should we have more checks on host/port?
-func (c *conn) mayReversePortForwardTo(ctx ssh.Context, destinationHost string, destinationPort uint32) bool {
-	if c.finalAction != nil && c.finalAction.AllowRemotePortForwarding {
-		metricRemotePortForward.Add(1)
-		return true
-	}
-	return false
-}
-
 // mayForwardLocalPortTo reports whether the ctx should be allowed to port forward
 // to the specified host and port.
 // TODO(bradfitz/maisem): should we have more checks on host/port?
@@ -823,16 +807,12 @@ type sshSession struct {
 	agentListener net.Listener // non-nil if agent-forwarding requested+allowed

 	// initialized by launchProcess:
-	cmd      *exec.Cmd
-	wrStdin  io.WriteCloser
-	rdStdout io.ReadCloser
-	rdStderr io.ReadCloser // rdStderr is nil for pty sessions
-	ptyReq   *ssh.Pty      // non-nil for pty sessions
-
-	// childPipes is a list of pipes that need to be closed when the process exits.
-	// For pty sessions, this is the tty fd.
-	// For non-pty sessions, this is the stdin, stdout, stderr fds.
-	childPipes []io.Closer
+	cmd    *exec.Cmd
+	stdin  io.WriteCloser
+	stdout io.ReadCloser
+	stderr io.Reader // nil for pty sessions
+	ptyReq *ssh.Pty  // non-nil for pty sessions
+	tty    *os.File  // non-nil for pty sessions, must be closed after process exits

 	// We use this sync.Once to ensure that we only terminate the process once,
 	// either it exits itself or is terminated
@@ -1111,22 +1091,21 @@ func (ss *sshSession) run() {

 	var processDone atomic.Bool
 	go func() {
-		defer ss.wrStdin.Close()
-		if _, err := io.Copy(rec.writer("i", ss.wrStdin), ss); err != nil {
+		defer ss.stdin.Close()
+		if _, err := io.Copy(rec.writer("i", ss.stdin), ss); err != nil {
 			logf("stdin copy: %v", err)
 			ss.cancelCtx(err)
 		}
 	}()
-	outputDone := make(chan struct{})
 	var openOutputStreams atomic.Int32
-	if ss.rdStderr != nil {
+	if ss.stderr != nil {
 		openOutputStreams.Store(2)
 	} else {
 		openOutputStreams.Store(1)
 	}
 	go func() {
-		defer ss.rdStdout.Close()
-		_, err := io.Copy(rec.writer("o", ss), ss.rdStdout)
+		defer ss.stdout.Close()
+		_, err := io.Copy(rec.writer("o", ss), ss.stdout)
 		if err != nil && !errors.Is(err, io.EOF) {
 			isErrBecauseProcessExited := processDone.Load() && errors.Is(err, syscall.EIO)
 			if !isErrBecauseProcessExited {
@@ -1136,41 +1115,32 @@ func (ss *sshSession) run() {
 		}
 		if openOutputStreams.Add(-1) == 0 {
 			ss.CloseWrite()
-			close(outputDone)
 		}
 	}()
-	// rdStderr is nil for ptys.
-	if ss.rdStderr != nil {
+	// stderr is nil for ptys.
+	if ss.stderr != nil {
 		go func() {
-			defer ss.rdStderr.Close()
-			_, err := io.Copy(ss.Stderr(), ss.rdStderr)
+			_, err := io.Copy(ss.Stderr(), ss.stderr)
 			if err != nil {
 				logf("stderr copy: %v", err)
 			}
 			if openOutputStreams.Add(-1) == 0 {
 				ss.CloseWrite()
-				close(outputDone)
 			}
 		}()
 	}

+	if ss.tty != nil {
+		// If running a tty session, close the tty when the session is done.
+		defer ss.tty.Close()
+	}
 	err = ss.cmd.Wait()
 	processDone.Store(true)
-
 	// This will either make the SSH Termination goroutine be a no-op,
 	// or itself will be a no-op because the process was killed by the
 	// aforementioned goroutine.
 	ss.exitOnce.Do(func() {})

-	// Close the process-side of all pipes to signal the asynchronous
-	// io.Copy routines reading/writing from the pipes to terminate.
-	// Block for the io.Copy to finish before calling ss.Exit below.
-	closeAll(ss.childPipes...)
-	select {
-	case <-outputDone:
-	case <-ss.ctx.Done():
-	}
-
 	if err == nil {
 		ss.logf("Session complete")
 		ss.Exit(0)
@@ -1890,7 +1860,6 @@ var (
 	metricPolicyChangeKick     = clientmetric.NewCounter("ssh_policy_change_kick")
 	metricSFTP                 = clientmetric.NewCounter("ssh_sftp_requests")
 	metricLocalPortForward     = clientmetric.NewCounter("ssh_local_port_forward_requests")
-	metricRemotePortForward    = clientmetric.NewCounter("ssh_remote_port_forward_requests")
 )

 // userVisibleError is a wrapper around an error that implements
@@ -1908,11 +1877,3 @@ type SSHTerminationError interface {
 	error
 	SSHTerminationMessage() string
 }
-
-func closeAll(cs ...io.Closer) {
-	for _, c := range cs {
-		if c != nil {
-			c.Close()
-		}
-	}
-}
--- a/ssh/tailssh/tailssh_test.go
+++ b/ssh/tailssh/tailssh_test.go
@@ -25,7 +25,6 @@ import (
 	"os/user"
 	"reflect"
 	"runtime"
-	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -948,19 +947,6 @@ func TestSSH(t *testing.T) {
 		// "foo\n" and "bar\n", not "\n" and "bar\n".
 	})

-	t.Run("large_file", func(t *testing.T) {
-		const wantSize = 1e6
-		var outBuf bytes.Buffer
-		cmd := execSSH("head", "-c", strconv.Itoa(wantSize), "/dev/zero")
-		cmd.Stdout = &outBuf
-		if err := cmd.Run(); err != nil {
-			t.Fatal(err)
-		}
-		if gotSize := outBuf.Len(); gotSize != wantSize {
-			t.Fatalf("got %d, want %d", gotSize, int(wantSize))
-		}
-	})
-
 	t.Run("stdin", func(t *testing.T) {
 		if cibuild.On() {
 			t.Skip("Skipping for now; see https://github.com/tailscale/tailscale/issues/4051")
--- a/ssh/tailssh/user.go
+++ b/ssh/tailssh/user.go
@@ -81,11 +81,7 @@ func userLookup(username string) (*userMeta, error) {
 }

 func validUsername(uid string) bool {
-	maxUid := 32
-	if runtime.GOOS == "linux" {
-		maxUid = 256
-	}
-	if len(uid) > maxUid || len(uid) == 0 {
+	if len(uid) > 32 || len(uid) == 0 {
 		return false
 	}
 	for _, r := range uid {
--- a/syncs/shardedmap.go
+++ b/syncs/shardedmap.go
@@ -1,111 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package syncs
-
-import (
-	"sync"
-
-	"golang.org/x/sys/cpu"
-)
-
-// ShardedMap is a synchronized map[K]V, internally sharded by a user-defined
-// K-sharding function.
-//
-// The zero value is not safe for use; use NewShardedMap.
-type ShardedMap[K comparable, V any] struct {
-	shardFunc func(K) int
-	shards    []mapShard[K, V]
-}
-
-type mapShard[K comparable, V any] struct {
-	mu sync.Mutex
-	m  map[K]V
-	_  cpu.CacheLinePad // avoid false sharing of neighboring shards' mutexes
-}
-
-// NewShardedMap returns a new ShardedMap with the given number of shards and
-// sharding function.
-//
-// The shard func must return a integer in the range [0, shards) purely
-// deterministically based on the provided K.
-func NewShardedMap[K comparable, V any](shards int, shard func(K) int) *ShardedMap[K, V] {
-	m := &ShardedMap[K, V]{
-		shardFunc: shard,
-		shards:    make([]mapShard[K, V], shards),
-	}
-	for i := range m.shards {
-		m.shards[i].m = make(map[K]V)
-	}
-	return m
-}
-
-func (m *ShardedMap[K, V]) shard(key K) *mapShard[K, V] {
-	return &m.shards[m.shardFunc(key)]
-}
-
-// GetOk returns m[key] and whether it was present.
-func (m *ShardedMap[K, V]) GetOk(key K) (value V, ok bool) {
-	shard := m.shard(key)
-	shard.mu.Lock()
-	defer shard.mu.Unlock()
-	value, ok = shard.m[key]
-	return
-}
-
-// Get returns m[key] or the zero value of V if key is not present.
-func (m *ShardedMap[K, V]) Get(key K) (value V) {
-	value, _ = m.GetOk(key)
-	return
-}
-
-// Set sets m[key] = value.
-//
-// It reports whether the map grew in size (that is, whether key was not already
-// present in m).
-func (m *ShardedMap[K, V]) Set(key K, value V) (grew bool) {
-	shard := m.shard(key)
-	shard.mu.Lock()
-	defer shard.mu.Unlock()
-	s0 := len(shard.m)
-	shard.m[key] = value
-	return len(shard.m) > s0
-}
-
-// Delete removes key from m.
-//
-// It reports whether the map size shrunk (that is, whether key was present in
-// the map).
-func (m *ShardedMap[K, V]) Delete(key K) (shrunk bool) {
-	shard := m.shard(key)
-	shard.mu.Lock()
-	defer shard.mu.Unlock()
-	s0 := len(shard.m)
-	delete(shard.m, key)
-	return len(shard.m) < s0
-}
-
-// Contains reports whether m contains key.
-func (m *ShardedMap[K, V]) Contains(key K) bool {
-	shard := m.shard(key)
-	shard.mu.Lock()
-	defer shard.mu.Unlock()
-	_, ok := shard.m[key]
-	return ok
-}
-
-// Len returns the number of elements in m.
-//
-// It does so by locking shards one at a time, so it's not particularly cheap,
-// nor does it give a consistent snapshot of the map. It's mostly intended for
-// metrics or testing.
-func (m *ShardedMap[K, V]) Len() int {
-	n := 0
-	for i := range m.shards {
-		shard := &m.shards[i]
-		shard.mu.Lock()
-		n += len(shard.m)
-		shard.mu.Unlock()
-	}
-	return n
-}
--- a/syncs/shardedmap_test.go
+++ b/syncs/shardedmap_test.go
@@ -1,44 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package syncs
-
-import "testing"
-
-func TestShardedMap(t *testing.T) {
-	m := NewShardedMap[int, string](16, func(i int) int { return i % 16 })
-
-	if m.Contains(1) {
-		t.Errorf("got contains; want !contains")
-	}
-	if !m.Set(1, "one") {
-		t.Errorf("got !set; want set")
-	}
-	if m.Set(1, "one") {
-		t.Errorf("got set; want !set")
-	}
-	if !m.Contains(1) {
-		t.Errorf("got !contains; want contains")
-	}
-	if g, w := m.Get(1), "one"; g != w {
-		t.Errorf("got %q; want %q", g, w)
-	}
-	if _, ok := m.GetOk(1); !ok {
-		t.Errorf("got ok; want !ok")
-	}
-	if _, ok := m.GetOk(2); ok {
-		t.Errorf("got ok; want !ok")
-	}
-	if g, w := m.Len(), 1; g != w {
-		t.Errorf("got Len %v; want %v", g, w)
-	}
-	if m.Delete(2) {
-		t.Errorf("got deleted; want !deleted")
-	}
-	if !m.Delete(1) {
-		t.Errorf("got !deleted; want deleted")
-	}
-	if g, w := m.Len(), 0; g != w {
-		t.Errorf("got Len %v; want %v", g, w)
-	}
-}
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -3,7 +3,7 @@

 package tailcfg

-//go:generate go run tailscale.com/cmd/viewer --type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode,SSHRule,SSHAction,SSHPrincipal,ControlDialPlan,Location --clonefunc
+//go:generate go run tailscale.com/cmd/viewer --type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode,SSHRule,SSHAction,SSHPrincipal,ControlDialPlan --clonefunc

 import (
 	"bytes"
@@ -99,8 +99,7 @@ type CapabilityVersion int
 //   - 60: 2023-04-06: Client understands IsWireGuardOnly
 //   - 61: 2023-04-18: Client understand SSHAction.SSHRecorderFailureAction
 //   - 62: 2023-05-05: Client can notify control over noise for SSHEventNotificationRequest recording failure events
-//   - 63: 2023-06-08: Client understands SSHAction.AllowRemotePortForwarding.
-const CurrentCapabilityVersion CapabilityVersion = 63
+const CurrentCapabilityVersion CapabilityVersion = 62

 type StableID string

@@ -531,24 +530,6 @@ type Service struct {
 	// TODO(apenwarr): add "tags" here for each service?
 }

-// Location represents geographical location data about a
-// Tailscale host. Location is optional and only set if
-// explicitly declared by a node.
-type Location struct {
-	Country     string `json:",omitempty"` // User friendly country name, with proper capitalization ("Canada")
-	CountryCode string `json:",omitempty"` // ISO 3166-1 alpha-2 in upper case ("CA")
-	City        string `json:",omitempty"` // User friendly city name, with proper capitalization ("Squamish")
-	CityCode    string `json:",omitempty"` // TODO(charlotte): document
-
-	// Priority determines the priority an exit node is given when the
-	// location data between two or more nodes is tied.
-	// A higher value indicates that the exit node is more preferable
-	// for use.
-	// A value of 0 means the exit node does not have a priority
-	// preference. A negative int is not allowed.
-	Priority int `json:",omitempty"`
-}
-
 // Hostinfo contains a summary of a Tailscale host.
 //
 // Because it contains pointers (slices), this type should not be used
@@ -603,11 +584,6 @@ type Hostinfo struct {
 	Userspace       opt.Bool       `json:",omitempty"` // if the client is running in userspace (netstack) mode
 	UserspaceRouter opt.Bool       `json:",omitempty"` // if the client's subnet router is running in userspace (netstack) mode

-	// Location represents geographical location data about a
-	// Tailscale host. Location is optional and only set if
-	// explicitly declared by a node.
-	Location *Location `json:",omitempty"`
-
 	// NOTE: any new fields containing pointers in this type
 	//       require changes to Hostinfo.Equal.
 }
@@ -2072,10 +2048,6 @@ type SSHAction struct {
 	// to use local port forwarding if requested.
 	AllowLocalPortForwarding bool `json:"allowLocalPortForwarding,omitempty"`

-	// AllowRemotePortForwarding, if true, allows accepted connections
-	// to use remote port forwarding if requested.
-	AllowRemotePortForwarding bool `json:"allowRemotePortForwarding,omitempty"`
-
 	// Recorders defines the destinations of the SSH session recorders.
 	// The recording will be uploaded to http://addr:port/record.
 	Recorders []netip.AddrPort `json:"recorders,omitempty"`
--- a/tailcfg/tailcfg_clone.go
+++ b/tailcfg/tailcfg_clone.go
@@ -119,10 +119,6 @@ func (src *Hostinfo) Clone() *Hostinfo {
 	dst.Services = append(src.Services[:0:0], src.Services...)
 	dst.NetInfo = src.NetInfo.Clone()
 	dst.SSH_HostKeys = append(src.SSH_HostKeys[:0:0], src.SSH_HostKeys...)
-	if dst.Location != nil {
-		dst.Location = new(Location)
-		*dst.Location = *src.Location
-	}
 	return dst
 }

@@ -161,7 +157,6 @@ var _HostinfoCloneNeedsRegeneration = Hostinfo(struct {
 	Cloud           string
 	Userspace       opt.Bool
 	UserspaceRouter opt.Bool
-	Location        *Location
 }{})

 // Clone makes a deep copy of NetInfo.
@@ -413,16 +408,15 @@ func (src *SSHAction) Clone() *SSHAction {

 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _SSHActionCloneNeedsRegeneration = SSHAction(struct {
-	Message                   string
-	Reject                    bool
-	Accept                    bool
-	SessionDuration           time.Duration
-	AllowAgentForwarding      bool
-	HoldAndDelegate           string
-	AllowLocalPortForwarding  bool
-	AllowRemotePortForwarding bool
-	Recorders                 []netip.AddrPort
-	OnRecordingFailure        *SSHRecorderFailureAction
+	Message                  string
+	Reject                   bool
+	Accept                   bool
+	SessionDuration          time.Duration
+	AllowAgentForwarding     bool
+	HoldAndDelegate          string
+	AllowLocalPortForwarding bool
+	Recorders                []netip.AddrPort
+	OnRecordingFailure       *SSHRecorderFailureAction
 }{})

 // Clone makes a deep copy of SSHPrincipal.
@@ -463,29 +457,9 @@ var _ControlDialPlanCloneNeedsRegeneration = ControlDialPlan(struct {
 	Candidates []ControlIPCandidate
 }{})

-// Clone makes a deep copy of Location.
-// The result aliases no memory with the original.
-func (src *Location) Clone() *Location {
-	if src == nil {
-		return nil
-	}
-	dst := new(Location)
-	*dst = *src
-	return dst
-}
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _LocationCloneNeedsRegeneration = Location(struct {
-	Country     string
-	CountryCode string
-	City        string
-	CityCode    string
-	Priority    int
-}{})
-
 // Clone duplicates src into dst and reports whether it succeeded.
 // To succeed, <src, dst> must be of types <*T, *T> or <*T, **T>,
-// where T is one of User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode,SSHRule,SSHAction,SSHPrincipal,ControlDialPlan,Location.
+// where T is one of User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode,SSHRule,SSHAction,SSHPrincipal,ControlDialPlan.
 func Clone(dst, src any) bool {
 	switch src := src.(type) {
 	case *User:
@@ -614,15 +588,6 @@ func Clone(dst, src any) bool {
 			*dst = src.Clone()
 			return true
 		}
-	case *Location:
-		switch dst := dst.(type) {
-		case *Location:
-			*dst = *src.Clone()
-			return true
-		case **Location:
-			*dst = src.Clone()
-			return true
-		}
 	}
 	return false
 }
--- a/tailcfg/tailcfg_test.go
+++ b/tailcfg/tailcfg_test.go
@@ -65,7 +65,6 @@ func TestHostinfoEqual(t *testing.T) {
 		"Cloud",
 		"Userspace",
 		"UserspaceRouter",
-		"Location",
 	}
 	if have := fieldsOf(reflect.TypeOf(Hostinfo{})); !reflect.DeepEqual(have, hiHandles) {
 		t.Errorf("Hostinfo.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
--- a/tailcfg/tailcfg_view.go
+++ b/tailcfg/tailcfg_view.go
@@ -20,7 +20,7 @@ import (
 	"tailscale.com/types/views"
 )

-//go:generate go run tailscale.com/cmd/cloner  -clonefunc=true -type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode,SSHRule,SSHAction,SSHPrincipal,ControlDialPlan,Location
+//go:generate go run tailscale.com/cmd/cloner  -clonefunc=true -type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode,SSHRule,SSHAction,SSHPrincipal,ControlDialPlan

 // View returns a readonly view of User.
 func (p *User) View() UserView {
@@ -303,15 +303,7 @@ func (v HostinfoView) SSH_HostKeys() views.Slice[string] { return views.SliceOf(
 func (v HostinfoView) Cloud() string                     { return v.ж.Cloud }
 func (v HostinfoView) Userspace() opt.Bool               { return v.ж.Userspace }
 func (v HostinfoView) UserspaceRouter() opt.Bool         { return v.ж.UserspaceRouter }
-func (v HostinfoView) Location() *Location {
-	if v.ж.Location == nil {
-		return nil
-	}
-	x := *v.ж.Location
-	return &x
-}
-
-func (v HostinfoView) Equal(v2 HostinfoView) bool { return v.ж.Equal(v2.ж) }
+func (v HostinfoView) Equal(v2 HostinfoView) bool        { return v.ж.Equal(v2.ж) }

 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _HostinfoViewNeedsRegeneration = Hostinfo(struct {
@@ -348,7 +340,6 @@ var _HostinfoViewNeedsRegeneration = Hostinfo(struct {
 	Cloud           string
 	Userspace       opt.Bool
 	UserspaceRouter opt.Bool
-	Location        *Location
 }{})

 // View returns a readonly view of NetInfo.
@@ -949,7 +940,6 @@ func (v SSHActionView) SessionDuration() time.Duration         { return v.ж.Ses
 func (v SSHActionView) AllowAgentForwarding() bool             { return v.ж.AllowAgentForwarding }
 func (v SSHActionView) HoldAndDelegate() string                { return v.ж.HoldAndDelegate }
 func (v SSHActionView) AllowLocalPortForwarding() bool         { return v.ж.AllowLocalPortForwarding }
-func (v SSHActionView) AllowRemotePortForwarding() bool        { return v.ж.AllowRemotePortForwarding }
 func (v SSHActionView) Recorders() views.Slice[netip.AddrPort] { return views.SliceOf(v.ж.Recorders) }
 func (v SSHActionView) OnRecordingFailure() *SSHRecorderFailureAction {
 	if v.ж.OnRecordingFailure == nil {
@@ -961,16 +951,15 @@ func (v SSHActionView) OnRecordingFailure() *SSHRecorderFailureAction {

 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _SSHActionViewNeedsRegeneration = SSHAction(struct {
-	Message                   string
-	Reject                    bool
-	Accept                    bool
-	SessionDuration           time.Duration
-	AllowAgentForwarding      bool
-	HoldAndDelegate           string
-	AllowLocalPortForwarding  bool
-	AllowRemotePortForwarding bool
-	Recorders                 []netip.AddrPort
-	OnRecordingFailure        *SSHRecorderFailureAction
+	Message                  string
+	Reject                   bool
+	Accept                   bool
+	SessionDuration          time.Duration
+	AllowAgentForwarding     bool
+	HoldAndDelegate          string
+	AllowLocalPortForwarding bool
+	Recorders                []netip.AddrPort
+	OnRecordingFailure       *SSHRecorderFailureAction
 }{})

 // View returns a readonly view of SSHPrincipal.
@@ -1086,63 +1075,3 @@ func (v ControlDialPlanView) Candidates() views.Slice[ControlIPCandidate] {
 var _ControlDialPlanViewNeedsRegeneration = ControlDialPlan(struct {
 	Candidates []ControlIPCandidate
 }{})
-
-// View returns a readonly view of Location.
-func (p *Location) View() LocationView {
-	return LocationView{ж: p}
-}
-
-// LocationView provides a read-only view over Location.
-//
-// Its methods should only be called if `Valid()` returns true.
-type LocationView struct {
-	// ж is the underlying mutable value, named with a hard-to-type
-	// character that looks pointy like a pointer.
-	// It is named distinctively to make you think of how dangerous it is to escape
-	// to callers. You must not let callers be able to mutate it.
-	ж *Location
-}
-
-// Valid reports whether underlying value is non-nil.
-func (v LocationView) Valid() bool { return v.ж != nil }
-
-// AsStruct returns a clone of the underlying value which aliases no memory with
-// the original.
-func (v LocationView) AsStruct() *Location {
-	if v.ж == nil {
-		return nil
-	}
-	return v.ж.Clone()
-}
-
-func (v LocationView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
-
-func (v *LocationView) UnmarshalJSON(b []byte) error {
-	if v.ж != nil {
-		return errors.New("already initialized")
-	}
-	if len(b) == 0 {
-		return nil
-	}
-	var x Location
-	if err := json.Unmarshal(b, &x); err != nil {
-		return err
-	}
-	v.ж = &x
-	return nil
-}
-
-func (v LocationView) Country() string     { return v.ж.Country }
-func (v LocationView) CountryCode() string { return v.ж.CountryCode }
-func (v LocationView) City() string        { return v.ж.City }
-func (v LocationView) CityCode() string    { return v.ж.CityCode }
-func (v LocationView) Priority() int       { return v.ж.Priority }
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _LocationViewNeedsRegeneration = Location(struct {
-	Country     string
-	CountryCode string
-	City        string
-	CityCode    string
-	Priority    int
-}{})
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .45.0
 .43.0